enterprise-support.telstra.com.au...manipulation of commodity prices, competitors trawling for...


Post on 22-May-2020


1.0 EXECUTIVE SUMMARY

As technology becomes more intimately ingrained in the business and operational DNA of resource companies, IT security challenges are becoming increasingly complex. In particular, the drive for operational and environmental efficiency has seen a rapid upswing in the automation of systems and equipment, reliance on the Internet and remote operations – however, all these developments leave companies increasingly open to the risk of cyber attack.

Cyber attacks can come from criminals looking to make money from supply disruptions or the manipulation of commodity prices, competitors trawling for business secrets, foreign governments and state-owned firms in search of political advantage, hacktivists, who may be religiously, politically or environmentally motivated, and the just plain malicious.

At risk could be anything from details of your latest pricing plans, to prospecting information, your competitive strategy, or even data from driverless trucks that let your competitors know exactly what you are achieving. And these threats are very real, as seen in cases such as the Stuxnet virus in Iran and the malware attack on RasGas, the state petroleum company of Qatar.

Given the potential for the disruption of critical systems – not to mention risks to the safety of workers, and damage to a company’s reputation and financial standing – most organisations recognise that cyber attacks need to be stopped before attackers breach upstream business infrastructure. But how can this be best achieved in tandem with key technology trends such as the Internet of Things, remote operations, cloud computing, Big Data and Mobility?

Telstra engaged with Frost and Sullivan to understand how the Mining, Oil & Gas market is approaching this challenge – the key drivers, restraints and adoption trends in IT security today, and the impact of cyberattacks on business continuity and productivity. More importantly, the report also looks at organisational attitudes to and perceptions of IT security – what steps are being taken to address current threats, and how successful these strategies are proving.

Key insights from Telstra’s commissioned research include:

1. Focus on protecting critical assets to maintain business continuity

To minimise potential damage, first define the information or assets that matter most to your company, then prioritise their protection. In reviewing security, it’s also important to identify interest groups who would benefit from access to a resource organisation’s systems and information.

Our respondents told us that reputation loss and the impact on IT systems and other critical infrastructure are the two key areas most affected by a security incident. Oil & Gas organisations were more focused on preventing cybersecurity incidents than miners, who were more concerned about the remediation required as the result of a breach. Both acknowledged that there is no such thing as a 100 per cent foolproof IT security set-up, and that visibility of any breach is critical.

2. Build awareness of information security throughout the organisation – it’s not just a problem for the IT team

Given the consequences of a security breach, resource companies should create a culture of information security throughout the organisation, actively working to raise employee awareness of the risks they can control, and what they can do to protect the organisation. Empowering employees through regular awareness training is key.

This is particularly important as respondents told us that 57 per cent of security incidents in the past twelve months had been a result of human error. The next largest category was the loss of employee end devices containing confidential information. The human factor is clearly important and, while IT security technology is essential, organisations must consider every element, including people, processes, training and policy.

Throughout this report, we use cyberattack to describe any offensive action carried out by an individual or organisation that targets computer information systems, infrastructures, computer networks, and/or personal computer devices. Cyberattacks can range from installing spyware on a PC to attempts to destroy infrastructure.

Meanwhile, IT security is defined as the body of technologies, processes and practices designed to protect networks, computers, programs and data against unauthorised access or modification of information, whether in storage, processing, or transit, and against denial of service to authorised users.


3. Fund security initiatives to match the real threat landscape

Despite the increasing security risks, 69 per cent of resource organisations believe that their IT security spending will remain the same for the next 12 months. Most cite budget constraints as the reason. Those who are increasing their spend are being driven by business expansion or a belief in greater exposure to threats.

4. Continually assess and monitor risks

In order for resource companies to understand threats and vulnerabilities – and effectively respond to those risks – they need to assess and monitor risks on an ongoing basis. A security audit should be taken immediately after any incident, and any remediation activity carried out immediately. Importantly, all incidents should be reported to C-level Business Executives to provide them with visibility of the risks the organisation is facing. This approach was endorsed by 69 per cent of respondents.

5. Manage incidents effectively

Our respondents agreed that absolute security is not possible. Managing incidents should become part of the corporate DNA because cyber attacks can be sophisticated and dynamic, and any system can become vulnerable to emerging threats. Resource organisations agree that where measures fail to prevent a cyber incident, detection, remediation, recovery, and restoration initiatives can minimise its impact. Creating a cyber attack response protocol is an essential step.

