Think Tech Hawaii, civil engagement lives here. Welcome back to the Cyber Underground everybody, I'm Dave Stevens, can't call myself the cyber guy anymore. Still looking for a title, I've had a couple suggestions on the web, take it easy, keep it clean. We have to remove some of the comments, still looking for a title, there's a cyber guy out there that's not me. Once again I teach from the University of Hawaii, Kapi'olani Community College, KT Network Security and Ethical Hacking, and today my great honor to have one of the other spin-off hosts from the Hibachi Talk, we're coming up with Andrew, the security guy from Security Matters. Welcome. Aloha. It's so good to have you here. We have a far better guest than me though. So let's introduce our remote guest, Karissa Breen, of Karissa Breen Industries from Australia. She's calling in from Sydney, so thanks for getting up on a Saturday morning over there, Karissa. Can you hear us, Karissa? No, I think, yes, I can, thank you very much for having me, I appreciate it. Well, tell us a little bit about yourself, what do you do out there down under in that country that basically it's your Americans that have a better nickname for their word barbecue? So what do you do down there, Karissa? I run a cyber security media company as well as a communications agency servicing cyber security and the emerging technology industry. Wow, that's impressive, because you look pretty young and you're really conquering it out there and going on to two paths on the same channel and my respects to you, Australia is a huge continent, do you cover the whole thing? Cool, media company, and I think the how, the reason how I started the business in the first place was I started off with a blog I had, which was quite bad, but I wanted to interview, it works quite bad, I actually look back on it and I feel a little bit like I have no one ever to use those blogs I use to write. Yeah, once it's on the internet, it stays forever, yeah. 
Especially the Americans who be like, well, those Australian people are really weird. We've got no room to talk anymore, sorry. I think you understand more about the minds of cyber security practitioners, what their thoughts were on the industry, but as you know, it's still quite an immature industry, especially within Australia, and there was a lot of talk around security, awareness, education, and then I could see a gap in the market, because a lot of security companies were complaining that they couldn't really get the buy-in or the traction, and that of my career in a large bank, actually, the largest bank in Australia, and then I sort of progressed my career, but then ultimately going out of my own a few years later, because I could see that a lot of people in security had this issue with this communications piece, and I think that it's a piece that a lot of people with super technical probably undervalued, we see it as a critical point to one, get the buy-in, but to get people to actually understand more about the industry. That's a great point. We're still today trying to convince, trying to explain to boards of directors what cyber security is and why they should fund it, and unfortunately, it is technical. The work itself is fairly, I mean, you know, you have the phishing pieces and the social engineering pieces, which... Just getting through terminology is difficult. The hard work is technical, and when you start talking, I get their eyes glazed over. We have to go from geek to human, right? We have to translate this for people, and we have to educate them, and that's a difficult thing. Not a lot of people can speak both languages. Yeah. So that's interesting that you identified that gap as a communication gap, which I rarely hear it called, but that is what it is. 
Yeah, it's a significant gap, and it would be better for people like Karissa, I think, to be in this industry approaching that gap and trying to fill that gap rather than the boards of directors and CEOs and other upper-level executives shocking themselves awake with a breach. Oh, yeah. You know, Starwood today. I mean, Starwood, it's a huge industry. 500 million people. Wow, that's a huge breach. Yeah, that's my hotel chain. That's where I stay. So I'm sure my credit cards are floating around. Nobody is safe, and it doesn't seem like any of the old schoolers are listening. The younger people coming up the ladder have a little taste of this, but what Karissa says is necessary. Sure. So, Karissa, how are the audiences for these events in Australia? Are they... Are you getting the old gray-headed, bald-headed board of director guys? Us. Are they in the audience? Or is it just the young techie guys? Or are you seeing a broad spectrum? Only a broad spectrum. And I think because I... You know, people say, you know, I'm the security person, and when I first started security, everyone's like, no, you're not. And I'm like, well, you're just a girl. You're not a security person. And I'm like, yeah, I am. So I think I naturally break that status quo of a security person. And I think maybe because I do break that, people are sort of willing to listen because I'm already breaking out of that mold. So there's definitely a spectrum. I feel because we have been doing this for, quote, unquote, long enough to sort of earn our strikes in this industry that people are willing to listen because they know that they can't communicate at a level. And the right discourse to the people that they want to talk to, so whether that is a technical guy, it is their customer, or it is someone from a C-suite level. And it's about changing the language about who you are talking to. And that's the disconnect. 
