Michael van Rooyen:
0:01
My interview today was so interesting we had to break it into two parts. Here’s part one of that interview.
Darren Hopkins:
0:09
A negotiator will come up and say look, we’ve had 120 interactions with this threat actor and we’ve facilitated more than 100 payments and not once have they gone back on their word. Not once have they leaked the data if they said they weren’t going to. Not once have they not shown a video of them deleting the information. Not once have they re-extorted. So therefore, they’re 100% honest as a criminal and their business model is that the moment they deviate from that, their business model fails, because if it was a 50-50 chance, you’re not going to risk it unless you’re absolutely desperate.
Michael van Rooyen:
0:39
Today I have the pleasure of having a chat with Darren Hopkins, who’s a partner at McGrathNicol. McGrathNicol specializes in all sorts of things that Darren will talk about, particularly around forensics and computer related crimes and incidents and advisory and all things around cyber. Darren is well known in the industry for the work he does. Darren, welcome to the podcast. Thanks very much, looking forward to it. Yeah, great, and before we start, do you mind just talking a little bit about your career journey and particularly how you transitioned from working in forensics, computer examination, from your history at the Queensland Police Service into becoming a partner at McGrathNicol?
Darren Hopkins:
1:18
Yeah, no problem. Look, I actually didn’t intend to be in the career I ended up in at all. I did an IT degree and I started doing software engineering and realised I’m a pretty rubbish coder and not something I enjoyed. So I stayed on and did a second major in information management and I thought, yeah, I can do this, that’ll be fine. Like most good students when they finish uni, I wanted to do some travel. I promised my mum I’d apply for at least one job before I disappeared and unfortunately I got that job and it was at Queensland Police. And it just happened that the person who was interviewing me was an alumni from the university who I used to see around all the time, so he didn’t want to work with someone that he didn’t know and that just worked for me. And I never got to travel and I started my first job in Queensland Police actually doing IT.
Darren Hopkins:
2:01
I was actually helping run a network and do all the things that you would normally expect to do in technology. I worked out very quickly that the major problem any IT professional has to deal with is the issue between the keyboard and the chair, which is the person, and it was just the right place at the right time. The year I started they created what they called the Forensic Computer Examination Unit, Queensland Police, which was, I guess, the start of what ended up becoming a computer crime and digital forensics capability, and at the time there was really only Victorian Police and Queensland Police that had a capability and then we saw the other services start. I was the young IT guy in the right area, which was crime operations. That’s where I, supporting this, was part of fraud squad, got moved into this unit, did some training and then over time just sort of got the experience of understanding what investigations into digital forensics was and really back then we were creating the industry. There wasn’t frameworks or methodologies or really even tools back then to do these things. We were relying on traditional tools to do the things and a lot of it was understanding the real underlying technologies to enable things.
Darren Hopkins:
3:12
I did that for a few years and I was working in areas such as organized crime.
Darren Hopkins:
3:18
I did a bit of work with the drug squad, fraud squad. Towards the end of that part of my career, I started doing a lot of work with what ended up being Task Force Argos, which was part of the crime ops, which was dealing with organized pedophilia and child abuse and those issues, and my last two years was effectively looking for perpetrators online and other places, trying to track them down and identify and bring them through to courts and hopefully beyond that, to protect our kids. So that was a pretty important part of that end of the career. Then I got asked if I would leave police and start a similar capability with one of the big four, KPMG at the time, and we helped create a digital forensics capability there, did that for a while and seven and a half years at KPMG. I then got the opportunity to do the same thing at McGrathNicol, so effectively had three jobs in my life and all three have been a bit of a startup and I’m still here 19 years in.
Michael van Rooyen:
4:14
Wow, wow, it’s been 19 years. That’s fascinating. I knew that police force from brief chats we’ve had but I didn’t realize you actually started in doing the basics of technology right and then really leading into that and it’s a long career to be dealing with threat actors, criminals et cetera. Is that just a natural progression to lead to motivated and specializing in cybersecurity and privacy and digital forensics? Or just the way the market’s moved and you’ve just been in that kind of that transition as we’ve matured and being more digitally connected?
