The Voice of Cyber®

Episode 155: Elliot Dellys and Daniel Hood
First Aired: January 11, 2023

Elliot Dellys (PCI QSA, CISSP, CISM, CIS LA) is the founder and Chief Realist (CEO) of Phronesis Security, Australia’s first B Corp certified cyber security consultancy, with a mission to do ‘cyber security for good’. Previously, Elliot worked for the Australian Signals Directorate and a global managed service provider, where he led the Strategic Consulting division across the Europe, Middle East and Africa region. Elliot is also an industry-recognised information security content publisher, with articles appearing in Computerworld, CSO, Australian Cyber Security Magazine, and InfoSecurity Magazine, covering topics such as cyber security in diplomacy, threat forecasts, and the challenges of coordinating cyber security efforts across government and private industry.

Daniel Hood is the Chief Optimist (CTO) at Phronesis Security, Australia’s first B Corp certified cyber security consultancy. But more importantly, when Daniel isn’t helping organisations build secure architectures or sitting on the boards of charities, he is playing hockey in his tuxedo for nachos. A former Director for a global MSSP, Daniel has seen it all – from misconfigured security technology to out-of-control cyber incidents to misspent budgets. As the Chief Optimist, Daniel runs the Penetration Testing and Security Architecture teams and believes deeply in helping his clients reduce wastage and headaches. He has been in the industry for over a decade in a variety of roles, ranging from network security engineer for Australia’s largest network to a security architect performing an uplift to the cyber security of a few small nations’ governments.


Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Introduction (00:17) You are listening to KBKast, the cybersecurity podcast for all executives cutting through the jargon and hype to understand the landscape where risk and technology meet. Now, here's your host, Karissa Breen.

Karissa (00:32) Joining me today is Elliot Dellys, Chief Realist, and Dan Hood, Chief Optimist from Phronesis Security. And today we're discussing what diversity of thought really means in this industry. So thank you both for joining. I know it's taken us, like, almost a whole year to get around to recording today's episode because I've been sick. You guys have been busy, I've been following your journey, so I'm going to go to you, Elliot. I want to start with the mentality you foster, which is diversity of thinking and diversity of thought. Now, talk to me about this, because I've definitely got some theories, but I want to hear it from you first.

Elliot Dellys (01:09) Yeah, for sure. Look, first, it's great to be finally talking to you, KB. We've been trying to line this up for a long time and I appreciate you giving us the time to have a chat about it. Diversity of thought, it means a lot to me because it's quite close to home. For some context, I started my career with a philosophy and communications degree and entering a highly specialised and technical field. I was very self-conscious about this. I'd go as far to say I was even kind of embarrassed about the fact that I had an arts degree and I was surrounded by people that had sort of, at least at the start of my career, forgotten more than I even knew. But as my career developed, I found so many of the root causes to security issues were fallacies or gaps in reasoning and confusing correlation with causation and a lack of good critical thinking and a lack of good communications. One of my favourite sayings is, those who are good with the hammer think everything is a nail. And I think that's so true of specialist industries.
And that's not to say that we don't need deeply technical skills.

Elliot Dellys (02:08) Obviously we do. They're critical to making it all work. But the more specialised we get, it becomes easier to become blinkered. And the deeper down the rabbit hole you go, the harder it can be to sort of recognise that you might have become blinkered in your thinking. And I've seen it firsthand. The best example I can give is I've run threat modelling workshops where the admin staff just have the best insights because they're the people that know all the gaps and all the workarounds that they use to actually get things done. So whenever we run these workshops, I always encourage EAs and PAs to get involved because often they're the ones who know how things really work. I've also seen it in things like, for example, doing some work with law enforcement and having these sort of field cops come in and starting to get some cyber training and they just come up with these weird and fascinating attack vectors that are built from their real world experience of doing policing. Because, you know, they're investigators, they're detectives that know how people hide their behaviours, they know how people operate. And then when that gets translated to the cyber realm, they come up with these great insights that you just don't get if you just see the world entirely through an IT lens.

Elliot Dellys (03:10) And also, as well, this is reflected in our job titles, the reason that we call each other the Chief Optimist and the Chief Realist. Even though I think we sort of go back and forth between who's the realist and who's the optimist on any given day, this is really about what we talk about. We talk about penetration testing each other's thinking.
And what we mean by that is Dan and I have very different backgrounds, we have different perspectives, we have different solutions, and we often find that we'll come up with a different approach to a problem and then we sort of nut it out together and pick the best of both of our ideas. And often that's what comes up with really cool and innovative ways of tackling these tricky issues.

