Episode Transcript
[00:00:00] Speaker A: Security is not difficult. It's the basic stuff, but it's done well and it's done well every single day. That's the essence of cybersecurity.
[00:00:12] Speaker B: This is KDCAN as a primary target for ransomware campaigns, security and testing and performance risk and compliance.
[00:00:21] Speaker A: You can actually automate that, take that.
[00:00:23] Speaker B: Data and use it.
Joining me today is Adam O'Donnell, CEO from Convergent Systems. And today we're discussing cybersecurity for SMBs. So, Adam, thanks for joining and welcome.
[00:00:39] Speaker A: Thank you very much indeed. Absolute pleasure to be here.
[00:00:42] Speaker B: So, Adam, I want to start with you and your background. Now, I know you've given a lot of talks, presentations, et cetera, about your background. And my audience always loves hearing about people, their cool backgrounds. You've obviously got Special Forces experience. I'm really keen to maybe hear some of your thoughts, your experiences, anything that you've got for me, anything the audience might enjoy learning from.
[00:01:07] Speaker A: Yeah, sure. My career started off like a normal career. I worked for a bank back in the days when the best way of getting money, unauthorized money, out of a bank was a sawn-off shotgun. And we did actually have, I think, one of the West's biggest robberies with 22 million pounds at Altwint, using, should we say, the traditional methods. I then moved from that into networking, IT networking. I then got kind of bored with that and the opportunity presented itself to join a lesser known branch of UK Special Forces, the SAS Reserve. And so while my friends were off having fun at weekends, I was running away the Brecon Beacons with what seemed like a house on my back, and from about 280 of us started and about eleven of us inning. And from that point on, my career was two separate careers in parallel. I would quite literally be doing my work in IT. And then I would get a call from the regiment and they'd be looking for volunteers to go on a deployment. So I was in Bosnia, various parts of Africa, and even night to get a trip to climb Mount Everest. I was part of a successful expedition to climb Mount Everest, Afghanistan. And as a result of a one night stand on Mount Everest that got possibly a bit out of hand, ended up moving to Australia and then did the whole thing over again. So joined the Australian Commando Reserve and Madoff got shot at for Queen in a different country this time, thankfully, with a deplorable degree of accuracy, and found my way into cybersecurity. And what I found was there was a lot of crossover, maybe not of some elements of the skill set, but definitely the mindset and the way we approach problems has really helped.
[00:02:54] Speaker B: You had the opportunity to climb Mount Everest.
[00:02:57] Speaker A: An officer that I did selection with, so went through the whole selection process. He and I deployed Toront to Bosnia together. So we were in Bosnia and he was putting together an expedition, a civilian private expedition. The boss, the colonel of the regiment, heard about it and said, we'll tell you what, open it up to the regiment and I'll fund it. I got the gig of running the IT. I had, obviously, a bit of an IT background. So I was in charge of comms. I was in charge of the website update. So I wrote a blog. At the time, Prince Charles was our patron. And I got an email from Prince Charles at one point telling me how much he enjoyed the blog.
[00:03:35] Speaker B: Wow, that's amazing. So he wrote to you personally to say he enjoyed your blog.
[00:03:40] Speaker A: The blog got blown up, as in the website got blown up a long, long time ago. This was back in 2000. But I kept all the posts and I kept the invitation to Highgrove. We all went after we got back. Prince Charles, or like King Charles, invited us to Highgrove. And so we had about a dozen SAS blokes in Highgrove all trying to individually steal one of its wine glasses because they all had the flirt of laser.
[00:04:06] Speaker B: Sorry, boss, that's incredible. I've done a lot of interviews in my time and I haven't heard that yet, so you're the first. But one of the things I've found over doing this podcast for so long is I've interviewed people like yourself, Special Forces background, military, government, whatever. Then they move more into the cybersecurity world. So is there anything in terms of your experience that's helped shape the way you approach cybersecurity today?
[00:04:35] Speaker A: Yeah, first of all, I think a lot of us get into it.
