KPMG/UQBS CEO Dinner: Cyber Security and the CEO

This is a presentation I gave for the UQ Business School (in conjunction with Stan Gallo of KPMG) at the Urbane Restaurant to a group of Queensland CEO/C-Suite people. These dinners are part of UQ’s engagement with the business community – a relationship we value. This engagement ensures we don’t get all locked up in our ivory tower.

This was a good night last night, I really enjoyed discussing cyber security/data governance issues with CEOs. This is going to be an increasingly important issue for Australian businesses – particularly as mandatory data breach notification takes hold.

The trend is certainly not toward ‘letting the data go wild’. It’s more a paddock-and-fences kind of situation.

Transformational Leadership and Not for Profits and Social Enterprises

Well, my last blog post was about this book I was editing – and here is a sneak preview of the flyer for it.  Ken, Aastha and I have enjoyed working with the authors a great deal.  


From the blurb on the book, which is in the Routledge Studies in the Management of Voluntary and Non-Profit Organizations series:

This book addresses the leadership challenges and strategies required when Not for Profits embrace new models of working such as Social Enterprises . It covers both concepts, and case studies of successful Not for Profits, and is very suitable for professional development programs .

And this is the table of contents:

Part I: The Leadership Journey

1. Leadership Concepts and Approaches; Kenneth Wiltshire
2. Three Schools of Nonprofit Thought: Evolution of the Field and Implications for Leadership; Aastha Malhotra
3. The Journey of a Social Leader: Leading and Transforming Organisations For Social Impact; Anna Krzeminska, Andreas Heinecke, and Christian Koch

Part II: Shaping the Journey

4. Stakeholder Partnerships and the Delivery of Services; Stephen Jones
5. Corporate Social Responsibility, Government, and the Balancing Act; Kenneth Wiltshire
6. Financial Sustainability Through Leadership; David Knowles and Chris Wilson
7. Your People, Your Volunteers; Amanda Roan
8. Non-Profit Marketing Strategy; Jay Weerawardena
9. Leadership and Governance Issues in Faith Based Organizations; Susan Dann
10. Leading Through the Jungle of Legislation, Regulation and Reporting; Paul Paxton-Hall Part III: New Journeys, New Horizons

Part III – New Journeys, New Horizons

11. Innovation Leadership; Mark Dodgson
12. Strategy, Leadership and Team Building; Karina Collins
13. Successful Nonprofit Leadership in an IT World; Micheal Axelsen

Fun times. 

Round-table discussion: Effective social networking in the public sector

I was invited to facilitate a round-table discussion on effective social networking in the public sector for CPA Australia at their International Public Sector Convention on 21st February 2013. These notes derived from that session.  I have formatted this discussion as an article, and it is available h here for download:  20130221 Roundtable Notes.pdf.  Please feel free to provide feedback or discuss this topic further in the comments below.


Social networking has gained enormous traction in recent years, changing business models and the ways humans interact.

However, social networking is more than just using a particular tool or medium. This roundtable discussion held at the CPA Australia International Public Sector Convention on 21st February 2013 aimed to discuss the long-term value of online social networking and explore how it can be applied to generate lasting benefits across the public sector.

The facilitator was Micheal Axelsen, of Applied Insight Pty Ltd, and the participants were representatives from the public sector. This discussion took place at the Brisbane Convention Centre.

Funny toy or useful?

It was apparent from our discussion that people are still not entirely sure what exactly online social networking is, and whether it is ‘too risky’ or not.


It was noted that collaboration is easily done using tools such as Facebook in comparison with the sometimes-slow bureaucratic processes for developing internet sites.

We did note some benefits – for example, we can keep in touch with people by ‘loose connections’ rather than lose touch when people change jobs.

Online social networking replaces chat groups or email lists, in many ways. Online social networking though is faster and more immediate.

Risks that may arise from the use of online social networking include:

  • Legal
  • Reputation
  • Cyber
  • Privacy and identity theft
  • Records management
  • Technology

Although we recognised those risks, awareness of the risks when online social networking is important to ensuring effective social networking.

Risky business?

Online social networking – the younger generation just ‘gets it’. But they too can be lax and not think through all the risks.

Users do need to be ‘savvy and sophisticated’ users. Not all people in all places are aware of what they can and can’t do with material on online social networking. A nightmare for auditors!

It’s not the tool that is evil, though – it is how the tool is used. The opportunity for fraud exists and the means by which online social networking can be used can be ‘really mind-boggling’ – particularly the social media tools. People still are not aware of the risk of fraud that can occur through social media.

Change for the better?

There are still definite benefits. Online social networking can be a real tool for finding out information.

One participant noted that they now find out more information from Facebook and Twitter than they do from television. For instance – weather awareness and information that more traditional channels are ‘slower’ to distribute.

So as an information awareness tool and gathering tool, online social networking has real benefits. Particularly product search and product help is a definite positive of online social networking.

For example, obtaining very quick recommendations for a service or product via twitter or Facebook can result very quickly, and if you receive 15 recommendations for the one service (for example, a restaurant), then you probably have had your choice made for you.

