SECURED

Gaming Her Way to the Top: Madhuri Nandi on Security & Diversity

Madhuri Nandi is the Head of Security at Till Payments and a trailblazer in the Australian cybersecurity industry. As co-chair of the Australian Women’s Security Network, she brings decades of experience to the table, breaking barriers for women in tech and redefining what leadership looks like in cybersecurity. Madhuri shares how a love for gaming and cheat codes sparked her journey into application security and the cultural challenges she overcame to thrive in a male-dominated industry. They explore the realities of leading security functions in scaling FinTechs, why compliance doesn’t equate to security, and the critical role of aligning cybersecurity strategies with business objectives.

01:13 Cheat Codes Ignite a Cybersecurity Path

02:26 From Database Admin to Security Professional

05:09 Lessons from Gaming & Early Misperceptions

07:29 The Jump into Executive Leadership

10:53 Compliance vs. True Risk Management

18:45 Overcoming Cultural & Workplace Hurdles

31:55 Diversity, Women in Tech & Final Reflection

Cole Cornford
Hi, I’m Cole Cornford, and this is Secured, the podcast that dives deep into the world of application security. Today, I’m joined by Madhuri Nandi, head of security at Till Payments. This conversation is great because Madhuri brings some real awesome stories from when she was starting out. It was not easy for women back in the early 2000s to break into security or even technical positions, so it’s just awesome that she’s been able to shatter that ceiling. So now, she’s leading a cybersecurity function at a FinTech, so she’s got a great career to draw upon. She’s also the co-chair of the Australian Women’s Security Network. We had Jacqui Loustau as a guest, and so being a co-chair means that she can bring a lot of board experience to our conversation as well. I like her because she’s really frank and articulate and she’s an excellent human to boot, and we have very similar tastes in video games. So anyway, I hope you enjoy this conversation. And I’m here today with Madhuri Nandi. How are you going?

Madhuri Nandi
So far, so good, Cole. Nice meeting you.

Cole Cornford
It’s good to meet you too. It’ll be really great for our audience, Madhuri, if you could tell us a bit about how you got into cybersecurity. I heard it had something to do with cheat codes.

Madhuri Nandi
Yes, it is the games that I used to play back in my college days of third year and second year. To just steal the weapons, win the wars, and have a full army or the greatest score, I would say that. As it is all a fortune, I would say that I went to my hiring manager and spoke like, “I’m a database admin, please just change my team.” And they were like, “No, Madhuri, you’re into security.” And I was like, “What security am I going to do? Is it physical security that I’m not trained for, any police officer, or I don’t have that much stamina to conduct the trolls, and I’m part of IT, right, in the corporate world?” And they said, “No, no, no, you will be doing cybersecurity. It’s all IT related.”

And I had the ID pass with me in induction where they said, “We will monitor everything. We’ll have web cameras, we will manage the people logins, the usage of devices.” So I said, “Is it going to be hardware security that I’m going to look at?” They said, “No, Madhuri, it is cybersecurity.” I said to my manager, “Let’s go talk to HR. I don’t know what language you’re talking about. I just would want to know if I’m a database admin or not.” They took me to the hiring manager and then the HR team that interviewed me, and then I questioned them, “How did you end up putting me in cybersecurity? Can you just let me know?” So they dug up the notes and they told me that, “You have told in the interview, Madhuri, that you play games, online games, and you use cheat codes to win those games.” Because I don’t like losing the games. Back in those days, you used to get them for free.

And I said like, “But how is that related to security?” And that is kind of a security where you use cheat codes and win those games, it will get some interest in you that you do the cybersecurity, it is in line in one stream towards that. Especially in application security, most of the consultants would love the skill in you where you do stop the traffic. And in those days, I used to even use a proxy to stop the traffic and use something, the words that I want to display in the webpage, some vulnerable pages, which I didn’t know was cybersecurity, but I thought it was for fun. That’s why we see even the statistics these days, right? Cyber hackings are mostly done by kids and script kiddies. And that’s how I landed up in security.

