Cybersecurity in healthcare and how the Red Cross created cyber resilience after a breach with Laurie Joyce

This week’s guest is Laurie Joyce, Head of Security Compliance at The Australian Red Cross Lifeblood. Laurie has worked in counterterrorism intelligence analysis for the Victorian Police in Australia, and has experience in enterprise compliance and risk management across a number of organisations including his current role at Red Cross Lifeblood as Head of Security Compliance.

In an episode focused on healthcare, Gar and Laurie discuss medical device compliance, the challenges of holding highly sensitive personal health info, and the Red Cross breach which is considered by many as an example of a good breach response. Laurie also walks us through his work in the Reconciliation Action Plan Working Group which ties in nicely with the fact that it was NAIDOC week when this episode was recorded.

Note: There is a brief mention of sexual violence in this episode, please be mindful that this may upset some listeners.

Where to listen

The Get Cyber Resilient Show Episode #39 Transcript

Garrett O'Hara: [00:00:00] Welcome to the Get Cyber Resilient podcast, which was recorded during NAIDOC Week. I'm Gar O'Hara, and I'd like to acknowledge the traditional custodians of the land on which my feet are placed today, which are the Kayemai and Karegal people of the Eora Nation.

I'd like to pay my respects to their elders, past, present, and emerging.

This week I'm joined by Laurie Joyce, head of security compliance at the Australian Red Cross Lifeblood. We met recently on a cyber resilience panel discussion for health care. Laurie has had an interesting path to his current position. His degree is in fossil pollen analysis, but his career started with Vic Police, doing intelligence analysis and counterterrorism. He's been the CEO of Knox Basketball, he's done enterprise compliance, and risk management, across a number of organizations, and now serves as head of security compliance for Red Cross Lifeblood. Laurie is also a member of the Reconciliation Action Plan Working Group, which was a happy coincidence, as we recorded during NAIDOC Week.

In the episode, we talk about the nuances of healthcare, for example, the struggles with medical devices' compliance, and some of the changes coming from the TGA to help with cybersecurity. We talk about the challenges faced by health care organizations, given their relatively unique position of holding highly sensitive personal health info, and providing highly critical services.

We go through the Red Cross breach, which is held up as an example of a good breach response. Laurie talks us through what that led to for the organization, and the improvements that resulted.

We finish the episode with Laurie's work in the Reconciliation Action Plan Working Group, and note that there is a brief mention of sexual violence near the end of the episode, so please be mindful of that if it would be upsetting for you. Over to the interview.

Welcome to the Get Cyber Resilient podcast, I'm Garr O'Hara, and today I'm joined by Laurie Joyce, head of security compliance over at Red Cross. How are you going today Laurie?

Garrett O'Hara: [00:02:24] Welcome to the Get Cyber Resilience podcast, I'm Garret O'Hara, and today I'm joined by Laurie Joyce, head of security compliance over at Red Cross. How are you going today Laurie?

Laurie Joyce: [00:02:32] Great Garr, and thank you very much for having me.

Garrett O'Hara: [00:02:35] Absolutely pleasure. Uh, we got to connect on a healthcare panel recently, where it was yourself, Rosemary Cooper, and Sadeed Tirmizey. And, uh, I found the content really- really interesting, and I could see a little twinkle in your eye, so I was kind of keen to get you- get you on, to have a conversation, so thanks so much for, uh, for joining us.

Laurie Joyce: [00:02:52] Always a pleasure mate.

Garrett O'Hara: [00:02:53] How's everything going, uh, during COVID for you? Life, uh, going okay?

Laurie Joyce: [00:02:58] Yeah, look, we- we've been working from home since March. Um, our- our workforce is three and a half thousand people around the country, many of them still on the front line in terms of, uh, collecting blood, and blood products. And then of course, our scientists, and- and our, uh, processing people in our manufacturing facilities are still working.

But the vast majority of our, um, admin staff, including myself, have been working from home for the last, uh, six months. And- and- and like many, uh, organizations, we faced those really early challenges of being able to step up and, um, make sure that our- our staff can work, um, appropriately, and- and, uh, efficiently from home, so there were are a few challenges, uh, in the very early days, but, uh, it's largely gone seamlessly, it's worked really well.

Garrett O'Hara: [00:03:40] That's, uh, that's good to hear. So you're currently sitting as head of security compliance. Um, we always kind of start the conversation with just asking people how they got to where they are. And, uh, I had a look through your LinkedIn profile, I have to say, it's one of the most varied, and broad, se- [laughs], sets of experience, uh, I think I've seen for anyone, who's been on the- on the show.

Uh, it'd be lovely to hear your- your journey, how you got to where you are.

Laurie Joyce: [00:04:03] Yeah, you know that classic question about where do you, where do you see yourself in five years' time, for... that usually gets thrown at you at any job interview? I would've been wrong each time. So, um, uh, I- I'm, [laughs], I've got a degree in palynology, that's fossil pollen analysis, um, from Monash University. Um, uh, I sort of graduated back in, uh, a recession in- in the, uh, late '70s, early '80s, and couldn't really find a job in that- that field. Well, not surprisingly, there's not a lot of jobs for pollen analysts.

Um, but, um, ended up through a, um, a series of, uh, accidental, um, uh, opportunities I- I suppose, as- as a policeman, and, uh, s- spent 16 years with Victoria Police, much of that with the Protective Security Divisions. Uh, I was a hostage and [inaudible 00:04:55] and we did a lot of close personal protection. And- and, um, I then moved into another section within that, uh, division, uh, called the Counter Terrorist Explosive Information Service, at the time. Um, so I spent, um, uh, time there as a case officer, and then was in charge of the intelligence and the hostage section of the- the counter terrorist section, so, um. Got out, bought a business, business fell over, um, ended up, uh, spent a lot of time on, uh, basketball communities as my kids, um, grew and, um, got asked to be the, uh, chief executive officer at Knox basketball, which I- I did for six years. Um, ended up being sacked.

Uh, which is a whole nother story. But, um, the interesting part of that was, that a friend of mine, um, uh, whose wife had been on the board there with me, uh, not at the time I was sacked, um, rang me and asked me whether he could help me out at all. And- and I said, "Well, I hadn't had to write a resume for a while." So, we organized to meet a few days later and, um, I walked in, and he threw a job description at me and said, "I've got this role going at the moment." He was the, uh, chief operating officer on our myki project, our transport ticketing system, here. Um, he said, "I haven't been able to fill it, and I think you can do it. Um, have a look and see what you think."

