Episode #83 Change is the only constant - part 1 with Samm MacLeod
To conclude our season of returning guests, Claire is joined by our very own partner, Samm MacLeod, for a two-part podcast. In part 1 they discuss Samm's career break, what she has noticed since returning to the cyber industry, the SOCI Act and reporting to the board.
Samm is responsible for driving The Security Collective’s Interim CISO and Virtual CISO business. She also supports our clients with cyber security strategy, security operating models, and advice on security risk management, with a focus across multiple industry verticals including financial services and critical infrastructure. Samm’s experience with boards, audit & risk committees, and executives allows her to bring a unique set of experiences and perspective to the management of technology and cyber risk and the delivery of security best practice. Based on the Bellarine Peninsula, Samm is a mum to two grown up children, an industry speaker and writer, and an advocate for diversity in cyber.
Transcript
CP: Hello, and welcome to The Security Collective podcast. I'm your host Claire Pales, and today we're welcoming back Samm MacLeod to the podcast. Samm, thanks for joining us again.
SM: Hey, Claire, hi everyone. Thanks for having me. I'm glad to be back.
CP: So there's been a lot of water under the bridge since you first came on the podcast way, way back in episode 2. And we have met again since then in Episode 46. But we'll come back to that later. I've been asking all of my returning guests this season, what's changed for them over the last 2 years? But I feel like for you, that's a pretty loaded question, because most people are going to talk about COVID. But I don't think that's where we're going to go. Let's start with talking about your sabbatical from the cybersecurity industry. And it will also be great, obviously, to hear about your recent return.
SM: Thank you. Yeah, look, COVID waylaid my plans actually. So at the end of 2019 I decided to take a six month break, and get back on top of my health really. So I know, it's a word bandied around quite a lot, but for me, it was definitely burnout. So it was an opportunity for me to take some time to stop and rebuild, and my employer at the time was quite supportive of me doing that. But just to give you a bit of an indication, you know, this morning, I woke up what I would consider relatively late, 7.30, got out of bed, made a coffee, went back to bed with the dog and a book, and spent half an hour having a coffee and having a really good read before I then rolled out of bed and did some yoga for about an hour. And then my day really kicked off. But a couple of years ago, my day would have been up at 5.30, contemplating where I was going to fit in some exercise, and then going for a quick walk and jumping on the ferry across the bay and being at work in time to start working. And so that's just rush, rush, rush, rush, rush against a timeframe where you're really committed to get somewhere on time. Whereas this morning, it was quite chilled and quite relaxed. And I guess that's what I'm aiming for now in my day to day. So I took the sabbatical mainly to travel and you know, Eat Pray Love style, maybe. There was a lot of backpacking planned and a lot of sort of traversing the Asian continent and trying to get on top of health and well being. But unfortunately COVID stepped in on that and said, yep, that's not going to happen. So what it ended up being was just lots of yoga, lots of meditation, lots of walking with the dogs, throwing in some weight training here and there. They say lifting heavy things is good for your health, and just reassessing and trying to figure out what I was going to do moving forward.
I had my, you know, maybe just one small hand dipped into cyber still at the time, which was doing some work with you Claire in the background and trying to ascertain what it was that was going to keep me excited about cyber. Because previously, for me, it was all about attaining a certain role within cyber that gave me the accountability and the authority, I guess, to be able to do really cool things. Be involved in decision making that was going to help organisations to move forward on their cyber journeys, and ultimately protecting the communities that those organisations operated in. And, you know, the passion part for me is being able to sit there and work with organisations who are struggling to, you know, whether it's implement cyber or it's to just understand cyber, or who have boards or subcommittees of boards who are struggling to understand how they take a principled approach to govern the issues that are being put in front of them. All of those sorts of things are my passion. So being able to work in that interim executive capacity and go into organisations and be in the chair and help look after them and bring them along on a bit of a journey, but then step out and have someone else take custodianship of it from an operational perspective, really appealed. So I am loving not having operational responsibility for cybersecurity, but being able to still have a lot of those conversations where there's a lot of coaching and mentoring and education and training and general chitchat around what all of this stuff means and how it can be applied.
CP: I want to come back to your passions in a second. But just off the back of what you just spoke about being a role model, and you can show others what's possible. Do you feel like you can do that now, because you've got a couple of decades of experience behind you, and you can do the type of work now that allows you to work three or four days a week? Do you feel like you're in sort of a privileged position to be able to do that now? Or could somebody who might only have been working for 10 years, be able to shape their day and shape their week and shape their career in the way that you're able to now?
