• Garrett O'Hara

    Garrett O’Hara is the Principal Technical Consultant at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies. When not talking about the cyber security landscape, data assurance approaches and business continuity Garrett can be found running, surfing or enjoying the many bars and eateries of Sydney's Northern Beaches.


In this week’s cyber security news we explore the confirmation that the Russian SolarWinds hackers breached 14 of Microsoft’s resellers and service providers, we discuss the Cyber Ready Program recently announced by the Australian Federal government to support the next generation of cyber security experts, we explore why there has been a decline in insurance claims for ransomware and the implications this could have for the cyber insurance space, and the 2022 big budget increase for cyber security predicted by Gartner’s annual survey.

Questacon’s Cyber Ready Program: https://bit.ly/3muu3kJ


The Get Cyber Resilient Show Episode #78 Transcript

Daniel McDermott: Welcome to episode 78 of the Get Cyber Resilient show. I'm Dan McDermott and I'll be your host today. This week is our in the news episode, and I'm joined by our resident cyber security experts, Bradley Sing and Garrett O'Hara. And we will start by exploring the confirmation that the Russians have been at it again. This time, the SolarWinds hackers have breached 14 of Microsoft's resellers and service providers. On a positive note, the federal government have announced the cyber ready program to support the next generation of cyber security experts to help fill the skill shortage in Australia. We will then explore why there has been a decline in insurance claims for ransomware and the implications this could have for the cyber insurance space. And we'll end on another potential positive story, the Dartmouth annual survey on predicted budget spends for 2022 forecasts a big budget increase for cyber security next year.

Brad, let's kick off today's with a review of the Russian SolarWinds hackers being at it again.

Bradley Sing: Certainly. I mean, it seems like we just keep talking about SolarWinds in this podcast but we wouldn't be a cyber security podcast if we didn't. Um, so there's some guidance which has come out from the Microsoft Partner team around a list of targeted attacks on Nobelium effectively looking at the, kind of the supply chain or, or kind of more of the, the reseller network in terms of ultimately trying to gain access to, to end users or, or rather the, the clients of these resellers. It's interesting if you think about it, because we've seen a string of kind of supply-chain based attacks where they've, you know, they kind of go or vendor attacks rather where they go for the core platform opposed to attacking the company directly. Um, but I think the reality again is, is this is a live scale attack by a large nation state, and with a lot of resources and a lot of investment in kind of cyber fence for in, investigations.

And I'm kind of reading through Microsoft's blog, just, just, you know, the, there's recommendations for end users, sorry, the downstream customers recommendations to the partners. Um, but also, you know, their recommendation is MFA and always, you know, we would always recommend multifactor auth and those different things. But there has been times when, when MFA itself, you know, has had exploits in recent times.

Garrett O'Hara: It's an interesting shift, as you said, Bradley away from popping the, the technology and actually going directly to the suppliers. And, and I suppose what they're going to do is exploit the fact that, you know, many of the kind of resellers and suppliers will have admin privileges into those, you know, the, ultimately the target organizations that they're really going after. So like, it is a fairly interesting compromise of technology, supply chain, especially given the ubiquity of Microsoft. Um, interesting, I don't know, like this is trivia, it's not cyber related, but I did go and look up what the Nobelium was.

It's [laughs] it said no known biological role. It said no use outside of research and it's got an atomic number of 102 and it was named after Alfred Nobel. There you go. Nothing to do with cybersecurity, but I was just curious as to where the names come from. These advanced persistent threat crews, like where do they, like, who decides these names, but that's quite a nice one.

Daniel McDermott: So I think, on this as well, it's not only like who they're attacking in that, but I guess what are they getting out of it? I mean, we, we've, we discussed many times, you know, something like ransomware and, you know, most of it is financially driven, right? And we're seeing the increase or the rise of, of the ransoms themselves. And in terms of the cost of it what is it that is underlying?

This, this is all, I think just equally as interesting as to, you know, a lot of the commentary is around the fact that it is a surveillance activity, as much as it is a hack in its own right and a breach of the, of those providers. But it's actually looking at a long-term sort of view of actually getting information for who knows what sort of purposes in the long-term.

