Cybersecurity is not about tech, it's about people, according to two leading Australian chief information security officers (CISOs).
At Gartner’s Security and Risk Management Summit in Sydney today, Audrey Hanson, CISO at BlueScope, and Keith Howard, group CISO at Commonwealth Bank, insisted that building a culture of security in business must first start with a reminder to employees of the importance of security in their personal lives.
According to CBA’s Howard, “If it's relevant to home it's easier for people I think to transition that into it's relevant to work as well.”
BlueScope’s Hanson said that personal relevance can be effective in increasing security awareness and embedding it in the business as cybersecurity is everyone's responsibility.
“I find it to be really effective to talk about how people should secure their homes, how they secure their private data, how they secure their children, their parents. So, once you take it out of that kind of corporate context, which is important, I believe if you teach people how to be secure in their private life, they're going to bring that into their corporate life and they seem to be more engaged and more interested,” she said.
Speaking at the Think Sydney conference last week, IBM’s SVP infrastructure Ric Lewis said that cybersecurity has accelerated from being an occasional topic brought up in meetings to being core to business decision making.
According to Hanson, it became clear after dealing with a cybersecurity incident at BlueScope that cybersecurity is a business risk.
“If nothing else good came out of it, that was a good thing that came out of it, cybersecurity is a business risk. And I guess my language has always been that cybersecurity is about risk. It's about managing risk. It's about understanding that risk, and it's about mitigating it as well,” she said.
While Hanson acknowledged the difficulty in getting buy-in from the executive leadership team and senior stakeholders to consider cybersecurity as a business risk, she suggested putting it into context for your own organisation, in order to make it realistic, and to avoid fear, uncertainty and doubt.
Howard also advised security leaders to approach the subject with realism.
“The job of the CISO certainly in an organisation is to keep that zoomed-out view. I think it's incredibly important to help executives understand based on that, what are the priorities set that we need to go through,” he said.
In order to maintain that perspective, Howard argued that CISOs also need to prioritise their own wellbeing.
“Sometimes I think the CISO can feel the world is on your shoulders,” he said.
“Maintaining your centre, your wellbeing, I think is tremendously fundamental. I saw a survey, where 51 percent of CISOs were worried about their wellbeing, and that made me think the 49 percent are probably in denial.”
