Episode Transcript
[00:00:14] Speaker A: This is KB on the go. Joining me in person at Cisco live in Melbourne is Emma Carpenter, CRO security from Cisco. Emma, thanks for joining and welcome, welcome.
[00:00:25] Speaker B: Thank you very much for having me.
[00:00:27] Speaker A: So with your role. And I know we had a brief chat before we're doing the interview because I haven't seen you present yet. Maybe I want to get a bit of a macro view of what's sort of coming up in conversation with customers that you're sort of seeing across the globe.
[00:00:40] Speaker B: And it's a great question, but I obviously want to make it relevant for the region that we're in right now, which, by the way, my husband was born in Melbourne, Australia. So it's kind of close to my heart.
But when I look at and think about security, I joined Cisco about 15 months ago, and honestly, probably at that point you would have said, why are you going to Cisco for security? Because we are very well known for networking, clearly, but not necessarily as well known from a security point of view. And honestly, the last 1516 months has been about making sure we put security on the map, making sure we go back to a base level and innovating at the product level, that's foundational to what we wanted to demonstrate to both our customers and our partners and the world at large out there. Making sure that we have the ability to integrate that into the network as well. If you've seen our advert, if it's connected, it should be protected. That is foundational for us.
[00:01:32] Speaker C: Right.
[00:01:32] Speaker B: Really making sure that we protect those networks out there because we actually have the data and the telemetry. From a network perspective, that is second to none. And you think about utilizing that to basically be proactive around the security landscape, it's pretty critical to what we're doing fundamentally, but we go from literally the inception point into the network. So think, like where a user wants to access that network and making sure that that access is a trusted access zero. Trust gets overused as an industry term, but it really should, in my view, be because it is a marketing term, it's not a product. It should be kind of foundational to how does our user access a network and make sure that they are trusted in that environment or any particular industry and any enterprise, whatever that insert into the network is, it's about making sure it's trusted. So we go from there with things like our duo product right the way through the network security landscape. Think again. How do we protect the edges of the network? How do we protect networks from an overall perspective? Things like adding thousand eyes into our capability so that you've got network visibility, as well as ensuring that you've got firewalls on the edge. You've got cloud based firewalls now with our multi cloud defense solution as well. And then as you move through, think about what we recently announced, our SSE platform, our secure access platform, and the ability from a cloud security perspective to really offer a solution to a customer that really is that ease of use. I've got a VPN in the cloud. I've got the capability from a cloud based security perspective to deliver an offer to a customer that meets them where their needs are. It doesn't matter whether they have applications or workloads in the cloud. I'm going to protect them in the same seamless way. And we foundationally built that solution on the Meraki framework so that our network and security capabilities, when you think SASE, SDwan and cloud based security, they work seamlessly together. And we're integrating into our catalyst portfolio as well. That's coming up soon. To really offer that single way of managing and operating from our customers perspective, you move all the way through then on the right hand side, to making sure that you then power the sock. What do we do foundationally for customers that can be in various stages? Some have socks, some don't. They need the capability from an XDR perspective to provide a solution to their customers.
[00:04:02] Speaker C: But we do this.
[00:04:03] Speaker B: And G two will probably talk to you about this later as well in a way that says, okay, we recognize there's many, many solutions out there. Some customers can have over 100 different tools in their infrastructure. That's really difficult to manage. So how do we bring that together from a security cloud perspective? How, when we're helping those customers to power the SoC, do we foundationally make sure that they can do that in an environment that is multi vendor too?
[00:04:30] Speaker A: So, okay, you mentioned a couple of things. So you're right. Cisco historically isn't known for security. So you said before as a company, are trying to get it on the map. So what does on the map look.
