Introduction (00:17) You are listening to KBKast, the cyber security podcast for all executives, cutting through the jargon and height to understand the landscape where risk and technology meet. Now, here's your host, Karissa Breen. Karissa (00:31) Joining me today is Tony Jarvis, director of Enterprise Security Asia Pacific in Japan from DarkTrace. Tony, it's good to have another conversation with you and a little bit more fidelity about topics that I think people really want to know answers to. So, firstly, thanks for coming back on the show while a different form of the show. But then I want to sort of start with there's a big push about Australian sovereignty and I want to hear your thoughts on it, because there's a lot of things in the press and the news at the moment, so I'm keen to sort of hear your perspective. Tony Jarvis (01:02) Yeah, sure. Hi, Karissa. Really good to catch up again. You're right, sovereignty is a big thing. We're hearing that word again and again in the media from various departments. What does it mean? What is it all about? I think at the heart of the matter, there might be one or two things that resonate with the majority of us, but it will be a case of different people may have slightly different takes on what this really means to them. Certainly happy to share my take on it. To me, when I hear sovereignty, what I'm really thinking is, if we're talking about a country such as Australia, can we trust that what we're being told or what processes being followed or what sort of operations, even that's in the technology space is being controlled 100% by ourselves, for ourselves? Is there any danger of some outside party, some foreign nation interfering in any way with what should be domestic matters? That, to me, is really what I think of when I hear the word sovereignty. And it brings to mind all of the typical things you might have seen in headline articles over the past few years. Tony Jarvis (02:13) Right? We want to avoid things like misinformation, we want to avoid things like election tampering. We've got lots of cases of if you're building telecommunications networks and putting certain devices in there, is that safe? Will they be able to monitor what's actually flowing over the wire? And if you look at it in a little more detail, we could also potentially talk about something like resilience. So not only the sovereignty itself, but are we resilient as a nation? Can we rely on ourselves to do a lot of the things we need to do independently? And I think in the last two years or so, having our own vaccine supplies is a phenomenal example because it really drives home the importance of being self sufficient. So to me, that's sort of my high level take on sovereignty. I totally understand that. Different things to different people, though. Karissa (03:04) Yeah, that's a good point that you raise, and I think maybe even going back a few years ago, do you remember? I mean, I know that you live in Singapore, but you're Australian, so you probably would have heard this story when they were going to roll out the Huawei and then they did it, they cancelled it because they like, oh, this actually poses a pretty big threat to Australia and wanting to sort of take back that sovereignty piece. So I guess maybe that's when the conversation started to emerge a lot more. I guess in recent times, because of what's happening in the world, it's meant that Australia has to focus on that. But what are you sort of seeing in terms of where do you think that conversation has sort of started, or do you think there's just been a slow burn? But now, of course, what's happened recently, it's meant that the government had to focus on this more? Tony Jarvis (03:46) I think that's a really good point and I would actually argue it's a case of both. I mean, there has been a slow burn, for sure. It's something that we have been talking about as an industry, even in the public domain, for quite some time. But when you do have cases like the Huawei debate as an example, it's not the only debate, but certainly a noteworthy one. For better or for worse, it serves a really good focal point of bringing these matters into the public domain, getting people talking about them, getting people interested in things like national security. And that can be somewhat hard to do at times. So I think that's great for debate, for people asking the right questions, for people genuinely being interested in finding answers and actually being able to rely on those answers as being accurate. So, yes, this does really pave the way to governments, organisations, individuals all working together, sharing information and being part of the greater conversation. Karissa (04:47) I guess if we zoom out a little bit more and focusing on the consumer level just for a second, people were complaining back in the day, like, oh, it's Australian made, it's a lot more expensive. Do you think that is potentially the apprehension as to why we don't have as much sovereignty as perhaps we should have? Because things are more expensive in Australia, because in the last X amount of years we've been relying on other nations to supply us with good services, even people. What are your thoughts on that? Are people still going to have the same complaint, like, oh, it's too expensive, or do you think that that's going to dissipate now? Tony Jarvis (05:24) It's really tricky to say. It's a really good question, though, if we're talking about Australia made and prices being somewhat higher, there's different