Cloud Reset – The Podcast | Episode 4: How Do You Know If You Are Over Or Underinvested In Security?

November 21 2024, by Cloud Reset | Category: Cloud Services
Cloud Reset – The Podcast | Episode 4: How Do You Know If You Are Over Or Underinvested In Security?

Show Resources:

Here are the resources we covered in the episode:

Follow Jono Staff on LinkedIn

Follow Naran McClung on LinkedIn

Cloud Reset’s YouTube Channel

Listen on Spotify

Listen on Apple Podcasts

Contact us at enquiries@macquariecloudservices.com with any questions, suggestions, or corrections!

A great no-cost way to support us: Rate/Review!

Episode Summary:

In this episode, Cloud Reset welcomes cybersecurity expert Jason Murrell, Chair of the Australian Cyber Network and Dynamic Standards International to discuss the evolving landscape of cybersecurity for Australian businesses, with a focus on SMBs and mid-market organisations. Jono, Naran and Jason unpack the importance of accessible and dynamic cybersecurity standards, practical strategies for managing cyber risks, and the challenges of insourcing versus outsourcing security operations.

Why you should tune in:

  • What the launch and significance of the SMB 1001 standard means for Australian SMBs.
  • Addressing anxiety in SMBs around cyber threats and creating cost-effective, accessible solutions.
  • The growing need for sovereign cybersecurity solutions to support Australian businesses.
  • Evaluating the insourcing vs outsourcing debate for security operations centres (SOC) and SIEMs.
  • Practical analogies to simplify cybersecurity for business leaders.
  • The role of dynamic standards in addressing emerging threats, including AI-driven cyber risks.

Episode Transcript:

All right, Jono, we are back. This is episode four, and this is the podcast where we get stuck into cost and risk. What else would we need to speak about? Nothing. Cause it can all be encapsulated in cost and risk.

That’s right. Cloud reset. Uh, welcome back to episode four. Welcome to our loyal listeners.

And, uh, and that’s why we’ve got a special guest today. And I think it’s going to be an interesting episode just for something different. Uh, we’ll probably talk about cybersecurity because, you know, who’s had enough of that. Don’t panic. We’re going to make it interesting and, uh, ask a few curly questions.

Absolutely. I don’t think we need to apologize to talk about security. It’s always a hot topic. So, uh, and I think our guest is really going to help us bring that to life. So let’s get rolling. Let’s get into it.

Okay. So we are here today with our special guest, Jason Murrell. Um, Jason brings to us two decades of experience in startups in the technology industry. He’s the chair of the Australian Cyber Network, and also The chair of the Dynamic Standards International. As the chair of the ACN, Jason leads a national effort to position Australia at the forefront of global cybersecurity through collaboration with us today, of course, innovation and advocacy.

Uh, he’s also a champion of, and the does, has created and promoted, sorry, the Affordable and effective cybersecurity standards that benefit businesses of all sizes with a strong focus on supporting SMBs. Jason, welcome to our podcast. Thank

you, mate. Uh, good to be with you. Last time we were recording, I think we were around an even bigger table, weren’t we?

Yes, we were. Yeah, so I think we had a few extra bodies around, but good to be with you and Jono today. So looking forward to this. Excellent. Thanks for coming. Thank you, mate.

Now, Jason, I think you, you travel around a lot, uh, and you speak from Brisbane to Sydney this morning. Exactly. Yep. So you are, you are in front of people all the time talking about this stuff.

What’s it like traveling around, being an advocate in your capacity, doing what you do? What, what’s that like? It’s give us a feel for, for you and what you’re doing.

Yeah, I think, uh, Australia is very different, like, you know, in all the markets. So I think, you know, we. and tend to, because the bigger cities are Melbourne and Sydney, that most people tend to focus there.

But it’s the nuance of the differences between each state is, is quite stark. Like, you know, somewhere like I was in Perth last week, Perth, completely different market. You know, they’re having a, again, a mining boom over there and, and the needs and the wants and the money that’s floating through there, you know, with the large mining companies, they’re actually able to afford really big cyber teams.

Right. Unlike a lot of other, Markets around where people are tidying the belt. You go somewhere like Tassie, completely unique in a lot of ways. Um, and, and Darwin where I was last week as well. So, uh, and then you got Adelaide is sort of moving more towards space cyber in a lot of ways as well, you know, so each city has something a bit different, you know, North Queensland, again, different to being in Brisbane yesterday.

So, uh, we have a very unique country. And then obviously Canberra being very, you know, sort of government centric. I think in the country here, we have one in five people actually work or linked directly to government, either at a state or federal level. I think Elon Musk is trying to clean that up over in the U.S..

