Cole Cornford
Hi, I am Cole Cornford and this is Secured, the podcast that dives deep into the world of application security. Today, I have Kat McCrabb. She’s absolutely brilliant, incredibly smart GRC professional. She runs a consultancy called Flame Tree Cyber, and I was really excited to bring her on because I know that her discipline is in the education space, specifically in schools, and some universities, and federal government. What I liked about Kat is that, not only is she also previously a Novocastrian, but she has a little bit of a sardonic sense of humor, but also brings a wealth of knowledge and experience into these conversations. So I hope that you have a fun time listening to her, and go say, “Hi,” to her if you are up in Brisbane. I’m sure that she would love to have a coffee with you or essentially get bird spray and spray you with those, because we see them at all the coffee shops where the crazy ibises are now anyway. So, right, enjoy.
Hello everybody. Today I am joined by Kat McCrabb, who is the founder of Flame Tree Cyber. Kat, how’s it going today?
Kat McCrabb
It’s really good. I had my air conditioning repaired earlier today and life has really improved since then.
Cole Cornford
Yeah, air conditioning, I would like to get the ones you stick on the walls, and you have to get the stuff on the outside, but we have ducted, but the problem with the ducts in my house is that they’re all yellow and from 1910.
Kat McCrabb
Oh, yes.
Cole Cornford
And so the guy, I’ve had two air conditioner blokes come over, walk into the ceiling, look at me and said, “Oh, mate, she’s carked it.” It’ll be like a billion dollars for me to fix and they can’t be bothered, so I’ll see you in two to three years, so-
Kat McCrabb
Nice.
Cole Cornford
And at that point, I’ve just said, “I guess the air conditioning isn’t happening.” I don’t really have anywhere to put my air conditioners so that they can have the outside, face outside and the inside in the house. So it’s probably a significantly worse problem for you being in Brisbane, right?
Kat McCrabb
I’ve made do, it’s been most of the summer, but I will confess, it’s nice to have a little bit of climate control.
Cole Cornford
I guess, what we do is we just go to libraries and customer sites, and then we’re okay, right? We don’t have to worry about our own air conditioning, we can leech off everyone else’s.
Kat McCrabb
Fair enough.
Cole Cornford
So that’s the purpose of Westfield, right?
Kat McCrabb
That and the cinema.
Cole Cornford
Yeah, that’s it. Sit in the back of the cinema, to, I’ve just go take a Zoom call, and it’s nice and dark here, full cyber. So don’t worry, no one’s going to watch this movie. Who comes to cinemas anymore? But anyway, moving away from those niceties, do you want to give everyone a little bit of a background besides being someone who recently acquired air conditioning, one of the greatest things you could get in Australia?
Kat McCrabb
Yes. So yes, my name is Kat McCrabb. I started out my career in federal government. I was there for about 12 years, and then I moved into Brisbane Catholic Education in their CISO role. I had a really significant program of uplift there, and most recently I’ve started Flame Tree Cyber with the intention of helping as many mission-driven organizations as I can.
Cole Cornford
Yeah, so did you want to expand on that a little bit? When you say mission-driven organization, what does it mean to you? Because a lot of people might think it’s because they’ve got a charitable purpose, but others, their mission is just to make shit tons of money, so-
Kat McCrabb
Yeah. Well, yes, valid point. I’m looking more at the organizations that have a purpose that isn’t purely driven by financials.
Cole Cornford
Yeah. So what kind of organizations, for my audience, are your perfect customer bases?
Kat McCrabb
So I work with government, with organizations that support government, in the non-for-profit area and healthcare, those sorts of industries.
Cole Cornford
Yeah, I think it’s quite challenging to get access to good cybersecurity advice and especially for those sectors, because often they’re priced out of the market or they’re grappling with just a lot of problems that bigger businesses have invested in projects and uplift to be able to take care of. But it’s harder to do that when you’re an NFP or government agency.
Kat McCrabb
Absolutely, and often they have these fairly, let’s call it, prescriptive control environments or frameworks that they’re trying to align to, and that can just add a whole layer of complexity to managing cyber in those organizations.