Karissa (03:44) Wow, you've nailed it. So I think that those are really interesting thoughts and observations. So I'd like to ask a few more questions, but, Dan, I'm going to get to you to hear your thoughts first.

Daniel Hood (03:53) Yeah. So, for me, diversity of thought is pretty key to cybersecurity. I think it's a really underplayed major value that every organisation should have. My career, especially, started at Telstra. I dropped out of high school, didn't go to university, and really no degrees existed at the time for cyber security specifically. It was really shown in the cyber security team I was working in. At Telstra, we had someone who had a Bachelor of Town Planning and had been an urban planner for a while. We had someone who had done civil engineering as their background. We had other people from marketing and all of these different really interesting backgrounds. It was great because when we had problems come up, we would have these people throw in solutions from their backgrounds and it was just really interesting to see what solutions would come out of it, because a lot of times other industries have already solved the problems that we have in cyber. Marketing especially, is probably a pretty key example of this, because they just know how to communicate with people, how to get an idea across, how to communicate it well, how to get people engaged in that idea.

Daniel Hood (04:53) That's almost such a key piece missing of cyber is finding that way to really get everyone involved.
Another good example I always like to tell people about is a friend of mine studied computer science previously, decided he absolutely hated it. This was quite a few years ago, but finished the degree anyway. He ended up going into working on a couple of ships and was doing I think it was some kind of navigation or something like that. To be honest, I don't actually know what he was doing on the ships. But he watched, basically, as some of the captains and some of the guys working on these ships would spend days mapping out trips on these big paper maps especially. I think they were doing some kind of, like, oil or resource discovery type work, where they would go and have to hit like, 100 points in the ocean, measure something, and then come back and bring that data back. And so he immediately looked at these paper maps and was like, this is the travelling salesman problem. It's the standard problem taught in computer science. So he created some software and was able to reduce this planning time from days to basically seconds.

Daniel Hood (05:49) And now he's ended up turning this software into his business and it's pretty much his main job these days, is just creating this maritime software. And I think you see that across, I guess, every industry where people come in from other industries that have solved these problems that we've got, we don't even realise that they have solved them and got these elegant solutions. And so bringing in this diversity of thought is really cool. I think personally I've seen people that have done jobs before and really like the diversity of thought that I think comes into value, as well as people who have worked in the industries that we're trying to secure. So, for example, I used to work with basically someone who was a nurse and worked a lot in healthcare IT and things like that. They moved across into cyber.
And it was really cool because they were able to give these cyber recommendations, but understanding how they fit into the wider process. And also as they were communicating them with these nurses and other healthcare workers and explaining the recommendations they had to do, they understood the pain and had empathy for just basically how big of a task this is, or how some of these recommendations would harm the usability or accessibility of their business.

Daniel Hood (06:53) And just understanding that it would take extra steps or extra process. They understood that pain and were able to talk to that pain and really empathise with the people. I just thought that was absolutely awesome because it just got us such a better outcome on those kind of projects.

Karissa (07:05) Yeah, those are excellent stories and I think you're spot on with especially your friend that didn't like doing the software engineering degree but then worked on a ship and how all that sort of played out. So I really appreciate you sharing those stories. And the marketing one is an absolute winner. So the thing that I really want to know from both of you is, and I mean, I'm going to ask a hard question, is there's so many people in the industry like, oh, diversity, diversity of thought, and this is what we need to do, but is that genuine? Note, and I say this because I've worked in big corporates before, they've got to say these things. And sometimes, and I'm not saying all people like this, there are some people out there, it just doesn't feel genuine to me. Now, I know that you will both have very different views because Chief Realist, Chief Optimist sort of vibe going on here, but I really want to hear it from both of you. So, Dan, I'm going to go to you first and Elliot, you can jump in after.

