Introduction (00:19) You're listening to KBKast cyber security podcast for all executives cutting through the jargon and height to you understand the landscape where risk and technology meet. Now, here's your host, Karissa Breen. Karissa (00:34) Today is Anthony Woodward, CEO of Logicalis Australia. Today we're talking about how to turn security as an enabler within your business. Anthony, thanks for joining that. Full disclosure, my voice is a little bit croaky. It's not too bad, but I hope it's not annoying for you to listen to. So I apologise in advance. But one thing before we do get started, Anthony, it was really great to meet you at the conference the other week. So how did you find that, by the way? Anthony Woodward (01:00) Yeah, thanks for having me, Karissa. Great conference, by the way. Great location, really good deep tech conversations, a really wide ranging group of people, good to hear, lots of innovation and other great ideas being talked about. Karissa (01:15) And I think when we were speaking, the topic that came out really for us is security as an enabler. And I was interviewing someone last night, actually, in the United Kingdom, and this guy is like ex military, 30 years of experience the space and talked about how we're not really good at selling the value of security and security is a cost centre. So I'm curious to know, how do we flip that conversation on its head and talk about it as an neighbor? So maybe let's start with how people view security internally, like many still don't see it as an enabler, I would say. And then I want to know from you, why is that the case? Anthony Woodward (01:52) Yeah, look, I think security generally tends to fall into two areas of a business. One is where it's part of the risk framework. So it could be the case that your head of risk reports up into the risk officer or somebody on the board who has carriage of risk. And the other side of the coin is where you have security as an integral part of not just It, but that part of the It platform that supports innovation. And I think what really governs the decision point about where that risk and where that security capability sits is a function of the kind of business that you're dealing with. So we've tended to see that heavily regulated industries, security becomes a core risk function and that's where it really sort of taps into a compliance option, as opposed to one where we're really thinking about it as an enabler to move more quickly. So I think there is a bit of a shift going on between those two modes. Some industries are going to have to move more slowly because they need to make sure that they cover off the compliance piece as their first port of call. Anthony Woodward (03:05) But other industries are starting to move a bit faster and seeing security as an enabler for them to actually move faster as well. Karissa (03:11) Yeah. So do you think it comes down to a maturation of business? So, for example, like a bank that I used to work in so long to just talk about innovation, but what about the smaller companies that are like, so stretched and yes, they've got to pay for security, but they still don't see it as an enabler. Do you think the conversation shifts depending on the size of the organisation? Anthony Woodward (03:29) Maybe not just the size of the organisation, but the lived experience that they have had. So a lot of leads to smaller organisations, I think, are really yet to have experience to security issues that is threatened to stop their business. And so at the moment. They're looking at security as an add on or a checkbox or something that they kind of have to do. But they want to do it for the minimal possible cost. Thinking that. Generally speaking. We're not going to be under attack. So we don't need to worry about it so much. We don't have anything people would want. So why should we spend a lot of money setting up a really strong security environment? Let's just do enough to protect ourselves from a minimum perspective. And I think that is changing because some of the nature of the reason that people come under security attack is moving very much into an industrialised commercial outcome, as opposed to pranks and things that may have proven security incidents in the past. Karissa (04:30) Yeah, that's a really great point, is that lived experience. So with your experience and your role at Logicalis, what would be your advice? Perhaps people listening that up on that small organisation, how can they sort of change their view of security as well? Yes, it's an expensive call centre. However, part of that cost centre is enabling brand protection and enabling that we are protecting our assets. How would you sort of position that? Anthony Woodward (05:03) Yeah, it's one of those scenarios where you have the conversation in relation to what the potential lost revenue might be. And I think once some of those organisations can see some others who have been in their space and have had significant downtime as a result of a security incident or a security ransom attack or those sorts of things. That suddenly it puts it in the light of. If your security is down. Your security is lax. Then could that cause your core systems to go down and how do you actually recover from that? And then it starts to light up conversations such as how do we stay maintain the continuity of our business during a security incident and somebody's got our data, what are they doing with that data? What does that do to our brand reputation? Do we have legal requirements and law that we're in danger of breaching because for example, a privacy act requires us to notify people if their personal information is leaked. Suddenly that starts to put it in the concept of well, the cost of not doing it could be really astronomical. And so the cost of doing security at least medium to well is quite easily justified by one or two incidents or one or two scary scenarios like that. Karissa (06:27) Yeah, and that makes sense the way you position it. But would you say