Cole Cornford
So when we say, “Prescriptive controls,” what are we talking about here? Because-
Kat McCrabb
Yeah, well, the best example of that is the frameworks and control environments that government have to operate within, and equally, if you’re a critical infrastructure organization, your supplier to government. So the ISM, that’s really quite rigid, and then when you move into the critical infrastructure area, you’re looking at aligning to the Essential Eight, which are your level two now. Similarly, if you’re a supplier for defense, you’ve got the DISP environment that you have to operate within. So if you’ve not got a cyber background or a technology background and suddenly you’re obliged to operate within that framework, there’s definitely a lot of value in getting external advice.
Cole Cornford
Yeah, I find that there’s been a definite uptick in companies that accelerate compliance outcomes, so the Scytales and Vantas and all of them of the world, to try to assist with this. Do you think those companies are helping to get people to just achieve those outcomes, or do you think those companies are meaningfully improving security?
Kat McCrabb
I think they’re doing a really good job of getting people to increase their compliance. That’s very helpful, but sometimes organizations need to take a bit of a step back, understand the threats and their risk, and that is a more meaningful benefit to them, to improve their risk posture or their threat posture and understand exactly what the cybersecurity concerns are for their own organization.
Cole Cornford
I guess, you say, “Threat posture, risk posture.” What do you mean by that? How does an organization determine what their posture is in the first place? I guess, having a compliance framework is helpful, but-
Kat McCrabb
It is helpful. It’s a reasonable start. In the threat modeling space, I quite like the MITRE ATT&CK framework, so using that to understand exactly who… Well, understanding who might be after your organization and you can get that information from research that’s available, or again, the consulting with expertise, and using those frameworks to understand exactly what techniques, threats might be using against you, ensuring that you make your control environment appropriate to mitigate those threats.
Cole Cornford
So with MITRE ATT&CK, because the threat intelligence space for me is an area I don’t really understand or pay terribly much attention to. I’ll be very honest about that, and the reason I’m like that is I figure that there’s just so much baseline IT quality management that we need to do. And I’ve just figured that if you’re a threat actor, yeah, you can have all of these sophisticated techniques, and procedures, and tradecraft, and buycraft even, or whatever, but if everybody just leaves large, vast sums of applications of basic vulnerability classes, like SQL injection or cross-site scripting, do you actually need to worry all that much about the TTPs when you can’t just get your ship in order?
Kat McCrabb
You raise a valid point and it is for a more mature organization. If you’ve got Windows XP across your environment, having a stronger understanding of who your threat actors are and your TTPs is… Your efforts might be better spent elsewhere. But equally, it can really help with understanding, if you’ve got a limited budget on controls, understanding the TTPs can help you to allocate that budget towards the area where you’re going to get the most value for money. It can also help you with determining what skill sets you need within your teams, so the expertise that you bring on, and making sure that you are defending yourself against what’s actually going to effectively target you, and the most likely outcomes of events. You can also use it when you’re looking at incident response. You might be mid-incident and you’ve got some idea of who your threat actor is, and then you can gain a bit of an understanding of what may have happened to perpetuate that incident, and you can start to cut it off a little bit more effectively, and target your incident response efforts.
Cole Cornford
Yeah, because you’ve had to be involved in a number of incident response scenarios yourself. It’s a sector that, I’ve taken active steps over my life to try not to participate in DDR situations. I’m happy to solve issues in advance, to strategize, to solve, to work out plans and roadmaps, and focus on protection and detection. And I’ve never really wanted to do the response or recovery remediation aspects. How has that been? Because I know that that’s something that you’re potentially going to be talking about at a conference I’m running later this year as well, the /NEW Conference, right?
Kat McCrabb
Great. Yeah, prevention is better than cure. A hundred percent, I’d rather spend my time in that space. I’d have less gray hair, but-
Cole Cornford
I think that everybody in cybersecurity either goes bald or gets significantly grayer hair. The funniest thing, I was looking at some statistics on my podcast recently, and I just looked at most of the... A lot of my male guests happen to be old bald men, and I wonder if they’ve all worked in IR capacities.
Kat McCrabb
Yeah.
Cole Cornford
So-
Kat McCrabb
Yep. I wouldn’t put money on it, but I’d be close to doing that. But yes, prevention, far better than cure. When I’ve done incident response, quite often when you walk into the boardroom, one of the earliest questions you get is, what happened? What went wrong? What can we do to fix it? These sorts of, let’s call it, attribution questions, and that’s not about assigning blame. It’s just, they’re coming from a place of wanting to understand. And so knowing your TTPs can be really helpful for understanding, it’s this threat actor, this is likely what has occurred, it’s a common technique that they use, this is likely how it will play out. We have triggers for responding to those events that we anticipate will happen when the threat actor enacts their usual path, and this is the plan that we’ll use to bring our systems, contain the incident, do the remediation and recovery activities. So when you can use a framework to anchor that conversation, it first of all helps to demonstrate your credibility, and it builds confidence, and then it helps guide decision-making.
