From Physics to Cybersecurity: Antonio Deliseo’s Journey from Goldmines to Telstra

Cole Cornford

Hi, I’m Cole Cornford, and this is Secured, the podcast that dives deep into the world of application security. Today, I have Antonio Deliseo on the podcast. Antonio is currently working at Telstra. He’s been in the inflation security industry for a long time. He refused to tell me how long, but he has a lot of historical context and wisdom that he imparts in this episode.

One of the things I was really excited to be talking to him about was just dealing with stakeholders, whether it’s managing up or managing down, understanding how effective governance structures look. If you are a policy wonk, then this is probably an episode for you. So without further ado, let’s get into listening to Antonio’s wisdom. And I’m here with Antonio Deliseo. How are you going mate?

Antonio Deliseo

Yeah, doing well, mate. Thanks for having me.

Cole Cornford

That’s no problems at all. I’ve had a bit of a shocker morning. I’ve somehow woke up and ruined my shoulder. I don’t understand how I’ve done it, but you just get those days where you just wake up and nothing’s working.

Antonio Deliseo

I get those more frequently than you do it, at this stage. I know how it happened. It’s a general part of the decay that comes with life, but it’s still reasonably good. I mean, I’m actually looking at a hip replacement, so that’s what happens, but that’s part of managing the risk of living, so it’s all good.

Cole Cornford

Yeah, you’re right. The gradual decay.

Antonio Deliseo

Gradual decay. I’ve got a second law thermodynamics, so everything is tending to randomness, so.

Cole Cornford

And enough about our ill health. Tell us a bit about yourself and Antonio.

Antonio Deliseo

So obviously I work in cyber. I specialize in GRC right now, and loving it. Get up most days very excited, and enjoy the challenge that cyber security gives you. It’s still one of the best roles you can have right now, I think, and I obviously actively encourage people to get involved with it. It’s all of the excitement of solving mysteries and puzzles, able to chase after the bad guys, and able to just keep building defenses, which is great. And there’s lots of scope to it, so if you want to focus on one specific area, you can, and if you want to focus on something else, it’s there available too.

Cole Cornford

So how did you get into GRC? Where did you come from? What’s your background?

Antonio Deliseo

So I did a degree in physics many years ago. Ended up working whilst I was still studying in the physics lab, they were running their tests, I was working on helping them with their data and helping with their IT component. Because a lot of these guys, brilliant in physics, probably catching up with computing at the time. This was in the early 80s, so did a lot of that. I ended up working, one of my projects was on telescope positioning, bit of software, so it was all in assembler, and we were helping telescopes get into position a lot quicker and cheaper. Ended up observing a supernova, and wrote my little thesis on Supernova 87Am it was published by the Smithsonian. So-

Cole Cornford

Oh man, I love these kind of stories where people don’t just say, “Oh, I got a computer science degree, and then I started building web applications, and then I did pen testing, and now I’m in security.” Instead it’s like, I’ve done cool, interesting things with physics and telescopes. A while ago I had Michael Collins on, he’s the CISO at Judo Bank, and he said that he spent the first 20 years of his career being a naval instructor and diver. So all he would do is go diving underwater, and it eventually messed up his ears and he had to find a new career, and said that, “Microsoft’s doing something in the early 2000s, maybe I need to look at that.” So keep going. Sorry, I digress. I just think it’s really cool.

Antonio Deliseo

Well, I think it’s great because obviously, it is obviously the personality that you bring into these roles. We touch on something, I know you’ve mentioned this earlier in one of your other podcasts about this concept of an inch thick but a mile wide. And we need that sort of level of the ability to say, look, this is a different environment from here. And unless you’ve got that sort of background… So for me personally, I like to think, yeah, that inch thick, mile wide. I’m sure there are those guys who, and obviously you’ve worked with them, they know everything about one very specific set, and you will rely on them heavily for that. But you do know that they can’t really contribute in some other areas, but then that’s not what their specialize is, and when you need a [inaudible 00:04:24], you know you’re a specialist.

So yeah, I enjoyed it, it was great fun. Probably was going to go do more physics, but then got a job with a company called Honeywell in Industrial Controls, and met with my supervisor at the time back at the university and sort of said, “Oh, I’ve got this job, and it’s not too bad, but I still want to do my honors, do my PhD sort of thing.” Said, “What are you getting paid?” And I said, “Oh, about $30,000 a year.” At that time, $30,000 was serious money. It probably still is serious money now. He said, “I’ve got a PhD, I’ve been doing research for 12 years. I’m probably getting a little bit more than that. You should take that job, don’t come back.” And I sort of thought, oh, okay. It was probably good advice. Obviously I get the romance every so often pretending I was Dr. Tony would’ve been nice but, you know.

