Search
Close this search box.
November 2024 contributions transactions: 13, 451,855
November 2024 rollover transactions: 185,932
November 2024 total superannuation transaction messages: 45,863, 944

Meet Ross Daws! GNGB’s new Chief Information and Security Manager

Image captured by Ross Daws. Title: NGC 3576 – The Statue of Liberty Nebula in SHO. Image source: https://www.astrobin.com/4cxs0g/

Gosh, where to start? I started working in IT in the mid 1990s, and since then I have worked in a number of different organisations, on a number of different projects and products, and with a number of different types of teams.  

Over the years, I’ve learned that there are key ingredients in the roles that I have found the most rewarding and fulfilling:  

  • I thrive in “small teams” environments where the breadth of experience is advantageous;  
  • working with people who are passionate about what they are doing; 
  • I enjoy working in an area that I feel matters and helps make the world a better place;  
  • and I love solving problems, especially when that empowers others to achieve more as a result. 

I’ve spent most of the last decade working within the superannuation sector. As a technologist, that has meant working away behind the scenes, trying to make super simpler, smarter, and safer, so Australians can enjoy greater security in their retirement. 

The opportunity to join the GNGB as Chief Information Security Manager feels like a perfect next-step. I get to be part of a small team charged with a huge responsibility, where I can bring both my breadth and depth of experience to bear. I get to work with people I’ve gotten to know over a number of years. Getting to solve problems and protecting a system that I believe in passionately. I’m certainly delighted and humbled to be here, and I’m excited to be getting on with the job.

There are a couple of aspects of this role that I am excited to sink my teeth into. Firstly, effective information security is a nuanced and context-sensitive undertaking. Gateway operators are asked to assess and implement controls that can be as high level or abstract as “follow the principle of least privilege access management,” or as fine-grained and prescriptive as “Microsoft Office macros must not be enabled.” For either of these examples, and for every scenario in between, the challenge and goal is not to implement the control, but to implement the control effectively. What ‘effective’ looks like can at times vary greatly from gateway to gateway, and this ambiguity can be both challenging and frustrating for gateway operators. I’m looking forward to working with the gateway operators to understand and unpack the nuances of their specific gateway implementation and ecosystem.. 

That leads me to the second key challenge I’m looking forward to, which is to address the security of the network as a whole. GNGB are in a position to see how all the different threads pull together, discerning the overall network security posture. As our threat landscape gets more and more complex, it is even more important that GNGB can keep an eye on the broader picture and the system as a whole. GNGB can look into those risks that live in the gaps between where one gateway’s implementation ends, and the next one’s starts.

Building Iress’ SuperConnector gateway is one of the highlights of my 25 years in Software Engineering. Over a seven-year period we went from a proof-of-concept AS4 service to allow funds to call the Super Member Info services when they were first introduced, to a SuperStream gateway. This handled rollover and contributions messages for super funds, and then complementing that with building a clearing house that allowed us to cover the entire contribution lifecycle end-to-end. 

From a technology standpoint, having the chance to build a platform like this from the ground up in a complete greenfield environment is an opportunity that every software engineer dreams of. I was equally fortunate with the timing of this project. The STN was already established by this time, and so I was able to design and build a gateway with all the information security requirements known up-front. This gave me the opportunity to build a SuperStream gateway from the ground up, with the fundamentals of information security baked in from the very start. I can see how my twin passions for our superannuation system and pragmatic information security were nurtured and matured through this experience, and I wouldn’t have arrived here at GNGB without it. 

In terms of lessons learned, it’s no surprise that information security is a recurring theme. One of the most transformative lessons for me is that security uplift and implementations can be their most effective when understood through the lens of protecting your own people from the risks inherent in having privileged levels of access. Early on in my career I did a couple of stints as a System Administrator, and enjoyed a sense of being trusted – and of my own importance – by virtue of having root level access to systems under my control. Fast forward twenty-something years, I now advocate for people holding the least levels of privileged access that they responsibly can.  

Information Security is all about identifying, managing, and treating risk. Restricting privileged access to a) the lowest responsible levels of access, and b) for the shortest responsible length of time, provides a very strong foundation to build upon when it comes to protecting your people from the risks of human error in production environments. Time-limited just-in-time privileged access creates natural checkpoints to assess whether privileged access is still required, and provides an audit trail of why access was elevated and for how long, which provides both transparency around elevated access, and an approval record that the team can refer to that justifies and explains why the access was necessary. 

On reflection, building and operating a gateway has also shaped my notion of responsibility. In the product world – software or physical, it doesn’t matter – people talk about the golden triangle: you can choose the features, you can control the costs, or you can control the timeline… but you can only control two of the three, never all three. This often leads to questions like “what is the shortest possible time to deliver?” or “what is the cheapest possible cost we can deliver for?” But for operating a gateway, or overseeing a network, we are not in the “possible” game, but the “responsible” one. I like to ask what is the shortest time we can responsibly deliver in, or how much will it cost to implement feature a or secure data b responsibly?  We are guardians of other people’s data, other people’s life savings, and while I care about what is possible, I care much more about what is possible to achieve responsibly.  