Darren Hopkins:
4:44
I’ve also had a look at how did that career transition? Early days, even at McGrathNicol, when we were first starting, we were a traditional digital forensics, e-discovery type practice, a lot of insider threat and work predominantly for courts and lawyers. The skill sets we had we worked out pretty quickly. We’re really useful in collecting evidence from incidents. And one thing that we’re looking at with incident response and those types of capabilities that if you don’t have a client that’s been collecting data the right way and doesn’t have a SIEM and doesn’t have a security operation center and hasn’t invested in technology, they have an incident. It’s really hard for them to work out what’s happened, whereas the digital forensic side of our backgrounds enabled us to find the evidence to support a breach or an incident through those methods where not traditionally it wouldn’t be available. So we had a lot of people asking us to help on incidents and IR and then we thought, well, the world had moved on and information security was now being called cyber. So we said let’s just jump on that bandwagon. That sounds great. Yes, how do we as a firm build a brand that recognizes that we’ve got real skills here when traditionally we haven’t done that? So our incident response practice sort of built out from there and as a combination of digital forensics and if you have a look at a lot of incident responders, they call themselves DFIR, digital forensics and incident response. It’s that combination skill set.
Darren Hopkins:
6:05
So we had the digital forensics. I had some really good information security professionals in the team, so the SOC operators and the analysts and the network engineers, so those people that sort of know the security side. We have some pen testers in our team. I mean these are the guys that can look at what’s actually happened through the external view or the insider view or the vulnerability piece. And that combination of all of those skills sort of meant we all of a sudden had something a bit different and the business got known for having a good reputation for being able to work out what’s happened in an incident and how it occurred and where to go from there. And naturally that enabled us to then have a practice of cyber GRC people who can help post the event fixings, provide advice and guidance on how to get better.
Michael van Rooyen:
6:55
Yeah. Well, I mean, even for me in the years that we’ve kind of engaged or done some cash engagement together, certainly you know the name McGrathNicol becomes the one that they go to particularly. You know, just from the experiences you touched on that broad portfolio and the parallel of moving to cyber and connectivity. I know you spend a lot of your time dealing with incidents all the time and I think Scott Reid, who works in our organisation, says these are the people you call. Right, when things have gone sideways, these are the people you call. So I know you lead a big team of people that really specialize in that and I think it’s important and we’re just seeing the continuation of this landscape of threats everywhere. Right, it would be interesting for you to comment on what kind of trends you’re seeing in the cyber landscape today and how that’s changed over the years, from where you started, and also what are some of the emerging threats that businesses should be thinking about today.
Darren Hopkins:
7:42
It’s a tough one, isn’t it? I start most of my presentations with the cyber security landscape and where we’re going to today, and often I have a look at what jobs I’m doing at the moment and are they changes in what we’ve been doing in the past? Are they different? If I have a look back, maybe five or six years ago, um, just go back to there, far less sophistication in what we were seeing. The tools and technology that threat actors were using weren’t that great. I even think something as simple as a phishing email back in the good old days you could generally in our industry we’d pick up these things because they couldn’t spell Google correctly and the language is average and it was really obvious what they were trying to do and they used to sort of just try to catch the people who are unaware or just not paying attention. And then over the last sort of three or four years, we’ve seen this move where organized crime has realized that there is such a large market to exploit and so much money to be made by focusing on cybercrime, and we then had these groups become more sophisticated and have access to more funding and more R&D and capability and realize that there’s a genuine serious market for making money and therefore some of the industries that used to drive organized crime, like drugs, were starting to reduce in their relevance to funding organized crime and terrorism and all these other things. So, unfortunately, that meant for all of us that we were seeing more and more of these threats emerging and they were getting better and better.
Darren Hopkins:
9:08
And then we started to see the evolution of attacks like ransomware, and I still remember ransomware started in people’s homes. Yes, the first lot of ransoms that we would see would be someone would break into your home computer and find your photos and lock up your photos and say, if you want to get all the pictures of your kids back, it’s going to cost you $500. All right, and at the time they realised well, people will pay $500 to get memories that they can’t replace of all of their children’s photos. Fair enough, in early days it was such a successful, thriving little business and it just kept growing and then becoming bigger and bigger. And then we started to see businesses getting hit more and more and then the way that the attacks would work and the tactics would change.
