Garrett O’Hara is the Chief Field Technologist, APAC at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies and is a regular industry commentator on the cyber security landscape, data assurance approaches and business continuity.
This week’s guest is Mark O’Hare – Mimecast’s CISO. Originally from South Africa, Mark has worked in IT and security in the UK, the US, the Cayman Islands and has been in Australia for nearly a decade. As Mimecast’s CISO he is at the forefront of the challenges facing CISOs in public companies.
Mark walks us through his long and winding career and provides us with some great insights in this episode. He talks about the cybersecurity issues that keep him awake at night, where and how he consumes the avalanche of information he needs to each day, regulatory influence, finding and keeping the right people, and leaves us with his ‘one important thing to do per day’ recommendation.
The Get Cyber Resilient Show Episode #36 Transcript
Garrett O'Hara: [00:00:00] Welcome to the Get Cyber Resilient podcast. I'm Gar O'Hara and today we're joined by Mark O'Hare, Mimecast CISO. Mark quotes The Beatles to describe his arrival into the CISO world. It's been a long windy road. He started in computer science and law back in university. Went over to sports science and then boomeranged back into a contracting career in networking IT and security. He's worked in the UK, the US, the Cayman Islands, and has been in Australia now for nearly a decade. As Mimecast's CISO, he's at the forefront of the challenges facing CISOs in public companies. In the episode, we talk about what keeps Mark away at night when it comes to security. Where and how he consumes the avalanche of information he needs to each day. What his wish should be for the cyber genie, or if he had a magic wand. [laughs] The relationship with the board and [XCO 00:00:53]. Regulatory influence, finding and keeping the right people. And we finish with his one important thing to do per day recommendation.
I've wanted to speak to Mark for some time now, so I really hope you enjoy the conversation. Over to the interview.
Welcome to the Get Cyber Resilient podcast. Today I'm joined by Mark O'Hare, CISO for Mimecast. How are you doing, Mark?
Mark O'Hare: [00:01:14] I'm really good. Thanks, Gar. Thanks for having me on the show today.
Garrett O'Hara: [00:01:17] Absolute pleasure. We've been talking about this for [laughs] it feels like about a year. And obviously with your role, you're a fairly hard guy to catch. So I very much appreciate you taking the time.
Mark O'Hare: [00:01:28] No problem. Yeah, glad that it's finally happening.
Garrett O'Hara: [00:01:32] Yeah, me- me too. How are you doing? You're based out of Melbourne, right? So you're part of the, uh, the crazy times that is Victoria in COVID.
Mark O'Hare: [00:01:38] That's right. Uh, we are, uh, we are here down in, in lockdown. Um, so, uh, yeah. Not leaving the home very much, and, uh, focusing on, on [laughs] work and the things we can do.
Garrett O'Hara: [00:01:50] Good times. So the, the first thing we, we pretty much start with, uh, every episode, is just really how people got to where they are today. And obviously you've been CISO for Mimecast for some time now. Um, it'd be great to hear how you kinda got to that position, and what your journey was into like, cyber security.
Mark O'Hare: [00:02:07] Yeah, sure. So, uh, to quote a Beatles song, uh, [laughs] it's been a long and windy road, really.
Garrett O'Hara: [00:02:13] [laughs]
Mark O'Hare: [00:02:13] Um, I started ... Uh, so I started my university, um, degree in, in computer science and, and law. Um, but inter- interestingly after the, uh, after the first year of doing that, uh, neither of those two grabbed me. And I, and I actually switched over to, to sports science. So my background, uh, at university... I did, uh, I did sports science and an honors in sports science following, uh, following that. Um, after university, uh, as, as I'm originally South African... and as most South Africans did back in those days, we, uh, we'd head over to the UK, uh, London typically, to- to do a two year, um, sort of working holiday, um, uh, stunt. So I did that, um, along with many other South Africans. And, and that was around 1997.
So when I got there it was, uh, you know, pre-, um, Y2K bug and all of that sort of s- s- side of things. So the computer industry was booming, and, um, I took the opportunity to actually, uh, do some, some IT courses. So I did, uh ... You- you'll be familiar with the NCSC and, uh, SISCO. So the networking side of things, as well as, um, Checkpoint on the, on the firewall side of things. Did some of those courses to just to, you know, get ... As I didn't really have the experience fresh out of uni just to, to, uh, get some certifications to help me get a foot in the door. Um, I'd been contracted in London from, uh, 1997 to around about 2003. And that was in various roles, you know, starting in desktop support, to again, get some experience. Um, but moving through into the server, s- server support side of things.
Um, but, uh, you know, just shortly after 2000, I- I shifted more towards the networking and networking security side of things. So that, that involved doing my- my SISCO courses, and, and Checkpoint courses. And, um, you know, I think that was probably where I got my first taste of, of, uh, dedicated security on the firewall side of things. Um, and the early web proxy and web security side of things.
Garrett O'Hara: [00:04:20] Mm-hmm [affirmative].
