May 24, 2024

00:40:30

Episode 258 Deep Dive: Aaron Bugal | Addressing Cybersecurity Burnout

KBKAST

Show Notes

With close to 18 years' experience at Sophos, and over 20 years in the cybersecurity industry, Aaron Bugal has spent his time helping organisations throughout Asia Pacific and Japan effectively understand and deploy strong cybersecurity measures to keep their businesses safe.

As Field Chief Technology Officer for APJ, he is able to clearly articulate to business leaders, partners, and companies the ever-evolving cybersecurity landscape and emerging cyber threats.

His humorous demeanour and witty analogies have shone in discussions with a range of media, conferences, and events, where he provides practical insights for both business and consumer audiences to take on board.

Episode Transcript

[00:00:00] Speaker A: The cultural shift and attitude adjustment towards good cybersecurity culture starts at the top. Starts at the top with better governance around what it means to be cyber resilient, understanding the risks and the threats to the business, and then deputizing people to come up with a plan to mitigate, defer or accept that risk so that if the business does suffer an incident, they can move forward.

[00:00:28] Speaker B: This is KBC, primary target for ransomware.

[00:00:33] Speaker A: Campaigns, security and testing and performance, risk and compliance.

[00:00:38] Speaker C: We can actually automatically take that data and use it. Joining me today is Aaron Bugal, Field CTO, APJ from Sophos. And today we're discussing cyber burnout across Australian businesses. Aaron, thanks for joining and welcome.

[00:00:53] Speaker A: Thank you so much for having me, KB. I'm pretty excited to be here today.

[00:00:56] Speaker C: So we're referencing the recent Future of Cybersecurity in APJ 2024 report, which was produced by Sophos. Now, I want to get into some of the key findings in this report, which was quite interesting. And I know from being in my sort of role that cybersecurity burnout across the space is becoming quite prominent. So I want to dig into that a little bit more. And for people listening, we will be linking a full version of the report in the show notes. But for this sort of interview, we're just going to go over the main sort of points, the main insights. So maybe let's start with one of the main key findings. So I'll read it out here. Burnout is impacting 86% of cybersecurity and IT professionals in Australia. So talk to me about this. 86% is quite a substantial number.

[00:01:41] Speaker A: Yeah, it's quite large, KB, you're right.
And I guess first and foremost, from my own perspective, I just want to make sure that everybody who is here, everybody that is listening to this podcast, knows that cyber burnout in our industry is an absolute real thing. I think there's some naysayers maybe out there, there's some people that perhaps are feeling these feelings and they're not too sure what they're feeling and they're pushing them down. It's absolutely okay to feel a bit confused and overwhelmed, which I'm really looking forward to getting into. So hopefully this report and the discussion that we're going to have is going to shed a lot of light on what we're going to talk about today. But yeah, it was a bit interesting. This research topic for this year, our fourth iteration of The Future of Cybersecurity in the APJ region, and taking the tack of mental health. It's quite an interesting and cathartic look about. You know, you, KB, myself, we've both been practitioners in this industry that we call cybersecurity, which I have a little bit of a bone to pick about that word. We've seen it all, right. We've been there, done that. And it was quite interesting as a result of the pandemic and even my own self working at home for, you know, almost close to six years now, and coming out of the pandemic, there was just this odd feeling about, you know, being cooped up in the same place for a long period of time. And it wasn't until we sort of started getting out and seeing people in the industry, face to face meetings, that that sentiment was real, that people were feeling a little bit disconnected, a little lethargic, a bit despondent, a bit disillusioned, even. And it was quite a good set of research to dive into, to sort of say, is this a thing, widespread? What about the region? And, yeah, 86%. 85% of respondents that we spoke to have got a bit of a problem with cyber burnout in this cybersecurity industry of ours.
[00:03:35] Speaker C: So did that number sort of surprise you? 86%?

[00:03:40] Speaker A: It did a little bit. I mean, it surprised me. A little bit shocked, I think, was probably more of a word that I'd attribute to it being so high. But my surprise is, like, it explains a lot. It's a bit of an interesting situation. When you sit down, you think about, are we so beleaguered as cybersecurity professionals? And, you know, of course there's both technical and non-technical roles in the industry, that it's all facets of an organization, whether they're directly within the cybersecurity field, that people that need to accommodate and account for or be responsible for cybersecurity outcomes, they're being impacted as well, because it's a hard thing to get right, let alone do right 100% of the time.