Darren Hopkins:
9:49
Early days it was disruption. Can I disrupt a business and effectively cripple them and then make them pay to get back online? And how do we respond? We all got better at disaster recovery and business continuity. We all started saying how important backups are and how important is it for you to be able to respond and recover, and we focus there. So then they started dealing with extortion. Well, if they can recover, what else could I do to make somebody sort of pay? And then we saw this evolution of data exfiltration and data thefts and then extorting, and then the information that was taking was more harmful, more likely that we all want to pay to limit that harm to others.
Darren Hopkins:
10:27
And I’ve just seen this evolution of more sophisticated, better tools and certainly larger quantums and much more sophisticated and bigger attacks crippling really large businesses that you would hope could be doing better. Yes, we’re all now being exploited with the things that in the past we didn’t really worry about, things like vulnerabilities and misconfigurations and all these things. They’re the doors that we left open that in the past maybe weren’t being looked at as much, but now you just can’t ever avoid your hygiene. Yes, because the tools have enabled groups to automatically scan the world. Every IP address, every external network has been scanned all the time for threats, and if they find them, they’ll exploit them.
Darren Hopkins:
11:09
And then I’ve seen in the most recent times is the use of some new technologies and really good social engineering to step it up again. So, unfortunately, you know, the evolution is more sophistication, bigger and larger attacks and far, far bigger impact on businesses, from that what started small to now being something that’s crippling even some of our biggest businesses. And then the worst thing is that this response from governments and others, which is to regulate, to try to reduce it, and we all then feel the impact of that, of course, of course, and then with crime syndicates, et cetera, spending more money in the space because they know it’s quite lucrative and has become quite lucrative, particularly with connectivity.
Michael van Rooyen:
11:45
Do you feel that there is a tipping point? Are we fighting against something that just continues to grow? Are we fighting with one arm behind our back from our investment, from the vendors and government and ourselves? You know? Is there a balance? Is it balancing out, or is it just it’s a balancing act? I guess.
Darren Hopkins:
12:05
Oh, there’s an acknowledgement everywhere that we could all be doing more. Sure, our vendors and our tech products that are out there are absolutely creating incredible technology to help defend us and safeguard us, and they see the opportunity for what it is. Our governments are completely focused on this. You only have to see the amount of effort that they’re putting into reminding us how important this is. Yes, our regulators probably move beyond education and awareness to enforcement and the big stick approach. If you get this wrong, I’m going to hit you really hard and there’ll be a giant fine attached to it and you won’t like the ramifications. So you need to do something, and businesses, I think, are now really acknowledging that security and cyber and any of those elements of securing your technology are just as important as the operational efficiency you get from good tech. So there is more money to do things, but there’s only so much to go around and we still got to budget all of the risks that an organisation has to manage.
Darren Hopkins:
12:52
Some really positive things I’ve seen in the last 12 months is boards and directors are very conscious of the risks to the organisations that they are supporting and are asking more questions and expecting more from their executives and the businesses themselves. Businesses are doing more to actually try to safeguard themselves. You know, a real challenge in a country like Australia is that, you know, almost 90% of our businesses are SMEs. They don’t have the big budgets to deal with these big threat actors and they can’t afford the great tools that are potentially available. So how do we balance enough that’s affordable and achievable with the other side of it, which is a full defence piece? So a lot’s been done. One thing I always hate to see is I think we sometimes the money that goes out to threat actors versus what we invest is probably disproportionate.
Michael van Rooyen:
13:40
Right, wow.
Darren Hopkins:
13:41
I’ve had some instances where I’ve seen a payment to a ransomware operator of almost $10 million. Wow. And then six months later I’ve seen a board approve a cybersecurity budget to future-proof and safeguard this business, and they approve $500,000 a year for three years. I thought, well, that’s good, it’s $1.5 million, we’ll get a fair bit done, for sure. Sure, but I wonder what the Russians will do because it was a Russian threat actor with the $10 million they made after they have their nice holiday and a visa and a few other things.
Darren Hopkins:
14:12
I’m sure they’ll reinvest some of that back into their own business, and probably a little bit more than what we’ve preserved to go off and safeguard ourselves.
