Episode #65 Why cyber? with Ian Pham
Ian Pham is the Information Security Senior Manager at Certane, where he leads the information security strategy and capabilities to manage cyber risk for the Group and its subsidiary companies.
Ian has over 10 years of IT experience across finance, health, and higher education sectors. Starting his career in operational IT and consulting roles before specialising in cyber security, Ian has fast tracked his cyber career in the past 6 years by working across all security domains. This has given Ian a broad view of cyber and a mindset of constantly questioning the status quo as to 'why' security is needed in our current threat climate, instead of simply just performing security for compliance sake
Ian shares his career journey; the benefit of using analogies; and we discuss the importance of asking the ‘Why’ of our security people, as well as people outside of the security team.
Links:
Transcript
CP: Hello, and welcome to The Security Collective podcast. I'm your host Claire Pales and today's guest is Ian Pham. Ian is the Information Security, Senior Manager at Certane where he leads the information security strategy and capabilities to manage cyber risk for the group and its subsidiary companies. Ian has over 10 years of it experience across health, finance and higher education sectors, starting his career in operational IT, and consulting roles before specialising in cyber security. Ian has fast tracked his cyber career in the past six years by working across all security domains. This has given Ian a broad view of cyber and a mindset of constantly questioning the status quo as to why security is needed in our current threat climate, instead of just performing security for compliance sake. We're going to chat about a little bit about that today. And Ian has a Bachelor of IT security from Deakin University, multiple IT and cyber related certifications, and I'm thrilled to welcome Ian to our podcast today.
IP: Thank you, Claire, thanks for having me on the show.
CP: It's a pleasure. And on the podcast, you will know that the place I love to start is how did you get to here? What led you into security leadership? Did you always think this is where you would land? Tell us a little bit about where you are now?
IP: Yeah, I've always loved IT and technology ever since I was a kid, I was fascinated by the science of it all. But originally, I think getting into IT was one thing, getting into operational IT was an eye opener for me because it allowed me to understand customer service. And I think no matter what industry you're in, you're dealing with people and you're dealing with customers. And for me that that kind of translated into to being able to understand people. And then one of my wishes when I was young was I wanted to be an FBI agent. And it's one of those questions I was asked in primary school. And everyone laughed, but at the same time it was about it was the principal, you know, protecting or supporting someone and helping them. And as a geek, I didn't think I would have the physical acumen to become an FBI agent. So I think cyber security is something that I was heavily interested in. And then after some time in operational IT I thought I'd specialise in it. And the great thing is when I did my course at Deakin, it was a very specialised course that was based on CISSP. And the great thing about that was I was grounded, I had the foundation to set myself on this cybersecurity journey and career. And I think that's a key note for a lot of the other leaders out there that want to take a gamble on graduates. Similar to me, I've only had a six year career in cybersecurity. But the current courses that we see right now are very highly specialised compared to, you know, you did network security or computer science with an element of security. So, I think that's a benefit. And it's a chance that you have to take for some of the leaders out there. And from moving on from my degree, so I went through that started in the deep end in the health sector. It was kind of it was challenging, and then we faced a lot of hardships during that and I was in well over my head, but it built a lot of resilience for myself as well. I was able to adapt and learn quickly through that. And I look back my career in security didn't just start you know, when I finished my degree, it started from when I started working. It started when I was dealing with different stakeholders and people. It started when I, you know, picked up a computer for the first time, all those different experiences and challenges helped me along the way. So when people talk about in their CV, I've only had two years of security experience, no, your career spans more than that. And I think security is more of a mindset than just, you know, a specialised industry. So moving on from those early challenges of trying to get into the industry in cybersecurity, one of the big breakthroughs was working for one of the major banks, and then that opened my eyes to understanding how a well-oiled machine runs. And it's not perfect, but the required resourcing to protect, you know, something like a financial institution, so that was an eye opener. But it also had the negatives as well, in terms of being pigeon holed to do the one task and not understanding of why we're actually doing it in the first place. You're just actually performing that task for the sake of it sometimes. And then from then on, I've moved to UniSuper, which is really good. Because in a small organisation, you're able to do more things, you're able to learn quicker, and because they don't have the resourcing to fill every single security role possible, so you're flexible, and it helps you adapt and change much faster than what you would working in a large organisation. And that's pretty much my career thus far. And then in terms of the leadership question, I think it comes back to my personality. I've always liked to support people, I like to help people. And for me, I never thought of being a leader or being the figurehead or a face, it's just about wanting the best out of everyone and really driving together, to make sure whether it's an individual or a group, but helping them, improving their lives and being able to really affect how you do your job.
CP: There is so much about what you just said that I loved. But one of them was that you wanted to be an FBI agent. Because when I was little, I wanted to be a cop, so I know all about aspiring to work in law enforcement. The other thing I really liked was that it's not about being a leader for you. It's about what you get to achieve through being in a leadership role. And I think that's a really good lesson for some people to learn is that it's not just about the title or the position, it's about the effect that you have on other people's lives. Tell me a little bit about your current role. Because when we've chatted in the past, you've talked about the different way, I suppose you're approaching being a security leader, one of those was around security being a product rather than just being a support capability. So tell me a little bit about how you balance those two things in your current role?
