Episode #68 Security as an enabler with Charles Gillman
Charles has 20 years hands-on experience across multiple security disciplines including Security Consulting, Ethical Hacking, Cybercrime Research, Security Architecture, Security Operations and Security Leadership. He has also held a role as a part-time lecturer in the Masters of Information Security course at RMIT. Charles has built and led security teams at two of Australia's big four banks, before moving to senior roles in the Cloud & Managed Services spaces. His diverse experience has given him the technical understanding of the current threats faced by organisations, as well as the knowledge on how to uplift the security posture of the organisation in a pragmatic way to address those threats.
Join us as Charles shares his career journey, and we compare our views on security as an enabler.
Transcript
CP: Hello and welcome to The Security Collective podcast, I'm the host Claire Pales and today's guest is Charles Gillman. Charles has 20 years of hands-on experience across multiple security disciplines including security consulting, ethical hacking, cybercrime research, security architecture, security operations and security leadership. He's also held a role as a part-time lecturer in the Masters of Information Security course at RMIT. Charles has built and led security teams at two of Australia's big four banks, before moving to senior roles in the cloud and managed services spaces. His diverse experience has given him the technical understanding of the threats faced by organisations today, as well as the knowledge on how to uplift the security posture of the organisation in a pragmatic way to address threats. Charles, it's great to have you join me on the podcast today.
CG: Oh, thank you, Claire, you always seem to get really good guests, so I'm very honoured to finally have made it onto your guest list!
CP: It's really good to have you. And I want to jump in straight away to the fact that you've just started a new job. Are you one of those people who mapped out your career to date, in terms of the roles you wanted, and the industries and the styles of jobs or things you are keen to achieve? How have you gone about your career, sort of working out what your next move is? It's probably a good place to start.
CG: Right! So to answer the first part of your question, very early on in my infosec career, I had an aspiration to be a CISO by the time I was 50. And I didn't necessarily think I would get there or how long it would take. But I thought it was worthwhile setting the bar high. So I didn't have my career path mapped out as such, but rather identified gaps in my skills or experience that I needed to round out in order to move to the next role. And so therefore, I chose roles that would give me the skills and experience that I was lacking to close out that gap. So I could have those well-rounded skills once I'd got to that senior leadership level, like a CISO. I've been very lucky in my career path. I've had some very good mentors, and people that have believed in me and given me the opportunities that were nothing short of a stretch, a huge stretch for me at the time. And I was lucky that happened multiple times in my career. So I've always tried to pay that forward and invest in others, as they've come up in their careers.
CP: It's such a common thing for people to say that someone has seen something in them or believed in them. Are you as a leader now seeing that in others? How has that sort of played out in you maturing as a leader to be able to see that in some of your direct reports?
CG: Yeah, I've had it in direct reports. But I've also seen it in, you know, key talent in other parts of the business. Whether that's someone that's had an interest in security or someone that's had a different reporting manager. And so, you know, I've tried to either mentor them, or, when I've had the opportunity, create a role for them.
CP: Speaking of your opportunities to look at leaders and look at talent in the organisation, in your role at NTT, you were a CISO but you actually had CISOs reporting to you. And so how does that work in terms of the mechanics of one company having so many CISOs, because most companies don't even get to have a CISO. How complex is it to understand how they needed to serve different businesses, and then your sort of overarching role?
CG: It sounds crazy, right? So I was a CISO, that reported to a CISO, with CISOs reporting to me. It's almost like Russian dolls. It was a very complex business. So you kind of need to step back and understand that business to understand why it made sense at the time. So NTT Limited was a conglomeration of 32 disparate companies that were brought together two years ago. So you know, they mashed them together and created a single brand, and then on the back end, started to try and bring those businesses together. So some of your listeners might be familiar with some of the brands like Dimension Data, which were successful multi-billion dollar companies in their own right. NTT Ltd is huge, right, they own five data centre businesses around the world with 160 data centres globally. Three cloud infrastructure as a service businesses, four global network businesses. So this is a company that owns submarine cables. And, you know, 40% of the global Internet traffic passes through them every day. And then sitting on top of all the infrastructure they had the managed services businesses. So managed security services, managed comms, managed networks, and then they had a presence across 20 countries with 40,000 employees. So by its nature it was an incredibly complex business to navigate. And many of those businesses operated independently so they had their own CEOs, their own CIOs, their own infrastructure. And the complexity was always multiplied by 32. So if you look at common things that we all face in security, like, you know, end of life and support, you know, you often have to multiply that by a factor of 32. So, while the CISO structure sounded odd and complex, it did make sense for that business. So we had a global CISO, with oversight of the entire NTT Limited business, and he interfaced with our parent company in Japan. Then we had a CISO for the infrastructure services, so that's those data centre type businesses and cloud. And then a CISO for managed services.
