June 07, 2024

00:33:44

Episode 261 Deep Dive: Thomas Fikentscher | The Executive Leadership’s (C-Suite) Role in Staying Informed and Ensuring the Right Investment is in place to comply with the Critical Infrastructure Risk Management Program (CIRMP) requirements

KBKAST



Show Notes

In this episode, we’re joined by Thomas Fikentscher, Area Vice President ANZ from CyberArk, as we delve into the critical topic of effective communication in the context of government concerns and cybersecurity risks for businesses. With a focus on the evolving landscape of legislation and compliance, Thomas shares invaluable insights on the proactive strategies, challenges, and collaboration needed for organizations to navigate and implement robust security architectures and risk management programs. Join us as we explore the complexities, uncertainties, and promising developments in this crucial area of business operations.

Thomas Fikentscher is responsible for driving strong customer and partner engagement and expanding CyberArk’s emerging cloud business in the region.

Prior to joining CyberArk, Thomas was Chief Revenue Officer at JXT Global, and has more than 20 years’ experience in the IT industry, including significant stints at Oracle, Ingram Micro and Sun Microsystems. His extensive industry and leadership experience – particularly in the cloud domain – has been invaluable to CyberArk, helping grow demand for Identity Security solutions.

When it comes to cybersecurity, Thomas sees a significant opportunity to bridge the gap between technology jargon and business language. A big part of this is helping company leaders understand the importance of identity security to organisational risk management.


Episode Transcript

[00:00:00] Speaker A: Action is a good thing, and we've seen tremendous success and progress in some organizations. It's heavy lifting. It's not easy. But if the right like-minded people get together and start to move things forward, you can put security architectures in place. And if you actually do that together with your business partners, with the customers, involve some government viewpoints, you can really achieve major milestones in a reasonable timeframe.

[00:00:26] Speaker B: This is KBCs as a primary target for ransomware campaigns, security and testing, and.

[00:00:34] Speaker C: Performance risk and compliance. We can actually automatically take that data and use it. Joining me today is Thomas Fikentscher, Area Vice President ANZ from CyberArk. And today we're discussing the executive leadership's role in staying informed and ensuring the right investment is in place to comply with the Critical Infrastructure Risk Management Program, which is also known as CIRMP. So, Thomas, thanks for joining me back on the show, and welcome.

[00:01:03] Speaker A: Thanks for having me again.

[00:01:04] Speaker C: So, okay, let's start with how executives should stay informed, because there's a lot of new legislation out there, there's a lot of things to digest, a lot of things going on. People feel overwhelmed. So maybe what's your sort of advice when I ask you that question? What sort of comes to mind?

[00:01:20] Speaker A: Yeah, I think I totally understand that it's difficult to digest all the information out there. I've got the same problem very often. There are a few things that I would recommend, and principles that I follow myself as well. First of all, I would always consume information in a sort of summarized format. We're talking about the executive level here, a board-level audience, rather than reading policy documents. I think the summarized format would be more like a fact sheet. And I mean government bodies, they actually issue fact sheets related to things like the CIRMP. Board papers with relevant business impact statements or business cases would be a good summary format as well. That's one element. Even more importantly, I think looking for information, digesting information in the context of a business model, and then also looking for opportunities related to legislation is important as well. So what do I mean by that? I think there's insurance companies you could talk to when it comes to how they view the risk of critical infrastructure and how they actually look at their own insurance policies, like loss ratios and the pricing associated with critical infrastructure assets. I think that's important because that has a monetary impact on your business. I would talk to law firms and their interpretation of what the legal impact of certain obligations is. I think that's a good angle. Also, talking to your peers in other industries or in other organizations, for example, the Australia Israel Chamber of Commerce. They run quite good sessions and forums where you can meet your peers. As a specific example, there's one coming up later this year with Joseph Longo, who is the chair of ASIC, and he will basically talk about regulatory priorities when it comes to cybersecurity and cyber resilience. And that's really specific to the financial services industry, but it's also about identification, protection of information in critical services like payment systems. And another angle I would also cite is talking to investment bankers or corporate bankers when it comes to understanding valuations based on asset security. So you could look at company valuations and say, what does asset security actually mean? When you want to buy a business, you want to sell certain parts of your business. I think that would be important as well. And government-specific information. The Department of Foreign Affairs issues papers like the overview of cybersecurity obligations for corporate leaders, which is a good one. The latest one is Governing Through a Cyber Crisis, which is a really good guidance paper. So these are all pieces of information that are relevant, in my opinion. And, well, they can also use your podcast, because I think you also assemble a lot of relevant speakers, and that information is also quite relevant. So that's just a few of my thoughts.

