Cyber risk creates a real opportunity for New Zealand, Kordia chief executive Scott Bartlett tells Tim McCready

New Zealand businesses are starting to show a real mindset shift when it comes to cyber security, agrees Kordia's chief executive Scott Bartlett.

"It's in the papers a lot more, there is a real narrative going on in the business community around business obligations, endless surveys where CEOs say it is a top five issue -- a real groundswell happening."

But Bartlett admits that while this increased awareness is something to take notice of, it is just the beginning.

Two-thirds of emails contain security risk
Security breaches on rise, says expert


The next question companies must ask themselves is what they can do to make themselves safe. Businesses need to create a strategy -- and then monitor it.

Bartlett sees organisations at different stages in addressing cyber security. "We have seen a lot of public sector departments and agencies jump on that maturity curve sooner than some others. And there are some standout examples among the business community."

The challenge is that the issue, opportunity, and the subject of cyber security is universal -- those instigating attacks don't discriminate. "The reality is that you will get hacked, and you may not know that you have been," says Bartlett.

"That is the attitude you must go into this with."

Over the next year, Bartlett sees external threats increasing.

"We are going to see far more automation of attacks, and the tools are only getting better. Over the course of the next couple of years we are going to see the impact of these attacks worsen."

Watch: Herald Talks: Hon Amy Adams on cyber security

One of the major challenges for businesses is legacy code that has been iteratively added to over the past 10 years.

"Find an organisation where all the web systems are new -- they don't exist," Bartlett says.


"You are probably still vulnerable to things that came two years ago." For external threats, raising the hygiene factor is critical. But they will always exist regardless of what a company does. Internal threats, on the other hand, depend on culture.

"There is a tendency to think of cyber security as a technical problem. But you can have all the policies, procedures, and firewalls in place you want, but if your people don't understand the risk that comes with picking up a USB stick and throwing it into a computer, or doing commercially sensitive work on public hotel Wi-Fi, then the bad guys will get around your systems."

We are a small country, and should be able to become a cyber security paradise.

Kordia's mission is to be New Zealand's leading business-critical technology company -- "you can't be in the business-critical game without cyber security." In line with this, Kordia announced the expansion of its cyber security offering with the acquisition of Aura Information Security for $10.02 million in November last year.

Before the acquisition, Kordia already provided security products to customers, but Bartlett describes bringing Aura into the portfolio as Kordia's "secret sauce".

Fifty per cent of their business is in telecommunications, and roughly half of that in New Zealand is now security services.

Aura has about 300 customers, most of which are New Zealand's largest organisations, including government departments, banks, and large insurers. They are also increasingly working with medium sized businesses.

Bartlett stresses that the biggest requirement in cyber security is to do a terrific job for customers -- "if you drop the ball once, you are done".

It is that requirement that makes Kordia acutely conscious of responsibly managing the growth of its cyber security consulting services. Although growth can be alluring, Bartlett insists that serving existing customers first is the priority.

"While we have experienced CIOs and technical folk in New Zealand, cyber security is specialist.

Generally, the talent pool for security professionals is empty. We need to encourage -- from secondary level and up -- people with an interest in security to get into the industry.

New Zealand's pitch to attract people here isn't bad, but Bartlett admits that the world is competing for the same talent. We need to have a combination of "grow our own" as well as attracting the best, he says.

For Kordia, this means making sure their cyber security team of 30 spends more than a fifth of their time on R&D -- research that interests them. It's a huge investment for Kordia, but things are changing rapidly -- "if you're not doing research, you're falling behind."

As opposed to Aura's consultancy services, Kordia's security product is very scalable.

RedShield provides defence for websites and web applications, and is currently shielding most of the Government and large businesses. It has the potential to go truly global, beyond current deployment in Australia and the UK.

It is obvious that Bartlett has a real passion for the opportunity cyber security can offer both Kordia and New Zealand.

"Exporting IP is fantastic and it is definitely part of the plan," he says. "Products like RedShield will be key for New Zealand's economic future -- weightless and scalable. With fair wind and a lot of smart people it could become a big opportunity for New Zealand."

Bartlett notes that the Government plays a leading role in informing and educating. The establishment of a CERT -- a computer emergency response team -- provides businesses a first port of call for advice, and allows knowledge sharing from the global community and within New Zealand.

This will ultimately help to lift awareness.

But the Government can't do it alone.

Bartlett has been surprised at how much desire there has been across the spectrum to make the country safer, and how willing people are to contribute to it.

"We are a small country, and should be able to become a cyber security paradise," he says. "If we can make New Zealand a cyber safe country -- the world's first -- that would give New Zealand an enormous competitive advantage."