At the moment. He might want to come over here and do a follow up. You’ve gone straight there. It took us three minutes to get into that. Well, you said you wanted to make it interesting. Let’s go. Let’s, let’s, let’s hook it up. I’m ready. Yeah.

Fabulous. Well, look, we’re stoked to have you here. Um, and we’re going to get into it.

Yeah, let’s go. I think, um, look, we always start the show with a bit of a, an industry insight. current events, you know, this sort of thing. And I think there’s, uh, there’s some interesting topics that Jason in your capacity, you’re probably uniquely positioned to offer us some, some commentary. Um, earlier this year, uh, the standard SMB 1001 was launched.

Uh, that’s a cyber standard that’s targeting specifically Australian mid sized businesses. And I know, uh, offline you and I and Nara were discussing. Uh, what that is and why it’s important. Um, it is a new standard, but I think, uh, I think it’s going to help us get some real cut through and make a difference, uh, to help Australian businesses protect themselves from cyber threats.

Look, there’s a lot of new legislation, compliance legislation. Uh, maybe we can just start off with why do we need a new standard in this market in Australia when it comes to cyber security?

Yeah. Um, that’s multi framed, you know, that question really the, the fact is that, you know, 98. 3 percent of businesses in Australia are classed as SMB, which is, you know, 20 or less staff.

Now, it only ticks up to 99 if you add that up to 200 or so staff. So that’s a, that’s a big chunk of the market. So backbone of this country and not just Australia. So we started here, it was called Cyber Certification in Australia, you know, like when we first started. Um, but, and we were doing it really in alignment with what the government here in Australia was looking to do.

So when Claire O’Neill was the minister here, I remember she was looking to do a, a cyber health check, you know, for small business. So you need to tailor it pretty specifically. It’s a different need to what we look at and see when we look at the top end of town, you know, with banks and critical infrastructure where the Sokiak sort of has focused.

Um, so basically what, what happened with that framework, you know, with Peter Maynard and Ryan Coe and the team is we basically said, you know, we Let’s look at the best standards around the world and take out almost that pre dose principle, that sort of 80 20, you know, principle of what’s the best bang for buck for business.

Where can you start at a bronze, silver and gold level and give them something that they can be handheld with an MSP or an MSSP to get up to the standard as, as required. Um, so, you know, ultimately the goal is if you want to go black belt, you can end up at ISO 27001. But it is a mix of the best parts like NIST, you know, the Essential Aid, all those other frameworks which come in.

So we were looking local to start with, Jono, and then to your question there, we’ve gone international as of November 1, uh, 2024. So it’s now Dynamic Standards International as an international standard, and we’ve had a lot of interest from around the world since, uh, since launching.

Would you, if you were to say, Do a temperature check on SMB in Australia.

Would you say that there’s, there’s a degree of anxiety and apprehension around threats? Because obviously security is a hot topic. We know that our audience, for example, are always eager to hear from us. We’re obviously a SOC provider. So this will always be a hot topic, at least in our customer base, but within SMB particularly.

Uh, and to your point, if you’ve, um, allowed, provided for a consolidated position as you have, um, to make the guidance perhaps more digestible, is that in the face of real anxiety and perhaps some apprehension in the SMB world around

cyber and cyber threats? Definitely. They just don’t know where to start.

Right. Right. So, you know, we talk about even the basics that the government tried to launch early this year with. Act now stay secure, which was, you know, pass phrases, multi factor authentication updates when available. Now, most businesses don’t even have that as a baseline to come into, right? Uh, let alone what you actually need and the sort of software.

You know, services you guys offer, right? You know, so, uh, sock ideally, you know, is, is where, you know, you’d want to be, you know, and that’s what we, we look to attain and we want to get people to, but you’ve got to start somewhere, you know, you can’t build a house or put the roof on without the foundation.

And I think a lot of businesses get into business often accidentally. They realise I need to do a business name. I need to, you know, register for GST and, and. They’re the parts that they get guided in, but cybersecurity is still fairly new and businesses don’t know where they start. And then they just plug their computer straight in, start interacting with the rest of the world and start collecting people’s personal identifiable information.

And, you know, and their systems are wide open to attacks, you know, and, and the quickest way to get out of business is, you know, the strike rate is pretty low. I think 80 percent of businesses go out of business in the first five years. Right. Right. You throw on top, you get a cyber attack. I can bring that on a lot quicker because, you know, you can stuff up an order or, you know, not pay your GST and, and there’s consequences.

But if a cyber criminal gets into your business and wipes out your bank account, that can be game over.

Yeah. Look, so important. And, um, I think that’s right. You know, Australia is a unique market, something that Narin and I grapple with, uh, out there, you know, speaking to customers in the mid market, you know, SMB and up into mid market.

