Aaron Bugal [00:00:00]:
The cultural shift and attitude adjustment towards good cybersecurity culture starts at the top. It starts at the top with better governance around what it means to be cyber resilient, understanding the risks and the threats to the business, and then deputizing people to come up with a plan to mitigate, defer, or accept that risk so that if business does suffer an incident, they can move forward.
Joining me today is Aaron Bugle, field CTO, APJ from Sophos. And today, we’re discussing cyber burnout across Australian businesses. Aaron, thanks for joining and welcome.
Aaron Bugal [00:00:53]:
Thank you so much for having me, KB. I’m pretty excited to be here today.
Karissa Breen [00:00:57]:
So we’re referencing the recent Future of Cybersecurity in APJ 2024 report, which was produced by Sophos. Now I wanna get into some of the key findings in this report, which was quite interesting. And I know from being in my sort of role that cybersecurity, you know, burnout across the space is becoming quite prominent. So I wanna dig into that a little bit more. And for people listening, we will be linking, full version of the report in the show notes. But for this sort of interview, let’s we’re just gonna go over the main sort of points, the main insights. So maybe let’s start with one of the main key findings. So I’ll read it out here.
Karissa Breen [00:01:32]:
Burnout is impacting 86% of cybersecurity and IT professionals in Australia. So talk to me about this. 86% is quite a substantial number.
Aaron Bugal [00:01:41]:
Yeah. It’s quite large, KB. You’re right. And I guess first and foremost from from my own perspective, I just I just wanna make sure that that everybody who is here, everybody that is is listening to this this podcast, that cyber burnout in our industry is an absolute real thing. I think there’s some naysayers maybe out there. There’s some people that perhaps are feeling these feelings and they’re not too sure what they’re feeling, and they’re pushing them down. It’s it’s absolutely okay to to feel a bit confused and over overwhelmed, which I’m really looking to getting into. So, hopefully, this report and and the discussion that we’re gonna have is gonna shed a lot of light on what we’re gonna talk about today.
Aaron Bugal [00:02:18]:
But, yeah, it was a bit interesting, this this research topic for this year, our our 4th iteration of cybersecurity, the future of it in the APJ region, and taking the tact of of mental health. It’s quite a interesting and cathartic look about, you know, we are we, UKB, myself, we’re both we’ve bone both been practitioners in this cybersecurity industry that we call cybersecurity, which I have a little bit of a of a bone to pick about that word. We’ve seen it all right. We’ve been there, done that, And it was quite interesting as as a result of the pandemic and even my own self working working at home for, you know, almost close to 6 years now and coming out of the pandemic, I there was just this this odd feeling about, you know, being cooped up in the same place for for a long period of time. And it wasn’t until we sort of started getting out and seeing people in the industry face to face meetings that that sentiment was was real, that people were feeling a little bit disconnected, a little lethargic, bit despondent, bit disillusioned even. And it was it was quite a good set of research to dive into to sort of say, is this a thing widespread? What about the region? And, yeah, 86%, 85% of of respondents that we we spoke to have got a bit of a problem with cyber burnout in, this cybersecurity industry of ours.
Karissa Breen [00:03:36]:
So did that number sort of surprise you? 86%?
Aaron Bugal [00:03:40]:
It did a little bit. I mean, it surprised me a little bit. Shocked, I think, was was probably more of a word that that I’d attribute to it being it being so high. But my surprise is, like, it explains a lot. It’s a bit of a of an interesting situation when you sit down and you think about, are we so beleaguered as cybersecurity professionals? And and, you know, of course, there’s both technical and nontechnical roles in the industry, but it’s all facets of an organization, whether they’re directly within the cybersecurity field that people that need to accommodate and account for or be responsible for cybersecurity outcomes. They’re being impacted as well because it’s a hard thing to to get right, let alone do right a 100% of the time.
Karissa Breen [00:04:22]:
So you said this sort of explains it. What specifically do you mean by that? What is this number sort of explaining from your perspective?
Aaron Bugal [00:04:29]:
So the 86% or the 8 I think it’s 85% in the report, actually. I’m not too sure there might be a digit off there. I could have misread it from, my small font on my screen, but the particulars around that number when I was coming out of, of the pandemic, I was feeling quite monotonous in in what I was doing because I was staring at a screen or staring down a camera. I was talking 2 dimensional image of of whatever it was, usually my Zoom client or my Teams client. And I was just it was a a little bit a little bit on the repetitive side. And it wasn’t until I connected with other individuals in the industry and even spoke to some of my my friends in the industry as well about how they’re feeling. I had one of my best mates who packed up shop and went back home to Scotland because he was cooked. He was in digital forensics, and he just said, oh, this is done.