Garrett O'Hara: Well, that's it, I think it's [BAU 00:03:57] nation state stuff, isn't it? I mean, the resellers are not the target here. The customers of those resellers and the customers of the technology service providers, that's the targets. And, and you get a... When you think about it, you get a pretty big multiplier. You know, if you pop a reseller then, and if you do it well, you potentially get access to all of their customers.

So, you know, if you're, if you're just trying to be efficient, as I'm sure the, you know, the Russians are, then, you know, you get a, a one-to-many approach as you do with the technology supply chain, it's the same thing. Right? So like to your point, Dan, like getting in at that level, at that reseller or the service provider level, you know, if that gives you access to then, you know, 100 clients per reseller, that's a pretty efficient use of your time. Um, but it, yeah, I mean, it's the longer-term stuff, isn't it? You know, they get in there and, and I'm guessing if, I mean, who knows there could be specific targets and, and it's partly what a nation state will, might do is go broad because then it disguises who the real target is.

And, you know, it's kind of hidden in the noise of all these other people who've also been compromised. So do we really know who they're going after? I mean, it could be a specific target, but I suspect it maybe as you said, just to get in there and get to these, the, the ultimate targets, which is not the reseller, this service provider. Um, and then who knows, who knows what you, what you get. I don't know if, either of you know if... was there any patterns in terms of who those resellers were, like, what kind of verticals they sold into? 'Cause that's probably a good signal to look what the Russians are after?

Bradley Sing: It was the the CS, CSP program. So like they're the kind of the tier one, tier two resellers of like Microsoft Office 365 licensing and things like that, but that could be like a website where you go to purchase Office 365 by yourself. But if Telstra would be an example of, of a company like that, so if you purchased service through them. Um, one thought I had and back to your point around the, the, I guess the economics of it. And I know we've talked a lot about the, the economy of, of, of dark web and, and ransomware.

Um, interesting enough, I was trying to find out if Nobelium was, was a ransomware as a service and I did find some Nobelium isotopes for sale. Um, and there were apparent, allegedly sorry no, they were first correctly identified by a Russian nuclear physicist in 1966. So maybe it's a little bit of a, a phone home to that. I'm not sure though, but, um-

Garrett O'Hara: Don't know. But be careful I'm, I'm reading here it's toxic due to its radioactivity. So-

Bradley Sing: It has a half life of 50 minutes-

Garrett O'Hara: Maybe, maybe don't buy them.

Bradley Sing: They're selling them. This is on the [inaudible 00:06:18], by the way. Um, but yeah and I just, I get, I guess it's a really good point. And because if we think back to some of the more, well, this is high profile, but the the recent Pegasus kind of hack that was one where the exploit, or services, whatever you want to call it were sold. And, and we know that a dark web exploit goes for potentially millions or 5 million, whatever, you know, large sums of money. Um, if it's active and it's zero day. So whether or not this group initially exploited it for foreign intelligence and potentially sold on it later and again, an, it's a successful attack.

Garrett O'Hara: Yeah. And it sounds like, I mean, they're going in with password spraying and, and phishing stuff. So, you know, like here, "Here we are, again, turn on multifactor auth. Like so many of your problems go away, just turn it on. It might be a pain, it might have a little bit of an extra bump as you log into things, but just turn it on."

Daniel McDermott: Hmm. Definitely good advice. And I do think though that there is the notion of, of, you know, are we, are we looking too much into this and is their target Microsoft? You know, like I think there has to be some degree of concern around like, you know, are they trying to get my, you know, understand Microsoft it's, it's relationships, it's information, get into it as a, as a source, if you like. Um, because like you say, Microsoft being fairly ubiquitous and also having connections into, you know, well, things like the US government and that type of thing. Is it being seen as a potential way, hidden in that back door to those type of organizations and systems you know, through, you know, the world's largest sort of, you know, software provider?

