Episode #62 Security Career Advice with Darren Kane
“People understand the risk that cyber presents. It's the knowledge of what they can do about it, and the simple things they can do to improve their hygiene that I think is lacking”.
- Darren Kane
Darren Kane has been the Chief Security Officer at NBN since 2015. In 2020, Darren was appointed to the Federal Government’s Cyber Security Industry Advisory Committee to help guide the implementation of the nation’s Cyber Security Strategy and provide ongoing advice to address emerging cyber security challenges.
Prior to NBN, Darren served in Federal Government Law Enforcement Agencies for over 19 years in the Australian Federal Police and financial markets regulator the Australian Securities & Investment Commission, and 11 years at Telstra Corporation in varied security management roles culminating in 5 years as the Director, Corporate Security & Investigations.
Darren was appointed as an Adjunct Professor in the School of Information Technology, Faculty of Science, at Deakin University in 2020. Darren has a Master’s in Business Administration, a Diploma of Financial Markets and is a Graduate Australian Institute of Company Directors and in 2020 Darren was awarded Male Champion of Change at the AWSNA (Australian Women’s Security Network Awards).
As Darren is so knowledgeable and well renowned in the security industry, it seems fitting he joins me on this episode of the podcast as he shares his advice on security careers.
Links:
Transcript
CP: Hello, and welcome to The Security Collective podcast. I'm your host Claire Pales, and today's guest is Darren Kane. Darren has been the Chief Security Officer at NBN since 2015. Darren was also appointed to the Federal Government Cybersecurity Industry Advisory Committee to help the implementation of the nation's cybersecurity strategy. Prior to NBN, Darren served in federal government agencies for nearly 20 years in both the AFP and ASIC and spent 11 years at Telstra. Darren has a plethora of academic achievements, which you can read about in our show notes. But for now, Darren, welcome to the podcast.
DK: Thanks, Claire. And thanks for asking me to come along.
CP: So your bio gave my listeners a short history of Darren Kane, we know you spent a number of years in policing. But what was the driver for you joining the corporate world, and how have you gone about finding your way as being a CISO? Have you planned your career to date?
DK: How did I join the corporate world well, four kids one wage, Sergeant salary, it was a natural progression, brought on by necessity, obviously. No, look to be honest, I'm always up for a challenge, in some ways, a bit of an adrenaline junkie. And I've always wanted to actually test myself and be competitive. So I felt that I'd actually achieved some sort of success in my policing career. And even with my six odd years of ASIC, it gave me an understanding of the corporate world. And it was a gradual transition across to corporate. So it was really the challenge that pushed me towards the corporate. And did I plan my career? Look, I have always wanted to be in control of my career. And if that meant being a leader and manager of an accountability, or capability, yes, I probably did figure out how to get to the top. But ultimately, I have learnt along the way Claire that I like operational roles. I like roles where I get to lead and manage people doing interesting things, and supporting large corporates or government departments. And I've actually tried individual contributor roles for a number of times in my career, and it just wasn't me. People management, managing and leading is something that I think I'm better at. So I generally lean towards that, and I plan my career around that. And ultimately, one of the things that I have really tried to do is be a little bit innovative in those roles. Look at what the trends are, and look at where I'm thinking the trends will take our industry, for example. And for example, the security risk industry at the moment, a converged security model where a CISO becomes a CSO is an example of that. The importance of people in the security risk industry, the fact that automation AI, machine based learning will not solve the problem, people will solve the problem. And I think now, the next trend will definitely be resilience. You will not protect your organisation, what you must concentrate on is how quickly you can respond, and how efficiently and effectively you can recover. So I think from that perspective, Claire, I did join corporate for the challenge and the opportunity to grow. And I've done a bit of planning around it, but largely making sure that it was always to do with managing and leading people.
CP: Just picking up on your background and what you're talking then about innovating and looking for where things are going. Did you feel that there was a big jump from your physical security experience in your previous roles, into a role that really is leading cyber and technical security people and having that in your remit?