6. Think long-term

IT security should not be considered a short-term fix – it should be an ongoing leadership and operational consideration, and a board-level and senior management priority. The challenge is that resource organisations that have not experienced an incident are only likely to reassess their IT security strategy annually. Of those who had experienced a security incident, 57 per cent now review IT security quarterly.

7. Consider IT security at the design stage

Resource organisations should not only build IT security into next-generation networks and applications, they should also consider vulnerabilities in any existing systems. Of concern is the fact that only 23 per cent of Oil & Gas respondents and 29 per cent of Mining respondents typically consider IT security issues during the design phase (as distinct from the implementation phase).


2.0 BACKGROUND: THE RESOURCES SECTOR TODAY

The Australian resources sector is emerging from a period of sustained growth and many within it are facing a markedly different economic environment, with the emphasis moving from capital expansion to production.

Organisations now need to realign their businesses to much lower revenues and profitability. These challenges are further driven by changes in the technology, network, operational and regulatory environment. As a result, many are looking towards automation to improve performance and productivity and enable better decision-making across the enterprise. For miners, this is seen in the implementation of remote monitoring and control systems; for Oil & Gas companies, it’s the digital oil field.

Until recently, industry networks were typically proprietary and were isolated from business networks and the Internet. Over the last decade, though, we have seen these proprietary systems transition to systems based on commercial off-the-shelf technologies like Ethernet, TCP/IP and Windows.

In addition, resource companies have traditionally had a fragmented view of the supply chain, with many segments being stand-alone silos. The need for a better view of the supply chain is reflected in the shift towards greater integration, visibility and “intelligence” within and amongst the operational technology (OT) production control systems and the information technology (IT) that companies use to manage their critical assets, logistics, planning and operations.

Critical factors driving this shift towards OT and IT integration include4:

• Increasing amount of actionable data from mobile field workers, equipment, and operational processes

• Open platforms and network connectivity that facilitate the integration and sharing of critical data across an organisation

• Rapid advances in asset and work management applications.

Centralisation brings new vulnerabilities

The centralisation of many business functions across the supply chain – largely driven by cost rationalisation – has made resource organisations particularly vulnerable to cyberattack. EY found that the centralisation of business functions:

“…has translated into the need for a more sophisticated IT system and network infrastructure to connect the geographically diverse workforce, which increases an organisation’s exposure to, and dependence on, the Internet. With the trend toward remote operation to improve operational integration and cost efficiency, there is a convergence of IT and OT [Operations Technology] which provides cyber hackers an access path to the operations systems from the internet. Further, OT systems are inherently less secure as many old systems were not designed with security in mind.1”

Transformational technologies such as Cloud have been a matter of concern for many IT professionals, particularly for early adopters. Lockheed Martin states:

“[For cloud]…this was in part because, while organisations were eager to embrace the potential cost savings, flexibility and ability to create new collaborative models, they did not know enough about the workings of security under different models – public, private, and hybrid clouds – to protect sensitive information. 5”

Think, too, of emerging trends such as Big Data and Analytics, and the Internet of Things, and it’s clear that the security challenges faced by resource companies are only likely to become more complex and more critical. But research conducted by McKinsey in partnership with the World Economic Forum suggests that companies are already struggling with their capabilities in cyber risk management:

“As highly visible breaches occur with growing regularity, most technology executives believe that they are losing ground to attackers. Organisations large and small lack the facts to make effective decisions, and traditional “protect the perimeter” technology strategies are proving insufficient. Most companies also have difficulty quantifying the impact of risks and mitigation plans. Much of the damage results from an inadequate response to a breach rather than the breach itself. Complicating matters further for executives, mitigating the effect of attacks often requires making complicated trade-offs between reducing risk and keeping pace with business demands. 2”

Any attack comes at a cost. Many companies believe that the real cost of cybercrime comes from supply chain losses; however, in many instances, it’s the opportunity cost from delayed technological innovation. This is caused, in part, by the need to screen new platforms or assets for any vulnerabilities before deployment. For instance, it’s unlikely that you’ll introduce a new company-wide communications platform if you suspect your competitors will be able to hack in and uncover important business secrets.

A sector under attack

Threats can come from a growing number of sources, including well-organised criminal syndicates, terrorist groups and nation-states, ideologically-driven individuals, and disgruntled or careless employees.

Many breaches have taken place in the resources sector over the past few years. Some, such as the Stuxnet virus attack on the Natanz uranium enrichment facility in Iran in 2012, make the headlines, but most are kept out of the news to protect share and brand value. If organisations can avoid admitting a data breach, they will, unless forced to do otherwise by legal or compliance issues.

