• Bruce Large discusses the importance of threat modelling in operational technology security
    May 22 2024
    Summary

    In this episode of Secured, host Cole Cornford interviews Bruce Large, a security architect and evangelist at Secolve, the OT security specialists in Australia. They discuss the importance of threat modelling in operational technology systems and the need for engineers to consider the potential for cyber attacks. Bruce also shares insights from the ISA/IEC 62443 series of standards, which provides guidelines for secure system development in OT. Additionally, they touch on the significance of unions in the tech industry and the benefits of joining organisations like Professionals Australia. Tune in for a fascinating conversation on application security and more.

    Timestamps

    1:25 - Bruce's professional background

    2:40 - Defining "engineer" in different contexts

    6:20 - Differences between computer engineers and civil engineers

    8:20 - Threat modeling

    12:40 - How we treat safety in software vs other industries

    18:30 - Bruce: we should be encouraging lifelong learning

    24:00 - ISA/IEC 62443 safety standard

    29:00 - The Year 2038 Problem

    34:20 - Unions & industrial relations

    43:40 - Rapid fire questions



    This podcast uses the following third-party services for analysis:

    Chartable - https://chartable.com/privacy
    48 mins
  • Australia's Cybersecurity Evolution: A Veteran's Perspective with Paul McCarty
    May 8 2024

    Summary

    Paul McCarty is CEO and founder of SecureStack, a DevSecOps visibility & automation company, and GitLab's Red Team leader. Paul's been involved in software security in Australia for decades. In his conversation with Cole Cornford, Paul discusses how Australia's software security industry has changed since the early 2000s, whether security professionals ought to know how to code, and plenty more.

    Timestamps

    2:50 - Paul's career background

    7:00 - Spicy take: people on LinkedIn are too blindly positive

    10:00 - Understanding what went wrong when there's a breach

    13:00 - Cole doesn't think "zero trust" is feasible

    14:10 - Cole: maturity of cybersecurity in Aus is weak generally

    16:00 - Cole hires for dev experience, not sec ops, because dev is harder to teach

    18:30 - Aus market different to US, which has lots of software companies

    21:50 - Paul: we've devalued the importance of operations

    22:20 - The "holy trinity" of offensive security

    26:30 - What percentage of ASX companies have a bug bounty program?

    28:50 - Cole's free pizza exploit

    31:00 - Got to be in security for the long haul

    31:40 - The book that changed Paul's life

    Mentioned in this episode:

    Call for Feedback



    35 mins
  • Are You Speaking the Same Cybersecurity Language as Your CEO with Jay Hira?
    Apr 17 2024

    Jay Hira is a cybersecurity director with 18 years of experience working in a variety of roles both in Australia and internationally. Today he is Director of Cyber Security: Financial Services at KPMG Australia, and Founder and Executive Director of MakeCyberSimple. In this conversation Jay and Cole Cornford avoid getting too deep into technical details, and instead discuss a zoomed-out perspective on cybersecurity strategy for large organisations, how the current macroeconomic climate affects approaches to cybersecurity, tips for clear communication between technical and non-technical stakeholders, and plenty more.

    Timestamps

    1:40 - Advantages of generalisation vs specialisation

    4:00 - Tips for communicating effectively to leaders

    6:00 - Clarity comes from simplicity

    9:30 - Importance of reporting structure in a large org

    14:20 - Core foundations of a cyber strategy

    20:00 - How current economic climate is affecting cybersecurity budgets

    24:30 - How do you maintain intrinsic motivation?

    27:00 - Work-life balance

    30:30 - Rapid fire questions

    36 mins
  • Leading Change in Cybersecurity: Tara Whitehead’s Approach to Security Engagement
    Apr 3 2024

    Tara Whitehead is Security Engagement Manager at MYOB. Prior to becoming a cybersecurity specialist, Tara had an eclectic career, including working in advertising and international relations. In this episode Tara chats with Cole about how her non-technical background has in many ways been an asset working in security, leading change management in large enterprises, the importance of great communication skills, and plenty more.

    Secured by Galah Cyber website

    Timecodes

    7:15 - Tara's first days in AppSec

    10:00 - How to influence people

    12:30 - Why we should dial back on the doomsday conversation

    14:10 - Find your change champions

    21:30 - Is a non-technical background help or hindrance?

    23:30 - Communication and influencing key skills

    26:00 - Communicating with execs

    28:20 - Rapid fire questions

    36 mins
  • Cracking Cybersecurity Myths: A Candid Chat with Daniel Grzelak
    Mar 20 2024

    Episode summary

    Daniel Grzelak is currently the Chief Innovation Officer at Plerion, and has had a storied career at a variety of technology firms around Australia. In this conversation Daniel brings his experience and insight to the topic of common myths and misconceptions within the cybersecurity industry, and with Cole Cornford tackles questions like:

    Does a cybersecurity professional need to know how to code?