Michael van Rooyen:
14:19
Yes, and that’s an interesting point you make there around it is treated as a business. Right, these guys are running it as a business. It’s not just something. They’re dabbling with threat actors and we go back to movies in the 80s it was a dabble dial in play with things. You know, this is a real, serious business and I think one of the conversations I heard you have once is become a real thing. Right, I mean, it’s happening and there’s a lot of consciousness about it, but for people listening, I don’t think they realize the magnitude of how serious this business is. A question.
Darren Hopkins:
14:49
I get asked if I’m doing a tabletop or a simulation for a board and we get to the part of one of these simulations. This is a ransomware event we’re trying to emulate and we want to make it hard. Often you get to this part where you’re talking about are we going to negotiate with a threat actor which potentially is a terrorist? You don’t know at this point and would you consider making a payment? And there’s all of these legal reasons why you may or may not want to do those things. There’s certainly ethical reasons why you wouldn’t do it, but there’s also commercial reasons why you might go down that path. And I always get asked by somebody how can you trust the criminal? How do you know that they’re going to do what they’re going to do? And it comes back to well, how honest is our hacker? And that’s effectively what someone’s asking why should we trust them? And a lot of that is because their business model is that without trust they would have no business. And often you’ll see statistics on the threat actor group you’re dealing with and how honest they have been. And I’ve seen instances where a negotiator will come up and say, look, we’ve had 120 interactions with this threat actor and we’ve facilitated more than 100 payments and not once have they gone back on their word. Not once have they leaked the data if they said they weren’t going to. Not once have they not shown a video of them deleting the information, not once have they re-extorted and not once have they not provided the tools to unencrypt. And not once have they publicly announced that they’ve had a dealing with you. So therefore, they’re 100% honest as a criminal and their business model is that the moment they deviate from that, their business model fails, because if it was a 50-50 chance, you’re not going to risk it unless you’re absolutely desperate. Yes, and you’ll even see instances where new attackers come in and aren’t honest.
Just take the money and then you’ll hear of other groups trying to shut them down because you’ll ruin it for the rest of us. Right, and you know, the business model includes, you know, I like to compare it to a franchise type model that we’re comfortable in Australia. You’ve got these operators who are the big groups that have the cool name they can name themselves, yes, and they do the R&D and they build the tools and they’ve got the capabilities to attack.
Darren Hopkins:
16:53
They often also help manage the money laundering side of it. It’s all well and good to get a bunch of Bitcoins, but you’ve got to turn it into cash one day. True, so they’ll have that. Then they’ll go off and recruit affiliates and affiliates are your franchisees and as a franchisee or an affiliate, you get access to the franchisor’s capability and their tools and their support and their marketing and their Q&A and their help desk. These things are provided. They’ll train you on how to do better and you can ask questions and you give up part of your fee for that service, no different to a franchise fee. That’s fascinating. And then sitting around the outside are all the others that support it. There’ll be recruiters who are out there looking for the next affiliate who’s good. They’ll be out there trying to target those young, great security professionals to come to the dark side. And there’ll be brokers and their job is to find a backdoor to exploit. They look for that opening in that business that they can get in and they’ll test it and they’ll make sure it works and they’ll sell that. So they’ll sell access to your business to an operator or to an affiliate.
Darren Hopkins:
17:49
And these days, when we see the attacks, if someone has bought access to your business, they’ve already got skin in the game. They’ve paid some money to attack you and that’s why we’re finding they’re less likely just to walk away. They want to get some return on that investment and this is a whole business model that sits around it. Even thinking about campaigns, you would have seen it with phishing emails. Why is it the phishing emails start to tailor based on the time of the year and the event that’s happening? Why are we getting the scams around romance scams during Valentine’s and why, at Christmas, are we getting the package scams? Because their teams build campaigns around what’s going to be relevant to attack us in a way that would likely make us fall victim. And they’ve got teams that think about these things and design those attacks, and no different to our own marketing teams that think about a successful approach to winning work. Of course, and it is, it’s just a really successful business network that can work outside, I guess, the moral constraints that we have. There’s no rules.
