Episode #76 Securing a distracted workforce with Craig Searle
One of our original podcast guests, Craig Searle, returns to discuss how cyber has changed in the few years since we last spoke: navigating the pandemic, growing awareness of supply chain security issues, and achieving diversity in the workplace.
Craig Searle is the co-founder of Australian cybersecurity consultancy, Hivint, and the security collaboration platform, Security Colony – both of which were acquired by Trustwave, an Optus company, in December 2018.
Craig has over 12 years of experience in the security industry, working in the finance, government, telecommunications and infrastructure sectors. He has been directly responsible for the delivery of a number of strategically-critical security programs for a range of clients, including a $10m PCI DSS compliance program for one of Australia’s leading health insurers, achieving compliance on-time and on budget.
Links:
Episode #3 Security Sourcing: Cracking the Code with Craig Searle
Transcript
CP: Hello, and welcome to The Security Collective podcast, I'm your host Claire Pales and today's guest is Craig Searle. For those long-time listeners we're welcoming Craig back. We met with him last in episode 3 right at the beginning of the podcast a couple of years ago. Welcome back to the podcast, Craig.
CS: Thanks Claire, great to be part of it again.
CP: So since we left you a couple of years back, Hivint is now well and truly settled into Trustwave. We've had a pandemic; quite a bit has gone on since we last met. I'm interested to hear your thoughts on what the three big things are for you. What's changed in cyber in the past few years that you've experienced since we last chatted?
CS: Well, I think probably the single biggest change has been the amount of time I've spent working while wearing my PJs! I think that's definitely been a trend globally. In all seriousness, there's been some really interesting changes, some of that I think is reasonably attributable to being driven by COVID and what COVID has done. But also I think there are some trends that we've seen that probably would have happened anyway. So look, the first one I think is probably enterprise and organisational awareness of supply chain security issues. We've had some really big and far-reaching attacks such as SolarWinds, we've also had the GoldenSpy banking trojan. And so organisations are now really starting to understand that it's not just the security of their organisation, but also the security of the organisations whose products and services they consume. And the fact that an organisation that is on the other side of the globe, that you probably don't have any real commercial relationship with, they could be a vendor of a vendor, and if they have a major security incident that can have quite serious repercussions for you as an organisation. And so there's been a lot of thinking around, well, what does that mean for my organisational risk appetite? And how do I get a better understanding about what my exposure is and also what I can do about it? I think for a lot of organisations, there's almost a sense of acceptance that you might have a vendor that you think represents a security risk, but there's largely not a lot that you can do about it, other than just have them in a risk register. But as a stepping stone, I think that's a really big change, is that organisations are now understanding that those risks do exist, they've got to track it, and manage it and understand it. They might not necessarily be able to do a huge amount about it, but just having the awareness is probably a big step.
The next one, I think, which is quite closely related is, you know, we're seeing a really big uptake in requests for the design and execution of programmes for assessing vendors on behalf of our customers. So, you know, we'll have organisations that might have hundreds or even thousands of vendors, and they're trying to understand what the security posture of those vendors is, and what the security implications are for their organisations. So we now run large-scale managed vendor risk assessments for our customers, so that they can then make a risk-informed decision around which vendors they continue to use, or which vendors perhaps they need to reassess their relationship with. And the third one is, and it's sort of a, I guess, a fairly well-worn joke now. But you know, COVID has been the single biggest driver for digital change and digital uplift over the last 12 to 18 months. In a cybersecurity sense, I think what that's done is a lot of organisations have had to really rapidly rethink their entire approach and architecture. So, you know, while I think zero trust is a really overused buzzword, the fact is that a lot of organisations have had to deal with the fact that their perimeter is now drastically different to what it was in 2019. And so there's a real shift in thinking required around what that means. And where I think it actually gets really interesting is not just the technology elements of it, but the process and the people parts of it. So how do you deploy really effective security awareness and cultural change programmes when a large portion of your team don't spend a lot of time in close physical proximity? So how do you influence culture? How do you get people to accept that security is a part of their day-to-day role and exhibit the right behaviours, when you're delivering that training over, you know, traditional sort of online training platforms, that sort of thing?
