106. Who is Foresight? with Craig Ford


We welcome back author Craig Ford as he and Claire dive a little deeper into his latest book 'Foresight', which has been nominated for an Aurealis Award in the young reader category. There is cybercrime, romance, spies and hacking and a few Matrix references in there for the fans. Aside from the book, Craig and Claire discuss the ongoing challenges of the cyber skill shortage and the state of cyber in Australia over the past 12 months.

Craig is the CTO for Baidam Solutions where he leads the technical services division of the organisation. Craig is also the Queensland Chair for the Australian Information Security Association (AISA). He is an experienced cybersecurity professional with various qualifications including two master’s degrees and a history in both pen-testing and security engineering.

Craig is a published author with the books “A Hacker, I Am” and “A Hacker, I Am – Vol 2” in his first cyber awareness series and “Foresight”, a new cyberpunk/hacker fantasy series published in June 2022. He is a freelance cybersecurity journalist who is best known for his work on CSO Australia (IDG Communications), to which he contributed almost 100 cybersecurity articles between 2018 and 2020. He is now a regular columnist with the Women in Security Magazine as well as a freelance contributor for Careers with STEM, Top Cyber News, Cyber Today and Cyber Australia Magazines.

Links:

Episode 67 - Getting the Basics Right with Craig Ford


The Security Collective podcast is proudly brought to you in partnership with LastPass, the leading password manager.


Transcript

CP: Hello, I'm Claire Pales, and welcome to The Security Collective podcast. Today we are welcoming back Craig Ford to the studio. Craig is the CTO for Baidam Solutions, where he leads the Technical Services Division of the organisation. For the longtime listeners, you'll have heard Craig on the podcast back in episode 67, when we talked about his journey as an author, and some of the fundamentals needed to secure an organisation. I absolutely recommend you head back to the back catalogue of the podcast and listen to our previous conversation. This time round Craig and I dive a little deeper into his book 'Foresight' which has been nominated for an Aurealis Award in the young reader category. The book is a fictional story about a teenage girl who has a secret life. I won't spoil the plot as I would love for you to not only support Craig by buying a book, but also buy one because it's a really great story. There is cybercrime, romance, spies and hacking and a few Matrix references in there for the fans. And in the closing pages, Craig leaves us with enough room for a sequel. Aside from the book, Craig and I discussed the ongoing challenges of the cyber skill shortage and the state of cyber in Australia over the past 12 months. Like many of our guests, Craig gets a lot done for cyber here in Australia and was generous with his time today in sharing his insights. So please welcome back to the podcast, Craig Ford.

Craig, it is great to have you back on The Security Collective podcast today.

CF: It's awesome to be back. I think it's going to be great conversation.

CP: So I wanted to invite you back because last time we talked a little bit about 'A Hacker, I Am' which was your first book. And I thought today, even though personally, I'm an avid nonfiction reader, I read mostly business books, including your first book. I dived into 'Foresight', a really refreshing change to read some fiction work. But I'm keen to start with where your inspiration came from, given that you'd written a couple of sort of fact based books around cyber in the past and a bit more business style writing, what inspired you to write something that was fiction and really came from a different place?

CF: I think there's a couple of pieces to the answer to that. 'Foresight' was kind of born out of, I guess, a bit of a desire to sort of create this, I guess you would say lead female character that would sort of help encourage a bit of an interest from sort of young women into cybersecurity. So that was where the whole idea was sort of born from because I'd been doing a bit of stuff for Women in Security magazine and sort of getting involved in sort of diversity stuff, like working for Baidam. And, you know, I think, as a general sort of thing I wanted to do, I wanted to help or help encourage that bit of interest, because I still feel everyone sees cybersecurity is kind of a bit of a boys club, which I think it's not. I think we need to sort of break out of that old sort of viewpoint and sort of change the whole perspective. So I guess the original idea was, I just wanted to create this realistic kind of cool sort of hit lead female character, sort of an ethical hacker that would sort of, you know, create that bit of a spark of interest and just sort of want them to have a bit of a more of a look into it saying, hey, maybe I want to be like that, or maybe I could do that. Just sort of change that whole perspective, hey, this is just a boys thing, you know. I think it came out pretty good. I think it was definitely different writing to the sort of, from the cyber awareness into sort of the fantasy sort of novel sort of style stuff. But yeah, it was definitely a change in mindset. It was a lot more challenging, I guess, to the cyber awareness came easy it was, you know, that's what I do for from my day job. And it was just sort of second nature, I didn't really have to think about a lot of the time when the subjects were there. I just could just write it. But I did put a lot more thought into how it intertwined and how it all came together. So it was, yeah, it was definitely a challenge. 
But yeah, it was definitely around creating that character and that spark of interest. And from the girls, I know and from the young guys that have been reading it as well, they love it too. So that's a bit of a bonus.