[00:04:22] Speaker C: So you said this sort of explains it. What specifically do you mean by that? What is this number sort of explaining from your perspective?

[00:04:29] Speaker A: So the 86% or the. I think it's 85% in the report, actually, I'm not too sure. There might be a digit off there. I could have misread it from my small font on my screen, but the particulars around that number, when I was coming out of the pandemic, I was feeling quite monotonous in what I was doing, because I was staring at a screen or staring down a camera. I was talking to a two-dimensional image of whatever it was, usually my Zoom client or my Teams client. And I was just a little bit on the repetitive side. And it wasn't until I connected with other individuals in the industry and even spoke to some of my friends in the industry as well about how they're feeling. I had one of my best mates who packed up shop and went back home to Scotland because he was cooked. He was in digital forensics. And he just said, oh, this is done, I'm done. I'm going back home and I'm going to find something else to do.
So I think that sort of sentiment with people becoming overwhelmed and not feeling that they are doing a good enough job, just because there's a fair bit of disconnect, which I really want to dive into, from, like, the executives and boards and the people that are on the coalface dealing with cyber issues. Yeah, this explains that this high percentage of people that have got this feeling of burnout is just sort of marrying up with how I was personally feeling. Yeah, it's no wonder that this is the state that we're in.

[00:05:53] Speaker C: Maybe let's start with your definition of burnout. Now, it seems like an obvious question, but again, it depends on who you talk to. Depends what sort of industry. You're sort of saying the phrase burnout, what does that mean to you from your perspective? Because, just so we're all on the same page here.

[00:06:08] Speaker A: Yeah, I guess from my perspective and the people that I've spoken to and looking through the results of the report, a lot of the burnout is attributed to exhaustion, especially around the mental capacity of people, which then sort of affects their emotional sort of attachment to what they do and who they are. Physical. Absolutely. I mean, I felt personally lethargic coming out of the pandemic and being stuck doing the same things. And there's a lot of other people that feel that a combination of being emotionally drained, physically drained and mentally drained, that overwhelming amount of stress that contributes to those factors, is the result of people becoming burned out. And I think that's probably a good summary of where I see burnout overall for people in our industry.

[00:06:55] Speaker C: So do you think a lot of that number that we've been talking about today has been significantly increased since the pandemic? What about before the pandemic? Would you have sort of envisioned that that 86% was lower than that before the pandemic? Do you have any insight on that front?

[00:07:09] Speaker A: I reckon maybe, yes.
But I can guarantee you that the industry as a whole, the way in which the threat landscape, the requirements from regulations, business structure, the delicacy of some organizations, like operating on a knife's edge pre and post pandemic, they were big contributing factors to making people feel very stressed. So I wouldn't be surprised if there was continuity in these sorts of feelings retrospective to the pandemic, maybe not to the level of what we see now, but I think these sorts of numbers that we're seeing in these reports, because we're starting to normalize mental health just agnostically across everything that we do in life, which is fantastic, then really starting to sort of pick up on it in this cybersecurity industry, which is highly strung, in demand of people and threats coming at us left, right and center. I think that increase is now more exacerbated than what it would have been pre-pandemic, but I think it's always been there.

[00:08:14] Speaker C: And do you think these people are aware, like, hey, I'm burnt out, I'm fatigued, I'm tired, I'm exhausted? To your point about your friend saying, I'm cooked, I'm going home. Are you starting to see that more sort of come into the conversation, or do you think people still are unaware and maybe they say, oh, I'm just a bit tired this week, you know?