DK: Oh enormous, it's an enormous jump. And that's the beauty of the challenge of it all and your ability to test yourself. I found that my EQLQ level was probably a little above the folks that I was being asked to lead in the role I was expected to manage. But my IQ levels and their technical knowledge and their actual depth of investment in their mission was far more than anything I'd seen ever before. So yes, to answer your question, and that is where a really trusted relationship between yourself and those you've actually asked to support you comes in. I had to learn through osmosis over five or six years. I picked up on a little bit of what they were doing. But I was very, I think transparent and authentic in making sure that if I didn't know, I said I didn't know, and I asked. And through asking they were very keen to share their knowledge. So, yeah, it was, it was a very, very steep uphill climb to pick this up as quickly and you had to do it on the run. So you couldn't actually, you know, fake it till you make it, you've just got to make it from day one.
CP: Speaking about being a boss of people who have different set of skills to you, for the listeners that don't know many moons ago, we work together, and you were my boss, and a great mentor and leader. I've talked on the podcast before about the importance of a great boss. And you've alluded to the types of people that you hire. But what role do you think being a great boss plays as a mentor or coach in the careers of the people that report to you?
DK: I firmly believe that success in our industry, and I call it the security risk industry, is critical. And my mantra is, these three words, I've pinched from real estate, but it's people, people people. Very, very important in an infant industry like ours, it's only 15-20 years old tops, if you consider the cyber. It hasn't got a cradle to grave cohort at the moment. There's there's some like myself that have been in the industry for 14, 15, 16 years now, or some have been around information security for a bit longer. But that combined security risk accountability in any government department, large corporate, be it multinational, national or even smaller medium, means that anybody that owns that risk is only 10 years old. So therefore, there is no career path. There's no sort of understanding of what the next steps are, and so forth. And so what it is, is, we're pioneers, if you like, for those behind us. I can see at a time when you were doing masters of security risk, which will involve largely what it is we're learning on the job today. You'll come out of a security with science undergraduate degree, and then go on do a masters and you'll join an organisation and you will actually be someone who works in security risk for most of your life. And that could involve information security, personal physical security, it could involve privacy, it will certainly involve continuity, and probably fraud, bribery, corruption, investigations, forensics, it is a whole collective of capability that will sustain most people in a career for decades.
CP: Do you think given the pace of change, study is one thing but do you think it's your bosses and your leaders that are helping you to understand how to evolve that career? Or how are people keeping up, or what would you recommend?
DK: Look really good question and it was something I wanted to get to on the podcast. It's really important for a boss or leader, someone like myself who's a leader and a manager, to actually help people understand where their career is going and what the career might offer them. And ultimately, where possible to provide development and access to further skills whether that be qualifications or on the job. But ultimately to engender in people some self motivation to seek out and succeed on their own. I recall you as a young person working with me way back in the Telstra days. I mean, you were, you were fired with ambition, you were someone that had a journey to run, and you knew where that journey was taking you. And you're a beacon on the hill, I think, to all of that I'm trying to achieve with this new group of people. I can help you, but if you haven't got that, that fire, that motivation to do it for yourself, I can only be someone who offers you a job.
CP: Speaking of ambition Darren, do you think it's ambition that has helped you to have a number of high profile opportunities in the cybersecurity industry, such as the Industry Advisory Committee?
DK: I'm incredibly grateful to be asked to sit on the Industry Advisory Committee, the 2020 Cyber Security Strategy. The people that sit alongside me on those committees, the Chair and the Deputy Chair are incredibly successful, smart and driven folk that understand the importance of the strategy, and the advice that they can provide from an industry perspective. Was it ambition that allowed me to be appointed or be asked to be appointed? Look, I think I've got something to offer. I think I'd come from an industry, our industry, where I've got a probably a broader range of understanding across a converged security model, from cyber to physical to personnel, to privacy, to investigations, to forensics. So I think having that behind me was something that I'd always planned to do. Whether it had been an inner ambition or aspired to be sitting alongside some of them, the captains of industry here in Australia, I'm not sure. I think there's more luck to play out there than ambition. But I do think it's a really important role. And I think the strategy itself, the cybersecurity strategy, has a decade to run in deployment, and is going to be incredibly important to the success of our economy, and the country as a community going forward.
