102. Cyber in local government with Paul Barrett
Claire is joined by Paul Barrett as they talk about cyber culture in local government, how the governance model for cyber is changing for the better, and Paul shares why he sees audits as a gift. It is great hearing Paul's view on cyber and getting a glimpse into being a CIO in local government.
Paul Barrett is an experienced IT professional with nearly 15 years' industry experience and 7 years' local government experience. His technical background is in network and security, with a transition into people leadership, governance and information management over the last 6 years. Paul has a passion for implementing tangible change within organisations and places business process improvement at the core of technology solutions. He enjoys building high performing teams, hiring character ahead of technical ability.
The Security Collective podcast is proudly brought to you in partnership with LastPass, the leading password manager.
Transcript
CP: Hello, I'm Claire Pales, and welcome to The Security Collective podcast. Today's guest is Paul Barrett. Paul is an experienced IT professional with nearly 15 years' experience and seven years' local government experience. His technical background is in network and security with a transition into people leadership, governance and information management over the last six years. Paul and I talk today about cyber culture in local government, how the governance model for cyber is changing for the better, and Paul shares why he sees audits as a gift. I really enjoyed hearing Paul's view on cyber and getting a glimpse into being a CIO in local government. So please enjoy my chat today with Paul Barrett.
Paul, it is great to have you on the podcast today.
PB: Thanks for having me.
CP: So I wanted to start by sharing with the audience a comment you made when we first met, which I absolutely loved. You told me that you see audits as a gift. Let's dive in here. Tell me why do you think audits are a gift?
PB: Thanks, Claire. I think the culture that I've experienced and observed in a few organisations around audits and pen test results has often been one of fear with the mention of the word audit. There's a bit of, you know, uh oh, we're going to get into trouble. And in some cases, they might be right, but hiding from the result doesn't progress the organisation or improve the risk level if the issues are not being called out. So I think we should be welcoming auditors as a learning opportunity and a bit of a point in time check-up as to where you're at. In your podcasts, even your books, Claire, you talk about influencing the board. Well, in some cases, an audit can be a really great tool to get you there pretty quickly. And it can be used as an opportunity to advocate for additional funding and resourcing. And I think that that can be one of the greatest outcomes if you manage to pull it off, and of course, you've got a board who's receptive to it as well. Now, with that being said, you have to be responsible with your advice and those findings as well and not create risks that aren't real, because the board are going to want to see you spend that money, as well as provide the ROI or benefits, which are often hard to show sometimes as we know.
CP: It's funny, because I did a solo episode, Episode 49, it was actually called 'Feedback is a gift', but it was more focused on feedback that helps you grow within yourself, professional development, that sort of thing. But I don't actually think there's that much difference in terms of, I mean, audits are really feeding back to you as an organisation, whether or not what you're doing is working and whether or not you're kind of meeting the expectations or the policies that the organisation needs to meet in order to flourish and, you know, keep risk within appetite. So when you started to say that to me, I was like, I'm sure we've done an episode like this before, but it was yeah, feedback is a gift, and I think audits in themselves are exactly that.
PB: Exactly, opportunity for improvement, areas of development. Maybe they need to change the name of audit to something else.
CP: That's right. So working in local government is I guess not for everybody. It's a place where you're serving the community, but I'm sure it comes with its challenges. I'm really keen to understand from a cyber perspective, how do you manage without an in house team within your organisation?
PB: Yeah, local government is a bit of a unique beast and security resourcing is an interesting one. I think we've seen so much change in cyber activity in the last few years with the risk and likelihood of some form of compromise increasing. Yet as we know, the hardest funding to gain is often the permanent and ongoing resource which is needed. Particularly when in local government, you're managing community services that are, you know, in some cases running 24/7. So we do utilise some form of outsourced providers who provide us with security and IT resource from an operational and a technical point of view. And we also utilise incident response services through a managed SOC as well. Perhaps I can reference Ellis Brover from a couple of episodes ago, who said that if you don't have services now, well, you need to be looking for them. And it's about finding the right one for you in the interim. So do you need the technical eyes on glass 24/7? Or are you lacking the strategic component of security? You need to pick the one that you need the most. So I'm just about to start work with a vCISO in the next few months, who I had to bring on board to help me in developing some framework and documentation as well as helping me set the overall strategic direction for security at council over the next few years. So it can be really challenging if you don't have dedicated resources, particularly if you are responding to findings from an audit or a penetration test and there are complex items that need to be remediated. Who do you need to go to? You need a list of trusted providers that can do the remediation for you and give you ongoing advice as well if needed. And these days everybody has a SOC to sell you. As an organisation you need to do your due diligence on those services too and make sure that it's the right fit for your organisation, or council in our case, and it's not John Smith working from a garage, you know, in the backyard.