Bradley Sing: I th, I think Microsoft don't, well, they're not allowed to really sell their services in Russia anymore. The same kind of in China. And I think over the past five years, we've seen a huge rise in the kind of local IT economy of Russia, because it kind of wasn't really there, right? Like they've got a thriving cybersecurity industry, which is quite interesting that the kind of the ru, I guess the rules of the battlefield where they, they won't hack or do anything against each other, but I guess anything outside of that is potentially fair game. But you're definitely Dan. Well it was definitely a kind of nationy state kind of bigger thing going on here. Right? Um, and ultimately, you know, every, everybody uses Office 365. It's the world's biggest cloud platform for corporate uses. So if you get into it, you're going [crosstalk 00:08:36] to be able to [laughs]-

Garrett O'Hara: LibreOffice, LibreOffice all the way, you know, uh?

Bradley Sing: It's free one, right?

Garrett O'Hara: [laughs] It is, it is, it is. Yeah. It's an interesting point though. You kind of wonder what the what are the sort of technical integration points between my, my Microsoft and those customers. 'Cause on my head, I think good practice security would be separation of kind of production platforms from the Microsoft operations side of things. But that said, there's going to be billing systems, presumably, and there's going to be some level of, you know, call back into Microsoft sort of the broader Microsoft world. Um, but who knows?

Daniel McDermott: No, indeed. It's certainly, you know, pretty scary proposition and and obviously one that I think we're gonna unfortunately continue to hear about as we go forward. Taking a bit more of a positive note locally, and we saw an announcement from the government regarding what's called the Cyber Ready Program and dedicating money to actually help build out I guess the future of cyber security skills right from primary school, secondary school, as well as tertiary across Australia. Brad, what can you tell us about this program and what do you think it will actually deliver for the Australian economy and for the skill shortage that we know we have?

Bradley Sing: Yeah. It's like, I think news like, this is great. It's, it's good to cover, I guess, things more positively on the show sometimes instead of just talking about, all of the, you know, kind of the negative consequences of breach. Um, but this is fantastic. Effectively, there's an announcement by the Morrison government quite recently as a couple of days ago, in terms of extra spend around it. Part of this looks like it's going to be based kind of, I guess, you know, to support different areas around Australia as well, including getting indigenous Australians and people in different groups and, you know, might have access to computers or technology as much and really try to build that capability locally.

Um, we are all, we're all very aware that, you know, I think, think we think we need more people in the industry. But we really need that homegrown capability. I think I'm always kind of jealous. I'm like, I mean, we, w, we all work in cybersecurity, but I'm like, "I wish I kind of had this access to programs and stuff like this when I was younger." And it's kind of nice, it's, it is the, we're on, we're on the front line of it. And it's, it's good to see the government kind of recognizing that, that we need to invest in youth.

Garrett O'Hara: Yeah. And it's the future, right? I mean, that's the reality, everything's going to be digital. Everything's going to be needed to be defended. Um, Dr. Chase Cunningham, who was just on the last episode you know, talks about cyber warfare, you know, all of that stuff is going to happen digitally. So, you know, getting a generation of people who are not just digital natives, but, you know, have that kind of cyber security mindset. And, you know, how many times have we talked about security by design and, and s, you know, privacy by design. And I think a large part of the reason for failure in businesses and organi, and organizations in general is that we just weren't raised that way. It's not part of our psyche.

But if you get it you know, get in there early and sort of brainwash these kids as they kind, as they come through you know, primary into secondary and tertiary education, then, you know, hopefully we will have a generation of people who, you know, understand the value and are happy to spend the money on doing these things right. And, you know, I dunno, does that paint a rosy future for us? It's a little far away. I mean, I don't know if the three of us will massively benefit from it, but you know, hopefully some generation will.

Daniel McDermott: No, it's pretty exciting stuff. Like, and I think like there's a few aspects that I can see of this. One is it's obviously that, like you said, Brad, that, that boosting the participation and the diversity you know. This is diversity month and and one of the areas is, is, you know, having, you know, a broad church, right? I think we need that in cybersecurity and, and getting greater participation from all sorts of parts of society and bringing that to bear. And and I think that's really important. I think from my perspective, you know, personally, you know, I was, I had my grade five on Scratch this morning, doing some coding. Um, he was pretty excited with what he could do which was pretty cool.