fields where this is going to be scrutinised in different ways. So if we're shopping on a supermarket shelf and we see two products side by side. One is Australian, more expensive, one is foreign and cheaper. Well, that may really come down to a dollar and cents decision. But if we're talking about security, if we're talking about governments and the security of our nation, well, that's somewhat different in terms of the conversation we're having. That comes down to trust and being able to rely on what you're seeing is really legitimate. Is anything being tampered with in some way? We cannot build everything ourselves, I don't believe really any country can. There will always be reliance on other countries to provide us with certain goods, maybe certain services. But I think at the end of the day, it just comes down to, let's look at this carefully. Does it make sense for us to build certain things ourselves? Does it make sense to outsource it? If we do outsource it, who are we outsourcing that to? Tony Jarvis (06:33) Do we have visibility over the quality controls in place? Can we do our own cheques on? Is this what we're signing up for? Are there any hidden surprises? Can we trust the party that we're actually receiving this from? So I think there are some of the questions we need to have in mind when we sort of embark on these conversations. Karissa (06:51) It's going back to the dollar and cents. So, for example, it's got a security company and the government is like, all right, we're going to leverage all of our capability in Australia, for example. Does that then mean that security companies know that the government is going to use them so that they can drive their prices up? And if so, will it drop their prices up? Tony Jarvis (07:07) Again, a really good question. I know that I've been working in security for a while, especially from a vendor space, and there really is price sensitivity. A lot of organisations will have a policy of if they are considering putting certain protections in place, they will shop around, they will go to a number of different vendors, get a number of different quotes and prices are certainly one aspect, one criteria they look at. So I don't believe that price hiking is necessarily going to be something that is tolerated by the people signing off budget. At the end of the day, that's something I don't really see happening too much. And you've really got to temper those expectations with the quality of the service or offering that you bring to the market. If there is a significant price attached, people really do want to expect that they are receiving a superior product and so those two do really need to go hand in hand. Karissa (08:12) So, just moving on now, in terms of switching gears, the Australian government is concerned about the growing attempts by foreign governments or their proxies to exert inappropriate influence on and to undermine Australia's sovereign institution. So how do you believe we, as an industry can address their concerns? I know we've touched a little bit now, but if we go in a little bit deeper, I'm keen to hear your thoughts on it. Tony Jarvis (08:39) Absolutely. I think collaboration is key, but how should we go about that collaboration? In my personal opinion, I believe it really comes down to acting with integrity and honesty. It is sometimes difficult to get a listening ear in certain government departments. They are by nature very guarded about the information they're willing to share, who they will choose to trust, and for very good reason. And so when the opportunity does arise that they open the door and they invite you to come and sit down and have a conversation. I believe being upfront walking the walk, it is paramount, as is doing a lot of listening. There's no point coming in with a predefined agenda and saying this is what we want to talk about. I believe in listening more than talking. Asking them to actually advise what is on their mind, what are priorities for them, what are they looking forward to over the next six to twelve months or longer and how can we potentially help? That's really why we're being brought into the conversation. We're there to help in some way. So we need to work with them, certainly need to understand their specific requirements. Tony Jarvis (09:53) Every industry is vastly different. Health care has completely different needs to something like transportation as an example. Sure, technology does play a part, there's a lot we can talk about there, but there's more. So we do need to partner with them. And sometimes we actually get asked, vendors do get asked to collaborate when there are significant events taking place that might be elections, that might be working with them during elections and making sure we're not seeing anything unusual taking place. It might be collaborating for major sporting events much to the same effect, just different industries. So I think listening is key, working with them and really trying to do your best to be a trusted adviser and that term is bandied around a lot in the industry. I know, but trust is critical and you do have to earn that trust. Karissa (10:44) Okay, so a couple of things in there. You said collaborate. Do you mean collaborate with the government or do you mean collaborate with other vendors and service providers in more like a tech stack? Tony Jarvis (10:53) I believe it would be all of the above. So collaboration with government? Yes. We cannot help the government if we don't understand their needs and what