The Story So Far: Inside Secured’s Growth and What’s Coming Next

Cole Cornford
Hi, I’m Cole Cornford and this is Secured, the podcast that dives deep into the world of application security. Today we’re going to be doing a little bit of a different one, just going to be talking about the podcast itself. Now next week or maybe next fortnight, we’ll be getting back into our usual programming and bringing different types of guests on. But basically about two years since I started doing the podcast, I’d just go through a bunch of different things about the podcast itself. We’re a little bit behind on recording at the moment unfortunately, because of a Cicada season. I live not far away from a bush reserve and it was ear-splittingly, loud cicadas constantly for the last three or four months, and I’m lucky I had a bunch of podcasts I’d recorded previously before then, but it’s really difficult to produce an audio show if all the audience can hear is a constant drone of mating rituals from little insects that come out of the ground for about two months, right?

They’re gone now. It makes my life easier and so I can record. So that’s great. We’ve hit 45 episodes. That’s a bit of an achievement. I’ve been trying to stick to one episode a fortnight for the longest time now. In the future, I do anticipate to try to go to weekly and maybe take a bit of a month break around Christmas, but I’m open to listening to your feedback about whether you want to have more frequent episodes of Secured or if you think the cadence right now is pretty good. I guess a few things I can ask you guys is if you like listening to the show, just like it, you should go onto Spotify or Apple Music or whatever and subscribe. Subscription numbers help me out and so do reviews of the show.

There’s not many at the moment, but I’ve got lots of feedback on LinkedIn and so on that says that people are really appreciative and they like the work that I do. It would be good if some of that also ended up in a public space as well. So if you’re happy to put your name out there and say that you support the show and that you like listening to the content, just write me a nice review. If you want to be mean, write a negative one or whatever. But in general, yeah, just take five minutes, write a review, give a five-star rating and just help me out a little bit if you can.

I love getting your messages of support and I want to get the show to keep growing, but the only way that it’s going to keep growing is if I get more exposure and that only really happens if I increase the cadence of which I do things and that there’s a lot of positive sentiment about the show, which can only really come in the form of reviews to entice people to want to listen as well as sharing it with your friends or subscribing to the show, which helps with downloads. So yeah, that’s pretty simple. Now, plans for the year. I’ve already mentioned moving weekly. So the benefit is that you get to listen to a lot more conversations with me. The penalty is that I need to record a lot more often and maybe you get sick of listening to conversations from me. So I’m open to hearing whether fortnight leaves a good cadence or whether you’d like to switch it up a bit.

I would look at getting sponsorship. Sponsorship enables a lot for this show. I’ve been running Secured myself out of pocket for the last couple of years and it’s always been a pet project I’ve really enjoyed doing. But if you know any companies or people who are interested in having a conversation on what that could look like, why not have a chat to me. So the main thing is that you’re going to get brand exposure to a lot of different people and you’ll be able to support the show. If we get sponsorship, we could increase the cadence, we could do the other thing which I want to do is move to video content as well and we can get some very special guests on as well. So yeah, let me know if you’re keen on sponsoring. And speaking of moving to video, yes, that’s on the cards and probably what you can see here, you’re in the Galah office and I haven’t decked it out fully, because I don’t really need to.

We have high production value, but I’m not going to go out and fork to get a special studio and travel to it and all that jazz. I’m pretty comfy with my Blue Yeti microphone I’ve had since I commentated Team Fortress two games back in 2009. I know 16 years, technology. Can’t believe it’s been built this long. Before this episode, I actually had to update my headphones and software and it was broken apparently. But yeah, we’re doing video content for a few reasons. One, it helps to show growth. So basically if we could get an hour of content, then we can turn it into shorter clips, like five minute or 10 minute clips, so we can then turn those into sharp, like 30 second to one minute clips. And when you have clips like that, you can distribute them in different formats out to email or maybe you can put them on TikTok or maybe you can put them on YouTube shorts or something.

And turns out that people have really short attention spans for some reason nowadays, so while most of you are willing to as part of your commute, listen to me talk for about 40 minutes or so, there’s a lot of people who otherwise wouldn’t really engage with the show because they only want to do five to 10 minutes, right? Anyway, that’s important. Growth is there. The other thing as well is people have been asking me for it too. A lot of guests have been uncomfortable with having video recorded of them, but they’re okay with an audio version. But a lot of the listeners have hit me up and said, “Oh, why don’t you put this content on YouTube as well? It would be good to go back to it instead of having it kind of secluded in podcast networks.” And I’ve been thinking about that for the last couple of years.