CP: Yeah, I was interested in that sort of the strong female character. And obviously I was once a teenage girl, a long time ago. I can relate to Sam, who's the protagonist in the book, how she feels, how she thinks and some of the challenges she's facing, because you do intertwine that sort of day to day life of a teenager into the book. Obviously, I wasn't a teenage hacker, but I can still relate very much to her as an individual. I thought he did a really good job of building out her character outside of the fact that she was a hacker, but you know, her family life and her school life. What was the experience like for you writing from her perspective?

CF: Obviously, it was it was a little challenging. Obviously, I'm a guy, not a girl. So it was a bit of hard to get myself in that sort of mindset. Bit of a bonus I had is I'm one of seven children in my family and I've got four older sisters. So I had a bit of a, I guess a bit of a unique insight of some teenage girls sort of background information. So I think that helped me a little bit. But it was a bit of a challenge. Like I wanted to do it and I wanted to do it right. And I think even through the editing process, my editor, I had a female editor, which was great. So she was sort of going, that's kind of a bit of a guy's way to say things, maybe you could sort of mix it up a little bit, which is great. So I really enjoyed that. But after I kind of got going, though, I think it was easier than I thought it would be, like I sort of just got on that flow and got in that right mindset and actually wrote the whole book in less than three months. Like I just pushed on, and I just sort of yeah, really sort of got the bug and just kept going with it and it just formed itself. I sort of just went along with the flow. But yeah, the mindset was, yeah, I thought it would be a bigger challenge than it was. But yeah, it was, it was interesting, for sure.

CP: Interesting to hear you say that you wrote the book quite quickly. And the two books that I've written, I wrote really quickly as well. So both of them the research, actually, and the thinking around the central question, and where the book was going to go, took much, much longer than the actual sitting down and writing of the words. Did you do a lot of pre planning around the sort of structure and where you wanted the storyline to go? Because you just sort of mentioned, you know, you just sat down and wrote and let it kind of flow out? What thinking ahead did you do around the plotlines and where it was going to go? Or was it kind of a surprise to you as well?

CF: I kind of, the first sort of 15 or 20 chapters of just sort of a quick blurb on what I kind of wanted to cover it most that first half, sort of my general thoughts of how I wanted to make it form. And then I kind of just went with how I felt as I was writing it, and I think stuck close to kind of what I was thinking and then sort of just went off a little bit on its own. But the general planning was actually probably the hardest part. And then when I started writing those first few chapters it just sort of flowed. But yeah, I think the forming the character idea of how she was going to be and the background of that was probably the most difficult part. Obviously, the having a bit of an ethical hacker background myself at the hacking side of stuff that was kind of easy, it becomes sort of second nature. But yeah, the forming the character, I think that I had to really think about how I was going to do that and how I was going to do it right, because I wanted it to be as realistic as possible, and not sort of go over the top. I sort of wanted it to still be fun and still be about the hacking, but it needed to give her a bit more depth. And I think I pulled it off.

CP: Well, I agree, I can completely agree that you pulled it off. And you know it, your writing makes it very easy to visualise the street she was going down, the car she was in, the people she was speaking to, you know, her father and his character I felt you built that out really well. And I think you have to have that sort of outer shell, but also the innards of what her thinking is like and the type of person she is, so that you can work out how she speaks to people and how the flow of the story goes and the plot lines.

CF: And I think the emotion side of that was probably the fun part. Because as I was going through some of that emotion got a little bit deeper as we're going through the first phase of editing because I sort of wrote the general story and it sort of came together. And I'm like this conversations with the editor was like, can we make this a bit deeper, can we talk a bit more about what she's feeling what she's thinking in the moments? And I think really that first editing phase kind of gave it a little bit more depth to it. So yeah, I think the emotion side of it was yeah, it was an interesting sort of build up and sort of put in there. So yeah, I quite enjoyed that part.