Aaron Bugal [00:05:20]:
I’m done. I’m going back home, and I’m gonna find something else to do. So I think that sort of sentiment with people becoming overwhelmed and not feeling that they they are doing a good enough job just because there’s a fair bit of disconnect, job. I really wanna dive into from my the executives and boards and people that are on the coal face dealing with cyber issues. Yeah. This this explains that this this high percentage of of people that have got this this feeling of burnout just sort of marrying up with with how I was personally feeling. Yeah. It’s it’s no wonder that that this is the state that we’re in.
Karissa Breen [00:05:53]:
Maybe let’s start with your definition of burnout. Now it seems like an obvious question, but, again, depends on who you talk to, depends what sort of industry you’re sort of saying the phrase burnout. What does that mean to to you from your perspective? Because just so we’re all on the same page here.
Aaron Bugal [00:06:08]:
Yeah. I guess for from from my perspective and the people that I’ve spoken to and and looking through the the results of the report, a lot of the burnout is attributed to exhaustion, especially around the the mental capacity of people, which then sort of affects their emotional sort of attachment to what they do and who they are. Physical, absolutely. I mean, a lot I felt personally lethargic coming out of of the pandemic and being stuck doing the same things. And there’s a lot of other people that feel that, you know, a combination of being emotionally drained, you know, physically drained and mentally drained, that overwhelming amount of of stress that contributes to those factors is the result of people becoming burned out. And I think that’s probably a good summary of of where I see burnout overall for people in our industry.
Karissa Breen [00:06:55]:
But do you think a lot of that number that we’ve been talking about today has been significantly increased since the pandemic? What about before the pandemic? Would you sort of envision that that 86% was lower than that before the pandemic? Do you have any insight on that front?
Aaron Bugal [00:07:09]:
I reckon maybe yes, but I I can guarantee you that the industry as a whole, the way in which the threat landscape, the requirements from regulations, business structure, the delicacy of of some organizations like operating on a knife’s edge, you know, pre and post pandemic. They were big contributing factors to making people feel very stressed. So I wouldn’t be surprised that if there was continuity in these sort of feelings retrospective to to the pandemic, maybe not to the level as what we see now. But I think these sorts of numbers that we’re we’re seeing in these reports because we’ve we’ve starting to normalize mental health, you know, just just agnostically across everything that we do in life, which is fantastic, then really starting to sort of pick up on it in this cybersecurity industry, which is highly strung in demand of people and, you know, threats coming at us left, right, and center. I think that that increase is is now more exacerbated than what it would have been pre pandemic, but, I think it’s always been there.
Karissa Breen [00:08:14]:
And do you think these people are aware that, hey. I’m I’m burnt out. I’m fatigued. I’m tired. I’m exhausted. Your point about your friend saying, I’m cooked. I’m going home. Are you starting to see that more sort of come into the the conversation, or do you think people still are unaware and maybe they say, oh, I’m just a bit tired this week?
Aaron Bugal [00:08:29]:
You know, because it it creeps up on people slowly, they don’t notice that small glacial shift in their attitudes towards what worth they feel that they have to the business might you know, and if they feel it’s diminishing or, you know, am I doing a good enough job, or is the business putting, you know, more requests on me? And that’s just, you know, business as usual. They’re not noticing that that that culmination of requirements of their their physical and mental self is slowly being eroded because there there’s no additional help and and things are just getting harder. So I think some people would would notice it. I don’t think a lot of people do. It’s not until like that time that I went in and sat in front of a couple of customers that I hadn’t seen before. And there was a new face in the, in the IT team who was tasked with cyber. You could just tell the look in their eyes, they were glazed over. They were thinking not another meeting, not another vendor, not another piece of tech that I’ve gotta deal with to to to be the cyber person.
Aaron Bugal [00:09:28]:
You could see that they’d they’d almost partially checked out. It wasn’t until I sort of sat down and said, you’re right. You you’re looking a bit, you know, overwhelmed, but you got something else on your mind. I said, yeah. It’s it’s, there’s buckets to do, and they just they just unloaded on me to say, you know, we’ve gotta do so many things, and these things are changing. And and it was it was a bit confronting at first, but after speaking to other peoples, it’s quite similar. Like, there is definite a need for more assistance in organizations to help people that are in tasked with the responsibility of dealing with quote, unquote cybersecurity, but they’re only 1 person or they’re a small subset of people, not necessarily with the ability to to look after everything that that requires attention.
