Introduction (00:19) You're listening to Kbkast, the Cybersecurity podcast for all executives cutting through the jargon and hype to understand the landscape where risk and technology meet. Now here's your host, Karissa Breen. Karissa (00:34) Russell, welcome to the show. How are you doing? How are things going? I mean, I've known you for a while and I definitely want to get you on the show for a while. So it's great to have you here today. But like, yeah, how's everything going since we last saw each other? I think it was a Google event or I can't even remember now. Russell (00:53) Yeah, it has. It's been a while. I'd say almost two years, if not a little bit more. It's been very busy. It's been quite good in the sense of both work and life. Had a bit of fun around the recent floodings, but other than that, everything has been pretty good. Karissa (01:15) Yeah, that's also it's different now, I guess, with the whole COVID thing, even in my role in my capacity, I do feel somewhat isolated because we're just not doing as many conferences anymore or as many face to face. I hope that sort of changes. But, yeah, you do still feel there's that distance with people. Russell (01:36) 100% recently, I went to one of the first conferences I have in more than two years, and just having that connection again with people in the industry, just getting out and about, it just brings that dynamic back to what we all love and being able to bounce ideas off each other. Some of the challenges people have been facing, some of the good innovations and what people have been doing to overcome some of the challenges over the past couple of years. It was really great to see everyone. Karissa (02:11) Yeah, you're so true. I'm keen to get into some of the challenges that you faced recently and how you've overcome some of those. But before we sort of dive into that, I'm really keen to hear about your story, your journey, because I know you've obviously come from a military background now. You're sort of transitioned to what you're doing today. I'm keen to understand how that went. But also I've had a lot of ex military people here on the show, and I've always asked them, like, is there a lot of crossover between what you are doing in the military to what you're doing in your sort of everyday job? Like, what are some of the key lessons? So, yeah, over to you keen to hear what you have to say. Russell (02:53) Yeah, certainly. So when you look at my history and my involvement in technology, it's kind of hard to actually do it without a little bit of a history lesson as well. So I really grew up, I was very fortunate with the evolution of technology from a very young age where my parents actually were able to get hold of the old Commodore 64, you may have remembered them old systems and I actually started programming on them before I was even a teenager. So my interest was piqued very early on and throughout growing up through that entire evolution, through the consoles coming out, technology evolving. I was even on the old bulletin board systems before the internet was fully rolled out in the then as things were progressing, I actually was dabbling in cybersecurity and it at a very young age. I remember some of the very first releases of tools such as Cain and Abel overcoming some challenges that I had back in the time when I had games on CDs. And one of the challenges was I would always scratch my CDs. So working out how I could actually still play my games. But if I damaged my CD, how can I do that? Russell (04:29) So I was working all these challenges out myself as I was growing up until when I was 17, it evolved into me joining the military and from there. Karissa (04:41) Scratching off CDs, I remember that like when you get a CD that you'd have to spend like $30 on and it would be like one song, it's like the main singing and then all these sort of songs that are on there that no one cared about anyway and then you'd scratch it and. Russell (05:00) That was the end of it, 100% and you had that with all of the games. Karissa (05:04) What about the games as well? I remember N 64, it didn't work so you had to get the dust out. That would be like a 30 minutes endeavour. Russell (05:13) The old blow on the cartridge far out. Karissa (05:17) Like it really just brought back those stressful, anxiety related memories. Russell (05:23) Exactly. So it's amazing how we've gone through technology, how we've evolved and really embraced everything. So even back in the days as we're talking about scratches on games, a lot of the time, some of the protection we had was a simple batch file where you could change some loans and code and you can bypass your CD altogether so you no longer needed that. So there was quite a bit of elevation there and understanding around technology and as I mentioned, joined the military and at this stage I had already a number of years within the field and while I was in there, I spent a good eight years in the military and it was one of the best decisions I ever made. It taught me so much about independent looking at solutions and problems from more of a strategic detached standpoint. So you are able to see the full picture. Exactly. So from there, when I come across any complex problems, really being able to detach yourself, take that breather and say, okay, what are all the little bits and pieces that you need to address in order to overcome this complex situation. And these are some of the things that help me to really understand how I'm dealing with stress really internally, reflect on a lot of that and have that ability to use my innovative ability