Episode Transcript
[00:00:03] Speaker A: Gather round, my little hackers and defenders. You must have heard of big scary terms like SOC save our careers.
[00:00:11] Speaker B: Not quite. It's actually SOC Security Operations Center.
[00:00:14] Speaker A: I wasn't entirely wrong.
Speaking of careers, this lady who's completely confused about which cyberpath to take is Chahat Bagla.
[00:00:25] Speaker B: Hey, it's not that bad. I'm just curious.
[00:00:28] Speaker A: And so she is giving herself 12 episodes to explore 12 cyber paths by asking professionals the right questions. Just curiosity leading the way. And if you're in your figuring it out era, come along for the ride. This season we're talking red teams, blue teams, AI, GRC and all the juicy stuff. So plug in, scroll less and learn more. This is Destination Cyber Season 2. Powered by KBI Media. Press play. Your cyber origin story starts now.
[00:01:15] Speaker C: Hey there, my cyber explorers. And welcome back to Destination Cyber Season 2, where we sit down with the people shaping up the future of Australia's national security.
Today's guest is one of the industry's most respected leaders, someone whose career spans defence, aerospace, critical infrastructure, national security and global cyber policy. For more than 25 years, he has operated at the front lines of security, spanning over two decades. As Thales Chief Information Security Officer for Australia, New Zealand and the broader APAC region, his role has involved navigating high stakes environments, from managing national security and export control requirements to briefing the Thales Australia board on emerging threats, compliance and the evolution of global cyber standards. But what makes his story even more compelling is the second chapter, the one focused on people. As co-founder of Harmonia and an advisor at Cyber Minds, he champions mental resilience in an industry where burnout is becoming as dangerous as any cyber threat. He sits on national advisory boards including AISA and Cyber Ovation Ventures, and has helped shape cyber innovations across Australia. In this episode, we explore it all.
[00:02:20] Speaker B: Hi Ben, thank you so much for carving out time to chat with me today. Especially with this heat. I feel like even my laptop is sweating. So, really excited to hear about your journey and get some insider tips for grads or anyone who is trying to survive in this crazy cyber world. So you've been in cyber security for over 25 years, long before it became the buzzword it is today. I'm curious what pulled you into cyber security. Was it the chaos, the curiosity or pure coincidence?
[00:02:45] Speaker D: Probably a bit between the chaos, actually. All three, to be honest. So realistically, I probably didn't know back then, but I do know now. I work by being challenged. So if I'm not challenged, I get bored. Going back there, it's just by, I guess, the coincidences going through. At a telco back then I had fixed a lot of issues on what was a value added ISP help desk in terms of the network and the systems. I knew I was going to get bored, man. This was with Hutchison Telecoms and they were about to build the CDMA network, the Orange network, and they decided they needed an IT security manager for that because, you know, if they were going to grow up and be a real telco. And so they gave me that job and basically that's where I started from. So it's a dive from fixing network and system level administration stuff into IT security and basically it's challenged me ever since.
[00:03:34] Speaker B: So when you talk about challenging, what sort of stuff challenges you?
[00:03:38] Speaker D: I can find challenge in anything these days. Back then, probably for a good portion of my career it was technical challenge. So whether it's a system, network, whatever. But yeah, probably for the last, I'd say eight years or so, as that moves up into executive and things like that, it can be international law, trade agreements, policy development, governance, system response, all the soft skills stuff, the politics, internal politics or external politics.
In the end, as long as it's a challenge of some sort, key to my interest.
[00:04:08] Speaker B: I feel like most people try to avoid this sort of stuff, but you are the one who is more inclined to it. That's very interesting.
[00:04:14] Speaker D: You need variety.
[00:04:15] Speaker B: Yeah. So what made you realize that this is what you wanted to focus on?
[00:04:19] Speaker D: I don't think I necessarily realized it. I think, as I said, I sort of fell into it and it's kept my attention. It does help also when you look at Thales and understand what Thales does, it's an extremely diverse company. It pretty much does everything underneath when it comes to high tech electronics. You just never see the. And I guess I learned very early also how to take advantage of that from my technical curiosity. So if you actually spend the time to find the engineer that's an expert on some specific unique part of technology that we may do, space delays, do all sorts of stuff, they love talking, but most people don't spend the time to go chase that down. So. And I just learned that. So I've been having fun also internally talking to all sorts of unique engineers in the last 20 years.
[00:05:02] Speaker B: So you've spent over two decades as a CISO at Thales. So what was your entry point into Thales?
