Secured by Galah Cyber

In this episode, Cole Cornford chats with Matt Jones, co-founder of Elttam, an independent security boutique that provides security assessment services. On top of his role at Elttam, Matt is active in the infosec community in a variety of ways, including helping with BSides Canberra's call for papers and writing open-source tooling such as talkback.sh. Cole and Matt chat about the motivation behind founding Elttam, why Australia's infosec industry is lagging behind other parts of the world, the exploit development space, and plenty more.Timestamps2:00 - Matt's career background7:00 - Matt's early challenges finding an opportunity in cybersecurity11:00 - Why Matt chose to co-found Elttam13:00 - Cole: Australia's infosec industry is immature compared to US19:00 - The importance of specialisation20:30 - Better to do 1 thing really well when bootstrapping24:00 - Using the right approach for the right context25:30 - Risks of using a bug bounty program31:10 - Cole: the bar for pen testing reports should be much higher37:10 - Training & education for infosec39:00 - Cole: is infosec a cottage industry?44:00 - Product vs service approach to cybersecurity47:50 - Cole: I like looking at source code from 80s and 90s49:00 - Rapid fire questionsThis podcast uses the following third-party services for analysis: Chartable - https://chartable.com/privacy

SummaryIn this episode of Secured, host Cole Cornford interviews Bruce Large, a security architect and evangelist at Secolve, the OT security specialists in Australia. They discuss the importance of threat modelling in operational technology systems and the need for engineers to consider the potential for cyber attacks. Bruce also shares insights from the ISA/IEC 62443 series of standards, which provides guidelines for secure system development in OT. Additionally, they touch on the significance of unions in the tech industry and the benefits of joining organisations like Professionals Australia. Tune in for a fascinating conversation on application security and more.Timestamps1:25 - Bruce's professional background2:40 - Defining "engineer" in different contexts6:20 - Differences between computer engineers and civil engineers8:20 - Threat modeling12:40 - How we treat safety in software vs other industries18:30 - Bruce: we should be encouraging lifelong learning24:00 - ISA/IEC 62443 safety standard29:00 - The Year 2038 Problem34:20 - Unions & industrial relations43:40 - Rapid fire questionsThis podcast uses the following third-party services for analysis: Chartable - https://chartable.com/privacy

SummaryPaul McCarty is CEO and founder of SecureStack, a DevSecOps visibility & automation company, and GitLab's Red Team leader. Paul's been involved in software security in Australia for decades. In his conversation with Cole Cornford, Paul discusses how Australia's software security industry has changed since the early 2000's, whether security professionals aught to know how to code, and plenty more. Timestamps2:50 - Paul's career background7:00 - Spicy take: people on LinkedIn are too blindly positive10:00 - Understanding what went wrong when there's a breach13:00 - Cole doesn't think "zero trust" is feasible14:10 - Cole: maturity of cybersecurity in Aus is weak generally16:00 - Cole hires for dev experience, not sec ops, because dev is harder to teach18:30 - Aus market different to US, which has lots of software companies21:50 - Paul: we've devalued the importance of operations22:20 - The "holy trinity" of offensive security26:30 - What percentage of ASX companies have a bug bounty program?28:50 - Cole's free pizza exploit31:00 - Got to be in security for the long haul31:40 - The book that changed Paul's lifeMentioned in this episode:Call for FeedbackThis podcast uses the following third-party services for analysis: Chartable - https://chartable.com/privacy

Jay Hira is a cybersecurity director with 18 years of experience working in a variety of roles both in Australia and internationally. Today he is Director of Cyber Security: Financial Services at KPMG Australia, and Founder and Executive Director of MakeCyberSimple. In this conversation Jay and Cole Cornford avoid getting too deep into technical details, and instead discuss a zoomed out perspective on cybersecurity strategy for large organisations, how the current macroeconomic climate affects approaches to cybersecurity, tips for clear communication between technical and non-technical stakeholders, and plenty more.Timestamps1:40 - Advantages of generalisation vs specialisation4:00 - Tips for communicating effectively to leaders6:00 - Clarity comes from simplicity9:30 - Importance of reporting structure in a large org14:20 - Core foundations of a cyber strategy20:00 - How current economic climate is affecting cybersecurity budgets24:30 - How do you maintain intrinsic motivation?27:00 - Work life balance30:30 - Rapid fire questionsMentioned in this episode:Call for FeedbackThis podcast uses the following third-party services for analysis: Chartable - https://chartable.com/privacy