And then my role, which was the CISO for group services, which was essentially all the go-to-market services, which included the oversight for managed security infrastructure and all the other managed services. And then finally, we had a CISO for the corporate IT that served the 40,000 employees. So we had some very distinct towers, and each of those CISOs could operate independently in their own right, and I know that you've met a couple of them, they're very capable security leaders.
CP: Now you explain it like that, it absolutely makes sense. I mean, I still imagine that there would have been times where collaboration between all of you would have been incredibly challenging. But it also, I think, would have potentially given you the opportunity to get a really vast experience, not only with a variety of diverse direct reports, but also the challenges and the problems that they would have come up with day to day would have been quite different as well. Purely based on geography, but also, as you said, the many different types of businesses. Did that sort of give you a really broad spectrum of knowledge around cyber, or how did it impact you?
CG: It was great in many respects, and then there were negatives. You know, you're often spread too thin, you couldn't necessarily become an SME in something like data centre security, or IoT. It was, but it was great experience. And we had really good people, great, great leaders in that business. So even if you didn't necessarily have the skills, there were people in there that did, that you could rely on to skill you up. But it was really sometimes quite challenging. Because you know, one day you're dealing with something in a data centre, the next day, it's, you know, an issue on the underlying infrastructure and cloud. And then, you know, we had quite an extensive R&D arm that was building a lot of software. So you know, you had all of the go-to-market software issues and issues around software security and the secure development lifecycle. So it was fantastic, and really good and a great way to skill up. But I think part of the reason that I've moved away from that is, I needed something that I could really roll my sleeves up and really get stuck into. Which was not always the case, in that environment.
CP: I mean, it makes sense, given that sort of vast experience, that you would also do something like the work you did at RMIT, around lecturing and giving back, but also, I guess, just using a different side of your brain as well, in terms of sharing with students and other lecturers as well, within that academic space. How do you think things have changed in security in the decade since you were doing that work back at RMIT? Because, you know, everybody keeps saying our industry is changing at such a fast pace. What have you seen, I guess, in that time from when you were teaching, you know, the leaders of tomorrow back at RMIT to now?
CG: If I look back on my old course material, it's really funny how some things have changed so dramatically. Yet scarily other things have stayed the same. So, you know, if you go back a decade and look at the role of the attacker, you know, we used to talk about the script kiddie or the hacktivist. You know, there was some DDoS in there and a bit of cybercrime thrown in, but cybercrime was only just starting to get monetised. So it wasn't the real threat. And now, we're dealing with complex cybercrime gangs that have specialties like initial access brokers that will compromise an entire fleet of systems, and then go and sell that access to another cybercrime vertical like ransomware. So it's a hugely different threat landscape. And then the security tooling changed massively. What we had a decade ago was quite rudimentary by today's standards. It was expensive, bloated, it was typically on premise, it was complex, it needed a lot of feeding and watering. And now we've got security tools that exist in the cloud, that leverage AI or machine learning and they allow us to focus on the alerts and not, you know, not work on trying to keep those tools up and running. But on the flip side, sadly, a lot of the vectors used to compromise systems, you know, whether that's by nation state sponsored APT groups going after intellectual property or ransomware groups, you know, other financially motivated cyber criminals, the vectors are still the same. And I'm speaking from experience, you know, I think I calculated once that I've been involved in well over 100 security incidents, and the attack vectors are overwhelmingly the same. It's unpatched systems. It's misconfiguration. It's poor coding practices and invariably the human element. You know, very rarely in the last 15 years have I seen something, you know, where it's been a zero day exploit utilised. 95% of it is the same issues that I was lecturing on a decade ago.
