• Garrett O’Hara

    Garrett O’Hara is the Chief Field Technologist, APAC at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies and is a regular industry commentator on the cyber security landscape, data assurance approaches and business continuity.



Gar O’Hara speaks with Nigel Hedges, Head of Information Security at CPA and adjunct professor of cybersecurity at Deakin University. Nigel walks us through his journey and how that’s shaped his security thinking, his approach and mindset for building and iterating security strategies, his way of communicating cybersecurity to audit and risk committees, and the value of automation and machines vs the humans in cybersecurity.



The Get Cyber Resilient Show Episode #46 Transcript

Garrett O'Hara: Welcome to the Get Cyber Resilient podcast, I'm Gar O’Hara and today, I'm joined by Nigel Hedges, Head of Information Security, at CPA. Nigel is in security leadership with his strong foundation built as a practitioner. He's been in vendor land, customer land, and now leads security strategy for CPA.

And if that wasn't enough, he's also an adjunct professor in the field of cyber security at Deakin University. Nigel talks us through his journey and how that's shaped his security thinking, his approach and mindset for building and iterating security strategies, his way of communicating cyber to audit and risk committees. And we get into the value of automation, and ultimately the value of the machines versus the humans when it comes to cybersecurity, Skynet here we come. With that, over to the interview.

Welcome to the Get Cyber Resilient podcast, I'm Gar O’Hara, and I'm joined today by Nigel Hedges, Head of Information Security over at CPA, how you doing this morning Nigel, are you well?

Nigel Hedges: Yeah, I'm doing quite well, thanks very much.

Garrett O'Hara: Awesome.

Nigel Hedges: And yourself?

Garrett O'Hara: Yeah, good, it's a Friday recording, so I think everyone always has that little, little bit of Friday feeling going on, for them-

Nigel Hedges: Mm-hmm [affirmative].

Garrett O'Hara: ... And the weather's amazing here in Sydney today. So, one of those days where I'm definitely glad I, I made the move 20 years ago to live in, uh, in Australia.

Nigel Hedges: Yeah, it's really nice place, Sydney, [laughs].

Garrett O'Hara: It, it definitely, definitely is. So, before we get into it, uh, Nigel, like one of the things we always like to do is just to understand, from the guests, wh- how they got to where they are today. So, obviously you're sitting as head of information security at CPA, and, um, yeah it'd be good to hear from you just, you know what your journey was, how did you arrive at that as a position?

Nigel Hedges: Yeah, um, so I think I've, I've done a road less traveled. Um, when I started off, I, uh, I was starting off as a, uh, network administrator for a, uh, automotive, uh, air conditioning company back in the late 90s. Um, and, uh, from there, got an opportunity to join a company called VET Antivirus, which was Australia's, uh, leading antivirus, uh, uh, technology provider, software vendor, uh, which got acquired by Computer Associates in 1998. And it was from there that I spent five years working for a, a very large global consultancy software company, which is what CA was.

And, um, that really set me up, uh, to move into, uh, a pre sales, and sales engineering type of, uh, role, which I really enjoyed. I got to see the world, and travel around here and there, and, um, visit a lot customers and get exposed to a lot of different sectors, uh, within IT. Uh, and then from there, moved into the customer side, so I really wanted to explore a different side of the business. So I worked in, um, insurance, and state government for about three years, um, before getting itchy feet again, and returning back to, uh, the, the vendor space.

Um, and so did some more senior roles, uh, at that point, um, working for Kaspersky for three years, setting up the technology department, uh, IT, uh, the support for, uh, the consumers and also the support for, uh, the business across Australia and New Zealand, and, um, representing Kaspersky in, uh, uh, journalists and SME in the media for, for Kaspersky Labs. That was fantastic time. Uh, but really started to then think about moving back into the customer side again, so another, um, you know, yin and yang or tick-tock, [laughs], uh, and, uh, that really got me moving into the s- security architecture, and then through to, uh, being a head of information security at Computer Associates, sorry at CPA Australia.