Cole Cornford
Oh, that’s really awesome. I think you’d be surprised at the sheer number of people who have come onto the podcast who’ve said that they’ve come from a background where video games, in some capacity, were able to help them move into cybersecurity. For reference, do you know what video game it was that you were playing back then?

Madhuri Nandi
I would think it’s Need for Speed and Age of Emperors.

Cole Cornford
Yes, yes. So I know, was it pepperoni pizza, give yourself 1,000 food and… I played a lot of those. It’s all… I think the thing that got me into programming actually was the Warcraft II or Warcraft III scenario editors, and the Age of Mythology scenario editors, where you had these concepts called triggers, and where a trigger would occur, which is basically the same as an if statement, something would happen and then another action would occur off of that. And I liked to build these mazes or scenarios when I was seven or eight years old to just have people walk around the map, hitting levers, and then zombies would fall out of the air or something, right? And I didn’t realize at the time that I was basically doing programming, and it only occurred to me when I went to university why I picked it up so naturally: it was because I spent a lot of time when I was younger thinking about this kind of stuff. Right?

Madhuri Nandi
It’s fun, isn’t it, winning the games and then up playing the scene towards a certain part of your work? It’s definitely fun, a fun-filled road, I would say.

Cole Cornford
Nowadays, I’ve been trying to play Baldur’s Gate 3 because my family’s been overseas in China and I’ve just realized the sheer amount of content within the game is insane and that I’ll never be able to get on top of it. But yeah, there’s a lot of lessons that I learned from playing online games back in the day, which there’s pros and cons to playing League of Legends or to playing Team Fortress 2 and so on. You meet interesting and awesome people and I know I met a lot of folk who are at university or in their early careers. And as someone who was in high school, it was really good to get some mentoring from people who are just like five to six years forever in life.

But then you also meet some of the most awful people who just have misogynist and racist and just terrible because there’s no anonymity, there’s complete synonymity and there was no policing about what people said online in these communities, right? And any kind of place that you participate in, you’re going to end up being more like that ecosystem. And that was one of the things that I had to break out of when I moved into the corporate world, was to just release my shackles and make me become a normal person again.

Madhuri Nandi
Whenever we have that gaming mindset, when we come into the corporate world, it’s always not about winning, but you like to play and have fun towards your work.

Cole Cornford
Yes. But anyway, let’s move away from having fun and going into something a little bit more modern. So nowadays, you’re a head of security and there’s a lot of things in that kind of portfolio of responsibility. I know that it’s something that you’re deeply passionate about, is moving from individual contributor roles directly into management and then into executive leadership. What would you say it’s like being in that executive position as opposed to being, say, a manager?

Madhuri Nandi
I would say if you’re looking at a function or a specific stream or domain within cybersecurity, you would call a manager for that particular function. But if you have got a function or a role as a head of cybersecurity wherein you have got, I think, I don’t know how many streams we have, maybe 18, that’s what the mind map’s showing at the moment, we just have to have control in each of these respective domains. And with that many domains, it’s not possible for one individual to function from an individual contributor perspective. You need to be an executor wherein you can have influence so that the team functions for your multiple teams; it necessarily can’t all be done by the security team. There can be some IT functions, there can be some business functions, there can be some finance teams, there can be some operations. Every team has quite a role to play and all of them will upwards give you the outcomes of holistic cybersecurity, and that’s why I would always want to see security positioned in an executive role.

Cole Cornford
Yeah. So when you say executive, are you talking about someone who’s hired by a C-level person with their own area to completely govern as its own call center effectively or would you be saying that it’s more someone higher up in an NED position instead?

Madhuri Nandi
It’s not about the budget, Cole. Again, it’s a different conversation when we bring in the concept of budget. It’s now a little bit shared with risk, right? So it can be with chief risk officer as well, but it is about the cyber function. So if you’re not placed in the executive leadership role, you can’t have the strategy downflow across the business units into them. So if you are in part of business unit as an IT, that’s most of the organizations have got security placed in, your strategy will revolve around IT security or information security for longer period of your strategy, but you will have important pieces.

