Episode #80 Leading with culture with Dan Maslin


It has been several years since Dan Maslin last joined Claire on the podcast.  Dan shares what has changed since their last chat, they discuss cybersecurity awareness, the benefits of a deputy security leader, and the Security of Critical Infrastructure Bill.

Dan Maslin is the CISO for Monash University, the largest university in Australia. In addition to 20+ years enterprise IT experience, Dan is committed to playing an active role in the cyber security community, participating as a volunteer Executive Advisory Board member with AISA, Executive Advisory Board Member for Cyber with Deakin University and is an Industry Advisor with CyRise. Dan is a Fellow of the Australian Information Security Association (FAISA), a Graduate of the Australian Institute of Company Directors (GAICD) and holds the CISSP, CISM & CRISC security certifications.

Links:

Dan LinkedIn

Episode #14: From Security Architecture to Senior Leadership with Dan Maslin


Transcript

CP: Hello, and welcome to The Security Collective podcast. I'm your host Claire Pales and today we welcome back Dan Maslin. We first met Dan way back in episode 14. Dan, it's great to have you back on the podcast today.

DM: Hi Claire. It's been a couple of years, so thank you again.

CP: Pleasure, it's good to have you. And this season, we're asking guests what's changed since they were last with me in the studio, so to speak. So for you, what would be the three major changes you've seen in cyber since you were last on the podcast way back in episode 14?

DM: Yes, I think there was already focus on cybersecurity back then, it was a couple of years ago. But there's definitely a lot more focus now and it's coming from a lot of different angles. So there's a lot more in the media around cybersecurity, we've got a lot more focus from boards and governance groups on cybersecurity. Governments are talking about cybersecurity a lot more, as well as regulators. So there's definitely a lot more focus on cybersecurity, from all aspects. Also seeing collaboration, so a lot more collaboration within industries. And more broadly, I guess, across the whole spectrum of the cybersecurity profession, and real recognition that we're all broadly facing the same problem. So I think there's a bit of recognition that, you know, together we're stronger, and people are happy to collaborate a lot more, whether that's informally or in more formalised groups. I think, as well, the impact of incidents is much more significant and frequent as well. So, for example, ransomware events, you know, most days you'd see something in the news around an organisation that's impacted by ransomware. And those incidents, they're much more frequent. And they're much more significant in terms of impact. I think probably the other thing that's front of mind for me is around, it's a lot harder these days to find and retain talent at all levels of experience. So I think related to that, as well, compared to a couple of years ago, salaries are steadily rising, as well as probably stress and burnout levels at all levels of experience as well.

CP: Yeah, I have definitely seen salaries skyrocketing, and the number of organisations just grappling to get really great staff into roles and the right people into the right roles as well. I mean, it's, as you said, it's that rising recognition of cyber and it's in the press, and more and more companies are experiencing it. And with some of the leaders that I speak to, what they're most concerned about is that uptick in ransomware. And what we're seeing in phishing as well, how do you think this growing threat should be addressed when it comes to things like security awareness and influence? Because as an organisation, everybody panics and goes out and hires more cyber security staff or tries to? Is there more that an organisation can be doing around awareness and influence so that there's more going on across the employee community and not just the cyber team?

DM: Yeah, I think looking at some of the data particularly, so let’s say with ransomware. In many, many cases, the vast majority, it’s back to hygiene practices. So it’s around, you know, patching vulnerabilities, ensuring there’s not misconfigurations. And they’re often the major entry points for ransomware. So when we’re looking at awareness and influence, I think there is still a need for a lot of that to focus on the tech teams and making sure that the skills are there and the knowledge is there to ensure, to put it simply, that patches are being applied and configurations are hardened. And I think we really need to focus around setting expectations for remediation and supporting those teams to make sure that there are no blockers. So supporting the IT teams and supporting the technical teams, setting expectations and ensuring that we can have that basic level of hygiene. And I think, you know, a CISO role, for example, plays a key part in that in terms of clearing the road. So clearing those roadblocks and making sure that the IT teams can do those jobs and there’s no excuse for not applying a patch or no excuse for having a poor configuration of a web server, or whatever it is. So I think yeah, that there is awareness. But I think from a general staff awareness perspective, we’re probably doing okay in most organisations. There are obviously the outliers, but most organisations would have a fairly decent awareness programme these days. One of the next steps on the awareness journey, though, I think as boards become more aware of cybersecurity, they become more comfortable with metrics and questioning the data that they’re given over the next few years, I think they’re probably going to start probing and expecting management to be a bit more harsh on non-compliance with that data.