Garrett O'Hara: A, a long and winding road.

Nigel Hedges: Yeah, [laughs].

Garrett O'Hara: Um, s- s- sales engineering, e- you just as you said, I, I mean I've, I've spent quite a lot of time doing that, it is, it's one of those... I don't know what your perspective is, it's like a funny job in that it's not something anyone, I think grows up thinking, "I wanna be a sales engineer, or do pre sales." But it is phenomenal, you know, now you get to travel a lot, you get to fe- I, I feel like you get a sense of both sides of, you know the, the, the business, you know the business side, and then the technical side at the same time.

It feels like it's a, a pretty unique and lucky position. And it feels like a really good sort of foundation, I don't know what your thoughts would be for, you know, f- f- further conversations later in a career.

Nigel Hedges: Yeah, I, I think that's why I enjoyed it so much. It was the facilita- facilitation between, uh, what was effectively a, a customer that usually, usually approaching, you know, a problem from a... You know, a problem and, uh, technical, um, requirements. And then working with the, the sales part of it, which is, you know, obviously trying to get a good outcome for the, their company. So, um, the sales engineer role for me was really helping two, uh, different people speak the same language, [laughs].

Garrett O'Hara: Mm-hmm [affirmative].

Nigel Hedges: Uh, and so that's what I really enjoyed about it. It was, uh... Yeah, um, working to get the customer to understand, um, you know, the, the offering was a fit for them. Uh, and, uh, I think that does allow you to some really good exposure to problems that are happening, um, on the client side.

Garrett O'Hara: Yeah, I definitely get it. And look, as I kind of look through, and, and sort of hear your, your resume, you, you've spent time when you think about it really at all levels of security. You know, you've been a, a practitioner, and right up to kind of more at the strategic level and, and leadership as you say.

It'd be great to kind of pick your brain just on, on, how do you... Like, what, what have you seen changing your thinking and the things you consider as you move from, somebody who's maybe more on the tools and, you know in the trenches if you wanna put it that way, and then to the point where you're now heading up, uh, information security functions and building strategies? Probably have a lot more, [laughs], anyways weight on your shoulders. Like has your, has your thinking and approach changed over time?

Nigel Hedges: Um, I think probably the largest bit about that is that, when you start off as a, uh, as a technician, um, it's f- quite often easy to see the world as a black and white thing. Um, so, yeah, you walk into an environment and you see a whole bunch of vulnerabilities, and you say, "Why are these, why these things here? Why hasn't this been fixed already?" You know, and, and you, you sort of go, "Wh- there's no reason why this should be the case."

And then, as you dig a little bit deeper, you realize that there are lots of different things, competing priorities, uh, there's resource constraints, there's, um, legacy applications that re- rely on a piece of software to be stable, and be on this particular version, and if you change it, everything breaks. You know, and all these types of different things, um, start to play out in, you know, complex environments. Um, you start to get an appreciation for why sometimes things aren't as straightforward as just going ahead and fixing something.

Um, so as I've moved from being more of a technical person to, you know, go into more into the leadership side. I suppose it's been, uh, seeing that we are operating in a fairly gray world sometimes, uh, and, um, and just being a bit more co- cognizant that if you come across a problem, um, you know, just st- take a step back and say, "Well, am I seeing complete picture here? There has to be a reason why this is the case." And so it's just being a little bit more measured in, in the approach, yeah.

Garrett O'Hara: Do you feel like that's something that plays out in the media, and the reason I say that is, when I, I think back to things like Equinix or there's many breaches I would say where a finger gets pointed at the security leadership, uh, [CXO 00:07:57] and the questions get asked, "Hey, why, like... This is ridiculous. That thing wasn't patched." But you just raised exactly why it isn't patched quite often, it's that there's legacy systems, and by fixing, you know, this vulnerability or doing something that changes a, a piece of software, or a platform it breaks a bunch of other things, and there's a cost to the business that's too, too big.

Nigel Hedges: Mm-hmm [affirmative].