Michael van Rooyen:
18:43
There’s no rules. Yeah, I mean that’s just super fascinating and I love the analogy about how it related to a franchise, right, how franchise model works and you know how serious again that this is a business, right, and they’re there to make money in there and that’s what the mission is, right. And, uh, that breakdown. If I think about the physical aspects of going back, um, a couple of decades of crime, it’s no different to how they structure these to recruit people to do certain activities to do it. It’s just digitally now, right, that’s almost the same structure.
Darren Hopkins:
19:11
Yeah, it would mean hard to be a drug dealer, to be honest, in the last five to ten years. You sort of think, you know, if you want to make money with drugs, you’ve got to have a product. You’ve got to either create it, you’ve got to grow it, you’ve then got to convert it to something, and you’ve got chemists and others that are all involved in this. You may have a plantation or something. You’ve got to hide and keep going, and there’s a whole bunch of people involved in that. I mean lots of people who could blow the whistle. You’ve then got to go off and get that product to market. So you need to package it and brand it and then get it to foot soldiers to sell, and all of these things have points in time that you can get caught.
Darren Hopkins:
19:43
Something could go wrong. Law enforcement are great at waiting for the perfect time. They’ll let you spend all that money doing all these bad things until the point where all the products are together and you’re about to get a whole group and then they’ll take you down yes and remove all of your profit from all that investment and catch a whole bunch of players at once. It’s deliberate, it’s well constructed. Cybercrime is you’re sitting in a country with no extradition treaty and you’re all anonymous. You don’t have to see anybody, you don’t have to walk out the door, the money turns up in a wallet and you can convert that very easily into cash and you can live a pretty good life. The hard thing is you’ve got to be in a country that maybe I wouldn’t prefer to live in, but you’ll live like a god there.
Michael van Rooyen:
20:22
So it’s not too bad. Yeah, fair enough too. That’s just fascinating. Going back on a point you made earlier around there’s quite a lot of brilliant tools out there from vendors to really help protect it, and obviously that’s come at a cost. Is your thinking, as we progress and mature in this industry, trying to holistically in the technology industry, do you feel that vendors, the big ones, Microsoft, Google, Apple, are going to really drive that continuously so that customers and consumers expect the security by design and all that? Do you think there’s a tipping point where you see this drop off? Or you think that as we get more hyper-connected, it’s the opposite, we’re going to still see more opportunity for threats and breaking in? What’s your view on that?
Darren Hopkins:
20:59
I think our leading tech players your Microsofts, your Apples, your Metas and all these other sort of providers out there providing large services. They’re completely invested in securing their ecosystems. They have to. That’s what we all expect them to do. Without the trust in their products, they’re going to struggle to maintain the positions they have. The good thing I see coming from all of these vendors, as well as the acknowledgement that they need to provide tools and capability and security to everyone small, medium, large. If you take on their ecosystems, the expectation is that, even as a little player in their market of their tools, you’re getting something good. And we’ve seen the likes of Microsoft really demonstrate over many, many years how they’re continually embedding security into their products, eventually then making it available to everyone. And then they’re making it available to everyone free and then they’re actually forcing it on everybody for free, and that’s, I think, a good organization that understands the value of these things. I also see it with a lot of our other tech vendors that have got fantastic products who deliberately have some incredible technology to protect us.
Darren Hopkins:
22:00
And E is exposed endpoint detection response, the thing that is looking for threats on your devices and will hopefully block and stop and tell you before it becomes a real issue, that tech used to be difficult, hard and expensive, and we would often rely on the smaller products for small businesses. What I now see is that tech providing an ecosystem that deals with small, medium and large, and actually even breaking their products up into areas to support different organisations of different sizes, using the underlying core technology, delivered with maybe less or more managed services. Fantastic. And the other thing I love to see now is that these core technologies are very open to working with service providers. So we’ve got the technology, we can’t provide the service, so how do I get that then, to teams who have got the skills and experience and the connections to deploy and run those things appropriately, rather than a tech vendor saying I need to own everything. I need to own the tool and the people and the relationship.