A lot of the, um, leading technology vendors in this space are based out in North America. And I think, uh, their view of SMB. Is, is very different to, to ours, you know, where we’re a smaller market, it’s a little bit unique. Um, something that a lot of business leaders that I speak to struggle with is they go, you know, every time someone mentions the word cyber, I just cringe because, you know, I, I’m, there’s people with their hand out, you know, it’s like cyber equals, I’ve got to spend some money on something.

I’m not like, I feel like it’s important. There’s a lot of. Fear, uncertainty, and doubt thrown into how those products are positioned. They seem expensive. Um, I don’t even know what good looks like. You know, somebody told me I need to comply with ISO 27, 001, but then I looked into that and it’s a hundred grand just to get an audit.

Yeah. Um, you know, and I feel like maybe this standard is trying to get some cut through and bring some practical, uh, practical things. That those organisations can do to be secure that might not even cost a lot of money. It’s exactly that, right? The thing

is that I think if you have a sort of third party that sort of says Here’s something that you can actually fill in and with, you can be handheld by your MSP or MSSP to go through that process.

And at the end of it, we can almost do a diagnostic and see where your holes are, you know, and we’re looking across all industry then, you know, like it’s, I think an MSP or an MSSP’s hardest point is exactly that. They think they’re just being sold to, right. And we all got to live, we all got to make money.

And I think generally speaking, most MSPs or most businesses are actually trying to help the customer. And they will be looking for, well actually you don’t need that, that’s overlap, you’re sort of, you’re paying double here, you don’t need that sort of thing. I think the SMB 1001, what it does is it sort of says, it’s not us saying it, it’s this sort of third party framework that you’ve filled in, and from that we can see here’s where the holes are.

You then can have a sit down conversation with them and say, okay, let’s have a look at what your budget is. And then we can really recommend what your biggest bang for buck is. So we can say, let’s focus, especially in year one, if you only got that budget, on this part. This is key. This is critical. We need to fix that up.

And then in years two and three, maybe we can roll out and look at these other things. And you’ve got a guidepost then. And being a dynamic standard, it means it changes year on year. You know, so, uh, unlike other standards that sort of sit stagnant sometimes for five or six years, this is a dynamic standard.

So as a steering committee, we’re always looking and saying, what are the new threats? AI, You guys probably wouldn’t have mentioned that in this show before, um, but, uh, you know, AI as, and what consequences that have on cybersecurity and how, how does the standard need to reflect that? So I think that helps everyone in the industry is saying that it’s not us.

So you, you feel this in, it’s almost like a doctor’s diagnostic, you know, how much you drink per week, what’s your blood pressure, all that sort of thing. You make recommendations based on samples that you’ve taken from the person themselves, and this will help with the business and suggestions.

Yeah, look, um, great conversation.

I think it’s, I think it’s definitely needed, right? Definitely, it is something that Australian business can anchor themselves to that’s relevant to them, independent. They don’t have to be speaking to five different organisations and be getting five different answers. You know, recommendations around what good looks like it’s, it’s really hard to navigate and it usually results in spending too much money or buying the wrong thing.

Yep. Um, so yeah, really, really important.

And I think John on that too, I think we need to really push sovereign, right? So Australian businesses, you know, to help out and assist there as well. I think, you know, part of what we’re doing with the Australian Cyber Network is to actually set up, we’ve got the assets for AU CyberScape, AU Cyber Explorer, that’ll be a place where people can go who are looking for solutions as well.

And they can get married up with the right sort of solutions providers as well and try and push sovereign first because you spoke about North America and other areas. Uh, that’s where most of the product tends to be bought and the government talks about buying sovereign solutions, but do they do it?

You know, and, and we need to find out that, that build that bridge between how does government procure sovereign solutions and how does sovereign solutions match up so they can actually jigsaw that together and actually make sure that matches. That’s not happening at the moment. That’s something we’ll look to do as well.

Australian buying Australian for Australians. It’s almost like the buy Australia, you know, like the logo. We’ll do a similar thing with the saga, right? And I think we can almost pie chart it on our, on our system to say how much is sovereign owned. So like, uh, you guys know, Jono and I, uh, Jono, I set up like cyberware and assisted with a business here in Australia.

That’s fully Australian owned Australian servers hosted here, Australian code base, everything like that. So you could say that’s a hundred percent Australian. And then when people are buying in the market, they can actually say that’s a hundred percent, you know, whereas other companies might have, uh, you know, share ownership and servers offshore and stuff like that.

People need to know that sort of stuff as well. If we’re really talking about proper sovereignty, we need to be clear with that. Yeah.

Super important. Look, uh, great conversation. We’ll be right back after this break.

All right. So we’re back. Now we’re going to get into the customer scenario here and I have to say, this is one that we come across quite often that we laid on you, right? You’re a new CISO, uh, you’re contemplating building a team. You’re formulating your own roadmap and vision and you’re trying to evaluate, do I need a SIEM?