We're protectors by nature. And I know certainly for myself, I, from a very early age, did not like bullies. I despise bullies. I despise people who oppress others. And I had a natural tendency towards security in some shape, fashion or form. In terms of how we do business, I think the military people I've worked with are very good at breaking a problem down to its constituent parts and solving it, coming up with an approach and communicating it without rambling.
My company, Convergence, we're all ex-military. And so sometimes the meetings can be very, not clipped, but it's to the point, because we're used to talking over low bandwidth or low capacity links, radio links, for example. You have to be very efficient at how you communicate. And so we are also, I think we're very good at planning and contingency planning, the what ifs. And we're also very good at communicating ideas simply and convincingly.
[00:05:40] Speaker B: Okay, so, Adam, you raise a great point in terms of you're all ex-military. I'm a person who likes to get to the point as well. Admittedly, I've never worked in the military, although people probably would describe me as militant in my approach, especially in my interviews. So would you say then, sometimes, from my understanding of dealing with people who are ex-military going into, in your terms, a civilian world, does that rattle people a bit because you are so efficient, you're so direct, you're so to the point, does that rattle everyday people?
[00:06:10] Speaker A: I think some people, what I would call the old school, can be a bit, should we say, less human centric. The people I've worked with, even over the last 20 years, I think, have been. They've had to work with a lot of people in a lot of very different environments. It hasn't been full on war fighting. It's been, say, counterinsurgency. It's been support and influence. It's been tasks that required a high degree of human focus, and you simply cannot do that by pointing your head.
We never point in the military. We always use what we used to call the Brecon hand, that you would use the full hand and point at someone with the hand. You can't do that in the civilian world. It just doesn't work. And so the people that are doing well, the ex-military people who are doing well, are the ones that really get that there is a human dimension to everything.
[00:07:04] Speaker B: Yeah, most definitely. Okay, I want to press on this a little bit more because this is really, really important in terms of communication skills, the approach. Would you say that people that are working in the private sector historically never worked in public sector or military or whatever, do you think that perhaps they over talk points, they're not so direct and to the point. And then as a result of not being direct and to the point, they just lose people. They lose people in terms of getting budget for cybersecurity, they lose people in explaining the benefit of cybersecurity. Do you think there's something with the experience and skill set and the caliber that you bring from your experience by being direct and to the point that maybe you're not convoluted people with your points?
[00:07:48] Speaker A: Absolutely. I remember my first ever run out as a team commander. I was giving what we call a back brief to the boss. So you're given a mission, which is very much, here's the task, here's the purpose. Come back and tell me how you're going to achieve it. And it's a way of achieving alignment. That's a whole different topic. And I came back, I would say, not as prepared as I could have been. And to be brutally honest, I think some of it I was making up as I went along. And he told me, Adam, he was very friendly. Adam, if this doesn't get better in the next three sentences, I'll send you away and you can come back in an hour when you're ready.
And it was a very gentle way of letting me know that I had to raise my game. And so he didn't want to hear well, yes, and he didn't want to hear, well, hopefully that's one word that if you ever use that in a briefing in the military, your credibility disappears. And so I became very good because I had to be very good at understanding my task, understanding my approach, because if you don't understand it, you can't explain it.
[00:08:55] Speaker B: That is a really great point that you raise. And I think I'm just trying to understand the correlation of people in our industry, perhaps where they're going wrong, because maybe if you don't understand what's happening or the task, it's hard to then tell other people what's going on. So would you say that's where maybe some of the gap is? Maybe in the private sector as well, that people are just very focused on, maybe not the task at hand, they're probably focused on other things. And then as a result, people are confused, they don't know what's going on. I think there needs to be more alignment to that task. So what would be your approach with your experience? If someone's listening and they think, well, I'm going off task, how do you sort of get back on the right path?