Tara Whitehead is Security Engagement Manager at MYOB. Prior to becoming a cybersecurity specialist, Tara had an eclectic career, including working in advertising and international relations. In this episode Tara chats with Cole about how her non-technical background has in many ways been an asset working in security, leading change management in large enterprises, the importance of great communication skills, and plenty more.Secured by Galah Cyber website Timecodes7:15 - Tara's first days in AppSec10:00 - How to influence people12:30 - Why we should dial back on the doomsday conversation14:10 - Find your change champions21:30 - Is a non-technical background help or hindrance?23:30 - Communication and influencing key skills26:00 - Communicating with execs28:20 - Rapid fire questionsMentioned in this episode:Call for FeedbackThis podcast uses the following third-party services for analysis: Chartable - https://chartable.com/privacy

Episode summaryDaniel Grzelak is currently the Chief Innovation Officer at Plerion, and has had a storied career at a variety of technology firms around Australia. In this conversation Daniel brings his experience and insight to the topic of common myths and misconceptions within the cybersecurity industry, and with Cole Cornford tackles questions like:Does a cybersecurity professional need to know how to code?Is there a workforce shortage in the industry?Should pen testers write remediation advice?Timestamps1:50 - Does a cybersecurity professional need to know how to code?5:40 - Is there a workforce shortage in cybersecurity?9:30 - Questions to ask when interviewing potential cybersecurity hires12:30 - Are people in cybersecurity bad at promoting their own skills?17:00 - Should pen testers write remediation advice?20:20 - Daniel's career advice: start writingMentioned in this episode:Call for FeedbackThis podcast uses the following third-party services for analysis: Chartable - https://chartable.com/privacy

After working as a cybersecurity consultant in Europe for over a decade, Jacqui Loustau was struck by how cybersecurity professionals in Australia were overwhelmingly male. This led Jacqui to found the Australian Women in Security Network (AWSN), a not-for-profit association and network with the goal of increasing the number of women in the security community. In this episode, Jacqui chats with Cole Cornford about how businesses can change their approach to hiring to improve diversity, the importance of supporting kids and students of all backgrounds who have an interest in the field, as well as some of her thoughts on the future of the industry. Secured by Galah Cyber website Timestamps4:30 - Jacqui’s career background.9:30 - How Jacqui became inspired to tackle the issue of diversity within cyber.10:00 - At Jacqui’s first cyber event in Aus, struck by a sea of men.13:00 - Achievements Jacqui is proud of from the last 10 years.15:20 - What can businesses do to encourage diversity.19:00 - Cole: what are some systemic issues we need to tackle?22:00 - Jacqui: you can always teach technical skills.23:00 - How we can support kids & students to move into cyber.25:00 - Rapid fire questions.27:10 - What will be the theme in cyber for 2024.Mentioned in this episode:Call for FeedbackThis podcast uses the following third-party services for analysis: Chartable - https://chartable.com/privacy

While working as Head of Cyber Security Business Services at Australia Post, Susie Jones worked on a product that was designed to support small businesses that had suffered a data breach. Susie came to believe that existing cybersecurity tools and support was generally either too expensive for Australian small businesses, or didn’t suit their needs. And so she co-founded Cynch Security, which aims to fill this gap. In this conversation Susie chats with Cole Cornford about Susie’s career, the benefits of coming from a non-technical background, and they do a deep dive on the security needs of small businesses in Australia.Secured by Galah Cyber website 4:36 - Susie’s career background5:40 - benefits of coming from a non-technical background7:15 - Challenges of running your own business7:40 - Cole: you’re selling protection, it’s a pure cost8:10 - Susie’s motivation to become a founder9:00 - Consequences of breaches “the worst working day of their life”10:30 - Most common  security challenges for small businesses13:00 - Big businesses that work with small businesses share cyber risk14:40 - Supply chains and small businesses in Australia17:20 - 90% of employers in Aus aren’t served by our current cyber solutions18:00 - Worst examples of advice not suited to small business19:20 - Tips Susie would give to small businesses21:20 - Password managers are a no brainer25:00 - Rapid fire questions26:10 - One cybersecurity myth Susie would like to debunkMentioned in this episode:Call for FeedbackThis podcast uses the following third-party services for analysis: Chartable - https://chartable.com/privacy