Daniel Hood (08:00) I think in my own career, it's been kind of an easier one for me to take on the diversity side of things, because I've had so many just natural diversity type things come up that I've had to hire. And so, you know, for me, I see diversity as it's diversity of backgrounds, culture, thought, experience, knowledge, degrees, all of that. There's not really one thing that I'll say, oh, yeah, that's diversity. But for me, personally, I've just seen so many, so many times in cyber where we've hired people with just odd backgrounds and they've come in and just absolutely owned the place kind of thing. They've just delivered projects that we thought were pretty undeliverable and, you know, timeframes that were pretty undeliverable and things like that. It's really interesting to see when you take a chance on someone who's really keen and passionate about getting into cyber and just seeing how they go with that diversity of thought thing.

Elliot Dellys (08:49) Yeah. Look, continuing on from what Dan said, I think that to your point about lip service, KB, I think this is really important because I think organisations do genuinely recognise the importance of diversity. I think it's not having a good vision of how to execute on that. That's the core issue. So what do I mean by that? I love this analogy of the blindfolded people who are touching the elephant. I don't know if you know this one, but the idea is that you've got three or four people with blindfolds and they're all touching an elephant, one person's touching the trunk, another person's touching the tail, another one's touching the body, and each of them in their mind, has a different image of what this elephant looks like. And based on their experience, I mean, it's completely rational to think that this thing looks like a long snake if the only part that you have touched is the trunk. And really what the industry needs is more hands on the elephant.
The more perspectives that we have, the more complete a picture of the elephant that we ultimately get. And this is where, coming back to this idea, Dan and I pen test each other's thinking.

Elliot Dellys (09:49) This is why diversity, I think, is so important. We need to be able to pen test each other's thinking. And that comes down to having different lived experiences, different cultural backgrounds, different skills and training, having worked in different industries and different organisations. Exactly as Dan said, diversity is this sort of mosaic of all these different experiences that someone has had up to this point in their life that gives them a different view of what a cyber challenge or what their elephant actually is. And so if we want to avoid having a lip service approach to diversity, we really have to think about, okay, if we want more perspectives, if we want a broader variety of lived experiences in our people, well, how do we tackle that? And if we tackle it just as a recruitment challenge, then I think it is going to be, unfortunately, a bit too superficial and doomed to fail. Because really what we need is to be getting in early and encouraging people to think about these big picture problems, most importantly, having a vision of their place in the industry, because that happens years before someone actually puts in a job app.

Karissa (10:46) Yeah, very interesting way of looking at it. No, I haven't heard that analogy about the elephant, but I like it. Okay, so here's my next question, and both of you, would love your thoughts on this. You go to a conference, someone gets up there, they start talking about something technical, but there's going to be some Johnny in the audience will say, oh, well, son, I've got like 30 years in this space and this person may have two, but this guy is a weapon. So then I think it sort of then is counterintuitive to the whole diversity of thought, because both of you are absolutely correct in what you're saying.
But then I think if you actually were to go out there in the market, yes, some people think like that, but then again, there's always someone who is pessimistic that's always saying that, oh, but I really earned my straps in this space and you haven't. What are your thoughts on that, Dan? Elliot, who wants to jump in first?

Elliot Dellys (11:35) Look, I might jump in at first with my two cents, but then I know Dan's got an awesome example about this one. So I'll hand it to you. My view of this is the key to change is getting in early. What we want is early education. We see this in Europe, is actually providing cyber education programmes in schools so children can develop a vision of their place in the industry and have role models and feel like they have a part to play. That is really I think, the heart of this is that you need to get in early, because if you're trying to convince people by the time that they've finished university or maybe they're looking to make a career change, then you're kind of relying on luck and talking from personal experience. I never thought that I'd end up in cyber security when I was at school or university. I more or less fell into it and ultimately that's what we need to change in the long term. And I also say, well, this is also reflective and the way we put together our resumes. Everyone always talks about the importance of soft skills, but if you look at a standard cyber resume, the first thing is for the technical certification.

Elliot Dellys (12:30) Again, they are critically important. But what I always ask candidates is we need to focus on outcomes as much as skills and capabilities. And we need to genuinely invest in those soft skills, things like project management training, leadership training, management training, negotiation training, de-escalation techniques. Because so much of cyber security is about achieving compromise and that's a real skill.
And we need to make sure that we're encouraging investment in not just getting those technical certifications, but also understanding how to apply those in a pragmatic and empathetic way, because that's what it's like in the real world. And Dan, I know your example about the way that cyber's approached in Germany is a fantastic case study of that.