IP: Yeah, I think it's it depends on the structure of your business and your business model. But my current role I work for Certane services, which provides a shared service, not just in security, but you know, whether it's HR, finance, legal, it provides a shared service of the multiple subsidiary business that sits under Certane Group. And we have a lot of trustee licences under this under this group. And a lot of those businesses need to perform almost like a risk management function to their service providers. And I think there is so many layers of supply chain or third parties, that it's hard to do. It's hard to perform security and effective security are hard to understand, you know, where the risks start and where it ends, because the chain is so long. And I think, from that aspect, traditionally, it's always been getting a third party security independent consultant or a company to come in to do the work. And then as the trustee, they determine whether that meets their fiduciary obligations, according to the licence. So I guess all in all, it's about making sure that things are done correctly, according to, one the law and making sure that we are managing our risk correct correctly. So as a shared service provider, we need to think of new ways, we need to think of new methodologies to identify and understand that risk from our point of view, but also being able to provide a service to help them. There's no point in just checking the homework without guiding them of where they went wrong as well. And a lot of times we pass the ball on to an auditor, or third party to provide that, and then we, you know, look at when they're going to remediate their findings, or remediate those gaps that they see. So it's more of, you know, passing the buck, but not, you know, I guess handballing it, but not really dealing with the actual day to day of the operations. And I think as a trustee, there needs to be more emphasis on how you tackle that. And I guess the major benefits I see, of having this as a product is if the intent would be if we're able to perform some of these security services and activities for the third party providers. Since that some of them are small, some of our clients are smaller as well. And then they don't have the resource capacity to do so, and they tend to outsource. One, it can be beneficial, because we understand identify the risk that we're dealing with, as well as, as a trustee, not just the third provider, we're able to understand that business a lot more because we work closely with them. So there's a lot greater collaboration. And I think from a cost point of view as well. It kind of justifies having that partnership with them to begin with. I think the final benefit would be probably from a regulator point of view, and I can't speak for them, but it will show that we're proactively trying to tackle risk and security risk in itself.
CP: Yeah, I mean, a lot of people would talk about not necessarily security as a product, but as an enabler. You're helping other organisations to ensure their security is suitable or appropriate for the customers that they're serving. In a way, I suppose that similar to how other organisations would be saying that their security team is enabling their business to achieve what they're setting out to achieve, their strategic objectives. We've talked a bit on the podcast about this security as an enabler piece, and I've got some thoughts and I've shared them previously, but I'm really interested to hear from you. Given that you're doing this security as a product as well. Do you buy into security being an enabler? How does that term sit with you?
IP: I think it's changed over time. I didn't think it was an enabler. I thought it was a support mechanism and support capability. But I think enabling you really have to tie enabling to enabling feelings or enabling a mindset because security as you know, as part of technology, yes, it helps provide a solution. But where I think it enables and I think that you can, you know, tie this back to your everyday life, but it enables comfort, enables confidence and enables insurance. We hear a lot about assurance a lot, but it enables a mindset to succeed. Ultimately, I think if you're, you know, driving down a road, and it's a rough dirt road, having a seatbelt, having, you know, guard rails, whatever it may be, there's simply security controls, it helps you drive faster. Now, I'm not condoning anyone driving faster, but I'm just saying it enables that mindset to be able to do that. And I think that's what security does. And if that helps people and enables people to succeed in a safe environment, just similar to what risk management is, then I think that's where it's an enabler.
CP: It's interesting that you use an analogy, like driving on the dirt road, because I know that in terms of cyber influence, you're a big fan of analogies. And what benefit have you seen or have you been able to achieve, I suppose, in using analogies in your everyday work as a security leader, and why do you think they work to help the message around cyber risk sink in?
IP: I didn't always think this because I was very technical back then. But there was a couple of people in my career that helped me along the way, especially from security awareness point of view. You're seeing a change in trend of security awareness being people from different orgs of the organisation, from marketing, from HR, and they have that way of being able to speak to people. That's the key thing. And analogies, make it personal, analogies have allowed me to really convey the message. And I like to think that, you know, security is quite scary and technical at times. You know, there's quite a lot of anxiety when someone's breached, or your bank accounts hacked or whatever. But it ties it back into, you know, the paradigm shift of physical security and, you know, cybersecurity. It's not too different. You getting mugged, yes, there's a personal feeling of safety, but at the same time, your bank account getting hacked, the same principles of security are there as well. Access to it, you know, being in a vulnerable area, all those types of things as well. And I think everyone's faced the physical cyber security. You know, whether it be the safety of your house, the safety of your car. I think that the change in mindset is people only seeing it quite now about cybersecurity. And I think if we're able to bridge that gap and create those analogies and those stories, I think that people are more willing to understand.