[00:04:39] Speaker B: Like on the map really means that it should be synonymous to everything that we do right from our board, from our CEO, Chuck, right the way through our organization. Security, even for our network teams, is the foundational owner. It's the most important thing that we are focused on, that we continue to deliver on, that we're innovating in as we move forward. So it takes time, as you well know, being sort of an analyst there in the industry where you're talking about some of this innovation to make people really believe in the direction you're going. You can't just say it once, you're going to say it multiple times to make people understand, not only are we talking about a story, but we're actually delivering on that story for our customers and partners as well. So it's continued iteration of that, continue investment in different new technology areas. Think about things like with the acquisitions that we've done over the last six months, armor blocks, AI capability that we've embedded in with some of the things we've been announcing this week, think about ought that identity capability that we're embedding into our solutions. Think about Voltix, which we reskinned and put in as part of the firewall capability, that multicloud capability, multicloud defense, as we now call it, to protect those environments where a customer is working in multiple cloud environments. So lots of it's innovating, it's talking about that story, it's making sure we're investing in the right way, and it's making sure, in all honesty, every single one of our sellers out there, not just my specialist sellers from a security perspective, but all of those thousands of sellers from a Cisco point of view, are out there and can give the security pitch. We recently did a competition, and it's still ongoing at the moment, where every seller, every engineer in the field has to do a 15 minutes pitch, which is quite a lot of commitment if you think about what you have to prep for that to be able to tell the security story and how it fits and pertains into the network, they get a chance to win a Porsche for a year, six of them actually, over that period of time.
[00:06:44] Speaker C: So it can't be bad, right?
[00:06:45] Speaker A: So you mentioned before, telemetry makes sense from a network traffic point of view. That's probably part the acquisition of Splunk, then.
[00:06:54] Speaker B: It absolutely is. Yeah. You think about like, we have the network capability or network cloud, we have the security cloud that we have been delivering on as well. And Splunk really gives us that data capability as we move forward. And you integrate those things together. When you look at what's happening in the marketplace, you're definitely seeing the transition of data being a foundational element to allow you to make those networks, to make security better for our customers as well.
[00:07:21] Speaker A: So in terms of evolution, so historically, people would outsource the whole capability to large vendors do it all, and then we sort of saw a shift with, no, we're going to outsource it to specificity of, you might have 1020 different vendors that each specialize in their areas. Now, are you starting to see full circle because, I mean, acquisition of Splunk, Cisco then could do everything. So are you starting to see people now the pendulum swing the other way? I think there's so many different systems you've got to look at now, so many different dashboards. And part of what you guys are doing, from my understanding, is bringing that all together. So you just have the one dashboard to look across everything. So are you seeing that shift now in terms of buyer behavior?
[00:08:00] Speaker B: We definitely are. And look, I still think you have to look at customers want easy to operate, easy to manage solutions. At the end of the day, right now, they often choose a different SDwan provider to a different kind of cloud based security provider, et cetera, et cetera. What we're doing is trying to bring those things together, but also recognizing that we have to operate in a multi vendor environment too. So that's why our XDR solution is so key, that we're integrating those APIs into our XDR capability so that we can give that single view to our customers through our partners. At the end of the day, it's fascinating to watch the market change so much. There's so much cost that a customer wants to take out of what they do today, but they also want to make sure that they, because it's really a question of when they get breached. Not if at this point, which is terrible thing to say, but still, the area that we really get breached on is from you and I and all those other people out there. It's the email, it's text messages that ask you to click on that link and then start that kind of process on your computer or on your phone, and then you're in trouble because they've got into the network. So how can we protect against those things and bring things together from a customer's point of view?
[00:09:13] Speaker A: So obviously, with your global role now, Australia aside, because of all the large breaches we've had in the last twelve plus months, so obviously that's on the map to your comment before. What about more broadly speaking, are your customers that are saying like, hey, we need to really be focusing on security? Obviously that's my specialization, but also I've had multiple executives who are at the conference already today really touch on it, even if it's not their area historically. So are you sort of seeing that your customers are really prioritizing cybersecurity?
[00:09:47] Speaker B: They definitely are. Look, we know that it's a board level initiative. It's probably at least one of the top three in terms of those focus areas for the board now as they move forward, we're seeing more and more like actually making sort of a set of priorities for the executive, the CXO type teams that are in our customer base as well, to make sure that they're all focused on that risk that is inherent in what they do. And certainly it means that they're very interested to talk to us as we bring that together from a network perspective now as well. But you're right with the other thing that we've done recently is we often sort of poll the marketplace, and I will tell you, we did a readiness index very recently as well. And it sort of said like 85% of those companies out there across the globe feel like they are not ready to deal with a breach when it happens. And that tells you there is still, even when the market can pull back a little bit, there is still a focus on how do they invest in security in the right way as they move forward. And it's so, so important for what they do.
[00:10:53] Speaker A: So you said the top three in terms of board focus areas. What are the other two areas, would you say?