Um, lots of double Dutch there for me, uh, Gar, I didn't have a clue what ISO meant, or, um, any of that stuff. So I did a little bit of research, and thought, yeah, I can have a crack at this. And, uh, they took a punt on me, and- and- and employed me, and I was there for, uh, a couple of years. Um, uh, then went to a- a start up, starting up a- a- a new data center in Port Melbourne, and the money from that fell over, uh, four months after I got there. And- and, um, an opportunity came up to, uh, work at, um, the- the blood service, you know, Lifeblood. Um, and I've been there ever since, so coming up to 11 years next month.

Garrett O'Hara: [00:06:44] That's a- that's quite a long time to spend in a role these days, which is probably a good sign, you know? Um, something- something's gone right there.

Laurie Joyce: [00:06:52] Um, I- I count myself as lucky to have worked with the organizations that, um, uh... if we talk about, sort of, a higher purpose, um, Victoria Police, uh, I- I loved my time there, would- wouldn't swap it for anything. Um, you know, I- I've... we feel like it... there's- there's- there's a real, um, purpose to what you do, in terms of providing, uh, safety and, you know, for- for the community. Um, uh, Knox Basketball gives opportunities to, uh, for- for kids and people to be involved in sport, and- and team sport in particular. So I mean, I'm quite passionate about, and- and loved my time there as well.

And- and Lifeblood certainly has a higher purpose. What we do, uh, automatically, uh, you know, has- has a lot to do with keeping people fit and healthy, and- and saving lives in lots of ways. So, I'm really fortunate to have worked with three really great organizations from that point of view.

Garrett O'Hara: [00:07:38] Yeah, most definitely. And you've sort of covered it, I suppose, but like you... with that broad range of experience, was it really just you- you were looking for jobs you had a go at, kind of thing, to get into security compliance? Or do you feel like there was something... something in you that was kind of drawn to that as a- a career path and a specialty?

Laurie Joyce: [00:07:55] Um, look, I think my- my time in the police force, uh, policing... and- and I've had this discussion with some squad mates of mine, um, and, uh, that's actually coming up in, uh, next week, uh, the anniversary of going in the police academy, which is 39 years ago now, back in 1981. So there's not too many of my squad mates, uh, of the 50 odd or so, that are left in the police force.

Um, but when we get together, we talk about what opportunities are available for- for police members outside. Um, the one thing it teaches you really, is to be able to communicate with people, and- and people often in crisis at the time.

Garrett O'Hara: [00:08:28] Mm-hmm [affirmative].

Laurie Joyce: [00:08:28] So, you know, being able to, uh, talk calmly and- and, um, and- and problem solve, is really important, and it's as important in security as- as- as much as anything. So, uh, whilst I didn't necessarily feel like... I mean, [laughs], my first three months on the myki project, I felt like an imposter. I'd sit there in the corner and, uh, uh, try and duck your head when someone asks you a question. Um, but I've never been afraid of saying, "Look, I- I don't have the answer, I'll find out for you." And then I think that's really important as well.

Um, uh, you know, I- I guess I've- I've been fortunate to have been regarded as- as being a subject matter expert in a number of different areas now. Um, and that whole thing about, you know, "What do you want to be when you grow up?" Um, uh, people shouldn't pigeon-hole themselves, or think that that's the only thing they could ever do. Um, there's lots of opportunities out there if you- you have- have a bit of a crack, and if people are prepared to take a punt on you like, um, uh, the myki project was with me at that time.

Garrett O'Hara: [00:09:25] Yeah, definitely. And- and maybe there's an opportunity to not grow up either, which I think has been my approach. You know, uh, what do I want to be when I grow up? I'm just not going to grow up. I'll just pretend I'm 17 for the rest of my life, [laughs].

Um, look, healthcare organizations in general, like, you guys are in a fairly unique position, I would say, when it comes to cyber resilience? There's, uh, there's nuances, things that are very specific about that as an operating environment. So, like, the data that you guys, uh, store, is particularly sensitive. And the services that you're providing are- are extremely critical. Um, it's not like, you know, a retail store going down, which is not great but it's, you know, if somebody can't buy a new pair of sneakers, it's not the end of the world.

But if, uh, blood products are not available, that's a big, big deal. You know, and that, uh, that stuff... what are the... what do you see, like, some of the key challenges that you face in this kind of en- environment?

Laurie Joyce: [00:10:15] Well, you- you're right. Um, health information is, obviously, on the- on the dark market, is- is far more lucrative than, uh, non-health information. And- and when you think about it, uh, it provides a platform for people to steal identities, you know, generally you- you get, um, all sorts of stuff associated with it including, you know, dates of birth, and- and- and not the normal, um, personally identifiable information. It's- it's alco- also lucrative from a, um, a targeting point of view. Um, uh, I'm not... I was speaking to people recently about, uh, some situations in the US where, uh, uh, people who are terminally ill had been specifically targeted by, uh, unscrupulous people ringing up and saying, "Listen, um, we- we- we know you've got this sort of condition, or this type of cancer, uh, we're doing a secret, um, uh, trial on people, it'll cost you $100,000 to be involved. Um, and just pay us the money." And, um, uh, knowing those people that don't have a- a, you know, if they're in stage four or worse, um, they've got a limited lifespan anyway, so they're, sort of, um, really easy to, uh, exploit.

Um, health industries traditionally also, um, because you- you're prime focus is health, um, uh, security has become, uh, in- in lots of ways, uh, something that's been put on the back burner. Um, so, you know, if you've got a doctor with a patient open on the operating table, who- who, um, uh, needs- needs, um, a laptop next to him so he can Google images of what the- the area he's operating on, that have been taken previously. Um, uh, if that sort of stuff gets knocked out through ransomware, or- or denial of service attacks, and things like that, the- the consequences are enormous, people die.

Um, so, uh, you know, but the focus is on helping the patient, not necessarily on- on an understanding that, um, uh, if you've got good security, you're also helping the patient, um, uh. We- we had a, uh, data breach ourselves back in 2016. Um, uh, that was a bit of a wake up call for us, um, even though it was, uh, it was a third party. But, um, uh, do you want me to go into- into this a little bit of detail? I can-

Garrett O'Hara: [00:12:20] Yeah, yeah, it'll be great to hear about it actually.

