In this episode we sit down with Arjun Ramachandran, Principal at elevenM to talk about all things cyber security, the changing needs of University degrees, the challenges of working from home and some key resources he recommends for those in the tech community.
We hope you enjoy the episode!
Here you can source all the things we have talked about in the podcast whether that be books, events, meet-up groups and what’s new in the newcastle tech scene.
welcome to another episode of new tech people today we have arjun ramachandran from he’s the principal at uh 11 m where today we’re going to talk all things security welcome arjun thanks james good to be here i like a guy by the name of trent mcclanahan at nib introduced me to uh to you i didn’t know of you you’re obviously a really i really seen you guy in the security space um and i think it’d be an interesting conversation to to hear your your perspective on a few things but a lot of people newcastle might not know of who you are could you give us a bit of an overview of who you are and what you’ve been doing yeah sure so i’m i’m a principal at 11 m we’re a uh a specialist cyber security and privacy consultancy uh we work with large organizations enterprises startups government agencies on privacy and security challenges everything from you know understanding what their kind of risks are through to coming up with strategies to meet those risks and implement those strategies i have a sort of communications and a media background so i look very specifically at strategic communications and culture and training and education when it comes to cyber security and privacy as a you know as many people know it’s a very complex technical area so there’s you know a lot that has to be done to kind of get people to understand what’s going on uh to kind of get workforces to know what their responsibilities are so there’s a lot that needs to happen in terms of culture and behavior and that’s kind of where i step in nice you mentioned that right right there and i think it’s super important cyber and security as a whole i think strikes fear into a lot of people and people think oh it’s very extremely technical but our conversations pre pre podcast a lot of it’s been around changing culture and changing the understanding and importance of cyber you mentioned that that’s a big part of your role is that is that the biggest challenge for a lot of organizations to buy into cyborg and security as a whole yeah i mean i think it’s i think it’s a big part of the challenge um you know there’s a there’s a lot of work that goes into sort of you know the discipline of it and understanding you know the technicalities and the risks and the cyber threats and then putting in the right technical controls but what ends up happening is it’s so like organizations today are so heavily dependent on data and technology right across the board and so everyone in the organization really needs to sort of bring to the table some understanding of the risks around cyber security so when you start talking about everyone at the organization you’re talking about culture you’re talking about does everybody know that in their role they have a you know they’re on the hook or they have a a role to play and so i think that is one of the biggest challenges and it kind of goes all the way across the board like depending on the organization it’s almost you know you’re sort of starting that culture conversation at the very top you know like does the board and the c-suite actually have a have a mindset that where they recognize that security is important to their business you know do they know why is it because they’re you know they’ve got a lot of valuable data about customers that they need to protect or are they producing a lot of ip do they even get why it’s important for their business and then you know are they then able to sort of talk to the organization about that and get everybody to understand their roles and responsibilities so you know cultures are is absolutely a really tough one and i think you know there’s a real disconnect sometimes in sort of education and culture you know you see sometimes this kind of urge to let’s just tell people what they need to know what they should and shouldn’t do the do’s and don’ts and we’ll educate them but if you do that without a kind of working on the culture side of things sometimes that disconnect can mean it doesn’t work yeah um and you know like just as a sort of parallel we were i was talking to a colleague of mine about the whole sort of the way coverts playing out and the advice we’re giving about masks and social distancing and what’s happening all around the world but depending on the kind of culture of the country and the way the country works the advice either falls flat or it doesn’t and i think there’s a similar parallel in organizations you know you need to sort of really get everyone understanding culture and that comes down to sort of values and leadership and role modeling to get those those very simple do’s and don’ts to stick yeah there’s that um super popular book uh simon cynics start with why right yep it’s obviously not a security orientated book whatsoever but it’s that understanding the why and if people understand that why then you can understand the what’s and then what to do is and why we’re actually doing these other things if they can understand why as as a whole it’s the same as the covert scenario like why are we actually wearing masks as to you know your reverse engineering back so yeah i think it’s a very very similar type of um totally i love that i love that um concept to start with why concept and i and i find myself using it all the time even just as a way of communicating um you know it’s it really i think you have to treat people as adults you need to sort of give them a bit of a sense of you know they they will buy into this if you let if you give them the information if you explain why it’s important and so from a you know from a security perspective you know going back to the why often comes down to saying well what are we in this for why why do we exist as a kind of company or a business and what are we trying to achieve and you can often draw the line from the security advice you want to give through towards