Datacom CISO Collin Penman talks about the growing gap between leadership and employees when it comes to cybersecurity, how cyber fatigue is leaving businesses in Australia and New Zealand more exposed, and why AI-powered threats are now keeping security leaders up at night.

Speaking to CIO's Cathy O'Sullivan, Penman dug into Datacom's State of Cybersecurity Index findings, and the reality is sobering. The data shows:

- AI-driven attacks now top the threat list for security leaders
- Security teams are burning out - 61% in NZ and 58% in Australia report cyber fatigue
- Leadership thinks staff are cyber-ready; most employees disagree
- 40% of employees use AI tools like ChatGPT, yet only 1 in 4 have read their company's AI policies

Penman cut through the hype, emphasizing:

- Generic annual security training doesn't work - role-specific, short modules do
- AI governance is lagging behind adoption, creating real vulnerabilities
- Security teams are still fighting the "Department of No" perception

The most telling point? The disconnect between what leadership believes about security readiness versus what's happening on the ground with employees.
Cathy O'Sullivan: Hello and welcome to CIO Leadership Live. I'm Cathy O'Sullivan, editorial director for CIO in Australia and New Zealand. And today, I'm joined by Collin Penman, who is the Chief Information Security Officer at Datacom. Thanks for being on the show today, Collin.
Collin Penman: Thank you, Cathy, for inviting me.
Cathy O'Sullivan: Great stuff. So look, Datacom recently released its State of Cybersecurity Index, and we'll get into the findings of the report shortly. But first, tell us a bit about your career in tech and the roles that have led up to you taking on the CISO position at Datacom.
Collin Penman: That's a tough one, to talk about yourself. I've always had probably a foot in both camps. I've been very technical at the same time as business-orientated, and that's shown within my past. I started off actually maintaining and restoring telex machines for Telecom in Australia.
So, I've certainly seen a lot of technology changes. But those technology changes wouldn't have come unless there is a level of business engagement moving the business forward. So, everything technology-wise has really been coupled with the business.
And I've been very humbled by some of the companies that I've worked for, not only Telecom and Telstra, but other companies like IBM, Oracle, Salesforce in the early days, and the areas where I started to be more focused from a CISO point of view are around Kyndryl in Australia and New Zealand, the spin-out of the managed services from IBM, and then from there joining Datacom, and leading Datacom as they transitioned and really stood up a CISO's office internally.
Cathy O'Sullivan: So Datacom has released its State of Cybersecurity Index and has found that AI-driven cyber-attacks are now the number one concern for security leaders. So how do you think CIOs should rethink their security posture to adapt to, you know, an ever-evolving landscape?
And are Australian and New Zealand businesses adapting fast enough?
Collin Penman: I think they're slowly maturing, I would use the word, but I'll take a step back, because I think AI affects companies in a couple of different ways. We see AI coming through the supply chain.
A lot of the products that we're actually using, from a supply chain point of view, now have AI actually embedded within those products that we're consuming, that may be utilizing the data internally to learn and teach those products, as an example.
So supply chain, I certainly see the requirement to not only include AI questionnaires as part of that supply chain risk point of view.
We're starting to see it used internally, obviously, to build out the business value from an applications point of view, really reduce, you know, a lot of the manual tasks, repetitive tasks internally, but actually to really start to engage customers and our internal staff around what we can do better around the applications that we have.
And then two things, one is the defence from AI based security attacks. So starting to look at how AI helps us from a cybersecurity point of view, and then the way that we see, and a lot of discussion, is around AI utilized within cybersecurity from threat actors.
And we're really starting to see that, not only from phishing emails. Previously, you would have seen a phishing email that was poorly worded or the English wasn't spectacular; it's now very, very targeted to the individuals using AI.
So those are the frameworks of what we're starting to see.
But I think back to your question around how CIOs really rethink: I think they really need to think about their security posture, the landscape that they're operating in from a market point of view, adopt AI as part of that defense mechanism, but the other thing is to upskill and educate the internal teams about the use of AI internally with external AI providers.
And what does it mean from a development point of view as well?
Cathy O'Sullivan: Yeah, that's interesting. The third-party risk as well. And look, it sounds like a lot of organisations think they're more secure than they actually are.
So what are some of those common blind spots that leave them exposed? You know, even when they think they're covered?
