JASON WILK - THE CHAT (raw transcript)
Jason Wilk, welcome to the Cyber Security Cafe. We are so excited to have you here. Jason, you are managing director of blueZoo. You're also co-author of the Cyber for Directors course by the Australian Institute of Company Directors. And we know you're going to have some fantastic insights for us today. So a very warm welcome to you, Jason.
Jason Wilk 3:36
Well, thank you so much. And it's a pleasure to be here.
Louisa V 3:39
So we're going to start with our first question, which is, could you tell us how you landed in cyber security?
Jason Wilk 3:46
Like most things for me, completely and oddly accidental. I took some leave, and a fairly large audit came down, and someone needed to become the new IT security manager, as this was last century.
It sounds horrible when I say that.
Jason Wilk 4:05
And essentially, I was volunteered, because my peers were like, 'I don't want to do that.' And it was an absolutely fantastic change. I was just in IT, heading up a team of open network systems people, and I got exposed to this amazing world. Back then it was all mainframe security, and we were just opening up to the internet. And so I was right on that early cusp. And fortunately, the organization committed to it. I was able to build a team, we got to go to Black Hat conferences. And, you know, the people we were up against back then, most of the hacking, it was people doing it for thrill and prestige. It hadn't become a business yet. So it was a strange time and a very early time to be in the industry. But still very, very focused on that command and control, put up barriers and perimeters.
Yeah, but accidental.
Louisa V 5:10
So if we fast forward to what you're doing today, could you tell us a bit more about what that looks like?
Jason Wilk 5:15
So about 13 years ago, I moved out of the commercial sector and started my own business.
And tried very hard to get away from IT.
We started up a corporate governance, strategy and risk organization, taking those skills from IT and translating them across to the corporate world. And what we find is, having one foot in that technology camp and one foot in the boardroom, we're highly effective translators. So our journey through business has really been in describing what goes on in both worlds to the other parties. I still find that as an industry we're still not particularly good at translating the whole cyber world, and not just the cyber, it's technology. Because I think one of the things that I've learned as a facilitator for the Australian Institute of Company Directors is, when we teach corporate governance, we teach directors about their duty to find a balance between the performance and the conformance aspects of an organization. So it's inquiry about how far and how fast the organization goes, but are we complying with the laws? And I find that when we look at the cyber world, there is still a focus on that compliance aspect. And it's one of the great questions I ask, and it's a good question for every director to ask out there: in our organization, we've got people responsible for compliance and cyber security, but we've got people responsible for how do we use this technology stuff to get into new markets, do new things, optimize, get more efficiency? The people that are doing the performance, how do they interact with the people doing the conformance? Because often they're different groups, and they should be, but how do those two groups interact? And how do they find the balance? And I think that's one of the true challenges for directors. How do I apply the skills I already have into a space I probably don't need to truly, deeply understand? But how do I go to the organization and verify that they are finding the balance between finding these new opportunities, but also staying in compliance and conformance and making sure that the organization is safe?
Louisa V 7:49
So it's that sort of being able to innovate with the right guard rails in place, is that how you would describe it?
Jason Wilk 7:57
One of my staff is in the Formula One space as well. And we got to talk to one of the drivers, and I was trying to explain what we do in the cyber world. And he came back straight away at me and said, 'Oh, you're kind of like my brakes.
The better the brakes, the faster I go.'
And it's like that: if I've got the right controls, and if I trust them, then I'll be more inclined to go quicker and faster. And that was his interpretation of what we do in the cyber sphere. And there's challenges with it, but that was an interesting perspective.
Louisa V 8:37
And do you think that accurately reflects where we are today? Are we providing effective, working brakes that people can trust?
Jason Wilk 8:46
I think the cyber industry is doing some fantastic things. And I think some of the innovations, and that perpetual arms race: the bad actors will come up with a new way of getting around controls, and then the industry will come up with ways to effectively block that. But it is an arms race. And I think that we've been doing reasonably well, getting funding, being part of the organizational journey, and getting involved. And I think this is something that's changed from my day. Cyber people tend to get involved a lot earlier. I was always finding out stuff right before it was due to go live. I think that's definitely changed. I think as a society, though, I'm not sure that we in the cyber industry are connected with the emotional, feeling-type stuff outside our organization. So we think a lot about the cyber controls inside our organization, and in our third party supply chain ecosystem. But I'm not sure we as an industry are yet thinking about the societal impacts and the emotional aspect of cyber.