[00:04:06] Speaker C: Yeah. And I think there's so many things, like you've rattled off a fair few things, and do you think it's hard for people to wrap their head around? That's why I wanted to bring on the show, like just give people sort of the main things, because, yes, we could be talking about this for hours if we were to get into the detail of it. But on that front, have you actually personally read the legislation in detail?

[00:04:24] Speaker A: No, I haven't. But I have looked at certain elements of the paper and understand what the critical infrastructure definition actually is, which assets are impacted by that. I try to understand sort of the gist of it when it comes to what material risk means, how they define supply chains, things like that, penalty units that are stipulated in the document. So I've gone through some of those elements, but it's quite a legal paper. It's not that easy to read. There are lots of subsections and references to the 2018 SOCI Act, so you have to jump between those elements. So I don't think it's easy to digest, to be honest.

[00:05:00] Speaker C: Exactly. And the reason why I asked that question is because when you're, and it could be longer than 400 pages, I'll have to just double check that. But that's a long document for people to, your phraseology, understand the gist of. So that's why I want to sort of do, like, more of a high level, because with anyone that's a long document to read, especially for executives, they're time poor. They've got other things that are on their mind. So I understand that. So maybe from your perspective then, Thomas, like, what is the gist then, if you had to sort of summarize that? Because again, what we're trying to do here on this show is give people an overview of what they need to know at the executive level. Yes, we can get into the detail, but at a high level, what do you think are the main points that people listening really need to understand?

[00:05:45] Speaker A: So, first of all, it refers to particular assets. So examples are broadcasting assets, electricity assets, liquid fuel assets, or particular assets in the transportation industry. So I think, first, it's important to understand what's meant by critical asset. That's the first one. The second one would be it uses particular wording, for example, like identify material risk for a hazard that has relevant impact on a critical asset. It talks about minimize, eliminate material risk so far as is reasonably practicable. So that's the kind of wording being used. So it's important to look at this legislation and understand what is material risk. So, for example, it's defined as a stoppage or a slowdown of a critical asset's function for a particular period of time. So that's the kind of wording that you need to pick up, and then someone, and that's why I'm saying it's important to talk to peers, talk to a law firm, needs to translate that into what does that mean for your business? So if you run an electricity company, you've got SCADA systems. Are these assets that are actually impacted by that? What could happen with them in a hazard? What does slowdown mean? I think that's important to understand. It also refers to the supply chain side, for data that's held outside of Australia, certain information assets that are held outside of Australia. So I think that's fairly clear to me. And I think it also refers to personnel hazards when it comes to your internal critical workers, the suitability of those workers to access critical information. So there are some of the elements in there that I picked up that are important to understand. As I said, the wording is sometimes slightly confusing and needs to be translated in terms of what it means for your individual organization.

[00:07:29] Speaker C: So with the wording, because it is a little bit confusing and a little bit convoluted, do you think that then means that there's risk that people don't understand something, things are overlooked? Do you think there's that side of it as well?

[00:07:40] Speaker A: Yeah. So I'll give you a specific example, because it's quite topical. I was on the road yesterday and I sat down with the CISO of an electricity company, a very large one, and we spoke about, in particular, the implementation of that risk management plan. And the first question we discussed for probably 20 minutes was what is actually a critical asset? So think about a very large organization like an electricity business. That particular business runs over 200,000 poles and wires in the distribution network. So what is a critical asset? Is the whole distribution network a critical asset, or is it just particular technology within that distribution network, certain nodes that need to be managed? Is a power plant a critical asset, or only certain aspects of that particular power plant? That in itself is something that is not 100% clear.

