
Episode 111: Peter Soulsby


Peter advises CISOs on how to increase their business's cyber resilience by transforming their cybersecurity landscape. Peter is similarly passionate about building high-performing teams with an emphasis on people and culture. To achieve this, he relies on his three key strengths: leadership, logic and numbers.

Peter has been fortunate enough to hold senior leadership positions in both the cybersecurity and applications industries. This has given him experience of how organizations function and what applications enable this, together with the inherent cybersecurity risks that exist from infrastructure through to core business and client-facing applications.

Peter is at his best when given the opportunity to overcome a challenge, together with the resources, space and support to get it done.


Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Introduction (00:11)
You're listening to KBKast, the cybersecurity podcast for all executives, cutting through the jargon and hype to help you understand the landscape where risk and technology meet. Now here's your host, Karissa Breen.

Karissa (00:26)
Peter, welcome to the show. I'm excited to have you on this afternoon because when we were talking about the angle of the topic, this is an interesting one. I haven't covered it before, so I'm keen to get into that. But before we do that side of things, I'm keen to understand a little bit about you and your journey. Now, we did discuss this originally when we spoke, but I'm really keen for our listeners to hear a little bit more about your journey and talk us through where you started to where you are now.

Peter (00:57)
Super, KB. And can I just say, thank you so much for having me on the show. It's a real privilege to be here. So my career, that's an interesting question. So I have held various IT and finance-type roles before joining Dimension Data back in 2011 in South Africa. I started as a management accountant and got a promotion to be a financial manager of the applications business for Dimension Data in South Africa. And despite the fact that I studied a Bachelor of Accounting, the one thing I told myself was that I'd never be a financial manager, and I ended up in that position and, to be honest, was pretty unhappy. So having always captained the cricket team and the hockey team and sort of run sports clubs, I said to my boss at the time, I'd like to run a business. If you can run a sports team, surely you can run a business. So he took a bit of a risk on me. He moved me down to Cape Town to run the applications business back in 2014, and since then I've been running businesses within Dimension Data and NTT that spanned across both applications and security.

Peter (01:52)
I moved into the world of cybersecurity in around about 2017, and actually left Dimension Data, funnily enough, around the middle of 2018 to start my own business. I didn't get very far from the group. My first client in my business was Dimension Data. My second client was a subsidiary of Dimension Data, and then they asked me to come across to Australia to run the security practice here for Dimension Data and NTT in Victoria, which is what I've been doing for the last three and a half years. It's been an interesting run. Our business in this market has doubled, my head count has tripled, and we have a major role to play in Victoria in securing sort of Australian businesses. And KB, hot off the press: one of the things that I'm proudest of is our talent development in our business, and we have just been awarded an accolade of having the best internship in Australia.

Karissa (02:40)
Wow, that's awesome. Tell me a little bit more about it. What do people get in the internship?

Peter (02:45)
So for between six and twelve weeks, we take five students from Deakin University who are studying either their Bachelor of Cybersecurity or an IT degree and bring them into my business here in Victoria. And the focus of the internship is not teaching them how a firewall works or how an EDR technology works. It's teaching them the business of, I guess, cyber more broadly. So how does the sales team work? How does a presales team work? What do our consultants actually do? What is a day in the life of an engineer? They spend time with our key strategic technology partners, and we really just ingest them into the business and let them sort of run free, so to speak, and learn how a business actually works. A lot of what you don't necessarily get in a university degree is what your job is going to look like when you get into the market. So that's what we try and give the students who join NTT for that time.

Karissa (03:38)
Yeah, it's so true. I guess I like that because it's like a zoomed-out approach around the mechanics of how a business runs, because I think sometimes when we do operate in an independent silo, we do forget that there are other people that help with the overall operations of an internal and external business. I think that's great. I don't think there's a lot of people doing that, though, in the market, if I'm honest.

Peter (04:00)
Yeah. I think what makes it sort of unique with NTT is we don't sort of hide anything from the students. They really get exposed to the inner workings, the mechanics of a business, the careers of our executives, of our leadership. And what we do every year with the internship is we try and onboard as many students as possible into our graduate programme when they've finished their degrees, after they spend time in NTT. And the observation that we've had as a business is when they come into NTT, having done an internship with us, they're able to hit the ground running from day one as they join the business. So the time to value, so to speak, for the students that have already done an internship within NTT is incredibly short. So it really helps us as a business. It helps us develop talent. It helps sort of me develop my business. And I view that internship as a key tenet or cornerstone of the future of my practice here in Victoria.