[00:08:30] Speaker A: Because it creeps up on people slowly. They don't notice that small glacial shift in their attitudes towards what worth they feel that they have to the business and if they feel it's diminishing, or am I doing a good enough job, or is the business putting more requests on me? And that's just, you know, business as usual. They're not noticing that culmination of requirement of their physical and mental self is slowly being eroded because there's no additional help and things are just getting harder. So I think some people would notice it. I don't think a lot of people do.
It's not until, like, that time that I went in and sat in front of a couple of customers that I hadn't seen before and there was a new face in the IT team who was tasked with cyber. You could just tell the look in their eyes, they were glazed over. They were thinking, not another meeting, not another vendor, not another piece of tech that I've got to deal with to be the cyber person. You could see that they had almost partially checked out. It wasn't until we sort of sat down and said, you're right, you're looking a bit overwhelmed, like you've got something else on your mind. They said, yeah, there's buckets to do. And they just unloaded on me to say, we've got to do so many things, and these things are changing. And it was a bit confronting at first, but after speaking to other people, it's quite similar. Like, there is definitely a need for more assistance in organizations to help people that have been tasked with the responsibility of dealing with, quote unquote, cybersecurity. But they're only one person, or they're a small subset of people, not necessarily with the ability to look after everything that requires attention.

[00:10:11] Speaker C: So just going back to your comment around, oh, not another vendor, do you think perhaps, and this is more broadly, this isn't just aimed at you or Sophos or anyone, do you think, like, vendors are sort of contributing to that burnout? Perhaps because I say this because I speak to a lot of CISOs, very senior people on this show, and they're saying, like, they get hit up repeatedly, multiple times a day, to the point where it's almost haranguing people. So do you think vendors in general are contributing to that?

[00:10:37] Speaker A: Okay, I'm gonna flat out say, absolutely, couldn't agree with you more.
And I know that's probably not the corporate line that many of our PR agencies would like to hear, but I think there is a fair bit of attribution towards how complex a lot of organizations have become with their cybersecurity tools and processes as a result of things being sold to them for a reason. Now, everybody who runs an organization or is in charge of an organization, they're grown adults, and they can make their own decisions on whether or not they sign POs and buy things. But I think there has been a slight element of FUD before in the past from some vendors, some more than others, that has definitely leant into the exacerbation of the threat landscape. And people have just bought shiny tools to deal with the threats, thinking that that's a tick box, that's done, we can move on. And that's not necessarily the case. And when we go in, or when some of my colleagues from other parts or competitors go in to review things, things have been purchased to fix up a system or a problem, not necessarily having been exercised to their full potential. So therefore there are gaps in their protection. So I'll agree with you, absolutely, yes. But at the same time, there's been very little optimization and the approach into optimization of what those tools can provide to make the job a lot easier and the outcomes a lot better for the business. So I guess that's all right. I stand on that. Yeah, absolutely.

[00:12:10] Speaker C: I hear your point. I think the average Australian business, like larger business, has between 70 to 100 tools. Now, going back to your point about optimization, that is very obviously not the case. There's a lot of things that overlap. So I definitely hear your point. Probably just more so, just, oh, it's another vendor person trying to call me, more so than that. Because I can relate to how that feels.
Sometimes when people sort of, you know, always want your attention, so it's more so from a changing of your hats all the time and trying to be like, okay, I've got to focus on this. Then I've got 50 people calling me a day. Like, it's probably more so that. And then feeling like, hey, they want to get back to everyone. I just physically can't.

[00:12:50] Speaker A: Yeah, yeah, there's a lot of activity. I mean, interestingly enough, like this, I've only been in the Field CTO position at Sophos here for the APJ region for just over twelve months. And I noticed a very sharp incline through the professional social media websites. Let's just leave it at that. That when my title was changed and my public profile advertised it, it attracted a lot more people asking me questions about, hey, have you thought about this? What about that regulation, this AI framework? That? And I was like, well, that's a lot of noise. And that's like, you know, I might be taking 10 to 15 seconds to glance and go, nah, I've got to get back on task. But if that was amplified by ten times a day for a nominal CISO in their position, that's a lot of wasted cycles, and they need to be aware of everything that's happening. So they look, they review, they read, and then they start to either decide, do I need to compartmentalize that knowledge or shift it away? It does take focus away from a lot of the things that they need to be doing and effectively evangelizing to the rest of their teams.

[00:13:57] Speaker C: So let's talk a little bit more about wasted cycles. So from my understanding in the report, it does say that people are tired, fatigued, burnt out. Obviously it impacts the quality of their work. Right. Quality to deliver, quality to respond. Talk to me a little bit more about that and your thoughts.