So, you know, if we can embed a, a cyber security element as well it be interesting to see, and so I'll suddenly play a, a front row seat of seeing how this rolls out and um, and hopefully, you know, he gets to participate in the program. 'Cause I think he'd enjoy it and have a, have a lot of fun and then obviously, you know, and build skills and then hopefully, you know, like you say, Gar, sort of embed those practices right in the start, from the outset, which would be cool.

Garrett O'Hara: Do you guys, were you, were you old enough and maybe don't give your age away, but like, did the BBC Micro hit Australia? It was a little computer that was made way back in the day and may or may not have been part of my, my childhood [laughs]. And but you know, it was almost a little bit like the Raspberry Pi. And, and the reason I mention it is because I think this stuff is so wonderful when you see the, you know, amount of dollars being spent. The actual ROI on that is enormous given how cheap it is to provide, these days to provide amazing technology. You know, Raspberry Pis, which are, and I mean, anyone who's kind of played with those recently, they're, they're solid. You know, your fully functioning computers that you can stick on a, you know, a Linux operating system.

So you could do a lot of this stuff for fairly cheap. And I should have really researched this, but I'm pretty sure that there was a like a study I'm, I'm fairly sure I saw a TEDx talk in this where they dropped literally a bunch of Raspberry Pis into a remote area of some kind of developing part of the world and sort of, kind of stood back to see what would happen and, you know, came back a year later. And these kids had just done astonishingly well at self-learning because the appetite was there at that age, just to understand and to, you know, pull things apart. And, you know, it's, maybe it's today's version of Lego. But I, I think it's just incredibly exciting and, you know, paints for a rosy future.

Daniel McDermott: Did you guys ever do the electronic kits when you were kids? Like, you know, how you make the FM radio, the like, you put battery in and there's usually like a one to-

Bradley Sing: Yeah.

Daniel McDermott: Thing-

Bradley Sing: Yeah. I actually, went to try and look for some of those when the pandemic started for a bit of nostalgia and couldn't find any. Um, but it kind of reminds me a little bit of that. Right? That's, that's kind of just making kids think, making them question things. One of the really key things about this program is that I think it's aimed for eight to 13 year olds. So they, some may be a bit young, but you can contact them. So maybe reach out, they might have some material, some swag I'm not too sure, [laughs] exactly for the contents of the program.

But yeah, I, I think it's an absolutely fantastic thing. And again, kind of jealous in a weird way, but, you know, we were working, we're breeding it. And in terms of who it's going to help, like it helps us out Australia, right? Like we need this capability. I think that's, that's unfortunately, one thing that we've, that we've kind of grown to learn.

Daniel McDermott: Terrific. We'll we'll include the link in the show notes as well. And yeah, also they take a look and encourage our listeners with any kids in that sort of age bracket to, to take a look and dive into it as well, which is great.

Bradley Sing: Yeah. That's for their National Cyber Design Challenge. So yeah, it's a fairly, fairly cool can, workshop.

Daniel McDermott: Awesome. Thanks for bringing it to our attention, Brad. Really appreciate it. The next story we wanted to look at is, is one that seems a little counterintuitive in some ways. We've been speaking a lot around the rise in ransomware and it's, it's, you know, proliferation across so many sectors. Um, yet what we're seeing is, is a decline in ransomware insurance claims. Um, can you tell us a little bit about, like, why is it a decline in claims when we know attacks are going up all the time? Um, and then what is that flow on implication, I guess, for the cyber s, cyber insurance industry as well?

Garrett O'Hara: Yeah, it is. It's so counter-intuitive Dan. [laughs] Uh, I feel like the anecdotal evidence seems to go against the, the quantitative analysis that have come back from Corvus Insurance's Risk Insights Index. Um, but they basically look at and analyze several risk mitigation and claims data. And when you look at the trending through your Q2 2020 through Q1 2021, there was a drop of 50% in Q2 2021. So like that's a weird... it seems to go the opposite way that we would expect it to go, given how much we time we spend on ransomware.