Karissa (04:55)
Yes, I think it's important to start to develop that talent pipeline from university, even schools. So I think it's awesome. I think more people need to take a page out of what you guys are doing and start doing that, so we do have enough people to secure, I guess, not even Australia but globally. They keep talking about a talent shortage, but it depends who you speak to; you get different answers. So I'm keen to move on now. When we spoke, we spoke about a breach. So a breach happens, which is not ideal. The company manages it and then the media stops talking about it. So according to the public, that's sort of the end of the breach, right? Everyone, people move on, the next thing happens in media and that's really just how it works. But the key thing that I really want to speak to you about today is what happens after all the publicity dies down, people forget about it. Like, what are companies realistically dealing with, like, beyond the breach? Right. Because it's something that people don't speak about. They're like, oh, a breach happened, and then you hear about it and you hear people on social media, like, hammering people.

Karissa (05:59)
But then what happens now? The analogy that you and I spoke about was with the bushfires, for example. That was huge. I think it was 2019. I remember even in Sydney, I was flying back from Melbourne to Sydney and the sky was yellow. It went on for months. And people are still recovering from those bushfires that happened years ago. But since then, so many other things have happened that have taken over the media. So I'm really keen to hear from your point of view, what is the reality of what people have got to deal with after a breach happens?

Peter (06:31)
That's a great question, KB, and there are so many different sort of angles to that question or ways to answer it, probably. I'll start with the first and most notable, most obvious one. So breaches tend to get sort of organisations very excited and lots of people involved. And the first couple of days after a significant breach, people are working pretty much around the clock to try and identify, isolate, remediate, and just make sure that whatever has been impacted is known and you can sort of start getting to the bottom of what happened. Fatigue at that point sets in pretty quickly. You'd be absolutely astonished, KB, to see how quickly fatigue can set into people as they go through the process of uncovering and remediating from a breach. It's quite sad to see, in fact, because you see people burning out after a week or two. So the first thing I'd say that happens sort of behind the scenes that maybe people aren't aware of is that people aspect of a breach and how it can impact the likes of you and me if we're involved pretty heavily, both from a business point of view and from a personal point of view.

Peter (07:44)
That time away from family, that time away from friends. I've got two young kids, so if I'm working around the clock, I don't get to see them. And that fatigue and burnout can settle in faster than you'd think. So it's something to be aware of up front for anyone who's involved in the technology market, who's involved in cyber: beware the fatigue factor in the event of something going wrong. The second interesting thing that happens, that people don't necessarily get to see or experience through the media, is, I guess, what I call a loss of memory. So we've worked with a number of different organisations that have gone through challenges, cybersecurity incidents, and some deal with it very well and they make sure that they future-proof their business from that happening again. Others forget. You'd be surprised at how many people go through an incident, how many organisations go through an incident, and six to eight weeks later, when everything's back up and running, or longer as can be the case, they move on. So it's not just the media that moves on, it's the organisations themselves. And that's really disappointing for me as a sort of a practitioner in the market, because I've seen it too many times where organisations undergo a breach and incidents and, not even twelve months later, they go through it again.

Peter (08:57)
And the challenge that was or the vulnerability that was exposed the first time is pretty similar to the vulnerability that gets exposed the second time. So that loss of memory is not good. It's not spoken about in the media, it's not visible. I mean, not many people will admit to that, but it happens.

Karissa (09:17)
So just hold that thought for a second. Sorry, Peter, I'm keen to understand. You said people just move on internally. Is it because there's other work to be done, or they're like, oh, well, that was awkward, we've just got to kind of get on with it now, forget the breach? What is it specifically that makes people just forget about it and move on to the next thing now?

Peter (09:34)
Fascinating, fascinating question. There's no simple answer to that, KB. It could be priorities change, it could be that cybersecurity was never taken seriously in the first place. So when the breach happens, it's more irritating than anything else, and they just kind of move on afterwards once they've remediated and their business is back up and running. And both of those are really disappointing outcomes, because the more vulnerable organisations are, the more lucrative it is for hackers and nation-state threat actors to be doing what they're doing. The less secure we are as a civilization, as a country, as organisations for which we work, the more attractive it will be for hackers to be in their jobs. I suppose, so, a variety of things, but definitely seeing people move on very quickly after an incident happened. And I think you raise a great point there. It is a bit awkward, so the quicker you can put it to bed and move on, the better for certain people. That is absolutely the wrong approach. One of the things, KB, we were talking about when we spoke initially was staying the course. And I think it's so important after a breach to just remember why you're doing what you're doing, stay the course.

