Telstra is “still working on” calculating the cost of reliably securing the mass of metadata that will be collected under the government's controversial telecommunications data retention legislation, the company's chief information security officer has confirmed.

Speaking in a panel discussion at today's Cisco Live! technical conference, Telstra CISO Mike Burgess reiterated concerns that the accumulation of telecommunications metadata – which Telstra is expected to manage as part of a government effort to improve its ability to track criminal suspects online – would create a “honeypot” of private information that would be actively targeted by cybercriminals.

Telstra was committed to securing the repository but was still unsure how much it would cost to do so effectively: “we will make sure we have the appropriate level of security,” Burgess said. “How much is that going to cost? We're still working on that.”

Secure controls over access to any metadata retained under the legislation have emerged as a sticking point in discussions about the controversial legislation: in a recent Protiviti survey, for example, 64 percent of respondents supported the legislation but 78 percent of respondents said that any such legislation would need to be carefully controlled and access should require a court order.

Echoing Burgess' concerns, fully 62 percent of respondents to the Protiviti research were concerned that concentrating massive quantities of metadata would create new security risks. And 87 percent said telcos should be required to apply specific security standards to protect the information they hold.

The question of just what standards should be applied, however, is still up in the air.

Appropriate security for the metadata repository would involve both a technological investment – providing new security systems and augmenting existing controls to prevent unauthorised hacking of the data – as well as a human element.

This is because, Burgess said, rather than simply relying on brute-force attacks, cybercriminals were most likely to target the credentials that allow authorised users to access the metadata repository after a request by law enforcement agencies.

“They will hunt down the person who has that account information, to get that [metadata] in response to a lawful request,” Burgess said.

Protection of privileged-user accounts is being increasingly recognised as an important part of a cybersecurity defence, with the growth in cloud-based access adding additional pressure on cybersecurity defences.

The challenge had been exacerbated in the wake of the introduction of new privacy laws in March 2014, forcing organisations of all stripes to revisit the security controls they apply to personally identifiable information; regardless, however, some security experts warn that many companies are still leaving open avenues for attack.

Not all panel members believed the cost of the security was the most salient point, however: while Telstra is still weighing the cost of securing the metadata it collects, Cisco chief security and trust officer John Stewart said simply putting dollar values on security projects was “the wrong measurement.”

“I don't talk about it in dollar terms,” he said. “I have watched an incredible amount of good and bad spend, and what is important are the risk controls in place – and whether you can prove that the protection of the data is done by the means through which it is supposed to be done.”

“If a truly dedicated team is coming after you and they're coming for a very long period of time, the probability of them being successful at least once does go up.
The key is not only to stop everything from happening, but to handle it in a very transparent way when it does.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.