[00:08:29] Speaker C: How can it not be clear, though? Because then something being in totality, the whole distribution network, versus one element of something or one node, to your point, that's a very big sort of delta, wouldn't you agree?

[00:08:41] Speaker A: Yeah, I agree. And I think that's where the confusion comes from. And I'm talking about the CISO of a large energy business here, asking that question to himself and to the organization. I think that's where the consultation with government, and in particular the Department of Home Affairs, is super important. I don't believe everything has been answered, but that's why organizations need to build a relationship with government and consult, ask those questions, explain their own setup, and make sure they get some answers specific to the business that they run. I think this is work in progress.

[00:09:16] Speaker C: The part that I don't get is, but how can things not be answered? So effectively, if I zoom out, basically the government wants critical infrastructure businesses like energy, power, those types of things, water, utilities businesses to comply, but yet they don't make it clear how to comply. That's the part that I don't sort of get. If you've got to be really prescriptive, or else if people are missing very key components, then therefore we are going to have a problem, like it. I just kind of just don't get how we can't be clear in the communication and being very prescriptive with what people are trying to do. People do want to do the right thing, but again, if things aren't worded in a way that makes sense for people to understand, things are going to get missed.

[00:09:57] Speaker A: Yeah, I agree with you. But at the same time, I'm not surprised, because if you look at the whole evolution of the legislation, if you go back to 2018, you had the original act, then you had the Security Legislation Amendment (Critical Infrastructure) Act, so SLACI, then you had the Security Legislation Amendment (Critical Infrastructure Protection) Act, so it's called SLACIP. And then you had the risky assets being defined, and you had the systems of national significance being defined. So it's like there's an evolution, and it's almost like going layer by layer further into the complexity of the matter. And I think that's where we now haven't seen the end of it, because the more it becomes clear how complex some of those business models are, and not just within the boundaries of Australia, within international supply chains, I think the more the legislation needs to be further refined and clarified and things added to it. That's why the dialogue between companies and government is so super important. I don't think we have seen the end of it.

[00:10:55] Speaker C: Where do you think is the end?

[00:10:57] Speaker A: I think there's none, to be honest. It's going to be an ongoing process, and I think that's fine. The iterations in improving that, if you look at what the government tries to achieve, to be the most secure country in the world, that's a big, ambitious objective. And we'll have iterations. And I think it's probably going to be an ongoing body of work to improve that and getting better and better, and be more specific, relevant to particular industries, particular assets that are coming to the surface. That's what I think. So is there an end? Maybe? No, it's a programmatic effort to make it better and better and better.

[00:11:30] Speaker C: Yeah. So that's a good sort of response, Thomas, in terms of where does it end? Because it is hard for people, and there's a lot of things going on in executives' minds, and that sort of leads me more now to my next question. So how would you advise the C-suite to help the CISOs comply with ongoing obligations under the CIRMP? And maybe even cite your example with your client yesterday that you saw? Because perhaps there's something in that meeting that people can find insightful.

[00:12:02] Speaker A: I found it extremely insightful to understand the complexity of managing such a large company. The first one I would mention, which is super important, is improved communication from the top down, like boards, executive teams, all the way to different business units. So the importance of a program like the CIRMP for the business needs to be communicated not just as a one-off, but in ongoing forums, town halls, different forums in the business, and accountabilities that include the different business units, like general managers of business units, need to also be made very, very clear, so they provide full support for the adoption of the required security controls in the business. So that's the first thing I would mention. I would also mention that there needs to be an organization structure created to enable CISOs to do a good job and effectively execute a program. Yesterday we talked about different agendas in the business and different priorities in the business, and that led to a delay in terms of a tender process and being awarded to go forward. And it's just agendas. I totally get it. If you have a business that needs to transform into renewable energy and has a lot of priorities, then people sometimes see that as a bit of a sideshow. But then you have delay in terms of your security obligations, which has then monetary impact to the business as well. So it needs to be communicated, needs to be enabled organizationally. I think it's also good to set up a cross-functional task force, and that includes the risk function of the business. So yesterday there was a discussion about hiring a general manager for risk and compliance. It includes the technology function of the business, or functions of the business. It includes the security function in the business, and then the business process responsibilities as well. So that task force, as a coordinating task force, is a good investment. I think setting up a cyber incident subcommittee at a board level, for more of a governance function, I think is important. And even as a board, investing time in simulations and running simulations of what could happen, I think, is a really good investment. It's a time investment, because in these businesses you have a lot of legacy, you have organizational complexity. There's many priorities that people need to figure out what comes first. So all of that needs to be overcome by what I just mentioned. I think that's what I would say.