Peter (10:50)
Make sure that you remember the breach, if that makes sense, and make sure that you don't find yourself as a business in the same position that you were when you were breached in the first instance. And that happens. You talk about patch management and making sure your vulnerabilities are dealt with, so to speak. It's amazing how quickly organisations bring their patch management and vulnerability management processes up to date after they get breached. So it's amazing, again, how many businesses forget. And that good practice that they learned because they realised that they had to keep everything patched and up to date because of a breach, they sort of slowly transition back to that state where patching and good vulnerability management becomes too hard, which is, again, not where you want to be as a business. You want to make sure your hygiene is up, you want to make sure that on a daily basis you're doing the right thing and that you're as resilient as possible to cybersecurity incidents.

Karissa (11:42)
Now, there's a great point. Do you believe, so the media, they go on and on and on about it, and eventually something else happens, they move on. But then you've also got your industry peers hammering you, right, like, oh, they should have done this and that, which I find frustrating because it's like, well, you're not there, you weren't there, James. You don't know all the ins and outs. You're not an expert in this particular breach because you weren't there. So you cannot speak as intricately as people like to think that they do. Do you think that, because of the media and industry peers, that causes people to want to just move on quickly because they're like, oh, my gosh, if I'm going out somewhere and someone knows my company has been breached, I just get hammered with questions?

Peter (12:24)
Interesting observation. I think that's absolutely there. There's still this behaviour in the industry where something happens, an organisation gets hit, and quietly people start talking about it and all of a sudden everyone's phoning that organisation to try and sell them something because they can fix all their problems. And I'm afraid to say that behaviour is absolutely terrible. To be quite frank, the empathy that I think we need as an industry around breaches and being in the moment, the empathy that we need is far more than I think that we've got at this point in time. It still comes down to a lot of sort of hard selling of, hey, I've got a technology that can fix your problem, or I heard you've got a problem, have you looked at this piece of technology over here? That definitely doesn't encourage the right behaviour. I'd like to see a shift there, KB. So I think having been involved in a breach or an incident should be something, I wouldn't necessarily say you should be proud of, because maybe there's a bit of hygiene or maturity that wasn't there or that could have been there, but it should be something we encourage people to talk about.

Peter (13:28)
It should be something that we encourage conversation about. We spend a lot of our time in the industry talking about preventative controls and keeping people out. We don't spend enough time talking about breaches and recovery, I often say. And my advice to my audience is spend 50% of your time keeping people out and spend the other 50% of your time figuring out how you're going to rebuild your core applications, your core business, in the event that someone gets in. Because we certainly don't spend enough time there. And I think, to your point, it comes down to, potentially, there's a hesitancy surrounding that person or that organisation that had a breach, a bit of awkwardness, a bit of shame. That really shouldn't be the case.

Karissa (14:10)
So why would you believe people aren't speaking about breaches and recovery as often as you'd like them to be?

Peter (14:19)
I think there's certainly still a bit of a stigma attached to breaches. So to your point earlier, a bit of shame, a bit of sort of embarrassment, there's definitely. I've worked with a number of businesses who have gone through this for some pretty severe incidents, and there's definitely a directive still from certain organisations' leadership to keep everything quiet and not let anything get out, to not make the market, their suppliers, their clients aware of the fact they've gone through a breach, and that's from the top down. So when you get told directly from your board that you're not to discuss whatever it is that just happened, then that's that; your hands are tied. I don't know. I think as an industry, we could certainly take a different approach to this. Think of it this way. If your business is architected to recover within 24 hours from a severe incident, then a breach isn't a problem. If you can build your business again quickly, because you build your business with recovery in mind, then having a breach, well, at the end of the day, it's not such a serious incident if you're only offline for a couple of hours or a day.

Peter (15:34)
So I think the more we talk about it, and that's why I think we need to change our tack as an industry. The more we talk about it, and the more we talk about the recovery piece and what doesn't get covered in the media, the better off we'll be, because we'll know what's going to happen, we know what to do, we know how to recover, and everything can be a little bit smoother as a result.

Karissa (15:54)
Would you say, though, that many businesses in your experience can't recover in 24 hours?

