Episode 191 Deep Dive: Fabian Partigliani | Breaking it Down into Buckets: Simplifying Cybersecurity for Boards
First Aired: July 05, 2023

In this episode of KBKast, we are joined by cybersecurity expert Fabian Partigliani. KB and Fabian dive into the world of cybersecurity risk management and how to effectively communicate these risks to the board of a business. Throughout the episode, KB and Fabian stress the importance of making cybersecurity information easy for the board to understand, identifying critical issues, and considering the right level of investment in cybersecurity. The conversation concludes with Fabian sharing insights on how to approach the topic when presenting to a board and the importance of justifying security investments and scrutinizing team performance.

Fabian Partigliani is an experienced Global CEO and Chair/Director, with multi-sector experience in tech, agritech, manufacturing, and fast-moving consumer goods. Fabian has worked across all types of organizations, from blue-chip listed companies to public sector not-for-profits and start-ups. Fabian has always been passionate about helping people and businesses scale to fulfill their potential. Currently, Fabian is the CEO of RedShield Security, an enterprise web application security solution operating in North America, Europe, and Asia Pacific, and Chairman of plant-based food company Smartfoods.

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

KB [00:00:26]: Joining me today is Fabian Partigliani, CEO from RedShield. And today, we're speaking about how companies and boards can make cybersecurity part of what everyone talks about. So, Fabian, thanks for joining. It's wonderful to have you on the show today. Hi, Karissa. Very grateful for having me here. Thank you. Thank you. So, Fabian, I really wanna begin with your point of view because you don't historically come from a cybersecurity background. So it's really imperative for me to get people on the show with your sort of pedigree to be able to, you know, challenge the status quo and provide a different lens on the space on, you know, where we are sort of going wrong, where we can improve. So I wanna sort of start with: what do you believe board members are missing from a cyber perspective?

Fabian Partigliani [00:01:08]: Yeah. Great question to start with, Karissa. You know, one of the benefits I had, which you touched on, is I'm a relative newcomer to security, so I have an outsider's perspective, particularly from a C-suite or a board level view. In fact, I still sit on a couple of boards and, of course, the CIO reports to one. So in my view, what board members are missing from a cybersecurity perspective is an ability to understand cyber for what it is for the vast majority of companies.

KB [00:01:32]: And that is it's just another business risk. Yeah. Okay. So I just wanna press it a little bit more. So why is it that boards don't see cyber as a business risk? And I guess, would you say that people overcomplicate cyber to their boards?

Fabian Partigliani [00:01:48]: There's a few reasons for this. I mean, one of them, and this may sound strange, is that it's a relatively new risk for boards. You know, I know security teams have been dealing with cyber for a long time. But from a board view, you just need to look at the Australian federal government's response to cyber in the last 3 years.
You know that cybersecurity act in 2020 was passed and sets out obligations for companies to make sure they've got appropriate security measures in place to protect their systems and data from cyber threats. You've seen the Australian cybersecurity agency established, which is responsible for the Australian government's cybersecurity efforts and providing help and support to both private and public companies. And then wrapping all this is the National Cybersecurity Strategy, which sets out how Australia's gonna deal with cyber in the next 10 years. And that's all happened in the last 3 years. So, definitely, there's a change in landscape for the board. I think the interesting implication, and I'm sure we'll talk a little bit more about health and safety, the implication here is that this legislation and what it means for personal liability is that individuals who are responsible for the security of the organization may be held personally liable for breaches that occurred due to negligence. So as I said, we're most likely to talk about health and safety because there's a strong parallel there. So firstly, it's a relatively new risk for boards. And secondly, and I see this every day when I'm talking to CISOs and security teams, I see it in North America, I see it here in Australia and in New Zealand: the default language is technology, not risk, which means it can be difficult for boards to engage if they don't understand what you're talking about. And here's a personal anecdote. I was sitting on a board. There was a board member who was new to security. The CISO and the CIO came in, probably 20, 25 pages, beautiful PowerPoint presentation. They took 27 of the 30 minutes allocated to the board slot and threw every acronym they could at the board. You know, you had NIST, you had PCI, you had an MDM, Science, you name it, DTT, everything was in there.
And at the end, you know, no board member was going to ask because they really didn't understand what was going on. And we got to board-only time, and the board turned around and said to me, well, we're safe, Fabian? I also said, no. We're not. We most probably already had a breach. And if it's not, then it's just a question of when we're going to have one. And from that moment onwards, started the process of how do we transform the culture of the organization to really understand cyber, understand what the risks are, and therefore, what's the right level of investment for the company to reduce risk.

