Episódios
-
Episode Summary
In this episode, Cole Cornford is joined by cybersecurity experts and IRAP assessors, Kat McCrabb and Toby Amodio, to unpack the latest updates to the Protective Security Policy Framework (PSPF) for 2024. They explore the significant changes introduced in the PSPF, such as the heightened emphasis on IRAP assessments, the potential strain on resources due to increased demand for assessors, and the impact on government agencies' compliance efforts. The discussion delves into the restructuring of the PSPF domains, including the separation of information and technology, and the challenges this presents for reporting and governance. They also address issues with self-attestation in agencies, insights from ANAO reports, and the critical importance of managing legacy IT systems. Kat and Toby offer valuable perspectives and practical advice for organisations navigating these new requirements, highlighting the need for proactive planning and adaptation in the evolving cybersecurity landscape.
Timestamps01:27 - What is the PSPF? Toby explains the framework
03:07 - Kat discusses the biggest changes in the PSPF 2024 updates
04:20 - Challenges with IRAP assessments: time, cost, and limited assessors
06:18 - When are IRAP assessments required? Clarifications
08:13 - Changes in PSPF domains: splitting information and technology
10:08 - Implications of the changes for reporting and governance
12:15 - Comparison with NIST framework and governance considerations
13:38 - Issues with self-attestation and insights from ANAO reports
15:09 - Strategies for improving reporting and assessments in agencies
17:36 - Managing legacy IT systems under the new PSPF requirements
18:52 - Key takeaways and final thoughts from Kat and Toby
Mentioned in this episode:
Call for Feedback
This podcast uses the following third-party services for analysis:
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/ -
Episode Summary
In this episode, Cole Cornford speaks with Anand, an API security expert at Traceable AI with over 18 years of experience in crafting innovative IT solutions. Anand's expertise spans API design, microservices architecture, cloud technologies like Kubernetes and AWS, and security architecture including IAM and OAuth. Together, they delve into the critical importance of API security in today's digital landscape, discussing why traditional web security measures are insufficient, lessons learned from incidents like the Optus breach, the challenges of managing API inventories, and how AI and machine learning can enhance security practices. Anand also shares his experience writing a book during the pandemic and the value of continuous learning. This episode is packed with insights on modern application development, cybersecurity, and plenty more.
Timestamps4:20 - Understanding API security challenges
9:30 - The role of AI in API security
16:55 - The importance of API inventory management
24:00 - The business impact of API security
28:00 - Cole & Anand discuss books & writing
34:00 - Current state of API security in Australia
Mentioned in this episode:
Call for Feedback
This podcast uses the following third-party services for analysis:
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/ -
Estão a faltar episódios?
-
Episode Summary
In this episode, Cole Cornford speaks to two guests on the topic of robotics: Damith Herath, a Professor at the University of Canberra, and Adam Haskard, co-founder and Director of Bluerydge, a Canberra-based cybersecurity and technology firm. Together, Damith and Adam are conducting research into Secure Robotics, an emerging field of study that addresses the intersection of robotic safety, trust, and cybersecurity. In their conversation with Cole, they discuss the growth opportunities for robotics, how someone interested in the field could pursue a career in robotics, potential risks of the common household vacuum robots, and plenty more.
Timestamps2:00 - Robotics: definitions & applications
8:45 - The intersection of robotics & cybersecurity
10:00 - Trust & safety in robotics & cyber
15:00 - Emerging risks in robotics
18:40 - The role of cybersecurity in robotics
20:30 - Regulation and innovation in robotics
40:00 - Growth opportunities for robotics
29:00 - Future of robotics & AI
32:00 - Career pathways into robotics
39:00 - Rapid fire questions
Mentioned in this episode:
Call for Feedback
This podcast uses the following third-party services for analysis:
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/ -
Episode Summary
Ilkka Turunen is the CTO at Sonatype, a company that helps millions of software developers use open-source software while minimising security risk. In this conversation, Ilkka chats with Cole Cornford about the benefits and risk of using open-source software, how Maven helped standardise software development processes, the different approaches to AppSec regulation in Australia and Europe, and plenty more.
Timestamps1:33 - Ilkka's career background
4:00 - Varying quality of open-source software
6:10 - How Maven helped standardise software development processes
13:00 - The balance between speed of delivery & quality
17:00 - Importance of environment parity in software dev
21:40 - Risk of using 3rd party code in software
25:10 - Regulation of AppSec in Australia vs Europe
32:10 - How new European software security regulations will be enforced
35:00 - Recommendations for compliance with European regulations
39:00 - Rapid fire questions
Mentioned in this episode:
Call for Feedback
Call for Feedback
This podcast uses the following third-party services for analysis:
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/ -
Summary
Daisy Wong is the Head of Security Awareness at Medibank, as well as a disability advocate. Originally from a marketing background, Daisy gained experience in the cybersecurity industry working as part of penetration teams, before making her way into the security culture and awareness space.