In this episode Cole Cornford chats with Nathan Morelli, Head of Cyber Security and IT Resilience at SA Power Networks, which is the sole electricity provider for the entire state of South Australia. Making sure that 1.7 million people have electricity is a pretty important job, and Nathan shares his perspective on how the organisation maintains resilience in the face of potential breaches. They also discuss the importance of financial management skills in a management role, the Australian government’s updates to the Essential 8 and the national Six Shields cyber strategy, the importance of work life balance, and plenty more.Secured by Galah Cyber website 4:00 - Nathan’s career overview8:00 - “Not if, but when” and the principle of acting like a breach has already occurred10:40 - Cyber resilience is critical11:00 - Finding value in the impact of your work15:00 - Matching cybersecurity strategy to the resources available17:20 - High regulation/barriers to entry restrict quality security advice19:00 - Importance of access to affordable cybersecurity tools19:30 - Australian government “Six shields” update23:50 - Australian government update to “Essential 8”27:40 - Why Nathan adopted financial management concepts in his cybersecurity work31:10 - Cybersecurity decisions are made for financial reasons33:10 - Typical career trajectory: follow money, then people, then problems35:40 - Importance of work-life balance40:40 - Rapid fire questionsMentioned in this episode:Call for FeedbackThis podcast uses the following third-party services for analysis: Chartable - https://chartable.com/privacy

In this episode, Cole Cornford chats with Mat Franklin, founder and managing director of the consulting firm MF & Associates. Founded in 2019, Mat has quickly grown the company to be 70 or so employees, with their largest team being a cybersecurity team. With a focus on diversity and representation, MF & Associates are made up of approx 70% women, as well as having strong representation of LGBTQ+ and people with disabilities.In the conversation, Cole and Mat chat about the importance of diversity and representation in tech and cybersecurity, what Mat looks for in a potential employee, what lessons cybersecurity professionals can learn from other industries like health and law, and plenty more. Secured by Galah Cyber website 14:40 - How to improve diversity within a team17:00 - What Mat looks for in a potential employee during a job interview19:40 - The stereotype of cybersecurity professionals20:00 - The movie The Web, and portrayal of cyber in film24:00 - Cole: example of bad behaviour at a cybersecurity expo26:30 - How did Mat build his business?30:40 - Taking inspiration from how other industries operate31:40 - Mat’s company targeting ex-nurses for employees33:30 - The importance of brevity in corporate communication35:50 - It’s not possible or useful to try and know everything in cyber37:20 - Rapid fire questionsMentioned in this episode:Call for FeedbackThis podcast uses the following third-party services for analysis: Chartable - https://chartable.com/privacy

The cybersecurity industry is made up of people from all sorts of different backgrounds, and Michael Collins is a perfect example. After spending 8 years in the Australian navy, Michael moved to Cairns and became a diving instructor. After 5 years, Michael decided it was time for a career change and enrolled in a course to become a Microsoft certified systems engineer. Today, he’s Chief Information Security Officer at Judo Bank. In this episode we chat about how Michael has managed major transitions in his career, the importance of aligning cybersecurity strategies with business goals, systems thinking as a framework for approaching cybersecurity, and plenty more.Systems Thinking Made Simple - by Derek Cabrera:https://www.amazon.com.au/Systems-Thinking-Made-Simple-Problems/dp/1520740492 Secured by Galah Cyber website 2:20 - A good summary of Judo Bank7:10 - How Michael became a CISO9:00 - How Michael almost bailed on his cybersecurity training after day one12:00 - The joys of scuba diving14:30 - Advantages of systems thinking16:30 - How someone can get started with systems thinking17:40 - DSRP thinking (Distinctions, Systems, Relationships and Perspectives)24:20 - Delivering AppSec by meeting the business where it is, not being idealistic25:20 - “It’s not all about downsides”, businesses succeed by taking risks27:10 - How we can promote more business-mindedness in cyber32:50 - Michael’s transition from techie role to CISO39:50 - Cole: “Leadership is a funny thing”43:30 - Rapid fire questionsMentioned in this episode:Call for FeedbackThis podcast uses the following third-party services for analysis: Chartable - https://chartable.com/privacy

