Insights from a Cyber Security Expert with Raymond Frangie MACS Snr CP

9th March 2021

Highlights

  • Raymond Frangie MACS Snr CP is the Principal Governance, Risk Management, and Compliance (GRC) Consultant at CXO Security and an Academic Lecturer, Tutor & Deputy Unit Coordinator - Cyber Security at Western Sydney University.
  • Raymond shares valuable tips on ensuring your business is safe from cyber threats.
  • Hear Raymond's experience of becoming an ACS Certified Professional and how it has supported his career.

1. As the first person in New South Wales to be awarded the Australian Computer Society's Certified Cyber Security Professional certification, how has this certification helped you in your career journey?

When I got the call advising me that I was the first person in New South Wales to be awarded the Australian Computer Society's Certified Cyber Security Professional certification, humbling would be how I would explain the feeling at the time. To be recognised by the leading professional association for ICT professionals as worthy of the certification, only further ratified to me personally that I am on the right track and that hard work does pay off.

Gaining this certification has opened many doors and continues to do so. Since acquiring this certification, I have received a promotion within the Australian Computer Society to Senior Member, completed two ACS microCredentials, and qualified as a Fellow of the Governance Institute of Australia alongside numerous other certifications. I have also gained vast experience in multiple roles and market sectors, taught, and continue to teach, at Western Sydney University, and spoken at numerous events both domestically and internationally, earning my peers' respect.

For those considering this certification who have not obtained it yet, all I can say is stop waiting, submit your application, chase the certification goal, and do this for yourselves and not for anyone else.

2. Ethical hacking is one of your areas of expertise. What is ethical hacking, and why is it important?

Ethical hacking, otherwise known as Penetration Testing, is an authorised attempt to gain unauthorised access over a defined network, computer, or data, with the key term here being "authorised". Performed by ethical security experts colloquially known as "white hats", ethical hacking is vital as it aims to refine and improve an organisation's security posture. These ethical security experts are subject matter experts with a wide range of computing skills.

Ethical hacking for organisations answers key questions such as:

  • what kind of vulnerabilities does an attacker see in my environment?
  • what information or system would a hacker most want to access?
  • what can a malicious attacker do with the information?
  • how many people would an attempted attack affect? and
  • what is the best way to remediate identified vulnerabilities?

Vulnerability Assessment and Management, along with Penetration Testing or Ethical Hacking, are mentioned in almost all domestic and international standards, guidelines and best practices. Organisations must ensure that such tasks exist within their organisational information security programs, alongside security and awareness training, and occur frequently.

3. You have worked and consulted for numerous small, medium, and large enterprises, across all management levels. What are some of the common cybersecurity challenges facing businesses today?

Trying to pick one challenge is difficult as there are many differences and challenges between organisations, organisational sizes, market sectors and verticals. However, the one common challenge I see across most organisations is "organisational culture" towards information and cybersecurity. Many organisations still place security as an afterthought rather than a priority, chasing revenue and profits over securing such income streams from potential financial penalties and reputational damage. I also still see many organisations placing cybersecurity as a function within the IT Department. Cybersecurity is not an IT issue, it is a business issue, and such a mindset needs changing within organisations. Cybersecurity teams should exist as dedicated teams overseeing the security aspects of all other business functions and groups, including overseeing the IT Department, with reporting lines directly to senior management, C-Level or Board Level, depending on the organisation type and size.

I have also come across cases where organisations unethically hide, spin or report incorrect or fake information to auditors to cover up the real state of information security and cybersecurity issues within their environments. I find these cases to be quite concerning, and recommend that such organisations prioritise remediation of issues and security awareness improvement, rather than engage in such unethical behaviour as such behaviour only harms them. There are no shortcuts to success, and there is no shortcut to achievement; a shortcut is simply the longest distance between two points.

However, I will note that there are pleasing movements across some industries, despite the improvements currently being slower than I would like to see. Professional associations specific to certain industries are starting to push and even mandate better cybersecurity to their members, and it is extremely encouraging to see such organisations taking notice and working together to secure their industry better.

4. Explain the first step a business should take if they feel their cyber footprint has been compromised.

A natural human instinct in this situation would be to panic. The first step I would advise personnel and organisations who feel compromised would be not to panic or do anything rash, but to contain the incident and work through it methodically. The reason I say this is because, on average, it takes organisations over 200 days to learn of a compromise [1], so an attacker more than likely already has what they need from your environment. Organisations must have a disaster recovery plan and a business continuity plan to deal specifically with Information and Cyber Security incidents. These plans should clearly define how to prepare for an incident; detect and analyse an incident; contain, eradicate, and recover from an incident; and carry out post-incident activities such as lessons learned.