The Stuxnet computer worm was reportedly designed to damage centrifuges by making covert adjustments to the machines controlling them. Allegedly, Stuxnet was developed by two nation states and was one of the first attacks designed to inflict physical destruction and slow (or destroy) Iran’s uranium program rather than simply steal data. While the severity of the infection was mostly felt in Iran, Stuxnet also infected about 18,000 other process control systems, including some in the US. 1

WikiLeaks exposed the resource sector’s very real fears of a nation state attack when it released a diplomatic cable from former BHP Billiton Chief Executive Marius Kloppers to a US diplomat in Melbourne in 2009, saying that he was worried about espionage from China, as well as competitors like Rio Tinto.

The sheer scale of attacks is increasing, too. BP’s CEO, Bob Dudley, revealed in 2013 that BP suffered on average 50,000 attempted attacks daily, from both domestic and foreign offenders, many of whom were probably casual resource sector hacktivists, although this was not made explicit.

As another example of hacktivism, in August 2012, there was an attack on RasGas, the state petroleum company of Qatar. Cyber criminals attacked the corporate IT system of the company using malware called Shamoon, but this was an attempt to disrupt operations rather than to steal information. The perpetrator was widely reported to be the “Cutting Sword of Justice” group.

Websites can be particularly easy disruption targets as rare earths producer Lynas Corp discovered to their cost last year, when a hacker defaced and blocked access to their website as part of a campaign against the opening of a processing plant in Malaysia. 3 Lynas has since moved its website in-house in order to bring it under the control of IT and secure it in the same way as their internal networks.


3.0 THE CHANGING INFORMATION SECURITY LANDSCAPE

The convergence of OT and IT in the resources industry and the focus on operational delivery systems allow greater physical access to components that can affect security. Smart devices, new infrastructure components, the increased use of mobile devices and new applications are changing the way devices are controlled while also introducing new vulnerabilities and creating new needs for the protection of data.

Microsoft notes that the sheer volume of data now captured and stored creates both real value and significant work challenges. A shrinking workforce means that fewer skilled professionals and experts are tasked with sharing information across global projects, a trend that can expose organisations to greater risk. More available data supports improved collaboration and better insights, but it also raises dramatic new security issues.

Similarly, previously isolated plant and control systems are now increasingly integrated with corporate networks, vendor, and service company systems, and these connections can be access points for potential threats. The complex and connected nature of these threats calls for a comprehensive and flexible approach to detection, elimination and continuity, as well as ongoing communication between IT and OT departments to ensure a resilient, company-wide security strategy.

Philippe Bouvier, in his article Oil & Gas Industry: Towards Global Security7, notes that:

“The oil and gas cycle from initial field exploration through production, transportation and consumer retail operations is highly complex, with countless potential weak links that are subject to security breakdowns. The security should reflect the risk status and financial resources of the infrastructure. Smaller infrastructures have limited funding and have to plan their security projects with an eye toward simplicity and manageable costs.”

Forbes, too, commented that many companies are not prepared to pay the price for improved security, viewing it as a “sunk cost” even though the consequences of a breach could be catastrophic.8

10, 11 & 12 ibid

13 http://mumbrella.com.au/iab-australia-nielsen-release-first-insight-mobile-tablet-data-230943

14 Deloitte Media Consumer Survey 2014

15 When we use social media: Yellow™ Social Media Report May 2014

Ovum believes that, in the future, organisations will need to leverage security intelligence and Big Data and Analytics to understand threat priorities and act to sustain the wellbeing of the organisation and its people. Their research also highlighted the growing shortage of IT skills, particularly within the security sector.9

Fighting back

Companies are rightfully worried and IDC’s Energy Insights3 lists security concerns as one of the “Top 10” Oil & Gas industry issues for 2012. IDC predicts a 5.24 per cent compound annual growth rate increase in worldwide Oil & Gas software security spending in the next few years, to more than $705 million by 2015.

IDC also expects Oil & Gas companies to invest in antivirus, anti-spam, identity and access management systems, and in securing systems that connect partners, contractors, suppliers, and service providers across their B2B environments. IDC also expects to see growth in breach notification and vulnerability management services.