Seth Law is Founder and Principal Consultant of Redpoint Security, an AppSec consulting firm that focuses on code security, as well as co-host of the fantastic Absolute AppSec podcast. Seth has plenty of experience with the nitty gritty details of software development, and Cole Cornford had a great time nerding out with him about static analysis tools and code reviews. They chat about the potential for AI to improve AppSec, the unhelpful tendency to idolise big tech companies, the importance of good communication between developers and AppSec, and plenty more.Secured by Galah Cyber website Mentioned in this episode:Call for FeedbackThis podcast uses the following third-party services for analysis: Chartable - https://chartable.com/privacy

Jeanette Gill is Principal Customer Success Manager at Secure Code Warrior. Jeanette comes from a non-technical background, having worked in the aviation industry for over a decade. When she made the leap into AppSec, it was her communication skills and focus on providing a great experience for customers which proved invaluable. Jeanette chats with Cole Cornford about some common misconceptions about AppSec, the sometimes uneasy relationship between developers and AppSec, the potential for AI to change our industry, and plenty more.Secured by Galah Cyber website 7:30 - Jeanette’s career background in aviation10:40 - Working for airline “best years of my life”13:10 - Giving up career to move to Australia15:20 - Jeanette’s current role at Secure Code Warrior16:40 - Developers being wary of appsec20:40 - Cole: I don’t think education issue, but incentive issue24:00 - Using AI to improve appsec24:40 - What is Secure Code Warrior28:00 - What do teams struggle with in terms of Appsec?36:00 - Management leading by example38:40 - Often, devs don’t want to hear from appsec team43:00 - How did Jeanette get involved with appsec after moving to Aus46:50 - Value of webinars, podcasts, and people sharing knowledge online47:30 - Developers, programmers or engineers, what’s the correct term?51:50 - The importance of titles and job descriptions52:30 - Rapid fire questions59:30 - Jeanette: hug your appsec teamMentioned in this episode:Call for FeedbackThis podcast uses the following third-party services for analysis: Chartable - https://chartable.com/privacy

Edward Farrell is Director & Principal Consultant for the Australian company Mercury Information Security Services. Edward has nearly two decades experience in the IT sector, having worked early on in network design and IT operations, before transitioning into a focus on infosec. He’s an Industry Fellow at the University of NSW, teaching in the cyber security masters program, and a board member and advisor to multiple organisations. In this episode, Cole Cornford chats with Edward about his career journey, using automation to make teams more efficient, his belief that the infosec industry would benefit from further professionalisation, and plenty more. Secured by Galah Cyber website Time Stamps6:25 - Edward’s career background10:00 - Did Edward enjoy living in Wollongong? 11:20 - Value of work experience while at Uni14:00 - What led Edward to start his own business15:40 - Using automation to make a business more efficient18:10 - Career pathways within info security19:00 - The big 4 firms in cybersecurity20:40 - A broader issue with the Australian market22:30 - Financial planning25:40 - The best blog posts that Edward has written recently27:10 - The professionalisation of cybersecurity 32:00 - Too many tech solutions, not enough service providers?36:00 - Edward anecdote: one guy in the company who knows all the systems37:20 - Rapid fire questionsMentioned in this episode:Call for FeedbackThis podcast uses the following third-party services for analysis: Chartable - https://chartable.com/privacy

In this special episode of Secured, Abhijeth Dugginapeddi takes the reins as guest host and Cole Cornford answer the questions for once. Cole discusses some of the ups and downs of his career, what advice he has to share, and plenty more. Abhijeth Dugginapeddi is currently Head of AppSec at BigCommerce, an ecommerce platform used by thousands of companies across 150 countries, as well as lecturer at the University of New South Wales. Abhijeth has worked in cybersecurity for well over a decade, including roles at Adobe and Commonwealth Bank. Secured by Galah Cyber website 2:56 - Cole’s career background4:30 - Cole rapidly becoming head of AppSec function 8:20 - Looking back, was Cole’s career background a good start?10:20 - Cole’s advice for people getting into cybersecurity13:30 - The 3 “A”s of consulting16:00 - Is elitism still common in cybersecurity?16:50 - Cybersecurity: we’re taught an adversarial mindset by default20:10 - What were the motivations and challenges for Cole starting a company?22:40 - Cole’s experience at a recruitment fair25:50 - What a day in the life of Cole looks like31:00 - Tips for leaders on how to build a successful security team34:00 - Importance of good relationships/communication among team35:30 - Does Cole have frustrating days? What are some challenges he’s overcome?44:00 - Rapid fire questionsMentioned in this episode:Call for FeedbackThis podcast uses the following third-party services for analysis: Chartable - https://chartable.com/privacy

