Episode #84 Change is the only constant - part 2 with Samm MacLeod
In part 2 of Claire’s chat with Samm they discuss her sabbatical, starting a new business, and the operating model changes she has seen since returning to the security industry.
Samm is responsible for driving The Security Collective’s Interim CISO and Virtual CISO business. She also supports our clients with cyber security strategy, security operating models, and advice on security risk management, with a focus across multiple industry verticals including financial services and critical infrastructure. Samm’s experience with boards, audit & risk committees, and executives allows her to bring a unique set of experiences and perspective to the management of technology and cyber risk and the delivery of security best practice. Based on the Bellarine Peninsula, Samm is a mum to two grown up children, an industry speaker and writer, and an advocate for diversity in cyber.
Links:
Transcript
CP: Hello, I'm Claire Pales and welcome to The Security Collective podcast. In today's episode, we welcome Samm MacLeod back for part two of my most recent chat with her. In part one, we talked about some of the changes that she's seen in the industry while she's been on sabbatical. And we also looked at the Security Of Critical Infrastructure bill and how organisations have changed over the last couple of years. In today's chat, we talk about Samm and the lessons she learned about leadership from running her own business. And also looking at some of her reflections from when she was with us last time in Episode 46. So please enjoy my chat today, part two with Samm MacLeod.
CP: I want to shift the focus a little bit back to your sabbatical. And while you're away you and your husband purchased a business. And I'm wondering what you learnt about leadership and even cybersecurity from running your own business? Because, obviously, it's a completely different world to a big enterprise, you know, from being a CISO, and then moving into where you are the board, you're the CEO, you're the customer service, you're everything. So what was different for you, and what did you learn?
SM: So I learnt that I'm not a fit for a small bricks and mortar store, but I'll get to that in a second. I got bored relatively quickly. But I did have fun while I was doing it. So we did buy a small retail store, I think, eight weeks before the pandemic really hit Australia. So the timing was amazing. And but we bought a store that was, I guess, had been around for 20 odd years had a great reputation, but wasn't well looked after in the last five years of its life. So there was lots of improvement opportunity. And that's what appealed to us. So we're both fixers. We like to go in and fix things, and then figure out what we're going to do next. So we took the leap, and we jumped in, and we're both into health and well being etc. So the kind of store that it was matched all of that. And I guess for me, it was getting in and looking at how it had been operating. So I was doing a lot of work around automating and improving processes that just didn't make sense. I automated everything. We got full inventory management, you know, digitised and got all the POS working and geez there are some great cloud tools out there, I've got to say. And so integrated a whole suite of technologies to improve the way that the business was working and just make it much, much easier on hubby and the staff to be able to do everything from purchasing through to serving the customer, which was fun. But the one thing that I found quite amazing was how much that changed the attack surface at the store. So because it had been, you know, a very old set of weigh scales that plugged into a very old register, where you pressed a couple of you know, buttons that had the word broccoli written on it, and, you know, it gave you a printed out receipt. We went from that to you know, having Square up as the full platform, immediately we're on the internet. And then we had that integrating with other tools. So then we had, you know, API's to think about and how they were working and what the security around that looked like. But at the end of the day, you know, given my background, I found it quite easy to figure out the ways to support all of that and to make sure the staff had their own identities and that we're able to track and timesheet and all that sort of stuff. But the constant phone calls, and I'll just never forget in one day, I marked off 18 different phone calls that came into the shop. Whether it be claiming to be Amazon, NBN, Telstra, whomever and no slight on any of those organisations because I know it wasn't you, all trying to trick us into providing login information. Even the Microsoft one to provide login information to help us with issues with our platforms. And you know, we didn't have Amazon, and I knew it wasn't NBN. But it was constant. So I ended up spending quite a bit of time training our staff, none of them came from a background of having any kind of knowledge about cyber. But so far as trying to help them with anything coming in on their phones, as well as how to deal with the calls coming into the shop or whether it be responding to email and knowing what was spam. And I think the other thing I found when COVID hit was it was probably about maybe six months later, as everyone was transitioning online if they hadn't been before and certainly lots and lots of stores transitioning online to be able to do their click and collect and their online ordering. All of a sudden, every man and their dog was able to offer you advice and guidance on your website or your SOE. And so the amount of spam coming in that was actually malicious into our mailbox, that wasn't getting blocked, and it does now, but it took the providers a long time to catch up with this concept of spam with links associated with people offering to help us with our website to try and get the, you know, the number one SOE position on Google. Or to improve the way our products looked in and all of those sorts of things. And even today, heaps of them, and from all over the world, we blocked most of them now, but I never thought in a small bricks and mortars, you know, mum and dad kind of store that's all about health and well being and, you know, majority of our customers being very much on the, you know, the hippie scale. But do you know what I mean, dealing with cyber issues. And so I guess I was really lucky having done some work with CyRise when I was back in my CISO role, seeing a number of founders coming through who are trying to solve that problem for small to medium organisations. And that explained it to me, and I'd go really, really would they be the target? But I did have one particularly gnarly incident in one of the organisation's I worked with before my sabbatical, that involved small to medium businesses that were impacted in a really bad way around identity. And I kind of had a bit of an 'aha' moment then, but geez, that grew being in the shop and looking at how we help and support each other. And so really, what was funny is on the strip that we're on, whenever there was something going on like that, we would talk to our customers about it, but we'd also talk to the other shops and the peers beside us. And, you know, fraud was huge. So I don't mind saying that a particular time because of online ordering, I'll do this really quickly, but you know, online ordering/phone call ordering, we were dealing a lot with taking card numbers over the phone and entering them manually. And from a fraud perspective, that's, you know, you've got to be careful, you've got to know who you're dealing with and make sure who that customer is, to make sure that you're actually going to get paid at the end of the day or that it's not a fraudulent credit card. But we had a huge issue on our strip for us, for a number of shops, where individuals who were new to the area, came in, spend a couple of weeks becoming friendly with each of us, and then came in shopping minus a credit card, suggesting that their significant other has the card because they're in another suburb, and can we pay over the phone? And because they'd spent a couple of weeks spending small and getting to know each of us along the street, we were like yeah, sure, no worries. But at the end of the day, we got pinged in our shop for over the course of a couple of days, about $1,200. A couple of the other shops, which different kinds of shops that sell very unique products that are quite expensive, got done for a lot more than that. And it was really interesting to see during that timeframe where COVID was changing behaviours, and you had to be flexible to help customers shopping and get what they need, that we were taking advantage of a number of times through fraudulent activity related to credit cards. And one of the other stores in particular with a lot of online ordering had lots and lots of products to the tune of about $5,500 ordered. But because we'd already had this issue, we’re able to come down and go what do you reckon? So I became the kind of the resident cyber advisor on the strip for a small period of time, and probably saved a couple of us from a shops point of view having any more damage done than the original, you know, couple of grand.