because we want to serve our customers well in this way so you know if we want to let’s say be a business that is very sort of responsive to what customers need that’s if that’s our why we want to be really customer focused well we want to you know use information that they give us to be really targeted and personalized in the information that we give them in the services that we give them but then that means we have a responsibility to protect that information or we need to sort of think about what they want in terms of privacy and so then you draw back to then now you’re in the space of sort of privacy and security so you can kind of draw that line back to like the mission of the business yeah and i and like that’s something that i think is really important you know people can hear only so many times don’t click on that email and it starts to sort of just become a background noise but if they understand that context and they understand why security matters more broadly because of the business strategy they’re going to pay pay closer attention to it yeah nice i might get to that next step in a question but for a lot of your i guess engagements our companies buying into security from a proactive or more of a reactive perspective is that is that more so the case hey we’ve had a data breach or we’ve read about one of our competitors or somebody in our industry that’s had a data breach or something really go wrong and we’ve got a you know oh actually and it’s acknowledgement more reactive or are you seeing more companies investing security from a productive perspective thinking hey we are a customer orientated company we’re collecting more data we’ve got to be on the front foot about this yeah it’s a really good question and i think it’s a shifting landscape i would say you know let’s say five years ago there was a certain set of companies or parts of the industry that were starting to be a bit proactive about it they could kind of see the writing on the wall like you know our whole business is now being geared towards technology and data and more than that actually like is sort of almost promised on the idea that customers will trust us with this information but have we really thought about what does it mean to have that trust and to preserve that trust well we need to think about security we need to think about privacy and kind of let’s get ahead of that for the most part i think a lot of businesses are probably still sort of playing a little bit of catch up and a bit reactive and it can actually be both like they what can often happen is they’ll be proactive enough to go i’m starting to read and hear about security and privacy let me be proactive and start to understand what i need to do and they’ll kind of you know we’ll often hear from them and they’ll you know all sort of help them kind of start to think about the problem and then we won’t hear from them for a while they’ll sort of go away with that and the the sort of the impetus to act on it won’t really be there until they have an incident or a near-miss and then they’ll come back and go now let’s like let’s really start to to put this in place but i think it’s changing just because you know the the volume of kind of headlines around breaches is happening a lot um the the regulatory side is also a big driver so there’s you know both on the privacy and security side there’s a lot more sort of you know government regulation and focus from um you know different agencies that are starting to mean that there’s just almost no choice you’ve got to take it seriously and then you know you you only have to sort of like i said pick up the papers and you hear about you know a ceo who’s at the fallen sword because of an incident you know major fines all of these kind of things are just starting to get people to sort of um act on it a bit more the question is kind of what what do they do with that that side act you know how far do they want to take it on that then you’ve worked with companies um both on a technical level hey we’re going to fix xyz but also where your more comes into it is building that culture of you know culture of you know security acknowledgement where where do you start with a company when you know you want to go in and and start those conversations on on changing the company culture around security how does that conversation how does that process begin so i think you know i think it your your point earlier is a really strong one around start with why yeah so i think it’s hard to have a conversation around culture unless you can kind of anchor it in what’s the what’s the purpose of the business so that’s that’s always a good sort of framing point i think what the way i think about culture is you know culture’s kind of a shed of a set of shared values you know that and that behavior that reflects that you are aligned to those shared values so you don’t want to necessarily go in and reinvent the wheels a lot of companies have a set of values already and they have a culture already you don’t want to position it as well you’ve got your culture and then now we’re going to come in with this new thing called a security culture what you want to do is embed security into an existing culture so you start with values you start to understand what the company’s values are what they’re trying to do anyway and then look for ways to express good security behaviors through those existing values so they might be just as simple as you know like there might be a value that’s very much around sort of let’s say doing the best for our customers and you sort of start to understand well what does that mean in security terms let’s express that yeah so that’s one one place is to start with the existing values i really think it’s important to engage leadership um i think culture is often a product of well culture is you know really about sort of internalizing certain behaviors and norms and and often that is done because you you see them role modeled so if you see other people in your organization doing something you see leaders doing something you internalize that as that’s just the way we need to be so when i you know talk to organizations about culture i often say well you need to get the let’s get the ceo engaged in this let’s get him or her saying here’s