Building cyber resilience and incident response best practice

Ryan Janosevic shares his thoughts on the inevitability of cyber breaches, how companies can respond to those incidents, and why diverse skills in the workforce are essential in the fight against cyber threats.

Are cyber breaches really inevitable? If so, how should you prepare your business to respond? Ryan Janosevic, Co-founder and COO at Retrospect Labs, discusses cyber resilience and incident response, as well as the value in looking beyond tech skill sets when growing your cyber team. 

What is cyber resilience?

Resilience obviously has many meanings, but for me it’s really about preparedness. It’s about your ability to respond when something bad happens. It’s about building that muscle memory – getting your organisation, your teams and your staff ready, and maturing your processes to make sure they are elite at what they do.

Something will eventually happen, as it always does in the cyber world. The bad guys are out there. They’re highly motivated and they’re coming for us. So being able to respond to it quickly and effectively means you can get back to doing the day-to-day business and ensuring the continuity of your work.

That’s what readiness and resilience really is for me: it’s about knowing how to respond and being prepared for something bad. 

Why is resilience so important – is it because of a breach’s inevitability?

That’s a good observation. But I think we’ve seen – over the last several years – a real increase in attacks. The amount of malicious cyber activity that’s out there is widening in terms of who these malicious actors are targeting.

When I first started out working in cyber, it was the end of 2012, early 2013, and there was a lot of ATP (advanced threat protection) state-sponsored cyber activity targeting the big end of town. But over the last several years, we’ve really seen that shift. Now you’ve got cybercriminals targeting mums and dad, small businesses, even individuals for their own financial gain.

The risk that we all face as a result of cyber has increased so much over the last few years that it really is inevitable that in some way, shape or form – whether it’s privately or in a business sense – we absolutely will suffer from some sort of incident, if not multiple ones, during our lifetime. That can be pretty scary for people. It’s why we need to focus on building, upskilling and maintaining that readiness and that resilient pace throughout all sectors of the economy.

Do you think Australia is prepared for an attack on our critical infrastructure systems?

No great surprise – I don’t particularly think we are immediately ready for that. In fact, I think most countries aren’t. We’ve seen a fair bit of evidence of this if we look internationally at some of the most cyber-mature countries that have had heavy regulatory requirements for a long time. Some of the organisations within those countries have found it really hard to respond to a variety of cyberattacks.

I think we’re quite lucky in Australia that we haven’t yet been hit as hard as other countries, even though we are targeted extensively. We haven’t quite seen the scale of attacks that other countries have. Certainly, we haven’t yet faced the type of attack that is intentionally trying to degrade the services of a critical infrastructure provider, like a successful attack on an energy company.

But if we look at those incidents overseas, it’s pretty scary to think about the impact that they’ve had. It’s a good reason why Australian organisations and the Australian government should be focusing heavily on improving our defences, readying ourselves and having that discussion around how we uplift the entire economy to be truly ready to face cyber threats. They certainly are not going away any time soon.

We hear a lot about cyber being the domain where the next war will be carried out. We know that it’s pervasive through all of our lives as we become more and more interconnected through a multitude of devices. So at every level, in every part of our lives, we need to do a little bit more work to be properly prepared for it. 

One of the steps towards maturity is the Security Legislation Amendment (Critical Infrastructure) Bill 2020. Why is it so important that we’re starting to legislate for critical infrastructure explicitly, and how should it be protected?

Firstly, I think it was great to see the level of discussion that government and industry had in forming that bill. It was really unique and wonderful that we had the opportunity to have so much input as private industry into what the government is trying to legislate. Full kudos to the government for listening to the industry’s feedback.

I think what the Critical Infrastructure Bill really provides, though, is a great common ground for us to all focus on. I know there’s a lot of talk about it potentially being the first step towards regulating cyber, and regulating certain industries. But I think if we look at it from a more positive light, it’s exciting to have a common benchmark for us to all focus on, trying to make so many different industry standards, industry frameworks that we can pick and choose from.

From an Australian perspective, this is a great first step in trying to deliver some of the government’s expectations and goals for all industries, not just critical infrastructure. It’s great to see the discussion starting around it, and we’re excited to have a common benchmark that makes it clear what we should be aiming for and the consequences if we miss it. 

We hear a lot in Australia about the need for more cyber-skilled professionals in the workforce and issues around the skills shortage. But do you think there needs to be more focus on the diversity of skills in cyber, and not just building the technical capability?

I definitely do. I’m big on diversity and I don’t say that lightly. It’s incredibly important if we’re going to overcome the complex issues we face in cyber. If we’re going to develop the right solutions to overcome the myriad issues we are facing, we need a wide variety of people with a wide variety of skill sets to come together and work effectively. That means broader skill sets that complement technical skills are absolutely critically important.

I’d love for us to move away from being quite so obsessed with industry qualifications or letters after your name. They are important tools, yes, but I think we should focus more on the aptitude of people – what they are bringing to the table. Not just their experience, not just their technical prowess, but what the broader skill sets are – the broader strategic, critical-thinking skills that people can use to help solve some common cyber issues with fresh eyes.

There was a really great article recently that talked about humanities graduates and how useful they can be to overcome some of the cyber-skills-shortage problems we have. As a humanities grad myself, I wholeheartedly agree. But I think we can be a little bit too focused sometimes on the technical side. We sometimes neglect the fact that cyber is a skill that can be learnt; you don’t always need a ton of hands-on keyboard warriors.

If we look at incident response as just one domain of cybersecurity, it’s increasingly about managing the media, managing your senior executives, communicating effectively with all of the stakeholders and managing the whole incident-response process. So we need people who are skilled in all these areas, not just people who can do the ‘ones and zeros’ behind the scenes.

That is what’s going to help us capitalise on this cyber focus that we’re going through at the moment. Being able to bring a bit more diversity to the table is going to help make us much more competitive globally, and much more effective operators in an organisational sense. Ultimately, it will help us build far more capable teams and people.


Want more insight into the world of security, identity access management, biometrics and more? Get your fix with the IDentity Today podcast, hosted by Daltrey MD Blair Crawford. You can start on Episode 1 here or listen via Apple Podcasts, Spotify or your favourite podcast app.