SM: It's a really interesting question. It's funny, actually, yesterday, I was taking the time to go through where I'd been and what I'd done and what that had looked like. And you know, I actually had a bit of an epiphany of what might have contributed to my burnout. Because during my last tenure as a CISO, I was not only doing that role for a large ASX listed organisation, but I was also an advisor on an industry board looking at cybersecurity regulation. I was also on an executive board for education, I was spending time supporting founders in CyRise and I was doing, you know, as much as I could to be out there and contribute more broadly to the condition for Australia and the community than just sitting in the CISO chair. So, I think, and I enjoyed every minute of it. And I think I am very privileged that I have had such a fantastic career even going all the way back to the opportunities that presented themselves, way back stepping outside of university. I've been incredibly fortunate to have, you know, no one has that linear trajectory, and I've bounced all over the place and done lots of different things. But somehow all of those puzzle pieces have culminated into something that's a pretty solid career that's given me lots and lots of experiences. And I guess I use all of that to shape and look at what it is I want to work on and what I'm passionate about, and what's important to me. But also, I want people to see that there's a couple of different pathways, or many different pathways that could be taken to step into cyber. And I'm a living example of that. So I think whether you're 2 years in, 10 years in, or like me over 20 years in, I think there's always that opportunity to stop and reassess. And look at what this is doing for you. What your passions are, what you're actually contributing, and then shape along the way. It'll never turn out the way you expect it to, you can't predict everything.
And there's always something that, you know, I read something this morning about everything's going wonderfully and smoothly and you've reached all of your goals, and you've hit that pinnacle. Cosmically, there's something that's going to jump up and bite you, and say to you just remember this, because you're getting too cocky. And I think, you know, maybe that's what happened to me. But that happens to everyone. So it just, you know, you can't predict everything.
CP: When you spoke earlier, you spoke about what some of your passions are, and you know, particularly around things like board reporting and risk and having been out of the industry for a period of time, you know, sort of around 12 months, I suppose. Do you think that when you came back in at the end of last year, there was a shift in the industry from a risk perspective? What did you see that was different through a risk lens, than when you left at the end of 2019?
SM: There are a couple of things and, you know, I'm going to avoid talking about the risks that a global pandemic presented, I think lots of people have spoken about them and what they mean. But, you know, coming back in and certainly having, I guess, an opportunity to look at a couple of different critical infrastructure organisations over the last 18 months. I guess my perspective is slightly different, because these organisations are having to deal with a whole heap of regulation or legislation that's changing around them. But from a business perspective, a number of them are in, I guess, a bit of a state of flux on how to keep up with advancing business practices, or digital transformation, or I guess, just big pivots and swings in the capability of the technology or the need to protect data. They were kind of, I guess, from a risk perspective, starting to think about what security really means, and where it starts, particularly with security risks. So, you know, to put some examples on that, terms like shift right are coming up. We've all heard of shift left around, you know, getting in front of all your development. But shift right being all about getting in front of your need to recover, or be resilient, and just starting to consider things like, where does business continuity planning intersect with cyber security? And given that, you know, or even just security in general, you know, there's a lot of talk about different converged models. And you know, does security now encompass elements of privacy that need to be looked after outside of your privacy officer, within the security team. And you know, a few different organisations talking about something called dynamic risk management, which is completely resetting the way you look at how you do risk and, you know, taking risk management, I guess, more into an aspirational kind of approach.
Which is all about agility, using data and analytics, looking at talent, being able to, I guess, create a risk culture that is all about an appetite for taking risk. As opposed to the past, I guess, where it's all about prevention of risk. So I am not aware of any organisations yet at the security risk layer that have started to embrace that approach, but there's certainly a lot of talk about it. Which is a fundamental shift in the way organisations are looking at risk. It's about the appetite to take it as opposed to closing the door on anything happening. There's still lots of controls assurance and so forth in that, but it's shifting and pivoting that thinking and that culture. You know, similarly, the auditors, the Internal Auditors Association in Australia has changed from, you know, the 'three lines of defence' vernacular to just 'the three lines', and is trying to now talk about the importance of the segregation of duties between what everybody is doing, but not necessarily saying that it's putting in defence based processes. So it's wanting to link, I guess, more to that dynamic, integrated risk management approach that organisations are starting to look at and doing things differently. And I think the other thing that's come up for me, which I find absolutely fascinating, stepping back in after a bit of a break, is the changes to insurance, and cyber insurance. So fortunately or not, with a couple of the organisations I've been working with, it just depends how you look at it, I've had an ability to sort of step in and look at what's happening with the insurance industry and for organisations who are looking at cyber insurance. And anyone listening to the podcast involved in this stuff would know, if you're looking for a new policy this year, it's really hard to get your hands on one, you know, from an underwriter's point of view, given the changes to COVID, given the extensive amount of, you know, ransomware attacks and payouts etc.
