October 18, 2023

00:44:41

Episode 218 Deep Dive: Annie Haggar | Putting Together A Complex and Evolving Jigsaw Puzzle: A Discussion on the Intersection of Cyber and the Law

KBKAST

Show Notes

In this episode, we dive deep into the intersection of cybersecurity and the legal world, as Annie Haggar of Cyber GC takes us through the pros and cons of additional barriers to entry in the industry, the impact of regulation on quality assurance, diversity, and the existing skills gap. Annie also discusses how businesses can navigate and strategise in terms of compliance with industry-specific legislation, and how governments can strike a balance between effective regulation and reasonable costs for compliance.

Annie is the founder and principal of Cyber GC – a legal and consulting practice dedicated to helping Australian businesses prepare for and fight cyberattacks. Annie is a multi-award-winning cybersecurity lawyer and was recently awarded General Counsel of the Year (Australian Law Awards – Lawyers Weekly – 2021).

She brings to Cyber GC the experience gained in 20 years as a technology lawyer, 12 years working for one of the largest technology companies in the world and 6 years as global legal counsel for Accenture Security, one of the largest security companies in the world. She specialises in advising on enterprise security risk, cyber regulation, procurement risk management, and the impact on the whole organisation of cybersecurity issues.

Based in Canberra, Australia, she lives with her two little girls (3 and 5), husband Tony and fur baby, Scout the Jack Russell-Foxy cross. Outside of work and volunteering, you will find her tending to her bees, cooking Ottolenghi, tending her veggie patch and sewing, quilting, knitting and crafting.