[00:14:28] Speaker C: So from your experience, what do you think worries people the most about this? Because even when you're speaking, I'm like, oh, that's a lot of stuff people have to do. And a reminder that this is only like 10% of what other people have got to do every day, because, you know, trying to keep the lights on. If you're running critical infrastructure like utilities, people don't have electricity, very soon people start to arc up pretty hard, as we've seen with other telcos and that in the past. So of course there's always that added stress and pressure to make sure that things always need to be running. And then also sort of the downstream impacts. There's no electricity, for example. There's a lot of impact on things. So what would you sort of, what comes up in your mind when I'm asking that question, or what worries people the most about this? Because you've already sort of said the comms from the government in terms of the detailed legislation, et cetera, isn't super clear. So that then means that there's more of an onus then on each business to go back to the government to start to understand, well, what do you mean specifically? Then you've got to make sure you actually know what you've got. Then you've got to try to protect it. Then you've actually got to give an update. There's a lot of things then on that. So at what part do people feel overwhelmed by all this?

[00:15:35] Speaker A: I come back to what I said before on the communication side. You can form a position where you wait for the government to be perfect and explain everything in ultimate detail. But I don't think that's good for your business either. If I'm an executive in an energy organization or a healthcare organization, I mean, yesterday I was in the healthcare business as well, later in the day. You have a business model to defend. And a lot of them, they make huge decisions on capital programs, because everyone talks about digitization. I think it's important to communicate to the business, to the wider business in those town halls or communication forums, what is the risk to the business model that you actually want to run? What are the government concerns, obviously, and why is the government concerned about foreign state actors interfering with your assets and how they're hunting for that particular environment? So if you communicate that effectively, I think you get the buy-in. And it's not just like, I have to comply with a government regulation. It's, I have to defend my business model. I have to defend our position in the market. I have to defend our reputation. I think that's really super important and comes first. I mean, we're talking, like going back to my example of changing an energy company into using or leveraging the opportunity of renewable energy markets. They're going to introduce 50,000 smart meters. And every smart meter potentially is a cybersecurity risk. Well, okay. I mean, there's an opportunity here for you to gain market share and to get more retailers on your network, to get more customers on your network, but at the same time, you want to make sure that it's actually without disruption. And I think if you explain that in the context of your business model and defending your business model, people will get behind it.

[00:17:17] Speaker C: So do you think people are doing that, though, or not really effectively, in terms of explaining the context?

[00:17:23] Speaker A: The feedback that I'm getting is a bit more patchwork. It's still communicated in silos and not necessarily consistently company-wide. That's where executives and boards can certainly jump in and improve that. I mean, there are departments and businesses that actually talk about internal communication. Some of them have internal communication specialists sitting in HR and marketing, and it's possible to actually do that programmatically. I think that's where it can be improved.

[00:17:49] Speaker C: So in terms of, like, comms functions within businesses. So something that I have observed in my own career is you've got these comms functions, but the people aren't necessarily from that background, like a cyber background. There can be disconnects, because sometimes the vernacular used in cyber, or you and I might speak in shorthand because we kind of get it, but then it's like there's someone else, perhaps, who's a comms professional, but they're like, hey, like, what does that then sort of mean? Do you think that, yes, the function's good, but sometimes the background does make it even more challenging, because you've got to explain certain terms? Are you seeing a bit of that as well, in terms of this conundrum with the comms people?