[00:05:09] Speaker D: I was headhunted in, so realistically, I was with Hutchison Telecoms for what, eight years, four years as IT security manager at that point. I could have been there for a lot longer. I had a unique role there also. But I realized in my career journey I didn't want to be niched into being just telco security. So I was looking for a different industry vertical to jump into to get different experience. Hadn't even thought about defence, to be honest, or defence industry. But the opportunity came up and realistically I thought I'd tread water and learn what I could in defence for two years and then go find a job I actually wanted. And it turned out it was the job I wanted.
[00:05:44] Speaker B: Well, that's lovely to hear. So what was the journey like when you joined it? I imagine till now the threat landscape has exploded and the technology has also changed and transformed a lot. So how was your journey?
[00:05:58] Speaker D: It's probably interesting to know, especially I guess with a lot of my peers who were doing security back then, especially when you get up into the CISO level. Stuff like that is in many cases, unless you're a very large bank or telco at this stage, if you're a CISO, you're pretty much probably doing everything and you're the only person on the security team. So a lot of what you may see in the medium and small businesses today we saw back there, probably 2010.
So I'm still a very highly technical, hands on person.
So yeah, whether it was eDiscovery, malware reverse engineering, firewall work, network architecture, that was all done myself, all as one person, until it got to the point, I guess, where the biggest risk to the company was myself being a single point of failure.
And that's where I basically looked back and said, okay, we need to start building out a team because you're fully dependent on me.
And that's where we started to build out the team. From there to today, and even then, it's the diversification of those technologies and threats and the size of those threats. With, I guess, the e-crime ecosystem finding that it's actually worth a lot of money, it's now near impossible to do that as one person.
[00:07:04] Speaker B: Definitely. I feel like that would be a lot of pressure on you as well, being able to manage all of that. There's a lot of, you know, your brain is pulling you to different dimensions and streams. So when you talk about firewalls or building a network, what sort of tools or platforms do you rely on most to keep the organization secure?
[00:07:21] Speaker D: I think it depends on the organization. So obviously Thales is very diverse globally, but within Australia it's mainly defence industry.
So most of my career has been defined on the risk profile of what the Australian Defence Force were happy to give to industry and the data we protect. So it was very much the old everything's on prem and protected and locked down. Even the cloud journey has been very slow because it's just too much risk given the actual government data we're responsible to maintain as part of the projects we do. So many people probably look at it and think about it and see it as old school, but there's also benefits in that because it's very easy to lock down on your perimeter and lock down internally. The benefit we also had, obviously coming down from defence, was a very well defined data classification scheme. So that was part of the culture. Whereas most corporates struggle with doing data classification as a culture. So it made life a lot easier also. But in terms of the tools, it's the standard tools you'll see. So the firewalls, pick your brand, it doesn't matter which brand we use, it's all the same, but very much two layers of firewalls, different firewalls, egress filtering from the beginning, just as standard. So nothing goes out, for example. So no servers, no endpoints have direct access out to the Internet.
[00:08:33] Speaker B: So I know that you mentioned that on the cloud side it has been a bit slower just because you are protecting the data on prem and it has to be secure because it's on the defence side of things. So it's one of the recurring questions that I ask most of the guests and the answers have been fascinating. So how do you balance innovation and the modern technology that's popping up, for example AI, and how do you manage all that while making it cyber safe?
[00:08:58] Speaker D: In many cases it's more frustrations than not, but in many cases it allows us to slow down the discussion and actually look at the business benefits to make sure that the actual risk is actually worth the actual value we get out of it rather than just jumping on because it's the latest trend. So we have to be very precise in terms of when and where we actually move within Australia. Globally, from a Thales point of view, we've been doing AI deep research for like 50 years. So it's our bread and butter and we've done it for many years. So when you go into the businesses globally, they're heavy users of it, but obviously we had our restrictions in Australia just because of the makeup of the organization in Australia. It allows you to slow down the conversation and actually understand what the actual business justification and value will be to implement whatever the latest trend is and whether it's actually real or not.
[00:09:44] Speaker B: So when you talk about that, there's also like a business aspect to it. So for the cyber grad that's going in, I believe that they would also be interacting with a lot of business teams and any other team within the organization. So do they need to have knowledge about that sort of stuff, or does it come with time while they're working with the company, where there's a chance to upskill or learn through the process?
[00:10:04] Speaker D: I think it depends on what sort of role you want to do in cyber. So if you're only looking at a pure technical track, then there's probably less need to be successful in a pure technical track. I'd probably say you add more value if you do understand the business value, because then you can talk risk rather than straight threat, if you like, or technical threat, what you find. And one of the frustrations we have had over many years is when you do like the university graduation grad degree or something like that, it's based on theory. And that theory teaches you that all technical threats are bad and therefore you have no choice but to remediate all threats. Within a business, it's just another threat that's balanced against other threats, of which you then make a judgement call on what you're mitigating and what you don't. So you don't have to always mitigate a cyber threat because potentially it is bad for business. So especially when you think, and a good one to think about that is in a production system on an OT network, it's a very locked down environment, it's actually making the money in the product for the business.
