Secured by Galah Cyber
Author: Day One
© Copyright 2024 Day One
Description
Secured is the podcast for software security enthusiasts. Host Cole Cornford sits down with Australia's top software security experts to uncover their unconventional career paths and the challenges they faced along the way.
Listen in as they share their insights on the diverse approaches to AppSec, company by company, and how each organisation's security needs are distinct and require personalised solutions.
Gain insider access to the masterminds behind some of Australia's most successful software security teams on Secured by Galah Cyber.
This podcast uses the following third-party services for analysis:
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/
40 Episodes
Episode Summary
In this episode, Cole Cornford is joined by cybersecurity experts and IRAP assessors, Kat McCrabb and Toby Amodio, to unpack the latest updates to the Protective Security Policy Framework (PSPF) for 2024. They explore the significant changes introduced in the PSPF, such as the heightened emphasis on IRAP assessments, the potential strain on resources due to increased demand for assessors, and the impact on government agencies' compliance efforts. The discussion delves into the restructuring of the PSPF domains, including the separation of information and technology, and the challenges this presents for reporting and governance. They also address issues with self-attestation in agencies, insights from ANAO reports, and the critical importance of managing legacy IT systems. Kat and Toby offer valuable perspectives and practical advice for organisations navigating these new requirements, highlighting the need for proactive planning and adaptation in the evolving cybersecurity landscape.
Timestamps
01:27 - What is the PSPF? Toby explains the framework
03:07 - Kat discusses the biggest changes in the PSPF 2024 updates
04:20 - Challenges with IRAP assessments: time, cost, and limited assessors
06:18 - When are IRAP assessments required? Clarifications
08:13 - Changes in PSPF domains: splitting information and technology
10:08 - Implications of the changes for reporting and governance
12:15 - Comparison with NIST framework and governance considerations
13:38 - Issues with self-attestation and insights from ANAO reports
15:09 - Strategies for improving reporting and assessments in agencies
17:36 - Managing legacy IT systems under the new PSPF requirements
18:52 - Key takeaways and final thoughts from Kat and Toby
Mentioned in this episode: Call for Feedback
Episode Summary
In this episode, Cole Cornford speaks with Anand, an API security expert at Traceable AI with over 18 years of experience in crafting innovative IT solutions. Anand's expertise spans API design, microservices architecture, cloud technologies like Kubernetes and AWS, and security architecture including IAM and OAuth. Together, they delve into the critical importance of API security in today's digital landscape, discussing why traditional web security measures are insufficient, lessons learned from incidents like the Optus breach, the challenges of managing API inventories, and how AI and machine learning can enhance security practices. Anand also shares his experience writing a book during the pandemic and the value of continuous learning. This episode is packed with insights on modern application development, cybersecurity, and plenty more.
Timestamps
4:20 - Understanding API security challenges
9:30 - The role of AI in API security
16:55 - The importance of API inventory management
24:00 - The business impact of API security
28:00 - Cole & Anand discuss books & writing
34:00 - Current state of API security in Australia
Mentioned in this episode: Call for Feedback
Episode Summary
In this episode, Cole Cornford speaks to two guests on the topic of robotics: Damith Herath, a Professor at the University of Canberra, and Adam Haskard, co-founder and Director of Bluerydge, a Canberra-based cybersecurity and technology firm. Together, Damith and Adam are conducting research into Secure Robotics, an emerging field of study that addresses the intersection of robotic safety, trust, and cybersecurity. In their conversation with Cole, they discuss the growth opportunities for robotics, how someone interested in the field could pursue a career in robotics, potential risks of the common household vacuum robots, and plenty more.
Timestamps
2:00 - Robotics: definitions & applications
8:45 - The intersection of robotics & cybersecurity
10:00 - Trust & safety in robotics & cyber
15:00 - Emerging risks in robotics
18:40 - The role of cybersecurity in robotics
20:30 - Regulation and innovation in robotics
40:00 - Growth opportunities for robotics
29:00 - Future of robotics & AI
32:00 - Career pathways into robotics
39:00 - Rapid fire questions
Mentioned in this episode: Call for Feedback
Episode Summary
Ilkka Turunen is the CTO at Sonatype, a company that helps millions of software developers use open-source software while minimising security risk. In this conversation, Ilkka chats with Cole Cornford about the benefits and risks of using open-source software, how Maven helped standardise software development processes, the different approaches to AppSec regulation in Australia and Europe, and plenty more.