In her conversation with Cole Cornford, Daisy discusses using the tools of marketing to educate people on cybersecurity, what are the hallmarks of a good security culture and awareness program, and the importance of diversity in cybersecurity.
Timestamps
4:00 - Daisy's transition from marketing to cybersecurity
8:10 - The importance of security culture and awareness
11:00 - Building effective security awareness programs
14:15 - The role of diversity in cybersecurity
17:00 - Strategies for inclusive hiring practices
19:40 - The power of communication in security awareness
23:20 - Creative approaches to security awareness campaigns
31:45 - Daisy's personal perspective on the importance of diversity
43:40 - Rapid fire questions
Mentioned in this episode:
Call for Feedback
This podcast uses the following third-party services for analysis:
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/ -
Summary
Antonio Deliseo has been in the information security industry for decades. Currently working at Telstra, Antonio has enjoyed a long and winding career path and has plenty of stories and insights to share as a result. In this conversation with Cole Cornford, Antonio discusses how he got started in his career studying physics, overseeing cybersecurity at a goldmine, how to advocate for cybersecurity within a large organisation, and plenty more.
Timestamps
1:40 - Antonio's career background
3:30 - Advantages of coming from a non technical background
8:30 - Stories from Antonio's early career working at a goldmine
14:00 - How Antonio moved into the GRC space
17:30 - The role a board of directors plays in cybersecurity
20:00 - Cybersecurity is less like IT, more like gambling or insurance
25:30 - Calculating the cost of a breach in dollar terms
30:30 - How to advocate for cybersecurity as a CISO
40:00 - Cybersecurity often seen as unaffordable by small businesses
42:30 - Pros & cons of networked technology
Mentioned in this episode:
Call for Feedback
This podcast uses the following third-party services for analysis:
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/ -
Summary
Ben Gittins is the Principal Security Engineer at Bugcrowd, one of the world's best bug bounty platforms. Ben has previously worked as a Senior DevSecOps Engineer at Canva, as well as DevSecOps Lead at SecureStack.
In this conversation with Cole Cornford, Ben shares his belief that cybersecurity needs more generalists, how coding and AppSec have changed over time, whether cybersecurity qualifications are overrated, and plenty more.
Timestamps3:50 - Why is Aus cybersecurity lagging behind?
9:50 - Over-reliance on purchasing cybersecurity products
14:40 - We ask too much of our AppSec professionals
19:00 - How App development & cybersecurity have changed over time
24:00 - "Greenfield projects" are often not realistic
28:20 - How to bring new people into the AppSec industry
32:00 - Importance of communication skills
38:20 - Cybersecurity qualifications are overrated
43:00 - Rapid fire questions
Mentioned in this episode:
Call for Feedback
This podcast uses the following third-party services for analysis:
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/ -
Summary
Shan Kulkarni is the co-founder and CEO of Nullify, a product designed to augment AppSec teams with AI agents capable of carrying out multiple levels of product security work autonomously. Prior to Nullify, Shan worked in roles such as Cloud Operations Lead at UNSW Redback Racing, and Cloud Security Engineer at CMD Solutions Australia.
In this conversation with Cole Cornford, Shan discusses the challenges of starting a business, and in particular the challenges of hiring, the state of AppSec in Australia, what the future might hold for the industry, and plenty more.
Timestamps
1:30 - Shan's career background
5:30 - Why AppSec is so often inefficient and expensive
9:00 - Bigh tech has a monopoly on AppSec talent
12:30 - Shan's journey from consultant to founding a company
15:40 - Biggest mistakes when starting a business
19:20 - Selling products/services to devs is extremely difficult
25:00 - Where Shan sees AppSec going
28:00 - Consolidation of security products
32:00 - What security leaders are struggling with: visibility
34:00 - Rapid fire questions
Mentioned in this episode:
Call for Feedback
This podcast uses the following third-party services for analysis:
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/ -
Summary
Dan Draper is CEO and Founder of CipherStash, a data-storage platform that helps customers keep data secure. As well as being fascinated by Cryptography and data security, for most of Dan's career he's either been a founder or worked in the leadership team of startups, so has plenty of experience in both business and getting into the nitty gritty details of technical problems.
In this episode Dan chats with Cole Cornford about Cryptography, the challenges and rewards of founding a company, best practices for securing funding for a startup, and plenty more.