Episode Transcript

[00:00:00] Speaker A: In cybersecurity, I think it's a much more difficult task to say this is the minimum level of skills or qualifications you need to practice as a cybersecurity professional because the breadth of skills and inputs that we need is so wide. [00:00:16] Speaker B: This is KBKast as a primary target. [00:00:20] Speaker A: For ransomware campaigns, security and testing and. [00:00:23] Speaker B: Performance and scalability, risk and compliance. [00:00:25] Speaker A: We can actually automate that, take that data and use it. [00:00:31] Speaker B: Joining me today is Annie Haggar, principal from Cyber GC. And today we're discussing the complexity of the legal environment. So, Annie, thanks for joining and welcome. [00:00:41] Speaker A: Thanks for having me, Karissa. It's really great to be on. [00:00:44] Speaker B: So I really want to start with a little bit of a lay of the land. What is happening in the legal world? I am not a lawyer, but you're sort of bringing this intersection between the cyber world and the legal world. So I'm keen to know more. [00:00:57] Speaker A: That's right. I specialise in cybersecurity law in Australia, but also globally. And when you say, what's happening in the legal world, Karissa, that is a big question, because the legal world is complex, as everybody knows. That's why we still have lawyers. We need people to help decipher it. So there's a couple of big areas in the legal world that, as they change and shift, impact on what the law is in Australia. So those big areas are legislation and regulation, what's happening in the courts, what's happening with regulators, and also what's just happening in the market, in the commercial world, because that actually also does impact on what's happening in the legal space. 
We might talk about some of the changes that are happening in each of those sections because there's some big things happening across the board. On the legislation and regulation side, there's been a lot of things happening over the last few years, and they will continue to change because regulation really never is set in stone. It has to continue to evolve as the world around us changes. I think of regulation and legislation a bit like a jigsaw puzzle, but helpfully, it's one of those jigsaw puzzles where you've lost the box and the picture and where you're not sure if you have all the pieces. And in fact, maybe you've got some pieces thrown in there from other jigsaw puzzles, and it's really hard to work out how to put the puzzle together. So that's because in Australia, we've got numerous pieces of legislation that impact on the world of cybersecurity. The biggest one is probably the Privacy Act, and that is currently undergoing a review that was started in 2019. There was a major report issued in February this year, and that contained 116 proposals for the reform of the Privacy Act. But it also said, hey, we actually have more review we need to do because there's some areas of this we still haven't got to the bottom of. So the process of actually finishing that review will involve public submissions, further investigation, and then a whole process to go through the drafting of the changes to the law. So we won't likely see the next iteration of the Privacy Act come through until about 2024. But note that actually, the Privacy Act, which was brought in for the first time in 1988, has actually been impacted 93 times by changes. So this is not going to be the final change. It's going to continue to evolve. So that's the Privacy Act, and that includes all of the notifiable breaches legislation, which is where you have a breach that involves data covered by the Privacy Act. 
What do you have to do in terms of notifying the Office of the Australian Information Commissioner? So that's the Privacy Act. Then we've got the Security of Critical Infrastructure, or the SOCI Act, which was passed in 2018 and has actually had two major amendments since to introduce the mandatory incident reporting, the mandatory critical infrastructure risk management plan and adoption requirements, and mandatory board reporting. And it also now has expanded across to over eleven sectors of our community who now need to get across legal obligations in there that include reporting time frames, risk management processes, et cetera. Then we've got the Telecommunications Act and the Telecommunications (Interception and Access) Act, which was also updated recently. And that involves how those telecommunication functions have to operate, who can intercept communications, who has the power to do that, who's prohibited from doing it, et cetera. Then on top of that jigsaw puzzle, we've got the Crimes Act, the Criminal Code Act, the Surveillance Devices Act, and the Cybercrime Act, and also other pieces of criminal legislation across each of the different states. We've got the Corporations Act, which involves how companies have to operate, and the responsibilities of directors. And then we've also got legislation that specifically applies to our national security agencies and explains what exclusive powers they have in terms of monitoring, intercepting communications signals, et cetera. Now, that's just Australia. So if you're an Australian-only corporation or organisation, that's a picture of some of the laws that apply to you. If you are a multinational, then you have to apply the jigsaw puzzles of similar kinds of legislation for every single country you operate in. So the complexity of legal regulation and compliance gets really tough as soon as you start operating in more than one jurisdiction. 
And in my previous role, I used to work for a security company that operated in 134 countries all at once. One of my jobs was to be across what was the legislation that impacted on cybersecurity in each of those countries, and how could we operate as a security company without breaking the law, but also helping our clients to comply? So you can imagine the complexity of that. [00:05:48] Speaker B: My goodness. Okay, so you mentioned something before around losing the box and then trying to put the jigsaw puzzle back. That is like the worst, especially like a 1000-piece puzzle. [00:05:59] Speaker A: Right. Where do these pieces go? How do they fit together? [00:06:02] Speaker B: Well, they even look the same when they all look the same. Anyway, those large puzzles do for sure. Even looking at the box is hard, right? [00:06:10] Speaker A: So no wonder if people find it hard to understand what they need to comply with in this space, because there isn't a jigsaw puzzle box picture for this complex picture we've got. And then the fun thing is, at the moment we've also got this proposed Cybersecurity Act. So the Cybersecurity Strategy 2023, which there was, the submissions all came in a few months ago, and the government is looking at what the cybersecurity strategy for Australia is going to look like for 2030. Right, 2023 to 2030. And they've said, hey, should we have a Cybersecurity Act? And maybe we should, but it's not clear from the draft strategy submission discussions whether that would replace some of the things that we have and simplify it, or whether it would simply add another set of jigsaw pieces to the puzzle that we've already got. [00:06:59] Speaker B: Okay, there's a couple of questions here that I really want to get into before we progress. You are right, there's a lot of stuff going on, wrapping your head around it, especially when you get into legal terms. 
