Garrett O'Hara

Garrett O'Hara is the Principal Technical Consultant at Mimecast, having joined in 2015 with the opening of the Sydney office and leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies. When not talking about the cyber security landscape, data assurance approaches and business continuity, Garrett can be found running, surfing or enjoying the many bars and eateries of Sydney's Northern Beaches.


Gar O'Hara and your regular podcast hosts are taking a well-deserved break for a couple of weeks, so we've selected some of our favourite segments from past episodes that we think deserve another listen.

These highlights include Joseph Carson on Estonia's data embassies, Jenny Radcliffe on breaching physical security, Jess Lee on the impact of burnout on CISOs and cyber security professionals and the solutions for it, and Mark O'Hare on what keeps the CISO of a cybersecurity company up at night.

The Get Cyber Resilient Show Episode #61 Transcript

Matt Sprague: Welcome to the Get Cyber Resilient podcast. I'm Matt Sprague, producer and editor of the show. Gar O'Hara and your regular podcast hosts are taking a well-deserved break for a couple of weeks, so we've selected some of our favorite segments from past episodes that we think deserve another listen. This week, we're featuring some really interesting topics from some incredible guests, including Joseph Carson on Estonia's data embassies, Jenny Radcliffe, the people hacker, talking about breaching physical security, Jess Lee on the impact and solutions for CISO and cybersecurity professionals' burnout, and Mark O'Hare on what keeps a CISO of a cybersecurity company up at night. First up is Gar speaking with Joseph Carson, Thycotic's chief security scientist and advisory CISO. He's the architect behind some of the world's largest cloud environments and has worked to digitally transform cybersecurity education to online delivery. And now based in Estonia, he's been working in areas such as digital identity. Hope you enjoy. Over to the episode.

Garrett O'Hara: I was kind of aware of what Estonia was, as a, you know, an advanced digital society. Um, can you run us through where Estonia is today? You're living in a very, very interesting country.

Joseph Carson: Absolutely. And one of the things, you know, we, we started the conversation is I also do find very similarities between Estonia, Australia and New Zealand and even Ireland. You know, we're both originally from, from Ireland, me being from, from Belfast

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Carson: originally, and I also do find similarities between Estonia, even though, you know, Australia is, is an island [inaudible 00:01:41], in the same [laughs], far away from them, and has limited borders.

With Estonia, you know, we also, we're not an island. Um, but we do basically, you know, have a proximity of very noisy neighbors [laughs],

Garrett O'Hara: Yep.

Joseph Carson: neighbors who tend to be sometimes aggressive in a cyber perspective. So Estonia, you know, Estonia was part of, you know, the former Soviet Union, you know, back in, you know, most of the 19th century or the 20th century as well.

And what happened was, um, the breakup with the Soviet Union in 1991, 1990, I can't remember the exact year, but what happened was it set forward Estonia to becoming a really... At the time they became independent, what happened was it was the boom of the internet. So Estonia really kind of seen as that, let's use this new medium in order to build a government and the services.

And at that time it really wanted to go paperless. But one of the things that Estonia found was that when you're an occupied state or an occupied nation, you tend to lose a lot of your history and a lot of your culture and a lot of your past. Whatever country's occupying you changes the textbooks, changes songs, controls the news and the medium.

They have a very, very control over that, uh, kind of educational, um, content, and also what, what events happened in the past. And we see that with a lot of countries that control the media and control education, that they really have the ability to, you know, manipulate history. And Estonia decided that as they went down this paperless society, that they wanted to make sure that that could never happen again. Because one of the biggest problems in the early 90s was a lot of people were coming back to Estonia that had left in the, you know, was it 50s, 60s and 70s, who went off to even Australia, to Canada, to the US, to the UK. They started coming back, and as they came back, they found that their, you know, ancestors or history of the land that they came to visit...

All of a sudden they wanted to reclaim it back, and now getting into, let's say, the legal side of things, where who owned what land became a major problem. And that ultimately then paved the way for making sure that in a digital world, they wanted to make sure that their history can never be erased. And this started basically Estonia's path to a digital society. And ultimately a lot of the innovations they realized in order to do that, you needed to have a very strong digital identity. You needed to have the ability to do digital signatures. You needed to have the ability to do non-repudiation, which also got them into doing blockchain innovation.

And in the early 2000s, when I came to Estonia, what happened was, it was really that kind of starting point of this new society of everything and services being delivered online. From tax returns to banking, to even, you know, voting in elections, all of that started to happen digitally online.

And it wasn't, it's not the only method, there's other methods of doing it as well, but it was one option that you had. You had a choice of which way you wanted to interact with the government. And this really paved the way for Estonia's acceleration of a digital society. I mean, there's lessons to be learned over the years.

Um, you know, so, you know, in today's society, everything, you can open a business online within a, you know, a couple of minutes. I can do my tax returns in about three or four minutes, depending on how much I need to fill in. In most cases, people just need to sign it. They look at it and say, yep, that's my tax returns [laughs], and sign it. And it's done.