Like you need to have your HR team having security like onboarding and offboarding of employees, your finance team knowing how they are doing their financial reconciliations, how they are doing the auditing of the people who are getting outsourced, the job functions within wider teams. Within your operations, how the sales teams are having help desks offload the jobs to different countries or different regions. So every business unit will have the power to consent or to absorb security functions only if it is at the board level or C-suite level.

Cole Cornford
I see it a lot where you see a CTO or an engineering leader and then underneath them, they have effectively the security professional. And then the focus is almost universally on either achieving compliance outcomes or on just doing technical IT work like observability or doing a penetration test, a code review, doing DevSecOps pieces. It’s very rarely on, okay, what is the business trying to achieve and how do we get it there without being a handbrake to happiness, right?

Madhuri Nandi
It’s just the storytelling, Cole. So if any of the executive or the senior leadership is coming to you and say, “If I do a pen testing, am I done for secure? Am I secure? If I get a compliance certificate, am I secure?” No, compliance is only for the CDE or the regulatory that you are getting compliant against; it’s not going to include all of your enterprise. Take for an example PCI, you will have the card data environment, so you’re only securing the controls for that environment and not the rest of your business. If you’re looking at any other compliance regulations, ISO, okay, what is that that you’re putting into the scope for ISO that you’re certified against?

So compliance will give you a level of security, but it is not complete enterprise security. And again, pen testing, yes, pen testing is needed within your projects for any of the newer changes that you do in the business. But what about the day-to-day operations that you’re going to live with and the transformation that you’re going to do? So never a compliance certification or just a pen test is going to give you a holistic approach for you. You need to have, as I told you, all the domains, you need to look at what is the organization consisting of and what I would need as a business growth, what business is going forward, and how I need to secure all of those elements together. So having the strategy is the first place for you to drive the business.

Cole Cornford
Yeah. What would you say for someone who wants to move into those executive positions or is recently in an executive position, what would you say would be the absolute most important thing for them to begin their journey of establishing a cybersecurity strategy or program of work? What should they do?

Madhuri Nandi
A cross-scaling call. So it’s never that your security knowledge alone is sufficient for you to talk to business. You need to know each and every function. So I’m not saying that go be SME of all business units within your organization, but you need to know actually the essence of the business that you’re working with to know, say for example, I’m coming from FinTech background, what is the essence of the business, how they’re running the business, and how they want to move forward, and how we can contribute and what role am I playing for the contribution and others are.

If from that perspective, you would understand that okay, settlement team is doing this piece of work, finance team is doing this piece of work, HR is doing this piece of work, then you apply that lens of security onto them, then you become to the executive position to that particular organization or the business units in any organization, I would say. It’s not the silo that you advocate for security, but you need to know the business functions they’re contributing towards the overall business growth of the organization or industry that you are in. That is the key point.

Cole Cornford
I think this is why I’m quite successful now, whereas I may have in the past not been as good as I am, because I’ve been running a company for four years and so I understand corporate governance. I’m doing it at a small level, but I understand what is the purpose of the board of directors, why do we have different levels of audit functions, internal and external audit, why do we have [inaudible 00:12:19] governance risk and compliance teams creating these kind of structures? And I am ultimately accountable as the CEO at Galah Cyber for managing everything from recruitment of individuals, to the delivery of outcomes for our customers, to the marketing funnel that creates sales opportunities for us to execute upon, running payroll, going speaking with lawyers, dealing with HR complaints, doing IT stuff. All of these different aspects collate into what is a business. I wear many hats, some hats I don’t like wearing, but I think as a CISO, you have to learn to wear all the hats or at least be able to talk to people who wear different hats, even if they’re Santa hats, right?