Obviously, I've got contracts and stuff for my own company, and it's like drafting them with my contractual lawyer is like, yeah, but what does that mean in normal people speak? So you're obviously a lawyer, you get it a bit more. But for the average person like myself, if I was in a position where it's like, oh, I've got all this legislation I've got to adhere to, especially if I'm a cybersecurity company, there's a lot going on. But you mentioned before, we don't really have a picture of how all these things work. Why don't we have a picture? Why wouldn't we, to make it easier for people to get it? [00:07:38] Speaker A: It's a great question. So that's actually one of the things I do with my clients. I'm a picture person. And so I literally put together slides that go, okay, for your business, you have these jigsaw puzzle pieces in your jigsaw, and this is how they fit together for you. The problem is that every organisation has a slightly different jigsaw puzzle because they are in a different industry. They are incorporated. Maybe they're a corporation or maybe they're not a corporation. That means that maybe the Corporations Act applies or it doesn't. Maybe they're in the telecommunications space, so that act applies. Maybe they're a critical infrastructure provider, so that act applies. So each organisation actually needs to do their own jigsaw puzzle and they need some help, because, as you say, this stuff's complex. It uses a whole other language. And so you can get help to draw your own puzzle for your jigsaw puzzle and to help understand how those pieces fit together for your business so that you know what you have to do. [00:08:37] Speaker B: So would you say, Annie, as well? So I was speaking to a CIO of a utilities company, which we met, SOCI Act. Oh, this is probably around towards the end of last year. 
And I was like, so in your experience, for some of these regional areas, or these people running, like, I don't know, water plants or whatever it is, do you think they understand about the SOCI Act? He's like, 100%. No way. [00:08:54] Speaker A: Yeah. [00:08:55] Speaker B: So how does that look? [00:08:57] Speaker A: Well, it's really tough because they've got their head down just trying to keep the water running and clean and meet their day-to-day operations. And their teams, if they've got an in-house legal team, are excellent at what they need to do to keep the lights on or the water flowing every day in this case. And it's really hard to get your head out of that everyday, crazy busy work that everyone has to go, oh, my goodness. There's a whole new piece of legislation that I have to now comply with. And the government does try to give industry time to catch up. Right. So the SOCI Act came in. It said, you're going to have to do this by this date. It gives you time to understand, get advice, do the preparatory work, but eventually they do have to put a line in the sand that says you have to meet it by this day. And that's coming up. Right. We've got. August is the date for the risk management, the Critical Infrastructure Risk Management Plan, has to be in place. The CIRMP. CIRMP, there's lots of acronyms for it, and then you've got another twelve months to then have it fully implemented, and then there's another deadline beyond that for the board reporting. So they're giving businesses time to get across this. But if you've got your head in the sand, hoping, just trying to keep the lights on every day, you're going to start to fall behind. And that will eventually have consequences, because non-compliance with these legal requirements comes with consequences, that there are fines and there are other impacts on your board directors and your executives that will start to come into play. 
So I hope that people out in the regions are getting some good advice, but if not, they need to get their head up, they need to start understanding what's coming and get some help. [00:10:35] Speaker B: So do you envision that by August all these thousands of people out there will comply, or do you think that. I didn't think so, no. [00:10:46] Speaker A: Look, that would be what the government's hoping. We all know that that's not going to be 100%, but it is going to be. Hopefully the majority of people have understood their obligations and got it across and that there'll be a trickle in for the rest. But compliance does take time. But unfortunately, the government will start to run out of patience, particularly for ones that are critical infrastructure, where if they go down because of a cyber attack, it has serious consequences. Coming back to the water company example, if you think about the Florida water breach a couple of years ago in the US, they had an attack where somebody, the threat actor, had got in and was changing. The chemical balance in the water could have poisoned and made lots, hundreds of thousands of people very, very sick. Thankfully it was caught, but there's serious consequences for cyberattacks on our critical infrastructure that can mean life and death. So whilst you do have to, it is tough to do this compliance, it's there for a really good reason and so you have to get across it. I don't expect 100% will be compliant by the August date, but they're going to need to start doing it, because the consequences if they do suffer a breach will not only be the hideousness that is a breach, anyone who's been through that knows it's awful, but the long tail of that will then include even more serious penalties because they will discover in the breach, wrap up, that you weren't complying with the minimum requirements, and so you will then not only have the cost of the breach, but you'll have the fines and other penalties that will follow. 
[00:12:17] Speaker B: Yeah, look, totally understand. Especially critical infrastructure. Like, it's one thing losing money from a bank. It's another thing people dying because they're drinking contaminated water. So I think I do understand what you're saying. The other thing, from my understanding as well, and you probably know better than me what I've been told from other people in the industry, is like some of these SOCI Acts, it's still pretty broad, though. If I focus on space technology, it's still very broad strokes. So how do people make sense of something that is quite high level and then try to be, in inverted sort of commas, compliant? [00:12:49] Speaker A: Yeah, it's a good question. And it's about putting that jigsaw piece puzzle together and getting that picture for your organisation. So it's really hard to write laws that apply to everybody in a really prescriptive way. But what also happens if you write laws so that it's a checklist is that you do checklist compliance as opposed to really understanding the risk and doing the things that are going to produce the outcome that's needed. So what the government has really tried to do, not only with the SOCI Act, but also if you look at the ISM manual, et cetera, is that instead of being written as a tick, I've got this box covered, they're written in a more principles-based way that says we need you to achieve this outcome. How you get there is up to you as a business, because it will be different for every business, the same way as what your jigsaw puzzle looks like for your business. Depending on which acts apply to you, how you need to comply with things like the SOCI Act will also be different depending on the data you run, the type of critical infrastructure you're running, et cetera. So that's where you need to get some professional help. 
I think there are some excellent people who have stood up businesses specifically dedicated to critical infrastructure, and I've been working with some of them on the legal compliance side. But you can't just write one piece of legislation and have it provide a detailed checklist for everyone. It just doesn't work that way. So every industry covered by that legislation is going to have a different flavour. So it's a good idea to not just look at the SOCI Act, but then to go to your industry areas and see whether they've produced guidance. Have the water industry regulatory bodies produced additional guidance on what that would look like? SOCI Act for water providers, SOCI Act for food and grocery providers, SOCI Act for space. Right? And that's where we, as a cybersecurity community, working with industry, can really add value by layering in the detail with the understanding of what we're trying to get to and the complexity of that industry. [00:14:49] Speaker B: Okay, so let's keep going with the complexity of the industry. And I want to talk more to you about the convergence between cyber and legal. Two worlds combined. A lot of stuff going on, as you've alluded to, a lot of different things that people need to be across, especially if it's not what they know, then they're not a lawyer, they don't understand the terms. It's a different language. There's a lot of obligation timelines. You've got the government on your back, you've got other people that are questioning you about everything. So would you just say generally, in your experience, Annie, people are just getting it right with these two worlds being merged together, or not really? [00:15:23] Speaker A: I think they're playing catch-up, but that's not unusual. The law is actually a space that's always in catch-up mode, because you can't legislate for things that you don't have yet, and people don't want to be over-legislated. 