Uh, you know, an observation that maybe is relevant is the amount of money that is spent or expended on [BEC 00:16:37] is substantially more than ransomware, like massively. I think it's 64 times more money lost through BEC, but we spend most of our time talking about ransomware because it is such an impactful instant, you know, when it does happen. Um, the, you know, the analysis here and, and the the conclusion that this organization has come to is that maybe what we're seeing is the kind of lagging indicator for better cyber resilience, and that organizations are protecting themselves better. They're building better data backups so that when, or if the, the worst does happen, that they're in a position to have an option to not pay ransom. So therefore they wouldn't have to go to the insurance companies with a view to kind of paying out on those.

So it is interesting. Um, it is one study. So you know, I don't know about you guys, but I tend to be waiting for, you know, multiple studies to say the same thing before I kind of jump up and down and, and think that ransomware is on the decline or we're somehow coming out of what has been a horror show couple of years. But certainly an interesting set of data. And I would hope it does actually point to what they've suggested, which is better cyber resilience. You know, that organizations are really thinking about protection, but they're also thinking about it's going to happen. Let's have backups, like let's have the systems, secondary systems in place for data assurance and also service assurance if the worst does happen.

Daniel McDermott: I honestly didn't believe the stat when I first heard it. Someone was telling me about it the other day and I, I kind of questioned it. And then I think you sent through that article earlier today or whenever it was. And yeah, again, I kind of thought about it a bit and I was like, "You know what? Yeah, that, that kind of makes sense, right? Like, I mean, premiums are going up, like it's sort of become expensive is it's the cost of doing business right. Cyber security to a degree. And I know we're going to talk about kind of budgets and forecasts and, and what companies are looking to do locally next year. But I think you're a 100% right, Gar. And I, I think part of the challenge is, is well, what, and I'll say, sorry, just on that, you, you mentioned before something around the cost of ransomware versus BEC.

And just curiously, I wonder what is the uncalculated cost of ransomware? Because disruption is huge, right? But again, who knows? That's, 'cause like, if we think about a, a platform such as Microsoft and some of the issues and challenges they've had, or the companies that have been ultimately hacked through some of that I don't know. It's just, I think, yeah, it's a fascinating thing if we add up the true value of a lot of these things, probably, probably going to be a lot worse than is actually reported.

Bradley Sing: I think that it's an interesting area for me is just that, you know, hopefully the good news is, as you say, Gar, that basically, you know, our organization's better prepared. They've got back up in place, they've got, you know, resilience and redundancy in their systems and processes and therefore able to react and get back online and continue to deliver the services that they need to without paying the ransom. So that's pretty cool. And that's a, I think that's a great win and that's something that, you know, should be celebrated, right? If that is the case and the organizations are getting ahead of it. I wonder whether though what's the implication for the whole double exploitation, right?

So you've, it's like, so you may not pay the ransom upfront because you don't need to anymore. But if there, if the ransom provider, ransomware providers are saying, "Well, we're still going to release your data onto the dark web." Um, and you may not want that data out there, whether if it's sensitive customer information or health records or whatever, well, you know, IP. Anything else that they may have got of a sensitive issue. Um, I wonder what happens in that scenario where there is that double exploitation on the other end, does that get covered by cyber insurance? Do you still have to make a payment because well, you may be okay from your own systems and internal capabilities, but you know, you still got that risk potentially of data being leaked and exploited elsewhere.

Garrett O'Hara: So my take on that is that one of those things is incredibly damaging from an operations perspective. You literally cannot continue if you've been hit badly with ransomware, like it's kind of doors closed, you know, everyone's scrambling around trying to fix things. Um, the second one, which is the data exfil side of things becomes a, you know, communications and PR exercise, which you, it's not good, but you can recover from. And, and especially if you're transparent and you know, we've talked about it in this show many times.