Garrett O'Hara: I, I feel like we don't, [laughs], really do a good job of that in our industry, I th- is that a fair comment? Maybe I'm, maybe I'm wrong there. But I just feel like sometimes I've heard reactions to breaches and questions around patch programs where that's not really the reality of, of a CXO. You know, I think CXO understand they need to do it. But, you know people like you are fighting in the background to get budget, to get buy in, to not break a bunch of other things. Is that-

Nigel Hedges: Yeah.

Garrett O'Hara: Am I... What do you think?

Nigel Hedges: Yeah, no, no, no, I, I agree. I think, luckily I think things are changing. I think that if you asked me, um, 5 or 10 years ago, I would have said a lot of the security managers, um, were, you know, fall guy type of position, fall girl-

Garrett O'Hara: Mm-hmm [affirmative].

Nigel Hedges: ... um, where, uh, it was an element of, uh, if there was to be an issue, um, they usually are the first to, uh, go out the door, [laughs]. Um, and I think what I've seen is, uh, multiple boards now take on better ownership of cyber risk. Uh, they want to, uh, be a lot more aware of the issues. Um, they're not putting their heads in the sand and expecting the problems go away, and I think that accountability, um, is a real positive. Um, and so when there are issues, uh, and, and, you're, you're obviously this out in the market place, um, uh, today's I think there's a little bit more at the more senior levels, as to when these issues happen.

Um, and yeah, like I think that, um, patching is, uh, is one of the fundamentals, people are starting to revisit the fundamentals and say, you know, "We all have all these fancy technologies in the world, and CASB and whatnot, but are we actually do the fundamentals right?" Um, so definitely seeing that, uh, change in philosophy, at the board level.

Garrett O'Hara: Yeah, [inaudible 00:10:09] and like, like as you think about it, you're, you're sitting in, in a position where you've got to create security strategies, and so obviously get buy in, and, and, and do that stuff, look, as you work through that, so either creating or iterating on a security strategy, what's, like what's in your head, what's your attitude as going into that piece of work to, to start with?

Nigel Hedges: Yeah, I, I think about, um, like my process, um... It's really... You sort of can't go in here with a pre conceived conception about what is security, because every environment is different, it has different things you need to protect. And, uh, you know, you can't compare, um, you know, membership organization to say a, a health organization or hospital where, you know, lives are at stake. Um, so the, the, there's, there's different value, um, attached to what you're trying to protect, and utilities and, and all sorts, so forth.

Um, so it's really understanding the, the strategy of the organization. So for me that was really one of the first things that, you know, I do, is I look through the, uh, integration reports, the annual, uh, company reports, uh, the corporate strategy, um, to understand the focus, the, the mission and the, and the values of the organization. And then, once I understand that, um, try to connect, uh, security, business architecture or, or principles to those things. Like how would security help that, um, you know, if, if protecting the reputation of the organization is so important, then what are we doing to make sure that, um, integrity is a core security value, and, um, then flow it down from there.

Um, because when you join an organization, it's not always a green field, so there's things that are there. So the next step is really doing a gap assessment, and that typically takes any, um, security manager, or head of security about two to three months to really do properly. Um, and then work out what are the, the gaps in the environments, uh, that need to be addressed.

Uh, from there, uh, really about putting in a bit of a, a roadmap, um, the first year is quite technical, so it's a little bit e- easier to see what's going on. But as we saw from last year, [laughs], you know, halfway through my three year plan, we had the pandemic and that shifted a lot of priorities and, and changed the view. So being able to, uh, take a, a moment halfway through the program and, and revise and, and make sure the strategy is actually still, um, able to address the ongoing challenges of the organization is a- is another important aspect. Um, and really, I mean, there's a few steps in there as additional, but as you get towards the end of that project, it's really about the, the lessons learned.

We don't always get this right. Um, and there's always things we could do better. So, you feed that into, um, the process, you consult with as many people as possible. What I found is, you know, engaging with developments, engaging with infrastructure, different parts of the IT functions, be part of that security strategy, and to provide the input, um, means you get a richer, uh, experience for the next round of, uh, strategy.