Madhuri Nandi
Rightly said, Cole. As a founder, you have explained that you will run the payrolls. You’ll hire people, you’ll go to business, you will talk to board. You’re accountable for all these functions. Similarly, CISO is accountable for different roles, different functions, and he needs to know everything. He or she needs to know everything that they are responsible or contributing towards. That’s where they can get into leadership roles.

Cole Cornford
So what I like in the Australian public sector, one of the things I think is interesting, is that there’s a clear delineation between an accountable authority and someone who executes on a program of work. And so if you take an agency like the ATO, you’d have a chief security officer who would ultimately be in charge of executing upon cybersecurity programs of work, but they’re not the one who decides how much money is there or which other business units need to be listening to them and stuff. That is maintained by the accountable authority, who is the commissioner of taxation. So I like that kind of approach as well for other businesses, that you don’t need to be across everything. You can be hiring someone into security leadership and tasking them with operations and delivery of a program, but ultimately, the accountable authority is the one who’s in charge of managing a program. What do you think of that kind of governance model as opposed to having a CISO as part of the exec team?

Madhuri Nandi
It is even CISO needs governance for different various domains that we are talking about. Having a program committee or a group that runs and delivers the programs and then hand them over to I would call [inaudible 00:14:23] or operations, isn’t it? Because every time you can’t have [inaudible 00:14:27] operations run the programs or programs forever to run and not end up having a [inaudible 00:14:33] function, but this level of governance would give comfort for CISO that the programs that they’re defining or getting delivered and have been implemented.

Cole Cornford
Yeah. Cool. So let’s switch gears a little bit. I know that you’re working at a FinTech at the moment and that’s going to be quite different from all your previous roles. What’s the most challenging thing for you, going from a large enterprise down to a small startup and then into a scale up?

Madhuri Nandi
I would say it’s not most challenging, it’s most rewarding, I would call, for anyone. You just need to change the perspective.

Cole Cornford
I love small business. I tell you it’s so fun going and speaking to people and not having to worry about, oh, sorry, you need to go to 20 levels up to be able to deal with anything.

Madhuri Nandi
Correct. Coming to the point, Cole, I used to remember back in my days, to do a change, I needed to get 20 approvals, and sometimes get frustrated that you would not even end up doing that particular change and it might cost you two to three weeks of planning and execution of a single change, wherein you can’t see the fast learning or growth. But yes, on the pro side, you have the maturity of process, you have the governance and assurance functions, making sure that you deliver the delivery in the right way. But as coming to the scale up or startup, you have the autonomy or liberty that you can wear multiple hats but never take that as a burden. Take that as an opportunity for you to learn. You can talk to a CTO or a CIO or a CEO very directly and understand from them why the direction is this way or why they would want to do so-and-so project prior to the other one, which you’re not able to understand.

So you can talk to them and take their understandings and planning so that you can learn soon through them. And you have the option to go talk to any business function. So because the team sizes or the functions are very reachable to you, you get to have more learning opportunity. As I’ve told you, you need to grow into senior leadership roles. You need to talk to the business to understand all of the teams and which you can’t easily navigate in a large enterprise, but within a scale up or a startup, it’s easy for you to get that level of learning going through.

Cole Cornford
I guess it’s a lot easier when you got one general counsel to go talk to them about law than it is when you have 20 different types of law functions and you’re like, “Wait, this one’s for procurement, this one’s for corporation, this is the regulators, this is for contracts, this is torts, this is…” You’re like, “Hang on, who do I speak to and what’s the difference between a barrister and a solicitor and a…”

Madhuri Nandi
You pick two or three points, Cole. I remember all my history, like to do the procurement, to get the approvals of changes and talking to legal, releasing of one policy can cost you that, no, the coloring of the policy is not as per company’s brand or the color shades. So those kind of things also can stop the release of a policy, which is true, it’s critical. But you will have people at your tips where in a startup or a scale up, that you can go reach to and say that, “Can we fix this up together?” Done. That’s it. And you walk happily that you achieved something for the day.