Garrett O'Hara: [laughs].

Joseph Carson: Using very little, you know, and it's, in... and the purpose of this is it's an interaction.

It's a both-direction communication. It's not... Many mistakes in the past that other governments have tried when they do this digital society is it's a one-way feed. It's, we need all this information from the citizens, but we control it and we provide little transparency back. And it's important. What made it successful in Estonia is transparency.

Its ability to provide that the citizen owns the data. We're just basically making services for you and making it easy for you to interact with us, both directions, where the government can provide proactive information to the citizen when they need to, for example, renew their license or so forth. So today Estonia's very, very much on the forefront of the digital society.

And the government has really evolved into what I refer to as, as a service provider to the citizens, and really making facilities easy for the citizens to interact with the government. So much easier, to, you know, doing online banking. We've got new, um, e-residency ability, for, you can now have what is referred to as e-residence. So you can now become a citizen of Estonia electronically and use the services here. So it's a really great place to be. Um, but we also do have to be aware of our location, that we do have a lot of noisy neighbors who do try to manipulate and target the society here.

Garrett O'Hara: Yeah, absolutely. I, I was definitely, uh, thinking about the e-residency thing.

I watched a few videos and, uh, read, read a bunch of stuff on Estonia, but yeah, I find it fascinating. That idea of attracting talents. Um, you know, I think the comments were made in, in many of the articles, it's, it's attracting the type of talent that probably makes sense in today's world, you know, growing internet companies.

Uh, we'll, we'll probably get to this, but the number of unicorns over there is astonishing, you know, the per capita. Um, but one of the things I wanted to ask you about, and it kind of relates back to, uh, your comments on the kind of two-way conversation between citizenry and the government. There's an implied level of trust there.

And you're poten-

Joseph Carson: Mm-hmm [affirmative].

Garrett O'Hara: ...probably, uh, aware of things like the My Health Record initiatives in Australia, even the COVIDSafe app. You know, when, when that was pushed by the government here, the, the sentiment was generally that there's a trust problem, for want of a better expression, and people pushed back and opted out.

Um, you know, I've got mixed feelings about that as a, you know, as a citizen, because I get the efficiencies and, you know, having read about Estonia now, and like, whoa, that, that just looks like an incredible way to live my life, you know? And if it's five minutes to do tax, I'm on board, you know, that, that's way better than, you know, 45 minutes sitting with somebody who doesn't care, you know, doing the paperwork sort of thing. So, um, like it looks like utopia, but it feels like you can only get there when there's that trust built. What exactly was the road to get there?

Joseph Carson: The road to get there. I mean, one of the things in the early years of Estonia's independence throughout the 90s was that they realized, you know, they have a very diverse society. You know, just like many countries do right now, is that there's a very, almost a 50/50 split in different, let's say, opinions and, and whether you're left or right. So they realized that in Estonia, there's also, there's a large Estonian, you know, native population. There's also a large Russian ethnic population still residing in Estonia in the post-Soviet era.

And there's also a larger kind of, you know, other ethnic groups, whether it being other European countries and ex-pats like myself. And what Estonia realized is that in order to provide stability, in order to provide, you know, the government to be a service provider, they need to basically make sure that they're open and transparent to the citizens, that when they're doing an initiative, they had to make sure that the citizens is aware of basically what options you have and how it works. And ultimately, that's one of the things that benefits the citizen. So when you get into really providing that digital society, let's take healthcare records for an example, or, we can, you know, even, even the COVID-19 apps that, you know, governments have been looking at methods of doing that, Estonia cannot... and they've leveraged also kind of their innovations in blockchain, which has also helped in this as well.

Um, which is all about, you know, it's, uh, they're using it for the reason that it actually was originally developed for, was about data integrity, non-repudiation of data, data authenticity. Um, and that's what Estonia kind of really innovated around, which originally, if you look back, it was the Merkle tree and hashing, uh, algorithms that make sure that files could transfer from one location to another without being corrupted.

That was the ultimate reason that black-, blockchain and timestamping became really effective. So in Estonia, what happened was, we have health records. I basically, if I go to a doctor or to get a prescription, which you can do online today, that I own the data. The data's mine. And what happens is that I actually control who can see the data.

And there's also transparency to when a doctor looks at my records. So for example, I can log into the system and I can actually self-audit the government of my own data. And I can see basically if a doctor or nurse or, you know, pharmacist looked at my records and actually gave me a prescription. I have that auditability. And that's what's really critical, is that, you know, it's not a, a, [inaudible 00:09:52], a black box where you don't know what's happening,

Garrett O'Hara: Yep.

Joseph Carson: your data goes in [laughs], and you have no visibility. It's really important to provide that auditability to the citizen so they can log in and see what's happening and also control. They can decide that, for example, when you're doing your tax returns, as another example, rather than... I can go to the bank and say, transfer my, you know, financial details for the past year to the tax office and make it easier for me to auto-do the taxes. But I can also decide not to do that transfer, not to give the tax access to my bank account, and do it manually.

