Episode #55 Transitioning from physical to cyber security with Nic Martin
“I found, depending on where you are in the physical security structure, if you are looking to move across [to cyber], it's really challenging”
- Nic Martin
We open our latest season with Nic Martin, whose career of over 25 years spans defence, major events, senior corporate positions, and strategic and risk management consulting. Nic has experienced first-hand the challenges of successfully delivering security and crisis management programs in both corporate and complex operating environments.
Nic shares his story of transferring his physical security skills to cyber security, how the two fields differ, and the resources he has found helpful in making the transition into the cyber space.
Transcript
CP: Hello, and welcome to the Security Collective podcast. I'm your host Claire Pales and today my guest is Nic Martin. Nic has over 25 years of experience that spans defence, major events, senior corporate positions, and strategic and risk management consulting. Nic has experienced firsthand the challenges of successfully delivering security and crisis management programmes in both corporate and complex operating environments. Nic, it's great to have you on the podcast today.
NM: Thanks for having me, Claire, great to be here.
CP: So most of my guests talk about cyber or information security. Tell me a little bit about physical security, the scope of that, what it entails, and maybe a bit about why you got into it.
NM: Interestingly, when I started down the security path, cyber was in its very, very early days, and I'm talking going back into the early 2000s. And a lot of it was very much focused on the basics of protecting firewalls around, you know, very, very young networks at that stage. When I say networks, I'm talking about from a complexity point of view. So really, the physical security side was what was known as security in most businesses, you know, the traditional guards and gates aspect, through to dealing with activism, through to executive protection, travel security, all those traditional parts of security, which are still around today, and still a big part of how businesses operate.
I got into it interestingly, because I had just come out of major events, but also looked after a lot of resilience activity, the crisis management, the emergency management, business continuity. So that's where I went. And that's where I've been on and off pretty much since the early 2000s.
CP: And then when we caught up recently, you were telling me that you were trying to explore some of the ideas around cyber security skills and capabilities. So given what you've just told me about your physical security experience, and your desire to work in the resilience side of things, what's made you consider broadening your skills into cyber, and I guess what's been your experience so far in acquisition of these cyber skills?
NM: So the motivation to look at cyber more closely and get an understanding of it was driven by two things. One is, I think, the cyber and physical security teams need to work well together. And to do that, you've got to understand each other's languages. So that's at a basic level. But at a larger level, an organisational level, there's a lot of talk about convergence. And so if you think about convergence, someone's going to have to run those combined programmes, if that's what the business decides they want to have happen. So you either have the physical person running it as a CSO, or you have the CISO running it as a CSO. So I thought, rather than wait for that to happen, why not get ahead of it, why not upskill the cyber aspect of my knowledge base, and I'll head down that path and I'll just get a better understanding of the cyber concept and the terminology associated with it, so I can talk to it. So what I decided to do was, I thought, and this is the real challenge, I think, if you're a person in the physical security space, the transition across into cyber is much easier. So the natural step for me was to do a CISSP type accreditation. So I thought, you know, I'll go and take that on and do that. The big caveat in that is you're theoretically meant to have had experience before you take on a CISSP. I thought, well, I'm not going to be able to get that, I can't do that with my role. I can talk to the CISO, maybe do some work with his team, but I'm never really going to get the level of experience that I need. But I'll try it. And I started it. And it was just way, way, way too technical. The concept of security, exactly the same: threat, risks, mitigations. That whole process is very, very familiar to me. But the technical components of cyber, what it said to me was, I really did need to come from an IT background before I walked into the cyber space.
So I thought, ok, I can't do that, so I'll drop back a few gears and go into the Security+ level. And I've done that. But it doesn't really give me any sort of skill set that would allow me to lead a cyber team. So that's what I found today, is that depending on where you are in the physical security structure, if you are to move across, it's really, really challenging. If you're too senior, it's hard; if you're junior, I think you've got much more chance of making that transition across.
CP: I actually think it's a really interesting experience that you've had. I'm not from a technical background. You know, when we met many moons ago, I worked in corporate security, and, you know, I don't have a computer science degree. I don't have a CISSP. I've read the CISSP book, but I've never actually sat the exam. And I tend to sort of live by the rule that I surround myself with technical people who complement my skills. Do you feel like your skills as a leader in physical security are transferable to being a leader in cyber, or as a CISO? Or do you feel like without that technical knowledge that you've experienced in trying to upskill, you can't lead a cyber team?