CP: And I guess on that point, we've been talking a lot this season about third party risk. And you know, how do you really know who you're doing business with? And, you know, to your point, somebody's working out of their garage, which I'm sure Jeff Bezos would be pretty upset to hear given his success from his garage. But what are some of the risks you see with having outsourced providers doing some of that pretty critical work for your organisation?
PB: For any organisation, it's a big decision. And of course, there's many reasons why you might outsource. As I mentioned earlier, it might be the immediate need that you're trying to fill. But whatever the reason, you're asking someone else who isn't part of your organisation, who isn't from a local government background in this case, and may not understand your legislative requirements too, and you may well be outsourcing the keys to your kingdom. And if you're a company who's outsourced their entire security and technical operations, then what happens if that company goes under, or is breached, and who is auditing them? Some of that can be mitigated, sure, through contract negotiations, and regular performance audits etc. But again, you need to have a resource that's capable of conducting that review for you too. The other issue that I see is you can't develop the culture or the skill set of those people who don't work for you. You can't invest in mentoring programmes for those staff, or staff wellness events, etc. You're relying on the provider to be taking care of their staff in that manner and developing them, but also, does their development programme align with your organisation's needs, and of course, your organisation's values as well?
CP: I really love that point around the fact that you can't influence the culture or develop those people that, well, they're sort of imposed upon you, I suppose. Because you do business with a company, so you know, your organisation engages another organisation, but you don't always necessarily get to choose the types of people who end up on your account, I suppose. And being able to influence them, especially if you're working very closely with them on a subject such as cyber risk, it is a challenge, because they're sort of part of your team, but they're not. And I guess every organisation goes through this, the turnover of those staff as well. So even if you could influence them, or you could provide training or support for them, often it's a contingent workforce, or it's not always the same people available to you. And that, I guess, makes things quite difficult when you're talking about having to outsource something so critical.
PB: Yeah, it does. And look, it is easy to make your outsourced services feel a part of the team, particularly if they're on site, and they are interacting with staff and your team. But particularly in local government, you know, there's a bit of a dotted legislative line that you need to be aware of as well. Who is an officer of local government, and who isn't an officer of local government, which in this case, would be a contractor. So you know, that's something you need to be considerate of too.
CP: And I guess that legislative line can bring challenges too, around the change that's going on in cyber and has been going on in cyber for the last couple of years. And obviously work from home has brought its challenges, and having to outsource. We've had so much go on in the last couple of years from a threat perspective, both here and globally. How do you feel you're going with managing that change in cyber? And what advice might you have if you feel like you're succeeding?
PB: We have seen significant change in the last two years, as you said, for many organisations, local government no different. If I think back to six or seven years ago, I think we saw a lot of organisations who thought, well, we have firewalls with some loosely configured policies and some antivirus, maybe, hey, you know, we're protected, we're all good. It was a little bit set and forget. In terms of security resources, you might have had one system admin who knew their way around a brand of firewalls and an endpoint protection product, but a fairly shallow knowledge of security. There's no threat hunting, no managed SOC services, you know, not a lot happening. Fast forward to present day, as you said, the threat and cyber landscape has changed. And we've seen a number of councils fall victim now to phishing emails, ransomware, even insider threats. So the reality of what is actually needed to improve our security posture has grown. And hopefully now you've got your audit and risk committees asking you what you're going to be doing about it. Just this morning, another Melbourne council has fallen victim to a third party compromise. So now you have your community and customers wanting to know, what are you doing with my data? Where is it stored? What information do you have on me? Their expectations have changed too through the years, particularly the last two years. And your average customer and community member now is a lot more tech savvy and protective of their data as well. And they also read the news and look at what is happening in cyber headlines, and that often prompts them to ask questions. I had the pleasure of presenting to our Emergency Management Committee during an exercise recently, and that was on the types of threats that could trigger a BCP event for council from a cyber perspective. You know, at that exercise, we had VicPol, Ambulance Victoria, SES, Red Cross in attendance.
So I think that's a really good indication of the change that local government is making and how they're taking security and cyber a lot more seriously, and how we need to plan and consider these types of events and the impact that they will have on councils.
CP: And do you feel like that is only going to continue? You know, you mentioned that you can see the change or the focus, I suppose, around cyber. Do you have this sort of gut feel that it's more than lip service, and it's actually going to be the way forward in terms of BCP activities or scenarios, and will cyber form part of those ongoing?
PB: Yeah, absolutely, particularly around the governance space and the risk space. We're seeing some big ongoing changes there in regards to strategic risk and operational risks, which is something that gets reviewed regularly and updated regularly. We're being held to account a lot more by our audit and risk committees now, as well as your ICT or your technology governance committees who are also across the risk.