Mark O'Hare: [00:04:21] So then in 2003, I got an opportunity to, to move to the Cayman Islands in the Caribbean. And I spent three years there, uh, in a, in, uh, one of the local bank's IT departments. Um, you know, doing, doing all sorts of things. Again there, from desktop, server, and networking, uh, networking support. It was a fairly small IT department, so you know, we were, uh ... Well, I had to be a jack of all trades really.Um, that was a great experience for me. Um, you know, it was also my first permanent, uh, permanent, permanent role I had contracted as most people did, um, in, in the UK, um, uh- uh, prior to that. So, uh, following, um, Cayman, I moved back to the UK. That was around about 2007, um, and, uh, interestingly worked for, um, [LOCA 00:05:10], which was the London Olympic Committee. Um, because the, uh, Olympics were coming to, to London, I think it was 2012. And, uh, yeah, I was helping set up their their networks and, and infrastructure. Um, so that was 2007. Early 2008, I got an opportunity to work for Mimecast, um, and, and join the company. So I started in the London office, and not long after that, um, Mimecast decided to, um, ope- well, they, they'd already decided to open, uh, North American offices. But they, they ... That was the point where they were actually sending people over.
Garrett O'Hara: [00:05:45] Hmm.
Mark O'Hare: [00:05:45] Um, so I moved from, from London, uh, to, to Boston, to help set up the, the North American, um, operation there. Uh, initially I was, uh, Director of, of Technical Operations. Um, you know, so looking after our, you know, the full stack from hardware through to operating systems, and applications that, uh, ran our customer services. Um, also looking after the co-locations of the data centers, power cooling, all of that sort of stuff, um, making sure that was running. That obviously wasn't my responsibility to make it run. That was the co-location's responsibility, um, but ensuring all of that stuff was running and monitoring all of that kind of, uh, kind of thing.
It was a ... It was a lot of fun setting up new offices and a new operation in a new co-, uh, country. And as we were, uh, you know, we start, the landing party was fairly small. Uh, what was really nice, a- and very memorable about that period of time was, was just being able to get involved in all sorts of different things. So while I was Director of Technical Operations, I also did all of the IT related stuff. I helped out in service delivery. I ran ingestions of, of customer data. You know, all sorts of things, that in a larger organization, uh, far more siloed, and certainly today in Mimecast far more siloed, and you wouldn't get that breadth of experience, um, when you joined a company of our size.
So that was interesting about joining what was essentially a start up office. Um, then in 2011 ... So, so 2008 to 2011 was in Boston. In 2011, um, I immigra-, I immigrated to Australia. Um, and at that point, I couldn't do the Director of Technical Operations role and shifted focus into more, um, specific security side of, of things. Uh, we had a CISO at the time, um, and I was the second employee in the security organization at that point. Um, that CISO, then in 2012 or late 2011, somewhere around there, um, moved on from Mimecast. And, uh, I took over as, as CISO, um, at that point. So I've been CISO at Mimecast since about, uh, 2012. Um, initially it was just myself in the department, uh, but now we are around about 25 people in the, in the security team.
Garrett O'Hara: [00:08:07] Phenomenal. In, in terms of, um ... Like the CISO role is a, a stressful one. I think it's pretty well understood. Last week's episode was, was actually about CISO burnout, and we had a- an organizational psychologist, Jess Lee, on talking about stress in general and burnout, and, um, there ... [laughs] You know, it's a job that I don't think I'd be wired for. I think I'd e-, uh, I'd [laughs] either end up in a ... In the Betty Ford clinic, or ... Yeah ... So just, I don't know you , know, that [laughs], yeah ... Um, in terms of that like, what about things that keep you kind of awake at night? You know, with this, the responsibility that's on your shoulders is not small. So I suspect you maybe are awake at night, uh, w- worried [laughs] about things.
Mark O'Hare: [00:08:48] Yeah. [laughs] Yeah. Well, thankfully I'm a decent sleeper. Um, I certainly used to be. Um, but, uh, yeah. Th- there are a couple of things that keep me awake at night. Um, really we've spoken about this in some of our [inaudible 00:09:04] briefings. But, um, insider threats, I- I think that's a really hard thing to deal with. Um, they're, you know, notoriously hard to, to detect an insider, um, and, and notoriously hard to prevent them, right? So detecting because they ... To do their jobs, they need an awful lot of access and privileges, if they're an administrator on the, on the platform. Um, and, and so you, you're entrusting a lot of power to, to your employees. And, you know, we saw with, uh, with Tesla recently, um, where one of their, uh, Russian employees, um, you know, a- another Russian citizen attempted to, to bribe them to, uh, to plant, uh, walmare in- in Tesla's organization.
