Do we have a strong security culture?

19 December 2022 Jane M

New Zealand’s Innovation Agency

For many people, the pandemic, which has not quite abated, has meant embracing technology in new and unique ways. From remote working to the streaming of entertainment, from virtual meetings and events to an increase in video calling – many of us have become ever more reliant on the technology that is in our homes and in our lives. But an increase in the use of innovative digital platforms and the internet means an increase in cyber threats and attacks.

One of the agencies at the forefront of thwarting these attacks and creating platforms to minimise their reach is Callaghan Innovation (CI), sometimes referred to as ‘New Zealand’s Innovation Agency’. Jenna Whitman, the Chief Information Security Officer at CI, says that “we tend to fly a bit under the radar, but we do carry some real street cred.” Though their reach is broad, one of their goals is to “enable ambitious Kiwi businesses to accelerate growth through innovation funding and by building innovation capability.” This includes connecting innovators through collaboration networks and “providing world-class R&D solutions. We are also recognised as critical infrastructure due to the significant profile and contribution to the NZ domestic and export economy.”

Though the remit is broad, in the security context, “our priority is to allow innovation to occur in a safe way.” The use of technology and the work of innovators and IT providers means there will always be inherent risks. “Our efforts will never change that, but we can minimise the risk where possible through tools, partnerships and people, and awareness.” In the last (financial) year, that has meant engaging with nearly 3,000 organisations and people, including schools and students, start-ups, businesses, government, scientists and engineers. Another reason why no one will ever be able to stem the flow of risk is the globalised nature of most of the threat actors and risks. The question, therefore, for New Zealand and for every other jurisdiction is, “if borderless collaboration is a top priority, how do we share safely and intentionally?”

Identifying Top Priorities

In light of the current cyber landscape and the changing local and international circumstances, CI has “identified new priorities and we’ve undertaken steps to implement new capabilities.” Previously, CI and many similar government agencies and private companies tried to do too much. “While these initiatives were shiny and sexy, they left foundational controls and vulnerabilities ignored.” To combat this, they have now “gone back to basics.” The priorities now are to work with government agencies to “identify critical controls,” to implement “identity management and MFA,” to support “security information and event management (SIEM) technology,” and to continue education because “without a culture of security awareness and governance, everything else falls over.”

These priorities will be “progressed and achieved through tooling and investments.” For instance, the implementation of “internal standards for new tools leading to a cloud first, or cloud forward strategy.” There is also endpoint detection, “the introduction of those password managers at the enterprise level which has financial security value as well, and cyber insurance.” Whilst this is new and currently uncommon and untested, “it’s worth asking your broker about it.”

It is not just about Cyber Security

Though security in the tech sector is usually associated with cyber threats and the internet, it doesn’t have to be. For instance, there are “distinguished scientists in New Zealand who have achieved significant accolades and contributions to their fields, not just in NZ but internationally.” Many of these scientists are “foremost experts and knowledge holders for some of the world’s most cutting-edge advancements that will drive tomorrow’s economy.” They are passionate and dedicated, but “the pay in NZ science isn’t flash.” If such scientists were offered more money, more autonomy and a fancy lab overseas, “surely they would be tempted.” This almost seems like a no-brainer, but in the security and innovation job arena, this kind of offer comes with “huge dilemma and risk.” The loss of even one distinguished scientist’s contribution “would have significant impacts on NZ’s ability to compete economically.” In fact, “this is an example of what industrial and economic espionage can look like. A competitor or adversary seeking a way to undermine us through stealing or obtaining our best assets.”

“We live in a world where exports aren’t just things, they are people too. So, our key priorities in New Zealand shouldn’t just be in technology, but in the people risk and reputational risk that comes with it.”

Jenna Whitman, Chief Information Security Officer, Callaghan Innovation

The best outcome in this scenario is that “we have a security culture strong enough” that if any scientists are offered big money overseas, they should seek the advice of their leaders and agencies. That way, “we are able to empower our people with the skills and knowledge to evaluate these offers and recognise the difference between a genuine career opportunity or a perverse attempt to steal IP.” The other way to “protect our assets, human or otherwise, is through strategic partnerships.” The NZ Government, for instance, has released “guidance on conducting due diligence [1] to prevent the risk of economic espionage and foreign interference threats.” These products are freely available online and have “become invaluable to us and other agencies.” There are other partnership platforms and organisational support programs that also help to “mature everyone.”

The truth, however, is that none of these things or any other mitigation programs work perfectly or on their own. In the current environment, the threat actors are brazen and the international poachers are just as bold. But it is equally true that “knowledge is power. We use stats repeatedly to measure our progress and see what’s changed over time. We also engage with our users, leaders and community, and do long and short-term roadmap planning.” Obviously, no one “can predict what will happen in the future,” but it is ideal to “develop strategic partnerships, take trusted advice from our partners, and in government, being cyber prepared means that we stay on top of trends and threats, and respond to any change in the landscape in the best ways we can.”