[00:09:36] Speaker A: So we use this concept called commander's intent, which is a narrative, a story. It's where the boss brings the task alive in a way that you actually get what effect he's trying to have, and what that does, it enables us to use our initiative, because, as the old saying goes, no plan survives contact with the enemy, and we can't keep going back for new instructions. What do I do now? And so on. The commander's intent is a key part of unleashing initiative. And you ask yourself the question, if the boss was here right now and knew nothing except what I know, what would they tell me to do? I've worked in this space quite a bit. I've worked in incident response and I've helped organizations to get ready for the daily camp plan for. And yeah, I would say the majority of organizations, they may have a plan, but it's what I would call shelfware. It's been written to satisfy an audit box, but they haven't actually executed it. They haven't given it a go on what I would call race day conditions. We have this beautiful phrase in the military, the enemy always gets the final vote, or the enemy is the final auditor of your plan.
[00:10:48] Speaker B: Yeah. Okay, look, I think you're so right, and I think that, again, this is what's really important to me, is getting these answers for people. And that's why we're focused now on SMBs. So would you then say from your experience, like, everyone's very focused on the big guys, the enterprise clients? I get that. But then what about the smaller companies, the SMBs, you think? Just like no one is thinking about them, I mean, outside of maybe what you're doing and your company is doing, but I don't hear a lot of that, and I speak to a lot of people in this space. So would you say there's a very massive gap that people just. I don't want to say the words don't care because I think that's a bit full on. But forgotten about, maybe.
[00:11:35] Speaker A: Yeah, I think forgotten about or possibly ignored. Or they're being offered a solution that's potentially either a watered down version of an enterprise grade product, or sometimes the SMBs themselves don't know what they want. They're a difficult, should we say, market segment. They're a difficult market to engage with because they are so diverse. For example, you can generally assume that enterprises, okay, we can debate the level of cyber maturity, there are some large enterprises that are remarkably lacking in cyber maturity, but generally they're increasing, they're getting better. Whereas you can have, in the SMB market, you can have people and organizations who are still using free versions of software or free versions of security products, because that's all they know. They know about firewalls, they know about antiviruses, and that's it. And that just doesn't really work in the cloud.
[00:12:38] Speaker B: I know. And look, you are right. And I think it's just something that people do talk about, but just not often. It's usually the conversations that I have is more at the enterprise level, the larger organizations. So then that brings me to my next point. What do you sort of see are the biggest issues facing SMBs?
[00:12:56] Speaker A: There's a wonderful concept called the availability bias, and I think, a little bit like zebras in a herd, they kind of hope that the predators will pick the other one. I think there's a little bit, there are people who have been the victims of an attack and for them it's all too real. And there's the ones that haven't yet been the victim of a cyber attack.
Some of them are using hope as a method. I would say they struggle with the fact that ironically, people like us make cyber too expensive.
They generally run the smaller end of the market. They have one person, a small team, that is usually responsible for all of it. So not just the cyber, but the running of IT, the maintenance and so on and so forth. Finding expertise at a reasonable cost, very, very difficult.
They know they need to do something, they're just not sure what. They get bombarded by articles and top three things, top five things and so on and so forth.
They know they need to do stuff. They just don't know how far is far enough.
[00:14:08] Speaker B: Yeah, I totally hear what you're saying. Okay, so a couple of things in there. So definitely hear your point around, they're being bombarded by articles, content. How come not many people, and I mean, I look at this stuff all day, so I think I'm pretty well versed to ask this, why aren't people actually focused on this is how you secure more of a small business? Now I understand that's what you're doing with Convergence, but again, that's sort of rare because again, everything is at that bigger end of town. And then I'm just curious as to why that's the case. But then also you said before that things are quite expensive then. So how are companies, I mean even if you want to talk about what Convergence is doing, but it's just more so how are we going to cater for smaller organizations, or else then we're going to constantly be having the same problem, because these smaller companies can't afford some ridiculous overkill product or service that they probably don't need anyway because it might be overkill. So I'm just trying to map this all out because it's something like these smaller companies are still suppliers of large enterprises, so these are part of our ecosystem. So it's in the best interest of enterprises to make sure that they are secure.
[00:15:19] Speaker A: Absolutely. Because we're seeing second, third order organizations, small businesses, being hacked and then island hopping up the food chain. We're seeing that. And so yeah, they are part of the ecosystem. I think enterprises buy things differently. Enterprises tend to buy best of breed. You want a mail filtering system, you go and buy a mail filtering system. You want a firewall, buy a firewall, you want intrusion detection, et cetera, et cetera, you go and buy what's best for your situation. SMBs haven't got that luxury. They haven't got that budget, and they haven't got that.
