Garrett O’Hara is the Chief Field Technologist, APAC at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies and is a regular industry commentator on the cyber security landscape, data assurance approaches and business continuity.
Gar is joined this week by Andrew Bycroft, CEO of iResilience and author of ‘The Cyber Intelligent Executive — Securing the Future of your Organisation’. Andrew has had an interesting career progression, moving from studying the ionosphere as a physicist to following his passion and becoming an IT manager.
From IT manager, Andrew then moved towards security and did managed security services, operations consulting, architecture and even went to the dark side to work in sales. Six years ago, Andrew started his own company to work with execs and boards to help them understand the difference between cyber security and cyber resilience and the role that culture plays in transforming organisations to solve cyber related issues.
In this episode Gar and Andrew spend some time discussing cyber security vs resilience, what we need to think about beyond People Process and Technology and the importance of communication and transparency. Andrew also details his 8 attributes for a healthy cyber culture, how to navigate the change of culture in complex organisations, resilience profiles and Andrew’s model for resilience maturity.
Get your copy of Andrew's book here: https://amzn.to/32s2I99
The Get Cyber Resilient Show Episode #31 Transcript
Garrett O'Hara: [00:00:00] Welcome to the Get Cyber Resilient podcast, I'm Garrett O'Hara. And today we're joined by Andrew Bycroft. CEO of iResilience and author of The Cyber Intelligent Executive: Securing the Future of Your Organisation. This is a man who moved from studying the ionosphere as a physicist into IT, which was a passion for him. From IT manager, he moved towards security and did managed security services, operations consulting, architecture, and even went to the dark side and did sales for some time.
About six years ago, he started his own company to work with execs and boards to help them understand the difference between cyber security and cyber resilience. Obviously linking that to business outcomes. He realized culture played a massive part in transforming organizations and helping fix cyber-related issues. In the episode, we'd talk about security versus resilience. What we need to think about beyond people processing technology, the importance of communications and transparency.
We dip into Andrew's eight attributes of culture, which go wider than the traditional cyber thinking how to navigate the change of culture in complex organizations, resilience profiles and have they mapped onto organizations of different sizes. And we round out with Andrew's model for resilience maturity. There are some novel ideas here, which I really enjoyed. I hope you do too. Over to the interview. Welcome to the podcast I am today joined by Andrew Bycroft, who is the CEO of iResilience. Morning, Andrew?
Andrew Bycroft: [00:01:31] Morning Gar, how are you?
Garrett O'Hara: [00:01:33] I am doing well. Thank you. I'm, I'm sort of, uh, my Irish, uh, constituency, what's my, what's the word I'm looking for, metabolism, uh, is struggling with the, the very quick change to like 30 degree weather, weather here in Sydney. So, um, otherwise I'm doing well though. Yeah, I'm doing well. How about you?
Andrew Bycroft: [00:01:49] Um, yeah, pretty good. Um, certainly was a nice weather yesterday but I think it's cooling down today. It's quite cloudy.
Garrett O'Hara: [00:01:55] Good. That makes me very happy. I just realized I'm [inaudible 00:01:58] enough to change away from weather. Um, also as an Irish person, that is our go to conversation topic. We're just obsessed by the weather. So, I just realized I probably do that every, uh, every episode I need to find new food material. Um, Andrew, we always like to start with the guests introducing themselves and kind of giving the audience just to an idea of how they arrived to where they are in their career today. And so, I'm wondering if you could just do that for us. How did you, how did you get to where you are today in your cyber security career?
Andrew Bycroft: [00:02:26] Um, well, I guess I'm going to go back about 26 years. So, I actually started out as a physicist, um, studying of the upper atmosphere, um, looking at the atmosphere, which is the part of the atmosphere that actually radial waste bounce off. So, that's what I traveled for at nighttime. And whilst that may sound quite interesting it actually gets pretty boring really quickly. So, I pivoted away from that into IT. Um, IT was always a passion of mine. I didn't study at uni, but I did actually like playing around with technology.
So, I found myself in IT pretty quickly, never looked back. Within about four years of doing that. I worked my way up to being an IT manager, I decided to move towards security because seemed to be quite dynamic which is always throwing something new at us, something quite challenging my way. So, I actually liked that idea of never knowing what the day ahead would look like. And I got into many security services pretty quickly on, I moved into operations consulting.
Um, also beyond that, um, looking at some architecture and even sales, some even have a sales career in cybersecurity as well, worked for a number of companies, including vendors, um, also systems integrators, many service providers and about six years ago decided to start my own company, um, which was also in cybersecurity. And it was more around helping people understand the difference between cybersecurity and cyber resilience. And in order to do that, I actually needed to work with the executives.