Michael van Rooyen:
22:54
Yep, yep, fair enough, and, uh, it’s a good point, and I even realized I’ve noticed that you’re actually right about some of these big players pushing on. You know, thinking about adding things like Defender into people’s personal subscription for three-star companies, just choosing Microsoft here as an example. And I think that’s what we’re expecting right as consumers, that we’re going to be more and more protected, so we should see some sort of decline in some areas, but of course there’s still lots of exposure. We think about OT networks being connected that are well, not patched and maintained, and this hyper-connectivity, I think, is still a huge area where there’s probably going to be problems living.
Darren Hopkins:
23:24
Yeah, a huge amount of risk still out there. OT is one that in the last sort of 12 to 24 months has really come to the forefront of being a risk. We talk about critical infrastructure in this country and the fact that if someone was to attack us as a nation, the easiest way is to attack the critical infrastructure of that nation, and you do it digitally through a cyber type attack. I have a look at OT traditionally, the way it’s been managed, and we’ve worked on jobs together in those providers and it’s always an eye-opener to have a look at what you find and the expectation is that there’s almost if it’s not broken, don’t touch it mentality with OT. Sometimes we think that we can get as much life out of it as we can and at some point someone stops supporting a product but we’ll keep it until we can no longer get parts on eBay, if we can keep it fixed and it does its job and it doesn’t change.
Darren Hopkins:
24:13
It’s a technology that’s on or off or it does something that’s okay Probably not even thinking that there’s a vulnerability that’s been there for the last six, seven years of its life and we don’t apply the same rigor of risk management that we do with our IT world to our IT world, but we’re getting better at that as well. Yes, and in the past we used to say you know, it’s air-gapped, no one can get to it, so it’s safe. And then someone says but I need to see if that OT is working. So can you maybe not completely gap it and let me have a bit of a view in, or I need a vendor to be able to come in and support it. So you know, they’re the changes in the world that we’re seeing and they open up that risk completely.
Michael van Rooyen:
24:47
Yeah, and I see a lot of this OT-IT convergence. In fact, a fairly large operational technology organization we’re doing some work with at the moment has actually gone the other way, where the OT team, OT management and OT manager has taken over the IT function. Now they’re very heavy OT related. It used to be the other way around technology provider service. We know there’s a difference between the two, but the connectivity and I don’t think we’ve ever found an air gap network as such so far there’s always somewhere it’s been touched right, especially with shadow IT deploying 4G, 5G.
Michael van Rooyen:
25:16
It’s so easy today to get connectivity in and that’s where the problems are. Now moving into kind of what keeps you busy. As we touched on at the beginning of the chat, you’ll really spend a lot of time helping customers with incident response and digital forensics when they’ve been and incidents happened and, of course, it’s crucial that it’s continuing to grow and increase in the amount of these that are happening. What are some of your recommendations to businesses on the first steps that you take to kind of mitigate that as a first point? I know we’re touching a lot of solutions, everything like that, but when you, when you’re advising customers to avoid these breaches, uh, have you got some advice for them?
Darren Hopkins:
25:51
The area of incident response, which is pre-breach, is the area I’d much rather meet clients in. Yeah, of course, I think the journey pre or post-breach ends up being the same, but one costs a lot more than the other. If you’re doing it post-breach, it’s hard, it’s fast and it’s undocumented. The things that you end up doing are very similar. And many, many others in this industry, I think we all sort of sing from the same playbook and the prayer book, which is hygiene is where you need to start. So we all have technology, networks, infrastructure, applications, the things you need to get right first of the basics. So make sure your technology is up to date, it’s patched, you’ve got appropriate backup procedures in place so if something happens, you can recover, and there’s a lot of frameworks out there for assessing your cyber security maturity. They all have an incident response. If I have a look at NIST as a framework, which is a common one we see in Australia, you’ve got can I respond and recover. I always want to focus there. To start with, you’re never going to be able to do everything at once, so be able to get back up and running if something goes wrong, and assume it will. So backups, business continuity, all of those things, incident response plans, then get all your basics in place so you’re reducing the likelihood of you falling victim. Make sure things are up to date, they’re patched, that you’ve got good technology that is supported and good vendors and others around you to do that support. At some point we then want people to invest in the ability to detect an issue when it comes up. Often we see it, you just don’t know it’s happened until it’s happened. And in many cases I do an incident response job where we have to work out the root cause and how this happened and we realized that they could have known months ago that they were compromised and things were happening and that is no one knew.