Do I need one? Right? Is that a worthy investment? Uh, and then in addition to that, should we run this thing ourselves? Um, or should we outsource? Are you hearing this Jono? Uh,

all the time, right? This conversation is such a mixed bag. Bag, right? I think we’re even talking about this, um, this morning. I kind of see three types of, uh, call it levels of maturity or requirement out there in the market.

We’ve got an organisation who’s as you described, like, you know, we’ve made some investment in some security skills. There’s some acknowledgement that this is important to our business. And now we’re exploring, okay, how do we, how do we level up? Do we need a SOC? Do we need a SIEM? Um, log ingestion, you know, MDR, XDR, all of the acronyms.

Can we assume everybody knows what a SIEM is at this point?

Well, and do you guys kind of just say, do you get the SIEM versus EDR question or like, what’s the difference in?

Yeah, we, we get, we get a lot of those conversations. I think, you know, that’s a certain type of maturity level. These are organisations that probably have Figured out Essential 8 maturity level two, they know passwords are important.

You know, they’re on a journey to zero trust. They’ve got some things sorted out and now they want to level up. Right. Then we’ve got organisations who are already doing that. They did it. They bought in probably two or three years ago. They’re on their first, you know, refresh cycle. You know, is the tech still relevant?

Am I paying the right amount of money for that tech? Should I insource? Should I outsource? Can I do this better? Um, there, there’s those ones. And then there’s the ones who are going. Um, maybe I need to reconsider my tooling strategy, right? I’ve, I’ve been all in on this cyber thing. You know, we’ve had maybe two or three different people in charge over the last five years and, and they’re actually building up technical debt.

As it relates to cyber and they got a lot of disparate tools to now consolidations becoming important because it’s getting too expensive to stay one step ahead of the threats and everyone’s sort of cutting budgets or just not not expanding on that. That’s right.

So, so we kind of get, you know, I think a mixed bag.

Um, but obviously the specific scenario we’re talking about, you know, new size of building a team, do I insource, do I outsource all the time. all the time. I think it’s very, um, customer dependent. I’ve got some strong views on what you should probably do based on what I’ve seen. And I know you do too, Naran.

Um, love to talk it through. Like what are you seeing out there?

I think it’s a lot of responsibility on CISO shoulders here. And I think the hardest one, the hardest place to be a CISO is in Australia. It’s one of the ones where if you make a mistake, you’re gone. There is no, there’s no second chance. And I think Their teams, generally speaking, are pretty small.

Um, they’re often inheriting a team that’s already been there before. And it takes a while to find the right people and bring them in as well. So any support you can get externally, the good thing is if you get the external help is that they’re tapping into the rest of the market as well. Sometimes you’re only in your own environment and if you’re reliant just solely on yourself, uh, you can miss some stuff, right?

So if you can tap into external sources, then that actually gives you a broader range feedback from the rest of the market and what’s being seen. So. I think it helps to have some, some assistance. Well,

look, I think we’ve seen the guidance firm up on this thing. Like wasn’t that long ago, there was recommendations on central log management, and then that, that has now, um, matured to reference SIEMs specifically, I would say, hopefully most organisations know what a SIEM is, there’s various SIEMs out there in market.

So that is obviously a key decision when we talk about. insourcing or outsourcing, um, contemplating 24 by seven and what does minimum viable product look like for 24 by seven? Now I asked this question internally this morning. In fact, how many people do you need to run a 24 by seven service? And the answer I got back was seven.

Minimum of seven. Minimum of seven people. And imagine

we’re coming up to Christmas time as well. Now the biggest time to attack in Australia Right. Everyone knows we’re, uh, you know, Christmas, New Year, pretty much shut down. That’s right. And that’s when the businesses get attacked the most. So again, if you can rely or lean on someone that can give you that coverage outside your own team.

That’s right. There’s two key questions there. One, do I need a SIEM? Two, is 24 by seven important? Now, if I think about the incidents that our team manage, for example, that they’re busiest. At like one, two, three in the morning, they are busiest. Right. So I know what my answer would be to that, but this stuff has a cost attached to it.

I think, um, I think that’s right. You know, one of the strongest arguments for insourcing versus outsourcing. is do you actually have the budget to put together a dedicated model and do that 24 by 7 coverage properly? Like if that’s the direction that you’re going, and that’s what good looks like for you, gold, silver, bronze, ISO, or whatever standard you want to use.

But if that’s the direction that you’re going in, you know, seven people, we know that in our own business, we’ve been doing it for nearly 20 years, seven people minimum because of the shift patterns, you 24 by seven, people get sick, they need to take holidays, there’s weekends, people need to sleep. Um, do you have the budget for seven people now, uh, for most Australian business, especially, you know, we’re talking about Australia being unique, you know, it’s only really in the big scheme of things, a handful of businesses in Australia that actually employ more than 200 people.