what matters to us from a security perspective here’s why security matters for us i don’t think it’s possible to really drive culture unless you have strong role models and strong leadership so that’s the other the other piece and i think you know keeping things pretty simple from a culture perspective as well you’re going to have it’s a very complex domain and you’re going to end up saying very kind of technical and complex things don’t click on that don’t do this you know use that cloud storage service you don’t use that one it’s going to get into the weeds but when you want to talk about culture you want to keep the messages very simple and high level and then those other things will sort of all fall in within that yeah nice i completely agree i think uh you know you know it can’t all be you know top down you know i can’t be all bottom up right that’s trying to influence it in both both directions and you mentioned a couple of couple points just there about you know techno technology skills and things like that i’d like to you know get into that from from your perspective but if we want it back for you where did you start and how did that journey lead you into this security space because i know it’s it’s definitely not traditional yeah i had i’ve had a very sort of roundabout wanderers journey into into tech generally and then and cyber um a bit of a double dip i sort of came out of uni and went went into technology i did an undergraduate sort of business information technology degree went straight into a technology role within a sort of big four consulting company and um my first my first go at technology probably wasn’t a good one like i didn’t actually enjoy it so much i um kind of came in it was sort of after you know what like some years after y2k and all these kind of gst changes there was a lot of money floating around in consulting and i went in and i was doing a fairly kind of typical big four consulting job of you know implementing big enterprise packages at big companies and there was a lot of fun from the excess that was floating around from all those big cached up projects like y2k and so i was enjoying that part of it but after a few years realized i don’t actually dig the actual job that i’m doing and i always had this kind of passion for journalism and the news and and and what not and so after a few years i thought let’s just let’s just go after that and so i um i literally sort of put a line through the technology career and went off and did a journalism degree learned very quickly that a degree in journalism doesn’t actually help a great deal to get to where i wanted to get in journalism just to write for a newspaper you need a portfolio so i went kind of right at the bottom rung of media you know and just worked my app writing for small publications um you know packaging magazine and these kind of things just to build up a portfolio and found my way eventually up into the sydney morning herald and so i worked as a journalist for a number of years and i remember even while i was there sort of act like because i had a technology background and a degree that often kind of looked to me to write on text stories and i’d sort of push back on it i was i had this thing about i don’t want to be boxed in that way and i was running away from tech for a long time yeah but but at the same time was really sharpening up my kind of writing skills and and and research skills and went from media into a media advisor role for a government minister state government minister and deputy premier at the time and that just again broadened out my comm skills from sort of being very sort of being able to write a news story to this kind of more strategic kind of approach where you know in in government there’s just so many different elements you’ve got to try and get in the one message like you might literally provide like five paragraphs to a newspaper but you’ve got to sort of come up with the kind of political considerations you know try to make sure there’s something that puts the you know public at ease i got good at sort of thinking quite strategically about words and went and then went back into tech on the back of that but as a comms person and when i went back in that second time i found that i was just i was in love with tech again like it would like i think the timing was was interesting because it was you know the smartphone had just come out well smartphone penetration was just starting to pop up and cloud computing was sort of taking off and social media was happening and all of a sudden it just felt like everything was changing and you know the society was being transformed through technology the way we were interacting with each other was changing um industries were being kind of disrupted including the ones that i had just come out of like media was having a real hard time of things yeah so i was just seeing this kind of massive shift in the world and suddenly like it was it’s exciting to me again and and i felt like i also had a role to play with my comms background um i was working for one of the banks at the time cba and they had a very strong cio who had a very big vision for what technology was and what it could be from the bank’s perspective and he wanted help telling that story and you know i just found myself really fortunately in this place where all of these trends were happening i had this skill set to help positively tell the story about why the bank wants to invest in technology what it wants to do and that was kind of both an internal and an external focus it was sort of you know right do a bit of raira and get people within the organization excited but also externally you know like you know getting customers investors to understand why the bank was putting so much into technology and you know while it was trying to also unpick all these legacy systems and glitches and all that happening kind of put that in context and say well this is part of the pain we’re going through because we’re going to get to a better world through tech and so i got really energized by that and and again like i said saw that i had a role to play to actually sort of help move that mission and that that strategy forward and so i was doing that sort of generally in the sort of tech space within