I didn’t really understand how easy or hard it would be to move to video. And the reason is because I thought from an editing perspective it’d just be just hard. And the way I got that into my head is whenever you watch a clip or somebody and they’ve decided to edit it’s usually quite stilted and sharp. If you’ve seen any of those 30 second or one minute videos where they’re talking about some kind of cybersecurity content, it just looks like a stream of 20 to 30 different shots taken here, here, here, and here. And I didn’t really like that. I wanted it to be more of a continuous conversation. And so when you do audio, all the dead air, all of the dead coughing and spluttering, all of the people thinking about their answers, all of the ums and ahs and ums and ahs and so on, you can strip it out and nobody will be the wiser.

But I have since learned by actually doing a little bit of research into how people do video editing, that there’s a few tricks you can use so that it can appear seamless, but you may not know it’s that way. And the most common way is I’ll just use these to give a bit of an example. We have two screens going, right, two screens, and if we record two screens, we’re not going to put both screens up simultaneously like the guests and the, what do you call it, hosts. Instead when we need to make a cut between things, what we’ll do is we’ll have one screen focusing instead of two. So you can cut out this person’s screen and just look at this person who’s nodding and not speaking and just smiling and stuff, and then you’re none the wiser.

The other thing you can do is just put an overlay over the top and if you put an overlay over the top, then like an image or stock footage or AI generated stuff. But I really don’t like AI generated content in general, but the main concern I had was creating stilted content. There’s a couple of tricks you can do to get rid of that. Yeah. Anyway, hopefully that’s explained some of why I was reserved about moving to video. Now, next, some fun stats for you all. I think a couple of you’re nerds who like listening to stuff, obviously when the show starts, it’s basically got completely no audience whatsoever. No one listens to it, no one knows anything about it. We’re two years into the journey. We have four and a half thousand unique listeners. So that’s people who across the world mostly in Australia, 80% of people here domestically, but 20% all over the rest of the world. The four and a half unique people listening to the show, 7,000 downloads of it, which is a pretty good amount.

Most podcasts barely get 20 to 30 downloads. So it shows here that there’s a little bit of an increase there. Engagement rate is at 65% and I’ll talk a little bit more about that, but basically it means how much of an episode do any unique listener get through before they decided to stop? And typically the reason the engagement rate is low is because the content is bad or it’s too long or it just doesn’t fit into whatever the podcast listening schedule typically is. I’ve looked at most of my episodes and I’ve kind of worked out a few reasons and we’ll talk about why I’ve changed the format because the engagement rate actually is increasing, but there’s a few specific episodes that have really bombed the engagement rate. That’s why it’s so low. But that’s okay, live and learn, and I have to make sure I bring in stride bad episodes as well as the good ones too.

Mostly men listen to it. It’s two thirds men, one third women. So I think I’ve done pretty good on, if you consider cybersecurity tends to sit around 15 to 20% women. So we’re actually having a bit of an increase, and I have to think that that’s because of the guests that I bring on to the show, as well as being respectful and kind and considerate of not just talking to a male audience. So now who wants to have a guess about the most downloaded podcast? Well, if you guessed Toby Amodio episode number one, you’ll be correct. There was 300 downloads for that episode in particular. But I will caveat with that was episode one, and I’m pretty confident that the first episode of a show is usually what people do. They go to the start of the back catalog, download the first show, give it a listen, see if they like it, and then keep going from there. So I figured that statistic’s a little bit harder to use. The highest engagement episode was from Sam Fariborz.

Now this is when she was an executive at Kmart instead of the chief security officer of David Jones. And the engagements for it is through the roof. It means that on average, most listeners listen to it one and a half times. So they went through and decided it was so good, I better start again and then listened to half of it, and that’s the majority of listeners had basically one or two listens to it. So Sam is phenomenal clearly. So yes, congrats to Sam for having the highest engagement rate across all of my episodes. Now, I’m not going to go into the worst engagement rates or the least downloaded ones because I just don’t think that’s particularly good to do so. I will say that my Christmas episode didn’t have a great engagement rate, but the reason is probably because it was two hours long. So we had 60% engagement, which meant that people listened to an hour and 20 minutes before they got sick of it and turned it off.