KB [00:04:38]: Yeah. Okay. Definitely that question on are we safe? And I guess it's a bit more of a complicated and complex answer when people ask that. And I kind of understand it because there is this massive disconnect between boards who are ultimately responsible for the well-being of their customers and their organization. It's very easy to sort of ask that question, which does require a sort of a longer answer. But when you said before on the acronyms, so why do people sort of get to that stage? Is it because it's habitual for them so they don't know any different? Is it because they're trying to sound smarter than perhaps, you know, they are smart people. But is it more that, or is it more so they're not even aware of what they're doing? And they just assume that people sitting in that room understand all these acronyms and terms mean.

Fabian Partigliani [00:05:18]: Yeah. I definitely think that's part of it, Karissa. A lot of the time, people expect boards to know everything there is about all parts of the business, particularly their part of the business. But the board meetings are short. They're concentrated. They have a lot of decisions and a lot of risks to deal with. And as I said, cyber is just one other risk that they've got to get their heads around and decide.
Have they got the right level of support and investment to make sure that cyber doesn't get in the way of what they're trying to achieve with that business? So definitely, I think that's part of it. And look, my advice is speak to the board so that they can understand you. And by doing that, don't use technology as a starting point. Speak their risk language. And, you know, this is fast changing. You know, a couple of high profile breaches we saw in Australia last year means the conversation is changing very, very quickly. And I'm noticing a lot more that directors are talking about resilience. Yeah. And I know it's a bit of a buzzword, but resilience, when it's followed up with detect, respond, recover, and starting to notice that language means that the organization is on a good track. So I'm definitely seeing a change here. I definitely agree. Don't assume the board understands your world as well as you do. Keep it simple,

KB [00:06:25]: highlight the risk, highlight what you're going to do about it to reduce that risk. Okay. So there's a couple of things in there. So I'll press on a little bit more. You said use a risk language. What's an example of a risk language? Like, how do people communicate that?

Fabian Partigliani [00:06:41]: So if you think of your classic risk: business, operational, legal or reputation, break it down into those buckets for the board. So the first one is, is this gonna stop us from doing our primary directive as a business, whether it's making products, whether it's offering services? What is the risk? What does it mean to the operations of the business? Two, is it gonna cost us money? You know, what is the impact? Is it going to require us to pay ransomware? Is it gonna require us to be down, and therefore, the systems are not gonna support us from doing what we do every day? What is the impact legally?
Are we legally responsible, you know, thinking about financial services or health care where there's extra legislation in place and requirements or PCI, are we going to have problems around those areas of risk? And what does that mean for us as an organization?

KB [00:07:32]: And just pressing a little bit more, you said keep it simple. Now for some reason in our space, people tend to not do this. So from your point of view, coming as an outsider into our space, what would be your advice for people to just keep it simple? You mentioned before around, you know, 27 minutes of all these acronyms, like, that's obviously very convoluted and very complex. How would you recommend people, if they are doing this, what changes can they make to be in line with more of your theory of keeping it simple?