[00:18:28] Speaker A: Yeah, I think you're right. Last time we met, we spoke about the requirement to talk in plain English, if you recall that. And I still believe that requirement is super important, to talk in plain English. There could be an outside expert from consulting firms, organizations like ours, to come in and help a little with their communication. Yesterday I had this recommendation to the CISO, to say, let us come in early, work with you. You explain your business context. We actually come in with a cybersecurity lens, and we try to educate your engineering teams quite early in what's possible. So, you know, you give us the context, we give you the specific cyber aspect, and maybe together we can transform that and instill or inject some change. So it's not just always you have to do that within. You can get external help to be able to overcome that communication challenge.

[00:19:23] Speaker C: Because that sort of, again, leads me to my next question around how to elevate that then to, you know, more senior folks or board members and that. So how do you sort of take that conversation to make sure the right people are getting their eyeballs on it? It's getting the attention, because again, if you're not explaining yourself, you don't make sense, people are just not going to care. So how would you advise people to do that effectively and optimally?

[00:19:44] Speaker A: If you ask me about further, like, you know, investments that you can make in the business, I mean, if I sat in some of those forums, exec forums, I would invest more into business analysts to be able to create more visibility of the problem in the business. Sometimes the baseline has not been established. How big is the problem, actually? So create visibility and make sure the baseline is clear. Everyone understands the magnitude of the problem. That one is then easier to understand and easier to communicate. Some organizations have already invested in digital transformation resources, like a chief digital officer. I think there's an underinvestment when it comes to CSOs, chief security officers, because you can also drive security transformation, not just digital transformation, and that's the job for a CSO. I would invest more in that space. And the CSO then, together with the comms function, can communicate on an ongoing basis, particularly in organizations and sectors where you have massive capital investments and they are dependent on the secure introduction and the management of critical services. So I think that's another one. I also would probably look at some investments in better supply chain management, vendor and alliance management. The analysts that I just mentioned could assist, but there's a bit of lobbying required to initiate change in that space as well. So, you know, if you have external, if you're in healthcare, like I mentioned, yesterday I was at one of the healthcare companies. They asked about medical device manufacturers and how they could be brought into the tent, like the GEs and Siemens and Honeywells of this world. So if you have better alliance management, you can talk to those organizations a lot earlier. So that's just some examples that I would mention that could improve the situation.

[00:21:27] Speaker C: So in terms of your comment around the lobbying, do you think that that's getting a bit better? And I know when we did speak last time, we obviously spoke heavily on the comms part, which has been a very big problem for a very long time, and it still is a problem. I do think it's changing. But again, maybe there is more of this lobbying that has to happen internally as well as externally. Are you starting to see that shift, that perhaps people are communicating in ways, they're bringing in the right team, they're getting the right business analysts to understand what this means and put it in ways that people can understand? Is that changing? Obviously not quick enough, but are you seeing it go in the right direction?

[00:21:59] Speaker A: I do. It is changing. So we see different maturity levels in industries. I think the finance sector is certainly, in my opinion, the most mature. A lot more people are involved now in the topic. There's business analysts, program managers, there are all sorts of different functions who are actually stepping in. And I think that's directly from the top. That's the highest maturity level. The energy companies, the healthcare companies, the freight management companies, food and beverage organizations, all of those organizations who are listed under critical infrastructure, they have a little bit of ground to cover, but they're coming along, and again, not at the same maturity level yet, but they're certainly coming along pretty quickly. And then there are some industries who are probably at the early start and early beginning. So it depends on where we look at, but I think year by year there's an improvement. People get behind it, and it's a good thing.

[00:22:50] Speaker C: So from where you're sitting, with some of the customers that you speak to and people, obviously people need to be on the front foot, as you've clearly articulated throughout this interview, that you can't sit around waiting for government. You've got to actively go out and understand it more, protect your own business, making sure that you are, yes, the compliant side of it, but you're doing the right thing. Where would you sort of start? Because sometimes, where's the front door to some of these companies as well? Who do you even, do you just call someone up? Email people? How does it work?

