On this episode of the NTP podcast we interview Cole Cornford, Director at Galah Cyber. We talk about his experience working in cyber security, his interest in the Newcastle technology community and growing cyber security in the area.
Hope you enjoy the episode!
Here you can source all the things we have talked about in the podcast whether that be books, events, meet-up groups and what’s new in the newcastle tech scene.
Can you tell us about your role at Galah Cyber and what technology you work with?
What do you enjoy about remote working and how do you manage your day?
What was your experience at university?
What can the Newcastle community be doing to encourage new graduates to move into cyber security?
Can you tell us about Newcastle Cyber Security Group?
What resources can you recommend to our listeners to up-skill in their tech career?
How does our audience get in touch with you if they have more questions?
hello cole welcome to the new tech people podcast thank you for having me here awesome um look first things first who are you what do you do let’s keep it broad yeah it’s pretty broad in it so i’m cole i’m the director of a small cyber security consultancy called glass cyber what we’re good at is making clear actionable advice for small businesses but also having a technical capability to do a big end to town as well awesome oh this is a hard question is that we had a glass start well i so it’s a it’s a pretty unique story in that i well actually not that unique for a lot of folk but i was going to move overseas to go work for a tech company a big f if you has a lot of ace on the end of it so you know it’s got a different name now yes not the big f anymore um but yeah that that didn’t eventuate because i wanted on site so i found a different tech company that was the polar opposite of ethics called change um which is pretty interesting they let me work remote and during that time i was always under the expectation that i’d be able to move to canada move to san francisco just have the good tech boy life right in silicon valley um i never eventuated because i covered but i did meet my wife during the pandemic so which led me to make the decision that you know what maybe i don’t need to go over there like australia can actually do really well in tech as well so why not stick around here so um i i quit change um because i didn’t like getting up at four in the morning yep understand this it’s very hard yep that’s fair yeah a lot of folk i spoke with um who’ve since left the company said that they just didn’t understand how i’d consistently do that and it’s as well you know it didn’t have much else to do during a pandemic did you right so but um when things started to get a little bit back to normal i was thinking well i just kind of want to do a nine to five kind of gig but i’ve always wanted to own my own business and i felt like it was just a great time to just start a consultancy and start doing it because i know a lot of folk in the appsec industry and like remote gives me so many opportunities to just go out talk to all sorts of folk on zoom and just do my work from home right so compared to all my other jobs where i had to be on site and just like traveling between workplaces which would eat up most of my time now it’s like yeah i’ll just download everything off git and let’s go awesome awesome another hard question what’s what’s your vision for the company what are you actually i mean money is what you’re trying to achieve profitability it’s a mix actually so like of course money is important for pretty much any business owner but for me one one thing that really got me going was about 10 years ago the neck knock city council gave me two and a half k right yep um to study at university and at the beginning of the pandemic they cancelled the meryl scholarships because they couldn’t get business sponsorship and i thought that that was a bit disappointing so it’s i wanted to give back to the community where i could especially in the newcastle region which is why i really got involved with like you know newcastle cyber the new slack and just a lot of like kind of philanthropism of it you know so why not gonna have a sponsor in a few awards this way out says not quite because like you know that money makes a big difference for like a uni student you know i got like a hundred stunner meals out of that scholarship yeah you know like that’s that’s meals for three months not great meals but it’s not a bit of keeps me moving right so and i want other students to maybe not have 100 meals but at least like you know they can buy textbooks and a laptop and like look after themselves and not just like sitting there worrying about money on a day-to-day basis they can focus on their career so yeah so that’s one opportunity is like you know financial support for students in the like regional area but i really want to help the university just grow tech in newcastle so i’m working very closely with um karen um at the uni to help make the it program get uh stronger graduates who come out with more technical skills because that’s something that i had to really invest my own personal time in at university compared to most of my cohort and so i really want to like help those people have better outcomes there and yeah just locally like cyber security is not really common in newcastle i knew i don’t think so um a lot of small businesses have approached me and said like what do i do it’s like well usually the pattern is relatively similar which is you know patch links turn on multi-factor authentication strong passwords but they don’t have someone to ask and contextualize the advice to locally so i’m giving back to the community in that way as well by trying to give free advice to as many small businesses who ask for it so which i don’t know those are my ways of trying to help out but i think it’s it’s better than just like making money and then going and buying a house in pots point or something you know that’s yeah fair enough um we’ll get the plug out of the way a bit early uh i know you’re hiring people who do you want to talk to yeah uh software engineers