Garrett O’Hara is the Chief Field Technologist, APAC at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies and is a regular industry commentator on the cyber security landscape, data assurance approaches and business continuity.
In a very special catchup episode, Garrett O’Hara sits down to speak with possibly the busiest person in cyber security, Shamane Tan. Shamane is the author of Cyber Risk Leaders, founder of Cyber Risk Meetups and an Executive Advisor for Privasec. Gar and Shamane discuss her journey from IT to cyber security, the success of her meetups and the mega (virtual) c-suite series she’s running, and the state of the cyber security industry throughout APAC.
To get involved with Cyber Risk Meetups you can visit https://www.cyberriskmeetup.com
For a copy of Shamane’s latest book, Cyber Risk Leaders, please visit https://mysecuritymarketplace.com/books-listing
You can watch Shamane’s mega C-Suite series on the Cyber Risk Meetup Youtube channel https://bit.ly/34IGYVI
The Get Cyber Resilient Show Episode #11 Transcript
Garrett O'Hara: [00:00:00] Welcome to the get Cyber Resilient Podcast I'm Garrett O'Harra. Today I'm speaking to Shamane Tan, the author of Cyber Risk Leaders, creator of the very successful cyber risk meetups and also exec-advisor for Privasec. Shamane is definitely doing great things in and for our industry. We recorded this interview last year in a glass walled conference room as you're going to hear, when we were lucky enough to find a spare 60 minutes in Shamane's calendar. So it's definitely taken us a little bit of time to get this one out. And when Shamane reviewed the episode again last week, she actually spotted that she mentioned 120 MITRE ATT&CK techniques and that it's actually now over 170 (PRE-ATT&CK techniques). So you know somebody who's the real deal when they notice something like that in my opinion. And also how quickly things change.
The cyber risk meetup, which Shamane runs, has an official website that's cyberriskmeetup.com, and that has been going in Australia and Singapore for some time, but actually now has launched in Japan, Tokyo and it's going really strongly over there. The meetups are also virtual. So there's quite a few things to talk about, uh, for example, the mega C-suite series that Shamane is running, um, that has its own YouTube channel and that's going to be included in the show notes. And then lastly, the book Cyber Risk Leaders is on Amazon and Kindle and it's also available at My Security Marketplace. For folks in Asia, they can grab the hard copy of Cyber Risk Leaders in their Kino [inaudible 00:01:35] bookshop at times, and any really popular bookstores over there. So please enjoy the episode.
Today I'm sitting with somebody who may be the busiest person in cyber security. Every day I see an update from a meeting or a conference or an event where this person speaks or moderates panels. Amazingly, she's also found, found time to serve as the executive advisor for Privasec in the Asia Pacific region. If that wasn't enough, she's also spent years authoring a book called Cyber Risk Leaders, and that's a collection of insights from the C-suite and walks the reader through leadership and influence in the cyber age. So welcome to Shamane Tan.
Shamane Tan: [00:02:11] Hi, thanks for having me here.
Garrett O'Hara: [00:02:13] You're most welcome. It's great to, uh, to see you. Um, so look, you're a successful author or you run a really, uh, popular Cyber Risk Meetup and you also work as the APAC executive advisor for Privasec. So I'm guessing this must be meaningful work for you.
Shamane Tan: [00:02:27] Yeah, definitely. So something I really enjoy and passionate about, so I don't really see it as a job, but something that I do every day, including the weekends.
Garrett O'Hara: [00:02:37] So you would do it for free?
Shamane Tan: [00:02:40] [laughs]. Oh I do need something to pay the bills, so, yes.
Garrett O'Hara: [00:02:42] So how did you get to where you are today? Like what was the path to, to get to be so successful and to do so much?
Shamane Tan: [00:02:50] Hmm, um, I think it's a journey I would say. Um, and I started out actually not being in the cyber security industry.
Garrett O'Hara: [00:02:58] Okay.
