The Get Cyber Resilient Show Episode #12 Transcript
Garrett O'Hara: [00:00:00] [music] Welcome to the Get Cyber Resilient podcast. I'm Garrett O'Hara and this week I'm joined by the founder and CEO of KB Industries, that's Karissa Breen. This was a great conversation with somebody who is happy to challenge assumptions. Which is something I always appreciate. And KBI are a digital MarComms company who service the security and emerging tech industry. They help startups get themselves established with their presence in the world. And they help mid-sized and enterprise organizations get their messaging on point. And also get the messaging to the right people through podcasts and written and video content. KBI have a growing media presence across a few different platforms, and we'll include a link to the KBI podcast in our show notes and there's really some great guests on there, so definitely recommend that one. KB Cast features interviews, discussions, and presentations from global leaders. Of course information on security and emerging tech. And in 2019 they also launched KB TV where Karissa sits down with organizations pioneering new approaches and solutions to these security markets. Um, I really hope you enjoy this conversation, I know I did.
Welcome everybody to the Get Cyber Resilient podcast. I'm joined today by Karissa Breen. How are you going today, Karissa?
Karissa Breen: [00:01:23] Yeah, not too bad. I know that when you spoke earlier the weather is making us a little bit tired. But I'm sure once we jump into the conversation I- I'm sure that I will be high energy as everyone always, uh, describes that's how I am. So I'm hoping that I can do that again today.
Garrett O'Hara: [00:01:24] Good stuff it is definitely a funny day out there. I'm not sure what's going on. I woke up to temperatures that don't feel normal compared to what we had the last couple of weeks. So, yeah, I definitely feel you. Um, so you- you've got a really interesting journey, um, um, you're obviously running your own business at the moment, KB Industries. Um, I'd be keen to maybe start there. Like, how- how did you get to where you are today?
Karissa Breen: [00:01:25] Uh, that's a really good way to describe my journey because I have had quite a diverse unique journey. I haven't always been in technology or in cyber security, but I guess where I did start my career was in financial services. And I worked for, uh, Australia's, one of the lar... That's one of Australia's largest banks. And I was sort of working technology there. And then I found or even developed an interest around security because, I mean, back then which was probably about six or so- six or seven years ago now. And it was- I was really intrigued by why cyber criminals did what they did and I was reading a lot of stuff online about the dark web and understanding a little more about when, I guess, money would be siphoned out of the bank, and why people would do that.
And so then I started to build relationships with people in the bank at the time they were expanding their team quite enormously. And then I ended up getting a role as a reporting analyst in the bank. And that's where I sort of started my journey and it was interesting because I had quite a high level overview of the whole security space and what we were sort of doing in terms of all of the different departments working together to combat cyber crime. And my role there was to create the executive and the board reports and put them in ways that people understood that were actually actionable as well. And what I mean by that is, communicating in a way that an executive would understand and sort of moving away from the technical stuff. Yes, that was a component of what I was sort of contributing. But the overall messaging was really to understand where we were sitting in terms of, uh, the posture and what does that sort of look like in terms of the insights that were derived from those reports.
And where we sort of needed to be in terms of a road map. But also where we needed to invest money in because perhaps for example, we would run efficient simulation for a certain area of the bank. An X amount of people were compromised. We wanted to sort of take a closer look on why was that the case. Were we doing enough training? Do we need to invest in more sort of training? And then... It gave me more of an understanding of that disconnect between technical and business people and I think that over time I then became a good reporting analyst. So, then I would report on the other [inaudible 00:04:31] that the bank owned. And, again, it just gave me more of a further, I guess, birds-eye view of how all of these little independent teams actually, uh, were contributing to the overall cyber security goal and the vision.
And so then I ended up moving into more of a consulted lead role between the penetration testing and the business. And I think from there I started to really understand that I probably where my strength was, was really becoming that- that translator. Like, understanding and sitting with the technical guys, getting them to unders- getting me to understand what they were doing, and then putting it in terminology that a regular person could understand. And, I mean, it makes sense. If you're trying to, I guess, charge other parts of the bank for pen- pentesting, which isn't a- a cheap function, we had to, obviously, explain it in a way that people would understand. And to also really not get them offside because sometimes when you are conducting those types of tests it's very easy to sort of turn around and say, "Well, the application that's always there isn't bla, bla, bla." And people can get really offended by that.