Uh, you know, good communication and being open, being transparent, telling, you know, telling your customers or your stakeholders, what they need to know as they need to know it. Um, but my, my 2 cents would be that, you know, as far as kind of financial responsibility goes, keeping the business operational far itsy, exceeds the "Okay, we've got a PR problem. Uh, you know, we've got a, a, you know, a marketing issue here, but that we're going to have to get past." And, and the reality also is that with the amount of breaches that are happening at the moment, you know, if, if we roll back to when the three of us started talking on the show, it was a big deal. A relatively big deal when a breach happened and, you know, it was really big news and we got excited about it.

Like, and this sounds terrible. I care, but I kind of don't care anymore. You know, I read about a breach every day and it's, "Okay, the data is probably out there anyway." Um, and I wonder, is there a little bit of kind of cloud cover for organizations where they, you know, they, they worry about the data exfiltration is just less than it was because people, you know, their, their customers, their employees are probably less concerned than they were two years ago.

Bradley Sing: I think there's one thing coming as well. And it's probably something we should cover in a couple of weeks. We do the next news episode, there was a 217-page consultation report provided by the attorney general about the privacy acts. Basically, effectively a review of the current privacy laws. And they make reference to GDPR. They make reference to the effectiveness of the notifiable data breach scheme and the impact of that. They also make reference really to kind of the, I guess, the digital age of technology we're in. So I guess from the aspect of operationally staying up to, to your point Gar, if your company's taking on the ownership of making sure that their backups are good. Then hopefully that, that helps more from the resilience side of things.

And then if the government come in with good frameworks around and protections around the, the, um how, how data must be kept, and stored, and treated, and de-identification and things like retention. Which is something I don't think we've, we've probably managed too well here in Australia in the past. But the government comes with a good framework around that. Then hopefully that should at least minimize some of that data that is actually getting out there because right now potentially we're holding far too much.

Daniel McDermott: And I think the last point on this then is, is what does it mean for cyber insurance as we go forward? So you know, is it supply and demand, the premium's going to go up? Uh, what does it really mean? I guess what happens from here?

Garrett O'Hara: Well, I reckon, I mean, insurance companies have a, a big reputation for dropping their prices as the risk scenarios change. Uh, so, you know, I suspect what we'll see is a massive drop in premiums across the board, by all the cyber insurance companies. Yeah, probably not.

Daniel McDermott: Wow, that's a very positive take there, Gar [laughs]. Very...

Garrett O'Hara: Call me cynical, you know, my life my life and my interactions with insurance companies have been uh, look interesting. You know, I'm, I'm sort of being a little bit salty there, but in reality, they provide an incredibly useful service when it comes to cyber from advisory services perspectives, maybe less so than the, the covering of course. But yeah, they've, they've definitely got a strong and key role to play here. So, you know, I'm getting a little bit flippant, but also I find insurance companies very frustrating at a personal level. So... [laughs]

Daniel McDermott: [laughs] That's always good to get a a personal insight as part of the show as well-

Garrett O'Hara: [crosstalk 00:24:10] Sort of vent. You know.

Daniel McDermott: And you would get, you would get your own soap box to to just the hand on, which is good.

Bradley Sing: Who could say they like insurance though? That's, uh-

Daniel McDermott: Very relatable.

Bradley Sing: Very relatable.

Daniel McDermott: Terrific. Uh, the last story that we didn't want to talk about today that we have foreshadowed already is the notion that Gartner has done their annual CIO survey looking at budgeting for next year and what's coming. So what are going to be the big issue items? Where will budgets be spent? Um, and what sort of changes in that will be happening? Um, and what we see is a, is a forecast in an increase for cyber security, which I think is music to everyone's ears on who's listening. And it who is part of the show. So definitely it feels as though, you know, that's a great, I guess, lead indicator that, you know, people, organizations are looking at this, taking it seriously and putting in place, you know, actions and activities now to start to get ahead of it.

And like we see, it might see a continued drop in, you know, ransomware claims because things are actually in place, more things are getting stopped. They seem, becomes less of a problem because we're actually addressing it. Um, and we actually, you know, move forward and increase the, I guess, the security posture that we're all hoping for. But Brad, can you tell us a bit more about the survey and, and what is being forecast from a spend point of view for next year?