Shamane Tan: [00:02:58] So I started out in IT, and then I found myself just working really closely with the head of Its, some C-suite level, but really in terms of building up your team, and I was more focused on the people aspect. And then, um, somehow I just found myself really intrigued in the cyber security industry. I actually was part of the ... One of the meetings at AWSN which is the Australia Women in Security Network.
Garrett O'Hara: [00:03:23] Okay.
Shamane Tan: [00:03:23] And that was really interesting where you see a lot of different people coming in from different backgrounds, and got really encouraged to give it a shot myself, and Privasec was one of my clients in the past and they've been asking me to do the jump, which I did and that's how I ended up in the cybersecurity industry.
Garrett O'Hara: [00:03:40] That's awesome, and what was the biggest challenge or maybe some of the biggest challenges that you sort of faced along the way? I guessing that wasn't an easy jump to make?
Shamane Tan: [00:03:49] Mmh. Yes. It's, it's a whole different ball game-
Garrett O'Hara: [00:03:53] Yep.
Shamane Tan: [00:03:53] ... because there's so much to learn. You never stop learning. Um, even the CISOs themselves are always funny, hard to play catch up, right. You can never catch up. So I would say the biggest challenge is learning how to prioritize on what are the key things that I can be able to partner together with the different CISOs that I work with and really help them breach their, ga- business gaps effectively.
Garrett O'Hara: [00:04:18] Yep.
Shamane Tan: [00:04:19] Yep.
Garrett O'Hara: [00:04:20] Yep, and I assume that is a big challenge I think for everyone these days. Um, so th- like you've had an incredible journey. You've done all this stuff.
Shamane Tan: [00:04:28] Yeah.
Garrett O'Hara: [00:04:28] What do you ... When you look back at all that you've done and it's a lot.
Shamane Tan: [00:04:32] Mm-hmm [affirmative].
Garrett O'Hara: [00:04:32] I do wonder sometimes when I see your LinkedIn posts, like, do you ever sleep? Because it just seems like there's no way a human being can take as much as you do.
Shamane Tan: [00:04:39] Okay.
Garrett O'Hara: [00:04:39] Um, but when you look back at it all, um, at a personal level, maybe like, what do you feel most proud of it?
Shamane Tan: [00:04:45] Mm-hmm [affirmative]. I think, I just feel like I'm in a really good position where I'm learning a lot from different people that I'm speaking to. Um, the CISOs actually seeing me as a partner where they are sharing confidential information and looking to me to help add value in some way or another. And I feel like that's a ... It's an honor to be able to do that and be a trusted advisor. So for me, what really keeps me fulfilled, and why keep doing what I do, because I feel it's meaningful where I want to be able to be that bridge, and help bring the different expertise, and the different learning experiences that this industry leaders that have gone ahead of me that they have learned and how can I bring that? And so even the next generation, you know?
Garrett O'Hara: [00:05:31] Mm-hmm [affirmative].
Shamane Tan: [00:05:31] Or people coming into this industry, how can I reach there, help them learn from the lessons learned before, so that they don't have to go through the long, painful journey of getting there. So that's why I'm motivated to do what I do, and help bring that together.
Garrett O'Hara: [00:05:45] Awesome. And that almost leads perfectly into, uh, Cyber Risk Meetups. So you founded that back in, in Sydney, actually in 2017.
Shamane Tan: [00:05:53] Yeah.
Garrett O'Hara: [00:05:53] And they've grown now, you've got actually Melbourne, Sydney, Brisbane, and Perth, um, are cities-
Shamane Tan: [00:05:58] Yeah.
Garrett O'Hara: [00:05:58] That you're, you're running those in and thousands of members.
Shamane Tan: [00:06:00] I'm in Singapore as well.
Garrett O'Hara: [00:06:01] In Singapore, sorry.
Shamane Tan: [00:06:02] Yeah.
Garrett O'Hara: [00:06:02] In Singapore also. What do you think has made those meetups so popular? Because there are other ones but yours are particularly popular?