Peter (16:00)
No, absolutely not. Something as simple as backups. So backups are often architected with restoring files or parts of the business in mind, if there's data corruption or someone loses a file. They're not architected to bring a business back up the line within 24 hours. There is technology out there that does it, but there could certainly be more investment from businesses in just making sure that backups and disaster recovery and business continuity plans are built with speed in mind, as opposed to where I think we were in the past, which is just making sure that everything is done regularly and there's tapes around and we have the data. But how quickly you can restore the data is the question we should be asking ourselves.

Karissa (16:43)
Gosh, tapes around. Well, okay. I'm curious then to know. So most businesses, and now everyone's working from home, remotely, work from anywhere. If you don't have some sort of a plan, it's going to get quite hard because you've got people working from wherever. Right. So how has that shifted people's mindset to be like, we've got to get a plan if something does happen, we've got to get people working online quite rapidly? I mean, the amount of money people could lose, depending on what type of business they are running, if things are offline. So I'm curious to know, like, has that mindset shifted, or are people still just doing the same old, same old?

Peter (17:22)
From where I'm sitting? And I'm very pleased to say this, I think there's been a huge shift in the market over the past couple of years because of remote working and the shift of the perimeter. I mean, your perimeter in the past would have been your office. Your network that you're worried about is at the office. Any breakout connectivity was from the office. So you secure your data centre, you secure your office and you're fine. Now your perimeter is your home routers, your home switches, your home WiFi, and connecting to applications. Often people don't even go through the data centre anymore. They go direct to access applications, applications in the cloud. And that mindset shift has been, it's been incredible to watch and it's been incredible to be a part of, because now all of a sudden your data is everywhere, you've got to think very differently about how you secure everything. And now, for me, visibility is key. So one of the things that we used to spend a lot of time on in the past as an industry is heavy network and perimeter security to keep people out. Now the shift in the industry has gone to, I'm not using my data centre anymore because everything's sitting in the cloud or in SaaS applications.

Peter (18:26)
So where is my data? Do I understand how it's moving across those different cloud networks and between SaaS applications? And something, for example, like Log4j towards the end of last year, what that exposed is visibility is absolutely key. KB, I can tell you, you can't secure what you don't know exists. And unless you have full visibility into your environment, you stand almost no chance of keeping it secure. So the shift that's happened over the past two years has absolutely helped from a cyber point of view to, I guess, allow businesses to be more resilient in the way they approach their applications, their data, who connects to what, and having visibility around all of that.

Karissa (19:07)
That's good. That's a good win. I think you are right. And of course, if you don't know what you don't have, that's impossible, right. People aren't Nostradamus. They don't know everything; they're not magicians who just know exactly every endpoint, whatever. Right. So I think that that's terrific news that we are moving in the right direction, which of course maybe isn't at the level that we'd like it to be, but at least it's in a positive direction. So talk to me a little bit more about, would you say people aren't thinking about what happens after a breach, though? As in, companies are still recovering six months post-breach. So I'd like to hear from your point of view, what are some of the realities a company can face six months on?

Peter (19:51)
Some of the realities are you may not even be fully back online with all the applications and data and connectivity that you had pre-breach. After six months, I've sort of witnessed businesses still struggling six months after a breach. I guess a few observations there. The first is inevitably there's going to be some sort of audit, maybe internal, maybe external, and the findings of that audit will get lots of people excited, specifically organisational leadership, and especially when that's done by an external third party. What I've seen is a view that whatever that third party says went wrong, or whatever those audit findings are, we just have to implement the remediation items no matter what. That's kind of okay. But my advice there would be to at least cast your eyes, as a CISO or a security team in your business, and apply your own lens to that. Because often audit findings, whilst they're very useful and helpful to show where potentially things went wrong and what could be improved, they're also done from the perspective of an outsider. So you have to apply your own lens and your own thinking to those audit findings and challenge them.

Peter (20:57)
Stand up and challenge something if you don't think that it's the right thing for your business. Too often I've seen organisations take those audit findings and run them into the ground. Spend twelve months just doing what was in the audit report. Yes. Maybe you get some more security controls. Maybe you get new technology and new processes, you get bigger teams or more investment. At face value, that sounds great. It can often introduce more complexity and, as a result, make your sort of management of day-to-day operations more complex. And inevitably the harder things are to manage, and the more technology and different services and what have you that you introduce, the more risk that you have as a business. So that's one thing. Just take those audit findings, apply your own lens over that, and make sure that whatever you're doing as a result of the breach is applicable to your business and the right thing for your business. Because to just accept that the audit findings are correct and you just have to do what they tell you, I don't think is necessarily helpful longer term. I think the other thing is, and I alluded to it in the other findings, it can introduce a whole lot of complexity, new technologies, new service providers.

