“Analysis shows organisations often spend too much money on cyber. Fundamentally, they are spending in the wrong areas,” he said.
“They’re spending more and more money on technology, thinking technology will fix the issue. Addressing cyber risk requires a much broader approach than focusing on technology investment. Often it’s a process issue, it may be a third party governance issue, or it could be a reporting issue, which in itself often doesn’t require a lot of money to fix.
“For years and years organisations have put more money into cyber but their risk has gone up not down. The approach to addressing the cyber issue needs to fundamentally change.”
Mr O’Rourke said a key aspect of BCG’s approach to cyber risk was to assess which parts of an organisation’s systems were most at risk of a cyber attack and then calculate the potential cost of such an attack happening. This would give clients an idea of how much to allocate, and where, to mitigate risk.
“The way BCG works with boards is what we call ‘evidence-based cyber strategy’,” he said.
“For example, in a bank, one of the most valuable types of data is customer information. If that’s compromised it’s going to cause significant financial risk, regulatory risk and also reputational risk.
“Rather than trying to protect everything across that bank, you start to tier the assets and say ‘this is a critical asset we’re going to invest extra money to assess the security around the asset and protect the asset and make sure we do everything to stop a breach,’ and if a breach happens, you also have a plan about how to mitigate exposure.”
Mr O’Rourke said that running the global cyber practice from Melbourne would not be a problem as the COVID-19 pandemic had “fundamentally changed the nature of how we work” with video conferencing becoming the norm.
He added: “The nature of cyber allows us to increasingly engage virtually and, as travel restrictions ease, this will allow increased face-to-face engagement globally.”
Prior to joining BCG, Mr O’Rourke was most recently the global head of cyber security at big four consulting firm PwC. His previous roles have included being the Asia Pacific head of cyber security services at big four firm Ernst & Young and technology consulting firm Accenture, as well as being the Chief Information Security Officer at ANZ Bank.
In August, the federal government unveiled a $1.7 billion cyber security strategy to counter online threats which range from criminal scams through to persistent attacks by foreign governments.
The strategy includes hiring an extra 500 cyber spies, new powers for security agency the Australian Signals Directorate to directly protect computer networks and obligations for critical infrastructure providers to strengthen their cyber security defences.