Shamane Tan: [00:06:09] Hmm. I think it was a combination of different factors. So the reason how these meetups all came about in the first place was driven by a desire to learn from different people that, that you don't usually see on the platform. So that was how I started where I wanted to make it as diverse as possible.
Garrett O'Hara: [00:06:26] Mm-hmm [affirmative].
Shamane Tan: [00:06:26] Um, I've been reaching out to people that are not the usual ones that you see as speakers, on conferences. Um, so in a way it gives them opportunity and platform to share their experience. And the difference is that the meetup is not an official association, right? So they don't feel pressured because they're not representing their organization. They don't have to go through the different hoops to get approval. They, they know that they're in a safe place, and the culture that has been built is such that they're just there to share what they have learned. And people learn best when you're being real about your challenges, your mistakes-
Garrett O'Hara: [00:07:01] Yeah.
Shamane Tan: [00:07:02] ... rather than saying things that like the media wants to hear and you know the, the politically correct answers and things like that, yeah. So that's how it's grown actually. And, uh, there's been also I really interesting formats. So we try to do um, like Ted talk style, um, or debates.
Garrett O'Hara: [00:07:20] Yes.
Shamane Tan: [00:07:20] There was once we had a panel, and I had like a different C level, so I had like the CIO, CRO, um CISO, and then coming together and they were debating on, you know, like who should a CISO reporting to. So that was quite interesting hearing different perspectives. So things like that.
Garrett O'Hara: [00:07:35] I'm sure that would have been slightly heated.
Shamane Tan: [00:07:37] [laughs], yeah.
Garrett O'Hara: [00:07:38] There are CISOs and they-
Shamane Tan: [00:07:41] Exactly.
Garrett O'Hara: [00:07:41] ... say if they have to report to a CFO, they won't take the job.
Shamane Tan: [00:07:44] Mm-hmm [affirmative].
Garrett O'Hara: [00:07:45] So to the CEO reporting or not at all.
Shamane Tan: [00:07:47] Oh it depends on the organization as well-
Garrett O'Hara: [00:07:49] Mm-hmm [affirmative].
Shamane Tan: [00:07:49] ... and the leadership and also the culture.
Garrett O'Hara: [00:07:51] Yeah.
Shamane Tan: [00:07:51] So it can't be something that's, um, you know, you apply, um, across every organization. You have to go down deeper into that.
Garrett O'Hara: [00:07:58] Yep.
Shamane Tan: [00:07:58] Um, that's really, really interesting. You do see a lot of interesting perspectives that come up from this. Yeah. So, um, and another thing to add as well, the meetups are not done every like every day or every month. It's actually every quarter.
Garrett O'Hara: [00:08:11] Oh, okay.
Shamane Tan: [00:08:12] So that does keep it fresh and something that everybody looks forward to.
Garrett O'Hara: [00:08:15] I think it's a really good idea 'cause I do feel like sometimes those kinds of things happen just because they're supposed to happen-
Shamane Tan: [00:08:21] Mm-hmm [affirmative], yeah.
Garrett O'Hara: [00:08:21] And to your points, um, they can feel less fresh. So has there been any particularly memorable speakers or any sessions that really stand out in your mind over the last two years?
Shamane Tan: [00:08:33] Mhh, oh, I'm just thinking because there were a lot of favorite ones.
Garrett O'Hara: [00:08:39] Yeah. [laughs].
Shamane Tan: [00:08:39] [laughs]. Um, and they've been quite different. So from, you know, quantifying risk, you know how do you put a dollar value to risk-
Garrett O'Hara: [00:08:41] Yes.
Shamane Tan: [00:08:41] ... which is really interesting, um, to something very different like DevSecOps to, um, artificial intelligence. I mean it's not just saying the buzzword, but we try to like put a different spin to the common topics that people talk about. Um, I would say that my favorite one would pro- probably be the like two panel debate. So one was, um, like I mentioned, you know, the different C-level reporting.