For those still concerned about the impact of evolving threats on new technology ecosystems, EY notes that there are many steps resource companies can take to combat cyber threats and increase security, including:

• Making IT security a board-level and senior management priority

• Identifying what data or assets are most important to the company, and prioritising their protection

• Identifying interest groups who would benefit from access to a resource organisation’s systems and information

• Assessing current systems and understanding their vulnerabilities

• Understanding the laws and regulations that help protect a resource organisation from a cyber attack and building a relationship with the agencies that enforce them

• Creating a cyber threat or attack response protocol.

The following section of this research report shares our knowledge and insights about the security risks Australian resource organisations face. We hope it also offers useful guidance on how organisations can better detect, mitigate, and improve awareness in the field of IT security. It is our hope that such information will support your organisation in making vital decisions about IT security policy and its impact on your operations.


4.0 METHODOLOGY

Telstra Security Services’ Customer Market and Insight report is based on a market assessment gathered from three main sources:

1. Telstra security products and services

2. General market research

3. A Mining, Oil & Gas industry-based survey aimed at information technology (IT) professionals who are security decision makers.

The objective of the survey was to assess the pressures relating to IT security faced by customers. Respondents were mainly chief information officers (CIOs), chief information security officers (CISOs), IT security directors and IT security managers, although a smaller number of CFOs and CSOs also took part. More than 300 responses were collected.

The survey was deployed through a web survey questionnaire and a telephone interview. Survey results have a sampling error of +/- 5 per cent.

Although the Customer and Market Insight report surveyed multiple industries, this paper highlights results relating to the Mining, Oil & Gas sector.


5.0 RESULTS

The following sections detail the results of Telstra’s research. They provide a sobering look at the threats that Mining, Oil & Gas companies are facing, and insights into how organisations are responding.

5.1 Identify what you need to protect

To maintain business continuity, it is essential to focus on protecting critical infrastructure. Reputation and the impact on IT systems and other infrastructure are the two key areas most often affected by a security incident in the resource sector.

It’s worth noting that even one event can have any or a number of the following consequences:

• Damage to IT systems and critical infrastructure

• Loss of business continuity

• Damage to IT or business processes

• Loss of sensitive data

• Financial loss

• Reputation loss

• Environmental impact.

5.1.1 Where do the greatest threats come from?

Mining, Oil & Gas respondents rated internal and external perpetrators equally in terms of security threats.

Productivity losses and the loss of sensitive data were rated equally in terms of the impact a security incident may have.

WHERE DO YOU THINK THE GREATEST RISK OF IT SECURITY THREAT TO YOUR ORGANISATION COMES FROM?

Rank the following in terms of the impact a security incident would have on your organisation

ACTION

Internal threats carry a high risk: never underestimate them. Awareness campaigns are important as well as avenues to report suspicious behaviour.

5.1.2 What areas of business are most affected by IT security incidents?

29 per cent of Mining, Oil & Gas respondents rated either IT or business processes and reputation loss as the most important area of impact.

40 per cent rated either IT or critical infrastructure and business continuity to have been affected most severely. This suggests that attackers are not only hitting critical areas of the business, but also hitting them hard. (SEE CHART 1 NEXT PAGE)


[Chart 1: Rank the areas of your organisation that were impacted because of the security incident. Panels: Most important area of impact; Overall distribution of impact (ranked from most impact to 6th most). Categories: reputation loss; financial loss; loss of sensitive data; IT or business processes; business continuity; IT systems or critical infrastructure; others.]

ACTION

Consider the potential impact of a major security breach, and whether your organisation needs to develop advanced technical expertise in-house or engage specialised service providers.

5.2 Create a culture of information security

Given the consequences of an information security breach, resource companies should raise awareness of the importance of information security, not only at management and board level, but also with all employees. This can be achieved through policies and building a sustained communications and awareness program. Keeping abreast of developments and emerging threats is also critical. Importantly, any cultural change has to have leadership approval and support. It will fail if it is seen as just another HR initiative.

Respondents told us that 57 per cent of security incidents in the past twelve months had been a result of human error, suggesting a very real need for companies to consider how information security is viewed across the organisation. The next largest category was the loss of employee end devices containing confidential information.

These results should be of great concern to resource companies, given the findings of McAfee, in their research into the cost of cybercrime. They identified the theft of IP and business confidential information as the most important loss, as this has the most significant economic implications. They estimate that the likely annual cost to the global economy from cybercrime is more than $400 billion.10

5.2.1 Where do you gather information about IT security solutions and services?

In the Mining, Oil & Gas industry, 56 per cent of respondents saw vendors and security service providers as being the two main channels for information, followed closely by security consultants (50 per cent).