Daniel Hood (13:08) It's not so much the way cyber's approached, it's computer science. I lived in Germany for a while and lived in a university town and they had a really good programme around. Basically I believe it was a four year degree and you did sort of three months per year as almost like a TAFE training course in computer science. So they would teach you how to develop code and the concepts and things like that. And then they had all of these internships set up for IBM and places like that, where for nine months of the year you would then go and work in an organisation developing code. I believe the organisation would get some kind of tax benefit for having all of these internships. There were so many internships available and things like that, but it meant at the end of that four years, people would come out with basically like four times nine month internships plus this year of great PewDiePie's experience. And it gives them a chance to really apply the theoretical and the practical. And I just really liked the way that that was set up. Going back to your comment before, KB, around basically those people at conferences and things like that, that basically say I've been in the industry for 30 years.

Daniel Hood (14:14) These people coming in with no experience and sort of looking at that and talking about diversity of thought, I think, look, there is some validation in their understanding that, look, people with that 30 years of cyber experience or ten or five, look, they have seen a lot and there is value in that skill. Just remembering that those people. Yeah, look, they have seen a lot.
I think there's some validation there, but in saying that, I found myself that I've seen it all before, but I often get locked into my own thinking where I've seen the way something goes ten times and it's gone X way ten of those times. So I then get locked into thinking, all right, it's going to go that way every time. I've actually got a really good grad at the moment that works with methodsis and basically he questions this every single time. And it's so valuable because the number of times I'm like, yeah, here's how this is going to go. It's going to go X-Y-Z. And he's like, well, what about A? And it's like, look, that's a good point. I haven't really thought about that in a while.

Daniel Hood (15:09) And a lot of times we find that it then does end up potentially going another way. I've done a lot of these projects, but some of my knowledge is years old and things have changed over time. So it is really valuable getting both that sort of junior experience where they're coming into the industry, they're fresh eyed, they haven't seen it all before, they've read it in books, but they're kind of questioning, but also that old, I've been in the industry for 400 years, or whatever, approach of I've seen a lot of it before and here's how it usually goes and here's some of the risks we see and things like that. I think you really need both as part of your diversity of thought. There is real value in those grads and those juniors coming into the industry who are just passionate and want to ask those questions and want to understand that, yeah, there is some really good value from them.

Karissa (15:52) Yeah, you're absolutely right. And I'm definitely not trying to negate people's experience because I've almost got 15 years of experience, generally speaking. And I think that when you reflect back on it, you're like, yeah, I do know some things.
So I genuinely absolutely I'm hearing what you're saying, but what about this sort of elitism of so probably a little bit in terms of arrogance or a little bit further on from your point? There's people sitting there saying, well, yes, I've got 30 years of experience and I'm more better than you, rather than, hey, I really value your opinion, because what I'm hearing from you, Dan, is you're saying, like, the grad, for example. Like, yeah, of course you got more experience than the grad, but you're also willing to take on board that feedback. So maybe for both of you. How do each of you go about pen testing each other's thinking? And do you ever get into sort of debates over it? Keen to hear your thoughts, Elliot?

Elliot Dellys (16:46) Yeah, constantly. This is one of the wonderful things about working with Dan is that we can argue tooth and nail about something, but we're able to distinguish our personal beliefs, our feelings, from the argument in front of us. And that's super, super important. I think the key to this is it's staying humble regardless of where you are in your career. Having humility is super important. And obviously I've been doing things a particular way for a long time, but I'm always willing to consider the possibility that I'm wrong. And I think that's super, super important. And that's pretty much all I have to say on it.

Daniel Hood (17:23) Yeah, I'm always happy to debate things, especially since I'm usually right and Elliot's usually wrong. No, I'm kidding. I usually find it's really interesting because even our diversity of backgrounds, where Elliot's got this very government based background, where he's dealt with some really complex threats, and there's a lot of organisations that talk about wanting to defend against APTs. But I think Elliot's probably one of the few people that I've seen in the industry that actually has experience dealing with APTs, where a lot of my background is a lot more of that simplistic.
I'm just dealing with a lot of, like, smash and grab incidents is a good way to put it, from smaller cybercrime groups and smaller threat actors, basically. And so we have this constant debate between us where I'll create a standard or something that really applies well to those sort of smash and grab attacks and the low risks. And Elliot's like, well, you thought about the more complex ones, because here's what I've seen in the past. You get this really interesting output of basically trying to cater to those two environments and we kind of meet somewhere in the middle that actually works out being a better product overall.