So people are doing business, we're setting up new services, we're facing new cyber threats. We are, as a community, defending against new attacks every day. And the law is trying to work out where they need to put minimum standards in place, where they need to put new laws. And so people are. It's this constant catch-up process, which means people are facing a breach, they're trying to work out what they need to do from a legal compliance perspective. And then the law is going, is that enough? Do we need new regulation? So the government's going, do we need new regulation in this space? And then you've also got the courts catching up as well. So people are bringing court cases as a result of breaches that then have impact. So are people keeping up? Are they on top of it? No, partly. That's because it's really hard to do that because the law and the case law is constantly changing. I think there's a couple of really interesting things that have come out in the last few months, though, that are changing the way that the law is impacting in the cybersecurity space. The first one of those is all of the class actions that have come out. So since the Optus breach, the Medibank breach, Latitude, we've seen what they call class actions being brought against that. So instead of it just being you have a breach, it's awful for you, and you lose data, your systems go down, you lose money, there's a huge amount of cost to recover, you lose customers and trust, et cetera, and your world of pain is just within your business, what you're now finding is that all of the customers and stakeholders that are impacted by that are getting together and bringing a class action lawsuit. Class action lawsuits have been relatively uncommon in Australia. They're really common in the US, but in Australia, they have been relatively rare. But now we're seeing them issued really quickly following a cyber breach. Medibank has, in fact, had another one issued, just hit the news this morning. 
So I think it's up to three, four maybe different class actions arising out of that breach. You've also got ones against Optus and Latitude all following that. So now you've got court cases following the cost of a breach. But the other thing that I've noticed that's come to fruition is two other things. There are small breaches that are now ending up in court. So we had a small matter, actually, in the ACT, where I'm based, where a small business was impacted by a business email compromise. They sent $5,000 to pay for an invoice to a bank account that actually turned out to be a hacker's bank account. So they lost the money. The provider of the goods never got their money, so the provider took them to court and the court said, actually, yeah, you know what? You still owe it. Yes, you lost the $5,000, but you still owe the $5,000 to the vendor, so you need to pay that. So what's happening is the consequences of small breaches, $5,000 worth, are going to the courts because that's one mechanism that businesses are using to recover losses that are coming out of cyber breaches that are small scale. [00:18:39] Speaker B: Never even heard of that for $5,000. Is it worth it, though? [00:18:43] Speaker A: Well, if you're going to the smaller tribunals that you don't need lawyers for, you can self-represent. Yeah, absolutely. If you're a small business, you'd lose $5,000. You can turn up yourself then. Yeah, it's worth the time. The court fees are low. It's designed for that sort of case. [00:18:58] Speaker B: Small claims stuff. [00:18:59] Speaker A: Exactly. So we will likely see a lot more of those. The other really interesting thing that's just happened in the last few weeks is that, I don't know if you've heard, the big law firm HWL Ebsworth got breached. [00:19:10] Speaker B: Yes. [00:19:11] Speaker A: So they had lots and lots of clients, including government clients and other banks. Other banks, et cetera. 
In a moment of real irony, the Office of the Australian Information Commissioner had files with them, so they were impacted. But what their legal team, as part of the wrap-up and the investigation into the breach, has done is to actually bring an injunction in the courts to stop anyone else using that data that was taken as part of the breach. So they've got this injunction and it basically says anyone in the media and anyone else in the world who has access to any of the information about the breach can't use it. And they've done that because it could help to stem further damage. So if the data has been released, it's published on the dark web, a couple of things can happen with it. The media can get hold of it and talk about it in terms of, did you know this client's been breached and this client's data is out there? And draw parallels and further implications in the media, make more news about it. But also other threat actors could take that data and use it, and also just anyone who knows how to get access to it, that is, could use that data. What HWL's lawyers have done by getting an injunction is to make it illegal for that data to be used. So it's one mechanism that can be used to help stem the damage. And it's really interesting. It's the first time I've heard of in Australia of an entity who's been breached using the courts as part of their breach remediation and recovery techniques. So that's a really interesting development. [00:20:48] Speaker B: Wow, these are super interesting, everything you're going on about. Okay, so there's a couple of questions that I have. Going back to the US, it's a very litigious country, as we know. But then I've been hearing Australia is starting to get to that level. Would you agree with that? [00:21:02] Speaker A: We're certainly not at the same level as the US, but we are on a trajectory which is increasing the legislative action in response. And there's a couple of reasons for that. I think one is that we are seeing. 
And that's a general comment. Right, Karissa? So there's. The general attitude of Americans has tended to be, well, I'll take you to court. Whereas Australians have been, well, let's negotiate this and keep it out of the court over a right. You know, if you were in the commercial space, it's very rare for companies to sue each other because actually it costs us more in the end. And we all try to use alternative dispute resolution mechanisms, if at all possible, and to come to a good commercial arrangement, because honestly, lawyers, lawsuits, they're expensive. And if we can use our business relationships and come to a good commercial outcome, that's the best thing for everybody. But cases do still end up in court where the parties simply cannot reach agreement. However, when you're dealing with a one-to-many situation, like a big breach that's impacted thousands, millions of customers, it's not practical for them to try to come to an agreement with Optus or Medibank. It's impossible. So they get together as a group and bring that case, which is the situation of the class actions. And that's becoming much more common because law firms are also seeing that there is opportunity there to represent their clients, to get a payment, a damages award, an apology, and various other mechanisms that are available through the courts. [00:22:35] Speaker B: Okay, totally hear your point. Now I want to also just press on something a little bit more about legislation. We don't want to be over-legislative. Would you say that we are? But back to your original point in your previous role that you said you oversaw 134 countries, would you say Australia is pretty, like, locked down with their legislation, regulation, compliance laws, acts, all these things in comparison to potentially other parts of the world, and maybe even focusing on those 134 countries you were across? [00:23:05] Speaker A: Yeah, it's a good question. So I think about regulation as a continuum. 