And we were running labs on and getting the students to, you know, utilise tools against those same sort of vulnerabilities that exist right now.
CP: I mean, it's an interesting point because some things have changed. But obviously, there's always the constant of unpatched systems, I think that will go on for some time, unfortunately, but also that sort of human element. And this has been coming up a lot in the episodes I've been recording for this season around, not just awareness, but the impact of cybersecurity on the community, and on individuals in general, but also in corporations. And I guess, thinking from the human perspective, it doesn't feel like over the last decade or so we've done much to innovate in that awareness side of things. Or, I mean, I'm not a big fan of that term security awareness, I think it needs to be more about behaviours. And, you know, just because somebody is aware doesn't mean that they do the right thing. Are companies really relying on posters in the kitchen, and those sorts of things to educate their staff, or have you seen innovation in this respect, given, you know, the number of companies that you've been the CISO for?
CG: Yeah, this is a real bugbear topic of mine. No, I don't think we're doing enough. And to be blunt, all security awareness training that I've seen sucks! You know, we've all sat through that security awareness training as part of onboarding or annual compliance, it's horrible. It's some scenario and the cheesy video and, you know, terrible multiple choice questions, and I've never seen it done well. So we need to do more. You know, when I was running the ethical hacking training, it was so satisfying to see the penny drop when someone understood how attacker tools and techniques worked, you know, through hands-on experience. And we need that kind of level of engagement and understanding when it comes to security training. And some of the most security aware non-technical people I know are actually the ones that have been a victim of some sort of scam or cybercrime. And if we could kind of distil that level of awareness or understanding, without the pain of being scammed, I think that'd be great. And I don't think anyone's doing it well. But that said, there are companies out there that I think are doing innovative things. And Secure Code Warrior definitely comes to mind in the developer space where, you know, they're gamifying some of that awareness training. So if anyone's listening that knows of someone that is innovating in the security awareness space, please ping me on LinkedIn, because I'm looking for a new vendor. And yeah, I'd really like to know what is out there that is interesting, because like I said, I've never seen it done well.
CP: Yeah, ping me too. Not that we've failed as an industry in this space. But it really feels like everything we create becomes sort of this compliance measure. And, you know, to your point around the training, it's often when you onboard, and then you never hear of it again, or it's annual, and it's the same assessment that you're doing over and over. But then also organisations being willing to invest in that space as well is often a battle, and often the security awareness budget is what falls away first. But look, I really wanted to talk to you on the podcast about your opinion around security as an enabler. And I've talked to a few people on the podcast about this, but I know it's a particular interest to you. So I'm keen to hear what your views are, because I don't necessarily see it as an enabler. What are your thoughts?
CG: Yeah, look, I know it's something you and I've touched on in the past and I was thinking about, you know, why are we so not aligned on this, and I think we have very different perspectives on it or have different experiences with it. So I've got multiple lenses. So you know, my first lens is to say that to say security isn't an enabler is to imply the opposite, that it's a disabler. And so when a business decides to engage security late, or you know, they treat security as an afterthought, you know, then yes, security can slow down project delivery and time to market and it can be a disabler. But I think poor security or the lack of security has the potential to be an even bigger disabler. And if you want to talk about the biggest business disabler at the moment, it's ransomware. You know, you look in the last 12 months, especially how it's impacted companies around the globe, we've got a great example here in Australia with Toll. You know, if you were waiting for your eBay deliveries that were coming via Toll in that month, you were waiting a long time. So I think the lack of security that enables a breach or malware or a fine from regulatory bodies is a business disabler. And then there's the cost to the business in terms of lost productivity from an incident. The time and cost to investigate, remediate, especially if you've got to go to a third party to do that for you. Then there's the lost opportunity costs, delays in the time to market for products and services. You know, I've seen mop-ups take months and derail a business, and then you lose a competitive edge in those delays, you know, especially in highly competitive markets. And then the worst of all is the loss of trust from your client base and brand damage, which are really hard to measure. You know we've seen big examples of that, like Equifax, for example. And then another lens is, you know, a punitive financial lens.