Daniel Hood (18:20) I mean, you realise that it's almost like in the debates and in those ones where we almost have disagreements, that's where the best product comes out of and the best outcomes come out of, because it comes out of two sets of vastly different experience. It's everything. Even in the way we work, I find where the number of times Elliot's like, hey, I've got this technical problem, or, hey, I just need this finance sheet whipped up quickly. That's my forte, is just getting something out quick, getting the sort of 80% done as quickly as possible. I then find Elliot's really good at the communicating with people, really, you know, writing elegant words where I'm very much the engineering type of, you know, black text on a white background is perfect and, you know, Elliot swoops in and really like, polishes it off and works well. And it just seems that the more you recognise that everyone's got experience and knowledge and things like that, and no one's really better than anyone else, we're just different. We've got different benefits and different disadvantages. We just need to realise where we've got weaknesses and things like that.

Daniel Hood (19:18) In KVT, for example, I've seen a lot of those elitist personalities at cyber security conferences and yes, you're right. I've seen those people around.
I've heard those comments, and it is very frustrating to deal with. But equally, I've seen just as many people who are so excited to see these new people come in. At the Acer Conference, I went to one of the presentations. I can't remember what the title of the presentation was called, but it was someone basically, who had just recently come into the industry and they were talking on threat intelligence. It was really cool because there were some older, more experienced personalities in the room and they were kind of like, look, they've got some points wrong, but in the same respect, it's really cool that they've jumped in and they've given it a go and they're learning. They were like, I want to go up and chat to them afterwards, give them some points of feedback, tell them where they've got it right, and just kind of help them along where they've got it wrong. And I'd love to hear more of their thoughts on this particular topic or thing. It was really cool to see people who are passionate about helping others at the conference as well.

Karissa (20:13) Wow, that's excellent. That's awesome. I'd love to hear that. And you are right. So hopefully over time, those elitist people will fade out. But one thing I'm curious to know now, actually, after hearing both of you and your sort of philosophy and pen testing each other's thinking, for people who are listening, that are in a startup like yourselves, or they're running a team, how do you sort of foster that environment? How do you sort of say, all right, guys, we're going to take this pen testing approach? Because I heard Dan and Elliot speak about how this complements each other's skill set. Where can people start?

Elliot Dellys (20:49) I think transparency is key, and this is also something important. The pen testing our thinking isn't just between Dan and I. It's something that we invite from everyone in the business. And exactly as Dan said, some of our best suggestions have come from our genius staff.
And obviously, there's a line to take. There's an audit methodology. And an audit methodology is not really up for debate because there's good reasons why we have, you know, defined audit criteria and we have to respect the segregation of duties there. There are some elements to the assessment process that you just don't tamper with, but other than that, really, I would advise every assessment that we make, every finding that we have to be critiqued. And if you look at things like open encryption standards, the reason that we have such trust in them is because they're subject to so much scrutiny over such a long period of time. And that's the sort of philosophy that I like to foster within our business as well, is that if you genuinely want people to pen test your thinking, then you have to create a culture that's conducive to it and you have to create a safe space where people can feel comfortable, to put up their hands and go, why do you do it that way and not feel like they're going to get penalised for doing that?

Daniel Hood (21:57) Yeah, I reckon it's also about setting aside time and making it a priority. If your team is pretty busy all of the time working on things, you don't really get that time to actually sit down and brainstorm and have discussions and things like that. You'll really struggle with it. And I think yeah, and struggle to find time to really think about it and come back with that interesting feedback and those interesting questions. A thing that Elliot and I often do is just take an hour out of our day to have a bit of a discussion, discuss what's going on, question each other, all of that sort of thing, and it's really helpful. Or one of us will be doing a project, writing the proposal for a customer to then propose it to them and they'll say, hey to the other one. What do you think of my approach? And we come back with some interesting things. We get that from the whole team.
Working with a few of my team members at the moment on an interesting project proposal and just getting their feedback. And it's really interesting where I think they've probably contributed about 80% of the content because they had more interesting ideas than I did and better ideas to complete it.