So when you start out thinking about an issue, there's not a lot of legislation. And then as the community and the government become more sophisticated in their understanding of an issue and how it's impacting on the community, the legislation gets more complicated and often more controlling. Right. So wouldn't it be nice if we could put this magic piece of legislation in place that everybody had to comply with, and that would make Australia 100% protected? This magical world, this magical law, it's not going to happen. It doesn't exist. So governments have to work out what's the minimum they can do that's going to be able to be complied with, that's not going to be an unreasonable cost on business, that they can also enforce. And they talk about that as the social licence. So do we have a social licence to legislate on this issue? And how far does that social licence go? So the government has been making these changes over time to the Privacy Act, to the SOCI Act, et cetera, over time to increase those requirements. So coming to your question about how does this compare with the rest of the world? The rest of the world is also on this journey. So some countries or regions are much more sophisticated than others. And that tends to be the countries that are quite mature. So the US is quite mature in this space. But helpfully, they have 50 states, 50 plus states, with each of them has their own laws, so they have federal laws, but they also have state-by-state laws, which, if you can take that 134 countries and then add another 50 stacks of jigsaw puzzles on that because of the individual states, and of course, Australia's got multiple states as well. So where you've got countries that have multiple jurisdictions within them, you layer in even more complexity. But then you've got developing countries that are also looking at these issues but trying to work out where they want to sit. 
Do they model laws from somewhere else, which might make it easier for companies to comply with? Because if you can model laws, say, and I'm just going to use this as an example, say New Zealand looks at Australia and goes, hey, you know what? We want to be able to have a good, solid security industry that knows how, and we want to have business that understands how to comply. And we do a lot of business together. So it makes a lot of sense for New Zealand's laws to mirror Australia's because we have similar needs, similar risk profiles. They might take a similar path, but a country that has a completely different set of industry, a completely different set of social requirements, might need to have entirely different laws that in some respects are more restrictive, but in some respects are more relaxed. So some countries, just as an example, have gone down the path of requiring people providing security services to have a license to do so. We don't have that in Australia. You don't have to be licensed. Our cybersecurity professionals aren't regulated, not like lawyers. Lawyers have to have a license to be a lawyer. Essentially, we have to renew that every year. So it's a regulated profession. The cybersecurity profession in Australia is not a regulated profession. In some countries, they have brought that requirement in. And actually what that does is really interesting. On the positive side for those countries, they know that people providing cybersecurity services in their country meet minimum levels of qualification and sophistication, and that they know they're getting a minimum level, which is great. What it also does is discourage companies from coming and setting up operations in those countries because they have to then comply with this licensing regime that often has lots of penalties and cost. 
If you're a smaller nation and you want to attract world-class cybersecurity professionals to come and help your community, your business, and your individual community, then putting barriers to entry in place like that can actually do the opposite. It can discourage people from setting up business there. And that was something that my old company that I worked for used to look at. We'd go, okay, we're not actually going to provide cybersecurity services in this country because we need a licence, and the licence requirements are too hard, so we won't do it here. And we did use to look at that. So the question about are we over-regulated? Other countries are in different places in this journey, and they've chosen to go on that path for different reasons, and it then has different impacts. But I don't think we're at the over-regulated stage. I think we're actually at a pretty good balance for the level of maturity of our country and our business, for where we need cybersecurity professionals and businesses to be operating. And we're going to need to see the legislation and the community adapt as we face new challenges. But I actually don't think the balance is too bad considering where we want to get to, which is off the top of the list of being the most attacked country in the world. That's where we are. It's not a great place to be. So we obviously need to do something. And I think the regulatory balance that we've got and that we're working towards with the increased SOCI requirements, et cetera, that will help to trickle down and bring our security levels up as a country overall. [00:28:23] Speaker B: So do you envision, with the whole 2030 being the most cybersecure, most secure country in the world, do you envision that Australia may bring in regulation similar to being a lawyer, that you have to have a licence? [00:28:37] Speaker A: It's one of the things that has been discussed, and as I said in the previous bit, it has benefits and it has drawbacks. 
And one of the things that the industry has been talking about is, well, what are the drawbacks? Because when you produce a barrier to entry, it does mean that it's harder for people to do it. But you do get the benefit of quality and assurance about the levels of qualifications once you're there. But you also then have to regulate it. So naughty lawyers, naughty accountants, et cetera, are disciplined and they are struck off. So whenever you put a requirement in place, you then have to also put in place the bodies to monitor and to control it. But one of the things that's been raised as a concern is we have a huge skills gap in the cybersecurity space as it is. And we also have a lack of diversity. We don't have enough women, we don't have enough people from diverse backgrounds of all kinds in the cybersecurity professional space. And the concern with adding in barriers to entry, making us meet certain minimum education qualifications, meet annual professional regulation requirements, is that that could further discourage the diversity that we want in the workforce. I also think it's dangerous because I don't have any certificates in cybersecurity. I've been working in this space for a decade, but I don't have a certificate in this or a qualification in that. I'm a lawyer. So you have to be really careful about what is it that's going to be regulated and what is that going to exclude. Because cybersecurity isn't just about the technical side either. It's about the people, the processes, the laws and the overall risk management and education. So it's not as simple as saying, if you have X qualification or equivalent, you can be a cybersecurity registered professional, because we need such a diverse range of skills to really fight the cybersecurity battles that were ahead of us. And so whilst you can say, to be a lawyer, you need a law degree, you need to meet these things. That's relatively simple. 
But then once you're a lawyer, you can be all sorts of different types of lawyers. In cybersecurity, I think it's a much more difficult task to say this is the minimum level of skills or qualifications you need to practice as a cybersecurity professional, because the breadth of skills and inputs that we need is so wide.