Which aren't as effective at getting that kind of corporate, sorry, cultural buy-in and that sort of stuff. So yeah, look, it's been a really interesting 18 to 24 months and I think probably there's still some change to come. But you know, I'd say they're the three sort of trends that we're seeing as setting the direction for probably the next 12 months or so.
CP: I want to pick up on two things you just talked about, and particularly, I agree one and two are very well linked - the supply chain concerns and that assessment of third party vendors. Do you think that most of what you're seeing in the industry is being driven by regulators like APRA, where they're coming in and saying, you must know who your third parties are, you must know what their security requirements are of you and vice versa. And you must know that your information security values or principles align, so that you're doing business with people who are protecting your data in the same way you would. Do you feel like organisations that are regulated are much more likely to be more mature on that path? Or are you seeing across the board that people are starting to pick up, okay, we really need to know who we're doing business with?
CS: Look, I think it's fair to say that the regulated organisations are definitely leading the way. The regulators like, it might be APRA, or we're also seeing, say, the Critical Infrastructure Act, which is sort of starting to really take hold in terms of the expectations and obligations of the relevant entities. I think ultimately, what's happened is that from a regulatory and legislative perspective, the government has sort of identified that supply chain risk is going to be a major issue for Australian organisations. Like it really doesn't matter what sector you're in, or your organisational size, supply chain risk is going to be a big deal. And so using tools like the APRA regulatory mechanisms, the legislation that we're seeing, is really their way of trying to get those organisations to uplift quite rapidly. And so what I think you see is that the larger, more heavily regulated organisations are, you know, they're on the journey now. But that then has knock-on impacts for the organisations that they deal with, and their partners and their suppliers, who in turn now actually have to also lift their game. I actually think it's a good thing. There's this saying, you know, a rising tide lifts all boats, and I think, actually, that's what we're starting to see, is that as a broader cybersecurity ecosystem, we all have to do better. And regulation is really starting to drive that. If you're a small or medium enterprise, and you want to be engaged with the large, highly regulated organisations, you've got to be able to demonstrate you've got a good cybersecurity posture, because otherwise you represent a risk to their business, and the chances of them wanting to do business with you are drastically reduced.
CP: Yeah, and I think that's a good point that, you know, the top end of town, that sort of six or seven hundred organisations that are regulated by APRA, APRA regulates all of them, you know, there's tens of thousands that aren't in the financial services industry, and beyond that. But there's got to be that ripple effect, where if they want to do business with the big players ongoing, then they're going to have to step up to the plate from a security perspective.
CS: Yeah, absolutely.
CP: The other thing I wanted to pick up on from your top three things that have changed, apart from living in your pyjamas, is the COVID side of things around culture. And, you know, we talk about security awareness and delivering security awareness training. And now, you know, it's more online than ever. All these organisations that have sort of an annual quiz that you have to do or an online course you have to go through. Now, that's, as you said, most of what people are sort of reduced to in terms of security awareness, and culture in organisations is changing, because there's no water cooler anymore, there's no brown bag lunches, you know, people just aren't in close quarters with each other. And I just wonder, are you seeing a concern that staff who are out of sight are out of mind when it comes to cyber security, and therefore, are organisations really aware of where their data is now? And you know, the laptops on kitchen benches. And I don't know, you're seeing that cultural shift in organisations where they're recognising that, you know, if they didn't before, maybe now they do have a culture of complacency around cyber?