Daniel Hood (22:52) And I think that's really what it comes down to. Like Elliot said, it's just about creating that safe space to ask for feedback, reminding people that there's no stupid questions, all of that sort of stuff.

Karissa (23:03) That's excellent. Yeah, this is really helpful and it's definitely going to be helpful for our listeners as well. Now, I want to move on to the last part of our interview. Now, it was public knowledge a few months ago as I started the interview with, of course, who has Delay X? I had laryngitis, you guys got busy, et cetera, but that Phronesis became the first cyber security company in Australia to become B Corp certified. So, firstly, congratulations. And secondly, and then thirdly, I think people don't actually really understand what B Corp means. And I asked this because I was speaking to someone at a conference the other day that was like, hey, what does that actually mean? And then my follow up question to that would be, what was the motivation to do this? Dan?

Daniel Hood (23:45) Yeah, so, look, I'll be honest, and I've seen B Corps around prior to joining Phronesis. I've kind of seen the logo and was like, yeah, I kind of know what that is, I think. And then when I joined Phronesis, Elliot was like, yeah, we're going full into B Corp and I guess I had to learn a lot more about it. So I've kind of come in from that aspect of not really knowing what it was prior to joining Phronesis. So B Corp, if I can kind of put it in some simple terms, is really looking at how you become a socially and ethically responsible company to some extent. It's looking at how carbon neutral are you?
What is the multiplier of your highest paid employee to your lowest paid employee? How much leave do you offer your employees? It's basically sort of treating people with decency and respect and treating the environment we operate in with decency and respect. And look, I would try and describe our motivation in the process, but I think Elliot absolutely kicks us out of the park every time he has to introduce it. So look, I might hand over to you Elliot, to introduce why we did it motivation wise.

Elliot Dellys (24:43) Sure thing. Look, in a nutshell, the B Corp certification says that as a for profit business, you are also committed to having a positive social and environmental impact. That's fundamentally what it's about, is that you are not simply trying to make as much money as possible to the detriment of the welfare of your employees, the welfare of your supply chain, the welfare of the environment. That's fundamentally what it's about. The reason why it was so important for Phronesis is because we did establish this corporate philanthropy model as well. We wanted to be accountable. And what I mean by that is we wanted to demonstrate that we follow through on our commitments. Our mission statement is that we want to do cyber security for good and we want to be really transparent around how we're doing that. So there's a whole corporate governance structure that sits around becoming a B Corp. So we embedded a commitment to social and environmental responsibility into our constitution, into our shareholders agreement, into every single employment contract. It's a KPI within everybody's performance agreements. It's something that is in the DNA of the business. And becoming B Corp certified was a way of demonstrating our ongoing commitment to that.

Elliot Dellys (25:52) And that's also an important point. You know, becoming B Corp certified is kind of like the start of the journey, not the end of it.
What I mean by that is, much like an information security certification, there's surveillance audits, there's continuous improvement. And the idea is that you're constantly thinking about and improving the impact that your business has. And that thinking about component is really, really interesting as well. The business impact assessment that you have to do as part of the B Corp, I would recommend every business consider doing it, even if they're not planning on becoming a B Corp, because it just gets you thinking more deeply about how you create a positive impact in your work. And I think that this is really awesome for the cybersecurity industry as well, because just by virtue of the fact that we work in this industry, we create a lot of positive impact anyway. We protect sensitive data. We empower people to protect their digital lives. But like one tangible example, there was a component of the business impact assessment that we did that talked about do we have dedicated policies to support victims of domestic violence?

Elliot Dellys (26:49)
And at first glance, I thought this seemed like a bit of a less shield scene. I thought, well, what can you really do as a company? So I looked into it and I saw that the Queensland Government had produced what they called the Not Now, Not Ever report, where they had a list of different measures that companies could put in place to help support victims of domestic violence. So we ended up going back and amending our HR policy and changing the way that we process some of our leave to be able to accommodate the recommendations of that report. And that's something that we just probably simply never would have considered had we not done the business impact assessment. So that's what it is and that's why I feel like it's so core to, you know, who we are as a business.