(SEE CHART 2)


5.2.2 What is your organisation’s attitude towards IT security?

Across the resource sector, attitudes toward IT security are changing, with most organisations acknowledging that there is no foolproof security set-up.

The vast majority of respondents in the Mining industry don’t believe that IT security is all about preventing incidents. This is reflected in their attitude towards remediation, with 86 per cent of miners concerned about the remediation required in the event of a security breach.

At 67 per cent, Oil & Gas organisations rated all three areas as equally important.

[Chart 2: Where do you gather information regarding IT security solutions and services? Panels: Weighted average scoring of channel importance (% of respondents, N = 320); Channels that organisations seek information from (% of respondents, N = 320). Channels: vendors; security service providers; security consultants; industry analyst reports; organisational websites; referrals; conferences/events; social media (e.g. blogs, news feeds, forums, social networking); direct mail/e-newsletters; newspapers/magazines/print advertisements; others.]

[Chart 3: % of respondents by level of agreement (strongly disagree, somewhat disagree, neutral, somewhat agree, strongly agree) with three statements: “There is no such thing as a 100% foolproof IT security set-up. Visibility of breach important.”; “I am very concerned about the remediation action required in the event of a security breach.”; “IT security is all about preventing security incidents.”]

ACTION

Knowledge is power: when an organisation views security incidents as critical business risks, it’s more committed to building its knowledge of threats, assets and adversaries – and therefore more likely to be able to manage new threats. While some security incidents may not always be preventable, better knowledge of the risks can help manage new threats to acceptable levels.

ACTION

Move to a risk-based approach. Focus your resources and investments on what really matters. Review your investment decisions. Evaluate your capability against Protect, Detect and Respond.


[Chart: What are your opinions towards the following statements? % of respondents agreeing and strongly agreeing, by industry (Banking, Financial Services and Insurance (BFSI); Government & Public Sector (education, health, etc.); IT & Technology; Retail & Consumer; Manufacturing, Logistics & Transport; Oil & Gas; Mining; Others), for three statements: “IT security is all about preventing security incidents.”; “There is no such thing as a 100% foolproof IT security set-up. Visibility of breach important.”; “I am very concerned about the remediation action required in the event of a security breach.”]

Note: Others in the vertical industries include training, construction, wholesale, professional services, media, security, legal, distribution, pharmaceutical, charity, education, travel, agriculture, hospitality, non-government healthcare, engineering, energy storage.

CHART 4

CHART 5

[Chart: stacked bars, % of respondents (0% to 100%), for four areas: corporate security IT processes and incident response; corporate security resourcing and staff; corporate security infrastructure, technology and controls; corporate security governance & policies. Legend: not aligned; rarely aligns; somewhat aligns; completely aligns.]

[Chart: Which areas of IT security services do you expect your organisation to invest in the next 12 months? % of respondents by verticals requiring “incremental investment (requirements further development/enhancements)” and “Significant investment (new deployments, major upgrades)”. Series: more than 500 employees; 250 to 500 employees; 50 to 250 employees. Areas: content security; network or perimeter security; wireless security; data security; employee security awareness training; governance risk and compliance; cloud security; identity and access management; end point security.]

ACTION

Consider the cost of a major security incident versus the cost of increased security investment. Then, compare your security spend to your insurance spend. Are you giving the same weighting to different risks?

CHART 8

[Charts: Trend for IT security spending (overall) and Trend for IT security spending (horizontal). Categories: decrease; remain about the same; increase. Series: 50 to 500 employees; more than 500 employees. Labelled values: decrease 11%, remain about the same 61%, increase 28%.]

Decrease in IT security spending is likely to be driven by budget constraints and moving from platform products to cheaper IT security services. Increase in IT security spending is likely to be driven by business expansion and greater threat exposure.

[Chart: % by role and stage of involvement. Roles: distributors; external consultants / system integrators; end users; security service providers; IT managers / IT administrators; departmental heads / line-of-business executives; compliance/risk director; CTO / CIO or IT director / CSO / CISO; CEO / CFO / COO. Stages: final signoff; final purchase decision; shortlist solutions; evaluate solutions; identify needs; not involved at any stage.]

5.4.3 On average, how often is your organisation responding to or detecting major IT security incidents?

Mining, Oil & Gas companies are responding to or detecting major security incidents at least weekly if not more often. This is a concerning trend for the sector, given that this is higher than for many other industry verticals.