Karissa Breen [00:10:11]:
So just going back to your comment around, oh, not another vendor, do you think perhaps and this is more broadly. This isn’t just aimed at you or so far, or anyone. Do you think, like, vendors are sort of contributing to that burnout perhaps? Because I say this because I speak to a lot of sizes, very senior people on this show, and they’re saying, like, they get hit up repeatedly multiple times a day to the point where it’s almost haranguing people. So do you think vendors in general are contributing to that?
Aaron Bugal [00:10:37]:
Do KB that are flat out say absolutely. Couldn’t agree with you more. And I know that’s probably not the corporate line that that many of our our our PR agencies would like to hear, but I think there is a fair bit of attribution towards how complex a lot of organizations have become with their cybersecurity tools and processes as a result of things being sold to to them for a reason. Now everybody who who runs an organization’s in charge of an organization organization, they they they grown adults, and they can make their own decisions on whether or not they they sign POs and and buy things. But I think there has been a slight element of of Bud before in the past from from some vendors, some more than others, that has definitely lent into the to the exacerbation of the threat landscape. And people have just bought shiny tools to, to deal with the threats, thinking that that’s a tick box that’s done. We can move on. And that’s not necessarily the case.
Aaron Bugal [00:11:34]:
And when we go in or when, you know, some of my colleagues from other parts of, of competitors go in to, to review things, Things have been purchased to things have been purchased to fix up a a system or or a problem, not necessarily have been exercised their full potential. So if therefore there is gaps in their protection. So I’ll I’ll agree with you. Absolutely. Yes. But at the same time, that there’s been very little optimization and the approach into optimization of what those tools can provide to make the job a lot easier and the outcomes a lot better for the business. So, I guess that’s where I stand on that.
Karissa Breen [00:12:10]:
Yeah. Absolutely. I hear your point. I think the average Australian business, like, larger business has between 70 to a 100 tools. Now going back to your point of optimization, that is very obviously not the case. There’s a lot of things that overlap, so I definitely hear your point. Probably just more so just, oh, it’s another vendor person trying to call me more so that because I can relate to how that feels sometimes when people sort of, you know, always wanting your attention. So it’s more so from a changing of your hats all the time and trying to be like, okay.
Karissa Breen [00:12:40]:
I’ve gotta focus on this. Then I’ve got 50 people calling me a day. Like, it’s probably more so that. And then feeling like, hey. They wanna get back to you, Ron. I just physically can’t.
Aaron Bugal [00:12:50]:
Yeah. Yeah. There’s there’s there’s a lot of activity. I I mean, interestingly enough, like, this, I’ve only been in the, the field CTO position at Sophos here for the APJ region for just over 12 months. And I noticed a very sharp incline through the professional social media websites. Let’s just leave it at that. That when my title was changed and my public profile advertiser, it attracted a lot more people asking me questions about, hey, have you thought about this? What about that regulation, this AI framework, that? And I was like, well, that’s a lot of noise. And that’s like, you know, I might be taking 10, 15 seconds to glance and go, nah.
Aaron Bugal [00:13:29]:
I gotta get a gotta get back on task. But if that was amplified by 10 times a day for a nominal CSO in their position, that’s a lot of wasted cycles. And they they need to they need to be aware of of everything that’s happening. So they look, they review, they read, and then they they start to either decide, do I need to compartmentalize that that knowledge or shift it away? It does take focus away from a lot of the things that they they need to be doing and and effectively evangelizing to the rest of their teams.
Karissa Breen [00:13:58]:
Let’s speak a little bit more about wasted cycles. So from my understanding in the report, it does say that people are tired, fatigued, burnt out. Obviously, it impacts the quality of their work. Right? Quality to deliver, quality to respond. Talk to me a little bit more about that and your thoughts.
Aaron Bugal [00:14:13]:
Yeah. So it it’s that that disconnect through through either apathy or maybe feeling that their their capability in their in their role is is diminishing or they’re not getting the right guidance. And, therefore they feel that the effectiveness of their own self towards that the mission is becoming ineffective and they, they just get overwhelmed quite quickly and that level of stress and then draining of their, their ability to, to offer mentally operate and, and physically operate really then takes its its toll. So in a, say a typical breach that our incident response team would, would sort of account for and, and help people recover from A lot of those engagements have been around a trivial issue being overlooked. Somebody forgot to patch a gateway system. Somebody forgot to tighten up the ACLs on a on a firewall. Somebody forgot to install security software to the best practices of the vendor that they purchased it from because they had other things to do. And it was those little things, those little minor events that, oh, if they could have been adjusted at the time, they wouldn’t have turned into a full blown breach.
