112. Security as a differentiator with Jamie Newman


Jamie Newman has a refreshing take on security and joins Claire to chat about understanding the security posture in diverse organisations. They discuss third party contracts, how much money you should be spending on compliance and what meaningful metrics might look like.

Jamie is an experienced IT leader with more than 20 years' experience in applications and infrastructure transformation in varying national and regional roles. His career started in HR, but he quickly moved onto a technology path in the late 90s and has worked predominantly in manufacturing, retail and B2B environments, working in Singapore, Japan and the Middle East. Jamie moved into senior management in 2008 and has been in C-level roles for the last 10 years.

Links:

Jamie LinkedIn

Jamie Twitter

Episode 68

The Security Collective podcast is proudly brought to you in partnership with LastPass, the leading password manager.


Transcript

CP: Hello, I'm Claire Pales and welcome to The Security Collective podcast. Today's guest is Jamie Newman. Jamie is an experienced IT leader with more than 20 years' experience in applications and infrastructure transformation in varying national and regional roles. His career started in HR of all things, but then quickly moved into a technology path in the late 90s. Jamie has worked predominantly in manufacturing, retail and B2B environments, and has been lucky enough to work in Singapore, Japan and the Middle East. Jamie and I chatted about understanding the security posture in diverse organisations. We talked about third party contracts, how much money you should be spending on compliance and what meaningful metrics might look like. Jamie has a refreshing take on security. And I really hope you enjoy our conversation today. So please welcome Jamie Newman.

CP: So Jamie, thanks so much for joining me on The Security Collective podcast today.

JN: Great to catch up, Claire, looking forward to a good chat.

CP: So we've talked on the podcast before about cyber being an enabler to business success. And if you're interested, for listeners, you can go and check out episode 68. But what's your opinion on this? How do you think organisations can turn the conversation on cyber from being about a risk play to being something that will help a business win against its competitors?

JN: Yeah, look, I'm not sure how much your listeners will know about Wilson. But we've got a pretty diverse business and part of our business is we've got a fairly heavy integrated security offering. So we provide a whole wide range of security and guarding services out to a pretty decent chunk of the ASX 200, all the large government institutions etc. So we're obviously going to market trying to win business in a competitive environment. And part of where we're seeing a lot of institutions moving to is okay, so talk to me about your cybersecurity posture. Talk to me about how you regulate your suppliers. Talk to us about what breaches you've had, how you've responded to them, talk to us about your ransomware response, etc. And they're all conversations that we have internally as a CIO, CISO, whatever with our board and with our executive leadership team. And it's always about risk. But now we're getting to a point where the investments that we've made actually, with platforms like UpGuard, that can score you against your competitors and give you a benchmark, you can really turn it into a differentiator when you're at the table, trying to win a customer or trying to retain a customer, because you can highlight the things that you do that are over and above what anybody in a competitive bid environment may have. So for us, it is very much turning around to an integrated risk offering approach when we go, so we will absolutely look after your people, we'll look after your premises, your facilities, we'll look after all of that. But we'll also look after your data and your brand. Because our cyber posture means that as a supplier, we're not going to be a risk to you. That's how we're turning that into a differentiator.

CP: So if we're thinking about suppliers, talk me through how security needs to be considered in your mind when both parties are third parties?

JN: It's really complex, right? I'm not sure how much your readers have heard, but I don't know the exact entity over in Vegas. But the wonderful story that popped out a couple of months ago about the aquarium that had the unsecured thermostat connected to the Wi-Fi that then led people into, you know, a whole world of pain. There's a lot of moving parts in this, you've obviously got the supplier and customer relationship. And for us, we can view that two ways. I've got a whole stack of consumer customers that are relying on us to keep their information secure. But we've also got some customers that we supply things to that are expecting we keep their information secure. And so it really comes down to robust conversations, making sure that the contract very clearly outlines what you are going to do. But more importantly, what you're not going to do, because you need to try and remove as many grey areas and assumptions as you can. But when you're in a collaborative conversation about it's in both of our interests to make sure that we don't end up on the front page of the paper. And here's what we are doing from our side. And here's our expectations of you as a customer or as a supplier. And this is how we're going to measure those, importantly, so that we can make sure that we remain compliant. It just starts to recraft the conversation into a partnership thing, not a threat vector driven, oh my god the sky is falling type moment.