Cole Cornford
Yeah, bureaucracy, I remember many situations being quite frustrated with it. I understand having guardrails in place because if you have processes and procedures and people follow those, then it’s hard to make mistakes. But at the same time, if you give people autonomy, they should be able to just get things done a lot faster. And so there’s pros and cons to both, but I have a couple of core instances. One of them was we were procuring an AppSec product and the product was best in breed, and then it got purchased by, acquired by a larger business, and then I think we spent almost the entirety of our project funding on lawyers with this new multinational company that acquired a small little vendor, just going back and forth redlining contracts once a week because they were based in the States. And that project ended up being an awful experience because we didn’t actually get to do anything. We just spent all our money on lawyers. And things like that-

Madhuri Nandi
It’s a learning.

Cole Cornford
… you don’t have to worry too much about it because I feel like when you’re of a smaller business, you do one of two things. As you say, I accept it because if we’re going to go to court, we’re probably screwed anyway, so-

Madhuri Nandi
Correct.

Cole Cornford
… I’ll give up on that. Or yes, this is worth making sure we dot our Is or dot our Ts.

Madhuri Nandi
You make quicker decisions and you move fast, I would say. It’s a different way of learning. So you want to fast learning is the scale up.

Cole Cornford
So with the scale ups, I know a lot of them that I speak to are required to move towards a compliance outcome, and compliance almost always drives their thinking because they need compliance to participate in additional markets, right? Take a product like Vanta or Drata or so on, Scytale, almost all of them, they bill themselves as a compliance tool, but actually, they’re a sales enablement tool for the SMB/scale up market. So I know that this is something that I… But whenever I speak to most companies, I always get them to focus on risk. And so just this bit of tension between why do we go and invest in a compliance outcome and go get SOC 2 Type 2 or ISO 27001 when it’s… I think that it works and makes sense if you’re looking for sales enablement, but I don’t think it’s the best way to be running a security program. What do you think about that kind of challenge there?

Madhuri Nandi
Sales-driven achievements that companies want to get like SOC 2, PCI. PCI is a regulation. These things. I would say that yes, they would give them ticks that yes, you are certified, you are regulated, so we can buy your products and you can get some marketing. But look at the true picture, the word that you have used, risk. Are you really eliminating the risk with the advertisement that you’re going to give to your merchants or customers that see you’re compliant for SOC 2? So does that mean that any function that you’re executing within your business is cyber resilient? Are you cyber proof that you’re giving this particular stamp onto your services that you’re going to sell to your merchants or customers, I would say? No. So that’s why have a lens in your talks, have a discussion in your boardrooms or executive rooms. “Yes, I would want this. My sales team want experts at books to be advertising and selling my product to the customers.”

But I can give you one advice for the executives is that expand that particular scope. Say for example, you want Australian Essential Eight, that is what you want to tell that you meet that particular requirement, do that one for complete enterprise of the organization. Don’t cut the corners and don’t do it only for IT functions or only for the engineering functions. Make sure it is endpoint security, roll it out throughout the business. It’s vulnerability management, roll it out for the complete organization. Don’t descope the enterprise into the program. And that’s when even if you get certified of something, you’re assured that you’re not only securing a piece of your puzzle, but you’re protecting all the puzzle.

Then you go say that, “Yes, I’m certified for so-and-so.” That way, you are compliant, you’re regulated, but you’re secure enough. But if you don’t include full scope, you’re not secure enough. All those regulations are trying to say the same thing to you. Apply prevention controls, apply detection controls, apply all sort of things, but then why do you narrow it down to only business function? Where do you think your code is sitting in or various new APIs are hosted? Expand it for all the business. You get in a solution to see what could be the scope of protection that I can apply this particular control against.

Cole Cornford
Yeah, I know that that’s a common thing that comes up is where do I scope my audit? Do I want to be scoping it over a period of time where we just rushed to try to get everything done and then we basically drop doing all of those practices until we get to the next audit? So that’s kind of a timeframe thing. So I don’t like when they’re like, “Oh, we’ve only got a three-month window to randomly audit practices.” I think that it has to at least be a year for it to actually kind of make sense for a sample size.

