In this episode of Secured, host Cole Cornford chats with Laura O’Neill from Fujitsu Cyber. Laura shares her journey from a pure maths and cryptography background through management consulting into the world of cybersecurity. She explains how she helped grow MF&A from a small team into a 70-person company before its acquisition by Fujitsu. Cole and Laura discuss the challenges of scaling a cyber practice, the importance of professionalising sales and board-level communications, and how embracing diverse, non-traditional talent can transform the industry. Their conversation offers valuable insights into shifting from a compliance-based mindset to a risk-based strategy that truly supports business objectives.
Cole Cornford
Hi, I’m Cole Cornford, and this is Secured, the podcast that dives deep into the world of application security.
Today, I’m joined by Laura O’Neill, who is one of the great cybersecurity professionals over at Fujitsu Cyber. She was really fun to interview. Her background was coming from a fairly different management consulting experience and then moving into cybersecurity and that gave her a huge advantage on professionalizing the conversations around cybersecurity. And she’s been able to eventually grow her firm with Mat Franklin, MF&A, MF & Associates, into a big business which then got acquired by Fujitsu and now she runs a lot of their cybersecurity operations.
Some of the things that we talked about like looking for non-traditional candidates. So, it’s easy if we just go to university and just always hire compsci or IT background professionals. She knew that we would end up with the same level of professionalization if we kept going down that path and has sought to look at other professional services and other disciplines and other entry paths to bring them into the industry. And last year, I think, MF&A won an AWSN award for being one of the most diverse and inclusive businesses within the country, so it’s clearly working for them.
Otherwise, we also just go into the nitty-gritty of GRC and why it can be quite challenging to go between the hard techy stuff and all the way back up to governance and how it fits in with the PSPF and the ISM. So, anyway, I hope you all really love this episode. Laura’s an absolute pleasure to interview. And if you want to go and listen to her, I’m sure she’ll be speaking around the country at many more events in the future.
And I’m here today with Laura O’Neill. How are you going today?
Laura O’Neill
I’m good, thanks, Cole. How are you?
Cole Cornford
Ah, fantastic. I had parent-teacher interviews in the morning and my daughter is very smart, and so, I’m going to absolutely take her to the Minecraft movie when it comes out in early April. And I have no idea what to expect except that everybody I’ve spoken to has told me that it is awful and it has Jason Momoa and Jack Black in it.
Laura O’Neill
I didn’t even know there was a movie coming out. And I have a younger brother who’s a dedicated Minecraft fan.
Cole Cornford
Well, I think you need to go to Dendy and watch the Minecraft movie, April 11, sponsored by Microsoft. Right?
Laura O’Neill
Yeah, I was going to say, are they sponsoring?
Cole Cornford
I’ll hit them up and see if they can just do it because I don’t think that a children’s movie is going to go for our target audience, but…
Laura O’Neill
Who knows.
Cole Cornford
Anyway, moving away from my kid being awesome. Tell us a bit about yourself and your background, how you even got into cybersecurity, Laura.
Laura O’Neill
Yeah. So, I’ll start with how I got into cybersecurity. I was in uni and I was doing a pure maths degree and I realized, I did not want to become a professor of mathematics or be an academic. And I took a course in cryptography, which was a field in mathematics. So, it’s pure number theory. I really enjoyed that. And it’s sort of the maths that underpins cryptography. And then, I was convinced I was going to work in cryptography and I wanted to work in cyber. And then, I found out there’s about four jobs in Australia in actual cryptography and ended up in other functions of cybersecurity. But that’s sort of how I got into the field.
In terms of my career today, I’ve worked both in government and in private sector, majority in private sector, and in consulting firms that work for government. So, I’m Canberra based. I’ve run a company that we sold about 18 months ago to Fujitsu Australia, and these days I’m head of advisory and assurance for Fujitsu Australia, which is governance, risk, compliance, strategy, architecture, and digital forensics and incident response.
Cole Cornford
Well, I won’t hold the Canberra part against you because I know a lot of very lovely people from there. And I mean-
Laura O’Neill
I’m also a born and bred Canberran, which is, people are always … Yeah.
Cole Cornford
Yep, you’re a Canberran, so yes, it’s okay.
Laura O’Neill
Yeah. Through and through.
Cole Cornford
There’s actually a lot of parallels to how I got into security as well, because in my third year of university I did a course called data security and I remember a few parts of it. A, I’m useless at mathematics, I’m entirely useless at it. I like discrete math, I don’t like any other math, and I like discrete math because it’s related to AppSec. But I thought the course was super interesting, learning not so much like Chinese remainder theorem or Euler’s totient and all that kind of stuff, which is probably incredibly basic small brain, tiny crypto math for someone like yourself.