There's just no funding available for underwriters to be able to bring in and take on the risk of any new policies, and renewals are incredibly difficult. So the amount of hurdles and hoops that organisations are jumping through, whether it's, you know, having to actually provide controls evidence, present to underwriters and brokers on where you're at from a security perspective and be able to show and present evidence around how you're managing your cyber. They're just a couple of the things that are coming out from an insurance perspective, just to be able to renew. And then we're seeing technology coming in to support the insurance companies, whether it be rights for them to step in and do scanning, and actually test and assess your environment for themselves to see whether or not you're secure. All of those things are coming into policies and, you know, things like shared responsibility, and financially in the event that something goes wrong. So payouts are changing and there's just so much changing in that world that, you know, insurance three years ago was a 'do I actually need it or not?' kind of conversation, and what other policies might cover me instead, silent on cyber. And that would give me a little bit of assurance that if a cyber incident caused me an issue in a plant, that I would actually use my building and plant protection to support me. All of that stuff's changed. And so it's gone from that conversation of, should I?, to I absolutely need to be doing this. I'm going to need that coverage, whether it's for responding to an incident, helping me mop up brand and reputation, or deal with a regulatory response. And the difficulties now in obtaining that insurance, or having it at the level that you need, and knowing what it's going to do and how it's going to perform for you, is becoming quite topical in the industry. So there's been some interesting shifts, I would say, in the last couple of years.
CP: I have definitely seen myself, having consulted as an interim over the last five years, certainly in the last 12 to 18 months, much more involvement around cyber insurance and organisations, as you said, not thinking about do we need it or not, but more thinking about, can we live without this coverage? And what does this coverage mean? And at the end of the day, it's a financial tool, really, it's not a cyber strategy, despite the fact that some organisations and boards are still, I think, under the impression that having that insurance is a strategy. And, you know, as I always say, that's probably a podcast for another day. But, you know, it's actually come up in the recordings for this season a number of times, and I think it will continue to come up as we reach the end of the year and move into 2022, organisations trying to understand what their policy actually gives them and how to integrate that policy into their incident response plan. Before you went on sabbatical, you were in the critical infrastructure industry. And since you've come back, you've also worked as a consultant in a number of critical infrastructure providers. If you think about risk for them, what's been your observation coming back as to the risks that that particular industry continues to face? And I know there's legislation going through and we don't necessarily need to concentrate on that particular bill, because the organisations we're talking about here were already covered by the act that's in place. Do you have observations about any risk that's changed for critical infrastructure, as we know it, the traditional definition of that industry? Or do you think it's been pretty consistent?
SM: So I guess when I stepped down, the initial SOCI Act had already been put in place, and a number of energy companies were responding to, I guess, the new world around expectation and obligation under that. And it was challenging for them to interpret what their requirements were, to understand all of their obligations, and then to figure out how to bring everything together to respond in the event that they were asked to do so. So the data and the reporting components were complex and hard to consider. And I guess it was taking a lot of organisations away from their ability to take a risk based approach to the way that they were managing their environments. Whether that was, you know, all the way over on the operational side, or whether that was on the security side. So there were already challenges, I guess, around all of that. What I'm seeing coming back in is quite a lot of stress and a little bit of fear, really, with regards to the expectations of the act moving forward. So I guess we're cutting across a number of industries. I do have to call out that, you know, having been in the energy sector before taking leave and supported by an organisation like AEMO, so the Australian Electricity Market Operator. I guess, they spent a lot of time working with industry to define a framework for cybersecurity, that was not necessarily one to be mandated into the future. But it was one that gave them a lens across the entire energy sector, as to how well it performed, knowing it was critical infrastructure, and looking to help and support those who needed it. So if you think of all the different kinds of organisations, you've got the ones that look after distribution, you've got the ones that look after generating, you've got some retailers, and then you've got some of those really cool, I guess, emerging type energy organisations that are doing, you know, wind farms, and solar and hydro etc.