the banking sector for a while and then started to hone in on this idea of security and privacy and that was kind of mainly because i was just seeing that a lot of the plays were starting to involve data and there was this real kind of question of like trust underpinning what organizations wanted to do you know they want to collect a lot of information they want to deliver better services but at the end of the day they’re going to need to get this kind of security and privacy thing right for to really to to really underpin that and and edward snowden happened like literally at this time as well he came in and launched this dossier about you know what facebook was doing and so that kind of blew it up again and so i just sort of really suddenly found myself in this space where i could kind of help do some advocacy within the organization and outside around trust around privacy around security and so that’s kind of how i just sort of sort of landed and i like i said i was fortunate to kind of have a couple of you know very charismatic leaders that kind of they had the seeds of the story and they wanted me to help them tell it they wanted me to help them kind of promote promoted and so that’s that’s sort of how i landed in those spaces and then from there it kind of grew so it sounds a hell of a like just providing value right you’re in a spot you had a particular skill set that was able to provide them value at that point and i think that that a lot of things as simple as it is just being able to provide value it goes a long way but that’s a super interesting story and i think there’s probably a couple of parts there i’d like to pull apart i think uh for technology professionals these days the the old-school thoughts of you know let’s go a lot of software developers or i t people in general are you know in a in a dark room banging away on a keyboard right that’s changed and that’s just not the case anymore yeah obviously there’s still a place for extremely technical people but that communication element you that you’ve gone down has obviously led to a lot of success for you i’m not saying all tech professionals need to go and do journalism degrees but that ability to communicate the ability to communicate value the ability to actual talk with other people or provide your value communicate that value proposition from a technology perspective it’s just a rising and rising importance in the technology landscape or business landscape in general do you think you agree that you know the journalism obviously provided you that opportunity is there any advice you give to other people without going to your your lengths but advice for others to to help position themselves in that way or grow as better communicators yeah well i think you’ve hit it on the head which is i think you know you sort of start by you sort of understand or recognize how important it is i think um you know i’ve just seen organizations you know very skilled people in a particular domain and you know technicals can be technical can be a broad term in a sense it can be someone who’s kind of technical in the sense of they’re you know they’re a great coder or you know they’re very um knowledgeable about a particular technology or it could be you know they’re um they’re a risk professional or something like that and they know those frameworks really well but being able to sort of express their value and advocate for their value i think is is a really important skill i think you know there are so many kind of competing interests around technology and and so being able to sort of stand up for the value that your thing delivers is really important and comparing interest on a business on a business side right like if if a technology teams are fighting for extra budget for more head count or for another project or to invest in a particular platform um being able to communicate that that that value prop is massive right yeah so i think you know i think i totally agree so i think um you know you can’t no it’s it’s unrealistic like you say they expect everyone’s going to sort of have a journalism background or whatever but but there are any number of sort of professional writing courses and things like that that people can do to sharpen up that skill set the but the other thing i think is just to find you know good allies within an organization as well who can help you tell that story i’ve i’ve been lucky enough to be that ally for for a lot of people who sort of you know come to me and ask for you know what ways that um they can tell their story but also there are i think there are within organizations people whose job it is to sort of surface up things that are of value and and but you don’t necessarily know what they are so those people kind of can put themselves forward and say here’s what i’m doing you know how do i get this into the briefing that we give to the cio every every month or the the report that goes up to the board like this is a good piece of work that i’m doing and so often those people that are pulling those reports together i know in my experience when i’ve had to do those you don’t know all of what’s going on you don’t know what great value is being delivered and often when people come forward with it it’s like great that’s absolutely thank you i need that so you know just you know being quite open and transparent about what you’re doing and why you think it matters yeah nice obviously that’s uh that’s attacking i guess attacking you know your roles from a communication perspective now the security side of it have it’s been a a sharp learning curve for you from a learning the technical side of security again having that time out of you know technology and then back in has been a you know a sharp learning curve massive massive learning curve you know i didn’t i didn’t know a great deal about security or privacy when i kind of got into it it was like i said i was sort of pulled in purely on the basis of this kind of skill set around writing and research but it wasn’t because i had any subject matter expertise so i had to i had to learn it on the job and that was that was really challenging i think i was lucky in the sense of i had had a profession that required me to always kind of go and chase down new things and research