
Ovum view


At the inaugural Telstra Cyber Security Forum, held in Sydney, Australia, the reality of ongoing vulnerabilities in major systems was met with a call for a new approach to security risk management and incident response.

Security vulnerabilities show no signs of going away

During the recent Telstra Cyber Security Forum in February 2016, Andrew France, the former deputy director of GCHQ (UK) and now strategic advisor to the Wynyard Group, highlighted the lack of progress that has been made in producing software without vulnerabilities, either during creation or subsequent modification.

Analysis of CERT data on significant vulnerabilities over the last decade indicates that there has been no significant reduction in Common Vulnerabilities and Exposures (CVE) reports, despite the considerable funds and person-years of effort that have been put into initiatives such as "secure coding." Although such efforts are certainly worth continuing to pursue, security vulnerabilities are a bit like the common cold: they have always been with us and always will be, whatever we do. The trick, as Andrew put it, is to "not let them develop into pneumonia."

The forum coincided with the release of Telstra's annual Cyber Security Report for 2016, which provides a keen insight into the company's security experience, both internally and from its extensive customer base. The report is freely available for download and is recommended reading for C-level executives and their direct reports – whether they are directly involved in cybersecurity or in due diligence on business risk management, which is an increasingly important part of the responsibility of all corporate leaders.

In fact, organizations that have transitioned to thinking of cybersecurity as a business risk to be managed across the organization, rather than a purely technical function, tend to have a better understanding of their cybersecurity posture and are better positioned to handle incidents. In addition, there is ongoing debate as to whether stacking boards with technical "uber-geeks" to handle technical issues is actually counterproductive, because it can lead to the propagation of the view that cybersecurity is the responsibility of the "boffins."

Of course, the biggest challenge is to communicate complex issues to non-experts without descending into jargon and acronyms. A simple model, used by Telstra internally and in security discussions with its clients, consists of five "knows," advising that organizations should:

  • know the value of their data
  • know who has access to it
  • know where it is
  • know who is protecting it
  • know how well it is being protected.

These considerations are applicable to any organization in any industry and provide a simple, non-technical framework for boards and senior executives to gain a clear understanding of their risk profile.


Further reading

"Reducing the security perimeter can minimize risk and improve the user experience," IT0007-000812 (April 2015)

Telstra Cyber Security Report 2016. Available from [Accessed February 24, 2016]


Al Blake, Principal Analyst, Public sector