Garrett O'Hara: So, okay, you got, uh, you've got a couple of follow on questions coming based on, on things you've, [laughs], you've just said there. So, first one would be around, you mentioned COVID as a point where you'd iterate on a security strategy, you, or, you know, your, your plan that's in flight. Outside of COVID times, like is there are there catalysts or things that will happen that will make you stop and e- re-evaluate where you're currently at? Um, and then, part of that is on a natural cadence, if nothing, you know... if, in a perfect world, nothing happens in the course of your, kind of three year plan. Is it three years? Or like wha- what's your... When you're thinking about this stuff, what's the iteration, I suppose cadence, and, and what are the things that would maybe make that shorter than it normally would be?

Nigel Hedges: Yeah, I suppose, it is a three year view, I think that's something that's achievable, um, a sort of, think of in terms of culture, I think that, uh, changing a security culture in an organization takes about three years. I think getting the best of investments can sometimes take around three years.

Um, if you need to make a change from a, a legacy technology to a new one, you're gonna spend probably the first 6 to 12 months, uh, getting it stood up. Um, probably another 12 months, uh, trying to get efficiencies, and then, and then you're sort of laughing, you go to the next 12 months of, of having the technology sing for you. Um, but things change in our IT area so much, [laughs], then after three years, some of those technologies are no longer, um, relevant, or changed significantly. So it's good to be able to evaluate.

Um, I think the threat, external threat, um, intelligence is also an indicator. Like we have had other changes in our environments. Um, before 2003, it was all about payloads and viruses making lots of damage, and then he got sneaky after that, you know a lot more stealth, and adware, and, and then organized crime moved in the scene. So we've had, we've had these sort of like generational changes, and it's just got faster and faster. Um, seeing the, um, the speed in which ransomware has become, uh, such a significant way of, uh, of, uh, of attacking organizations. Um, so they're the kind of impetuses for why the change of a, a program, um, yeah.

Garrett O'Hara: Yeah, definitely, definitely, get it. You mentioned working more broadly in the organization, as you're building out that strategy, it's a, it's theme I'm hearing more and more, is, you know, security leaders also being, I mean really, business leaders and having peers in an organization, you know, creating ambassadors for the cybersecurity programs, security, um, advocates, whatever you wanna call it. What's your approach is there like, a- a- as you kind of think about your role in CPA, you know, building those relationships, getting buy in, how do you, how do you approach that in, in your role?

Nigel Hedges: Yeah look, I, I think most businesses aren't in the business of doing security-

Garrett O'Hara: Mm-hmm [affirmative].

Nigel Hedges: ... unless you're a security vendor, [laughs].

Garrett O'Hara: Yeah, [laughs].

Nigel Hedges: Uh, and, uh... So therefore it's, it's not really realistic to, to have a, you know, a massive team in every organization just focusing on security. Um, what is more effective is if everybody's wearing the security badge on their jacket, you know when they go to work.

Garrett O'Hara: Mm-hmm [affirmative].

Nigel Hedges: Um, uh, you know I, I've often, [laughs], mentioned the, the scenario that, um, you know, many, many millennia ago, there were no doors in the front of caves, but so- at some point, somebody just decided it's all, uh, uh, it's all a door, and then folks were like, "Well, what are you doing that for?" And, and, uh, and suddenly that became the norm until we don't even question that now. Everyone knows we have a door and we lock our front doors, you just don't even think about it, you just do it. So, you know, when you can get your workforce to have that type of thinking where security is not a stretch, security is not something that people-

Garrett O'Hara: Yeah.

Nigel Hedges: ... will have to go, "Oh, God, I have to another, uh, annual, uh, compliance video."

Garrett O'Hara: Yeah.

Nigel Hedges: Or, you know, some kind security awareness training. Like it's something that they think of. Um, that for me, is, is really, really important. So reaching out to the executives of different functions, you know, marketing, and member experience, and, um, education, um, finance, uh, I found that they're all too, um, eager to allow you to come in and do a little presentation, or, you know, a discussion with the teams at their team meetings.