Daniel Hood (27:24)
For me, practically, it was really interesting.
Elliot gave me this task of looking through some of the B Corp impact analysis and kind of try to figure out ones that I could add to. So I found this one on sustainably sourced furniture and I was like, all right, this must be pretty easy to give our team sort of a list of here's five websites or stores you could go to to buy sustainable furniture. And I thought, all right, this will be a five minute job. I'll quickly knock this out of the park sort of thing. And about 3 hours in, I was looking at all of this different sustainable furniture and I realised that A, there's so little available, and B, it's almost like each manufacturer or wholesaler has some sustainable furniture. And then you have these websites and stores that sell 50, 60 different suppliers of furniture. I had to create this weird complex list of, oh yeah, if you want to buy a side table, or you can go to this one website and it has to be from one of these two manufacturers who make sustainable tables. I just realised how, almost like you take for granted the idea of, oh yeah, it's really easy to be green and sustainable, you've got to spend money.

Daniel Hood (28:29)
But no, it's actually a lot harder than I thought to find these providers and find these organisations that really care about sustainability and the environment and just the world we live in. It's just a really interesting one for me, where I thought it was going to be a five minute job. Nice easy one. I'm sure everyone wants to be sustainable and stuff like that, but in reality it actually took hours to figure out.

Elliot Dellys (28:51)
And that's a great point as well around the supply chain that Dan raises there. Because part of this as well is we want to attract clients and we want to attract staff that share our values. And having gone through the process, when you see another business that's got B Corp, you kind of go, we've had a shared experience.
We know what that's like, we know the amount of thought that you have to put into this and it provides an indication for people that, hey, these are the sorts of values that we live by, and if you see the world the same way we do, we're keen to work with you.

Karissa (29:18)
Yeah, I love that. I think that's excellent, guys. I really appreciate what you're both doing. It's definitely come a long way since the Mad Men era, if you've seen that show. So we're taking a very opposite end of the spectrum, which I highly appreciate. So do you envision, then, Elliot, based on what you both said, that more companies will become B Corp certified? Are we going to see a shift in more of them popping up or what are your sort of thoughts on that?

Elliot Dellys (29:46)
I'd love to see that. I mean, fundamentally, this comes down to a question of what sort of future do we want to live in? Do we want to live in a future where every corporate entity is just out to make as much money as possible? Or do we want to have a future where all hands are on deck to prevent disaster and support the disadvantaged? And I think everyone would share that vision that we want to live in a society where empathy and care and respect is built into the fabric of what we do, whether it's in our personal lives or our professional lives. And I also feel like it's a lot of small changes that result in significant change more broadly. And again, I don't think that Phronesis has all the solutions. There's a million different ways to approach this, but this is our view of how we can contribute. And I'd love to think of a future where every organisation, it is the norm rather than the exception, to think about how you can build in some sort of positive impact into your day-to-day operations. And also as well to go, hey, this doesn't have to come at the expense of growth.

Elliot Dellys (30:44)
Either you can donate money to high impact charities or you can do pro bono work, or you can invest more in your people.
And it doesn't mean that you're not going to be able to have a thriving, successful business. And I think that's really important too.

Karissa (30:58)
Yeah, that's interesting. I think time will tell. I think there's a few that have popped up recently, but again, I think it's becoming more ubiquitous, so I guess time will tell on that one. But I'd like to sort of quickly discuss both of your thoughts and your beliefs on the role of corporate philanthropy. So would you like to share any of your thoughts on this?

Elliot Dellys (31:18)
My view of corporate philanthropy is fundamentally, if we expect governments to do all the heavy lifting when it comes to change, we're going to be knee-deep in water before we start seriously dealing with our carbon emissions, for example. So the role of corporate philanthropy to me is really just thinking about how do we spend our time and how do we spend our money. Again, in terms of spending our time, when it comes to cyber security, so much good is created by virtue of the work that we do on a day-to-day basis anyway. So even things like, for example, gains and pro bono work, you can generate thousands of dollars of value for organisations because this is expenditure that they don't otherwise have to have. We have valuable marketable skills. So thinking about how you can use that to support organisations that are doing the hard fight, I think is really, really important. But the other thing as well, and something that we've thought very deeply about, is choosing the charities that you work with as well, because there can be orders of magnitude of difference based on the organisations that you support.