[00:10:57] Speaker B: It's funny because for some companies, it's actually they make one, two and three security because it's so foundationally important. We're still seeing that digitization of the story of kind of how do I move things to a place where I can think about how I digitally operate all my networks and bring that together as well. So that is definitely a top focus for us. AI is often creeping into those top few at the moment as well. They don't necessarily always know what they're going to do about AI, but they're certainly looking at how do I protect against my workforce now using those AI capable solutions and potentially putting my network at risk because I'm about to click on something and then they have access to all of your data. So that is definitely top of mind in the mix of there as well. We're seeing a lot more focus on automation as well. How do we make things simpler? And actually, at the exec symposium tomorrow, we have all the CXO people from all the different companies within the industry in, and I can tell you that certainly top three focus areas, security, AI and automation.
[00:12:05] Speaker A: And so maybe just to conclude our little mini interview today, Emma, you said before 85% feel they are not ready to deal with a breach. What does that feeling look like?
[00:12:16] Speaker B: It means that they have to start thinking more and more about what do they need to do to prepare themselves.
When I talk about the tool sprawl and saying that they have many tools out there, they also need to think about how do they make sure that there's not a threat coming in from one of those tools or the access that that tool has, or even from third party vendors. They're connecting their list of suppliers into their network as well. And that can often be another point where you can cause a breach into the network, too. So it's not just thinking about your own landscape, it's thinking about those that connect to you and make sure that everybody in that ecosystem are truly protected for you as well.
[00:12:53] Speaker A: And just one last question as well, or statement. What's come with my interviews is people saying, customers, when they get breached, stop blaming your vendors. I'm seeing that a lot. Why do you think that's the case? I mean, it's easy to pass the buck on to the vendor, but it doesn't really solve the overall problem as an industry that we face by pointing the finger at a vendor. It also makes potentially the relationship like that could jeopardize the relationship. What are your thoughts on that?
[00:13:22] Speaker B: Yeah, we still see, like, it's easy to go and try and blame a vendor in the first place, because invariably, that's your first port of call, often as a customer. But the reality is the threat vectors are so vast now that, like, I talk about the ecosystem, you've got to think about your ecosystem of vendors as well, and how they're operating together, because the more secure you can make all of that, the better, basically, for the environment that you're in. So I think there's a lot more work to do there to support the customer base in that exact eventuality as well. But certainly the more we can kind of bring different tools and opportunity to streamline right the way across the board and link it into the network, the better for us as we move forward, and the better for our customers, the better for our partners.
[00:14:09] Speaker A: Joining me now at Cisco Live in Melbourne, is G two Patel, EVP and general manager of security and collaboration from Cisco. So, g two, thanks for joining.
[00:14:18] Speaker D: Thank you for having me. Carissa, how are you?
[00:14:19] Speaker A: I'm good. How's the last couple of days been? Are you tired yet?
[00:14:24] Speaker D: I've been on the road for a long time, so I'm looking forward to going home. But it was a fantastic event, and I think the energy and the customers and the partners and the feedback they gave us was palpable.
[00:14:36] Speaker A: Yeah, look, it's my first Cisco live event. I've been pretty impressed. I know cybersecurity is a very big focus now for Cisco. And I was at the welcoming session yesterday. Sorry, the welcome session, and you mentioned a couple of things that I wanted to talk to you about. And you said, we, as an industry, haven't done a good job at making security simple. So talk to me a little bit.
[00:14:55] Speaker D: More about your thoughts on every aspect of security. I think for the average citizen, it comes across really intimidating. It's complicated. It's jargon filled. I think it's hard to use from a product standpoint. People don't know how to actually keep themselves safe when they're keeping themselves safe. They don't really know what they're doing to keep themselves safe. So I do feel like there's an opportunity for us as a community to simplify it, because the addressable market is about 8 billion humans, the entirety of humanity. And you can't build something for the entirety of humanity. That's actually so complicated that it's hard to understand and grasp. I just don't think that's how you can make the world safe. So I think simplicity and removing friction is probably one of the most important aspects of how security can be democratized.
[00:15:45] Speaker A: Yes, you did mention democratizing security. So how do you think we got into this web of making it so complex? How do we get there?