CP: If you think about the fact that in some organisations' third party relationships, even internal relationships with customers, it's about data changing hands. Then when you factor in money changing hands as well, there's a whole new level of trust that's required between parties and customers and your organisation. But often, sometimes the security around that gets lost because we're so focused on meeting things like payment card industry standards or regulations. How do you have that conversation with your senior leaders or within your organisation about that culture of yes, we might be meeting a payment card industry standard for the financial data. But actually, there's a whole bunch of other data that's important as well, for us to secure, which might take more than just the 200 and something standards that PCI requires?

JN: Yeah, really good question. And it's one that I'm continually engaged with the Board on. We, obviously like a lot of businesses, take a risk based approach, and with things like PCI it's that balance of doing enough, but not going over and above, so that the overhead that you invest in terms of money, time, effort in PCI is counterintuitive to the money that you're bringing in being protected by it. So when it comes down to having a cyber conversation, I think you need to separate the two out. PCI is a risk piece that has a cyber component to it. But there's also a whole stack of manual information, recording protocols, and all those sorts of things that need to be encompassed in your PCI compliance as well. You can't write down someone's credit card and store it in a drawer, for example. But I think use PCI as the entry point, and you sort of say, look, there's this minimum that we need to be compliant from a PCI perspective. Or if we're going to engage with a customer, and they may say that you need to comply with the APRA control levels, or all these other non cyber related controls, internal/external audit, Sarbanes-Oxley, all this sort of stuff is all there and everything that some people need to do. But then you start to get into the cyber ones, and you need to differentiate the two. One is a component of another, but you can't just say, we're going to look after our customers' payment card information. But don't worry about their name and address or their date of birth, or, you know, their licence plate number, or site information, you know, who the site contact is, what their mobile phone number is, what the PIN code is to deactivate an alarm, they're two totally separate things. We're not going to get pulled up from a PCI perspective, because we know how to deactivate the alarm at a bank. But you can be very sure that we'll probably lose a customer, and a significant customer, if that sort of information came out.
So it's really about, you need to talk to them collectively. But you need to talk about them in isolation, as well, because the two components are very much hand in hand.

CP: I think you make an incredibly important point, that there is so much that doesn't get captured by a PCI assessment or a QSA coming into your organisation to talk about, you know, what you've got in place, and what policies you've got in place and the procedures and the technology. There's so much that sits outside of that, that potentially could get missed by an organisation who's just, you know, narrowly blinkered, focused on meeting compliance in order to potentially meet a third party's contract requirements as well.

JN: 100%, you've just got to make sure that you, as I said, you separate them, but you include them, you've got to just ebb and flow out of that conversation.

CP: So how have you resourced your team to meet the expectations of the organisation, but also to meet your desire to secure the business? And how did your background and skills influence who you've hired within your cyber team?

JN: Yeah, so my background is applications. So I'm not an infrastructure person. I know, as the good old saying goes, I know enough to be dangerous, but I'm not in the detail. I can throw out a few common consultancy terms about surrounding yourself with the best people and people that complement your weaknesses, and all that sort of stuff. But I assume that the people that are listening to this podcast are already well aware of those. To me, you want a curious mind, you want someone who's going to be inquisitive, someone who's going to be able to sniff out something when it doesn't quite add up. Because when it comes to risk, and when it comes to cyber, everybody's worried that they're going to lose their job because they've done something wrong. It's a bit like when you come to have a meeting with HR sometimes, and our HR people get a very bad rap for this, and our HR team here at Wilson are amazing. But you know, when you get "I want to have a performance management conversation with you", everybody goes, hang on, my job's at risk, but it can actually be a positive one. And that's the way that we try and recruit here, is people with an inquisitive mind, but people that can also engage the business in the right way of I'm not coming in to slam your fingers in the drawer so you can never touch that keyboard again. I just want to educate you and help you understand that the way that you behave as an employee of us is pivotal to our cyber compliance, because nine times out of 10, and probably ninety nine times out of 100, it's a person that generates the weakness. And so that education piece. So getting back to how we hire, we hire someone with an inquisitive mind, someone who can dumb it down. So don't talk to me in technical terms about what that risk means. Talk to me from a business perspective, if this was to happen, what's the impact. They're the two really important things for us.
So absolutely know your tech but be able to put it into business terms, and be inquisitive enough to just go away and go, it doesn't make sense, let me have a bit of a look. That's how we skill up. Now, from my background, as I said, I'm not an infrastructure person, but I know enough about applications. And I know enough about developers, that they'll spend a lot of time making sure their code works, but they might not spend a lot of time making sure it's secure. So I tend to throw that lens over it as well. Just making sure, as I said, the people ask the right questions, and they come across in a non threatening way, more collaborative. I just want to make sure that there's no surprises down the track, is what's really important in my team.