And I don't feel that a lot of people in this industry might understand the language as one, influential, and two, to actually get that buy into people to want to listen because security people can be quite dismissive and very high in my view that they're a security person. Yes. And forgive me, I love them because a lot of them are my friends. But that's a common trait that we see globally, not just in Australia. It's very prominent all over the world. That's a good point. You know, the dismissive, and she's so polite about it. Yeah. We call many worse things than that. Dismissive is a kind, that's a gentle descriptor. So nice of you. Yeah, we can be kind of arrogant with that. And that's a hard one to overcome, really. Well, I was going to say that it, I don't know that I think it might come off as arrogance. We want to be helpful, but it's frustrating to explain something over and over and over why you need money and not get the money and you can explain it again and then not get the money and explain it again and not get the money. And it's like, hey, I've warned you and warned you and warned you. How many different ways can I explain it? And at the end, when the breach happens, then they pay the money. Well, they pay the money, but they blame you. Yeah. Why was I prepared? Well, because you didn't get me the check. But that doesn't mean anything at that point. It's often hard for me to not only convince people that this is necessary, but when they do the buy-in of the C-level suite and Chris, tell me if this is what you encountered too. In my experience, what I get is a partial buy-in and they say they want to invest in certain security products that say they cover the whole spectrum of security and they want to hire one or two security people. And I try to tell them, no, security is a hive mentality. Yes. You have to train everybody. Everybody. The whole team's got to be playing. Everybody's got to be in the field. 
Or there's one person that's not playing and that's the whole. Yes. And all your security devices, the cost of millions of dollars are bypassed because somebody clicked on a link and you didn't know it's a zero day. And you're done. And there's Starwood, 500 million people, which is probably what happened. Yeah. Yeah. I mean, so do you have... Let me ask you this, Chris. Have you seen a shift in the rooms that you're in? Do you think more of a willingness for the C-suite to get engaged? Now, rather they may be moving slower, but I feel like they're moving faster and they're finally listening. At least, and I would say that's been in the last 18, 24 months. It's surely we weren't getting hardly any response before that. No, but money talks. Yeah. And there's a lot of money being lost. And a lot of bad PR. So, Karissa, give us your opinion. What's your view of this? How's it going in your field? Yes, I agree. There's definitely been an incline in people buying into it. There's still going to be that resistance and that point of contention. Because at the end of the day, you are talking to business executives that aren't technical people. So all they really care about is bottom line and risk about how you communicate that. And I think what we're trying to do as an Indian company is actually communicate that in ways that these people, one, care about and to understand. Because if you look at a security person's perspective, it's always going to be on the technology and it's not really broader than that. So it's really about getting out of your own headspace and taking that up a level to be like, what's important to these guys? Reverse engineering their thoughts as well. I have seen an uptake, but again, it's incredibly immature and it's further behind than you guys are in the US and that's why we are trying to build that communication and awareness and education around what this actually means. Because security is actually needed to consume it. 
And consume it to the people that make up these businesses that effectively are clear-heading these business from, you know, a CIO point of view or a CEO point of view. And it's about understanding from a psychological point of view what makes them tick and then how to, I guess, contrive the language to get them to get the buy-in. The reason why it's being such a slow uptake is because people are just trying to do a blanket statement to every single person and it's not working because you can't communicate to every single person the same type of language. Right, and 100% agreed. I also feel that it's also hard to communicate. Once you do get buy-in, it's hard to, and Karissa tell me if this is wrong, it's incredibly difficult to get people to accept the change in a threat landscape. So based on current events, some businesses have to change their threat landscape based on changing threats to their business model and not every business has the same threats, right? So how do you get people to change and tell them, yep, thank you for buying, thank you for telling me security's important, here's your name on this, but now we need to make a change because global events have changed your threat landscape. I was wondering if the, is the government active, the Australian government in supporting business cybersecurity problems in Australia? Yes, they are, they are, but again, I don't think it's, again, communicated in a way that people really care. It's like, oh yeah, security, and then everyone that looks at it acknowledges it and then dismisses it because the issue is no one's giving people a reason to really care about it because I don't, you know, do you guys really care about other particular problems because like, unless it's your industry, you don't really care, but if you can give people ways to care that's relevant to them, they're going to care. Well that's, I think that's a human nature. 