Timestamps
1:33 - Ilkka's career background
4:00 - Varying quality of open-source software
6:10 - How Maven helped standardise software development processes
13:00 - The balance between speed of delivery & quality
17:00 - Importance of environment parity in software dev
21:40 - Risk of using 3rd party code in software
25:10 - Regulation of AppSec in Australia vs Europe
32:10 - How new European software security regulations will be enforced
35:00 - Recommendations for compliance with European regulations
39:00 - Rapid fire questions
Mentioned in this episode: Call for Feedback
Summary
Daisy Wong is the Head of Security Awareness at Medibank, as well as a disability advocate. Originally from a marketing background, Daisy gained experience in the cybersecurity industry working as part of penetration testing teams, before making her way into the security culture and awareness space. In her conversation with Cole Cornford, Daisy discusses using the tools of marketing to educate people on cybersecurity, what the hallmarks of a good security culture and awareness program are, and the importance of diversity in cybersecurity.
Timestamps
4:00 - Daisy's transition from marketing to cybersecurity
8:10 - The importance of security culture and awareness
11:00 - Building effective security awareness programs
14:15 - The role of diversity in cybersecurity
17:00 - Strategies for inclusive hiring practices
19:40 - The power of communication in security awareness
23:20 - Creative approaches to security awareness campaigns
31:45 - Daisy's personal perspective on the importance of diversity
43:40 - Rapid fire questions
Mentioned in this episode: Call for Feedback
Summary
Antonio Deliseo has been in the information security industry for decades. Currently working at Telstra, Antonio has enjoyed a long and winding career path and has plenty of stories and insights to share as a result. In this conversation with Cole Cornford, Antonio discusses how he got started in his career studying physics, overseeing cybersecurity at a goldmine, how to advocate for cybersecurity within a large organisation, and plenty more.
Timestamps
1:40 - Antonio's career background
3:30 - Advantages of coming from a non-technical background
8:30 - Stories from Antonio's early career working at a goldmine
14:00 - How Antonio moved into the GRC space
17:30 - The role a board of directors plays in cybersecurity
20:00 - Cybersecurity is less like IT, more like gambling or insurance
25:30 - Calculating the cost of a breach in dollar terms
30:30 - How to advocate for cybersecurity as a CISO
40:00 - Cybersecurity often seen as unaffordable by small businesses
42:30 - Pros & cons of networked technology
Mentioned in this episode: Call for Feedback
Summary
Ben Gittins is the Principal Security Engineer at Bugcrowd, one of the world's best bug bounty platforms. Ben has previously worked as a Senior DevSecOps Engineer at Canva, as well as DevSecOps Lead at SecureStack. In this conversation with Cole Cornford, Ben shares his belief that cybersecurity needs more generalists, how coding and AppSec have changed over time, whether cybersecurity qualifications are overrated, and plenty more.
Timestamps
3:50 - Why is Aus cybersecurity lagging behind?
9:50 - Over-reliance on purchasing cybersecurity products
14:40 - We ask too much of our AppSec professionals
19:00 - How app development & cybersecurity have changed over time
24:00 - "Greenfield projects" are often not realistic
28:20 - How to bring new people into the AppSec industry
32:00 - Importance of communication skills
38:20 - Cybersecurity qualifications are overrated
43:00 - Rapid fire questions
Mentioned in this episode: Call for Feedback
Summary
Shan Kulkarni is the co-founder and CEO of Nullify, a product designed to augment AppSec teams with AI agents capable of carrying out multiple levels of product security work autonomously. Prior to Nullify, Shan worked in roles such as Cloud Operations Lead at UNSW Redback Racing, and Cloud Security Engineer at CMD Solutions Australia. In this conversation with Cole Cornford, Shan discusses the challenges of starting a business, and in particular the challenges of hiring, the state of AppSec in Australia, what the future might hold for the industry, and plenty more.
Timestamps
1:30 - Shan's career background
5:30 - Why AppSec is so often inefficient and expensive
9:00 - Big tech has a monopoly on AppSec talent
12:30 - Shan's journey from consultant to founding a company
15:40 - Biggest mistakes when starting a business
19:20 - Selling products/services to devs is extremely difficult
25:00 - Where Shan sees AppSec going
28:00 - Consolidation of security products
32:00 - What security leaders are struggling with: visibility
34:00 - Rapid fire questions
Mentioned in this episode: Call for Feedback
Summary
Dan Draper is CEO and Founder of CipherStash, a data-storage platform that helps customers keep data secure. As well as being fascinated by cryptography and data security, for most of Dan's career he's either been a founder or worked in the leadership team of startups, and so has plenty of experience in both business and getting into the nitty-gritty details of technical problems. In this episode Dan chats with Cole Cornford about cryptography, the challenges and rewards of founding a company, best practices for securing funding for a startup, and plenty more.