Louisa V 10:07
Yeah, and we've talked about this on previous podcasts, the fact that, you know, we're still seeing commentary, I guess the term 'stupid user' is still used, and it's that lack of connection to what the impact might be on everyday humans, and the fact that they're not, you know, they're not understanding cyber security. Where does the fault lie? You know, is that us as an industry for not communicating effectively enough? So I think there's still some challenges in that space.
Jason Wilk 10:36
I'm sure. And I think we've gotten a lot better at communicating how do people do cyber, but it's much more around the doing of it, rather than all of the emotional stuff around it, and thinking through the humanistic impacts and consequences. And I was talking to a young gentleman who did his masters in psychology, and has now flipped across to doing his PhD in cyber. And I see that there's the double threat. That's the kind of people we need in our industry, to be understanding the psychological, societal impacts that cyber impacts, you know, what they're causing. Yep, I was talking to a customer and he had a fantastic story. He has minor dyslexia. There's just a few words that he spells backwards. And he got a phone call, he was on holiday, and he got a phone call from his CFO saying, 'I just got an email from you, and it just doesn't quite feel right. We're opening up a new thing in China, and you've asked me to pay these legal fees, but it just seems more than we normally pay.' And it turned out to be a whaling attack. But they had picked up on the CEO's minor dyslexia, and they had the words he misspells wrong; they'd actually got them. And both of them quite sophisticated in terms of understanding cyber impacts, been on training, did the, you know, they've subscribed to a phishing internal testing process in the business, but we're up against people that are using psychologists and behavioral specialists. That's where they've moved to. And we, as an industry, have to move there too. And it's no longer about the technologies. It's now about the human behavioral aspects. And I think that's where we've got to improve.
Louisa V 12:40
So, Jason, we mentioned earlier that you co-authored the Cyber for Directors course for the Australian Institute of Company Directors. And that's where we actually met, because I did that wonderful course, and for a cyber security professional it was very insightful and helpful to me to kind of understand better the language of directors. And so thank you for that. And I'd love to hear more about how you went about creating the content for that course.
Jason Wilk 13:09
That was a really interesting journey. And I mentioned earlier that I've been trying to get away from the IT world. And so I've been teaching corporate governance, strategy and risk for the Australian Institute of Company Directors for nine years now. So as one of the facilitators, they knew of my background. And originally, it came out of a review of the Australian cyber strategy, the government's cyber strategy. They ran it for the first year, and like all the strategies, they did a review of it and said what was not working. And one of the things they found was the education vertical of that cyber strategy. Lots had been going on in universities, but there was this big audience of critical decision makers that were being left behind. So the Australian Government then, through Data61, which is the cyber arm of CSIRO, approached the AICD and said, what we'd like to do is build a course. And they laid out what they felt was the content and the theory, and started to pull that together as a three day course. And that's when it started to get a bit too technical, and that's when I was brought in, as someone that could sort of see both sides. As a professional director, I know what it's like to sit in a boardroom and receive these reports. I'm used to being a consultant that is giving those reports. And I've been a CISO, and I've been the one generating those reports. So I see all the different angles.
It began that interesting journey, and I co-authored it with my business partner, Mark Wallace. And we worked for three or four months to take the headings, the Data61 areas of content, and we translated that into what the directors need to get their heads around, and how do boards tackle this problem. And they don't have to manage, they need to do oversight. And it's one of the big lessons. We often see boards, even today, delegating this to management.