Garrett O'Hara: Yeah.

Joseph Carson: So you've got options of doing it. You're in control of really, basically, who has access. You've got that auditability to the data as well. And also you own the data. It's your data. It's not the government's data. So, and it gets into, and in a lot of cases, it's also a data rights management issue as well,

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Carson: is that our government's going to profit from that data as well by selling it on to, you know, let's say, major pharmaceutical companies to, to leverage that. And getting into the COVID-19 as well, one of the things is that many governments took this initiative of collecting everything as much as possible from the phone and centralizing it, and not being transparent to the citizen about how long it's gonna be used for, or what other purposes it's gonna be used for, who has access to it. And also, is that data gonna be correlated with other data that has been collected through other means? A lot of governments really went the centralized approach. And when I looked at it, is that that's basically, you know, it's, it's a massive privacy issue, it's a massive data protection issue.

It's a massive security issue if it ever gets compromised. And I really liked it. I liked when Google and Apple collaborated, because when you get really massive tech vendors coming together, they really find a way in order to do this decentralized, and governments who are really promoting of the citizens and transparency really leveraged that Google-Apple approach that allowed you to decentralize that. Your, an identifier can be collected.

They're not collecting anything else other than basically who else you were in proximity with. And only basically, you know, when you, uh, either get verified that you've been affected, then you actually make a notified, and other people can actually know that they were in proximity, not necessarily knowing who.

And it really means that the data that's been collected can only be used for one purpose.

Garrett O'Hara: Yep.

Joseph Carson: Um, and also there's transparency as to how long that data's been kept, what other reasons, that, you know, what it can't be used for and what it can be used for and what it's been correlated with. So it all becomes down to transparency and, you know, even I think it's key for governments to be successful, 'cause that's how you build trust.

Matt Sprague: Next up is Jenny Radcliffe, AKA the People Hacker, founder and director of Human Factor Security. Jenny is a world-renowned social engineer hired to bypass security systems through a mixture of psychology, con artistry, cunning and guile. Here she is with Gar, speaking about testing and bypassing companies' physical security with smoke bombs.

Garrett O'Hara: You've just described kind of starting on the physical side, right? And the sort of, you know, getting into buildings, getting into, getting past perimeters, essentially. When, you know, you kind of go in, you're working as a pen tester, what's the things that are, you know, the worst, or the, the things that when you see them, you're like, ugh, you know, I'm going to have some work ahead of me here tonight, you know, or today, whenever it may be.

Jenny Radcliffe: So, I, I mean, you know, one of the problems is, is that there's often a lot of security in place in a facility, but, so, it only works if someone actually uses the security, which sounds crazy. But like, for example, I've seen very secure doors held open with fire extinguishers. I mean, I've seen that in just the last couple of weeks, or doors that are fitted badly.

You know, so you've got like a really ultra-strong door, but it's kind of like it, it, it's not fitted so well, uh-

Garrett O'Hara: Okay.

Jenny Radcliffe: ...so that you can kind of get something in between. You can get a tool in between and kind of push the lock through. Seen doors that, you, you know, and windows that aren't really closed. I mean, there's a... I think I've got it on my, on my Instagram feed, but I've got a photograph of a window with a sticker on it saying this window cannot be opened, and it's, oh-, you know, I mean, it's open.

So, I mean, the first thing is, is,

Garrett O'Hara: [laughs].

Jenny Radcliffe: ...you know, badly fitted. Or equipment, doors, windows, you know, safety, security pre-, uh, measures that are not fitted properly or broken, or, or, or humans have bypassed it. And I mean, and that's the other thing in any building or any facility. What you'll have is, you know, a, a core contingent of human beings, you know, you're in the meatspace at this point, and the, those humans [laughs] will find the quickest, simplest ways around whatever security is in place. With no mal intent at all, just for convenience. And so when we sort of look at someone, we're doing reconnaissance, I really only need to look at what the people who are legitimately supposed to be there are doing to get around things, to really find out how to, how to get in.

And you have numerous, numerous occasions where the front of a building has been like a fortress. I'm thinking of one place particularly in London where it was just, you know, scanning and cameras and security guards. And that, I mean, and that's the thing. If there's a human person I've got to talk to, kind of get in and sign in and be escorted around there, that, that's a good measure. But no, but hopeless, because we went 'round to the back of the building, and there's this whole delivery bay. It was a huge big office building. So, you know, it had coffee shops and canteens and cleaners and sort of gardeners, you know, maintenance people in and around that put all [laughs], all these expensive office plants that they had, but none of them went in through the front door. Right. Everybody goes in through the, like, service entrance, which is not at all watched or particularly difficult to get into, and literally just picked up a box from, from a skip 'round the corner, just picked up a box and just stood there.