Collin Penman: I think, I mean, certainly our index showed that there was a gap between where the leadership of organisations were versus the actual employees.
And the employees: their awareness and the education training on the use of AI is certainly not there.
And I think that's, I know that's where our focus is, even within Datacom, is not to stand up a separate artificial intelligence, but how do we actually bring that into the current organisation processes, not only from a change management point of view, but from a governance and security and even a cyber awareness training, so that we actually now incorporate AI training.
And what does it mean specifically to the service desk, from a deepfakes point of view or from a phishing point of view? What do we have from AI around phishing for our finance teams? And what do we look for around that?
So really, it's to make sure that the development and the ecosystem around AI is secure, to educate and upskill the teams, but it's also around doing the right hygiene things, you know, patching, making sure we have early detection and continuous monitoring around some of the tooling.
And I know a lot of companies are moving towards a zero trust framework around multi-factor authentication and access to applications, and certainly that's where AI also adds a lot of value.
Cathy O'Sullivan: And I found the findings in the report around the human impact of cybersecurity really interesting. It showed that 61% of security leaders in New Zealand and 58% in Australia are dealing with cyber fatigue.
So can you talk to us about, you know, what is causing that burnout? What do you think organisations can do better to support their security teams?
Collin Penman: I think cyber fatigue is tough, right? I mean, we all take this personally. As a cyber professional, if something happens to the organization, we really do take it personally.
I think the causes of cyber fatigue are really that escalating threat landscape, so it's continuously being ramped up, and we're seeing more and more, obviously, adversaries trying to get into the organization, not from a breach point of view, but it's more from a compromise of users as the main, main access point. But we've started to see resource constraints, budgeting from a business point of view, as being very constrained.
We've seen that across a lot of the landscape of customers that we speak to, but other things like disconnect with leadership, and the finding really shows that gap.
You know, 71% of New Zealand leaders think that staff are cyber ready, but only just over half, or 51%, of employees agree. So there's always going to be a level of cyber education and awareness.
But I think also the employees are starting to be, you know, a bit numb to this, and we've started to see that tick-and-flick as far as compliance and the yearly annual attestation around cyber training.
So I think that's where we've really broken it down, to smaller engagement, gamification for individuals internally, where they're doing it from a cyber awareness point of view, but also focusing on the profiles of the business. So, privileged access users: what's their responsibility, and what are the short training courses that we need to do with them throughout the year?
What about the developers, from an AI point of view, the use of AI open source technologies from a libraries point of view, what do we need to do from the training on that side? But also going back into finance and HR, who are very targeted within organizations, because they're receiving emails from people externally saying, 'open my resume', as an example.
So I think training is 100% there. I think the other thing is that lack of recovery time, because we're getting, you know, so many incidents throughout the year, we're not having the recovery time to actually focus on that mental health point of view from an organisation.
Cathy O'Sullivan: You spoke about it a bit there, but, you know, we do hear that, you know, that disconnect, and that employees are the weakest link in cybersecurity. But, you know, you spoke about training, and maybe that it's not the right level of training for employees.
So what is the difference between a security training program that sticks and one that employees just tune out and tick and forget?
Collin Penman: Yeah, it's interesting when you come into an organisation and see a culture. And certainly, the way that we've looked at it is, how does training stick?
And so certainly there's been a lot of engagement with third parties around learning styles of individuals and what training we need to do from a cybersecurity point of view, so that that training sticks with individuals.
And I think I touched on role specific scenarios, I think, very specific within the business.
So it's just not a generic 'one fits all' type of scenario. I think if it's very tailored with the language and the nuances and examples of incidents that have occurred specifically with that specific portfolio or team within the organisation, that's what sticks. Hands-on and interactive is also, you know, gamify that with leaderboards and phishing drills, as an example.
But it just can't be one big awareness program for the year. I think breaking it down into short, more frequent doses, and swapping it into, like, five to 10 minutes, because that's where people's, you know, attitude as far as focus goes: anything more than 10 minutes, then the people have gone.
And the last one, I think, is that real-world context with continuous feedback. I think those are the things that really make the cybersecurity program stick with individuals.
Cathy O'Sullivan: So another area that the report looked at was around business continuity planning and cloud security. And the research from Datacom suggests that Australia is ahead in this area over New Zealand. So what are Australian businesses doing differently? And how can New Zealand companies catch up?