It’s more that I liked learning about the algorithms and how they got broken, and it’s like the old algorithms, like the Vigenère cipher and DES, and what’s RSA? And all this stuff. And I was like, “Oh, this is all kind of cool.” And I know that I started looking for jobs in Newcastle in security because of it and I got laughed at by one of the banks who said, “What? We don’t do security jobs in Newcastle.” And then I moved to Canberra to go work at the tax office. Yeah.
Laura O’Neill
Nice. I’ll just say that I realized I wasn’t good at mathematics once I did it at university. You find the 15-year-old prodigies that are in your class and getting 100%, when you’re crying at the end of the midterm exam and you’re like, “I’m not as smart as I thought I was.”
Cole Cornford
See, the way that we deal with it is we pick a couple of things to be okay at and then we combine them together, right? So, that way we have a unique superpower. So for me, I guess it’s wearing pink shirts and being a podcast host. Right?
So, moving forward, I know that you said that you’ve built a company and that was MF & Associates, MF&A. Yeah, Mat Franklin & Associates.
Laura O’Neill
It sounds like a legal firm. Yeah.
Cole Cornford
Yeah, I was going to say, I wouldn’t say MFA is the acronym I would’ve picked for it, but I understand it’s his name, so it’s all good.
Laura O’Neill
We joked it was multi-factor authentication in the end because it was better, but-
Cole Cornford
I like that, multi-factor advisory. Yeah, let’s do that. Did you join that really early on, or were you-
Laura O’Neill
Yeah.
Cole Cornford
Okay, so you’ve been there since day dot, so you’ve seen it grow and then eventually get-
Laura O’Neill
Not quite day dot, but we were about six people when I joined, so I was the sixth hire. And at the time, I was the first hire into the cybersecurity practice to run it, so it was a management consulting firm. And then about two-and-a-half years later, we were 70 people when we sold. So, we had astronomical growth, which is great, but also quite complex to deal with. But yeah, I’ve been there through the hard part, I would say.
Cole Cornford
Yeah, that’s kind of a journey that I think I’m on the early stages of that, because I’m finding that getting a lot of larger businesses who are wanting to work with Galah Cyber for doing software security in different things, and I’m starting to see where the cracks appear as the business will get bigger, and I’m trying to prevent those.
So, what did you find were the challenges of scaling from a small business where everyone wears every hat to just say, around the 20 to 30 consultant mark? Because 70’s nuts, to go from six to 70.
Laura O’Neill
I think the thing was, and you’d know this, when you’re like a 10-person company, you can run on people and relationships. Everyone you’ve hired is someone you probably already knew to some extent in the industry or you’ve worked with before. And once you sort of hit the 15, 20 mark, you suddenly have to run things on processes and there’s not the inbuilt trust, and you start hiring people that you haven’t necessarily worked with before and no one knows. And I think that creates this huge overhead of management and process that you need to have in place. There’s also fun, exciting tax and all the requirements of what kicks in at what point in terms of legal requirements.
But I think, for us, we grew really, really fast and we’d never designed the company to scale at speed. I know there’s some wonderful people that do this for a living and they go build a company to scale it, to sell it, but we weren’t that. We were just planning to run a 10-person business for a long time, and instead we had to deal with lots of things.
And I think also when you hire the first few people, often they’re really passionate about the subject matter or the technical skillset that they work in. Not everyone goes into small business to be in management and leadership roles. So, you also sort of hit that point where you need to hire people that lead people as their core skillset, over just hiring people that are good at what they do. And that often kicks in at sort of the 20 people mark.
We also learned we should have hired admin staff a lot sooner. I think we were about 45 when we hired our first admin person. So, Mat and I were still doing invoicing, everything like that. Would not recommend. If you’re running a small business, I know it seems like an overhead cost to have, but it makes a world of difference versus spending your entire weekend on running the business and doing all the stuff in the background.
Cole Cornford
I make sure I try to … I take tasks and I say, “Is this something that is good for me to be doing? And should I be delegating this to either a third-party agency or should I be delegating it to a staff member who may not be as experienced? Or, is this something I really enjoy doing?”
Laura O’Neill
Cole, you’re way smarter than me. I should have asked you for advice before running a small business.
Cole Cornford
No. No. No. No. Because, I guess the way I’ve learned it is by screwing up repeatedly for multiple years straight and then having to learn about what I suck at and what I enjoy doing. There’s a concept I think of called unteachable lessons and you tell everybody, “Don’t date that guy. He’s bad news, don’t do it.” And then the girl’s like, “Oh, he’ll be all right.” And then she was like, “Oh, he was bad news.” And so, no matter how much good advice you can give to people about stuff, whether it’s financial or relationships or business or whatever, people just have to suffer through things themselves.