that a person out there that perhaps doesn't have strong communication skills, do you think that they suffer a little bit with trying to showcase the value from security? Like as you said, part of security is to protect the revenue as well. Right? Karissa (06:48) So if something happens and they've lost revenue, that's an issue. Do you think that maybe they need to have a little bit more communication skills to equip, to speak to executives or their boards, say, hey, this is the situation, if we don't invest in that, so maybe they're just not yielded with the right tools. Would you say? Anthony Woodward (07:06) Potentially that's the case. I think going back to that learned experience or that lived experience scenario, it's probably very easy for people to talk about something that's happened to them compared with something that's theoretical. And I don't know if you need specific communication skills to get across what the cost was and how damaging that potentially was for the business, but again, to flip the conversation around. If you've got a better and more embedded security approach to the way that you move and deliver it based capabilities to your customers than a competitor, then there's competitive advantage in being able to do that. And that's a different kind of conversation that moves it away from the scare tactics and more into the advantage tactics. Karissa (07:55) So just press you up a little bit more so people don't necessarily see the upside value, which you and I know that and even when I'm out of the weekend, I'm speaking to people and maybe they're in other fields I talk to, that some people do see it. Maybe I position it in a way I'm not saying I've put all the answers at all, I just used to do this for a living, communicate security, which I still do. So maybe I'm biden a bit better at it. But I still think that maybe as an industry we're not communicating upside value. And so then I sort of want to get your thoughts a little bit more on, okay, someone's sitting here, they're listening to this, they don't quite get it. They're trying to get more budget, they're not maybe the strongest communicator. Is there anything that you would sort of leave with first? Discuss the revenue, the brand? But how do you craft that message? And do you do that in a presentation? Do you do it in a meeting? Like what would be your advice at a high level? I know it depends on the company and the organisation, but I mean, if you just could spitfall some ideas, I think that would give people real tangible solutions on today's interview. Anthony Woodward (09:03) Yeah, happy to. I think a couple of quick ways to sort of bring the conversation to the point where you need it to be. In my view, and certainly the way that we operate at Logic Carlos, around security is to think of it as more of an enabler and something that enables the business to move faster as it innovates. So bring it into the competitive sphere and say, hey, our competitors have got a better security posture or a more secure platform or regarded better for the security of their customers information than we are. That's costing us business and costing us customers. We can't move as fast that's a conversation that is going to get a wider attention, then this is just another It problem that we need to fund. Karissa (09:49) That's a great point. How do people know that their competitors have better security solutions? Anthony Woodward (09:54) Well, we can see the ones who don't, right? So we can have situations that come up where it's okay, such and such an organisation in our sphere had a security incident that they had to be public about, so we had to look at it. There were people in the organisation that said, hey, can we have a bit of a look at how we sit? Maybe they got an external consultant to have a look at the situation from your company's point of view and they might have said, hey, compared with some of the others out there, you guys are not really doing great. That's the sort of information that is really useful in this kind of discussion. Don't just make it your own view, but add in a view of an external consultant, that doesn't have to be an expensive exercise, it can be quite quickly done and it could uncover some significant risk that you don't even know about, that you might want to jump on quickly. And that's the sort of thing where you can say, hey, you know what? If we don't close this now, that's a major security risk for us. And it doesn't mean boiling the ocean, it means solving this problem today. Anthony Woodward (10:52) Okay, now we've got security on the agenda, we're starting to really talk about this as a cornerstone. How can we now embed security into the way we do business so that we don't have to keep stopping, looking back, fixing things up, bringing external consultants in, patching things up. You know, that cycle. Karissa (11:11) Okay, so just to get this straight, hypothetically, I'm in a company, there is a breach that happened. I go take a look at it. See perhaps where the gaps are. Where they went wrong. Pile it into a deck or presentation or whatever it is. And say. Hey. I looked at this company for example. And they may not be necessarily in the same arena. But maybe someone in Australia that had some incident. I present it back to say these are the gaps. This is where we don't have security in these areas and this is exactly what happened with this coming up bridge. Is that sort of what you're saying? I want to hear it. Anthony Woodward (11:43) I think that covers it from a compliance and risk perspective. So here's where the risks are, what's the downside risk and those sorts of things. But what is probably useful to add to the conversation, potentially, those organisations that for whatever reason, have a view of having solved this problem, hey, look, these guys have got security sorted out and they're able to move faster in this way. They're able to bring out new features or new capabilities or add new markets or access new customers more