Um, thankfully the, the Tesla employee did the right thing and, and you know, worked with Tesla's security team and eventually, um, eventually some of the cyber crime organizations to, to shut that down. Um, but they ... You know, it's reported that this person was offered, you know, potentially up to $1 million to, to plant this, uh, malware. It's, you know, th- that, it's a lot of money and very tempting for, for, uh, c- certain people to then follow through with that. So, so that is, uh, that is obviously a, a big problem not ... Uh, insider threats, they're not always malicious. Uh, accidents happen too.
Garrett O'Hara: [00:10:30] Mm-hmm [affirmative].
Mark O'Hare: [00:10:30] And, uh, you know, someone could change a file or configuration, and before you're, um ... You know you may have some automation to, to detect firewall changes. But that may not kick in, or someone may, may not see that alert in time. And just for the few minutes or potentially even hours that, that's exposed to the internet, some really bad things can happen. So, so accidents can be a real problem too. Um, so yeah, for me, insider threats are probably the thing that I find the hardest to control and the thing that worries me the most. You know, infrastructure, we can, we can patch, we can test, we can fix. Um, but you don't always know what people are thinking. So, you know, that's a problem.
The other thing that keeps me at night is, you know, companies like Minecast who, who store valuable data. We, we become targets for, you know, sophisticated, uh, cyber criminal groups. And, and even nation states. Um, you know, we have seen other, uh, companies that store valuable information, um, being the targets of, of highly sophisticated attacks that have been attributed to very sophisticated, uh, threat actors. These threat actors that ... They have big budgets, a lot of time and some very smart resources on their hands. So, you know, those are the two things that keep me up at, at night there, obviously many other things that worry me. Um, but I, I would, I would go with those two.
Garrett O'Hara: [00:11:50] Yeah, absolutely. It's funny, as you were describing the Tesla employee there, I've, I've listened to quite a few interviews with Elon Musk and he's a ... Like, he's a pretty intense guy. And I feel like if I was his employee, I, you know, the opportunity to make a million dollars versus the wrath of the Elon Musk I probably will walk away from the money as well. [laughs] He's a, he's, he's quite intense.
Mark O'Hare: [00:12:10] Yeah, yeah. Well, I've not heard any reports about this, but I suspect that Elon would have taken care of that, uh, you know, the, the, uh, the employee himself. I mean that's ... That would have been a very difficult situation to, to deal with. Um, even whistle blowing on that you potentially putting yourself in danger, uh, from, you know, the, um, the organization that's trying to attack Tesla. So that person really went out on a limb and it's a very brave thing that, uh, you know, that Elon should be respecting and I'm sure he would.
Garrett O'Hara: [00:12:40] Yeah, it's a ... Yeah, definitely kudos to that person. So one of the things, um, I think you and I have kind of talked about over the ... Over the years that we've been working together is, uh, really just the, the, the level of change and how quickly all of this stuff moves, and as part of my job and, you know, the things that I've done over the years with Minecast to get to see because of RFP responses and various other kind of security assessments, um, a little bit of a peek behind the curtain of the effort and the work that goes into, um, securing our platform. But, you know, I know other [inaudible 00:13:11] uh, providers will do very, very similar stuff. Um, but one of the big things is just how quickly this stuff all moves and changes and the ... Just the sheer volume of new threats, um, different types of threats, you know, what's kind of coming down the wire, be very keen to hear where you ... Where do you get your information from?
Mark O'Hare: [00:13:30] Yeah, absolutely Gar. Um, so as a CISO I feel you need many different sources of information. There is no one place you can go to get it all. Um, and this is both internal and external, uh, resources as well as technical and anecdotal and, you know, even news articles. So, so just to give you a sort of summary of the places that me and my team will get information from. Um, so cyber threat, Intel services, like [inaudible 00:13:59] threat intel service, uh, that we subscribed to, uh, Recorded Futures, which, uh, which is another threat intelligence service that, um, that we subscribe to.
These give us, uh, curated reports that are tailored to, to your own needs, your business's needs. You can input, um, search terms and things that you would like to be alerted to if there is any threat intelligence related to these things. Um, and it also can include new vulnerabilities related to the technology you're using the new, uh, tactics and techniques that adversaries are employing. Um, as I'm a CISP, I also like [ISC]2 information Security Professional Magazine, and there's some great articles there. Um, there are tech news sites that reports on anatomy of breaches too, uh, which give you very useful insight into what these, um, threat actors are actually doing and how they are, um, breaching organizations. Uh, I always feel it's, it's way better to learn from other people's mistakes rather than your own here.
So, you know, reading up on, on how these breaches are, are happening, um, and you know, what were the defensive mistakes that organizations made, um, and then us making sure that we are not making those same things, and that's, what's so important to us, uh, security thought leaders like Brian Krebs and Dr. Eric Cole, also some very interesting and useful content. Um, so listening to their podcasts or reading articles that they've pinned, I think is also a great way of just up-skilling and understanding what's going on and what our current security thought leaders are thinking and talking about. From an internal perspective, uh, you know, we have a couple of threat intelligence teams, uh, so they, they bring information.
