Date: 2022-11-01

Eighty-eight per cent considered themselves to be under moderate or high stress

Corporate information security leaders shared the threats and challenges keeping them awake at night at Chillisoft's biggest ever CyberSecCon this month.

The security distributor's Auckland event came as the security landscape was being upended by the war in Ukraine, raising levels of concern about state-sponsored cyber attacks to extreme levels.

David Higgins, chief information security officer (CISO) at Kiwibank, told attendees incidents reported to CERT NZ had increased eight-fold annually since the agency was established in 2017.

At the same time, 70 per cent of organisations reported cybersecurity skills shortages had impacted them and their objectives.

For CISOs there was a personal toll to pay: up to 88 per cent considered themselves to be under moderate or high stress in one survey from 2020, with 48 per cent saying that impacted on their mental health.

Newcomers to the industry faced a disturbingly steep learning curve, making fatigue and burnout a "real threat to the industry at all levels".

"My only advice here: be kind," he said.

InfoSec professionals needed to practise self-care and recognise their own vulnerabilities, deconstruct the "hero complex" and give more priority to life over work.

Kordia Group CISO Hilary Walton stressed that technology and processes were necessary but not adequate components of cybersecurity. Culture also played a huge role.

However, two in five organisations did not have training in place to help staff understand how to prevent cyber breaches while only half were confident staff understood the importance of good password practice.

"It's more than just awareness, we have to change culture and behaviour to reduce people risk," Walton stressed.

Leaders needed to empower their teams to make decisions autonomously and to achieve shared goals by creating leaders at all levels, she said.

CISOs needed to treat security as a continuous improvement exercise and use change management models to move the dial on security culture, not just InfoSec models, she said.

Mark Knowles, general manager security assurance at Xero, told attendees that in addition to persistent phishing threats, ransomware attacks and the pandemic, the war in Ukraine was now also changing the threat landscape.

Knowles also stressed the importance of education, including testing reactions to potential events, running phishing simulations and reviewing business continuity plans and health practices.

Creating security champions, a culture that embraced security and recognising and addressing stress within the security team were all vital.

Eli Hirschauge, director of technology and acting CIO at NZX-listed insurer Tower, described managing cyber risk as a "journey".

Again, it was the "ABCs" of cyber security that could shift the dial: attitude and awareness, behaviour, and culture, but developing these takes time, Hirschauge said.

Hygiene in IT processes, such as removing old accounts and sustainable patching, takes time; developing the right culture and awareness takes time; partnering takes time; and "habit forming" and sustained investment take time.

After cataloguing the "cyber tsunami" of threats spurred in part by the war in Ukraine, Chillisoft CEO Alex Teh advised the industry to support training and intern programmes, support local MSPs with local teams, work with GCSB and the National Cyber Security Centre as well as programmes such as malware free networks, and adopt modern cyber products enabled and automated by artificial intelligence.

In the awards segment of the event, the winners by vendor were:

Imperva

Imperva best new partner – Linearstack

Imperva best NZ partner of the year – Silverstripe

ESET

ESET MDR partner of the year – Advantage

ESET consumer partner of the year – 2 Degrees

ESET Pacific Island partner of the year – VT solutions

CyberArk

CyberArk NZ partner of the year – Advantage

Chillisoft

Chillisoft project of the year – Sky City CyberArk PAM project with Advantage

450 people registered for CyberSecCon this year, making it the biggest ever, while over 200 attended the gala dinner.