to really try different things to solve a problem. Russell (07:00) And these were some of the tools that the military gave me while I was in there. I joined back in the early 98, I joined the military and I spent about eight years there. While I was in there, I started off in artillery communications. We're working quite a lot with radio frequencies and UHF, EHF encryption, all of that. And while I was there, we had a bit of a challenge and I saw a need for a little bit of innovation and I did quite a bit of work on really developing some battlefield technology that really helped us gain a little bit of an advantage. And while we were doing that, I went through and did a lot of work in producing this and we ended up getting it to a stage that we rolled it out and I was awarded accommodation, everything for my input and my work involved with that, and that really took me further into it and security and how everything can piece together to really solve these complex problems and leverage technology to a desired outcome. So spent time in the military, spend a lot of time in core signals, working again with all these different types of technology where you just wouldn't get that exposure in many other places, so you would be there. Russell (08:32) I'm talking early 2000s where you had the capability of rolling into an area that had nothing and then within a couple of hours you had a full wide area network set up, you had satellite communications up and running. So being part of that was quite an amazing part of my career. Then from there, obviously one of the hardest bits and you've probably heard this from a lot of people you spoke to that have been in the military. Transitioning out is a challenge. Yes, I have one of the biggest challenges and I had to be very strategic on how I transitioned because I had a lot of friends that had spent quite a lot of time in the military that went out and being able to articulate the skills and all the different bits of technology and everything that you worked on in the military, translating that into when you're going for a job interview, being able to have the private sector really understand what value you're bringing to the organisation from the levels of exposure that majority of people haven't had. And you've got kids that are 18 that comes through responsible for multi million dollar systems. Russell (09:55) These are quite amazing things that such in an age to be exposed to that you're bringing that value into an organisation where you can understand and you've had that responsibility already. One of the big things for me was one transition out of the military that I'm still going to have a level of if we have a look at hierarchy. So I've been quite used to over that time being within an environment where it is quite structured but also transition out. So I've still got structure, but I do have flexibility and I don't have that desire or that need to go back into my safety net with, which is what I've known for so many years. So I left Australia. Karissa (10:48) But I get that. Russell (10:51) It was one of those things where I went and worked in the cruise industry for a number of years. Karissa (10:56) Wow, the Ruby Princess. Russell (10:58) Yeah. Because as I was getting towards the end of my military career, I was a qualified personal trainer. I was running a successful business out into south of Australia area and then I ended up being awarded a contract working as a fitness director for a company that was contracted on cruise liners. Karissa (11:21) It's so random. Russell (11:22) Yeah. And it was one of the things that was strategic for me for the simple fact that on a cruise ship you've got structure, you've got hierarchy. But at the same time I was far away from my comfort zone of what I've been used to for eight years prior and that support network that I had within the military, that it would be hard for me to just want to jump back into it. So I forced myself really to do that transition now, but still stay within there. So I continued that for a little while and still being in touch with It and security and keeping up with technology while I was doing that. Then I did that for a number of years, working as a fitness director and then also had a bit of an Apache cruise liners, setting up different business management level challenges. So taking all of this and working with, again, all the underlying It infrastructure that you would need to be able to be successfully running business on a global scale. So understanding the limitations you have with the technology, especially when you're out in the ocean. So understanding all of that, working on that until I eventually came back to Australia for a number of years and then left and worked in China. Russell (12:55) China was an amazing place for me to work. It taught me so much in the cultural aspect, understanding for myself, leadership experience, for how to understand and change my management styles based on where I'm communicating with teams around the world, having that ability to understand what the complexities are within the technology space, within the different areas of operation that we're working in as well. So having that experience, working in the entertainment industry, working with operation technologies, multinational organisations, working in, within the casino industry, spent a number of years in Macau, working in the entertainment industry, which was part of the casinos over there as well, and then spend a bit of time with organisation you may have heard of called with you? With me. Karissa (13:57) Yes, I do. I do know