Time to change the face of Cyber Security in Australia & Aotearoa NZ
MJ's midjourney AI mash up - "The changing face of Cyber Security"

Why do we insist on bringing a knife to a gun fight when it comes to
Cyber Security in Australia and New Zealand?

It's time to think globally and unlock an exciting new army of talent        

With cyber-attacks and data breaches continuing to grow in scale, sophistication and frequency, it is our responsibility to take every step possible to protect our organisations, whanau, customers, supply chain partners and ourselves from those who seek to silence our voices and/or steal our precious taonga and hold it to ransom.

There's quite literally a war going on out there and, like a virus, it’s out of control and spreading every day. Although unlike the Covid-19 virus, I'm not sure this is one we should simply accept we are living with and go on about our daily lives with the status quo.

In my tech career spanning almost 20 years, I've seen a number of epic Cyber Security weapons and teams up to their necks in this important mahi. In fact, I believe that right here at home in Aotearoa, we are genuinely blessed with some of the best cyber talent in the world!

All of that is well and good for the hundreds of customers that those amazing resources can protect and defend at the same time, BUT, put in plain English, the traditional approach, with the same old legacy “non playing characters” and traditional managed service providers “security wrapping” their services, is not an effective solution based on the SCALE of the problem ahead - at least not in isolation.

In spite of a record number of Cyber Security Professional Service organisations registered and active in the market, according to Microsoft’s latest “Digital Defense Report” the volume of cyber security attacks rose to an eye-watering 921 attacks every second in 2022.

That's a 74% (YoY) increase in just 2022 alone.

And from a cursory glance at the headlines this year, I would suggest that it's only set to get worse in 2023…

Cyber attack after attack - newsworthy security breaches: Multiple news sources

As a region, Australasia (Aussie and NZ) represents a "soft target" and one of the world’s most targeted regions, accounting for approximately one in six recorded global cyberattacks.

As a country, our Australian neighbours had the highest “data breach density” in the world as of the fourth quarter of 2022, according to new data compiled by Surfshark, printed in their April 2023 update.

On average, 7387 user accounts were leaked per 100,000 Australians during the first two months of this quarter, making its breach density 24 times higher than the global average, the privacy protection firm claimed. In the same report; Russia was a clear 2nd place (2568 accounts per 100,000), followed by Turkey (2421 per 100,000).

It's important to note that these figures are somewhat inflated, largely down to the 2023 Medibank breach, which was amongst Australia’s largest ever, exposed nearly 1.8 million email accounts, and comes second only to the 2020 Wattpad breach, which exposed 2.45 million accounts. Nevertheless, it makes for some pretty miserable reading.

The key message here is that when it comes to Cyber security attacks and breaches, NO organisation is immune.

Even the most reputable brands, businesses and agencies with the largest balance sheets and security budgets across the globe are falling victim to cyber security breaches on a daily basis.

As we’ve seen from the myriad of headlines over the course of 2022 and 2023, cyberattacks often have devastating impacts – Forrester estimates that the average cost of an enterprise cyber breach has risen to $4.35 million.

So with that being the case, it seems like a hopeless task for the small and medium business community, not to mention the lesser funded local and central government agencies, to try and protect themselves proactively, let alone defend and respond in the event they suffer a breach or incident.

All of which has led to two major market crisis points we currently face today:

  • The cost of tech liability and cyber liability insurance has spiralled out of control and, as a result, cyber insurance is largely out of reach for most small and medium organisations across the globe. Or worse, those costs are being passed straight onto the consumer.
  • There is a supreme shortage of Cyber Security talent; combined with a significant increase in demand for ‘skilled cybersecurity professionals’ at scale across the region which is driving the price of locally delivered cyber security professional and managed services through the roof.

Did you know that, as a result of the rise in cyber security events, there are a projected 3.5 million cybersecurity jobs to be filled globally by the year 2025, with a 350% increase in demand for people with cybersecurity skills over the next eight years?

In spite of some herculean efforts from a few awesome boutique providers and the likes of Kiwi and Australian education providers such as Te Pūkenga, AUT University, AWS, Microsoft and Tata with initiatives such as #RE/Start and #Ready4Cybersecurity programme, it’s my hypothesis that at the current rate and course, without serious disruption backed by significant capital, we simply will not be able to develop sufficient talent, nor services at scale, to keep global hackers at bay.

This only equates to further risk and exposure for private and public organisations in our region.