Some of it's related to what our products are, are seeing in the intelligence that's generating. Um, some of our threat intelligence, uh, resources are, um, you know, curating the recorded future and CrowdStrike Threat Intel, and, uh, making, uh, you know, uh, tuning out the noise, making sure that the threat Intel coming through is, is relevant, um, to, to us as an organization. Um, I think we're all in danger of being, um, oversubscribed to, to threat intelligence and actually paralyzed by just the flood of information you've got. So having a threat intelligence team trimmed down that information and making it highly relevant for your organization makes you far more effective. Uh, we also have an offensive security team, which is really our, uh, penetrate patient testers. So they're doing manual testing, um, and they're bringing information to me about, you know, what vulnerabilities may exist inside our network in our applications, um, either third party applications or our own ...
Uh, we have a strategic security team and that, you know, they're mapping our defenses against, um, frameworks like a miter attack. Um, and yeah, and so they can bring in intelligence and information to me to say, you know, "We we're we're missing something here. This is where we need to focus, uh, some, some more energy and effort, uh, into defending ourselves. Um, and then products can help us as well. Uh, so our own, uh, brand exploit protection, uh, can, can give us an indication of, of where the people are targeting us and, you know, trying to exploit our brand, um, and, and something like Nessus. So just the automated scanning of your environment for, for vulnerabilities brings you the technical information that, uh, that we as security practitioners can, can rely on and need to rely on. Yeah. So I think in, in some, and a lot of tools that we use, but I think in summary that covers really the, the, the focuses.
Garrett O'Hara: [00:17:34] In my mind, uh, I'm now visualizing you in the like ... In the mornings with the minority reports glove, and, you know, a wall of screens in front of you with all these different sort of information sources. And you're, you know, you're plucking things out of the air and the priority ignore, um, is, is that, is there any version of truth in that, or is it ... Is it a laptop screen? [laughs].
Mark O'Hare: [00:17:52] Yeah unfortunately we are certainly not as cool as, you know, as some of the Hollywood actors, but, um ... But it- it's something similar to that, right? Uh, so while we don't have the, uh, the, the really geeky, um, techno screens and gloves and things like that, you know, we have dashboards and screens and, and, um, search engine specific threat Intel search engines that, uh, that we're using on a, on a daily basis. So, yeah. Uh, you know, I like to think of myself like that, but I think I'm the only one. [laughs].
Garrett O'Hara: [00:18:25] You- you'll always be Tom cruise in my mind on your, uh, on your high end Ducati Mark. So yeah, if you, um ... Here's a question. So if you had a, a genie or a magic wand, you know, whatever sort of magical device, and you could sorta, you know, have one wish for cyber security, um, and maybe there's two parts of this, maybe it's broadly for cyber security as a practice, um, and then, you know, kind of zoning in, on your kind of world. Um, so what would your wishes be, or your one wish if they're both the same thing?
Mark O'Hare: [00:18:58] Right. So, uh, you know, it, it would be unfair and unrealistic to say something like "Make all technologies ... All technology systems, 100% secure." And I'd wave my wand and they would suddenly become secure.
Garrett O'Hara: [00:19:10] Mm-hmm [affirmative].
Mark O'Hare: [00:19:11] Obviously, um, the more realistic and achievable answer though, is, I, you know, I'd, I'd like the internet to act a little bit like, our, [inaudible 00:19:20] like our, uh, our body's own immune systems.
Garrett O'Hara: [00:19:21] [inaudible 00:19:22].
Mark O'Hare: [00:19:22] So, so the reality is, you know, someone's going to get sick, uh, and, you know, that's, uh ... In this analogy, someone's going to get hacked, but if we are all connected to a centralized immune system, as soon as that cent- that centralized immune system figured out what had happened, how it happened, you know, it could then go and update all the internet connected systems and, and, uh, we don't have immunity against, uh, that attack. And so, you know, you can imagine if, if only one organization or, or maybe just a very small number of, of organizations would ever get hacked before all other organizations and entities became immune, it would then be very expensive for the, the, the, the, the threat actors to be changing technology on a wide, wide scale, you know, after every successful attack. Um, this, obviously, uh, we don't need a wand for this or a genie. Um, but it does rely on better, uh, collaboration by, by some of the industry giants like Microsoft and Apple, you know who have sort of tentacles into almost every end point, um, globally and potentially in a matter of minutes through pushing out, you know, um, signatures and behavioral detection updates, um, can then protect these end points almost in real time. So, so I'm seeing this like, uh, like the immune system to ... Our body's immune system for the internet.
Garrett O'Hara: [00:20:49] Very cool. Um, w- wouldn't it be amazing? Um, there's, there's so much to, although we'd maybe be out of jobs, is the only thing. So that part wouldn't be so good if everything was secure and safe. So yeah, partly, partly kind of-
Mark O'Hare: [00:21:02] I think the central immune system still has a lot of work to do, and, you know, we'd maybe be more coordinated around that and feeding information to that immune system. So that in almost real time, we can protect all organizations, everyone who is subscribed to this immune system, you know, the, the whole body
Garrett O'Hara: [00:21:22] Yep. Rush- rushes to protect the ... Yeah, I get it. Um, yeah, interesting idea.
