Troy Braban, chief information security officer at Australia Post, has been awarded by SC Magazine for his pioneering work on building an IT security practice to keep pace with Post’s digital delivery teams.
Braban was presented the award at the AusCERT information security conference in front of several hundred infosec professionals.
The CISO was put forward by his executive peers for his efforts to turn IT security from a “back office function” into a function that considers business enablement a top priority.
The pace of change set by Australia Post’s digital delivery centre - which of late has spun out a digital mailbox service, video stamps, travel insurance, foreign exchange services, several mobile apps and a series of APIs exposing postal services to ecommerce merchants - would conceivably have created governance concerns for most IT shops.
Braban's team has been certified in the SAFe (Scaled Agile Framework), which attempts to apply enterprise rigour to a model that is otherwise concerned with customer experience and speed of iteration.
Post takes a risk-based approach which - for the majority of apps - results in the information security function being embedded in development teams, so that security is built into a new application from the beginning.
“This way, security isn’t seen as a blocker at the end of the process,” Braban said.
When the risks of a given application are deemed too high for this approach, the delivery process is slowed down and subjected to heavier review.
Braban favours investment in application security over penetration testing of IT infrastructure, an approach that costs 75 percent less, he said. Embedded information security testers run checks on code five or six times a week, relying heavily on test automation.
"In some cases, deploying a web application firewall is a band-aid for bad coding," he said. "We'll use one where we have to, but if we've got exceptional code, it shouldn't be required."
Australia Post’s information security function has grown from seven staff two years ago to 35 today. Third parties are used for monitoring purposes - to help narrow the range of security incidents worth bringing to the internal team's attention - but information security is otherwise an in-house operation.
“For one, we have direct access to the code - because the developers know and trust us. Plus we have far more business context - we are intimately involved in knowing what the app sets out to achieve.”
Australia Post’s strategy throws down a significant challenge to typical approaches to information security. The future infosec worker, Braban argued, is likely to be a “customer-centric developer with an app security bent” rather than a perimeter security devotee.
The infosec function at Australia Post is now seen as a business partner - with Braban sitting on the organisation’s enterprise risk management forum, which meets 10 times a year, and providing a one-page ‘cyber security update’ to every board meeting to help his executive peers understand how the team is responding to the external threat landscape.