CP: But also, I think, as someone who you know, for even for those who haven't read the book, it's obvious, and you can read the back of the book, and it tells you that it's about a hacker, she's obviously a risk taker, because anyone who's a hacker is going to be someone who's curious and who you know, wants to see if I do this, what would be the outcome. But in the way you've written it, you can still even feel the adrenaline rush with her in certain situations and certain conversations that she's having with people. It's quite visceral, I think, the riskiness, I suppose, of the type of activities that she's doing while trying to live the life of a regular teenager as well. 

CF: Yep. And I think the fact that I wrote it in real time as well, like in her first person sort of view on it, and in real time, in the action, it was hard to sort of keep the pace and sort of not give too much information. But give enough to let your own imagination just sort of flow and sort of follow what's going on.

CP: What interested me as well is the use of technical language in the book, because, you know, obviously, when we read fiction, we're not always subject matter experts on whatever the case is. I mean, when you read James Bond, you're not an expert on, you know, the mechanics of how spy operations work, for example. But I did notice the technical terminology in the book and I know that can sometimes baffle people in the workplace, or, you know, directors or experienced corporate leaders can be overwhelmed by what some would deem as technical speak, or jargon. Was it a conscious decision for you to leverage this language in the book to make Sam's voice more authentic as a hacker? Or was it something that just kind of flowed for you as part of the plotlines of the book?

CF: Probably a little bit of both. I was sort of almost walking that sort of tightrope of giving enough to make her authentic and realistic as a hacker person, and particularly say, the fact that a lot of my general reader or audience is probably in that sort of technical arena or wanting to get into that tech arena. But I wanted to make it that was very open to anyone that was not technical at all. So it was sort of that fine line of, I need to make her very realistic and give her that real world hacker sort of feeling, but not put too much of that jargon in because you probably know, from reading my 'A Hacker, I Am' book, I'm very against using too much jargon, I love to make it as simple as possible. So it's a very fine sort of tightrope to walk and going, I've got to put enough in there, but not too much. And then try and make it so it kind of explains itself to a point in the scenarios that you're going through so that you can understand if you don't know what the technical word means, or what some of the jargon is. So it was very much a big tightrope, and probably one of the bigger challenges trying to give it that technical aspect. And even I've had some of that sort of feedback of some of the more technical people going, why don't you go a bit more deeper and like, then you got the non technical people going oh it was a little bit deep for me. So I'm like, I think I got it kind of somewhere right in the middle, so it gives enough technical for the ones that want the techie stuff, and the ones that don't want it to sort of keep that fine line in the middle. But yeah, it was a bit of a challenge, sort of walking that tightrope, and sort of trying to get that balance, right. I think, in some of the sort of scenarios, obviously, without saying too much, I think I'd go a little bit deeper than I probably should have.
But I think I needed to, to keep that, that character right and feel out sort of what she was doing and sort of get in her mindset, because you needed to really see what she was going to do and what her planning was, and her thoughts were. So it was definitely difficult challenge to sort of, not make it too technical and not put too many of those words in. But if I didn't put enough, then it would have been a little bit sort of lacking on that side as well. So yeah, definitely a challenge. But yeah.

CP: Yeah, look, I completely agree. And I didn't find it to be it wasn't out of place, it felt right in the book for you to have that technical terminology there. And even the names of, it's so hard because I don't want to give the story away, but the journey that Sam goes on, I didn't find the technical language in it to be out of place. And I also like to think that if it is a young reader who's reading it, then maybe it will sort of force them or encourage them to go and google some of these terms and find out a little bit more. And so you know, in some cases, I thought, oh, that's a really cool thing that a young person who thinks this is this sounds really interesting. I'll go and find out more about that. And so yeah, I was thinking maybe that might have been your thought process as well.

CF: It was a little bit of my sort of plan in the background, to give you enough to go, hmm I want to know more about that. And it was a deliberate ploy. And you'll notice probably a few security lessons that you could probably have learned through the book as well, like I've deliberately dropped a few of my sort of cyber awareness style sort of ideas in here and go, maybe I shouldn't do that, or maybe I should go find out more about that. So there was a bit of a deliberate plan. So it sounds like it kind of worked.

CP: Subliminal messaging, I like it. I have no idea how you had time to write this book, or the other books that you've got, given you are the chair of AISA in Brisbane, you speak at so many events, you've completed loads of postgraduate studies, you've got a full time job, you got a young family, what drives someone like yourself to give back so consistently. But also you're constantly challenging yourself to grow. How do you sort of factor all of this, how do you fit it all into your day, I suppose?