I certainly love working within the Superannuation sector, and I find it extremely rewarding to be able to focus my efforts on securing the life savings and quality of life of millions of Australians for their retirement. One thing that it hasn’t given me however is an unassailable track record as a technologist with a crystal ball! 

I see the shift towards real-time everything as being one of the major triggers for change across banking in general, and Superannuation in particular, over the next few years. Initiatives such as Pay Day Super are pushing towards much faster reconciliation times for transactions, and as financial consumers, Australians are embracing and expecting real-time financial transactions as part of normal life. How deeply this will flow through into the superannuation sector remains to be seen, though certainly there is momentum around adopting near-real-time transaction processing and reconciliation at the contribution end of the superannuation ecosystem. Without a doubt Australians are expecting to be able to access and transact their wealth using mobile phones or computers at any time of day or night and expecting that transaction to complete there and then.  

The ever shortening cycle time for transactions is already putting pressure on the checks and balances in the system, so I’m eagerly waiting to see the developments in ID technology that will be able to safeguard real-time transaction processing and provide that level of surety and rigour around transaction authorisation, so that accessing our retirement savings or our wealth in general remains as safe as it is convenient. 

There are two things that fall into this category for me: identity theft, and fortress thinking. 

Identity theft: 

The acceleration of transaction reconciliations is a huge boon for Australians wanting rapid and convenient access to their wealth, and wanting to remain in control of where their money is and how it is managed. Unfortunately, decades of data breaches has significantly compromised the identity security of millions of Australians, and I’m concerned about the ability of Identity Tech to keep pace, to provide a reasonable level of assurance that transactions have been requested by the individual themselves. 

The proliferation of personally identifying information being exposed through data breaches is a very real threat to the life savings of millions of Australians. This is one of those concerns that really keeps me awake in the wee hours. So much of our identity validation is built around challenging people based on what they know: usernames and identifiers, passwords, obscure facts chosen as security questions, and so on. There are elements of our identity validation that are very slow changing. For example, early adopters of Google Mail, Hotmail or Yahoo can be using the same email address as their identifier as they were twenty years ago – and some, such as my mother’s maiden name, haven’t changed at all. The insidious aspect of this in my view is the fact that data breaches are fundamentally cumulative. It can take a little time to filter through, but in the end there can be an identity profile available for sale that contains the combined information about you that has been leaked over the last decade or more. For people who’ve been on the internet for a while that can be a surprisingly and disturbingly comprehensive dossier of information.  

So the theft and exploitation of Australians’ identities is a very real concern for me. Security fatigue is very real, and those with the most to lose in terms of personal wealth are often those whose understanding of internet safety and safe practice is lowest. 

Fortress Thinking: 

The other issue is what I call Fortress Thinking. In terms of the systems that we implement, we often focus on the security checks that need to be met before we grant access to someone or something. Once checks are passed, the drawbridge gets lowered, and the user goes from being on the outside to the inside. Challenges have been passed and they are largely free from challenge from that point onwards. 

From a systems engineering perspective there is a long-established practice of implementing security based practices on this same pattern of thinking. That is, until you are challenged you get nothing, but once you pass the challenges, you are in. Zero trust offers some benefits in terms of transactional security, but from my perspective we need to be rearchitecting the security domains within our fortresses altogether. I’m a big believer in the “hot potato” approach to data security – that most data is too hot for most systems to want or need access to. If I want a web portal to say “Hello, Ross” for that nice personalised touch, it doesn’t need to know my full name; a nickname would suffice. The portal doesn’t need to know my date of birth, my address, my phone number, none of that information is necessary for most use cases. 

I’d love to see more organisations get on board with transient data processing.  That is, they would only have access to information for the duration of the transaction in which they need to operate upon it, and at the end of that operation the connection to that datastore is severed. These concepts are commonly accepted and implemented at the logical level. They ensure that the user of a system can only access records belonging to that user, for example – but I want to see more organisations internalising this into their data system architectures so that systems themselves are limited in what data they have access to. It’s a huge change, but I think an essential one.  

Honestly, it depends on the weather! If the skies are clear, chances are you will find me outside at my telescope, taking photographs of emissions nebulae thousands – or tens of thousands – of light years away. If the skies are cloudy but the weather is otherwise non-violent, I like to get out in my four-wheel drive and camp on the banks of a river in the Victorian High Country somewhere. And when the weather lets me down completely (I am in Melbourne, remember) I’m playing computer games with my daughters, or learning the basics of woodworking, and building myself a live edge hardwood slab desk for my home office.  

Visit Ross’ astrophotography archive: Rosco’s gallery – AstroBin