Karissa Breen is the founder of KBI, a marketing and communications agency that works with cybersecurity and deep tech companies. After working in technical roles early in her career, Karissa saw that the complexity of cybersecurity often made it challenging for companies to communicate clearly, especially to those outside of the cyber industry. An entrepreneur at heart, Karissa took a leap of faith, quit her job, and has since focused on helping those with technical expertise tell their stories more effectively.In this episode Cole Cornford chats with Karissa about her experiences with podcasting, producing a TV show, the ups and downs of entrepreneurship, and plenty more.Secured by Galah Cyber website Time Stamps4:20 - Karissa’s career background.6:30 - Moving away from a purely technical role.7:20 - Cole: is a uni degree important for a career in cyber?11:10 - Karissa being inquisitive in her early years.11:50 - Treating people the same regardless of their job/rank.13:00 - Cole: lots of students think a uni degree will be enough to get them a job.15:00 - Karissa’s decision to pursue entrepreneurship.16:40 - Cole: starting out in business, naivety can be valuable.18:40 - Karissa’s journey building her business and getting into media.23:30 - In the early days of Karissa’s podcasting, what worked well and what didn’t.26:40 - Cole gives a shoutout to W2D1.27:30 - Karissa: podcast hosts need to enjoy/care about hosting their podcast.31:30 - Karissa’s TV show.38:00 - The importance of preparation for a podcast.38:30 - Karissa’s entrepreneurship journey.39:20 - Karissa: Entrepreneurs are a different breed.43:00 - Entrepreneurship is constantly challenging.44:30 - The importance of a good support network.45:10 - rapid-fire questions.Mentioned in this episode:Call for FeedbackThis podcast uses the following third-party services for analysis: Chartable - https://chartable.com/privacy

Jason Murrell is a cybersecurity advocate and consultant with more than two decades of experience in business and entrepreneurship. In this episode Jason chats with host Cole Cornford about both the successes and setbacks he’s experienced in the startup world, including as a founding shareholder in Starward Whisky and co-founder of Altius Mining. In recent years Jason’s career has focused on cybersecurity, including roles such as COO of Cyber Aware and Group Executive of AustCyber. Jason and Cole chat about how Jason’s business experience helped shape his approach to cybersecurity, learning from mistakes, financial literacy, and plenty more. Secured by Galah Cyber website Time Stamps4:46 - Sharks as a metaphor for adversaries in cybersecurity9:40 - Financial literacy12:30 - Need for greater gender diversity14:30 - Learning financial literacy from running a business18:40 - How Jason’s business experience informed his approach to cybersecurity19:00 - Jason’s experience with the company Starward Whisky24:20 - Cle sees similarities between whiskey company and Galah Cyber25:40 - In business, approaching problems differently to the competition25:50 - Jason’s gold mining business26:30 - Raising millions for the gold mining business, only for it to be taken over28:00 - Learning more from mistakes than successes28:30 - In cyber, we shold learn from instances and mistakes better30:20 - Optus breach, and the imbalance of “one mistake and you’re hung drawn and quartered”Mentioned in this episode:Call for FeedbackThis podcast uses the following third-party services for analysis: Chartable - https://chartable.com/privacy