And so, I learned a hell of a lot in my first two years of running a business where I had no idea about anything about AppSec. Oh, sorry, about business. I know a lot about AppSec. So, I guess that operationalization thing is something I’m hyper aware of, as well as, I know that one of the big things I see with consultancies is that, because I speak to a lot of consultancy owners, often people don’t have formalized marketing approaches. They don’t have a formalized approach to doing repeatable sales. They don’t have the ability to have an operational process for everything from legals to contracts to sales to delivery to customer success afterwards. And it worries me when I hear the people and they’re like, “Oh, I’ve got 20 consultants in this bank.” And I’m like, “Great, have you done any of the other stuff?” And they’re like, “Nah, the bank takes care of me.” And I’m like, “Until it doesn’t. And then you’re bankrupt overnight.” Right?
Laura O’Neill
Yeah. 100%.
Cole Cornford
So, what would you say … I know you said admin is one of the things that was a scaling challenge for you. Did you have to do a lot of sales and marketing uplift yourself or did you focus on your delivery? What was the aspect you were most interested in?
Laura O’Neill
So, I did a lot of delivery, but I also did a lot of sales. And I would say we actually spent almost nothing on marketing. We had a website because you kind of need to have a website, not because it did anything magical, and that was the most basic of websites, but I think we also had the advantage of being in Canberra, and Canberra’s sort of a town built on reputation, and we did the majority of our work for federal government. Mat was the original founder of MF&A. Mat was well known in government. I was quite well known at that stage in government for cyber. So, we had a lot of pre-existing relationships we could build on. So, we didn’t do a lot of marketing.
In terms of sales, I think something that we were very good at and probably wouldn’t be as effective today if we were doing it again, is we sort of took an approach to running a business where we were not the hoodie-wearing end of cyber, and not in a bad way, but we looked at what all the big consultancies were doing and the professionalized version of what cyber is, because we were playing quite heavily in strategy and risk and doing a lot of work for senior executives. I couldn’t turn up to a meeting in a hoodie and be seen to be legitimate in that space.
So, we spent a lot of time working through how do we present well, how do we write well? And so, we actually won quite a lot of work off just coming across as professional at a point in time where I think a lot of cyber businesses were winning work just by virtue of saying they could do cyber and they hadn’t put the effort into, how do you do a shiny bid? How do you professionalize that aspect of what you’re doing around BD? So, we came off looking better just by virtue of we were trying on that front, when a lot of businesses weren’t at that time.
I think we’ve moved as an industry and we’re sort of in particular cyber CS coming in has probably made that evolution a lot faster in terms of professionalization of business development for cyber. But at the time, it was the fact we didn’t have spelling errors and things, had beautiful artwork in it as part of the bid, was revolutionary to clients. And we would ask them, “Why did we win?” They’d be like, “It looks like an adult had proofread it.” And I was like, “Okay. You could have told me we’re good at cyber, but I’ll take that as a winning factor as well.”
Cole Cornford
Yeah. I feel that there’s still a lot of companies who get by on pure technical excellence or on price, and I don’t want to play in those games. I never participate in that. I always want to come across and say that, “I understand business. I wanted to make sure that you have a great experience working with Galah Cyber. And I want you to feel that everything that you interact with us, from start to finish, whether it’s the collateral you receive from the marketing to the thought leadership that someone like myself would have, to the experience of an engagement and being communicative, writing professionally.” I don’t know any pen testing companies, other than myself, who hire full-time copywriters to actually take the documents and go through and hard edit them to make the executive summaries, funnily enough, written-
Laura O’Neill
Executive ready. Yeah.
Cole Cornford
Wow. What a crazy concept. The amount of executive summaries where they go into deep detail about how cross-site scripting works without any explanation about what does this meaningfully … How does this help the business make a decision about protecting themselves or investing in the future and controls? Nah, don’t worry about any of that. It’s a pen test. Who cares? It’s for techies, right? And so, I’ve always thought that that’s been a huge gap in the industry and something that I’ve wanted to … Which is probably why I get along with people like yourself and Mat.
Laura O’Neill
I started out my career, my first job, 50% of the time was on testing, 50% of the time was sort of in a GRC and architecture practice. So I quite early on, saw the difference with clients on how stuff was received and it made a huge impact to how I thought about it, because yeah, as you said, you could have the best pen test report with all the meaningful findings in the world, but if it isn’t digestible to people who actually make decisions and have money, which is senior executive, to do something about it, right? It’s never going to happen and it just gathers dust in the corner. And I think that’s sort of been a cornerstone about how you do business, but also how we did business as a small business.
Cole Cornford
And how you still do business at Fujitsu, right?
Laura O’Neill
Yeah.
Cole Cornford
So yeah, nothing’s changed.
Laura O’Neill
Correct. That’s how we still do business.
Cole Cornford
See, there we go. So, you said you started with management consulting before moving into cybersecurity. Does that mean that you’ve had a bit of a strength and advantage about having those board-level conversations? Because in my experience, talking strategy and risk and governance is something that cybersecurity professionals shy away from.