CP: So thinking about the fact that you do come from an applications background, how do you bring together all the metrics from across the business and get your team to explain to you how those metrics equate to a reduction in business risk or an increase in business risk? How have you seen cyber metrics used in this way to reflect exactly what you just said, that you've got these people who are doing great things, but you can't get them to talk to you technically. You need them to say, these are the things I'm doing, and this is how we're reducing business risk because of it.

JN: Comes down to value, right, it always comes down to value prop. And with some people it's going to be very numbers driven. So here's the avoidance that we had this year with the controls that we've introduced, here's how we've mitigated this person getting the phone call saying I'm from Wilson Group IT and I need to fix your computer, give me your credit card details XYZ, because we have those, of course. All the way through to contract retention, our positioning in the market against our competitors. That is a very regular conversation I have with some of our executives, how are we performing against the competitors with that scoring that we spoke about earlier? Why have we gone down? Or why have we gone up? Why have they gone down? What are you seeing, what do you know? Because I'm about to go into bid for this contract. And I know I'm up against these people, what can I use for competitive advantage? They're the types of metrics we talk about. We always talk about near misses, we always talk about what we're seeing from things like our SIEM, what sort of activity, you know. When the Ukraine stuff kicked off, it was huge, you know, are we seeing any DDoS type activity, you know, people just liking to bring down payment gateways and all that sort of stuff. But coming back to value every time, Claire, it comes back to either, if we have a DDoS attack, and our payment gateway goes down, that's going to be this much in lost revenue per hour. And this is why we're investing in a product to prevent that. So that's a very parking driven one. From a security business perspective, this is how we're giving you a competitive edge. And this is how we're making sure that you remain compliant from a contract point of view. Because of course, all the contracts have breaches and threat response measures and all that sort of stuff.
You know, if you are to be breached, you need to tell us immediately, we reserve full and total right to go through every system in the universe until we find out what you did wrong. So from a parking perspective, it's about how we keep the revenue coming in, and how we're keeping the customers safe, all that sort of stuff. From a security perspective, it's about how we're winning business and how we are making sure that we remain compliant with our contract. They're the metrics that matter. Everything else is purely internal for me, threat vectors, vulnerabilities being patched, that's all internal. That never goes out to the business, because A, they don't really understand why we had this zero day event, we had to patch it XYZ, they're not going to understand that. What they're going to understand is, we patched it because if we had an impact, it was going to mean this to your revenue base.

CP: Which I think is so key, because as a CIO, you need to know how your team are performing. So patching is something that might be important. Or it could be incident response times on much smaller incidents that you don't need to let the board know about until, you know, your regular reporting cycle. But those are still really important metrics for you to understand how your team is operating. It doesn't mean they're going to mean anything to the board. And I think this is where some people get confused about metrics, is that they think the board needs to know how many times the firewall has defended us against something. It's got to be meaningful. And I think what you've just articulated is so important, that you guys have been able to work out: this is what's meaningful to that audience, and this is what's meaningful to me as a different audience of cyber metrics.

JN: Yeah, and lead and lag indicators and all those things are really important, you know, trend analysis, all that stuff. But that's important for me, in terms of how we are performing as a team, is there a blind spot that we haven't considered? What's happening out in the market? You know, all the great Twitter feeds and the stuff you get from the Australian Signals Directorate, and that is all of huge importance. And I'm not dismissing that in any way, shape or form. The Board and the Executive Leadership Team are going to care about, have we had an issue and how did we respond? That's really what it comes down to. What is the impact to our business because of that, that's all that matters. It doesn't matter whether, I'm going to use a non cyber one, uptime. Everybody wants to report on uptime. Nobody cares about uptime. People care about the impact when the system was down, not how long it was down for. It's just got to be relevant. My advice would be keep the technical stuff within your team, use that as your pulse check, your trend indicators. They're all really super important. I'm not saying they're not. Unless the board specifically asks for them or unless the ELT specifically asks for them, your KPIs to that level should be all about the business revenue, risk mitigation, contract retain, loss, win, that sort of stuff.