CS: Yeah, it's an interesting problem, because I think there's a lot of organisations that are realising things like, you know, a proportion of your workforce don't work in an environment that would be considered secure in a traditional sense. You know, they're trying to do home-schooling, they're trying to get their work done from the kitchen bench, as you said, like, all of those things contribute to a workforce that's somewhat distracted. And so it's hard for people to sort of pay attention, which I think then leads them to be more susceptible to clicking on the wrong email, because while they're reading emails, they're juggling childcare, they're juggling home learning, all of those sorts of elements. And also, as you said, like security awareness and cultural awareness development and training around cybersecurity issues, it's really difficult to get that to take hold if you're not having things like your lunch and learn sessions and those just conversations in meeting rooms and around the coffee shops and things like that; they're just not happening anymore. So I guess what we're seeing is a few things like, in some regards, organisations are just recognising it first and foremost, that the risk exists. And there's not a huge amount we can do about it right now. The second thing, and sort of my belief that the right way is to take a fairly transparent view of it in terms of the way that's communicated out to the team, and being upfront and saying to the team, look, we know that you're not operating in an ideal environment, you know. You're juggling heaps of different priorities, you know, the way we work is very different. And so the way that impacts our security posture is now drastically different. And so having that really honest conversation, that is saying these are the things that we need from you as a team. Sometimes this will be difficult, sometimes this won't always be possible.
But the biggest single thing that we need is to have those really high quality, frequent lines of communication and have those conversations so that people can still feel connected to the business. They still feel that sense of ownership and responsibility around the data they handle and the interactions that they have. And that ultimately, you know, having lots of smaller but frequent messages and touchpoints around cybersecurity is going to be much more effective than having, you know, a singular, once-a-year quiz and a fairly crappy sort of video setup or something like that. That's been proven to not be effective. And I think it's even more the case now. So the organisations that we're seeing doing it best are doing fewer pieces of security, but they're doing it much more frequently, and taking a longer-term view that actually this has got to be about high-touch, consistent messaging.
CP: Yeah. And not always the messaging coming from the security teams.
CS: Yeah, absolutely. I'm a big believer that security has to be a part of the organisational culture and DNA. In the same way 20 years ago, work safe practices in your sort of traditional office environment weren't a big thing. But now, you know, work safe practices are a big deal. If you see a spill, people will report it, you know, you don't have someone just standing up on a random desk to change a light bulb, because those practices are considered to be unsafe, and your colleagues and co-workers will pull you up on it. And as well they should. And so that same sort of cultural DNA around what's an acceptable practice around cybersecurity, that's really got to become part of it. And so it really starts to be around policing each other. And also setting an example. And it can't just be the cybersecurity team saying, you know, thou shalt do the thing; it's got to be about the individuals that make up the team, regardless of what team that is, holding each other to the right standard and displaying the right behaviours that they expect to see in their teammates and in themselves.
CP: Well, because anyone in the organisation can cause an incident.
CS: Yeah, there's any number of case studies around people that have no real direct involvement in cyber security causing major incidents, because they've clicked on the wrong email, or they were social engineered, or it could be anything like that. So it's really getting the individuals in the organisation to accept that that is an unfortunate fact of life in today's working environment, and that everyone has a role to play. But also, security doesn't need to be really difficult or really expensive. It just takes a little bit of thought, and a little bit of, shall we say, uncommon sense around the way people behave and operate. And also, you know, not feeling uncomfortable about raising questions around something that seems suspicious, not feeling so uncomfortable to raise the question or feeling like it's a silly thing to ask. You know, once organisations get over that sort of cultural hump, I think they find that cybersecurity awareness and culture actually become a lot easier, because it really does just become part of daily business process, part of their standard conversations and ultimately part of the business DNA.
CP: Do you think that organisations are still in that mindset that it won't happen to them? I mean, we're seeing some huge brands, global brands, but also locally here in Australia, being hit by ransomware. It's definitely been an increasing trend over the last two years. It's in the press a lot more, there's a lot more questions about it. As you mentioned earlier, the critical infrastructure bill going through, the APRA regulations going through, all talking about taking this up to the level of directors. Are you seeing organisations getting prepared, or are they still thinking, okay, well we've invested a bit in cyber, but the incident is probably going to happen to somebody else?
