I like “lessons learned” reports. The key message I take from this one is that it is not enough for the security team to be aware of risks; deciding what to do about them is a business problem…:
[…] Reports in the Australian Financial Review suggest at least 15 people across LMW’s team of IT staff, contractors and senior management knew of the vulnerability in LMW’s platform before the incident. While the facts about the incident are not known, this could suggest a breakdown in internal reporting, and the way security concerns are communicated and acted on by management.
In some organisations challenges arise because cybersecurity governance is not aligned to other organisation-wide risk processes and procedures. Increasingly, specialist functional groups are established within organisations to monitor and address data risks and to provide clear accountability for reporting and escalation of security concerns. To provide the most benefit, these specialist groups need to work closely with information security staff, as well as operational, legal and risk teams.