Garrett O'Hara: Mm-hmm [affirmative].

Nigel Hedges: It keeps it interes- interesting for them. Um, and, uh, and that probably brings me to the, the next point, is that with security, it's... It can be dry, so you have to really think about ways to make it engaging and interesting, and put a little bit of humor into, uh, the approach, yeah.

Garrett O'Hara: Yeah, definitely. I think there's, there's big conversations around that, um, that change in security awareness trainings. It's good to hear that's kind of landing. When, when you're building this stuff out, you know, we live in an imperfect world, stuff goes wrong, what's... Not necessarily the CPA, but just broadly in your career as, as you think back, where you've been involved or have led this sort of planning and execution of security strategies, what are the gotchas, what have you seen go wrong?

Nigel Hedges: Yeah, I think, um, what can go wrong, is if you have not correctly had a, uh, had a good conversation with, uh, the IT leadership, uh, to get them on board with... And feel the, feel the pain of the, of the risks. Like if you, if you haven't successfully had that conversation, then everything's gonna be really hard to, to, to sell. Um, you need to be able to a- a- establish that you can talk business speak-

Garrett O'Hara: Mm-hmm [affirmative].

Nigel Hedges: ... um, because if you can't talk the business, and you only ever talk technical, then you just gonna confuse, uh, upstream management. Uh, so that's where I've seen that not work very well, is when you have heads of security that go in front of a audit risk committee, uh, and they talk about how there's, you know, 60 billion firewall logs that were hit on the firewall over the month of, you know, March. And, I mean the board just don't care about that, they don't even know what that means. So, that's where you lose, uh, credibility and that affects your ability to position the strategy, um, especially when strategy is usually come with a price tag, [laughs], you need to, you need to execute on the strategy, it needs funding.

Garrett O'Hara: Yeah, the stuff is never ever free hey. So, uh, look, I'm gonna dig into that a little bit if that's okay.

Nigel Hedges: Yeah, sure.

Garrett O'Hara: When I think about... You know, you've talked about security strategies, but that's gonna play into an overall organizational risk strategy, so you know, you've... The things that we're used to, right? So far as floods, um, crime, all of those things, economic, macro economic changes, what's gonna mean for business, and all the things that go into planning at a higher level.

My sense is that everyone can point out afar, we know what that looks like, a flood, you know, we might not have b- lived wi- through one, but you, you kind of know, [laughs], you've seen the, the stuff on TV. But cyber security, it feels like you, when you see it, it's re- you know it's the ridiculous, um, CSI version, where it's all bits and bytes and people are using VR to do, you know, amazing attacks that don't make any sense through, you know, VB macros and blah, blah, blah.

How, how have you managed to plug that gap from, I suppose, what, what is essentially abstract from most people if you're not living and breathing this stuff, it's bits and bytes ends, most of the things, I think, in our industry would be very confusing, even in our industry, you know I'm in it and there's times where my head is, [laughs], is spinning-

Nigel Hedges: Mm-hmm [affirmative], mm-hmm [affirmative].

Garrett O'Hara: .... because of the impenetrable language, and just the complexity of some of the things that we talk about. Uh, what's your approach when you go into like an audit risk committee, and you've got to present to them in a way that somehow is meaningful, when the concepts behind it are, are so, so abstract sometimes?

Nigel Hedges: Yeah, I, so, I think firstly, um, it's probably the approach, adjusting the approach first. So, um, to answer that question, I think it's to, to come in with that knowing that cyber risk is just another form of risk-

Garrett O'Hara: Mm-hmm [affirmative].

Nigel Hedges: ... That you, that you get that. That you're not trying to suddenly elevate cyber as being the most important out of it. Just, just like you said, you know, fire and, and other types of risks to the organization, are equal if not more important than, than cyber sometimes. So, uh, just going in with a level, level head is, um, is, is firstly very important.

