Episode #72 Cyber Security – Global v Local with Aaron Bailey
Aaron Bailey is one of Australia's leading Cyber Security experts and is the driving force behind The Missing Link's Security team. Aaron is the Chief Information Security Officer at The Missing Link, and kick started their Cyber Security business. Today Aaron and his team has become the trusted advisor to some of Australia's largest companies and government departments helping them to develop innovative and robust solutions to solve their security needs.
Aaron shares how The Missing Link is growing locally and globally, and why he is so passionate and proud of the business.
Links:
Transcript
CP: Hello, I'm Claire Pales and welcome to The Security Collective podcast. Today's guest is Aaron Bailey. Aaron is one of Australia's leading cyber security experts and is the driving force behind The Missing Link security team. Internationally recognised for his expertise in IT security architecture, he's regularly engaged in speaking at industry conferences, roundtables and webinars and provides expert security opinions for the media too. He's the Chief Information Security Officer at The Missing Link and he kickstarted the cybersecurity business. As a result of his drive, passion and industry trust, the business grew at a rapid rate and in 2016, became the fastest growing IT company in Australia with 333% growth year on year. In 2020 the accolades continued to flow when The Missing Link was listed again on the financial reviews Fast 100, which recognises the fastest growing businesses in Australia. Today, Aaron and his team have become the trusted advisors to many of Australia's largest companies and government departments. He's respected as a visionary, not just in the security industry, but also in the IT industry. And ultimately, Aaron has been partly responsible for raising the standard of cybersecurity in Australia by helping private, enterprise and government departments develop innovative and robust solutions to solve their security needs. Aaron, it's great to have you as a guest on the podcast today.
AB: Thanks for having me Claire.
CP: So we've heard in your bio, a little bit about you, and most CISOs are battling multiple priorities, and burnout is quite common in our industry. You are not only a CISO, but as we heard, you're the co-founder of an IT service provider, and you've recently expanded into the UK. Tell us what's your secret? How do you prioritise all the things that you need to focus?
AB: I don't think there's any particular secret per se, I'm extremely passionate about what I do. I've been doing cybersecurity for my entire professional career, and even before that when I was tinkering as a teenager. So that drives me to be across as much of the changing threats, vendors, solutions and approaches as I can. And I find it all extremely interesting. I love being in cybersecurity, because I think it's the greatest puzzle that can never be solved. But I'm always striving to master anything. I am quite fortunate that I don't seem to need a lot of sleep. I've been thriving on about five to six hours on average for longer than I can remember. I am very fortunate to have found, hired and trained some of the most amazing cybersecurity professionals in our industry. And I have leads for each of these teams. We now have about 70 staff across all those teams that work very hard every day to help our clients to achieve their cybersecurity goals. And we constantly outperform the market in terms of awards, growth and zero day discoveries. So basically, I try to prioritise my team first, then clients. That may sound a bit strange, but I think if you look after your staff, they will look after your clients.
CP: I think that that is a good leadership trait, to be really focused on how your team are managing because as you say, if they're not doing okay, then they're not going to serve your clients in a way that you'd be proud of. And now you guys are expanding into London, what's driving that expansion given what you're already achieving here in Australia, and what role are you going to play in the new geography?
AB: The primary reasons for expansion, internationally or outside of Australia are basically population and addressable market. By us having an international presence we can obviously help more clients, and we can also find more cybersecurity talent to join our team as well. The UK specifically was chosen as we've got like strong political trade, and government ties which flow through to cybersecurity in terms of the alignment of standards, like the ASD essential eight, aligning with the UK cyber essentials. Things like security, clearances, information sharing, and also being part of the Five Eye’s helps as well. The timezone interestingly, I've had a lot of people say it's kind of it's hard and it works against us. And yeah, the 10 or 11 hours behind depending on daylight savings, but I actually see that as a future strength. You know, initially it's difficult during setup and establishment and we do have people in in our teams, myself included, on very early morning calls or very late night calls to align best we can with new and emerging UK clients. But we do have plans to form another Security Operations Centre in the UK, which will allow us to have a true follow the sun model and work towards moving away from requiring a 7pm to 7am 12 hour night shift in our Australian business which we have today. So my primary role in this expansion is effectively the project sponsor and lead director from the board in managing this aspect of our growth.
CP: It's interesting because I know you've worked overseas before and specifically looking at the UK. They're often said to be a few years ahead of Australia in terms of exposure to cyber security threats and I guess experience handling cyber security incidents. Do you think that's true? Do you think that Australia is behind and how is the experience in the UK going to benefit specifically your organisation but also the people that are working with you?