Aaron Bugal [00:15:26]:
So, yeah, when people are not operating to the best of their abilities or even worse, they’re dabbing their own abilities because they’ve got it in their head that, you know, they’re not valued or they just they don’t have the help or resources to do their job properly. That can manifest in some pretty bad situations. Pacing point in a couple of the, the incidents that we’ve we’ve had held. Yeah. That’s that’s all I had to say about that one.
Karissa Breen [00:15:47]:
There’s a stat around that. But just to your comment there, do you think that in the future, people are gonna come out and say, well, you got breached because we’re burnt out and we’re tired and we’re exhausted. Give us a break. Are we gonna start seeing that now coming through?
Aaron Bugal [00:15:59]:
I would be a little concerned if, if an organization was going to take public line that they were burnt out, that was because they got to breach it. It’s not an excuse because then the natural flow of of of discovery and conversation was all, we all the governing body of this organization, Mr. And Mrs. Board member or committee team. Why didn’t you implement the correct governance functions to ensure that those that are on the coal face and responsible for, for defending against threats are armed with the best knowledge and tools possible with the right processes. So what use? So I think, you know, that could be used as an excuse in a wheel gap, but I think it’ll quickly blow back on the organization going, damn, We’re the ones responsible for looking after our defenders. And it really brings to light, you know, who’s defending the defenders. It’s not going to be the organization.
Aaron Bugal [00:16:52]:
I really think that the, the defenders should be getting up and moving somewhere else where they’re going to be valued. They’re going to be fostered and nurtured and their natural interests and curiosity within the cybersecurity field can be directed to an area where they’ve got passion or expertise in. So if it’s, you know, technical, non technical policy, right. Governing functions, you know, or operating the new fancy shining tool because they’ve got the skills, then that’s where we need to start directing people just to sort of like to finish up on that as well. The Australian government has, has really started to adopt the, the, the NICE framework, the national initiative of cybersecurity education, which is a framework that was, was, you know, authored in the United States, but it really teaches about cybersecurity fundamentals at a younger age and teaches basic skills for people as they move into the workforce. Mostly because we get a lot of new players in our industry, KB, a lot of new players coming in and say, I wanna be in cybersecurity and they go, we go cool. You’re hired, come on board and dump and dump yourself into the sock and start looking at all these speeds and feeds all day. And by the way, you’re doing detection engineering.
Aaron Bugal [00:17:59]:
And then people go, I didn’t sign up for this. I don’t want to look at logs. I don’t want to write, you know, Yara rules to look for dodgy pieces of code. I’m on my, my cloud containers or whatever. So they get a little bit tired quickly burnt out because they can’t do their job. They like the money, but at the same time, it sort of starts to sort of, like, breed that that that spiral of, like, things are too hard. Where’s where’s the bailout cord? So I think there’s there’s a lot of room of improvement around organizations better looking after their employees to to help sidestep a lot of these big systemic issues that are now starting to rear their heads.
Karissa Breen [00:18:34]:
I wanna get to better looking after our employees. I wanna get to that in a moment, but I asked you the previous question because there is another insight here, which I’ll read out again. 19% of Australian respondents identified that cybersecurity burnout or the t contributed to or was directly responsible for a cybersecurity breach. Now someone who works in media, I wouldn’t advise someone to come out and say, hey. We’re tired here. We sort of stuffed up when we have a breach. But that stat saying it’s contributing to it. So I wanna talk a little bit more about this.
Aaron Bugal [00:19:08]:
Okay. Looking at that statistic about the 19% attributed to respondents saying that, you know, our burnout affected us by, you know, being being breached as a result. That goes directly back to the employees that were being tasked with the responsible functions of dealing with, you know, better cyber resiliency and outcomes were very much well self doubting themselves. They were into a point and a and a position upcoments of, of apathy towards their position that their, their lethargy then allowed them to say, well, something’s something’s happening. I should probably look into that. Just click the button and press the alert. And that’s probably the worst case scenario. I’m not saying that everybody is in that position, but most people will genuinely try to defend, but when you’ve got to be mentally razor sharp to identify a precursor event, as I said, one of those little minor issues, like perhaps your, your vulnerability assessment platform has suggested that a security device is being probed on a exposed web interface.
