Simply stating that business leaders need to be held accountable for cybersecurity is not enough; they need to be personally measured against cybersecurity goals, according to AGL’s CISO Maryam Bechtel.
Bechtel spoke on a panel at a recent Australia-Israel Chamber of Commerce (AICC) event discussing the cyber threat to innovation and digital transformation.
She told audiences, “Everyone is responsible [for cybersecurity] we know that, but we have to give it a bite.”
Bechtel said that leaders should have cybersecurity attached to their individual personal development goals to ensure accountability.
“Whilst we do a lot of things, culture change and cyber championship and everything, it has to at the end of the day be part of metrics and be measurable,” she said.
Cybersecurity is about people
While cybersecurity may be widely perceived to be a technical problem, Bianca Wirth, panellist and CISO at NSW Department of Planning and Environment, believes it’s not about technology; it’s about people.
“It's people that make mistakes when they configure machines on the cloud and let hackers in. It's hackers — people that hack things. It's people who accidentally click on one of those phishing links,” said Wirth.
Considering cybersecurity as about people widens the scope of how to respond to cyber threats. According to Wirth, responding to the threat of cybercrime takes not just technology but people of diverse backgrounds.
“You don't just need technology people to do that. You need people with psychology backgrounds and people with change backgrounds. The thing I love about cybersecurity at the moment is we’re getting these broad, wonderful skill sets of people in who have these specialisations and just add to our ability to deliver something better from a security perspective. When we do that, we deliver for digital as well.”
Cybersecurity is about risk
AICC panellist Gal Tal-Hochberg, group CTO at venture capital and company building business Team8, told audiences that approaching cybersecurity as a risk is crucial to bringing the board and executive team along on the journey.
CISOs need to “speak the language of business, and come to those forums and say ‘this isn’t a technical discussion, this is a discussion about risk’,” he said.
According to Tal-Hochberg, the senior executive in the organisation needs to be involved in cybersecurity.
“Today, cyber security has the ability to impact the entire business. It can hurt revenue, it can hurt the reputation, and it can create legal risk. It is something that every single person part of the organisation has to deal with in predicting phishing for example. Relegating it to the security organisation doesn't work,” said Tal-Hochberg.
He suggests that the trend of embedding security champions into every part of the organisation can help to inform and support employees when it comes to cyber risk.