So props to all of you who’ve just decided to tough it out and try to listen until you got bored or your commute’s finished or whatever. But yeah, we’ve had to make a lot of changes to try to increase that and make the content more valuable for listeners over time. Let’s talk about a few other things. So diversity, one of the things I’ve been quite cognizant of from the very beginning, starting the podcast two years ago was that every other security podcast I listened to had basically two blokes in a bedroom, or they just kept inviting white Anglo males onto the podcast because that was what the majority of the InfoSec industry is. And so I wanted to make sure that, I don’t think that’s particularly representative of Australia, and so I wanted to spend a bit of time to do direct outreach to people I know going to contribute a lot.

I’ve ended up with a gender diversity split of one-third females, two-thirds males, which I think is pretty reasonable considering it’s about 90% or higher to men when you look at other industry podcasts, which I won’t name because I don’t want to put anyone under the boat. But yeah, that’s been pretty good. Our listenership is actually pretty, it’s not as weighted towards men as I would’ve thought, and that makes me quite happy. And on other types of diversity, we have different types of cultures. We have countries represented, because we’ve got Finland and America and Australia and Indonesia, Singapore, so a bunch of different countries as well. Ethnicities, cultural backgrounds. One of the things I’ve been a stickler for is representation from disciplines. So I’m not going to have, I’m an software security person. I’m always going to try to bring software security people onto my podcast, because it’s the area I care about.

But what I’m trying not to do is only have software security professionals because there’s so much we can learn from people who are in cryptography or in security engineering or who build businesses and so on. So diversity of thought is important to me. The only thing I’ve tried not to be terribly diverse on is waiting for experience. I kind of at a minimum want to have people I like, a senior to principal consultant level or higher, don’t really want to have university graduates, entry level professionals, even junior to mids have reasonably shallow perspectives on issues. And I think that the audience wants to get some really experienced people and it’s kind of hard to take that knowledge out when I could probably have shallow knowledge in threat intelligence just from being in the cyber industry for 12 years. That’s not terribly useful. So yeah, we have a very heavy weight on experienced people.

We will bring in juniors on occasion, but mostly we’re aiming for people who know what they’re talking about and have a great depth for knowledge in a particular category. Any seasoned listener will know that the format has changed quite a lot over the years. The simplest thing was that at the very beginning we just focused very heavily on stories. The reason I focused on cybersecurity stories is because I felt that we either went down two disciplines. We either had hard technical topics, whereas we just have, again, the two blokes in the bedroom talking about something, all news and current affairs commentary, and I didn’t find either of those is what I really wanted to be listening to on a regular basis.

It’s all good listening to how Lock Bit or whoever did something Savage Tiger, it’s not even a real threat intelligence name, but those kinds of things, people did something bad. Woe is me, the world sucks. Let’s all laugh and make fun of all of these different companies who are struggling because cybersecurity is hard, didn’t sit well with me. I don’t like to do those, especially, don’t like criticizing or pulling people apart. It’s just not my personality. I want to see everybody win. The other side, it’s a dry topic and then having to go into a very specific technical niche, it’s even drier. So you’d only end up with a micro niche category of let’s say OIDC PKCE. You’re going to talk about weaknesses for that. I imagine that there’s going to be a few AppSec practitioners who are specifically building authentication systems. I’m going to say that the majority of the people is going to turn off after five to 10 minutes or skip the episode, because it’s just too technical. And so I didn’t want either of those.

I wanted to focus on stories because as humans, we all relate to listening to individuals about where they came from, their backgrounds, what shaped them, how did they get to where they are, what kind of mistakes did they make. That’s all interesting to me. What I’ve discovered since running the podcast is that people care about the stories, but they also want to get value because we’re in an attention economy and there’s only so much time people can put into listening to podcasts, and that time is very finite now because for myself, I drive to go to Sydney once a week pretty much, and that gives me about two hours-ish, assuming I’m not on the phone, calling people up for work. And so I need to be listening to podcasts at a consumable within that timeframe. But otherwise, I’m at home and I’m not going to just put podcasts on because my daughter wants Gabby’s Dollhouse.

My other daughter wants Minecraft, and my wife wants me to watch television with her, so I’m not going to be putting on some nerds talking about the Semgrep explosion a few weeks ago. And so I’ve significantly shrunk down the story section so that we still get a good understanding of the individual and how they came to be. But then we focused on professional development, how do we give you the tools from that person so that you can take them into your everyday job and feel more informed about a particular discipline, cyber security or even just grabbing something that marketing from say Daisy Wong, and taking that into your AppSec program is just amazing. I wanted to also bridge between different types of disciplines. I think that everybody loves listening to fields that they’re not sure of, especially from experts. That’s been really good. I cut the bird question, you’ll laugh, but podcast analytics, you can see when people listen to the episode and when they skip forward and so on.

