For the first time I’m at the Australian Cyber Conference, “Cybercon”, in Melbourne. It has been an interesting day with some good presenters and people. In all, 6,000 people are expected over the three days of the conference.

I’m non-technical and most of my sessions are in the governance/people arena.

Today’s themes and key points are:

  • Cyber security is not the role of IT alone. Everyone from board level down has a role to play. IT provide the solutions; others provide the problem definition.
  • Responding to a cyber incident also involves many people. Again, this means C-level people beyond the CISO, but also Legal and HR. All should be part of testing a cyber incident response plan.
  • “Reasonable” is a term used often in Australian cyber-related law. What is reasonable depends on many factors; however, it is the business that initially decides what is reasonable, and it had better do its homework and show its working. Every decision not to act and protect data may be reasonable, but if the reason isn’t documented, it didn’t happen.
  • s912A of the Corporations Act says a company should have a risk management system. Guess what? That includes cyber risks.
  • At all levels get the story right. Some need technical details whilst others will require financial details. The models for character and story archetypes will help.