If you have a malware infection on an OT device or a host on an OT device, it's not affecting production. Leave it alone until the next planned shutdown, because then you're not going to interrupt the business value. Which is very unusual for someone who's gone through a degree or training, because there it's no, it's bad, you have to block, you have to fix it right now, you've got to take it down. It's bad. I think in most cases if you go through an advisory, GRC sort of role, yes, you'll probably learn it along the way, but the quicker you learn it, the better it is, because then you don't actually understand that not all risks are equal. Especially, not everything is just a technical risk. You've got to understand operational risk, financial risk, et cetera, et cetera, and also balance them across the organization.
[00:11:44] Speaker B: So you mentioned that there's risk in the OT environment. So was there any aha moment for you in a project that really tested your nerve, where you wanted to implement something in cyber but then business wise it wasn't really feasible?
[00:11:59] Speaker D: There's always those sort of cases. I think I've always been very forward looking and that's probably because of the threat environment we've always had. Obviously working with national security, we have a very big threat vector, being nation states do come and look at us and always have and have done for the last 20 years.
So I've always been fairly bleeding edge in the capabilities I deploy. In many cases a new capability, unique capability may come out of a stealth company in the US. I'll be one of the first people in Australia to try and bring it into Australia to use, just to give that bit of edge and run on whatever the nation states may be pointing at us next. And so in terms of the aha moment, I don't think there's been a case where I couldn't deploy something that I really needed to deploy or believed in. That's probably the benefit of the career I've actually had at Thales when I was CISO, and therefore I actually had to implement the controls I needed to. I think the interesting aha moment, if you think about it from a technology challenge, is one I actually use when I'm talking to other people who don't get cyber that well, and why it's so challenging. Probably go back to the 2010, 2011 RSA breach with the token breach. So that was the gold standard for authentication for a decade and a half. So you use RSA tokens, nothing could go wrong. Then overnight the question was, could you trust this anymore? And it's a question of, okay, what do you do next?
So are the RSA tokens totally compromised? Therefore is your remote access totally compromised? What are you going to do going forward and what are you going to remediate right now? It could be an unknown risk, and that's cyber. What could be a gold standard could change without warning overnight. That's what makes it interesting.
[00:13:37] Speaker B: So when you were dealing with that situation, what was the first point that you thought of? Did you have a clear picture in mind, like an action plan, what you were going to do? Or did it become nuclear, like, over time?
[00:13:47] Speaker D: The first thing you do, because you don't have clarity of detail, is you have to make a decision on what's the impact of obviously shutting down remote access and stuff like that versus taking a risk keeping it open. But then also, because the details weren't as clear, it wasn't as clear in terms of, yes, the tokens could not be trusted.
It's that the better remediation would be, okay, do we have enough visibility on logging and anything like that to see anything unusual happening? And just concentrate all your effort, instead of response, on focused effort, you know, two or three weeks on what's happening on that device, looking for anything weird. Which is, if anything weird happens to happen, have the authority to shut it down straight away until you can work out if it's bad or not. And that's a better way to do it while you're waiting for potential clarity of data and information on what that breach or what the incident may have actually caused you, if it's a third party.
[00:14:40] Speaker B: So for the people who are just starting in cyber and they're confused about what lane of cyber they want to go into, and they're just planning to think of what the entry level role is, because most of the entry level roles we see today say two plus years of experience. So that means we should start right when we were doing our bachelor's, but that's not possible for everyone out there. So what skills internally can a person develop, that you have seen in your time, that you have used in your day to day life?
[00:15:06] Speaker D: I always get back to and I'm a very big proponent on anything to do with cyber is really communication.
Unless you have very strong communication and you have a very strong network, you're sort of doing cyber with your hands tied behind your back. So a lot of information is done through trusted conversations. So a lot of information is not shared openly; then you have those trusted conversations. And as I talk to a lot of graduates and stuff like that at various events, I say build your network. Graduates have a much harder time now trying to get a role because you're not just dealing with trying to submit your CV with hundreds of others through a recruitment person to filter it down to the hiring manager on the 10 best CVs, who the recruitment manager may not be a cyber person, so they don't really know what's actually required. You now have all the recruitment AI bots doing the pre-filtering before it even gets to the recruiter, before it gets to the hiring manager. So you build your network and you get the better opportunity, where someone in the network may realize there's a job opening for someone else and say, hey, you should look at this candidate, and your CV goes straight to the hiring manager. That's a massive advantage.