And of course, people just, oh, they just let me in, because, you know, you're staff, right? So you're not going to be, uh, required to sign in and be shown around. So I think it's, it, it's, it's the, the, e-... the ones that are most often is equipment that doesn't work, equipment that's broken or badly fitted. Uh, measures that are ignored, or just idiotic things like having, you know, the, the most secure entrance and then like a, a completely open service entrance.

And I mean, those are things that, that we see most often and most stupidly, I suppose. So security only works if you use it.

Garrett O'Hara: Mm-hmm [affirmative].

Jenny Radcliffe: And you use it properly. What, what presents a challenge is a human asking the questions, a human scanning people going in. Um, and just the opposite of all those things. So if people stick to procedure, if the doors are locked, if the padlocks are locked. And we have been, on, I've seen doors where the padlock's there but open, where the combination locks have the combination written next to it.

Um, you know, if people stick to the things that they've already got, that makes life harder, because somebody somewhere will have designed some security most of the time, but it's no good unless you use it. You know? So

Garrett O'Hara: Yep, definitely get that. What are the myths? Right. I've seen, I've seen videos posted on LinkedIn.

Some of the stuff that's online where, like, it may or may not be true, right? I'm not a pen tester, but it seems logical, you know, there's the, the famous one of the, the person who walks up to the glass kind of office doors, and they've got the automatic sensor, and they just blow, I think it's a vapor cigarette, through the little gap between the doors.

It hits a, you know-

Jenny Radcliffe: Vapor? No, uh, no. Vapor wouldn't work. It's a, it's an infrared, but we, but-

Garrett O'Hara: Yeah.

Jenny Radcliffe: ...most of the time what you're looking at is an infrared sensor. An infrared sensor, if you break it, will open it, mostly for safety reasons. If they think there's, uh, smoke, right. But people blow vapor, wouldn't work. Actual smoke might work, but what works very well is, all you've got to do is break the beam.

Garrett O'Hara: Mm-hmm [affirmative].

Jenny Radcliffe: So just... uh, if you ever have those, do you know when you've got to clean your keyboard, and it's like a can of compressed air? I've probably got one

Garrett O'Hara: Yeah.

Jenny Radcliffe: ...right on my desk, probably. I usually have one 'round. They come with, um, like a little plastic straw usually. Uh, so they, so that you basically angle in the air to clean the dust from your keyboard, something like that.

If you put it through, and again, the doors, if they're fitted properly, they should close, and, and it should be quite difficult to do. Maybe not impossible.

Garrett O'Hara: Yeah.

Jenny Radcliffe: but they should fit very tightly, but fairly often they're just not, and there's a gap. And if you can put that compressed air, as long as you break the beam, the door will, the door will open, if it's an infrared beam. Harder to do with vape smoke, but, but possible.

Garrett O'Hara: Yeah.

Jenny Radcliffe: Yeah.

Garrett O'Hara: And are, are there any that you see, maybe in movies or, or even online these days, where you sort of think, well, yeah, it looks cool, but it's not the reality of the job, you know? Uh, it's like it's exciting, but that's not practical, you know? Any of those kind of-

Jenny Radcliffe: It, yeah. Yeah. I mean, maybe, so yeah. What we try and avoid is breaking things. [laughs].

Garrett O'Hara: Yeah, okay.

Jenny Radcliffe: So if you can avoid sort of explosions and, and anything that really is, is, a noisy entry,

Garrett O'Hara: Yeah.

Jenny Radcliffe: unless we are deliberately trying to distract.

So I do, I have smoke bombs with me a lot of the time as a good way of just getting everybody to dash to one area. Smoke's a really good way. So, you wouldn't do it inside a buil-... This is the thing, I've said this before, and I think people were just incredulous. First of all, there's a couple of things: we're paid to do this.

Right. Someone's asked us to do this, so in that, at that point, things like first responders, emergency services, would be aware of the fact that during this particular time... And I might even, uh, say, you know, text the team in the office to say, right, we're going ahead with it now, so that there's not like a, an emergency response.

We don't want to waste people's time, but like with a smoke bomb,

Garrett O'Hara: Yeah.

Jenny Radcliffe: ...all they're used for in the UK, anyway, really is, for, is for chimneys. Right? So you, you put a smoke bomb in the chimney and just see if the chimney's clear. But if you light one of those, it really just gives off a tremendous amount of smoke, [laughs] which if you put in a bin, you know, near, not on, um, a building, someone will notice it fairly quickly and start running towards it.

And any security that you've got also play a role in kind of, you know, sort of watching for the general peace and quiet of a site. Now, obviously a, a bin on fire isn't peace and quiet, and they'll run to it. And we've used that more than once just to get past, like, for example, a, a security guard watching CCTV.