CP: Adding trust and safety to your suite of skills in the bricks and mortar store! When you were with us in Episode 46, we talked a lot about well, a dedicated episode to operating models. What do you see now in relation to how security functions are operating? Are you seeing new trends? Is it kind of status quo? Are we ever going to get to the enterprise wide security operating model where it's not just to focus on the CISO and their team? What's been your observations on your return to the industry about how security operating models have shifted?
SM: Yeah, so I guess I've had the opportunity to work across a couple actually and quite large ones too. And what I'm finding is a lot of discussion and conversation around what they call converged security. So I don't know who coined the phrase, but certainly bringing in you know, privacy, physical security and now even talk around bringing in the concept of security resilience into the capability model for security as well. So there are a number of organisations out there looking at do they need a CISO, would they prefer to have a CSO, and then what is that CSO accountable for? What actually makes sense to bring together so that you do have that enterprise wide model that's got all of the relevant streams looking after the organisation. What I'm also seeing is a couple of organisations going through IT transformation. So I guess it's been ongoing for a while for others, but I'm starting to see a bit of catch up from those who have just sort of continued on the status quo, who now want to embrace more agile practices, or who want to adapt their ways of working or who want technology because they're becoming more of a technology company, bringing the Business and Technology closer together. So with that kind of IT transformation where you're seeing, for example, a, you know, a number of service domains being created that kind of bring in IT and the business together, that enterprise wide lens from a security point of view is really, really important to help all of those domains be successful. Because they start to take on the enterprise wide responsibility of how you ensure everything is secure or safe, or that data is well protected. But you need that lens over the top that says are you doing it well, and are you doing it in alignment to all the commitments we've got. But then also to whatever risk based approach that we want to take. And it's hard to put the cart before the horse. So some organisations have dived into ‘we need a new security operating model’. And we really want a CISO and we want to be able to see, you know, privacy and data protection and consulting services and physical security and all these things well aligned with, you know, cyber defence. But at the same time, IT is kind of lagging a bit, going yeah, yeah, but we're making change, and we want to change our op model. And the two really have to happen closely together. So what I'm finding is a bit of a pullback, I guess, on the levers around changing anything for security, until IT transformation has kicked off and is at least well defined around what they want to achieve and how close to the business they want to get. But so I guess so far as trends are concerned, it's definitely convergence. A lot more focus on partnering and looking at the role, third party play, third parties play in all of that. As partners, as creating one group, but then also keeping them honest from a third party security perspective. And then the talent stuff. So you know, once you know what your services are, once you know what your capabilities are, are the people in the seats, the right people to be delivering the outcomes? And in, I guess, an environment right now where it's really hard to attract and retain talent, what do you do to grow your people, grow your teams, or to convince those who are out in market to come in and enjoin you on this journey of what's going to be a bucketload of change? And where they're going to have to not only be able to do their BAU day to day, but work in that cultural and organisational pivot to whatever the organisation's going to look like in 12/18 months time. So it's interesting, there's a few different organisations doing different things and trying to figure out what they're going to look like moving forward.
CP: And the scary thing about all of that is that the statistics tell us that 75% of digital transformations fail. So while the security team is sitting back waiting for the IT team to make their bold moves and shift to the cloud, you know, the risk, you know, just rises. And there's a lot I guess that, a lot of trends that hopefully will be ironed out in the coming months, I suppose. But with every organisation going through their own journey, and I feel for all the security leaders out there who are trying to navigate that at the moment in a market, as you said, where it's really, really hard to get the people to fulfil the capabilities and services that you want to give to the organisation.
SM: Yeah, absolutely. It's going to be tough. And not only about the fact that digital transformations fail, they also introduce risk. So at the same time that a security team's waiting and doing their best from a BAU perspective, but may not necessarily be positioned in the best way around their services and capabilities and those going out into the business to support them. They're taking on more risk, because of the change that's going on around them. And potential loss of talent in other areas as things change. So it's a little bit of a what's the word, it's not diabolical, but it's certainly a bit of a cataclysm around wow, how do you how do you manage all of those aspects at the same time and all the new things that are coming in?
CP: Samm, it's always good to have you on the podcast. It's great to have you as part of The Security Collective and I'm sure this won't be the last time that we chat. Thank you so much for coming back to join us. I really appreciate you sharing your story about your sabbatical and how things have changed over the last couple of years for you and for the cyber industry.
SM: Thanks for having me. I really enjoyed the chat.