Having personally sat in the integrator and managed security service provider tent myself over the years, initially through IBM's Secure 24 offerings, Cisco Systems security resilience, then at The Instillery, as CEO personally securing board sign off on extensive multi million dollar investment to build out a next gen Security Operations Centre with SIEM capability alongside new cyber security talent to fill it - I’ve come to realise that in addition to those critical services, an additional innovative, collaborative and inclusive layer is required to be added to the bog standard approach if we are truly going to be successful at scale.

For starters, we need to throw out what we think we know about the look and feel of what a security researcher or ethical hacker actually is and where they’re located.

[Please… bear with me and close your eyes]

Close your eyes and imagine a brave new world....

When you hear the words “security researcher” or “ethical hacker,” what or who do you think about?

A new face of cyber security?

A socially awkward character, reminiscent of Dennis Nedry from the original Jurassic Park, with 3 screens housed in a small basement data centre facility, drinking Red Bulls while tapping out code rapid fire?

or

A gang of faceless, shadowy figures, i.e. what death would look like if he started wearing hoodies and sharky sunnies?

The truth is, there are a multitude of personas that represent the "good guy/gal hackers", with an equally diverse set of agendas.

Better yet...

What if I told you that your next security researcher or ethical hacker could well be a young Aussie mum with a young baby at home with a passion for software development?

A kiwi auntie, sitting at the kitchen bench of her whare in Raglan between shifts, where she has only recently completed micro-credential courses on ethical hacking for the purpose of proactive security and in doing so.

A cousin on an OE in London or a friend who has left Australian shores to pursue a new life and culture in Dubai?

ALL of those alternate scenarios might be just as effective at discovering vulnerabilities as a “professional” researcher from one of the big 4 consulting firms…

Is there any downside to giving consideration to expanding our resource pool of cyber security resources with a truly global lens?

The stereotypes and assumptions that persist in the cyber industry are wrong on multiple levels. And combined with protectionism on a crazy scale, they represent a large portion of the reason WHY we got here in the first place.

They cast a very negative light on the majority of ethical hackers and researchers who actually have made it their life’s work to protect others.

Ultimately, in my mind, “hacking” has just as much to do with developing creative solutions to technical problems as it does with compromising data. It all comes down to intentions.

It's a capability that quite simply any business that relies on trust and confidence of its brand could not do without. But it must be democratised and accessible.....

In my experience, the proactive pursuit of vulnerabilities and ethical hacking absolutely DOES improve the security of business and government agencies - as part of a multi layered cyber security strategy and approach.

Through a fundamental change in our perspective as to not only WHO is a suitable 'persona' or person to act on our behalf as an ethical hacker or security researcher, but also their location, combined with the HOW and WHERE we should or could source and procure those services from, we automatically open the possibility that a large percentage of the planet COULD be a potential resource in the good fight to solve the current resource shortage we face, reducing the total cost of acquiring those services and in doing so bolstering cybersecurity resilience across the planet. [Acknowledging a very important job of verifying both the ethical hacker - "the human" and their intent.]

All the while also creating exciting opportunities for a new generation of previously forgotten diverse talent to join us in the war against cyber criminals.

One needs to look deeper into why we are where we are! Firstly, the New Zealand Government policy makers have to be blamed for a lack of transparency towards cyber security adoption. Both our current and previous Privacy Acts focused heavily on mediation rather than enforcement. Their soft approach may explain why many businesses in New Zealand tend to act only after they’ve experienced a cyber-attack. Without significant financial penalties, there is less urgency to invest in preventative measures, leading to a reactive culture where businesses only scramble to improve security once they’ve been compromised.

James Robinson

Cybersecurity | Managed IT | Process Automation | Cybersecurity Consultant at iT360

1 year ago

Epic words, brother! Keep Aotearoa cybersafe.

Dimitri Souleliac

Cybersecurity Audit & Roadmap | Digital Supply Chain Security | Cyber Incident Readiness | Cyber Risk Management

1 year ago

Thank you Mike Jenkins for sharing this insightful perspective! The reality is that small businesses with little to no IT or cybersecurity expertise are ill-equipped to deal with modern security threats. Even the very first step of the Essential 8 - "Application control - The execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets must be prevented on workstations" means nothing to many business owners, leaving them unsure of what to do. The cost of cyber liability insurance and hiring information security professionals has skyrocketed, placing them out of reach for many small businesses. These challenges represent a significant threat to small businesses, and there is a pressing need for innovative solutions that can make cybersecurity accessible to everyone.

Terry Vercoe

Business Value Designer & Senior Solution Architect

1 year ago

Mike, Vaughan Ferguson has been working on the IT education space with schools for a while to develop future career paths and talent pools.

Andrew Stevens-Clark

Curiosity | Leadership | Impatience | Service | Structure

1 year ago

The power of many.
