
Every home needs a ‘CISO’

12:01am February 11 2020

Safer Internet Day ‘champion’ and Westpac chief information security officer Richard Johnson says every home needs a ‘CISO’. (Getty)

It’s worrying – yet unfortunately not surprising – that cyber criminals are already taking advantage of the fear created by the coronavirus outbreak around the world.

A few weeks ago, IBM X-Force Exchange researchers discovered a wave of spam emails designed to trick people into opening a notice about protection measures against coronavirus which, if opened, will infect their smartphone or computer with malicious software that steals personal data.

Leveraging worldwide events in this way is becoming more frequent and regrettably can be relatively successful by preying on people’s anxieties.

Ahead of today’s Safer Internet Day, we are clearly seeing that, like in the real world, savvy criminals and hackers are constantly evolving their online efforts to harm unsuspecting victims.

As Westpac’s chief information security officer – or CISO – it’s something my team and I deal with every day: mitigating, monitoring and managing new cyber threats constantly to ensure customers and employees are sufficiently protected.

And, despite our desire for a time when cybercrime and scams are stamped out – and a role like mine is no longer needed – for as long as the internet is around, they are regrettably here to stay. 

In fact, estimates put the number of malware attacks globally in 2019 at 9.9 billion according to last week’s SonicWall Cyber Threat Report. And from a financial loss perspective, Australians are estimated to have lost more than $530 million last year to scams, mostly online, according to the Australian Competition and Consumer Commission.

Thankfully, there’s a lot we can do to arm ourselves and our families to not become victims.

As a father of four school-aged children – all often glued to their screens – I know only too well this is a conversation that needs to start at a young age. 

There is no doubt kids today are being raised in an online world.

In most houses I know, if you want to fix a technical glitch, connect a new device, or hear about the latest app, you go find the nearest 14-year-old. As digital natives, they always seem to know more than their parents.

But what they’re unlikely to have yet learnt are life’s harder lessons – that people may not be who they say they are, may not be trustworthy, or may not act online the way they do in reality. Then there’s realising anything said online has a life-long digital imprint and everything is traceable.

It can be a complex obstacle course for many parents and carers. Let’s face it, it’s impossible to supervise online viewing 24/7, some threats like cyber bullying can be hard to detect and tech is constantly evolving.

My tip? Just be a parent.

It sounds obvious, but it’s not always straightforward. The rule of thumb my wife and I use is to teach the same kinds of lessons and take the same level of oversight online as with physical threats or problems. We’ve established a set of rules around acceptable use of tech. We’ve taken an interest in what they’re doing online. And we’ve tried to create an environment where they are comfortable to come and talk to us if something happens online.

So, similar to my role at Westpac where I need to manage cyber threats, essentially, parents and carers need to be the CISOs in their own homes.

The more a child learns to be safe online when they're using Snapchat, Instagram or Facebook Messenger for example, the more those behaviours will set them up to be suitably thoughtful about online interactions when they start to pay bills, if they’re asked by a stranger for a credit card number or get an out-of-the-blue message with an attachment. Sometimes it’s as simple as ‘think before you click’.

It’s heartening to see and be part of some great collaborations gaining momentum around these issues across society’s key players, including law enforcement, financial institutions, government bodies and schools.

Safer Internet Day is a great example. Led by the eSafety Commissioner in Australia, and celebrated in more than 150 countries, the aim is to help spread critical online safety skills.

Similarly, along with other major banks and organisations, we’ve partnered with the Australian Computing Academy on the “Schools Cyber Security Challenge”, a $1.35 million national program launched last year to teach students cybersecurity for the first time in Australia, with more than 50,000 enrolments to date. Ideally, all Australian schools will in time have cybersecurity in their curriculum.

From my point of view as a CISO, it’s about the entire cyber ecosystem – if customers and employees can be safer online and practise good cyber hygiene, that has a direct benefit to the various organisations they are part of, while also helping people in general to avoid being exploited.

The more we can all recognise the threats we face and know how to respond, the safer it is for everyone.

And the harder we make it for cyber criminals. 


Westpac's Group Chief Information Security Officer, Richard Johnson joined the bank in 2000. In this role, and his previous position as Head of Technical Security Services for the Group, he has led the information security strategy, delivery and governance. Prior to joining the Westpac Group, Richard held roles as Head of Technology Audit at Woolworths Limited, Technology Audit Manager at BT Financial Group, and in Computer Risk Management at Arthur Andersen. In addition to his academic credentials, Richard has a number of professional security qualifications including CISA, CISM, CISSP, CRISC, SCF, and ACP.