Garrett O'Hara: [00:09:15] Yeah.
Shamane Tan: [00:09:15] How does that work for different organizations? Um, that was quite unique I would say. And then another one where we had a very diverse panel talking about how, um, for people from different backgrounds could be gender, race, uh, even skill backgrounds, um, coming into the industry and how do they ... Have they seen them, um, be effective and grow, grow in the industry itself. And then this is like, um ... It was interesting because you ... I've got like, uh, I think I remember there was a COO all from Safety Culture-
Garrett O'Hara: [00:09:46] Mm-hmm [affirmative].
Shamane Tan: [00:09:47] ... that was there sharing her experience, um, in a tech and innovative company and her perspective on security from that point of view.
Garrett O'Hara: [00:09:54] Mm-hmm [affirmative].
Shamane Tan: [00:09:55] Um, there's someone who wasn't in the industry, I think he was a lawyer, um, a law partner, you know, talking ... So it was really a different mix. So I think it was things like that that stood out. Yeah. And that was very interactive as well because we had the audience just standing up to their feet and you know, challenging the panel, and so yeah, that was quite memorable.
Garrett O'Hara: [00:10:15] And it's incredible that you've created an, an environment where that is okay to do, where you can have different opinions and everyone learns and grows-
Shamane Tan: [00:10:22] Yeah.
Garrett O'Hara: [00:10:23] ... so, um, yeah, it's phenomenal that you've done that. So your, your "job" is as the executive advisor for, uh, Privasec-
Shamane Tan: [00:10:32] Oh right, my real job, yes.
Garrett O'Hara: [00:10:33] [laughs].
Shamane Tan: [00:10:33] [laughs].
Garrett O'Hara: [00:10:35] Um, for those listening, like what does Privasec do? What's the organization do?
Shamane Tan: [00:10:38] Right, yeah. So we are an independent consulting firm. Um, we actually started out in Australia, and then we grew and now in South East Asia, so in Singapore and Malaysia as well. Uh, but we focus in two main divisions, um, governance, risk and compliance. So that's where we do a lot of ISO 27001 well, PCI-VSS, um, [inaudible 00:11:01] assessments, cloud security assessments, things like that. Uh, we also are very well known in the tech assurance space. So that's where we do pen testing, red teaming. More recently, pebble teaming and another niche area would be drone security. So that's where do drones, hardening, uh, forensics. Yeah, that's, that's a whole different, um, ball game, it's fascinating.
Garrett O'Hara: [00:11:23] Yeah.
Shamane Tan: [00:11:23] Yeah.
Garrett O'Hara: [00:11:23] That's, that like bleeding edge security stuff.
Shamane Tan: [00:11:26] Yeah, not people are doing that so-
Garrett O'Hara: [00:11:29] That's pretty cool.
Shamane Tan: [00:11:29] Yeah.
Garrett O'Hara: [00:11:30] Um, so you've given me like so many different services for organizations when they look at things like pen testing, weight teaming, what, what are the benefits that you would see falling out of those if they go to an organization like Privasec, to, to use those services?
Shamane Tan: [00:11:44] Um, so depends on the different levels of maturity of the organizations as well. So for example, if a company is not mature at all, it didn't even have anything, basics, we wouldn't recommend weight to me because it's, um, we'll definitely get in.
Garrett O'Hara: [00:11:58] Yeah.
Shamane Tan: [00:11:58] And if you look at all the past case studies as well, I think it's actually been about 100% successful rates of, of breaking into organization using different techniques-
Garrett O'Hara: [00:12:08] Yeah.
Shamane Tan: [00:12:08] ... from social engineering or sent to physical intrusion as well. So, um, I think we will make sure something that's more, um ... We'll recommend something that's more value added for the company. So it could be, for instance, they just want to start off with the basics first, and then we would help always a security health check to assess where they are at, um, do a pen test for them. Um, but for companies that are more mature, then we would build a partner to get in and do red teaming.