So worked in industrial controls, this was the biggest mecanos you have in the world. One day you’re at a factory that’s making cigarettes and you’re programming their little controllers, or the next factory you’re at a chemical factory, that sort of stuff. And obviously again, that scenario like, “Oh, you’ve got assembler. Hey, would you like to program our industrial controllers?” And it was one of those scenarios that you’ve got to realize just how lucky you get. Now, most of us are reasonably lucky, I consider myself luckier than most. That probably is my superpower, lucky and timeliness.

Cole Cornford

You’ve got to have a healthy dose of luck though, but you also need to set yourself up so that when there’s opport… You are creating as many opportunities as possible so that you can take advantage of the ones and have options. Because we all encounter lucky breaks every now and then, but it’s better to encounter more frequently because you set yourself up to take advantage of them.

Antonio Deliseo

I think the only other corollary to that is at the harder I work, the luckier I get. So I spend a lot of time, I did some martial arts, and I remember constantly looking for that sort of Karate Kid crane kick sort of thing. And my instructor said, “Yeah, look, you can look for that magic technique, but in the meantime, turn up the training and do your push-ups.” And it’s those fundamentals you still need to do. You still need to work, you still need to do the effort. And then when you get a break, gee, if you are able to get your hands on it, then appreciate it and run with it.

So yeah, so I joined a big company. I was flying around the place, flying around the world doing jobs and projects, and did that, worked for them overseas for a year. At that time in OT, physical security was cyber security, everything was air-gapped. We didn’t need to worry about that. So even though we were doing a lot of Unix work and a lot of networking, cyber security still wasn’t on the radar for us.

Cole Cornford

We still, like I was talking with Bruce Lauge earlier, who’s a really, really smart OT security engineer, and he was saying to me that the amount of mining companies or power grid companies that just think that having a lock on your stuff is fine, and the intermingling nowadays between IT systems and OT systems is crazy. Whereas back in the day they were completely separate systems, and they had no integration whatsoever. I know I come across that every now and then when people are like, “Well, I’m not too worried about, [inaudible 00:07:28] in a military context, because in a live fire zone or kinetic warfare, we’re not worried about the outcome of a system being unavailable.” And I’m just like, “Yeah, okay, I can see that makes sense.”

Antonio Deliseo

Not anymore. I remember we had a mine site that was monitoring production data, and what they worked out they could do, they could have… They did some integration. They had something over here tracking gold price. It was a gold mine.

That’s something over here tracking the ore extraction rate and the percentage ore quality rate. So they’re able to basically say, “It’s costing us $300 an”… This tells you how long ago it was. “It’s costing us $300 an ounce, and we’re currently making $360 an ounce.” So they could literally say, “Hey guys, we’re going home for a week.” And their contract that they had with the team, they were on individual contracts, they could do that. Because what they didn’t realize was that suddenly someone in the office was able to open up a page within this, and they suddenly click something which turned a valve off and click something, and then suddenly we had conveyor belts just stopping out of nowhere.

And we’re trying to work out, where did this come from? Until we then realized that, oh, okay, so it’s someone in the office just having a cruise around our screens, and thinking they could stop something. And there was no say because the guys on the floor, the control there was, if you’re going to push the wrong button, you’re probably going to get fired. And that was the control that worked for so long. So suddenly we now said, oh, we had to put in a firewall so that we could control the flow of data. So I got to see that. Now it was probably the, oh, 90-something. I have to normally time this based upon how old, which of my children was born. So that was-

Cole Cornford

That’s going to be a problem for me one day I’ll be like, “I remember when we started Generative AI, and Monaco was about two years old.” Just in 20 years time, so.

Antonio Deliseo

Yeah, you need to have a certain number of children spaced out evenly so you could easily remember when something happened, otherwise it just doesn’t work out. So yeah, so obviously I worked overseas for a while, and then came back and then I said, “Oh, it’s time to start my own gig.” They were saying we probably need to have a few people who have been there for five, six years.

So I started up my own environmental monitoring business, working for a large copper smelter, and this is the first time we actually really got hacked. We used to have leased lines to send data from our remote monitoring equipment, looking at gas analysis of the air samples, pollution levels. And obviously these were very expensive in those days, $1,000 a month across 12 sites. And obviously having come out of the Department of Physics, I did some ham radio stuff, because that’s what us old blokes did.

I said, “You know what, we could put just a simple transmitter,” and we had a 200-meter high stack that we used to dump gas out of, pollution out. “We could just put a nice high gain aerial out the side of the stack, and even with a two-watt little transmitter on the back of our PC, we could go the 10K south and the 10K north, and we can cut this $12,000 a month out.”

And the factory said, “Yay, do it. We did it, loved it.” Of course, obviously someone else in the community who worked out, “We don’t like this factory being here.” And they didn’t, and we had a lot of people. They just started jamming us. We started losing our ability to communicate. We weren’t getting data, if we don’t get data you can’t produce. So obviously we had to do some analysis. This is before [inaudible 00:10:56], so we couldn’t monitor packets.

Cole Cornford

Yep, no packet captures.