When Sam Fariborz moved to Australia from Iran, she had been working as an IT manager. While she had plenty of experience and strong technical skills, the move to Australia was challenging, and in this episode Sam discusses some of the barriers to entry she faced. By attending cybersecurity events and reaching out to people on LinkedIn, Sam found mentors and peers who helped progress her career, and today Sam is Cybersecurity Services & Program Manager for Kmart group which employs nearly 50,000 people across Australia and New Zealand. Sam chats with Cole Cornford about how to network effectively, the growth of cybersecurity as a profession in the last couple of decades, the need for greater diversity within the industry, and plenty more.Secured by Galah Cyber website Time Stamps4:15 - Sam’s journey into cybersecurity.5:00 - Sam losing her confidence when coming to Australia.6:00 - Cole has seen people from overseas struggle to fit into Australian work culture.7:00 - Sam’s experience with racism.8:10 -  Sam’s positive experiences meeting mentors.9:10 - Cole’s uni address and why “career ladder” is a terrible analogy.11:45 - Sam: a story of one mentor who changed the path of her career.14:10 - Cole: giving back to the community that fosters you.16:40 - How to network effectively.17:00 - The value of attending community events.19:00 - The growth of cyber community in Australia.20:00 - Sam: today everyone wants  to get into cyber.20:20 - The increasing gender diversity within cybersecurity.21:30 - Sam: the need for greater diversity within cybersecurity.27:20 - Sam’s experience being a woman in a cyber leadership role.28:20 - Sam: most women feel like they need to be perfect to be acceptable.31:40 - Sam: cybersecurity is changing every day.32:10 - Sam: cybersecurity professionals have a positive impact on the lives of people.Mentioned in this episode:Call for FeedbackThis podcast uses the following third-party services for analysis: Chartable - https://chartable.com/privacy

As a consultant, Laura Bell-Main earned a reputation for being “the Mary Poppins of security”, swooping in to fix problems with her big bag of tricks. More recently, she made the leap from consulting into founding a product company, securing funding from VC firm Blackbird with the aim of building SafeStack into an online training platform that can help orgs of all sizes design secure software.In this episode, Laura chats with Cole Cornford about the challenges of becoming a startup founder, the current state of AppSec training & education, Laura’s vision for SafeStack’s legacy, and plenty more.Secured by Galah Cyber website Timestamps4:19 - Laura’s career background.7:45 - no clear pathway into a career in AppSec.8:40 - Cole’s experience at a career expo @ Newcastle uni.12:00 - Large and small companies AppSec needs are different.14:00 - A large company like Facebook is very different from the average company.16:40 - Security has a tendency to get lax for software not being actively developed.18:10 - Laura: the theme of this conversation “you will fail and this will make you stronger”.19:00 - Why Laura is in AppSec.20:00 - Laura speaks about being a salesperson + having a product company.21:20 - Cole: I anticipate AppSec will grow Laura: software rules the world.25:10 - SafeStack: for profit with purpose, balancing purpose and profit.27:50 - Laura: discussing Blackbird’s investment in SafeStack.29:40 - Laura’s background as a consultant.30:20 - Laura: customers called me “Mary Poppins of AppSec”.32:50 - Laura’s transition from consulting to founding a product company.34:20 - Laura: on building a company, I sometimes joke “I used to be in security”.37:40 - The leap from idea to product.38:30 - Laura’s vision for SafeStack’s legacy.40:10 - SafeStack’s “one hour AppSec”.Mentioned in this episode:Call for FeedbackThis podcast uses the following third-party services for analysis: Chartable - https://chartable.com/privacy

Ken Johnson is co-founder of Dryrun Security and co-host of the Apsolute AppSec podcast. Ken has many years experience working in AppSec in a variety of roles, including CTO of nVisium and Application Security Engineer at GitHub. Ken chats with Cole Cornford about taking an agnostic approach to AppSec, transitioning from being an employee to a founder, how AI might change cybersecurity, and plenty more.Secured by Galah Cyber website Timestamps9:10 - When Ken started running AppSec conferences.12:00 - Ken: an “agnostic approach” to appsec really resonated with people.14:30 - Ken: “by nature we are always behind the curve”.15:40 - Ken: appsec is getting much harder.17:00 - Cole also advocates for an agnostic approach to appsec.18:50 - Ken’s favourite thing about Github: the culture.20:30 - discussing Github.25:00 - Appsec education.26:30 - quality software is secure software.27:30 - AI & Appsec.33:50 - Brief overview of Ken’s professional life, transition to being a founder.36:30 - Cole: people who plan to build a product alongside consulting.38:20 - Cole’s experience starting a consulting business.39:40 - Ken’s interests outside AppSec.40:40 - How Ken got into brazilian ju jitsu.44:10 - Cole’s pandemic experience.Mentioned in this episode:Call for FeedbackThis podcast uses the following third-party services for analysis: Chartable - https://chartable.com/privacy