Biography

Darren is a Director and the National Head of Cyber Security and Privacy Risk Services in Melbourne.

Darren has delivered security and privacy assessments across multiple countries for large multinational corporations, and locally for Australian based organisations in both the public and private sectors across all industries.

"I enjoy translating cyber security risks into business language, combining my deep technology risk knowledge with high-impact communications to c-suite and board levels."

He has worked on an extensive range of technology risk management projects including technical security assessments, governance and strategy, data privacy, third-party risk, cloud security assessments and risk strategy, cyber security, and much more.

Darren is also currently supporting the Consumer Data Right (CDR) accreditation for Open Banking and Open Energy applicants seeking unrestricted, sponsor/affiliate, or principal/representative agent access.

Residing in a little beach town in Mornington Peninsula, Darren loves spending his free time with his family and five children.

Prior to joining RSM, Darren worked for a global internal audit and risk consulting firm for over 12 years in London and Melbourne, where he led the Melbourne office’s IT internal audit, technology risk, and data analytics solutions.

Darren Booth is a Partner of RSM Australia Partners and a Director of RSM Australia Pty Ltd.

Significant Projects

  • RSM Australia recently completed the first CDR information security accreditation for a FinTech (non-ADI Open Banking) and Darren was the lead assurance practitioner for the independent assurance report (ASAE 3150). This involved assessing the design and implementation of controls for Part 1 and Part 2 of Schedule 2 in the CDR Rules.

  • Led the General Data Protection Regulation (GDPR) and Australian Privacy Principles implementation project for an Australian headquartered international cosmetics retailer. The engagement was subsequently expanded to include a new POS risk assessment and a Payment Card Industry Data Security Standard (PCI DSS) advisory project.
  • Performed a cyber security assessment of a diverse conglomerate, benchmarking against a matrix framework based on ISO 27001, the NIST Cyber Security Framework, the Australian Government Essential Eight, and the Centre for Internet Security (CIS) Top 18 Critical Security Controls.
  • Assessed the secure configuration of a Microsoft Azure and Amazon Web Services (AWS) multi-cloud environment, using the Cloud Security Alliance (CSA) guidance, CIS Benchmarks, AWS Security Best Practices, and the Well-Architected Framework.
  • Spearheaded a vulnerability assessment and CREST accredited penetration test at a financial services organisation to assist with CPS 234 compliance.
  • Evaluated compliance against the Victorian Protective Data Security Standard (VPDSS) and the Australian Government Information Security Manual (ISM), and developed a roadmap to compliance based on gaps identified and remediation of quick wins.

Associations

  • Professional Member of the Institute of Internal Auditors (IIA)
  • Member of the Information Systems Audit and Control Association (ISACA)

Qualifications

  • Certified Information Systems Auditor (CISA)
  • Certified Internal Auditor (CIA)
  • Certified Data Privacy Solutions Engineer (CDPSE)
  • Internal Audit Quality Assessment Reviewer
  • Masters of Engineering and Management (University of Manchester)

Publications

Risk Insider Newsletter - Edition #13

1 September 2022
It is now more critical than ever that businesses take responsibility for, and shape the impact they have on the environment, their community, and stakeholders. Putting sustainable and responsible practices at the heart of the business is fast becoming a pivotal requirement for regulators, investors, and other stakeholders. While profit will, inevi...

Risk Insider Newsletter - Edition #12

31 August 2022
I recently sat down with two ASX listed Board Directors to discuss the board’s role in integrating environmental, social and governance (ESG) criteria into business performance. Overwhelmingly, we concluded that Boards of Directors can help their companies incorporate elements of ESG into overall strategy by defining short- and long-term objectives...

thinkBIG report: Cyber security

27 June 2022
Just because your business is small, doesn’t mean it’s safe from cyber attack. In fact, a cyber criminal may target small businesses because they’re less likely to have sophisticated cyber defences. Read about what you can do to ensure your business is cyber secure.  ...

Technology Due Diligence

10 May 2022
For private equity and corporate acquirers, identifying and assessing technology that can affect capital allocation and growth potential is critical during the diligence process. Technology risks can consume significant post deal investment or impair long term revenue gains. On the buy side of a deal, this information can validate the asking pri...

Case Study: Verifier

15 March 2022
Verifier is a consent-driven data sharing platform that helps everyday Australians access their own data to simplify time-consuming activities – such as verifying income when applying for a loan.   Ready to extend their platform to solve new consumer challenges, Verifier decided to apply for Consumer Data Right (CDR) accreditation for...

Risk Insider Newsletter - Edition #11

14 March 2022
We hope that this edition of the Risk Insider finds you well. The current circumstances that we are faced with are unprecedented and devastating. We want to take this opportunity to extend our support to any businesses that have been affected during this time

Australia’s digital future: Evolving the Consumer Data Right | Webinar Recording

3 March 2022
Darren Booth, National Head of Cyber Security and Privacy Risk Services at RSM, presented at the Committee for Economic Development of Australia (CEDA) event on Thursday, 24 February. He joined Digital Economy Minister Senator Jane Hume and other key stakeholders discussing the Consumer Data Right (CDR), and how the implementation...