Yep. Seven. That’s, that’s a lot. That’s a big investment. Shifting to a. outsource model or rather what I’d prefer to call it would be a co op model, you know, and leveraging, leveraging a pool of resources to help augment your, your team is hard to do numbers, isn’t it?

Right. Because if the, you know, if you do sales and marketing, it’s pretty easy.

I marketed, I’ve got this many leads, we make that many sales. It’s a pretty easy sell, right? But as a CISO, so talking to the CFO or the CEO and pitching that, If we get an attack, we could lose this much money. But what’s the chance of that happening? Pretty high, but how high really, you know, like, do I give this money out to try and protect the possibility of that happening?

And, and the only benefit of an attack for the market is that it actually scares the shit out of those sort of people. They’ll go do something. So when we had those high attacks that happened, you know, within, you know, sort of seven month period, Uh, that everyone knows about here in Australia, that, that actually got everyone on their toes for a while.

And then they actually started to look at it more seriously and saw the effect. It sort of dropped off again, right? You know, so, and now budgets are tight. We’re in a, you know, a tight budgetary sort of sense from a, from a business point of view. But it only takes an attack or a series of them to cause some real damage.

And the cost of that’s pretty high. So that, that overlap, that’s, that’s a, it’s a challenging thing. If you guys come up with the, uh, way you could do numbers on that, I’d be interested because that’s the, that’s a difficult part of the equivalent.

I would open that up to our audience. Here’s a, for anybody listening to this podcast and hopefully it’s all of Australia, but whoever’s listening, it’s a question.

How important is 24 by seven in your security strategy? We’d love to hear from you. Give us a message, give us a DM, something. Um, I’d love to know how important that is. Would it be important to you to. detect, detect an anomaly or a threat, um, before the start of business. Right. Before your team shows up at nine o’clock.

Yeah. Cause you do said those patterns are exactly as you said, early hours of the morning. Yeah. I know, you know, people are off duty or less likely to be alert. That’s, that’s a time of game.

That’s right. And to the question of SIEM. So, um, for businesses deciding, do I need a SIEM or can I live without a SIEM?

Perhaps I think, and you in part answered this prior, um, there may well be other investments that are more important before you land on, do I need a SIEM? Yeah. Getting the basics right.

But something you should be talking about early, like that’s, we go back a step when we talked about the SMB 1001. If you’ve got a roadmap where you want to be, sometimes if something happens, you can sort of move things forward or back, you know, dependent on that at least you’ve got a plan.

That’s right.

I think that saying that most people aim at nothing in life and hit it with tremendous accuracy is pretty accurate in cybersecurity. A lot of time, you know, people are only reactive to things happening rather than actually planning what they’re going to do. Yeah. And especially we talk about incident response, you know, a lot of people miss the boat there as well.

Yeah. Shuffling a bit of paper around the tables, not. An instant response plan.

We’ve talked about this before. Um, I think just thinking about cyber. Do you know what good looks like for your organisation? I think that’s critical.

And, and also your sector. Yes. Because I think it’s sector specific, a lot of this stuff to, you know, you can, you can say, you know, for, for you, but, and how do you compare to peers and other people are doing well in that, in that sector as well?

Yeah, I think that’s right. Um, that speaks to that question of, You know, am I over invested or under invested? What is actually the appropriate level of investment? This is something that the C suite grapples with, boards are grappling with, business owners are grappling with. I

use an analogy, right, it’s similar.

And I think if you talk to them, and what we use is, how do you protect your physical security? So at your business, what do you have in place? Do you have cameras? Do you have alarms? Do you have deadbolts? Do you have, so what level of security? Do you have passers to get in and out of the building? Now business is deciding when they’re doing that, how much we need to protect the physical aspects of our business.

Now transfer that to online. And I think you need to say, okay, well, how much risk are you willing to take or not take based on a budget and what you sort of think you should be protecting and sort of work it out from there. You know, so you’ve got to choose what your risk is. Some people like we always talk about the crown jewels.

What’s the main thing you want to protect? Now, often people are protecting stuff because it’s in their benefit from a financial sense, not because it’s protecting someone else’s data and stuff like that. Okay. They couldn’t care less about that, right? So there’s a balance on what the business is about and what they actually care about.

So intrinsically, it’s what the business actually gives a shit about is actually more key. Yeah,

really interesting. I think that that physical senior security analogy, um, is a nice one, you know, say, well, actually, if you can, if you can get your head around, um, the investments that you make on back to base alarms and, you know, security patrols or whatever it is, because you want to protect your inventory.