Mark O'Hare: [00:21:28] Yeah. The way I look at it is we can't prevent 100% of breaches and, you know, it's a, fool's errand to try and do that.
Garrett O'Hara: [00:21:36] Yep.
Mark O'Hare: [00:21:36] It's how do we, how do we, um, figure out what happened uh, and put the fences in place and push that out to every organization as quickly as possible. So we limit damage rather than prevent damage at all.
Garrett O'Hara: [00:21:51] And, and in a way, it takes care of a big problem, which is the supply chain issue, you know, where you're kind of reliant on, um, partner organizations, vendors, and all of that kind of stuff where you have that kind of global immunity was happening. Um, large part of that problem goes away too.
Mark O'Hare: [00:22:04] Yes.
Garrett O'Hara: [00:22:04] Yeah, we can, we can, we can dream, I dunno. Is there ... Do you think it's the kind of thing that we'll eventually get to?
Mark O'Hare: [00:22:11] Uh, I think we will make our way towards it. Um, you know, but you can't force organizations to subscribe to this either to pull, uh, the, the updates down or push information into this immune system. But I think, I think we will move towards that model. And, and I see this today through kind of the API APIs that, uh, organizations like ourselves or CrowdStrike or many other security organizations, security providers provide, is that, you know, you can learn something from one of your systems and push it into another one. And that gives you ... And it's a much smaller scale than I'm talking about, um, at this point. But I think as we move towards that model yes, that could, that could become a thing. And I-I hope it does because I think that is a ... It's a, it's a, an effective way to, to make the cost of attacking organizations incredibly high.
Garrett O'Hara: [00:23:01] Yeah.
Mark O'Hare: [00:23:02] Um, when someone knows that it's a single use, every ... You know, they may work for six months on something and it's probably a single use attack, uh, because as soon as people find out about how it was done, um, everyone's, everyone's automatically protected.
Garrett O'Hara: [00:23:16] Yep. And I'll get you. You know, while I take your point that it's a, a small step, you know, the kind of point to point solution and threat intel and sort of telemetry sharing. The logic is the same, right? I mean, it's just an extension of the same idea, but in, you know, a, a kind of global and collaborative scale, it's sort of maybe naively me saying ... Thinking this, but like, it feels like technically it's possible to your point, it's just more of a people problem.
Mark O'Hare: [00:23:41] Correct. Correct. And it's, you know, where all these organs, all organization or these security organizations need to turn a profit. Um, and sometimes working together, they see that as, you know, um, you know, someone else eating their lunch. Um, and, and so that can ... That can be a problem that, uh, you know ... So, so there's sometimes reasons, uh, you know, uh, financial reasons not to work together, um, which is going to make this, uh, you know, I don't know, a larger scale immunity, harder to achieve. That's sort of why I feel like it's the giants that need to do this. Um, the, the Microsoft's and the Apples, um, because they can reach, they can reach everywhere. They don't have to coordinate with a lot of other organizations to share data. They have the ... They have the data or the, um, you know, that their operating system is on every single, pretty much every single endpoint. Um ...
Garrett O'Hara: [00:24:34] Yep. Yeah, it is. It's a phenomenal reach that they have these days. I'm gonna be pivotal a little bit and, um, I wouldn't mind getting your thoughts on how you've sort of perceived the ... Call it, I don't know the importance of server security or, you know, the level of attention it gets from EXCOS leadership teams within organizations. Um, obviously, you know, you're, you're in Mimecast, but I, I suspect you are connected to many peers in many other organizations and kind of a, a pretty good finger on the pulse in terms of, um, yeah, the visibility or the, the level of importance that's given to cyber security. My suspicion is it is getting better and it's changing a lot. Um, but yeah, I'd love to hear your thoughts.
Mark O'Hare: [00:25:13] Yeah, absolutely Gar. I mean I see that in our ... In our organization, as well as, uh, uh, customers and prospects that I talk to, or other CISOs that I ... That I talk to. So, um, you know, these days, I think in the, in the, in the fairly distant past, certainly at Minecast you know, you as a security organization, you, you operated a little bit in a, in a silo, um, and you know, the, the, the C level or the executives just expected, you are getting the job done, and didn't ask a lot of questions. They probably didn't even know what questions to ask to be fair.
Garrett O'Hara: [00:25:49] Yep.
