Published on the 10/12/2021 | Written by Heather Wright
It’s all about leadership…
Helaman Tangiora admits that only a few years ago, he didn’t have a great attitude when it came to cybersecurity.
“I used to be the bad attitude guy, downloading stuff and so on. I had to have a massive change in my mindset around the importance of cybersecurity,” Tangiora, head of digital transformation for Tainui Group Holdings, says.
That change came in 2017, when Tainui Group Holdings had its first audit focusing on cybersecurity controls.
“At the same time the Institute of Directors had started to talk about it a lot and I had just seen it on the landscape that our directors were asking more pointed questions around what we are doing.
“We need health and safety for data, and it’s not there”
“From that point on there was no way I was going to drop the ball with this, so over time I’ve forced myself to become good at this and made cybersecurity a big part of my daily activities,” he says.
Today, Tangiora, who will be speaking at the 2022 NZ Cyber Security Summit in February, believes cybersecurity should be viewed in the same way as health and safety for businesses and be just as visible to everyone within the business.
“Health and safety is really big at the moment. That’s the attitude change we need around data. We have to do things in a similar way and have a sense of urgency around having strategies and plans.
“We need health and safety for data, and it’s not there,” he says.
“The information I get from our vendors is that New Zealand is immature in its approach to cybersecurity and we need to be more realistic and also more thoughtful about it.”
That includes IT teams moving front and centre with the cybersecurity message.
“Leadership and influence are the first part to developing a cybersecurity strategy for business agility and resilience,” he says.
“You’ve got to be a better leader, have the uncomfortable conversations and lead from the front, because who is going to be a champion of data if you’re not?”
For Tangiora, that means ensuring that cybersecurity is front of mind not just for his board and executive teams, but for the wider business.
Just as the organisation puts out health and safety messages every week, so Tangiora has mirrored that with cybersecurity.
“It’s important to be out in front of people, ensuring everyone knows it is really important to us and that everyone has a role to play and needs to understand their role as a digital kaitiaki. You are a digital guardian of our information for our organisation.”
He’s proud of the fact that some of Tainui’s users who are in their 70s are now well versed in detecting phishing emails, and know what to do.
“Cybersecurity is around protecting the most vulnerable and critical assets. It’s around understanding our digital life.”
But he says, often users have poor cybersecurity practices in their private lives – poor password management or a lack of backups.
“People come from home into the corporate environment, and we can’t even validate that they know what safe looks like. Someone turns up at your workplace on the first day and we just assume they know how to use systems safely. Do they really? Do they know what safe looks like?”
Tangiora’s journey has seen him working to understand people, processes and technology, and implementing strong, robust frameworks, such as the NIST cybersecurity framework, while connecting with thought leaders from global providers to the National Cybersecurity Centre and NZ Cert, to ensure he’s across changes in real time.
“It’s about the controls you put in place to protect your environment and data and understanding what your real risk is and making sure you have the right level of control for the level of risk facing that particular piece of data or application.”
He admits it’s hard work, with cybersecurity now accounting for up to 30 percent of his daily workload.
“Cybersecurity is a business priority.
“If someone has a fall at work that’s not going to take the business down. But one slip or fall in cybersecurity and the whole business could go away. We know the stakes.”
And he’s open that there aren’t any shortcuts. But it’s also not rocket science.
“There’s a method to do cybersecurity well and it’s well known,” he says, noting that current advice is largely directing organisations to zero trust with some security automation and AI, along with having strong policies.
“There is no magic pill. It’s just hard work and sticking to the basics.”
When it comes to breaching an environment there are two ways – hacking people and hacking technology.
“Hacking technology means you have a vulnerability or an unknown exploit that you haven’t patched yet. That’s one way in.
“If you haven’t got a policy that tells you how to update your computers and how to maintain them and update all your infrastructure, or you don’t know what your assets are, you can’t patch them. You don’t know where they all are.
“So the basic take away there is understand your IT environment, understand what is important and keep a record of it. Know the basics. Those are 101s and everyone will tell you those.
“All your policies and procedures, are they any good, can you read them, can anyone pick them up and understand the language of what to do and why it is important? And how it fits into the context of the rest of the business.
“It’s about leadership and doing the basics well.”
Hear more from Tangiora and other security practitioners at the 2022 NZ Cyber Security Summit which returns to Wellington – and online – February 15-16. Super saver pricing is available until 17 December.