Quick Q&A with Garry Barnes


Editor’s Interview with Garry Barnes, Practice Lead, Governance Advisory, at Vital Interacts, Australia, and former ISACA Board Director

According to Gartner, by 2019, 40 per cent of large enterprises will require specialised, automated tools to meet regulatory obligations in the event of a serious information security incident. Cybersecurity governance expert and former ISACA board director Garry Barnes presented at CeBIT in Sydney on the business implications and benefits of automated cyber security defences, including the technology currently in use and best-practice implementation.

EDITOR: You outlined that you found it relatively hard to find proactive, supportive and enabling automation. Taking an InfoSec lens to business, you have created a credo that if you can eliminate the security budget just down to ‘your’ salary, then the business has embedded security. Can you expand on these concepts?

Garry Barnes (GB): My research was not exhaustive, but the majority view was that cyber security primarily equated to threat detection and incident response and not “secure Internet-enabled business”. This means that security becomes a discrete function protecting the business against diverse threats. An information security lens, however, would highlight business value in information assets and information services and would seek to establish the appropriate control model based on those values. This means a CISO can better align security activities with the cost of doing business, and help product or service owners recognise these costs as a function of revenue, sales, growth, etc. This in turn means a security budget may be able to apportion those back into the business functions. In this way, the business is taking ownership of security and it enhances their learning about risks and opportunities and the acceptance of risk. The challenge is that there is danger in complacent acceptance of cyber risk, but the intent should be to have the business leaders making those decisions, rather than the CISO…