[00:23:20] Speaker A: It's hard to say, because it's very specific to the organization and the industry. I don't think there is a step-by-step sort of script that applies to everyone the same way. I believe I mentioned before, I think talking to peers, especially peers that are in organizations that probably have achieved a higher level of maturity, is probably a very, very good start, because you don't have to reinvent the wheel if you listen to someone who has already established a program, an organization, a structure, a communication model that's effective. And I would encourage especially members of the C-level and board members to spend a little bit of time with their peers and listen to what they are doing. The Australia Israel Chamber of Commerce, I mentioned that before, is an example, and has had in a couple of their sessions a senior audience, and you get some good understanding of what's possible, get understanding of their risk appetite and how they actually align risk appetite with particular measures. And I think that one probably will help to fast-track things a little bit, rather than spending too much time on planning and execution. That's probably the best advice I can give.

[00:24:32] Speaker C: And do you think, from your perspective, executives and board members are taking this a bit more seriously? Because when I spoke to you last time, I think we spoke around, like, CISOs being sort of at the, you know, the lower end of the pecking order. Do you think that's sort of changing? I know we didn't speak sort of, you know, five years ago. It was only sort of within the last 18 months. But do you think that's sort of changing? Are people taking this a bit more seriously?

[00:24:56] Speaker A: Yes, they sure do. And again, I asked the question all the time yesterday in two of those meetings. Do you have full support by the board? Yes, we do. We have full support by the board. We have to report every month. That was the energy company I mentioned. In the healthcare sector, that's a government healthcare environment, or public environment. Same thing all the way through the organization. Everyone is involved. There were actually six people in the room from different functions, and all of them were aligned and on board. So I absolutely see that. I think there's no choice, to be honest. If you look at the credibility of the breaches that we've experienced, people should be awake. It's pretty irresponsible to not be awake. So, yes, I see movement.

[00:25:37] Speaker C: What about for some of these regional folks, though, that perhaps, and I've spoken to, and they were saying, like, hey, I don't think some of these regional people understand really what's going on. So how do they sort of come into the mix then?

[00:25:46] Speaker A: Perhaps I don't have full visibility of everyone who's out there. I can only tell you what we see in terms of being involved in projects. You mentioned water. So water management companies, most of them, at least the bigger and medium ones, are absolutely in the market to look at better technology and improve their security. Along the western seaboard, there's a big one. There are a couple in the big cities and even regional water management companies. I could probably give you three or four examples of organizations that are trying to improve their security posture. I'm not sure. Of course, there would always be some organizations that are behind and maybe even a little bit complacent, and that's a leadership topic, to be honest. But by and large, at least in critical infrastructure sectors, I think people have woken up.

[00:26:37] Speaker C: What do you think defines someone as complacent? So perhaps people not being on the front foot, or people being more reactive and on the back foot?

[00:26:44] Speaker A: Yeah, it's a question of strong leadership and belief. Maybe there are companies out there, and anecdotally I hear the stories, where the leadership believes they wouldn't be hit, and even if they were hit by a cyber breach, they could deal with the situation. But the board and the executive teams are ultimately responsible and should feel the heat, quite frankly, if things go horribly wrong. We've had too many examples of what could go wrong. And I think, honestly, I personally think it's highly responsible to introduce services, especially if they're critical services or even new digital services, without strong security wrapped around. In particular, when it comes to healthcare services or transport services or telecommunication services, all those fundamental services that you rely on. So, well, that's complacency for me, if you don't act on that.

[00:27:34] Speaker C: Surely people must have learnt some of their lessons from observing other players that have been impacted. But I guess time will tell. So what do you sort of see in the next twelve months? And I have spoken a little bit about this topic on this show. What do you think's going to happen, and do you have any sort of insights? I know you're not Nostradamus or anything like that, but I'm just always curious to understand, are we moving in the right direction? Yes, but what does that look like from your point of view?