them in order to write about them and so that that was that was kind of my trade anyway but to get to get the level of depth i needed to actually be effective was was challenging how did you go about that yes it was you know a lot of conversations a lot um people have told me often that i i’m not afraid to ask dumb questions silly questions and i think and i’ve never been i was not initially conscious of it that that was something i did but i think that helps is like i’ll often say well what does that mean or you know i’ll be the one to sort of ask us to sort of can we go back two steps and so that that kind of approach i think helps just going to a lot of you know conferences and meetups and things where you can kind of you just keep people talking and you know learn from that um so professional networking is is incredibly important and then you know just consuming as much information and news as i could so you know i’d ask you know i’d ask the the pen tester or the um you know the security architect what do you read they’d give me a couple of things and i kind of add them to my my news sources and start just reading and consuming i i’d love love the ability to ask dumb questions um i same thing for myself right obviously recruitment across the technology yeah space uh i have to have a solid level of knowledge across the board yeah um so more deep in some parts than others but you know technology’s changing extremely quickly and i don’t think anyone uh acknowledges oh i don’t think anyone expects a recruiter to to know that at a you know i don’t need to be able to write the code to build the application but i need to know you know how it’s done or and what languages and the differences between a and b yeah and it’s that it’s the ability to ask or just even the fact that you will ask it and not be embarrassed to ask the dumb questions i think most people actually respect you for acknowledging that you don’t know the answer and asking the question rather than sitting there and pretending to know what it is and then being called out at some point in the future yeah and i i think i think it’s a really good insight because i think i think that experience is also more common than maybe people think like you probably feel you know reluctant to ask the dumb question or uh or that you feel a bit reserved about the fact that you don’t know something but the reality is a lot of people are learning like like you say these are fast changing areas and you know there’s a new there’s a new thing on the block every year and people don’t know what it is and it’s okay not to know what it is and it’s it’s important to know that you have an attitude to learn about it and and you know if i sort of talk about security as well it’s full of it people might not necessarily have my background but it’s full of like wanderers and people who’ve gone on weird journeys to get there like it’s there’s a sort of there’s obviously a pathway that kind of is maybe not standard but maybe more common if people kind of go through let’s say a computing science degree do some security electives and then kind of come in but it’s full of people that have you know worked in different areas of technology or different areas of business and kind of found themselves there it is very much a sort of broad church kind of thing and so i i have found that it’s quite common to find that you know any given person probably only understands 20 really well of what the security team is doing and there’s this whole 80 that they need to ask a lot of questions about and learn and that you know no matter where you are you’re going to have it your own 20 80 split but it’s going to be roughly that and so you know and and again you kind of go all the way up to the most senior people in the company a lot of them are not they’re just starting to grapple with what security means and you know what are the different elements and how do we tackle this problem so there’s education and learning and openness required at every level of the stack and unfortunately or hopefully that’s kind of where i kind of see that there has been a role for me is to sort of try to help that even though i don’t have the answers i can maybe have the skill set to help yeah ah i i i just i just think um that they’re not being embarrassed about asking those questions and acknowledging that you know there is eighty percent out there that you don’t know or you don’t know that same depth and people most most of the time you will find people are very happy to share especially if it’s in their 20 wheel house because hey when it comes up and they get the opportunity to share you know their their in-depth knowledge uh you know most people jump at that opportunity right for sure yeah absolutely nice you mentioned securities uh skills and the technologies are changing so quickly as you said every year and that’s probably even you know that’s that’s probably at best right like things changing it’s so so frequently um building security teams is obviously extremely challenging how what’s yours you know sort of state of the state of the world when it comes to building security skills within a team or within an organization or or building that as a talent pool in general yeah it’s a it’s a really tough space i know that most businesses most organizations still struggle to find good security talent um there’s a there’s a real shortage i think last week the australian government put out its cyber strategy and said there’s still like 17 000 you know shortage of cyber skills and there will be for the next kind of five years or so it’s been a you know so it’s been a well identified thing and i think at the at the kind of coal face companies are struggling with it they still sort of really struggle to fill the pool um how do we build that pipeline i i think you’ve you’ve had some experience in around that space in the past yeah i’m providing advice around that i’d be interested to hear you take yeah so in some one of my previous roles we sort of looked at well this is a problem it’s not going away and it’s not going to organically get any better in the time frame we need it to you know we’re all like ramping up our kind of data collection and all that and we need to solve this so what can we do and so one of my