CS: Yeah, so we're definitely seeing a trend towards organisations understanding that this is something that they have to get prepared for. And in the same way, you know, BCP and DR for a lot of mature organisations is a big part of their business planning and processes, we're seeing cybersecurity incident response now being a big part of their plans. And so that's everything from, we're seeing a lot of uplift in requests for things like, you know, forensics retainers and the like. But also, we're seeing a really big uptake in demand for things like incident response exercises, tabletop exercises and the like. And what's getting interesting is that previously, you'd be sitting in a room with a bunch of people from IT and that would kind of be the extent of it. But the exercises that we're now running are dragging in people from a really wide variety of roles within the organisation. So you're getting the legal team, communications, HR, all of those people are getting involved in these exercises, because organisations are recognising that if you have an incident, all of those people are going to be involved. And I'd argue that the decisions they make actually probably have even bigger ramifications for the organisation. Because the way you communicate to the market, the way you communicate to your customers, the way you communicate to your team, the decisions you make around your legal obligations, all of those have major consequences for the organisation that's experiencing an incident. So I'd say there is a definite mindset change in terms of getting prepared, but there's still a lot to be done. One of the things that we're seeing that is an area for improvement is a lot of organisations have cyber insurance, for instance, but very few organisations really understand, at a detailed level, what their level of coverage is, what their obligations are, what having a cyber insurance policy actually gets you in the event you have an incident.
And how does that change your decision-making processes? So I would say there's absolutely an improvement. But I believe there is still probably some work to be done for a lot of organisations.
CP: I've got a really bad habit of saying, this is probably a podcast for another day. But insurance is definitely a podcast for another day. There's so much going on in the insurance market at the moment. So much change happening, exclusions, and certainly, I totally agree with you, organisations buy cyber insurance and don't necessarily understand how it fits into their incident response. You know, are they thinking through at what point are we ringing our insurance company? At what point are we relying on them? What do we get, you know, as you say, we pay this money, but what does the policy mean? There's a lot of change going on around ransomware as well, probably a podcast topic within itself. And the other one that you mentioned, around drills and scenarios and those tabletop exercises, you could talk all day about the benefits of those and the learnings that you get from those and implementing the learnings, and the number of executives I speak to who say "IT run those drills", you know, and still have that mindset. There is so much that organisations can learn from just spending a couple of hours sitting down and walking through the incident response plan. And you know, you would know, having been part of those scenarios, some of the key things that come out are key person risk, when you see one person making all the decisions; well, what if they're sick that day? What if they're on holidays? What if they get COVID? People don't realise until they're in the thick of it the importance of those drills, because when you're in the face of a crisis, like a fire drill, you want to have known months, years before that, what decisions you'll make on the day, or at least what process you'll go through on the day to come to a decision.
CS: Yeah, absolutely. I think in terms of the scenarios I've run recently, the issue we most commonly come across is what I would call decision paralysis, where an organisation will get to a point and it's not clear who can make the decision. And particularly, you never get an incident that happens neatly at 9am on a Monday; it's always at 2am on a Sunday or something like that. And finding a person that can make a really major decision at short notice under any number of different pressures is a big issue. And that's where a lot of organisations are finding that their incident response plans have some room for improvement. And most of that is about empowerment of the right people that are involved in incident response to make the decisions they need to make at short notice, and so that's kind of the gap that more often than not pops up. And the other one, going back to the cyber insurer point, is also understanding how you can get benefit from your insurer during the year, like having those regular conversations and understanding those sorts of things. I often liken it to your travel insurance. It's pretty uncommon for someone to buy a travel insurance policy and then go heli-skiing, and then wonder why they're not covered. But a lot of organisations will buy cyber insurance, then engage in something that is directly contradictory to the policy requirements, and then be surprised when the insurer doesn't really want to have a conversation around making a claim. And so it's that constant conversation rather than making it a once-a-year kind of thing.
CP: I want to change direction a little bit and revisit some of the things we talked about way back in episode 3. When you came on the podcast the first time, we were heavily focused on the skills crisis back then, and we talked about diversity and how it happens naturally through a good hiring process. I guess I want to understand if you feel that you've been able to continue to achieve that diversity, as the employee numbers grew for you, within the organisation, has that been something you've been able to sustain?