NM: So when I was at AGL, I was the head of security. And about two years ago, they came and saw me and said, can you take on the property portfolio? Now I've got no background in it. I mean, look, I've dealt with property in major events and consulting in bits and pieces like that. But I've never actually been responsible for property. And when I talk about property, it's multifaceted. So there's the real estate piece, which is where you do the commercial leasing deals. There's the facilities management, which is keeping the buildings running and operating. There's the employee services, which is the concierge. And then there's the people who manage the workspace. So, you know, you've got activity-based working and how you restack buildings and get the optimisation. So I had no experience in that. But I lead that now and have led that for the last two years successfully. So I guess to answer your question, Claire, do I feel like I could lead a cyber team without the solid knowledge? Absolutely. Because management is management. Giving teams direction, giving them the support and guidance to be successful, making sure you're constantly looking at where your team's going, how they're performing, are they relevant to the business? All those concepts apply to any team you lead. So I think the challenge for me is, I think I could lead a team, but I'd need someone senior to me to have the confidence that I could actually combine both those programmes and run them, and look at it from a management point of view, and to your point, making sure that my management team had the right technical capability to deliver those various elements.
CP: Yeah, I mean, I think you have to have a technical literacy about you to understand what your team are telling you, because while you say management is management, risk is risk. And, you know, as you said, you dived into CISSP and you saw that, you know, all the principles remain the same. It's just that, you know, the risk, I guess, the foundations of the risk, are coming from a slightly different place. And, you know, traditionally, these roles have been kept quite separate, physical and information security, but you spoke earlier about convergence. That's really something that's coming together in the business side now as well, you know. Just about every physical device you can think of now has the ability to connect to the internet; it's got a degree of IT embedded in it. What's your view, as an organisation, should we bring this together? Like, you know, they added property to your portfolio, could you move into an organisation where you had physical, property, and cyber? Do you think that with the way the world is going with, you know, IoT, as we call it, that this is where the leadership is going?
NM: I've been thinking about this a bit, Claire, because, you know, I chair the Forum of Australasian Security Executives, which has had security from most of Australia's large organisations in it. And we do talk about this a bit. And interestingly, across that group, we have people who have that genuine CSO role where they're looking after security end to end. We have other people that have just a physical security piece, and hardly any team. And we have other people that are actually part of, they will report to, a CSO who was previously the CISO. So there's all these different models that we're seeing in our group. And we've got a very good relationship with CISO Lens and James Turner, because some of our members are also members of that forum. So you're starting to see it, whether it's within organisations, whether it's in peer groups, like we've got with FASE, or whether it's across different peer groups like CISO Lens and FASE, you start to see it come together. And I've sort of started to formulate my own theory around this. And once again, this is Nic Martin's theory, nothing to attach to my role or the organisation I work for - I actually think we're going to have to move to a point of Chief Resilience Officer. And where I go with this is that the physical security risks, the cyber risks, they're just essentially vectors coming in and impacting the business, and they're just things we have to deal with. So you're going to get that from different areas, you're going to get that through the fraud channel, you're going to get that through IT disaster recovery channels, all these different channels will come in, and how you manage that and the resilience of your business, and how it responds to that, I think is a role in a business. I think that's where we're going to evolve to. And I've left out privacy, which I think is horrendously underdone, you know, from an awareness point of view.
So how do you, I mean, the privacy role is huge, but it doesn't seem to get the same amount of airtime? So what I would say is, if someone said to me, come in and design your whole programme for a large Australian business, I'd probably look at it in three elements. I'd say, how are we detecting threat and risk? So what's our process? What does that mean for the business? How are we delivering against that day to day? So what's your day-to-day operations to maintain, to allow the business to perform its function? And that's, once again, a big thing for me: we need to enable the business to do its job, not block it, so how are we doing that day to day? And then finally, if we don't do a good job at identifying the threats and risks, doing it day to day, how are we responding? So that's a whole range of other things. That's crisis and emergency management, business continuity planning, ITDR, all that stuff. So that's my perfect model. It runs across those three elements and it brings in anyone that has a role to play in that, to make sure that the business is protected and supported in the event of some sort of disruption.
CP: It's funny you use the term enable, because I wrote a blog about security being an enabler, and how that seems to have become this term that CISOs are using, or that, you know, we're trying to say, you know, we're here to help the business achieve something. And I think that, in many ways, security can, as you said, become the blocker, where we're actually enabling, or influencing, people to go around us. And so, you know, trying to have the right culture and mindset around that stuff as well, and encouraging people to come to security and showing the business that we're there to support them as opposed to slow them down, or, you know, kind of get in their way. And that's not always the brand, I suppose, or the image that the cyber security team has got. And from your perspective, you know, is there a difference with physical security? Is physical security seen as an enabler? Is it seen as something that helps the business to achieve? What do you see as the most significant similarities and differences?