Timestamps- 2:00 - Dan's career background
- 8:00 - Dan's lessons from working in government
- 9:30 - When Dan became obsessed with cryptography
- 12:40 - Reflecting on Dan's 1st failed business
- 17:10 - The founding of CipherStash
- 23:40 - Managing data a major challenge in large orgs
- 28:00 - Different types of data breaches
- 32:00 - Potential and limitations of AI in cybersecurity
- 37:00 - Experience raising money for a startup
- 44:10 - Dan's 3 tiers of investors
- 46:00 - Rapid fire questions
Mentioned in this episode:
Call for Feedback
This podcast uses the following third-party services for analysis:
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/ -
Summary
In this episode, Cole Cornford chats with Matt Jones, co-founder of Elttam, an independent security boutique that provides security assessment services. On top of his role at Elttam, Matt is active in the infosec community in a variety of ways, including helping with BSides Canberra's call for papers and writing open-source tooling such as talkback.sh. Cole and Matt chat about the motivation behind founding Elttam, why Australia's infosec industry is lagging behind other parts of the world, the exploit development space, and plenty more.
Timestamps
2:00 - Matt's career background
7:00 - Matt's early challenges finding an opportunity in cybersecurity
11:00 - Why Matt chose to co-found Elttam
13:00 - Cole: Australia's infosec industry is immature compared to US
19:00 - The importance of specialisation
20:30 - Better to do 1 thing really well when bootstrapping
24:00 - Using the right approach for the right context
25:30 - Risks of using a bug bounty program
31:10 - Cole: the bar for pen testing reports should be much higher
37:10 - Training & education for infosec
39:00 - Cole: is infosec a cottage industry?
44:00 - Product vs service approach to cybersecurity
47:50 - Cole: I like looking at source code from 80s and 90s
49:00 - Rapid fire questions
Mentioned in this episode:
Call for Feedback
This podcast uses the following third-party services for analysis:
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/ -
Summary
In this episode of Secured, host Cole Cornford interviews Bruce Large, a security architect and evangelist at Secolve, the OT security specialists in Australia. They discuss the importance of threat modelling in operational technology systems and the need for engineers to consider the potential for cyber attacks. Bruce also shares insights from the ISA/IEC 62443 series of standards, which provides guidelines for secure system development in OT. Additionally, they touch on the significance of unions in the tech industry and the benefits of joining organisations like Professionals Australia. Tune in for a fascinating conversation on application security and more.
Timestamps1:25 - Bruce's professional background
2:40 - Defining "engineer" in different contexts
6:20 - Differences between computer engineers and civil engineers
8:20 - Threat modeling
12:40 - How we treat safety in software vs other industries
18:30 - Bruce: we should be encouraging lifelong learning
24:00 - ISA/IEC 62443 safety standard
29:00 - The Year 2038 Problem
34:20 - Unions & industrial relations
43:40 - Rapid fire questions
Mentioned in this episode:
Call for Feedback
This podcast uses the following third-party services for analysis:
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/ -
Summary
Paul McCarty is CEO and founder of SecureStack, a DevSecOps visibility & automation company, and GitLab's Red Team leader. Paul's been involved in software security in Australia for decades. In his conversation with Cole Cornford, Paul discusses how Australia's software security industry has changed since the early 2000's, whether security professionals aught to know how to code, and plenty more.
Timestamps
2:50 - Paul's career background
7:00 - Spicy take: people on LinkedIn are too blindly positive
10:00 - Understanding what went wrong when there's a breach
13:00 - Cole doesn't think "zero trust" is feasible
14:10 - Cole: maturity of cybersecurity in Aus is weak generally
16:00 - Cole hires for dev experience, not sec ops, because dev is harder to teach
18:30 - Aus market different to US, which has lots of software companies
21:50 - Paul: we've devalued the importance of operations
22:20 - The "holy trinity" of offensive security
26:30 - What percentage of ASX companies have a bug bounty program?
28:50 - Cole's free pizza exploit
31:00 - Got to be in security for the long haul
31:40 - The book that changed Paul's life
Mentioned in this episode:
Call for Feedback
This podcast uses the following third-party services for analysis:
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/ -
Jay Hira is a cybersecurity director with 18 years of experience working in a variety of roles both in Australia and internationally. Today he is Director of Cyber Security: Financial Services at KPMG Australia, and Founder and Executive Director of MakeCyberSimple. In this conversation Jay and Cole Cornford avoid getting too deep into technical details, and instead discuss a zoomed out perspective on cybersecurity strategy for large organisations, how the current macroeconomic climate affects approaches to cybersecurity, tips for clear communication between technical and non-technical stakeholders, and plenty more.