Fabian Partigliani [00:07:59]: Yeah. Sure. I think the first thing is, as I said, start with risk language. We talked about those risks just a second ago, but give context. You know? So rather than come and say, here's all the fantastic technology that we're deploying, and this is going to reduce risk, it's what are the critical systems and processes and data that our business relies on? Give them that context. Now this one question allows them to zoom in on the impact if something should go wrong, and that's what you want. There's a real danger that you wanna tell them about everything that you do and show them all the risk. And I would say as tempting as that is, don't go down that path. It's much better to focus them on the main risk, not all the risk. And then bring it to life for them. So what are the likely threat actors? What are the methods of attack they're gonna use? Again, think likelihood and impact. You know, if it's DDoS, does that mean we're gonna have an availability problem? Which means your customers can't get on the website to order products or have services. What is it that is going to stop the business from being successful?
Keep it simple, but link it to the actual strategy of the business to reduce that risk. So what is the cybersecurity strategy? What are the objectives? That's the time to get them to understand that. It's way too dynamic and ever changing. You know, one of the facts that I use, and it's very application security centric, is that there are 2 billion apps in the world and 27 million software developers. And with hundreds of new software vulnerabilities being discovered each week, this can feel overwhelming. So, yes, by all means, give that context, but most of the breaches are coming from vulnerabilities that are known. And if you focus and prioritize those vulnerabilities, you're gonna seriously change your risk profile. So if you can walk the board through that, give them the context, show them where you want to invest and what that will do to reduce the risk, I think that's gonna make a huge impact and start helping the board embrace the challenges, which are significant in security, that you face every day.

KB [00:10:08]: I like the part where you mentioned the context. So for example, in my field of work, I'm in media. If we're shooting something, for example, we'll say, hey. We need to record it this way, and people are like, okay. Well, why? Then I give the context, and it makes a little bit more sense rather than just saying, hey. We need to do it this way and complicate things. I always try to lead with that so people understand why I'm doing it a certain way, why it makes sense, because I am walking them through the process, the context, and providing sort of examples around it. I think for some reason in our space, people just dive headfirst, and then they don't give that context. And then they're probably almost annoyed that people don't get their train of thought. Have you seen that a lot?

Fabian Partigliani [00:10:51]: I agree. And it's just about putting yourself in the shoes of your audience. Right?
It's as simple as that. If you understand what a board does, that's a good start. If you understand the way a board meeting works, again, all good context. You would never go in, in the example I gave before, you would never go in and, you know, speak at them for 27 minutes and ask for any questions at 3 minutes if you want engagement. It just doesn't work. And there's almost a belief that if you keep it too simple, then you're not really putting forward how difficult the challenge is. And it's really the opposite. If you keep it simple, you'll get understanding. If you get understanding, you've got a good chance of getting buy-in. And so, really, you know, it sounds very, very simple, but you'd be surprised at how many conversations I'm having with directors, and not only boards, but C-suite, CEOs, CFOs, people that don't have cyber on their mind morning and night. And that context piece, keeping it simple, is really the key to getting engagement.

KB [00:11:53]: Absolutely. And, you know, it's not their role; I get that, yes, they're responsible for it. But, hey, if they're a CFO, they've got other things on: okay, well, I've gotta look at how many people are on the payroll each month and who we owe money to. Who owes us money? They're thinking of other things then as well. So you can't really expect people to be super absorbed, and that's the benefit of having a CISO at the board to be able to educate the board on how it works by providing the context and keeping it simple, to what you sort of mentioned before. So then let's go back to keeping it simple. You said before, maybe people don't know how a board works. You've got board experience. How does it work? Well, the board is there to provide oversight to make sure that the company's got all the right resources. It's got a clear strategy. It's got access to capital so they can invest in building factories