Peter (22:12)
Remember that when a breach happens, the fewer different organisations, both internally and externally, that are involved, the better. Because to have multiple different parties running things down, different SLAs, different organisational processes, makes things complex, makes things hard when you need to be agile and as quick as possible to sort of run an incident to ground and rebuild your business, introducing all that complexity as a result. Again, I run a cybersecurity business, make no mistake, I'm quite happy for people to do lots of different projects and introduce new technology, because guess what? I'm a business manager and at the end of the day, I need to turn a profit from our business and that's good business for me. But also, you run the risk of actually putting yourself in a worse-off position longer term because of all that complexity that you introduce. It's just simple things like maturing your processes to handle different technology and different services is not actually, at face value, as easy as it seems. And the more service providers you introduce into your business, the more challenging it is to coordinate sort of operational activities across those service providers. So the second thing I'd say is, again, apply your own lens.

Peter (23:21)
Remember that complexity doesn't actually help longer term, even though getting a hold of new technology and capabilities into your business may sound good in the short term. And again, back to our original point. Stay the course, do what's right for your business, and make sure that you remember that the reason that you're doing all these things, the reason that you're remediating all these items, is because of that breach.

Karissa (23:44)
Okay, so let's talk about staying the course. Now, I think the analogy we used is like going to the gym. So I remember in lockdown, where I live in Sydney, everyone was going for a walk. It was packed and I was like, oh, my gosh, it doesn't feel like a lockdown now. Maybe people are doing other things, but it feels like now people have gone back to their life before. They've forgotten about working out and going to the gym and all these types of things. So I'm curious to know. It's very easy to set an intention, I'm going to get fit, I'm going to do the thing within the company, but then a week goes by, or like six months goes by. It's very hard to have that level of stamina, to keep doing that and staying the course. So explain to me a little bit about this and maybe some advice you have around staying the course.

Peter (24:32)
Yeah. And the gym and walking analogy, that's spot on. And it's very much the same when it comes to staying the course after a breach. Introducing new technology, new controls into your business after a breach is all well and good. I think one of the things that we need to focus on is processes. Introducing process and making sure the process is embedded across your business to encourage good hygiene. So again, back to things like patch management and making sure that vulnerabilities are managed in an appropriate way. A lot of that comes down to process. So it's great getting a vulnerability management tool into your business, but if there's no process to sort of deal with that longer term and make sure that that's embedded into your business, then that vulnerability management tool is just going to, over time, get used less and less and less to the point that it probably gets shelved until the next breach happens. Making sure that cybersecurity, and this is a term often used in the industry but probably not practised enough, making sure that cybersecurity sits at both an executive and a board level in terms of visibility. It's not something that should be dealt with when it goes wrong; it's a continuous process.

Peter (25:45)
No organisation ever reaches a point where they are secure. Some organisations are more mature than others, that's obvious. But there's no Nirvana that any business has reached that is absolutely secure. You have to treat cybersecurity as a monthly, daily, annual thing within your business and keep improving, keep measuring, keep monitoring and making sure that you're continuously moving the dial. Some of the things that we look to do as a business, by way of example, is continuously going back in and assessing the maturity of organisations that we deal with to make sure that both us and them are continuously turning the dial and moving their operations forward so that at no point does anything become stagnant. You have to figure out a way to not just do a roadmap and strategy every three years and then sort of execute against that and then pop your head up in three years' time and think about it again. You need to constantly go back and review your priorities, review your strategy. Times change, organisations change. Covid was a great example of that. No one knew that we'd be sitting at our desks at home doing remote working in December 2018, yet by March 29, sorry, December 2019, yet by March 2020, three months later, everyone is sitting at home using remote connectivity to get to critical business applications and have access to critical business data.

Peter (27:06)
So keep moving, keep changing. Never accept that now we're secure and be done with it. And I guess the final thing I'd say there, KB, or the final piece of advice, is, I mentioned this a little bit earlier, spend more time on recovery. Spend more time on understanding what it takes to get your key application back up and running that runs your business. So that key application might be a financial application, it might be a student system, it might be a logistics system, it might be a management or manufacturing system. The quicker that you can get that application back up and running, or those applications, there will be multiple applications in your business that are key to your business, the quicker you can get those back up and running, the more resilient you are going to be as a business. It's all well and good focusing on keeping people out. But resilience, organisational resilience, cyber resilience doesn't just imply keep people out. It's about how you rebuild your business from the ground up when everything gets taken off. And so if you focus, and continue to focus as a business, on how to get those key applications back up and running, then a breach becomes less important.