They don’t want to talk about, “How are we going to diagnose what the exact problem is that the business is suffering from? And then how are we going to create a north star and operational plan to move forward to address it?” Instead, they’ll say stuff like, “You need a WAF, you need a SIEM, you need a pen test.” And focus on controls instead of articulating how those add value in addressing the pain points of the business. So, has that been helpful to have that experience and elevate cybersecurity to that level?
Laura O’Neill
I think it was very helpful and I think also consulting probably gets a bad name at the moment, especially in Canberra. I think there is a lot of value in how you think about solving a problem in consulting of you’re never meant to narrow down and focus. You’re trying to holistically look at the big picture. People are better and worse at that. And I think something that cyber has traditionally suffered from as an industry is focusing on a very narrow problem set and having very tactical solutions and often technology-driven solutions to every problem.
And something that I sort of learned quite early on is in particular if you run strategy, you have the money for the future, and if you want investment in cyber, you need to be talking strategy. The board needs to understand what’s going on, or your senior AFR risk committee, et cetera, functions, because they are the people that make decisions around does that get funded or not? And if you can talk about risk, which is common language in business, right? You can talk about the risk in cyber and why that means something to the business, you’ll get the buy-in.
And we’ve taken that to, “Hey, yes, we do a lot of work in strategy and risk, but every function of what we do, we always think about, ‘Okay, how do we aim and target this or help get the connection at the right level to get the problem solved?'” And I think a lot of people in the industry still probably underestimate how important that is. Like, I’m sure you still see, and I still see, walk into a client and they’ve been given 12 different tech reports on problems and there’s a lot of overlap between those problems, but no one’s actually gone and articulated that in a way that they can take to their bosses or the senior responsible officer for a program or a project, so they are getting the buy-in.
I also think fundamentally cybersecurity is in its own little niche and silo. Cybersecurity is part of core business these days and cybersecurity should enable you to run in the way you need to run as a business. It shouldn’t be telling you, “No, you can’t.” And I think there’s for a long time been a big focus on compliance in cybersecurity and that’s probably driven by some of the standards that exist. But also, if you talk about some of the standards, the ISM, a lot of people think about that as a purely compliance function, but in both the PSPF and the ISM, it says you should take a risk-based approach because that’s how businesses run. And we sort of diverge and just go, “Oh, we failed a control, we’ve passed a control, and therefore, we need to spend money to make sure we pass every control.” And that takes away from the discussion of, “Is that control appropriate within the context you have, within the threat vectors that your business should actually be worried about?” Because you can never spend enough money on cybersecurity and you can never protect against everything. Right?
So, you have to have a really good understanding of what do you care about in your business? What’s the risk you’re running about the things you care about? And are you going to invest in fixing that, not just investing in compliance? Which I think is where a lot of organizations are at. And we spend quite a lot of time, I would say these days, talking to organizations about how to move from being very compliancy to being a lot more risk-based. And often, they then end up getting a more effective outcome when they go to their boards or senior executive because they’re speaking in a common language around cyber and it becomes a broader discussion about where is the business going and how do we manage all the business risks, not just cybersecurity on its own?
Cole Cornford
Yeah. I like bringing that pragmatism and having those top-level board conversations, and I really don’t like compliance-oriented ones.
Laura O’Neill
You and me both. There’s a place for it, right? But it’s too strongly in the narrative, I think at the moment, that you need to be compliant, not you should be managing your risk.
Cole Cornford
Because I find that with compliance, a lot of the time compliance is enabling a sales outcome or a revenue-based outcome for a business. So, let’s say that you need to participate in the federal government sphere, so then you need to probably look at Essential Eight compliance, or you’re participating in financial services, so you want CPS 234 or CPG 230, PCI DSS.
And a lot of those standards, I guess, they tell you to do a lot of things as a baseline, but they don’t meaningfully talk about, is this a good use of your money to be able to spend on that? Right? Because there’s ways to satisfy the control outcome or the control objective that aren’t necessarily oriented with technology. Sometimes it can be process, it could be training, it could be acceptance and just not doing anything about it. It could be delegation. But compliance often just says like, “Okay, I need a SOC, I need a SIEM.” It’s like, “Well, do you actually? Are you going to respond to events? Are you?”
Laura O’Neill
Yeah. I think my perfect example of this is always biometric systems, and I’ve done a lot of work in the space of biometrics, and none of the common standards that currently exist deal well with biometrics and the actual security you need on those systems. So, if you go and say, “Hey, we have a biometric system and it needs to meet the ISM and we’re compliant.” It’s like, yeah, it is a generalized baseline based off all systems. It’s not going to be specific to your particular system. And if you’re not thinking about the risks you run with major biometric systems, you’re not actually going to be addressing the control areas and the security you need to secure that properly.