Cole Cornford
Yeah, it comes up in a lot of my conversations, am I spending my money effectively and where do I need to be spending it to get an adequate level of protection for my investment? And because I know that as a cybersecurity professional, we often think in terms of capabilities and coverage, I think that most executives don’t really like to think in terms of assets, and not as assets protected? It’s more about is my business able to execute safely and what’s the cost if something does go wrong? So how do you go about using a framework like MITRE ATT&CKs to apportion costs appropriately?
Kat McCrabb
That’s a difficult one. I’m not sure I have a straight answer for you there, because there’s-
Cole Cornford
That’s the thing. There’s a reason that you have a CISO-level role is because you can have those strategic conversations and it always goes back down to diagnosing what the problem is, right?
Kat McCrabb
Yeah, absolutely. That’s right, and understanding the organization’s priorities, and their risk tolerance and appetite, and prioritizing your efforts where the business’s priorities are. If I spend time and effort on an area of the organization that is a lower priority and something happens in the critical system space, that’s a very difficult conversation to have with the board when you’re asked those questions. In the education space, the greatest priority was in protecting students and their welfare. So that’s where the majority of efforts went. If I had spent some time working on let’s protect the financial system and something happened to a student, well, first of all, I’m not sure I’d be able to sleep at night for a long time, but secondly, I know I’m going to get asked questions about that because that is the priority.
Cole Cornford
I think that’s one of the reasons that the CISO role is quite challenging is you need to be able to take a step away from any of the technical context whatsoever, and actually really, really meaningfully understand what your stakeholders across your business do care about before you go about anywhere near building a security program. I guess then, rather than thinking about, oh, where do I portion costs? What would you say is a good way to then present this information to those stakeholders to convince them to spend money? Because this conversation happens a lot. I speak with a lot of head of securities, security managers, even CISOs and smaller, they have a CSO title, but they’re in a smaller business. If they’re in a big business, usually they know what they’re doing, and they say, “Oh, how do I get more money?” Or, “How do I convince people about the need for this?” But yeah, framework makes sense, but what’s been successful for you other than just crying wolf, which I think personally is ineffective, so-
Kat McCrabb
I would have to agree with that. If you start crying wolf and it never happens, you’ve lost trust, and you’ve lost credibility, and it makes every subsequent conversation really difficult. I like to leverage other stakeholders in the business. I go speak to legal, I speak to heads of risk compliance, assurance, internal audit. They’re going to help me to build my context of the organization’s priorities. Audit is a really great example because you can speak to them about, well, what areas of the organization do my board or executive want you to provide assurance over? That helps me to understand priorities. Whenever you can anchor the security conversation or the technology conversation to those organizational priorities, you’re a step ahead, especially if you can have those business advocating on your behalf. You can speak with legal counsel about the privacy risk. You speak to your fraud team about digital fraud that’s enabled, or fraud that’s enabled through technology, and just help build that holistic picture across the organization, that technology is an enabler of most business functions and when it’s at risk, business functions are at risk.
Aligning really strongly with the enterprise risk framework is also really beneficial. I look at monthly metrics and measures, and ensure that they align with the enterprise risk framework, the metrics and measures that are easily understood. It also becomes a bit of an education piece for the board. My report goes up monthly. I’m going to use that as an opportunity to explain why multifactor is important. Anchoring it to current events in the news is really important. I never waste a good crisis. So when Optus, Medibank, those are the two really common high-profile examples in Australia, when those occurred immediately, executive briefing, this is what we believe happened in those organizations, and this is how we’re postured against those threats and risks. All of that helps to build confidence and credibility, and then when you do say, “Look, I’ve got a concern in this area, it relates to this enterprise risk. You’ve had an audit report in that area that has also demonstrated a weakness. I think it could be exploited through X, Y, Z. May I please have funding?” Very often, you will receive that funding.
Cole Cornford
You got to be able to be logical and back it with data from different business units, so you can show that you’ve done your due diligence, right?