quickly than we can because they don't have to keep stopping and kind of retrofitting security into what they're doing. Karissa (12:18) Got you. Okay, so I want to jump into that in a second, but before we do that, I want to talk a little bit more about the cost. So everyone's very focused on cost, how much it is. And it's curious, it's not tangible. So at least like, I don't know, when you buy a website, you see the amazing site and the colours and the brand and all that, but you can't really see it, right? And it's something I get breached, it's sort of done its job. But I guess my counterpoints that is like running development, like development costs quite expensive still. So I'm curious to know, from your experience, because you worked in this space on that development side, why are so many people fixated on security? CISOs? Because they have some, like doing that development work is still expensive, right? I guess you can kind of see it a bit more, but is that really what it's about? I'm curious about your thoughts on that. Anthony Woodward (13:10) So, when it comes to cost, I think people really need to see the value and that doesn't change whether it's security or development or any other investment that they make. So to some extent, if we can move security from a have to have so think about it like insurance, for example. You have to be insured, but people usually try and find the most cost effective way of putting insurance in place because they're not thinking of necessarily all the other downside risks that could happen if this insurance fires. So there's that component of it. But on the flip side. If you say. Well. Hey. I can actually see on an ongoing basis how I'm able to move faster. How I'm able to deploy things within my organisation where I haven't had to wait or I haven't had to be concerned about going back and retrofitting security. Which is a more expensive way to do things. Suddenly. Then it comes down to the value conversation. And I think you can get some really good value conversations going when you have some instrumentation, some visuals, some way to actually visualise. Hey, since we put this security thing in place, we've had a reduced incidence of people clicking on malware links or potential ransomware attacks or viruses running around inside our organisation. Anthony Woodward (14:29) And a lot of the good security technology and capabilities are really starting to bring that instrumentation into an actionable insights for you, rather than just a great light that says all is well but don't really know what's going on behind the scenes. Karissa (14:43) Okay, so let's jump into that. Let's look at the innovation side of things. So we often do talk about the ability to innovate because of course companies were saying to be aggressive, to stay relevant, we need to innovate, but of course we also need to be secure whilst we do that. So how would you go about managing that balance? You obviously touched a little bit before, including security and the conversation from the get go. I'm assuming you're also talking about dev stack Ops or SEC DevOps or whatever you want to call it. Talk to me a little bit more about that balance. Anthony Woodward (15:13) So if you go back to the start of our conversation, we're talking about the sort of two modes where security plays a role in an organisation. So if it's part of the compliance and risk part of the business, then security would tend to be reactive to a process. So let's say you want to go through a process of innovation. You want to stand up some software. You want to try it out. You run some testing. Get us some focus groups together. You really like what you've developed and now it comes time to put that into production for tens or hundreds or thousands or even millions of customers. Depending on the industry you're in. There might be really strong regulation about how you put something into production where security is a core consideration. And so at that point, just when you're thinking about putting something into production, you now need to bring in the security analysis and the security consultants and look over everything and disassemble code and really dive deep. So if you do it in that reactive way, well, there's a long period of time between when you are ready to go live into production and when you actually can. Anthony Woodward (16:19) It is all just doing the security assessment and potentially fixing whatever is wrong with the platform from a security perspective. So that's when you keep the. I guess the development and the innovation cycle separate from the security acting part of the business. When you have the security as part of that development cycle. Not only can you make sure that you think about the security of the information and the platforms that you're developing while you're designing them and while you're having the conversations with the end customers to what they want. But then it gets baked into the software and the platforms that you're building and the platforms that you're using to build with. So security is baked into those and by the time you get to, you might still get to the same point in time where you need to go through a risk assessment before you go into production. But so many of those issues that might have been discovered through that review cycle have already been dealt with, have already been, if you like, coded out through the development cycle. So it's much more of a compliance cheque as opposed to everything coming to a halt for months on end while you get that fixed. Anthony Woodward (17:25) If you think about that from a point of view of how often do you want to release new capabilities to your customers or to the market, you can just do it more often, which means you can move more quickly and you can react more quickly to competitors in the market. Karissa (17:41) I guess also for what you're saying, it's more efficient way, right, rather than doing this whole thing and then security up being, we've got like six major