[00:14:13] Speaker A: Yeah, so it's that disconnect through either apathy or maybe feeling that their capability in their
role is diminishing or they're not getting the right guidance. And therefore they feel that the effectiveness of their own self towards the mission is becoming ineffective and they just get overwhelmed quite quickly, and that level of stress and then draining of their ability to mentally operate and physically operate really then takes its toll. So in, say, a typical breach that our incident response team would sort of account for and help people recover from, a lot of those engagements have been around a trivial issue being overlooked. Somebody forgot to patch a gateway system, somebody forgot to tighten up the ACLs on a firewall, somebody forgot to install security software to the best practices of the vendor that they purchased it from because they had other things to do. And it was those little things, those little minor events that, oh, if they could have been adjusted at the time, they wouldn't have turned into a full-blown breach. So yeah, when people are not operating to the best of their abilities, or even worse, they're doubting their own abilities because they've got it in their head that, you know, they're not valued or they just don't have the help of resources to do their job properly. That can manifest in some pretty bad situations. Case in point, in a couple of the incidents that we've hand-held. Yeah, that's all I had to say about that one.

[00:15:47] Speaker C: So there is a stat around that. But just to your comment there, do you think that in the future people are going to come out and say, well, we got breached because we're burnt out and we're tired and we're exhausted, give us a break? Are we going to start seeing that now, coming through?

[00:15:59] Speaker A: I would be a little concerned if an organization was going to take the public line that they were burnt out and that that was why they got breached.
It's not an excuse, because then the natural flow of discovery and conversation would be, well, you're the governing body of this organization, Mister and Missus Board Member or Committee Team. Why didn't you implement the correct governance functions to ensure that those that are on the coalface and responsible for defending against threats are armed with the best knowledge and tools possible with the right processes? So I think, you know, that could be used as an excuse and wielded out, but I think it'll quickly blow back on the organization going, damn, we're the ones responsible for looking after our defenders, and it really brings to light who's defending the defenders. It's not going to be the organization. I really think that the defenders should be getting up and moving somewhere else where they're going to be valued, they're going to be fostered and nurtured, and their natural interests and curiosity within the cybersecurity field can be directed to an area where they've got passion or expertise in. So if it's, you know, technical, non-technical policy, right, governing functions, you know, or operating the new fancy shiny tool because they've got the skills, then that's where we need to start directing people. Just sort of like to finish up on that as well. The Australian government has really started to adopt the NICE framework, the National Initiative for Cybersecurity Education, which is a framework that was authored in the United States, but it really teaches about cybersecurity fundamentals at a younger age and teaches basic skills to people as they move into the workforce, mostly because we get a lot of new players in our industry, KB, a lot of new players coming in and say, I want to be in cybersecurity. And we go, cool, you're hired. Come on board and dump yourself into the SOC and start looking at all these speeds and feeds all day, and by the way, you're doing detection engineering.
And then people go, I didn't sign up for this. I don't want to look at logs, I don't want to write YARA rules to look for dodgy pieces of code on my cloud containers or whatever. So they get a little bit tired, quickly burnt out, because they can't do their job. They like the money, but at the same time it sort of starts to breed that spiral of, like, things are too hard. Where's the bailout cord? So I think there's a lot of room for improvement around organizations better looking after their employees to help sidestep a lot of these big systemic issues that are now starting to rear their heads.

[00:18:34] Speaker C: I want to get to better looking after employees. I want to get to that in a moment. But I asked you the previous question because there is another insight here, which I'll read out again. 19% of Australian respondents identified that cybersecurity burnout either contributed to or was directly responsible for a cybersecurity breach. Now, as someone who works in media, I wouldn't advise someone to come out and say, hey, we're tired here, we sort of stuffed up, when we have a breach, but that stat is saying it's contributing to it. So I want to talk a little bit more about this.