Kat McCrabb
Exactly.
Cole Cornford
You’re not just saying, “I just really need to get a SIEM.” It’s really important.
Kat McCrabb
Yeah, it’s a fun tool, it’s retention strategy.
Cole Cornford
Yeah, it was just so good. I went and had drinks with these guys and they just said to me, “Buy the SIEM,” and now I just feel like I need to. It doesn’t work so well when the board’s like, “So it’s a little bit of questioning because this one’s a bit expensive now, so…”
Kat McCrabb
Yeah, especially, yeah, if it’s got a lot of OpEx and the OpEx increases every year. But I also like to really demonstrate that you’ve tried to get value from the tools that you’ve already got. I think that’s really important when you’re requesting funding.
Cole Cornford
Yep. So I know that you mentioned doing things that are incredibly relevant for the business, and I know that, and some of my previous guests have been all over the different shop. And then I guess, even just in my business, I interact with companies from either really small businesses, they’re just starting up, to really big established ones. And the conversations I have are so different between the two. Some places when I speak to them are not… They just figure that they can just pass off all the risk to cyber insurance and it will solve all of their problems, right? Or they think that, yeah, my biggest issue is being able to ship products, when actually the biggest issue is if their Instagram account gets compromised, then they’re not going to get any funnel and then they can’t, because no one is getting any marketing. No one’s going to come to the website, and in my view, that’s more backbreaking than anything else that they could be doing wrong.
Then you’ve got the big businesses who are saying, “Oh, we just have hundreds of billions of dollars of gift card fraud happening constantly. We don’t know what to do about it.” Right? And you’re like, “Gift cards? Gift card preventions. Get gift card expiries. Get all of these different weird things to do with gift cards I would’ve never thought about, except for the concept of a large retail business.” Right? So I always enjoy that, and going back to what you really do care about, which is not so much just making big companies make more money in a safe way, is that mission-driven one. What would you say, if you have a company with a very specific mission, would you always be aiming to just make them achieve the mission and have security controls that align with that? Is that the most important thing in your view?
Kat McCrabb
I like to look at the desired business outcomes and often they’re mission supportive, but sometimes they can be a little bit adjacent. So you may have an organization that has their core service offering, but one of their business objectives is to offer donations to a particular community or something like that. And so, yes, I can offer you cybersecurity that helps you achieve your mission, or equally, I can offer you a security program that aligns with all of your objectives, not all of which might support your mission.
Cole Cornford
Yeah, and that’s always going to be a tough conversation, because sometimes to be able to achieve your mission, you have to be able to pull it back a little bit because you need to have some controls and guardrails in place. We can’t let all the IT people free to go off and do whatever or we’ll end up the United States. I just don’t think that’s where we want to be. So-
Kat McCrabb
We’d have some really shiny tools, though.
Cole Cornford
I do like shiny tools. I’m just going to have to go invest in lots of startups, and do angel investing or something, and just see what’s around, and just tell people, “Give me your shiny tools. Let me look at them.”
Kat McCrabb
I wish you luck.
Cole Cornford
Oh, we’ll see how we go. Moving away from shiny tools and then back to the federal government, but not to the united one. We’re going to talk about the Australian one. So I know you say you did a lot of work in the Australian Government’s sphere, and that means you must be incredibly familiar with the PSPF, the ISM and the Essential Eight. So I’ve always felt like the E8’s designed for fleets of thousands of Windows devices and Active Directory, Forest and Outlook, and so I’ve almost never looked at it. And the reason I’ve never really looked at it is because every company that I tend to service is going to be having fleets of MacBooks connected to a single OAuth provider that then has a bunch of different very bespoke SaaS services to deliver a very specific functionality, and everyone’s just doing software dev, right?
So it’s a very different type of environment and it means that when I have chats with a lot of government agencies who are focused on the Essential Eight, it’s a very, I talk past them constantly. I get it. I understand the value of patching. I understand the value of limiting administrative privileges. I just think that it’s not particularly relevant for a lot of the sectors that I participate in, and apparently that’s what’s mandated across all agencies. What do you think of Essential Eight and are there some limitations to it, or is it fit for purpose today?
Kat McCrabb
Yeah, it has its value. When it was first created and it was the top four, and I could be misquoting this very slightly, but they used to say it would mitigate between 80 to 85% of threats. And that’s a pretty good outcome, really, if that happened to be correct at the time. But we have changed a lot in the last 15 years. The move to cloud has been, I was going to say rapid, but actually perhaps it hasn’t been as rapid as I thought.