CP: For other CIOs listening, what would be your kind of one key piece of advice if they're new to leading a cyber team? How can they effectively lead a cyber function, kind of what would be the number one thing you'd want to pass on?

JN: I think making sure that you're well informed, the learning curve is huge, and it's constantly evolving. And it's almost impossible to keep up. But just try and get involved. The Australian Signals Directorate and the Australian Cybersecurity Commission obviously have a whole stack of content, but they also have trending information. So if you are trying to come up to speed, because there's so much to learn, unless you can focus on what the current topical events are, and then start to ask the team, alright, how are we protecting ourselves against this? How are we protecting ourselves? What about the state based actors from Russia? What are we doing about them? What are we seeing on our landscape? Can we see it? If we can't, why not? And what are we going to do? So to me, getting a couple of really good information sources that you can digest in small chunks while you're having your coffee or you're listening on the way in the morning in the car, or whatever, I think is one. I think two, making sure your team understand that when they're in your office, it's a safe room is really important. Let's be transparent, let's be honest, let's understand where we're dropping the ball, at least we understand where the risks are. So then we can put the right mitigation measures in place. And the third one is carry that transparency through to the ELT and the Board. They're always awkward conversations. And my CFO always goes pale when I say to him, I want to look at cyber, because he's like, I don't want to know, I don't want to know. But that education piece is super important at their level. Because then you can help educate their staff, because it's all about education. It's always about, you know, don't click that link, don't enter your information here, all that sort of stuff. If it just keeps coming from IT, it just ends up being white noise. But if it comes down from the SLTs down that this is why it's really important.
And because Paul did this the other day, that meant that we didn't have this issue with our customer, which meant that we are more likely to retain the contract moving forward, is a game changer. So they're the three. Be well informed, but try and make it digestible, because there's a lot to know. Make sure your team know it's a safe room, and that they can be transparent and honest. And make sure that that transparency and honesty also filters through to the executive team and the board so they truly understand where the position is. Nobody likes a surprise.

CP: I think cyber and the CFO is a whole other podcast. We were just talking before I hit record about budgets. And yeah, I think the conversation with the CFO around cyber is a really challenging one, because obviously they have the purse strings for the whole organisation. And it's a really interesting conversation to have. And yeah, I love your tips, because transparency is key. And I often talk to boards about having a safe environment as well, where directors are allowed, they allow each other to ask what some would tend to think are dumb questions. But actually, there's probably others around the table that want to ask the same thing. And it's the same within cyber teams. Be transparent, be open, talk about what's keeping you awake at night, even if that's a scary conversation to be had. And yeah, I think your tips are absolutely spot on.

JN: Even if there is a pile in the corner that we need to clean up, right, it's okay. Let's just acknowledge the pause there and we need to do something about it. I think the CFO, for anybody who's going through budget period at the moment like I am, I sympathise with you all. But even cyber insurance, you know, we're seeing cyber insurance premiums go up, and the level of cover that they're giving you is going down and down and down. Because the risk factor is just so high that it's hard. And then them imposing these very onerous expectations over a business to say, alright, well if you want us to insure you, we're only going to give you $5 million, and for you to get that $5 million here is a whole litany of things that you need to do and a number of hoops that you need to drive through. The CFO needs to understand that. The CFO needs to understand where we're positioned so that when he does have the conversation with the insurers, he can actually go to market with that information to say, hang on, we've got this in place. Here's our track record in the past, here's how we've reported breaches, here's how we haven't. That's tough really, to have those conversations. And that's where you get the buy in from the finance executives, because they never want to spend the cash, right, especially at risk. There's no reward in it.

CP: And it looks like cyber insurance is a Pandora's box. And I'm daily talking to people about it. And there's grave concerns from organisations about whether or not to insure. Do they self insure, how much information do they share with an insurer? And then at the end of the day, if they were to have an incident, would they be covered?

JN: I saw a stat the other day, Claire, that the cyber insurance market is expected to be $34 billion next year. Like, that's incredible. So yeah, we're having that insurance conversation at the moment.

CP: Most people are.

JN: Do we self insure? Do we run the risk? If it happens, then we'll respond to it, or do we continue to, you know, try and find 10-15 insurance companies that will give us $5 million each so we can get an underwritten value to somewhere where we need to be. It's a real challenge.

CP: Jamie, thanks so much for joining me today. I've really enjoyed the chat, great nuggets of wisdom and I'm really pleased that you've been part of The Security Collective today.

JN: Happy Friday, Claire, thanks for your time.