So I see the future for SMB market being like a suite, a product that's modularized and that they can buy what they need. Like, for example, you need your social media monitors. Cool, we'll do that.
You've got this product. Yes. We can take in feeds from there and so on. What Convergence does, what we're doing, is we've made the call to go purely for the cloud based SMBs. Heading towards 26% of small region business is purely cloud. We recognize that as soon as you start going on premise, then things get a bit more complex. At this point, we're focused purely on cloud. We make it simple. And because cloud is repeatable, it's relatively straightforward for us to onboard new clients because it is repeatable. It's a pattern. So I think those simplified products, designed with, I'm going to say, lower maturity audiences in mind, are the way forward.
[00:17:01] Speaker B: Do you think as well, Adam, that companies out there have tried to maybe approach SMBs, but just their solution is just overkill? Right? So it's like, we don't need this military grade thing that's going to cost $4 billion a year for some company that's only making half a million bucks a year. Do you think there's a lot of that that goes on?
[00:17:18] Speaker A: I think what they do, what we're seeing is effectively paywalling, or we'll give you product light, we'll give you a reduced feature set so that we can justify dropping the price. We'll take out a lot of stuff, and so we'll just give you a watered down version of our products.
I think also you've only got to look at the 365 admin panel when you go to security and privacy and just see it's an absolutely bewildering array of settings. And so even Microsoft have introduced an enforced security defaults button just to make it accessible to the low maturity organizations.
[00:17:58] Speaker B: Great word, bewildering. Why do you think that's the case? I mean, look, I'm a Mac person, and I have been for years, so I haven't seen the back end of 365 in any sort of fidelity. So I'm just curious to know what's going on there.
[00:18:13] Speaker A: It's an incredibly comprehensive ecosystem, environment. And so it is the very nature of the environment. Yes, there are so many settings because it has to be tailorable to so many different applications and uses. So it has to be complex. It has to have those options. The trouble is knowing how they all interact and knowing that if I turn that particular one on, what are the following effects? Like Microsoft. And I'm not targeting Microsoft here. I think I use it regularly.
I'm a Mac/Apple acolyte, but I use Microsoft products.
The whole thing was usable out of the box. And so the security settings originally were pretty low because they wanted it to be usable by work groups. And as time moves on, that didn't work.
There's always this trade off between usability and security, and we're never going to get it right for all possible situations.
[00:19:17] Speaker B: And I was just going to get into that because, look, you're so right. I understand when there's so much stuff going on, there's complexity, which I kind of get from a security point of view. But then if I switch to my consumer hat, it's like this is just too much going on. It's over the top, it's excessive. And then as a result, people can be bothered. They don't turn on 2FA or MFA or whatever because it's like, oh, there's too much rigmarole involved. So do you think because people see, whether it's the admin or the back end of 365 or whatever it is, the rigmarole, therefore they're like, couldn't be bothered, I'm just going to forego this because it's all too hard to understand and it requires a lot more time for me to just access a very rudimentary system?
[00:19:58] Speaker A: Totally. Slight diversion, but many of it. 30 years ago, I rebuilt an old MG sports car down to the very last nut and bolt. Now if I open the bonnet of my car, it basically says, put oil here, put water here and leave the rest alone. And I can imagine for someone whose day job isn't cyber, opening up an admin panel with the task of implementing two factor authentication. I think at one point it was something like 13 different steps you had to go through.
It's quite a task. It's not hard, it's just knowing which steps to do. And if it's not your bread and butter, it is daunting. And so one of the things that our app does is it will actually, using APIs, go into your 365 environment and it will do an assessment based on better practice and identify a number of, for want of a better term, quick wins, easy wins. We notice that you haven't got MFA turned on for these accounts. Swipe here and we'll do it for you. And so what we've done is we've made cyber accessible to people whose day job is not cyber by putting it in easy to understand terms.