Cole Cornford
I still know places who would say, “Hey, look, it’s time for us to lift and shift.” I’m like, “Oh, God, what are we working in?” It’s lift and shift. I haven’t heard that term since 2015. Gosh, anyway.
Kat McCrabb
Some days I feel old, some days I feel young.
Cole Cornford
Hey, we’re young at heart and we’re still not jaded about our industry. We love it. We’re still having fun, right? So-
Kat McCrabb
Yeah, that’s a fantastic metric of success, isn’t it? But yeah, back then when it was the top four and it was 80 to 85% of threats, very appropriate for the environment in which we operated. Nowadays, shift to SaaS, likely less appropriate. It is very technology focused. It’s definitely not a comprehensive security strategy. There are a few people process controls in it, and I like to ensure that any framework I come up with, or even strategy, has those people process pieces of the puzzle filled in. User education is a really great example of that. We all say, “The user is the weakest link.” I say, “They’re your greatest opportunity.” Most organizations will advocate for investing in user education. The Essential Eight really doesn’t have very much in that space. So it had its place a long time ago. Nowadays, I’d love to see whether that 80 to 85% statistic still holds up.
Cole Cornford
Yeah, I actually really dislike when people say, “Oh, yeah, the users are the weakest link,” because then you’re basically victim blaming. I, personally, I just dislike it. The other thing I really dislike is the us versus them metaphors it creates, because by treating those people that you train as, effectively, internal adversaries instead of people who want to assist and help you to keep the organization secure. Why are we creating these walls and barriers?
So Essential Eight’s hard for me, because I speak to a lot of just smaller businesses, and it can be extremely hard to tell them, “Okay, so you have five laptops or something, and the need AF control on them.” And they’re like, “Oh, but I use it for my accounting, and I use it for my son’s school, and then he can’t use it for school, and then I use it for… Oh, of course, we’ll never tell the ATO that we’re using it for my son’s school, got to portion the device correctly, right? We’re good business owners.” No one in the ATO listen to this. Podcast is over. But other people, I know plenty of people, but I still… They’re going to be in situations like that where it’s not easy to just do something like disallowing everything on your device, because if you do that, then you’re in a situation where you can’t actually be nimble enough to respond to events or you’ll lock yourself out. And that’s even worse from a security perspective than being compliant.
I was talking to a school, funnily enough, up this way in Newcastle. I won’t mention which one, and the IT administrator was like, “Oh, well, we’ve been told to do multifactor authentication across all of the students’ laptops.” And I basically sat him down and I was like, “Mate, I don’t know how you’re going to do that because it’s just three things, is if you give students a hard token or whatever, they’re probably just going to, like they did with all of the bloody bikes and scooters and stuff you saw, just throw them into the ocean and laugh at you because kids are destructive and annoying.”
Kat McCrabb
No hat, no play.
Cole Cornford
Yeah
Kat McCrabb
just like that.
Cole Cornford
And then, well, what’s next is, okay, well how about biometrics? I’m sure that there’s going to be something about privacy-oriented with storing facial identification, or thumbprints, or whatever of kids. I just can’t see that working out particularly well. And then, you’re basically stuck, right, to having one factor, which is something you know, right? Or maybe give them a… But even if they say, “Oh, let’s use a mobile device or something,” well, all the schools in New South Wales have a ban on using phones during school hours, so how the hell is that going to work? So their compliance framework, you can never get beyond Maturity Level Zero because you literally cannot comply with this in any circumstances, because of the operating environment of the school. And that’s just schools. I’m sure plenty of other places have different types of constraints, but yeah, he walked away and did a big think, because he wasn’t sure how to tell his boss that he couldn’t do it, so…
Kat McCrabb
Fair enough. Multifactor’s really great example of the complexities of implementing the Essential Eight across industries, and in education it was… We didn’t do multifactor for students, we did it for teachers, but they’re not allowed to have their phones within the classrooms. So we had to have some creative solutions around where multifactor was enforced and where it wasn’t.
Similarly, application hardening or application control, quite difficult when you are in an education setting and there’s a tremendous diversity of applications in use. And I think it comes back, again, to that risk tolerance and appetite. We’ve got the CIA triad. Organizations will prioritize different aspects of that triad. In the education space, there was certain data of which the confidentiality of it was very important, but there were other aspects of the organization where availability was the greatest priority, and so you’ve got to really balance that across different environments, and the business objectives, and organizational priorities.