AB: Yeah, it's interesting. I mean, I've heard that about the UK and the US in terms of them being a bit ahead and Australia being behind. I do wonder if that comes from them or us in terms of that viewpoint. I guess I agree with it mostly. But I'd say that it's mostly related to scale and budgets. The larger the population, the larger the company, the larger the cybersecurity budgets, typically. And therefore, the more maturity, the more security controls and stuff that they can afford. You know, in the US, for example, they have HIPAA, so they have certain standards against the health industry that we don't have here. So there are there are more compliance requirements. Sarbanes Oxley is another now that's US and not UK related, but they're bigger geographies that are more heavily regulated, and bigger budgets overall, allow them to have to do more and be able to do more effectively. When I worked at JPMorgan Chase in the UK, as a security analyst, many, many moons ago, I was part of a small team, looking after more than 180 firewalls across EMEA. And that was just one security controller. That gives you an idea of the sort of size and scale that you can come across in the UK. In terms of new technology adoption now, I do think Australia is at least in line, and sometimes slightly ahead of other regions. We do have some fantastic Australian startup vendors that are creating new technology and approaches, some of which we partner with already today. And we've personally seen some of our clients willing to test new approaches and new technologies alongside us, as long as the goal is better automation and integration within their cybersecurity estate, to achieve more with less.
CP: And so given I mean, even just the comment you made about the scale and the magnitude of how things are just bigger in other places than we have here. What do you think that Australian CISOs could learn from UK counterparts, in order for us to expedite our security maturity to keep up with other leaders across the world?
AB: Yeah, we can't obviously learn for the scale of larger populations, and companies can bring unless you've worked with, or for some of them. We have some very large businesses and governments and critical infrastructure, obviously, in this country too, but it is just a different beast. The UK is three times our population roughly, the US more than that again, you know, five times more than that again. So you can't really learn from that unless you've had exposure to it, and what that sort of size and scale brings but I think some of the hardest things in our role is to justify spend, calculate impact in terms of business impact, or dollar terms, and then how to prove that our investments have actually reduced those risks. At The Missing Link, we've built our skills, expertise and partnerships around this mentality, how can we help our clients understand where they are now? And how to get to where they want to be in terms of cybersecurity, then along that journey, how can we test and prove these changes are actually making a difference?
CP: I think the return on security investment is pretty elusive for a lot of organisations, so if you've nailed down how to do that, then you're streets ahead of some others. And it's a concern, I guess, for organisations about how much money they're pouring into cyber and what return they're getting, because a lot of it is so intangible.
AB: Yeah, I wouldn't say we've perfected it. As I said, I think this year, this puzzle is constant. It's like trying to solve a Rubik's Cube while the dimensions and colours are changing as you go. So obviously, there's new things coming out all the time, we constantly re-evaluate and reinvent our consulting offerings, and its services and all of those sorts of things to try and do that. But one of the main focus we have is, you know, statistical analysis, data driven decisions, and proof where possible. You know, we can prove the time and time again, I've seen companies where they've spent a lot of money on widgets, they've got a lot of controls, but they're poorly configured, or poorly operated and therefore, we go in and do a red team or a penetration test, or any sort of technical validation, control validation assessment, and there's gaps and we still get domain admin, whatever the target might be. So it's not just about they how have the most widgets wins, or the more dollars spent even makes you more secure, you've really got to make the most of what you've got, you know, technology and people and honing those processes to get the most out of it.
CP: Yeah, I want to pick up on you mentioned there of people and post pandemic, I don't know if I can even say we're post pandemic, but post 2020 anyway, I'm talking to a lot of CEOs at the moment, and they're saying that there's heaps of talent out there, but it's really hard to retain them and pin them down. And in an organisation such as yours that's growing and that has some really exciting projects on, how are you attracting talent and retaining that talent in your team? Given it's such a buoyant market at the moment.
AB: Yeah, it's interesting you say so much great talent out there, hard to pin them down. Yes, there is, but I do think there is a numbers imbalance, there's definitely more demand than there is supply. I definitely think that's the case, we need to grow our own talent as well as finding senior talent out there. We have the same challenges as everybody you know, so we don't have a silver bullet, or I'd love to say we have 100% retention and 0% turnover, but we don't. People move countries, people want to change career goals, people move out of cybersecurity and into cybersecurity from other industries. So people as humans are always going to move around a little bit, you know, our job is just to try and make it a great place to work. We invest heavily in them. I believe we have one of the most thorough and expensive training programmes in the industry. In most cases during you know, a six month probation, for example, our new hires will go through a dozen or more certifications, and perhaps be in the first month or two, mostly training, not necessarily working with clients or projects or being billable, etc, upscaling and certifying etc. This is the same for entry level staff, as well as senior employees because we've got a unique blend of requirements in terms of our vendor partnerships, our requirements on the red team and consulting side, our strategic consulting approach. So I think one of the ways that we do attract and retain is certainly that we invest heavily in our team to ensure that we can command reasonable rates with our clients as well.