Laurie Joyce: [00:12:23] We had a website donateblood, uh, .com.au which, uh, at that time had some web forms on it. So if you wanted to make a- an appointment to give blood, or you wanted to check whether you were eligible to give blood or not, you filled in the web form, that triggered an email to our contact center, and they would call you back, and- and discuss, you know, how to make an appointment, or whether you were eligible, you- you know, you might have had tattoos that make you ineligible for six months-

Garrett O'Hara: [00:12:45] Mm-hmm [affirmative].

Laurie Joyce: [00:12:45] ... or whatever. Um, unbeknownst to us at the time, uh, that was being collected in a database in the back end, and- and it, um, the manager of that website was outsourced, and they were setting up a new test environment for us, and the guy who was setting it up, um, took a copy of that database file, and put it on a web-facing server, exposed it, um, on the internet, as opposed to being behind their firewalls on the database server, where it- where it was supposed to be.

Um, and I keep saying a young bloke in the Netherlands, but I don't know whether he was young, or whether he was a bloke, or whether he was actually really in the Netherlands, but, um, someone surfing the web for database files found that, um. He contacted Troy Hunt from Have I Been Pwned, uh-

Garrett O'Hara: [00:13:27] Yep.

Laurie Joyce: [00:13:27] ... fame. Um, and Troy then spent the next, uh, little time, uh, verifying the database was real. Found his- his own name, and his wife's name, who were blood donors, on it. Um, and then set about trying to contact us, so. Uh, in the end, there were 550,000, uh, unique records that were exposed. And some of those, uh, contained phone numbers or email addressing, or- or physical addresses and- and we had to kick in a full blown, uh, you know, incident management, and crisis management, um, uh, uh, time.

Um, you know, set up war rooms, um, work the problem through, and- and then, uh. These things have ongoing, um, issues because, uh, it- it doesn't end when the incident ends. There's- there's lots of other things that you need to follow up, and ensure that, uh, your systems are robust, and you've got the right protections and controls in place. So that hopefully it never happens again.

Garrett O'Hara: [00:14:19] Mm-hmm [affirmative]. And- and s-, like, on that, what were the things, like, post-breach I'm guessing... uh, and it might've actually been you who made the comment but, you know, there's nothing like a breach to kind of get buy in for change, and sort of funding for security. Like, how did that go post-breach, 'cause you mentioned there's a lot of, kind of, tidy up and, you know, it's not just the, I suppose, the immediate remediation, but the longer term, uh, implications from a resilience perspective, and organizationally processes, like, all of that stuff?

Laurie Joyce: [00:14:46] Um, I- I- I guess my first point is that, um, it's not just a security issue at the time the breach occurs either. Um-

Garrett O'Hara: [00:14:54] Yeah.

Laurie Joyce: [00:14:54] You know, we- we had two war rooms going si- simultaneously. Uh, one within the ICT division that was actually working the problem, trying to, um, find out what had happened, why it had happened, who else might've had access to the information that we didn't know about at that time.

Um, and then there's the, uh, executive too, and the board that are- that are working at it from a, uh, you know, public and, uh, community relations, um, you know, point of view as well. So, um, it's a muli- multi-disciplined team that's required to respond. Uh, communication's experts, you know. We- we had to decide, um, what we were going to tell people and when. Um, we didn't wanna go, uh, live with what had happened, um, before we actually knew what had happened ourselves.

Um, so it took us 48 hours to actually, uh, gather all that information together, and then- and then make the announcement that we had been breached. Um, so af- after that first week they, uh, the board, uh, set up a few reviews. So, Ernst and Young, who are our internal auditors, um, uh, started a review of the incident itself, and how we had responded to that. Um, PWC were brought in to, um, look at a full end-to-end security review. So they looked at governance and, um, processes and controls, and our policies. Um, whether we had the right tool sets in place, the number of bums on seats, um, uh.

The Privacy Commissioner launched an investigation, um, and at the end of all that process, we had around about 120 recommendations, many with multiple action points, that we needed to address. Now, um, that's not to say that we were insecure at the time, it was to say that there was lots of room for improvement for the stuff-

Garrett O'Hara: [00:16:35] Yeah.

Laurie Joyce: [00:16:35] ... where- where- where we had gaps. Um. Anyone would have gaps. Um, if it took us 18 months to work through those and resolve all of them, um. And we didn't have the bums on seats to be able to do it either, I mean, uh, up- up till a month prior to the incident, there was me, [laughs]. We had one new- new bloke in security operations that arrived a month before-

Garrett O'Hara: [00:16:57] Yep.

Laurie Joyce: [00:16:57] ... um, so we- we had a- a- at a time, we had around about 20 to 30 people working on the remediation actions. Um, and we- we closed up all those off, at a rate of around two and a half, or three per day. So, after 18 months everything was done. Um, and then EY, and PWC came back in, and- and verified that, um, uh, looking at the evidence, that we had closed everything that they'd recommended. Uh, and that.

And we also entered into in an- an enforceable undertaking with the, uh, Privacy Commissioner as well. And- and, um, uh, whilst the, uh, the company that had ex- exposed the information, um, copped awake for exposing it, um, we copped awake for two things; one- one was, we kept information beyond its use-by date.

Garrett O'Hara: [00:17:44] Yeah.

Laurie Joyce: [00:17:44] So there was no need to keep that information in your database in the back end, once the email had been sent. Um, uh, but it was just, you know, had been building up for around eight to 10 years. Um, and the second was on our, uh, vendor management, so we had to set up a new system of, uh, doing information security assessments on all our vendors that handle personally identifiable information on our behalf, or that have access to systems, which, if breached, might give someone access to that information.

Um, so, um, uh, we- we'd already had a security improvement program in place prior to that, um, and had started to invest in things. We had a new, uh, chief executive, and a new chairman of the board, who arrived six months prior to that as well, and both of them had a- a- an interest in securities. Um, so we were starting to, uh, get some more resources, in terms of, um, looking at what we- we needed to address. Um, and I guess, like most of the people, many people now, looking at, um, uh, the fact that, uh, you know, tools aren't your first line of defense, or- or your first, um, control weakness either. It's- it's your people. So, you're putting a huge emphasis on, um, up-skilling our people around how to recognize threats, and- and how to respond to them, in case there's something happening.

Garrett O'Hara: [00:19:05] It's such a huge one, uh, which I'll- I'll... I'm gonna actually ask you about that a little, uh, a little later. Uh, I was keen to maybe drill into the idea of, um, I think in- in sort of good data governance, they call it defensible... defensible retention? You know, the idea of... I suppose there was... it felt like there was two psychologies when it came to data, and probably, you could almost split them, the US versus the rest of the world. And the US was, you know, burn it all, shred it all, um, the less stuff you have, the less, [laughs], they can pin on you.