Garrett O'Hara: [00:12:37] Mm-hmm [affirmative].
Shamane Tan: [00:12:37] Um, but what we are solving is that purple teaming is actually probably more value added, uh, because uh, you're familiar with the mitre attack and more-
Garrett O'Hara: [00:12:48] So yeah. Can you run this ... I'm definitely familiar with the mitre attack framework. Can you run for the listeners though?
Shamane Tan: [00:12:53] Yeah.
Garrett O'Hara: [00:12:53] Your history in purple teaming, and what that means?
Shamane Tan: [00:12:55] Yeah, sure. So, um, to put it in really simple layman terms, and what it does is that we sit down with the red- blue team, sorry, the defense team, and then we actually instigate an attack itself. And then we will be showing them, "Hey, are you able to see this is happening right now as we speak? How are you detecting it, you know, what you're doing with it." So it's really, um, actually knowledge transfer as well because we are equipping the defense team to, um, in a real life scenario that this is ongoing. It's live right now. And then we train them on what they need to do to, on the different techniques. You know, there's about, I think one 120 minutes mitre attack techniques these days. Um, and then we walk them through the different cue chain. And so in a way it's, it's, we leave them with, um, a higher level of maturity and ability to deal with incidents.
Garrett O'Hara: [00:13:47] That sounds like a really useful approach rather than doing a red teaming winning and then nobody-
Shamane Tan: [00:13:51] And then yeah-
Garrett O'Hara: [00:13:51] ... really learns anything from that.
Shamane Tan: [00:13:52] Exactly.
Garrett O'Hara: [00:13:53] Yeah, definitely seeing that's, uh, that's awesome. Um, and in terms of the certification side of things that you sort of ran through there-
Shamane Tan: [00:14:01] Mm-hmm [affirmative].
Garrett O'Hara: [00:14:01] Um, do you see the, the alignment to those kinds of well-recognized certifications? So you mentioned things like ISO higher up locally here in Australia, and like aligning to those certifications but then also being assessed by kind of experts, third party organizations like Privasec. Um, is that becoming more critical do you think for businesses to stay competitive and resilient?
Shamane Tan: [00:14:22] Yes. Um, I would say that, I've seen the shift where there is a lot of um, less mature companies realizing now they need to be compliant, and they have actually ... Um, that has helped trigger our desire to ... For them to try to align themselves with certain certifications to get our foot in the door with certain businesses as well, uh, that is a good starting point where they can get more, um, security aware of people coming in. Right. But what the misconception is that being compliant doesn't mean you're secure.
Garrett O'Hara: [00:14:57] Mm-hmm [affirmative].
Shamane Tan: [00:14:57] So that's something that people have to also be mindful of. Um, it has helped. Or like speaking to so many people, there, there, it's a common frustration for them because they are saying the same things to your company and like the board and they're telling them you need to do this. But you know, the board is not really listening to internal people, and then they have to get a third party to come in. They pay a lot of money to independent assessor, who comes in and tell them the exact same thing.
Garrett O'Hara: [00:15:23] Yep.
Shamane Tan: [00:15:24] And then, you know, the board buys into that. But that's how it works. Human nature. [laughs].
Garrett O'Hara: [00:15:28] That is ... It's amazing, isn't it?
Shamane Tan: [00:15:30] Yeah.
Garrett O'Hara: [00:15:30] The third party experts, how, how much weight that carries.
Shamane Tan: [00:15:33] Yeah.
Garrett O'Hara: [00:15:33] And definitely an important thing. And, and speaking of third party experts, so obviously you've written the book Cyber Risk Leaders, so congratulations again on that.
Shamane Tan: [00:15:42] Thank you.
Garrett O'Hara: [00:15:43] Um, how does it feel like after so much work, right, it, it took many, many years and how many interviews? Like a lot, right? [laughs].