roles was to sort of look at a strategy at building out that talent pipeline the i mean the first thing to sort of understand is it really has to be like a full pipeline kind of approach so we’ve seen fortunately i think in the last five years a lot of investment now from governments to sort of increase the number of courses for example at universities and that’s been really good so you’re starting to get more courses that teach cyber security but you kind of want to get the pipeline flowing at all ends you need kind of kids at school knowing that it’s even a career like that it’s funny how low the awareness is that cyber security is actually a a career path like that if you’d like breaking things and you know you know tech from a technical perspective going in and doing that that you could actually do the same thing as a job it’s not a hobby that you need to leave leave behind so you know building out the pipeline so that kids are interested understand it’s a career doing the right subjects at high school getting themselves into a degree that has you know security options and then flowing through is like a full pipeline-wide approach that needs to happen and i think that that is still an ongoing project there’s a bit of a challenge i think now which is that there’s been a lot of focus on you know university courses and we need more of them and so there’s been a lot of investment in standing up of the courses there’s also a teachers pipeline issue so you need that you need to have kind of enough people that are skilled to teach cyber security skills so that’s kind of a slightly different twist on it that actually like you i don’t wouldn’t undersell how important that is to the pipeline like you need to have high quality teachers to get the high quality pipeline of talent yeah and so that’s that’s um you know that’s a tricky one as well very difficult when that skill set hasn’t been around so long to have those those experienced people to be able to teach yeah and like we you know what this was one of the things we sort of stared into when we started which was you know we were starting to kind of see some of these courses produce really high quality um graduates but often they weren’t even getting to the point they were being graduates like they’d be in their second year and they’d be they’d do a couple of let’s say competitions or something and they’d get on the radar of google or someone in the valley and before and they would say to the student don’t worry about finishing your course we’ve got a job for you yeah and so there was this kind of leakage of you know high quality talent and the reason i say that in the context of teachers is it would be awesome if you know you could keep those students in the in the university space completing their degree but then also maybe teaching doing some tutorials yeah you know like you you’re losing all these kind of great graduates and that also means you’re losing a potential pool of teachers so kind of trying to think clever about ways to keep you know that talent in the australian ecosystem and then in the kind of academic ecosystem so they can kind of teach back is is important obviously industry academia partnerships are really important so getting exposure both just in terms of making sure the curriculum is kind of practical and relevant but also getting that kind of exposure of you know industry professionals who are actually working in security or privacy coming back into academia teaching um that’ll help kind of grow the pipeline but it also it goes back to that kind of that role model thing is like you can see what a career looks like when you have someone come and stand so some of that is is you know really sort of been picking up over the last few years those kind of partnerships and that academia i think the other spin on it is kind of diversity is still a challenge as well you know really getting you know like particularly sort of gender diversity and then security is an ongoing challenge and so that’s where i think that early pipeline stuff is important because a lot of um i think the research is something like a lot of girls drop out of stem subjects by about year 10 like that’s kind of where it tends to happen so creating the role models showing you know surfacing the role models and showing them into high schools is really important to keep diversity flowing through but then the and i think the other piece is also like because we’ve talked already about how you know security is a broader church now there’s there’s obviously sort of technical roles and there’s a kind of pipeline that gets you there but secure a security team is comprised of so many different skill sets and so the other way to think about the pipeline is can we embed security knowledge and baseline kind of concepts into other courses yeah you know can we get it into the into law can we get it into communications can we get it into schools exactly so that you could because you know as we said like there’s you know like now security teams have got sure they’ve got like you know good you know incident responders and penetration testers and whatnot but then they’ve also got you know very business focused program managers or they’ve got you know a risk professional or someone who will really value and make use of a foundational set of security knowledge that they can bring to bear on an organization so you know how do you get it into all of those other courses and just lift up the baseline knowledge that’s i think that’s the next maybe thing that we really need to look at yeah i think that sort of that mentorship you may mention of you do use the actual word mentor but from a university perspective keeping people in the system and then that that person provides that mentorship or at least the the clear path to where you can go it’s the same within organizations as a whole if you can hire somebody at a sort of senior level and then grow the people up or bring a consulting agency in that’s got some really strong knowledge and then have a junior grow up or some people from other parts of the business grow and become those internal advocates is a nice way to look at it as opposed to just trying to hire a bunch of experienced people which is extremely difficult because of the lack