Fabian Partigliani [00:12:42]: or buying IT systems.
It's gotta make sure that all the right resources are in place for the company to be successful. Now part of that is asking yourself the question, which is what can stop the company from being successful, and then you get into risk. And that's predominantly a big chunk of what the board does. It looks at all the risks, makes sure that it prioritizes those risks, and makes sure that it can minimize the impact of any of them. And, literally, if you've looked at a risk register that a board looks at, it's huge. You know? It has every type of risk that can stop the company from being successful. But like cyber risk, it's a case of prioritizing and understanding what's the context, what's the likelihood, where should I invest to reduce the risk of that impacting my business. And you're only gonna put money and resources where the most important, serious risks lie. And if you understand that and you understand that you're competing for resources with health and safety, with exchange rates, with any kind of operational risk, if you can understand that and go in and provide the board a simple way to say, hey. My risk is here, but if I invest this amount of money, it's gonna reduce down to this level. Then you're gonna be successful. And boards are engaged with cyber. We talked about the changes in the Australian landscape over the last 3 years. They want to know, and it is changing fast. So it's never been a better moment for security teams to present what they do and how they do it and what they wanna do to keep the organization doing what it does best, which is not necessarily security. And that's the thing. We're gonna make sure that security doesn't stop the business

KB [00:14:21]: from doing its primary directive, whether it be a service, whether making products. That's the balance we're trying to achieve. Okay. So I just wanna sort of touch on this a little bit more.
And then so you can elaborate more around your thinking, and that's in relation to boards don't look at cyber as a business risk in relation to how they view other business risks, for example. So would you say, first of all, I wanna understand a little bit more about that. Because then I'm curious on, when the cyber risks come up on the risk register, one, are they even on the risk register? And two, are they just being deprioritized simply because someone can't explain the context? No one understands it. And therefore, what do people usually do when they don't understand something? They ignore it. It's not so much that boards don't look at cyber as a business risk. But if you want effective engagement,

Fabian Partigliani [00:15:10]: don't engage them on technology as a starting point. I think that's the key point. Speak their risk language. The industry itself is not really helping. So if you have a look at all the overreach of marketing messages. And in fact, I was at RSA a couple of weeks ago in San Francisco. I was just walking the floor, and the messages coming at you: don't worry. Take this magic tool, this magic technology, and you'll be safe. That doesn't help. I mean, it's almost like a cyber-wash equivalent of greenwashing. And, therefore, if you're translating that to boards and not having honest conversations around the likelihood of breaches and that, you know, most companies are gonna be breached at some stage in the future, and focusing their ability to understand that you're trying to build resilience so that when things happen, you can move quickly to contain and recover and get the business back on an even keel, that's the balancing act that I would say you'd be striving for. You raised a great example that I wanted to ask you about in today's interview. And the example was, you mentioned the construction worker falling through the floor, and then how that example relates to how businesses should view cyber risk.
I'm really keen to understand more about that construction worker story. Yeah. Let me stitch that together for you. So the parallel's back to health and safety, which I touched on before, which I think is a really appropriate and helpful comparison, particularly in Australia. So I was running a large company at the time. We just achieved, I think it was 5 ISO standards. Quality, environment, food safety. I think it was 18001 for health and safety. So we're very happy with ourselves. We kind of identified that health and safety needed to be "fixed". And I say that with inverted commas because that's the parallel with cyber. We're gonna fix certain. We did all the standard operating procedures, and we're feeling pretty happy that, you know, the ISO accreditation reflected that we'd fixed health and safety. And then about a month or 2 later, we had a contractor fall through a false ceiling at one of our sites, which is a really serious accident. And, unfortunately, they recovered. You know, we went back and did a root cause analysis and it came out that, yes, there were SOPs, but they weren't followed the right way. And I think what that brought home to me at the time was there's something very different about having standardized processes and writing them down and then having a culture which embraces them. And that's the parallel that I believe we have with cybersecurity. And it took us about 5 years, Karissa, for that culture, that health and safety culture, to really bed in, led from the top, all the leaders in the business, making sure that health and safety was part of their everyday thinking when they're in high risk areas. And the connection I make, and particularly with the companies that we're working with, is the difference between a company that looks at a program versus a project.
So the project is the equivalent of, we'll fix cyber, and we'll come in, and we'll do all these things and put all these controls in and we'll be fixed. Whereas the companies that we work best with are the ones that look at it from a continual program basis where they're finding vulnerabilities, they're fixing vulnerabilities, they're managing, they're monitoring vulnerabilities. And to be able to do that and not disrupt the business, you need mature organizational processes and a culture. A culture that makes security part of what you do, not this thing on the side that sometimes gets in the way. So that when things go wrong, you know, security issues are quickly resolved without it compromising security. So that's the analogy. And it's interesting to see in Australia how health and safety and legislation played a real role in improving health and safety outcomes and what that means now for cyber. And I think, as I said before, the time's really good now for security teams to be able to engage senior executives at C-suite, engage boards, and help them really understand the challenges that we face because they are significant, but like any risk, you can prioritize, you can focus,