Antonio Deliseo

So all we’re actually monitoring is monitoring signals into an oscilloscope and looking at, are we getting a good proper signal? And then seeing it go crazy, said, all right, we’re being jammed. Someone’s obviously worked out that they’re just broadcasting on these frequencies. We weren’t frequency hopping, we weren’t doing anything like that. So it was a hacktivism because they wanted us out because of pollution, environmental concerns. It was just that we had no controls around this and we just basically said, “Hey guys, come and frustrate us.”

So we got encrypted units from a company called Kingfisher, which they actually did encrypted signals. They actually did what’s called frequencies, and spread, and all that sort of stuff. I suddenly thought, oh hey, this is interesting. And obviously I’d read that book, The Cuckoo’s Egg.

And I’m sort of thinking, oh, okay, maybe this is what we’re seeing. So I kind of started working out, oh okay. So, did more see programming, and then a Unix reseller, the Unix distributor in Australia said, “Hey, why don’t you come and work for us?” So I did. So now I’m running training courses on Unix, doing networking, first into networking sort of stuff. So this is true, before slash notation was really a thing. This was true IP masking, every IP is precious, and getting that just right, and again, it was fantastic.

The big thing from cyber at the time was really around disaster recovery and backups. Again, so little connectivity, things weren’t getting hacked, but you know what, people were the biggest problem, and equipment failure was so high, disaster recovery was… And it really came to me, I was working for a company called Computer Associates and they had a big conference, and they had all these managers flying in, and they had people turning up. And one of them, the CEO decided he wouldn’t come out from the US, and a whole bunch of other people said, “Oh, well I’m not coming, so we can’t present our papers. So hey Tony, do you want to present the following papers please, because the speakers are no longer here?”

So I’m doing a paper on DRP, backup and recovery. I had the most experience of that of the guys in our team, and it was so full, literally out the door there was like 200 plus people turning up to me talking about backups. And this is at the time where backup robots were just happening, where you could buy proper little robots for a few thousand dollars. So ’97, ’98. And I’m thinking, oh yeah, this is where the money is Antonio, you should be doing this.

Cole Cornford

And then you’ve had a career in cyber security ever since that day then, right?

Antonio Deliseo

Basically.

Cole Cornford

Hopping around doing lots of different consulting here and there. And then I guess after spending a bunch of time doing technical implementation across a bunch of places, you moved more into leadership ease/GLC kind of space, right?

Antonio Deliseo

So I ended up working for a UK-listed firm running the APAC region. They were a vertical market integrator in the payroll, HR recruitment space. And obviously all these firms are needed because of suddenly huge volumes of data, big push into it, that they all needed the governance that came around that. And we were selling obviously our software, our services, but we were also selling this whole consulting side around DRP. And then suddenly someone says, “Hey, one of our staff trashed their PC deliberately when they left.” And we said, “Well, we can do forensics,” although we hadn’t.

Cole Cornford

Traditional consulting, right? Can you help with this problem? Of course, always, just tell me every problem. We can solve all of them. Disclaimer, my problems are APSEC problems I solve, I don’t try to play outside my lane. But I know most other consultants, they’ll be like, “Yes, happy to help. I’ll find a way. Give me money.”

Antonio Deliseo

And it’s also for the fact that they probably had limited people they could go. The reason they came for us is they could say, “I don’t want to go and get $5,000 approved as an expense, but I know you can do it, and you can bill me through our regular agreement.” So they’ve got other reasons why they need to work with you as well. So we’re suddenly now doing forensics, and it was great, profitable business, it was really valuable stuff. And obviously we then built web hosting, we had web solutions to update time sheets, and then obviously we suffer from the usual ID in the URL, and-

Cole Cornford

Ah, yes, bowler and IDOR issues. Yep, traditional web application security, my bread and butter.

Antonio Deliseo

Yeah. So suddenly we’re now thinking we’ve got to fix this. And so obviously this is that, they talk about that warfare sort of scenario about it’s a mutual, it’s an arms race. Well here we are rapidly skilling up as we are seeing these things in the wild. And obviously we started needing to do monitoring, so we are now deploying things like Elastic, or what was the early days of that, Snort and things like that, because obviously we couldn’t buy some of this kit… Or we couldn’t afford to buy these kits, and our customers couldn’t do it.

But again, we were always bailing out the boat, and I realized that we needed to start patching the holes. And there’s that scenario, when do you plant a tree? Well, 50 years ago, when’s the second-best time to plant a tree? Well, today. Once we then had to actually move truly to the cloud, because obviously the guys started developing a SAAS model. We had the traditional Unix green screen, so VT5-20s, still got some if anyone needs to buy some VT5-20s, got a couple lying around. But that sort of thing to PC running, emulators, to then actually Windows servers, all the way through to then now moving to the cloud. We then realized, and obviously we’re a publicly listed company, our board said, “Look, you’ve got to do this right. We need policies. Our investors are telling us you better get this right, or else.”