And it felt like Europe and Australia were probably more around, look, can we just retain everything? You know, and that way, we can prove, you know, that we were good to go, and- and didn't do anything wrong. Um, but I think with regulation changes, PII, PHI, and just, I mean, just data in general, I think there's a better understanding of not storing stuff. And you see that all the time, even in- in kind of, retail websites, where you just wanna buy a... I don't know, um, just looking on my table, a pair of sunglasses, and for some reason the store wants to know your date of birth, and, you know, whether you're male or female, or something else, or whatever. And you think, "Well, like, well how's that relevant?" Um, you know, that over-collection of data.

Um, do you feel like that's- that's changing now? I mean, obviously regulations are pushing that but, you know, is it being adopted, and not necessarily from your organization, but just more broadly? Do you feel like there's a- a better approach to data retention?

Laurie Joyce: [00:20:23] Well, I think there's a huge education piece that's required, because we're all bower birds, basically, we like to collect stuff. And, you know, you- you do a download from a, uh, a database and create a mailing list, or, um, you know, a certain, uh, segment of your- your customer base, or whatever. Uh, it gets stored in a spreadsheet on- on- on a file server somewhere, and no one ever goes back to look at it again. But it sits there, uh, forever, un- until, uh, someone might stumble across it inadvertently, and- and, um. You know, people leave organizations, and- and their stuff sits on file servers that they've created.

And, you know, we- we're not really good at cleaning stuff up after its use-by date. Um, and I think we really do have to get better on- on that. Um, it's way easier said than done, um-

Garrett O'Hara: [00:21:05] Mm-hmm [affirmative].

Laurie Joyce: [00:21:06] ... it's- it's- it's an education question. Um, uh, I mean, the first thing you have to do is know what you're holding, and where it is. Uh, and- and that was one of the criticisms of us during the data breach as well. And we- we didn't know, uh, that that databa- database existed, let alone what was on it at the time. We had to rebuild it to f- work out what was... what it would, um, it had contained. So, um, uh, we- we've still got a long way to go. Uh.

Garrett O'Hara: [00:21:33] Yeah.

Laurie Joyce: [00:21:33] Legislation will- will help, I mean, you know, the privacy act, what the privacy principles are, you keep stuff for as long as you need it, and no longer than that. Um, but really, uh, uh, there's still, um, lots of carrot, and not a lot of stick at the moment, [laughs], in- in terms of the enforcement. So. Uh.

Garrett O'Hara: [00:21:53] Yeah, mm-hmm [affirmative].

Laurie Joyce: [00:21:53] Knowing that... you'll run into a breach, um, there'll be more data breaches. Um, there will be many of them as a result of silly errors, human error, uh, because people just click on bad links. Or like, you know, they just don't recognize bad stuff when they see it.

Garrett O'Hara: [00:22:09] Yeah, it's- it's the eternal problem, I think. You- you kind of mentioned the... I suppose, shining a light on where the data lives. And, I think, you know, part of what we talked about in the- in the panel was the idea of shadow IT. And I think that's probably a part of that problem where, you know, little silos within an organization can spin up a platform, potentially store information on that platform, you know, from outside of the view of security, and IT, and compliance officers.

Um, like, what- what's your thought's on, like, how to, I don't know, "Fix" that problem, or at least try and contain it a little bit?

Laurie Joyce: [00:22:44] Well, I mean, you've got to start with policy. One- one of the things we did immediately was to, um, say that if- if anyone wants to use a cloud service, a SaaS, or what- whatever that, um, it needed the approval of the chief privacy officer, or our chief information officer, and the relevant executive director of the part of the organization that was responsible for it. So, um, we've put in quite clear guidelines to people around policy, basically, to- to the people about what they needed to do.

Um, that's been really successful, but, um, you know, we- we uncovered in that first 12 months, post-breach that, um, there were round about, I think it was 120-odd organizations at that time, that had information of ours that, um, there was no central re- repositories for. Because, um, I- I mean, you touched on it before, it's really easy to go and get a SaaS now, you don't even need a corporate cre- credit card, in lots of-

Garrett O'Hara: [00:23:35] Mm-hmm [affirmative].

Laurie Joyce: [00:23:36] ... lots of cases, usually you use Zoom for no cost, or- or, um, you know, Miro, or lots of other, uh, collaboration platforms and things like that. Um, so you've got to educate them again, like, it gets back to education. So people like, um, um, you know, you- you tend to use these tools if you use them in- in this way, um. I- I think, um, our remote working over the last six months too, has told us that, uh, people cry out for collaboration tools.

Garrett O'Hara: [00:24:02] Mm-hmm [affirmative].

Laurie Joyce: [00:24:04] So, um, IT departments and organizations really need to get ahead of the game for that as well. Because, um, if you don't supply the right tools to people, they'll go out and find something that's useful for them. Um, if you give them a suite of stuff that, um, uh, they can use, then they will use it.

Garrett O'Hara: [00:24:18] 100%. I think that was... and we were talking about desire paths? Uh, I don't know if you remember that, uh, you know, if you think of a park where, you know, the council builds a pathway, because they think that's where they want the people to walk. And then when you come back, you know, five years later, there's a- a kind of, a dirt track etched into the lovely grass, because people kind of see, "Well, the playground's there, the gate's here, I'm gonna walk directly to it."

Laurie Joyce: [00:24:40] Yeah.

Garrett O'Hara: [00:24:41] Um, and it's very much the same, uh, it feels like in- in, sort of, security and IT. And, like, you made that point actually on the panel, and I totally agree, if you don't get ahead of it, people will just figure out a way to do it. You know, they've got a job to do, and- and pressured to achieve outcomes, or perform, they- they're going to figure out a way to do it. And if you're not part of that, God it sounds like a movie quote but, you know, if you're not part of the solution, [laughs], you're part of the problem, in a way.

Laurie Joyce: [00:25:05] That's right. And people- people like shortcuts as well. Um, we want things to be easy, uh. You know, everything is at our fingertips these days, um, and in that ways, it makes- makes life a lot easier. But from a security point of view, it can make things, um, uh, challenging as well. You know. No... I mean, at some stage in- in- in terms of data protection, uh, the next five to 10 years we'll have a wrapper around every- every, uh, document, and every email that we send. That means that, you'll be able to control it forever. So, if- if, uh, you know, someone on forwards something they shouldn't, uh, it'll automatically be, uh, prevented from doing so.