KB [00:19:06]: and you can really reduce risk to a level that makes sense for the business to invest in. So going back to your example on the health and safety with the worker. Do you think it's a little bit easier for people to relate to because you can physically see someone being injured versus, fortunately or unfortunately, in cyber, it's something not, like, tangible. You can't necessarily see it. So, for example, if you're spending, arbitrary number, a million dollars a year in cybersecurity, and then nothing happens. That's a great outcome.
And so do you think that maybe people feel a bit more removed from understanding the impacts because it's very different when someone falls through a floor and they get injured versus, oh, like, you know, someone's externally, like, attacking our organization or someone stole money out of your account? Like, maybe that's a little bit more like, people can relate to it. But is it more so that people struggle because they can't see it or they can't touch it? And so, therefore, there's this

Fabian Partigliani [00:20:06]: dissonance between the two. Yeah. Look. I definitely think it's a combination, but I do agree with you. Health and safety is a lot easier because you can walk along a floor and go, oh, that's slippery. I can fall over and do myself some damage. It's easy to get your head around. There's not much technical language that can get in the way of you understanding that. So then it comes back to how do we reduce some of the complexity that we have in IT and security, make it digestible, make it as easy as explaining what I just explained with the slippery floor. That's the challenge, and it can be done because, you see, I'm fortunate enough to work with lots of really good companies that are able to transact that language and also show what you can do to reduce risk. And I would really encourage everybody to be super focused on that return on investment, or return on mitigation even better, to show when I invest money, this is what happens to risk. If we have that mindset, I think we're gonna get a better outcome as an industry as well. Because if you look at the industry, we're spending more and more money on security, but we're not getting fewer breaches. It's going the other way. So there's a lot of security that is not being successfully measured to actually say this is working or this is not working.
And that's certainly going back to what you said to me before, which is, you know, what are your observations coming in from outside of security? That for me was really quite telling when I looked at it: there didn't seem to be the same level of scrutiny from a return on investment point of view for security measures as there is for many other parts of the business, whether it be marketing investment, finance investment, manufacturing investment. Security seems, because it's difficult to get your head around, to your point, it seems to escape that ability to be scrutinized. But that's gonna change because we just can't keep spending more and more money to get poor results as an industry. We've gotta get better at that. And I certainly encourage every security practitioner to make that a priority to make sure they're justifying their investment. If not, you're wasting the company's money and you're not scrutinizing your own team's performance to actually reduce risk.

KB [00:22:18]: So just on the scrutiny part, so are you saying that people aren't sort of looking into it as much as opposed to, like you said, marketing or whatever because they don't understand it? So, therefore, they're probably spending a lot more money on cybersecurity.

Fabian Partigliani [00:22:31]: There's a lack of understanding, and I see it from outside the security teams' or the IT team's perspective, which is, oh, look. There's a risk. We've got to invest money. It's very difficult for me to understand what they're doing. I'll just give them more money so that I've discharged my responsibility for the company to say it's got enough money to do security. So that's the worst case. The best case is we understand risk, we've prioritized risk. We've invested this amount of money and we've got these results, which means we're confident to keep investing because it's working. And if it's not working, we don't wanna continue.
So I think between those two extremes is where the vast majority of companies lie, and we've gotta move people towards that: here's what I'm doing to reduce risk. I'm measuring it, and I'm reporting against it rather than just reporting, you know, big numbers. Here's the return. Here's how risk has been reduced. Here's what we've prevented. Here's how we've taken care of operational risks, financial risks, reputation risk. I think that's where the industry needs to get a lot tighter. So in terms of, like, a barometer, what I'm curious to know from you, Fabian, is you go into a board.