those guys. Russell (14:00) Yes. Karissa (14:00) I actually interviewed one of the guys, Thomas Mynott, and a while back, actually, maybe like two or so years ago. Russell (14:06) Yeah. Amazing organisation. Their mission is really to solve this problem that I mentioned earlier about the challenges service personnel have when transitioning out of the military into civilian workforce. So I spent a bit of time there working alongside some really talented people in developing course content that was relevant to the industry today and bringing a lot of the skills that I actually gained overseas, working with bleeding edge technology within casino environments and everything and all the learnings I've had from working globally back into teaching these military veterans, giving them a heads up and a bit of a lead into transitioning into the workforce. So that was a very rewarding experience. And I left there and now I am actually at the City of Newcastle as the Chief Information Security Officer, looking after the digital and information security for the City of Newcastle. So really rewarding role. Been there for two years now. I'm also sitting on the I'm a Chartered member of the VigiTrust Global Advisory Board as well, where we work with various law enforcement around the world, helping to really inform on policy how it impacts information security ground business, as well, as I said, on non for profit boards as well. Russell (15:45) In a big sort of history of technology and my roundabout experiences, that's from where I started to where I am now looking after the security for the City of Newcastle. Karissa (16:01) That's awesome. I love your journey, I love your experiences. I mean, look, I've interviewed well over 100 people now just doing this and everyone because of their experiences, their backgrounds, like military, non military, whatever it is corporate, it's helped them shape their thoughts, their beliefs, their opinions on security. And I guess that's the main thing that drives us to combat cybercrime, because not everyone is cut from the same cloth. Not everyone has the same pedigree. So I always want to talk about that because again, it's where someone started to where someone is now. And perhaps people listening can be like, oh, well, I don't need to become an engineer and then work my way up. Maybe you can come through another avenue. That's exactly what I did. So I think that always like to hear everyone's thoughts and their journey because we don't expect to have these people working in security that haven't come from that traditional background. So I really appreciate that. So I want to talk to you about something. Russell (17:04) Yeah, certainly. Karissa (17:05) And it's cost optimization because, look, when you're running things at your level, it's always about we've got to save costs and reducing costs and all that. But I'm really keen to see how you've managed to do this, because sometimes when you're working in a company, it's not your money you probably don't really care as much, but when it's your own bank account, your own money, your own company or whatever it is, you probably care a bit more. So I'm really keen to understand how this has gone for you. You can start from wherever, but I think this is a big one. People are cost sensitive in the market when they're talking to a vendor or supplier, whatever it is, this is a big question that people usually potentially could go here or there, depending on how much time is going to cost, right. Russell (17:55) 100%. And when you speak to majority of security teams, you ask them, okay, what's one of the biggest comments that you receive when trying to pull forward a project or trying to get traction into running any type of security initiative? And most of the responses you get cybersecurity, it's too expensive, we can't afford to do all of that. So it's a very interesting topic and it's something that I would almost put. Well, I believe it really comes down to maturity. And when I talk about maturity, it requires a fundamental shift in how security teams are perceived within a business, within an organisation. When you look at information security, cybersecurity, these are people that are specialising in risks around digital technology and you're hard pressed to find an organisation these days that is not impacted or does not have technology touch points anywhere. Karissa (19:13) Yeah. Russell (19:14) So organisation information security teams, security teams really are advisors to the business. So what I mean by that is they have their fingers on the pulse. They understand what the threat landscapes are they are studying, they understand what the compliance requirements are, they understand what legislation requirements are. They understand from a technology standpoint what's happening out there, where the thread actors are, what techniques they're using. So to bring this into a context of cost optimization, you look at how do we support the business in achieving their objectives from a risk perspective? Because the underlying things that drive an organisation, the organisation needs to be profitable, as you can imagine, and they need to have the ability to innovate. So if you put in the customer first, you're having that ability to go through and where we have had a lot of challenges in the past, especially with in cybersecurity, it is easy to get a reputation of being the nose. Okay, we're saying, no, you can't do this. No, you can't do that. Karissa (20:42) Yeah. Familiar. Russell (20:44) Yeah, exactly. So when you change this shift in mindset into, okay, the security