they are asking for. That comes down to having the right conversations and having them in a way that there is trust in the room that they feel they can talk honestly. But I think we also need to collaborate with other vendors and other parts of the technology stack because we do need to be working together. No one vendor will solve every single challenge in the It domain. It's literally impossible. Collaboration, integrations and working with other vendors is a very big part of ultimate success. Karissa (11:33) So just pressing on that point a little bit more, one of the things that I've noticed in our space, and I've spoken to a number of people in interviews as well, we talk about sharing and collaborating. I think in Australia we say that, but I don't think we do it. And I want to know why. Is it because we are a small nation and everyone's trying to keep, quote, unquote, their contacts for themselves? I would say people are apprehensive to collaborate with other vendors. I don't see it as a zero sum game, but I'm also not a vendor. But you are, so I'm keen to understand what's your thoughts on that? Tony Jarvis (12:02) It's a really interesting question and I think there are answers from different perspectives. There are certainly answers from end user perspectives, there are answers from vendors focal points. So end users have a really tiring job. They're working nonstop, trying to defend their organisations and trying to defend against what they're seeing, improving their security, that's their number one focus. So for them to sort of take time out and say, look, we've seen this, let's go and share that now with someone else and try to help them, that may not be at the very top of their priorities and somewhat you can certainly understand that. So I think we all need to be cognizant of sharing is ultimately helping ourselves. The more we share with others, the more it sort of comes full circle. But from a vendor's perspective, yes, I have seen certain vendors try to close up and run as a closed ecosystem and really not open the door for integration, but I think that's really shooting yourself in the foot to a large extent. I know in Darktrace we place a huge emphasis on integration because not only do we feel we bring a really great product to market, but we also want to help organisations get additional value out of the existing tools they already have in their security stack. Tony Jarvis (13:24) So I think that's something that really is ultimately helping everybody, the vendors and the end users, something I would certainly love to see more of. Karissa (13:32) But why do you think there is a closed ecosystem? Is it going back to my point before, where it's like, ha ha, I want the contact for myself? Is it that self serving, do you think? Tony Jarvis (13:42) I think it could be a number of different elements. That may be one, yes, certainly. But I think some vendors may just have an unrealistic idea of the extent of their capabilities. It might be a case of why would we bother integrating or working with other vendors if we think we can do it all ourselves? So that is something I do see from time to time and I think that's something that we really need to work on as a conversation between industry and end users or organisations. Because even if you can do something yourself, I have always been a proponent of multi layered security. You never just want one security tool to do a certain thing that needs to be done in terms of keeping your organisation secured. You want to have these multiple tools in place. If something does slip through your first line of defence, you want a second sitting there waiting to sort of take up the reins and see what might slip through potentially a third. So I think this is something that we do need to keep in mind, something we definitely need more of. Karissa (14:48) Do you think as well, if we collaborate more in the industry, so provided people are a little bit more open, they're not so close ecosystem to your point, we would get better traction with the sovereignty piece then, because we are saying, like, hey, we can actually work together rather than trying to work independently. So would you see that then changing over time? And then, if so, would that then help the government's enforcement of the sovereignty piece? Tony Jarvis (15:15) I think so. And I think it does have an onus on multiple parties here. So we've talked about the end users, we've talked about vendors, but government as well. Sometimes it's very difficult for a vendor to walk into a conversation and not have a higher level understanding of where it fits into the grand scheme of things, what other parties are involved, what their responsibilities are. So it's really hard to figure out where they fit and what role they're supposed to play. And again, I do completely understand the nature of things. We are talking about government, we are talking about national security, and so we have to be somewhat guarded on a lot of these things. But certainly the more information each of the stakeholders have available to them, the more they're able to understand what is trying to be achieved overall and how they can potentially work towards that and help make a success out of that as well. Karissa (16:12) When you say somewhat guarded, what do you mean by some? What? Tony Jarvis (16:16) Well, I have had a number of conversations with government agencies in the past over a number of years and depending on the stakeholder, they can go a number of different