Timestamps
1:40 - Advantages of generalisation vs specialisation
4:00 - Tips for communicating effectively to leaders
6:00 - Clarity comes from simplicity
9:30 - Importance of reporting structure in a large org
14:20 - Core foundations of a cyber strategy
20:00 - How current economic climate is affecting cybersecurity budgets
24:30 - How do you maintain intrinsic motivation?
27:00 - Work life balance
30:30 - Rapid fire questions
Mentioned in this episode:
Call for Feedback
This podcast uses the following third-party services for analysis:
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/ -
Tara Whitehead is Security Engagement Manager at MYOB. Prior to becoming a cybersecurity specialist, Tara had an eclectic career, including working in advertising and international relations. In this episode Tara chats with Cole about how her non-technical background has in many ways been an asset working in security, leading change management in large enterprises, the importance of great communication skills, and plenty more.
Secured by Galah Cyber website
Timecodes
7:15 - Tara's first days in AppSec
10:00 - How to influence people
12:30 - Why we should dial back on the doomsday conversation
14:10 - Find your change champions
21:30 - Is a non-technical background help or hindrance?
23:30 - Communication and influencing key skills
26:00 - Communicating with execs
28:20 - Rapid fire questions
Mentioned in this episode:
Call for Feedback
This podcast uses the following third-party services for analysis:
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/ -
Episode summary
Daniel Grzelak is currently the Chief Innovation Officer at Plerion, and has had a storied career at a variety of technology firms around Australia. In this conversation Daniel brings his experience and insight to the topic of common myths and misconceptions within the cybersecurity industry, and with Cole Cornford tackles questions like:
Does a cybersecurity professional need to know how to code?
Is there a workforce shortage in the industry?
Should pen testers write remediation advice?
Timestamps
1:50 - Does a cybersecurity professional need to know how to code?
5:40 - Is there a workforce shortage in cybersecurity?
9:30 - Questions to ask when interviewing potential cybersecurity hires
12:30 - Are people in cybersecurity bad at promoting their own skills?
17:00 - Should pen testers write remediation advice?
20:20 - Daniel's career advice: start writing
Mentioned in this episode:
Call for Feedback
This podcast uses the following third-party services for analysis:
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/ -
After working as a cybersecurity consultant in Europe for over a decade, Jacqui Loustau was struck by how cybersecurity professionals in Australia were overwhelmingly male. This led Jacqui to found the Australian Women in Security Network (AWSN), a not-for-profit association and network with the goal of increasing the number of women in the security community.
In this episode, Jacqui chats with Cole Cornford about how businesses can change their approach to hiring to improve diversity, the importance of supporting kids and students of all backgrounds who have an interest in the field, as well as some of her thoughts on the future of the industry.
Secured by Galah Cyber website
Timestamps4:30 - Jacqui’s career background.
9:30 - How Jacqui became inspired to tackle the issue of diversity within cyber.
10:00 - At Jacqui’s first cyber event in Aus, struck by a sea of men.
13:00 - Achievements Jacqui is proud of from the last 10 years.
15:20 - What can businesses do to encourage diversity.
19:00 - Cole: what are some systemic issues we need to tackle?
22:00 - Jacqui: you can always teach technical skills.
23:00 - How we can support kids & students to move into cyber.
25:00 - Rapid fire questions.
27:10 - What will be the theme in cyber for 2024.
Mentioned in this episode:
Call for Feedback
This podcast uses the following third-party services for analysis:
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/ -
While working as Head of Cyber Security Business Services at Australia Post, Susie Jones worked on a product that was designed to support small businesses that had suffered a data breach. Susie came to believe that existing cybersecurity tools and support was generally either too expensive for Australian small businesses, or didn’t suit their needs. And so she co-founded Cynch Security, which aims to fill this gap.
In this conversation Susie chats with Cole Cornford about Susie’s career, the benefits of coming from a non-technical background, and they do a deep dive on the security needs of small businesses in Australia.
