Touted as Australia’s largest cybersecurity event, the AISA (Australian Information Security Association) CyberCon2018 conference attracted over 2100 attendees. The event was held on 9-11 October, 2018 at the Melbourne Convention Centre.

Judging from the record-breaking attendance, it’s apparent that cyber security tops the agenda for many Australian businesses. And so it should. Recent Malwarebytes™ research found that two thirds of Australian companies had suffered a security threat during the previous year, each worth an average of approximately $861,789.

Built on the theme of Innovate, Disrupt, Change, the premier event brought together a wide-ranging audience to hear of the latest insights, case studies, best practices and thought-provoking content from leading security practitioners and thought leaders across the world.

Host Tracey Spicer, who was again an exceptional MC, added a touch of humour to the serious subject of cybersecurity. Over the two days there were around 110 speakers for the vast congregation to tap into.

Here, I’m sharing my three personal highlights with the first being listening in on Gregory J Touhill’s presentation ‘It’s time to stop today’s insanity!’

As Touhill is a retired Air Force general officer, there was a military flavour to the presentation, which included ‘The Perimeter is Dead’, a historical reference to World War 1 and the Maginot Line. The Maginot Line was a defensive perimeter based on trench warfare built by the French after WW1 (1930) to defend mainly against Germany in the event of them ever invading again. I believe you know the rest of the story …

Thanks to Gregory, I also learned what the French spent their military funds on pre-1940, and how Germany got to invade Belgium before France.

Gregory outlined his five guiding propositions, which have been emphasised for many years across the IT, Risk and Security industry, being:

  1. Cybersecurity ≠ solely a technology issue
  2. Cybersecurity = a risk management issue
  3. Cybersecurity = people + process + technology
  4. Risk ≠ 0
  5. There is no “perfect” way to manage risk
  6. One size never fits all

All are very significant to the cyber environment we find ourselves in today.

You may not expect a branding segment at a cybersecurity conference; however, Dan Gregory’s presentation was just that. Gregory, of Gruen Transfer fame and considered a thought leader in the field of Communication Mastery, spoke on re-branding cybersecurity. Admittedly, I enjoyed this session the most as it was a thought-provoking delivery with several points resonating with me:

  1. As with all sales, the power is in storytelling, and let’s face it, we are all trying to sell cyber security until it is ingrained in our daily lives, as we have done with safety. While I have talked about this for quite some time, I must confess not as eloquently as Dan. He also suggests practising ‘Story Doing’ – an interesting concept of getting people to understand your story through actions relating back to them.
  2. Align with people’s values: who they are or who they want to be. A very good point, in that you link what you are trying to achieve with the client and align your goals accordingly.
  3. Your weaknesses are your best assets; they present the largest opportunity for growth and development.

One of the most astounding presentations was Brian Krebs’s piece on taking fake news to a whole new level and using it as an avenue for cyber-criminal activity. Krebs is an investigative reporter who is renowned for breaking stories on high-profile data breaches, having reported on the Target and Ashley Madison breaches to name only a few.

Krebs played a video that could technically have been embedded with malware – it wasn’t, of course, but you would never have guessed. How will the average person, let alone a child, fare when a computer-generated video disguised as a millennial superstar, or perhaps their idol, plays for 30 seconds while it infects or hijacks your PC, mobile device or, worse, your identity? As Corch X states, ‘in a voice that sounds exactly like their spouse calls and says they need the credit card number to pay for petrol because they left theirs at home’. Quite a startling prospect.

An analogy used by Krebs for cybersecurity ‘hygiene’ was based around four things a doctor may prescribe:

  1. Portion size matters – focus on protecting what is important, not everything
  2. Get plenty of exercise – practise your incident and breach response and recovery plans
  3. Listen to your doctor – cyber specialists exist; take the time to listen and then make educated decisions
  4. Challenge your security assumptions – what assurance have you got that your organisation is secure to your satisfaction?

Keeping pace with technology and how to maximise it ‘safely’ is something that affects all businesses. In the good old days, we used to build a wall around ourselves to keep us safe. Now, you build your strategy, think about your core assets and adjust your thinking to preserving what is most important.

As summed up perfectly by Touhill: best practice equals compliance; however, compliance does not necessarily equal best practice. If the intent of the organisation is to be thoroughly secure, then compliance is not the tactic; best practice is.