Timestamps
2:00 - Dan's career background
8:00 - Dan's lessons from working in government
9:30 - When Dan became obsessed with cryptography
12:40 - Reflecting on Dan's 1st failed business
17:10 - The founding of CipherStash
23:40 - Managing data a major challenge in large orgs
28:00 - Different types of data breaches
32:00 - Potential and limitations of AI in cybersecurity
37:00 - Experience raising money for a startup
44:10 - Dan's 3 tiers of investors
46:00 - Rapid fire questions
Mentioned in this episode: Call for Feedback
Summary
In this episode, Cole Cornford chats with Matt Jones, co-founder of Elttam, an independent security boutique that provides security assessment services. On top of his role at Elttam, Matt is active in the infosec community in a variety of ways, including helping with BSides Canberra's call for papers and writing open-source tooling such as talkback.sh. Cole and Matt chat about the motivation behind founding Elttam, why Australia's infosec industry is lagging behind other parts of the world, the exploit development space, and plenty more.
Timestamps
2:00 - Matt's career background
7:00 - Matt's early challenges finding an opportunity in cybersecurity
11:00 - Why Matt chose to co-found Elttam
13:00 - Cole: Australia's infosec industry is immature compared to US
19:00 - The importance of specialisation
20:30 - Better to do 1 thing really well when bootstrapping
24:00 - Using the right approach for the right context
25:30 - Risks of using a bug bounty program
31:10 - Cole: the bar for pen testing reports should be much higher
37:10 - Training & education for infosec
39:00 - Cole: is infosec a cottage industry?
44:00 - Product vs service approach to cybersecurity
47:50 - Cole: I like looking at source code from 80s and 90s
49:00 - Rapid fire questions
Mentioned in this episode: Call for Feedback
Summary
In this episode of Secured, host Cole Cornford interviews Bruce Large, a security architect and evangelist at Secolve, the OT security specialists in Australia. They discuss the importance of threat modelling in operational technology systems and the need for engineers to consider the potential for cyber attacks. Bruce also shares insights from the ISA/IEC 62443 series of standards, which provides guidelines for secure system development in OT. Additionally, they touch on the significance of unions in the tech industry and the benefits of joining organisations like Professionals Australia. Tune in for a fascinating conversation on application security and more.
Timestamps
1:25 - Bruce's professional background
2:40 - Defining "engineer" in different contexts
6:20 - Differences between computer engineers and civil engineers
8:20 - Threat modeling
12:40 - How we treat safety in software vs other industries
18:30 - Bruce: we should be encouraging lifelong learning
24:00 - ISA/IEC 62443 safety standard
29:00 - The Year 2038 Problem
34:20 - Unions & industrial relations
43:40 - Rapid fire questions
Mentioned in this episode: Call for Feedback
Summary
Paul McCarty is CEO and founder of SecureStack, a DevSecOps visibility & automation company, and GitLab's Red Team leader. Paul's been involved in software security in Australia for decades. In his conversation with Cole Cornford, Paul discusses how Australia's software security industry has changed since the early 2000s, whether security professionals ought to know how to code, and plenty more.
Timestamps
2:50 - Paul's career background
7:00 - Spicy take: people on LinkedIn are too blindly positive
10:00 - Understanding what went wrong when there's a breach
13:00 - Cole doesn't think "zero trust" is feasible
14:10 - Cole: maturity of cybersecurity in Aus is weak generally
16:00 - Cole hires for dev experience, not sec ops, because dev is harder to teach
18:30 - Aus market different to US, which has lots of software companies
21:50 - Paul: we've devalued the importance of operations
22:20 - The "holy trinity" of offensive security
26:30 - What percentage of ASX companies have a bug bounty program?
28:50 - Cole's free pizza exploit
31:00 - Got to be in security for the long haul
31:40 - The book that changed Paul's life
Mentioned in this episode: Call for Feedback
Jay Hira is a cybersecurity director with 18 years of experience working in a variety of roles both in Australia and internationally. Today he is Director of Cyber Security: Financial Services at KPMG Australia, and Founder and Executive Director of MakeCyberSimple. In this conversation Jay and Cole Cornford avoid getting too deep into technical details, and instead discuss a zoomed-out perspective on cybersecurity strategy for large organisations, how the current macroeconomic climate affects approaches to cybersecurity, tips for clear communication between technical and non-technical stakeholders, and plenty more.