[00:16:12] Speaker B: And I truly believe that networking is very important.
So did you use to do any networking when you were, you know, just starting out in the industry, or did it become more of an inner work? Should people stick to their own company or should they reach out to other people? And what do you think? So I know LinkedIn is one of the most important, but there's also some sort of IT group gatherings. Have you ever found them useful, or do you know the name of such a gathering that could help grads to go there and join them?
[00:16:39] Speaker D: Yes, definitely. So I mean in the early careers it was nothing for sure. I used to, just because of the industry I was in. But even going back pre 2008, globally, from an information security or infosec community, not cyber at that point, the community was very strong on Twitter. So I used to communicate quite strongly on Twitter with various people around there under pseudonyms. So no one really knew what the pseudonym was or where I worked at that point. Just because at that point, socially, I guess from a community point of view, there wasn't that much in Australia in terms of meetups and stuff like that, apart from if you were in Melbourne, you had the interbank, bigger banks and stuff like that, which were quite strong. I think just before COVID and especially after COVID, there's a lot more in terms of meetups, and more generic meetups, not just vendor led. That gives you a lot more opportunity. So whether it's through awsm, whether it's through Acer in terms of the chapter branches, you have Day of the Month also, then you've got Siva neighborhood also in Sydney. Also take advantage of them wherever you can.
[00:17:37] Speaker B: So now you're a director at Thales, and what does your day to day look like? What part of the job do you enjoy doing, and what do you feel is more of a grind that you have to do?
[00:17:48] Speaker D: Well, as I joke, I don't have to get up at 5am anymore, which is a lot more relaxing. I actually get to sleep these days. So a lot of the job, and why I jumped over to the job, part of it was again a different challenge. So while you see it on both sides, whether you're on the vendor side or whether you're on the corporate side, especially after time you have an idea of how the other side may work, but until you actually walk in their shoes, you don't really understand it. And it's been interesting to jump into the vendor side with Thales Cyber to actually understand how an MSSP, the cyber practice, actually operates. What's the economics of it? What's the financial model? What's the delivery of it? What are their constraints, which were assumed constraints? Well, as a CISO, which I tried to work within, versus the reality of it, has been actually quite interesting. That's one of the reasons why I made that jump, is actually, I guess, to broaden my soft skill understanding of cyber as a whole rather than just cyber as a corporate. So it's been quite interesting. The role specifically is really focused on customer experience and industry engagement. So obviously I've been around a long time.
I can actually have very frank conversations with a lot of CISOs because I can bring my history as a CISO to the table and actually understand what they're talking about. Even if they're not very, they may not be as open, I can put myself in their shoes and sort of understand what they're hinting at without openly saying it, and come back and, if required, whatever we may need to improve as a service offering that day. It's a lot of conversations.
[00:19:12] Speaker B: Yeah. And I think that also requires a lot of skills, to be able to understand, being at that level, and trying to communicate effectively, because you don't want to give out a lot of information but at the same time you want to gain some as well. So you've also co-founded Harmonia and Cyber Minds, focusing on mental health in cyber, and you mentioned that you had to get up at 5am. So can you tell me the story behind it? Why did you have to get up so early, and what's the focus on mental health? Why did you have a shift towards it?
[00:19:37] Speaker D: Why did I have to get up at 5am? I think I just learned that by default. So where I was originally living, and where the first 10 plus years of my work life with Thales was based, out of the Garden Naval Base. I was living in southwest Sydney. So lovely Sydney traffic. It was now 40 each way in traffic. So it was a case of unless you got up at 5am, you weren't going to get to work at a reasonable time. So I just basically learned to get up then. And when we moved offices more into the Parramatta area, Sydney Olympic Park, while it may have only taken me 40 minutes to drive then, it was just natural to commute out there. And in the end it actually became easier, because I joke that between 6 and 9am I actually got to do the work I wanted to do, my work, and then the rest of the day I worked for the business and the problems they would raise. So that's the story behind the 5am. Work life balance, it's hard. One of the reasons why I changed also was after 20 years I sort of made the realization, over time, that what was my hobby, and it really was my hobby, there's no real difference between work and life. It's not a work life balance. It was more a work life harmony. I've heard that used recently, which I actually believe in. It became a job. So less of a hobby, more of a job. And that's where I sort of knew that I needed to start looking at something else. Otherwise I'd hit burnout, because I didn't have that enjoyment, therefore it was harder. And the hours I was doing, when you do that long, you're going to burn out after a time.