I needed to work with CEOs and the board of directors, um, because they actually play a very important role in this. And that was actually quite a fruitful exercise. And one of the interesting areas that I've found and we'll probably talk about this a bit later in the podcast today is that culture played a massive part in transforming the way we become cyber resilient. And because culture is obviously important, part of that, um, involved, really embracing, um, the CEO to, to help drive that.
Um, but also in fixing a lot of the cyber-related issues, I also found that if we attack that cultural layer, it also solved a lot of other problems in the business. And since then, I've actually gravitated more towards becoming a management consultant who talks about resilience in general. Cyber resilience just happens to be one of those areas.
Garrett O'Hara: [00:04:51] Phenomenal. Interestingly here. So, here you went to the dark side and did some sales. It's a [laughs], always, always an interesting thing to do in cyber security. Hey, look, you've just mentioned, um, the idea of the difference between security versus resilience. Can you walk us through what the, the differences actually are?
Andrew Bycroft: [00:05:11] Um, yeah, it's a really interesting phenomenon. Um, it was about six years ago that I discovered this. And if you look up the definition of security, it means to be free from danger and I don't believe that's possible. In fact, if, if you remember back to your days and mathematics, um, a long time ago, when we're at school, there was a concept of an asymptote, which is basically a line that could never be reached. Um, but the closer you got to it, um, you realized that you would never quite get there.
Um, and you would actually spend a lot more time, money and energy in trying to reach that line. Um, the closer you got to it. Well, that's pretty much what security is like. Um, in fact, it's, it's either, effectively, security is on or off. It's binary. It's a bit like, um, pregnancy I've never met anyone who's three quarters pregnant.
Garrett O'Hara: [00:05:59] [Laughs].
Andrew Bycroft: [00:06:00] Resilience on the other hand is about being able to, um, predict, circumvent, prevent, detect, respond, recover, and grow. So, there's a whole breadth there. Now, a lot of people tend to think of resilience as being about waiting for something to happen and then responding, recovering a bit like disaster recovery and business continuity but there's so much more to it. And that whole concept of resilience means that we can actually achieve the outcome we're looking for, which is to be able to obviously predict, drive through to, to being able to grow.
Garrett O'Hara: [00:06:32] Yeah. So, it's a really a bigger business concept that sort of, yeah, just the notion of security kind of preparing before and events. What happens during events? What do you do after events, um, much more broadly than your security? I definitely get that. You know, one of the things we talk about actually, when we were prepping for today, um, was the, like the idea that, you know, people process and technology are well understood. We, you know, we, we talk about that all the time in this industry, like many things right there.
There's almost like a bingo you could play in, in many of the talks and the conversations that we have. You know, we all kind of say the same stuff. Um, but actually doing the job of security, like it's, it's reasonably well understood or resilience maybe, you want to maybe say that. Um, but we still see big security issues and lots of organizations that are actually struggling. W- what do you think is going on there?
Andrew Bycroft: [00:07:20] Well, I think they're believing that people process and technology is the complete solution. And if we look at some of these large organizations, they've certainly invested very well in people. They've got probably some of the brightest minds on the planet working for them. Um, they've also got well-documented processes. In fact, some of those processes, if you would have read those, you would think they must have it down pat, because they, they describe everything from how to detect an issue to responding to it, to recovering from it, um, and even learning from past mistakes.
And then of course, when it comes to technology, some of these organizations investing billions into technology every year, um, yeah, oddly enough, they're still struggling and it's because they're missing two additional elements. So, there needs to be more than just people processing technology, there needs to be communications and there needs to be culture. And when we talk about communications, we're talking about unfettered the communications throughout your organization.
So, keeping everyone in the loop. Um, we often find that probably one of the biggest firewalls in organizations, it's not the technology itself, it's the actual people stopping communications from going up to the managerial layers of the business. And then the other element of course, is culture. And culture underpins pretty much everything we do. That's actually the amalgamation of our beliefs, our thoughts and our actions. And when I'm talking about culture, I'm not talking about security culture.
We often hear this term security culture, which is all about helping people understand what their role is in cyber security or cyber resilience. This is more about culture in general, across the organization. So, how do we leverage that diversity among mindsets? How do we actually leverage the different beliefs that people have and how do we unify those to actually achieve a common purpose, which is obviously, um, making that business run and grow and be protected in the process.