Or maybe you’ve been broken into before and you understand what that meant for your business. And so then that’s why you haven’t made these investments. Or a fire, you know,

like I’ve seen it, I’ve been made out of fire in his business, a 12 million cost, you know, and it was just massive warehouse full of stuff, you know.

a fire is like a cyber attack or something like that as well, right? You know, so you just, you got to try and cover it. And that was early hours of the morning. Yes. Now when they’d put it out, the fire brigade get there, but it’s well alight and it’s all over. I think that’s a good

practical advice, you know, for, um, any CISOs listening or even, you know, in a lot of businesses, it’s the IT guy.

Yeah. Who’s just trying to, you know, now this is on their plate as well. Yeah. Right. How do I tell a better story? Because I can see we need to go from here to here. Um, But, but actually telling the right story, having analogies, making it real for business owners to understand. We’ve got to

change the conversation.

So us talking here, we understand, you know, SIEMS and EDR and all that sort of stuff. But when these CISOs are having that conversation with the next level, whether it be the CFO, the CEO, they’ve got to put it in terms that they can relate to. I think too often they get stuck in the technical conversation.

So this is, this is why it’s important that if you give the basics of analogy and going back to that one we spoke about before, uh, when I spoke to the government, when they were doing that act now stay secure, I said, you’ve got to make like really a password manager. I think it’s better than passphrases.

Um, and we’ll say that’s a seatbelt and, you know, multifactor authentication is the airbags. And then, you know, the updates when available is like servicing your car, people understand cars. So I know seatbelt, if my seatbelt doesn’t work, the airbags there to take me. And then if I get my car service, I know the brakes are going to work and that the windscreen That’s how you sell a campaign, right?

To the Australian public. You don’t talk about get pass phrases, multi factor authentication updates. Yeah. What the fuck does that mean? You know, it’s a, to the average person, you might not be hitting Mark, but if you talk in those sorts of terms, they get it.

You’re bringing it back to the working man, Jase.

Yeah. Well, that’s what we’re here for. That’s fine.

Singlets are in our future on this podcast. I think it definitely could be. That’s what it’s all about. Straight talk, real solutions for our listeners out there. Think about some great analogies, you know, tell a good story, bring it to life that way. And, uh, look at, you know, some, some practical use cases and standards to figure out if you’re underinvested and over or overinvested.

And if 24 by seven is important to you, there’s a real life stat. Seven people you write back up. All

right, let’s rip in. We’re back with a subscriber question, right? Now this one’s, I’m actually I’m going to claim this question because I’m curious, Jason. That’s not how this is

supposed to work. Look, I’m

hijacking the show. I’m hijacking our guests. Um, and, uh, and it’s my perogative. Okay, so let’s go. Um, Jason, how did you become a LinkedIn top voice?

I think that complete accident, I got onto LinkedIn very early. I think when it first started, um, back, I think when I was doing start with whiskey and maybe the gold business or something like that. So well before I got cyber and I think then I, when we did sort of new domain and then into cyber aware, I started to sort of advertise a bit on there or sort of just talk about, so cyberware was about, uh, cyber education and phishing and stuff like that.

So it was good to sort of talk to the audience and, and educate. I think I sort of came from the educate rather than sell sort of part. Yeah. And I think it’s sort of just sort of flowed on from that. And then you just sort of pick up followers. And I think it’s over 32, 000, something like that. Followers now, you know, sort of, but they’ve, they’ve just come mainly from, I think I don’t try and sell stuff on there.

So I try to love the message that we’re talking about here, get the message out there. How can you help or give something to the audience that actually helps them? And then they’ll go reshare and stuff like that.

There’s a bit of a serious aspect to this, you know, I think, um, I think everybody’s, you know, interested in people who, who’ve built a bit of a profile and a following and, you know, social media is so important for getting messages out there.

But I feel like specifically within the security industry, um, we could all do well to tell better stories.

Yeah, a hundred percent. I think I’ve only really focused on, on LinkedIn, but. I really probably should. And I’ve sort of thought about this. I had some friends that do really well on um, Instagram. I got amazed at 75, 000 polls.

Another one did a faceless channel that got up to, it was sober renewal for people who were trying to get off alcohol or drugs or whatever. And it was a faceless channel. She’s over 200, 000 subscribers since the start of the year when she started, you know? So I think I’d love to get the message out, but I think it is from telling stories and from doing this.

So these sorts of things I’m always keen on because like some of the topics we’ve covered. Getting cutting through, right? So the, the getting the message, it’s a bit outside the norm, you know, and, and trying to say that paradigm shift would look at stuff a bit differently because what we’re doing is not working.

So if we keep doing it, it’s that definition of madness, do the same thing over and over and expect a different result. We need to shift it up a bit. And that’s what, you know, we’re trying to do with the Australian cyber network and with, you know, stuff I do with DSI and, and Murph and all the stuff I’m doing, each one is trying to basically move the needle on, on cybersecurity.

