Mariana Paun | Head of Information Security & Technology
15th March 2024
Cyber Resilience Summit 2024 brought senior cyber leaders together to share actionable and strategic insights addressing the evolving cybersecurity landscape.
Alongside Christopher Witter, Former Engineering Manager, Detection & Response at Spotify (USA), and Ariel Egber, Principal Cybersecurity Architect OT/ICS at Enzen, I was a panellist on the ‘Architecting Security Excellence’ session that was deftly moderated by Luke Silverback, Regional Manager - Cyber Security, Cisco.
The Marvel universe is inhabited by resilient superheroes and relentless villains, so the eponymously-named venue seemed entirely appropriate for this forum even if there were only heroes in the room on this day.
The theme of resilience threaded its way through every session informing many conversations particularly around the importance of aligning security objectives with business objectives. Working in isolation simply does not work.
Collaboration is vital to ensure that security is robustly but seamlessly embedded into the way a business operates. I believe deeply that best results come when ‘security’ isn’t seen as a burden nor adds undue complexity to the business of business.
But, inevitably, even when security objectives and business objectives are aligned there’s going to be complexity. Cybersecurity is a challenging space, and not just in terms of anticipating, repelling and responding to attacks from bad actors. We also have to understand our footprint. We have to consider how we might consolidate the tools we have at our disposal to enhance our readiness. We have to assess risks and costs — financial or otherwise — and anticipate and enable change.
Well may we say that change is as good as a holiday.
That may be true when switching things up from Mango Tango to Mint Choc Chip ice cream, but not so much perhaps when trying to shift ways of working. Change in the workplace is notoriously difficult to deliver if you don’t engage and collaborate with the people that inhabit it. We have to be friends with them, not foes or frenemies.
We play a massive role in helping them understand the risks lurking in the digital world. When they understand those risks and the measures we can take, resistance to embedding security controls in their daily routines drops dramatically. As your trusted friend, for example, I can recommend the Mint Choc Chip — because it's actually the best flavour — and help you adjust to the different mouth-feel of all those decadent choc chips smooshed into that oddly refreshing and smooth creamy-mintiness. You might even give me a scoop.
This point about genuinely befriending the teams in your business as a means of building trust and enabling change seemed to resonate right across the room.
But for the bad actors out in the world, every change is an opportunity. New technologies, new business models, new customer preferences, and new ways to pay all offer up moments and spaces that can be probed and tested by those with nefarious intentions.
The elephant in the room
Did somebody say ‘AI’?
Not too long ago we’d train people to recognise phishing scams by focusing on the calls-to-action, for example, or by looking for grammatical errors and spelling mistakes — pretty clear warning signs that the vehicle of deception was not a legitimate piece of communication. But, as was demonstrated in a session at the summit, AI has weaponised phishing.
AI scripts can be used to analyse and gather vast amounts of data to produce extremely personalised and convincing messages designed to deceive. Not only that, AI can be used to evade detection by security systems by analysing and mimicking legitimate communication patterns. This makes it harder for traditional security measures to flag malicious content.
They're becoming more and more evolved. So for us and the security vendors and partners we might engage, it is vital to work relentlessly to enhance our security posture, invest in new behavioural-based detection — for example — and keep as close as possible to the bad actors in this extremely consequential, fast-moving cat-and-mouse game.
A game, however, it is not.
Games have rules, referees and boundaries that players must adhere to. Bad actors throw the rule book out the window. In their regulation-free space, they’re free to exploit whatever weakness they can find to launch DDOS attacks and embark on damaging phishing expeditions.
We might be talking about tech right now, but I revert to my earlier point about the importance of engaging with the people in our business. As friends we can connect, communicate, inform and encourage our people to report things that look suspicious. With the lines of communication and respect open, we are stronger and more resilient.
The world is in a phase of heightened geopolitical tension and conflict. DDOS attacks are weapons of war as those engaged in conflict attempt to bring down their enemies and those who support them. Australia has felt this directly. Aussie businesses are at risk because of these distant geopolitical conflicts, even those we’re not directly involved with.
