The Smith Family hunts for new cyber chief

National education support charity The Smith Family is looking for a replacement for its former CISO Andrew Wan who left in May last year.  

Wan said in a LinkedIn post in November that he was appointed SCBX's group chief Information security officer. 

SCBX - the innovation arm of Thailand-based Siam Commercial Bank - did not reply to iTnews’ request for comment. 

A spokesperson for The Smith Family told iTnews that the cyber lead for its cyber resilience program Ajoy Ghosh is acting as CISO until the appointment of what it now calls a chief trust and security officer (CTSO).

“The primary purpose of the CTSO position is to ensure that the Smith Family effectively manages cyber risk to preserve the trust of our customers, staff, volunteers, donors, partners, and stakeholders," the spokesperson said.

The charity has twice had its stakeholders' data exposed in separate cyber incidents.

In November 2022, up to 80,000 donors’ details were accessed through a compromised employee email account, while an unrevealed number of donors’ data was also published on the dark web in September last year after a third-party fundraising campaign partner was breached.

The spokesperson said that although the job posting is for a ‘chief trust and security officer’, “the CTSO will fulfil the CISO role and have additional responsibilities.” 

Like the former incumbent, the “CTSO will be responsible for overseeing and managing all aspects of cyber security, infrastructure hosting, and cloud environments, and work collaboratively across the organisation to optimise the security of The Smith Family services.

“Additionally, the CTSO will deliver high quality, innovative technology infrastructure/cloud strategies in support of business and technology architecture.”

The portfolio’s expanded “responsibilities will better reflect our strategic plan and goals and how we work with those we support and those who support us," the spokesperson continued.

“The context of the CTSO role is a broader change to The Smith Family’s digital and IT teams which includes five new general manager roles.”

The CTSO will also oversee and support the organisation’s "longer-term investment in cyber security", which is a program of work branded SmithShield.

“This work covers three key components: data security, perimeter security, and employee and stakeholder awareness and processes," the spokesperson said.

“Our key focus in 2023 has been on strengthening our cyber security systems, processes and related practices and behaviours.”

The charity’s 2022-23 annual report [pdf] said its investments and achievements in security during the past financial year included “centralising volunteer data in an onshore system for better data management” and improving “the architecture and security of the donation form on the Smith Family’s website.

“This year we also enhanced The Smith Family’s resilience and continuity across regions, conducting disaster recovery tests for all core systems, and we established high availability disaster recovery for our content management system.”

Before joining The Smith Family, Wan was the NSW whole of government cyber security operations’ inaugural director; he was appointed in 2017. He has also held senior roles at NSW Police, Telstra and other organisations.