Cole Cornford

So that’s an interesting conversation there, because a lot of the time the board of directors and the management team, it’s often, I speak to a lot of security professionals who don’t understand the difference between what is the purpose of a board of directors, or what even is a board of directors, and what is an executive function, how they supposed to support the board of director’s vision. So would you be able to talk maybe in simple terms about what are their roles in cyber security?

Antonio Deliseo

Yeah, so I actually did the whole institute of company directors thing, was a fellow, I was on the board of a very large, not-for-profit child care company, board of a couple of sporting bodies. So when you’ve got the board, the board is responsible for which way the ship is going to go. So we’re setting the big course, we say, “This is how we go, and this is what we believe in”. And unfortunately I’m going to use terms that I hate like North Star and Wheelhouse, which annoys me a lot. But so the board then has the responsibility for all shareholders. So if you’re a publicly invested company or if you’re the not-for-profit, you sort of say, “Our main aim here as an entity is to do X. Provide good quality child care, promote archery in New South Wales,” etc. And then there’s a whole bunch of day-to-day things that need to be done.

What the problem is when the people who are on the board no longer are looking at general directions or the general values and want to do day-to-day things, and then it’s also when the day-to-day things, now people now start saying, “Well I want to set new values and new directions.” And I guess if you come from the project management aspect, and obviously I’ve done some project management a while ago, it’s sort of like was you really got to get a project management charter in hand. So they didn’t exist before, they suddenly became a new thing. I sort of said, oh okay, this charter is interesting. But it is, it’s like, “Guys, if we have to make a decision, you should be able to say, ‘You know this doesn’t line up with our overall compass point'” sort of thing. So the board is supposed to say, “Hey, we’re making a decision, this does line up, and there are reasons we should go with it.”

The board also is going to say, “You’re asking me to spend $1,000 here, I don’t see where it’s going to give us any benefit.” Or, “You want to spend $10,000 here, and I’m prepared to go into debt for that because the benefit is X further down the line.” You now, Mr. Executive go make that happen. And the board also has these other values are their networking and their connectivity so that you can say, “Oh well I know this person, and we can work with that organization,” so help bring that.

So the big issue with cyber security, and I’d like to probably say cyber security probably is less like IT, and more like gambling, or more like insurance. And hacking was always a thing. So all systems were possible to be frustrated. We have the double entry ledger system because hey, a couple of Italian monks in the 400 years ago said, “You know, it’s very easy for these guys to steal our meat. We can stop that if you do an entry over here and an entry over there, and then obviously that is the control.”

Cole Cornford

Yeah, there’s always been a, in history, humans are going to be adversarial against other humans to achieve some kind of outcome. And it’s why we have simple controls like walls, and guards, and scouts, locks, doors. I know those metaphors break down a lot when you start working in like cyber security, but I do agree with you that it’s not… Like IT operations and managing IT quality are quite separate to having meaningful security conversations with leadership. But how do you go about distinguishing the two? Because almost everyone I speak to immediately just says like, “Oh, I don’t understand these firewalls, and all I care about is keeping people alive at my hospital, or teaching my children about Jesus Christ,” because our kids go to a Catholic school. So those visions are completely disconnected away from IT.

Antonio Deliseo

And this is where we have to go through the storytelling, and where you have to be able to say, “You’re right, you want to stop infections in your hospital, and how you do that is by washing your hands. Every hand that comes in here goes through a cleaning process before it moves on to the next stage. What we want to do with a firewall is wash the stuff before it comes in, only let the clean hands in, and the bad, the dirty hands can get thrown into the bucket.” Now obviously someone now says, “I’m not happy about having a bucket full of dirty hands,” but there is always a way where you say, “You are making this decision already. It’s just not involving packets, it’s involving X. This is why this analogy makes sense, and you should be able to see that.” So I want to wash all the data that comes in. Also, I’m going to go one step further and if the data is really bad, I’m going to start raising an alarm.

So you guy can actually start doing your infection controls now based upon the fact that you’ve got an alarm and hey, what did we just talk about? Intrusion protection, intrusion detection. But it’s down then being able to say, “You need to help me understand what your business is, and I’m going to help you why the control has to do this around data.” And again, auditors do that, financial controllers do that. They look at that, and so we’ve got that. It’s why, obviously, I often think cyber security aligns best with the financial sector, because they’re making that call.

And cyber security then has an other… And it’s like gambling, and we’ll talk about poker maybe at a later stage. It’s gambling, but you’ve got to pick the loser. The amount you wager determines how much you lose. So if you wager a bit more, you might lose less. However the odds are not really fixed, and the race could run at any time. But it’s going to happen.

And then you say, “Well, it’s like insurance,” because obviously when we’re running a childcare company we are saying, “Look, the insurance on this centre has gone through the roof because X of flooding.” And we very quickly worked out it was time to move. Moving, which is not cheap, was actually the cheapest solution than paying a $10,000 insurance premium because it was going to be over five years, that’s an additional $50,000, the cost of moving we could get done for 20, and we would actually be a lot better off.