CF: It's difficult, I actually write for about five magazines now too. So I do way too much probably. But there's a bit of a trick with my writing, I actually have a train commute that I do most days into the city. So I utilise the train commute. So I have pretty much 45/50 minutes where I've got to be stuck on the train and the signal is very bad. So usually that's where I write most of the time these days. So that's my spare time, particularly with young family, you don't get too much of it. But I don't know, it's just a bit of a natural thing, I just want to do a little bit more, I always want to sort of, because particularly my sort of journey into sort of cybersecurity, and I see it constantly now, like it's not an easy entry. It's not an easy journey. And I had a 15-year sort of background in IT before I even made that sort of direction towards cybersecurity. And I found it challenging to make that sort of entrance. So it's sort of more about passing on the knowledge, I just want to make some of my mistakes and some of my sort of thoughts and ideas, and if I can help someone else get in a little bit easier just by sharing that, I think it's worth all the effort. But yes, it's certainly difficult to fit it all in. But we do these things, we want to make a bit of a difference, we want to keep pushing forward, so we just keep at it.

CP: I know one of the topics you talk about quite a bit and given your sort of journey into the industry, I can understand this topic as well, is that sort of passion around the cyber, I'm going to call it the skills gap, but people call it a shortage or crisis. And we've been talking about this for a few years. I mean, I've been doing this podcast since 2019 and I think I asked my first guests about the skills gap or skills crisis. So it was going on well before that. What are your thoughts on why this remains such a challenge, both for organisations, but across the industry and many other industries now as well. But for cyber, why are we still facing this particular challenge around getting enough people with great skills and capability into our industry and keeping them in it?

CF: I think there's definitely a few reasons and there seems to be a lot of interest. So there's particularly that sort of entry level space, there is a lot of interest of people wanting to try and get in it. I think it's that barrier, where you sort of as an industry itself, kind of created this sort of roadblock in the middle that we need to find that sort of bridge between, say, your university degree or your certificate 3 or 4 in cybersecurity or whatever sort of study you want to get in, or even industry certs from getting from that, in that theoretical sort of knowledge to actually getting that first job because there is no bridge of that experience. I think we need to find that. I don't know how we do it, I wish I had a simple answer. But we need some sort of like apprenticeship or traineeship style thing of bridging that between, you know, yes, you've got your cert 4, let's all take on two grads a year or something like that, and actually teach them how to do what we want them to do. Yes, they're not going to be a 10 year veteran instantly, we're not going to have that full experience. But if none of us are doing it, all we're doing is poaching from each other, and just stealing all the qualified staff. And obviously, the more qualified staff are getting paid quite well these days. So, you know, cost wise for a business, I think you'll get more dedicated workers, you'll get better workers by actually training some people and getting them through and you'll get really good staff. It's just, we all need to sort of put in that time and stop putting a lot of those roadblockers. And I don't like to like the word of skill shortage, either, I think it's experience shortage is probably the closer statement, I think, because there is a lot of people doing your master's degrees, and doing your Bachelor's degrees in Cyber and IT and there's a lot of people there that want to sort of come into the sort of cyber or stem or all of that sort of space. 
But we're just putting up this whole, you know, the CISSP, or you need a OSCP, and which is great. But if you don't have any experience or any hands on, it's kind of hard to get to that point. And you can't get a CISSP without five years. So, you know, we're just putting those sort of roadblockers in ourselves and we're making it almost impossible. And they were the same sort of problems we had when I was trying to get in. We're talking about it more. And there's more people saying we need to do something, I just don't think we're doing enough to sort of make that experience bridge and try and help them I guess to a point, get that physical hands on boiler room experience that you're getting like your normal builders trades or your mechanic trades where you actually physically get in and yes, we'll make some mistakes and things will happen. And you know, the threats aren't going away, so we need to bring them in and train them to a point.