[00:19:08] Speaker A: Okay. Looking at that statistic about the 19% attributed to respondents saying that, you know, our burnout affected us by, you know, being breached. As a result, that goes directly back to the employees that were being tasked with the responsible functions of dealing with, you know, better cyber resiliency and outcomes, who were very much, well, self-doubting themselves. They were at a point and a position on their downward spiral in self-doubt and the drawing and the upcoming of apathy towards their position that their lethargy then allowed them to say, well, something's happening, I should probably look into that, just click the button and suppress the alert. And that's probably the worst case scenario. I'm not saying that everybody is in that position.
Most people will genuinely try to defend, but when you've got to be mentally razor sharp to identify a precursor event, as I said, one of those little minor issues like perhaps your vulnerability assessment platform has suggested that a security device is being probed on an exposed web interface. Maybe there's not a known CVE or exploit for that unknown vulnerability yet, but it could be a clue that somebody knows something and they're probing you. And typically, like a managed threat response, a managed detection and response, these SOCs as a service, as we tend to call them in the industry, they would pick up on these weak signals and action it, investigate, conduct a hunt, understand, is this, you know, benign activity like a DoS attack, or is it somebody trying to gain access into the environment, and then shut it down? Right. Make sure that the system could be patched, if it could be patched, otherwise isolate the attacker from being able to progress any further. But if somebody who is in charge of that is not on there at their mental best because they are overwhelmed and they are, as I said before, cooked because of everything that's happening in the industry, then how do we expect them to respond and pick up on that weak signal? No wonder things sort of, like, spiral out of control quickly for the environment and people get hot. There's been a lot of little mistakes over a lot of the publicly disclosed breaches that we've all read about in the media over the last couple of years that could have been easily avoided. They just were missed.

[00:21:30] Speaker C: Yes, easily avoided. So you made the comment around overlooking the alert, for example. So would you say, and again, if you had to weight it, would it come down to, due to exhaustion around, hey, I'm tired, I'm overworked, I'm drinking ten cups of coffee a day? Or to your previous comment, that overlooking the alert because, hey, I'm not really interested in this job?
Didn't sort of realize this is what was involved in doing this type of job, which, how would that sort of sit? Would it be 50/50, 60/40? What are your sort of thoughts on that?

[00:22:00] Speaker A: It entirely comes back down to the individual. It could be 50/50, let's just say it's that. But it's very much all dynamic. Depends on the organization, the position the person's in and the position that they want to be in. So that apathy level is very much all dependent on where they are versus where they expected to be. Right. They're very different things. But then there's the other side of the coin. There's a person who's striving at their absolute best, burning the candle from both ends. They are just so overwhelmed and overworked, they just miss one little thing. So through no fault of their own, they're trying. They're trying their best. They miss it. So going back to that statistic, it is a very. It's a pointed statistic, but it comes down to the individual responding, like, how they were feeling at the time. And I don't think that that resolution of data will ever be available, not unless we go sort of bailout.

[00:22:49] Speaker C: Okay, so I want to now move on to part of the report which really focuses on the board side of it. So the report also found that regardless of the Australian government's big focus on cybersecurity awareness, as you know, boards remain uneducated when it comes to cybersecurity and teams are not ready to respond appropriately to cyber attacks and breaches. There's two questions in that. One, I want to know more about what these board people are thinking. And two, what does not ready mean?

