The Australian government cannot underestimate the importance of cyber security threats and it would be ‘foolhardy’ not to appoint a cyber tsar at some point, says Forcepoint’s US-based CEO, Matthew Moynahan.
Australia is currently without a dedicated cyber security minister after prime minister Scott Morrison earlier this week shifted responsibility for information security policy to the.
Angus Taylor, who was previously minister for law enforcement and cyber security, has been appointed as energy minister.
Moynahan, who was in Australia this week, told CIO Australia that he was shocked by the move.
“I thought it send a horrible signal … I think it sends the exact wrong signal to the world not just the Australian population not to have an office or a ministry of cyber, it’s crazy,” he said.
“As a US citizen, I am not that happy about it – we are part of the Five Eyes coalition so what does [the removal of a dedicated cyber minister] mean?
"It’s complicated, I get it, and I’m hoping it’s more about short term political issue than it is a long term one. So if this situation exists three or six months or after the next election, that will be really bad.”
Meanwhile, Moynahan said that most companies are getting their internal data breach responses wrong. He cited credit agency Equifax's response to a data breach in early 2017 as an example.
The infamous hack exposed the personal data of almost half the population of the United States and could be the most costly breach in corporate history.
“Everyone talks about IT but the incident response and PR element, no-one practices that stuff. Equifax was a complete mess,” he said.
The issue, according to Moynahan, is that commercial companies are being forced to become security companies.
“And they’re not. Companies are doing all they can and the spend is going up … a commercial products company isn’t a security company; they can only ‘wargame’ and plan for [attacks] but it’s not how they do business. It’s almost unfair – you are forcing companies to think in different ways and it’s really difficult.”
Moynahan believes that cyber security will be one of the top one or two issues facing society in the 25 years.
“The problem with the internet is that it will never be secure; it was built with trust in mind and trust is different to security. How crazy is it that the founding fathers of the internet basically said, ‘we are going to make it anonymous.’
“Companies undergoing digital transformation activities are moving from a physical world from an environment where there’s no trust, the question is, ‘how do you restore trust?’ It’s not ‘how do you secure the internet?’
"You could spend your whole lifetime trying to secure the internet and you will never do it. Customers say they will never be secure so how do you change based on that statement?”
If organisations assume they are going to be breached at some stage, they will think differently, he says.
“Insider threats are happening more and more, it doesn’t matter if it’s an employee who has turned against your company, a nation state [launching] an advanced attack or just a hacker getting in – it doesn’t matter.
“No-one is thinking that way. That’s where you have to start thinking differently, if you assume that they are going to get in and you can’t stop them, what would you do?
"You should stop them from getting out, most of your resources should be focused on that ... you can mitigate the damage whether it's stopping data from getting out or responding to the breach notification [laws] in the right way. Being in control of the situation is half the battle."
Follow Byron Connolly on Twitter: @ByronConnolly