Garrett O'Hara: [00:09:14] Yeah, no, understood. With the communication side of things, and you talk about kind of the communication going through layers. I think it's fair to say that it's often a problem in most organizations, whether that's cyber security communication or just comms in general. Um, you know, it's a thing that comes up all the time. What, first of all, what do you think the problem is? We know what the problem is, sorry, what, what is causing that problem? Like why, why do comms not sort of traverse up and down well within organizations?
Andrew Bycroft: [00:09:43] Um, it's a really good question, Gay. There's a number of reasons behind it. So, probably the biggest one is the fact that organizations work in silos. And typically communications tend to flow to some degree within those silos. Um, but when, when those communications break down within silos is when you've got, um, people who are obviously trying to hide information for personal gain, for instance. Um, we've, when we go beyond silos, um, sometimes the communications, if you might, for example, have, um, interdisciplinary projects, which involve silos coming together.
But again, I think people assume that, um, they're already understood, um, without the need to communicate somehow, or they believe that someone else's job would be to communicate. Um, and, and I think in the, in the worst case, um, they actually assume that, well, communications aren't necessary anymore because it's assumed that we've, because we've got so many means to communicate, they assume that it's already been done somehow. Um, you know, maybe someone has communicated through email or someone's communicated through social media or, um, you know, through, through some other means. Um, but what's interesting is the more devices and capabilities we have for communication, the worst that seems to get.
Garrett O'Hara: [00:11:02] Yeah. Yeah, definitely have that, uh, that sense. Uh, not just in, in sort of corporate life, but in, in life, in general, I agree. There's a there's noise versus kind of valuable information. I think maybe that's part of the problem sometimes. Um, so, like, what does it look like when it's good? What, what do you see in an organization when communications are done well? Like what are the, w- what do you see in an organization?
Andrew Bycroft: [00:11:27] Um, well, I think transparency is the major one. Now, when I talk about transparency, you have to put it in context. I mean, to be transparent means to be open and, and, and honest and, um, in, inclusive, have that inclusivity, but of course, um, there, there are limits. I mean, you're not going to share all of your secrets would-be competitors, for example. So, it needs to be taken, um, you know, within reason. But I think we've been an organization and anyone that interfaces with that organization.
So, be it business partners, um, employees, shareholders, um, investors, um, you know, right through to, um, the customers and anybody else as well, that plays a part in the success of that organization. Um, it's important to be fairly open with all of those people, tell them what's, what's going on. Don't hold back. Um, so that's, that's the first time. The second element is around, um, making sure that your communications are simple.
So, um, don't use jargon. Um, one of my rules is if a 10 year old can't understand what you're saying, then you're probably not communicating it in the best possible way. And then I think another important element is around, um, being open to, to dialogue. So, not just one way, um, a lot of organizations that typically for example, get the executives to stand in front of people. And it's pretty much a broadcast where they're going talk about how the company is doing, uh, deliver their, their message, and nobody else talks.
But it needs to be a two-way dialogue. Um, the executives need to invite people in. I mean, I, that brings in, um, the face, um, set of, of skills and, and ideas, um, because the, the great thing about an organization is, usually it's quite diverse. There's a lot of different thinking there and tapping into that means that you actually broaden your ability to solve some of these more difficult challenges. And then of course the other thing as well is it's better for the organization that people feel like their, their voice can be heard as well. It's, it's they like to be included. They like to feel like they're doing something for the organization.
Garrett O'Hara: [00:13:31] Yeah. And, and from that, you will get buy in, right? People feel like their voice is heard. They, you know, it creates a loyalty, I presume within an organization, if, uh, if your voice is heard, you feel, uh, valued at some level. Um, and then I know there's the whole psychological safety, um, that idea which has been sort of certainly gaining attention to momentum over the last, um, yeah. Over the last little while. I've certainly heard that being talked about. Yeah. I think quite a lot, actually. What, what do you see as some of the gotchas? So, you, you've kind of described what good looks like, where does it go wrong?
Andrew Bycroft: [00:14:03] Um, it goes wrong when people have ulterior motives. Um, so, we've all heard about insider threat before and that's typically when someone has a different agenda to your organization, and sometimes it, it may be the fault of the organization. Sometimes it may be the fault of that individual. Um, so, when I talk about the fault of the organization, it may be that they haven't actually set a clear agenda. Um, they actually haven't defined what the purpose of the organization is. They don't have a clear vision or a clear mission, for instance.
So, people don't know what their role is within that organization but then of course we can have people that go in there with malicious intent as well. And, um, despite the best efforts of the organization to try to curtail that, um, obviously, they, they need extra measures in place and perhaps different ways of, um, of hiring people or additional checks when hiring people, um, additional ongoing processes to monitor. I mean, I've certainly seen cleaner these screening exercises, which look for malicious activity in the past.