teams, they don't own any risk in the organisation. The business units and the business own the risks. But your information security teams and your cybersecurity teams, they advise the business on the mitigated controls to enable them to deliver the value to the customer. So when you start to look at it that way now, the security teams have taken on more of an advisory capacity, looking at the risk management of the organisation. So when you look at risk and cost optimization, you are now looking at, okay, what are the business processes that are potentially costing overhead that are not allowing this business unit to solve their problem that they're trying to deliver value to the customer? You're looking at potentially? Have we, what's our asset life cycle like for our infrastructure? Have we got technology in place that is over spec? Are we utilising it correctly? Do we understand what our infrastructure looks like that it's optimised? So we're not spending money trying to protect everything instead of just protecting what is absolutely necessary for the organisation to be operational and to meet the risk appetite of the organisation. Karissa (22:24) I just want to interrupt there for a second. So when you say protecting things are absolutely necessity, I agree. What would be the mindset behind someone saying, all right, we got to protect every single thing? Why do people think like that? Russell (22:39) Well, it comes down to a lot of culture and also education and asking the hard questions. So when you look at maturity in an organisation, one big question is, who actually owns the data? Is it, if you're looking at employee data, does it on that data, or does your people and culture team own that data? Karissa (23:05) And then no one can usually answer that question. Russell (23:08) Exactly. So when you're starting to really unravel this and then look at, okay, how critical is that information to the organisation? Are there any legislative requirements that are part of that that needs to be secure and then put a classification next to it? Ok, is this actually a critical piece of data and information for the organisation that needs to be sensitive? If so, yes. Then have that also separated down into your asset classification. So if you start to then ask them questions and getting the buying from the organisation, that okay. If there is a sensitive bit of information that has a control that is administrative and this is why I come back to the risk should not be owned by security teams, because if the business owns a risk around now, that piece of information, but that mitigating control is actually an administrative control in a business process change, you now have more of a buying from the business to actually effectively address that control, rather than the It teams or security teams trying to tell the business they need to change their business process. Karissa (24:34) Do you think it's just easier for people to sit there and say, let's just protect everything versus all right, well, let's go and do a deep dive. Let's go into an audit, let's get everyone out there. Let's go and troll through everything in our company to find what's necessity. Do you think it's just easier to just go, okay, well, it's going to cost us an extra half a million Bucks for arbitrary numbers to protect everything. It's just a lot easier if we do that because I'm struggling to get my head above the water. Do you think that is a mindset people have? Russell (25:01) Definitely. And that's where it also comes down to that maturity as well. Information security and cybersecurity. It's a journey for any organisation. And doing that shotgun approach can only last for so long because that then in itself will create a lot of additional challenges for the organisation. So it will begin to snowball. And that's where it comes back to asking them essentially the hard questions. Because if we take that shotgun approach and just say, okay, let's protect everything, you're essentially not protecting anything. You're going to overspend in areas and you're going to blow out your budget dramatically. And that also comes down to burnout within the security teams and your It teams frustration within the organisation because you can't innovate as quick because you are outside your risk appetite of the organisation. So you've got all of these other layers that will continually build. When you say, okay, we really need to look at our maturity and how we're managing our information and how we're managing our assets and our technology within the organisation, we know, yes, okay, it's not going to happen overnight, but if we begin to work on this and start to bring our control and understanding and insight into what we're running in the environment, if we, for example, segment all these sensitive data over here, but we've got a part of the business that wants to really push this innovation piece around this public classification, for example, that doesn't need as much security or overhead. Russell (26:54) You've got a lot more flexibility to take on more innovation, trial new innovations and really push the boundaries to try and get that maximum value out for their customer while at the same time not over exceeding what the risk appetite of the organisation is. Karissa (27:11) So you mentioned when we spoke investing in the right areas and security. So I'm keen to understand what you mean by that now. It depends on who you speak to. People are going to say, oh, more firewalls, more this, more GRC, more consultants, more external consultants. So what do you mean specifically when you say