Craig Horne may be an academic now, but it was the years he spent working in signals intelligence as a military reservist that made it clear to him just how important information security is.

Hostile forces – and, often, even friendly ones – were intensely interested in intercepting secret communications. The primary role of signals intelligence experts is to ensure that doesn’t happen.

That work “gave me insight into how information can be protected in some of the most hostile environments in the world,” Horne recalls.

Horne left the Australian Army Reserve after 14 years and has leveraged his expertise into a technical career that has included sales, business analysis, project management, and other roles.

It was a logical progression for someone who was, as Horne puts it, “a bit of a lockpicker as a kid”. But it was also the gateway into a long-running career that has taken Horne from the battlefields of the Middle East to the front line of corporate technology sales and administration.

Horne’s stint as a reservist came about after years working as a system administrator, fresh out of university.

He wanted to investigate career options in the military but “didn’t want to become institutionalised,” he recalls. “I’d always had a civilian career.”

As a compromise, he opted for a reservist career that would allow him to enjoy the best of both worlds.

That time helped him hone his security skills through his reserve work, during a period in which he completed a Master of Business Administration and became acutely aware of the corporate challenges that cyber security posed for businesses of all kinds.

This awareness extended to advising company boards, and Horne soon found himself applying his business and cyber security skills in an advisory capacity.

Strategy in a box

One of the recurring themes during Horne’s advisory work was just how hard it is for businesses to develop a consistent and effective cyber security culture, across departments and boardrooms.

Company directors need solutions to their problems, not just explanations of their problems – and that gave him an idea about a way to combine his strengths and interests.

“There don’t seem to be any levers that company directors can pull to exert control over the information in their organisations,” Horne explains.

“They largely sit back and rely on the best efforts of their CISO [chief information security officer] – if they have one – and take their advice. But everyone’s advice is going to be different.”

The resultant project has been one of Horne’s biggest endeavours.

He is currently working towards a PhD at the University of Melbourne, where he is trying to distil the best-practice elements of information security into a repeatable, effective series of steps that any director can follow.

Strategy in a box, if you will.

It hasn’t been easy going. Since he began research in April 2014, Horne has conducted interviews with dozens of CISOs at “some of Australia’s largest organisations”.

Several consistent themes have emerged from the research, which Horne has honed into a two-pronged framework for understanding effective data security.

First, companies need to understand the value of their data. This means identifying what data the organisation holds and assessing its value – which can often be harder than expected.

Second, companies need a clear understanding of the barriers, constraints, and threats to information arising from access by third parties.

These threats may be explicit – as in the constant threat of outsider compromise – or completely hidden, as when data is stored on a cloud service that replicates it into other jurisdictions.

“Suddenly you’ve got a GDPR issue without even knowing it,” says Horne.

Such threats are part and parcel of doing business in today’s information-driven world, and they require institutionalised mechanisms of control that continue to be hard to develop and maintain.

“The notion of control is changing,” Horne explains. “In the past, control was highly prized – and it was the price that organisations paid to achieve flexibility, collaboration, scalability, cost-effectiveness, and the other benefits of the cloud.”

Even as companies now try to wrestle back that control, they are finding that it hasn’t been easy at all.

“The issue, as I see it, is that organisational boundaries are becoming more porous,” Horne says. “The idea that corporations were fortresses where you could put up castle walls and protect your information is long gone.”

Rebuilding the castle walls

New technological developments – including cloud-based storage, social media and mobile phones – ended the days of perimeter-based security.

Sensitive data is flowing within and between these domains at an unprecedented pace, and companies simply aren’t keeping up.

“My research so far is showing that even large organisations are not paying enough attention to these porous boundaries,” Horne says.

“Some are, and some aren’t – but it’s really quite confronting and bizarre that in this day and age, some organisations with very large security budgets can still suffer a ransomware attack and lose weeks of productivity for an entire global organisation.”

Fixing the situation will require, among other things, efforts to better understand and proceduralise the process of applying information security within a corporate context.

This is where Horne’s idea for a ‘strategy-in-a-box’ solution continues to resonate – and where he hopes to make a difference by helping companies muster the executive support to address the security loopholes that are so regularly compromised.

As he wraps up his PhD work, Horne is working to commercialise his findings and help different kinds of businesses get a better grip on the exposure that their newly transformed businesses are creating.

Getting there won’t be easy, he admits. But he’s counting on support from the many companies that can’t afford $250,000 CISO salaries – and need any help they can get through other means.

The key to getting the message through, he believes, is not only winning hearts and minds in the boardroom, but getting all members of the ecosystem onboard.

University settings, such as the one where Horne spends most of his time at the moment, are a great example.

“Researchers travel globally and collaborate with other researchers,” he explains. “They’re in a situation where information is required to be shared across borders and network boundaries, yet still remain secure and accessible.”

“If you impose security controls on them to the point where it becomes unusable, you will retard productivity.”

A time for compliance

To whatever extent his idea for cyber security-in-a-box transforms executive awareness of cyber security imperatives, Horne’s commitment to improving cyber security practice has taken his career in other directions as well.

He has been active within ACS for several years: previously he was the chairman of the Victorian branch, and this year expanded that role to become national Vice President.

The timing couldn’t have been more interesting or relevant to his work, Horne says. With Australia’s new notifiable data breaches (NDB) scheme having come into effect in February and GDPR in play in May, notions of information control are more important than ever.

Requirements for compliance with these standards vary widely between organisations but Horne says the general lack of awareness is likely to drive his work in many valuable directions.

“I’d love to be able to help provide really pragmatic, practical advice and steps that would guide company directors on how to secure their company information,” he says.

“At the moment it seems that most advice about security is at an operational or technical level – and it would be great if that could be turned around.”

Craig Horne is an ACS Certified Professional (Cyber Security).

In our CYBER EXPERTS SERIES, Information Age talks to cyber security leaders across Australia and beyond about the biggest threats facing the industry, how they got into cyber security, and what keeps them up at night.