The technique we use is, if you look at the Occupational Health and Safety world, we've got three decades of corporate knowledge. We have an organizational risk where we could kill people; there are catastrophic outcomes for that risk. We've got an organization that has a culture, we've got to change that culture. We've got cyber, which can generate a catastrophic risk for business; we've seen organizations essentially maimed because of cyber impacts. It's still predominantly a people problem, but there's a huge technology connection in there. So we tried to go through and figure out how do directors and organizations leverage the skills that they already have. Because most directors that come to our course are very well versed in how do we deal with operational risk, especially the oversight of it. We try and figure out how do we use your existing skills, but apply it to this? I can't say new, because it's been around for a while. How do we apply those existing skill sets to this realm of cyber, which does look very scary, very daunting and quite challenging? And it's consistent feedback from people that come on the course: cyber is a broader problem than they originally thought. A lot of directors come on the course still feeling they're going to learn about the technology aspects, and we hardly touch on them.
Louisa V 17:10
Do you think that's because we've set their expectation as an industry, or maybe it's the media?
Jason Wilk 17:19
I think it's the media, the fear, uncertainty and doubt that's created. There is an expectation that the problem is a technological one, and the solution is therefore a technological one. Yeah, and I don't believe that's ever been the case, and I remain to be convinced otherwise. But it's still one of the things: when we broaden their perspective of what do we mean by cyber, it's not just the IT, it's the IoT, and it's the people. And it's the breadth of it and the scale of it. It's not just your organization, it's all the organizations that you deal with, that they deal with. There is this huge ecosystem, and we're accountable for it. And it's scary, except when you go back to the 1980s and you look at the journey directors had to go through then, when they were being told you can go to jail for negligence in occupational safety. That was a huge societal problem. We can train everyone in the organization, but then someone new comes in. It's that problem, but we as a community and we as a society, we solved that. And I think that's our next step in the cyber realm: to see beyond our organization's borders, and to think as a society about the cyber issues.
Louisa V 18:43
So you mentioned that the boards have come into those courses with the perception that security is a technology problem. Is there anything, without breaching confidentiality, is there anything or any insights you can share about what else they were saying about cyber security, or anything that the cyber security community could learn from how they're feeling about their interactions with the cyber security community? Bit of a long question,
Jason Wilk 19:09
Feel free to unpack that.
And we do operate the course under Chatham House Rules. Yeah. So I can't get too specific. But we've been running it for a couple of years now all over Australia, and there are some very consistent things. Directors by and large don't understand the breadth, and the fact that one of the ways of addressing cyber is leveraging existing control systems and governance structures. Turn to the Occupational Health and Safety people, and ask, well, how did we change the culture back in the 80s and the 90s? What worked, what didn't? That tends to be a consistent thing. One of the other things that we also find is a bit of a surprise is the amount we talk about emotions and feelings, and how often in technology we focus on: we need this technology to do this for our business, and we test that it does it. But then do we test what happens when it goes wrong? And we might test how does the system fail, but we're generally testing it against our business objectives. But it's the powerlessness, emotionally: if this fails, how will this emotionally impact staff, customers, their suppliers? And I think that connection between the technology world and the human being world, I think we've still got a way to go. Yeah.
Louisa V 20:46
And moving on, talk a little bit about culture. And we often hear that a good security culture needs to start from the top down. So from the board, executive level down. Do you think the boards and CEOs are ready to set that culture for a good security culture? Or is there still a little bit of a way to go in their understanding of how to do that?
Jason Wilk 21:10
I'd like to challenge you on that.
Louisa V 21:12
Go for it.
Jason Wilk 21:16
We get a fairly consistent pushback when we talk about cyber culture. Lots of organizations have spent time thinking about their organizational culture. And directors in particular get very nervous when we start talking about a siloed culture. And I agree with them, I get nervous. I have to talk about our cyber culture. But I actually get it when directors and senior executives push back and say, 'Why do I need another culture? An organization should have one culture.' Now, before any of the cyber people jump down my throat, I get it that in the cyber world, the behaviors actually sometimes need to be different. When someone walks into our branch, we want a certain culture, we want certain behaviors that are welcoming and customer support. When someone comes to our organization digitally, we still need that 'we want to help you', but we need to have a lot more distrust. We need that verification up front. And it's sometimes called zero trust. But one of the things that is a consistent theme: having a cyber culture actually starts you off on the wrong foot with directors, before you even begin talking about it. And this is a bit semantic, but we talk about cyber behaviors as part of the organization's culture. One of the things we're seeing coming out of the Royal Commissions, both into banking and the disability and aged care ones, is organizations are talking about this risk culture. And again, it's an organization's culture at the top. But then we want to talk about behaviors, and how do we make sophisticated risk based decisions. And this is actually a brilliant opportunity for our industry. We've got a whole sector in the financial services, and a lot of other industries, looking at how will they implement this more sophisticated risk culture. Cyber is one of those risks.
