In the face of escalating cyber threats, non-cyber professionals are pivotal defenders. Here, Christina Arcane, Cyber Security Educator and PM-Partners Training Facilitator, explores cyber security as a whole-of-organisation issue and what roles across the project, change and business spectrum can do to build cyber resilience, while at the same time advancing their careers.
In an era dominated by digital transformation, cyber threats have emerged as one of the foremost challenges facing businesses across the globe. Australia, with its highly interconnected business landscape, is no exception. Our governments, businesses and critical infrastructure (or, more specifically, the valuable data they hold and the services they maintain) are all attractive targets for malicious cyber activity. Against this backdrop, cyber security, once considered the sole responsibility of IT, has become a concern that permeates every facet of an organisation, encompassing everyone, including project managers, business analysts, change managers and functional staff.
The rising tide of cyber attacks
Recent years have seen a significant surge in both the quantity and sophistication of cyber attacks. According to the Australian Cyber Security Centre, there were 94,000 cybercrime reports in the 2022-23 financial year, marking a 23 per cent increase over the previous 12-month period. From elaborate phishing schemes exploiting unsuspecting employees to crippling ransomware attacks, the impacts on businesses can be devastating.
Last year, nearly half the country’s 26 million population had personal information stolen in just two corporate data breaches, and already in the first few weeks of 2024 there have been multiple breach notifications, all with the potential to compromise data, disrupt operations and erode public trust. But aside from the shocking statistics, what these events particularly highlight is not just a need for greater investment in advanced cyber security monitoring technologies, but a glaring lack of awareness and capability among non-cyber professionals.
Upskilling non-cyber roles
A recent cyber incident at The Iconic provides a useful case in point. The online retailer was not directly hacked; rather, customer accounts were reportedly accessed using stolen logins from other compromised websites, a practice known as credential stuffing. In these scenarios it is typically the customer service and fraud teams who first become aware of the problem, not the security team. But without the cyber know-how to recognise the events for what they are, or the skills to mount a best-practice response, they are ill-equipped to minimise the fallout, which in the case of The Iconic included fraudulent transactions and angry, disgruntled customers.
The same holds across every core business function. Security is not inherent to most roles. As such, it is only by acquiring essential cyber knowledge and skills that professionals across the spectrum can ensure their projects, products, tools and processes take account of, and adequately address, the vulnerabilities in their domain.
Key areas of consideration for non-cyber roles
As the frequency and severity of cyber incidents continue to escalate, it’s imperative that non-cyber roles recognise the gravity of the situation and step up to the challenge. Here we look at the areas you need to consider on this journey and how you can improve your contribution to safeguarding organisational boundaries.
- Risk management: In the project realm, cyber risks must be planned for at the outset and integrated into your existing risk framework and approach to minimise adverse impacts. Likewise, every other function across an organisation has processes and tools that can expose it to cyber risk. Understanding how cyber actors might exploit potential vulnerabilities, documenting risks and taking steps to mitigate them is paramount. The Iconic example shows how the overall response from teams outside the cyber security function contributed to customer frustration and reputational damage. Could the outcome have been different if these teams were better equipped?
- Regulatory compliance: Being across the cyber governance rules and regulations affecting your domain is also critical. For business analysts, for instance, this would include your obligations under the Australian Privacy Act 1988. You need to understand the 13 Australian Privacy Principles that govern the management of personal information to ensure that your systems comply with legal requirements. Additionally, if your company holds certifications such as ISO 27001 for information security management, there are specific requirements that must be met.
- Security policies and frameworks: Establishing robust policies and procedures that fully consider security requirements, instead of just prioritising business objectives, helps create a solid foundation for cyber resilience. In the last ABS Characteristics of Australian Business survey covering the year ending June 2022, only 8 per cent of businesses reported having a formal policy or policies in place to manage cyber security risk. Being familiar with and contributing to the development of these measures will help to reduce the impact and risk of cyber incidents and inform others on how to respond in the event of an attack.
- Roles and responsibilities: It’s important to remember that security is not inherent to most roles – even those in IT. Having the right people in the right roles is critical for any initiative. For programme or project managers, this means understanding the full picture, including what a cyber attack or vulnerability might look like. It’s only by knowing what the context is that they can set the tone for security across their teams and plan and deliver on the right outcomes. To this end, ensuring cyber-related accountabilities are clearly defined, communicated and understood is essential.