ways. Some will be very, very prescriptive. So there is a very specific agenda, it's somewhat a fact finding mission, a number of different questions they're interested in answers to, those maybe not so much of a two way conversation. Then there are others that are certainly the other way around. It is a conversation. They're looking for advice, they want guidance and they're willing to share information to help make sure the guidance they're receiving is correct and accurate. Then there are the ones in the middle where it may start off guarded up front at the start and they're not really sure how much they can share. They're not sure what sort of things are going to be told or what sort of agenda someone they're inviting in might be bringing. But then as you earn their trust through that conversation, you do see it start to change, you see the walls come down, you start getting more information being shared and that to me is a real win because if I'm walking in, I am there to help, I genuinely want to help. Tony Jarvis (17:26) The more information I have, the better I understand how I can potentially help and what I can bring to the table. So I think that's something we should all strive to work towards. Karissa (17:36) And then you spoke about trust before and you raised that again, which is the operative word, trust and yes, trusted advisor is floating around in the space. What would be your definition of trust? Tony Jarvis (17:48) I think personally, if I'm talking about trust and I'm talking about conversations between various stakeholders, it's really having the confidence that when you are told something, that is really what the message is, there's no hidden agenda, there is a genuine interest in helping out, we're not serving to further our own desires at the expense of somebody else, take anybody else for granted. It's really about working collaboratively together for a greater goal. So to me that is trust. If we can achieve that, I think we've solved the majority of the issues that might potentially hold us back in terms of moving forward together. Karissa (18:30) Would you say we are achieving that? Tony Jarvis (18:33) It's really difficult to say, every conversation is different. This is one of the things I really love about my job no two days are the same, no two conversations with any given stakeholder are the same, it's always different and things change, it's a very dynamic environment, threats are changing all the time, priorities within organisations, companies, end user environments also changing. So I think it really is being able to adapt and say, look, this is what we were talking about yesterday, things have changed, what else can we bring to the table today? What more do you need? Are you aware what's changing? Can we help? Can we share information? So really I can't give you a hard yes or no to that, but certainly the more we're able to accommodate that and work in that way, I think the closer we are to earning that trust. And trust is a long term thing, it's not transactional. We had one meeting and there was trust in that meeting. It is we are happy to be part of a long term relationship, we trust that, yes, we're being given honest information today and we will continue to receive honest information in the future and this is a partner, we want to look forward and build our future together with that to me really is trust. Karissa (19:51) So in a recent decent white paper, there was a statement, now, I know obviously you don't work for the government or anything, but I'm just keen to hear what your thoughts are. So the statement was the government will act to protect the sovereignty, integrity and transparency of our institutions. What do you think this means to you? Tony Jarvis (20:09) To me? I like to take this and I did see this and I did have a look at the white paper. It's a very interesting read. It's a lengthy document, but certainly touches on some very important aspects there. I think at the end of the day, what the government is trying to say is that they're doing a number of things. First of all, they recognise the risk, they recognise that they operate within an environment that is not safe and they need to recognise that and see what sort of threats they are facing. They need to respond. And we're talking about things like policy, legislation, working with other parties, getting information. So that's part of what we're doing here, putting those policies into place, then monitoring. Is this working? Is it enough? Is it too little? If so, how can we adapt? How can we tune this going forward? Constantly adjusting that and looking both domestically at the local challenges and abroad. What sort of things are foreign nations doing in terms of their own critical infrastructure, for example? Is it working for them? Is it a good idea for us that we can potentially introduce? Tony Jarvis (21:18) So, for me, I recognise that that is what government is trying to do. So to me, it becomes all about, I know what they're trying to do, or I think I've got a pretty good idea now, how can I help them? And it's really about being that trusted stakeholder that we were talking about before, giving them the information they need to affect their policies, to decide whether or not the current policies are working or if they're seeing things like notifiable data breaches being reported regarding certain sort of events, certain sort of attacks, specific industries being targeted more than others. Can we advise why we think that might be? As cyber