But I think a lot of people just get in the mindset of compliance is the be all and end all. And I think that’s probably been driven by us as an industry, and to your point, the sales mechanisms around it, et cetera. We’ve enforced to clients that that’s how they should think about security, and then we shouldn’t be surprised we’re in the state we are as an industry, because we’ve been driving that narrative for a long time.
Cole Cornford
Yeah. One of my favorite small engagements I did a while ago where I didn’t win the work, but they came to me about a year later and they said, “I’m sorry, you were right.” Was with a school in the Hunter Region. Right? And then they said, “We’ve been told as part of Safer Technologies 4 Schools or something,” I don’t even know what that is, but they need to do Essential Eight. And then I said, “You can’t do Essential Eight.” And they’re like, “Why can’t we do Essential Eight? We need to do it. That’s what ST4S says.” I’m like, “All right, well, let’s talk about multi-factor authentication. You cannot do it. It’s legally not possible.” And they’re like, “Okay. We don’t agree with your opinion, so we’ll go off and do it ourselves.” Right?
And the reason I came to that conclusion was because there’s a legal constraint for school children in New South Wales to not be given access to devices during school hours. Right? So, you can’t have a mobile phone on campus. And so, if you think about that, that you can’t have something you have like with a text message authenticator application. I also know that school kids are little shits, so if you buy all of them a YubiKey, they’re just going to go throw it in the pool or-
Laura O’Neill
Yeah, you’re going to lose it straight away.
Cole Cornford
That’s just going to be a tremendous waste of money. They’ve got no respect for property. I’ve been a school kid, so have you, we know what’s going to happen.
Laura O’Neill
Yeah. Right.
Cole Cornford
And then, what are you left with? Biometrics, right? And let me tell you something, I don’t think that any parent or even government agency would be happy with like, oh yeah, I did my face ID with a kid to let them in to log into the computer. I feel like that’s got an entirely different can of worms. And what’s the risk for students to log onto their laptops? Well, I assume that most laptops and devices in a school context don’t allow particularly much to occur or have much sensitive information for a student to look at. But yeah, they tried to do Essential Eight, so good on them, good school.
Laura O’Neill
Yeah. I think also, the Essential Eight’s great, but it is incredibly costly and it disproportionately gets more costly as you go up the levels. So, often for small organizations or organizations that have a very small amount of spend on cybersecurity as part of their ICT spend, it’s unachievable. And that’s not to say that they shouldn’t try and focus, and I’m a big believer in both backups and multi-factor authentication where it makes sense. But if you’re asking small and medium businesses, I think it’s something like 90% of Australia’s economy is small and medium businesses, if you’re asking them to all have Essential Eight level one, it’s unreasonable. They’re trying to run a business, they’ve got various other problems and hey, maybe they turn over a million dollars a year, they’re never going to be able to implement it. But we sort of have this narrative of enforcing it.
And it’s not that I don’t think those eight areas are important and should be implemented, but you also have to be reasonable in your judgment of whether that’s actually required for something at that scale. And if you had to pick, what’s the one of the Essential Eight that you would actually implement for that organization to get the most bang for buck? And that will look different across different organizations and their core business and what they do.
Cole Cornford
And that’s why I like talking to small business owners and typically founders, because they’ll say, “Oh, I don’t know what to do about security.” And oftentimes I’ll sit down and I get to just draw out how the business works, and you’d be surprised how few times they actually have ever thought about how their business works. It just happens. Right? They never had to draw-
Laura O’Neill
You just grow a business and suddenly you have IT kind of thing.
Cole Cornford
Yeah. It’s like, “What is all of this?” Right? And I’m like, “Well, how do you get customers?” And they’re like, “Oh, they come through Instagram.” It’s like, “Okay, have you protected Instagram? Because if that’s where all your customers come from, then you’re not going to make any sales if you can’t have access to Instagram.” And they’re like, “Oh, I didn’t even think Instagram. I didn’t think that would go away.” I’m like, “Oh, you’d be surprised. Maybe a competitor just doesn’t want you to get any sales anymore. Well, they’ll hack into your Instagram, lock your account, and then suddenly you’ve got no pipeline and then your business will have a cashflow issue and go bankrupt.” Now, the problem is, I don’t think Essential Eight compliance necessarily helps you with securing your Instagram account or giving you a backup procedure for it. But if you’re like a shoe store, that’s probably pretty important. Right?
So, I love these conversations because it’s so far removed from technical IT stuff and it’s always just about, “Hey, how do you verify that someone’s sent an invoice to you that’s not silly?” Or, “How have you protected your bank feed so that people can’t just see what money’s coming in and going out and where it’s going to?” So, all those kind of conversations instead of … The other ones I like is obviously software, which we both know has almost no mention whatsoever in the Essential Eight, the ISM, or the PSPF. Yeah, it hurts me. ASD and ACSC, please add software security, it’s my business, but I’ll survive.