risks, we've got your back and started again, or fix these things here. So do you think people see it as efficient? Because not everyone is still operating like this. Anthony Woodward (18:01) No, and some organisations may never be able to combine the security function with the innovation function, but if you bake security into the innovation function, it should really still see the function of compliance and risk management become more efficient as well. I think people have got to go through a few cycles of it to really understand that's going to work and see it happen, see how it actually plays out as they release capability into their customers or into the market and discover that, hey, they can actually go faster. But even thinking about the security and privacy of information at the point in time where they're developing the idea and doing that ideation phase can make a big difference to how the software or the capability is actually built in the first place. Rather than getting to the end and say, hey, we should have designed it a different way, that is going to be a very inefficient and expensive route to take. Karissa (19:00) So why aren't people banking security in from the get go? You said that some people just can't. Is it that they can't because regulation they can't. Why? Well, they don't want to change. What's the reason? Because, like he said, he only gets the whole land of some two year thing and then it's like, oh, actually, we've got like 50 gaps we need to fill, which then costs more time, more money, more resources. So to me it seems obvious, but maybe it's obvious for people listening, but I'm just curious as to, like, why. Anthony Woodward (19:28) So organisations that potentially have those functions in separate silos of the business that don't talk to each other very much, you could see how that would be hard for them to make that change overnight. It could well be a cultural change, it might be a governance change. The way in which governance is handled inside the business. Perhaps the innovation part of the business is being seen as being necessarily not as critical and so therefore doesn't really come under the watch for life of security and risk management until late in the piece with what they develop. So I think organisations are at all different points on the spectrum of maturity around that is how I would view it. Karissa (20:10) Okay, this is interesting. Now, I know from my own experience working in security and then going to dev teams, there's a couple of things that come up in my mind which I want to understand from you. Like you said, operating independent sellers. Yes, absolutely right. And then maybe they aren't speaking to one another. So what would be your advice? And as a leader, if you're working with a customer or you're just in your experience, how do you get these people to talk to on Earth? They come from very different worlds. Anthony Woodward (20:34) Yeah, it's a great one, isn't it? One of the things that we at Lodge Carlos are doing about this is to really think about the instrumentation of the security platform. So where the security issues get surfaced, who knows about them? How do they get addressed? If you have a platform that's set up to have the telemetry and have the, if you like, the rating of this is how secure our various platforms are from the beginning of the conversation. It's a much easier conversation to have with, for example, those parts of the business that might not see themselves as responsible for that security, where you can say, hey, this is what the baseline looks like, this is where we're trying to get to. If you can be involved in that conversation earlier, then in that effort earlier, in terms of the conversation we're having around innovation, that would be a lot easier. Breaking down that silo, I think, really gets to having that common capability, that common platform that people really have access to and can take their actionable insights from. So, in other words, you're both looking at the same scoreboard, is ultimate the outcome that you want. Karissa (21:41) But if you look at the same scoreboard, don't you think they're looking at different scores though? Because what a dev cares about is functionality. What a security person cares about is it secure? So how do you get them to sort of align? Because, I mean, I've seen organisations before and it's like, oh, the security person is going to come around again and it's that whole police thing and then it's awkward because you're going to say, no, your project can't go live because of these issues. And you know, I'm curious to know how do you get that further on? And I'm hearing what you're saying, but I'm also looking at the reality of the people that make up these types of roles and the calibre of people that are in these roles and how they think so differently. Anthony Woodward (22:18) What we're seeing a lot of is in the innovation and the dev side of that dichotomy that you just described is increasingly actually having secure aware and security aware people in that team. So for starters, you break down the barriers of conversation. So it's much easier to have a conversation across the parapher if you like. And then the other side of it is that people can say, well hang on, just before you code that or just before you build that, have you thought about the security aspect of that? Now that's for someone coming from inside their team, as opposed to like, you say that we've gone this far down the road and then we get an external view as to what's going on. But it really comes down to joint accountability of saying the accountability for security does not just sit with the guys who discovered it, it sits with everybody who's involved in the creation of the platform that ultimately could have a security risk. And when you can have that conversation, then I think you end up having different outcomes. Karissa (23:16) Yeah, okay, that's interesting. So if you're a leader in a company like, hey, I'm going to start