If they want to drill into a bit of an explanation, there's an explanation available, but it makes it simple.
[00:21:19] Speaker B: Absolutely. Because, again, as a practitioner myself, I understand the security side of things, but then, as a consumer front, and I like to always look at all angles, it's annoying. I mean, if I'm going to a doctor and they're like, hey, Carissa, there's something wrong with you. Here are the steps you need to follow. This is it. I don't want to hear about the science and the biology and how your bloodstream works, and I don't want to know that. I just want to know there's something wrong. Follow the process, because, again, I'm not a doctor by trade. I probably don't really have an interest in that. The same way that if you're just in a company, you know, you've got to do some security stuff, but they don't want to get into how all the stuff works and the blinky lights and this on that. So I think that this is where I believe the industry has missed the mark of who they're selling this stuff to. Because if you're just ten person company, you want to be able to get it right and secure yourself as best as you can at a reasonable price point. But also, you don't want to know all the ins and outs and the history of cybersecurity. You just want to get on with it.
[00:22:24] Speaker A: Yeah, it's a concept that I call just enough security. And the zebra analogy works here, because there are something like 350,000,000 SMBs in the world. And even looking at the 25, 26% cloud, purely in the cloud, at some point, the idea is to make us all a tough enough target.
Will the threat evolve? Of course it will. And we have to keep evolving as well. But I think we can still evolve at a reasonable, sufficiently advanced pace to at least make it difficult enough that they'll go somewhere else. And end cybercrime? No, of course we won't. Not in our lifetimes. But I do agree with you that, yes, we can make it simple enough. There's a beautiful term. Simplicity is the ultimate sophistication. And we can make it simple enough for someone to understand where they don't have to understand, as I say, the ones and zeros, the difference between TLS 1.2/1.3 and so on.
They can sit back knowing that they've done enough. And that's probably the most. That feeling of reassurance is what I think we deliver.
[00:23:37] Speaker B: Absolutely. So I'm just curious. Now let's look at the other side. So if I'm an enterprise, we mentioned before about, obviously, SMBs are delivering into enterprises. Some of these banks would have 50,000 plus suppliers that they work with that are all different shapes, sizes, levels. So if I'm an enterprise, I now know that, yes, okay, you've got to do third party risk management, all of that. You might have some tool in there doing it. You're not going to completely avoid issues in your supply chain. So what's sort of the impetus now for enterprises that are working with smaller organizations that they need to work with? Because, again, it's an ecosystem. Do you think that there's sort of a push now to be like, we need to help smaller companies secure themselves? Is there any sort of talk around that, or what are your thoughts?
[00:24:24] Speaker A: Absolutely. I think a rising tide should lift all ships. To a certain extent, banks are, if I say part of the problem out there. I mean, there has been a magnetic draw for cyber people to banks because that's where the money is. And so they are an obvious target. And so they are part of the reason why cyber people are so expensive, because there's such a competition for talent.
We've got this draw of cyber talent into these large companies. And as you say, it is an ecosystem. So I think what I know, I was at a presentation a while back by a major bank, and what they've done, I think it's very clever, is rather than giving their staff mandatory security briefs, what they do is they help their staff become their domestic CISO, which I think is a very great step forward. I think rather than just sending your vendors a tick and flick third party risk assessment, I think larger organizations need to provide some level of, rather than just pure audit, like tell us that you're good enough and sign here to say you're good enough, there needs to be a level of consultation and actually going in and helping them identify the gaps and saying, look, you read it, here's the top three things. A mini audit, effectively. In fact, I'll go even further and say that I love to read, I'm a voracious reader. One of the books I was reading a while back was Turn the Ship Around, a military book by Commander David Marquet. It was a story about an underperforming nuclear submarine, which is possibly the most terrifying concept I could think of. And one of the things he talked about was embracing the auditor. And so, rather than regarding the annual audit as an ordeal to be endured, it was something he transformed into a chance to learn. And therein lies a problem, because whenever I do presentations to audiences, I ask a question, what's the biggest insult that you could ever receive in your professional world? And the overwhelming response from the corporate audience is always some variation of incompetent. We don't like to look incompetent. When I speak to military audiences, it is always a variation of jack, as in, I went jack on my mates, I let my mates down.