So, I know that one thing that you’re really keen on, and I know this is quite topical because we just passed International Women’s Day, is to talk a bit about diversity in the field. Right? And I know that you have been able to grow MF&A before it was acquired by Fujitsu, to have, what would you say, 50/50 or even better?
Laura O’Neill
Oh, our female identifying was 65% and that included our senior management layer, so every level. And we were 40% LGBTIQA+, and we were 40% disability, both neurodiversity and also physical disability. And I would say maybe one day once everyone gets diagnosed, we would have had much higher stats on that in the end. But that’s a journey everyone goes along.
Cole Cornford
Everybody in cybersecurity has some level of autism.
Laura O’Neill
I’m not sure that’s necessarily true, but I think it’s one of those things where you look at the makeup of a lot of teams, and even ASD will talk about this and has programs around this, of they have quite high neurodiversity and there’s a lot of functions of cyber and disciplines where the skillset alignment with the common traits of certain types of neurodiversity is very well aligned. So, as an industry, we should probably work out how we support those people, because as an industry we probably have incredibly high statistics on that sort of thing compared to some other industries where they wouldn’t have such representation in neurodiversity. I have ADHD, I got diagnosed about 12 months ago after being told for many years I should go get diagnosed. Me not believing people.
Cole Cornford
So, sitting in a chair and having a podcast and talking about the same topic could be very … It’s jittery for you, right?
Laura O’Neill
No, I think it was one of those things, I just struggled with a lot of things and I was like, “This is normal.” And then later found out that was not normal for a lot of people, but because I worked in cybersecurity, the norm of what I saw and what I talked to other people about, it seemed like the norm, but then it actually isn’t. It’s just, there’s such a high propensity of neurodiverse people in the industry that it normalizes it and that creates a weird sort of, “Oh, maybe I don’t have it and shouldn’t get diagnosed,” sort of mentality. That I think probably is a struggle for a lot of people because you spend so much of your life at work, if a lot of your colleagues are that and that seems normal, then you don’t necessarily know that not everyone has to do that.
And I think it also leads to a lot of burnout in the industry. There’s good statistics around both autism and ADHD and burnout, and we don’t really talk about how that impacts us as an industry and how we should be supporting people, I think, to make sure that doesn’t happen, because we have lots of people, and I’m sure you’ve seen it, Cole, who they hit a point where they just walk away from the industry or they spend 12 months off and don’t want to come back because they’ve been worked into the ground. And there’s also functions of cyber that can be highly stressful, I think, in particular, incident response. And we don’t necessarily do enough to support people that fall into those categories and to cater for neurodiversity that we have.
Cole Cornford
Yeah. One of the things that I’ve pretty much always, even though customers ask me for it all the time, is I’ve always drawn a line at IR on-call DFIR stuff, because a lot of IR companies often don’t have the skills to interrogate observability in Kubernetes or CloudWatch and GuardDuty, or look at instrumentation procedure calls through AppDynamics and so on, to actually tell what’s happening at an application level.
And so, it’s a software engineering skill. A lot of cyber people don’t come from that background, right? So, there’s demand for it. I just know that I would prefer to at four o’clock today, even though it’s probably pouring out rain outside, I usually take my daughter to go play tennis and just watch her hit balls badly back and forth for about an hour. And that’s really hard to do when you have to jump on an incident.
Laura O’Neill
Yeah. Actually, I’ve forgotten the lady, but there’s a lady who is doing research on this at one of the universities, I think, and her preliminary findings around this is people who are in on-call functions for cyber have the same level of stress as basically nurses and other frontline workers. And it’s not necessarily … People don’t think about it like that and the support structures you need to put in place.
Also, fun fact from AWSN, which we love, they have a lot of nurses and medical professionals who are trying to re-skill into incident response and have a lot of complementary skillsets around basically being able to triage and deal with high-stress situations, which I find fascinating because I’d never thought about it until it came up from Jacqui Loustau that they have a lot of people in that space and it’s a really good lineup of cross-skilling that we haven’t really thought through as an industry on how do we get more people in that don’t necessarily come through the traditional IT pathways?
Cole Cornford
Yeah, because the pipeline’s kind of screwed if we go through the traditional IT pipeline, because inevitably you’ll end up with 80 to 90% of men, and then just the sheer numbers are just stacked against women at that point. There’s almost no way to solve it at even a high school level, because women will self-select out and men will overwhelmingly move into those career paths. Right? So, we need to be looking at other professional disciplines and how do we move them into cyber.