So we actually have a really good opportunity of organizations that are thinking about how do we improve our risk decision making processes, and a great plug for ISO 31000, the 2018 standard: it talks about how do organizations use risk management to make more sophisticated business decisions. And that is a perfect lever to get in for the cyber people and say there's cyber decisions that have to be made. And it's not in the boardroom and it's not in management, it's actually right at the coalface that those sophisticated cyber decisions need to be made. Sorry, that's okay, let's be clear: we need cyber decisions in the boardroom, management and frontline. But this is a great example, when a board is building this cyber risk appetite, which is an extension of their corporate risk appetite. One of the things I'm constantly pushing is, how will that cyber risk appetite be consumed by people at the coalface, when it's written by executives for board and executives in very big, generic terms? We often find that we need that translated for the everyday person that is an employee that wants to come and do the best job that they can do, and then go home to what matters. And they have to translate, and they come across these scenarios where they have to make a cyber decision, and the guidance is still quite esoteric and engineering. And that's a really powerful thing, to consider them as an audience for a cyber risk appetite, and involving them. And we've done this: we've gone out and asked them and said, when do you need guidance to make those decisions? And that question is brilliant. The responses you get back are quite insightful. And for someone that's been in the cyber industry a long time, it's really interesting to get people that don't understand what we do to give their feedback on when they need to make decisions related to my world, and those circumstances. And it's always surprising.
Louisa V 26:07
So one of the much debated items we hear today is about the reporting line of cyber security. So I would love to get your thoughts on this. Because, you know, we hear that, for it to have true impact, the chief information security officer should potentially not sit under IT, under the CIO, that they should sit somewhere else in the organization, because there's potentially a conflict of interest with those availability targets that a CIO might have. I would love to get your thoughts on this, because I'm sure you've dug deep into this one in past conversations. And yeah, you've been a CISO. So what are your thoughts on that?
Jason Wilk 26:54
So my first one wasn't siloed. Back then it was head of IT security reporting to a facilities management manager, who reported to the CIO, who reported to the CFO, who reported to the CEO. So that was a long way down. From a director's perspective, this is actually a really easy one to answer: have you had the discussion in your organization? As a director, that's all I need to ask. Has management actively thought about this?
That's not something I see commonly.
The discussion as to where it should sit, I think we in our community talk about it a lot. I'm not sure that the CEOs of the world focus on it terribly much.
It's one of the things that I think directors take away from the course. We actually do a whole exercise on it. Where should it sit? What are the pros and cons? And I think it's that, how do we balance the performance of the organization with the conformance, and as directors, that's where this discussion needs to occur. And I think one of the things is that, if we want to make this not just an IT problem, and for all the CIOs out there, giving up a little bit of control to broaden it can sometimes work in your favor, in the sense that when the big thing happens, it's not you walking out the door as the resolution, you being the only point of call. But one of the things we find, and I think this is a genuine change in the last year, we are definitely seeing traction across all of the business unit type leaders. They know this is a problem, they've been hurt, they actually want to do the right thing. Last year we saw the financial institutions really focusing on this; this year I've certainly seen a huge, huge focus by the utilities and the transportation type organizations. There's been a real focus on how do we structure this right, and how do we make it not just an IT thing? How do we make this everybody's problem and everybody's the solution? So where should it sit? And I think the answer to that is a discussion in the organization, with this concept of how do we find the balance between not just being about command and control, how do we involve everyone else in the organization, and how do we get the business to have some agency. Because for me, if moving it out of IT into anywhere else is going to foster the business people, the people that own the information, that are in the relationship with the customers, is going to give them more agency, that's where it should live.