Peter (28:13)
It becomes less of a problem. It becomes less sort of earth-shattering or organisation-threatening. So keep at it. Make sure systems and processes are built and maintained to continuously improve your business, and make sure that you spend time on recovery.

Karissa (28:27)
Would you say that people have this view in their mind about reaching this Nirvana state, perhaps? And then it's like, oh, well, I'm never going to get there, because sometimes it's like, oh, I want to lose 50 kilos. And then you're like, oh, I can't even lose one kilo. And then you sort of end up giving up anyway because you set the bar really high, which is absolutely great. But then do you think that people set this bar of this Nirvana state of security and they just know they're never going to get there and so they just give up, or what's the mindset behind that perhaps? Yeah.

Peter (29:00)
It's interesting, KB. I think a little bit of fatigue sets in, so there can be lots of excitement when an audit happens or a breach happens, and there's lots of attention and budgets allocated and so on and so forth. Much like the media you referred to earlier finding something else to report on, organisations find something else to be concerned about or prioritise. And that absolutely happens.

Karissa (29:25)
And it just goes by the wayside, I'm assuming.

Peter (29:28)
Yeah, yeah, very much. It does go by the wayside and it's understandable. As regrettable as it is, it is understandable. And I guess that comes down to them, the quality of the individuals that you have in the business. Right. A good CISO will constantly keep their board under pressure to make sure that they're aware of the risks that an organisation faces. They've signed off on any sort of major risks and have taken and accepted responsibility for them, and they know that they're going to get sage advice that's applicable and in line with their business strategy. I guess there's a number of ways to keep going, so to speak, and keep up the pressure. And as simple as it sounds, KB, it often comes down to the quality of individuals within a business. You need someone who's going to be dynamic. You need someone who understands business risk running your security operations or the office of the CISO. You need someone who can clearly articulate what risk means to business and speak in English or layman's terms to the board and represent what that risk means to their business. So akin to going to the gym.

Peter (30:32)
I'm probably one of those who've said I'm going to lose 20 kilos quite a few times in my life. Whether or not I've actually managed to get there, I won't necessarily disclose on the podcast, but I guess it also comes down to a bit of muscle memory. I guess it's like running a business. You can't just come and spend six months trying to fix the business and then take your foot off the gas. Running a business every single day, there's lots of little tasks you have to do that culminate into one big operation and you have to keep your pressure, keep going, keep the pressure up and keep the business moving forward. Otherwise it will slip very quickly. It's the same with cyber security. You have to keep the pressure on, you have to keep going, you have to keep the team motivated and you've got to stay the course.

Karissa (31:16)
Well, I guess that sort of leads me to my next question. Would you say it's fair that organisations are just too focused on getting their head above the water, then perhaps focusing on what do we learn from the breach or how did we go wrong? And maybe that's because, yes, that was stressful, but then business as usual, things still need to go on, right? The world keeps turning.

Peter (31:38)
So what I've noticed, to talk about keeping ahead of water, and what I've seen in many organisations is that the office of the CISO, the security team, run around responding to audit requirements, legislative requirements, executive requirements, and just spend a lot of their time just answering questions and making sure things are compliant and things are in line with management expectations, and they don't actually manage to get their head above water, to your point. So it's a very difficult thing to do because if you're spending all day and all night just responding to demand as opposed to thinking about what you need to do a little bit longer term and what actually isn't right for your business, it is very challenging. I'm seeing this more and more. I was chatting to an IT executive the other day who reckons he spends more than 50% of his time just on responding to legislative and sort of government requirements around certain things that they needed to do as a business because of the industry in which they operate. More than 50% of your time just responding to legislative requirements and the like. That's not going to help your business be more secure or move forward.

Peter (32:49)
That is literally just trying to keep your head above water. It's not slowing down. There's more legislation that's coming as organisations, or not organisations, but countries look to reduce their risk profile and globalisation. We spent 15, 20 years sending things offshore to low cost destinations and to reduce optics and reduce operating costs. Now, as an industry, we're bringing everything back onshore because we want all of our data and services to be in Australia. That's a fundamental shift in how we work as sort of an industry and how organisations manage and operate their information technology, and that legislation that's driving that. It's not going to stop anytime soon. So I'm not too sure what the answer is, what the golden bullet is, other than having massive teams in your business just to make sure that certain legislative requirements and government requirements are being adhered to, because it often falls onto the office of the CISO. And so to your earlier points, when you're not responding to those requirements, you're trying to make sure that your operations are safe and secure. But to be frank, you're probably not spending enough time just thinking and reflecting on what's right and what's wrong for your business.