Incompetence, or looking incompetent, is something that we shy away from massively in the corporate world. It triggers us to thinking we're not good enough. And how do I, then I lose standing, I lose status in my professional career. And that's something I think, at a cultural level, we have to overcome.
[00:27:04] Speaker B: Yes, absolutely. Okay, I want to press on this a little bit more. This is interesting. So you said embracing the auditor. Now, there are words that will trigger people. Audit, compliance, governance. Usually with any of those sort of words, people are triggered. So for people listening, what would be your approach, Adam, from the book you've been reading or you have read, how do you embrace the auditor? Because at the end of the day, and I almost went into it, security auditing, and I didn't, but because I'm very meticulous with things and I'd be a tough auditor. So what I want to know from you is, how do you do that? Because everyone, I wouldn't say they're scared, but an auditor, there's a very large gap between an auditor and then the rest of the company. Right. Because they're not someone that you sort of call up to say, how's it going? It's usually them calling you and you're incompetent. Right?
[00:27:54] Speaker A: Correct. So things possibly have to change on both sides of the equation. I'm going to make the assumption that the person doing the audit has got wide experience. Isn't some work experience kid with an Excel spreadsheet. Tick and flick. Has been around a bit and has seen this done in different places. Generally, if I'm an auditor and I come into your company, I'm going to make the assumption that your cybersecurity person has been doing the best they can with what they've got. There'll be problems, there'll be gaps, there'll be things that they want to do but simply can't, because if they do, something will break. And so whenever I point out, Ad, you haven't got this setting or you haven't got this enabled or this set up, if he was adopting an embrace the auditor approach, he would say, well, yeah, you're right. The reason I haven't done it is this. And I'd be really interested to hear your views on how we could make that better, because here's the challenge. So based on your wide experience seeing this done in other places, how are other people, how are other organizations solving this problem?
[00:28:56] Speaker B: Yeah, see, that's a better approach. But I think when you say it like that, it makes more sense. But I think that, again, what's coming up in my mind is just an auditor with, like, a clipboard. I know this is me, figuratively speaking, but then it's just coldness, perhaps, and it's like, oh, you stuffed up there, Adam. That's what I think people have in their mind when it comes to auditors. It's like there's that gotcha part, even though that might not be the case, but there's that element of I'm really nervous because they're going to highlight and illuminate how incompetent we may be, even though I've tried my hardest.
[00:29:29] Speaker A: Yep, I can't disagree with that. I think it depends very much on your inner view towards how you view yourself and how you view people passing judgment on you. There's another wonderful book I was reading, The Gifts of Imperfection by Brené Brown, and whole different topic of conversation. But this idea that, yes, we do fear the judgment of others, and moving past that, to be comfortable in your own self. I get up every day and I do the best I can with what I've got. I may fail, I may come short, but I will get up and I will try again. And I think that's the Special Forces mindset. The idea that I will open myself up to judgment, and if I'm found wanting, then fine, this is not for me. Otherwise you pass selection. And that willingness to be open to judgment, I think, is critical, because as soon as we start approaching these things, if our culture looks at the audit results and immediately uses them as a mechanism to, should I say, censure or beat up on an executive, now we've failed. We have absolutely failed as leaders. If we instead look at it as an opportunity for, what can this teach us? Maybe we need to invest more than the $500 per person annually that we're currently investing in cyber. Maybe we need to do things differently. I would strongly encourage, if you're a senior executive and you're getting these sort of audit reports, the first thing you have to ask yourself is, what was my role in your mistake?
[00:31:01] Speaker B: Okay, you raised a great point there. Now, you said before, if people are beating up potentially on the executive, so why do people do that? Do they just want to blame someone and sort of deflect the blame onto someone else? And usually it's the executive.
[00:31:12] Speaker A: I think we are a very heavy compliance culture in Australia. We love green, love amber. We cook with a couple because they make the greens look good, but we do not like red boxes.