Um, but they don't do ongoing checks for instance. Um, so, once that person's seen they're trusted, um, I think there's a, a, a need to actually do some additional checks as well. Um, you know, random checks from time to time just to see whether that person is still aligned with the interest of the company.
Garrett O'Hara: [00:15:19] That's a really insightful, uh, comment in my opinion. So, we actually had a conversation yesterday. We did a threat Intel webinar and our CSO was on that. And we were talking about, um, Tesla, the, the sort of story where, um, the, there was an employee that was approached by an ex-employee, offered a substantial sum of money, uh, to essentially, you know, compromise Tesla as an organization. And we got onto the idea that, uh, life circumstances change and it's people, it's your, it's your point.
People's belief and the, you know, the, the mission of a company or their life circumstances might, might altar so, they could be, um, you know, having an affair was the example I used yesterday or something that makes them easy to blackmail potentially, or, you know, be compromised. So, even if they were aligned to the business values, that's through blackmail, but, and you know, and then Tucker could socially engineer them or literally use leverage, uh, because they might be of a lifestyle they didn't want to be exposed or any of those things that potentially could cause somebody to be easily leverageable or persuadable.
Maybe it's a nicer way to say that to, to kind of do the wrong thing. And, um, I don't think there's a, a clear answer for that, but like, to me, what it said was the world of cyber resilience security has just changed dramatically. The things we have to think about are so much broader than they were 10 years ago. It's not, you know, as far as signatures, it's actually people, um, in terms of what are, what is the risk to the organization if they are compromised? Um, yeah. I don't know if you have any thoughts on that, but it, it just seems like a really complex world we live in today.
Andrew Bycroft: [00:16:52] Um, yeah. I tend to agree. And I think when there's any kind of crisis in, in the world or even just locally, I mean, obviously we're facing COVID-19 right now, which is global, but even just a local crisis, we've been an organization for instance. Um, it's, that's a key time to look for where people might be vulnerable for instance. Um, and that normally they may be, um, model employees, but, um, when push comes to shove and they're in a fairly precarious position, they may actually resort to some kind of illegal activity. Yeah.
Garrett O'Hara: [00:17:27] I hadn't actually thought about that until right now. Um, and yeah that, that is kind of unnerving actually, as you, as you think about the kind of instability in many people's lives that, um, like what we've been talking about is they're distracted, right. They're anxious and that means they might click on a link, but actually you're, you're spot-on like that, um, that anxiety, um, you know, potential redundancies, horrible things like that.
Um, yeah, certainly change mindsets and yeah. Okay. You got me slightly on nerves with that, with that idea. Um, so, in, in terms of the transparency, um, look, is there a balance, then you have that idea of enough or too much transparency, and, y- I think you kind of mentioned this briefly a little bit earlier, but like, what are your thoughts there?
Andrew Bycroft: [00:18:13] Um, y- yeah, I, I think there is a case for, for too much transparency. I mean, I could share a story with you. I was in a plane, uh, one time and, um, the captain came over to the PA system and said, we're actually gonna have to make a, an unscheduled landing in Adelaide because we've miscalculated the fuel. Um, and that's something which I probably would not have wanted to hear. I would have been better if they just said, look, we're having to make an emergency landing in Adelaide.
Um, talking about why they had to make that landing, um, was obviously probably a little too much information. So, I, I do tend to agree that we can have too much information sometimes. Um, and we can share too much information. And I think in this day and age with platforms like social media, it's very easy to share lots of information. And sometimes people get caught out because they share things that they probably later regret. Um, I, I think also there are times when not enough information is shared as well.
And I, I, it is, it's very hard to gauge, but you need to be somewhere in the middle. And I would say it's probably for most people, it's going to be somewhere between, um, looking at the information that you're in possession of and deciding which 60% of it can be shared. And then the other 40% probably shouldn't be shared.
Garrett O'Hara: [00:19:31] Yeah. And just kind of being mindful of that. And circling back, you made, uh, really, an interesting point about culture and that we talk about cyber resilience, you know, the security culture and, um, but your ideas of culture go well beyond that. And, you know, like I say, we obsess with cyber security culture, but for you, like, what are the attributes you'd see in a broader culture within an organization that delivers that resilience?
Andrew Bycroft: [00:19:59] Yeah. So, the organizations I've seen at a well on their way to achieving that resilient state, um, typically have eight values. Um, the first of those is gratitude and that's followed by compassion and then we've got transparency, simplicity, focus, competence, courage, and then adaptability.