Sometimes participants felt that they have had quicker and better responses online to problems with products, although this varied between organisations.

We did consider though whether there may be a ‘regression to the mean’ in relation to how companies deal with issues raised through social media.

It may soon be only those Facebook posts with 300 likes that get a company’s attention, and then later only posts with 1,000 likes. Eventually, the extra resource expended on customer monitoring on online social networking will become part of ‘business as usual’ and the response will return to long-term trends.


Unlike a phone call or a letter, however, we did note that, with online social networking, complaints and discussions take place in a public place. For that reason organisations will likely place a higher priority on that for some time to come.

We recognised that online social networking is another channel, and this complicates our communication channels. The world is more complex than a PO Box and a phone, and this complexity means that agencies need to respond. Unfortunately, the ‘simple’ world of the past has most likely disappeared.

In twenty years’ time, online social networking will continue on, it will be the new norm. But new technologies will be developed, and the technologies will mature.

The need to critically appraise the information and comments made on online social networking by users is important. People need to assess quickly the credibility of the source making the comment, and also consider the number and sources of information. There are trolls on the internet but there are self-correcting mechanisms to filter these things out. It is an ‘ongoing war’ and the ‘wisdom of the crowds’ can help with this. Nevertheless, this takes time and effort to sort through the ‘chaff’, and some ‘walled off’ communities can be credible resources.

For example, LinkedIn makes a considerable effort to ensure the credibility of participants in conversations through moderated membership of groups.

Government agencies can use online social networking to access the communities that they deal with. Facebook pages, for example, allow an agency to talk one on one with their community, and obtain immediacy in their response.

This capability is used to varying effect. Some agencies have had fairly aggressive relationships with their communities whereas others have had more positive experiences. Monitoring online social networking can be used to provide information for policy development, particularly with respect to the targeted communities.

For example, overall the Queensland Police Service presence on Facebook has been considered a major success in their sometimes-difficult dealings with the public. This was a focussed and strategic use of social media.


Brand recognition on twitter and the maintenance of the brand is important. However, you have to understand the risks and mitigate the risks – you have many more stakeholders. Brand recognition will be important for agencies that need to self-promote to obtain their funding.

Targeted delivery of information via online social networking can be more effective, as well. For example, Generation Y (or perhaps the younger Generation X) that are heavily into social media can be accessed through social media rather than the traditional media. Engagement through traditional media may be diminishing.

Social media is just another channel to communicate; whereas people from one generation might write a letter to the editor, those from another generation might tweet about the issue or use activist sites such as ‘GetUp!’.

As generational change happens, agencies and organisations will need to educate and adapt to meet the needs of their communities.

There are opportunities to keep in touch with organisational alumni – particularly for the recruitment of new staff – but unfortunately not much is being done in this area at the moment. There is a lot of untapped potential there.

Concluding thoughts

People are still not entirely sure of online social networking, and whether its risks are worthwhile. Some benefits can be obtained by using online social networking in the public sector, but by no means has it been universally adopted.

Participants felt that the public sector is definitely lagging behind in the use of online social networking compared to the private sector. As generational change occurs, particularly for health, change will be needed.

Although our discussion centred on risks, several themes did emerge, including:

  • More understanding of what online social networking is is still needed.
  • User awareness of the risks of participating in online social networking still needs to mature.
  • Agency communities (for example, QPS Media on Facebook) can increase community engagement, but they might just as equally cause difficulties with the community.
  • Maturity will reduce this complexity, and as the novelty diminishes the tools will be embedded.
  • Targeted delivery via online social networking of information can be more effective and engaging than traditional media.
  • Informing policy response via community engagement can be particularly helpful for public sector agencies.

In the long term, the world has changed to be more complex.

Overall the discussion was lively and the risks and benefits were debated intelligently and in an informed way. Online social networking clearly has a long way to go in terms of maturing across the public sector, but the potential perhaps can be summarised as ‘promising, but beware the risks!’

Of droughts, and flooding rains, of businesses and broken business continuity plans.

Well, this is a blog entry, and I have a thing for bad business poetry.  In Brizvegas, as you may have heard, we’ve had droughts a-plenty until the last two years, and then the flooding rains that just created a seeping, growing, black mess that crept stealthily towards everyone’s place of business or abode.

Well, that might seem a little melodramatic, but you know what?  It’s not.  We’re all affected here in Brizvegas, even in little ways such as losing our carparks (my wife doesn’t think that’s so little) or daycare centre (my daughter, yes, same attitude as her mother).  My house was perfectly fine, halfway up Mount Cootha, but I went for a ride on my pushbike to see how my daughter’s daycare centre was faring.  As I rounded a corner and ran into deep, black water quite some time before I rather thought I would.  Squealing on the brakes, I thought to myself, ‘That’s not good!’

I also came to the realisation that my five-year old daughter was not going back to daycare tomorrow.