Cole Cornford
I know that I was chatting to another company that’s involved in the education sector, and we were able to do something with modifying data that students would love to increase for a very specific reason when they’re approaching university. And I was like, “Oh. Oh, this is fun.” And he’s just like, “Oh, no, this is backbreaking. Good God, we can’t do this.” So integrity matters too. It’s all about the context, right?
Kat McCrabb
Yeah.
Cole Cornford
And that’s why I always rail against compliance frameworks. So not just because I feel left out, because I do, I feel like Australia just doesn’t care about software security. We don’t have anything in any of our frameworks. Even the ISM alone, just has two lines saying, “Do the OWASPs.” And what does that even mean? What is do the OWASPs? Is it like do ASVS Level 3? Is it do the top 10? Is it follow, I don’t know, SAMM? What is an OWASP? And I don’t think that’s particularly helpful for any agency to just skip over it, right? But increasingly, all of these federal agencies are relying on digital services and building their own applications internally, and we just don’t have any governance or approach other than telling them to monitor applications that are running on the devices and patch the software, which it’s good. I just think the world’s changed.
Kat McCrabb
Yeah, and I think they’re a great starting point. If you’re an organization that’s never done cyber before, a framework’s a really good way of trying to target your thinking and your understanding, and build some maturity. But once you’ve reached a certain level of understanding, moving more into that threat/risk-based approach is going to really help you to target your efforts where you’ll get the most advantage from them.
Cole Cornford
So changing gears a little bit, because we’ve only got a little bit of time left. So I heard recently that you got some kind of position with AISA in Brisbane, right?
Kat McCrabb
Yeah. Yeah, so I’m on the Queensland committee, which is fantastic. I’m looking at how I can help contribute to BrisSEC and just build more of that community up here. Everyone, when they ask me, “What do you love the most about cyber?” My answer is, “Community.” So it’s really wonderful to be able to spend a bit of time giving back to the community, and hopefully move into some mentoring spaces as well. There’s a group up here that do mentoring for defense veterans and law enforcement officials that want to move in cyber. So I’m really hoping that I can help out a little bit in that space as well.
Cole Cornford
Yeah, so what are your plans for AISA for the year then? Or how long is your term? I don’t understand. I’ll admit that I haven’t joined professional communities. I’ve created them myself, so-
Kat McCrabb
Yeah, no, fair enough. It’s early days, and I’ve only been to one meeting thus far, but I’ll be contributing to the panel at the end of BrisSEC. So I’ll be facilitating that and putting my hat in the ring for a couple of events during the year. So if you’re from Queensland, you’re listening to this, you’ve got an idea for what you’d like AISA to do in Queensland this year, let me know. I’m more than happy to try and help out and make it happen.
Cole Cornford
Oh, well, I guess I’ll be hitting you up a couple of times then, Kat. So-
Kat McCrabb
Great.
Cole Cornford
look, everybody, you should all give some feedback to Kat, see what you can do to support growing the cybersecurity community in Queensland. I personally love going to the Gold Coast and to Brisbane, and seeing all my friends. In fact, one time I had a great experience with Kat because we got to sit down in a cafe together and we kept having all these bin chickens walking up to us. But at all of our tables, we had these spray bottles where you could just spray water with quite a strong force at these chickens, and they would just start walking away. And all of the bottles on them had bird spray written on them. So it was clearly their intention. It was just such a fun activity. So I encourage you to go to the Brisbane South Bank Waterfront, find that one cafe with a tealy light color, and then spray bin chickens repeatedly.
Kat McCrabb
We’ll admit it was a good way to start the day.
Cole Cornford
Yeah. Get rid of some of your cyber frustrations by shooting little chickens with water that are trying to eat your bacon and eggs in the morning, so-
Kat McCrabb
That’s it.
Cole Cornford
anyway, Kat, thank you so much for coming on the Secured podcast. It was great to listen to you.
Kat McCrabb
Thank you.
Cole Cornford
Thanks a lot for listening to this episode of Secured. If you’ve got any feedback at all, feel free to hit us up and let us know. If you’d like to learn more about how Galah Cyber can help keep your business secured, go to galahcyber.com.au.