CP: And so how important are these committees in representing Australian industry in relation to the government's cybersecurity strategic plans.
DK: I don't think the government can't do it on its own. I think it's an incredibly important role. I think the advice that this industry committee provides government, from an industry perspective, particularly from very successful folk, from across a broad cross section of the industry. From academia, from mixed government roles, for a not for profit. And most importantly, people who are very successful, and because of that success are able to actually provide government input that is not challenged or contrived by their next paycheck, I think. So from my perspective, having a strong, capable industry advisory board, who are willing to tell government what industry needs from a cyber risk perspective, and helps perhaps to deploy it, is very important.
CP: So given that you have got some experience on these committees, how could others who are aspiring to advise on such topics, find their way onto these government committees?
DK: Obviously, a little like myself it's a huge dose of luck. But I think also, you know, I've got 15, 16, 17 years behind me, it goes all the way back to 2007, when I was on the consultative working group for cyber safety, in a government role. So I do think that being known in Canberra, and being known as someone that provides trusted advice is important. I think it's also important not to be too much of a media darling. You know, you don't want to be too prominent in our industry Claire, and you'd be aware of that on the basis that, you know, social sometimes posts a target on your back. So I'm very careful about that. You have to apply to a decree of decorum of what you say and where you say it. I'm also a big believer in deeds always speak louder than words. I think if you are prominent, and out there, assisting other parts of the industry, understand where the industry is going. And actually offering advice, and more importantly, support is really important. If you do a good job, people always ask you back, I think that's important. And too often we don't, we don't actually figure that in where we're at. And then ultimately, you've got to build out a trusted network, you've got to build out people that actually know that you can be relied upon. And you can be someone who will always present and support. And that to me is the best advice I could give anyone listening to the podcast, is that in our game security risk trusted networks, in an industry where we really aren't that competitive, so competitive advantage doesn't matter, is incredibly important.
CP: It's probably a good segue into another question that I want to ask you about your mention of senior leaders in organisations, and we're starting to see company directors and their duties in relation to cyber becoming part of cyber law reforms. How do you think a move to making directors accountable can support enterprises to truly embrace at least a baseline of cyber security controls?
DK: Coming from a my ASIC background and an understanding of the corporations law and, and the directors duties, which was the more common investigation that I conducted. I think it's really important. I don't know whether it should be a criminal liability. But certainly, security risk has grown to be such a senior focus in any department, enterprise, multinational, national, smaller medium, whatever happens if you're using technology, you should be actually understanding of the risk. And if you're employing folk, you should be understanding of the personnel risks that might be represented by the trusted insider. And then, of course, we've only just come out of a very, very dangerous period of time from 911 forward, we've had nearly 20 years of conflict. So the physical risks of active shooter and the responsibilities of an organisation to understand how to protect their staff should they have to, is something that should be top of mind if you think of health and safety and laws requiring companies to be aware of their liabilities in that space. I believe security risk will eventually, perhaps not as onerously as some, as health and safety, but will eventually be a very important step. I also think that it's, it's a great way to encourage boards and Exco’s to actually be better involved. And I get that they understand, they acknowledge and understand the security risk and how it's represented. I think they need to be better involved, they need to be conscious of the fact that tone from the top is incredibly important. Simple things like wearing a visible lanyard with your pass walking around the building. Actually not sharing passwords, understanding the importance of a passphrase versus a password. There's some really simple things that they should be better engaged in Claire. And I think that's our job in this industry, to help them understand what's important. Sometimes I do believe that me trying to do it from the bottom up and encouraging a better security culture, or what I call security hygiene, is incredibly difficult if you haven't got that tone from the top.
CP: Yeah, I mean, you mentioned before that, that you think that maybe directors know this stuff. What do you think the directors level of understanding is across organisations? Because in big corporates, obviously, there are big security teams. But in smaller organisations, do you think the boards have that level of knowledge to manage cyber risk, or is this an education that they're going to have to really start to focus on?