Mark O'Hare: [00:25:49] Um, but today, you know, we getting questions from the boards. So boards want updates on, on your security. Um, cyber security has hit most companies, risk registers, um, and, and organizations are, are now highly aware that breaches can impact bottom line in a really big way, as well as the organizations, you know, reputation. And, and so cybersecurity, um, amongst the ex- executives is now far more of a focus. Um, I saw something interesting from Gartner recently and that's, uh, that C level employees may even be held ... CEO's, they were calling out and CISOs, uh, may even be held liable for cybersecurity negligence, um, and could potentially do jail time, depending on, you know, depending on the level of negligence and the impact of the breach, um, that happened. And while I don't want anyone to end up in jail, I think you need those sorts of repercussions and, you know, serious consequences for people really to, to, to take notes and give cybersecurity, um, the kind of focus that it needs in, in, in many organizations. Um, so yeah, I mean, I, I'm seeing far more questions, far more interaction from, from the executives and, and C level people in, in organizations today.
Garrett O'Hara: [00:27:11] Yeah that makes sense. So in a completely unrelated, uh, thing, in a way I'm sort of prepping for a talk, I'm I'm doing. And one of the things I saw yesterday was that in the SMP 500, about 84% of the value is locked up in intangible assets. So it's things like IP, uh, customer relationships, but also data. So customer lists, databases and all of that kind of stuff. So, um, they ... You know they were comparing that to the sort of mid seventies, I suppose, when it was almost flipped, the other way where, you know, the value of an organization was the buildings you owned and the, uh, you know, the machines, the ... Yeah, yeah. So it's definitely, um ... It makes sense to me, I suppose, that a sort of an academic level of why that stuff has changed. How does that look for you with that sort of elevation in terms of importance? Like, how ... Does that affect your day to day or the planning that you do in terms of that business visibility, the board questions, you know, that, that level.
Mark O'Hare: [00:28:06] So to be honest, we don't take, uh, we, we, we already ... On the operational side, we are already doing everything that we can, so it's not like we can run any faster. Um, we, are you know, we're going as hard and fast as we can at this, each and every day to prevent an attack from being successful. However what has ... The changes that it has really made, um, is, is the transparency of the security program. Um, so it's made that far more important because executives now are interested in, in seeing how well the sec- the cybersecurity program is doing-
Garrett O'Hara: [00:28:44] Mm-hmm [affirmative].
Mark O'Hare: [00:28:44] ... and keeping up to date with the ... You know, they want to keep up to date with the changing threat and, and risk landscape. And I mentioned earlier, you know, back in the day, I think, uh, the boards and executives didn't actually know which questions to ask ... What questions to ask, and today, there's far more understanding, um, amongst the C level and executives around, um, data breaches and, and the, the repercussions, the impacts to organizations, you know, we've seen so many examples of, of organizations either that have not recovered from a breach or have taken many years to recover from a breach. Um, so executives are learning, uh, what are the right questions to ask. What do they need to see, um, in, in order to understand how effective and well run the cybersecurity program is in their organization.
Garrett O'Hara: [00:29:29] Mm-hmm [affirmative].
Mark O'Hare: [00:29:30] So at Minecast we, you know, we achieve this through, um, monthly security committee meetings where we have our CEO, head of legal, head of engineering, uh, many executive level employees in it. And we discuss our current, you know, risk levels, how we're tracking on fixing vulnerabilities that we've identified, you know, what are our, un-remediated vulnerabilities, and when will they be fixed. And so making sure that, um, these things are being fixed, these vulnerabilities are being fixed within our own internal SLAs. Um, so yeah, certainly put more focus on providing evidence that's kind of the trust, but verify even your own security team. Makes sure that they are, you know, doing the right things and looking in the right places and have the right, um, detections and controls in place.
Garrett O'Hara: [00:30:19] Yep. So good to have that transparency. You, you sort of mentioned maybe something that's a little bit related, but, um, you know, they idea of, uh, C-levels or directors, um, being on the hook personally, um, you know, sort of that they will have obviously fiduciary responsibilities in those roles, and then more and more the link between cyber and, and sort of the money side of things is ... I think is a stronger link so that, you know, they're doing potentially time, but they're also getting fines and, you know, getting lawsuits, uh, against them. Um, is there ... Is there something going on for you as a CISO in terms of like regulations, either locally here in sort of Australia, New Zealand or globally that sort of plays into maybe things that you've changed, or stuff that you have to think about that you didn't have to think about last year or five years ago?
Mark O'Hare: [00:31:05] Uh, yes, for sure.
Garrett O'Hara: [00:31:07] Okay.
Mark O'Hare: [00:31:07] Um, my role being global, I will say there's a local Australian, uh, regulations, uh, here and also, you know, global regulations or legislation. So, you know, GDPR was, you know, it's a big one. Um, um, and, and as we operate in many regions I need to know what our responsibility in those regions are. We actually have a legal team that helps with this area, so that legal team has a, uh, contract component in it, and an assurance risk and control team, um, that work with identifying what the, the requirements or, or, or local legislations in each area we operate in are, um, and then ensure that we have the right people process and technology in place to, you know, to deal with those regulations. Some of them is ... Some of it comes down to, to even breach reporting. You've got to make sure you in advance, um, have a, a breach reporting policy and process in place in case you do unfortunately get, get breached.