So you had to be very careful with- in the way in which you have those conversations with people in order to keep them onside, in order to keep them doing what you needed them to do. Which is to kill the application and to ultimately keep those relationships intact.
Garrett O'Hara: [00:05:54] Yeah, 100%. Interesting that you touch on the people side. It's been a threat in the conversations I've been having consistently with CCOs and security practitioners. Where, um, and you've touched some people in- in what I can see in three different places. The comms side and fixing the disconnect between the security industry and the sort of call it the business side. Um, and, you know, and- and to your point using correct language, understanding user behavior and the people involved in that and- and what causes behavior change. And then lastly, um, you relate that idea that as a security practitioner, a big part of what, I guess, has made you successful is just being good at working with people. And as you say navigating politics and not offending people sometimes, which, uh-
Karissa Breen: [00:06:39] It used to happen a lot.
Garrett O'Hara: [00:06:40] It- it does, doesn't it? It's such a funny thing. I think we, um, some of the best security practitioners I've met are very black and white as they probably should be. You know, that's kinda, that's what their jobs requires. Um, but then, yeah, that they- where you've actually got to then deal with the business. Um, I think that- that- function of, as you say, be the translator, communicator is so important. Um, what do you think-
Karissa Breen: [00:07:00] It's not that they mean to offend people though.
Garrett O'Hara: [00:07:02] No.
Karissa Breen: [00:07:02] I think that's just who they are and I think that takes time with understanding them. But if you're in a different part of the business, it's very easy to turn around be like, "Oh, that pentester dude that works with you is incredibly rude." But that's just who they are and I think when you spend time to get to know these type of people that they're looking at- they're looking at things purely from a security point-of-view and not necessarily from business perspective. And I think that- that sort of really got- gave me insight into two sides of the coin. And I guess that's where I started to notice a massive gap in the market even from back then. And then sort of moving on doing another role in a boutique consulting firm. Same type of, I guess, problems and concerns were being raised. And that's what, to some degree, gave me the genesis of the- the idea of why I created the KBI brand. Simply because I can see that gap between how technical companies and even internal functions were communicating to, not only the public, but to their employees as well and to their customers.
And that's sort of where I can see that gap. And that's where I believe a lot of people do need a lot of help. Even still to this day, because it's incredibly important in order to sell your products and services.
Garrett O'Hara: [00:08:15] 100% agree. Do you- do you have kind of things that you've commonly seen? I'm guessing with your experience, you've seen probably threads or themes where, you know, consistently organizations maybe approach things in the wrong way from a communications perspective.
Karissa Breen: [00:08:29] Absolutely, I think probably the larger you go there's more bureaucracy, there's more red tape, there's more people you have to get approval from. That actually does, over time, dilute that humanness messaging. And then I think it does become that- that very, "We're very corporate." And I think that, that actually, um, puts a firewall up in between a corporation and- and a customer. Because they kind of feel that they don't have that human connection and I think that, that's where smaller companies actually have a lot of opportunity in the market to do quite well. 'Cause they can sort of tailor that messaging to then accommodate the people that they are- are looking to- to sell to.
Garrett O'Hara: [00:09:05] Yeah, no I definitely get you. Do you feel like it changed? Or like, what do you- what do you see has changed over your- your time, um, you know, from the bank and the consulting services? Like, any- any thoughts on that?
Karissa Breen: [00:09:20] Yeah, I think purely just... What I think has changed is the buying patterns and- and how people are so... Going about purchasing products and services, I think that there are a lot of vendors in this space now more so than ever. Uh, there are thousands of them that you and I probably couldn't even name all of them. And- and I think that executives and people that are sitting on a client's perspective feel incredibly bombarded by sales people. They feel that they're pulled in different directions on, "Well, who do I trust? Does this product do what it- what they say they do?" Some of the chances are maybe no, they don't do that. And they overinflate their messaging. And I think that... I think that's probably because a lot of people now want to do learning in the dark, they don't want to be sold to every time. And I think that, that stems from a behavioral point-of-view in terms of behavioral science.