Peter (34:06)
So, challenging one. Very challenging one. I haven't seen many organisations get that one right, KB, if I'm honest.

Karissa (34:15)
I guess it's hard. I mean, there's an analogy that they use when you're an entrepreneur, like, are you working in the business or are you working on the business? Right. And so how I see it, in the business is doing operations, responding to the legislative requirements, for example. But then on the business is having that reflection and the introspection on all this is where we went wrong and having that team around you. So I'm guessing my question is why? I mean, if you're an executive, that should be a role, right. You should not be sitting there doing operational stuff. You should be saying, this is the vision, this is the plan. We've got to get these people to project manage these big IT projects that we need to run or whatever it may be. Right. But isn't that your role in that executive? Others, I'm curious to know why people perhaps aren't doing that, even if it's not 100%. But even like 50 to 60, 70, 80%.

Peter (35:05)
80% will be different for every organisation. The gentleman that I was referring to. Yeah, I agree. It's not necessarily what you think an executive should do in a business, but so be it, I think, KB. And then it also comes down to financials and costs. Right. As organisations are trying to make sure that they're as operationally efficient as possible and return the highest possible margins and operating profit to their shareholders, the questions will often come about dollars and whether or not those investments are required for people to actually go and do that. I think we underestimate the impact of all these different legislation and requirements on our businesses and the industry more broadly. I'll give you a case in point there, and I'm sorry, I'm staying away from sort of the executive question, but in bringing data and services back onshore during COVID, funny enough, with the borders closed, it's a real challenge. The supply and demand curve in Australia has been very set over the past couple of years, or certainly the supply curve, because we haven't been importing talent into Australia with the borders closed, but we've put a lot of pressure on businesses to bring services onshore where there haven't been additional people to go and take on that onshore requirement.

Peter (36:26)
So it's put more and more pressure on the industry to find people that, quite frankly, don't exist. And if you can't bring in from overseas because the borders have been closed, fortunately, with everything opening up now, again, that's going to, I think over the next two, three years, we're going to slowly start solving that problem. But we face a very real skill shortage problem in this country and there's no easy way of solving it. And again, I apologise. I digressed a bit from the executive question, but it made me think about some of the industry challenges, I guess, that we're facing.

Karissa (36:58)
No, I do hear what you're saying. That's definitely been a problem, especially on getting overseas talent in country. So would you say then that the board, perhaps this is an ideal world. Right. I get it. Things happen. Ideally we want things to run like this and it may not always happen because, you said, talent shortage, financials, there's not enough people that we have on site, can't afford to hire more people. But don't you think a board should be almost like pushing their executives to be like, right, a breach happened? I really need you guys to focus on how you've got to think about it, and you touched on it before, like focus on the recovery side of things. Don't you think they should be pushing for that though, versus let's just get our head above the water, let's just keep things operationally running? Like maybe it's a shift in mindset so this doesn't happen again or how to get it better. Like they should be actually saying to their team, you guys need to spend a week or whatever it is to think about what is the plan to get us out of this mess long term and for it to never happen again, hopefully.

Peter (38:02)
KB, I would love to say that I've seen that happen a lot, to be honest. I haven't necessarily, not to say that it doesn't, but I agree with you wholeheartedly. If we're going to take this seriously and if we're going to make sure that we protect our organisations, the businesses that we work for, then it has to come from the top down. It has to be taken seriously at a board level. And I think often it is, to be fair. I've certainly seen lots of evidence of cybersecurity being elevated to a board level and being taken seriously. I still think we're a few steps away from managing to invest appropriate time and money into making sure that we're as resilient as we possibly can be as an industry. So I would love to see sort of a team, the organisation's security team or office, being given a couple of weeks' break, so to speak, to make sure that resilience and recovery and everything else is sorted out, because to deal with that on top of everything else is challenging. The good news there, KB, is I've seen very real evidence of the Office of the CISO being allocated more responsibility, which is good.