[00:31:03] Speaker B: Well, I guess I'm out because I don't have any degree or any certificate or anything.

[00:31:08] Speaker A: Right. But think about what if the industry was without your thoughts, your expertise, your contributions. It would be so much the poorer for it.

[00:31:18] Speaker B: Thank you, Annie. I've only conducted 250 plus interviews, maybe even more than that, 200 on the podcast alone, so I guess. Yeah, look, you raised great points, and I understood when you were saying the for part, but then I stood your side about the against part. I think until we get to be more mature as an industry, there's probably no point in it, because, like I said, it will discourage people. People can be bothered even getting into the field. There's going to be a lot more work, a lot more rigor around being regulated and everything like that. So I don't predict that happening anytime soon, if I'm honest.

[00:31:54] Speaker A: No. And it's actually been interesting. I've seen a few of the big cybersecurity bodies actually make statements about withdrawing their support for a regulation of the profession for those reasons that they want to encourage people to enter into this space, not put up barriers, and to encourage diversity. And to encourage diversity not just of gender and sexuality and background, but also of skills. And the minute you put up walls, you start to narrow that down. So I think it could be something we look at in the future, but it's certainly not something that would help us on our cybersecurity journey in the next little while.

[00:32:28] Speaker B: So how do we get on top of everything?
Going back to your jigsaw analogy, how do we start forming the edge of the puzzle, I'm assuming? Is that the right way to do a puzzle? You do the edge first and you start filling in the middle.