But, we're not quite there yet. I know there's a few companies working in- in that space, but I don't think we're quite there yet.

Garrett O'Hara: [00:25:47] Yeah. It'll be... I think there's interesting times ahead. There in... there's a conversation kind of happening in the- in the security world around that end to end, kind of, encryption, and what that means for third part security platforms. Where, uh, you know, if you think about a- a, um, well, an email or a document, or really anything, if it's encrypted at one end, you know, the normal security players, "Well let's, uh, you know, analyze the thing as it goes along," whether that's a, you know, CASB, or a Web, or, you know, a- a security on a gateway. If you can't analyze it, then you can't apply the security, and then you're- you're sort of reliant on those larger vendors, you know, and they're the service providers for whatever, you know, say email.

They're this... I- I think that sort of monoculture... it- it's... I don't know, instinctively, that just feels like risky to me. Um, but, you know, I suppose I... it's swings and roundabouts isn't it? There's a balance there.

Laurie Joyce: [00:26:38] Yeah, it might be it's that, uh, mythical block chain that's gonna provide the solution.

Garrett O'Hara: [00:26:41] Oh, right, [laughs].

Laurie Joyce: [00:26:42] [crosstalk 00:26:43] if you have it, uh, to, uh, hand off an authentication that says, "Yes, this person's allowed to have it," and, "That person's allowed to give it." Um.

Garrett O'Hara: [00:26:49] Yeah, you'd hope so, there's got to be a techsin- technical, uh, solution to be able to do both. You know, that sort of, um, encryption and- and control, but also the- the security side of things. And actually, when- when I think about your organization and others in health care, the idea of data leak prevention is obviously pretty important, you know, for PHI, I mean, in- in sort of medical organizations the, you know, patient information of... the- the very sensitive stuff that could be going on for somebody, um, you know, as their reason for being in those kind of organizations, or being a- a customer or a patient.

There's... there's some pretty interesting things, I suppose, from a healthcare organization perspective, when it comes to DLP. Like, for you guys, what are- what are your big considerations, and do you have any things you do to manage them?

Laurie Joyce: [00:27:38] Uh, yeah, look, we have DLP. If we- if we were starting in I wouldn't... um... it- it's- it's a beast to try and write the rules that will pick up stuff that's meaningful.

Garrett O'Hara: [00:27:49] Yeah.

Laurie Joyce: [00:27:49] Um, you- you know, you get so many thousands of alerts in a- in a day, with a DLP tool that, um, you spend all your time trying to triage, and work out what's important, and what's not. Um, I- I- I think the move towards behavioral analysis, uh, in recent years-

Garrett O'Hara: [00:28:04] Mm-hmm [affirmative].

Laurie Joyce: [00:28:05] ... is probably the way to go. So, um, uh, if someone logs in from a- a spot they don't normally do so, or they're a member of a- a, um, you know, an AD group that doesn't normally have access to that particular type of, uh, well, particular folder, or type of information, then you raise an alert that way.

Um, uh, I th- I think that's probably far better than trying to, uh, a rules based, um, [inaudible 00:28:28]. I mean, it's the same with antivirus, isn't it? Um, uh, really good for stuff that's been seen before, not so good for stuff that's, uh, un- unknown, uh, use Donald Rumsfeld as well there, unknown unknown things-

Garrett O'Hara: [00:28:39] [Laughs].

Laurie Joyce: [00:28:39] ... but, um... which when I first saw that, I was, like, I just got it... the goose, I don't understand what he's talking about. But, um, if you listen to it a f- a few times, you actually do understand that he's- he's- he's very perceptive, and- and that really applies in- in lots of areas, particularly in the security, and cybersecurity world. So, um. Being able to recognize stuff that- that goes somewhere that it doesn't normally go, or is used by someone who doesn't normally use it, um, is probably the best way to, uh, protect it, I think.

Um, and we always talk about security in depth, um, uh, but the- the crooks are always one step ahead, they- they always have been. Uh, you know, all the castle walls worked until you had aircraft or, uh, or, uh, artillery that could lob shells in the... in- inside the coop. Um, uh, and then you've got to work out some- somebody from [inaudible 00:29:29]. We don't have castle walls around cities anymore, because they're- they're particularly useless in mod, [laughs], in modern wa- warfare.

But, um, the same, uh... an analogy I often use is that, um, back in my early days in the police force, in the 1980s, um, there were bank robberies here in Melbourne every day, uh, robberies of banks. Um, the banks responded by, um, you know, putting armed security guards out the front, and then the flyaway screens up to protect the tellers, and things like that. The armed robberies didn't stop, the just moved to the next easiest target, which happened to be, uh, our service stations and 7-Elevens, and stuff at the time.

So, um, you- you've gotta... you- you don't necessarily have to be the fastest runner when you're being chased by a bear in the woods, you've just got to be the second slowest. Um, and it's the same with security, you- you've gotta, um, harden stuff as much as you possibly can, um. The balancing part of it is, uh, making sure that people can still do their job.

And in the health industry, doctors still need access to patient information with- with us, uh, and our- our doctors still, um, have the right to access their, um, their blood test results, and all those other things that we do with- with them as well. You can't just put up walls and say, "No, no one's going to do anything."

Garrett O'Hara: [00:30:39] Yeah.

Laurie Joyce: [00:30:39] Um, so, it- it's a matter of being able to control the stuff, and make sure it gets to the right person at the right time, when they need it.

Garrett O'Hara: [00:30:44] Yeah, definitely get you. So, I wanted to ask you about the legacy devices. This is something that, um, the panel raised as well on that, uh, the- the healthcare panel a couple of weeks ago, and I thought it was particularly interesting. Um, so it's the idea of medical devices, and how they're r- rated as compliant from the TGA, and I think it was raised that, if you changed, or up- updated the OFs, or the- the security software on these devices, that actually, they then become non-compliant. Which has, obviously-

Laurie Joyce: [00:31:16] Yes.

Garrett O'Hara: [00:31:16] ... big implications to the medical organizations, or healthcare organizations. Um, can- can you walk us thought that? I think that's particularly interesting, and- and what the risk is there, I mean, it's probably pretty obvious but, um, you know, how does it play out in practical terms?

Laurie Joyce: [00:31:28] Yeah, well, um. Medical devices often have a very long shelf life. Um, they're- they're- they're expensive, they're- they're very complicated, so when you invest in them, you need them to be around for, um, a long period of time. Uh, so you get your return on the investment and, um, uh... so, uh, often, that means that you are left with... excuse me... with legacy, uh, operating systems that can't be patched anymore.

