Craig McDonald 29 November 2017 14:48:48 AEDT 11 MIN READ

Leadership in a Cybercrime Minefield


An Interview with Prof. Gary Martin of AIM WA


I recently spoke at a leadership forum organised by the Australian Institute of Management, Western Australia (AIM WA). In my talk, I invited the audience to consider the real and immediate threat that cybercrime poses to business, not only in terms of potential losses but at the level where it can be a threat to a company’s very existence.

Following up on the AIM WA forum, I interviewed Professor Gary Martin. Gary is CEO and Executive Director of AIM WA, and is hands-on in making their forums happen. He has held several executive-level appointments at Murdoch University in Western Australia, the most recent of which was that of Senior Deputy Vice-Chancellor. He is currently an Emeritus Professor of Murdoch University’s School of Business and Governance, and Zhejiang University of Technology (China), as well as an Honorary Professor at Guangdong University of Business Studies (China).

(Photo at top: presenting a copy of my book to Prof. Gary Martin - at left - after the AIM WA forum last week).

Gary Martin is an eminent educator in the field of leadership, and he shares my profound concern about the toll that cybercrime is taking on businesspeople and our economy, so I wanted to get his insights into the cybersecurity challenge, and why he feels it’s important to communicate more actively about this complex problem.

Here are some highlights of our conversation following the AIM WA event last week:


Craig: Thanks very much for taking the time to talk some more about this stuff, Gary. We really got into the nitty-gritty of the cybercrime puzzle at AIM WA - and I think that was a very useful forum for all of us there - so I want to continue that conversation on my LinkedIn and on the MailGuard Blog and hopefully get some of my readers involved in this conversation, as well.
I know you're extremely busy with the organisational aspects of AIM WA, but as a participant, what do you think were the most valuable opportunities it highlighted for those who were there?

Gary: Thanks, Craig. I think that one of the critical issues that came out of your talk was the realisation that the days are gone when cybersecurity was considered simply an IT issue. Your talk highlighted the fact that what is required now is a truly multi-disciplinary approach which must involve all parts of an organisation, including an organisation’s senior management and its Board, and not just IT personnel. I think many at the talk realised that senior leaders can no longer afford to have a ‘head in the sand’ approach.
As a case in point, I think you made it very clear that most breaches of IT security are through human error – not a lack of technology protection. So an organisation’s culture plays a huge role in setting the standards for behaviours that help to prevent cybersecurity issues – and culture is very much the responsibility of the CEO and the C-suite; in fact all of those working at an organisation. I think it’s clear to many at the talk that leaders must focus on how they can set the standards for a culture that not only optimises awareness but also distributes the responsibility and accountability across an organisation.

Craig: Right. Well I’m really glad that came across. That’s a key part of my message to business owners and CxOs. And I feel strongly that we need to talk about cybersecurity a lot more openly. We sometimes find that when companies are impacted, and often badly damaged by cybercrime, they don’t share their experience because of the reputational damage associated with it. Do you think we can get to a place where - at least at a leadership level - we can share knowledge about this problem more?

Gary: Here’s the thing, Craig; until there is a lot more discussion and sharing, cybersecurity challenges will not only prevail; they will escalate. What is required is exactly as you say. We need much more open dialogue about cybersecurity and we are not getting that because – once again – senior leaders in an organisation haven’t been involved in enough discussion around cybersecurity issues; typically leaving these matters to IT staff.
There’s a level of ignorance prevailing around these issues in many organisations. Once more senior leaders become involved, there will be an increasing realisation that organisations need to share their challenges and unite to minimise or overcome the challenges posed. We do have quite a way to go to getting to this point though, I believe. That is; to a point where organisations share the challenges they’ve experienced and how they’ve dealt with them.

Craig: Are there specific challenges around cybercrime that Australian business leaders are facing that are different to the ones experienced in other economies? In the US for example?

Gary: I think these are global issues and Australia is no different to other countries when it comes to the type of challenges experienced. What is different is how we are responding. While many Australian organisations still seem to view cybersecurity as a technical issue it’s clear that in the USA, for example, many organisations view the same challenges as a human issue; recognising that most cybersecurity issues arise through human error and not through a lack of technological protection. Those Australian organisations clearly need to shift their perspective or face even more severe problems. Failure of an Australian organisation to recognise that a shift in thinking is required will be at its peril.