We love compliance. And I'll quote Alston McGiven, he made the observation along quite a few years ago that security brings compliance, but compliance doesn't bring security.
When you're a manager who's tasked with compliance, any non-compliance is therefore, to put it harshly and bluntly, seen as a failure. If you're punished for or in some way censured for a failure to comply, that will affect your actions, that will affect how you report, it will affect how you see things.
[00:32:02] Speaker B: Why? Okay, I'm really curious about this. Now. Why are we as Australians or as a nation? Why are we so compliant, though? Where does that sort of stem from?
[00:32:10] Speaker A: I have a theory, and I'm more than happy to put it out there because I'd love feedback on it. As a Western nation, without wanting to get into the whole First Peoples debate, as a Western nation, we are 200 years old, plus change, and we got here by Royal Naval ship, and the journey takes about five months. Now, whether you are a criminal being relocated, whether you're a free settler, regardless, you are subject for five months to naval discipline. Everything happens by the bell. Everything happens according to the captain's word, which is quite literally law. And so everything happens to a cadence that is dictated by the captain. Now, that's a cultural induction program if ever I heard one. The first leaders and the first communities were under the control and command of naval officers. Again, they've got a certain way of doing things, especially in those days. They had to, because if you didn't have a strict compliance regime on a ship in those days, a lot of bad things happened. Disease outbreaks, lack of discipline. The ship relies on everyone pulling in the same direction at the same time. And I think I would contend that that's only 200 years ago. That's not a long time. In cultural terms, we learned as a people to comply. We learned to basically follow the rules as they were set down. Yes. I know people will talk about the country larrikin being very different, and I would totally agree. I think there is a huge cultural difference between city Australia and rural Australia. And I think in the cities especially, which is where obviously most large enterprises are, we're very compliance driven.
[00:33:56] Speaker B: Wow. Okay. That is really interesting. And look, again, I know it's a bit of a hard question, but again, it's just your opinion, it's your theories. I love that it's just us having a conversation which people can learn something from. So, okay, I want to press on this a little bit more because this is really interesting for me. Now, you mentioned that obviously you're a very compliant nation. So would you say, if you had to pick one option on who to be, is it best to be non-compliant in terms of the mindset, or more compliant? What would get a better outcome overall if we focus on security? Because, I don't know, maybe places like the United States are less compliant than Australia. What would be better in terms of the mentality to have in order to get a more secure nation, for example? I know it's a bit of a hard question to answer, but I'm just curious to see where your mind goes.
[00:34:46] Speaker A: When you focus simply on a per-control basis, one by one, you get a very poor outcome. When you take a risk-based approach, when you take an asset- and risk-based approach based on a credible threat assessment, and in your treatments for those risks you reference ISM controls or whatever control library you're using, then you get a better outcome.
[00:35:10] Speaker B: Wow, that is so interesting.
Okay, well, thanks for sharing that. So I just want to go back a step now, back to the auditing side of things, because you are an avid reader. Have you read the book Mindset, I think by Dr. Carol Dweck, around the growth mindset? When you fail, the growth mindset people, like you said before in the Special Forces, try again. But the people who probably don't get as far are like, oh, well, I'm just going to give up now.
[00:35:34] Speaker A: So. Yeah, I'm familiar with what she talks about.
[00:35:36] Speaker B: Yeah. Okay. Well, I read it a while ago and I thought it was really interesting. And I think as you were talking, Adam, that's what was coming up in my mind around when an auditor is, in people's words, criticizing you, it gives you an opportunity to go, okay, this is where we're at, but we now have a great opportunity to be better rather than getting upset, which is not that growth mindset.
[00:36:01] Speaker A: Organizational culture is something that absolutely fascinates me. It's one of the things I love about being a startup, especially that effectively, the team is military or ex military. And my friends, we have what I would say is an incredible culture of growth and learning and so on. It's a cultural thing, and people find the cultures suit them. And when we make a mistake, we look to our peers, we look to our tribe.