Uh, you know, we had a lot of XP devices, uh, across our network, and even a Windows 3.11 device, uh, which- which as been decommissioned over the last couple of years. But, um, th- there's a long lead time to getting these in place in the first instance, and- and then maintaining them, uh, is critical. So... but they are a major issue for health organizations, uh, in terms of being able to protect them, and make sure they are patched, and- and that, um, uh, potential breaches are kept, a- a- to- to a minimum, when and where you can.

Um, but the TGAs, uh, uh, in the process of releasing new guidelines that- that says that, um, a system will only remain validated if it is patched. And that'll make a huge difference, um.

Garrett O'Hara: [00:32:39] Yep.

Laurie Joyce: [00:32:39] Whereas in the past, they said, "Okay, th- this particular device is validated to, uh, Windows XP, and therefore, if you make any changes to it, you've got to revalidate." And validation's not only, um, uh, expensive, it's very complicated as well, for- for those types of things. And again, you wanna make sure all of the- the devices, um, are delivering what it should be. It- it could be, uh, you know, uh, blood test results in- in our case, for example. And you wanna make sure that- that- they're right, because if they're wrong, again, the potential is that, um, a person can get quite ill and, uh, potentially die. Uh, very rare events, obviously, but, um, it is a potential outcome of- of, um, um, having those sort of results scrambled.

So, um, the TGA new guidelines, um, if we get to the stage where the- the manufacturers are forced to maintain them, then that's- that's a great thing. Um, uh, and again, you know, I mean the... the only way to really protect yourself, is to ring-fence them as much as possible. So-

Garrett O'Hara: [00:33:38] Mm-hmm [affirmative].

Laurie Joyce: [00:33:38] Um, you know, um, make sure that your... your communication is either mono-directional, or- or bi-directional, but locked down to specific IP addresses, or you've got the right controls in place to, um, to- to alert you in the event that they are fiddled with by anyone, uh, that shouldn't have access to them.

Garrett O'Hara: [00:33:57] Yeah, it sounds-

Laurie Joyce: [00:33:58] It's a problem for, uh, healthcare industry across the board.

Garrett O'Hara: [00:34:01] Yeah, do- it does sound enormous. And you kind of wonder what... like, where my brain goes and that sort of stuff is, who- who absorbs the costs then? Um, you know, obviously, the... it gets pushed back to the manufacturer to, um, make sure that they stay compliant, but as you said, I mean, that's presumably quite an expensive process. And then do the machines become more expensive, and then, uh, you know, does healthcare become more expensive as a result of that as well? You know.

Laurie Joyce: [00:34:25] Yeah, well maybe a validation is pushed back to the manufacturer, so, um, rather than each organization that sets the machine up, and then has to validate it internally. So-

Garrett O'Hara: [00:34:34] Yep.

Laurie Joyce: [00:34:34] Um, um, which- which happens to a degree, but you've also got to make sure that your own test environments and everything you do, uh, mirror the- the, uh, the actual validating environment that you're able to operate in. Uh, that's where it becomes complicated and- and problematic in lots of ways. So, um.

But look, I think, um, I think things are changing, and I think they'll get better over the next few years, uh. Long lead time with a lot of this stuff they own. You know, some of them might have a shelf life, uh, an operating life that's, you know, 10, 15, 20 years in some cases.

Garrett O'Hara: [00:35:08] Yeah.

Laurie Joyce: [00:35:09] Uh, hugely expensive to upgrade and replace.

Garrett O'Hara: [00:35:12] Yeah. You know, I get it. Um, b- but- but... you've mentioned cyber awareness a few times now as we've kind of talked, you know, the don't... get people to not click on links, and, you know, fol- follow policy, and then there's probably an element of, uh, awareness when it comes to even things like DLP. What- what's your approach to this stuff? And- and is there anything that's maybe different, or nuanced, when it comes to healthcare organizations? When it comes to cybersecurity awareness?

Laurie Joyce: [00:35:39] I thi- I think there's a couple of things, um, that we need to get better at as well. I mean, everyone's got a compliance as- aspect to it, you know what I mean? Um, you- you do your online training once a year, that says that you've done, um, information security awareness training, or privacy awareness training, or- or whatever it happens to be, workplace health and safety, et cetera, et cetera.

Um, but with those sort of, um, click and move to the next slide, type things, uh, also have a shelf life. People get bored with them, they say, "Oh, I did this 12 months ago, and why do I have to do it again?" You know, click- click through to the end without actually, uh, getting any real value out of it. So, the challenge is, making it interesting for people too. Um, particularly in a world where there's lots of other competing, um, uh, you know, uh, needs on their attention as- as well.

So, um, we are, uh, and- and have done it the last 18 months, uh, run quarterly campaigns about specific things that, um, they should be looking out for, whether it's phishing, or whether it's social engineering or, um, uh, a big emphasis on cyber safety at home.

Garrett O'Hara: [00:36:46] Yep.

Laurie Joyce: [00:36:47] Um, uh, even more so now that people are working from home. Um, it's important for people to understand that, uh, um, what you do at home, follows you through to the workplace as well. So, bad habits there could reflect on bad habits in the work place.

Um, uh, threats that you might think only happen at work, can also happen at home. Um, you know, phishing and- and those sorts of things, uh, where you might not necessarily have the- the protections that the organization gives you, um, in- in the enterprise. Um, uh, you've gotta make it fun and interesting, um. You know, we- we're running, uh, [inaudible 00:37:23], uh, regular sort of brown bag sessions with a- a specific, um, uh, topic, um, uh. Brian Hay is- is a partner of ours, who's- who's great at talking through, um, some of those things with people that are in- in... sometimes, uh, scaring them, uh, but- but it's all about, um, having people recognize where the threats might come from. Um, and threats change all the time as well.

Garrett O'Hara: [00:37:49] Mm-hmm [affirmative].

Laurie Joyce: [00:37:49] So, you know, if you expect the- the same, um, security awareness package that you've been giving people for five years to be relevant, then you're full of yourself, you really should be looking at the things that are, um, that are relevant to your organization. You know, what- what are our critical assets? Um, why would people want them? Um.

We touched very early on on, uh, I think you mentioned story telling? Story telling's really important. So, and we- we've had people whose, uh, family members have, uh, have, um, uh, been caught in various scams, tax office scams and other things. Uh, just, uh, short, sharp, uh, three or four minute talks to tell people about what happened to them and their family, and what the impacts of that were.