KB [00:23:39]: Is there anything that's sort of, from your perspective, like words that resonate more, or examples or context that resonates more with boards? So my example would be when I'm talking about content marketing to people, there are certain things that I know resonate more than perhaps other things in the field of work that I do. Is there anything that you've sort of noticed that people start to really listen when you say a certain thing? Because maybe from a security point of view, people think that the thing in their mind that may resonate with their board or their audience just in fact doesn't. And because you've come in from this different lens, there may be something that people can take away on things that are working for you. We talked about legislation.

Fabian Partigliani [00:24:21]: Going back to the parallel with health and safety. Now, with the latest cyber legislation, that directors may be held personally responsible or liable for breaches that occurred during negligence means you're gonna get high levels of engagement. So I think that's, again, the good news from an Australian perspective for security teams. Then it's back to make it simple for the board to understand. Don't assume that they've got a good understanding of everything that you have. Break it down for them.
What are the critical things that stop us from doing our bread and butter activities, whether it's selling products, as I said, or providing services? What's gonna stop us? And how do we make sure that that doesn't happen? And what's the right level of investment? Because sometimes, you know, if you can outsource risk to cyber insurance, fantastic, but we all know that's getting harder and harder and more expensive. But there may be a point where the cost outweighs the risk, and therefore, risk acceptance is okay, but you really wanna have that visibility and scrutiny. And you gotta present that case so it's easy for them to get their heads around. But, you know, going back to those key principles, make sure the investment is scrutinized and there's a return one way or the other, those principles will always mean you're gonna get good engagement from the board and your C-suite. And remember, the board signs off the company's objectives and then budgets, but, really, your first gatekeepers are your CEO, your CFO, those teams, the CIO. You've gotta get those guys understanding what you're doing and why you're doing it. And if you can do that, you're in good shape, I think, for boards as well. So I'm curious to know. I mean, I've been in the space, what,

KB [00:26:00]: 10 years now, and people, even 10 years ago, were saying, oh, the language and how we speak to our boards, I mean, and now 10 years on, you're sort of saying the same thing. Do you think in another 10 years you and I are gonna have the same conversation? And I get that things, though, it's not a flick of a switch like we're on now, and everyone's gonna understand and learn. I get that it's gonna take time, but we still seem to be having the same problem even the last 20 or so years. Do you envision in the next few years it will get better in terms of how we are engaging our board, how we're communicating to our board? Because, like, I have seen the needle move, but obviously just not enough.
So how, like, is it gonna be 50 years before everyone sort of gets the hang of it? I definitely think Australia is an interesting

Fabian Partigliani [00:26:47]: case in point because legislation, you know, I'm looking at all the different markets around the world, and you're looking at, you know, carrot versus stick. And health and safety went down stick and had some pretty good outcomes. And Australia is now following that path with cybersecurity. So I feel confident that we're not gonna be talking about this in 10 years' time in the same way. I feel that there's gonna be a real shift. Now I don't know if that's gonna be in 2 years or 5 years, but we're on a path now where this is part of every day for boards. There's no board in Australia that doesn't have cyber on its risk register. There's absolutely no way that that's the case. It's now really up to the security teams to make sure they understand what that risk looks like and make sure they've got the appropriate level of investment to make sure the business can do what it does best. And for that reason and, you know, overlaid with legislation and all the pieces that the federal government's responded to, coupled with the high profile breaches that we saw in some of the biggest names in, you know, Australian brands last year, I think it's gonna be different. I'm very optimistic. And that comes with the challenge. And I think that the security teams really need to embrace that they can engage the C-suite and boards in a different way, and break it down, keep it simple. It doesn't mean you sound like you're too basic when you reduce it to something easy to understand and digest.

