Principal for Brover Advisory and former Toyota Australia CIO Ellis Brover shares his lived experience of a targeted and highly skilled cyber-attack
Ellis Brover comes from a technical background and has spent his whole career in IT. He started off as a software developer, working on a variety of interesting projects in industries like banking and telco, across organisations ranging from start-ups to multi-nationals, as well as developing operating systems and middleware.
“About 20 years ago I moved into IT management roles, initially leading architecture and software development teams, and later leading IT operations, support and cyber security functions,” Brover says.
In 2014, he was appointed CIO for Toyota Australia, a role he held for more than eight years.
“It was a time of huge transformation for the automotive industry - both due to the shutdown of Australian manufacturing which drove our transformation into a sales and distribution company, and also due to the massive growth in demand for digital solutions to improve customer experience and operational efficiency,” Brover says.
During this time, Brover saw the IT team grow more than threefold, and fundamentally changed its focus from a traditional “back-office” service provider to a business-focussed strategic enabler with a substantial agile development capability, partnering collaboratively with all areas of the company as well as their independent dealer network.
“IT became a critical part of almost every activity within the complex $10b+ supply chain," Brover says. "I was fortunate to work with lots of great people and have the opportunity to experience and learn from a wide variety of technology and leadership challenges.”
In 2022, Brover decided to make a change from the corporate/executive life and become an independent IT advisor. He now enjoys working with a wide range of clients, including many far smaller than Toyota, providing advice to Boards and leadership teams on high-impact IT challenges including cyber strategy, digital transformation, operating model design, M&A, and mentoring.
The Intersection Between the CISO and the CIO roles
While some organisations have moved towards having a cyber leader reporting outside of IT, Brover thinks most CIOs are still accountable for cyber security. During his time in the industry, he saw the level of focus on cyber security for most CIOs has risen dramatically, commensurate with the level of risk as well as the complexity of controls.
“Often the CIO is not just the decision-maker for cyber policy and investment, but also the primary advocate and educator for cyber risks with the executive team and Board,” Brover says.
He believes it’s vital to be able to help non-technical stakeholders understand cyber risks in the specific context of their organisation, to drive accountability for cyber resilience beyond IT and across the entire leadership team, and to ensure all leaders are role-modelling the importance of cyber with their staff.
“In my experience, an organisation with good cyber resilience has a Board and leadership team who recognise their own responsibilities for cyber security (rather than “leaving it to the IT team”), treating cyber as an enterprise-wide risk function, and driving a culture that ensures staff are keenly aware of how they contribute to keeping the organisation protected,” he says.
/CISO%20Sydney_Agenda_use%20with%202cm%20left%20%26%20right%20margin.png?width=1000&height=300&name=CISO%20Sydney_Agenda_use%20with%202cm%20left%20%26%20right%20margin.png)
What Happens When a Breach Happens
While Ellis Brover was the CIO of one of Australia’s largest organisations, he went through a targeted and highly skilled cyber-attack, which caused significant business disruption. The experience allowed him to learn important lessons at the front-line about how to avoid, recognise, defend, and recover from such an event.
When a breach occurs, it is very common that the organisation needs to shut down its IT systems and connectivity for a period of time, to allow for proper investigation, eviction of threat actors, and strengthening of controls.
This immediately broadens the issue beyond the scope of the cyber security team, to encompass not only the rest of the IT group but in fact all stakeholders responsible for key business processes.
We asked Brover how a CIO can provide effective collaboration to security teams during incident response and business continuity plans. He shared that the CIO is often called upon to lead overall incident response, or at the very least to act as the key bridge between the cyber/IT specialists and the executive team.
“One of the hardest tasks for the CIO in this situation is to be able to explain intrinsically complex technical matters in language that can be clearly understood by all stakeholders, to set realistic expectations for response and recovery, to support their nervous and exhausted teams, and to resist pressure to restart IT operations before safety can be confirmed.”
“It is often a high-stress environment where you see both the best and the worst traits amongst your colleagues. It takes courage and emotional resilience for the CIO to convey calm and clarity, even in the face of significant uncertainty and stress,” Brover says.
We also asked Brover the things he wishes he knew about cybersecurity incidents beforehand that he knows today. He has learned many lessons, but probably the single most important one is actually not about technical controls; it’s about the importance of having robust business continuity plans.
“A key gap that I find in a majority of organisations is that they haven’t genuinely considered how they would continue to operate their critical business processes in the event of an extended IT outage,” Brover says.
“Simply saying ‘we will restore from backup within a few hours’ is not good enough for a major cyber incident scenario; there needs to be serious consideration of manual process fallback in the event that there is no access to IT systems. Likewise, assuming that ‘we won’t be breached because IT have good preventative controls’ is naïve; on the contrary, it is prudent to assume that a breach will occur and plan for it,” he says.
Adding to that, Brover also mentioned that developing a strong business continuity plan is actually not primarily the job of the cyber security or IT team.
“It’s something that needs to be driven by key business process owners, debated, and socialized thoroughly, and rehearsed amongst the crisis response team. Trying to figure it out in the midst of a cyber-attack is obviously not the best situation to be in,” he says.
Brover will be a part of CISO Sydney 2024 and will be passing on the key lessons he has learned from his lived experience of dealing with a high-impact cyber-attack by a highly sophisticated threat actor. It’s a searing experience and one that not many people (even within the cyber industry) have been through first-hand as the “person on the spot”.
“I have a passion for conveying these lessons to others and hopefully helping them to avoid some of the pain. Many of the things I learned are quite different to the advice organisations often receive, which tends to be too narrowly focussed and comes from IT vendors with a product or service to sell. I hope attendees find it insightful and are inspired to apply some of the recommendations,” he says.
To find out more about his session, check out the agenda and register to attend, simply click this link!
