Chirag D Joshi’s Post

Transcript

Reasonable and proportionate. These are the two magic words that you heard me talk a lot about when I bring up the topic of strategic cybersecurity investments in order to manage risks effectively, because the investments, the measures, the controls that organizations need to put in place. Are highly dependent on the context of the organizations, the threat that they face, the business that they run. The risk that they're exposed to, and that's why these two words come up are reasonable steps. Proportionate to the risks that you face. Now, I'm telling you this because something really significant happened this week in the Australian cybersecurity landscape. This is the action that ASIC has taken against FIG Securities, where ASIC alleges that Feig Securities did not have adequate cybersecurity measures in place to put themselves and their clients in a good positions against cyber threats, basically. Uh, putting themselves and their clients at and heightened and unreasonable level of cyber risk. No. This brings to light one thing that is becoming very clear, that regulators are aggressively pursuing organizations that are not putting good cybersecurity and cyber risk measures in place. The other thing that is really relevant is the fact that Fig. Securities. Who by the way. Provide services that are related to fixed income products and services both and they also hold an Australian financial services license. That means there are certain obligations that come with it. Now this organization also currently has over $4 billion in assets under advice. So it's not insignificant. It's actually really significant if you think about it. But when you look at the filing that ASIC has done and there's a concise statement link that will post. Wrong. It is a host of cyber security measures that were missing. Right now, there's been a lot of coverage on this, so I don't want to go over them in a lot of detail because like I said, there's been there's been a lot of coverage. I've seen a lot of LinkedIn posts with AI generated summaries that are doing that anyway. So just for the benefit of the audience, some key ones that were missing were incident response plans not being in place, privileged access management controls not in place, missing MFA in instances, you know, poor monitoring of the environment. Not, not significant levels of awareness in training either. And then, you know, missing endpoint security controls along with the parameter controls. So again, a lot of missing measures here. So I don't want to go on about them. I think what I want to share is something that I thought was, you know, the leadership gap. And ASICS called that out where Feige securities, you know, considering their the nature of the work that they were doing and are doing, they did not have somebody who was at an equivalent level to a chief information security officer or even somebody was dedicated to leading cyber security efforts, which is a big problem, which is a leadership issue. And again, I don't claim to know you know much about FIG securities. I just went on their website and looked at the look at their executive leadership team that they have on there and I did not see a chief information officer there. I did not see a chief technology officer there. I did not see a chief information security officer there. Right. Maybe these roles were part of some existing leaders responsibilities, but by the virtue of them not being there it calls out it kind of brings to life this leadership issue. The other thing that I found was disturbing was in the filing. Is the fact that FIG Securities had policies and standards said all the right things? If those things were implemented, this situation could potentially have been avoided. Right. So they were aware of these things, they were aware of what good security looks like, but they did not implement them reasonably. Or to the acceptable level. And that has been the problem with cybersecurity, which is why I wanted to make this video is not to bash on anyone company or to rehash old ground, but something that I find is a significant problem is organizations don't like awareness. They know what good looks like. They probably paid consultants. Or wrote up these documents that said all the right things, but where organizational wide, industry wide we suffer is lack of execution and implementation of good security. Everybody talks a good talk, but the implementation is missing, which is why we end up in this situation if AIG Securities lost merely 4 gigs of data including really sensitive information. Text file numbers, passport numbers, amongst others. The thread actor was active in the environment for nearly a month. And there were tools, existing tools. Or flaring alerts. Nobody was looking at them. Well, not reasonably or in a timely or efficient fashion anyway. So that's why I want us to think about it. I want to think about cybersecurity as being a leadership issue, of being an issue of implementation execution, of an issue that requires contextualization of threats and adequate measures to be put in place. But also an issue that goes beyond just technology and tools to actually having the right leadership and monitoring and the right people and the processes to go with it. And not just throwing money at the problem of getting providers and thinking that's going to solve the problem. It doesn't solve the problem. And we see that repeatedly. So I hope this is a bit of a wake up call. I will do more talks on this issue and I already have some lined up that go into the the strategic cyber investment conversation of reasonable and defensible measures. So I'll continue to do my bit, but I wanted to hopefully, you know, share some thoughts with you here today that benefits you. Thank you for your thank you for listening.