You’ve said something interesting there. Um, are we winning? Are we heading in the right? We’re not winning.

No, no, we’re near it. Like, I think we’re actually going backwards, although the figures in some ways, you know, Don’t show that I think it’s an underreporting issue rather than that it’s not happening.

Right? I think people are getting ransomware or there’s a sort of stigma and embarrassment. I think getting a cyber attack. Um, I was on 6PR last week over in Perth and the guy said he got one of those letters, you know, it says, Oh, we recorded you, you know, interfering with yourself and you know, we’ll try and blackmail them to get some money or something like that.

Uh, he says, I do that all the time. And if they’ve got that recording, that’s fine. You know, he’s not, no problem. You know, but some people might take that a bit more seriously. Right. Um, but, but you know, these things are happening all the time and people, I don’t think with AI now the targeting of that, it’s actually getting a lot better.
we don’t get the support in the back, I mean, it’s a not for profit. We’re doing, you know, so it’s not like, and we’re looking for charity status. I’m not going to make a lot of money. I make no money out of it at all, but if someone doesn’t try and do something and then nothing’s going to happen and you get the right sort of people following in, we’ll, we’ll be able to move it.

But yeah, doing what we’re doing now is not working.

Yep. Okay. Great conversation. Um, some really interesting insights there. Uh, and for all of our CISOs and IT leaders out there trying, trying to do better in cyber. Thanks a lot. Uh, telling great stories.

Yeah, I think, look, the size of Australia, I know a lot of them and they’re good friends.

They have a decent crack and they’re trying their best and they’ve got great teams and they build it up, but it’s, uh, you know, you’re pissing up against a strong breeze at the moment in Australia, so.

Oh, there you go. We’ll be right back after this.

Okay, we’ve got a whole new segment. Jono, We like this, right? So this is from the, the brains trust. That is our, our podcast architecture. Here we go. New segment. This is something that we’re going to ask every guest.

So you’re the first one look forward to this, Jason, here we go. So I’m going to ask you three questions.

Uh, these aren’t specifically related to security, but you can answer however you would like to. It’s your prerogative as our guest question. Number one, if you had to cut 20 percent from your budget, Tomorrow, where would you start?

20% of my a budget? Uh, I don’t, wouldn’t even have a clue. That’s, yeah, no clue.

Okay. No. What do you reckon, Jono? You’d have to have a budget

to cut in the first place. Is that right? That’s pretty much it, like, it’s

actually, you know, seriously, we are hand in, uh, hand in, you know, the hand in the hat out at the moment to try and get cash at the moment. So it’s like, I’d love to see some money coming in.

You know, like, so many startups I’ve done and it’s, I’m very frugal. I think I start with that. Every dollar is key. Uh, and I try and always like whether we started whiskey or the gold business or any of the business done, it’s that the value of dollars are key, right? So I start very frugally and even, you know, traveling around everything like that.

I’m always into the cheapest and best. And I think keep that in all facets of life. I think we always try to overextend in any, any part. Especially with cybersecurity, it’s that, again, I’ll go back to Preto’s principle, you know, like, go, go for where you’re going to get the biggest bang for buck. I think some people are spending money on stuff they just don’t need or don’t do. A hundred percent.

It’s a core pillar of our service. It relates to both security and cloud. Quite often, um, we have to find savings to generate the interest in new projects and initiatives. It’s on us. It’s a prerogative that we take on as a service provider. Um, and you can get

25 or 30 percent savings from most, if we’re talking cybersecurity, when I’ve looked at most businesses and I’ve done stuff internally and looked at stuff, You can pretty much cut 25, 30 pretty easily without too much effort.

That’s right. Security, particularly like consolidation of products, going back to the value of the ecosystem, Jono, many of our customers don’t realise the capabilities that they’ve invested in, particularly as it relates to Microsoft products. We bring that to life. Microsoft’s a classic, right? Yeah.

That’s, that’s what it. There’s so much in there now that some people are paying for separate products, which is actually covered within there. That’s right. That’s

exactly where I was going to go with this. You know, as it relates to cyber, um, I don’t know if you wanted to talk about my household budget now or no, I don’t want to go there.

I don’t know what I’d cut it for 20%, but you know, some different people. I probably wouldn’t ask you that question. But, um, as it relates specifically to cyber. Yeah. Tool consolidation. Sure. Right. Most of the organisations I’m out there don’t actually realise they’ve already bought stuff that’s overlapping with other stuff.

Sometimes three times, four times. That’s right. Yeah.