Because like you said, you came from management consulting with pure math background. Management consulting I think has … There’s a lot to say about … Because you can always go and learn tech stuff. Right? The way to do it is you just pick up the book, you sit there and you fucking read the shit out of it, right? It turns out it’s hard to learn professional communication skills and being a person who can build trust and rapport with stakeholders and want them to listen to you and your advice and perspective, right?
Laura O’Neill
Yeah. We actually, we counted it at some stage and we had a point in time where 20% of our team had international relations degrees, which was great for us because we do a lot of governance, risk, and compliance and strategy, and they’re taught to think big picture and what is the problem at a global scale or at a country level, and then how to articulate that and write it in a way that everyone understands, not just them as an SME. And so, we did use to joke that our best hiring stream was people who didn’t get into the DFAT grad program.
Cole Cornford
Oh dear. I do like that you like getting people from just non-traditional backgrounds because for me, I try to do a mix. I try to get pure software engineers and then for every pure software engineer, I try to get someone from God knows where.
Laura O’Neill
I think a lot of people, we’ve come a long way as an industry and we maybe underappreciate how important non-same sort of thinking is. And if everyone in the industry has a software degree, for example, we’re all going to think in a very certain way. And I can guarantee you that the threats we face, not all of those people had a traditional IT pathway into the jobs that they have to be the adversaries, right? And so, assuming that we can protect systems by function of having groupthink isn’t going to work.
But I also just fundamentally think there’s a lot of skills that are soft skills or non-hardcore tech skills that are undervalued in cyber. And we’ve touched on it a few times about, how do you communicate to an exec and write something so an exec understands it? That has huge impacts in terms of the money that’s spent on cyber, the investment that goes in, but that’s not a skill that you necessarily learn in a software degree. I learned how to write doing a minor in philosophy when I was in uni, right? I didn’t learn from my maths degree, and a lot of people don’t learn from IT.
Quite early on when we were running MF&A, we actually stripped back the requirement to have an IT degree or certificate to get a job with us, because we looked at the stats and it’s something like only 10% of graduates in Australia with IT degrees are women. And so, yeah, I think you were touching on the 80, 90% are men, but you automatically, if you require that sort of certification, cut yourself down to 10% of your pipeline can be women. And that probably has meaningful impacts on other functions of diversity too.
And I think also we undervalue professionals coming mid-career transition. Accountants are really interesting ones. So, accounting apparently in Australia has pretty much 50/50 men and women, which I didn’t know. A lot of them have very good audit and compliance type skillsets and also risk management, and there’s a really good transition for them using those skillsets and being taught the tech end of it, to come into the industry. But we aren’t really thinking about it like that. A lot of people would be like, “An accountant can’t do cyber.” And I think that’s a fundamentally flawed idea.
Cole Cornford
My accountant always hits me up and says, “When can I come work for you?” Because she’s lovely, but she’s been running her own business for 20 years, right? And so, she’s just sick of having to do all of that.
Laura O’Neill
I like how that’s what your accountant says. My accountant is like, “Can you come work for me? You’re good at spreadsheets.” I’m like, okay.
Cole Cornford
You are good at spreadsheets. The amount of people at school, at even the parent-teacher interview today, they’re like, “Oh, you do cybersecurity, do you think you could help us with our IT rollout?” And I’m like, “I don’t know what IT is anymore. I’m sorry. That’s a different discipline. I just talked to CEOs about how to not get hacked.” And they’re like, “Oh, no, I understand. I understand.” Yeah.
But there’s a lot of really good points that you brought up there. I do encourage people to also get outside of what their traditional circles are. I see IT people go to IT meetups or go to cyber conferences and I’m saying to those people, “Maybe you should consider going to an AICD conference instead.” Or, “Maybe you should consider going to a rock climbing exhibition or a bridal exhibition.” I don’t know, just anything else.
Because last week, I went to this International Women’s Day event for the Gen Collective, and the Gen Collective is a Newcastle professional businesswomen networking event. So, it’s all about elevating women and helping network other professionals running their own companies like law firm partners, accounting firm owners, personal trainers, all these different disciplines. And I’m just like the pink IT token man in the corner, right? And I’m happy to be at these kind of events because if I don’t put myself in these situations, then I’m not going to understand what it’s like for a woman to go to a cybersecurity conference with seven and a half thousand black hoodies.
Laura O’Neill
I was actually listening to, I’ve forgotten her name, but she used to be the Australian women’s basketball coach, last week at an event. And she was talking about one of the things that’s fundamentally flawed about how we progress diversity is that we send a lot of women on women leadership training about how they should be women leaders, but often they’re not the problem that we need to solve and we should be redeveloping how we do leadership training or any type of training for everyone. The problem has two sides. And a lot of the narrative at the moment is women have to fix the problem. And I think there’s a very common saying around if you’re expecting the minority group to solve their own problem, it’s fundamentally going to fail because they’re already disempowered. And so, there’s this big onus on allies to get involved in the problem.
