2021 Global Top 100 LinkedIn Live Panel Discussion – APAC
Did you miss our panel session? Tune in to this panel discussion with senior execs from the APAC region and find out how they are establishing a company-wide data security culture, how infosec professionals can display business value, and strategies to manage the shift to remote working.
Hosted by: Catherine King, Director, Business of InfoSec
Topics discussed:
- How have you been adapting your strategies to safely manage the move to remote working?
- What is the biggest challenge you are currently facing in your organisation, in terms of InfoSec?
- How are you creating and maintaining an organization-wide culture of data security?
Panellists:
- Ashwin Pal, Director, Cyber Security, Unisys
- Rob Wiggan, Associate Director, Information Security, QUT
- John Ellis, CISO, BUPA Australia & New Zealand
Australian Cybersecurity Leaders Discuss Rapid Move to Secure, Remote Work
While it has in many ways avoided the worst effects of the global coronavirus pandemic, Australia and its corporate and public institutions have nevertheless implemented huge digitisation and remote working processes in order to adhere to changes in public health policy.
A lot happens behind the scenes to enable a shift to remote work, and organisations in each industry will have faced unique challenges to ensure every staff member’s experience is as seamless as possible during such a transition.
We sat down with three of the 2021 Global Top 100 Leaders in Information Security hailing from Australia to hear how their security strategies were impacted and adjusted to meet the needs of a massive change to working life.
Major IT services provider Unisys had to be conscious not only of their own transition to secure remote work, but that of their customers as well. Cyber Security Director with Unisys Australia, Ashwin Pal, has both an internal and external perspective on how COVID-19 affected information security strategies.
“Two big things actually happened for us. One was making sure everybody could work remotely, and work remotely securely,” he says. “There was a lot of work that had to be undertaken with that regard. [For instance], VPN access and VPN-less-access in some cases. We actually had to upgrade our concentrators and all the rest of it.
“On top of that, we actually ended up moving a lot of our workloads into the cloud to allow for easier access. That was an interesting experience on its own. As much as we were [already] moving stuff into the cloud, that accelerated that journey out of necessity.”
Pal says VPN configuration and rapid cloud migration also trended among Unisys’ customers, with some more successful than others.
“We had some good stories, frankly, and we had some horror stories as well, where people just didn’t allow secure remote access and they had compromises and other issues. [There were] people that put workloads into the cloud and they weren’t secured appropriately, so that caused dramas too,” he says. “It’s definitely been an interesting experience for everybody in cyber just having to accelerate everything.”
Change in a Matter of Days
Accelerating change has been essential for organisations adapting to public health and safety requirements while still ensuring the integrity of their processes. At Queensland University of Technology, Associate Director for Information Security Rob Wiggan says the institution had just a ‘couple of days’ before it needed to go fully remote with not only learning and teaching, but also its corporate and research services.
“It was a big change in a lot of ways but in some ways, it wasn’t,” Wiggan tells the panel. “We’ve always had a certain cohort of people who worked at home or remotely or from other countries depending on where their research is happening. So, the systems themselves were in place, the capacity perhaps was not.
“We had to spend some time increasing VPN capacity and then just helping people who hadn’t normally worked off-site to be able to do so successfully.”
Also challenged by a changing funding model due to international student revenue quickly drying up, Wiggan and his team needed to be attentive to where they could be most effective.
“One of the things we decided to focus on was that most of our incidents come out of email. We’d spent some time well before COVID in securing our email boxes on whatever device people were using, so we had some level of comfort that we at least had that attack vector covered,” he says.
Challenged from Day One
John Ellis, Chief Information Security Officer at Australian health insurance firm BUPA, started his role just as COVID-19 was making itself well known around the world. He says he was impressed by how well the organisation rallied around the goal of enabling the business to operate remotely.
“We already had a number of the key ingredients in place, with a lot of the cloud services up and running,” he says. “We were also in the midst of a significant transformation program, so being able to mobilise a lot of those project resources to do work remotely was a big focus.
“The other thing that was really quite interesting in terms of learnings, was being able to look at taking a number of business practices that had historically been set up to work in an on-prem environment – call centres and things like that – and taking it into a virtualised setup.”
One unforeseen challenge Ellis mentions is working out how the company would navigate the complexities of certain security standards, such as the Payment Card Industry Data Security Standard, while staff work off-site.
“How we secure cardholder data when there are people sitting in a flat or apartment who might have flatmates and things like that… That was a really interesting experience,” he says.
Ellis says those complex problems were quite fascinating to navigate as the organisation accelerated projects it had already begun investing in.
“It also gave us confirmation that the direction we had been undertaking as an organisation by moving our workflows to the cloud – and I’m using some buzzword bingo terms here, but adopting a ‘SaaSy approach’ and zero-trust models – was the right direction,” Ellis says.
“It was a very interesting time. Certainly, as I had just joined the organisation, that was my first big challenge.”