CP: Yeah, it's actually interesting point because to use your analogy with the building trades, what I'm seeing in organisations is that a lot of businesses have a very small cybersecurity team, they might have a head of or a leader, most mid tier organisations would have probably less than 10 cybersecurity people within the team. And a lot of those organisations will have grad programmes, but they don't necessarily have if they're fortunate to have a grad programme, they don't necessarily have a dedicated spot for a cyber graduate. Or they're too overwhelmed with their own capacity to allow for having a person who needs hand holding every single day. And yet in the building trade, we often see small building companies, you know, or family building companies who do take on apprentices. And you know, because they see the value in the benefit of teaching new people the skills. And so my concern is that organisations are not investing enough in their cyber teams to have enough capacity to have someone who can handhold and also the pace at which things move that they've got to be watching every day, it can't be a part time thing or too shorter term as well. So I totally agree with you that I would love to see more than just the big banks and the big telcos and the Big Four, having these brilliant grad programmes that take in a lot of people. Because I know from talking to grads, too, and I'm sure you've seen this, people apply for grad programmes, and they'll be one of 1000 students who want one of you know, maybe 10 jobs, if that. It is such a difficult balance to say, we want more grads inside organisations, but the cyber teams can be so small and so overwhelmed. You know, how do they prioritise the time to give to grads as well.

CF: It's almost a rock and a hard place, isn't it? Like, yeah, we need to train them and we need to bring them in. But we don't have the bandwidth or the resources because we haven't been doing that to a point to be able to bring them in to start with. So yeah, it's a huge challenge.

CP: A company I was working with recently, we ran a cyber simulation and we invited the IT grads to come in and sit in a simulation, and even just exposure to something like that, where they can see how the CIO operated, how the Head of Security operated, how the privacy person didn't say anything throughout the incident, you know. Just seeing how different things operate and hearing the lessons learned, even that was a really great experience for them.

CF: Yeah, sort of that real world exposure, you know, seeing how they actually respond and act and in the different situations. Yeah, I think that's a good idea.

CP: So it's not just about them, seeing the day to day, back to back meetings of what CISOs and cyber teams go through. But it's actually those scenarios and the incident response plan and seeing how all of that comes together as well. There's so much that grads can be exposed to that I think would help them also to decide if cyber is the right vocation for them. Because people do things at uni, and don't always necessarily end up wanting to do that as a full time job. And you know, as you and I both know, having worked in cyber for a while, it can be a pretty thankless task. And it can mean long hours and quite a lot of pressure. So, you know, we want to make sure that when we're bringing in grads, that they're the right people, for the industry, and also those lateral moves in from people who are already skilled like yourself, you know, coming into cyber later in their career, understanding, you know, almost try before you buy what they're signing up for.

CF: Yep, I think that's a really good idea. And I think that, even for the sort of the people coming through, they can get a bit of a, you know, even if it's psychology backgrounds, or arts backgrounds, like there's so much more than just tech in cyber as well. So we need to go, is it cyber awareness that you're sort of interested in? Or is it risk and compliance, but we need to give them that almost that boiler room experience of this is kind of the real world, how it's going to be kind of everyday scenarios and go is this really where you want to be? Because everyone wants to be a hacker or a pen tester when you talk to me about cybersecurity. But there's not that many jobs in pentesting, or ethical hacking, or the red teaming stuff. So not everyone can do that. So I think, yeah, we've got to sort of widen their perspective a bit. But yeah, find that way to really give them that experience. I like the simulation sort of idea stuff, I think that's a good way to give them some exposure and sort of bring them in. And I think with those sort of grad programmes and sort of bringing them in, I've noticed that some of them are doing like three months, sort of grad programmes and things like that, which I think are too short. I think they need to give them that sort of 12 months, six months, at least, because in first three months, half the time any sort of new job you're still learning, you're still looking. You don't really have that real world, what's it actually going to be like every single day for the rest of my career in this sort of space. So I think they need to give that sort of timeframe a little bit longer, and give them more on the ground view of how it's going to really be so they can really make those decisions. Because, you know, we've all been there, we've all started out in the careers. And if you don't really get that realistic look, that might be completely the opposite to what you want to do every day. 
And like you said, cybersecurity is not very thankful a lot of the time you kind of just doing your thing, and then you're in the spotlight when you do something wrong or something is found. And there is a lot of pressure on it. So yeah, it's not for everybody. But yeah, it's definitely good career, though.

CP: Yeah, and I think it was mentioned probably before, that some of the jobs in cyber that people will be doing in a few years time, we don't even realise that they're going to be invented yet. Getting a sense of what cyber is like now doesn't necessarily mean that that will be what it's like in the future as well. And as a person who has an arts degree, I'm a walking example of the fact that you don't need an IT degree to work in the industry.