of talent so it’s having that that senior person or that mentorship or the agency or the consulting firm come in be able to provide that mentorship that that guidance and then have other people either either junior people who want to become a tech a security professional other people parts of the business come in and take that sort of that mentorship that leadership yeah absolutely yeah it’s always more satisfying not and you know to also say like uh probably cost effective to grow your own people but yeah it’s it’s just it’s much more satisfying so yeah thinking about it in terms of mentorship is is critical and i think some of those industry partnerships i mentioned really kind of thrive off doing that there are there are lots of sort of programs where different organizations have gotten together and said let’s like try and profile the different roles that exist in cyber security and we’ll you know we’ll have one person do like a day in the life kind of video series or something to really you know make that real and then create maybe a personal connection a mentorship arrangement i think those things are useful and then like you say within an organization you know like it’s a really good way to do it nice one of the questions i ask on this podcast every time is uh in around that education space you’ve done yourself two degrees and one from technology to begin with and then back into journalism then you mentioned again the universities would you know bring out um cyber professionals or the the next pipeline obviously it sounds like you’ve got a really positive take on your experiences with with university yeah yeah absolutely um i think you know they i mean my like you said i’ve done two degrees so i’m not sure i have a university experience i think you know from what i’ve seen also personally in you know working on sort of the skills challenge there’s some really really passionate people about creating kind of the next generation of you know security professionals and and that means they’re they’re not wanting to create something that’s theoretical and you know outdated the second the students leave university they want it to be highly applied and you know designed by industry and so you know that some of those experiences have made me really hopeful for the quality of education that’s that’s that’s out there at the moment and then you know it’s also sort of expanding into other sectors like the tafe sectors got a lot of great courses now so there’s a lot of opportunities to sort of find your path um and then you know professional certifications that’s a whole other thing as well there’s a little bit there’s a lot of ways i think for people to kind of get that you know formal i i didn’t do it i sort of like i said learned it on the job but um i’ve always kind of looked at and gone that’s probably a good thing to sort of have yeah it definitely sounds like it’s part of the mix there right there are there’s multiple options you can pick from and i think that my gut feel at the moment my personal take is it’ll forever be a part of the mix that it just might not exist in the current format where it’s you know that longer term degree i think you’ll pull you know different parts of it and look at micro degrees and things like that which uh might say you know extremely relevant with the current market and you can pull in something from tay for a professional you know from professional um partner you know service or somebody from uh yeah within the industry who’s providing certifications things like that might you know come together as your education whole yeah yeah and the other the other thing i’ve you know found really um exciting from uh you know looking at the way the security world works as well is the the amount of sort of non you know informal education and play type stuff there is so you’ve got like all your projects and things that you can do you know like kind of let’s say hacking groups and things like that that kind of come together and they you know have different competitions and things like that or people sort of develop their own little projects on and put them up onto github and things like that and you know increasingly the the ability for like a candidate to say well okay here’s my degree and here’s what i’ve done but also check out my github go have a look and for that to be actually uh almost like you know the difference that gets them the job you know and so you’re speaking to my heart i’d love that i i think uh in the tech space in particular somebody that shows an interest outside of what they do day to day and their nine to five or what they’ve done outside their degree hey i’ve done a degree but i’ve also built xyz i’ve participated in xyz hackathon i’ve done this challenge or if you’re you know that maybe you’ve you’ve built your own application your own website things like that uh the differentiator i believe yeah in helping you stand out well and you know for me it’s a nice parallel for me or back to my experiences in journalism as well because i thought you know i’ll do this degree and i’ll do my best in the degree and i’ll do all the kind of assessments as well as i can and that’s going to get me somewhere yeah and then they were saying well show us what you’ve done like show us what you’ve written show us you know what what have you what articles or columns have you just done yourself and submit it off to a publication that we can sort of look at and see what you’ve been doing until we actually see you know you how you apply the skills that you’re learning yeah and at the end blogs for example for journalism having your own blog that you you know you’ve actually put something out there so right writing samples is like the equivalent i guess if you’re kind of your github and and at the end of the day it was what what mattered so you know it’s been cool to see that that that is totally the way it works also you know in many of these particularly in some of these more technical roles as like you know some of these you know students that come out of universities have got amazing portfolios of stuff that they do in their own time yeah it’s incredible yeah completely great completely great we’re getting on we’ll sort of start to wrap it up in a minute so just to go into