So for example, if we have people in the organisation that are constantly failing phishing simulations, and we’ve got really, really bad pass rates in phishing simulations, maybe they’re going to expect management to do more about it. So what are the repercussions for them? Are they going to cut them off from using IT, as a risk to the organisation? So I think from the top, there will be expectations that management will be doing a lot more to protect the environment. So I guess you know, the analogy there might be that people need to have a driver’s licence to drive on the road, they need to take a test, they need to show they understand the risks and the rules on the road. And I think there’s going to be that expectation from governance groups, that they are providing a level of protection for the environment against misuse, or people that haven’t passed a test, that don’t understand the risks and the rules of using that environment.

CP: It's a really interesting topic, because there's always been talk about how there's not necessarily enough consequence when it comes to the people who might cause a cyber security incident in an organisation. And most people are not malicious in clicking on that link or downloading that attachment or, you know, putting in that USB stick. They're just doing their jobs. But for the people who are blatantly going around process or, you know, using shadow IT or those types of things, there are security leaders and non-security leaders that feel that the repercussions should be greater and that people should be made an example of. I don't know, do you, have you got an opinion?

DM: Yeah, I think it’s a balancing act of supporting people. So we’ve got to play a role in educating people to be able to identify the risks and know what’s the right thing to do. You know, very similar again, to, you know, driving a car. You’ve got a driving instructor that teaches you how to be safe on the road, you then pass a test and you get your licence. So, you know, we’ve got a responsibility there to try and influence people to make sure they are less of a risk from a technology user perspective. But then I think at some point, there does need to be consequences, particularly for those that blatantly ignore the rules, the rules of the road. That’s what happens if you ignore the rules of the organisation’s IT and the lanes that we expect you to stay in, then I think there does need to be consequences. Whether that’s cutting them off, or whether there’s some sort of other reprimand. But I think the expectation will be there, that something’s enforced, and those risky users are dealt with accordingly.

CP: I'm interested to know whether or not you think different organisations need different types of security policy structures, frameworks. And last time we met you were actually just finishing up in your role at RACV. And now you're well and truly settled into Monash a couple of years later. What's different about managing security teams in different sectors, because obviously, RACV is a very different industry sector to what education and academia is. Is there a difference in how you secure those types of organisations and the mindset shift as a CISO?

DM: With any change between industries, there’s a lot of transferable skills as a CISO, let’s say 80% is transferable. But the rest is really around business and understanding the strategy, how they operate, who the key stakeholders are. And in a large university, it’s probably a six month process to really understand what the organisation does and what the priorities are. And that’s going to be the same whatever organisation you’re moving into. So I think both my skills are transferable, I guess, between the different industries. You know, previously, it was in a membership and insurance industry. Now obviously, in a university, it is more collaborative. And not to say that insurance or membership areas aren’t collaborative, but, you know, within Australia, there’s roughly 40 universities and a number of industry groups as well. So it’s a lot more organised, the collaboration is a lot more organised. So it’s easy for me to meet other CISOs because there’s regular groups that are organised. And the relationships between those organisations have been in place for many years, you know, many decades probably. So it is a lot more organised, the collaboration, and people are comfortable in sharing. Probably the biggest difference in the industry and how they approach everything from risk to frameworks, policies, procedures, is that at a university it’s a lot more of a balancing act. So a university by nature is open and collaborative. Shares research and shares education, that’s fundamental to a university. But we also do a lot of research that is sensitive. So defence research, medical research. To operate, we need technology these days, obviously, with the last couple of years, almost everything’s remote, including research, including teaching, but also exams and all that sort of stuff. And so we need to balance that openness, collaboration with the risk to technology, and we simply can’t operate without that technology now. So it is a lot more of a balancing act. I think a lot of other industries are less open and less collaborative by nature.