- Supply chain security: Supply chains increasingly rely on fully integrated solutions to work efficiently. A recent attack at one of Australia’s largest port operators, DP World, forced it offline for three days, bringing freight movement to a virtual standstill. For non-cyber roles, assessing and improving how you work with your supply chain is essential. How do you ensure your business is not affected if your supply chain is? What data are you sharing, and how are you sharing it securely? What personnel are involved, and how are you securing communication channels?
- Business continuity and disaster recovery (BCDR): In most circumstances, non-cyber roles including product owners and operational staff are the ones who own the BCDR strategy and plan (not the cyber team). These groups know more about an application or process and how to maintain services after a disruption. Being able to also consider and account for potential cyber-related disruptions, and to actively contribute to the creation and testing of more robust plans, is therefore vital to support an organisation’s ability to remain operational in the event of a cyber incident.
- Security awareness and culture: Building a cyber security-aware culture is the only way to truly protect an organisation, because it gives maximum visibility of vulnerabilities. This is more than basic compliance training; it requires a collective effort to equip every person who accesses your systems with the right knowledge and behaviours. Every role has a responsibility to champion security awareness and foster understanding of threats and best practices. The ABS study referenced above also found that only 13 per cent of businesses were investing in cyber security awareness and training for staff, so there is much room for improvement on this front.
Challenges and opportunities faced by non-cyber professionals
The journey toward cyber security excellence is not without obstacles. Project professionals and those in other non-cyber functions often struggle with a lack of understanding around technology, poor cyber security literacy and general resistance to change. But as malicious actors continue to show the intent and advancing capability to compromise systems and data, organisations urgently need these roles to step up. Overcoming these challenges is both an organisational imperative and an opportunity for aspirational employees to develop their skillset and boost their employability.
Cyber security skills are among the most in-demand skills for 2024, particularly in sectors like finance, health and retail. What’s more, cyber security awareness and best practices will only become more sought-after, driving the need for more people to take the lead on cyber advocacy – something cyber security teams are unable to do on their own.
Research shows that most large companies are handling more than 1,000 security alerts per day. Combined with a severe talent shortage, cyber security workers are increasingly experiencing prolonged mental stress and burnout. In today’s climate, every professional should be part of the security team, identifying vulnerabilities, raising cyber risks, applying logical controls and building secure products and services.
4 steps to build your cyber security skills and resilience
Regardless of your role, there are some simple ways to start building your own cyber capabilities and those of your team:
- Invest in cyber security education: Enrolling in a tailored training program, such as PM-Partners Cyber Security for Project Professionals, is an excellent way to boost your understanding of today’s threat landscape and gain essential skills you can immediately put into practice. Run over two days and designed specifically for those without prerequisite knowledge of cyber security, the course equips participants with the ability to identify cyber threats applicable to their function and apply effective cyber security measures and controls that make sense in their context.
- Bridge the communication gap: Non-cyber professionals should actively engage with their IT and cyber security counterparts. Developing a common language and understanding between technical and non-technical teams is vital for effective communication and collaboration. PM-Partners’ course helps to break down complex terms, enabling both project and business roles to unravel how events are connected, ask the right questions and engage in and drive critical conversations.
- Advocate for a cyber security culture: All roles, especially managerial ones, can help to promote a cyber security-conscious culture within their organisation. Take a proactive stance by encouraging regular training sessions and disseminating relevant information. Whether you have just one direct report or several, emphasise the role each individual plays in maintaining a secure environment and be the role model for cyber security best practice across the team.
- Stay informed: Professionals must recognise that today’s cyber security environment is complex and dynamic. Staying informed about the latest threats, vulnerabilities and best practices, and seeking advice as and when necessary, is critical to navigating the digital frontier effectively. Commit to continuous learning and regularly update your knowledge to adapt to the ever-evolving landscape and its impacts on your domain.
The pervasive rise of cyber threats in Australia calls for businesses to prioritise cyber security and demands a collective response from professionals in various functions. Beyond the obvious IT impacts, cyber incidents have the potential to derail projects and change initiatives, expose customer information and even halt Australian trade.
Non-cyber roles must step up, enhance their knowledge and understanding of key cyber concepts and boost their cyber security literacy. By taking proactive steps and leveraging educational opportunities, you can actively contribute to fortifying the people, process and technology lines of defence. This not only ensures you play a more pivotal role in strengthening your organisation’s cyber resilience but will also help to build essential skills for the future. By bolstering your toolkit of skills you will be better able to adapt to challenges as they arise and further your career goals.
Ready to step up to the demand for cyber security capabilities? With PM-Partners Cyber Security for Project Professionals course you’ll not only gain essential knowledge and skills but discover new career possibilities. For more information or to enrol, contact us online or call our team on 1300 13 14 today.