DK: The bigger corporates and the larger teams, I'm assuming that the directors and particularly C-suite are far, far more professional around organisational risk. So they will be very familiar with the problems that security risk now present them with. In smaller mediums, there needs to be more education, but they're worried about it, they get and understand they're exposed to the risk. I think the big issue is they don't truly understand how easy it is and how cheap it is to actually reduce it. They consistently get bad news from our industry, talking about the technical aspects and us using language they don't understand. And that is the problem. Things like passwords and protection of devices and updates and patching, they're all things that are really easy to explain and don't cost a lot. The problem is it's the way we try and actually deliver that education process, I think is a little bit of trial. But for my belief anyway, in my experience in dealing with boards, and certainly captains of industry across this country and around the world, people get it. People understand the risks that cyber presents. It's the knowledge of what they can do about it, and the simple things they can do to improve their hygiene that I think is lacking.
CP: I want to finish up by asking you for your advice for people in our industry who are aspiring to be in roles such as yours or even just aspiring to get into the industry. What's your advice for people about the security industry and some of the best ways to navigate a career?
DK: Look, I couldn't be more excited about what the industry represents as a future prospect and career for those that are looking for success. basically. .We've got decades and decades, eons to run in a career that encapsulates everything from privacy to digital forensics, across to your basic information security, and then the really tech code sort of protection. Depending on what it is that floats your boat, it might be just simple investigations, it could very well be large corporates, such as the NBN, which has got a very big active network to protect. It exists, it's a thing, it's real, people should consider security risk management as a stepping stone to a corporate role if you're in government, particularly law enforcement or military. People should consider security risk management if you've got a tech bent. You like to understand and support technology. And by that, I mean, if you actually have grown up with a PlayStation module handpiece in your hand or model in your hand, you probably understand how the tech works. But you probably don't understand how important that knowledge is to people that don't. And that's a gift. And if people feel like they want to give back a bit and all want to get into something that actually means something to them, I would recommend security with all of them. And how do you get into it? Start at the bottom. come in and do some security admin work, start giving out passes, start hanging out lanyards. Next thing you know, you've been in a place for six months, and someone will offer you the opportunity to, to go back to school and do a TAFE course. I'm big on the Boxhill TAFE and what they're presenting here in Melbourne, but there'll be all sorts of institutions offering similar courses now. Get a cert IV, get a certificate, show that you're interested in cyber and or security risk, and stay employed in the space and then take the next step and then the next step, and then the next step. And then within four or five years, you know, you might be presented with the opportunity to understand forensics or conduct investigations or be involved in privacy. I see huge growth in privacy and the management of data. So I mean, the one thing I'll sort of say to everybody in our industry is to stop writing JD's that I can't apply for. Stop expecting people to walk in off the street with a PhD. Understand that these kids that have got good tech skills have fallen out of trees in Collin street, and given the opportunity. The second thing is, is that if you're one of those kids, don't be frightened of starting at the bottom. Don't have stars in your eyes and expect to come in and be a Senior Analyst from day one. Don't listen to what the tertiary institution tells you what you should be doing within two years. Listen to your employer, and those that want you in a role. And you know, and learn, your ears aren't painted on. Listen, ask questions and learn. And, you know, over three or four years you will develop firstly a capability. But secondly, and most importantly, a network, a trusted network of individuals who know and build out a like for you and respect for your skills, and that there then will build a career.
CP: I mean, everything you've said today is incredibly helpful. But I think building out your network is one of the key skills in any industry, but especially in security in order to stay in the industry and learn more is to really build your network and meet appropriate people, and share, give back as well as as a mentor and a mentee in the industry as well. So, on that note, Darren, thank you so much for your time today. It's been a long time coming, six seasons in and I finally got you on the podcast. So I really want to thank you for sharing today and for your time.
DK: Thanks Claire. Listen, I think the podcast does a super job and congratulations to you and Anna for The Secure Board as well. I'm really looking forward to a great read.
CP: Thanks Darren, that was not a paid plug! Cheers.