Jean-Baptiste Bres

Chief Information Security Officer

Unto the breach: let’s face up to data security

We just published an article that talks about data security and how we, at Xinja, are protecting our customers. Let us know what you think!


Cyber Attack Conference Sydney 2019

I am very honoured to be one of the speakers at the upcoming Cyber Attack 2019 Conference in Sydney on October 17th. I will be facilitating a round table discussion on how to implement a security Bring Your Own Device (BYOD) policy.

Let's. Go.

Xinja officially has a full banking licence! We will be opening our first bank accounts today! 🥳



Xinja is #5 top startups to work for now!

Xinja is #5 top startups to work for now! 🏆🏆

Australian banks face secret penetration tests

An interesting initiative from NPP (which coordinates the open access infrastructure for fast payments in Australia, PayID). Following the PayID lookup attacks that occurred in recent months, they might now perform secret penetration tests to ensure that participating banks are up to the right level of protection. 💡


What will future jobs look like?

A very interesting talk from economist Andrew McAfee on how jobs will change in the future. Yes, droids will take our jobs -- or at least the kinds of jobs we know now. In this far-seeing talk, he thinks through what future jobs might look like, and how to educate coming generations to hold them.

Super Risk Symposium - Melbourne 14/08

I was honoured to be one of the speakers at the Super Risk Symposium organised by the AIST in Melbourne on 14/08.

It was a great session, on the impact of the new CPS 234 regulation, thanks to Rob Pickering who facilitated the debate and to Joss Howard and Matt O'Keefe for their great insights.


Security Designer @ Xinja

Last but not least, we are also hiring a Security Designer, a strategically critical role in defining and assessing Xinja’s security strategy, architecture and practices.

If you think this is something for you, contact me or visit the Xinja careers website for more information.


Info Sec GRC Manager @ Xinja

Another great opening in the Xinja Security Team. We are looking for an Information Security GRC Manager!

This is a key role for the organisation: You will manage the information risk and security governance, focussing on raising standards and awareness, as well as providing assurance and monitoring compliance with policies and standards.

If you think this is something for you, contact me or visit the Xinja careers website for more information.

More openings coming soon…


DevSecOps role @ Xinja

Another great new security-related role we are recruiting for at Xinja: we are looking for a DevSecOps engineer with a focus on security automation. You’ll be embedded in the DevOps team to facilitate continuous delivery of secure, quality software to the Xinja Banking Platform using DevSecOps practices and principles. You’ll need to have a broad cross-section of skills along with a strong consultative approach.
You’ll work with software engineers and security experts to ensure that the right practices are in place and to take the security lead on automating the path to production to enable deployment of changes with no manual intervention and in a highly secure manner.
We run a small, crack team of DevOps engineers to help us to build out a world class continuous integration and delivery pipeline for the Xinja Banking Platform as we continue to scale at pace. You will ensure security standards are upheld and secure coding practices maintained.
You should know that we do things a little differently at Xinja. You won’t be micromanaged and will have the flexibility to choose the tools you need to get your work done. Along with the team you work with, you’ll be given autonomy on how you design and build DevSecOps processes as long as it stays within the guidance of the Xinja Software Development Lifecycle and Information Security Management System. You should be comfortable with pushing new tools and processes and challenging the norms of secure software development and deployment.

If you think this is something for you, contact me or visit the Xinja careers website for more information.

More openings coming soon…


Security Analyst role @ Xinja

I am recruiting a Security Analyst to join the fantastic security team at Xinja. The role will be responsible for assisting in building upon and improving Xinja’s Information Security Program. You will be the primary technical security resource in a small team responsible for the day-to-day operations of the security of all things Xinja.

If you think this is something for you, contact me or visit the Xinja careers website for more information.

More openings coming soon… 😉


Your inbox is spying on you

It seems that Technology and Privacy still have a long road to go to work hand-in-hand. Security is still - for a lot of organisations - an afterthought and not an inherent part of the design.

"When we built [our company], we focused only on the needs of our customers. We did not consider potential bad actors." 😧

Read more:

Super Risk Symposium - Melbourne 14/08

I am very honoured to be one of the speakers at the next Super Risk Symposium organised by the AIST in Melbourne on 14/08. I will be discussing being CPS compliant with 2 great experts: Joss Howard (Head of Risk Management and Governance Consulting, APAC, NCC Group) and Matt O'Keefe (Partner, KPMG).

Information security is all about risk management. With APRA’s CPS 234 framework now live, how do funds need to be secured and why? What is an acceptable risk? And what is the lasting impact if valuable data is compromised, exposed or unavailable?
This session will explore how funds are demonstrating compliance with the new prudential standard and the strategies being used in safeguarding systems against information security threats.

[Update] Info and tickets at

RBA details disaster recovery efforts

Disaster Recovery is a complex exercise. Those few of us who have had to manage a crisis and ensure a full recovery of critical business activities know that, despite all the planning, testing and simulation we have done, there are always elements we did not foresee.

