IT services provider Avocado Consulting has acquired Melbourne-based Cyberisk Australia, with the former growing to 165 people with clients including some of the largest government agencies and top ASX-listed companies.
Avocado was established in 2004 and lists AMP, Services NSW, Telstra, BT, Westpac and Transport for NSW, Macquarie, the ASX and the Victorian Department of Health among its clients.
Avocado provides end-to-end technology services and has testing, digital and cloud solutions, and product delivery and governance practices. It lists Splunk, Dynatrace, AWS, Azure, Redhat, MyRISK and CyberArk among its vendor partners.
Cyberisk brings 15 people specialising cyber architecture, governance, risk and compliance.
Cyberisk owner David Vohradsky told CRN that a lot of Avocado’s security advisory work was subcontracted to Cyberisk prior to the consolidation.
“Avocado has a digital and cloud solutions team who do the implementation: we’re at the start of the assessment during the strategy phase: focusing on things like cyber architecture, governance, risk and compliance. So it's sort of bringing the two pieces of the puzzle together.”
Vohradsky said that the growing demand for a more quantitative approach to threat and risk assessment was also behind Avocado’s absorption of Cyberisk’s security advisory capabilities.
“We are seeing more demand for a quantitative threat and risk assessment to prioritise remediation based on the budget of the organisation.”
Vohradsky said that last week’s Optus hack was a perfect example of the need for both companies and the government to adopt a more comprehensive and quantitative approach to risk.
Using the Critical Infrastructure Bill as an example, which centres on obligations for companies to prevent and respond to losses of service, Vohradsky said risk needed to also incorporate the cost to both companies and the public of things like data loss.
“You don't have to report data loss to the government under the critical infrastructure bill. You have to report the loss of a system. The loss of a telco system for example,” he said.
Vohradsky emphasised the importance of security advisors communicating risk to their clients in ways that addressed its role in ROI.
“Cyber security leaders need to be able to articulate the threat and risk in business terms quantifying the metrics to present a ROI that the business leaders can understand and then support the mitigation actions needed.”
“In order to implement comprehensive coverage you also need to look beyond the minimum,” Vohradsky added.
“Essential eight is useful for benchmarking within our government clients, but we also work across other sectors to implement and assess against NIST CSF, ISO, PCI and many other government or industry mandated frameworks.”
The Avocado-Cyberisk acquisition follows a $10 million investment announced in the last week by venture capital firm Centerstone Capital in Australian governance, risk and compliance (GRC) software vendor 6clicks.