Um, an- and that makes it more real. Um, instead of me sitting there as this- the security guy preaching about stuff, uh, they're having, uh, uh, a chance to listen to their peers that have been- been caught up in stuff that's actually cost them money, or- or, uh, you know, time and effort to, uh, repair it, um. So story telling is really important. Um.

Identifying cyber champions across the organization, uh, people that-

Garrett O'Hara: [00:38:59] Yeah.

Laurie Joyce: [00:38:59] ... that have an interest, that don't necessarily work in- in, uh, uh, security. Um, and hopefully amplifying the message through them. Um. With so much sitting around the kitchen table now, 'cause, uh, not many of us are doing it, [laughs], at- at the moment but, um, and being able to amplify the message and- and, um, spread it more broadly, uh, is- is important as well. Um.

And we- we're not alone in that, there's lots of organizations are going down that path. Um, really, uh, way further ahead than what we are. Um, uh. But I think you need to under- understand the threats, um, uh, put things out, um, vary them, make them interesting, gamefy them if you can, 'cause everyone loves a good game, [laughs].

Garrett O'Hara: [00:39:41] Uh, yeah, and I definitely agree.

Laurie Joyce: [00:39:42] Yeah.

Garrett O'Hara: [00:39:44] Um, and- and- and I completely echo the idea of having evangelists, or supporters, in other departments that are non-tech.

Laurie Joyce: [00:39:51] Yeah.

Garrett O'Hara: [00:39:51] 'Cause I think that's probably one of our biggest failings, is that, you know, we- we sort of shout off the cliff, uh, of- often, you know, and there's no one really listening, because it's- it's just security, or it's IT, or- or whoever it is, that's doing that kind of function.

Um, but when you start hearing that messaging coming from, uh, other functions, HR, or finance, you know, operations, all of a sudden it just becomes much more real. And, uh, yeah, I love the idea of story telling to- to make it really real. You know, it's- it's not academic, "Here's an example of a thing that might happen," you know.

Laurie Joyce: [00:40:20] Yeah.

Garrett O'Hara: [00:40:20] It's- it's actually Alice, or Bob, and this- this is their story. Um, so that's powerful.

Laurie Joyce: [00:40:26] Yeah, look we- we've had staff members who's, uh, family have been ripped off in, uh, real estate schemes, and, um-

Garrett O'Hara: [00:40:33] Mm-hmm [affirmative].

Laurie Joyce: [00:40:33] You know, others, uh, have- have responded to the tax office threats that come over the phone.

Garrett O'Hara: [00:40:37] Mm-hmm [affirmative].

Laurie Joyce: [00:40:37] "Give your credit card, and pay this now, otherwise you'll be arrested, and dragged out in- in jail." And- and, um, uh, the- there's also a challenge for, uh, you know, small and medium enterprises as well, who don't have the resources of bigger organizations.

Garrett O'Hara: [00:40:50] Yeah.

Laurie Joyce: [00:40:51] You know, what- what do they do? Um, uh, I- I think the Australia Government, through the Australia cybersecurity centers, and the- and the joint cybersecurity centers around the country, are doing their best to do that. But, then how do they get the message out to those small or medium enterprises and- and- and offer them support, is a challenge for us as a country too.

'Cause, um, uh, you know, I, um, if- if you look at some of the attacks that have occurred on critical infrastructure in the States, in particular, over the last four or five years, um, many of those breaches have, uh, have occurred through third parties. So, the big telecommunications or electricity companies, and things like that, have a- have a raft of, and a wrath of, personnel, um, protecting their systems. Um, but the people they let in to, um, you know, support them, may not have that same degree of protection or resources available to them. So the- the- nation states, in particular, are really good at, um, understanding who the support people are, uh, and- and attacking, uh, organizations and enterprises through those support people, rather than trying to go directly in the front door.

Garrett O'Hara: [00:41:55] Yeah, and I think there's an opportunity nationally, uh, as part of the, uh, the strategy document that came out earlier in the year. Um, but, you know, they call it that sort of small to medium enterprise space-

Laurie Joyce: [00:42:05] Yeah.

Garrett O'Hara: [00:42:05] ... and, you know, the- the work that needs to be done there. And, I- I agree, like, we- we all kind of rest on them in a way, you know. Th- they're suppliers into the larger organizations, it doesn't matter what size you are, they're part of the ecosystem; if they get popped, it's gonna affect, you know, more organizations than just them.

Um, so it feels like a good- a good place to invest is, in how we kind of lift that- that space, when it comes to cybersecurity. Not just, I suppose, I mean, certainly in the awareness side, but probably the technology side as well. Is there ways to, you know, offer things that scale, where they can take advantage of the- the things that have traditionally only been available to those larger enterprises-

Laurie Joyce: [00:42:42] Yeah.

Garrett O'Hara: [00:42:42] ... or organizations? Um. Yeah, hopefully we get there, um, hopefully we get there. Um, conscious of- of time, I did wanna finish out with, uh, what I think is a- an important question, and probably a little bit different from the general cyber res- resilience stuff that we've been talking about. It is, uh, NAIDOC Week, uh, this week. Um, which is just a happy coincidence, um, interestingly.

Um, but you're actually a member of the Reconciliation Action Plan Working Group, um, over in- in your organization at the moment. Um, and, like, for me, that seems important from a societal resilience level. You're kind of acknowledging and working to reconcile problems of the past.

Can you... do you mind talking us through the- that sort of, that work, and what you're doing there?

Laurie Joyce: [00:43:27] Yeah, absolutely, it was remiss of me not to mention that fact that I'm currently sitting on Bunurong land, so I add my respects to their elders, past, present and emerging. And- and to, uh, First Nations People around the country as well, uh, particularly in NAIDOC Week.

Um, reconciliation action plans are a way of- of, um, um, recognizing and promoting issue around reconciliation a- a- across the country. Um, but it's quite a formalized process. There are a number of different levels of wraps that, um, uh, uh, you- you work through over a period of time. And- and there's stepping stones that- that are brought on, upon one... one upon the other. Um, I basically provide- provide a framework, uh, to support the nat- the national reconciliation effort. Um, and the- the... I mean, there's five pillars to that one, is on, um, race relations, uh, equality and equity, um, institutional integrity, community, and historical acceptance.