And in the last three or so years I've really taken a step back to really analyze what does that mean in terms of sociology and consumer buying and how people actually are connecting and- and purchasing from brands. And I think that what I've seen in terms of even speaking to people, not just in Australia, but in terms of the globe as well, are people just feeling that they're not really sure who to go to. They're finding it difficult to get synthesized information to understand, probably more at a pre-sales level, about what a product or service does. And they're just feeling incredibly overwhelmed by the amount of people that are knocking on their doors. And so now I feel that we're in this- this space at the moment where it is hard to get that awareness towards your brand. And I think that people that are purchasing these products and services just feel inundated by it all.
Garrett O'Hara: [00:11:05] Yeah, 100%. There's a- there's a really good white paper, uh, I saw around the MNA sort of movements within the security industry. And, uh, it's- it's I think it's almost become a famous picture now where it's got all the security control areas. So, you know, there have been, uh, IDM messaging security and then it's got the logos of the providers in there. And honestly it's like a- kind of, Where is Wally? There's just so many logos, so many control areas and it's just like an absolutely overwhelming amount of, uh, choice that's there. Um, uh, can I ask you a bit, like, do you see the- the role of kind of trusted advisor has become more important as organizations kind of navigate that complexity?
Karissa Breen: [00:11:47] Trusted advisor from an external perspective, or from an internal perspective?
Garrett O'Hara: [00:11:51] Sort of both I would say. So like that, uh, one of the things I've seen become more and more important is, to your point, because of the complexity and because when you go to a city conference, there's magicians and brochures and, you know, flashing lights, it can feel hard to get to, like, what's the true- what's the true value here? What- what does this actually do? Um, so I would say, like, both from a vendor side. You know, establishing that trust, you know, doing the right things. And but then also that internal trusted advisor status, could be a CCO role or somebody within the security team.
Karissa Breen: [00:12:22] Absolutely, so there's probably two parts to this. So the first part on the internal side. So, yes, a trusted advisor, yes, from a CCO perspective. What I think is lacking in a lot of CCOs is their understanding of people and leadership. I think what's traditionally happened is people who are probably CCOs in today's day and age have gotten there, probably just by default from being a assistant's engineer working their way up the ranks. Have probably never really intended to be a leader at that scale or at that level. And don't really have the fundamental skills to actually lead and influence people. And then as, I guess, as a by product of that, they need to influence the business to- to get money. And I- and I know this because part of why I used to write those reports was with the intent that the business would hand us money. And they did. They handed us $400 million worth of funding which is quite a substantial amount. And that wouldn't have been granted if we had just been quite anecdotal about the approach.
And I think when you're doodling and you're crafting messages you need to be quite scientific and mathematical, but you also need to have the other side of it, which is the people side of it. And actually understanding from an executive point-of-view what- what do they really care about? And I don't think enough people in this industry are really taking that step back to actually think, "Well, what's really important to these guys?" Or really even understanding people at a fundamental level of what makes them tick and I don't think enough of that is being done in terms of the internal side of it. So, I think that's also been a problem because in universities, they haven't traditionally taught communication skills and influencing and- and- and sales skills. And then as a result of that people are saying that they're struggling to get funding because they can't tell why their business needs to effectively invest in cyber security.
And then they're struggling because of that which again needs to rely on effective reporting, but also shown communication skills which I see is still a problem in the industry that does need to have, uh, people to be upskilling in this space to be able to run a team at that scale and at that level to have everything they need to ultimately protect the business.
Garrett O'Hara: [00:14:32] Absolutely, and you mentioned effective reporting there. Because that's one of the things that I think we see consistently. Um, and there's a reporting and then there's meaningful reporting. And I think what's important to somebody sitting in a, you know, sub team, for example, versus an exec who's potentially gonna release budget for a project. They're very different things and, um, yeah, and I think that's traditionally again something that as an industry we haven't gotten particularly right. I think that's fair to say.
Karissa Breen: [00:14:57] No, because I think that for example, if I, I don't know, I've done something for you, I'm emailing you a report. You don't really care about it at the end of the day. Like, "Yeah, cool. Thanks for the figures." But what do these things actually mean? And that's what I sort of mentioned earlier about driving into that. "Okay, so we've run efficient simulation of this part of the bank, this X amount of people were compromised. Why is that?" And why is it different from potentially last month? So what did we do last month? So then you also need to start then evaluating the trend. Is it up or is it down? What did you do last month? There's this month. And also how's it comparing against other business units? One of the things that I found was, if it was a business unit within a company that probably didn't have a technical background or wasn't into technology to some degree. We found that they are compromised more. Now why that is, there could be a myriad of reasons plus...