Shamane Tan: [00:15:49] Oh, um, yeah, I think I counted actually, that was about 17. Like more than 17 different C level people that I've spoken to around the world.
Garrett O'Hara: [00:15:58] Right.
Shamane Tan: [00:15:58] Uh, I could only name 30 of them in the book.
Garrett O'Hara: [00:16:01] Yep.
Shamane Tan: [00:16:01] Yeah. 'Cause some of it's really confidential and it's a mix of like the ... Ex FBI's, the ex Navy Seals, um, to, um, governments CISOs to Critical Infrastructure to ... You know, so it's a really, really broad spectrum. Um, that's been fascinating like getting through their minds and their heads and just trying to extract out different perspectives, and put that into a book. Yeah. It's also a bit confusing because there's so many voices.
Garrett O'Hara: [00:16:30] [laughs].
Shamane Tan: [00:16:30] So at the end of the day is yeah, trying to figure out what's going to be most relevant to people, but the readers, what has to, you know sift through and, and find out what's applicable to their own world and your own industry and apply that accordingly.
Garrett O'Hara: [00:16:43] But what a phenomenal resource for them to be able to shortcut years of work-
Shamane Tan: [00:16:47] Yes, definitely.
Garrett O'Hara: [00:16:47] ... on your part to be able to have a book that they can go to-
Shamane Tan: [00:16:50] Yes.
Garrett O'Hara: [00:16:50] ... and it goes straight to the important parts for their particular industry.
Shamane Tan: [00:16:53] And actually just speaking on that, that's one reason why the CISOs themselves, uh, are so willing to like spend the time and really give back as well.
Garrett O'Hara: [00:17:01] Mm-hmm [affirmative].
Shamane Tan: [00:17:01] Because they are mindful of leaving a legacy, but also they're mindful of the next generation coming up. So that was something that really stood out throughout that entire experience.
Garrett O'Hara: [00:17:10] It's an amazing industry to me.
Shamane Tan: [00:17:11] Yeah.
Garrett O'Hara: [00:17:11] [inaudible 00:17:12] security, how, how much there is this spirit of collaboration-
Shamane Tan: [00:17:16] Yes.
Garrett O'Hara: [00:17:16] ...and working together.
Shamane Tan: [00:17:17] Exactly.
Garrett O'Hara: [00:17:18] It's, it's unbelievable.
Shamane Tan: [00:17:19] Yeah.
Garrett O'Hara: [00:17:19] Um, it's the common theme and then the conversations I've had doing these.
Shamane Tan: [00:17:23] Yes.
Garrett O'Hara: [00:17:24] It's it's people every single time.
Shamane Tan: [00:17:25] Yeah.
Garrett O'Hara: [00:17:25] It's protecting your grandmother, it's protecting your organization.
Shamane Tan: [00:17:27] Mm-hmm [affirmative].
Garrett O'Hara: [00:17:28] It's working together to, to do security well. Um, so obviously like you spoke to a lot of people when you were doing the book, and obviously you can't name those people, but was there any stand out interviews that you remember where, you know, something really spoke to you or kind of stood at it from an interview perspective?
Shamane Tan: [00:17:47] Um, I think I remember main theme while writing the book is like, keeps coming to me, right? It's like, wow, we have a lot of exceptional people in this industry. They are all really good, really, uh, different experience, but they have so much to give back. That's what that really stood out. Um, so I can't really name a few because their stories also individual and so unique. What I can share, maybe that comes to mind is a recent conversation to have with Steve Katz. So here's the world's ... He's known as the worlds first and actually wrote a LinkedIn article, a little bit of a snippet about what we talked about because it's going to come out in a second print of the Cyber Risk Leaders.
Garrett O'Hara: [00:18:26] Awesome.
Shamane Tan: [00:18:27] But, uh, what's incredible was he took on the role of the CISO in 1994, [laughs] so that was ...
Garrett O'Hara: [00:18:33] Wow.