CP: And where you are now you've got a much bigger team than previously. And from a structure perspective, you recently created a new deputy CISO role. Tell me about how a role like that's come about and what you are hoping to achieve by building that out into your model. 

DM: For a number of reasons here but I think to start with, I think it’s probably in the best interest of the organisation to have that continuity. And what I mean by that is having a succession plan for the CISO, whether it’s me or somebody else. And, you know, it’s not like I’m going to leave anytime soon, I love working at Monash, but you know, from their perspective, they need continuity. So you know, whether I’m hit by a bus or I win Tattslotto or just want to take, you know, a long holiday, whatever it is, there’s going to be someone that’s there and is kind of up to speed with what the CISO is doing, they can step in. And, you know, these days everyone wants a bit of the CISO’s time and it’s important, you’ve got a lot of stakeholders, a lot of executive and governance groups that you report to, and they really want a lot of the CISO’s time, and you can’t always give it to them. So it’s important to have someone that’s clearly a senior leader within the team to go and have discussions with them, have relationships with stakeholders, have some delegated accountability and decision making power, and give that role. Whether it’s the deputy, assistant, whatever the actual title is, give them that ability to own and run with that and make the decisions. There’s that component, there’s a development path as well. So I think for an aspiring CISO, like clearly the person in the role now and the person/people in the role in future, probably their next step is going to be the CISO, whether it’s in this organisation or elsewhere. So I think it’s an important part of someone’s development, and being able to ease them into the role and understand really what a CISO does. It’s something I do for all of my direct reports, so have, I guess, a bit of a succession plan for each of them. So I think it’s a really mature discussion to have, that I may not be here forever.

And I still think in the best interest of the organisation, we need someone that’s sort of warm and ready to go into the role, whether it’s for the long term or the short term. Whether they’re filling in for a holiday or some period of extended leave. I was having a think about this the other day and, you know, I’ve seen, I mentioned earlier, a lot of burnout in the last two or three years. Particularly from CISOs, and some really, really good CISOs that you think would really be able to deal with the day to day stuff. And there’s been a lot of pressure, and coming from all angles. And I guess the CISO role is quite lonely and sort of being at the top of the team, you’re the only one that has the wide view of everything that’s happening. I think a lot of other parts of the team can be siloed, and you know, security operations may not be across what’s happening in the risk and compliance area, for example. But as a CISO, you’re sitting across it all, and it’s quite a broad portfolio. So I think if you have someone you can lean on and share some of that workload, I think that’s quite important as well. And reflecting on some of those peers that I’ve seen that are heading down the burnout path, I think in their cases they may have been able to, if they had someone there to assist them, and a solid deputy to lean on, potentially it could have been avoided, or they could share the workload a lot more. So I think there’s that aspect to it as well.

CP: Obviously, if every organisation gets a deputy, it's going to put me as an interim CISO out of a job. So I don't know that I recommend every business does that! But I am interested in the background of the type of people that you think might be a good deputy CISO. Or is it not about that, and is it more about where that person's coming from in terms of their leadership skills, the culture fit, the, you know, do they need a technical background? Or, you know, do they need a GRC background? What for you is the right set of skills for a deputy to sort of sit by your side and learn the ropes and be able to then step in for you at any given time?

DM: I’d probably say there are 2 or most probably 3 key things actually, around people leadership. So it’s very important to have someone that’s got the right people leadership skills and be able to create a positive culture in the team. I think that’s probably more important than anything. Someone that has a bit of vision, in terms of not just dealing with day to day activities, but someone that can say, we are here today, and this is where we want to be in two or three years’ time, and be able to sort of move that into a plan. And someone that’s able to have good stakeholder relationships. So they’re going to represent the team, they’re going to represent the CISO, so be able to really have mature discussions with key stakeholders across the organisation. So doesn’t need to be overly technical. Could be really technical. I think that depends on the background. You’re always going to get people with a varied background, but I think you’re sort of looking for more of those attributes around leadership, relationships and vision.