Disaster recovery plans and business continuity plans are essential for every organisation, especially in information and Cyber Security. If these don't exist, I recommend they first read the National Institute of Standards and Technology (NIST)'s Special Publication (SP) 800-61 Revision 2. This publication is their Computer Security Incident Handling Guide [2]. Once read, and the required effort is understood, engage a security consultancy firm to allow one of their experts to create and tailor such plans towards their specific organisation.

5. Why do you think business continuity planning and cybersecurity come hand in hand?

Whether in cybersecurity or in general, a continuity plan is essential to any organisation. Take, for example, a president of a country and the chain of command. If the president was incapacitated, then the next person in the chain of command takes over, and the government operates. As simple as that sounds, this process is a continuity plan; and the same concept exists for organisations and their businesses.

A disaster recovery plan and business continuity plan must contain two vital parameters that require definition: Recovery Point Objective (RPO) and Recovery Time Objective (RTO). Recovery Point Objective (RPO) describes the interval of time that might pass during a disruption before the quantity of data lost during that period, or offline business time, exceeds the Business Continuity Plan's maximum allowable threshold or "tolerance". The Recovery Time Objective (RTO) is the duration of time and service level in which business process restoration must occur after a disaster to avoid unacceptable consequences associated with a break in continuity.

Business continuity planning and cybersecurity go hand in hand as it is no longer "if I get attacked", but rather, "when I get attacked". With that, organisations must ensure disaster recovery and continuity of business during any incident or disruption.

6. What advice would you give to members wishing to start or advance their career in cybersecurity?

As I have told and continue to say to my students at Western Sydney University, it is never too late to start, no matter your age, background or existing skillset. I have had the pleasure of teaching students of all types, from those straight out of school, to mature-age students, even ex-military. Some of my students want to change careers and industries entirely to enter the cybersecurity field, coming from backgrounds such as law, medicine, social sciences, non-technical roles, and general trades. Many of my former students are doing wonders within the field, which is encouraging to see; watching them grow and leave their mark on the field.

The cybersecurity field will accept everyone, but you must put the effort in; do not think it is a walk in the park. Ideally, depending on the area within cybersecurity, you will have some general information technology understanding and skills. For technical pathways, prospective entrants should understand general topics such as networks, servers, protocols, some scripting or programming, and communication methods; not vendor-specific per se, but rather the actual technological concept. For non-technical paths, depending on the path chosen, understanding governance, risk management, compliance, project management, law, and business or strategic planning all come in handy.

One recommendation I would give anyone thinking of entering the cybersecurity field is to look at the National Initiative for Cybersecurity Education (NICE) Workforce Framework. This framework is by the National Institute of Standards and Technology (NIST) in the USA, published under Special Publication (SP) 800-181. Australia's very own cybersecurity growth network, AustCyber, has a great NICE Framework Dashboard [3], making it much easier to digest the framework, find a role of interest, and understand the required knowledge, skills, abilities, and tasks.

The Skills Framework for the Information Age (SFIA) is also a favourite and a great help to understand the skill sets required. The upcoming Version 8, due out in Q3 2021, expands on more skills related to Information and Cyber Security [4]. The roadmap for Version 8 also shows a mapping of SFIA Skills to the NICE work roles, helping organisations and existing or prospective entrants to use both frameworks to improve their skills.


About the Author: 

With a Graduate Certificate and Master's Degree in Information Systems Security, numerous industry certifications, and the distinction of being the first person in New South Wales, Australia, to be awarded the Australian Computer Society's Certified Cyber Security Professional certification, Raymond Frangie is a highly recommended and regarded Fellow of the Governance Institute of Australia, Senior Member of the Australian Computer Society, Sessional Academic Lecturer, Tutor and Cyber Security Deputy Unit Coordinator at Western Sydney University, International Industry Speaker and Thought Leader, and an Information Security, Cyber Security and Digital Business Subject Matter Expert, with over 22 years combined experience across Information Technology, Information Security and Cyber Security.

Raymond has worked and consulted for numerous small, medium, and large enterprises, across all management, C-Level and executive board levels. Raymond provides a unique approach in delivering both broad and deep technical and business level Information Technology, Information Security and Cyber Security services, across many national and international standards, frameworks, best practices, guidelines, industries, and market sectors. Raymond enjoys sharing the knowledge he has gained over his career with industry prospects and all clients, advocating safer and secure environments. Raymond is a citizen of Australia and Lebanon, fluent in English and Arabic and continues to target specialised training and certifications, further upskilling and increasing his vast knowledge and subject matter expertise.


[1] https://www.varonis.com/blog/data-breach-statistics/

[2] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

[3] https://www.austcyber.com/resources/dashboards/NICE-workforce-framework

[4] https://sfia-online.org/en/tools-and-resources/sfia-views/sfia-view-information-cyber-security