Peter (39:13)
So when things like organisational resilience or cyber resilience start falling under the Office of Security, when things like physical security start falling under the Office of Security, when disaster recovery and business continuity plans are directly under the Office of the CISO, that's good, because, firstly, it gives acknowledgement to the fact that the Office of Security is ultimately the ones at the end of the day that can and should be responding to breaches and have operational control over the response to a breach. It also means that, I referred to it earlier, the more complex your business is, the more complex your technology estate is, the more service providers that you have in your business, the more difficult it is for you to functionally operate both day to day and in the event of a breach. And so more organisational responsibility gets consolidated into the Office of the CISO. So I think longer term, that can only mean good things for businesses more broadly. So if you're listening to this and you're thinking about the function of the Office of the CISO in your business, I'd ask you to consider the role of the Office of the CISO and his or her team more broadly in your business, what they are and aren't responsible for, and think about what you could potentially transfer into that part of your business and allow them to take more operational control over it.

Peter (40:31)
So this may sound a little bit controversial, but the more operational control a CISO has, the better, and the more chance he or she has of actually functionally recovering a business in the event of a breach.

Karissa (40:46)
And so just pressing on that point a little bit more. Do you have any other sort of strategies that companies can share, like learnings from a breach to disseminate that across their team, but then also upwards to their board as well? Yeah.

Peter (40:59)
I guess the first thing I'd say is, don't panic. I've seen a lot of people and businesses panic. In one instance, I was even writing an email on behalf of the managing director of a business to send to their direct reports on what's happening and sort of next steps, to send it on their behalf, because the individual at that point wasn't, I guess, calm enough to be able to put that together in his own mind. And that was a pretty daunting thing to see. Right. So the owner of a business not being able to put an email together to his direct reports to explain what was going on was a pretty interesting situation to find myself in, putting together an email on their behalf. Don't panic. Understand that at the end of the day, yes, it can be potentially devastating, but it's technology, it's process. You can get it back up and running. And I just don't feel the need to hold everything to yourself, keep everything to yourself, and not tell the market, your clients, your suppliers, because cybersecurity is an interesting one. So in the event of an incident, if you don't inform the market, I guess, or share your experience and inform key people as part of your supply chain, you can fundamentally break down trust with your business, both within your business and within the market in which you operate more broadly.

Peter (42:32)
These things get out. The more we pretend they didn't happen or decline to comment, the more distrust it creates in your market more generally. And it may actually negatively impact your operating revenue, your market share. Because if people lose trust in you as a business because they're aware that something happened, but you're denying it flat out, that may have a direct impact on the trust that they have in your business more generally, and they may take their business somewhere else. So don't feel the need to keep it from the market. Don't feel the need to hide everything, because the first thing you'll be doing is breaking your own business, potentially hitting your own market share, your own revenues and profits. And the second thing you'll be doing is you'll not allow others to learn from you and allow them to make their businesses more resilient. One of the things, KB, that I believe in is a community approach to cyber, and that's a pretty broad statement. But one of the things we did back in South Africa was we built what we termed a retail information security community. What that was, we had all the retailers in South Africa across multiple locations signed up to the community.

Peter (43:41)
We met once a month for 3 hours. So a fairly lengthy meeting, quite a big commitment. We had representatives from Security and IT join that community and share their experiences. Not necessarily breaches, but their approaches, say, to either 27001, or we had an organisation present their cyber security strategy to all their competitors. And that was really interesting, right? It took a lot of time to build up that trust and that safe place for them to be able to share. But when we got beyond that, those organisations learned and benefited greatly from sharing their experiences. So before we built that community, no one ever spoke to each other across those different businesses. After we built that community, we created a network of people that could share experiences, could share approaches, and those organisations learned as a result to do things faster, better, spend less time and money on difficult challenges, and it materially moved the maturity of the retail community back in South Africa. So approaches like that where you feel safe to share things, you can share your experiences, and it doesn't have to be in the media, KB, it doesn't have to be in sort of ABC or SBS.

Peter (44:52)
It can be in communities in which you feel safe. It can be industry communities, whatever that might be. But get out there, share, make sure that there's trust in your brand, because people will trust you if you open up. And make sure that other people learn from you. Both will be helpful.

Karissa (45:09)
Wow, that's excellent. No, I like those ideas. I don't think the people I've spoken to in Australia, we're not doing enough of that. So definitely some food for thought for people to take away from this interview today. So really appreciate your time, Peter. Thanks for coming on the show. Really appreciate it.

Peter (45:25)
Thanks, KB. Thank you. Cheers.

Karissa (45:27)
Thanks for tuning in. We hope that you found today's episode useful and you took away a few key points. Don't forget to subscribe to our podcast to get our latest episodes. If you'd like to find out how KBI can help grow your cyber business, then please head over to KBI Digital.