Consumer Data Right and the Australian Privacy Principles

17 February 2022
Consumer Data Right (CDR) was introduced in 2019 by the Australian Government, with the intention of giving consumers (individuals, companies, business enterprises) the ability to ‘opt in’ and share their data between service providers of their choosing. It's now active in banking, so consumers may choose to share their banking data with a pros...

Case study: Zepto

8 November 2021
Zepto is a rapidly growing FinTech company on a mission to deliver innovative products that empower merchants to redefine the payment experience through automation, consent, data, and open exchange of information. In line with their mission, Zepto engaged RSM to assist with gaining Consumer Data Right (CDR) accreditation for Open Banking. L...

The path to becoming an Accredited Data Recipient

20 October 2021
As a potential Accredited Data Recipient (ADR) for Open Banking and Open Energy, the path to achieving Consumer Data Right accreditation may appear complex and time consuming to navigate.   The Treasury’s Consumer Data Right newsletter spoke to Darren Booth, National Head of Cyber Security and Privacy Risk Services at RSM, to break d...

CPS 234 – Tripartite Audit

19 October 2021
RSM is one of those few organisations that are uniquely qualified to perform the audit and report in line with the ASAE 3150 standards required by APRA. A complete assessment – CPS 234 Tripartite Audit Our audit methodology will ensure a thorough analysis of your CPS 234 environment. The ASAE 3150 audit will cover the following areas: ...

Using the Office of the Australian Information Commissioner (OAIC) CDR Privacy Safeguard Guidelines as a FAQ

30 September 2021
There is a lot of reading to do if you want to receive and use Consumer Data Right (CDR) data for Open Banking or Open Energy. Regardless of whether you are an ADI or non-ADI, unrestricted Accredited Data Recipient (ADR), sponsor, affiliate, representative agent or an outsourced service provider (OSP) you must demonstrate compliance with informa...

Submission to Treasury on Consumer Data Right rules amendments

10 August 2021
RSM's experience in completing Consumer Data Right (CDR) information security accreditation reports and applications has informed a recent submission to Treasury on CDR rules amendments. Overarching approach to information security assurance Based on the experience of APRA for compliance with CPS 234, organisations do not know how to comply w...

Risk Insider Newsletter - Edition #8

8 June 2021
After a slow start, investor and regulator attitudes towards environmental sustainability have started to evolve. It is no longer seen as just a nice to have - changing regulations mean environmental sustainability credentials will have a significant impact on investment decisions.

Small Business Cyber Security Guide

23 March 2021
In February 2021, the Australian Cyber Security Centre (ACSC) released a Cyber Security Guide tailored for small businesses. The guide has been developed to assist small businesses to protect themselves from falling victim to common cyber security incidents. The guide is part of the Small & Medium Business Cyber Security suite of articles t...

Risk Insider Newsletter - Edition #7

1 March 2021
As cybersecurity continues to affect the bottom line of many companies, the need to continually assess and improve your security posture is paramount. As cybersecurity threats and data security events continue to evolve, understanding the costs and resources necessary to respond to a data breach is essential.

Cybersecurity for farmers and the agricultural industry

27 January 2021
As farmers and rural communities transition towards greater reliance upon online technologies, the need to protect both their personal and organisational data is paramount. Farming and agriculture organisations must be aware of and protect themselves against the many cyber risks that come with both the standard organisational aspects (emails ...

Beware of scammers this holiday season

2 December 2020
The run up to Christmas is a lucrative period for retailers, as people look to stock up with promotional offers that coincide with Black Friday and Cyber Monday. AUD $28.09 bn of goods were purchased in 2019. All that money changing hands now puts the scammers back on the horizon, where they target online shoppers with fraudulent emails and fak...

Consumer Data Right Options

4 September 2020
As the CDR ecosystem expands, organisations are asking what models are available to access the Consumer Data Right (CDR) Open Banking data. A summary of options available for product owners is outlined below. Accredited Data Recipient (ADR) Standard approach to CDR Rules and accreditation, with the ADR enabling consumers to access Open Bankin...

RSM's Consumer Data Right (CDR) submission

30 July 2020
As the Consumer Data Right (CDR) Rules continue to evolve, RSM submitted a response to the request for submissions related to the draft ‘intermediary’ Rules, which were published in June 2020. Given significant changes to the Rules are unlikely to occur prior to a tiered accredited data recipient (ADR) model being implemented, we focuse...

Risk Insider Newsletter - Edition #5

29 July 2020
Audit Committees, Senior Executives and Boards need to understand the impact of the coronavirus pandemic on internal controls. The pandemic has caused many to transition to a work-from-home arrangement, and your most important internal controls may not have kept pace with these rapid process changes. Now is the time to ensure that any issues with underlying transactions, data or controls are identified and corrected, to prevent misappropriation or fraudulent activities.

Consumer Data Right (CDR) information security accreditation

23 June 2020
Obtaining assurance on the security of your CDR data environment. With CDR going live on 1 July 2020, Accredited Data Recipient (ADR) applicants must demonstrate the security effectiveness of their people, processes and technology. The key is to demonstrate security, whilst minimising the cost. What security controls are needed? The Cons...