this and then my follow up question to that would be, where do people in your experience typically overspend? Russell (27:37) Yeah. And that is definitely one thing that is a challenge for many organisations. So for me looking at that and it links back to that maturity piece and really understanding your asset classifications, information classifications requirements. And I'll use an example of PCI DSS, so the payment card industry requirements, if you've got that within your organisation, you want to described that as much as possible. So if you're looking at having all the requirements in a small subset, you can actually reduce the amount of controls that you need to invest there. So you're reducing cost. That way, when you look in at your organisation as a whole, you need to really understand the infrastructure? If you're looking for cost optimization, especially around that firewall piece that you mentioned, what's the set up are you really using the capacity that you need? So you really need to start to correlate and understand the metrics that you've actually got on that infrastructure. So how much of the compute or how much of the utilisation of these devices are you using on a daily basis? And start to leverage that data to make informed, intelligent decisions on how you invest in into the life cycles of that infrastructure, in essence. Russell (29:12) So when you're looking at that, understanding what the makeup and the structure of your organisation is, making sure that you're ticking the boxes of any regulatory or compliance requirements, then making them hard decisions, okay, what are the operational necessities that would then fall into a different classification? And from there, you can start to work with your CIOs, work with your enterprise architects to say, okay, truly, are we fit for purpose in this area, or are we actually overspending? And when it comes to information security, cybersecurity, there's a lot of products out there and this is where it becomes a challenge. Karissa (30:00) How do you know if you're overspending? Like, if your budget is, I don't know, 500K, you've gone to 600. That's obvious. You've overspent. But is there any sort of key indicators that you would look for? I've overspent there, yeah. Russell (30:13) And this is where it comes down to, okay, one example might be you've got some firewalls in place for the organisation, getting some metrics on that, on how much of the utilisation and how much of the functions are actually being used on that particular purchase, measuring that over a period of time and then asking that question, okay, is this actually too powerful for the traffic on the data flow that we're actually sending through? And if the answer is yes, again, bring that back and say, okay, let's look at downsizing that to ensure one we're not overspending on yearly subscriptions for particular firewalls or anything like that, is the information that's being protected from that particular firewall hypothetically doesn't require all of the assets within there? And it comes down to, again, if you got the asset classifications optimising your networks or your infrastructure. So if you've got a highly powerful firewall that is protecting public information and public accessible, that doesn't really require the same amount of security, that potentially sensitive information, ask that question, do they both need the same firewall? And then start to continually improve as you're involving? Because technology is continually changing and you're finding there's more and more options out there that are potentially less expensive, but they keep you within the appetite and meeting the functional requirements that the organisation needs, giving you that opportunity to reduce the cost. Karissa (32:08) So, going back to my question, where do you think people typically overspend, though? Because you are right, there are lots of products, you could get it cheaper elsewhere. But is there like a rule of thumb that you've just sort of seen that people just go, we'll just lump a whole bunch of money into that area. Russell (32:26) There's a number of things and for example, depends on what's happening in the industry. I do see quite a lot where people say we'll cheque everything into the cloud, for example. Now the question would be, is that really the right option for the organisation and does it suit what you're trying to actually move in there? So when you're coming up with the strategy of moving into the cloud, is the cloud really the best place for your critical infrastructure to be moved to? Karissa (32:59) Are people not asking these questions though? Russell (33:03) I do come across it where there is a lot of times people would want to just go with where we think the industry is going, but not taking that step back because you will get a lot of questions from the boards and different arenas where it's like, okay, how come you're not going to declare, why aren't we using this? Because it is popular within the media. Russell (33:28) The press, Karissa (33:29) and everyone else is doing it. Russell (33:30) Exactly. So it's really making them informed decisions. I'm really drilling down into is it really the best move and the long term solution for the organisation? And again, this comes back to being that advisor and understanding that risk. If we do that, what is the actual long term risk to the organisation? So if we do a full jump into the cloud, at what point do we make a decision that maybe that's not the best move and what's our rollback strategies. So you will see a lot of these great new products coming