5.4.4 Rank the areas of your organisation that have been impacted because of a security incident

For both Mining and Oil & Gas companies, critical infrastructure, business continuity and IT business processes were the areas most affected by a security incident. (SEE CHART 14)

5.4.5 What was the usual response of your organisation towards the security incident?

After a security incident, 60 per cent of Mining, Oil & Gas companies said a security audit was done immediately and a resolution enforced. The remaining 40 per cent responded with a preventative response only. (SEE CHART 15)

57 per cent of Mining, Oil & Gas organisations who had a security incident reviewed their security strategy quarterly, with the remainder undertaking monthly reviews. (SEE CHART 16)

Most organisations perceived themselves as “Not Ready” in terms of responding to and mitigating a security breach, regardless of whether or not they had a security incident. Only 9 per cent of Mining, Oil & Gas organisations perceived themselves as ready. Lack of resources and lack of understanding by higher executives were cited as the main reasons for not being ready. (SEE CHART 17)

[Chart 13: On average, how often is your organisation responding to or detecting major IT security incidents? Panels: overall (daily, weekly, monthly, quarterly, half-yearly, yearly) and by vertical (IT & T; Govt & Public Sector; Mfg, Utilities, Log & Transport; Retail & Consumer; Mining; Others; Oil & Gas; BFSI).]

[Chart 14: Rank the areas of your organisation that have been impacted because of a security incident. Panels: overall distribution of impact (most impact, 2nd most, 3rd most, 4th most, 5th most, 6th most) and most important area of impact. Most important area of impact: IT systems or critical infrastructure 42.0%; business continuity 19.8%; IT or business processes 15.3%; loss of sensitive data 14.5%; financial loss 4.6%; reputation loss 3.1%; others 0.8%.]

[Chart 15: What was the usual response of your organisation towards the security incident? Response options: preventive response only, no fire-fighting was required; security audit was done immediately and resolution was enforced effectively; delayed response to the incident, but effective action was taken; unprepared for the incident and had to do major fire-fighting; no response was undertaken; other.]

[Chart 16: How often do you assess your security strategy? Assess security strategy: 65%; do not assess security strategy: 35%. Two frequency panels, for organisations who had a security incident and organisations who did not have a security incident. One panel: quarterly 38%, monthly 34%, half-yearly 15%, yearly 11%, others 2%. Other panel: yearly 37%, half-yearly 28%, quarterly 23%, monthly 11%, others 2%.]

[Chart 17: How would you rate your level of readiness in terms of responding to and mitigating a security breach? Two panels, for organisations who had a security incident and organisations who did not have a security incident. Values shown: not ready 87%, ready 13%; not ready 83%, ready 17%. Reasons for not being ready (two lists): lack of resources, older employees, lack of knowledge, shadow IT problem; lack of understanding from higher executives, lack of resources, reliance on off-the-shelf products, lack of relevant processes, lack of knowledge, budget constraints, lack of monitoring.]

[Chart 18: How are IT security incidents being reported in your organisation? Incidents are prioritised and only the severe ones are reported to C-level business executives: 54%; all incidents are escalated to C-level business executives: 31%; all the security incidents handled only by the IT department and not reported to C-level business executives: 14%; other: 1%.]

ACTION

Assess security strategy frequently, not just after an incident.

ACTION

Ensure senior leaders are always informed of significant security incidents. Importantly, senior leaders must be aware of incidents as soon as they occur so that they understand how they impact their organisation. This is a leadership issue: the more exposure leaders have to the dynamic nature of cyber breaches, the more they will understand the need to factor information security into corporate DNA.

5.5 Develop and implement protective measures to manage risk

Resource organisations should not only build security into next-generation networks and applications; they should also ensure that risks are reduced to acceptable levels in existing systems. Of concern is the fact that only 23 per cent of Oil & Gas respondents and 29 per cent of Mining respondents typically consider IT security during the design phase (as distinct from the implementation phase).

5.5.1 In which phase of a project are IT security services typically considered?

Mining, Oil & Gas Respondents: Only 23 per cent of the respondents in the Oil & Gas sector and 29 per cent in the Mining sector typically considered IT security during the implementation phase of a project. Perhaps even more worrying, only 20 per cent of Oil & Gas companies and 14 per cent of Mining organisations considered IT security during the design phase.