It’s those sort of conversations. But insurance is easy in one sense because we’ve had actuarials running for years, they’ve got their tables, they know these things, so they’re pretty tight. So when you’re saying you’re paying $10,000 a year, you know what that means. And the finance guys are able to immediately say, “Yeah, sorry, I’m going to back moving.” Or another guy’s going to say, “No, the lease runs out in two years anyhow, it’s actually cheaper to stick around for two years. Know the fact that we’re probably going to have a $30,000 impact in terms of a flood, but it’s cheaper than the cost of having to break our lease and do that.”

So likewise with cybersecurity we are now saying, “This is the flood that’s going to hit you. This is what the damage.” And again the problem is that then from the GRC point of view, how subjective are you about this or how, the whole quantitative and qualitative sort of thing. I think the thing that’s got easier about it now, and certainly in the last year, is that companies know that simple things like losing data; two years ago if you’d say, “Oh, we’ve lost… Had a data breach, we’ve lost all of our data.” You would say, “Look, this is really going to have a big impact on you.” They would say, “Well, I can’t qualify that.”

And now, and I had this conversation a few weeks ago, say, “Look, if you lost your data and it went up on the web, we’re not paying a ransom, and you’ve still got access to your system. Question is, what’s that going to do to your reputation, and how much do you have to spend to get that reputation back in terms of running ads to get people to think, ‘No, no, we’re good.’ Two, discounting your price so people say, ‘Okay, yeah, I know they’re risky, but I’d rather pay 10% less on my power bill or my medical bill than going with XYZ because you know what, even if I lose my data, look what I save.’ So if you do that some and say, okay, you’re going to lose 10% across 20% of your customers, you’re going to have to spend $5 million in advertising, how much is that worth to you?”

So your reputational damage… And the big problem is with reputation, people always thought good for goodwill, the brand Arnott’s is worth $10 million. If they have a data breach, it’s now worth 8. We don’t even take goodwill in it. Now.We’re just saying what’s it going to cost you to get your customers back in terms of impact?

Cole Cornford

I find that a lot of people end up in as executive or any D roles often come from a CFO/accounting kind of background. And so when you can start talking to them about the cost of acquiring a customer, or having to directly spend to offset a security incident, not so much in remediation capacity, but marketing, advertising, and retention, and minimizing churn, I think that’s a really good way to influence behavior to get people to be spending in advance. Is that common for people who don’t come from that financial background? Do you find it still effective for people that say move into a COO role or a CTO kind of role, where their backgrounds are pure operations or technology?

Antonio Deliseo

Yeah, and that’s where the problem is because you’re right, again, it’s knowing your audience. So if I’m presenting to the board and the majority of the board are going to be finance and accounting people… Legal and accounting, sorry, I just said finance and accounting. Legal and accounting.

Cole Cornford

That’s all right. We all know that there are a bunch of bank kids, right?

Antonio Deliseo

And we know they majority came out of one or two universities. They went to certain number of schools, majority of them are called John, followed by, apparently Fiona now is the largest representative of boards. There you go.

Cole Cornford

There you go.

Antonio Deliseo

Yeah, I’m sorry to say, for all this talk about board diversity, etc, the majority of them fit a very standard mold in terms of their experience. So that’s where majority of your conversation is going to be having. But if you are in a mid-level cyber role and you’re talking to an IT person who’s above you, the problem with them is they’ve come out of this model whereby, hey, if I spend a thousand dollars to update our UI, it will mean that we will have less errors by our guys, which will mean we’ll have less errors in processing. So we will save $500 in calls to help desk in reworking stuff, and that will be paid out in, ROI is two months. You’re going to want to do that. People say, “Oh yeah, ROI for two months I’ll do. ROI for six months I’ll do.”

Then it’s just saying, well now we want ROI is what, the next 10 years. Next 10 years, the likelihood of us suffering this issue is going to be that. And they say, “Well yeah, I have trouble spending that money, and I don’t really see that that loss is going to impact me.” So the cyber stuff, but it’s back to the guy who’s making the insurance call on, hey, we want insurance for flood on our work sites and stuff. Or slipping, or work cover sort of thing, which obviously you have to, the government says you have to. And it’s always going to be tricky because the talk that we’ve had, and if you come through an IT scenario and you learn about this, you learn about the return on investment, and you learn about if I spend X, I get Y.

Back on the cyber scenarios. If you spend X, you might avoid this. We don’t know when you’re going to avoid it, but it’d feel great if you did, and if you don’t, yeah, okay. And that just isn’t as convincing. But I guess again what’s happened in the last two years is that people now say, “Yeah”… Because that scenario’s about, not only the return investment isn’t only now, “I would like you to get double, spend X to get Y, which Y is more than X. But now I’m going to get you to spend X to avoid being embarrassed, and my mum had to ring me up and say, ‘I see that Optus in the paper. Is that you?’ ‘What do you mean is that me mum?’ ‘Yeah, I see that Medibank is in the paper. I know you work in computers. Is that you?’ ‘Yeah, no, that’s not my thought mum.'”