[00:15:52] Speaker D: For good reason. I don't think anyone was ill intentioned in doing it. But what ends up happening is you've got highly technical people who are power users that actually started in this industry. And as they were building solutions, they were building it for power users. But then all of a sudden, because of the digital revolution, everyone's starting to use devices, everyone's connected to the Internet. And so where it was a solution for a few, now is a mass market solution that every human needs to have in every aspect of their lives. And it was just not designed for that. It was just the people that were there were not thinking of that scale when they were first starting off. And so what you have to do is get people of different walks of life to participate in this industry. We need to have more women in security. We need to have more people with liberal arts backgrounds. We need to have people with design backgrounds. Security products should look more like Spotify, which are easy to use, and you don't have to go out and get. You're not afraid to ever sign up for Spotify and listen to a song. But most people don't know what to do with security. They're just kind of afraid to do something wrong. And so if we can make it more appealing for the average human, I think the world gets safer because the consequence of about half of the breaches that happen in security happen because of negligence. And negligence is not because someone woke up in the morning and said, today I'm going to be negligent. Negligence is because the product is so hard to use and the experiences are so difficult that most people might make a mistake and forget something. And we just have to make sure that that gets corrected as a society and as an industry, because if we do, then security is one of those parts of it's a critical infrastructure component that actually also impacts every other piece of critical infrastructure. If you have a breach, your water supply can go down, your power grid can go down, your financial services can go down. So those are things that are very hard to, in order to get that to not happen, we have to make sure that we can get the dexterity of every human to go up for keeping themselves safe.
[00:17:59] Speaker A: So you mentioned making everything complex, but do you think that, and we haven't, like, no one's woken up saying, oh, I want to be difficult and I want to make the space complex, but do you think we're closing that gap? And I asked this question because I've been in the space now for about a decade and I feel the same sort of conversations are being said and maybe we've moved the needle, but ten years is enough time to sort of see the needle move. But I don't know if it's moved significantly.
[00:18:24] Speaker D: It hasn't moved significantly. In fact, I would say that in some ways we might have regressed because there's 3500 vendors in this market. The way that innovation happened was based on every single time there was a new threat, there was a new company that came in to go out and solve for that threat. Before you knew it, on average, most companies had 50 to 70 to 100 different products in their security in the cybersecurity stack. And that made it hard for the administrators. But then because it was hard for the administrators, now there's 50 to 70 different experiences that also get exposed to the end user. Sometimes there is an opportunity right now to move and have a shift from this point solution based approach to a platform based approach where you just happen to have a very different way of an organization securing themselves. It has to happen at machine scale. I think Generative AI will be a huge contributor to simplification of security because you will have natural language based interfaces for humans to machines which have not existed in the past, in the past, humans have learned the language of machines, not the other way around. Now machines have learned the language of humans, and you can interface in the language that humans naturally know.
[00:19:33] Speaker A: People still seem to be really worried about Gen AI or AI, generally speaking. Why do you think that is? I'm pro for it, but I don't know whether mainstream media is propagating the wrong message, perhaps.
[00:19:47] Speaker D: No, I think, look, I think in any technology that gets innovated on, there is a bull case and a bear case. And I think the tech industry has been notorious to ignore the bear case and just think about the bullcase. Here's the great stuff that can happen with this technology, and there's going to be some collateral damage, and that's okay. I think we can operate that way in AI because the negative implications could be pretty consequential, and so are the positive implications. So the way that I would think of it is there is a healthy level of. I think there is a skepticism in the market about AI, which is absolutely legitimate and people should be cautious about it. But that doesn't mean that we don't progress AI forward. That just means that we progress AI forward in a responsible manner. And how we go out and build solutions should be done keeping in mind aspects about fairness and transparency and bias. When you're training a machine learning model and where are you sourcing your data from and let people know if the data is going to be used in training a model explicitly in plain English and those kind of things. At Cisco, for example, we have a responsible AI framework. Every engineer that builds any AI capability has to actually make sure that they stand the test of the responsible AI framework before we get something out in the market. You have to do that, because I think the downside consequences are pretty profound. And I do think that there will be some kind of regulatory oversight that we will start seeing in this industry because of the downside of AI being so meaningful as well. So I don't think it's an unreasonable thing for people to be skeptics. This is not just a tool for aggregation and summarization. This is a tool that's going to generate original insights that the human corpus of knowledge in the past did not have. And that, in my mind, is the thing that's most underestimated about AI, that it's not just that I'm going to go out and index a bunch of documents and give you a better search engine. No, the next cure for cancer might actually emerge from generative AI. Coming up with an idea that the humans hadn't thought about.