In August 2018, the Reserve Bank of Australia faced a disruption to the power supplying the data centre at one of its sites (primary and backup) due to a vendor error. Then multiple factors, from super-high security to plain bad luck, made the recovery difficult, and the bank did not manage to recover within its recovery time objective (RTO).
This article details the extent of the events. It is a very interesting story for everybody interested in continuity and disaster recovery. And also kudos to the RBA for the retrospective analysis of their own efforts, their honesty about what did not go as well as planned, and their transparency in sharing their findings with the rest of the industry.

Is your cybersecurity training reaching the right people?

People's attitude toward security is probably the most important factor when it comes to ensuring a good security strategy is in place. Even with the right technical protections, if people do not act carefully, it is not going to work out! So awareness is key. And targeting the right audience is critical to ensure the right outcome. On that topic, ZDNet published an interesting article titled: Is your cybersecurity training reaching the right people?

Want to Take Better Notes? Ditch the Laptop for a Pen and Paper

An interesting read about how using pen and paper helps you to take better notes than using a computer: Want to Take Better Notes? Ditch the Laptop for a Pen and Paper, Says Science

I personally always struggled to take notes on a computer and have been a fierce user of notebooks (especially since I discovered reusable ones). Well, now I will have an even better excuse to continue doing so 😄

💡 Conference Transcript: Building an Information Security Policy Framework


Following my presentation on Building an Information Security Policy Framework at the "Implementing CPS 234" conference held in Sydney in May 2019, I received many requests to publish a transcript. Thank you all for your interest and for the large amount of feedback you shared with me. As promised, here is an augmented transcript of my presentation.

It covers an overview of what a Policy Framework is, and why it is an essential part of any Information Security program; the various existing frameworks used across the industry, their strengths and limitations; a methodology to create a flexible framework, supported by a risk assessment and a strong understanding of the assets owned by the institution and the threats they are exposed to; and an approach to define an adequate control set and how to prioritise its implementation.

Read More…

Microsoft Patches ‘Wormable’ Flaw in Windows XP, 7 and Windows 2003

Microsoft today is taking the unusual step of releasing security updates for unsupported but still widely-used Windows operating systems like XP and Windows 2003, citing the discovery of a “wormable” flaw that the company says could be used to fuel a fast-moving malware threat like the WannaCry ransomware attacks of 2017. Read more at

Tapping into the power of humble narcissism

No, “humble narcissism” is not an oxymoron; it’s a combination of qualities that the best leaders and companies have. Organizational psychologist Adam Grant explains why in this interesting TED article.

First State Super integrates advice, overhauls leadership

First State Super has fully integrated its financial advice business, StatePlus.

In a move aimed at making financial advice accessible for all its members, the $70 billion fund has brought its financial advice business StatePlus in-house. Read more at

💡 Creating a Secure Bring-Your-Own-Device Strategy


Corporate reality is that there is a growing interest from employees to use their personal devices for work. This can have a very positive impact on business – choosing which device is best for them and when, empowers workers and makes them more productive – but it also raises many security concerns for the enterprise – especially around access, confidentiality of information, compliance, security and privacy.


The Bring-Your-Own-Device (BYOD) strategy defines how employees will be able to interact with corporate resources, and is a critical part of your journey toward BYOD. It sets out the capabilities your organisation offers to employees to use their personal laptops, smartphones or tablets for work.

To assist you in your journey, this article covers how to answer these questions and what options are available to you in order to create a secure BYOD strategy.

Read More…

How to keep human bias out of AI

As I have recently been working on a new Data Strategy, taking into consideration how Artificial Intelligence (AI) can help us to provide better insights and advice to our customers, it is also the right time to consider the risks associated with such technology. I'm not talking about 🤖 Skynet taking over the world 😉 but how, if not used well, AI can reinforce human bias instead of helping us be better advisors!

Here is a great talk from Kriti Sharma @ TED on how to keep human bias out of AI.

"Implementing CPS 234" conference

I am very proud and excited to be one of the key speakers at the "Implementing CPS 234" conference on 3rd May in Sydney.

I will be talking on how to build an information security policy framework that is agile to changing threats.

💡 Public Cloud ☁️ - Australia and New Zealand Regulatory Landscapes


More than ever, financial institutions in Australia and New Zealand are moving toward public cloud computing as a way to benefit from easy to use, flexible, cost effective and reliable infrastructures and services. Despite its substantial benefits, cloud computing also creates a complex new environment for financial institutions to navigate. Regulators in Australia and New Zealand are evolving their requirements and guidelines. This results in a growing expectation that financial institutions have robust governance over their outsourcing process and ensure a high level of oversight of their cloud service providers. This article discusses the regulatory requirements around usage of Cloud Services in Australia and New Zealand and how to satisfy them.

Read More…

Microsoft is privately testing 'Bali,' a way to give users control of data collected about them

Some cool stuff coming from Microsoft... Microsoft Research is looking to provide users with access to their own 'personal data bank' via its 'Project Bali' effort.

How to break bad management habits before they reach the next generation of leaders

How to break bad management habits before they reach the next generation of leaders | a great talk by Elizabeth Lyle

Happy New Year 2019! 🎉

The New Year is here! Look ahead, embark on the road to success. May you have a great journey to your destination! Happy 2019. Read More…