um yeah because the type of consultancy i do is either relatively simple advice for small businesses so this is great for people just starting their like careers they’re interested in cyber security because the advice is not complex you just need to be approachable and you need to help people and hold them through something that’s a very scary topic right now on the other end of the spectrum i’m looking for principles so you be good at what you do you can communicate clearly and i’m going to get you in and do lots of engagements with nasdaq and asx listed companies so let’s go cool and presumably fully remote work wherever yeah yeah just um you let me know what you kind of want we’ll get you going so nice and easy really i i try to be a flexible employer a few things like kind of differentiate us a bit is we want to give folk a bit more leave so um instead of 20 days if you take 20 days in the year we’ll give you an extra week so which to me it probably suits a lot of people just want to have extended vacations and like you want to go learn stuff i will make time and pay for you to go to conferences get training probably up to about four to five thousand dollars a year so just come come work for me it’s great awesome so changing tack a little bit you grew up here you kind of went and worked elsewhere um can you tell me a little bit about that process and i guess to some extent what was missing in the newcastle community i’d say like number one was probably jobs and education really like so i have always been interested in cyber security from and this is going to be a little bit of a nerd plug but i like video game hacking so i don’t do it i’m ethical i’m a good man so but i love to learn about it yeah so all sorts of old school games like zelda and mario that’s what i love just seeing people like finish games fast and create exploits and glitches to help them achieve that right and that was where i really got into the whole cyber security thing because if you think about it a video game is the same as an application right they both run code it’s just one of them is a little bit more fun to think with than the other now i i want to be honest i was going into newcastle with not really particularly much idea about where i want to be um in the future and over time i just like kept gravitating more and more towards security and got solidified over the course of the unit called data security right at the time i think that was the only course that actually had any remote security like cyber security stuff going on at all and it’s a very niche topic within cyber security so because you know we do care about data protection but as security practitioners we often say cool cryptography we’ll leave that to mathematicians and we’ll just follow the advice right um which is what i ascribe to because i’m terrible at math so
but going back to the original question is because there weren’t too many firms locally who were hiring people specifically in this space there’s not much of a gap to actually get into it so i had to go work for the federal government for a few years and i did rotations in different places it was a grad program that’s how they are and end up landing in the application security space right and yeah that kind of set me up so i had a lot of experience with static analysis tools dynamic scanning interaction with risk and governance across a huge enterprise and then moved to just different industries like telecommunications banking fintech big tech um just all sorts of clients right and they all approach security very differently but if i didn’t get initial foothold in the um application security space within the federal government i’d probably be stuck with this kind of idea that data security is security and that’s that’s not a great place to be right now i do know there’s other employers locally but most of them are in the i think defense and the problem with the i wouldn’t it’s not it’s just a different career path right so like what you would approach for a defense oriented like company is completely different to a consumer focused one so they just diverge so there’s different ways to do security locally it’s just those avenues weren’t really exposed early on we’ll say 10 years she is on do you think a prospective university student is in a better position to pursue a security career better i think it’s better there is the university has definitely taken feedback on board to provide a lot more cyber security like courses some of them are focused on network security which is great if you’re going towards a defense sector some are focused a bit more on software security which is good for me and a little bit about governance risk compliance um pen testing all of those different things but we’re seeing a lot of like i guess tech firms popping up in a newcastle region because hey we’ve got good beaches and we’re cheaper than sydney so well for now we’re almost sydney too right yes yeah yeah pretty much and if like fast rail happens yeah yeah yeah so so um i just think there’s like there are a lot more opportunities for people to pursue cyber security out this way and especially with remote but that said remote opportunities are not great for juniors to be learning skills as far as i’m concerned so that’s why i really wanted to create a pathway for juniors to come into my business and then get exposed to different types of cyber security like practices because you know we do strategy we do advice we do technical consulting in cloud devops and application security what more could you ask for really net second pen testing we don’t do that but there’s there’s enough places around that do you you can have that need served elsewhere yeah there’s a lot of companies available in australia that do penetration testing but that’s not like a place that i want to be playing in the the newcastle tech community we’ve we’ve all seen quite a lot of growth in the last few years um but cyber security as you mentioned still a really small industry locally what can the tech community be doing locally to bring more people into cyber security how do we actually