So if you're operating in a regulated environment, or you're subject to country specific or regional specific regulations, GDPR is probably the best example. The lack of security that results in a breach can result in a material fine. So GDPR levies fines of 2% of global revenue, not profit, revenue. So depending on the profitability of the organisation, so a business with high overheads and low margins, a 2% fine of global revenue can be the difference between, you know, profit and loss for that financial year. And you've just got to look at some of the fines that GDPR has levied. Marriott was fined $24 million for a data breach that occurred in a business that they bought, before they bought it. British Airways was fined $26 million. So 20 odd million dollars, that can fund a lot of headcount, innovation or business uplift. And so fines, responding to malware and ransomware, cost the business, and that can have the likelihood and impact reduced by security. So security is a business enabler, because it aims to prevent business disabling events. And then the thing that I'm most passionate about is the sales and compliance lens. So we used to say that security was a differentiator. But that hasn't been the case for a while. And speaking from my seven years in a services business, security is table stakes, it's not just expected, but in a B2B context, it's demanded and often written into contracts. At NTT it was regularly part of a contract. So that NTT exposure gave me that unique perspective on client security expectations. Across the various services businesses, my team and I had to consistently field client security inquiries, be it taking bespoke client security questionnaires or meeting with clients, or dealing with contractually mandated right to audit, which is a horrible thing to have when your client decides to audit you, you know, when you've got other events going on.
And in one business unit alone, that was consuming like one and a half FTE a week, just to meet that. So I think we've got a distorted view of it here in Australia compared to the rest of the world. So, you know, with my services lens on, outside of federal government, ADF and the big banks, I haven't seen requirements to demonstrate your security from Australian businesses. But that was very different globally. So the biggest demand for security certifications or to actually prove that you had security came from Singapore, so Monetary Authority of Singapore, AUSPA, IMA. Then the US, we used to get SOC 1, SOC 2 into just about every contract. And Europe was always looking for ISO 27001.
CP: I see what you're saying from that perspective, that an organisation who is wanting to, say, do business with a vendor or with another company, and if organisation A needs organisation B to have a certification or a certain level of security, then yes, that enables those two companies to work together. But if you think in terms of inside an organisation, like where you are at the moment at Moula, like the definition of enabler, well, there's a couple of definitions of enabler. But one definition is that it can be a positive thing that makes something possible. But I would argue that the security team doesn't necessarily make it possible for organisations to deliver new products or meet new market demands from their customers. Security can be part of that process. But unless you're heavily regulated, for example, or you have the structures in place already where security is involved from the very start. Often, if you get to the go/no-go meeting at the end of a project, and the project says, we're ready to go, but security put their hand up and said, actually, we've got some concerns, there's still a good chance that that project will go live. In some organisations.
CG: I would say there's a high chance that that project will go live.
CP: Yeah, so security is not enabling that.
CG: No, look, no, and I agree with that. But that project is generating sales. And, you know, in the examples I was giving with the international companies, if you didn't have those certifications, they wouldn't even buy your product, you couldn't even respond to a tender or an RFP, unless you, you know, met certain security criteria, which was often demonstrated in a certification. So I think, like I said, I don't think we see it as much here in Australia, but I think we're going to see it more on the back of the SolarWinds hack. You know, the number of client inquiries and, you know, questionnaires that we saw, you know, in that B2B space, where businesses are becoming more aware of their supply chain risks. So I think it's an enabler because it's just a cost of doing business and part of doing business, and you're going to get precluded from sales or doing business in certain sectors, unless you meet certain security requirements.