[Charts 19 and 20: When are IT security services typically first considered within your organisation? Overall: during the design phase of the project or initiative 27%; during the build or implementation of the project or initiative 21%; at the beginning of a new project or initiative 20%; as required 13%; in response to a problem 9%; at the end of the project or initiative 8%; do not know 2%. By vertical (% of respondents, 0% to 100%): BFSI; Govt & Public Sector; IT & T; Retail & Consumer; Mfg, Logistics & Utilities; Oil & Gas; Mining; Others.]

ACTION

• Consider security at the beginning of EVERY project, and in all other phases too.

• Align security to a framework or industry good practice, such as ISO 27001 or one from a credible organisation like the SANS Institute. Consider periodic health checks as an informal audit of yourself or review of your progress during various phases of initiatives.

[Chart: stacked bars, % of respondents (0% to 100%), for nine areas: corporate data usage & policies; corporate governance, risk and compliance strategy; network security controls; cloud or data centre strategy; incident management, response & remediation; end device controls; employee education & awareness training; social media strategy; wireless or mobile devices strategy. Legend: do not adequately address; somewhat effective (reactive to threats); effective (but needs improvements); very effective (proactive to most threats).]

5.6.1 Attitudes to IT security services

78 per cent of Oil & Gas organisations feel that they have adequate security controls in place and also see IT security outsourcing as being more attractive than having in-house resources.

The overwhelming majority of Mining organisations (86%) feel that customisation is the key benefit offered by outsourced security services, and believe that outsourcing complements in-house security services.

[Charts 23 and 24: What are respondents’ attitude and perceptions towards IT security services? Statements: customisation is a key value proposition of security services; IT security services complement in-house security; IT security is an investment and not a cost; our organisation has adequate security controls in place; IT security outsourcing is more attractive relative to in-house. One chart shows stacked responses (strongly disagree; somewhat disagree; neutral; somewhat agree; strongly agree) on a 0% to 100% axis; the other shows results by vertical: IT & Technology; Retail & Consumer; Oil & Gas; Manufacturing, Logistics & Transport; Government & Public Sector (education, health, etc); Mining; Banking, Financial Services and Insurance (BFSI); Others.]

5.6.2 How effective are IT security services in achieving benefits to your organisation in the following areas?

Mining, Oil & Gas organisations see risk reduction (88%) and compliance (75%) as being the two areas that benefit most from IT security services. In contrast, corporate governance, operational efficiency and business agility are considered to be the biggest benefits delivered by IT security services in the wider industry.

5.6.3 Drivers for Mining, Oil & Gas customers to outsource IT security to a third-party services vendor

Across all industries, cost and speed of deployment are the most common reasons for outsourcing IT security. However, only 31 per cent of Mining and 35 per cent of Oil & Gas organisations saw cost as the key driver for outsourcing IT security to a third-party services vendor. Data sovereignty was clearly the second driver.

[Chart: How effective is IT security services in achieving benefits to your organisation in the following areas? Stacked bars, % of respondents (0% to 100%). Areas: compliance; risk reduction; customer confidence; corporate governance; operational efficiency; employee productivity; new business initiatives; business agility; cost reduction. Legend: not at all effective; slightly effective; reasonably effective; very effective.]

[Chart: horizontal bars on a 0% to 70% axis: cost 62%; regulatory compliance 41%; internal policies and processes 38%; business transformation 31%; business continuity 28%; organisation's reputation 28%; other IT solutions and services 8%; others 0%.]

[Chart: What were the drivers for your organisation to outsource IT security to a third-party services vendor? Stacked bars, % of respondents (0% to 100%), by vertical: Banking, Financial Services and Insurance (BFSI); Retail & Consumer; Oil & Gas; IT & Technology; Mining; Manufacturing, Logistics & Transport; Government & Public Sector; Others. Legend: cost; data sovereignty; speed of deployment; lack of IT skills; others.]

ACTION

• Assess the cost of employing security staff compared with engaging service providers. Remember to include the need for constant training in your employment costs. Consider also the value that comes with outside perspectives.

• Compare your approach when hiring security professionals to that used when hiring essential consultancy services like accountancy or legal services. Ask if any difference is appropriate.

CHART 25

CHART 26

CHART 27

[Chart: customer premises equipment (CPE)-based solutions on our premises 42%; service provider hosted solutions 37%; SaaS cloud-based solutions 16%; we don't deploy IT security services 4%; other 1%.]

6.0 CONCLUSION

Mining, Oil & Gas organisations have entered a new era of operations with the convergence of Operational Technology (OT) and Information Technology (IT). However, the shift towards remote operations as a means of improving operational integration and cost efficiency provides cybercriminals with an access path to the operations systems via the Internet. Organisations must ensure that their networks and applications are designed, installed, operated, and maintained to survive a cyber incident and sustain critical functions.