Um, I think in the last decade, the job's got easier to translate that, because it's just so many examples of companies being breached, uh, that you can pick any of those and say, "This happened." You can pick an example of times that has happened in your own industry, or in your own geography, um, or in a similar sized organization. There's something that can shape it that can resonate with the organization.

And then, when you say, "This happened at X, Y, Z and it caused a data exfiltration, and they're still dealing with it, it's cost this much money." They're gonna ask questions like, "Could this happen to us?" It's always the next question, [laughs].

Garrett O'Hara: Mm-hmm [affirmative].

Nigel Hedges: And then, um, you know, it's a, it's a little more translatable I think, when you've got that examples.

Garrett O'Hara: Yes.

Nigel Hedges: Unfortunately, it's just the case that there's so many things going on out there at the moment that, uh, yeah, there's, there's real life stories, war stories to, to relate to.

Garrett O'Hara: Yeah, it's a, a really good point, the, the logos that everybody knows and loves, you know, hitting the news, and, um, yeah watching the impact of businesses. Yeah, um I, I definitely get it. Um, maybe le- let's pivot a little bit in the, the conversation and let's talk about, I suppose the, the new rock and roll in some ways, the thing that I've heard mentioned and spoken about as, as our savior in some ways, and that's really the, the sort of relevance or the future potential for security automation, and obviously driven by a bunch of different things.

So, a shortage of talents and, and an avalanche of threats, lack of time, and you know I suppose also just when you're trying to reduce the risk window through automation, the mean time to, to, uh, detect and respond. I suppose a, a, a pointed question, like how real, how real are the benefits of, like for automation? Is it, is it, in your opinion, a real thing?

Nigel Hedges: Yeah, I, I definitely think so. Um, I think for not only small organizations where 24/7 coverage and SOCs are a bit more, uh, harder to, uh, financially realize. But also the larger organizations that have, you know, multiple SOCs or augmented SOCs, an internal, and then external that supports that s- that SOC, and rotation in different geo- geographies and time zones and... It's all very expensive.

Um, but beyond the expense, it's just that, you're still dealing with, um, with, with people. Uh, and, um, you know, their mistakes are made. But I believe that, um, automation, uh, is a really powerful thing. I think that, um, if a account compromise happens at 3:00 a.m. in the morning, uh, automation picks it up, and then deactivates the account, and sends a notification to that person's manager, or whatever the processes is, uh, and that gets kicked off in the morning. I mean that's happened in close to real time, as opposed to somebody detecting that in a 24/7 SOC, uh, which still has merit by the way-

Garrett O'Hara: Mm-hmm [affirmative].

Nigel Hedges: ... Um, I'm absolutely not suggesting the SOCs that are valuable. But I think you just get a lot better bang for buck out of automation. Um, it is also very hard to do. Um, you know, there's these platforms that are getting better automation, um, but, uh, there's a still a bit of work to do to, to, to bring that on parity, I think.

Garrett O'Hara: Yeah, I definitely get it. And then one of the things I've seen is, I suppose a, a, a... Well, it feels like a more rational or realistic approach to the outcomes of a SOAR, for example. And, um, I think was Ernst & Young had a article to f- a little while ago now, but they talk about the, the reality I suppose of getting to a place where SOAR is meaningful to security operations, and it isn't quick, and it does take fairly well documented and well understood response playbooks.

You know, you can't automate everything because you know... And you're... so people can see you're nodding on video, [laughs], but, uh, the, um, like the reality of the potential for huge amount of false positives, or things that are actually really detrimental to the business if they're automated. Um, what are your thoughts on that in terms of like timeframes, and I know every company is different, every organization is different. But things that maybe you've seen work really well from an automation perspective, or things that maybe, maybe you're thinking about?

Nigel Hedges: Yeah, for sure. Um, so, we recognize that, um, everyone get better at incident response, so, you know, we revised the last 12 months our response plans, and, uh, took a fresh look at the, the core risks that we felt from a site perspective would be major incidents, and that, uh, kicked off a bunch of a, a half a dozen or so playbooks, uh, development. Um, and then from there, having the playbooks, you can look at, uh, you know, what can we automate?