[00:23:18] Speaker A: This is a good question. Thanks, KB, for bringing it up. Because the data. There's a response here which I'll give, which was going to be a little bit, I guess, polarizing, but I'll get to that in a second. So 84% of the organizations have an incident response plan.
Now, I know an incident response plan is part of a much broader business continuity plan, but nonetheless, out of those organizations that have an incident response plan or declared they have an IR plan, 75% of them have said that it only came about after they had an incident. But that's quite telling that from a preparation standpoint, there was none. That's that old adage, if you fail to prepare, you prepare for failure. I mean, it's a bit catastrophic in its saying, but it sort of sums up the situation quite succinctly, that a lot of organizations have had a she'll-be-right attitude towards being cyber resilient in the face of an oncoming threat, but not really sort of sitting down and saying, what happens if we do get knocked around the head and we can't operate for a couple of days? Can we sustain it? A lot of organizations are not having those discussions. There was another statistic, I think it was close to a third of the respondents said that if they did have a cybersecurity incident, chaos would break out. People would run around clutching at their hair, perhaps shrieking in the halls. I embellished, perhaps, but they would say that chaos would break out and things would be left to, well, whoever could help them and whoever they could call at that moment of pain. So going to, I guess, the second part of your question, what are boards thinking? Well, I think they're thinking one thing, and the expectations are a broad array, different to what they are expecting to get around that sentence. So in essence, boiling it down, there's a definite mismatch in expectation between the resiliency that the board and the executive committee see and what the business is able to provide when an emergency strikes. I don't think a lot of organizations are sitting down and going, right, let's do a tabletop exercise.
Let's play out if we get attacked by ransomware and go, and then redoing the same scenario, okay, we're going to get attacked by ransomware, but our chief financial officer is now on a two-week holiday in Phuket. Whatever. They're unavailable. How do we respond? And really sort of refining the resolution around those types of scenarios. So my phrasing to a lot of executive committees, and more so IT managers and team leaders that are tasked with cybersecurity, and also those at the board level who are accountable for the results of a cybersecurity incident: it's time to get awkward. Get awkward and have some discussions around the hard truths. What is your actual incident response plan? What is the net result of something happening? You know, and I challenge the people that are listening today, that are in those positions of ultimate accountability in their organizations, to balk at these comments and scoff, but actually go ask the hard questions about, if we are taken out of action, are our backups going to be instantly deployable? How much time do we lose? What's our recovery point objective? But these sorts of, I guess, response actions, they first need to come from the rest of the business as risks, articulated as risks. So I think, from what I'm trying to say, is that there is a little bit of a lack of governance around organizations and maintaining the right expectations between people that are responsible and people that are accountable for cyber.

[00:26:44] Speaker C: So when you said before, go down to your employees and get awkward with them, what does that look like? Start asking them questions around, if the CEO's on a holiday in wherever, who's the next guy in charge? Or the next lady in charge? Is that sort of what you mean? Because, like, you're right. A lot of people don't really know those answers because they're just like, well, you know, I'm just here doing my job and, you know, yes, everyone's responsible for it. Yes.
But really, at the end of the day, there needs to be a plan, but also people need to remember the plan when there is chaos going on.

[00:27:14] Speaker A: And the plan's got to be put into a safe that has a physical pin code on it and is not connected to an IT system, let alone your CFO's desktop file storage solution that's just been locked up with ransomware. Yeah, these plans need to sort of be in existence in physical form, too. So, yeah, just to go back to your question, KB, getting awkward is a big collective sort of phrase around just asking the right questions about what expectations the business has in the forms of how much cyber resiliency do they want, you know, how do they articulate and how do they quantify risk in their environment? And when it comes to threats that face their business, are they doing enough to actually counter them, not give lip service to the people that are asking the question? So from the employees that I say are responsible on the coalface, if you feel that you're getting lip service from your executive team and your board, challenge them. Ask them. Well, hang on. You say that she'll be right. Or we can survive for a couple of days. Is it two days? Is it three days? Is it over a long weekend when it's Easter time or Christmas? Can we survive, though, for those periods when there's loading and so forth? So being finite, I guess, being specific in these types of disaster scenarios and what applies. I think there's been too much of a cultural aspect where boards and committees rule and you don't go against them. That it is okay for us that have been, you know, we've been paid, we've been put in these positions to look after cyber. Why wouldn't we want to make sure that the things that we need to know to do our job and make the business survive are answerable and can be, you know, put down on paper so that when we need to do something, it's been authorized to do so from a response action.
[00:29:01] Speaker C: Okay, there's a couple of things in there that I want to get into a little bit more. So just going back to the awkward statement. Is it awkward because people don't know the answer? So it's like, you know, if you ask me a question about my job and I couldn't answer, it is a bit awkward. Right? Same thing. If someone asked you a question and you can't answer it, is that what you mean by the awkwardness?

[00:29:18] Speaker A: Yeah, absolutely. If people struggle to answer a question, that's okay. It's okay to say, I don't know, I'll go away and I'll find the answer for you. I'll seek out the people or the groups or the teams that have this information that I can use to give you the answer you need. Not giving an answer or making something fluffy can be somewhat detrimental in the future when it comes back to bite you on the backside. So, yeah, that's what I mean by awkward, is to really go through things correctly and succinctly, and if there's not a good answer, then it's okay to ask for a different answer or for that person to go away and find it. As long as people are doing the right thing, that's all we need to do.