And you know, I go in and go, Oh man, you know, you classic, a classic on
Uh, the amount of data that’s out there from Australia, we’ve got the most personal identifiable information per capita out there than anyone due to Optus and Latitude and Medibank and all that sort of stuff. So there’s a lot of information out there about Australians. We are very targeted. Yeah.

perceived as being a wealthy country as well. So all these things together make us a prime target, you know, to focus on, but I think it’s under reporting. So if you do see, if you read the ASD report, you see there’s a slight drop from the ACSC numbers of report. How is that when the attacks are going from eight, uh, every eight minutes to every six minutes, how is it increasing in attacks, but we’re getting a drop in numbers?

It just doesn’t equate. So I think it’s under reporting issue. So we’re not winning, not close.

Wow. Um, that’s a sobering statement. And I think, uh, I think one that’s, that’s pretty interesting.

Well, we want to fix it. That’s why I’m doing what I’m doing. I’ve really, in my, in my own head, given it two or three years to try and crack the nutters best I can ever crack.

But if e is, um, They’re on E5 and they’re not using Defender and they’ve bought three other endpoint protection tools because just reasons, you know, a guy who left bought it and it’s still there.

So that’s the legacy stuff. I would be attacking that technical debt as well. Good,
good answer for somebody who said he didn’t have an answer, Jason. You came up with one.
All right. Question number two. Here we go. What is the one piece of advice that you would offer for attracting the smartest talent to your team?

Uh, everyone’s smarter than me, so that’s not hard. Uh, I just have to hire anyone. Um, no, but I think you really hire where you’re weak. So really stick to your strengths. I think a lot of people say, okay. Focus on your weaknesses, but I think get your strengths even stronger and then hire people that actually cover the stuff that you’re really shit house at, whether that be, you know, whether it’s numbers or whatever the case is, uh, any aspect, you know, whether it’s data, you know, just get people that love doing what you hate doing and just hire those people. Hmm.

Okay, cool. Question number three, when you’re evaluating a prospective partner. How do you spot the red flags that tell you they’re not the real deal?

Uh, that’s been experience. I fucked up a lot early on. Right. I got really rodged over pretty badly in a few businesses. And I think, uh, I, I find it’s in your trusted network.

So it’s people that you trust as well, actually referring people to you, uh, just hiring someone unknown is a difficult thing. And I just find that I hire people that I know or know through people. That I know and trust that I actually get people that way, I think is the best way.

I agree with that completely.

We take advantage of that, Jono, right? So happy customers talking to other customers in the same vertical. Like you asked before we came in,

you said, Oh, do you know someone who, you know, the role that you’re also looking at? Correct. That’s what I do as well. So I like, Naran, I’d say, okay, I’m looking for this, can you help me with that? And then I know that if they’re referring them, it’s usually a pretty decent person.

Yeah, I think referrals are pretty important. Um, it’s interesting, not every new customer that we deal with. wants a referral, they may have, although, although most of the time they have had some experience or trust somebody who’s dealt with us before.

Yep. Right. They’ve probably already done that due diligence before they come to us. So. Um, referrals are a pretty powerful way of, of, of vetting and like the tracks like,

or you sort of hang in the same circles, right? So you find that if they’re dodgy, they usually hang around together. And if they’re usually pretty decent, they’ll hang around with each other as well. So, you know, that’s usually a good guide. All right. Very good.

All right. Thanks for listening in everyone. If you’ve enjoyed the show, then don’t forget to subscribe to Cloud Reset on Spotify, Apple podcasts or YouTube. And of course, follow us on LinkedIn. So you never miss an episode until next time. Stay tuned.

We drop a new episode every two weeks and we have more special guests to come. That was Cloud Reset. Straight talk. Real solutions.


Cloud Reset

About the author.

Cloud Reset is the podcast where no-nonsense meets cloud strategy. Hosted by Jono Staff and Naran McClung from Macquarie Cloud Services, it’s all about cutting through the noise with straight talk and real solutions for IT leaders. With decades of experience on both client and vendor sides, Jono and Naran arm listeners with strategies to save costs, reduce risk, and maximise cloud ROI.

See all articles by this author

Get in touch.

1800 004 943 +61 2 8221 7003

Enquiry Sent.

Thank you for contacting us. Our specialists will get back to you shortly.

From the Blogs.

Cloud Reset – The Podcast | Episode 6:...

Show Resources: Here are the resources we covered in the episode: Follow Jono Staff on LinkedIn Follow Naran McClung on LinkedIn Cloud Reset...

Read More

Cloud Reset – The Podcast | Episode 5:...

Show Resources: Here are the resources we covered in the episode: Follow Jono Staff on LinkedIn Follow Naran McClung on LinkedIn Cloud Reset...

Read More

The AI compute crunch: How MSPs and hybr...

Artificial intelligence (AI) is transforming the way businesses operate. It’s driving smarter customer experiences, creating new efficienc...

Read More