Cyber security - what's old is new again

11 June 2020
User credentials of millions of users have been compromised over the years as a result of cyber incidents. Yahoo, LinkedIn, Facebook and eBay are just some of the breaches that are commonly known. There are millions of user names and passwords available on public forums as well as the deep and dark web for criminals to harvest and use, and the mali...

Real estate organisations are a new target as cyberthreats continue to grow

25 May 2020
With the magnitude of security and data breach cases highlighted regularly in the media, most executives of real estate companies are aware that they will likely become a victim of a cyberattack. The First National Real Estate group suffered a data breach in January 2019 when their recruiting company, Sales Inventory Profile, failed to sec...

Which security framework is right for you?

1 May 2020
With significant data breaches and cyberattacks making headlines almost on a daily basis, many organisations have realised the need for more effective security measures. Any breach or attack can result in significant harm to an organisation’s reputation and their customers, as well as resulting in regulatory fines, lawsuits and lost business. ...

COVID-19 and a remote workforce - steps to securing your organisation against cyber-attacks

24 March 2020
The global fear surrounding COVID-19 has forced many organisations to develop ‘Coronavirus Plans’ and consider alternate working methods. In an effort to protect the health of employees during this uncertain time, it is also critical to consider the cyber security health of your organisation.   Malicious attackers across the world ...

Fundamental considerations for digital assets

29 January 2020
Digital assets like cryptocurrencies are a new asset class with a volatility and global availability that excites the investment community. However, the ownership of digital assets comes with risks and its own set of compliance responsibilities. Organisations using cryptocurrencies must ensure their holdings are taxed appropriately, are complian...

How secure is your Managed Service Provider (MSP)?

13 January 2020
Many organisations currently outsource their information technology services to a Managed Service Provider (MSP), with the uptake of organisations engaging an MSP increasing significantly over time. No longer are organisations able to effectively manage their technology infrastructures in-house due to insufficient resources, increasing costs an...

Cyberthreats: More about people than IT

19 December 2019
Health care companies must train staff to be vigilant around security.  When cyber security fails in a health care setting, the outcomes can be catastrophic. Patients can become a victim of identity theft and insurance fraud, two of the many forms of crime that can occur when health care IT systems are compromised by malicious attackers. ...

Cyber Liability Insurance for small to medium enterprises

13 December 2019
To insure, or not to insure? Cyber Liability Insurance, that is the question. Cyber-attacks are becoming increasingly more sophisticated and organisations are struggling to stay ahead of the latest threats to their business operations. Malicious attackers are persistent in seeking out vulnerabilities in the IT environments of small to me...

15 Ways to Improve Cyber Security - Ebook

12 December 2019
Experts predict that worldwide, cybercrimes of all kinds will cause losses of $6 trillion annually by 2021. The biggest cyber security threats to the middle market currently include ransomware, social engineering, business email compromise and data loss from advanced persistent threats. We all know from experience that cyber security is chan...

Cyber Security Tips for SME Technology Enterprises

4 December 2019
Five ways Technology, Media and Telecommunication (TMT) Organisations Can Protect Their Information. Cyberthreats continue to manifest and present a constant risk to all organisations, particularly small to medium enterprises. Obtaining personal and organisational information is a prize for malicious attackers to sell on the black market, o...

CPS 234 - Opportunity for third parties with strong information security controls

13 November 2019
Information security under CPS 234. From 1 July 2019, the boards of Australian Prudential Regulation Authority (APRA) regulated entities will be held accountable in the event of a cyber security incident under the new Information Security Prudential Standard (CPS 234). It is important to minimise the likelihood and impact of informa...

Risk Insider Newsletter - Edition #2

31 October 2019
Middle market businesses, government and the not-for-profit sector need to proactively leverage technology and data to achieve business and strategic goals. Failure to do this could lead to falling behind the competition or not meeting stakeholder expectations.

Articulating security issues in business language

25 October 2019
The essential art of articulating security issues in business language. Business leaders who aren’t thinking about cybersecurity as a key business risk could be setting their organisations up to suffer the potentially devastating consequences of a cyber attack.  With both human error and malicious actors posing a significant threa...

Risk Insider Newsletter - Edition #1

31 July 2019
Welcome to our first edition of Risk Insider. Recently we have seen some interesting developments around the world that have redefined how companies and government entities view risks. It has been a busy period for risk and compliance professionals. There have been a significant number of changes that Boards, Chief Executive Officers and Chief Risk Officers have had to deal with, which has accelerated change, and the need to access the right risk and compliance advisors has never been as strong.

Events

Grace period up: Owners of critical infrastructure assets required to report cyber security attacks

Businesses that own or operate assets captured by Australia’s expanded critical infrastructure security laws could face fines if they fail to report cyber security attacks to Australian authorities from today (8 July).

Happy St. Patrick's Day

We sat down with Darren Booth, National Head of Security and Privacy Risk Services, to discuss all things St. Patrick's Day.  What is the significance of St. Patrick's Day? If I was to sum up Paddy’s Day in a couple of words, it would be a ‘celebration of everything Irish’. I grew up in ‘the troubles’, but I always remember P...