CS: When you're a smaller organisation, you can sort of get away with diversity by, you know, focusing on hiring policies and that sort of thing, so that you don't have to put as much time and effort into it. Whereas as you get bigger, it is something that you absolutely have to make a deliberate effort about, think about how you're approaching the problem. And also be quite honest and reflective around saying, okay, there are certain things that we're not doing well, we need to fix those, and how do we learn and evolve that programme over time. So for us, things like our intern and grad programmes have always been a big part of our business and will continue to be. But it goes from having a preference for hiring interns and grads to now having a fully formed, structured grad and intern programme, where we say, okay, we want to intake 20 grads and interns over the next 12 months and out of those, we expect that we will give full-time roles to 10 or 15 of those people, and really make it a hiring decision and plan around that, as opposed to just kind of letting it happen organically. Because I think if you do let it happen organically, you run a real risk of moving away from diversity, because at times diversity isn't easy. Like it can be quite a challenging and confronting part of your business. And I think if you're not proactively addressing that and going after it, you can actually find yourself taking the easy option. And so then you end up with a less diverse workforce. So we've done things like we've stood up a dedicated diversity network now and brought in team members who feel strongly about different elements of diversity, and then given them the space and the remit to say, alright, how are we going to approach that problem? What are we doing about it? And what are the things that are important to that group?
So for us, things like cultural diversity, looking at, you know, we have a hugely culturally diverse workforce, and that brings with it certain challenges and certain conversations that we need to have. But rather than sitting back and waiting for that to happen, we've got to go out there and actively pursue the conversations and really go out there and say, look, we want to talk about this stuff. Why is this important to you? Things like LGBTQ+, you know, how do we have conversations about, you know, sexual preference, and people that work in our team that are members of that community? Like, what does that mean? How do we change our work practices to make sure that they feel included, and that that's something that we're proud about, and that we can do more with? One thing that I'm particularly passionate about is building out an indigenous-focused programme. And we are launching that shortly. Because it's a hugely underrepresented part of not just the cybersecurity community, but the community in general. And so that's an issue that I personally feel, and the company as a whole feels, really strongly about, and that's something that needs to be addressed. And, you know, why sit back and let someone else solve the problem? Like, we should be proud to say, look, we're trying to lead the way. We don't have all the answers, we're not always going to get it right. But at the very least, we're going to proactively go forward and say, look, this is what we're about. We're going to try and do these things. And, you know, we'll take on the lessons as we go and be open and transparent about the conversations that we have with people about that, the problems that we encounter and the way we go about trying to solve the problems we encounter as they pop up. So I find it to be one of the most difficult but also the most rewarding elements of my job, looking at how do we always improve the team that we've got?
Improve the conversations we have with that team and really not just pay lip service to diversity, but actually do something about it and make sure that we, you know, we're walking the talk.
CP: Look, I think it's going to continue to be a topic of great discussion as organisations navigate their way through diversity. It's, you know, as we said, not something that any organisation has adapted to perfectly. And it's a learning process. So yeah, I think it's going to be tough until we're all back in the office as well. And, you know, we were talking before we hit record about not having a water cooler to stand around. And you know, not having that connectivity with people in the office. And it's an ongoing challenge, I think, to get the culture right.
CS: Culture over the next 12 to 24 months, in my opinion, is going to get really interesting, because we've gone from having this real short, sharp shock around people primarily working in the office, then we've had the best part of two years of people primarily not working in the office, for a large portion of Australia in the cybersecurity industry, to now this sort of environment where some of the people are working in some of the offices, some of the time. And so how do you have good quality conversations around things like culture, about diversity, about cybersecurity practice, and that sort of thing, when there is no consistency in the way people interact, the way they work, where they work, all of those sorts of things? So it's going to be a really challenging time around what are the commonalities that we can leverage, and how do we get benefit out of our team, and cybersecurity in general, when there is no such thing as a level playing field anymore in any sense.
CP: Craig, it's been lovely to have you back on the podcast and awesome to catch up again, and we could keep talking. But I tried to keep the episodes tight. But I really appreciate you coming back. Love everything you do for the industry, both the people that are in the industry now and those that are aspiring to join us in cyber. So thank you so much, and hopefully we have you back again in coming seasons.
CS: Absolutely. It was great to be part of it. Thanks very much.