[00:32:40] Speaker A: That's the way that grown ups do it. I've got a five year old, and we do it by color. We look for the colorful bits and put them together. So I guess my point is there's more than one way to put a jigsaw together. Some people are edge-pieces-first type people. And getting on top of what's happening in the legal space is a bit the same. How do you like to get your information? How do you like to organize your professional reading? Your professional information intake differs from person to person. I'm a podcast person, and I also like snippets. And then if I find an issue I have to dive into, I'll do really deep reading. But I much prefer to sort of skate across the top of all the issues. You might be a deep reader, in which case you probably just need to focus. You need to get those jigsaw pieces and go, which are the absolutely critical pieces for me in my role or my organization? And I'm going to dive deep into those. But first of all, what I would do is try to get a picture of your jigsaw puzzle for you in your role or your industry, your organization. Then you can sign up to some great free media and free information sources. So actually, law firms have some great free articles that they put out whenever there's a change in the law. And you can sign up for, I want to see just the cybersecurity ones, or I want to see the cybersecurity ones and the ones on critical infrastructure, et cetera. And so you just Google up Australian law firms and cybersecurity, and you'll see that there are ones you can sign up to. There's actually also, if you are in a business, there are subscription services you can sign up to that will help you track regulatory changes and help you manage regulatory compliance.
So if you've got a really big jigsaw puzzle for your business, it might be worth looking at one of those tools. There are platforms that do it that help to automate your tracking and help to bring the compliance requirements to the fore and help you to map your compliance across onto what your organizational controls are doing. So there are things you can do. But I do find I have to read cyber news every day. Otherwise I start to fall behind. But then again, it's my job to be absolutely at the forefront of what's happening. Other people might have a bit more time to digest and adapt to the information that's important to their business. But without that picture of what the jigsaw puzzle is that you're trying to build, it'll be really tough. So getting that picture sketched out is a really important first step.

[00:35:09] Speaker B: So how does it look? And great points, by the way. I really appreciate you sharing those avenues for people to get that information. What about for a CEO that's like, okay, not only have I got to think about what Annie's saying, I've got to think about George and all of his compliance around HR. Then I've got to think about Jennifer and all of our regulation around compliance on paying people and Fair Work Australia. I've got to think about them in case someone tries to sue us. How do you sort of wrap your head around everything when it's not really your world, and let's maybe focus it on your world? How does someone absorb all that? There's a lot of stuff going on when you're a CEO of a company. It's not just what Annie's saying. You've got 50 Annies saying the same thing, and everyone's saying how important it is. How do you handle that day to day?

[00:35:53] Speaker A: Yeah, it's a really good question. And if you are the CEO of a really big business, then you've probably got not just the compliance for the HR and for the industry and for the corporations and all of the cyber stuff.
You've also got that times every country that you operate in. So I really think, for the people in those operations, you have to have trusted advisors who are experts at getting across that stuff for you and bringing the key things to your attention. But it's also about having a great process because compliance can be organized. There are some laws that are going to change regularly, but it's unusual for all of them to change all at the same time. And it's also, as I mentioned at the beginning, governments tend to give good lead time in terms of compliance. So what you need are people who, if you've got a team, fantastic. If you don't have a team, some external help to do that mapping, to get tools to help you monitor when there's changes. But to do that mapping to your organization so that compliance doesn't become something you have to continually juggle. It becomes embedded into your organization and into your organizational processes, the way that your people work, the way that they're trained, because that way it doesn't feel like such a burden. It's just the way you do business, and it's sometimes tough to get there. It's going to require some investment. But once you get there so that your compliance is operationalized, as we used to call it in my previous organization, then it becomes routine. And you only need to worry when pieces of the jigsaw puzzle change. But they're only likely to change one or two pieces at a time, rather than when my three year old comes along and throws my jigsaw puzzle on the ground and they all get muddled up together. That's a bit of a disaster that's unlikely to happen to you if you have already mapped out most of it and you've got those pieces bedded down. Only one or two pieces will be moving at any one time. Sorry.

