Those on the frontlines of the IT industry are well aware of the role cyber security plays in their everyday operations, but what about those who are one or two steps removed?
Insicon, founded back in 2013 by Matt Miller, provides independent cyber security intelligence and advice tailored to executive leadership and board members, as well as offering governance, compliance, and risk advisory services.
Insicon also develops customised cyber posture strategies based on each company's risk profile and appetite, along with a CISO-as-a-service offering.
“The cyber security challenge is real and, for directors, increasing in importance and in complexity,” according to the Cyber Security Governance Principles document released last year by the Australian Institute of Company Directors and the CEO of the Cyber Security Cooperative Research Centre.
Miller said Insicon – a team of 18, with another six soon to be hired – targets the board and the executives because the service Insicon provides goes beyond the technology stack.
"It's more about how do we realise the potential of the technology investment that companies already have,” Miller said.
“One concern that we have picked up is that we've [collectively as an industry] spent $50 trillion over 50 years, and we're still no more secure, but I think that's not so much the technology's problem - it's more our ability to manage it and to measure it.”
Question: Personal liability for directors and business owners is an increasing area of interest to our audience - to what extent is that creating more engagement for Insicon?
That's still evolving from our perspective - people are aware of it but they're not educated. There have been so many changes in the Privacy Act lately – of the 116 proposals in the Privacy Act Review Report, the government agreed to 38 - but a lot of that is around personal liability, even to the point where ASIC has now got elevated powers for publicly listed companies, so that whole compliance or regulatory environment at the moment is changing fast. Board members are a lot more aware of their liability, but they're still learning and still educating themselves about what that means to them personally.
The government has introduced an industry professionalisation scheme for cyber security - what are your thoughts on this?
I do see the need for professionalism. [The government] has done a lot of good stuff lately around the Essential Eight, so that is like a magnet to the professionalism part - implementing the Essential Eight is [a process] done with care and you need to ensure that the people that you have out there are professional enough to implement those types of frameworks, because organisations have to live with that and have to operationalise it. It's an important thing, and the investment that we get from the government to professionalise our industry is critical.
Are you seeing any shift in the criteria and credentials customers are looking for from tech partners and vendors? What do you think about the likes of ISO27001, SMB1001, APRA CPS 230, etc.?
It’s a moving target for people like us but we've put a stake in the ground and said ISO27001 is the best certification that Australian companies can go with. It's comprehensive, it's multi-discipline, it's all of business and it's not just technology. There are four major components to it: technological, organisational, employee and physical, which encompasses the whole organisation, but it's not for everyone. A small business would struggle to implement ISO27001, so therefore our recommendation then is to go with something like the Essential Eight, which the Australian Signals Directorate put together.
Funnily enough, it's harder to implement Essential Eight when you're bigger, whereas it's harder to implement ISO27001 when you're smaller. You can throw another one in there too, like the NIST Cybersecurity Framework. What we do is we cherry-pick the best of all the certifications and bring them together and say to the customer, ‘this is what you should look like’.
The important thing to note is that ISO27001 is the only certified best practice; the other two are frameworks, so you can only align to them or attest to them, so it's a self-assessment process, whereas ISO27001 is an international standards body and you do get a certification at the end, and that's what people want to see - what's your certification? There's value in that certification.
We haven't had too many customers come to us with SMB1001 at the moment, but it's a watered-down version of ISO27001, and again, it's not a certification, so you're still missing that piece of paper at the end of it. I do believe that both the Essential Eight and the SMB1001 are going to be certifications in the future; if not, they should be, so at least people can see that they've done the right thing by the business and by their customers. APRA CPS 230 and 234 are very relevant – but it's another certification on top of other certifications. It's very hard to work out which one's the dominant one.
We’re seeing some vendors pitch the concept of real time compliance for business users (e.g. with regulation, contracts and SLAs) – is there a shift coming in the compliance space?
It's coming like a tsunami and that's why we've tried to get in front of that. We've built the appropriate castles around our businesses, but are all the doors closed and are all the windows locked? Compliance is making sure that you've got that person making sure that you stay compliant. It's really hard to do.
If you look at something like ISO27001, you get externally audited every 12 months. You get recertified every three years. If you're not on top of it from a real time compliance perspective, you basically shut down your business while you go through those audits and it's really intense.
Real time evidence collection and compliance management is exactly what we do to make sure that we take the weight out of those audits, because real time compliance is nirvana. That's where everyone wants to be, but it's such a manual process.
Are there any trends you’re seeing emerge around the cyber security consulting space?
The number one topic that we answer all the time is around AI, which is a very valid question, especially in the adversarial sense. Generative AI is there to produce, adversarial AI is there to be used in a malicious manner and that's where we're focusing our efforts around that adversarial space.
I think the vendors are really ramping up their efforts to be able to detect and respond against this new wave of attacks like deepfakes, because the efficacy of those old-school attacks, such as phishing, has gone through the roof because of AI. Grammar, spelling and all the things that we could, with the human eye, predict [to be AI] have all gone away because AI's cleaned all that up. We're now looking for localisation of language, as opposed to spelling mistakes. It's a different way that we're looking at the same attack.
Now, the AI detection engines are a lot more sophisticated. That helps us a lot, because we can respond to these things a lot quicker. We're seeing that it's the state-based actors [who are using adversarial AI], because they have the technology, power and energy to do it en masse. The resources are just phenomenal. It's very hard for an organisation in Australia to compete against that because you’re competing against a nation state.