NBN pushing its unified security model for wider adoption

NBN's chief security officer is urging organisations in Australia to give one individual responsibility across all things security, just like his company has done.
Written by Asha Barbaschow, Contributor

Darren Kane, chief security officer for Australia's National Broadband Network (NBN) company, has called on organisations in the country to treat physical security, cybersecurity, personal security, and forensics as one in the same, and appoint a single individual that is responsible for the entire security remit.

Speaking at the SINET61 conference in Sydney on Tuesday, Kane said that one of the reasons he stepped down from Telstra and went across to NBN was because the company was an "immature organisation that was growing".

He said it was an opportunity for him to actually explain to CEO Bill Morrow and his board that NBN needed to have a single accountable individual that owned the word security.

"That means that I have responsibility for cyber; I have responsibility for the hard shell of the security operations which is the physical and personal security of every individual and contractor within the company," he said.

"I have a single budget; I don't compete with IT and I don't compete with risk, or physical security of property or facilities -- my budget is my budget and I manage security from that budget."

The title of CSO means Kane has responsibility for the 5.7 million homes NBN has already run past and the 2.4 million homes that have been activated. By 2020, that number is expected to be 8 million homes.

"Those people will not only be connected through comms, but they'll also rely on electricity, with a dependency on water, finance, so forth, so to actually be the person responsible for security for NBN is a big role," he explained.

He said that with approximately 1.8 people per household, that's around 20 million people connected across the country that Kane is responsible for from a security perspective.

"An issue I would like to throw open to the community is to say, 'At what stage do we step up and say we should treat security as a pertinent issue of our critical infrastructure'," he said.

"And by that I mean we actually combine the accountability under one senior executive who actually prepares that accountability for the organisation to manage the risk."

Although not from a technical background, Kane said he has bounced off those who are, likening it to the way a CEO doesn't know how to run HR, finance, IT, or operations.

In the event of a breach or critical infrastructure outage, Kane said without a single individual holding the responsibility, the buck often gets passed between other C-level executives or even down through different managers.

Pointing to the National Australia Bank and its CISO Andrew Dell, Kane said there's no reason he couldn't be the bank's CSO.

"There's absolutely no reason why he couldn't hold personnel and physical security -- he's a very capable person who through osmosis will pick it up in 18 months," Kane explained.

"In the meantime, he will rely heavily on trusted advisors and delegates under him to actually manage that for him.

"There's no reason why Andrew couldn't have the expertise in cyber and then have the expertise of managing the physical."

Kane said that if an organisation has a strong enough personality, it can actually manage all the lines of defence.

"You've got to take security from behind a locked barn door," he said.

Editorial standards