Garrett O'Hara: Mm-hmm [affirmative].

Nigel Hedges: Um, so, there's been some good quick wins, um, you know when you think about, um, phishing attacks, um, and, um, delivery of ransomware, malware, uh, via phishing attacks, and so forth. Um, most of the time, the really good, uh, platforms out there for email security, uh, that filter all that stuff, that's wonderful, but there's no silver bullet. So occasionally things get through.

Um, and it's what you do when that happens, so there's another 144 emails that come through on a particular day, s- s- sent through to a whole bunch of people in your organization. And you, uh, get a report from somebody, uh, two minutes later saying that email is, uh, is cooked, um, is reported, uh, usually you have a person that then says, "Okay, I need you to remediate." They have to talk to infrastructure person who's always changing the exchange, uh, and rip out those, those emails from mailboxes, and that takes time, and in that timeframe, probably half a dozen people have clicked on those emails, [laughs].

Garrett O'Hara: Yeah.

Nigel Hedges: So, um, you know, looking at au- automation for those scenarios, it's something that we've looked at, and implemented. So, there is the ability for us to be able to, um, flag that as soon as possible. And then, because there is still risk associated with those things, um, you could potentially delete files, and emails that you sho- you shouldn't. So the process needs to be totally regimented and-

Garrett O'Hara: Mm-hmm [affirmative].

Nigel Hedges: And checked. Uh, and the same for, uh, dynamic firewall blocking rules, you know, if so- if some threat intelligence feed that you have detects a, a massive spike in activity from certain geography or a certain IP address that you wanna block from a reputational perspective, uh, that can be dangerous if you have, um, if you like crack a walnut with a sledgehammer, you know.

Garrett O'Hara: [laughs]

Nigel Hedges: If you've got the country, [laughs], to solve a problem and then half of your members, uh, from that country-

Garrett O'Hara: Yeah.

Nigel Hedges: .... um, you could, you could prevent real business. So yeah, you have to, you have to weigh those, um, a- with, with some sort of human element of intervention.

Garrett O'Hara: And I'm guessing as you've kind of moved up the ladder into what is now a senior, kind of leadership, do you run your, I suppose the appreciation of the end user impact probably gets bigger as you go along as well, you know, you know, [laughs], it o- or early comments, you know as you start, you look vulnerabilities, or you look at actions and it's black and white, it's like remediate, security, security, but actually it's sort of further into it, you realize the potential impact of productivity and availability of services etc is also part of, of good security.

Nigel Hedges: Yeah, absolutely. Um, I went to a good session a couple years ago now, where, uh, somebody whose business was, was purely on their website, their website was their business-

Garrett O'Hara: Mm-hmm [affirmative].

Nigel Hedges: ... And they were asked, you know, why they didn't do more for security, um, you know, to, to st- huge levels of security. And the person said that, you know, if we went all bang, we're spending money, um, there's, uh... The business knows that if we, if we put these features into the products, we will, we will have to have customers. And if we put security at this nth degree, um, then, it's certainly gonna slow down their ability to go to market and make money.

Garrett O'Hara: Mm-hmm [affirmative].

Nigel Hedges: So there's just a little bit of, you know, [laughs], reality around the business model that you have to ap- appreciate. Um, and as I said a little earlier, we're not in the business of, um, of doing security. Most organizations are e- e- in some businesses, you know, to satisfy the objective of the organization.

Garrett O'Hara: Yeah no, I definitely get that. And I suppose, thinking about the, you know, automation and you mentioned, you mentioned 24/7 SOCs and, and potentially having global presence, etc. where, where do you see the, the, you know machines versus humans landing, um, maybe short term and then as you think forward, 5 or 10 years, what, you know, whatever might be, what your... What is it that machines and ML, and its automation excel at? And then I suppose then the human side, it'd be good to get a gauge on, you know, where, where you think the needle is at the moment.