Military and social conflicts are expanding and the attackers are targeting businesses, particularly small to medium businesses, hoping they don't have adequate security controls in place. It goes without saying that in the modern world, the tyranny of distance cannot protect Australia from these things.
Security as a product feature
As a payments infrastructure technology business, Zepto’s approach is to build the most solid security foundations possible. That might seem like a fairly obvious starting point, but our security infrastructure foundation has to support and protect our payments infrastructure and the client monies that flow through it. That foundation is something our customers rightly expect. Frankly, it's non-negotiable, and it feeds into our view of solid baseline security as a product feature.
By that I mean understanding the landscape and regulation where we work, understanding what our customers want, and then building security controls that are product features. Those security controls are beneficial to Zepto because they reduce risks of customer accounts being compromised, but they’re a feature for the customer because they might enable them to move faster and meet their regulatory requirements.
Likewise, under the hood, Zepto’s authentication foundation is very complex, but our API is designed to be really easy to integrate with. The combination of safety, speed and convenience is undoubtedly a security-first product feature. It enables our customers to innovate and safely deliver extraordinary payment experiences on a solid foundation of security.
Common ground, sovereign capability and data sovereignty
Throughout the day, we heard from consultancies, we heard from the energy sector and other industries, and there was a lot of common ground. How we think about security and resilience seems universal regardless of industry, company size or other factors.
The importance of engaging with regulators to ensure that frameworks are modernised as required and fit-for-purpose was a common theme. It’s something we put significant resources into at Zepto both in terms of influencing payments policy and encouraging the government to support the development of sovereign capability in the Australian tech sector, and to bring it into focus from a procurement perspective.
Data sovereignty — the idea that data is subject to the laws and governance of the geographic location in which the data is collected and processed — in the context of a global digital economy was another hot topic. It was clear in the room that storing data in the jurisdiction where it originated is an important principle for both data privacy and data security. But many vendors come from other jurisdictions, which may influence where the data is stored. And what if your vendor comes from a country engaged in conflict? Little wonder this was a hot button issue.
Leadership
The day was rounded out by a brilliant keynote from former Detective Inspector, Forensic Services Group, NSW Police Force, Peter Baines.
Rather than focusing on technology and security, Baines spoke about the importance of resilience in your people. Having led response teams in some of our region's most catastrophic disasters, his insights into leadership during crises were fascinating. Some of my learnings from his session, which deeply align with my values:
Being present and visible to your team is essential. At some point you might not actually be able to do anything as a CEO, CTO or Head of Security, but just being present can be a great source of comfort and inspiration to your team.
The stress of a crisis can lead people to grind to a halt. Getting started on something decisively can inspire a team into action.
Things can shift quickly in a crisis, change can be constant. How you as a leader deal with uncertainty can set the tone for your team. Likewise, preparing your people for inevitable change can have an immense impact on success or failure.
Layers of bureaucracy add friction and latency when fast decisions need to be made so we can act with speed. Structure is vital, but so is keeping bureaucracy to a minimum.
By taking care of their people and business in these ways, leaders can foster the resilience required to navigate the most challenging situations.
You don’t have to wear a cape.
But help your people with theirs, and you might just see who the real heroes are when it counts.
Australia's BECS payment framework is slated for retirement by 2030. That might seem a way off. But as Richard Watson stresses in this article, consumers already want what 2030 will bring. And acquirers, gateways & PayFacs can act now to give it to them.
Read more
In late 2023, the Governor of the Reserve Bank of Australia — Michele Bullock — delivered the Annual Payments Address at the Australian Payments Network Summit. Governor Bullock described the Payments System Board’s strategic priorities, and drew a 2030 line-in-the-sand for Australia's legacy BECS framework. As Chris Ponton Dwyer says, the payments modernisation starter's pistol has been fired.
Read more