Cyber Security Featured Leader

Matthew Fedele-Sirotich of CSO Group on strengthening one’s cyber resilience


The threat of cyber attacks continues to loom large over individuals, businesses, and governments as the increasing use of technology has provided cyber criminals with more opportunities than ever before.  

From ransomware attacks to phishing scams and data breaches, the consequences of these attacks can be devastating, resulting in financial losses, reputational damage, and even physical harm.  

It has become clear that the need for improved cyber resilience has never been greater, and individuals and organizations must take proactive measures to protect themselves from these threats. 

As such, Public Spectrum has reached out to Matthew Fedele-Sirotich, the Chief Technology Officer (CTO) of cyber security company CSO Group.  

Matthew has previously worked as a CISO at the NSW Department of Customer Service, where he led its cyber security strategy. 

Before that, he was CISO at the NSW Department of Communities & Justice, where he led a first-of-its-kind (globally) zero-trust security remote work deployment.

In his role as CTO, Matthew will lead the internal and external technical delivery capability for CSO Group and its customers, which include state government departments countrywide. 

In the interview, Matthew discusses how organisations can strengthen their cyber resilience. 

With how volatile the cyber security landscape is today, do you believe that organisations are well-equipped against cyber attacks?

There is no single answer to cover all businesses but hopefully, some recent reforms to Australia’s privacy legislation will more appropriately standardise a response in the future. In my time within the cyber security industry, I have seen some excellent practices within both the private and public sectors. However, I have also seen extreme risk that has either been accepted, ignored or not identified by the business.

If we focus on the organisations that are taking cyber security seriously and have good practices in place, I am of the opinion they are trying to manage their risk effectively. Unfortunately, our attackers are not encumbered with legislation/legalities, financial statements, boards, funding cycles and procurement controls. As such, their ability to respond to and exploit change is unmatched.

A business’s only protection is multi-layered controls that provide breathing space before we can respond more appropriately. Given this, I believe that there is always more that can be done, but this is limited by the organisation’s risk appetite, understanding and finances. 

During your time as CISO within the NSW Government, what were your strategies for addressing the vulnerabilities within your technology systems and infrastructure? 

Upfront and open conversations with management to prioritise which risks were addressed, which were reduced within appetite and which were accepted. My firm belief is that it is not a CISO’s job to make these decisions for a business. Our role is to identify risk, present options and work with business owners to prioritise and action appropriate mitigations.

Beyond this, my strategy has been to consolidate: Consolidate the cyber teams, technologies used, processes followed and vendors partnered with. This approach supports the efficient use of funding and delivers repeatable outcomes. But more importantly, the approach should enable the organisation to respond far more quickly to a changing threat landscape. 

How can organisations measure the effectiveness of their cyber resilience efforts and make improvements over time? 

All measures are not equal. Furthermore, great measures for one business hold no meaning for another. It is important to first understand the ‘currency’ of the organisation – the terms that carry value for the organisation.

Next, we need to build measures that help tell a story of how your cyber team is doing in enabling or delivering upon the organisation’s goals and mission. Measures that adhere to these two principles enable executive stakeholders to build tangibility and appreciate the cyber program. As a practitioner of cyber, you will require a myriad of other metrics that enable you to track the current state and measure the effectiveness of your changes.

During my time as a CISO, one of the core lessons I learnt was to design with metrics in mind. We don’t implement new security tools for fun (let’s be honest, the cyber teams do think it’s fun – but there has to be a purpose that management has bought into) and we don’t change organisation processes without reason.

It is important to identify the reason a change is being made and at the point of implementation build metrics that enable success and efficacy to be measured. 

What are your future plans as the current CTO of CSO Group?  

Having been a CISO for many years, I have a unique appreciation for the needs of CISOs and businesses. My intention is to truly partner with our clients and deliver services that I would appreciate if I were the client – security services designed and operated by a CISO for a CISO.

My personal goal is to make CSO Group the Cyber Security solutions partner of choice for Australian businesses. Having been a customer of the organisation previously, it became clear the organisation is different to other providers and has a capacity that other consultancies and system integrators don’t. My conviction in this belief is so strong I pursued an opportunity to be a part of their leadership team. 

Eliza is a content producer and editor at Public Spectrum. She is an experienced writer on topics related to the government and to the public, as well as stories that uplift and improve the community.