Garrett O'Hara: [00:20:24] Let's say, um, sorry, I'm just trying to write those down so, I can actually [laughs], kind of circle back and then sort of drill into those. Gratitude is an interesting one. Um, I'll be honest, like, uh, in, in our industry it does feel like we're, we're heavily data-driven, you know, we're, you know, we look at the facts what's happening. I think there's a change where we're starting to see the understanding of how important the human side of it is, navigating politics and the people.
And, but gratitude is, it's interesting, you know, it I'll be honest it's I expect to hear that on an Oprah interview rather than coming from a cyber resilience expert, but it's, it's actually really good to, to hear we're, we're starting to see that change in the industry. W- what does that mean? If, if you see an organization, how does gratitude show up?
Andrew Bycroft: [00:21:08] Okay, well, gratitude shows up in being thankful for, for what you have in front of you. Um, I mean, we can always feel pessimistic. I mean now, sort of a time when you would expect gratitude to be quite low because of the current world events, but we probably need to be thankful for the fact that, you know, some of us still have jobs, for instance. Um, a lot of people did lose their jobs. We need to be thankful that we're still alive. Some people obviously lost their lives.
So, um, and that being grateful then sets you up to actually serve the organization better. So, that leads on to compassion, which was the next one, for instance. Um, and I mean, you can be granted, you can have gratitude for a lot of things. Some, I mean, one of the things, um, which I used to say to people, and in fact, I still do from time to time and they look at me like I'm insane is I'm grateful that I pay taxes and, you know, they give me a strange look.
And then I say, "Well, let's think about it. If I didn't pay taxes, it would mean one or two things, either I'm not earning enough money or I'm dead." So, there's, there's a reason to be thankful for even something like paying taxes, for instance. Um, and I think the more thankful we are for what we've got and the opportunities ahead of us, the better, it helps us as well as the organization and everyone around us.
Garrett O'Hara: [00:22:24] And so, as you kind of say that I'm going to riff on it, because I think there's a little bit of a, uh, a sense I would get of coming from an optimistic place and, you know, gratitude and all those kinds of things actually psychologically sets you up to be clearer thinking. Um, and I think that studies I'm going to put it out there. I'm pretty sure the studies that show kind of optimism and gratitude that sort of mindset actually makes it easier to think. It makes it easier to focus.
You can be better, you know, you can get, get to solutions much more quickly versus kind of fear, which, you know, shuts down your [inaudible 00:22:59], you know, your lizard brain takes over and you just go into a kind of a, a spin out. And you actually, like as a, an operator within a normal organization, if you're feeling that, that shut down thing will actually just make you less productive really. And so, you know, th- this, this probably those kinds of benefits too, right?
Andrew Bycroft: [00:23:16] Yeah. That's right. And we talked a bit before about, um, people being more anxious and perhaps that leads to, for example, insider threat. Again, I mean, if you've got gratitude, um, it's more likely to get people thinking about, okay, what do I have? You know, maybe things are not as bad as they could have been. And then obviously being more optimistic and basically taking a course that leads them towards a better future rather than having to resort to something they might later regret.
Garrett O'Hara: [00:23:44] Yeah, absolutely. And something like courage. So, in terms of broader organizational culture, but, you know, given the outcomes here are generally cyber resilience, how does courage show up?
Andrew Bycroft: [00:23:57] Okay. Courage shows up in, um, I guess understanding risk and realizing that risk is something that can never be eliminated. We can reduce it, we can take managed and calculated type risks. And, and that's where it, it basically plays a role. So, it's understanding, well, what are the risks? Um, which risks should we actually try to avoid, which we specifically try to, uh, reduce which risks can we accept? Can we even transfer some of these risks to, to someone else, for instance.
Um, and then obviously recognizing that sometimes we need to do something different to what we might've done in the past. Um, and especially now with COVID-19, that's certainly shown that what we were doing a year ago, isn't going to work right now. So, we've actually had to adapt. And that's why adapting comes after courage because you need that courage in order to adapt. Um, if you're not willing to change, well, you're certainly never going to adapt. And it does take courage to do something different.
Garrett O'Hara: [00:24:55] A hundred percent. And I, I'd, I totally agree with the idea of courage being the thing that kind of moves any organization or an individual forward. And it's very easy, I think to sit in comfort zones, you know, as a human being, I think that's, I think we're, not we're all, but I certainly am guilty of how easy it can be sometimes to stay in the plateau and not, not try and push forward because, um, you know, putting yourself out there or trying to learn something new and, you know, at some level it takes a little bit of courage to say, well, I can do that or I can achieve it.
And then same, you know, as you scale up to an organization, I definitely would say that too. Um, what about focus. So, how does, like, day-to-day operations? What, what do you see in organizations where that's one of the, the cultural attributes?