CP: And I think on your point just around burnout, Samm MacLeod is on this season. She's come back again to talk about her burnout in the industry, which actually occurred long before COVID, and before everybody was sort of under this additional pressure. And we've had obviously, Graham Cowan on the podcast before talking about R U OK? Day and just burn out across the community, not just in cyber. But certainly the idea that you have somebody there, sharing that load just makes a lot of sense. And I hope for lots of organisations they have an opportunity to do that. Because I think many organisations can't get necessarily, as we were talking about earlier, enough security staff and so the pressure on the ones that are there can be incredible.

DM: Yeah, absolutely. Yeah, I think it's, again, if you've got it structured right, where they're delegated, and they've got a clear role, a senior role in the team. If you're dealing with multiple priorities, at the same time, you can delegate big pieces of work, and they can be accountable for that and help you deal with the amount of work that you've got on your plate.

CP: I want to finish up by just quickly talking about the Security of Critical Infrastructure Bill, because it now lists universities as part of critical infrastructure. And, you know, whereas before, it was very much focused on, I guess, more of a utility group of industries, what does this mean for universities? And how can universities approach cyber in the coming years? Is this going to change things? And obviously, the Bill got through the lower house just a couple of weeks ago. So what's going to shift for universities in general do you think?

DM: Yeah, it's quite topical. And again, this is something we talk about a lot in the industry groups that we have, it is quite collaborative and it is a big topic. And just for context, for those that aren't familiar with universities, so you might wonder why we come under critical infrastructure. You know, it's quite obvious why the energy sector or defence sector would come under critical infrastructure. But universities, you know, they're typically thought of as education providers, but a lot of them are heavy into research. So it depends on the institutes, and some are really research heavy, and some aren't so much. But a lot of the big universities in Australia do actually do a lot of research that is of national significance. So it might be COVID research, or it might be defence research, there are a lot of organisations, a lot of entities that are doing defence research within universities. So it's important that, you know, the right steps are taken to protect that research. So I think at a high level universities need to be organised and structured in how they approach protecting their environment. So for those who don't have a forward looking plan to mitigate the risk, and most do, that would need to be developed. But I think probably the biggest change that's going to come for universities, and it's happening in our industry, and it's happening in other industries as well, is around the culture change. So where cyber risk continues to move outside of the IT department. So in a university's case around critical infrastructure, it's going to mean that asset owners, which are in our case actual researchers or research platform owners, are actually going to be having government mandated security obligations that they need to meet. So again, it's that shifting of accountabilities outside of the IT department to distributed parts of the organisation. So it's a big culture change. Again, it's not just specific to universities. But yeah, it's happening in our industry, it's happening in other industries as well. So I think it'll drive a lot of that change and make people accountable for security of certain assets that previously they may not have considered so critical. But through the lens of critical infrastructure, and through national significance, through that lens, it is quite important to protect those assets.

CP: And I love the idea that you lead with culture and not with "well, it just means we're going to have to lock things down more and, you know, put more tech in". It really is about how people behave with data and how that accountability piece is incredibly important, and obviously now with legislation coming, it just puts it through a whole new lens.

DM: Yeah, absolutely. I think yeah, it does. It does go back to what we were talking about earlier. And that’s around collaboration. And universities need to be open, collaborate, sharing of ideas, sharing of information. But now there are just some reasonably sensible obligations on those assets for protection now as well.

CP: Dan, it's been awesome to have you back. Thank you so much for returning to The Security Collective today. And we'll pop some notes in the show notes about a few of the things that we talked about. But for now, thank you, and hopefully we see you again.

DM: Thanks for having me Claire.

Previous

Episode #81 Should the cyber sector be considered critical infrastructure? with Michelle Price

Next

Episode #79 Making the cyber sector redundant with Nick Ellsmore