Louisa V 29:59
And Jason, what about shareholders? I'd love to hear from you whether, in your conversations with directors, shareholders are asking questions about data breaches. Is this even on their radar right now? Or have they got other things that they are worried about, asking questions about?
Jason Wilk 30:22
I can't say that I haven't heard them mention it. But I think the focus is still very much around CEO remuneration, remuneration reports, how we're going to deal with carbon tax, how we're going to deal with the environmental aspects. I think what's on their radar is different. Until an organization gets hit, and then the questions come.
Louisa V 30:49
Do you think it's that data breach that actually drives the questions from shareholders?
Jason Wilk 30:55
Yeah. When we look at it, the Equifax one in particular.
Even then, yep, huge blowback from the shareholders, because it was a big impact on the organization. I think this is one of the things that, for me, connects back to an area where I think one of our regulators is not quite spot on. I still don't believe that cyber in itself is a material risk to the organization. And I think the shareholders and other activists are kind of in that space. And let me be clear, we see cyber risk as the vector, the way in to hit fraud, reputational risk; those are the things that will truly impact the organization. And cyber just broadens the geographical inputs, and it increases the speed and the velocity at which things happen. But by and large, the risk of cyber itself tends to be a bit low; we see it as being control weaknesses or strings in the other corporate risks. And I think, probably not intentionally, but just the fact that CEO remuneration tends to be the headline grabber at the moment, and the environmental impact, I think those are the spaces that shareholders get active about.
But that's not to say it's not coming.
Louisa V 32:27
And Jason, some recent research here in Australia, and I think there were about 1800 organizations surveyed, found that around two thirds of Australian businesses don't have a cyber security professional on staff. And we'll put the link to that research in the show notes. But I'd like to understand from your perspective, what would you be advising they do?
Jason Wilk 32:47
Can I broaden and twist the question subtly, of course? One of the things in our experience that is the constant question is, you're always talking about boards and large corporations that can throw resources at this if they deem it a high enough priority. What about the rest of us? What about the not for profits, the small family businesses? And we know that a one person business is just as at risk as a large corporation, but we outsource technology, we're dependent on them. How on earth can we deal with this? And that tends to be one of those really hard questions. There's a wide range of advice out there on how does the small business deal with this, and the fundamental principles that a corporation uses apply perfectly: the governance of cyber. And if you're thinking about, you know, sort of a 10 person not for profit that outsources their IT to an IT provider, what the executive and the board think about is exactly the same. It's: do we know what we're trying to protect? What are we protecting it from? How do we do that? And how do we recover? It's risk management. What are we at risk from? How good are our controls? We have to stop thinking this is a big problem; it's just another operational risk. A small business is just as liable as a large business for killing their staff. But we deal with that, we think about it, there are norms, there's guidance from regulators, and for a 10 person not for profit, the controls that they implement around operational health and safety are not the same as you would see in a large corporation. But the risk is the same. We think about it, we just can't implement everything. But in that cyber sphere, how do we deal with it when we don't have a cyber security professional? Take the word cyber out. That's my number one tip for anyone that's an executive or director: drop the word cyber. That thing, how would I do it in a normal corporate sense? If I'm thinking about a risk to my business, what's the likelihood?
What's the impact? How do I reduce those to a point where that's the best I can do? And as a director, that's delivering on your fiduciary duty. As a manager, that's when I then turn to my outsourced IT service provider, and I ask them the question, how would we recover? And I'm not talking about backups; that's where they'll go. But come back to the human side: how will my staff continue working? How will my customers be impacted? And what could we do? And you know what, sometimes you can't do anything about it, because your organization doesn't have the resources. But that doesn't mean you shouldn't think through it. And there are dozens and dozens of guidelines out there that lay that simple concept out. But again, a lot of people don't go there, because they see the word cyber, they get a mental block, go, 'I don't understand that.' You don't need to; it's just yet another operational risk.