Aaron Bugal [00:20:18]:
Maybe there’s not a known CVE or, or exploit for that unknown vulnerability yet, but it could be a clue that somebody knows something and they’re probing you. And typically like a, like a managed threat response and managed detection response, these, these SOCs as a service, as we tend to call them in the industry, they would pick up on these, these weak signals and action it, investigate, conduct a hunt, understand that is this, you know, benign activity like DOS attack, or is it somebody trying to gain access into the environment and then shut it down, right? Make sure that the system could be patched if it could be patched, otherwise isolate the attacker from being able to progress any further. But if somebody who is in charge of that is not on their at their mental best because they are overwhelmed and they are, as I said before, booked because of everything that’s happening in the industry, then how do we, how do we expect them to respond and pick up on that weak signal? No wonder things sort of like spiral out of control quickly for the environment and people get caught. There’s been a lot of little mistakes over a lot of the publicly disclosed breaches that we’ve all read about in the media over the last couple of years that could have been easily avoided. They just were missed.
Karissa Breen [00:21:30]:
Yes. Easily avoided. So you made the comment around overlooking the alert, for example. So would you say and again, if you had to weight it, would it come down to due to exhaustion around, hey. I I’m tired. I’m overworked. I’m drinking 10 cups of coffee a day or to your previous comment that overlooking alert to because, hey. I’m not really interested in this job.
Karissa Breen [00:21:50]:
Didn’t re sort of realize this is what was involved in doing this type of job. Which how would that sort of sit? Would it be 50 50, 60 40? What are your sort of thoughts on that?
Aaron Bugal [00:22:00]:
It entirely comes back to out of the individual. It could be 5050. Let’s just say, say it’s that, but it’s very much all dynamic depends on the organization, the position the person’s in and the position that they want to be in. So that, that apathy level is very much all dependent on where they are versus where they expected to be. Right. They’re, they’re very different things. But then there’s the other side of the coin. There’s a person who’s striving at their absolute best burning the candle from both ends.
Aaron Bugal [00:22:27]:
They are just so overwhelmed and overworked. They just miss one little thing. So through no fault of their own, they’re trying, they’re trying their best. They miss it. So going back to that statistic, it’s, it is a very, it’s a pointed statistic, but it comes down to the individual responding like how they were feeling at the time. And I don’t think that that resolution of data will ever be available, not unless we go to the bailer.
Karissa Breen [00:22:49]:
Okay. So I wanna now move on to part of the report, which really focuses on the board side of it. So the report also found that regardless of the Australian government’s big focus on cybersecurity awareness, as you know, boards remain uneducated when it comes to cybersecurity and teams are not ready to respond appropriately to cyberattacks and breaches. There’s 2 questions in that. 1, I wanna know more about what these board people are thinking, and 2, what does not ready mean?
Aaron Bugal [00:23:18]:
This is a good question. Thanks, KB, for bringing it up because the the data, there’s a response here, which I’ll give, which was is gonna be a little bit, I guess, polarizing, but I’ll get to that in a second. So 84% of the organizations have an incident response plan. Now I know an incident response plan is part of a much broader business continuity plan, but nonetheless, out of those organizations that have had it, that have an incident response plan or declared they have an IR plan, 75% of them have said that it only came about after they had an incident. So that’s quite telling that from a preparation standpoint, there was none. That’s that old adage. If you, you fail to prepare, you prepare for failure. I mean, it’s a bit catastrophic in it saying that it sort of sums up the situation quite succinctly that a lot of organizations have had a, she’ll be right attitude towards being cyber resilient in the face of, an oncoming threat, but not really sort of sitting down and say, what happens if we do get knocked around the head and we can’t operate for a couple of days and we sustain it? A lot of organizations are not having those discussions.
Aaron Bugal [00:24:23]:
There was another statistic, and I think it was close to a third of the respondents said that if they did have a a cybersecurity incident, chaos would break out. People would would run around, you know, clutching at their hair, perhaps shrieking in the halls. I I embellish perhaps that they would say that chaos would break out and things would be left to, well, whoever could help them and whoever they could call at that moment of pain. So going to, I guess, the second part of your question, what are, what are boards thinking? Well, I think they’re thinking one thing and the expectations are a broad array different to what they are expecting to get around that sentence. So in essence, boiling it down, there’s there’s a definite mismatch in expectation between resiliency of what the board and the executive committee see and what the business is able to provide when an emergency strikes. I don’t think a lot of organizations are sitting down and going, right. Let’s do a tabletop exercise. Let’s play it if we get attacked by ransomware and go.