KB [00:28:16]: Do you think that some people think that they sound basic?

Fabian Partigliani [00:28:19]: I definitely have come across that before. Oh, we don't wanna say that because we sound too simplistic. Absolutely not the case.
As I said, the board's got a lot to get through. It's got a lot of business and a lot of key areas that it needs to make decisions on during a board meeting. Keeping it simple gives you the best possible chance that they understand what you're doing and how you're doing it and what you wanna do to help the business be successful. You can never oversimplify it. I think that will never ever come back to bite you. It will only help you get better buy in. So I, you know, really encourage teams to embrace that. I think 1 of the challenges we have is that in security, we're coming across some really hard challenges. You know, the odds are stacked against us in terms of cyber criminals. They just need 1 area, 1 vulnerability, 1 weakness, to be successful, whereas we need to be right all the time. So it does mean we've got really smart people in the industry. It does mean that we're solving complex problems, but the reality is the board needs to be able to understand that. And talking to them in the default language of technology is gonna make it really hard for them. You're much better to talk their language, which is risk, and keep it simple would be my bias.

KB [00:29:18]: And then I just wanna sort of zoom out now for a moment. Obviously, most of our discussion has been very focused on boards and c suites, but what about sort of, like, broader businesses or the broader community for people to make cyber part of what everyone thinks about? Is there any sort of recommendations you'd like to leave our audience with today, Fabian?

Fabian Partigliani [00:29:51]: I would say the same principles apply. I was thinking about it on the weekend because, you know, a lot of friends and family: what do you think we should do? And, you know, I think the same principles apply. You know? I'll give you an example. You know, I was with some friends having drinks on Sunday, and this topic came up, and they said, oh, tell us what to do.
And I was going, you know what? Make yourself a hard target for cyber criminals. Don't let them steal from you. Let them go elsewhere. And to do that, focus on where your risks are. And I said, who's got the same password for 1 or more of their apps? And, of course, everyone has. And I said, well, don't. If you wanna make yourself a harder target, make it hard for them and make the password as long as you can. And then, you know, so on and so forth, you could introduce MFA. And if you wanna keep it going, you could put a diary reminder every 6 months to change your most sensitive passwords, etcetera, etcetera, etcetera. So the same principles apply. I think there's also a leadership piece as well, which is if the security team can get the CIO, the CTO, the CFO engaged in this, they'll have natural champions. And, of course, the CEO, they'll have natural champions. And if you've got those members of the c suite on board, understanding what you're doing, they'll become champions because nobody wants to compromise what the business is doing for its primary directive, whether it's selling products or services. That's the nightmare for the c suite team. It's a nightmare for the board, but it's also a nightmare for the people running the business. So if you can explain to them, engage them, they want to know because cybersecurity is really important. It's, you know, just think of how technology has transformed all parts of our lives and in our business, our working environment. It's just gonna keep getting more and more scrutiny. So I think, as I said, I'm really optimistic because we've got attention now through legislation. We've got high profile breaches, which has meant that cybersecurity is on everybody's lips.

KB [00:31:46]: Well, I think that's excellent because some of these things are not easy to do. I totally understand that.
But, again, it's getting people like yourself on the show to share your insights and your thoughts, the intent that people take your insights, and they can start implementing them straight away in their organization. And I understand that things do take time, but I'd like to hopefully say that it's not gonna be another 10 years before we start to really see the needle shift. And I would even say even in the last 5 years, I've seen the the taken. Also, the line of questioning, even coming from, like, general everyday people that aren't even in the space, to start asking the right questions. So, hopefully, we are now on the right track, and we'll start to accelerate faster towards that. So, Fabian, really appreciate your time. I've that you've given quite specific examples about how this applies to boards and to c suites as well. So so much for your time, and thanks for coming on the show.

Oh, it's been an absolute pleasure. I really enjoyed our chat, and, yeah, all the best. Thank you.