But when you now have cyber security and cyber incidents as being front page on the Herald, or The Age, or whatever, all papers, it is obviously scenario where it’s easy to motivate people. People obviously, what’s it called? That they’ll run to comfort, avoid pain. In this scenario we are now saying, “Let me show you just how painful or embarrassing this is.” And look at this scenario about, if we saw the one with the blue screen of death that happened recently. It’s no point just saying, “These guys had a bad day.” You’re not paid $20 million a year so that you accidentally have a bad day. The surgeon that’s going to do my hip surgery, he can’t have a bad day. Well he’s going to charge me $50,000 for the pleasure of doing the work, so he can’t say that.

Cole Cornford (: 29:27
That’s why for lawyers and for doctors, their indemnity and liability insurance is through the roof. They have to pay like, almost a third of their wages goes straight to the indemnity and liability insurance. And that’s why people are like, “Wow, doctors, practices get paid so much money like surgeons.” I’m like, yeah, the practice gets paid a lot of money, but think about if they make a mistake, what happens, right? You can cripple somebody for life, right? Or you can mess up a divorce for two people. It’s insane.

Changing tact a bit. So let’s say I’m an executive, and I’m a newly minted CISO or CIO, CTO type person with responsibility to be talking to a board of directors about security. What do you think is the best way for me to communicate about where are we, and asking for funds to be able to solve a problem?

Antonio Deliseo

So in that sort of model, you’ve really got to say, “Let me show you where the threat to the business is,” not the threat to our IT system. And you need to say, and we’ll take the childcare model. If we lost children’s data, if we lost photos of our kids because we stored and ran badly, et cetera, that’s probably going to cost us X number of people’s in this one center, and X number of people across the whole center.

And you can then say to the marketing person, to our quality people say, “Hey, if we had this happen to us, and we know this happened to another agency, what do you think that would do?” And I say, “Mate, we serve a bad sandwich to some of these parents. We don’t see them coming back straight away.” So that stickiness or the elasticity of some customers in some sectors, so say we know in the childcare model the elasticity is really quite high. A small impact here in pricing or in terms of their perception of safety of their kids. So we now know that the data, which is how we’re going to most likely impact the safety of the children is critical, this is why we should be protecting it.

But obviously you’ve come in having spent the last 20 years programming in C, then programming web, then doing this sort of stuff, and now I have to be focused on all of these other skills. So it is all that other skill set. It’s not necessarily possible where you can say, “Oh, I would like to spend a day in every department.” You really have to build those bridges to those other departments so you can say, “If this happened, what’s that going to do to your day?” And most people are happy to talk about themselves. So as long as you are asking them, “Tell me how this is going to impact you, have you thought about it?”

And if they say, “No, I’ve not.” “Okay, look, have a think about it. Like realistically, if this issue with our customer data appearing on the web, like we saw that happened to Medibank just recently, what do you think that’s going to do to us?” The marketing people probably could tell you, and they would go… So now you’re presenting to the board saying, “This is where I think we’ve got an issue in terms of what’s going to happen. We’re going to lose data, it’s going to be out there, it’s going to be unstable.” The scenario is, this is what’s going to happen to the revenue over the next 12 months, and these people are going to contribute to that. Then you’re now saying, “So we’re wanting insurance on this,” and we’re back to that scenario on gambling… Back to that scenario on insurance, which is gambling. So then that’s the sort of conversation you need to be able to have, and that’s not easy.

Cole Cornford

Especially for people who are coming from usually an IT or technical backgrounds, because they… Oftentimes they’re focused on, at least what I usually see if they’re doing a board report it’s something like, here is the CIS or NIST CSF, and here’s how we’re progressing across a bunch of different things, and some are red, some are amber, and some are green.

And the board of director says, “Cool, that’s great. That’s NIST CSF. That looks kind of cool, but what does that mean? I’m a shoe store.” And then the CISO says like, “Yeah, but this is the industry standard that everybody uses. It’s a CSF, like this is governance, identification, detection, protection. This is how we solve cyber security risk.” And the board’s like, “Yeah, I still don’t get it.” So what are you going… Moving over a little bit, CISOs, who are fairly newly minted into the role, what do you think the most common issue that they have when communicating to their peers or to their leadership is?

Antonio Deliseo

Communicating to peers or communicating to leadership? Which one are we going to do first?

Cole Cornford

Let’s go peers.

Antonio Deliseo

So for a CISO communicating to peers it’s really, they’ve got to get to their guys to say, you are telling me, again, you mostly talk to me about vulnerabilities, because vulnerability is the easiest thing for someone internally to understand and to get visibility on. Run a scan, I’ve got a list of vulnerabilities, I’m a champion.