So also due to our pretty robust certification program, you know, we ... It includes ISO 27001, 27019 22301 SOC2 type two IRF for Australia, FedRAMP for the US. You know we have found that by and large, we're actually through those certifications, we were already doing all the things that these local and, ans global, um, legislations or requirements require us to do. So actually our, our certification program has certainly helped there. And many of these things are framed around, um, common certifications. Uh, so it's, it's certainly helped us, uh, by, you know, us getting on the front foot there with the ce- certification side of things that has meant we're also by and large compliant with, with any legislation currently existing or new that may come out.
Garrett O'Hara: [00:32:56] So maybe a little side question here in terms of those certifications and, um, you know, having reasonable conversations with our AOC team on how they kind of approached this stuff. And, you know, the, the way they can map common controls across different certifications and, you know, how much overlap there is between, you know, different, um, whatever you want to call them, like types of certifications that kind of achieved the same thing. And some are local and, um, you know, in the US I know there's some conversations happening around state level privacy laws, and how onerous that is on, you know, organizations that are operating nationally in America, having to comply with all these different state legislations versus, you know, kind of unifying into something simple for the US. But I would say there's a question here around the value for just one single global certification that, you know, the, the kind of super set of them all. So that rather than doing ... You know, you've, you've listed to many, many [laughs], certifications there, you know, that there's one that's recognized around the world that does the job. If you see it, you kind of know that you're done, you don't have to go for the regional or local ones. Do you think we'll ever get to that? Or is there a reason why that, that doesn't work?
Mark O'Hare: [00:34:07] Yeah, I, I suspect we won't ever get to, to that point. Uh, in fact, I suspect we will diverge from that.
Garrett O'Hara: [00:34:14] Okay. [laughs].
Mark O'Hare: [00:34:18] Uh, so, you know ... But it, it would be a nice ... It would be a nice thing to have, right? Have one common set of controls, but there are, um, there are technologies today or services that help you, um, map across all of these different, uh, certifications. And, um, you know, I think using, using that where you have your sort of single pane of glass or single input, um, to, to what you're doing, um, about a particular control and then that tells you, you, how does that ... How does that help you on the SOC2 type side of things or, you know, on the, the NIST CSF side of things or the ISO side of things. Um, you know, so I think some sort of service that ties that all together is very helpful in that area. Um, yeah, but I, I don't suspect that we'll ever see a, uh, a single framework that will be globally adopted unfortunately.
Garrett O'Hara: [00:35:14] Yep. It's the, of humanity, isn't it? It's, uh, you know, you only have to look at electricity and how many different types of plugs there are around the world and voltages and yeah. We're never going to get there. That's, uh, I think safe to say. The, the other side of, um, like one of the things you'd obviously have to think about fairly consistently is people and, you know, building teams, getting the right people, you know, filling out roles. And, um, it's talked about quite a lot in the industry, you know, the, uh, skill shortage, um, you know, where to get talent from, what's your approach there? Like, how do you, how do you feel the ... How do you ... Do you feel your team with the, you know, the right people within reasonable amounts of time?
Mark O'Hare: [00:35:55] Yeah. Uh, so this is very much been a challenge for my security organization. Um, and it does actually depend, uh, a bit on the role. Uh, so for example, um, our offensive security. So, so the penetration testers that we hire, um, those ... You know, there's a very small pool of, of, of highly talented penetration testers that are currently looking for work. Most of them already have work. Um, and when they ... When they, um, are looking for roles, they get snapped up really, really quickly. So that's been an area that has been extremely hard for us to, to hire into, um, some of the other roles like, uh, you know, our security operations center. We do find it a little bit easier to, to fill those and especially roles where there are ... Areas where there are some junior roles we can bring people in and say, they don't have to be highly skilled, um, and highly experienced, experienced already.
And, and, you know, we'll bring them in and we'll train them up and give them that, uh ... Give them that experience. Those, those are the are- easier areas for us to, to recruit into, um, you know, and we can recruit on aptitude rather than, uh, experience-
Garrett O'Hara: [00:37:04] Yep.
Mark O'Hare: [00:37:04] ... and, um, an existing, existing skill, uh, but, you know, for a penetration tester, you can't take someone with no experience and just put them in front of a terminal and ask them to start hacking, uh, that's just not gonna ... That's not gonna happen. Um, so that's definitely the area where we've had more challenges. Uh, what has changed a little bit for us is thankfully Minecast has a good reputation in the security world. And so that's made it more attractive, um, for, for, um, security engineers, um, analysts and architects, to, to join our organization. So certainly finding it easier these days to, to attract attention. Uh, now- nowadays the challenges around retaining them, you know, you ... Once these ... Once your, um, employees have a, have a good level of skill, um, and now they've got some good experience, you know, they've become very attractive in the marketplace because of this skill shortage we were speaking about and, and organizations will throw a lot of money at them, and it's, you know, it's highly attractive to, um, to your employees. So, so really we have to focus a lot on, on retaining existing resources.