Andrew Bycroft: [00:25:34] Hm, um, we've focused, they, they typically have a laser-like targeted approach to, to what's important and what's unimportant. And we see a lot of organizations typically fighting fires. Um, they're very reactive. They wait for something to happen. And then of course, um, they tend to be quite sporadic and in how they deal with the, with fighting those fires as well. And I mean, sometimes they need to be sporadic because the fighter fighting now was different than the one they're fighting yesterday.
But, um, sometimes because they're just so caught up in the moment, fighting the same kind of fire two times in a row, they might actually approach it completely differently. Those organizations are focused and typically more proactive and then they've actually anticipated what could happen. Um, and they've actually prepared, um, I guess a, a course of action to take when, when that happens.
Garrett O'Hara: [00:26:24] Yeah, I understood. And so, look, one of the things that would say about service security leaders, practitioners, um, is that they're often very, very good at the, the work of cyber resilience and you know, what that looks like and navigating politics, building programs to, you know, get change from a often technology perspective, but people are, um, l- let's be honest, they're just messier. They're much more difficult to, to change. Um, how do you see security leaders, practitioners go about something as complex as culture change within an organization?
Andrew Bycroft: [00:26:58] Um, well, I guess it's very difficult for them to try to change the culture by themselves. And I mean, I wouldn't recommend anyone single-handedly, um, think that they can go and change the culture of an organization. The bigger the organization is the harder it is for the culture to change. Um, what they should do is they should actually, um, have an action plan around that. Um, presenting that to the CEO and the board, for instance, as in, if we were to change the culture, we could actually make this organization a lot more resilient.
Um, the culture obviously needs to be driven from the top down anyway. So, the CEO certainly needs to play a role. And typically the board of directors will become involved in that. And I, I think if everyone can work together, if they can actually define what that culture needs to look like and those eight values, certainly a good place to start, um, that goes a long way then towards putting people in the right mindset to deliver their best to the organization. And that means still living their best, um, when, when, when times are good and also when times are bad.
Garrett O'Hara: [00:27:57] Yeah. Yeah. Culture is not a thing that you can just switch on when you need it to like, it, it really has to be all the time, every minute, every day, you know, three, three, what's it? 24/7, 365, like there's no bit where, um, it's a little bit like fitness, right? It's, it's one of those things that take some time to get, and then you kinda, you have to maintain it. If you take your eye off the ball, like it just goes away naturally and atrophies. Um, yeah, definitely take that point.
One of the things we've talked about previously was the other call it resilience profile of organizations and that kind of depending on their size, so a smaller organization versus a large organization, or even, you know, what government looks like. I was wondering if you could kind of maybe talk us through the cyber resilience profile of say a small organization versus a large organization and, and even government.
Andrew Bycroft: [00:28:45] Okay. So, we talked about those, those five elements. So, obviously the people processing technology and then we've added the additional to communications and culture. Now, if we look at a small organization, typically it has communications and culture down [pat 00:29:00]. I mean, it's very easy to have a consistent culture when you've got only a handful of people, for instance.
Garrett O'Hara: [00:29:04] Mmh...
Andrew Bycroft: [00:29:05] Um, it's, it's certainly easier to attract people that have the same beliefs as you do when you're a smaller organization. And that typically sets you up for having that consistent culture. And unfortunately, it's over time that that culture typically gets lost as we take on more people. Um, and, and w- obviously we're not, we don't seem to define what their culture is. So, we lose track of it. With, um, communications, again, it's quite easy.
I mean, it's very easy for someone, especially if they're in a single office to even like shout over to the person behind them and say, "Hey, Bob, you know, can you take a look at this for me?" In a large organization, those communications typically need to happen over, um, other kinds of mediums, like email, for instance. And there's no guarantee that someone will read that or even understand what, what the message is, for example, um, there's certainly no queers for example, to say, "Hey, do you understand this?" And demonstrate that you understand what, what I just said.
Um, so that's why smaller organizations typically have those under control because they are small. And those things typically flow a lot better in smaller organizations. Where they tend to suffer is in the people processing technology. Um, that's to some degree they can obviously combat the people by, um, leveraging outsourced services, um, leveraging, for example, even, um, cloud-based services for technology these days, it's certainly given them, um, an, an advantage that they wouldn't have had previously, the processes is obviously their weakest.
Um, typically they don't have those well-defined, um, and it's certainly not documented. So, that's, that's what I mostly fall over it's processes predominantly but people in technology to some degree. When we look at a large organization, it's pretty much the reverse. So, people process and technology, they've certainly got a lot of money invested in those but it's the culture and communications that, that suffer because of the fact that they are. So, um, so, so fast and it's often distributed across the world.