into the market, all these same solutions coming out. You've got so many cybersecurity vendors, threat intelligence coming out, that as information security is becoming more and more part of the business makeup, you've seen the market flooded with all these different solutions and quite a lot of them are great and it's really understanding what is the value that they're actually giving your organisation when you're going out and just purchasing this, are you purchasing to solve the problem and to ensure that the organisation is meeting the appetite for their risk? Or are you doing it because you saw it on the Gartner Quadrant or that's being talked about within the community? Russell (35:05) So you just want to get it for yourself. Karissa (35:08) So on that note, yes, of course it's a flooded market. There's so many products and services out there that a lot of them are quite good. But would you say that perhaps as an industry we are paying for products and services that we don't really need? Because I don't know someone's mate that they go play basketball with on the weekend bought that product, makes sense that you're going to buy it. Everyone wants nothing draws a crowd like a crowd. People like to follow what the next guy is doing, especially in Australia is a lot of that. That sort of happens in terms of mentality? Russell (35:39) I believe so. And the reason I say that is it's widely known that we do have a skill shortage across the industry. So when we have skill shortages within the industry, we look for how we can manage that risk. And if we're seeing a product that is promising to solve that problem, we will go out and buy it. And then, unfortunately, sometimes it doesn't live up to the promise. And then we're left with technology and multi year contracts that are not really serving the purpose and we're still left with that same issue of developing our people. Karissa (36:24) Can you define promising? A lot of people often say that you're like, oh, that's promising, and then it is a bit of a letdown, which happens. But is there any, again, key indicators that would allude to a product is promising. Russell (36:39) So if we use threat intelligence, that's a hot one at the market at the moment, there's quite a lot of organisations now are providing threat intelligence. And there's a difference between an organisation providing you with raw data that they've been able to scrape off the dark web versus threat intelligence. That is actionable to your organisation. That is some of the questions you really need to be asking when talking with these specific vendors is understanding, okay, is this a generic solution or is this going to specifically help my organisation and my teams to reduce the management overhead, but also give us that competitive advantage to really address a lot of the threat landscape? Karissa (37:42) You are right. It's a great question. Hypothetically, have you ever asked someone who's in threat intelligence, hey, did you scrape this from the dark web or is this actually actionable insights for me? Have you ever asked someone that? And if so, what was the response? Russell (37:58) Yeah. So it is one of my general questions that I do ask. Karissa (38:04) I figured as such, yeah. Russell (38:08) Because it's one of them things. Okay, if this is actionable to my organisation, what have you found? What is the likely impact and how old is it? How old is this information? So when you have a look, there's a lot of open source, it's red intel out there, you've got Alien Vault, there's quite a number out there. So if they're just providing you the same intelligence that you get from open. Karissa (38:41) Source, you can get yourself for free. Russell (38:43) Exactly. Karissa (38:44) But it's just a fancy UI UX Russell (38:46) 100%. Karissa (38:48) So then why would anyone buy that? Russell (38:50) Again, it comes down to that skill set and that school shortage, understanding the questions to ask. And is it a compliance piece to tick the box? If so, are they asking the right questions? Do they have that skill set? If they don't have that skill set, are they approaching consultants that specialise in it? Do you aid them in, for example, a tender process or an evaluation process? How can they leverage additional skills that they may be lacking to ask them questions. But when we look now, I think a lot of it is kneejerk reaction, especially with a lot of the news coverage. So we all know the increase in cyber attacks, especially within the last two years, the activity. Karissa (39:40) So do you think people like running out as we did with COVID, like buying of the toilet paper, whatever's there, we'll buy it, we'll take it and we'll take it from everyone else. Is that sort of what's happening? Karissa (39:51) A little bit, Russell (39:52) yeah, definitely. With everything you want to feel that you are doing something to protect yourself. Karissa (40:01) Yeah, I get that. Karissa (40:02) So it's like an assurance piece? Russell (40:04) Yes, exactly. And then what you need to do if you have brought something on, asking them questions, but again, never stop evaluating them. Karissa (40:17) So I like that as well. So as a rule of thumb, you've obviously, like you said, technologies change, your business requirements change. Sometimes things can be left there that no one's been using for like seven years and you're still paying for it. How often should you sort of do this exercise from what you're doing in your day job, what you've done before, which has made a big impact to your organisation in terms of how much money you've