[00:28:01] Speaker A: So we started talking about the risk management plan. I mean, this is a pretty significant year. So this year it's the first time that the boards and exec teams have to basically sign off on a risk management plan. They've got 90 days post the end of the fiscal year. So by the end of September there needs to be a signed declaration to the Department of Foreign Affairs that the risk management plan is in place and is up to date. So that drives behavior, and I can already see that drives certain projects and programs. So I think that's what sort of the near-term scenario is, and it applies to energy companies, water management companies. It drives particular financial services, technology, infrastructure and architectures. So I think that's the next thing. And then after that, I think we're probably going to see more iterations of legislation. We'll probably see particular systems specified that need to be further secured. People will have learned that some of that is quite complex or even more critical than people thought it would be, and it might actually be embedded in further legislation. That might be the next twelve months to 18 months, but for this year, people will have to put some plans together and put a signature underneath and submit that, and hope that the government is not going to step in and ask for further reviews. That's what probably will happen in the next twelve to 18 months.

[00:29:21] Speaker C: Do you think they may do that, though?

[00:29:22] Speaker A: Well, they've indicated they can. They've indicated they could step in and review contractual arrangements. They have the right potentially to look at procurement plans. They could actually review tenders that have been issued. So by legislation, government is entitled to do that. I don't think anyone wants that, necessarily. And I think the government is actually, when you read the provisions, they're fairly reasonable as long as there is a dialogue, and everyone in corporations should probably get into that dialogue. It's a good thing, in my opinion. It's a good thing to understand how the government thinks and not just react to penalties and be on the back foot.

[00:30:03] Speaker C: What do you think about the penalties, though? Because look, for some of these fines, it's not a lot of money for a lot of these companies, right? They just rip it out of their, you know, their Maserati that they drive around in, in terms of these fines. Right. So do you think that does nothing to these people, or do you think it does something?

[00:30:19] Speaker A: Yeah, I mean, the monetary penalties are there. I mean, if you read the act again, the penalty units in there. So if you don't review, then you could actually be hit with 200 penalty units. And I think one unit is worth $275. So if you translate that, it's about $55,000 per breach. If you don't review and update your risk management plan, that's $110,000 of a potential penalty. That's not a lot of money for a large corporation. So the monetary side, I think, is not necessarily the biggest threat. But I think the fact that someone could come in and audit your organization, disrupt your operations and really slow you down, I think that's a big penalty. That's what I hear. People don't want that to happen. And going back, and apologies for citing this example, but it's so timely because I was discussing that yesterday. They want to demonstrate that they have a program underway and it's accelerating, to avoid further scrutiny by the government. Because I think disruption through government audits is a big penalty.

[00:31:19] Speaker C: And do the organisations have to pay for that audit as well? Does that sort of come out of their budget if they choose to investigate further?
[00:31:25] Speaker A: To be honest, I don't know. I wouldn't be able to give you an opinion on that one, whether there is a payment associated with that, but the indirect cost of distracting people from what they're supposed to do and time is a big disincentive. [00:31:39] Speaker C: So, Thomas, do you have any sort of closing comments or final thoughts today? [00:31:43] Speaker A: Action is a good thing and we've seen tremendous success and progress in some organizations. It's heavy lifting, it's not easy. But if the right like minded people get together and start to move things forward. You can put security architectures in place. I mean, I'm a bit selfish here because it's exactly what we do. We're very close in line with our technology to the critical infrastructure risk management program. What we do and the programs that we are running is quite significant for organizations. And if you actually do that together with your business partners, with the customers, involve some government viewpoints, you can really achieve major milestones in a reasonable timeframe. And I think that's a good thing because it allows you to launch services, new services, highly risky services like healthcare services. I mean, yesterday we spoke about robotic surgery, digital surgery platforms, and everyone was like, okay, I wouldn't want to be exposed to that unless there is a lot of security associated with those services. It's possible to do that if you've done your homework, and I'm quite encouraged to see that people are getting on with it. Not everyone, but a lot of organizations have lessons so positive. I'm pretty excited about what's possible. [00:33:01] Speaker B: This is KVCast, the voice of cyber. [00:33:06] Speaker C: Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today. [00:33:14] Speaker B: This episode is brought to you by Mercsec, your smarter route to security talent. 
Mercsec's executive search has helped enterprise organizations find the right people from around the world since 2012. Their on demand talent acquisition team helps startups and mid sized businesses scale faster and more efficiently. Find out [email protected] today.