Probably because they're not necessarily technology savvy and probably weren't aware as opposed to someone who has studied engineering or whatever it may be or someone that's working in the security team. And then it starts to be able to unpack more insights as to why. That is a valuable piece of information that an executive would want to hear because you're not just throwing a boring and a basic report at them. You're actually doing the homework for them, which means it's less work for them to do. Which overall you become incredibly valuable to them and you do become that trusted advisor. Because of like, "Hey, this Steven guy that we're paying X amount of money to- to do this role in terms of quite a senior role, we really need him because not only is he backing it up with the evidence in the report, he's actually providing us with a pretty clear and indicative way forward on what we need to do in terms of our security broker."
Garrett O'Hara: [00:16:43] Yeah, phenomenal. Can you maybe change tech a little bit here? Um, given your- your comments were kind of working from home both of us today, and that's obviously related to COVID. I'd be keen to get your thoughts on how you see that kind of affecting our industry at the moment.
Karissa Breen: [00:16:58] I think one of the things that I'm seeing is probably the- a lot of attempts over capitalism of the back of COVID-19. And what I mean by that is people, uh, tactlessly trying to sell their services off the back of this very unfortunate event. Now, there obviously are companies that can assist in terms of, if their setting up people for- to work from home. Yes, I would say that's valid. But people that are just trying to use this as an excuse to sell their services, I think, should stop doing that. Because it really comes across as probably a little bit desperate and in my perspective of, uh, branding it actually sort of damages that brand. Because I just don't know if that's the right way to really position yourself at this current climate. And I would just recommend if people could probably stay away from probably doing tasteless marketing communications like that. So that's one of the first things I've seen just from a comms perspective.
But then I'd say the other thing is now, is one of the things that I'm hearing is because a lot of especially larger- sorry especially larger corporation. They haven't traditionally had this work-from-home, or work anywhere type of model. So they're really having to adjust their process and policies or even create them if they haven't developed that internally to accommodate for this new way of working. And I think that there needs to be more communications around how do people from home actually secure their WiFi, how they're actually conducting their business at home. I know for a fact that certain people actually have BYOD. They don't even have corporate laptops, for example. So then that obviously imposes another security problem. So I think having correct communications around, what this actually mean, step-by-step guides on how to secure your devices. And then I think having more support in terms of a help desk to be able to answer those questions that people are likely to have.
Because they've never really had to do this. And this is definitely something, the kind of behavior that would probably create a lot of stress and upheaval for a lot of people I would imagine.
Garrett O'Hara: [00:19:13] Yeah, I totally agree. I've heard a story this morning actually. It's a friend of a friend, so it's one of those stories. But, um, it's- it's an organization. A fairly well-known brand and, as you said, they were never set up for work-from-home. So the employees all had desktops. And, you know, laptops weren't a thing. So, you're in this position where, like, you don't have a portable device at all.
And, um, to your point, you do end up using a BYOD, completely unsecured home WiFi versus, you know, potentially enterprise grade security perimeters. Yeah, it's just, uh, it's- it's amazing to me how much of a transition these organizations have, hopefully, successfully made. Um, but yeah, I wonder what the fallout will be. You know, it's gonna be three months, six months, nine months before we will really start seeing the, I suspect, you know, the fallout from the work-from-home transition.
Karissa Breen: [00:20:00] I agree with you and I- and I'll... I was actually shocked just, again, as soon as your story and I'll say the same thing and they sit there working off a very old laptop that's probably not patched and who knows what else is going on there. Uh, because they were working off desktops in their- in their corporate environment. And so now if the companies were to go and purchase a whole bunch of laptops like that would be X amount of dollars and at the moment might depending on the business, perhaps they're not doing as well as they did before. So, I guess they're trying to do it the best they can. And I think the other thing would probably be embedding cyber security into their- into the business plan in terms of crisis management. Like, how does this actually fit in with what we're doing, and what does it mean when we are potentially in another crisis, like, how are we actually going about that?