Garrett O'Hara: [00:38:16] Yeah, I get you. So my, my dreams, you've just dashed my dreams of becoming potentially a pen tester. 'Cause I thought you just had to download a VM of Kelly Linux, you know, away you go. And it sounds like there's more to it than that. Dammit, I'll have to ... I'll have to do that.
Mark O'Hare: [00:38:29] We'll start you in the stock-
Garrett O'Hara: [00:38:30] Okay.
Mark O'Hare: [00:38:30] Uh, you know, level one and then we'll build you up.
Garrett O'Hara: [00:38:33] In making the tea for the people, doing the real, the real work I'm guessing and bringing them sandwiches when they're hungry, uh, is probably ...
Mark O'Hare: [00:38:41] There's a, there's a lot of fun to be had and, you know, level one security learning about what, uh, the defenders do, what the attackers do. Uh, it's, you know, it's a fascinating area to, to get into and the recruits that we bring on, um, in that area, I think they really enjoy it.
Garrett O'Hara: [00:38:58] Yeah, sounds good. And we're, we're kind of rapidly approaching time here. Um, I think maybe, maybe the last question, um, the one to end on, um, is maybe the idea, like if there's one sort of important thing or something that you feel is very important that you do on a day to day basis as a cyber leader, um, wh- what would that be? Anything you could share with the audience?
Mark O'Hare: [00:39:21] Um, yes. So couple of things, and then generally just reminders to myself. Um, first one is assume positive intent. So when you're dealing with people and, and there's been an incident, uh, you know, not to, uh, assume that whoever did it, did it intentionally, um, you know, first assume positive intent with things. Um, and then, um, the other thing that I, I try to remind myself about and my team is that people outside of my security team have different priorities to mine and, and my team. And I need to take time to, to listen to their side of things and to take time, to explain my side of things. So they understand why I'm asking them to do something or to stop doing something.
Um, I think it's extremely important to realize that, uh, sec- while security is my main priority, um, you know, if I'm working with our engineering teams or IT teams, they have different priorities. And I do have to justify why something of mine may take precedence over one of their priorities or slotted it in the right place in their priority. So those, those are the two things, um, I feel you get, you get the most out of people and teams you, you work with by co- collaborating and being respectful to them rather than trying to steamroll them. And those two, two things helped me do that better.
Garrett O'Hara: [00:40:49] So, uh, Dr. Kate Jerome, who's being on the podcast, who works out of the University of Adelaide made that points around, uh, culture and how important that is when a breach or a bad thing happens. And it sounds like, you know, assume positive intent is kind of a version of that. Where is there some elements of people ... Like if you, if you would trust that there is positive intent, um, they will be more likely to be honest about what has happened rather than as you say, going in aggressively and they'll just shut down. They won't tell you what really happened, they'll pretend they didn't open the file or click on the link and, you know, you don't really get to figure out what happened because they're embarrassed or they feel like they'll get scolded.
Mark O'Hare: [00:41:28] Correct. And sometimes we haven't done our jobs and trained them properly. And so, you know, how would they know how to behave, um, appropriately, um, in certain scenarios. You know, you want to cover that all off in awareness training and onboarding, and, you know, various other components to your cyber security, um, program for your ... You know, to educate your ... To educate your staff. Um, but I think, you know, you want to have an approachable security team, because like you say, if people are hiding things, people make mistakes, like we, we all make mistakes.
And if they feel like they have to hide, hide, these mistakes from the security team, then you have a real problem. And I feel like Minecast we've for the most part, got that culture right. We get a lot of ... You know, we get a lot of, um, reports from our users saying, you know, "I received this email, I clicked on the link. I didn't input my credentials, but can you help me?" You know, "Can you just make sure that I didn't, um, I didn't do anything wrong here that may jeopardize me or the organization." Um, and hearing that from our staff is, is very encouraging, um, having that sort of open door to ... For them to come and talk about mistakes they may have made and, and then have us help them sort that out.
Garrett O'Hara: [00:42:40] Good stuff. Good stuff. Well, Mark, we've, we've certainly kind of run out of time a little bit here. So I really just want to thank you. I know you've got a, a lot on, and given your global role, you tend to have, um, fairly long hours. So not lost to me that you've taken the time out to talk to us. So yeah, very much appreciate it.
Mark O'Hare: [00:42:56] Great pleasure Gar, and covered off some good topics there.
Garrett O'Hara: [00:42:59] Awesome. Thanks Mark.
Mark O'Hare: [00:43:06] Cheers.
Garrett O'Hara: [00:43:08] Thanks again so much to Mark for taking the time out for that conversation. It's always so good to speak to somebody on the front lines. As always thank you for listening to the Get Cyber Resilient Podcast. Do you get into the back catalog so much content in there and subscribe, like share, let your friends know and let us know of people you want to interview or topics you want us to cover. For now, keep safe, and I look forward to catching you on the next episode.