saved? Russell (40:43) Yeah. Continuous improvement. You should always be looking with technology, with everything you do in business. You want to continually look for areas where you can improve your offering and your support to the organisation. So when you look at that, you're understanding the business, you're out there every day talking to your business partners, you're talking to the people in the business, understanding what challenges they're facing. Because from there you can advise back of what potential options are to improve a process where some of the bottlenecks are some of the technology improvements that are coming available on the market, which as a security team, 90% of the time, the guys are already researching it and they're understanding the limitations within these products to be able to do that. I see that as a daily thing, to be able to continually improve the whole risk profile of the organisation because we are doing it as security. We're continually monitoring the threat landscape. And this is not just from external threats. We got to look internal threats, legacy systems, legacy processes, how we onboard people. So this is where, again, linking back to that fundamental shift in how we see security teams within our organisation because they understand, OK, what are the potential risks and what are some of the things we can do to reduce complexity? Russell (42:27) And if you reduce complexity, less things can go wrong. Karissa (42:31) Yeah, that's so true. I think that stuff about mindset continuously looking as well. I don't know. Do you think people are looking at other products? Perhaps that is a better solution. It may not even necessarily be cheaper, it may be the same price. Do you think people are doing that, though regularly enough that it makes sense that they should jump ship to another one because it makes sense for them. Do you think people are doing that as often as they should? Russell (43:02) It's a balance and it can be a challenge. As you know, many security teams out there, they're doing it tough. The workload is considerable and many teams are understaffed due to our skill shortage, being able to train people to really understand what they're looking at. So, yes, I believe it would be happening quite frequently. However, can we do better always? We can always do better. Karissa (43:37) Yeah, true. So switching gears for a moment, what do you believe some advantages that you've gained as a direct result of doing the cost reduction exercise? I mean, everything you've gone through today makes perfect sense, right? Love it. It's great place to start for people perhaps that are listening that are like, oh, my gosh, I need to start asking that question first. I need to ask these vendors that question. So I'm not purchasing a product potentially I don't need. So can you talk through some of some of the wins that you've had as a result of doing this exercise as regularly as you are doing it currently? Russell (44:12) Yeah, definitely. So when you look at starting to improve the material, starting to understand these little building blocks from an enterprise and business standpoint rather than an It issue, what you begin to see and some of the things that I've really been able to see across different organisations over the years is it allows you to one free up capital to invest in other areas and really have that innovation product, have that innovation bucket to take that additional risk to support the organisation and try and get that competitive advantage. At the same time, because you're having them conversations within whether it is to your board of directors, your leadership, you're now talking in terms that they understand. You're not talking technical talk, you're talking in terms of risk, financial impact to the organisation, as well as opportunities for further innovation and potential for revenue creation. So by allowing and shifting gears, by optimising cost and getting your risk appetite for the organisation to where they happily accepted it, it gives them a bit more freedom to be empowered to push forward a little bit quicker, take on additional risk. But if we relate that to the last couple of years, imagine how much it may have made a difference in Pivoting to now remote workforce. Russell (46:03) So if an organisation was already within their appetite, or at the time, if the organisation their risk rating for information, cybersecurity, it, etcetera. Was already well outside their appetite, imagine how much exposure they had then had to create due to the global pandemic. Karissa (46:30) Yes, those are great points. So for someone that is taking your feedback makes sense. They've gone through this exercise. In your experience, if someone to do this, what would be sort of the or how might a board or executive sort of respond to someone perhaps that have gone and done these exercises and have said, oh, we can save a whole bunch of money here because I've gone and asked these very fundamental questions. Can you share some insight perhaps, as to what the response may be? Russell (47:02) I'd be very surprised if anyone goes to any board or anything and tells them they can save them money through cost optimization. They've got a plan and present that the board would not be happy. When you look at governing an organisation, you want to make sure that you're not over exposing the organisation to any type of risk. And that might be legislative risk, it might be cyber risk, whatever. So if you're then presenting to these governing bodies with solutions to problems that you've identified that is in line