Timestamps
1:40 - Advantages of generalisation vs specialisation
4:00 - Tips for communicating effectively to leaders
6:00 - Clarity comes from simplicity
9:30 - Importance of reporting structure in a large org
14:20 - Core foundations of a cyber strategy
20:00 - How current economic climate is affecting cybersecurity budgets
24:30 - How do you maintain intrinsic motivation?
27:00 - Work life balance
30:30 - Rapid fire questions
Mentioned in this episode: Call for Feedback
Tara Whitehead is Security Engagement Manager at MYOB. Prior to becoming a cybersecurity specialist, Tara had an eclectic career, including working in advertising and international relations. In this episode Tara chats with Cole about how her non-technical background has in many ways been an asset working in security, leading change management in large enterprises, the importance of great communication skills, and plenty more.
Secured by Galah Cyber website
Timecodes
7:15 - Tara's first days in AppSec
10:00 - How to influence people
12:30 - Why we should dial back on the doomsday conversation
14:10 - Find your change champions
21:30 - Is a non-technical background help or hindrance?
23:30 - Communication and influencing key skills
26:00 - Communicating with execs
28:20 - Rapid fire questions
Mentioned in this episode: Call for Feedback
Episode summary
Daniel Grzelak is currently the Chief Innovation Officer at Plerion, and has had a storied career at a variety of technology firms around Australia. In this conversation Daniel brings his experience and insight to the topic of common myths and misconceptions within the cybersecurity industry, and with Cole Cornford tackles questions like:
Does a cybersecurity professional need to know how to code?
Is there a workforce shortage in the industry?
Should pen testers write remediation advice?
Timestamps
1:50 - Does a cybersecurity professional need to know how to code?
5:40 - Is there a workforce shortage in cybersecurity?
9:30 - Questions to ask when interviewing potential cybersecurity hires
12:30 - Are people in cybersecurity bad at promoting their own skills?
17:00 - Should pen testers write remediation advice?
20:20 - Daniel's career advice: start writing
Mentioned in this episode: Call for Feedback
After working as a cybersecurity consultant in Europe for over a decade, Jacqui Loustau was struck by how cybersecurity professionals in Australia were overwhelmingly male. This led Jacqui to found the Australian Women in Security Network (AWSN), a not-for-profit association and network with the goal of increasing the number of women in the security community. In this episode, Jacqui chats with Cole Cornford about how businesses can change their approach to hiring to improve diversity, the importance of supporting kids and students of all backgrounds who have an interest in the field, as well as some of her thoughts on the future of the industry.
Secured by Galah Cyber website
Timestamps
4:30 - Jacqui’s career background
9:30 - How Jacqui became inspired to tackle the issue of diversity within cyber
10:00 - At Jacqui’s first cyber event in Aus, struck by a sea of men
13:00 - Achievements Jacqui is proud of from the last 10 years
15:20 - What can businesses do to encourage diversity
19:00 - Cole: what are some systemic issues we need to tackle?
22:00 - Jacqui: you can always teach technical skills
23:00 - How we can support kids & students to move into cyber
25:00 - Rapid fire questions
27:10 - What will be the theme in cyber for 2024
Mentioned in this episode: Call for Feedback
While working as Head of Cyber Security Business Services at Australia Post, Susie Jones worked on a product that was designed to support small businesses that had suffered a data breach. Susie came to believe that existing cybersecurity tools and support were generally either too expensive for Australian small businesses, or didn’t suit their needs. And so she co-founded Cynch Security, which aims to fill this gap. In this conversation Susie chats with Cole Cornford about Susie’s career, the benefits of coming from a non-technical background, and they do a deep dive on the security needs of small businesses in Australia.