grow that community for lack of a better word well that’s a that’s a that’s a challenging question um i think the focus actually would probably be on employing more software engineers rather than cyber security professionals right because um dedicated cyber security professionals are really good if you have those really big firms like we’ve got the banks locally we have a health insurance provider those places are great for employing what we call line two risk which is people who are good at telling people what to do but they’re not implementing the actual solutions right but if you want to introduce more security practices into smaller tech companies that don’t have the budget or the time to bring someone on board then it’s best to get your software engineers up skilled and bring more of them on board because you’re gonna have to it’s um it’s something i advocate for quite a lot especially my larger companies i work for is that software quality is like completely underpins cyber security in the application security space if you don’t have a good architecture for your application that meets your business needs you haven’t fought through how you’re going to manage your source code from cradle to grave and you haven’t really considered about training your developers to make sure they use the right methods for implementing things then you’re going to introduce bugs right default patterns are the way to go and having engineers implement them is important one thing we haven’t kind of brought up we both organize the newcastle cyber security group it’s not just us we’ve got andrew and jay as well which we probably shouldn’t uh leave them out of it um what made you get involved in that to begin with oh jay initially um he was like well this exists come along to a few of them and i kind of graduated into more of an organizing position after a few events because well you know i started doing a couple of technical talks and um just figured that it’s important to you know demonstrate that there’s there is a big community of people who care about security locally what can we do to get this going and um i wanted to have consistency i wanted people to feel welcome and i wanted to just you know have a bunch of like-minded security practitioners come along and have a beer or something you know just chill it’s those kind of communities tend to exist in other places around australia as well um sex talks and seasides are the most common ones i’ve been to but the focus usually on those ones is offensive security and it’s not particularly welcoming especially for new people so we wanted i really wanted to make sure that we could turn ncsg into something that is good for people from all sorts of demographics whether you’re an asd like xasd person who’s just got lots of signals intelligence background or you’re a graduate of the university of newcastle and you just want to learn a bit about what cross-site scripting is or i don’t know threaten awareness people who just like to learn about what the cool stuff happening in the world is you know um and that’s that’s why it’s not like an oauth branded event or anything we i just wanted to be focused on newcastle and serving newcastle people what role do you think ncsg has in growing cyber security in newcastle what role do you think community groups in general have in growing the community dude it’s it’s it’s so important we have to do it because when i was like around i didn’t even know that a lot of these existed i think the only one that was really prominent was ndc or ncg newcastle coders group um and that’s expanded into lots of niche ones right and that’s really good because it means that you can find your people right and having a shared interest makes it really easy for people to network and find the other people i can help them with like problems that have in their workplace or to chat through and get you know network of folk who if you’re looking for a job you can you have an entryway into a place that would be you know incredibly intimidating if you didn’t do that in the first place right and you get to learn from some of the best professionals right because newcastle isn’t a slouch we’ve got some really talented folk here right like i don’t know why we’re not just like bringing more and more cool speakers on board and just doing it as often as we can right but yes yeah i really i just want to make sure that like anyone who comes along to it feels welcome and that they get value out of it and then they get to meet lots of cool people so that they can share their experiences and hopefully find better jobs and yeah just and improve security broadly across newcastle like it doesn’t matter if you’re a software engineer you’re a cio you’re just someone a university student come along learn it takes all types of cyber security it’s not just a security conference awesome who who do you think should attend that probably isn’t attending at the moment i i should say everybody but no that’s that’s definitely not going to be the case um i i think it depends on the talk that we have right because the governance risk and compliance talks are really good but they’re not very good if you’re a software engineer right because the relevance to your day-to-day job is going to be so far removed very hard for you to get value out of it same with like going to a penetration testing like talk is probably not the most useful for the grc folk who would not really understand the technical details in a lot of circumstances right so i i do think there’s value if it’s outside of your discipline you do go to a few of those ones because you could just pick up all sorts of things that you can apply like you know agile i talk about t skilling get get in there and get t skills right yeah um but also just like broadly people who are just like starting out at university at tafe it’s just good to get exposure to a lot of different people i i think that it’s underserved as far as networking goes and you have such a friendly group of people willing to tell you anything because even though it’s cyber security you just have lots of professionals