Collin Penman: I think there's been a stronger regulatory push from an Australian point of view, around the ACSC, and certainly they're reporting a larger increase of cyber inquiries yearly around that. But I think there's a larger investment from a tech point of view.
I can't remember who actually spoke about it. Effectively, the cybersecurity firms, Australian firms, are spending, you know, 6.2 billion in cybersecurity in 2014, and that's a jump of over 14% from last year.
But we see that, with continuity planning, only 26% of Australian leaders lack BC (business continuity) plans, compared to 67% in New Zealand. And I think this is a key indicator.
I think Australia, and the push from a regulatory point of view, but also the number of breaches that have actually occurred within the Australian market, has actually meant, from the board down, of these organisations, there is a question of, what are we doing from that resilience point of view? And business continuity planning is obviously where that fits into that governance of the organisation.
I think finally, around cloud adoption, certainly Australia has been probably a little forward as far as cloud adoption and a multi-cloud strategy, and I think that's where New Zealand is coming into the fold.
Now, obviously, with you being in New Zealand, we've started to see a lot more focus on workloads moving to the cloud in New Zealand as well.
Cathy O'Sullivan: Now the use of tools like ChatGPT and Copilot is becoming more and more commonplace, and I think your report found 40% of employees are now using these tools, but less than a quarter of them have actually read their company's AI security policies.
So, you know, why do you think that AI governance piece is lagging behind actual AI adoption, and what needs to change from that point of view?
Collin Penman: I think there's a few things here.
I think the adoption of AI really has outpaced a lot of the policy decisions and makers, and so certainly with our team, you know, raising the level of maturity of AI awareness before we write a policy, and actually engaging those teams who are doing a lot of application development and agent development. And we've started to see, how do we actually communicate with people about the security risks, and then actually have a policy discussion associated with that?
So realistically, I think there have been outdated security policies that haven't actually included AI, and my belief is that we shouldn't be standing up separate AI policies. We should actually be embedding them in change management, in patching, and in data security and privacy as well.
I think there's certainly a leadership blind spot as far as people wanting to adopt it and thinking that they're ready, but they haven't done the basics of, for example, data classification, you know, rolling out an internal AI agent, for example, that has complete access to every data and document internally.
Be surprised that, you know, people will go searching, 'oh, what's the payroll of this and this person', or 'is this customer', for example. So I think, you know, making sure that those blind spots and pre-work is done around data and risk as well.
So the governance associated with that, and I think the last one is around, if there is policy that exists, a lot of them are not AI ready. So development is a great example of that, and also the supply chain, which we've spoken about.
Cathy O'Sullivan: Now, Collin, I know you speak to IT leaders all around Australia and New Zealand, so I'm sure you encounter organisations that really are getting cybersecurity right, although none of us is ever, you know, impenetrable. So what are the ones that are the best of breed?
You know, what are they doing differently that you think others can learn from?
Collin Penman: I think there's a few things. I go back to the blocking and tackling, the cyber hygiene that we need to do. It's no good looking at new shiny objects if we're not doing the vulnerability assessments, we're not doing the patching, we're not doing this daily cyber hygiene and thinking on security first.
And so, I would say those who are doing security very well have got those programs of cyber hygiene and the day-to-day activities and the cyber-first mentality in the organisation. I would say that they're doing that correctly, and it's very proactive from the board and the GLT down; it's very proactive and not reactive.
And so people who are doing red teaming exercises regularly and doing phishing, as an example. And as I said, doing that cyber awareness training, not just once a year, but breaking it down into multiple components.
And I think the other thing is around that employee empowerment, the training being hands-on. But how do you think those phishing drills go if there's a deepfake coming in through an AI, coming through HR or into a service desk team?
So there's always that constant employee empowerment, to say, how do I report this? Or ask the question, you know, to say, this doesn't feel right.
How do I actually ask that, and make a mechanism of reporting and asking the question from a resilience point of view easier? Because if they have to go through multiple escalations to report the incident, and they want to know right now, hey, do I respond to this?
So making it easier for individuals around collaboration and the employee empowerment around that, and don't be negative if they've actually called out something and it's actually wrong. I think it's very empowering. And taking that as a use case from a learning point of view.
So always trying to act before the breach is a big one. Getting that leadership on board and making training stick are probably the key indicators of a successful cybersecurity program, and those companies that are doing it well.