So there was one that we had two security guards, uh, just sitting there all day just watching a bank of CCTV. And we just couldn't, like we, no, we saw one guy always went and did something else. I mean, I could tell you what he used to do, but there was this one guy. He was very cool. Like, the two security guards, and one of them was a lollipop man. And so at the same time every day, he left his security post for like, not even half an hour, maybe 15 minutes, just to cross all the kids from the school across the road with, you know, with a, with a lollipop, right. Leaving one guy. And we thought, well, what we need to do is we need to get... I'm not going to try and bypass your CCTV, right, because that's a technical thing and I'm not gonna do that. All we need to do is get this guy away from the CCTV, just for that 15 minutes, just for even a minute, during that 15 minutes that the other guy is seeing the kids [laughs], is seeing the kids. I'm just laughing because I remember thinking about this and plotting it out in the hotel with the team.

Um, we just need to get him away just for a couple of minutes. Then we'll just run past, right. And then, and then once we're on site, we're on site, it won't matter so much, but we just needed. So we wait for the guy to go with the lollipop to see the kids across the road. [laughs] And then, well, I don't, I'm just going to say hiya to team member R, who'll, who'll probably listen to this, actually.

Garrett O'Hara: [laughs].

Jenny Radcliffe: And just went, right. So they just lit this [laughs], this smoke bomb for a chimney, threw it in the, in the litter bin on the other side of the site, and just went. And I'm waiting and waiting and waiting and waiting. And then all, and then sure enough, it's like, oh my God, the bin's on fire. Guy runs away. We just... And that's how I just got onto the general premises.

Now, after that, you know, they're still watching CCTV inside the premises. There's a chance that they're going to see me, but like I'm only going to be about 20 minutes on site. I knew exactly where I was going.

Garrett O'Hara: Yeah.

Jenny Radcliffe: You know, it's a huge site. And by the time he kind of sees me, and I'm avoiding it wherever possible, time he sees me and runs to me, I'll probably be, be gone, but we needed him away. So, you know, when I see Hollywood things, where we actually have clauses in the contract that says we will endeavor to use our best efforts not to use destructive means. So

Garrett O'Hara: Yeah.

Jenny Radcliffe: ...in other words, I'm not going to break a door. I'm not going to blow a door up. I mean, you just don't use explosions and things the way that it's done in movies, but most of the time, uh... it's funny, because people say that there are people who I work with who say it's not very, what they do isn't very much, isn't very dramatic. But I think because I don't use tech, A, there's an element of theater to what we do, because you have to think of these big schemes sometimes to get past, because I can't just shut the computer down or whatever. Um, and B, some of it is quite dramatic, really.

Matt Sprague: In this next segment, Gar is joined by Jessica Lee, founder and owner of Jessica Lee Consulting. Jess has a deep background in organizational psychology and talks here on burnout and how the PERMA model can help you build resilience to stress.

Jess Lee: Even if you just, if you look at kind of average tenure for CISOs, it's kind of, globally speaking, there's a lot of studies to say it's around the 26-month mark. Um, so if you're talking cost alone, let alone anything else, you know, the cost of replacing that level role, the cost to the person who has been burnt out, who's leaving after 26 months.

Um, you know, those costs alone are, are, are massive for those individuals. In terms of a global scale, you know, the World Economic Forum basically said, that was even a couple of years ago, burnout's costing the global economy 255 billion pounds. Um, so like you've just gotta look at a, at a micro level to any organization.

Like I work in, in up on Grand Canal Dock in Dublin, so we're basically kind of little mini Silicon Dock. So I work across the road from like Google and Facebook and everything. And, you know, I know how, you know, the stresses that people are under, and you can see if I physically look at the building across the road from me, there's probably about 300 people in the building. Imagine if half of those were stressed, and then you start looking at costs of, okay, well, if I look at these, you know, 150 people across the road from me, if they're stressed, they might be, you know, what, how many sick days a year are they taking? You know, what, are, what kind of, um, environment are they bringing home? Um, you know, what kind of, um, effects is this having on their personal and professional lives? Those kind of things, depending on how you look at it, you know, there's the whole micro level, which if you take, I think when we're thinking about behaviors and we're thinking about impacts, we should start looking at ourselves, because that will give us the, the best kind of, um, way to relate it back to ourselves.

So, you know, how you've seen, we've all been in a stressful situation, how has that impacted us? Then you multiply that by billions and billions. And then you've got the, the global and economic costs.

Garrett O'Hara: Big personal.

Jess Lee: Yeah. It's, it's just, and I, like, you know, I think, I, part of me gets disheartened. And then the other part, I get heartened, because I look at even the last six months in Ireland, obviously that's where I'm based, there has been a lot of focus and a lot of investment around wellbeing.

And to me, that's, that's really quite heartening. Where I think if you were leading and managing a team or working in an organization, what you have to be mindful of, though, is that, you know, doing talks or getting somebody in to, to speak about wellness does not a wellness culture create, you know,

Garrett O'Hara: Yeah.

