
How CISOs are tackling cyber security challenges

Security chiefs at the recent Gartner Security and Risk Management Summit in Sydney share insights on navigating board communication, organisational resilience and the importance of understanding business needs

Stephen Bennett, group chief information security officer (CISO) at pizza delivery company Domino’s, describes his organisation as “the largest startup I’ve ever worked in”.

As the first person to hold the role, he was, to some extent, able to define what the position involved. At first, he “couldn’t even find the elephant”, so he sat next to his senior staff to find out what was and was not working within the security function. He also became “a meeting pest” to find out what the organisation needed, as it was initially hard to get any time with senior executives.

Bennett’s first meeting with the board was a turning point, as he realised he had to understand security from both business and technical perspectives. The rest of the business does not really care about technical matters, because they are focused on making a profit. So, the CISO’s role needs to be about enabling the business – and, on rare occasions, stopping it from making a serious mistake, such as its Netherlands operation’s planned Domino’s Dating app, which had serious privacy issues.

It’s about identifying the organisation’s “crown jewels”, what’s needed to protect them, and how much that will cost. But as Gartner vice-president for research Christine Lee mentioned in her keynote at the recent Gartner Security and Risk Management Summit in Sydney, the more protection you want, the more it costs. At Domino’s, recovery point objectives are still being discussed in that context.

Bennett suggested that CISOs should “befriend a board member” to find out what the board does and does not want to know. That might be reports on the five biggest risks and how they are being managed, presented in a way that suits the board – for instance, by avoiding tech jargon such as “endpoint” and “framework”.

Another revelation occurred when he spent his mandatory two days working in a store and realised that the extremely specific instructions about the amount of cheese that goes on a pizza and how long it spends in the oven were simply an example of governance. He asked why, if governance was accepted in the stores, it wasn’t applied to other parts of the business when it came to good security practices.

Asked what advice he would give to his younger self, Bennett said he should have started talking to the other parts of the business sooner, instead of being engrossed in the technology for the first two years. By that time, he was no longer new to the company, making it harder to approach his colleagues in other areas for the first time.

Over at UniSuper, CISO Vijay Krishnan spoke about the need for organisational resilience. The superannuation fund suffered a major outage in May 2024 as a result of “an inadvertent misconfiguration” by Google that resulted in the automatic deletion of UniSuper’s Google Cloud VMware Engine private cloud, which was home to the member administration system.

It took around three weeks to fully resolve the issue, thanks in part to a variety of measures that were already in place at UniSuper. The organisation had a crisis management plan that could be put into action. A major incident team was set up, and it worked closely with Google Cloud.

“What really helped us was our robust, redundant, multicloud architecture,” he said. “We have production systems dispersed across multiple cloud service providers, and also within that cloud service provider we have multisite redundancy.”

But that redundancy wasn’t much help in this instance, as the deletion of UniSuper’s private cloud affected both zones. Instead, the company relied on its robust backup practices, which included storing backups not only in Google Cloud but also copies of backups at two other service providers.

The use of infrastructure-as-code also contributed to the speed of recovery, and “disaster recovery planning and testing was instrumental” even though the plan didn’t include black swan events such as the one that triggered the outage.

UniSuper also had a business continuity plan and had simulated an incident, which made a difference to recovery efforts. This included having the crisis management team practise good communication prior to any outage.

Asked which one or two things he would advise the audience to check when they got back to work, Krishnan said “make sure your backups are watertight” with a copy stored away from the primary system. “Look at your architecture … make sure you are sound and resilient,” he added.
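The lesson from the UniSuper outage is that redundancy inside one provider does not survive the provider deleting the whole environment, and that an off-provider copy only counts if its contents are intact and a restore has actually been exercised. The following check is an added illustration of that reasoning, not code from UniSuper or from this article; the backup inventory, provider names and snapshot bytes are constructed for the example. It walks every single-provider and single-site loss and reports the systems that would be left with no verified, restore-tested copy.

```python
"""Backup-isolation check: after losing one site, or one whole provider,
is there still an intact, restore-tested copy of each system?

Constructed example. The inventory, providers and snapshot bytes are
made up for illustration and do not describe any real environment.
"""
from collections import defaultdict
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class BackupCopy:
    system: str           # workload the backup belongs to
    provider: str         # cloud/service provider holding the copy
    site: str             # zone, region or data centre within that provider
    sha256: str           # digest recorded when the copy was written
    restore_tested: bool  # has a restore from this copy actually been exercised?


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def copies_surviving(copies, lost_provider=None, lost_site=None):
    """Copies left after losing one provider (all its sites) or one (provider, site)."""
    survivors = []
    for c in copies:
        if lost_provider is not None and c.provider == lost_provider:
            continue
        if lost_site is not None and (c.provider, c.site) == lost_site:
            continue
        survivors.append(c)
    return survivors


def usable(copies, expected_digest):
    """A copy only counts if its digest matches and a restore has been proven."""
    return [c for c in copies if c.sha256 == expected_digest and c.restore_tested]


def assess(copies, expected_digests):
    """Return {system: [loss scenarios that leave no usable copy]}.

    Scenarios are every single provider and every single site in the inventory,
    so a system held only inside one provider is flagged even if it spans zones.
    """
    providers = sorted({c.provider for c in copies})
    sites = sorted({(c.provider, c.site) for c in copies})
    findings = defaultdict(list)
    for system, expected in expected_digests.items():
        mine = [c for c in copies if c.system == system]
        for p in providers:
            if not usable(copies_surviving(mine, lost_provider=p), expected):
                findings[system].append(f"provider:{p}")
        for p, s in sites:
            if not usable(copies_surviving(mine, lost_site=(p, s)), expected):
                findings[system].append(f"site:{p}/{s}")
    return dict(findings)


def build_inventory():
    """Constructed inventory: two systems, copies across three providers."""
    member_blob = b"member-admin snapshot v1 (constructed)"
    order_blob = b"ordering snapshot v1 (constructed)"
    good_member, good_order = digest(member_blob), digest(order_blob)
    corrupted = digest(b"bit-rotted copy (constructed)")
    copies = [
        # member-admin: two zones in cloud-a, plus two off-provider copies that
        # look fine on paper but one was never restore-tested and one is corrupt
        BackupCopy("member-admin", "cloud-a", "zone-1", good_member, True),
        BackupCopy("member-admin", "cloud-a", "zone-2", good_member, True),
        BackupCopy("member-admin", "cloud-b", "dc-1", good_member, False),
        BackupCopy("member-admin", "cloud-c", "dc-1", corrupted, True),
        # ordering: same two zones, plus a verified and tested copy at cloud-b
        BackupCopy("ordering", "cloud-a", "zone-1", good_order, True),
        BackupCopy("ordering", "cloud-a", "zone-2", good_order, True),
        BackupCopy("ordering", "cloud-b", "dc-1", good_order, True),
    ]
    expected = {"member-admin": good_member, "ordering": good_order}
    return copies, expected


if __name__ == "__main__":
    inventory, expected_digests = build_inventory()
    for system, scenarios in assess(inventory, expected_digests).items():
        print(f"{system}: no usable copy if we lose {', '.join(scenarios)}")
```

Run as-is, the check reports only `member-admin`: losing `cloud-a` leaves it with an untested copy and a corrupt copy, so neither passes, whereas `ordering` survives every scenario because its `cloud-b` copy is both intact and restore-tested. The multi-zone layout alone never satisfies the provider-loss scenario, which is exactly the gap the outage exposed.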