this project, join accountability with dev, see dev team as well as security team, is that going to then enable them to look at the scoreboard the same way? Because it's just not being just a dev problem or it's not just some security guys problem or girls problem. It's just more so this is our goal, this is their vision. Go get this life by this statement. It does need to be secure. But then I think historically in my experience, this has been like, oh, it's security's problem. And then you're getting into conversation and I've been in the rooms before where you've got some project manager, contractor, they're KPI on go live dates and then it's like, hey, actually you've just been working with for ages and we've just picked up all these additional problems. Not only is your project going to run late, we're going to have to charge you like another half a million bucks to fix all these gaps that you don't have because you've already run all of your budget already and you're already late as well. Karissa (24:16) So do you think that these conversations start to get really tricky and interesting? Because again, there's a lot of moving parts, there's a lot of complexity to it, things that maybe you shouldn't see but you didn't see. But do you think that having this joint responsibility and accountability alleviates a lot of this frustration, a lot of this, I guess, political conversations that happen internally when you're dealing with a dev team as street team. Anthony Woodward (24:41) Yeah. You mentioned the word KPI, whether it be a KPI or some other measure imagine as a dev team, as well as the release dates or the number of release cycles, the number of features or the number of lines of code or all of those other KPIs, you were also measured against a security score for the platform you're building, which was independently tested by the platform itself. So as you committed code, as you ran through the automated testing, that could give you a security score. And if your KPI was it has to reach this level before we talk about it going into production, then suddenly you're in a different conversation and that then pulls the requirement, the skill of secure capability around coding and design back into the development team, rather than just having it outside that innovation part of the business. So you can see how you can reflect the joint accountability through having the measures on the right people that they can influence. Right? There's no point having a score that I won't know the answer to until months down the road. I want to know the score every day that I come to work and what I'm doing and how am I moving that score. Karissa (25:52) So, just hypothetically, I'm a debt. I was at my security score and it's not where it needs to be. Have you seen it before? What are people's responses to that? Is it like eye rolls, oh my gosh, I need to go and get another coffee because I need to redeem it. What's the responses being? Because if you look at a traditional dev or science degree, you don't get taught security. Right, so it's not necessarily their fault. But then do you think it creates a lot of frustration then, for them? I understand that you've spoken about security coming in and assisting them, but they're not going to get it right each time. Anthony Woodward (26:23) No, they're not. But interestingly, there's an industry of organisations now that are in the business of setting up the training and the platforms and even gamifying some of that to help software developers to really get their heads around the security that they need to bake in lots of template. I think rather than the worst thing you can do in a software scenario where security is concerned is to cook up your own, because there's been a lot of peer reviewed answers to the problems you're probably trying to solve out there available for you to use, or examples of how you should do it. There are actually now platforms that can help train developers in these capabilities in a gameified way and I know that there are a number of those out there. So that's one way you can sort of put the tooling back in the hands of the developers to get themselves up the skill curve and test what they want to do. Okay, I want to build this capability. What would be the most secure way to do it? There will be ways to get trained up on how to. Do that. So I see that moving quite fast. Karissa (27:29) And has that been effective in your experience? Has that reduced again, people are hitting their security scores each time, each time they're doing things or do you think it's a bit of a process and of course people are not going to know this overnight or what does that look like? Anthony Woodward (27:44) It will certainly take time, but I think the point that it's going to make the biggest difference and that will continue to make the biggest difference, is for the joint accountability to be backed up by the capability to see where what they're doing is influencing the outcome. So you've got the platform, it can measure your security score of what it is that you're putting into production or would like to put into production and the accountability for maintaining that security score is on you. And incidentally. Some of these platforms. With new information from the telemetry that they gather and from real time streams that they get from security incidents around the world. Your security could actually drop overnight with you not doing anything. But at least you now know. Hey. We need to go and handle this situation to continue to keep our school where it needs to be as close to real time as opposed to months down the road where you discover a vulnerability that's been out in the wild for some time. Karissa (28:45) Well, yes, it's a good barometer, because, I mean, otherwise you're just having a stab in the dark and then like I said, get to the end of it and go, okay, well, I wish I would have known this. So in terms of the joint accountability in your experience, do you think a lot of people are taking