CP: And I think to your point earlier about boards and the education at that level too. They've had no choice but to become more tech savvy, and for some people, I guess, who were quite low tech a few years ago, they have now been forced to learn how to use Zoom and how to use their iPads and how to be part of that. And so with a little bit of knowledge probably comes a little bit of fear. And with what the government now is imposing both here and overseas, around directors' responsibilities for cyber, it's really good to see that those governance frameworks and measures around audit and risk committees, and those types of delegated authorities in businesses, are asking the questions and are inviting you to come and present and talk about these things.
PB: I think it's a really good sign of the times when you're in an organisation where at director or board level, you're being asked the question of where are we at with our cyber risk, not the other way around, with you having to explain and advocate as we talk about so often. So I think that's a really good indication of the shift in the maturity change as well at executive and board level.
CP: So given that, you know, you're in front of the board talking about cyber, but you're actually the CIO, and you have so many plates spinning when it comes to leading technology, how do you prioritise cyber amongst all of the other plates that you've got spinning and amongst all the other demands that are on a CIO, whether you're local government or big business? You know, the tech leader now is probably different to how tech leaders were of yesterday, I guess, what's your approach?
PB: So I think I'll start by saying that, strategically speaking, I'm not sure that many of us have this right yet. I certainly don't. But cyber needs to stop being a prioritised initiative or project, and become more of a continuous improvement programme. So initiatives and projects tend to be a one time deliverable. And maybe that's the case when you're looking at a firewall or product replacement. But long term, there needs to be a much bigger focus on the ongoing programme. So I think there's a few choices that you need to make, and it's how you're going to resource projects or the development of your long term programme. Are you going to bring in external expertise or support if you don't have any resource? And in lieu of that programme, you need to continue to manage some of that risk through embedding mandatory requirements or standards in tender procurement, documentation, etc., as well as your day to day procedures or your day to day governance controls as well.
CP: And all of that doesn't just come about through technology or processes, it actually comes about through people and getting them on board with change. And one of my favourite topics to talk about is culture. And back in season nine, we spent the whole season talking about influence and behaviour change and how challenging it is to measure and really embed a cyber culture. What are your thoughts around cyber culture, and how challenging it is to maybe shift culture within local government, specifically?
PB: Culture change of any type is something that can take a long time to embed in an organisation. Local government is a very unique beast in itself. We have a very diverse set of services that we offer our community, and the background of staff who we have delivering those services is very different too. They come from various sectors of government and private industry as well. Cyber culture can be difficult to embed, because it's a challenging subject for most people to grasp. It has a list of ever growing acronyms and technical jargon associated with it, and it can often be brushed off to the side because it's just too hard. So creating a cyber culture probably needs to start fairly simplistically. You know, we often message out to people in the business, if you're not sure, just call IT because we can make that assessment for you. I think the more communications we put out around that will help encourage people to report or question something when it doesn't seem quite right or suspicious. So to me, that's the beginning of the cyber culture, being aware. Where we need to get to is elevating cyber to be second nature. And as I said earlier, it's not a one time deliverable or a point in time phishing campaign, it's an ongoing practice and ongoing culture. Race car drivers don't get good by reading the owner's manual for a car, and athletes don't become elite athletes by just eating well or training. It's the ongoing practice and rigour around what you do.
CP: It's so true, and you know, looping back to your point right at the very start about audits. I get very frustrated when auditors will say, do you have a cybersecurity awareness training module, tick. And you know, to your point, training someone when they onboard, or a little bit better, training someone every year, is still not sufficient for people to really understand in their day to day work how they play a role in cybersecurity and protecting the organisation. And so you know that one time training module might be sufficient for the auditors. But actually, it's just got to be, as you said, second nature. So people are thinking with that healthy paranoia, rather than just hoping that a firewall or a mail filter might protect them.
PB: Yeah, I think that's a really good point. Are you implementing this programme just for the sake of compliance, or are you actually implementing the programme to make some real change within the organisation and within the culture itself? I think that's a really good point. And I've heard you talk before about, you know, the DR and the BCP plans that sit on the shelf and gather dust rather than actually being practised. I think that applies to this as well, that you need to have something you can practise, ongoing.
CP: Yeah, definitely. And the training side of things, some organisations forget too that cyber moves quickly. And also people move on from the organisation. And I've seen cyber training modules with old CEOs in them and, you know, maybe not the most up to date advice. And while the principles might remain the same, keeping that programme around awareness current and relevant for your organisation is key. You can't buy it off the shelf. And you certainly can't buy it once and teach it once. And yeah, I hope that auditors out there listening will please look at effectiveness, not just the fact that, you know, the programme or the module might be there.
PB: Yeah, absolutely.
CP: Paul, it's been brilliant to speak with you today and just get a little glimpse into local government and some of the challenges that you are facing. But also I love the idea that you're seeing the progress within local government and you're trying to make things better, not just for your own municipality, but also for those that are around you. So thanks so much for joining us in The Security Collective today.
PB: Thanks, Claire. I've enjoyed the chat.