[00:21:00] Speaker B: Talking about burnout, and I know that a lot of CISOs must feel it today. So what are some practical ways that a leader can deal with burnout and build sustainable chains, physiologically as well?
[00:21:12] Speaker D: I think probably the biggest thing people need to understand is to self identify what their triggers are when they're actually feeling burnout or overstressed. In a lot of cases, it'll be the same for many, many people. You're frustrated, therefore your ability to deal with that frustration, you may be short, you're angry, you may take that home and you're angry with your bed and your kids and stuff like that. Understanding that and feeling that and recognizing that early means you can actually give yourself a little bit more room rather than it keep going worse and worse. So I think it's also a case of you need to become confident and realize that if you're juggling a lot of balls, then it's all right to drop some low priority balls. It doesn't mean you failed. So I think there's a, because of the, I guess, the way a lot of cyber people see a need to actually always win and always be successful and can never lose, it actually puts us in a situation where we don't want to not meet our commitments for anything, which adds to the greatest stress, especially if we're under stress, or even personal stress from outside work coming into it, where the reality is nothing really disastrous should happen if you drop a low priority ball, if you're dealing with the high priority balls, because that's what you can actually do. There's another one that was just pointed out to me actually at breakfast a couple of days back by someone. It's, well, think of the balls also as which ones are actually glass balls. What you want to keep juggling are the glass balls, and let the rubber balls drop, because they'll bounce and you can pick them up again at a later date. Which is another way to think of it. It goes back to creating the room you need for the period during.
[00:22:40] Speaker B: That's a very good analogy. And I feel like not only being a leader but also being a student, there's a lot of things that people juggle these days when they're starting out to work. Students are not used to having their, you know, calendar filled with a lot of emails and meetings, and getting to prepare for them, and when something conflicts they get in like a panic mode as to what to do, how to prioritize, and facing such high pressure because they're just starting out and they don't want to upset any of the leaders.
So what recommendation would you give to students?
[00:23:10] Speaker D: I think it's a case of, in this, or probably it's dual hat. It's actually very dependent on having a good leader that recognizes that also, and recognizes that a graduate or a junior is actually overworking because they feel like they can't fail and they can't drop anything, otherwise, you know, they'll have some sort of bad impact. So a good leader needs to recognize that and say, well, hang on, you need to slow down a bit because you're overworking and you're going to make yourself unhealthy. But on the other side, then the graduate needs the confidence to actually believe in what's being said and believe that, okay, they actually want me to slow down. So it's actually a direction to slow down. Not that they're trying to be nice and I should ignore it and keep working harder because everyone should work hard. This is not going to do anyone any good if you burn out and then burn out of the industry because it's just too hard.
[00:23:57] Speaker B: I think that's very valid, and a good leader is the way to get high up. And I think if you're free to communicate what your needs are, then there's nothing stopping you from getting more opportunities coming your way as well.
[00:24:10] Speaker D: I think it's also the case of going back to the networking. When I talk to and trained the CISOs at the bootcamp that I did, one of the first things I did is look around the room. The people in your room are probably going to be your best capability for the rest of your career, because they understand what you're going through, they're your peers. So put the effort into actually developing that capability, which is your peer network. I think that's probably just as important for graduates, because you have a unique experience you're going through right now and therefore any other graduates will actually understand that. So the more you actually talk to other graduates, inside of training, to get inside of doing their first role and stuff like that, where you can basically, what I call group therapy, talk to people, at least it allows you to vent and download some of that stress and potentially get advice on how others are dealing with it.
[00:24:55] Speaker B: Yep, I think that's very good advice. So with your involvement in AISA or Cyber and Innovation Councils, you've seen the ecosystem from all angles. How would you describe Australia's cyber scene today, and what's holding it back?
[00:25:10] Speaker D: Apart from it's small, but it will always be small. That's Australia. Unfortunately, I find it unusual that, taking an estimate, I think it was about 14,000 members of AISA. You know, as a rough estimate, that might mean there's 20 or 25 thousand total cyber people across Australia.
And I find it interesting, if I take a guess, there might be maybe a thousand of those that actually interact with the cyber community.
So outside of work. And to be honest, that's what cyber really is about, the community. Once you understand that community, it's actually where the real value and, I guess, enjoyment can come from being in cyber. And I find it a little bit disappointing that we have such a low percentage really involved within the cyber community and actually understanding what cyber's about, apart from it just being the job or an interesting job. I think they're losing out a bit on that. The other thing I see, one of the side frustrations, is I don't think we give Aussie startups, from a cyber point of view, enough opportunity. We're quite happy to go, in many cases, to the big vendors and stuff like that straight away without actually looking at what innovation we are doing within Australia and how we can support the Australian cyber ecosystem, rather than just going by default to all the big players overseas because they've got big flashy branding and stuff like that.