So there was all of that lead time to have prevented the real issue. So get some capability to detect and never forget that there is a focus around governance here as well.
Darren Hopkins:
27:44
So it’s not just a technical solution. Normal sort of rules apply. It’s people, it’s processes, technology, it’s education, awareness. Make sure you got the right people, the right skills and people know what you want them to do and how they do it. Make sure you’ve got rigorous processes around all of those things so you guide people in the right directions. You put guardrails up and they understand what is able to be done and what’s not able to be done and set those ground rules and then good tech to support all those things. So if you pull those things together and it can be, just set yourself a plan, maybe put a few years around that plan to give yourself time and budget to do it and then just hold yourself accountable to it. There’s some really easy low-hanging fruits in all those plans that you execute, but you’ve got to start somewhere.
Michael van Rooyen:
28:23
Of course, of course, and I know that you spend a lot of time with senior executives and boards. You get brought in to do technology strategy and talk to boards really taking that seriously now, because I know what they’re on the hook for. Is there any additional advice besides that, where you really start to get some insights that you give them around cybersecurity and privacy for the leaders to consider as they mature and get to understand the criticality of this aspect of their business?
Darren Hopkins:
28:44
Boards are certainly far more interested in what their businesses that they’re supporting are doing. I think part of that is our regulators, like ASIC, being very, very vocal about their expectations of directors and board members and the fact that you are on the hook and you are responsible and you need to make sure that your business is doing the right thing. So we’re seeing executives and boards asking more questions, and that’s good and asking the right questions and needing to see what a business is actually doing and is it effective, and seeing those results, being aware of the obligations that sit around those particular roles because as a director of a business, you’ve got some liability that sits there if you get these things wrong as well. For executives themselves, one thing is make sure that you have adequately resourced those executive teams to do their job.
Darren Hopkins:
29:28
In the past, a security professional was an optional role that most businesses would have. They’re more than happy to have a technologist, and sometimes that technologist would be not at a C-suite level. Yes, it might be an IT manager, but then you still have a CFO and you still have a CEO and you still have a few other C-levels and then you had this technology role, that sort of sat down. I think the seat at the table is needed. IT and security both are absolute, critical drivers to every business.
Darren Hopkins:
29:56
Without technology, I don’t know any business that would be able to operate anymore. It’s critical to our ability to do work, to engage with clients and just to be connected. Security is the thing that keeps it safe. So if you don’t elevate those roles to the area that they should be and given the ability to actually engage at a senior level, that’s going to be tough. You’re going to have to rethink the way you budget for roles and head count and those things. That’s something there and see the value in those things. And the boards need to be supported so that they can see the things that you’re doing. Yes, I’m a champion for every CIO, CTO, head of IT that needs a budget right now. You never get enough and you should get more.
Michael van Rooyen:
30:31
Yeah, fair enough. Fair enough, that’s a, that’s a good point for those listening. Uh, take that, take that advice on board. When I was in the US last year they were talking a lot around that even boards are now needing to have a CISO or a security, cyber security role on the board. Maybe it might be by a certain size of business in the US, but I think they’re mandating that now as part of their asset or their, their federal policy. You think something like that should be not necessarily mandated, but really encouraged by ASIC or maybe even one step further, to help with that journey?
Darren Hopkins:
30:59
I’d like to think so. I saw that change in the US as well. It made sense. Boards should have someone who’s got expertise around accounting and finance. Someone should have expertise around legal. You should have just some people that can support business operations, and IT is just such a fundamental driver to all of those things. To have someone without that expertise is severely lacking, and in the US they acknowledge that, because a lot of the risks that businesses were trying to address were technology risks, and I would expect that at some point in the future there would be either guidance or encouragement that we need to make sure that we have technologists on the boards. I’m actually seeing it in many businesses we support now. I’m actually seeing board members being selected based on their CV around their technology and their security capabilities to support and augment the skill set the board has. That’s encouraging.
Michael van Rooyen:
31:51
Whether or not it’s mandated, who knows, it wouldn’t be a bad thing. Tune in next week for part two of my ongoing discussion with Darren Hopkins.