And so from my back deck, all seemed fine as I looked over the tall trees of Mt Coot-tha, but at the same time some people were cut off from food and petrol – friends of mine were refused service after the floods because they ‘looked grotty’. Well, how would you look after 5 days without power or a shower?

It was an odd flood, bright sunny day, and yet still I noticed the Lexus dealership madly moving cars, and the people at the Brumby’s bakery madly moving flour to the only bakery down the road that wasn’t flooded (it appears they rather had some trouble finding the key, and saved the flour only just in time or the western suburbs would have had to start eating crushed up gumleaves spiced with mud. And then having to drink the wooded Chardonnay left in the wine rack – oh the humanity!)

But the point (and there is one!) is that we precisely do not know what will ever happen to our homes or places of business.  Some of us thought we were really very safe at the time.  That idea’s comforting, but not always true (I can see a mountain full of trees from my back deck – so one day bushfires are on the cards).

Here’s a video I took of a house normally way, way above the river:

All of us banana-benders are looking at each other now, after inland tsunamis, floods-that-weren’t-supposed-to-happen, and Cyclone Yasi, and saying that if we had a blizzard come down Queen Street we’d let loose a suitable expletive and get down to it.

So how do you as a business prepare for these things?

Well, fortunately we do have best practice approaches available such as COBIT and ITIL.  A year or so ago, when I was lecturing at QUT in IT Governance, I asked the students to use COBIT’s framework to help with the development of a business continuity plan.  This is what it, rather drily, says:

DS4.2 IT Continuity Plans: Develop IT continuity plans based on the framework and designed to reduce the impact of a major disruption on key business functions and processes. The plans should be based on risk understanding of potential business impacts and address requirements for resilience, alternative processing and recovery capability of all critical IT services. They should also cover usage guidelines, roles and responsibilities, procedures, communication processes, and the testing approach.

The exercise for the student was to take a look around their bedroom and work out what they might lose, what they could afford to lose, and how they might get back on deck.  I seem to recall one student came up with a contingency plan that involved explaining to his lecturer how he didn’t need to submit the assignment that week – I believe I may have said he needed to improve that excuse for his risk register.

Anyway, business continuity plans are things that are really hard if you don’t know where to start.  So I took that reasonably vague statement above from ITGI’s COBIT and turned it into something like the below.  Feel free to borrow it as a template if you like for your business.  It’s not great, it’s not fantastic, but it’s a start, and at least you get thinking about what you need to do in the event of problems like droughts, flooding rains, bushfires, cyclones, blizzards, alien invasion, or inland tsunamis.  Try adapting this for your purposes:

And so I’m going to leave this blog entry right about here, now that I’ve gotten to use some great phrases like ‘a seeping growing black mess’ (seriously, anyone who saw that floodwater will agree that it was pretty yuck).  Readers, please take a look or download the example business continuity plan – a BCP doesn’t need to be hard, it just needs to work.  In fact, if it’s big and hard and ugly, it’s likely it’ll never work.  ‘Keep it Simple, Silly’ is the appropriate rule of thumb.  It’s a good start for some businesses, possibly not for others.

But please don’t find yourself caught on the hop and having to remove those files from the basement where they’re stored to the top floor of your building in your pyjamas and best thongs, like some people I’ve heard of.  Or the people at the Lexus dealership, who were frantic because they couldn’t find the keys to the four wheel drive blocking the driveway.

PS:  I hope I rickrolled somebody in one of those links up above…

Academic submission to a conference on Information Systems.

The past week or so of my professional life (it’s all a blur) has been taken up with writing a paper for submission to an upcoming conference.  If you’ve ever wondered about the process, it’s been painful.  If you are interested, read on to read the abstract of what is now a 12 page paper (it started out at 16 pages – cutting down is annoying).

If you aren’t interested – move along, nothing to see here.

Abstract (I’ll leave the title out as it’s A: long and B: it’s meant to be a double-blind review.  Suffice to say it’s about auditing and accounting standard reforms, BIS and IT audit).

Information systems are key components of the internal control system that ensure the business entity complies with the requirements of the financial reporting regulatory framework. This regulatory framework consists primarily of accounting and auditing standards. As the regulatory framework changes, so too do the functional requirements of information systems. Compliance with the regulatory framework is essential to the long-term business success.

This paper is a report of a  review of the effect of Australian reforms to auditing standards (the ‘audit risk’ and ‘black-letter law’ reforms) and accounting standards (the ‘A-IFRS’ reforms) upon business information systems and information systems audit. This analysis is verified with audit professionals and the final results reported as an exploratory study. The results identify seven significant computer-based registers for businesses to manage in complying with the financial regulatory framework, and identifies the significant relationships between accounting and auditing standards and information systems audit.

The audit and accounting profession requires a deep understanding of the implications of the financial reporting regulatory framework for business information systems design and the role of information systems audit. This paper provides a valuable contribution to this professional need through considered analysis  of the auditing and accounting standards.

Keywords: IFRS, ISA, IS Audit, business information systems

This research is a part of the output of my Australian Research Council Project.