[00:26:25] Speaker B: I also know that you've worked on building a lot of frameworks and security policies. Building those policies is fine, but how does it look in action? On paper it's all good, but how do you actually implement those policies within an organization? What's the starting point? Yes, the policy framework, we have planned everything, but then the implementation phase is on. What are the starting steps?
[00:26:48] Speaker D: It's probably where it gets harder, especially in the past when cyber was more technical and we didn't have as many GRC, advisory and other fields within cyber. Cyber is not just about the technology, it's about the process and the people also. So writing the policy means you need to go talk to the other departments, whether it's the IT department, the procurement department, finance or legal, and work out what their processes are and how you actually implement and change or put the gates within their processes that implement the policies you want. The policy doesn't mean people will follow it, because there's lots of policy, not just cyber policy, out there. Procurement have their own policy, legal have their own policy, finance have their own whole policy.
So you need to do the work to interact with the other people within the organization, even if it's just the IT department, and actually embed the policy into their processes. If you actually want to make it actionable, you can't just throw it over the wall and hope they're going to implement it.
[00:27:41] Speaker B: So when you talk about embedding a particular technology, does it often lead to conflicts with people being resistant? Like, is there a lot of resistance on their side, or do you need to have good, strong, persuasive skills to be able to persuade them to implement it?
[00:27:56] Speaker D: I think people need to understand the value, so you need to put the effort into understanding the value. And that value can be explaining why it's a risk reduction and why it's important, what risk it is and how it affects their day to day job or the business and why it's important to do. If you just put technology in that makes it inconvenient or less convenient for what they're doing, then of course there are a number of people that resist that or try to go around it, because they don't understand why, and it just seems like you're making their job harder. It's awareness training, but it's almost grassroots awareness training rather than formal awareness training: actually sit down and understand their processes, care about their processes, and then talk to them about why it's important to potentially modify it, which may be an improvement for them in some cases, but in some cases it may make it a little less convenient for them to do something, but may actually reduce a significant risk for the organization.
[00:28:46] Speaker B: So as these threats that we are seeing nowadays evolve, especially to critical infrastructure, a lot of threats are intensifying. So how do you see the connection between cyber defense and national resilience evolving?
[00:28:59] Speaker D: If you look at the geopolitical nature of where we are in the world, obviously there is expectation that the South China Sea, Taiwan, things like that could heat up in the next five years. It's well documented in the US and in Australia. And I think there's a naivety in terms of how that would then happen and affect Australia as a culture and as a capability, in terms of us turning up under an alliance with the US or whatever. So the easiest thing to think about is to look at how Russia pre-positioned themselves before the Ukraine war, before they actually annexed Crimea. The easiest way for them to disrupt any sort of response is cyber first, and try to disrupt society. And I think Australians, even from a board point of view, don't really understand their responsibility from a society point of view. So something I've been talking about at the moment is that we present cyber at boards at the moment as a technical risk for the organization. And I don't think that's right for Australia. We're not America. We don't have hundreds and hundreds of cyber companies where there's always options. We have what, nine, 10 landing cables that connect Australia to the rest of the world. If we get a concerted attack from a nation state that takes down, you know, five of the largest organizations in Australia at once and then continues to attack, how many companies can turn up and help those five companies, let alone the 6th, 7th and 8th? How do we prioritize actual response? How quickly then do those companies, 6, 7, 8, 9 and 10, go out of business, and we have a society level disruption, which means we can't turn up as part of an alliance, which is the real reason it's about, to actually defend Taiwan or whatever like that? I don't think people really understand what that means. And therefore our dependency on technology and services outside of Australia becomes very interesting when you can't connect outside of Australia.
I mean, if we've only got 9, 10 landing cables coming into Australia, there's not many ships going around with anchors needed to disrupt that. And as much as people would say, well, we can have Starlink satellites and stuff like that, they don't do as much capacity, which means if you don't have capacity and can only run to your hypervisor base in the US or something like that at half a second speed, how are you going to deliver the services? It's not going to work. And I don't think people realize that. And that's the conversation with the boards I like to have: okay, it's a society level impact. If we have that sort of attack across Australia as a nation state attack, therefore what are their ESG obligations, not just a cyber risk reduction, to protect Australia as a whole? Are they turning up, right? Which changes the dynamic of the conversation very quickly. Do you want to be around, you know, in 2030 and explain to your family, your friends, your kids that it wasn't important for us to put the effort in to protect Australia, and so we have this Australian society that looks very different to what we have today because of it?