Cathy O'Sullivan: So I've heard about CISOs being referred to as the Department of No, and, you know, security is often seen as a cost or a blocker to innovation.
So how do you think CIOs or CISOs can reposition cybersecurity as that business enabler rather than just that defensive function?
Collin Penman: Yeah, I think it's knowing the business, like, what are the key indicators of the executives that we're working with as peers, and what are they rewarded upon, from a revenue point of view, from a risk quantification, and trying to actually understand the business.
I didn't realise Datacom is such a large elephant, from everything from digital marketing agencies to SaaS-based applications through to managing federal and state and local government agencies, everything from desktop support all the way down to citizen engagement.
So such a large amount of services, and so I've had to learn the business to really understand how security impacts that business, not only from a level of trust and risk, but how does it relate back to revenue or revenue loss if something actually occurs from a cybersecurity point of view. And I think this goes back to a PwC study that I read last year, around 87% of customers ditching brands after a breach, so we need to be proactive.
I think the other thing is to enable faster innovation. AI is a great example of this.
So instead of saying no and being Dr No, how do I provide you a development environment that actually accelerates AI advancement, so they can actually try something and learn AI agents, provide obfuscated data for LLMs to be trained upon in an environment where we've got the guardrails of security and governance associated with it, so that they're not, you know, connecting to the internet.
It's a very secure environment, and if they want to then proceed into a proof of concept with a customer, again, we've gone through the security steps and engaged the gates of those developments as well.
And I think that's where we start to see cybersecurity going from a cost center to being a competitive differentiator in the market as well.
Cathy O'Sullivan: So look, it's still a tricky economic time for businesses, so with budgets under pressure, where should CIOs focus their cybersecurity investments for maximum impact?
Collin Penman: Yeah, I think going back to that cyber hygiene point of view, I think, you know, the employee training with teeth, you know, incentives around it, role-based, focused areas, and I think the more from the automation around incident response and the AI threat detection capabilities.
So we've started to see AI being brought in, not only from the products into a security operations centre, but also at a network level. So a lot of the AI components, from a threat prevention point of view, are now coming into those environments.
I think the other thing is just to make sure that security doesn't become obsolete.
Looking at legacy perimeter defence strategies and static compliance tools, it's no use doing compliance at that point in time throughout the year when customers are coming at us multiple times every month about, oh, what's your compliance status at this point in time?
So how do we automate that compliance and become more dynamic, and even empower the customers to come into a trusted site so you can actually see your environment at that point in time from a compliance point of view, and provide that level of trust? And the last one is, you know, companies don't like being the integrator, so instead of buying siloed point solutions, which is very disjointed and needs a lot of integration and a lot of resource management and training associated with it,
how do I look at more of a platform type of architecture that stitches and stretches the dollar further from a budget point of view?
Cathy O'Sullivan: And finally, Collin, if we're having this conversation a year from now, what do you think will have changed? And, you know, what are the next big challenges that CIOs and CISOs should be preparing for in Australia and New Zealand?
Collin Penman: Well, firstly, I'd love to have an interview next year. I think it'd be great to take what we've discussed now and actually see where it is. But I think how to prepare is really: lock AI down now. Look at the tools that people are using internally.
Look at the policies that we have. If there is AI development that's occurring internally, provide the guardrails and the safe place for developers to actually trial, and trial fast, and build out those proofs of concept.
Really look at security being a part of that process, instead of at the end of it saying, hey, let's now talk security. I think building resilience, not just defense. So it goes back to those business continuity guidelines and making sure that that's exercised.
It's no use having a plan if you're not exercising it throughout the year. There's always going to be a discussion around upskill or outsource, and I think that's going to be a very interesting conversation in the future, especially around AI, so that teams are not getting left behind through the use of AI tools.
And I think the biggest one is collaborate regionally. So, it's not only across Australia and New Zealand, but it's also across different industry sectors.
Some industry sectors are actually doing it, you know, are more advanced from a cybersecurity point of view: infrastructure as code. They've passed a multi-cloud environment, and now it's infrastructure as code, and developers are now pushing all the way through from code to cloud capability.
So the collaboration across not only regionally, but also from an industry point of view.
Cathy O'Sullivan: It's going to be an interesting 12 months ahead. Collin Penman, Chief Information Security Officer at Datacom. Thank you so much for your time today.
Collin Penman: Thank you, Cathy, and see you next year.