Shamane Tan: [00:18:33] Yeah, I mean in Australia we're seeing the like CISO becoming really popular these days.
Garrett O'Hara: [00:18:38] Mm-hmm [affirmative].
Shamane Tan: [00:18:38] It's appearing on LinkedIn at such a rapid rate, but like it's only come on like I think about 10 years this title. But Steve actually held the title yeah in 1994.
Garrett O'Hara: [00:18:49] '94.
Shamane Tan: [00:18:50] And he had to deal with the first hack for City Corp back then. And that was when Russia hacked into the bank. And you know when you don't have that previous example of a breach, and you don't really know how to deal with it, you maybe miss a spot right?
Garrett O'Hara: [00:19:03] [crosstalk 00:19:03].
Shamane Tan: [00:19:03] Exactly-
Garrett O'Hara: [00:19:03] Figuring it out as you go.
Shamane Tan: [00:19:04] Yeah, yeah, and for him, what was really key was really recognizing that even back in the days that cyber security is actually a business risk.
Garrett O'Hara: [00:19:12] Mm-hmm [affirmative].
Shamane Tan: [00:19:12] And I was quite surprised to hear him tell me that he was already talking to the board about, you know, it being a business risk. How do you align your conversation about cyber risk in the perspective of how the organization as a whole managed risk. Um, and, and it really brought to mind that, "Hey, you know, we were talking about it now a lot more in the last few years itself." Um, you know, it's funny cause he has been talking about it in the US in New York like ages ago.
Garrett O'Hara: [00:19:41] Mm-hmm [affirmative].
Shamane Tan: [00:19:41] So I think it really brought to mind something someone said as well about how we always talk about learning lessons, right? But maybe are we really applying the lessons if were talking about the same thing many years later on?
Garrett O'Hara: [00:19:51] Yeah.
Shamane Tan: [00:19:51] And maybe-
Garrett O'Hara: [00:19:52] [laughs].
Shamane Tan: [00:19:52] ... it's just lessons identified but not lessons learned yet. Yeah.
Garrett O'Hara: [00:19:55] Yeah.
Shamane Tan: [00:19:56] So food for thought. [laughs].
Garrett O'Hara: [00:19:57] Yeah, most definitely. Um, I think we're just about running out of time. Um, there's probably a couple more, just kind of short questions, but like what did you take out of the process of writing the book? Like, what, what was it from a personal perspective, I'm guessing you would have learned a lot, as the head of security.
Shamane Tan: [00:20:13] So from a personal perspective I would say takes a lot of discipline to write a book. So there were many times that I, I really wanted to give up because you're talking about spending time after work, you know, your weekends-
Garrett O'Hara: [00:20:26] Mm-hmm [affirmative].
Shamane Tan: [00:20:26] ... late in the evening. Um, just trying to consolidate different thoughts and perspective and, and make sense of it, and at the same time also adding your own voice and-
Garrett O'Hara: [00:20:35] Yep.
Shamane Tan: [00:20:35] ... and just put everything together. So there are moments where I really enjoy it so much I couldn't stop, [laughs].
Garrett O'Hara: [00:20:40] [laughs].
Shamane Tan: [00:20:41] Before I knew it, it was so late in the morning already. And and I go to work, but, uh, there are moments, you know, you just don't want to look at it for a while [laughs].
Garrett O'Hara: [00:20:49] Yeah.
Shamane Tan: [00:20:49] I mean you want to leave it there, um, so what kept me going really is I guess one thing to see that finished product being in the hands of people where they can learn and, and just grow from it. And, and it's been very rewarding when I even has students who are in the industry, and they've taught me, they've gotten copy of, of of the book. Some of them have borrowed it from the library. It's in the library in Australia-
Garrett O'Hara: [00:21:11] Awesome.