I think some companies would have this, but I'd say a lot wouldn't. And I think that's what they're sort of struggling with now, is to trying to keep their head above the water. Still function, still operate, still keep people happy. Hopefully, not letting people go, and still ensuring that they're mitigating their risks at the same time. So, it's becoming quite a huge juggling act at the moment. And I would say the larger the enterprise or the organization, I would say, it become a little- a lot more challenging to get the- get people that haven't worked in an environment like this to even consider security at all. That's the last thing they're thinking about is, "Oh, well, I'm using some- some laptop that's been lying around my home for a fair few years. This'll do." I don't know if they're really thinking like, "Is this the right device that I should be using? But that's all I've kind of got." So, I don't know if security is really a first thought at the moment for a lot of people that aren't working at a technology based role.
Garrett O'Hara: [00:21:42] I'd agree. There's probably some Windows 3.1 laptops out there at the moment, um, chucking, chucking away. [laughs]
Karissa Breen: [00:21:49] I don't know if I wanna hear it because I think it stresses me out.
Garrett O'Hara: [00:21:51] No, for sure.
Karissa Breen: [00:21:52] I would say that's the- that's one of the, uh, a big challenge that's happening. Then I would say another thing that I've sort of seen is, as you would know that because people have now had to move to video conferencing a- and more cloud based software platforms to conduct their business internally and externally, the next thought and- and question would be like, "What would be the line of questioning that these organizations need to start asking before they are adopting a new technology?" Because as we've sort of seen in the market, now ult- ultimately people need to work remotely, "Oh, we'll purchase this bit of technology because that's what we need right now."
But was that necessarily the best purchase? Maybe not now, in retrospect. And I think that just following what everyone is doing in that herd mentality without doing proper, detailed and in-depth vendor analysis isn't always the best way forward. So, that would probably be my next thing that I'm seeing as well. Just people following the crowd, but then sort of becoming dangerous stage and saying, "Well, well maybe that wasn't the right decision because there's all these security vulnerabilities and privacy issues that are now coming to the surface. And perhaps that I shouldn't have done, but I ran to it because I needed something to help me out during this process because now people can't work from an office."
Garrett O'Hara: [00:23:08] 100%. I- I think the- the SaaS model and- and so much cloud, um, solutions and platforms is probably a good thing in situation. Because at least we've moved away from the, you know, the kind of five to seven year buying cycles where, you know, if you did run to something you were kind of stuck with it. At least now, um, in a large part, it's not like it's no work involved but it's so much easier to move around between, in my opinion, service providers. So, hopefully, you know, that makes that, as you say that there were people who have run to something who realize then there's maybe security implications.
At least they can kind of back out, I think, more easily than they could have in the past. Do you think we'll see, and based on that, I wonder, you know, 12 months from now do we see a big turn in the cyber security industry as people kind of realize, "Hang on, you know, that wasn't the right decision?" Maybe based on feature set or maybe based on home security concerns. Do you reckon we'll see, like, a spike in- in sort of companies turning from one provider to another?
Karissa Breen: [00:24:04] Absolutely. And I'd say even before this crisis happened people were doing that already because as you know it's- there's a lot of people out there. And by the time you've just purchased something the next guy is popping up with a better solution. So I think that's just the way in which the market's moving and the way in which technology is developed and then deployed is so quickly, it's crazy. And I think that now people would probably look back in retrospect going, "Yeah, that wasn't the best purchase." But hopefully they can put adequate controls around what they're doing and actually put all the Cs in and processes around, these are the types of technologies you can use and these are the things you can't use. And I think that, uh, companies would need to enforce that, because ultimately if people are sort of using whatever they want in terms of cloud based software platforms whatever they need it for or even, um, file sharing platforms, I think that companies would need to establish some type of framework and ensure that people are- are adhering to that.
Garrett O'Hara: [00:25:08] Yeah, no I definitely agree with that. Um, just as we kinda close out here, um, Karissa, I'd be keen to kind of just talk a little bit about KB Industries as well. Um, I- I think you've got a very interesting business there. Um, and I was just wondering if, yeah, you can kinda run us through, uh, I'm guessing you probably don't have an average day [laughs] but looking at what you do and how that's going, I'm guessing there's probably a large appetite for- for what you do. And given, you know, as we talked about that disconnect between server practitioners, CCOs and- and their audiences, whether that's customers or internal, uh, you know, the ex- ex- the exec making, um, the decision to sign off on a project. Um, what's your most popular kind of, um, service or offering that you guys do?