Um, there's also even language barriers as well. Um, sometimes, may, things get lost in translation when we actually have to obviously translate into another language and even cultural differences may mean that sometimes ideas get lost as well in communication.
Garrett O'Hara: [00:31:16] It's funny you say that, you know, the language barrier. So, you know, like I'm from Dublin, Ireland originally. And it is amazing, as an expert. We talk about this quite often where, um, and, my wi- [laughs], my wife has South African and, you know, we've had this conversation where we think we're saying something that's understood by local Australians, but actually we're using the nuance or some phrase that existed in Dublin.
And, you know, sometimes my wife will look at me blankly because I've said something that just doesn't translate. You know, if you use slang or whatever, um, that I assume, because we're both speaking English will make sense to her or, you know, to somebody in, in Australia. And I'm sure it happens for Australians, as they've said things to me where they're looking at me and they, they probably register that I haven't really got what they're saying, because it refers to some cultural thing in Australia, you know, before the 20 years that I've been here.
I did wonder do we ever get to the point where, um, if you send an email as a webcam and you could use AI and face recognition to see if somebody kind of squints their eyes and, you know, do they give some sort of version of, uh, I don't know what this email actually means. I know that's probably way too far in the future to, to, to be realistic [laughs]. Um, um, so, Andrew, one of the things you've also done and, and spent on that is looking at resilience, maturity in organizations, and kind of looking at their mature maturity levels, codifying them. Um, could you run us through your levels?
Andrew Bycroft: [00:32:39] Um, yeah, so, um, I actually adopted a slightly different model to what most people use. And it was because I didn't like the language that those models used and things like repeatable, optimized, um, also initial website that, which just didn't seem to make sense, um, in the context of resilience. Um, so, I achieved defined six levels and the first level is vulnerable and that's typically organizations that have no way of defending that they pretty much wait for something to happen and they scrambled to try to do something, uh, about it.
Um, and often they, they don't really succeed. So, um, typically they, they've actually lost something in the process when, when they face a cyber incident, for example, they actually haven't gained, they've actually lost. The next level up is reactive. And this is where a lot of organizations sit and that's typically where they have pretty much a finger pointing mentality. Again, they, they wait for something to happen, but they typically do have the capability to at least respond and they may learn something in the process, or, or they may not learn something in that process.
Then the level up from that is compliant. And typically this is the best you can achieve if you focused on security as opposed to resilience. And this is pretty much a minimalist type, um, mentality whereby you look at what's the bare minimum you need to get by. And often that's dictated by things like the essential aid or a PCI DSS compliance, or ISO 27,001 nest, whatever, you take one of those frameworks. And you say I'm doing just that and nothing more and sometimes less, but hopefully nothing less.
And that will get you to that compliance level. Beyond that we've got adaptive. And this is for those that actually realize, well, that minimalist type approach didn't quite get what we wanted to get. And, so, we actually need to try to take that into some other areas of the business. So, for example, if they were PCI compliant, well, maybe they'll apply some of those controls to other areas of the business, for example, outside of the, the cardholder data environment.
And then we've got proactive and these are the ones that typically take on risk ownership. They actually understand risk and they want to do something about it. So, they think about it be, before time. And they put in controls that happened to, to obviously mitigate that risk where possible, and in the process often they're also compliant.
So, by aiming for being proactive, they get, they end up being compliant in the process anyway, as opposed to trying to just aim for compliance. And then the top level is resilience. And this is where they've actually got a growth mentality. So, how can I actually use risk, um, as an advantage? How can I take across this example and benefit from that?
Garrett O'Hara: [00:35:22] Hm, I'm going to ask what may be an impossible question to answer. Um, but as you kind of go and consult and work with kind of, you know, C level execs and organizations and CSOs, obviously I understand this will be difficult to answer, but if you had to it down, what do you actually see in Australian organizations in terms of their maturity levels? And like, how often do you actually walk in the doors and see a resilient organization, you know, versus a, a vulnerable or reactive or compliance? Like what's the, do you have any insights on, on the kind of frequency of those?
Andrew Bycroft: [00:35:54] Okay. So, so far I've, I've, um, probably seeing that fewer than 1% of organizations are resilient.
Garrett O'Hara: [00:36:00] Yeah. Yeah.
Andrew Bycroft: [00:36:00] Um, probably about, um, 5% around the practice level and in the rest uh, about many [inaudible 00:36:09] and most of them tend to be around, um, that reactive level or compliant level, one of the two.