at different stages of their lives who are willing to impart their wisdom from their wisdom teeth directly to you right so do it takes it that’s yeah one thing i experience in my role a lot is talking to graduates and graduates really not understanding the i guess first steps they should take uh when it comes to networking when it comes to you know building that community around them what do you say to those those people trying to get into the space um maybe not sure if they should attend an event because it’s you know a group of 40 people who they know none of them it’s a subject in which they probably have little knowledge about it it can be an intimidating environment so what do you say to them yeah look it i i’m a naturally outgoing person and the first few different events i went to i kind of sat in the corner and just listened to the speakers and i didn’t talk to the guy with the green hair and the mohawk in the corner who is the presenter because he terrified me and um that’s all right you can come along and be a passive observer until you get the confidence to go out and actually reach people and there’s a good chance that someone’s going to be talking about something that’s interesting to you so you can just find your way to merge into the circle like oh hey man how you doing i’m cole i’m learning can i can i chat with you almost everybody will be you know welcoming and would love to have you join the conversation so don’t just um don’t be scared of turning up to the events um outside of your risk tolerance for covert of course very true but but it’s um i think it’s okay to approach people like speakers um anyone at the event and ask them i don’t think we’ve really ever had people who are disruptive to my knowledge um no yeah i i think the real value comes from like speaking with people after the main event and just learning about their lived experiences yeah and i think something to add there it’s sort of it’s implied that if you’re attending a meet up as a senior individual like if you know if you’ve got c in your title in some way shape or form if you’re a senior whatever you’re kind of going there expecting that someone will hit you up for advice so people that are there they’re pretty open to talk anyway they’re pretty comfortable imparting any sort of wisdom they have so don’t feel like you’re intruding or anything like that it is i mean ncsg especially it’s a super welcoming community how did you actually get into this space so you started what degree did you study i studied a bachelor of it at the university of newcastle how i structured my degree was very technical so i basically only had like 20 to 30 units of fun subjects the electives were almost entirely computer science and my directed courses were about like web engineering data security um just all sorts of techy things right kind of throwing you right into the weeds with this one that’s all right security professional or prospective security professional trying to get into it should they do university i think university teaches some really critical concepts especially around like basic programming but also why you need to do certain types of programming but the foundations of like software architecture the foundations of just how different protocols work foundations of like big o notation and data structures that stuff you can learn online but when you’re doing a cyber security course online it usually focuses you very heavily on how to use tooling not on fundamentals and in my job fundamentals are almost like the most important thing so i would prefer to go and hire someone who can explain different layers of dns to me you can tell me what like how a you know tcp handshake works in detail and just explain to me what happens when they send a web request to google.com right but i’m not going to go out there and be particularly happy with someone who’s learned just like how to run a couple of different pen testing tools because anyone can you know write a script if they just copy it from the internet but it’s not value for the business you mentioned earlier that you had to do a bit of upskilling sort of external to university before you you know you felt ready for lack of a better word in 2022 what do you think the missing piece is for uni student to get into cyber security and where do they find that piece i’d say that university misses practical system administration and practical software engineering skills um to break those down they do teach at university how to use like chmod and a couple of command line arguments but they won’t really teach you why you need to use these things or how to use linux or why this needs to occur right so you’re kind of given an operating system and you’re given a couple of entry level commands but then you forget about them over the course of your degree until you move into the workforce and then you’re like well how do i how do i navigate linux at the on the terminal right let alone do anything cool like you know ipconfig or um nsh so now going onto the software engineering one um bokeh university aren’t particularly taught like enterprise practices like what’s the source code management tool like yeah github gitlab tfs bitbucket i don’t care i’m agnostic you use what you want to use but you need to know one of them right and they all work off of git so that’s not taught and it’s okay because you’re supposed to basically expect the graduates come out of it like having just put all their code in dropbox or something right where do people find you oh yeah um ncsg good start yeah i know newey slack um i don’t really do socials all that much because i work in cyber security so it’s understandable less i don’t have an insta i have a linkedin so you can look on there for glass cyber um but otherwise just go to my website dub dub dub dot alar cyber dot com dot eu hit me up on the contact form whether it’s for recruitment or just for you know your um you need a problem and i can help you solve it right sweet wait i think that’ll pretty well do us um look thank you so much for coming on and to whoever you are out there thank you for listening