You know, some of those smaller organisations who are quite innovative, but hadn't had the opportunity at that point to do a lot when it came to security, but they probably carry quite a lot of risk. So by doing that, and bringing all those organisations together from the huge ones down to the smaller ones, it gave a really good view of the energy sector. But it also brought everyone together to talk around how we strengthen and move forward. And it was all about strengthening the sector. And I guess the cool thing that comes out of that is, as you're reporting from a SOCI point of view, you're getting that industry view and you're getting a view from all of those organisations because I've already done the work. I think, now that SOCI is looking to extend itself across a number of different industries, I haven't seen yet the same approach in other types of industry as to how you bring the group together collectively to deliver an outcome that has benefits on both sides. So I think there is a little bit of fear around, well, you know, what do step-in rights mean? And what's that going to mean for us in the event that something happens to the organisation, and how far can they go? That's a challenge. I think, you know, the malware reporting side of things, and the potential mandating of that, is making a number of organisations a little bit nervous around what that looks like, and how exposed they'll be. Ideally, to date, if you have any issue, or a threat within your organisation that you need help with, it is a logical conclusion to involve ASD or involve the ACSC, to help you coordinate, manage. You've got your insurer to help you do that as well. And a number of organisations do that. But they also tend to do things on the quiet. And I think this idea that they could be opened up, not unlike from a data breach perspective, to people knowing that there's been some security challenges, I think that makes them nervous, and understandably so.
But if I got right back down into the guts of it, it's lots of questions from boards and executives around hygiene. And, you know, in a lot of these organisations, they're still missing hygiene from a security point of view, whether that's having the right framework in place that enables you to understand your threats, your risks and your controls. Whether it's just an ISMS to help guide all those moving parts around what security is and what it means for the organisation and enabling you to explain that. Or whether it's just reporting and, you know, that's something, I've been in the industry a long time and I don't think anybody has solved the problem around how you report operationally or how you report to your executives, and then how you get your papers right for the board so that they understand what's going on around them from a cyber point of view. So I think this concept of having another interested party to report out to, from a cyber point of view, has a few people wondering how they're going to do that when they haven't even yet got it right in their own backyard. So I just think there's a number of things and, while there's been a lot of consultation, there is this one particular industry I'm aware of where the consultation has been significant, trying to, I guess, get the feedback, but then also explain decisions made out of the Department of Home Affairs. There still seems to be a challenge on both sides around listening and understanding the intent of some of the feedback that goes in there. And they're still not, particularly for that one industry, agreeing on frameworks, which then becomes a challenge on how you report out. So if I look at the energy sector, having the AESCSF supporting them, and reporting out and having CIO sign-off on what that reporting means before it goes out to AEMO, it's quite helpful to have that they're supporting an overall framework. Which is, you know, a combination of NIST and C2M2.
But, you know, that's not for this other particular industry, that's not been the approach. And at the moment, it's a choose your own adventure around the framework, which means reporting out will become complex and challenging for that particular sector against the act. So I just think there's going to be some challenges moving forward that actually make things harder for a little while.
CP: Yeah, and just picking up on your comment around reporting and metrics and getting your board papers right. Again, you know, I could do a whole podcast on that topic. But I think what some people forget as well, is that reporting for each organisation is contextual. And what's meaningful to the board of one business is just of no use or can't be understood by another business. And so you make the point that no one's necessarily got it right yet. But I wonder if there are a number of things at play there, in terms of, you know, the CISO or the CIO bringing forward the metrics and the board papers, and the board having an expectation of seeing something that maybe they're not seeing. So there is a conversation, potentially, in some organisations, that's not happening around what the security leader might be bringing forward to the board and to the executive, and what that board and executive actually need to govern cyber, and potentially the gap that's in the middle. So, you know, for people who feel like they haven't got the reporting right, it might not just be what you're presenting, it might be how it's being received, and that there's an expectation on the other end that's not being met.
SM: I think you're right. And I think, you know, one of the other challenges that I've seen is where board directors are on multiple boards, but across different industry sectors. And I think sometimes it's difficult for them to context switch. Meaning that a particular director may be sitting on a utility board, but they also have a position on a financial services board, and may bring a slightly different perspective, and in some ways a highly beneficial perspective, to this other utility board around the robustness of what happens in financial services. But conversely, there are a number of things within that utility board that are different and contextual, and meaningful to the way that they operate, and particularly having operational technology and the need to protect that and have a number of different kinds of digital assets integrated with that, that's very different, that you don't see in financial services. So I think there's a lot of complexity around how you present a message so that it can be well understood, given people come from different views, and have different contexts themselves on how cyber is being managed in all different sorts of industries. And of course, you've got directors too, who are grappling with the concept of their own accountability under the Corps Act around cybersecurity. And then looking at what are those principles? How do we govern? And thinking this is a whole new space that they need to learn about, and how do they do that. And so I think, from board down, lots of people are just trying to understand what this all means. And how do you get some consistency and some clarity out of the data that you've got to show that you're actually doing things as well.
CP: In welcoming Samm back to the podcast for a third time, we still had far too much to talk about to fit into one episode. So tune in next week where we have part two of my chat with Samm MacLeod and we talk through some of the lessons she learned from running her own business, and also some of the trends she's been seeing in enterprise wide security operating models. So I'll see you next week for part 2 of my chat with Samm MacLeod.