Aaron Bugal [00:25:20]:
And then redoing the same scenario. Okay. We’re gonna get attacked by ransomware, but our chief financial officer is now on a 2 week holiday in, Phuket, whatever. They’re unavailable. How do we respond? And really sort of refining the resolution around those types of scenarios. So my phrasing to a lot of executive committees and and more so IT managers and and the lead team leaders that are tasked with cybersecurity. And also those at the board level who are accountable for the results of, of a cybersecurity incident. It’s time to get awkward, get awkward and have some discussions around the hard truth.
Aaron Bugal [00:25:57]:
What is your actual incident response plan? What is the net result of something happening? You know, and I, and I challenge the, the people that are listening today that are in those, those positions of ultimate accountability in their organizations to bawlk at these comments and scoff, but actually go ask the hard questions about if we are taken out of, out of action, are our backups gonna be instantly deployable? How much time do we lose? What’s our recovery point objectives? But these sorts of, I guess, response actions, they first need to come from the rest of the business as as risks, as articulated as risks. So I think from from what I’m trying to say is that there is a little bit of a lack of governance around organizations and maintaining the right expectations between people that are responsible and people that are accountable for cyber.
Karissa Breen [00:26:45]:
So when you said before, go down to your employees and get awkward with them. What does that look like? Like, start asking them questions around if the CEO’s on a holiday in wherever, who’s the next guy in charge or the next lady in charge? Is that sort of what you mean? Because, like, you’re right. A lot of people don’t really know those answers because they’re just like, well, you know, I’m just here doing my job and, you know, yes, everyone’s responsible for it. Yes. But really at the end of the day, that does need to, it needs to be a plan, but also people need to remember the plan when there is chaos going on.
Aaron Bugal [00:27:14]:
And the plan’s gotta be put into a safe that has a physical pin code in it and not connected to an it system, let alone, you know, your your CFO’s desktop file storage solution that’s just been locked up with ransomware. Yeah. These these plans need to sort of be in existing in physical form too. So, yeah, just to to go back to your question, KB, getting awkward is a big collective sort of phrase around just asking the right questions about what expectations the business has in the forms of, you know, how much cyber resiliency do they want? You know, how do they articulate and how do they quantify risk in their environment? And when it comes to threats that, that face their business, are they doing enough to actually counter them, Not give lip service to the people that are that are that are asking the question. So from the employees that I say are responsible in the coal face, if you feel that you’re getting lip service from your executive team and your board challenge, ask them, well, hang on. You say that she’ll be right. Or we can survive for a couple of days. Is it 2 days? Is it 3 days? Is it over a long weekend when it’s Easter time or Christmas? Can we survive though for those periods when there’s loading and so forth? So being finite, I guess, being specific in these types of disaster scenarios and what applies, I think there’s been too much of a of a of a cultural aspect where boards and committees will you don’t, you know, go against them, that it is okay for us that have been, you know, we’ve been paid with him, putting these positions to look after cyber.
Aaron Bugal [00:28:48]:
Why wouldn’t we want to make sure that the things that we need to know to do our job and make the business survive are answerable and can be, you know, put down in paper so that when we need to do something, it’s been authorized to do so from a response action. Okay.
Karissa Breen [00:29:01]:
There’s a couple of things in there that I wanna get into a little bit more. So just going back to the awkward statement, is it awkward because people don’t know the answer? So it’s like, you know, if you ask me a question about my job and I couldn’t answer it, it’s a bit awkward. Right? Same thing if someone asked you a question and you can’t answer it. Is that what you mean by the awkwardness?
Aaron Bugal [00:29:18]:
Yeah. Absolutely. If people struggle to answer a question, that’s okay. It’s okay to say, I don’t know. I’ll go away and I’ll find the answer for you. I’ll seek out the people or the groups or the teams that have this information that I can use to give you the answer you need, not giving an answer or making something fluffy can be somewhat detrimental in the future when it comes back to bite you on the, on the backside. So, yeah, that’s what I mean by awkward is is to really, really go through things correctly and succinctly. And if there’s not a good answer, then it’s okay to ask for a different answer or for that person to go away and find it.
Aaron Bugal [00:29:54]:
As long as people are doing the right thing, that’s that’s that’s all we need to do.