[00:37:53] Speaker B: And operationalized compliance is once you've worked it all out, it's all like a well oiled machine and you're just humming along. Is that what you mean by operational?
[00:38:01] Speaker A: That's right, yeah. So it's embedded in your process. You go, the law says I have to do this within these time frames, by these dates, I have to issue these reports. So you take that legal requirement and you embed that into the operations of your business, whether that's the operations that your finance team have to do, whether it's embedded into your HR processes, your payroll processes, to make sure you're keeping up with changes to the payroll obligations, et cetera. You embed those compliance obligations into your operational processes and then it becomes just day to day work. And there's actually an interesting thing you can do. One of the big things around compliance in the cybersecurity space is that if you have a cybersecurity breach or a data breach, there's like five or six different time frames and organizations you have to tell. Otherwise, if you don't tell them in the right order, within the right time frames, you're going to get hit with fines as well as all the nightmare. So if your incident response plan doesn't include your lawyers and doesn't include a really great map of who you have to call first, you're going to get into trouble. So there was actually an article that came out from ASIC and some research done earlier this year that said there'd been 36 major reported breaches by ASX listed companies in Australia in the last ten years. Now, I'm going to put aside the fact that seems like a very low number, but of those 36, only eleven of them had actually met their obligations in terms of telling ASIC that they had had a breach within the right time frames. For the others, they had all told other people, including the media, that they'd had a breach, and the shareholders and stakeholders in ASIC found out about the breaches via the media over their morning coffee, and so they were immediately in breach of their obligations. And so if they had had an incident response plan that said cyber breach, who do I call first?
Right. I have 72 hours to call. If I'm a critical infrastructure provider, I have 72 hours to call the ACSC and report, and APRA requires you to report within 72 hours. If you're covered by APRA as a regulator, you also have to tell ASIC before you tell anyone else. And a lot of people don't know that. So you need to have your jigsaw puzzle of your regulations. But in your incident response plan, you need to have your list of who has to be told within what time frame in order for you to meet your legal obligations. Otherwise, you're going to find potentially that APRA is taking action against you, ASIC's taking action against you, the OAIC is taking action against you, because you failed to meet your reporting timeframes in the midst of a crazy breach response.

[00:40:45] Speaker B: And look, I have empathy. There's a lot going on in those times, right? Your whole house is on fire and you've got ASIC barking up your tree, and then they're going to be bringing the hammer down on you. It's a tough position to be in and you've got enough stress to worry about, let alone informing these other people in the time frame. So I kind of get why people don't do it, right. I understand.

[00:41:05] Speaker A: I completely empathize with them. And you go, gosh, in the middle of working out who's in our system, what they've got, who's impacted, I suddenly now need to remember to call this regulator that I mostly avoid talking to, and what do I even say to them? But this is where I talk about the operationalization of it. If you've thought about this in advance, it's built into your incident response plan and you've done your IR war gaming and practicing, et cetera, so that it becomes second nature. You have a breach, you call your legal team or your lawyer and say, hey guys, press go on all the people you have to tell from a legal compliance perspective, and we'll keep focusing on the breach remediation.
But you've got that embedded into your IR response process and so you then don't have to worry about the compliance side. You've ticked that box and you can get back to focusing on saving your business and remediating the impact of the breach.

[00:42:00] Speaker B: So, Annie, do you have any closing comments or final thoughts you'd like to leave our audience with today?

[00:42:05] Speaker A: I think the important thing is that this is really complicated. It's a big jigsaw puzzle. It might be multiple jigsaw puzzles, but you can put it together. The pieces do fit together when you know what your picture needs to look like. So don't stick your head in the sand and think it's all too hard. That's just going to make it worse. At the end of the day, best case scenario, you don't have a breach. But we all know that it's highly likely, if not just guaranteed, that you will be impacted by a breach at some point soon, if you haven't already. So in that case, if you don't get on top of your compliance and you don't get it into the operations of your business so that it becomes second nature, when you do have that breach, not only are you going to have the consequences of the damage to your business, the loss of money, the loss of data, but you're then going to find it's followed up by investigations, lawsuits, fines. You look at what Medibank has had to do, which is they've had to put an additional $250,000,000 worth of capital into holdings because of an APRA requirement that came down this week. There are going to be significant additional consequences that come as a result of failing to comply and failing to take those actions. So don't leave it until everything settles down. It's not going to settle down. The longer you leave it, the harder it is to catch up. So get started.
Get some help in working out what that picture of your jigsaw puzzle looks like for your business, because then you know which pieces go in this puzzle and which pieces you can put away because they don't apply to you, and you can focus on the key requirements for your business, what you actually have to do by when, and you can start to break it down and actually get the work done and get help with that work if you need it.

[00:43:59] Speaker B: This is KBCast, the Voice of Cyber. Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today. This episode is brought to you by.

[00:44:13] Speaker A: Mercksec, your smarter route to security talent.

[00:44:17] Speaker B: Merksec's executive search has helped enterprise organizations.

[00:44:21] Speaker A: Find the right people from around the world since 2012. Their on demand Talent Acquisition team helps startups and midsize businesses scale faster and more efficiently.

[00:44:32] Speaker B: Find out [email protected] today.