I call it the Circle of Sacrifice. The team that we're in, and we have to give something up to be part of a team. But we look to that team for how failure is handled here. And if everyone kind of takes a step backwards and goes, oh, dear, then we very quickly learn that either failure is not to be shared and talked about, or it is to be hidden, or it's to be excused by, well, I wasn't totally responsible, there was someone else involved as well. It is very rare, I would say, in most organizations, for someone to hold their hand up and say, you know what? I stuffed up, mea culpa. That one was on me. I've done it once. I've actually done it quite a few times. And I just said, you know what? I put my hand up, and the next day I tendered my resignation, and the boss said, well, I'd rather you didn't do that again. But I finally found someone who's willing to, A, take a risk to make progress and, B, own their stuff-ups. So you're going nowhere, sunshine.
[00:37:30] Speaker B: My goodness. Okay, that's pretty wild, but at least you're honest about it. And, look, I think that's the challenge, and if I focus it now back on to SMBs, I've spoken to many people that, you know, work in cybersecurity, and they're involved in some type of security related incident or some type of scam, phishing scam, whatever it is, phishing email. And I think they feel afraid to, like, put their hand up and be like, I made a mistake, because they're embarrassed.
[00:38:00] Speaker A: To go back to the Special Forces analogy, or the world of Special Forces, we have a concept or a philosophy of getting stuff done. It's called Mission Command, and it relies completely on trust. It relies on trust that you will act in the best interest of the tribe in any given situation. But it goes both ways. It relies on the fact that if you get it wrong, and you have acted with the best of intent but it goes wrong, then I, as your boss, will back you 100%. And so it's a two-way relationship. And I think a lot of managers forget that. They forget that mistakes will happen. You want people to take risks and try things and use their initiative. I guarantee you it will go wrong.
If I'm going to stick my neck out and have a crack and use my initiative, I want to know that if it doesn't work out, that you've got my back as my boss.
[00:38:58] Speaker B: Absolutely. And that's not always the case for a lot of people, especially working in larger organizations.
[00:39:04] Speaker A: I've met a lot of people who say they would put their life on the line for me. I'm interested in the managers who have put their career on the line.
[00:39:13] Speaker B: Yeah, look, I think probably not a lot of people can answer that. Right? I think a lot of people don't want to do that.
[00:39:21] Speaker A: I have known managers who will stand their ground, and when people have stuffed up, they have actually gone in to bat for them and said, no, that person acted on my direction, and I gave them that free rein. And so anything that's coming their way is shared with me. And that breeds a tribe that will follow. They will follow you into hell and back because they know that you've got their back.
[00:39:48] Speaker B: Absolutely. We want to be around people like that, and I don't see enough of that, if I'm honest, like working in corporates myself. There wasn't a lot of that going on. I've found, in my experience.
[00:40:01] Speaker A: Yeah. So when you join the military, you are part of a team. You are no longer Adam O'Donnell. You are a rifleman in a new function, and because of that team, it turns your value system on its head. And this idea that you are there to work with your mates, it's a unique mindset. And when you're in that environment, you know that even though you may not like the guy you're working with, you know that if it goes wrong, he's got your back.
[00:40:27] Speaker B: And I love that. And I think it's great to have interviewed you today because it gave a very different perspective to the show and a different dimension as well from your background, your experience, and you've sort of brought that forward into the work that you're doing today. So is there anything, Adam, you'd like to leave our audience with in terms of closing comments or final thoughts?
[00:40:49] Speaker A: Security is not difficult, I think, especially if you're a small-to-medium business or if you're servicing small-to-medium business.
One of the misconceptions about the SAS, and Special Forces in general, is that it's supermen leaping buildings in a single bound and underwater knife fighting, et cetera, et cetera, et cetera. It's not. It's doing the basics well and consistently. Cybersecurity, it's a lot of basic stuff.
Multifactor authentication, backups, it's the basic stuff, but it's done well, and it's done well every single day.
That's the essence of cybersecurity. Just because it's simple doesn't mean it's easy. And so get help. One of the things I will say is that what Convergent is doing, we're looking to make it easy and to make it accessible. But I think those vessels apply to anyone in security.
[00:41:47] Speaker B: Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today.
This is KBCAT, the voice of cyber.