Karissa Breen [00:29:57]:
And then you made another comment around lip service. Now there is a bit of that. There’s a little bit of virtue signaling that happens in this space. Talk to me a little bit more about what does lip service look like, why is it the case, and what can people do about it to actually say, hey, when rubber meets the road, I’m actually gonna, you know, walk, talk, not just do a lot of talking. Because, again, you’re not really getting the outcome that you say you’re gonna do anyway.
Aaron Bugal [00:30:22]:
Yeah. I think I think it’s pretty dangerous as as a cyber practitioner to be either pledged or it’ll happen type of things, which is okay from a, from a planning and from a speculatory phase of like, sort of trying to build like a, like an enterprise security architecture, there’s a lot of moving parts. So I understand roughing out a framework and and then a plan of attack is good to get the high level in. But when it starts to get down to details, if those details are still fuzzy or they’re noncommittal, that that’s a problem. So the live service that that I particularly have have seen witness in in other organizations is that we’ll get onto that. We’ll get onto that. Those metrics you need, we’ll we’ll get them for you. And if it’s delay, delay, that’s a red flag.
Aaron Bugal [00:31:07]:
If there’s a third delay, there’s a there’s a critical problem or maybe they just don’t understand what you need. So it’s been in if it’s lip service, don’t accuse and, you know, go after the jugular, but rather sort of like rephrase the question. Perhaps the information that I’m I’m I’m requiring needs to be provided in a different manner so that the understanding of that request can be better handled, interpreted, and then the right sources can be provided. So, yeah, lips lip service is is typically a result of people not understanding of what they’re being asked for. And the the actions are very much, well, the lifestyle of tactics, and and that should be a red flag to anybody who’s, experiencing that.
Karissa Breen [00:31:48]:
So when you’re saying what they’re being asked for by the security team, I’m assuming, because with the lip service, is it more so they don’t understand because head of security, Seizo, isn’t explaining what they need to a board member who is perhaps not a tech person or technical at all. Do you think there’s a bit of blame on both sides?
Aaron Bugal [00:32:06]:
Some sometimes. Sometimes. I think I think, definitely, it takes it takes 2 to tango. Right, KB? So I think in the situation where if there’s a a c level executive asking the board for more investment in cybersecurity and and and and the board goes, oh, we’ve already given you enough. We’ll we’ll we’ll consider it for next year. Well, I don’t I don’t think the board are fully aware of maybe what the risks and the threats are to the business if they they don’t invest in the corrective action or the control that the the the CEO or the CIO. So wants to implement. But at the same time, the board could turn around to the c level executive and say, right.
Aaron Bugal [00:32:43]:
We need to be a 100% secure. Go. And the board member goes, well, we’ll we’ll get onto that. Sorry. The the c level executive might sort of like stumble, look at, we’re we’re we’re striving for a 100% effect, you know, security effectiveness. Both parties are just kidding themselves. Right? There’s there’s 2 different expectations right there and then, and, and they will struggle to deliver on, on what they actually meant at the board level and what they can actually deliver, deliver as a metric to show that they’re a 100% security effective. Like, what does that mean? So I think, you know, when lip service is being paid, I it’s hard to spot, but B when we notice it because it’s, you know, very overt and we go, oh, yeah, it’s probably a good point to maybe rephrase or just lightly challenge that because it’s not in the best overall interest of the resiliency for the business.
Karissa Breen [00:33:31]:
Okay. So let’s flip now into solution mode. So, obviously, we’ve spoken a lot about the report, the stats, things that frustrate the industry, etcetera. What do we do about it? It’s all well and good for, like, you guys to come and talk on and about these these problems. But how do we fix it? And do you have any advice so people can actually get off this interview going? Well, actually, Aaron makes some great points. I’m gonna start implementing that today.
Aaron Bugal [00:33:54]:
Yeah. Yeah. There’s there’s there’s a few. And, you know, 1st and foremost, I just wanna declare that I’m not a medical professional. I’m not I’m not a doctor by any stretch of the imagination. So when it when it comes to the mental health thing, I think any employee is entitled to go seek assistance, at least at the very least, to talk to somebody about how they’re feeling to, to share that load, to share that mental load, to share that anguish, to help potentially dissipate it or find that small steps and move forward. So I know in my organization and many of my friends that work for for for vendors and and system integrators as well, there are employee assistant programs that are available. And and, traditionally, they’ve been sort of wrapped around, you know, you gotta go see a psychiatrist or a psychologist to help you with a mental problem.