So I like how an external auditor provided by a regulator tends to do it over a year or multiple years for those kind of practices. But all of these smaller SOC 2 audit providers, they only look at doing it over a three-month period. And yeah, it’s great to be doing a lot of these practices over three months, and then abandoning them as soon as you get the check so you can enter the market kind of frustrates me, because it means that people are achieving the outcome of SOC 2 for sales enablement to get a tick, not to actually meaningfully address risk for their businesses. But at the same time, I have to accept that I know that that’s just how the market is, right? People want to be spending money on things that enable them to do sales. And if the entire purpose of these kind of frameworks as far as business owners is concerned-

Madhuri Nandi
And we have that certificate, but expand your scope of inclusion, that’s wherein you get your certificate but you get your security as well.

Cole Cornford
Yeah. So I always say, “Oh, they’ve got SOC 2 Type 2. You should ask them for the letter of attestation.” And when was the last time they had their re-certification audit and so on. And most of the time, a lot of the things are like, oh, we don’t want to provide that to you. We’ve got our checkbox, please don’t talk to me anymore, Cole.

Madhuri Nandi
True.

Cole Cornford
All right, so moving a little bit away from compliance because I could rant about Essential Eight a lot and I don’t want to because I love my friends in the federal government that no, it’s not really applicable for small business all that much. But diversity, right? It’s something that’s important to you, it’s something that we need to be doing better in the industry. I’m speaking to [inaudible 00:23:46] I think in December and she’s doing this good documentary called 17%, which is about the representation of women in cybersecurity, right? It’s not great, one in five. And just below that even, honestly. So what would you say, how do we do better at helping solve that kind of problem, right?

Madhuri Nandi
Taking myself as an example, Cole, it’s been two decades that I’m into security from day one. And as I’ve told you, as a campus grad, I was put into a services company as in security and I was assigned to the SOC team. And in the SOC team in the daytime, you never used to get tickets or incidents, I would call them; those days, they called them tickets because it’s a services company, because the client is from the United States and you won’t get any incidents in the morning time. Only the incidents come in the nighttime, as I used to work in India at that time. So in the nighttime, I’m not allowed to work. Again, diversity issues, cultural issues, women’s safety, health issues. So I was not allowed to work in the night shift. It took me three months to talk to HR and challenge them that I can have a security guard along with me to take me to the office. I want to be in the night shift because that’s when it’s US daytime, I get to have incidents, I can talk to engineers to have my mentorship and learning going in.

Why am I bringing this example? It is that there are some cultural aspects that stop women from growing faster and advancing. Had I not taken that step of talking to HR and having my issues sorted out so that I was allowed to do a night shift back in those days, I would’ve never got the opportunity to work in a SOC 20 years ago. Now, things would’ve changed now, but those days, a woman was not allowed to work in the night shift in India. And if I had not worked in the SOC team, I would’ve never understood what threat management is. So I would’ve lost a big piece of the puzzle within security and I would’ve become a GRC professional or an audit and compliance officer and I would’ve never known what engineering is from there on.

It is those small elements that everyone in the industry needs to understand, that from every region, women will have challenges to get into it. So along with me, eight campus grads were hired in 2007, of which there were five boys and three girls. And after five years, I’m the only one who is continuing in cybersecurity. The other two dropped out because they thought cybersecurity is something… It’s a job for boys and they will not get alliances to get married to, or they would become weird professionals, that they would become psychopaths, those days, people used to call that. You remember the black hoodies people used to wear, I’m sure this is how cybersecurity professionals look. No, but people look so cute and smart. They don’t need to have a black hoodie or scars and be a psycho to be in security, right? And challenges that-

Cole Cornford
It’s the reason that my company is just like a giant pink bird, is to just kind of kill-

Madhuri Nandi
That’s all.