Secured by Galah Cyber website
4:36 - Susie’s career background
5:40 - benefits of coming from a non-technical background
7:15 - Challenges of running your own business
7:40 - Cole: you’re selling protection, it’s a pure cost
8:10 - Susie’s motivation to become a founder
9:00 - Consequences of breaches “the worst working day of their life”
10:30 - Most common security challenges for small businesses
13:00 - Big businesses that work with small businesses share cyber risk
14:40 - Supply chains and small businesses in Australia
17:20 - 90% of employers in Aus aren’t served by our current cyber solutions
18:00 - Worst examples of advice not suited to small business
19:20 - Tips Susie would give to small businesses
21:20 - Password managers are a no brainer
25:00 - Rapid fire questions
26:10 - One cybersecurity myth Susie would like to debunk
Mentioned in this episode:
Call for Feedback
This podcast uses the following third-party services for analysis:
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/ -
In this episode Cole Cornford chats with Nathan Morelli, Head of Cyber Security and IT Resilience at SA Power Networks, which is the sole electricity provider for the entire state of South Australia. Making sure that 1.7 million people have electricity is a pretty important job, and Nathan shares his perspective on how the organisation maintains resilience in the face of potential breaches.
They also discuss the importance of financial management skills in a management role, the Australian government’s updates to the Essential 8 and the national Six Shields cyber strategy, the importance of work life balance, and plenty more.
Secured by Galah Cyber website
4:00 - Nathan’s career overview
8:00 - “Not if, but when” and the principle of acting like a breach has already occurred
10:40 - Cyber resilience is critical
11:00 - Finding value in the impact of your work
15:00 - Matching cybersecurity strategy to the resources available
17:20 - High regulation/barriers to entry restrict quality security advice
19:00 - Importance of access to affordable cybersecurity tools
19:30 - Australian government “Six shields” update
23:50 - Australian government update to “Essential 8”
27:40 - Why Nathan adopted financial management concepts in his cybersecurity work
31:10 - Cybersecurity decisions are made for financial reasons
33:10 - Typical career trajectory: follow money, then people, then problems
35:40 - Importance of work-life balance
40:40 - Rapid fire questions
Mentioned in this episode:
Call for Feedback
This podcast uses the following third-party services for analysis:
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/ -
In this episode, Cole Cornford chats with Mat Franklin, founder and managing director of the consulting firm MF & Associates. Founded in 2019, Mat has quickly grown the company to be 70 or so employees, with their largest team being a cybersecurity team. With a focus on diversity and representation, MF & Associates are made up of approx 70% women, as well as having strong representation of LGBTQ+ and people with disabilities.
In the conversation, Cole and Mat chat about the importance of diversity and representation in tech and cybersecurity, what Mat looks for in a potential employee, what lessons cybersecurity professionals can learn from other industries like health and law, and plenty more.
Secured by Galah Cyber website
14:40 - How to improve diversity within a team
17:00 - What Mat looks for in a potential employee during a job interview
19:40 - The stereotype of cybersecurity professionals
20:00 - The movie The Web, and portrayal of cyber in film
24:00 - Cole: example of bad behaviour at a cybersecurity expo
26:30 - How did Mat build his business?
30:40 - Taking inspiration from how other industries operate
31:40 - Mat’s company targeting ex-nurses for employees
33:30 - The importance of brevity in corporate communication
35:50 - It’s not possible or useful to try and know everything in cyber
37:20 - Rapid fire questions
Mentioned in this episode:
Call for Feedback
This podcast uses the following third-party services for analysis:
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/ -
The cybersecurity industry is made up of people from all sorts of different backgrounds, and Michael Collins is a perfect example. After spending 8 years in the Australian navy, Michael moved to Cairns and became a diving instructor. After 5 years, Michael decided it was time for a career change and enrolled in a course to become a Microsoft certified systems engineer.
Today, he’s Chief Information Security Officer at Judo Bank. In this episode we chat about how Michael has managed major transitions in his career, the importance of aligning cybersecurity strategies with business goals, systems thinking as a framework for approaching cybersecurity, and plenty more.
Systems Thinking Made Simple - by Derek Cabrera:
https://www.amazon.com.au/Systems-Thinking-Made-Simple-Problems/dp/1520740492
Secured by Galah Cyber website
2:20 - A good summary of Judo Bank
7:10 - How Michael became a CISO
9:00 - How Michael almost bailed on his cybersecurity training after day one
12:00 - The joys of scuba diving
14:30 - Advantages of systems thinking
16:30 - How someone can get started with systems thinking
17:40 - DSRP thinking (Distinctions, Systems, Relationships and Perspectives)
24:20 - Delivering AppSec by meeting the business where it is, not being idealistic
25:20 - “It’s not all about downsides”, businesses succeed by taking risks
27:10 - How we can promote more business-mindedness in cyber
32:50 - Michael’s transition from techie role to CISO
39:50 - Cole: “Leadership is a funny thing”
43:30 - Rapid fire questions
Mentioned in this episode:
Call for Feedback
This podcast uses the following third-party services for analysis:
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/ - Mostrar mais