[00:32:02] Speaker B: So you mentioned the nation state attack. Do you generally work around those, how to prevent those, and what's the scene? So how do you start even figuring out what is a threat to a nation state, and how do you implement the policy? Is there any policy around it?
[00:32:18] Speaker D: A lot of it goes back to sovereignty, and a lot of it is because, you know, it's controlled around the type of information we hold, with the government actually defining what those policies are. It used to be more clear cut in terms of the difference between the capability a nation state can push against you versus e-crime. So there was a very big gap of about 18 months before those capabilities went down to e-crime. It's not the case anymore. So in many cases nation states actually subcontract a lot of work, and those subcontractors are e-crime organizations also. So whether they're doing nation state attacks or e-crime attacks, there's no real difference these days. So it's just good security capability today, with security technology, policies, procedures and culture, to be able to actually protect yourself against that.
[00:33:04] Speaker B: So looking back at your younger self, what sort of advice would you give yourself when you were just starting out in this industry?
[00:33:11] Speaker D: Persistence. I mean, I guess that's what I talk to a lot of the younger generations about also: there seems to be a rush to get to. For example, there's a number of people that simply want to rush to get to a CISO title. And yes, many people may get there very quickly, but they haven't learned or had the experience required to then become a more valuable CISO to get larger roles. And what they find is they get stuck for 10 years because they can only get certain roles while they gain that experience.
So it's kind of, I tend to think that it's better to sit in a role, and I guess that's probably because I've sat in roles for a very long time, to actually get the most out of it from an experience point of view. And then you move on, rather than trying to jump to get the next career break. Because the grass is not always greener on the other side, or the higher up you get, it can get a lot harder. So it's fair. So you need to understand why you want to do something, not just from the concept of because it looks better or better pay and stuff like that. In the end, pay is good, but sometimes life opportunities and how your life changes will change how important pay is also.
[00:34:17] Speaker B: So how was your journey of becoming a CISO? And for those of us who are dreaming to become a CISO or a leader one day, what should we be aware of?
[00:34:26] Speaker D: I do joke around and say, why do you want to be a CISO? You're gonna be mad. But having said that, there is value in becoming a CISO, because there's very much a difference between, even if you think about it, like an IT security manager, put it that way, and a CISO. Same as there's a difference between a finance director and a CFO, or an ops director and a COO. Coming to CISO, you learn that conversation and the business drivers at the executive level. And that's the real learning: operating at an executive level is very different than operating at an operational, technical sort of level. And so you need to understand whether you actually want to be in those roles. And it doesn't mean you have to sit in CISO forever. You might move sideways around that other executive level once you're up there. But it is a unique sort of role with unique problems and headaches and a lot of stakeholder engagement. And it's not what you probably expect it to be. So my journey was I basically got headhunted into the CISO role. At that time it was ADI, Australian Defence Industries, which was a joint venture between Thales and another company, because Thales couldn't buy all of ADI at the time until we could get the acquisition in 2006 into Thales Australia. So yeah, I was 21 years as CISO for that. And what was unique is, because of the amount of defence technology that we actually did into Australia,
Thales Australia is actually a sovereign company by legal requirements. So we actually run an Australian board, and it's run by Australian citizens only, with clearances and stuff like that, even though the parent is owned by the French. So I actually had a unique position, which is very unique as a CISO, where I was reporting into the board probably for the last 18 years, every two or three times a year for two hours, to the board just on security, as well as my peer, the Chief Security Officer, and the export control officer. It's very rare that someone would have that amount of time with board members in a year, let alone for, you know, the last 18 years doing it. So it gave a very unique role, which is why I stayed around quite a bit also, in terms of the level of conversations we had too. But it also gave me the unique position where I was effectively reporting into the board, and because of the maker I could actually veto anyone up to the CEO, including France.
So I had a lot of authority too, which made the role very unique compared to many CISOs out there.
[00:36:47] Speaker B: That is a very unique role that you have. But was there any sort of certification that you had to do to become a CISO, or was it just because of your work experience? Is that why you got headhunted into that role?
[00:36:57] Speaker D: It was, yeah, it would have been my work experience and stuff like that. I mean, they would have had certifications and stuff back then. But really you're talking what, 22 years back, the understanding of organizations of what those certifications actually meant and brought to the table. If I was going to be honest, it was probably a tick box, very much like in many cases it's a tick box these days. Also, back then there were very few CISOs in Australia, and it had started to really become mainstream in the US at that point also.
So it was very early in Australia to have an actual CISO role.