Cole Cornford
Yeah, I don’t want to kill that bloody stereotype. If we’re trying to… I get annoyed constantly when I see people saying like, “Oh, I’m really smart. I did all this rad and techie stuff to break into this really cool place.” And it’s just a picture of them sitting at their keyboard, pitch black at night, like green screen or terminals on the… And they’re just looking at sed and awk and grep, and it’s just like, yeah, this is great. All you’re doing is basically removing a lot of people from participating in the industry because they just think, “I don’t want to look like that person. Why would I have an interest in being like that?” I even think about how gaming culture has evolved over the last 20 years. So it’s totally streamers, and the types of games that are available for women to play are totally accepted, and there’s different demographics and ways to appeal to those demographics too. I just hope that our industry can move away from cool hoodies to just maybe more Galahs out there.

Madhuri Nandi
And that’s the thing. There’s one of the challenges that many call, if you take the topic, it’s a Pandora’s box, right? You can’t see women working in pen testing or application security or threat management; they’re kind of sidelined only for GRC functions. But I have come from a SOC team, so I do threat management. I have even hands-on experience of penetration testing and application security, partly, for some part of my experience. Then now, I can say that no, it is not something rocket science that only boys can do and not girls. And the notion has to be broken, that yes, girls can do the engineering work and be in threat management, not just GRC.

It’s one thing that the industry has to break the domains for women, and the second is leadership roles. Go talk to any CISO forums where you will be talking or presenting, right? 90% or 95% of the time, you see the executives to be men. You rarely have one or two women representing different industries coming up. The reason being that women are not given the opportunity to come into leadership roles. So that is one barrier that many women know: that okay, after 10 years or 15 years, when I’m mature as a principal consultant or a principal engineer, I would not be given the opportunity to become a head of or an executive in that particular [inaudible 00:28:48]. Those are the critical challenges where the industry has to support women.

Cole Cornford
And it’s like I don’t have a silver bullet, I don’t think anybody does, but the things that I think are quite challenging are, A, the pigeonholing of people into what I call glue jobs. A lot of the time, you’ll have a graduate position in a big institution like a bank or a telco, and the boy will go work as a pen tester or a code reviewer or a SOC analyst. And so the woman will work in security awareness or she’ll work in project management for the security function. So from day dot, they’re already effectively ostracized from building technical ability. And I’ve seen this less commonly when people come from a technical background. I think that I’ve seen it in Southeast Asian and Asian culture. It happens to be a lot more women who do perceive themselves as being a technical person and want to pursue a technical career. But in Anglo culture, I often see them just disappear from the conversation before they even get to it. And that’s really disappointing and I don’t know how to change it. I wish I had some good suggestions.

Madhuri Nandi
True. I think in 2013, Cole, when I entered Australia, when I gave my interview as an application security consultant those days, the interview panel told me, “You’re the first woman, Madhuri, that we’re interviewing for an application security role.” But back in India in 2007, I started using application security tools and products at that time, and I would say, “Oh, so women are not there in the industry here to work for?” And it was like, it’s like seven years that I’m in the industry already. And in Australia, I get to hear, “You’re the first woman we are interviewing.” And it’s a big organization, a big consultant company.

Cole Cornford
Yeah. So we’ve got to do better on that. But yes, I think if you see other people who are in those kinds of positions where they’re stuck in project… I wouldn’t say stuck, because you can absolutely enjoy doing a governance, risk and compliance role, you can enjoy doing project management. But I’d encourage secondments, I’d encourage you to look at going and doing a technical training course or re-studying at university, building some of those technical skills. And it’s just hard though, because if your cohort’s 80, 90% computer science graduates and they’re all just white men, you’re going to feel pushed out. It’s not like you belong in that industry. I know plenty of people who’ve gone into mining engineering or mechatronics up in Newcastle. And then they’ve had to… They’ve decided to go into medicine or law or something because they just didn’t feel comfortable in that cohort. And it’s really disappointing for me as a dad with two girls. I want them to go learn nerd stuff.