Security, absolutely, and that's the thing, but security people can be a little bit television and think, oh well, I'm a security guy and it's all about this, but at the end of the day, you need to understand the differences between what people actually care about and understand from a psychological point of view what makes them tick. And that's what we're noticing now because people are saying that there was a report done in Australia for CIOs and ESOs and the biggest concern they had was actually not the technology or the technical skills, it was about communication, training, education, and awareness. They, to me, all come under communication piece. Yeah, I agree. That is the toughest part, educating your users and getting the buy-in from every level of the organization. And also there's a component of communication that's persistent. You know, how do you keep it top of mind? Right, you can't just leave it and not fire once and forget. Right, every link that you look at, every email that you get, like you really got to be thinking from a security mindset, that's what's difficult to communicate is the persistence of it, you know? I see that in businesses currently, right now they try to save money by over-tasking people and using people for multiple tasks at the same time. Sure. And that over-tasking, I think, creates kind of a security apathy because they just want to do their job. Yeah, yeah. They just got to go through 200 emails a day. And when they get a link, they got to get on it. Right, so over-tasking can be part of the problem. And then again, you're hitting the bottom line profits. Okay, we got a break for one minute. I think we're right at the break, so let's take a break and pay some bills and we'll be right back. Everybody, until then. Aloha. 
Welcome back everybody. I'm the former Dave the Cyber Guy. Dave the Professor. Dave the Professor. Okay, that's cool. Let's go with the Professor. We're here with Andrew the Security Guy and Karissa Breen. Aloha. Aloha everybody and we're back. We're talking remote with Karissa. She's on the phone. Yeah, we're trying to get a, really trying to get a feel for what's happening on the cyber side in Australia and it sounds similar to what's happening here. You know, Karissa, I heard you mention you thought maybe we were kind of ahead of what you've seen there and I feel like we're behind almost everybody else I talked to in North America. I feel like one out of every 10 companies is doing something and nine of them aren't. Well, you know the message of our current administration is to pull back. 
I don't know if you know this Karissa, but right now the Trump administration just cut funding for the National Institute of Secure Standards and Technologies. They took $6 million at a next year's budget and NIST is our standards organization for things like the 800-171 and 853 that help us audit organizations and make them more secure including the DoD to be harm and offense. Ridiculous. So the current administration Karissa here in the United States is actually kind of working against us. We can go and get the information to small and medium business owners, but it's on us to create a plan to implement those strategies and really no one's coming back to us and auditing us from the government saying, hey, are you not flying? Not at all. Yeah. Is the government active in the audit? Do they take care of your electrical grid and your wastewater treatment facilities, for example? Are they working on your critical infrastructure from a cyber perspective or is that left to the businesses themselves in Australia? Probably two parts of this. Yes, they are and they aren't. I think that they are, I guess, quite a lot of campaigning to do more of that because they can see that if it's tied to the government, people need to have a level of compliance. So if it's not, people aren't going to really do much and that's why they're trying to implement that because people need to be held accountable and obviously you've got government bodies auditing like financial institutions and things like that and that's why that's important because if it's not, then I think that people would just go a little rogue and just kind of do whatever because they're not being audited. They're not being held responsible or accountable for any of the potential risks that, you know, it could potentially damage their customers and their business reputation as well. I would think it would be sort of, because it's not as big. I think you said there were $22 million across Australia. $32 million, right? 
