In her day one closing keynote at Gartner's Security and Risk Management Summit yesterday, ex-Chief Commissioner for the Victorian Police Force, Christine Nixon, discussed her time in such a high-profile leadership role, drawing parallels between restructuring a corrupt drug squad, catching a notorious crime-lord, and managing risk in today's business.
Having joined the New South Wales police force in 1972, Nixon became the first female assistant commissioner in the state in 1994, just three days before a royal commission into the police force was announced.
"It wasn't my fault, but I was held accountable, just like everybody else was," she said. "If you want to reduce risk, you need to hold people accountable."
Nixon said she was told at the time that if she did not know, she should have.
In 2001, Nixon was appointed as the Chief Commissioner for the Victorian Police, a 14,500 people-strong organisation spread across 550 locations, in a role that she branded as a challenge, coming into the organisation as an outsider.
"Sometimes to figure out your problems, you've got to be an outsider, you've got to have someone who comes from another place," Nixon said. "The lesson in that is about how close you get, you sometimes don't see the issues you've got to deal with."
In April 2001, Nixon assumed her appointment as Chief Commissioner, and asked for a briefing. She said what was returned to her a few months later was centred on the significant allegations about corruption made against the Victoria Police Drug Squad. She said that this was a very good example of risk, and risk management, telling the drug squad team of 80 people they were in a serious space, and some of them had damaged the organisation very badly.
"For those of you who are crooks, I'm going to spend as much time and as much money as it takes to get you. Trust me," Nixon said, recalling her speech to the drug squad. "Those that are not, how did we get here?"
Nixon said that asking the people involved is a really important thing. She said that among the risky strategies employed by the squad, one in particular, branded "buy and bust", was exceptionally risky. The strategy would see an undercover member of the squad buy drugs from a dealer and then have that individual arrested. However, Nixon said, they took this too far.
"They went a bit further. They went to the chemical manufacturers and decided they would set up deals with them. They would then put the amphetamines into the market, and they allegedly would track them, and allegedly get the bigger dealers."
Nixon said her reaction to the strategy was, "You're not serious are you? We put large amounts of amphetamines into the market and we sell it."
The ex-chief commissioner said that there were no statistics on how many drugs were recovered or on-sold. She said it is a strategy that deliberately puts everybody at enormous risk, and she demanded it be stopped immediately, much to the dismay of her colleagues. She changed the systems and strategies, and even appointed a new drug squad.
Nixon also talked about a pair of senior constables who drove the same expensive four-wheel-drive cars, which were above their means for the time, yet nobody had thought to investigate this as suspicious.
Nixon then discussed her dealing with drug boss Tony Mokbel, his organisation, and the risk management strategies he put in place.
"He ran this very interesting organisation," she said.
Nixon said that when he had cash, he would buy houses, source someone to live there, put it in their name, and demand money from the impending sale when the time came.
"This was a very interesting risk management strategy," she joked.
Mokbel would bury money and jewels in the property as another risk management practice, Nixon said, and he was never far away.
"Eventually he decided the risk to stay around was too much, and he disappeared.
"The further away you are from where the crime is, the harder it is for you to control. And while he was away, his whole network got very nervous, other people tried to cut in, including the police."
Nixon said that whilst the drug lord was in Athens, he tried to control his network in Melbourne, but it became increasingly vulnerable, and the Victorian police were able to eventually track him down, motivated by the knowledge that if Mokbel was caught, he would offer AU$1 million to a corruption-riddled Greek Police Force to facilitate his release.
"I wanted to show you the risk management and the systems on his side -- which are very interesting to deal with if you're dealing with crime -- as well as within our own capacity, big teams, sensible management, good culture, using intelligence and analytical tools to find him."
Speaking at Gartner's opening keynote earlier that day, the firm's research vice president Earl Perkins said that businesses need to think differently, highlighting Gartner's six principles of resilience to manage digital security.
The first principle is to gravitate away from checkbox compliance, and trust in risk-based thinking that focuses on business outcomes.
"While this way of thinking is not new, the urgency to embrace it is," Perkins said. "Just doing what your auditors tell you to do has never resulted in appropriate or sufficient protection for an organisation."
Principle number two is to focus on outcomes, not technology. As Perkins said, a business still needs to protect its infrastructure, but it needs to elevate its strategy to protect the things the business actually cares about.
As part of the transition to supporting a business outcome mindset, Perkins said that security needs to move from being the righteous defender of an organisation to acting as the facilitator of the balance. Within that sentiment lies principle number three: move your business model, transform yourself from a defender to a facilitator, and become the facilitator of change.
"The balance between the need to protect the organisation, and the need to achieve a desired business outcome," Perkins said.
"We must not confuse security with control. It is not appropriate for security people to decide how much risk is good for the organisation. The business needs to decide."
The fourth principle is to move from trying to control the flow of information, to understanding how that information flows.
Principle number five is to have a people focus; leverage people-centric security and motivate your employees to do the right thing.
"Properly motivated people can be the strongest links in the chain, but we need to shape behaviour and motivate people to do the right thing, not just to do what we want," he said.
"When employees are motivated and understand the limitations of trust, the click-through rate of phishing emails drops dramatically."
The last principle is to move away from protection only and head toward the detect-and-respond model. The analyst said that ultimately, it is time to invest in technical, procedural, and human capabilities to detect when a compromise occurs.
"Compromise is inevitable," Perkins said.