Nigel Hedges: Um, I think that we've come a really long way. I am really impressed by, um, machine learning, artificial intelligence, I wish I knew the answer to that question to be honest.

Garrett O'Hara: Yeah.

Nigel Hedges: Probably would make a lot of money, [laughs]. Uh, I, I d- don't know the answer e- uh, is, is my short answer. Um, uh, I, I think it's bounced around very, very quickly. Uh, I think it will always be a requirement to have human intervention.

Garrett O'Hara: Yep.

Nigel Hedges: Um, I, I just don't think it's possible, um, just, just in terms of doing due diligence, and having the guardrails in place to make sure that, uh, machine learning isn't used for, for nefarious purposes as well. So, um, think that'll always be there as a safeguard. Um, but it is interesting to see, um, uh, the developments in, in technologies that are using Python and, and different types of, uh, um, capabilities to really streamline, uh, integrations between one solution no- to the other, so the ecosystem is getting tighter and tighter.

Garrett O'Hara: Mm-hmm [affirmative].

Nigel Hedges: Um, and that's where I see, probably, uh, the best benefit. And it really, to me means that, um, it's important when investing in this security ecosystem that you're partnering with technologies, and vendors who have a very open kimono type of approach-

Garrett O'Hara: Yep.

Nigel Hedges: ... a- and not to get too locked into a, sort of a native, um, security type of arrangement.

Garrett O'Hara: 100%, I, I have had many conversations recently where it feels like the ability to integrate has become something that's bubbling up higher and higher in terms of priority when, uh, leaders are, and, and teams are kind of evaluating vendor platforms, security platforms et cetera. It, it feels like it's, it's changed SharePoint integration, integrability, telemetry, the, the richness of data has become much more important in, in general.

Nigel Hedges: Yeah, absolutely. Um, you know, I think that's 10, 15 years ago, we were still talking about firewalls being the perimeter, uh-

Garrett O'Hara: Yeah.

Nigel Hedges: ... And now ve- I can't remember who coined it, but somebody said the identity is the new perimeter, and that sort of stuck in mind. Uh, it doesn't sort of matter where you're traversing, um, it's usually a somebody's doing something. Um, so that really drove home a point that, um, for me a model where you have, you have networks, you have networks that people traverse across. You have endpoints where people do things, you know, data in use. Um, you have gateways where people come through particular technologies to do something, that could be email, could be the web, could be access platforms. And then tying that all together, um, you have some form of security monitoring, um, that could see all those things, um, as you, uh, do something on a computer, or traverse the network, or you use a gateway.

And then in the middle of that is a person doing all those things, so if you tie that together, and it's strongly degraded, um, I think it's gonna help with your mean times to detect or respond to incidents. Um, it's gonna provide a richer information, um, forensically, when stuff goes wrong, which means you can react a lot quicker and, um, uh, reduce the damage in terms of reputational damage, as well as just the cost of cleanup.

Garrett O'Hara: Yep, which is, is substantial, and it almost it, goes right back to the, the those big logos, you know, hitting the news and that's, that's what it's all about, is all the, the incremental changes, things we can do to, to pull systems up, to pull them together, and you know, ideally have, uh, people like yourself less stressed about the day, [laughs], the day to day, and the, the potential for, yeah, for something bad to go... To, uh, happen.

Nigel Hedges: Yep, everyday getting greyer and greyer, [laughs].

Garrett O'Hara: Yeah, [laughs], uh, we, we, we are. Um, Nigel, this has been fantastic. I really, really appreciate you taking the time out. Um, it's never lost on us that, uh, people like, like you're obviously very, very busy these days. So, um, appreciate it, appreciate the insight. So very much appreciated, and then thanks for joining us.

Nigel Hedges: Yeah, no problem, thanks for having me.

Garrett O'Hara: And a huge thanks again to Nigel for that conversation and as always thank you for listening to the Get Cyber Resilient podcast. Jump into our back catalogue of episodes and like, subscribe, leave us a review. For now, I look forward to catching you on the next episode.