But that doesn’t necessarily mean much in terms of what happens to the entity. We’re back to that scenario about if this is a hospital, you’ve identified these bugs, but the question is, how likely are they to spread? Do we have antibiotics that will treat them? Do we have disinfectants? So you really need to make sure you’re communicating to your people, really where is this an issue? You see something where you get a scan run on some code and you’re saying, “Oh, well this is a library that we’re using, and the library’s got a poor cryptograph sort of stuff.”

“Well okay, you’re telling me that’s critical, but realistically who’s going to, what happens if they do break [inaudible 00:34:45], what’s that really going to mean? In the wild, what’s that really going to mean to us? Oh, they might be able to forge a signature on a document. Are they really going to run away with stuff? Are they really going to do… Okay. Yeah, maybe it might make their phishing attack a little bit better because they can spoof someone, but on a whole, we can leave that one,” you know what I mean? And help me do the [inaudible 00:35:07].

And obviously from a GRC point of view, we get the vulnerability, we then have to be able to say, “Well really, where’s that going to exploit in the business?” Obviously it’s not always possible, but certainly trying to say to people, look, no point just telling me a list of vulnerabilities, you really got to help me understand. If you’re going to use that as a vector, why is that going to be… Where that’s going to hurt us? And then tell me what I should be focusing on. Because people might get really excited about, we’ve got to patch all of this, but that’s just going to maybe lead us to more issues. Actually, if I had someone tell us, oh, we are now going back to our N-2 patching model after the patching end is not working for us, and yeah, probably a good idea.

So it’s really being able to then say as a CISO saying, “I want you to help me understand, vulnerabilities do not mean necessarily… Many vulnerabilities have zero impact. Help me understand the impact.” Walking under a ladder is a vulnerability. Black cat crossing your path is a vulnerability. Not for the superstition reason that most people have, but the fact is something’s most likely going to fall on your head If you walk under a ladder. How many times are you going to walk under a ladder where nothing happens? A lot.

If something does fall, it’s going to hurt. So that sort of scenario, really wanting to get people that. When you’re talking up, you’ve got to be able to say, it’s not about vulnerability. Say, “You know, if our data is stolen. Because we don’t care about how they got it, we don’t care about what system they violated, we don’t care about any of those things. If it gets stolen, this is how it’s going to hurt the business. Or more importantly, if one of our staff member walked away with all of our data, how could that hurt our business?” And someone’s going to say, “Well, I think it’s going to do this.”

Very sad story from my local area. Trucking company, courier company that I worked with and they did a lot of shipping for us. Lovely bunch of guys. They had the ransomware, they’ve been in business for over 35 years, and they just closed up shop. The ransom situation was so bad, they couldn’t get their data back. They actually, I have to say may, he, allegedly. So some money may have exchanged at hand. Not only were they bad as ransomware guys, but obviously they weren’t, no honor amongst thieves. You’d think at least you’d stick to the plan.

Cole Cornford

Yeah, generally I think that’s the business model is if you pay a ransom, then you get your data back, because then you can refer to that as a happy customer.

Antonio Deliseo

Yeah, exactly.

Cole Cornford

But it kind of makes sense to me to also, now that the Australian government’s really cracking down on ransom payments. And I think there’s legislation coming out not too far away to basically say that every time you pay a ransom to, you could either be held liable as a company director for that, and there are criminal sanctions I think associated with it as well. In which case I think we’ll start to see a lot more companies instead of saying that the cost of paying the ransom is our insurance against the cybersecurity incident, rather than having to pay for the uplifts, like the IT quality uplift program that we need to invest in to get to a point where we’re comfortable. But that’s probably a conversation for another day.

Antonio Deliseo

Yeah, but if you frustrate the vector, if you now eliminate that as an option, then you now saying you really know DRP is much better for us. Really good backups that we can actually recover from is much more important of a thing for us. And again, is the company just, honestly. So again, they were presented with a whole bunch vulnerabilities, not presented with what is the impact to the business so, yeah.

Cole Cornford

And it feels really bad having a small business go out of business. But ultimately, because I speak to, I try not to stay within large enterprise, the cybersphere where you just walk around and everybody’s whinging about, “Oh, I’m using this enterprise seam, and I’m using this API security product over here.”

I also spend a lot of people that are dental surgeries where they’re like, “I have two Windows XP laptops, and they’re not connected to the internet, but that’s how we have do all our accounting.” Or, “The only thing I use is Xero, and I go out and hammer nails or do fencing.” And I feel like that gives me a broad range of perspectives, but almost all of those businesses will choose, and elect I’d say 98% of the time, to never invest in cybersecurity because the cost to enter versus having to close the business, it’s just not worth it as far as they’re considered for their risks. We don’t have an option to give good quality advice outside of what the ACSC is providing, unfortunately. But I guess that’s the case for most professional services. Legal fees are pretty expensive for small business owners to even start considering when they’re charged per hour anyway, yeah?