Craig: Indeed. We’re going to see the introduction shortly of some really groundbreaking new regulations in the cybersecurity sphere; there’s GDPR coming up in the EU, which is going to affect companies all over the planet, and Australia’s NDB Scheme comes into effect early next year as well. Gary, what do you think are going to be the big ongoing changes that these new regulatory regimes will create?

Gary: These new groundbreaking regulations will go a long way to raising an awareness of cybersecurity issues. But many organisations will be very unprepared for the changes and potentially they will lack the expertise to be able to achieve compliance.

Craig: You’re an esteemed academic, Gary, as well as a businessperson - you were previously the Executive Dean and Senior Deputy Vice-Chancellor of Murdoch University. I would really like to get your take on the role that education has to play in shaping a new generation of business leaders - leaders who are better equipped to deal with the security challenges that cybersecurity entails. There’s a lot of talk and concern at the moment about the gap between our technology and the sort of leadership culture we have in place, and I think that in the cybersecurity sphere that gap expresses itself in the lack of communication on these big challenges. How can we redress that gap? How do we create more agile, ‘why’, ‘how’ driven collaborative leadership to deal with cybercrime problems?

Gary: Education has a pivotal role to play in these issues. Yet unfortunately, efforts to date have been underwhelming, to say the least. Cybersecurity issues have become so prominent in business, yet little appears to be being done via leadership and management development programs to address this area of need. Most leadership and management courses pay scant attention to cybercrime because developers of these programs haven’t changed their perspective: they’re still viewing cybercrime as an IT issue too. Their focus has been on enabling leaders to use data but not on how to protect data and intellectual property.
I think much more needs to be done along the lines of this presentation we just held at AIM WA; in which you were able to highlight the key challenges. Many would also say that boards need education and training around cybercrime too, especially if they are to manage organisational risk effectively. And CEOs and senior leaders of organisations need to play a role in allocating resources so that staff across organisations, at all levels, can receive appropriate training to mitigate cybersecurity risks.

Craig: One of the things I’m really focused on with my social media and the MailGuard Blog is sharing information so that people can self-educate about cybersecurity. AIM WA is a great resource for businesspeople seeking guidance through the cybersecurity minefield too, obviously, and the Australian Government is really pro-active in addressing this problem. From the perspective of a business leader who is also an educator; what sort of information/educational resources do you think we need to cultivate going forward? Do we need some sort of central, corporate agency that can coordinate cybersecurity strategy and education for business? Does that kind of thing already exist maybe, and we need to leverage it more successfully?

Gary: I don’t think it is feasible to have a single agency or organisation coordinating cybersecurity education. I think we need multiple approaches and require multiple organisations to tackle the problem. And it needs to start off in a very basic way and then gradually lift in complexity. I say gradually because many people - including senior leaders - are scared off by what to them is almost a different language. How many senior leaders, for example, really understand basic cybersecurity terms such as 'spear-phishing,' 'trojan horse,' and 'malware?' At a basic level, there is a need for programs which simply explain the key concepts – rising up to how to lead to mitigate the risks.

Craig: I couldn’t agree with you more on that point, Gary. Redressing the gulf of awareness is step number one, for sure. The sort of communication to businesspeople around cybersecurity that AIM WA is doing is really key, I think, to making our economy sustainable. 


(Photo: speaking at the AIM WA forum last week. Thanks again for creating this important platform for discussion, AIM WA.)


>> Learn more about the Australian Institute of Management, Western Australia (AIM WA) on their website: www.aimwa.com

>> Follow Prof. Gary Martin on LinkedIn for more insights into leadership and leader education: www.linkedin.com/in/pmartin4/

>> Please join in this important conversation on my LinkedIn and Twitter channels. I would be very interested to hear about your experiences with cybercrime and data-security. The more we discuss these issues openly, the better prepared we will be to deal with the next security challenge.

>> BTW: the MailGuard Blog is still running the competition to win a signed copy of my book, Surviving the Rise of Cybercrime. To win, just share this post on your social media.