Another thing I always want to point out in these conversations is I think sometimes we focus very much on just gender and we don’t appreciate delineation on people that have intersections of diversity have it worse off. So, there’s a stat that came out in December from the US and it surveyed I think about 25,000 security professionals, and it’s probably applicable in Australia, but it was done in the US, and it was about how much people got paid on average. And so, it was something like $142,000 was what the average white male was paid, and then white women were paid 8K less than that on average. And then, women of color were paid 16K less than the white man, 17K less. So, the gap between white women and women of color was actually bigger than the gap between white men and white women.
I think sometimes we don’t appreciate that we have marginalized communities where they have multiple intersections of diversity, where it’s harder for them and there’s additional barriers we need to address and more things we need to do to address the problem, because we are not fixing the problem for everyone. We failed in the mission to fix the problem. And I think that’s the next frontier of how the discussion goes over just talking about gender or one function of diversity.
Cole Cornford
Yeah. I know one of the things I used to be quite unconsciously just not noticing whatsoever, was elements for disability to help people who have mobility challenges. And as someone who has to get a hip replacement in about two weeks, I have … Yeah, I know.
Laura O’Neill
Hope you’re okay. I watched my mum get a hip replacement and she was up and walking in like four hours, and I was like, this is not how I expected this to go.
Cole Cornford
Well, that’s what I’m hoping, but I know I’m going to be on all the nice, fun drugs. So, if you want to give me a call while I’m in hospital, let me know. I’ll be happy to have a chat with you. So, it’ll be a great chat, lots of fun. Maybe we’ll record a special podcast episode from there.
Laura O’Neill
One that’s heavily edited and only five minutes, but the call lasted an hour.
Cole Cornford
Yeah. But the thing with my hip replacement is the last four to five months for me have been awful, because I can’t walk particularly far and I can’t stand for a very long period of time. And basic things like getting socks on in the morning, I have to ask my daughter to help me put my socks on because I have trouble putting them on. Or, getting up and down chairs. A lot of the bathrooms in the country have railings in them that you would just not notice, but turns out they’re actually extremely helpful for someone who has hip issues, right? And you just think that, “Why are they here? I don’t understand what the benefit of this is.” But it turns out that it is tremendously helpful for someone like myself who after walking for 20 minutes through Wynyard Station, can’t sit down.
Laura O’Neill
I think it’s one of those things about listening to people and having empathy for other people and the situations they come from. And when we have people going into management and leadership roles and we remind them at various points along the way is, “Your job, first and foremost, is to listen to your team and listen to other people because if you don’t listen, you’ll never understand their experiences and the things that impact them, and then you won’t make good decisions on how to make the workplace better for them or help them solve the problem.”
And I think that’s super important because we won’t all experience the same thing. And even if you sit on the same diversity front, you might have entirely different experiences of that, but if you don’t listen and have empathy for other people, we’ll never build the how should this work for everyone model that we should have as an industry.
Cole Cornford
That’s it. So I guess, in closing, make sure to use your two ears and one mouth in proportion correctly. Well, Laura, do you have any parting thoughts to give to our beautiful guests?
Laura O’Neill
I would say, people should remember that security is an enabling function for the business, not a disabling function. And I think for a long time, cyber has been a, “Cyber says no. Cyber says you can’t do this.” At the end of the day, you are there to support core business, whatever that may be for your organization. Your job is to help them do that in a way that is as secure as it should be for their business function.
And if you are providing advice saying, “You should fix this problem,” and the business says, “No, I’m willing to accept the risk.” That is what it is. That’s what they’re paid to do. Senior execs are literally paid to make decisions about risk fundamentally as their job. And you should support that and then work through, “Well, what are the other things we can do to mitigate the problems?” Or, “How can we secure a different front, cost less money, et cetera?” Because yeah, as an industry, I think we still sit in the, “Cyber says no,” type category, and we need to move into, “Okay. Cyber says no, but if you don’t listen, how do we support you anyway to progress to where you should go?”
Cole Cornford
I think the best metaphor I’ve ever heard was about cyber is typically the handbrake to happiness, but you want to be able to brake when you drive your car, right?
Laura O’Neill
Yeah. No, no, that’s a great metaphor. I’m stealing that.
Cole Cornford
There you go. Take it to all your senior executive business leaders and be like, “Yeah, look, you don’t want to drive a car without brakes. Right?” Anyway, thank you, Laura, for coming on. It’s been an absolute pleasure to speak with you.
Laura O’Neill
Thanks for having me, Cole.
Cole Cornford
Thanks a lot for listening to this episode of Secured. If you’ve got any feedback at all, feel free to hit us up and let us know. If you’d like to learn more about how Galah Cyber can help keep your business secured, go to galahcyber.com.au.