CF: It seems to be a fairly common trait. Actually, I know quite a few cybersecurity people with an arts degree sort of background. So it's actually quite common.

CP: Yeah, I wanted to be a cop, but that's a podcast for another day. When we caught up 12 months ago, things were very different, I think in the cybersecurity landscape. But we talked about the basics back then, and making sure that organisations put the basics in place. What do you see as some of the major shifts we've seen in the industry over the past 12 months, for better or worse. Maybe, you know, the three things that come to mind for you that since we spoke, I'm going to say last July, what do you think might have changed since then in your purview of the industry?

CF: I think the focus on some of those basic stuff is improving. I think there's definitely been sort of more on the Essential 8 and sort of getting that foundation stuff right. So I think that kind of stuff I've definitely noticed is at least the conversations are there more, and people are wanting to sort of line up a bit better and be a bit better protected. I think the overall, I don't know if it's just the attention on it, or the amount of sort of attacks and the volume of attacks seems to be bigger, at least in the mainstream conversations, since we have quite more. Ransomware is still around and that's going to be our problem for a long time, I think because it's still profitable. So we will still be looking at that in a few years, for sure. But yeah, I think that the volume is still increasing. I think that's sort of going to be continuing, I think we're going to see that a lot more. And particularly like say, the Russia Ukraine kind of scenario, we're going to see a lot of the military use of the cybersecurity stuff quite a lot more. And I don't think it'll be hidden like it used to be. I think, probably three years ago, they probably would not even have really openly done it, they would have just done it in the background as a bit of a ghost sort of exercise, but now we're just doing it and everyone's just knows about it. And the same with your normal APT stuff like they're just pretty open about it now that they don't really hide it as much as they used to. So that's certainly an issue, I think that's going to ramp up quite a lot more. So I think defences wise, we need to make quite a big improvement and sort of try and figure out how we fix that skills experience shortage thing for sure, over the next couple of years, because I think we're not going to have too long because that's pretty much where most of those sort of battles are sort of fought now, a lot of the time is in that cyberspace. 
But yeah, definitely, some things have improved, I think around sort of the basic stuff, I think the volume is definitely higher. And I think with the introduction of you know, a bit more virtual reality style stuff and things like that, I think that the way we do some things is going to be a little bit different. I'm not entirely sure how we're going to secure meta very well, on that kind of scenario. That's going to be a different kind of, I'm not sure that'll be me securing it, maybe one of these young, inspirational people that come through might be doing that by the time that's sort of a big thing. But yeah, definitely some different challenges, which is kind of interesting. That's one thing I liked about the industry, personally, is the fact that it is evolving all the time. And it's there's always something else to figure out how to protect or how to fix it, and sort of give you that continuous challenge. So I think that's probably part of the reason why I've stayed in it as long as I have, and probably will stay in it for quite a lot longer. I like that bit of a challenge. But yeah, that's probably I'd say the main things that I've noticed over the last three years, yeah, the volume is continuing. Ransomware is definitely not going anywhere and that drives me crazy. It's my bugbear. But yeah, I think we as an overall sort of industry, I think we're getting better at those basics, though, which is a good start. I think we've got a lot of work to

CP: Yeah, I mean, I wish that we could say that over the last 12 months since we last spoke that culture, around cyber in organisations had improved. And I think it's the least focused on area because a lot of businesses are heavily focused on investing in technologies so that the tech picks up or the tech does the detection and prevention piece. And the culture side of things, I guess, is so imperative, but it's far less invested in and not enough organisations are looking to the top and talking to the board about cyber regularly enough. I know a lot of boards are getting a cyber update you know, this could take us down a rabbit hole, or it could take us to another podcast. But there is so much around culture that I wish organisations could get a handle on and could anchor to around their cybersecurity strategy. But we continue to see technology, because possibly, and I'm interested in your opinion, it's maybe an easier metric to measure that we spent this money, we put this tool in place and look at how many malicious attacks we've prevented. Whereas with culture, it's a slow burn. And it's more about personal interactions. It's almost impossible to measure. I would love to get a guest on the podcast that says in the last 12 months, I've seen culture in organisations around cyber skyrocket, maybe we'll have you back in a year or two.