Jess Lee: it has to be much more long-term, and has to be what we were talking about earlier on, in, in terms of kind of doing it from the top and making sure that you're really kind of creating a change and giving a positive impact to the people that are working there.

Because, you know, if you take even the, the 255 billion cost to the economy alone, what about the mental health of the global population? It's just, you know, it's a massive, massive, massive area. Um, and you know, it's not going to be solved in the next kind of couple of months, especially with everything happening with COVID.

So what are the small steps you can take in your organization? And, and you don't have to be a leader in your organization, you can change the way that you speak to people that you work with on a daily basis, you can check in with people that maybe you just haven't really, have ever really done before. Um, so it's just taking those little steps.

Um, because sometimes I think looking at it from that macro perspective, it can be a bit too daunting.

Garrett O'Hara: Yep.

Jess Lee: Um, so we can look at the, the, the local effects, start small and build out. And if you, you take that kind of building a net around the world analogy, it's the same idea. Start, start building those, those maybe spider webs around the world.

So you've got Spider-Man dealing with [laughs], building the webs around the world and creating wellness webs [laughs]. And then you've got Superman building the net [laughs].

Garrett O'Hara: This is like the worst uh, superhero movie I've I've heard a script for yet. [laughs].

Jess Lee: Mm-hmm [affirmative].

Garrett O'Hara: But I, I get the point.

Jess Lee: I started watching Avengers recently. so that [laughs]-

Garrett O'Hara: [laughs]. No, I, I definitely get the, I get, I get what you're saying.

Um, what I would like to do is kind of end on a fairly practical note and, you know, just talk about the specifics of, uh, some things that maybe people could do to take care of themselves. You know, what are the, the things that they could do regardless of whether they're maybe recognizing now that they're in the early signs or, you know, the early stages of stress, or they're maybe further along and they, they feel like they maybe are burning out or, or, or something.

Um, do, do you have any kind of practical yeah, suggestions,

Jess Lee: Mm-hmm [affirmative].

Garrett O'Hara: you know, things that people could do today or, you know, in the coming weeks?

Jess Lee: Yeah. Um, obviously refer people to positive psychology, which again, if you have any interest, I suppose the father or founding father of positive psychology is a guy called Martin Seligman. Um, and he's based at the University of Pennsylvania and

there's actually a ton of information that he has that's all free online. You can actually do a load of kind of psychometrics and questionnaires and get a gauge for how you're feeling and, you know, your levels of optimism, and those kind of things on the University of Pennsylvania website. For, just, I think some people find really interesting, but what he does is uses a model which is called the PERMA model.

Um, and it's, I suppose, a focus or a way for individuals to look at general wellbeing and, you know, focusing on the element of, of positivity. So what that stands for is the P is for positive emotions. So it's the, the idea of kind of trying to start proactively looking for the good in things. Um, it's definitely been a kind of contentious one when I've talked to people about this before, because people are like, well, I'm a pessimist, so I'm not going to do that [laughs]. So that's absolutely fine. I'm a realist, you know, we can all debate about that all day, but you know, if you start choosing to look at things in a different way, then you will start doing things in a different way. Um, then the E stands for engagement. And what this means is he uses a phrase, kind of finding flow, and I wouldn't be a major fan of that phrase, but ultimately when you think about it, it's like, I always say to people, what's one thing that you do where you would never notice time was passing you by? Something maybe like surfing or maybe reading. It might be even playing a musical instrument. It might be, you know, I don't know, speaking to your family, whatever that is, find that flow, find something that you do that you just love, because when you think about it, you know, when you're in that moment, you're not thinking about work.

You're not thinking about stress.

Garrett O'Hara: Mm-hmm [affirmative].

Jess Lee: You know, if you're truly loving being on that surfboard, you're like just loving life, and you're, you know, looking at the birds, [laughs], or the waves, whatever, and you're just, it, it, it allows your, your body, your mind to replenish in that moment. And so find more and more of those things to do. Um,

Garrett O'Hara: Well, your description of like surfing there, is pretty much my experience, which is much more about looking at the, the waves and the birds than actually being on waves.

So.

[laughs].

Jess Lee: [laughs].

Garrett O'Hara: That resonates.

Jess Lee: Coming back up from under the water when you fell off.

Garrett O'Hara: Yeah [laughs]. Yep, pretty much.

Jess Lee: So you still can surf then, Gar. Well done.

Garrett O'Hara: Thank you.

Jess Lee: Oh.

Garrett O'Hara: Thanks for bringing that up, Jess [laughs].

Jess Lee: Oh, I'm sorry. I'm sorry. I'm only kidding. You're better than I am. Um, and then the R in PERMA is for relationships. So that's about authentic connections. So basically when you think about it, you know, what we need as human beings or what we kind of, we crave, we're naturally social beings.