It is also important that your CEO and leadership team understand the strategic and economic risks of inaction, and that security must form part of a company’s DNA.

Our survey findings indicate that organisations need to place more emphasis on improving employee awareness and accountability, increasing budgets and devoting more resources to updating and innovating security solutions. This is particularly important in the resources sector, given that respondents believed that 57 per cent of incidents were the result of human error.

Organisations must also recognise that it is increasingly difficult and costly, if not impossible, to have all the required IT skills in-house. The effective use of external experts and resources is a key component of any effective security plan. This is especially critical given that cyber attacks are becoming more frequent, and more sophisticated. Many companies believe they are losing ground to hackers.

Security should not merely be seen as a preventive measure; rather, it is a business imperative and a means of improving an organisation’s reputation.

As mining and resource companies move into the next generation of Remote Operations, Cloud Computing, Big Data and Analytics, and Mobility, they will need to dramatically increase their security posture in order to maintain ongoing operations. As the survey results highlighted, this requires specialist resources and many companies are falling behind due to limited in-house skills and budget constraints. For most, the effective use of external experts and resources will be critical to future security strategies and operations.

7.0 ABOUT THE AUTHOR

Alan Hindes is the National Industry Executive at the Industry Centre of Excellence, Telstra Global Industries. Alan is Telstra’s thought leader in Mining, Oil & Gas and Construction. Based in Perth, Alan is responsible for the key relationships, new products and services and innovation within these industry segments. Alan also works with the resources sector to provide recommendations on technologies and applications that the sector can leverage in order to improve productivity and drive growth.

Alan has over 45 years’ experience in the telecommunications sector, having had a diverse range of career roles including Technical, Product Development and Management, Marketing and Finance in Western Australia, Victoria and New South Wales. Before taking this new role in Telstra Enterprise and Government, Alan was the State Director in WA, during which time he was responsible for managing the Industry and Government sales and technical team. Previous to this, Alan worked in Vietnam as a Business Development Manager, negotiating a trial market agreement with the Vietnamese Government for the deployment of a mobile network.

Recently Alan authored a thought leadership research report in the utilities segment titled Getting Smart: How Electricity Businesses Can Leverage the Telco Advantage. Other thought leadership research has focused on how an integrated “Pit to Port” strategy in the Mining & Resource sector can help improve productivity and drive growth.

Alan holds a Master of Business Administration, a Graduate Diploma of Business (Business Computing) and a Diploma in Electronic Engineering. He was also presented with an award by the Australian Institute of Company Directors for his outstanding results in the Graduate Diploma of Business.


8.0 ABOUT TELSTRA SECURITY SERVICES

FOR MORE INFORMATION

We can assist your organisation to meet your increasingly sophisticated security requirements. For more information, contact your Telstra Account Executive or visit: https://www.telstra.com.au/business-enterprise/solutions/security-services

MANAGED SECURITY SOLUTIONS

• As more security technologies are deployed within organisations, their monitoring and management becomes increasingly complex. To assist with this, Telstra can provide a suite of Managed Security Services that can supplement an organisation’s internal capabilities.

• An integral part of this offering is the Telstra Security Operations Centre (TSOC), a dedicated monitoring facility that operates 24 hours a day, 365 days a year to detect malicious activity and help ensure ICT resources are not compromised.

• The TSOC, a government classified (T4) facility, provides an integrated approach to security for customers. Monitoring activities are fully integrated with Telstra’s Global Operations Centre (GOC) which provides service monitoring across the Telstra core infrastructure.

• By providing security monitoring across both customer and Telstra’s core networks, the Security Response Centre team is able to pre-empt threats and escalate major issues to Telstra’s Computer Emergency Response Team (T-CERT) as required.

CONSULTING SERVICES

• Telstra assists organisations of all industries and sizes, in Australia and globally, to identify, understand and better manage their technology and security risks within business risk targets.

• We leverage our own experience and capabilities in managing security risks across large and small organisation, network, cloud and mobile environments.

• We provide a range of services such as security assessments (incl. testing), security strategies, security compliance management, security architectures and roadmap, ICT resilience management and security intelligence amongst others.

• Telstra’s teams of security experts have also been involved in the design, build and management of some of the largest and most complex networks in the region.

• This real-world experience means we understand the challenges faced by organisations and are well placed to provide advice and guidance on current security-related issues.