this approach or do you think it's still a little bit immature from the customers that you're sort of working across or what you're seeing in the market? Anthony Woodward (29:06) So what we're seeing in Logicalis, is the full spectrum. A lot of our customers that we deal with on a day to day basis are kind of coming at security from the perspective of understanding the core compliance need for it, understanding the risk and the potential upside that being well secured as they go through digital transformation and go down that road of transformation can help. But the main thing that they almost universally say to us is that there's a number of options out there and a number of ways to solve this problem, just too many to process. What they really need is guidance and help and an understanding of how they should be solving these problems. That generally tends to be the case. So it's those organisations that have a big greenfield innovation capability that are tending to put some of these joint accountabilities and devs and ops and the platforms around that in place at scale. But for the most part I think that's kind of the early adopters. I think for the most part a lot of organisations are still in the mode of looking at security as something that they come to later. Anthony Woodward (30:20) And that's really why it does come down to the supporting platform that enables you to see the scoreboard, that then you can determine how you want to split the accountability. But literally, there's no politics. You're just looking at the scoreboard and you can work on how to move the needle of that. And that's why we think that the core platform that you use to manage that security in that sort of scenario has to be one that everybody can see and work too, and have joint accountability for the scores that it reports. And it's, if you're like, an independent umpire of how secure you are. Karissa (30:52) So for business executives or leaders listening to this and they may be aware that they are looking at security leader, what would be your top three advice you could sort of give to people they can take away from today's interview that they can start to talk to the team about internally? Anthony Woodward (31:10) Number one, I would say, is to whenever you're thinking about an innovation cycle. So solving an external customer problem or internal customer problem through the cycle of innovation really have people who are security aware in that conversation from the start, because they can ask difficult questions, but they can also have the design process think about how to put security into what's being built from the beginning. And people who are able to hold those conversations would also be aware of the different platforms that might be available to the platforms of instrumentation, such as what we've been talking about here. So if I think about from a logic Alice perspective, we have a product that leverages Microsoft Azure Sentinel and there's a lot of telemetry that can feed into that. So you start to build the lexicon and the scoreboarding and the visualisation and the actionable insights around the security of your organisation, even before you've developed anything new. Where are we right now? And what will adding these new things actually do to our security rating our security score. So that's one component of it. I think the second one is to really not think of how you release new capabilities and the results of innovation as two separate components. Anthony Woodward (32:35) First we innovate, then we secure, then we go into production, try and get that security built into the innovation cycle from a coding perspective so that's that dev step ops capability, think about what platforms could support doing that. And then, of course, the last one is to sort of just always remain vigilant. So don't think that that's going to solve it. You still need that independent umpire checking in on a regular basis to say how we going with our security, is there new stuff coming that we need to be thinking about? Do we need to do more end user training, which, as you and I both know, so much of cyber security. Security incidents comes from what end users do, mistakes they make, links they click on that they shouldn't, etc. So it has to be part of a holistic conversation around security. It can't just be just about the innovation cycle, but if you have the right platform in place and you can innovate faster, that's where it starts to become an enabler and something you can actually outpace the competition on. Karissa (33:38) And so, just to clarify, independent outpie, do you mean then a security person sort of coming out and overseeing things a bit more manually? Is that what you mean by that? Anthony Woodward (33:47) Instead of checking in, it could be independent penetration testing, it could be external security auditors, it could be somebody coming in, even as simple as someone coming in and helping you road test your BCP, because the recovery of information off the back of a security incident is a lot of times where organisations get stuck as well, so that goes down a different rabbit hole of recovery. But the point is, you need to think about security as a holistic part of the business and ultimately, like with financial results or any of those other things, at some point, there is a role for an external dispassionate view of your security capability to be leveraged. Karissa (34:33) Operative weather. You just said there was holistically. Do you think, in your experience, people think about security holistically or do you still think it's still this independent, it won't happen to me, I'll think about it later, I'm not going to embed it at the get go. Is there still a bit of that that you're hearing? Anthony Woodward (34:49) We're seeing something like 70% of organisations acknowledging that security is a potential problem for them, so in the vast majority, it's definitely front and centre. It's one of the top three concerns of CISOs, measured both locally