Karissa Breen: [00:25:52] Mm-hmm [affirmative]. So I would say at the moment it would be running a lot of content marketing for startups, but also large enterprise as well. Startups being they don't have the capability internally so we would act as that CMO function, but from an enterprise perspective we would augment their current marketing team. Because everyone in my team has worked in technology or security to some degree, they have that knowledge and they're sort of bringing it forward. And- and I think that, that's where, again, that disconnect is because you've got technical people that only get tech. And sometimes when you're dealing with marketing people they haven't necessarily worked in the technology space to really understand it at a- a kind of nuance level as well. Because there is so many terms and jargon that people don't necessarily understand. And I think that we sort of bring that knowledge forward.
Garrett O'Hara: [00:26:41] I think you're spot on there. Um, it's one of those things that I think is- is actually crucial in security because the accuracy of language. Um, and what you're saying is- is so important. Um, and, you know, the potential for miscommunication, let's be honest, is huge. Um, it's- it's enormous when it comes to our industry. Um, so do you, in terms of like you kinda do, you know, technical CMO, but also, you know, obviously aim for the business side of things as well? Is that fair to say?
Karissa Breen: [00:27:08] So what we're trying to do is understand, at a technical level, what that company does. And then we try to marry it in with being creative in how we approach it because one of the things I noticed working in a consulting firm is that a lot of companies are just really banal in how they were approaching their messaging. And I was really sort of sick of seeing the same stock image- stock images that I've seen on one, the same type of approach, the same inflation of, you know, "If you buy a product you'll never get hacked." You know, so I was a bit over that whole way of approaching the problems in the industry. And so I wanted to take more of a modern approach on how people should be communicating what they do at- at people that necessarily don't really understand from a de- technical level what- what all of that means.
And some of the clients we do work with, they do some really cool stuff but you could probably never really tell that from the outside. And that's where we sort of come in and really bring that forward. Because a lot of people really do struggle with, "Okay, I do all these cool things, but how do I go and sell this in the market?" That makes sense to people. But also isn't so boring that people want to fall asleep either.
Garrett O'Hara: [00:28:22] So I- I think the trick there from what I've seen is that you use an image of a hooded person and you make sure that you got the Matrix style, you know, ones and zeros streaming down, stream behind him. Um, and that's it, you know, people kind of get it straight away. Um, I- I find that meme so funny in our industry. And I -I, you know, when you think about the people who are actually out there attacking, they don't look anything like that. You know, they're probably sitting in a coffee shop and they're- they're in a call center somewhere. They're not wearing a hoodie, it's not Mr Robot. Um-
Karissa Breen: [00:28:52] I think Hollywood's to blame for that.
Garrett O'Hara: [00:28:53] Yeah.
Karissa Breen: [00:28:53] Because I think that a scene in a movie. I was like, "I never dressed like that ever in my life. And I don't intend on it." And so I guess there's this fantasy that, that's what people wear. And maybe some people do, but a lot of people that I know, don't look like that at all.
Garrett O'Hara: [00:29:08] Not at all. Like, when I- when I go to visit organizations they- they look like regular people, weirdly. You know, they wear business shirts quite often, they look like normal human beings, they have good social lives. And, um, definitely it's- it's not Mr Robot. Um, Karissa we have absolutely blown over time which I think is always a good sign. And it definitely, um, I think the energy was there. So, very much appreciate you kind of getting into it and- and having such interesting things to say. Um, thank you so much for taking time out to talk to us. I- I do know you're a very, very, uh, busy person, so very much appreciated. And, um, yeah, look forward to hopefully chatting again in- in the future.
Karissa Breen: [00:29:46] Well, thank you so much. Really appreciate the chat I didn't even realize that we... [laughs] God, look at the time. But, uh, no, really appreciate, uh, you guys getting me on the show today, and, uh, looking forward to hopefully a future episode.
Garrett O'Hara: [00:30:04] Awesome. Thanks, Karissa.
Karissa Breen: [00:30:04] Thank you.
Garrett O'Hara: [00:30:05] What a good conversation. Thanks again to Karissa for the time and most of all her perspective. And thank you for listening to the Get Cyber Resilient podcast. I look forward to catching you on the next episode.