[00:29:57] Speaker C: And then you made another comment around lip service. Now, there is a bit of that. There's a little bit of virtue signalling that happens in this space. Talk to me a little bit more about what does lip service look like, why is it the case, and what can people do about it? To actually say, hey, when rubber meets the road, I'm actually going to, you know, walk the talk, not just do a lot of talking, because, again, you're not really getting the outcome that you say you're going to do anyway.

[00:30:22] Speaker A: Yeah, I think it's pretty dangerous as a cyber practitioner to be either pledged or it'll-happen type of things, which is okay from a planning and from a speculatory phase of, like, sort of trying to build, like, an enterprise security architecture.
There's a lot of moving parts. So I understand roughing out a framework and. And a plan of attack is good to get the high level in, but when it starts to get down to details, if those details are still fuzzy or they're non-committal, that's a problem. So the lip service that I particularly have seen, witnessed in other organizations is that we'll get onto that. We'll get onto that. Those metrics you need, we'll get them for you. And if it's delay, delay, that's a red flag. If there's a third delay, there's a critical problem. Or maybe they just don't understand what you need. So it's then, if it's lip service, don't accuse and go after the jugular, but rather sort of like, rephrase the question. Perhaps the information that I'm requiring needs to be provided in a different manner so that the understanding of that request can be better handled, interpreted, and then the right sources can be provided. So lip service is typically a result of people not understanding what they're being asked for, and the actions are very much, well, delay style of tactics, and that should be a red flag to anybody who's experiencing that. [00:31:48] Speaker C: So when you're saying what they're being asked for by the security team, I'm assuming because with the lip service, is it more. So they don't understand because the head of security, the CISO, isn't explaining what they need to a board member who is perhaps not a tech person or technical at all. Do you think there's a bit of blame on both sides? [00:32:07] Speaker A: Sometimes? Sometimes I think, I think definitely it takes two to tango. Right, KB. So I think in the situation where if there's a C-level executive asking the board for more investment in cybersecurity and the board goes, we've already given you enough, we'll consider it for next year.
Well, I don't think the board are fully aware of maybe what the risks and the threats are to the business if they don't invest in the corrective action or the control that the CEO or the CISO wants to implement. But at the same time, the board could turn around to the C-level executive and say, right, we need to be 100% secure. Go. And the board member goes, well, we'll get onto that. Sorry, the C-level executive might sort of like, stumble. We're striving for 100% effective, you know, security effectiveness. Both parties are just kidding themselves, right? There's two different expectations right there and then. And they will struggle to deliver on what they actually meant at the board level and what they can actually deliver as a metric to show that they're 100% security effective. Like, what does that mean? So I think, you know, when lip service is being paid, a, it's hard to spot, but b, when we notice it, because it's, you know, very overt, and we go, oh, yeah, it's probably a good point to maybe rephrase or just lightly challenge that because it's not in the best overall interest of the resiliency for the business. [00:33:31] Speaker C: Okay, so let's flip now into solution mode. So, obviously, we've spoken a lot about the report, the stats, things that frustrate the industry, etcetera. What do we do about it? Because it's all well and good for, like, you guys to come and talk about these, these problems, but how do we fix it? And do you have any advice so people can actually get off this interview going, well, actually, Aaron makes some great points. I'm going to start implementing that today. [00:33:54] Speaker A: Yeah, yeah, there's a few. And, you know, first and foremost, I just want to declare that I'm not a medical professional. I'm not a doctor by any stretch of the imagination.
So when it comes to the mental health thing, I think any employee is entitled to go seek assistance, at least, at the very least to talk to somebody about how they're feeling, to share that load, to share that mental load, to share that anguish, to help potentially dissipate it or find that small step to move forward. So I know in my organization and many of my friends that work for vendors and system integrators as well, there are employee assistance programs that are available. And traditionally they've been sort of wrapped around, you got to go see a psychiatrist or a psychologist to help you with a mental problem. But gee, they've expanded so much in capabilities these days. For example, the Calm meditation app, that's a perk for the business. So if I want to take ten minutes and go sit down and do some breathing exercises on the floor, yes, people might go, hey, Aaron, what are you doing lying on the floor? But I'll be telling them that I'm regulating my breathing. I'm just trying to get back out of my own head and sort of see things as the bigger picture, and that works wonders. Right? And there's a whole host of different options and arrays out there through asking your employer, booking with your friends, even going, seeing your medical practitioner for some structured guidance on that. But other things which are probably a little bit harder to implement is culture. Culture in organizations is extremely difficult. And I think right now that the cultural attitudes towards cybersecurity are very much, well, bucketed onto a small subset of individuals in the business. And I'm not, I don't want to sort of like peg everybody into the same pigeonhole, but some organizations are much more mature than others and have realized that cybersecurity is a team sport and everybody has a part to play, from the board right down to the person who's, you know, collecting the coffee cups at the end of the day. Right.