CP: I think there's an opportunity for lots of listeners of this podcast, but for organisations to learn from that induction, which is probably not the right word, and probably doesn't do it justice to the depths that you go to, to train your staff. But I've talked on the podcast before about the importance of those first few months of someone coming into your organisation and how they feel and do they feel like they've got a values alignment with the business. And now it sounds like from what you're telling me that, you know, you're selective in who you bring on board, you're selective in who you work with, and you want to give your clients the best possible resources that you can. And investing in people so that they work for you, and they work hard and then when you send them off into the world into their next role, they're a better person, and more skilled than when they came into your organisation. That's a pretty great service that you're offering the security industry in terms of our professionals.
AB: Yeah, we've, you know, I'm proud we've had people come through our business that have started their own business as did I. You know, I used to work for Dimension Data it was called then, NTT now, before I joined to launch the security business about seven, almost eight years ago now. We've had one staff member at least come into our business, gained a couple of promotions, and then go on to start their own. We've had a previous staff member, you know, that is head of red teaming for a very large company, I won't name them for their sort of privacy reasons or whatnot. And another staff member who's actually head of blue team, with a very, very large Stock Exchange listed company as well. So you know, see, that makes me proud to see. Obviously we want as many people to stay as long as possible. But as I said, everyone's human and is out there, we're not locking them or chaining them to the desk. By any reason, that would work in the opposite. It's really we're trying to create the environment people want to stay in, we try to have fun, as well we do work really, really hard. We have a monthly staff meeting, and one of the first things we do is goodbyes and hellos. For the last couple of months, we've had 1 or 2 goodbyes per month, and I think 10 or 11 hellos. So it sort of shows you the rate in which we're growing and the number of people that we've hired. Not everyone's met physically, yeah, because we're all on cameras and whatnot, it's crazy. So trying to try to keep, now we have cooking things where we have guest chefs trying to do cooking things with people in their kitchens with the kids, you know, really just trying to come up with anything and everything we can to sort of bring us all together and not just be talking work and clients and tenders.
CP: It's really hard to find great people. So if you're not just investing your money, but also your time in building them as great security leaders, then then I think it's an awesome service. Given that you run an organisation that is a service provider, and it's very hard for CISOs to decide what to insource and what to outsource. And now an operating model, you want to have IP inside your organisation. But there's also a lot of value from using services such as yourselves, because there's a lot of intel that you're drawing in from all your other clients all the time. And so you know, there's a huge advantage from relying I guess, more on outsource partners and so possibly your bias but how would you suggest CISOs could strike a balance between what's the right people or services or capabilities to have inside your business? And what should you rely on, you know, companies like The Missing Link to supply to you?
AB: We've gone through a recent period over the last couple of years of effectively redesigning our managed services from the ground up, we've now been doing security managed services for 5 or 6 years. We launched the 24/7 operation shifts, and secure SOC facility 3 years ago or so, 3 or 4 years ago. Only in the last 1 to 2 years, we've really been revamping how we look at managed services. Now we have a new assessment called a Security Operations Maturity Assessment for example. We're looking at key metrics, like mean time to detect and mean time to respond. We're not the first to do this. But we you know, I think some of the ways that we're talking about this with clients, we used to have, for example, what I call swim lanes, and in most services or solutions, you get your bronze, silver, your medals, bronze, silver, gold, platinum. The further right you move on the table, the more expensive and is the more things you get this, the lower the SLAs etc, etc. Not everyone needs 24/7 etc. So what we found is, you know, we had that for many years, and almost every client was saying, I want this bit from gold, and that bit from platinum and this bit from silver. And, you know, the level of customisation and bespoke, I guess, solutions and SOC proposals that we were doing was becoming quite difficult. So part of that redesign/reimagination we've done over the last year or two, is actually to you know, we have brand new calculators now that we can ask a few key questions, what do you want SLA to be? What do you want your hours of coverage to be? Do you want us to manage everything? Or do you want us to co-manage? You're happy to keep the boxes up and patched, and we just want us to use the application, know what to do with the data, those sorts of things. So we've now got a bunch of questions that we can ask that will effectively automatically calculate and produce a very custom service schedule, basically. So again, I don't think we're the only or necessarily first, but I do think that reimagination we've done is certainly accelerated us forward in terms of the way that we think about these things and try to customise the solution to the client as much as we can. Ultimately, you know, it's an expensive endeavour to run a 24/7 operation. So in most cases, it's more commercially attractive to outsource rather than insource. You know, especially if an area of skills that you need to gain that you don't have now is entirely new or not easy to scale up from existing staff. And shift rotations, you need to count for multiple people on shifts, night and day, people coming on shift off shift. And then obviously you need to cater for holidays and sick leave coverage and everything as well. So people thinking that they can cover their own 247/ with two or four people, they're going to find it very difficult to attract and retain people in those because there will be burnout, you're effectively just overloading them almost regardless of the number of controls you put on them.
