Trusted Insider versus Insider Threat: A New Model at nbn
By Darren Kane, Chief Security Officer, nbn™ Australia
Many modern mature organisations have an Insider Threat Program. But why call it that? Most organisations will readily acknowledge that people are their greatest asset. We invest time and resources finding them, completing due diligence on them, attracting them to our organisation and, ultimately, paying them. We train and nurture them. We trust them with building access, system access and corporate knowledge. They will be the basis of the success of our company. However, the irony is that while recognising the value of their people, most organisations readily bestow a title with such negative and untrustworthy connotations – Insider Threat – to a program designed to assist an organisation to perform better.
At nbn, we have taken an inverse view of that philosophy with our ‘Trusted Insider Program’ that aims to protect employees and the company from external and internal threats. This approach allows our people to buy into the ‘Security is everybody’s responsibility’ mantra and affords our C-suite visibility on the added value the security group provides our organisation. These types of programs are largely misunderstood, and the ‘Insider Threat’ name does not help that cause.
Our people are the lifeblood of any organisation, and nbn is no different. nbn has a talented workforce of around 6000 that is vital to our success in providing access to high-speed broadband for all Australian homes and businesses. Having established a ‘converged model’ in 2015, where a single role has remit for both cyber and physical threats, our job in security is to protect our people and the company itself from all reasonable threats. After all, these threats can materialise against any organisation in many forms.
Internal threats come in different forms: compromised staff who have become victims of phishing attacks or social engineering; inadvertent events by staff who may have mistakenly sent valuable data outside an organisation; or even malicious activity by staff who steal or disseminate valuable intellectual property or customer records for the purposes of identity theft.
Negating physical security threats requires absolute vigilance. There is no silver bullet, and maintaining physical security usually comes down to doing many little things well.