A conversation with #rmia2016 speaker Stan Gallo

Your speaking session will outline IT security. What are the biggest risks that organisations face at the moment in relation to this?

We live in exciting times of unprecedented change in technology evolution, which gives us increasing access to burgeoning volumes of information from around the world. Organisations operating in this environment can leverage this information to tremendously enhance the provision of goods and services. As with all great opportunity, there are risks that need to be properly managed, and IT security is a critical one that we need to get right. The biggest risks revolve around how businesses walk the fine line between accessibility (for clients, employees, providers etc.) to systems and the data they contain, and the security of those same systems and data. Organisations are finding themselves attacked from all sides, internal and external, and also coming under increased compliance pressures. Data breaches, regardless of the form they take, can have significant and lasting impacts on the organisation. The ramifications can be personal, legal, compliance, reputational or any combination of them.

The difficulty is that organisations are trying to understand and keep up with rapidly changing technology, which in the majority of cases is not their core strength – it is not what they are in business for, but necessary nonetheless.

How would you describe the culture of risk management at KPMG?

The nature of our work means that the security of clients’ (and our own) sensitive information is paramount. KPMG ingrains broader risk management practices at every level, educating and encouraging active participation from our newest graduates through to the most senior Partners. We have the added benefit of a very active and involved CISO and some of the brightest minds in the world as part of our Risk Consultancy services. In addition to rigorous data security protocols, we engage our people across the business to not only be aware of security risks, but actively participate as part of the human firewall. We don’t just say that Risk Management is people driven, we live it every day.

What’s the most difficult part of translating theory to practice?

From a data security perspective, I often have C-suite and Board level conversations about security not being an IT problem. All too often people think of data security as the shadowy genius hacker, whiz-bang firewalls, malware and other fantastic ‘techy’ stuff that you need an IT or computer science degree to understand. As such it goes in the too-hard basket and is pushed off to the IT team. Whilst there is no doubt that IT plays a critical part in any security plan, without buy-in from people, we are doomed to failure. One of the most challenging, and at the same time rewarding, parts of my role is translating between the theory and practical application. It generally starts with eyes rolling back as we start to talk about cyber security. You can almost see them thinking “I have no idea about all this technical stuff – doesn’t our CIO deal with this?”. They know it is critically important, but find it difficult to grapple with complex IT concepts littered with acronyms and jargon and to understand what it all means. I get really excited when I see that light bulb moment in executives’ eyes during the discussion and the mindset changes to “I get this”. This is when the questions start coming and things get really interesting, because they then bring a whole new insight into the discussion.

The ability to translate between IT speak and what I call ‘Executive English’ is a highly valuable skill.

How does your experience with roles you held prior to joining KPMG inform your approach to risk?

As a former long-term covert police operative, I lived various lives, all of which saw me heavily involved in a raft of hands-on criminal activity, both opportunistic and organised. My primary focus was on the higher value targets, and I was immersed in large scale criminal enterprises involved in trafficking of drugs, firearms and pretty much anything else that held tradeable value, including data. Toward the latter part of my ‘criminal career’ I got involved in data and computer crime activities. Australia is well known as an early adopter of technology, and our criminal element is no exception. We were not tech-savvy hackers, but contrary to popular belief you don’t need to be. Like many organisations, we could outsource as needed. This life gave me a very unique perspective on organisational risks, as I have literally lived them for a number of years.

On returning to a more ‘traditional’ law enforcement role as an appointed Detective, I was involved in the more typical client side of risk, conducting complex investigations including drugs, major crime, homicide, fraud and computer crime. The unique insights from playing on both sides of the fence allow me to provide clients with something different to the traditional consultancy view of risk. I assist clients in understanding exactly why and how they are being targeted, and what they can do about it.