CP: The product you mentioned, where you said, you can ask your clients a number of questions and sort of plug that in and make an assessment around maturity, I think was the product, you were talking about...
AB: Security Operations Maturity Assessment, and because we don't have enough acronyms in our business, otherwise known as SOMA.
CP: But my question is, do you find your clients know the answers to that? Or do they really need your support to set some of those parameters?
AB: It's a mixture of both. So some clients are driven by their clients or by the industry or by their sector. So there may be times where they're told they need 24/7 coverage, for example. Rather than just choosing that for their own business risk decision. But typically, when it comes to SLA’s, I see that the clients are either mandated to do something so whether that's their enterprise risk management or business risk internally, or whether it's external pressures from clients or compliance standards, or it's budget related. So they basically say, what's the tightest SLA I can get for this budget. And this is where our quite complex calculator now comes in handy, because we can model some of these questions with them and go, okay, so let's talk and we discuss what their goals are, where they are, what controls they have and where they want to be. We then say okay, so let's model it up, 24/7, 4 hour, P1, you know, regular reporting, mock customers, whatever those things might be, and it'll show a list price, effectively. It'll show a number and we can discuss that and go is this within expectation? Sometimes, yeah, that's reasonable, happy to go with that. Sometimes oh no, no, I have 60% of that budget, or 70% of that budget. So then we can start to play with some of those questions and go okay, well, if we increase the P1 SLA from 4 hours to 8 hours, this is the reduction in the cost. If we do a co-managed service instead of fully managed and we share some of the responsibilities, this is the cost. This is how we can reduce what we are contracted to, effectively, to be able to meet the budget that they need. So it's really those two areas that either have to internally or externally, or it's best bang for buck to budget.
CP: Which is interesting, because they're making a pretty important risk based decision about carrying risk themselves or transferring some risk on to you kind of based on how much they're willing to invest. And yeah, I think that's it's an interesting insight.
AB: Gartner has a report that they do annually that looks that surveys hundreds of CISOs about their cybersecurity spend. What is their revenue? What is the number of staff, how many dollars do they spend on IT, and then how many dollars they spend on cyber security? But all that is telling you is what your peers are doing. That's not telling you how much should I spend. That's a very, very difficult question, because the answer is an almost infinite amount, and almost never be 100% secure. So it's a law of diminishing returns.
CP: Yeah, I was having a conversation with somebody yesterday about what's right for each organisation, and should you believe the hype around certain products. And I mean, when it comes to cyber security, it's all contextual. It's about what's right for your business, as you said, for your budget, for your risk appetite. Every single organisation is different, and there's no kind of one size fits all. And so having that the option of trying to I guess, calculate, what's the best outcome. Yeah, I can imagine that would be really helpful for your clients,
AB: There is a choice, the vendors are not one size fits all. In terms of the coverage they have, in terms of the cost, the value for money, and all of those things as well. But yes, there's a lot of great new technologies and methods out there. And we try to be across things like automatic security validation, I mentioned before, tools that can actually automate some of the validation against mitre and other sort of frameworks. Quite often, we come back to the basics, what is the point of having all this flashy technology giving you all this data, telling you that all this bad stuff going on, if you can't patch everything at least once a month. You know, the ASD essential 8, we've been talking about it for as long as I could remember, it's the basics. Whereas if you do it well and do it rigorously, I mean, level three is patching criticals in 48 hours. We strive for level three, we scan daily to achieve that. We do daily vulnerability scanning on ourselves. Now we're a relatively small business in terms of number of IP addresses and staff and size and whatnot. But that's hard for us to do.
CP: The implementing and maintaining the ASD essential eight is definitely a podcast for another day. We could talk a lot about that. And I know a lot of organisations strive to implement the essential eight or even just four of the essential eight, you know that prioritisation of that is very challenging. And as I said, it's a big topic because it's very, very challenging for the upkeep is, I think, is what I'm trying to say. Aaron, it's been great to chat with you today. Thank you so much for sharing about your organisation and how it started and how you're managing things. And we'll put all of your details in the show notes so that people can find The Missing Link. And thank you very much. It's, it's been great.
AB: Thank you Claire.