Madhuri Nandi
We would have a world created for them, Cole. It would change for sure. If you see, I’m not from a computers background as well. I’m from [inaudible 00:31:25] electrical and electronics engineering for my bachelor’s. And hardly, I think, I know how to play games. Well, as I’ve told you in the past, nothing much. You just give me a game CD and put me before the computer and say that you finish the game and come; it takes a week or a month, I would be playing again and again and again and again, searching on the internet for codes if I’m not passing through, finish the game and come out.

But for the people who are getting into the glue jobs that you have called GRC or project management, I would say that engineering and threat management are much more interesting than GRC, which is also interesting. I would ask all of them to step out of those roles once they get the opportunity and try it, because you never know which is more interesting. And I would want to be an example for all of them to say that no, it is not boring. It’s very interesting that you get to fix a server, that you get to implement a control within security engineering, you get to implement them and you see that the things are functioning, which means you’re a doctor, you just fixed it, or you can assume you’re a mechanic, you fixed it.

Cole Cornford
It’s good to have that hands-on experience as well. Because I know that a few of the executives I’ve spoken with often say, “One of my senior IC people bamboozles me every now and then because they just tell me all this stuff and I don’t know if it’s correct or wrong, because I’ve got no technical background to be able to argue with them about it. So I kind of have to let it go.” And I think that that’s a really bad scenario to be in, because oftentimes your executive’s going to be pushing for one direction, and underneath you, if your ICs are able to kind of pull the wool over your eyes, something may be on fire, but they’re just worried about it and you can’t really interrogate them and understand why.

Madhuri Nandi
This way, continuous learning, you need to learn. It’s not like you need to learn, I would say, from the alphabet to having the essay writing done, but you need to know the essence of what you’re delivering or working on; that right approach to learning will get you there.

Cole Cornford
That’s it. From crayons to perfume, right?

Madhuri Nandi
And it’s not mandating you to do a four-year degree; maybe just a four-hour course is also sufficient. But targeted learning, what you’re learning towards, that gives you the right outcome.

Cole Cornford
I think the other thing is you want to really surround yourself with mentors and people that you… Especially from backgrounds that you are not participating in. So me and you, obviously, are quite senior in our careers at this point. I’m a CEO of a company or head of security at a FinTech. So I imagine that a lot of other people may not have the extensive networks and understanding of just how important it is to build relationships with other company founders and CEOs and CIOs and understand where they’re coming from. But what other piece of advice would you give to someone who is just trying to go up the management chain one step at a time, especially if they’re a woman?

Madhuri Nandi
Networking, Cole. I wouldn’t say Australia is a small country, but it is a small community. I would say a close-knit community. So you need to get through all of them, have talks. It’s the after talks that give you the connections. You need to know the perspectives, you need to know the experience, the challenges that each one of them brings to the board that you get to answer in the later part of your life. And I would say that there is no limit to the conferences or events we have in the security world within our country, but pick and choose one or two, at least quarterly, one or two. Step out and have a talk with them.

If you don’t have the right mentors and you’re not getting into the community, you don’t know where the world is going. You can’t learn how many different controls are coming or how many different products are coming in security, and who is changing roles to where the opportunity can come for you. So there are many answers that you get from people. It’s not from the box that you’re sitting and working in. So mentoring is critical and community is very critical. You have to step out.

Cole Cornford
Well, one suggestion for everybody is to go and follow Madhuri on LinkedIn and hook up with her and ask her for a coffee.

Madhuri Nandi
If we’re buying that many coffees in Australia, Cole, we need to be definitely [inaudible 00:35:21].

Cole Cornford
You could buy her a coffee, but I’m not going to sponsor it. But look, it’s been an absolute pleasure to have you on the podcast today. Thank you so much, Madhuri.

Madhuri Nandi
Thank you, Cole. It was nice talking to you.

Cole Cornford
Thanks a lot for listening to this episode of Secured. If you’ve got any feedback at all, feel free to hit us up and let us know. If you’d like to learn more about how Galah Cyber can help keep your business secured, go to galahcyber.com.au.