And we crave connections. So for some people that might be, I have two or three best mates, that's it. Perfect. You know, other people might be like, well, I've, you know, I'm friends with like 5,000 people and, you know, I'm out with those people all the time. What, whatever floats your boat, doesn't matter. It's about creating relationships and connections that are authentic to you, that you can have

kind of, I suppose, deep and meaningful conversations with people. Um, because that, again, when you think about it, you know, in terms of building up your resilience, building up your wellbeing, building yourself up and giving yourself energy and, and to be able to fight that stress and burnout and, be able to be more resilient against it, then, you know, if you've got great people around you, then, you know, all the better. The M in PERMA is for meaning, and this is a kind of a huge area in terms of actually, if you're thinking about the, the generations, the Gen Z-ers are really craving meaning. So it's about finding meaning and purpose in what you're doing. So is what I'm doing creating something for the better good, or, you know, something bigger than me? Um, so a lot of people are looking to understand what creates meaning for them in their organization, and what does that organization stand for?

And then on a personal level, you know, what's, what's meaningful to me in my life. So if you can start asking yourself those questions, I think they, they can help us build that resilience and, and create that blocker I was talking about earlier on in terms of those stresses. And then achievement is the, the A in PERMA. So that sense of accomplishment. So if you think of the, the, like, the smallest thing that, I don't know, maybe it's changing the toilet paper roll. Maybe it's changing, you know, a light bulb that has been out for three months, and you finally do it one night and you're like, God, thank God I did that. It's been sitting there for three months,

Garrett O'Hara: Feels good, huh.

Jess Lee: it's this [laughs]-

Garrett O'Hara: Yeah.

Jess Lee: ...smallest little thing, but it feels good.

Exactly. So it, it's just bringing that feeling of, of achievement into our lives. So Martin Seligman would say using this model, this PERMA model, of, of really looking at those five areas can help you build yourself up and create more ability to be more resilient and to fight against, um, you know, I suppose those negative stresses in your life.

It's important to probably say as well that, you know, stressors can be really beneficial to a lot of people as well, and very helpful, and spur your, spur us on to do things. Um, but I suppose if you think about just having a little, a buffer between yourself and the stressor, it is always a good, a good place to be, because otherwise that's when it starts moving into the burnout and you feel like there is no, there's no end to it.

There's no pause.

Matt Sprague: In this final segment, Gar talks with Mark O'Hare. He's the CISO for Mimecast and is at the forefront of challenges facing CISOs in public companies. Gar asks Mark where he gets his information from and what keeps him up at night.

Mark O'Hare: Yeah, [laughs] yeah. Well, thankfully I'm a, I'm a decent sleeper. Um, I certainly used to be.

Um, but yeah. The, there are a couple of things that keep me awake at night. Really, we've spoken about this in some of our threat intel briefings, but insider threats. I, I, I think that's a really hard thing to deal with. Um, they're, you know, notoriously hard to, to detect an insider and, and, and notoriously hard to prevent them.

Right. So detecting, because to do their jobs, they need an awful lot of access and privileges if they're an administrator on the, on the platform. Um, and, and so you, you're entrusting a lot of power to, to your employees. And, you know, we saw with, with Tesla recently where one of their Russian employees, you know, a, a, another Russian citizen attempted to, to bribe them to, to plant, uh, malware in, in, in Tesla's organization.

Um, thankfully the, the Tesla employee did the right thing and, and, you know, worked with Tesla's security team and eventually, eventually some of the, um, cyber crime organizations to, to shut that down. Um, but they, you know, it's reported that this person was offered, you know, potentially up to a million to, to plant this malware. It's, you know, that, that, it's a lot of money and very tempting for, for cer-, certain people to, to then follow through with that.

So, so that is, that is obviously a, a big problem. Not, uh, insider threats, they're not always malicious, accidents happen too.

Garrett O'Hara: Mm-hmm [affirmative].

Mark O'Hare: And you know, someone could change a firewall configuration and before you're, you know, you may have some automation to, to detect firewall changes, but that may not kick in, or someone may, may not see that alert in time.

And just for the few minutes, uh, or potentially even hours that that's exposed to the internet, some really bad things can happen. So, so accidents can be a real problem too. Um, so yeah, for me, insider threats are probably the thing that I find the hardest to control and the thing that worries me the most. You know, infrastructure we can, we can patch, we can test, we can fix.

Um, but you don't always know what people are thinking. So, you know, that's a problem. The other thing that keeps me up at night is, you know, companies like Mimecast, who, who store valuable data, we, we become targets for, you know, sophisticated, uh, cyber criminal groups and, and even nation states. Um, you know, we have seen other, uh, companies that store valuable information being the targets of, of highly sophisticated attacks that have been attributed to very sophisticated, uh, threat actors.

These threat actors, they have big budgets, a lot of time and some very smart resources on their hands. So, you know, those are the two things that keep me up at, at night. There are obviously many other things that worry me. Um, but I, I, I would, I would go with those two.

Garrett O'Hara: Yeah, absolutely. It's funny, as you were describing the Tesla employee there, I've, I've listened to quite a few interviews with Elon Musk and he's a, like, he's a pretty intense guy.