and globally. So I think the era of people thinking it's not going to happen to them as past the era we're in now is, I know it's going to happen, but I'm not sure what to do about it. And that's really where the opportunity is for a lot of organisations to lose their way because there are so many different options for how they can solve that particular problem. Space. So while such a high percentage of organisations know that security is an issue, there's probably a similar number who don't believe their security is adequate at the moment for the situation that they're in. So if you think about that, that means there's a lot of sleepless nights out there. Karissa (35:47) Great point. I totally agree with you. So do you think people are starting to do something about it now, like sleepless nights? They know it's a potential problem, they don't have all the answers. Are people starting to do their reconnaissance and then starting to do their due diligence on organisations? Or do you think that they still feel perhaps overwhelmed because there is a lot of cybercurity players out there is a lot of people saying we're best in breed and we're the best consultants you've seen. How do you navigate that if you're a customer? Anthony Woodward (36:17) I guess what we see quite a bit is security now starting to get on the agenda from a board perspective and not just from, hey, it's that time of year, let's have a look at our security score from an external security consultant perspective, but something that is a core risk that comes onto the agenda of a board meeting, every meeting. What does our security score look like? How are we rating our security capability against threats that have come up since the last time we met and what might have changed in the meantime? So it's definitely becoming part of the conversation and you can bet that if security becomes a risk that the board has a focus on, then they're going to want to know what the execution is off the back of that. So they're going to want to ask the CEO and the CEO's team, what are you doing about our open security risk here? We need to close this out so the conversation is definitely not going away. Does that then lead into the overwhelming situation? Quite a bit, we find it does quite a bit and that's really where rather than having lots of different little bits and pieces that solve the different parts of the security problem inside an organisation, we feel like we can see a lot of scenarios. Anthony Woodward (37:34) We're having more single platform makes that easier for organisations to do. Can you find a platform that can touch all of those parts of your information technology platform together? Look at it all together. There's not very many options out there that can do that. There's a few, but there's not a huge number. But that's one of the reasons why we chose the Microsoft Samsung platform as a core component of our security offering, because it is so far reaching and so available. Karissa (38:05) So in terms of final comments, closing remarks, we spoke about security as enabler, we spoke about how to get your team to talk to another. Is there anything you'd like to leave our audience with today, Anthony? Anthony Woodward (38:16) I guess there's a couple of components there. What we are increasingly seeing. Apart from security being literally a top three or a top two or even the top consideration in many organisations when they talk about their information technology platform. You should know that there are. Apart from the different security vendors that are out there. There are a lot of now implementers. Managed service providers integrators like ourselves at Logic. Carlos. That have a very deep understanding all the way from the business problem. Which is what is the crown jewels. What is the data that we're trying to protect and why? What are the compliance and regulatory reasons for doing that all the way through to how have we actually implemented the controls right down to the end user level and that approach, there are many organisations now that are starting to get that capability. So I guess the takeaway there is. Don't feel like you've got to cook all this yourself. But on the flip side of that. It's still very important that somebody barely senior in the organisation carries the accountability for managing the risk of information security. Because it's organisations where that hasn't been covered off particularly well is where it's difficult for them to get traction. Anthony Woodward (39:39) To do something about it. And it's difficult for them to get budget and it's difficult for them to have the conversations such as the ones we've been having on this call. I think those are two very important takeaways for organisations to consider. Karissa (39:55) Like I said, it's not easy to have these conversations and again, it's a process, it does take time. Every company is different, everyone's at different stages. Like you said earlier, with the experience, we need to be able to embed the joint accountability. So I think it's been great having you on the show today, sharing a little bit more about your insight, because you've obviously got a lot of experience come from that development background yourself. So you'd really seen it firsthand and now you're seeing it more at the executive level and you'd be able to provide a lot of insight with people that are listening to. So really appreciate your time. Thanks, Anthony. Anthony Woodward (40:28) Thanks so much for having me, Karissa. Karissa (40:31) Thanks for tuning in. We hope that you found today's episode useful and you took away a few key points. Don't forget to subscribe to our podcast to get our latest episodes. This podcast is brought to you by Mercsec, the specialists in security search and recruitment solutions. Visit mercsec.com to connect today. If you'd like to find out how KBI can help grow your cyberbusiness, then please head over to KBI.Digital this podcast was brought to you by KBI.Media, the voice of Cyber.