Garrett O'Hara: [00:36:16] Yeah. And trend-wise, do you see that kind of, you know, people are trying to climb the mountain and, you know, they, they understand that the value in kind of stepping up in those levels.
Andrew Bycroft: [00:36:27] Um, yeah, yeah, I, I think a lot of those organizations that are, that are reactive are certainly aiming for compliance. And I think those that have got to comply and thought, well, now we're actually safe. And then obviously they've had any incidents since then. I realized, well, yeah, obviously that wasn't enough. That was just the bare minimum to get us by. And I think they are working their way towards that adaptive level now, um, to get beyond that, I think it's going to take some time for most organizations to reach up into the proactive and the resilient areas.
Garrett O'Hara: [00:36:57] Yeah. Understood. And, I suppose, another thing then, is it appropriate for all organizations to strive for that highest maturity level? Um, and, you know, by that, I mean, with budgets and, you know, resource limitations, especially in these days, is it realistic for all organizations to actually get to that kind of [nirvana 00:37:16], the utopia of a truly resilient state?
Andrew Bycroft: [00:37:21] Um, I would say that proactive is probably good enough for most organizations, um, [crosstalk 00:37:26] listening it's still, it's still the aim, but one of the important things is that how much you invest to get to resilience depends on the, the value of your assets pretty much. Um, I, I mean, if you take a bank, for example, they should be spending millions on this because they've got billions of dollars in assets. Whereas if you were a small organization, you might have under a million dollars in assets, which means you should be spending tens of thousands for instance.
Garrett O'Hara: [00:37:51] Yeah, absolutely. Um, yeah, it's, it's back to that security practice, right? Of what's the value of the assets and then protect it accordingly. Don't over secure there's no point, um, yeah, totally get that. What are the, what, what are some of the key strategies that you've seen work to actually progress through those levels?
Andrew Bycroft: [00:38:09] Well, o- obviously, um, the culture one is, is certainly important. So, I would say that's, that's the foundation here. If you get the culture, right. You're probably about 80% of the way there. And, um, I mean, if we looked at some of those values, for example, that competence, um, focus, courage and adaptability, those are all really important when you've got a crisis, for instance, um, having people stay focused, um, rather than losing their heads and running around like, like chickens, um, that's, um, competence. So, actually having people with the right skills when, when you need them. Um, well, I've certainly seen organizations when they've actually been in a crisis, um, struggle to find the skills that they need. Um, they, they assume that they could get access to those people quite easily. And-
Garrett O'Hara: [00:38:53] Mmh...
Andrew Bycroft: [00:38:53] ... unfortunately that didn't happen, um, so that, they basically didn't have the competence I needed to help them get through. Um, then of course, um, courage is certainly important because when you're in a crisis situation, things are very different to when you were not in that crisis. So, you need the courage to, to do things differently. Um, you, you kind of expect to do the same things, um, you were doing previously and get the same results. And then of course, that adaptability is all about, well, in this changing environment now, now that we've had this crisis, what does the future look like?
So, so that was certainly very important. Um, beyond that, um, when we start getting up into, um, for example, the processes, I think being very clear about what the purpose of the organization is because effectively everything you do in cyber resilience is to help protect the, the purpose of the business. It's to help the business carry on what it does for its purposes. Um, that purpose may change over time.
Um, but even if it changes, the ongoing, um, sovereign extended strategy is to protect whatever that purpose is. So, that's certainly important. And then of course, we, we get up into the technologies as well, which should help with those resonate outcomes. So, that, for example, predicting, circumventing, um, preventing the, taking, responding, recovering in, in growing.
Garrett O'Hara: [00:40:11] Yeah. Phenomenal, I think, we have, um, we're, we're about to hit time. So, I think that's a perfect, perfect, um, positive place to, to kind of end the interview today. Um, I really appreciate your time, Andrew. Um, I know you're, like many people, very busy these days and, um, I appreciate and it's not lost to me when people take the time out to have the, the conversation with us and very valuable for the audience I'm sure as well today. So, thank you so much for taking the time today and yeah, really appreciate it.
Andrew Bycroft: [00:40:40] Thanks for having me on the podcast, Garrett.
Garrett O'Hara: [00:40:50] Absolute pleasure. Thanks again to you, Andrew, for the conversation. And certainly some new things and perspectives to think about. We'll also link to Andrew's book in the show notes. As always, thank you for listening to the Get Cyber Resilient podcast. The back catalog grows every week. So, dip into those and subscribe, like, share, let your friends know. Let us know of people you want interviewed or topics you want us to cover. For now, keep safe. And I look forward to catching you on the next episode.