security professionals, as vendors, what insights do we have into maybe this might be an explanation why certain things are happening and then the government may be able to take that and feed it back into changing existing legislation, working with various stakeholders in certain industries more so, to me, that's really the end goal of what we're talking about here. Karissa (22:18) So what insights would you have in your position, at your level, across multiple clients in industries that you're sort of seeing? Is there anything that you can share today? Tony Jarvis (22:28) Yeah, every industry is totally different, which, again, is one of the things I love about my role. And when you sit down with people within those industries, they end up sharing. I think human nature is we really love talking about the things we're doing, we all do things we're really passionate about. We love sharing that with others. And so I get to hear the highlights, I get to hear the lowlights. They do tend to be certain norms that you see get painted out as a picture belonging to specific sectors or verticals. So, for example, healthcare, I think we all really understand really well. We know that lives are literally on the line if medical equipment is taken offline, if hospital systems go down. We know that they traditionally have quite low funding in terms of budget for cyber security. We know that being greatly affected by ransomware since 2016. And there's just so many issues I need to deal with embedded operating systems that are outdated and can't be patched in a lot of their expensive machinery, so they're specific to health care. Every industry has its own challenges, but by being able to sit down with people across a number of different industries day in and day out, we do get a really good idea of the challenges they're facing. Tony Jarvis (23:46) And that is certainly really useful information. We can feedback to government departments when we're brought in for conversations really almost as feet on the ground in the thick of it, as an extension of the security team with some of the customers we work with. Karissa (24:02) Do you think as well, that working with, like a partner like yourself, when you're working government department, you may not see things as broadly and as openly because you're not out there working across multiple different industries? Do you think that they are aware of that or do you think that they are sort of maybe less inclined to work with partners because maybe they think that they've got it all worked out? Tony Jarvis (24:27) Yes, actually, that's a brilliant question. It's a really good question. I'm not sure how much of that comes down to the organisation or the individual working within a given role inside the organisation. What I can tell you is that I've had interactions or engagements go both ways. I have had interactions where it's very prescriptive and the conversation is basically, we know what we need. Here are our predefined questions, just give us some answers, please, and really little else. And I've had exactly the opposite. I've had conversations where I'm brought in as somebody with eyes on specific industries and sort of the challenges that organisations are going through, and that is seen as really critical, valuable information that can shape things like policies. So it has gone both ways. I think it's also about choosing the right stakeholder within the organisation. So there are so many different roles. If we're talking about cyber security, both in end user environments, private organisations and businesses, and the Government space as well. And if you're going to have a specific conversation, that conversation is greatly going to be influenced by the roles that the people you're interfacing with actually hold. Tony Jarvis (25:46) So compliance officers will be interested in different things than heads of security operations centres as an example. So I think that also plays a big part in the ultimate success of how those conversations actually end up. Karissa (26:00) And I'd like to understand from your perspective, Tony, how the Government is committed to protecting the security of critical infrastructure for Australia, which is kind of lends itself to the sovereignty piece you've just touched on before healthcare. If things go down, people's lives could be lost. I think Woolworths is now part of that equation. We can't have a shopping centres going down. So I'm keen to hear your perspective on that. Tony Jarvis (26:28) Yeah, there's a lot to say there. I think the government certainly is doing a lot, in my opinion. Is it enough? Well, that's a separate conversation. I don't think there is ever enough, no matter what country we're talking about. But in terms of how the government is committed to protecting the security here, and we're talking about critical infrastructure, I think a lot of it comes down to legislation and there has been a number of different policies introduced over the years. The one I sort of keep coming back to is the Security of Critical Infrastructure Act of 2018 and its enhancements. And it's interesting to look at some of the things contained within there. So, as an example, we've got mandatory cyber security to notification obligations. So if it's a really critical security incident, then we know that these industries are expected to report those things happening within a space of about 12 hours. And that is, to me, a really good step forward. So we've got, if it's critical, 12 hours. If it's not