[00:21:54] Speaker A: So just going back to your skeptical comment, what specifically do you think people are skeptical about, just generally speaking, from your point of view?
[00:22:00] Speaker D: Well, look, when a powerful technology gets in the hands of good people, great things happen. And when a powerful technology gets in the hands of bad people, like adversaries and threat actors, really bad things can happen. And so your attacks are going to get more sophisticated. They're going to get much more bespoke and personalized.
It will be hard to decipher and distinguish between legitimate activity that a person engages in and a cyberattack that's happening. You won't be able to tell the difference. In the past, you would have a phishing email that's sent to you saying, click on this link and collect your $10 million. I'm the prince of an exotic country. In the future, you might have something that says, hey, it was great to see you at the musical last night. Here are some pictures. Kind of click on it to take a look. You're going to have a much higher likelihood of clicking on something if you were in fact, at the musical last night. And those are the kind of things that I think you will be able to find now will start happening with Gen AI. So we have to make sure that we look at it from both dimensions. I think AI can actually help the defenders prevent attacks from happening at machine scale, and AI will also make the attacks far more sophisticated than what they were. But I'll say the net net of it all is, I'm an optimist, and I think there's a net positive in this, where, if you were to ask me, in the past 30 years, we have always looked at there being an asymmetry between the attacker, the adversary, and the defender in the favor of the attacker, because they have to be right once, the defender has to be right every single time. I think this is the first time in at least my 30 year career that I feel optimistic that we will actually see the scales tip towards in favor of the defender, because the defender will have a data advantage, because they'll be able to actually predict and depict patterns in a much more dexterous way than what they could in the past. And as a result, they'll be able to have an advantage over the attacker. But we're not quite there yet. So I think there's a lot of work to be done for us as a community to get there. One of the things we have to do is make sure that we can actually interoperate among different providers of this technology who might have different financial interests. If I compete with someone, I still need to make sure I interoperate with them, because the true enemy is not my competitor, it's the adversary.
[00:24:14] Speaker A: So there's a couple more questions I just want to quickly ask. Now, you've been in the game 30 years, as you've just mentioned. Are you sort of seeing a trend? So historically, I don't know, even 1020 years ago, companies would just outsource everything to big providers. Then we sort of saw a trend of, no, we're going to use 30 different independent vendors because they specialize in an area. And I think over the last few days I've heard some of your talks that are saying, well, there's a lot of different vendors that you've spread across, even to your demo yesterday you should have said, hey, we can integrate it all in the one platform, even working alongside other vendors. Are you starting to see the shift now that people are going away to just specificity of each vendor to try to consolidate it back again? Are you seeing the pendulum shift the other way now?
[00:24:56] Speaker D: I think there is a clear movement in the industry right now for having a few integrated platforms rather than having a bunch of point solutions. That doesn't mean the point solutions go away, it just means that the platforms will have a pretty meaningful role to play. They will aggregate telemetry, they will act as a data platform. They will be able to make sure that third parties can build capabilities on them. They'll have a unified policy engine. So there'll be things that are kind of making the complexity quotient in this industry to be super high. Those things will actually improve quite a bit because of a platform based approach. I also feel like there'll be a greater degree of efficacy because the biggest challenge in security is knowing when something is worth paying attention to and knowing when something is not worth paying attention to. And so detecting when an alert is actually a critical alert that you have to pay attention to versus an alert is non critical. And the only way you can do that is when you start to correlate telemetry across multiple different domains. If I have an email that came in and if I also conducted, I clicked on a link and went to a website, and if I also had a process that started on my computer that I have seen in the past to be initial pattern of a breach, correlating those three low level alerts and actually graduating them to a high level alert is a pretty important kind of dynamic to think about. And I think we'll, for the first time be able to do that because of the data advantage. And I think security is a data game. Whoever has the most amount of data will be able to have the advantage in security.
[00:26:28] Speaker A: The other question that I have for you is you made a comment yesterday that the real enemy is the threat actor, not our competitors. So would you say that sometimes maybe people in the industry lose sight of their vision?