Louisa V 36:06
That's fantastic, common sense advice there. Jason, thank you so much for that. And we are almost out of time, I'm really sad to say, because there's so much more we could talk about. But maybe as our last question: from your wonderful and insightful perspective of having one foot in the boardroom and one foot in the cyber security camp, as we call it, what do you think the cyber security profession could do more of to help boards better understand cyber security?
Jason Wilk 36:35
Easy one. It's straight back to: we've got an obligation to make sure that, from a technology perspective, we're continuing to deal with the technology challenges and issues. But I think as an industry we've got to broaden, we've got to be thinking about the impacts our cyber controls have on the operational performance of our staff and third parties. Because I've seen so many large corporations say to their small service providers, 'You're putting us at risk, you have to have all these controls in place,' effectively making it impossible for small businesses to work with large corporations. And that's a human problem. We have to think beyond our business and here in our supply ecosystem, and we have to think about the societal impact. And I think that's our next step. And the thing that I constantly go back to is, this has all been done before with the Occupational Health and Safety journey. And when we were building the course, we went back and we started to find all these wonderful stories about organizations and peak bodies responsible for occupational health and safety: how did they deal with changing society? And so the lessons have been learned. And we've got this generous history to go back to and say, this worked, this didn't. Some of the most senior people in occupational health and safety have got amazing war stories that they willingly volunteer when we in the cyber industry partner with them. Great story from a customer. We had a technology team that had got a budget to go out and do a huge cyber awareness program. And at the same time, the occupational health and safety people had gotten a huge budget to go and do a huge one. Those two were going to clash; staff only have so much bandwidth. And what was fantastic, we got both of them to come together and pool their budgets. And it was much more effective, because they were able to get out and do road shows and talk about digital well being. And that's a term we use a lot.
It's not just physical well being and mental well being, it's digital well being. It's that journey that most staff instantly get. And it's the pitch we have: it's organizations talking about their duty of care to the digital well being of their staff and their customers. And when we put it in those terms, people not of our world go, 'I understand what that means, I understand what the well being stuff is.' And it's a great question: does your organization's EAP program, if one of your staff rings up and says my kid is being cyber bullied, or I'm being cyber bullied, does your EAP service provider have the ability to provide cyber assistance to help them through? And you know what, this is a great one: put out a training program on how do you deal with Facebook and Instagram privacy settings. You might block Facebook and Instagram on your work systems, but your staff are (a) addicted, (b) struggling with it, because we all struggle with how do we exist in this digital ecosystem. Those courses are oversubscribed. And a really sophisticated trick is get them involved in dealing with their cyber well being at home, and then show them how, if they're making sophisticated cyber decisions at home, they'll bring that to work. And that's the final thing that I think is a learning point. Research is showing here in Australia that most people know this is a problem, that everybody knows cyber is a problem, but we're still not seeing everybody making sophisticated cyber decisions and exhibiting sophisticated cyber behaviors. And that's where we've got to lift everybody's game as a society, not just in my organization. And again, we've still got to do all the technical controls; that stuff is critical and important, and we can't not do that. But I think our field needs to broaden out into how do those human behaviors and those psychological aspects and feelings work. And quite frankly, this is not where technologists have been the strongest in the past.
But how do we deal with those human feelings in this really complex world?
Louisa V 41:13
Jason, thank you so much. I really feel like your unique insights are going to bring so much benefit to our community. Thank you for coming and joining us in the cafe today. Just one last thing: how can people follow you or get in touch if they'd like to chat to you more? Do they reach you on Twitter, or go to your website?
Jason Wilk 41:31
Yeah, so not on Twitter, not on Facebook.
Jason Wilk 41:36
Well, I have placeholders so no one can take my identity.
Louisa V 41:40
Good call there.
Jason Wilk 41:41
But I am on LinkedIn, under Jason Wilk. And our website is www.bluezoo.com.au.
Louisa V 41:51
Fantastic. Thank you so much, Jason.
Jason Wilk 41:53
And I think, Louisa, this podcast is truly fantastic. It's what our community needed. Wonderful initiative.
Louisa V 42:01
Thank you so much.