CP: Yeah, I mean, I think until recently, people found security quite intangible. Whereas now we're saying, the colonial pipeline where you can't buy fuel and the JBS Meats where, you know, not only can you not buy meat, but all these workers are not required to pack meat. And, you know, it's starting to hurt and even Channel Nine, I mean, the the impact of not being able to, to print news, receive news, push news out, it's really saying to become much more of a community and society, or recognition within community and society. And I don't think we had that before. And so, you know, the analogies we were using before were much more around safety. But now we have real life case studies that we can talk to, around impacts to people's everyday lives, I think it's definitely shifting.
IP: Yeah. And what I'd like to see is, previously we had Neighbourhood Watch, where you'd look out for your neighbour. If they're on holidays, you take them out in for him, or you take your bins in for them to help them out. I'd like to see the change of people, you know, from a digital point of view to help each other out, you know. It's not only on me, it's, it's it's on everyone in cybersecurity, to help our family and friends and the community. And I think that will go a long way into actually keeping everyone safe.
CP: I think in line with that, we have we need people to understand why cyber security is important. And we talked a little bit or I talked a little bit in your bio about this why around current threats and not just simply performing security for compliance. And when we chatted recently, you know, you mentioned that the 'why' has become very important to you, and particularly around buy in and I think, you know, probably harks back to the conversation we just had around analogies. But when the business challenges security policies or principles, how are you using the 'why' for security to help you to get the outcomes that you want?
IP: I believe a 'why' helps break down the objective and the principle of why we actually need to do something. And it may not just be security, why we need to do anything at all. And I think if you're able to bridge the gap of you know, why are we doing something to make it better, to improve or to help or to prevent, then I think that really helps convey that message to the challenges and the objections that you have within the workplace, and in life in general. I think it ties back into the business effectively if you do it that way. Because the business is always thinking from a business driver model plan point of view, what we're doing here, how will that help? It has to, and that message has to be conveyed throughout the business, not just from the top level at the Board, it's all the way down. Where if you're asking a threat hunter in your team to perform their function or perform the actions they do on a day to day, you should be able to ask them why they are doing this and that should eventually tie, if you ask why enough that should eventually tie back to what the business needs. They're their business drivers and models and plans. And I think a good strategy that I've seen or a good tip would be to spend that time on your one on ones with your team members and go around to them and ask him, why are you actually doing this thing on a day to day basis? Why? you shouldn't have to answer the why for them. And if you do have to, then there's those gaps that you can understand from their point of view of, are they aligned to what the business wants? Do they understand the business objectives? And because if they don't, if they're not understanding that, then ultimately, there's a lot of things that you're doing that could be inefficient, not maybe not ineffective, but inefficient. And therefore, your prioritisation of work is misaligned as well. Ultimately, you know, so for example, superannuation company, you're about protecting members data, and their money. And everything you should be doing on a day to day basis, especially in security, should be helping towards that. And that's, that's kind of how I break it down to in terms of explaining the why. And the benefits of the why.
CP: When I asked you that question, I thought you were going to talk about talking about the why to people outside of this security team. So you know, marketing says, why do we have to have data security in place, when we work with third party, direct mail operators, for example. Or the board might say, why do we need to invest in these things? And where I thought you were going to go was you saying to others why we're doing this. What I loved about your response to my question was that you're talking about asking security people if they know why they're doing what they're doing. And that's a really powerful thing, because lots of people come into work each day and never question, why they're doing what they're doing, and especially insecurity. Doing it for a compliance measure or doing it to align to an industry standard, that's not necessarily the right type of work or delivering the right capability. You know, we want to be looking at this from a risk perspective, but also from a business outcomes perspective. And if your team, if your security team don't understand why they're there, and what role they're playing and what benefit they bring into the business, how on earth will they explain the why to anybody else?
IP: Exactly, yeah. And it's, it's a joint venture. So the security team, we're all representative of one another. It's not just from the leadership position. When they're there in project team meetings, they're supposed to explain the why to change management, they're supposed to explain the why to the business or the legal team, whatever it may be. And if they understand their purpose and what they're trying to do, there is a much greater collaboration with the rest of the business as a whole. And I think you know, that you were expecting me to answer the why different, I think, from my analogies and explaining that way, it kind of gives a bit of insight into that. But ultimately, I like to think that back on the principles point is if you can, if you're able to tie back everything to the principles, then you're seeing through their lens. If you're able to see through their lens and empathise of them, then security that you provide, will be that support mechanism or that enabler it won't be a blocker. And I think that's the bridge you have to cross.
CP: We've covered a lot today in a very short space of time. And I feel like there's some really clear nuggets of advice in our discussion today for the audience. And I really want to thank you Ian for your time and for your contribution and for diving into security six years ago and, seeing the benefit in shifting your career out of, not out of IT, but in IT but from a security perspective, I suppose. But, you know, I think you've got a lot to give our industry and certainly from a people perspective, you're really thinking through how do we influence change in cybersecurity. So yeah, thanks very much for your time today.
IP: Thank you Claire, I think it sends a message that it's never too late no matter what your age, if it's something that you're intrigued and passionate about, I think give it a go. I'm here to help as well so reach out to me on LinkedIn.
CP: Great, thank you. You will pop your details into the show notes and, and we'll speak again soon.
IP: Thank you Claire.