KBI Media is bringing you a preview of presentations from the upcoming Australian Cyber Security Conference in Melbourne. On 28 November 2024, Dr Ivano Bongiovanni, General Manager, AUSCERT, will be unveiling insights from cutting-edge research to unpack how decisions are being made in cybersecurity.
Dr Bongiovanni recently undertook research to discover the driving factors that influence cybersecurity decision-making in Australia, with the aim of helping the industry identify potential biases before making decisions and determine the key factors that matter most.
Across 2022-2023, Dr Bongiovanni conducted in-depth interviews with 36 leading cyber professionals across six organisations, at various hierarchical levels: strategic (boards, CEOs and CISOs), tactical (risk managers, GRC specialists) and operational (SOC analysts, security engineers).
He found that the factors that impact all decisions in cybersecurity mainly stem from four sources: industry, organisation, team and individual.
At the industry level, regulations and the positions of overarching entities, including government and regulatory bodies, influence decision-making by cyber professionals. At the organisational level, risk posture and economic considerations, including budget constraints, are significant factors.
At the team level, the usage and availability of tools, in particular threat-visibility tools, are key influences, while at the individual level, personal attitudes, proneness to risk, and conscious and unconscious bias are determining factors.
Dr Bongiovanni also confirmed that, regardless of their hierarchical level, cyber professionals tend to be very wary of the role of regulations and the importance of understanding the organisation's risk appetite, something that is not always true of other functional areas. Deference to expertise, therefore, and not hierarchy, should be the driving approach when making cybersecurity decisions under duress, he believes.
The research showed that tactical individuals, for instance risk specialists, have the potential to become the "glue" that connects cybersecurity to other organisational areas and departments.
He also found that reliance on conversations with external stakeholders mainly occurs at the strategic level, while operational individuals tend to rely on their internal networks.
As a result of the findings, Dr Bongiovanni's three key pieces of advice for board members are:
- Make sure the board has visibility and understanding of regulations but be wary of ageing ones. Effectiveness in promoting cyber-maturity needs to be complemented with non-regulatory measures, for instance education, awareness and testing.
- Reflect on decision-making in your organisation and ask management to map out decision-making processes for cybersecurity. What process are they undertaking? What touchpoints are they factoring in? Are decisions made in a proactive or reactive way? Ask for enhanced visibility on this.
- Ask management for metrics to assess the quality of cyber-decisions encompassing anecdotal, qualitative, semi-quantitative (qualitative data with numerical values) and quantitative (KPIs).
Dr Ivano Bongiovanni is the General Manager of AUSCERT, Australia’s first cyber emergency response team (CERT), and one of the oldest CERTs in the world.