Secured by Galah Cyber website
Timestamps
4:36 - Susie’s career background
5:40 - Benefits of coming from a non-technical background
7:15 - Challenges of running your own business
7:40 - Cole: you’re selling protection, it’s a pure cost
8:10 - Susie’s motivation to become a founder
9:00 - Consequences of breaches: “the worst working day of their life”
10:30 - Most common security challenges for small businesses
13:00 - Big businesses that work with small businesses share cyber risk
14:40 - Supply chains and small businesses in Australia
17:20 - 90% of employers in Aus aren’t served by our current cyber solutions
18:00 - Worst examples of advice not suited to small business
19:20 - Tips Susie would give to small businesses
21:20 - Password managers are a no-brainer
25:00 - Rapid fire questions
26:10 - One cybersecurity myth Susie would like to debunk
Mentioned in this episode: Call for Feedback
In this episode Cole Cornford chats with Nathan Morelli, Head of Cyber Security and IT Resilience at SA Power Networks, which is the sole electricity provider for the entire state of South Australia. Making sure that 1.7 million people have electricity is a pretty important job, and Nathan shares his perspective on how the organisation maintains resilience in the face of potential breaches. They also discuss the importance of financial management skills in a management role, the Australian government’s updates to the Essential 8 and the national Six Shields cyber strategy, the importance of work-life balance, and plenty more.
Secured by Galah Cyber website
Timestamps
4:00 - Nathan’s career overview
8:00 - “Not if, but when” and the principle of acting like a breach has already occurred
10:40 - Cyber resilience is critical
11:00 - Finding value in the impact of your work
15:00 - Matching cybersecurity strategy to the resources available
17:20 - High regulation/barriers to entry restrict quality security advice
19:00 - Importance of access to affordable cybersecurity tools
19:30 - Australian government “Six shields” update
23:50 - Australian government update to “Essential 8”
27:40 - Why Nathan adopted financial management concepts in his cybersecurity work
31:10 - Cybersecurity decisions are made for financial reasons
33:10 - Typical career trajectory: follow money, then people, then problems
35:40 - Importance of work-life balance
40:40 - Rapid fire questions
Mentioned in this episode: Call for Feedback
In this episode, Cole Cornford chats with Mat Franklin, founder and managing director of the consulting firm MF & Associates. Since founding the firm in 2019, Mat has quickly grown the company to 70 or so employees, with their largest team being a cybersecurity team. With a focus on diversity and representation, MF & Associates are made up of approximately 70% women, as well as having strong representation of LGBTQ+ people and people with disabilities.
In the conversation, Cole and Mat chat about the importance of diversity and representation in tech and cybersecurity, what Mat looks for in a potential employee, what lessons cybersecurity professionals can learn from other industries like health and law, and plenty more.
Secured by Galah Cyber website
Timestamps
14:40 - How to improve diversity within a team
17:00 - What Mat looks for in a potential employee during a job interview
19:40 - The stereotype of cybersecurity professionals
20:00 - The movie The Web, and portrayal of cyber in film
24:00 - Cole: example of bad behaviour at a cybersecurity expo
26:30 - How did Mat build his business?
30:40 - Taking inspiration from how other industries operate
31:40 - Mat’s company targeting ex-nurses for employees
33:30 - The importance of brevity in corporate communication
35:50 - It’s not possible or useful to try and know everything in cyber
37:20 - Rapid fire questions
Mentioned in this episode: Call for Feedback
The cybersecurity industry is made up of people from all sorts of different backgrounds, and Michael Collins is a perfect example. After spending 8 years in the Australian navy, Michael moved to Cairns and became a diving instructor. After 5 years, Michael decided it was time for a career change and enrolled in a course to become a Microsoft certified systems engineer. Today, he’s Chief Information Security Officer at Judo Bank. In this episode we chat about how Michael has managed major transitions in his career, the importance of aligning cybersecurity strategies with business goals, systems thinking as a framework for approaching cybersecurity, and plenty more.
Systems Thinking Made Simple - by Derek Cabrera: https://www.amazon.com.au/Systems-Thinking-Made-Simple-Problems/dp/1520740492
Secured by Galah Cyber website
Timestamps
2:20 - A good summary of Judo Bank
7:10 - How Michael became a CISO
9:00 - How Michael almost bailed on his cybersecurity training after day one
12:00 - The joys of scuba diving
14:30 - Advantages of systems thinking
16:30 - How someone can get started with systems thinking
17:40 - DSRP thinking (Distinctions, Systems, Relationships and Perspectives)
24:20 - Delivering AppSec by meeting the business where it is, not being idealistic
25:20 - “It’s not all about downsides”, businesses succeed by taking risks
27:10 - How we can promote more business-mindedness in cyber
32:50 - Michael’s transition from techie role to CISO
39:50 - Cole: “Leadership is a funny thing”
43:30 - Rapid fire questions
Mentioned in this episode: Call for Feedback