ANZ infosec chief sees ‘moral obligation’ to collaborate on cyber security

ANZ Banking Group has a “moral obligation” to collaborate with other organisations to help improve cyber security, says the bank’s global head of information security.

“I believe quite strongly…that we are stronger together,” Steve Glynn told a CEDA Digital Bytes event in Sydney today. “And because we form part of a national critical infrastructure there’s almost a moral obligation to extend beyond our organisation and collaborate in order to improve our defences.

“The bad guys collaborate, so therefore why don’t we?”

He urged industry to share threat intelligence, despite potential risks, because it was “the right thing to do”.

“For us to share this information, it does carry risk. But we do it. And we do it because we feel strongly that it’s the right thing to do. That if we lead, and we do that, others will respond and come up and we will be stronger as a whole as a result.”

As well as ANZ’s collaboration with government and universities, Glynn said he shared expertise via an email thread with his security counterparts at other companies, including Telstra’s CISO Mike Burgess, who also spoke at today's event.

“Just yesterday we were emailing amongst a group of heads of security from a number of different organisations,” said Glynn. “It wasn’t too sensitive so it’s all okay.”

One of the components of the federal government’s national cyber security strategy, which was unveiled in April, is boosting collaboration within the private and public sectors.

The strategy includes as a priority establishing joint cyber threat sharing centres in key capital cities. The strategy document states that the centres will be co-designed with the private sector and co-locate businesses and the research community together with state, territory and federal agencies.

The government said it would also establish an online cyber threat sharing portal that will “enable participants in joint cyber threat sharing centres to quickly publish threat information and practical advice that Australian organisations can use to strengthen their cyber defences”.

Burgess told attendees at the CEDA event that Telstra worked with each of its internal business units to ensure staff take responsibility for cyber security.

“Cyber-crime is just crime, cyber-espionage is just espionage, hacktivism is just protest,” he said. “There’s nothing new in any of that. What is new, however, is technology connectivity now means that crime, espionage, protest and let’s face it, mistakes, can now happen at a pace, scale and reach which is unprecedented.

“We take a very collaborative approach to this: Every business unit needs to understand this is a business risk and how that risk manifests for their business unit. It’s not my responsibility solely, it’s not the CIO’s responsibility – every business has that responsibility. It is not an IT problem. It’s not something that rests with the IT department.”

Glynn added that ANZ promoted cyber security internally by sending fake phishing emails to its own staff.

“I’m probably less interested in the number of people that click on the link because I know at least one – many, many more actually – will click on the link. I’m more interested in how many report it.”

Glynn and Burgess agreed that educating staff — the “human firewall” — was one of the most important elements of a successful cyber security strategy.