so critical, it may be up to 72. But the notification, the disclosure is really important because at the end of the day, if the government is trying to help, they need to know what the problem is. Tony Jarvis (27:42) And human nature is nobody likes submitting. Something went wrong. And unfortunately, if we're not required to disclose and this is not Australia, this is globally, this is just the human condition, we really don't want to admit these sort of things. So policies like this, I think, are very much required and the tighter the requirements around. Yes, you must report and if you don't, you are penalised. It does give us a more accurate standing in terms of we see the things slipping through and then we can sort of prioritise, we can understand where we're falling down, what additional measures we might need to take. One of those measures, actually another element of the act is government assistance, the obligations there. So if the government does identify that a critical infrastructure organisation does not have the ability to respond themselves, to actually undertake the incident response, they might insert themselves into that incident response process. Now, is that a good thing or a bad thing? I think you could argue both ways. At a high level, if the organisation is not able to fulfil this role themselves, potentially it's a good thing. If they are, they're really mature, they've got a really good understanding of what to do. Tony Jarvis (28:59) Maybe that might add too many cooks in the kitchen, but I think it's a good incentive to bolster security and. Prove to government departments that you do have this under control, you do have the capacity, you do have the expertise and the skills and the processes. So I think this is really sort of pointing us in the right direction. Karissa (29:19) Okay, so there's a couple of things that you said in there. So you said the government is committed. Now, some people will say they're committed to going to the gym, but they're not. Do you think the government is committed because then it's backed up by policies and it's mandated and it's regulated? Is that them saying we are committed because we are mandated? Tony Jarvis (29:40) Well, I think there's what they say and what they do and it's exactly the same for the gym membership, right? I can pay money, get a gym membership and never use it. It doesn't really do my health much good. But if we're talking about government, we see that there is legislation and we see that legislation is being changed from time to time. That means they are paying attention to it, they are monitoring it, they are seeing what they can potentially improve. I have observed there is a growing interest and support by Australian government, a growing awareness that cyber security is super important. They need to have people in senior positions who are accountable for owning this. So there is responsibility and I do see with things like, yes, we do have mandatory disclosure laws, there are fine. So if people don't report it, they do stand to be penalised. So I do see that as an element that will ensure that it is enacted. So going back to the gym example, if I choose not to go, that's it, I'm just not going to go. If an organisation chooses not to report, they will be penalised. Tony Jarvis (30:50) And we know with the actions, the activities, that we see the information being reported in the media. In terms of government policies, that is not a one and done. We have seen multiple iterations, we've seen extending themselves out, reaching out into engaging with other stakeholders, having conversations, learning more, doing more. So I really do see this going in the right direction. Karissa (31:13) So would you say where we are now is probably just a step in the right direction? Because, of course, like you said earlier, we're never going to ever do enough, no matter who you are or where you're based. But I guess we are sort of traversing on the right path, would you say? Tony Jarvis (31:27) Absolutely. So security is not a destination and I'm going to sound very cliched here, but it really is a journey. Everything changes day by day. Even if we have hypothetical perfect security today, new risks emerge, tomorrow, new vulnerabilities are identified tomorrow. So we have to be working on this continually and we need to be doing that together. We need to engage with outside parties, we need to ask questions, we need to get lots of good information and continuously adapt. So I think we are on the right path. I don't really like to say are we in the right spot today? I don't think you can ever answer that question regardless of what country we're talking about. But what I do like to say is where we are today, how does that compare with where we were yesterday? Has the situation changed? Has it changed for the better? And I genuinely believe that to be the case and I am genuinely optimistic about where we are going as we embark on the months and years ahead. Karissa (32:27) So if we zoom out a little bit more, what do you believe are the potential national security risk to critical infrastructure that you see? Is Australia prepared and what would be your recommendations? And yes, I dropped my pen in the background. Tony Jarvis (32:45) No worries, it happens to the best of us. I think if we talk about the risks to critical infrastructure there is so much we can say. Critical infrastructure involves a number of different verticals. They all have their own unique risks. We really are at the