[00:26:42] Speaker D: Of course they do, because there is a finance. No, they do because there is a financial motive that drives society. Because there's a financial motive that drives society.
There are times when people might operate from that motive, rather than saying, I'm going to try to go out and have everything in a customer environment only for me and from no one else. But I think we have to be more broader in our perspective than that, because right now we're in a very kind of critical juncture in humanity where massive critical infrastructure could be at risk, where lives could be lost if we don't share data and telemetry with each other so that we can keep the bad actors at bay. Because if you think about what's happened, the motivation of a threat actor has evolved quite a bit. It started off where they just wanted notoriety. From there it went to financial gain, then it went to espionage, and now it's into pure disruption.
And we have to make sure that as destabilization becomes one of the key objectives of certain threat actors that we don't have in isolated defenses, when the attackers are coordinated, we actually coordinate our defenses so that the attackers can be isolated.
[00:27:56] Speaker A: So, g two, do you have any sort of closing comments or any final thoughts that you like to share today?
[00:28:01] Speaker D: I think we are in a very exciting time and also a very uncertain time. It's exciting in the sense that the technology advancements are so consequential right now that we, for the first time, might see a world where the advantage might tip in the favor of the defender. And that's going to be great, because I do feel like the world needs to be safer. It's a scary time because the implications of breaches is no longer just a little bit of inconvenience. It actually could cost lives, and it could actually have destabilizing effects on society that are very long lasting. As you can now start seeing. And what we're seeing around the world, wars aren't starting. They're starting with cyber first, before they go to land and air. And so those are the kind of things that I think we have the privilege to go out and act as stewards of protection of society and we should take that seriously beyond the individual interests of financial gain, which we all have to do because we're in a capitalistic society. That's a great thing, but it can't just be about that. I think it has to be something larger than that.
[00:29:09] Speaker A: Joining me now at Cisco live in Melbourne is Kareem Vermach, director of cybersecurity, a Z from Cisco. So, Kareem, thanks for joining and welcome.
[00:29:18] Speaker C: Thank you very much for having me.
[00:29:20] Speaker A: Really excited to interview you. We are connected on LinkedIn and people speak very highly of you in the industry. So I'm really keen. Maybe let's start with just your view on the industry, what your thoughts are. I mean, it's such a big space that we can cover, so let's start macro and we can sort of edge our way into going micro.
[00:29:38] Speaker C: Absolutely my view on the industry. I think we had an interesting time in our industry where we are starting to realize a few things. One is that you can do a lot of things right and still suffer a breach. You could do a lot of things wrong and not suffer a breach. I think as technology leaders, we are really acknowledging the fact that we are now not defined by these breaches and that the adversaries are truly becoming more sophisticated. That's the one thing that I think from a truly macro point of view. The second thing that I think is important to recognize is the fact that we acknowledge the fact that we don't have enough people and skilled people to really fill all the jobs. And there's continuously a series of large and alarming numbers, and I generally don't like to quote them, but there's these numbers circulating around that talks about a skill shortage and a resourcing problem. So we don't have enough skilled and trained practitioners coming out of all the different faculties, whether those are academics and colleges and self training. But then we also don't have enough people that are showing an interest. And cross skilling, for instance, it really comes back to that. We don't have enough bums and seats and eyes on screens.
[00:31:06] Speaker A: Okay, so I've got a couple of things on that front, but going back to defined by the breaches, something that I've been asking people, and maybe you're a better person to answer it. Do you think because of all these crazy breaches that are happening in the space, especially in Australia, do you think people just can become desensitized, be like, oh, well, another breach. Who cares? Because I'm already seeing that response come into the market now. So as a know practitioner. Are you worried that as we move on throughout the years, that people just won't care? And then we've sort of lost the battle as trying to tell everyone how important cybersecurity is?
[00:31:40] Speaker C: So I think fatigue is a real thing. I absolutely agree with you. I am sensing that, especially when you talk to non technologists, so people out and about general population, it's just another breach, which is unfortunate, because, to your point, it creates that desensitization.
My data is out there, and actually, something that I'm quite passionate about is people saying, but who cares? Everybody's got my data. In any case, that's not a good place to be in, because it means that people aren't taking their own security seriously. And if people aren't taking their own security seriously, it's really hard for organizations to become the custodian of that safety.