CF: You won't get that for a while, maybe, hopefully. I think I kind of agree. I think like you're right, like a lot of organisations prefer that sort of the new flashy, blinky lights sort of solutions. They can see it. The problem with that usually is they don't always install them the way they need to be installed. And they're not always configured exactly right. But that's a different conversation, probably another rabbit hole. But I agree, I think we as an industry, and as a general population, I guess we sort of focus too heavy on that tech solutions, like you said. I think it needs to be if we can really sort of grow and improve the overall cyber awareness cultures, in organisations, just the general populace, like the benefit for everybody in their personal lives and in organisations would be phenomenal. It's just, we need kind of like the, you know, slip slop slap, but for cybersecurity kind of scenario. We really need to sort of really lift that whole game of everyone sort of cyber awareness, get everyone better at sort of picking up on scams, and a lot of those stuff will stop being worthwhile for them to do so. Obviously they'll find different avenues, and we'll be continuing that sort of culture thing. But if we can grow that sort of education and that culture, and sort of really push that message across and get people a bit more sort of cyber savvy is probably a way you could say it, I think. And like you said, it's hard to measure that though, because you don't really know if we're actually getting improvements or if there's, you know, we're getting better. I'd like to say that we are getting better. I think that there is better messaging than there used to be. And they're making a few things a bit more fun and people are starting to pay a bit more attention. I think that's a good thing. I'm a bit of a storyteller. I like to educate with stories, so that that kind of rings true to me. 
So I think you're right, I think the culture and the cyber awareness sort of thing is something that we really need to do that big focus. And sort of we can really make that sort of difference in that space, I think will do wonders, and I think we'll probably hear a lot less of the major breaches because people is where that kind of is. And I hate the saying that the people are the biggest risk because it's not the weakest link I think is the word that most people say and I hate that statement. I think they're our biggest opportunity, our biggest advantage, I think if we can do the education, and help everybody and sort of make everybody understand a little bit more, and be safe to go to the security person or the IT person and go, not entirely sure if that's real, or I accidentally just clicked on that, can you have a look for me to be safe and feel like they're not going to be punished for doing the right thing. If we can change the mindsets, make people feel comfortable to come, because security is not the bad guys. We're just here to try and protect people and come and tell us, we'd be more happy with you telling us that you clicked on something 30 seconds ago, than three hours ago. Like I'm happy with all the false positives, yes, it creates more work, but gives us a better result. And if you can figure out how we make those cultures better and more open and stuff in the industry, I think we will be laughing. I don't know how we do that yet but that's what we definitely need to do.

CP: Yeah, look, I think if somebody works out how to change the culture, from the board level from the executive, and you know, across the whole employee community, they will be a very rich person. Before we wrap up, I want to loop back to the start. And you know, I'm definitely wanting to know, if we're going to get another book out of you. Is Foresight 2 coming? What's in store for Sam, when can we expect it? Can we expect to hear from her again?

CF: You can, you can, there's actually the next two have already been written for the series. So there's two in the pipeline, which are both set to sort of come out in 2023. So I won't say too much, because I don't want to give it away. But I've kind of done a, how would you put it, a yin and yang kind of scenario, which was always my plan. I'm actually in book 2, I'm actually giving you the perspective of the bad character. And showing you exactly what sort of happened in the scenarios, their thoughts, their journey, and how they see those same scenarios and give you that other side of the spiderweb. And I sort of, the general idea was I wanted to give you the feeling and so just different sort of choices can make it go down a different path and show you how easy it is to slip down the bad side and not the good side and how similar those kinds of people are. So I've kind of gone for the yin and yang kind of lesson and sort of tried to entwine it a bit more and then I switched back to the Sam in the third book completely. So yeah, a bit of a switch up. So we'll see how it is. But I've the sort of pre readers that I've read the first two books, I think they bit mind blown from the way you can see the different perspectives and sort of look at the scenarios that they saw in the first one and go, oh, I wouldn't have thought that that's how they would have seen that or change the whole perspective on some of the scenarios, though. Yeah.

CP: Well, I very much look forward to number two, having read number one recently, in preparation for our chat today. I really liked it. And as I said, I don't read a lot of story books. I suppose I don't, I tend to really just look to business books and what Sam would probably term quite boring. But I really enjoyed your book. And for everybody listening, please, please go and buy Craig's book and so that you're ready and prepared for number two and number three to come out. So, Craig, thank you so much. I've loved having you back on the podcast today. I know that we'll speak again, and all the best with the launch of your upcoming books.

CF: Thank you very much. It's been a pleasure.