Um, uh, you know, we- we... uh, I- I hesitate to call Australia a racist cou- country, because I don't think we necessarily are. But, um, there are elements of, um, of racism, and there's certainly a lack of recognition of some of the inequities, um, between, um, Aboriginal, and non-Ab- non-Aboriginal people around the country as well. I mean, um, if my family, uh, were going to die 10 years earlier than- than the, uh, broader population, or- or a 15 year old, um, children, grandchildren, um, and nieces and nephews were- were five times more likely to commit suicide than others, and- and, um, uh, you know, they're three times more likely to have diabetes, or- or, um, you know, issues with, uh, alcohol and drug dependence, and- and family violence, than- than other parts of the organization, I'd be jumping up and down it, and that's... that's some of the things that, um, we don't hear enough about.

Um, uh, personally, um, uh, we- we touched on this before we went- went to air. But, um, uh, my great-great-grandmother was Aboriginal. Um, when I asked my grandmother about that, she said, "Shut up, don't ask questions you might not like the answer to." And I sort of, um, like, that- that- that comment saddens me now, as I think about it. Um, but I sort of understand it in the context of, uh, when and where she grew up.

Um, so I found out, um, from, a cousin of hers, Uncle Charlie, who's 85 at the time. I said to him, "Look, can you tell me about this, um, black blood we had in the family?" And he said, "All I can tell you is, I was around four or five years old when my, uh, my mom took me to meet my grandmother for the first time, in Shepparton. And I looked up and I said, 'Oh, mom, look at that big black woman,'" and he said, "She clipped me across the ear and said, 'Shut up, that's your grandmother.'" [Laughs]. So that was, um, the first, uh, confirmation I'd had of someone who'd physically met my- my- my great-great-grandmother. She, um, her mom died in child birth, um, and when she was a few hours old, she was, uh, taken and raised by a missionary couple, who brought her back to Melbourne at the time.

Um, and the second confirmation point was, we found a newspaper article from 1862, which talked about the rape of a 12 year old girl, and that 12 year old girl was my- my great-grandmother. Um. And, uh, then I had my DNA tested, and, um, my mitochondrial DNA, which is the DNA passed down from mother to child, is- is Aboriginal. So, that's a direct line of decent, through- through my mom's, mom's, mother's mom-

Garrett O'Hara: [00:46:56] Yep.

Laurie Joyce: [00:46:57] ... um, is Aboriginal. So, uh, I had a personal interest in- in this. Um, I don't identify as Aboriginal, I'm very proud to have Aboriginal heritage. I think it's a great shame that, um, you know, most people don't know much about it. You know, um. They were the first mariners, the- the only way they could get here to this continent, was by boat. Um, the oldest artwork on the planet is found in- in- in The Kimberley, in the Pilbara regions. Um, you know, we- we've all seen those photographs of the Lascaux Caves, and the beautiful, uh, paintings by, uh, "cavemen," of- of, uh, you know, wooly mammoths, and- and reindeer and stuff. That's sort of 10, or 12,000 years old. The artwork here is, uh, somewhere between 45, and 60,000 years old.

So, um, we should be celebrating those sorts of, uh, things of the oldest, uh, living culture on the planet. Um, it's still here now, and there's lots of, um, inequities, and inequalities that we should be addressing as much, and- and- and as passionately as we can. We've failed today, and we need to do something about it.

Garrett O'Hara: [00:47:59] Agreed, agreed, um, and I do... I genuinely do think it's part of, uh... a societal resilience. You know, you- you sort of have to [inaudible 00:48:06] up in my opinion. Uh, just acknowledge that stuff, um, as much as you can reconcile with it and then, you know, ideally, everybody kind of moves- moves forward, together in a, um, a more congruent way, is maybe the way I would think about it.

Laurie Joyce: [00:48:20] Yeah. Um, I don't know whether you've ever looked at the Milky Way, and- and, um, we tend to look at the stars, and the bright points of light there, but, there's a big dark spot that, um, Aboriginals call the Dark Emu. Um, and there's all sorts of tales around- around that. Um, uh, I saw it for the first time on a trip to Laroo, um, probably 10, 12 years ago. I never- never knew about it, or seen it before. But I find it really interesting that, um, uh, in modern indigenous culture we tend to talk about the constellations, and those bright points of light. And in Aboriginal culture, they see the dark spots between. And the- and there's truth in the dark spots, as much as there is in the- in the points of light as well. And we just need to look for them.

Um, we- we've touched on story telling a number of times, uh, through here, and- and it's really, really important to, um, be able to listen, and- and actually hear what people are saying. Uh, um, uh, lots of people still hurt, so it's not, um, uh... because of the way they've been treated over- over a long period of time, and, um, I'd urge everyone to look at the Adam Goodes stock imagery, and- and- and see what that's about. And- and look at it with an open mind, and an open heart. Try and understand... put yourself in someone else's shoes, and understand what they're feeling, um, when they hear disparaging comments, or- or belittling, or just dismissive comments about, uh, you know, it's not important, it is important.

It is important, you know, um, again, off- off, uh, recording, we- we touched on, uh, events in the US and, um, anytime we marginalize people, uh, society's got issues that are- are- are deeper beyond just that surface sort of s- scratching stuff. Um, we- we need to uncover those, and shine a light on them, and talk about them openly and honestly. Um, irrespective of where you are on the planet, or- or where you are around the country.

Garrett O'Hara: [00:50:12] I- I totally, totally agree. Um, and I think it's- it's probably where we- where we end the- the conversation today, 'cause I think it's, uh, wise words, and probably stuff that, hopefully, people can reflect on, and- and have a think about it. Especially giving, uh, given that it is, uh, NAIDOC Week this week. So, um, yeah.

Lau- Laurie, uh, really appreciate you taking the time out today. Um, s-, really enjoyed the conversation, and as you said, [laughs], we- we- we talked for about 25 minutes before we started recording. I think it's probably, uh, our Irish heritage kicking in there, [laughing]. And inability to not have a... have a yarn. So, uh, really enjoyed the conversation. Um, you know, thank you so much for taking the time, and- and sort of talking, especially about the cyber resilience stuff, but also the, um, you know, your work as part of their, uh, the, uh, Reconciliation Action Plan Working Group as well, so thank you.

Laurie Joyce: [00:50:58] Thank you Garr, appreciate the time.

Garrett O'Hara: [00:51:08] Big thanks again, to Laurie for the conversation, truly a pleasure to speak with him.

As always, thank you for listening to the Get Cyber Resilient podcast. We do have that back catalog of episodes, so please have a listen to those. For now, I look forward to catching you on the next episode.