Shamane Tan: [00:21:11] ... and in Singapore as well, uh, national library over there. And, and they said that it has really helped them, given a perspective of what it's like in the real world out there in the corporate world, and it's gonna equip them when they go out there and they know what to look out for. And, and I guess it's things like that, that really makes it very fulfilling, yeah. And I find like people who are in a new, like new in the industry, they are considering joining the cybersecurity industry, that's one thing as well that has come up. Um, but I do find it really helpful and, and that was something that I guess is bonus, because when I first started writing the book, it was really just ... I'd been speaking to even like new CISOs or aspiring CISOs.
Garrett O'Hara: [00:21:51] Mm-hmm [affirmative].
Shamane Tan: [00:21:51] And they wanna learn from their peers or even experienced CISOs wanna learn from each other, but they just don't have that bandwidth-
Garrett O'Hara: [00:21:57] Yeah.
Shamane Tan: [00:21:57] ... to do that. So that was the original intention to bring it together, to help the security leaders do their job better. Um, but yeah, it's a pleasant surprise to find that, it's just touching everyone on different aspects.
Garrett O'Hara: [00:22:09] Yeah, that's great. And it sounds like such a good shortcut-
Shamane Tan: [00:22:12] Yeah.
Garrett O'Hara: [00:22:12] You know, to consolidate all of that knowledge into one place.
Shamane Tan: [00:22:16] Yeah.
Garrett O'Hara: [00:22:16] I mean, it's a not a normal to do. Um, so you sort of hinted at it. We can expect another book-
Shamane Tan: [00:22:20] [laughs].
Garrett O'Hara: [00:22:20] Book two or?
Shamane Tan: [00:22:23] Well, more of like a second print for now, but I have a few additions that has come up that, um, actually one of, it's really exciting. One of the US ex precedent, his CISO, um, I've actually sat down with him for like one and a half hour-
Garrett O'Hara: [00:22:36] Wow.
Shamane Tan: [00:22:36] ... and like the things that he has shared for the second print of the book is really, really interesting. So that's a work in progress-
Garrett O'Hara: [00:22:42] Phenomenal that's a good teaser. [laughs].
Shamane Tan: [00:22:43] [laughs]. And, and I actually still have [inaudible 00:22:46] I'm sure that we have [inaudible 00:22:48].
Garrett O'Hara: [00:22:47] We've got breaking news, this is exciting.[crosstalk 00:22:49].
Shamane Tan: [00:22:50] Yeah. So yeah, watch the space.
Garrett O'Hara: [00:22:52] Will do. And so where can you buy the current edition or is it on sale?
Shamane Tan: [00:22:55] Oh right. Uh, so it's currently on Amazon and I think it's on them. It's only in Kindle, Google Play books as well. Um, if you want to get up, if you're in Australia or actually if you're around the world, you can get a hard copy through my security marketplace. Yeah. And just search Cyber Risk Leaders and it will come up.
Garrett O'Hara: [00:23:12] Perfect. Too easy. And then the Cyber Risk Meetups, how do people get involved?
Shamane Tan: [00:23:16] Yeah. So just go to cyber risk meetup.com.
Garrett O'Hara: [00:23:19] Too easy.
Shamane Tan: [00:23:19] Yeah.
Garrett O'Hara: [00:23:20] Awesome. Well, we pretty much run out of time, Shamane, so really, again, thank you so much for taking the time to chat today.
Shamane Tan: [00:23:28] I've really enjoyed myself actually-
Garrett O'Hara: [00:23:28] It's been a pleasure.
Shamane Tan: [00:23:28] ... so thanks for having me.
Garrett O'Hara: [00:23:29] Awesome. Thank you.
Shamane Tan: [00:23:30] Thank you.
Garrett O'Hara: [00:23:33] And there you go. Thanks again to Shamane for taking the time out to talk to us and please do check the show notes for details on how to get involved in Shamane's Cyber Risk Meetup and also where to find her book Cyber Risk Leaders. As always, thanks for listening, and I look forward to catching you on the next episode of the Get Cyber Resilient Podcast.