RBA banks on operational resilience to tackle organisational threats

The Reserve Bank of Australia's CIO believes it is operational best practice to employ a resilience strategy.

Cybersecurity is an inherent dimension of operational resilience and is something that can stop an organisation in its tracks, according to Sarv Girn, chief information officer at the Reserve Bank of Australia (RBA).

Detailing what a day in the life of a CIO for Australia's central bank is like, Girn painted a picture of what he called RBA's operational resilience strategy.

He told an audience of CIOs that while it can be tempting to use the many industry surveys to depict the risks and threats in their own environment, it is not often wise to do so.

"Knowing the heartbeat of your own environment and how it prevents, detects, and responds is a far healthier option," he said, speaking at the Gartner Symposium/ITxpo on Wednesday.

Girn said the RBA places a lot of importance on this, so that appropriate defences can be established as the threats change.

"For example, almost 70 percent of the emails we receive are malicious in nature," he said. "Making sure we analyse and understand the risks in these is critical."

Further to this, Girn said the RBA's external perimeter, like that of most organisations, is faced with a barrage of scans and probes, noting the bank faces one probe every two seconds.

"Metrics such as this help to serve and understand the risks to our environment so that pragmatic, cost-effective mitigating controls can be established," he explained.

"For some, a focus on operational maturity and resilience may seem boring, basic, and business as usual, but in the digital economy, your brand and very existence may well depend on getting this right."

According to Girn, the bank takes this very seriously, ensuring it actively engages in effectiveness and resilience testing.

For example, the RBA undertakes a biannual exercise testing its business and technology continuity by running its entire operations from a second datacentre, and runs quarterly rotations of the systems across its dual sites so that at any point in time it can switch the processing of critical systems from one site to another.

"This proved its worth during the Lindt cafe siege in 2014 which took place a few metres from the bank's building," Girn said.

"Within minutes of the incident we switched our platforms to operate out of our second datacentre.

"The next day, the bank's business operations all took place out of the second site whilst Martin Place was closed off to the public.

"Operational resilience didn't seem that boring on that day."

Disclosure: Asha Barbaschow travelled to Gartner Symposium/ITxpo as a guest of Gartner.