Deakin University hires first-ever CISO

Deakin University has named infosec and compliance veteran Sanjay Verma as its first-ever head of information security and risk, with resilience set to be a key focus of his security strategy.

Sanjay Verma

Verma has served as an infosec, risk and compliance manager for the likes of MYOB, BHP Billiton, Dun & Bradstreet, Cadbury and Foster's Group during his career.

Deakin University chief digital officer William Confalonieri told iTnews the university decided to expand its security team and recruit for new roles, including a CISO equivalent, following a recent strategic review.

“In previous years, we took a traditional approach to cybersecurity in the operational sense… Cybersecurity was centralised under the IT banner, managed by a central team, embedded in technical operations,” Confalonieri said.

“Some time ago, we decided to be innovative and lead in the digital space, and we realised we needed to take things to the next level.

“We’re doing things in IoT and the cloud that will put pressure on security."

Verma will report into Confalonieri, who will retain overarching responsibility for the expanded cybersecurity team.

The importance of resilience

A key focus of the university’s cybersecurity strategy under Verma will be the resilience of its systems.

“It’s essential as a 24/7 business, and we cannot have the luxury of disruption. This is something we are very serious about,” Confalonieri said.

“What’s different is challenges and technologies are evolving quickly, and external factors are expanding.”

It’s a strategy Verma is highly qualified to deliver, having overseen a major project to shore up the cyber defence posture of D&B during his year with the company.

A key aspect of that effort, known as Project Octave, was to ensure business continuity management so D&B could remain operational even during a crisis, such as a natural disaster, major IT systems outage, terrorist attack or staff illness.

As a result, D&B ANZ became the first organisation in Australia and New Zealand to be certified as ISO 22301 compliant, following an independent audit by BSI Group. The project also saw Verma named as a finalist in the 2015 Secure Computing Benchmark Awards.

“My role at D&B, which covered security and risk management, at a high level, was about keeping the organisation operational in a crisis… Because whether it’s a malicious act, spam, malware, [etc] the intent of all attacks is ultimately to bring a business down,” Verma told iTnews.

A changing landscape

As organisations increasingly adopt public and hybrid cloud services, Verma said information security should not be treated as red tape or a box-ticking exercise. Instead, organisations should focus on awareness as a strategy, as well as making their infrastructure more robust.

“I think the perimeter is dead with the cloud. I was working on some research around three to four years ago, and the conclusion we reached is that there are no network boundaries as you expand your corporate footprint,” Verma said.

“In [the] technology [industry], what you spend all day thinking about is technology. And what we can miss is that our role in an organisation is, ultimately, to defend and help grow revenue.”