We are now having to protect people that don't safeguard themselves. And this goes in a number of ways, whether we are employing them or whether we are holding their data on their behalf as a client interaction, it shifts that obligation to the organization. What I do think we need to look at is how do we narrate it better? So I still find when I speak to people, I actually just most recently spoke to somebody that owns a series of gyms, and she said to me, oh, you've got such an interesting job. I don't know anything about cybersecurity, but luckily, nobody wants what I have. But when I sat her down for a moment and said, you have all of your gym membership details, very, very private information, all of the coaching and personal training information, which, again, is very sensitive information, medical conditions are relayed. In that conversation with a personal trainer in your gym that you hold somewhere, it dawned on her that she actually does have something that needs to be protected. But before that conversation where I explained to her in very simple terminology that she does actually hold something that can be weaponized or can be stolen.
[00:33:50] Speaker A: That.
[00:33:50] Speaker C: Idyllic idea of theft. Data theft. But the data is still there. Yes, but the data has been copied. Is still something that a lot of people don't understand, which is very unfortunate in the day and age that we see.
[00:34:02] Speaker A: So how do we do that at scale? So, obviously, you've gone and you've spoken to someone one on one, but there's only one korean. You can't go and speak to 26 million people in this country, let alone any other country. So how do we do that at scale? Because a lot of people are saying, we need to even g two Patel has said earlier, we make it very complicated for people. We've been saying that for years. I mean, I've been in this space for a decade and I think it's gotten a bit better, but it still feels very convoluted. People are still leading with speeds and feeds. So how, from your perspective, do we narrate it better?
[00:34:33] Speaker C: So that's a brilliant question. And I actually have an example of that where the New Zealand government has come up with an ad campaign, and this is now specific about something that I'm quite passionate about, and that's the online safety for children. But they take things and they draw this analogy into the physical. So the series of ads really focus on explaining what happens to children online when they speak to a stranger or whether they watch inappropriate content. But they bring it into a physical, relatable format and with a bit of humor. But it really strikes you when you're done watching that ad, it dawns on you. We say the penny drops. I've seen many people have an aha moment to think I never made that connectation that when my child is in a room with a device, they can be watching these two people that are partially closed. What we need to do as an industry is focus on reaching mass media with a very relatable analogy like storytelling mechanism. That is how we're going to reach the populace. You see this in awareness training. You see in awareness training when we train our users, funny little caricatures, and they're not always good. Some of them are good, some of.
[00:35:56] Speaker A: Them are horrible, I was going to say. Some of them feel so cringe.
[00:36:00] Speaker C: Yes, absolutely. And I can't agree with you more.
[00:36:03] Speaker A: When I've worked internally at an organization like, oh, we've created this thing and we've spent, like, $12 million working, I felt embarrassed watching it because it feels like it sets the wrong sort of scene for our industry. And to your earlier point, like, how do we attract people into the space? Not by these little caricatures that make us look like awkward human beings. So I feel like, do you think there's, like, people a bit tone deaf in the space? A little bit in terms of making the connection between what resonates with people, and then also, to your earlier point, of bringing people into the space that actually don't think about cybersecurity as a career.
[00:36:38] Speaker C: Absolutely. So I agree with you.
When we cartoon the perpetrator, I don't think it has the same effect. And I actually invite you to go look at that series of ads that they did in New Zealand, because it's really, really well done. It draws a serious analogy. There's no animation in it, but it really creates an opportunity where you can immediately see that this behavior shouldn't be happening online. And that's where I think many people ask, but what happens with my personal information? So creating a video, let's take an actual example where you showcase how somebody creates a false identity with your stolen personal information, and how that false identity then gets presented at a bank or a financial institute for a loan. And then the person whose identity was stolen need to really deal with the magnitude of having their identity stolen.
[00:37:38] Speaker A: Do you think as well, cybersecurity is not tangible. So what I mean by that question is, let's use money. If you get 10,000 arbitrary numbers stolen from your bank account, you just see numbers on your screen go down. But if you were to actually physically get $10,000 out of an ATM and someone literally stole your bag with it, it feels more like you've lost more than that. There's an element, because of cybersecurity, can't touch it or feel it. It's sort of like this invisible thing that maybe people don't understand what they've lost because it's not like physically being taken from you.