CP: Yeah, look, I would definitely agree with that. And I also have seen in the industry, quite recently, a lift in the number of organisations who want their security leaders to have security clearances. And, you know, your ability to get a job based on whether or not you're a citizen, or whether or not you're able to achieve a particular clearance. And that, in itself, enables an organisation to use those security professionals, you know, in third party relationships, or to serve clients. And so, you know, it's not just the organisation needing certifications, but we're seeing more and more security professionals needing those, I guess, certifications or clearances that prove that they are who they say they are, for starters, but also that they have a certain level of authority that comes with getting one of those clearances. And so I would agree that there are certifications and clearances and that style of compliance that would allow for enablement. But I guess I still argue that inside an organisation, the security team doesn't necessarily enable a business to do business, if they're in an unregulated environment, or if they're not doing business with regulated third parties.
CG: Oh, look, I would agree with that. But then, you know, in a connected digital world, I don't think any sort of digital business can do business without security. Because as you say, you know, you gave the example of the business leaders, you know, having to kind of prove their credentials. And it all comes down to trust. And I think the more that we give businesses, the more that we need to trust them. And I remember years ago, sitting in on a talk by the CEO of CBA at the time, and he said we're not in the business of money, we're in the business of trust, he said, because if people didn't trust us, they'd go bury their money in the backyard. And I think it's some sort of measurable security that's getting our clients to trust us that enables us to sell our services and products. And if I look at the Moula context, then you know, that's an interesting one, because you're buying a loan, but part of, you know, their unique selling proposition is that they turn that loan around quickly because they're using machine learning to have a look at your accounts. So now you're trusting them with access to, you know, your accounting data. And so I think, you know, the buy now pay later space is probably going to get regulated at some point, based on the security concerns coming from the market. You know, it's just going to take one media article to start shifting some of that focus of the politicians as to how we regulate, and it all comes down to trust.
CP: 'Buy now, pay later' is, I use this term all the time, but it's definitely a podcast for another day, because it's in the press so much. And I agree with you that at some point, it's going to have to be regulated because of the amount of activity, financial activity and regulatory style activity that goes on around it. But I really liked your use of the word trust, because whether or not it's with a third party, or if it's with internal stakeholders, I couldn't, I guess, impress upon my clients enough around building those trusted relationships with the CISO or whoever is that dedicated security resource in your organisation, it's not always a C level leader. Sometimes it's a lead or a head of or even a technical resource. Having that person out and about in the business and building those trusted relationships, that's actually what is the enabler. Not necessarily just the compliance and the certifications and that side of things. That's the, I guess, the tangible piece that you can pull out your certificate and say, okay, now we can do business together, because we're both talking the same language. Those trusted relationships inside an organisation that, I guess, can be forged, that helps to enable. Because people will be more likely to have conversations about what they're trying to achieve, and much more likely to not get to the 11th hour without security having been involved, even if that's just procurement, not necessarily project.
CG: Oh, look, I couldn't agree more. You know, something that we've always aimed to be is that trusted advisor to the business, you know, to help them make those decisions, informed decisions, especially around risk. And as you say, you know, you gave the example of a project going live, we've seen, you know, the risk of missed revenue or missed opportunity is far higher than, you know, some risks that we've raised about a misconfiguration, or how they've coded a particular application. So it's being able to be trusted. And for them to seek you out for that trusted advice.
CP: You know, as someone like yourself, who's new to a role, I mean, you're in the thick of that now, you know, building those trusted relationships, working out who's who, and who's influential, as well, and making sure that you're able to leverage those relationships when you need to.
CG: Yeah, exactly. And I think that's always the hard bit. I think that was one of the difficult things for me with changing roles was, I was known, you know, you were in a business for seven years so people understand your share price, and what you bring, and then you go to a new business, and you have to re-establish that trust and, you know, people believing in you and understanding the skills and what you bring to the organisation.
CP: I think it's a challenge for every security leader to start again in a new organisation, and, you know, rebuild or start to build those relationships. Charles, I've really enjoyed chatting with you today, I knew that it would be a robust discussion around security as an enabler. And I think at the end of the day, we are on the same page, and just coming at it from different perspectives. But I really want to thank you for coming on the podcast. I do get some great guests, you included, and so thanks heaps for your time.
CG: Great. Thank you very much for having me. I've really looked forward to it and really enjoyed it.