60% of listeners would skip the first five minutes of every podcast episode of mine, and that’s because the first five minutes worth, I’m talking about the birds. So what kind of bird are you and why? I think it was a good thematic, fun question, and it caught people off guard. They didn’t know how to answer it. Some of the answers ended up being repetitive and a bit of a cop out. We just kept getting owls and hawks and eagles and stuff over and over again, kookaburras, just native birds. I think at some point people say, “Yeah, I don’t need to listen to this. I’ve got only an hour of commute, so I want to listen to this podcast and this one, I’m going to skip these five minutes, because that doesn’t provide me anything useful.” So we cut that question entirely. We also did a fast question round.

Again, the same thing kept happening. Turns out that people who work in cyber security have similar interests and similar types of suggestions for books. And I kept asking over and over again and kept getting things like the Unicorn Projects or Phoenix Project, Code, anything Tim Ferriss, How to Win Friends, Strunk and White. It’s just the self-help books kept coming up over and over again. And so I think other than Jay Hira who answered something that was a little bit more religious, most people had very similar answers. And so we ended up saying that these kind of questions, these fast questions aren’t that productive for folk and they’re not getting much value out of it. Maybe there’ll be a different format that people could listen to in the future if we do an episode where I go out and quiz guests about all the books or something, rather than ask the guests at every single one of our episodes.

But yeah, and the last thing I think I’ve done is sharpening the conversations. So I like having a conversation. We’ll talk with people. I don’t want to sit there and interrogate them or interview them like, “Tell me about static analysis? Tell me about dynamic scanning? Tell me about cyber awareness?” That’s just not me. I like talking with people, not at them. And so one thing that we wanted to do was not let the conversations meander forever. So I’ve built a bit of a backbone and have started to cut people off a lot earlier and say, “Thank you. Let’s move on to another topic,” which you wouldn’t necessarily hear after we get out the edit, but it’s so that we can provide more value for your listeners earlier on. So yeah, I guess that’s a big thing is writing this, doing this podcast for 45 episodes, it’s been a lot of learning about what do people want to listen to and what do I enjoy doing as a host.

And I’ve been making sure I don’t give up what I enjoy doing as a host, because if I turn up to a podcast, I don’t want to be there because I want to do other things. Maybe I want to go kayaking or I want to take my daughters to the park, or I’ve got a lot of deliverables for work, then the podcast episode’s going to be terrible. So I always want to make sure I set aside time and it’s easy for me. That’s why I use a production company, distribution company. It just helps me out a lot. But yeah, I think that by making it easy for me and then always thinking about is this content valuable for my listeners and would I listen to this content and find value in it really helps steer the ship in the right direction.

Anyway, so what do I want to do for this year? Yeah, video, definitely video. Guests, I’m going to look at getting some more international people on. They’ve been some of the highest rated podcasts on my pod. Wozniak Bilka, was very highly regarded talking about supply chain security. So you should go have a listen to that one if you are interested. I also want to try to get more engineering founder types on because they tend to just be exciting and know what they’re talking about and a little bit less to the governance, risky compliancy, high level cyber policy, regulatory stuff. I find that I’m not smart about that stuff, but it’s kind of seined me over and over again talking about we need to make regulatory changes or it’s difficult to comply or maybe we need to have different governance structures. I think the audiences tend to tune out a little bit and just skip over it.

I want interesting, exciting stuff. And founders and engineers tend to be a lot more passionate about those kind of topics instead of reserved and articulate and that’s what you want out of a podcast, a fun conversation. Not one where you’re like, “Oh yeah, I’m talking to this person and it’s really boring. I don’t want to listen to this anymore.” But yes, so international guests throughout the conversations, more engineers, more people who are adjunct to cybersecurity. Hopefully weekly. Maybe we’ll get some advertisements if we get some sponsors. Sorry about that. But it makes the show sustainable. Yeah. Anyway, I hope that this has been a useful episode to give you a bit of a rundown about the different bits and pieces that are going on in my world, and I hope that you can stay tuned for this year in Secured. Thank you. All right, have a good one.

Thanks a lot for listening to this episode of Secured. If you’ve got any feedback at all, feel free to hit us up and let us know. If you’d like to learn more about how Galah Cyber can help keep your business secured, go to Galahcyber.com.au.