a little bit about yourself uh obviously a pretty big role i work with you know a number of different companies and things like that uh competing uh competing priorities i imagine how do you manage your day from a productivity perspective it’s it’s an ongoing challenge i think i have fairly kind of you know i could work work with a sort of variety of clients so i tried to sort of have fairly you know fixed days where i’m kind of focused on you know one particular client and i can kind of give myself to them but from a productivity perspective i think the challenge for me particularly in in the world of covert is is getting the balance you know so not just sort of disappearing into you know like the the home office and just kind of working through things i think productivity comes from being able to still have those key breaks those key moments where you can kind of disconnect and pull back because particularly sort of a lot of some of what i do i think i i feel like i need thinking space and one of the challenges i find is that the home working environment doesn’t always lend itself to thinking space you know like it’s yeah you don’t have a commute you don’t have a walk like two minutes down to get go to the bathroom or to the kitchen it’s like everything is sort of nearby so you tend to sort of become a bit bunker down and that can mean that you become less productive because you’re not sort of thinking through problems in a broader way so for me that’s probably been one of the key challenges of late other than that it’s you know i’m a big advocate for like what are the three things you can realistically get done today sort of approach so it’s kind of you know yeah you’ve got 12 things that you could do but you probably won’t do any of them if you try to do all of them yeah um so i’m i’m like the first thing i’ll do on a in a day is right like these are the three that i need to get done off the end of the day a successful day yeah and i’ll keep going back to to them and then that’s that’s a challenge because things change during a day but that’s that’s my sort of overall mindset yeah very nice i’ve uh i’ve used a similar app myself in the past and i haven’t stuck to it i don’t think i’m i’ve i’ve never stuck to a lot of those apps i’ve tried a lot of them but i would say that’s probably one of the stronger ones and i try to you know keep roughly two to something similar where hey what’s my at least one really big win for the day or a couple of wins for the day and then you get them and things come up right emails you know always somebody else’s agenda so if you if you’re just uh at the mercy of your email the whole day you can have many unproductive days yeah and and you know the the work from home thing again things are a little bit more rigid as well like you what used to be maybe a five-minute conversation a chat to your colleague or pick up the phone everything now seems to be like let’s make that a you know a zoom call or a teams call book in 30 minutes for that and so there’s kind of this um like the liquidity of like information exchange between people has kind of broken down a little bit and that can make things harder as well so trying to just you know try to keep it simple yeah i agree you mentioned before you know part of your learning was taking some advice somebody mentioned a good book here someone mentioned you know something here where you can learn from are there any books or podcasts um that you’ve consumed in your days and you think hey this is something i’d love to recommend to people this is one it can be security later it could be life like anything related one of the podcasts i’ve always you know for anyone in tech that i i would recommend is it’s called exponent and it’s it’s run by an american technology strategist um with and his kind of co-host is actually an aussie guy who’s based in the states and they talk about kind of technology strategy and so you know they really kind of break down what a business is like a facebook or whatever are really trying to do and how their whole business model works and all of that and it was one of the ones that really sort of got me quite excited in that sort of second wave i had with tech and so like this is the world is changing and there’s this kind of social business connection going on under power powered by tech so i i really recommend that one and uh as a book like there’s a book i like called fact factfulness and it’s just a book about you know like how we sometimes miss the truth of what’s going on there’s so much information and so this book is kind of like actually the world’s not a you know not going to hell there’s actually a lot of good indicators we’re making progress and here’s how you should think about the world to see that and i always find that kind of thinking is useful because there’s so much information how do you make sense of any of it and you know it kind of ties into what i try to do in my job as well which is just like let’s kind of get to the why to your question nice is there anyone out there that people should follow for some more information obviously that podcast you mentioned is there anyone else that you think whether it be twitter anything else or blogs that you think hey somebody should definitely follow this person probably more for your i guess more on the technical side but you know the risky business podcast guys do a great job on the security front that’s probably a good round up and uh what else is there yeah i like um there’s one from out of the states called morning cyber security it’s by the politico magazine and they kind of do a nice round up so yeah there’s probably a couple there nice man nice you’re obviously you’re based in newcastle mate um if people like what they’re here today and they’re like i’ve got a question about scooter i’ve got a question about you know building a security culture or having those conversations uh what’s the easiest way for people to get a hold of you so they can get me on twitter so our drama yes my handle and um uh also on linkedin we’ll link up both of those in the show notes on the website so may thank you for your time today cool thanks cheers
Work with our specialist recruiters who understand your technology or engineering niche.
Contact us today