    Is there a workforce shortage in the industry?

    Should pen testers write remediation advice?

    Timestamps

    1:50 - Does a cybersecurity professional need to know how to code?

    5:40 - Is there a workforce shortage in cybersecurity?

    9:30 - Questions to ask when interviewing potential cybersecurity hires

    12:30 - Are people in cybersecurity bad at promoting their own skills?

    17:00 - Should pen testers write remediation advice?

    20:20 - Daniel's career advice: start writing

    25 mins
  • Breaking the Code: Jacqui Loustau on Diversifying Australia's Cybersecurity
    Feb 21 2024

    After working as a cybersecurity consultant in Europe for over a decade, Jacqui Loustau was struck by how cybersecurity professionals in Australia were overwhelmingly male. This led Jacqui to found the Australian Women in Security Network (AWSN), a not-for-profit association and network with the goal of increasing the number of women in the security community.

    In this episode, Jacqui chats with Cole Cornford about how businesses can change their approach to hiring to improve diversity, the importance of supporting kids and students of all backgrounds who have an interest in the field, as well as some of her thoughts on the future of the industry.

    Timestamps

    4:30 - Jacqui’s career background.

    9:30 - How Jacqui became inspired to tackle the issue of diversity within cyber.

    10:00 - At Jacqui’s first cyber event in Aus, struck by a sea of men.

    13:00 - Achievements Jacqui is proud of from the last 10 years.

    15:20 - What can businesses do to encourage diversity.

    19:00 - Cole: what are some systemic issues we need to tackle?

    22:00 - Jacqui: you can always teach technical skills.

    23:00 - How we can support kids & students to move into cyber.

    25:00 - Rapid fire questions.

    27:10 - What will be the theme in cyber for 2024.

    29 mins
  • From Australia Post to Cynch Security: Susie Jones's Journey to Safeguard Small Businesses
    Feb 7 2024

    While working as Head of Cyber Security Business Services at Australia Post, Susie Jones worked on a product that was designed to support small businesses that had suffered a data breach. Susie came to believe that existing cybersecurity tools and support were generally either too expensive for Australian small businesses, or didn’t suit their needs. And so she co-founded Cynch Security, which aims to fill this gap.

    In this conversation Susie chats with Cole Cornford about Susie’s career, the benefits of coming from a non-technical background, and they do a deep dive on the security needs of small businesses in Australia.

    4:36 - Susie’s career background

    5:40 - Benefits of coming from a non-technical background

    7:15 - Challenges of running your own business

    7:40 - Cole: you’re selling protection, it’s a pure cost

    8:10 - Susie’s motivation to become a founder

    9:00 - Consequences of breaches “the worst working day of their life”

    10:30 - Most common security challenges for small businesses

    13:00 - Big businesses that work with small businesses share cyber risk

    14:40 - Supply chains and small businesses in Australia

    17:20 - 90% of employers in Aus aren’t served by our current cyber solutions

    18:00 - Worst examples of advice not suited to small business

    19:20 - Tips Susie would give to small businesses

    21:20 - Password managers are a no-brainer

    25:00 - Rapid fire questions

    26:10 - One cybersecurity myth Susie would like to debunk

    29 mins
  • Powering Resilience: Nathan Morelli on Securing South Australia's Electricity Grid
    Jan 24 2024

    In this episode Cole Cornford chats with Nathan Morelli, Head of Cyber Security and IT Resilience at SA Power Networks, which is the sole electricity provider for the entire state of South Australia. Making sure that 1.7 million people have electricity is a pretty important job, and Nathan shares his perspective on how the organisation maintains resilience in the face of potential breaches.

    They also discuss the importance of financial management skills in a management role, the Australian government’s updates to the Essential 8 and the national Six Shields cyber strategy, the importance of work-life balance, and plenty more.

    4:00 - Nathan’s career overview

    8:00 - “Not if, but when” and the principle of acting like a breach has already occurred

    10:40 - Cyber resilience is critical

    11:00 - Finding value in the impact of your work

    15:00 - Matching cybersecurity strategy to the resources available

    17:20 - High regulation/barriers to entry restrict quality security advice

    19:00 - Importance of access to affordable cybersecurity tools

    19:30 - Australian government “Six shields” update

    23:50 - Australian government update to “Essential 8”

    27:40 - Why Nathan adopted financial management concepts in his cybersecurity work

    31:10 - Cybersecurity decisions are made for financial reasons

    33:10 - Typical career trajectory: follow money, then people, then problems

    35:40 - Importance of work-life balance

    40:40 - Rapid fire questions

    46 mins