And I feel like if I was his employee, I, I, you know, the, the opportunity to make a million dollars versus the wrath of the Elon Musk, I probably will walk away from the money as well. [laughs] He's a, he's, he's quite intense.

Mark O'Hare: Yeah. Yeah. Well, I, I've not heard any reports about this, but I suspect that Elon would have taken care of that.

Uh, you know, the, the, the employee himself, I mean, that's, that would have been a very difficult situation to, to deal with. Um, in even whistleblowing on that, you're potentially putting yourself in danger from, you know, the, the organization that's trying to attack Tesla. So that person really went out on a limb and it's a very brave thing that, you know, that Elon should be respecting, and I'm sure he would.

Garrett O'Hara: Yeah, it's a, yeah, definitely kudos to that person. So one of the things, um, I think you and I have kind of talked about over the, over the years that we've, uh, been working together is, uh, really just the, the, the level of change and how quickly all of this stuff moves. And as part of my job and, you know, the things that I've done over the years with Mimecast, I get to see, because of RFP responses and various other kind of security assessments, a little bit of a peek behind the, the curtain of the effort and the work that goes into, um, securing our platform, but you know, I know other SaaS providers will do very, very similar stuff. Um, but one of the big things is just how quickly this stuff all moves and changes, and the, just the sheer volume of new threats, different types of threats, you know, what's kind of coming down the wire. I'd be very keen to hear where you, where do you get your information from?

Mark O'Hare: Yeah, absolutely, Gar. Um, so as a CISO I feel you need many different sources of information. There is no one place you can go to get it all. Um, and this is both internal and external resources, as well as technical and anecdotal and, you know, even news articles. So, so just to give you a sort of summary of the places that me and my team will get information from.

Um, so cyber threat intel services, like, uh, CrowdStrike's threat intel service that we subscribe to, uh, Recorded Future, which, which is another threat intelligence service that, that we subscribe to. These give us curated reports that are, are tailored to, to your, own needs, your business's needs.

You can input search terms and things that you would like to be, um, alerted to if there is any threat intelligence related to these things. Um, and it also can include new vulnerabilities related to the technology you're using, the new tactics and, and techniques that adversaries are employing. Um, as I'm a CISSP, I also like (ISC)²'s information security professional magazine, they have some great articles there. Um, there are tech news sites that report on the anatomy of breaches too, which give you very useful insight into, you know, what these, um, threat actors are actually doing and how they are breaching organizations.

Uh, I always feel it's, [laughs], it's way better to learn from other people's mistakes rather than your own here. So, you know, reading up on, on how these breaches are, are happening and, and, you know, what were the defensive mistakes that organizations made. Um, and then us making sure that we are not making those same mistakes.

And that's also important to us. Uh, security thought leaders like Brian Krebs and Dr. Eric Cole also have some very interesting and useful content. Um, so listening to their podcasts or reading articles that they've penned, I think is also a great way of just upskilling and understanding what's going on and, and what our, our current security thought leaders are, are, are thinking and talking about.

From an internal perspective, uh, you know, we have a couple of threat intelligence teams. Uh, so they, they bring information. Some of it's related to what our products are, are seeing and the intelligence that's generating. Um, some of our threat intelligence resources are, um, you know, curating the Recorded Future and CrowdStrike threat intel and making, you know, tuning out the noise, making sure that the threat intel coming through is, is relevant to, to us as an organization.

Um, I, I think we're all in danger of being oversubscribed to, to threat intelligence and, and actually paralyzed by just the flood of information you've got.

Garrett O'Hara: Mm-hmm [affirmative].

Mark O'Hare: So having a threat intelligence team trim down that information and make it highly relevant for your organization makes you far more effective. Uh, we also have an offensive security team, which is really our, our penetration testers.

So they're doing manual testing and they're bringing information to me about, you know, what vulnerabilities may exist inside our network, in our applications, either third party applications or our own. We have a strategic security team and they, you know, they're mapping our defenses against frameworks like MITRE ATT&CK. Um, and, and so they can bring in, in, intelligence and information to me to say, you know, we, we're, we're missing something here. This is where we need to focus some, some more energy and effort, uh, into defending ourselves. Um, and then products can help us as well. Uh, so our own, uh, brand exploit protection can, can give us an indication of, of whether people are targeting us and, you know, trying to ex-, exploit our brand, and, and something like Nessus, so just the, uh, automated scanning of your environment for, for vulnerabilities, brings you the technical information that, that we as security practitioners can, can rely on and, and need to rely on. Yeah. So I think in, in sum, a lot of tools that we use, but I think in summary that covers really the, the, the focuses.

Matt Sprague: And that's our show for this week. If you'd like to hear the full interviews of any of the clips featured in this show, dive into our back catalog of episodes. Your regular team of cyber experts will be back with a new show in just a couple of weeks, but for now stay safe and tune in next week for another best of episode.