Aaron Bugal [00:34:38]:
But gee, they’ve expanded so much in, in, in capabilities these days. Like for example, the calm meditation app, that’s a perk of the business. So if I want to take 10 minutes and go sit down and do some breathing exercises on the floor, Yes. People might go, Hey, Aaron, what are you doing lying on the floor? But I’ll be telling them that I’m regulating my breathing. I’m just trying to get back out of my own head and sort of see things as the bigger picture. And that works wonders. Right? And there’s a whole host of different options and arrays out there through asking your employer, booking with your friends, even going, seeing your, your, your medical practitioner for some structured guidance on that. But other things which are probably a little bit harder to implement is culture, culture and organizations is extremely difficult.
Aaron Bugal [00:35:24]:
And I think right now that the cultural attitudes towards cybersecurity are very much well bucketed onto a small subset of individuals in the business. And I’m not, I don’t want to sort of like peg everybody into the same pigeonhole, but there’s some organizations are much more mature than others and have realized that cyber security is a team sport and everybody has a part to play from the board right down to person who’s, you know, collecting the coffee cups at the end of the day. Right. So that that’s a good improvement, but, but a cultural shift and attitude adjustment towards good cybersecurity culture starts at the top. It starts at the top with with better governance around what it means to be cyber resilience, cyber resilient, understanding the risks and the threats to the business, and then deputizing people to come up with a plan to mitigate the 3rd or accept that risk so that if the business does suffer an incident, they can, they can move forward. So I think there’s, there’s a lot of cultural things and that can, that can come down to security awareness, you know, as, as a basic thing is to start breeding in positive attitudes towards cyber, expanding the scope of who is included in cyber and when within your security awareness training, that can really help, But also go and look at some of the resources that the acscandcyber.gov.au have published. And specifically to the, the NIST, the National Institute of Standards and Technology, their V2 cybersecurity framework, which has just been released, has an at governance function, which is spectacular because it gets people out of that technical policy based control mindset and really forces the board to answer questions. So when we were talking about being awkward before looking at that sort of a framework and looking at the governance functions with somebody as a team leader in the sock, you know, they can’t succinctly answer because they’re not accountable for business.
Aaron Bugal [00:37:17]:
You can take those questions up the chain and say, how are we, how are we discussing this? How are we qualifying these plans that we have in place to sort of tick these boxes to ensure we can remain resilient when we do have an incident, you know, not to be, you know, doomsday say is that if something does happen more often than not, it will, we’ll be prepared. And that’s all we ask for of our organizations today is just being a little bit more prepared in the response to an attack that comes.
Karissa Breen [00:37:42]:
So what happens if this sort of doesn’t improve? Like, what type of territory are we getting ourselves into? Now I asked that question because I like to look at the full spectrum of things, like, does, if it doesn’t, what do you think is gonna start happening? Does that mean we’re gonna see more breaches? What does that look like from your perspective?
Aaron Bugal [00:37:56]:
Hey, babe. I hate to think I hate to think that if we don’t address the mental load, burnout elements that are happening to our cyber defenders out there, the people that are in positions that are looking after our cyber defenders, we don’t address it. Yeah. I think you’re absolutely right. We’re going to see more misses, more mistakes, more disconnect people checking out and things becoming a lot worse. You know, the attackers have got nothing but time and resources as appears on their hands. And I’m sure they suffer the same sort of mental anguish and stress that all over the space, maybe it manifests in a different form, but gee, they’ve only got to get it right. 1% of the time we as defenders, we as the business side is we’ve got to be a 100% all the time to ensure we don’t get caught.
Aaron Bugal [00:38:44]:
So why wouldn’t we take a better attitude to ensuring that our people are healthy and emotionally unloaded? Their well-being is above board so that they can do their jobs and enjoy it and do the things that they like to do. And it’s just gonna it’s gonna promote a much more healthier outcome for everyone.
Karissa Breen [00:39:02]:
So, Aaron, is there any sort of closing comments or final thoughts you’d like to leave our audience with today?
Aaron Bugal [00:39:07]:
The only thing, KB, is I I’d really like to stress is just pay everybody to talk about it. Talk about your teams. Talk to your teams. You know, if you’re a team leader and you’ve got some people in some really grueling positions, like I said, soft position and and support positions is ask them how they’re going, really engage with them at a personal level, take them aside out of the work and talk to them and see how they’re going. They like what they do. Do they wanna be doing what they’re doing? Just start a conversation like we do with all mental health aspects and take those small little steps towards a revolution.