$32 million. Yeah. So... $22, but... $22. $22. So someone might call me out and say $24. Yeah, so let me say $25 million. But it's definitely... It's small enough... I just thought of that. Yeah, small enough that it could be done. It's like, you know, there's more people like I think in California than that. Yeah, there's almost twice as many people in California. Yeah. So in other words, it would seem that, it could really with some... not heavy hands, but weigh in pretty quickly to have a broad effect on a population that size. Well, they need to set a good example, I think, first. Yeah, definitely. Leading by example is something that even our government needs to do. We've had so many breaches and so many carry-downs already. That's true. But, you know, once you lead by example, then you share that information with others and say, like, this is how we're accomplishing the task. It's this easy, ask us for help. And I think organizations in the U.S. are attempting it. Yeah, yeah. Yeah, they're attempting it. So does insurance play in in Australia? Do they have, like, cybersecurity insurance? Is that a popular thing that's being adopted or is it available or not available, I guess, is the question? It's available and there's probably two responses to this. The first one is, yeah, it's cyber-insurance. It's a safety blanket. Yeah, right. And then other people are like, oh, well, you're not really implementing very good security then. So it then becomes this all like a Mexican standoff because people are like, oh, well, you're not really implementing good security control and practices because you're just going to rely on the insurance. The insurance says, yeah, but what if you get breached? What are you going to do with the clients? So it's kind of this awkward talk around, I guess, the security table about what do we deal about this? And so it's something that is something that's going on in the U.S. 
And so it's something that is becoming, I guess, more commoditized now because insurance companies are adopting to it. But there's still the issue with how do you underwrite for that as well? And I mean, I think something in Lloyd's in London, they've come up with a framework. But again, it's still quite an immature place because how do you underwrite for that? Because everyone's at different levels. And I think it's not going to be a one-size-fits all because you can't commoditize that because everyone, it's quite a bespoke problem because everyone's at different stages, maturity levels, have different levels of risk attachment as well. I agree. It's tough for small and medium business owners to implement a level of security. You're different. You've actually implemented a tremendous amount of security in your organization. With the government, to do government work here, we have guidance here for government contractors in the defense industrial base space. That's a little different. But I still think that her point's well made because the actuarial tables on cyber are difficult. I've seen, just for example, I've seen cyber security applications that ask nine questions. And then I've seen what I would consider real and ask about 300 questions. So very in-depth. So that's, I think, someone who's giving you actually really ensuring the level of risk that your organization represents versus the six question ones are absolutely ludicrous. I wouldn't trust that insurance at all to cover anything. It would be difficult to file any cyber security claim. Sure. Any cyber security insurance claim right now is going to force an incident response and that IR team is going to come to your business and they're going to do some forensics and they'll find out in their opinion, was that your fault. And if you haven't implemented one of those standards like 800-171 and have a professional and they can pretty much say, no, it was your fault. 
That's your only defense is using one of those standards? Yeah, I wouldn't give them the logs. I would definitely keep a copy. Make sure it's defensible. Whatever defense you're putting in, you better be monitoring it. So I understand about the cyber security insurance. To do business in the state, my company has to have cyber insurance. But I've read it. I think that if I file the claim, it would be tough for me to get money. Yeah. Oh, I think that's the way they're set up currently. There's a lot of holes in that. Yeah. Is it recent? Yeah. Has cyber insurance been available and I'll show you like for five years or is it just like in the past year? For five years, I've only really heard of it coming into practice. Probably like 18 months. Yeah. But again, it's still something that is not adopted. And to your point, I heard someone say the other day they had cyber security insurance something sucked up. But they weren't covered for something. So there is a lot of discrepancy but yeah, by the way, we're not covered for that. So that's what I mean but there's still a lack in the process of that framework around how to underwrite for it because the last thing you want to do is have a problem and then, oh, sorry, you're not covered for that and no one cares for that. So I think that's a problem. Yeah, for sure. I think this is a neat example of pieces of technology that have come into companies throughout history. 