So that, that's a good improvement, but a cultural shift and attitude adjustment towards good cybersecurity culture starts at the top, starts at the top with, with better governance around what it means to be cyber resilience, cyber resilient, understanding the risks and the threats to the business and then deputizing people to come up with a plan to mitigate, defer or accept that risk so that if the business does suffer an incident, they can, they can move forward. So I think there's, there's a lot of cultural things and that can, that can come down to security awareness. You know, as a basic thing is to start breeding in positive attitudes towards cyber, expanding the scope of who is included in cyber and when within your security awareness training, that can really help. But also go and look at some of the resources that the ACSC and cyber.gov.au have published and specifically, too, that the NIST, the National Institute of Standards and Technology, their v2 Cybersecurity Framework, which has just been released, has an added governance function which is spectacular because it gets people out of that technical, policy-based control mindset and really forces the board to answer questions. So when we were talking about being awkward before, looking at that sort of a framework and looking at the governance functions which somebody as a team leader in the SOC, they can't succinctly answer because they're not accountable for the business, you can take those questions up the chain and say, how are we discussing this? How are we qualifying these plans that we have in place to sort of tick these boxes to ensure we can remain resilient when we do have an incident? Not to be doomsday sayers, but if something does happen, more often than not it will, we'll be prepared. And that's all we ask for of our organizations today, is just being a little bit more prepared in the response to an attack that comes.
[00:37:42] Speaker C: So what happens if this sort of doesn't improve? Like what type of territory are we getting ourselves into now? I asked that question because I like to look at the full spectrum of things, like does. If it doesn't, what do you think's going to start happening? Does that mean we're going to see more breaches? What does that look like from your perspective? [00:37:57] Speaker A: I hate to think. I hate to think that if we don't address the mental load burnout elements that are happening to our cyber defenders out there, the people that are in positions that are looking after our cyber defenders, we don't address it. Yeah, I think you're absolutely right. We're going to see more misses, more mistakes, more disconnected people checking out and things becoming a lot worse. You know, the attackers have got nothing but time and resources, as it appears, on their hands. And I'm sure they suffer the same sort of mental anguish and stress that a lot of us face. Maybe it manifests in a different form, but gee, they've only got to get it right 1% of the time. We as defenders, we as the business owners, we've got to be 100% all the time to ensure we don't get fucked. So why wouldn't we take a better attitude to ensuring that our people are healthy, they're emotionally unloaded, their well-being is above board so that they can do their jobs and enjoy it and do the things that they like to do. And it's just going to, it's going to promote a much more healthier outcome for everybody. [00:39:02] Speaker C: So, Aaron, is there any sort of closing comments or final thoughts you'd like to leave our audience with today? [00:39:07] Speaker A: The only thing, KB, is I'd really like to stress is just pay everybody to talk about it. Talk about your teams. Talk to your teams.
You know, if you're a team leader and you've got some people in some really grueling positions, and I'd say SOC positions and support positions, ask them how they're going, really engage with them at a personal level, take them aside, out of the work, and talk to them and see how they're going. Do they like what they do? Do they want to be doing what they're doing? Just start a conversation like we do with all mental health aspects and take those small little steps towards resolution. [00:39:47] Speaker B: This is KBCast, the voice of cyber. [00:39:51] Speaker C: Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today. [00:40:00] Speaker B: This episode is brought to you by Mercsec, your smarter route to security talent. Mercsec's executive search has helped enterprise organizations find the right people from around the world since 2012. Their on demand talent acquisition team helps startups and mid sized businesses scale faster and more efficiently. Find out [email protected] today.