[00:37:27] Speaker B: So when you said it's more about understanding an organization, now I imagine an organization like Thales is quite massive. So how do you begin about understanding it?
[00:37:36] Speaker D: Curiosity. It goes back to networking also. So you don't just go out to coffee with the people in your direct team.
So why don't you go have a coffee with someone in marketing or in the procurement team or anything like that and get to know what's important in their job? Why don't you reach out and ask for a catch up with various other people? And that's why I say this curiosity. So if you're curious about their roles and then actually understand them, you get to understand how your perceptions may be again on how they're operating and what their pain points are, and you may be able to tune something in terms of risk reduction that way.
[00:38:06] Speaker B: Yep, that is a very good point, because I feel like people mostly restrict themselves to what they are doing and what's their task at hand. And once that 9 to 5 is up, they're out of the office. But there's not a lot of curiosity or effort going on to understand a lot of things.
[00:38:19] Speaker D: That's not a bad thing either, because there will be those people in your organization that are turning up to do a job to get paid because their passion is outside of work. But I think there needs to be an understanding on those types of people to realize their career projection will probably be slower. There's obviously those that are keen and passionate about their career and turning up that way because their passion is their career; they will accelerate in their career a lot more and a lot quicker than those who just turn up to do a job. It's just a reality of it.
[00:38:50] Speaker B: And certifications nowadays, they mean a lot. Have you seen any particular one, or do you recommend any sort of certification that you think can help young people to understand more about what's going on in organizations in the cyber world these days?
[00:39:04] Speaker D: There's lots and lots of certifications now. It's sort of hard to pick. I mean, in the past it was very easy. I would have said SANS all the time, going back probably five years. Now there's a lot of competition for those sorts of roles that are very similar to what the SANS certifications used to do. With the SANS certifications, the way I like them is they're vendor neutral. You could use them the day after you went to a SANS training. You could actually put it in practice. A lot of it was based on the actual technology and open source technology underneath. So basic principles, foundational principles, which gave you a good foundation knowledge. So there's plenty of other companies out there doing something similar now. And to be honest, I haven't had to do the certifications thing like that for many years. So I am not up to speed with what kind of recommendation is best right now.
That's the past. And that may not be appropriate anymore, because I know SANS is extremely expensive now.
[00:39:53] Speaker B: Yes, it is. So thank you so much for your time today, Ren, but I do like to end with a rapid fire, so I have four questions for you. Rapid fire, quickly, whatever comes to your mind.
So what's your go to non-tech hobby or stress buster after a long day of dealing with threats?
[00:40:08] Speaker D: Exercise, running, reading a book or a glass of red wine.
[00:40:12] Speaker B: Interesting.
The coolest or the most futuristic cyber innovation that's blown your mind lately?
[00:40:18] Speaker D: I actually did think about this. I couldn't bring up one at the moment. But what I think is going to be interesting, just because I've touched on it a bit in the past, is we're doing a lot of technology when it comes to generic LLMs, generic models, AI models. It gets very specific when you do very specific micro models and what that brings to the table. We've explored that. Or people, if you understand what that's going to do as an industry.
[00:40:40] Speaker B: Fascinating. So if you weren't in cyber security, what career would you have picked?
[00:40:44] Speaker D: Cybersecurity.
[00:40:46] Speaker B: I somehow guessed it. I knew you were going to say that.
[00:40:49] Speaker D: No, I did think about that. I'm not sure what else would challenge me in that way. So it would be something in technical tech. So deep tech, something like that.
[00:40:55] Speaker B: So one line of advice you would give to every cyber student listening right now.
[00:41:00] Speaker D: Network. Network.
Find your peers. Talk to them all the time.
[00:41:03] Speaker B: Yeah. Thank you so much, Ben. Thank you so much for tuning in today.
[00:41:06] Speaker D: My pleasure.
[00:41:09] Speaker B: Thank you for tuning into this episode of Destination Cyber Season 2.
[00:41:13] Speaker D: Knowledge is a gift, but its true...
[00:41:15] Speaker A: ...value is in how you use it.
[00:41:17] Speaker B: Whoa. Where did you come from?
[00:41:19] Speaker A: Just dropping by to remind everyone.
Learning is great, but doing is even better.
[00:41:24] Speaker B: Timely advice. If today's episode left you with questions or sparked new ideas, feel free to...
[00:41:30] Speaker C: ...connect with me on LinkedIn. And don't forget to follow the podcast so you're always ready for the next stop on our cyber journey. This is Chahat signing off until we re-encrypt another conversation on Destination Cyber Season 2.
[00:41:46] Speaker D: Sam.