If you just look through the 20th century, every time we adopted a new technology driving in cars and trucks and highway rules and driver's licenses and air travel and air shipping and, you know, each time we get more technology we have to shift our business model somehow to compensate for that and then we have to shift our policies, our procedures, our safety measures and how are we going to ensure that and how do we reduce our risk and reduce our liability on that and here's a new industry we're adding to the growing pains just like every other technology that we've added. So you think we'll get there? I think we'll get there and then we'll add another technology and we'll be at a loss again. Well, how long did it take? So how long when did we get seat belts in the U.S.? Like 1974. Oh, that's Ralph Nader's area, right? That's 66. But it was in the 70s, right? Before it was actually a law. Right. I think the Corvair was the impetus, right? And it saved lives. But do you have a seat belt law in Australia? Yes. Yes, absolutely. And did it predate the U.S.? Or was it after us? Or do you know? Well, I don't know. It's probably after because you're pretty behind here on every single front. So it's probably after. But you do get massively fined if you're found without a seat belt. Wow. Really? So they take it seriously. So again, we're regulation. I mean, they fought it here for years. The automakers fought it and I'm wondering if industry, because of the expense, because implementing good cyber practices is not inexpensive. Oh, they will fight it. Do you think persistent audits is not, you know, inexpensive? And so the cost of business, I mean, I think ultimately when we can pass this onto the consumers at all levels, of course, we'll, we'll graduate to hardened business. Our government is talking about purchasing uncompromised, right? They want the solutions that it provided them to be uncompromised. And currently, they're saying they want that at the same cost. 
So I don't understand how that occurs. That's not going to happen. Because they've not been buying it hardened, and now you want it hardened at the same cost. I don't see how business can deliver that. So I think IoT will be the impetus. IoT? Yeah, the Internet of Things, the little devices that we have that are barely secured now. I call it Internet of Theft. But, you know, people like the organizations like the Underwriters Laboratories, they're coming out with the new standards, right? And that will force IoT to be more secure, but you're right. It's going to get passed onto the consumers. That's a good question. Do you have a body, like, so we have you, you actually work in Australia, too. Yeah. Do you have Underwriter Laboratories down there working on guidance for products, you know, like the router that you buy for your home, you know, home Internet, for example, or, you know, cameras for your house and the sort of the consumer grade stuff. Is there a lot of that and is it, does it have any cyber hygiene or is it all pretty much, you know, scary stuff to plug into your network at home? Well, I'll be honest. I think it's good stuff. Thank you. We agree. Honestly. Okay. I think there should be and I think a big reason to get people to get buy it, honestly, it has to be, if it affects them as an individual, then they're going to move. So it impacts their family, their social media, their privacy, their bank. Then I think it's going to give people a reason to move because they have one then. So it's like, oh, who cares? It's a security problem. No one really cares. It's nice you got a problem. It's just sort of kicking the can down the road of the metaphor. But I think if we give people enough reasoning without scaring them, then I think people will absolutely, you'll start to see a massive hockey stick because of the adoption to this because it affects them directly. So the reward is security, but we have to convince them of that. 
We can't just scare them and make it a state of mind. Right. But I like scaring them. That's my favorite. I love them. How's that working? I think a lot of people do that. Yeah, yeah. My favorite toy is the human mind. Yeah, I'm in favor of trying to, you know, the carrot and stick approach, but I don't know what the sweet spot is to tempt people to go this way. Let me give an example. There was a Republican congressman just about two years ago who was completely against adoption of LGBT rights. Okay. And then it affected him. And he changed his position. He completely changed his position because it affected him. Oh, there you go. Right. Well, that's Chris's point, you know, if it has to resonate with you as the user. Absolutely. We have to get that common resonance across the board. What's, what's going to play in, you know, does it affect your mom? Does it affect your kids? Yeah. IoT affects your kids. It affects us all. Well, we've got one more minute. Chris, you want to do a promo for your company? Yeah. So what do you want me to talk about just a little bit more about what we do as an organization? Yeah, definitely. If you want some business out here in the islands, give us a little play. Yeah. Yeah, cool. So we're working companies all around the globe to help communicate their message better to their executives as well as to their customers in a creative way that's more engaging, palatable, and digestible so people are willing to adopt their products and their services. And again, they get that, they make some stand out from everyone else because security is such a dry industry, so we help them stand out and really take over their competitors. Wow. Awesome. That's awesome. We need that here. Yeah, we need that here. Please come and I get some business in the islands. We could really appreciate that. Okay, well, thanks for being with us, Karissa, today. Aloha. Thank you so much for having me. I appreciate it. All right. Thanks for being with me, brother. 
Yeah. Thank you for being with me and think of a new nickname for me. Go on to YouTube, watch the Cyber Underground, give me some comments and tell me, what else besides a Cyber guy I should be calling myself? Also, Season's Greetings coming up. Aloha, everybody. Until the next time, stay safe.