end of the day talking about threats to power grids and power grids going dark. We're talking about threats to water supplies not having water when we turn the tap on. We're talking about threats to transportation. So that is the sort of threat you really want to set up and take notice too. And I know that all of these verticals have suffered some sort of breach in the last twelve months or so. Yes, we do need to do more, we can do more and that is always going to be the case no matter how much effort we put in or how good we think we are today. We know that attackers have the potential to disrupt critical services. We don't just see this in Australia, we see this globally that can in the very worst cases cause harm or death. And I don't like hyperbole and I'm saying that with just tempering expectations. Tony Jarvis (33:53) It is not the default reaction, it's certainly not something we expect but it can happen and we want to do our best to avoid that. Are we prepared? Look, we can always do more. A tax keep happening, we need to be constantly learning but we also need to prioritise security and that means prioritising funding for security solutions, that means additional collaboration with people that can help us. But my recommendations, what I'm seeing at the end of the day, do I feel good about this? Do I feel worried? To me I think we need to look at two things. One is improving the best of what we have today and if we're talking about hey, you've got every single protection, you're doing everything right. I always believe we can do more. If you've got a great big security stack with lots of firewalls and security gateways and antivirus and all of that good stuff, yes, that's going to be really good at finding things we have seen in the past, maybe not super great at catching zero days, new threats. That's where you might want to look at things like anomaly detection, that might be where you leverage things like machine learning, artificial intelligence, automation. Tony Jarvis (35:00) But at the end of the day, I'm more worried about the basics. The basics that just aren't done properly and end up being the reason why some of these breaches happen. So, as an example, RDP being wide open to the internet and all you need is a username and password. And it's probably a pretty easy one to guess, no multifactor authentication being used, seeing users with excessive permissions, being given admin level permissions when they really don't need it. These are the things that really make me worried and these are the things that we really need to crack down on. I don't know whether it's awareness penalties if it's not done properly, but we certainly do need to revisit that conversation. Karissa (35:46) So the first one you said is improving the best of what we have today. So a couple of things. Would you say that we are operating the best we can today or of course there's more things that we can do like you sort of touched on like RDP, MFA, all that type of stuff. So do you think that maybe we just need to sit back and say, all right, we need to focus on doing the basics like patch management and MFA, all these things. But I don't have to say it seems obvious, but don't you think it does seem obvious because there's so many you just spoke about before, like anomaly detection, we're talking about machine learning. This is very far in advanced and if we're still talking about basic patching like this, it seems like we're not getting the basics right at all. Tony Jarvis (36:33) Agree with you on both points and I think they're actually related. I'm a big proponent of getting the basics right. I do remember one engagement I had with a stakeholder in the past and I was talking about patches and patch management and talking about getting the basics right. And after that meeting, one of the gentlemen in the room came up to me and made the comment or observation just because it's the basics doesn't mean it's easy. And that is so true. I think we do sometimes oversimplify how easy this should perhaps be. It's not always easy. There are systems we potentially cannot take down because their mission critical. There are systems in production environments that just said they're really sensitive. We might need to be doing things in test environments first before we even think of doing something in production environments. And we may not even know where all of our assets are. Talking about things like shadow it as an example. So yes, I totally agree with him on that point. Just because we call it the basics does not mean it's easy. So what do we do well, I think this is where we have that other side of the conversation about really looking at the more sophisticated things. Tony Jarvis (37:48) So if you do know that no matter how much you try to get the patching done, there will always be some systems that you either can't or won't get around to. What do we do about that? Can we look at preventative controls? Can we look at things like looking at your attack surface? What sort of systems do you have? What is in the public space? What versions of firmware are they running? What vulnerabilities exist for those? And that would be the things that attackers would try to exploit to get in. So I think looking at it from multiple angles, if I was an attacker and I was looking at an organisation I was interested in going after, what would I find? What would be the top priorities at the end of the day for that organisation to go in and address? You can't do everything all at the same