with one in the organisation into their appetite, but also optimising spend that allows them to free up capital to spend in other areas, that's very advantageous for the organisation. And I would be very hard pressed to find anyone that would not be happy with that and would not get support in running them initiatives. Karissa (48:09) So ask that because just so hypothetically, you're the board director, and I come to you and say, hey, Russell, I'm going to do this cost optimization exercise, but you've still got a figure in your mind, and I come back to you after like three months and say, okay, this is how much we've saved. Do you think it's possible that potentially an executive or board could turn around and say, you just spent three months and you've literally saved like $7,000? Do you think perhaps there's a figure in their mind that they're going to save like $200,000 a year or something like that? And maybe the figure that perhaps someone's come internally with doesn't marry up to the figure they have in their head? Perhaps. Is there sort of a level that you need to give education? Yes, I'm going to do this. I may not find anywhere where we can squeeze anymore. I may, but it may not be as much as you think it is. So it's about that level of framing that conversation correctly, because at the end of the day, every board wants everyone to save money, but perhaps they have a figure in their mind which may potentially cause consternation because it's like, well, actually, you didn't save as much money for three months when you've been going to Recon work and you've only saved X amount. Karissa (49:19) So how do you handle that conversation? Russell (49:22) Yeah, definitely. And this is where it is really being upfront and doing that planning before you actually have that conversation. If you're going to present to the board, you really need to have all your Ducks in a row. You need to understand what you're going to be doing and marry that back to what are you trying to achieve? Are you actually trying to is the focus of this project you're going to lead right now to identify opportunities for reduction, or are you running this project now to reduce our risk rating down to meet our appetite and some potential outcomes of that may be the identification that we can reduce cost in certain areas. If you had done that Recon prior to actually having that conversation and you've already identified some quick wins. Yeah. 100%. Bring that to the table with that. So you really need to make sure you've done your due diligence before presenting anything to the board or to any type of organisation leader. Karissa (50:34) Do you think people do it prematurely, though, because they have every intention to go, I'm going to go save some money and that doesn't kind of work out that way? Or perhaps they save $5 and it doesn't live up to the expectation? Perhaps, yeah. Russell (50:48) And 100%, it's one of those things that you have an idea, you've got something you want to get the support from this executive sponsorship. You need to curb expectations, but you need to be very clear on what you're actually wanting out as an outcome. But also you need to be able to measure exactly what you're doing and have essentially your evacuation parachute. So at this milestone, if we have identified that this project is going to now blow out X amount of money, we're now going to come back to the board and then reassess and see if the board wants us to continue with the project or we take a. Russell (51:35) Step back Karissa (51:36) or change it. Russell (51:37) Exactly. And refocus somewhere else so you don't get six, seven or even eight months down the line. You've spent hypothetically $200,000 on a project that isn't actually going to be beneficial to the organisation in either reducing their risk or reducing other cost. Karissa (51:58) I hope not. Russell (51:59) Yeah, exactly. I do firmly believe if you cannot measure anything, you shouldn't be doing it. Karissa (52:08) Yeah. It's sort of like measuring twice, cut once. Russell (52:12) Exactly. And that's been around for a very long time for good reason, right? Yeah, exactly. And that's one of the things that you really need tagging or what is the thing that you're trying to solve. So we link that bag. We're looking for cost optimization. That's a financial risk. If we're overspending in certain areas, you now got an exposure of overspend to the organisation. So if you're running a project that is looking to reduce overall risk of the organisation or to keep it within the risk appetite, there's lots of different elements of risks that you are looking for and you try to reduce for the organisation. And if it happens to be, you come across an opportunity to reduce the financial impact. 100%. Put it forward. Karissa (53:03) Love it, love it. Very good practical advice and let's say people can take this away today and do something with it. So love your approach. It is very straight down the line because you are obviously ex military is what everything is great about you and it's tangible things that people can do. So really appreciate the time today, Russell and yeah look forward to getting you back on the show. Thanks a lot. Russell (53:27) Excellent been a pleasure. Really appreciate it. Karissa (53:30) Thanks for tuning in. We hope that you found today's episode useful and you took away a few key points. Don't forget to subscribe to our podcast to get our latest episodes. If you'd like to find out how KBI can help grow your cyber business, then please head over to KBI Digital. * This is an auto-generated transcription.