NM: I think running a physical security programme, in some ways, is quite a lot easier than running a cyber security programme. And I'll explain why. On the physical side, you're dealing with people, and you're dealing with their wellbeing. So they can really relate to that. On the cyber side, they can't see or touch anything. So you could tell them that we had this many penetration tests yesterday, and they're like, but if we had 10 protesters out the front, you know what, at least I can see, understand, touch and get a visible outcome of some of the work that I do. On the cyber side, it's almost like, if you think about Lord of the Rings, Helm's Deep, you've got all these people massed on this great big wall, and you've got all the orcs laid out in front of you, and they're just trying to get over the wall. So I can see that, do something about it, experience it. But if that's in a cyber sense, that's invisible. And day after day, you've just got this stuff pouring into your business, and you're trying to keep it out and keep it out. But try and tell people that: there's not, I don't know, I can't touch it, I can't feel it, I can't see it. So I think where I'm going with this is, on the physical side, I think it's much easier to have a human impact on the business and show them how you're supporting them and helping them achieve what they need to achieve than it is on the cyber side.
Because all I say, to your point, is, there's another restriction being put in place. So there's another thing I can't do. And I'll give you an example: taking away USB ports. Now, at a theoretical level, we understand why we do it. But for most people, they don't. And that's just cyber being annoying again. Whereas with us, the security access pass, which is our way of stopping people coming in and out and taking things, that's sort of an ingrained way of working. People know that we're doing this because we don't want people coming into our building that we don't know, who shouldn't be there. And so that's what I think is the benefit of running a physical programme. And then conversely, one of the challenges running a solid programme is you just can't see, touch, feel what they're doing day to day, and you don't really get a good sense of how it's impacting your work life.
CP: It's interesting you say that, because I think that, and this is probably a podcast for another day, that's where sometimes boards and executives fall short as well in their understanding of cyber, because it's not so tangible. And, you know, the road between a cyber incident and somebody's safety is much longer than, as you say, you know, somebody ghosting someone in through a door, and then you've got sort of a person who's in your organisation that shouldn't be there. And it's the same on a building site, you know, a foreman would never let a construction worker come on without a hard hat, because we just know that it's a tangible physical risk. And yet with cyber, it's virtual, it's so much more difficult to quantify and to sort of wrap your head around.
Look, I want to finish up by asking your advice, because obviously you're on this journey, and for anyone who's in physical security that's considering a path towards more formal cyber security skills - what would you say are the pitfalls to avoid? You know, what have you found are good resources to help you? Where can people go?
NM: So we were fortunate that we, in the organisation I work for, have access to LinkedIn Learning. And I think that's a great place to start. There's so much good content in there. There are courses that maybe run for about 60 minutes on cyber basics. You start there, get your head around it, then you can start moving through those CompTIA courses like I was talking about, Security+, and start working your way up. And you can do it all online, then you can order the books from CompTIA, sit the exams. And then the other thing I've noticed as well is, if you really want to, whether you're doing it through software vendors in the cyber space, or whether you're doing it through groups of people in cyber that are coming together in forums, whether it's physical or virtual, just jump into those, and they're really inviting and welcoming. One of the managers that works for me spends a lot of time with the cyber team, matching up some of our open source intelligence. So we're seeing this from a group - what are you seeing? And building those relationships in that way. So I think it's not one thing, Claire, I think it's like a lot of those things, it's a multitude: there's the formal education, slowly building that, getting the understanding and the confidence from the technical aspects of the content. So then you can go and converse with people in cyber, building that common link and language, and then starting to expand outside your organisation through peer groups and through forums and networks. And then I think just a whole aggregation of that will help you make that jump across if you need to. I'm not talking about someone like me who's been in physical for a long, long time, and the jump for me to get those two together has to be driven by someone more senior than me to make that happen; I'm not going to be able to force that to happen. So that's my advice.
CP: The key things that I took from that were, you know, you have to take on some of the responsibility for your own learning, but you also then have to try to leverage that learning to have these conversations with others and build on that through peer groups and through, you know, as you say, others in your organisation. But then, you know, having that person who would take the leap of faith and put trust in you, that you can bring those two together. You know, it's all about having a great boss, and we've had this on the podcast before. You know, have a great boss, build relationships, and be invested in your own professional development. I mean, the principles remain the same, I think, for, you know, moving laterally or up in your career in security.
Thanks so much, Nic. I'm really glad that we got to catch up today. I think the listeners will get a lot out of it. And I look forward to hearing about you becoming a CISO at some point in the future.
NM: Thanks Claire, thanks for having me.