time, but if you have security tools that can tell you what an attacker might see, rank them, give you a priority. If you've got just one thing you need to do today, focus on this, and that will be the best return on your security investment today, I think that goes a long way to countering the negatives of not always being able to patch as an example. Karissa (38:57) So you said before two things that you would prioritise with security. So I think one was, of course, improving the best of what we have today. What was the second point? Tony Jarvis (39:05) So I was talking about the best of what we have today and looking at AI, automation, that sort of thing, anomalies that we're seeing, but also the basics. So I was saying improve the best, but we've also got the worst. The other end of that spectrum you. Karissa (39:21) Said before, like, basics isn't easy, which I agree with. Theoretically, if we read a book about patch management, seems easy, right? But that's not how it is when we're out there doing the stuff day in, day out. But then it's like if you can't do the basics, which isn't easy, how can we introduce complexity then to an environment or to an organisation? Tony Jarvis (39:42) I think, and then this might be somewhat polarising, but I think if we can't do the basics, that in itself introduces complexity into the environment. So, for example, if we've got devices in the organisation, we want to understand what those devices are, we want to make sure those devices are patched, we want to make sure they're compliant with organisational policy. But how does that factor in with BYOD if we have individuals bringing their own devices into the organisation? A lot of companies have tried to say, look, that's just not allowed, and faced huge backlash from their employees, and employees will somehow find a way around that. So what do we do? You really can't enforce having specific sort of security solutions on personal devices a lot of the time. So this might lend itself to reaching out to end users, educating them, user awareness. I think there are multiple angles we need to look at when we have this conversation. Every challenge is different. If the way that we've been trying to do it in the past doesn't seem to be working for us, then I think we need to look at it from a different angle. Tony Jarvis (40:52) At the end of the day, and I can say this with confidence, because I am often asked to come into organisations and talk to their non It staff, the staff that do everything except It and security and talk about security, and they really enjoy it. We talk about the risks to them personally, their personal lives, their family members, but also the organisations they work for. And they do genuinely have an interest in understanding more. Who are these people trying to attack us? Why? What can we do to help out? So I think how our security teams interact with our regular staff, keeping the business running, keeping the lights on, if that is a good relationship, if there is positivity involved, I think we can do very well if we are penalising people for doing the wrong things and they tend to fear the It department that might go against us. So I think a lot of this is relationship building as well. Karissa (41:48) So, in terms of a summary, is there any sort of closing or final thoughts that you'd have in terms of the sovereignty piece or the critical infrastructure you'd like to leave our audience with today? Tony Jarvis (41:57) Tony I think really, at the end of the day, it all comes down to leveraging on what we're doing right now and what's working well, but always trying to find out more, what can we potentially do further, what isn't working today? And it doesn't matter whether we're talking about critical infrastructure, government or private enterprise. I think that should be the daily task of a security function, whether we're securing organisations or securing the country. And you can't do all of that yourself. You do need to talk with lots of different experts across lots of different fields and I think this is a really good thing. Certainly if you reach out, you have different conversations with different people, you're going to get different answers. Is that a negative there? They're all saying different things. No, I think it's a positive. You need lots of different perspectives because at the end of the day, you take all of that away, you filter it, you look at it through the lens of your individual organisation, company, government department, and identify what makes sense for you. So I think collaboration is key. Having that genuine interest in finding out more and being able to accept that what we're doing today isn't enough, in figuring out where to actually take that forward in future together. Karissa (43:10) Thanks very much for that, Tony. I really appreciate you taking the time today to share your thoughts, your insights and your observations about the space. Thanks very much. Tony Jarvis (43:18) It's been an absolute pleasure. Thank you. Karissa (43:20) Thanks for tuning in. We hope that you found today's episode useful and you took away a few key points. Don't forget to subscribe to our podcast to get our latest episodes. This podcast is brought to you by Mercsec, the specialists in security, search and recruitment solutions. Visit Mercsec.com to connect today. If you'd like to find out how KBI can help grow your cyber business, then please head over to KBI.Digital. This podcast was brought to you by KBI.Media, the voice of Cyber.