[00:38:15] Speaker C: That's a really good way of seeing it. And what I want to actually say, the problem with that is not necessarily the tangibility. The way I see it is the problem with that is the fact that we don't feel violated when somebody steals online data of us. Think about that statement quickly. If I'm in my backyard and somebody looks over the wall, I feel violated. Like this is my space. Don't look at me. This is private. If I want to lie by my swimming pool and be in my swimmers, look over my wall, you violate my space. But if somebody steals my online information, people don't have that sense of violation. It's really interesting because I talk to young people about this a lot, and something that the high school sort of generation tells me many times is, what's privacy? My personal information is out there. Since my birth, my parents, without my consent, has been sharing this information. So what's privacy? They don't value it, and therefore they don't see the value in safeguarding this. So when they post things on Instagram and Facebook and they've got all of their lives out there, there's no sense of violation, and that it's something to be protected. And I think that's what we're missing. I don't necessarily think it absolutely is intangible. And as humanity, we've always battled with conceptualizing that intangible theft, intangible violence, it's the same thing as what we now facing in the metaverse. Intangible or simulated violence? Is that a thing?
[00:39:50] Speaker A: Look, I think those are great points. So how do we get people to the stage where they feel violent? I mean, look, I say that with more so the outcome of the feeling violated, because then maybe it forces people to move and change their thinking. Do you have any sort of thoughts on that, on how to solve that problem?
[00:40:07] Speaker C: We have got to stand by creating in our own minds a value of our personal information. A value of money will fade out within the next ten years, is being reported in Australia at the moment.
We won't have physical money available anymore. Coins will no longer be around. A lot of things are only moving into the digital. Photography has done that to a large degree. Very few people have got printed photos in their homes these days. All photos are online. Our memories are captured online. So what we now need to do, the mental shift, is we need to make a mental shift to realizing that that is of value. And as our bank account holds value, our photo boxes holds value, our identities hold value, because only when you do that value mind shift will you have that sense of violation when you get breached. Because the sense that you'll find when you interview people these days is a sense of, I want to say discomfort. Maybe inconvenience is the correct word. It's an inconvenience to have my driver's license reissued. It is an inconvenience to have to wait for a new bank card to arrive. What an inconvenience. Cybercrime shouldn't be an inconvenience. It should be a violation.
[00:41:23] Speaker A: And that's where I think the disconnect is. And I see that problem getting worse, to your earlier point, because we're going digital. So like ATMs, I don't know, they probably won't exist in the future. You only have digital money, you won't have physical cash. So it's going to make it even harder for people to feel violated because it's just numbers on a screen. If you were to look at it like that, it's not physically someone taking it as well.
[00:41:45] Speaker C: Absolutely. So do you think we're ever going.
[00:41:46] Speaker A: To close that gap?
[00:41:47] Speaker C: I think it'll be interesting to see, as the now digital native generations make it into adulthood, how they perceive it. So how does the next generation perceive the value of online? Because remember, their reliance on it is much higher when we look at it. Now, you and I, on a day to day basis, have a choice of when and where interact with technology. I choose to have an alexa device in my house, but if you choose not to have an alexa device in your house and do your shopping list that way, you don't have to.
I choose to work on my computer and I choose to interact with technology all over. In ten years time, that choice is going to be less, and in 20 years time, that choice might not even exist. Your fridge will do your online shopping for you. You are just going to say, oh, the milk is done, and then the milk will get delivered. The reality is it's becoming so interconnected that I think the future generation won't have a choice. And that's where the value and the reliance on technology is going to be so high that there may be a value mind shift where they realize, but if I lose my fridge or my connectivity, I can't eat. How do we navigate that time and how do we progress between now and then? Because if you think about it, there's going to be a lot of people that aren't these digital natives that needs to learn these technologies as they become available. And do they then value it? So it's really the same. I recently spoke to a lady that does digital livelihood for the elderly, where she sets them up with a digital personal assistant to help them remember things in the house and help them do shopping lists, and it really becomes an aid in their house and she trains them on it as well. But it's quite a task because they aren't digital natives and they now have to speak to a thing that's standing in the kitchen. But she says it truly proves their quality of life because it becomes an assistant to remind them of things. And I think it's a great effort to get people along on the journey.
[00:43:56] Speaker A: And there you have it. This is KB on the go. Stay tuned for more.