Antonio Deliseo

Yeah, and if you’ve run a business and obviously that, you’d look at what you’ve paid in legal fees. But again, you work out that it was a bet worth placing. The times I spent the money to chase money from one of my clients, it was well worth it. And also for the fact that you don’t want… Someone told me many years ago, “You want to always have one account in dispute and you want to have one client you are suing, because otherwise you’re too nice and you don’t take enough risks.”

So there are business people who do say that, well then now it comes to cybersecurity. Again, what insurance are you paying? What are you doing to protect these inputs to your business? And the IT system is such a big input to their business now, you need to protect this. You’re protecting your skills by upskilling, you’re protecting your professional identity. Yeah, you want to protect your reputation, but your IT system really is going to allow you to trade or keep trading.

So yeah, I think that’s quite interesting there. So it is a tough conversation. Again, if you’ve worked with someone who’s sold insurance, they’d tell you, how do they sell insurance? You’ve got… And again, you don’t want to work on the fact that you’re just selling fear. You want to tell them, this is where your whole entity can be better. You are inoculating yourself, back on the virus sort of analogy we started off with, you’re wanting to protect yourself from getting sick. You want to know if you do get sick, you can recover quicker than the next guy. And sometimes it’s just going to kill you, but you want it to be the very small percentage job. And again, it’s back to scenario. Where do you bet?

Cole Cornford

Let’s hope there’s not too many situations where it’s going to kill us. But anyway, it looks like we’re here at close to time, so it’s great to talk to you, Antonio. Do you have any final recommendations or things you’d like to our audience?

Antonio Deliseo

No, just hope that was helpful. Yeah, I guess again, back to the scenario, the threats to systems has been around for a long time. I like to always throw in the one about the Jacquard loom where we get the word sabotage from

Cole Cornford

Sabotage.

Antonio Deliseo

Yeah, the first punch card system to drive a loom, and the guys threw their thongs into the machine, and so this is the first denial of service attack. I think we should recognize that one for what it is. So saying like, “Oh, you IT people, you made this happen. It’s your fault. You gave us a really dodgy system, and now you’re trying to patch it up with cybersecurity.” Well, no, we honestly went into this and suddenly the landscape changed, and we now are having to put these safeguards around the fact that the landscape has changed, and is changing.

Controls have always existed, all we’re trying to do is give you the controls and the best controls for the best value for money, for your data, which is critical for you to do business, regardless of what sector you’re in, or your size.

Cole Cornford

Honestly, everybody I speak to who always complains about the quality of IT systems, you can points to basically every other profession that has something that they thought was a good thing to do at that time, and has subsequently been debunked as bloody terrible. Let’s just deal with two very simple ones like, hey, we discovered that cholera spreads through fountains and people wash their hands. Maybe we shouldn’t all be drinking from that poisoned fountain. That would be a good one.

Antonio Deliseo

Yeah.

Cole Cornford

Or wallpaper that contains-

Antonio Deliseo

Arsenic.

Cole Cornford

Arsenic.

Antonio Deliseo

But green, it’s a good green mate. I really like that green.

Cole Cornford

It’s very, very nice. And even in Australia we got like, oh, we have lots of bushfires. Let’s use a fire-retardant material to build houses, and have people dying 30 to 40 years later from inhaling fumes, so asbestos is everywhere.

Antonio Deliseo

Yeah.

Cole Cornford

And so I think that it’s a bit short-sighted for us to be saying, “Hey, all of those IT people 20 to 30 years ago built these Java spring applications that are full vulnerabilities.” It’s like this is the asbestos of our time, and we need to be start addressing it.

Antonio Deliseo

Well, let’s go with TCPOT. Any address, I will listen to any packet that comes from any address, and you can send it to any address, and just fine. I trust you. And if I didn’t trust you, I could pick up the phone and ring Jeff over at DARPA site number 6 and say, “Jeff, what are you doing?” But hey, built on trust is never a good thing.

But yeah, look, I guess what’s that scenario I said, the guy who invented ships actually really invented shipwrecks. There’s always got to be a downside. There’s the yin and the yang. And yeah, great systems, interconnectivity, all that sort of stuff. You tell people, well let’s go back to the scenario where you had to ride it out onto a form and fax it to some guy, and do it that way. Yeah, because that’s not really less harder to hack. It’s like well, no, I do like the web, I do like interconnectivity. Well yes, it’s fantastic for most people’s lives, now let’s make sure we can enjoy the fruits of it. And what we’re going to do is protect it.

Cole Cornford

Technology is always marching on, but so are we. So thank you so much Antonio for coming on, it’s been a pleasure.

Antonio Deliseo

Cheers, buddy. Appreciate it. Speak soon.

Cole Cornford

Thanks a lot for listening to this episode of Secured. If you’ve got any feedback at all, feel free to hit us up and let us know. If you’d like to learn more about how Galah Cyber can help keep your business Secured, go to GalahCyber.com.au.