Elliot Dellys (32:16)
And fundamentally, this comes down to the fact that as a commercial business, bad products fail because consumers purchase those products, if they don't like it, they're not going to buy them again. Whereas when it comes to charities, the beneficiaries are typically not the donors.
So it can be harder for charities to identify issues and fix issues because that feedback loop isn't necessarily closed. And the other thing is, the reason why I feel like corporate philanthropy can have such a significant role to play in building this sort of future is because you can just scale impact in such an amazing way that's so difficult to do as a consumer. So, for example, if you've really got a thing against caged eggs, if you convince a friend to stop eating caged eggs, you might prevent two eggs a day coming from a battery farm instead of a free-range farm. If you can convince your local cafe to make a change to a supply chain that can turn into hundreds of eggs a day, that come from a more ethical source, then if you look at like a global change, you're talking about thousands per hour. So that's why I feel like thinking about the supply chain and thinking about donating money that scales with growth has such an inspiring potential for impact.

Elliot Dellys (33:23)
Because when you're talking about a corporate scale, you can just create changes that are so difficult to change as an individual or even as a group of consumers.

Karissa (33:30)
Yeah, that's excellent. I love that. I think I love the way you're thinking. I love the way that both of you are very, again, complementary. One thing I just want to ask quickly on that probably then to you, Elliot. Do you remember back in the day, even when I started working, it's all about the shareholders. It's all about how much money we can get. Are we going to see these types of leaders and people fade out over the coming years?

Elliot Dellys (33:54)
Okay, now you're truly philosophical. Look, I think human greed is something that will always exist. Where I am hopeful is if we can create a system where human greed is harnessed for common good rather than just the success of the individual, then we'll do something that is truly game changing.
I don't know whether or not that's going to happen as a result of something like getting a B Corp certification. I think there's components of human nature that will always exist. But what I think is that if we give people a clear path to how they can have a positive impact on the world around them and we can create a society structure that rewards that and supports other people, I think most people are fundamentally decent human beings and will tend towards a system like that rather than one of sort of mutual exploitation and mutual gain. And maybe this is where I become the optimist. I would like to think that a future like that is well and truly within our grasp.

Karissa (34:52)
Well, those are excellent points. I've loved everything you guys have shared today. I think it's very valuable and it's a different approach that I've had on the show. So I appreciate both of you spending the time today to talk to me. In terms of any sort of final thoughts or closing comments, I'm going to give you guys an opportunity each to share what you'd like to leave our audience with today.

Elliot Dellys (35:13)
Yeah, I'll jump in super quick here. Look, I'd say October of 2022 is probably going to go down as one of the worst months in Australian history when it comes to cybersecurity. And the one parting thought I have here is it's really important to be empathetic. Empathy has to be at the heart of everything that we do, and we need to extend that empathy to the people who entrust us with their data, the consumers, the customers. But we also need to extend that empathy to our colleagues in cyber security, who are having a really hard time this month. Burnout is a major issue in cybersecurity. Mental health is a growing issue and we just really need to be conscious.
That when we're trying to get our point across and make it clear why cyber security and good data practices are so important to us, that that doesn't come at the cost of the care and the empathy of other people in our field. Because we do have to tread carefully and make sure that we are conscious of the fact that there's a lot of people out there in our industry are having a really hard time at the moment.

Daniel Hood (36:15)
Yeah, probably from my point of view, just start thinking through how you can bring that diversity of thought into your team and especially where you can leverage new grads or new people who may want to sub out from a preexisting role. Cyber security. Look, it will cost you at the start of training them up and getting them experienced, but look, they can be absolute superstars and it can really save budgets with the enormous cost that cyber security skills is costing at the moment.

Karissa (36:42)
Wonderful. I think both of those points are excellent and a very lovely high note to leave our audience with. So thank you, Dan. Thank you, Elliot. Thanks so much for being patient, for taking us almost an entire year to record this. But I'm super grateful for both of you for having me on the show, sharing your thoughts and your insights for your time today. Thanks very much.

Elliot Dellys (37:03)
My pleasure. Great to chat to you, KB.

Karissa (37:05)
Thanks for tuning in. We hope that you found today's episode useful and you took away a few key points. Don't forget to subscribe to our podcast to get our latest episodes. This podcast is brought to you by Mercsec, the specialists in security search and recruitment solutions. Visit to connect today. If you'd like to find out how KBI can help grow your cyber business, then please head over to KBI Digital. This podcast was brought to you by KBI Media, the voice of Cyber.