Bradley Sing: Yeah, sure. So this is an annual survey with Gartner conduct. Um, I think they do it for all the CFOs. I'm not sure if you received one Gar, for the, sorry, and, and for the CMO one. But the idea behind the surveys are that we asked a whole range of questions. Um, I think it's about 1,800 COOs globally. And part of me does wonder, I guess, do they do a CISO one as well, and with the intersection of stats overlap there. But it's respondents from 77, 74 countries, including over 111, 111 on the dock for A and Z.

And so really good local data in terms of what companies are doing here and then kind of benchmarked against the global average. Um, some of the things that call out is that during the pandemic, there was huge support for remote work. And if we all think back to the start of it, a couple of years ago, companies scrambling to get people in teams, that people have with the internet access ergonomic chairs. I think I was sitting on a milk crate for a, for a periodic there. Gar, you had a horrible setup as well. Um, but we were, you know, working on making sure that our workers could stay productive, digitally communicate. And one of the huge benefits of that is now we can kind of work anywhere. Um, but with that comes huge levels of risk, right?

You know, when now, a lot of these companies, they were kind of almost forced to move to the cloud. They should've done that earlier. Maybe they didn't, you know, it's up to them to assess their own risks, but now there's something in the situation potentially where they don't have enough maturity in security, and they've got to go through and start planning budgets. And what we can see from this report, it does look like there is, you know, a, a projected increase; it's the biggest part of the increase.

But interestingly enough, globally if we look at the increase locally, I think we're at about 3% and then globally, we're looking at about 3.6% increase. So Australia is still lagging potentially a little bit behind it in their investment in cybersecurity. But, but as, as a, as a whole it seems like we're kind of on the right track.

Garrett O'Hara: Yeah, it is. It's definitely, I f, I feel this is, it's heartening to see the, to your point, Dan, it's a lead indicator to the importance of cyber security and that CIOs are backing their CISOs. That, you know, presumably at least some of this is coming from projects or, or budgets that CISOs are putting forward for new technology or, you know, whatever it may be, headcounts within the, their organizations. But it's gr, great to see the spend here. I think one of the, the comments from one of the Gartner analysts was that it was kind of creating a service through the attacks and potentially hindering other areas of investments for future innovation.

And I kind of look at that and think, "Well, actually it sets you up for innovation more than anything else." And, you know, I know I certainly got my biases given the industry that we work in, but it, you know, it feels like how many times have we had the conversation around using good security as a competitor, a competitive advantage so that you can actually speed up innovation? Because if you do it well and you do it by design and you do it early like as you go forward, you don't have that technical debt that you're probably gonna have to fix at some points. And, or you don't get run somewhere or attacked or, or whatever it may be, you know, kinda oversimplifying. But it seems like a very, very positive thing that we're, we're seeing that increased spend.

Daniel McDermott: Yeah. I noticed that commentary as well and feel like it's, you know, we all feel as though what a positive news story this is, right? Like an increase in cybersecurity spend, you know, it's, it's, you know, at the boardroom level. It's top of budget lists, it's actually making, you know, making the grade and being seen as so important and yet somehow kinda find a way to steer from that. So there's still a problem in doing that. So I don't know, you can't please people all the time, unfortunately.

Garrett O'Hara: You, you can't. I mean, the, the point, and the guy's name is Andy Rowsell-Jones-

Daniel McDermott: Yep, he's based here in Australia. Andy-

Garrett O'Hara: He's a Vice President at, at Gartner, yeah.

Daniel McDermott: Yeah.

Garrett O'Hara: And like the, the point is valid. It's, you know, a risk-based approach is needed to make sure that organizations are not spending too much, is what he's quoted as saying. And that, that is true. Like one of the good things you want to do as just a cyber security practitioner, right? Anybody who's, who's kind of creating projects or budgeting, is you don't want to spend more than the assets are worth. I mean, that's, that's a core principle of cyber security and, let's be honest, that has been a thing that we maybe have seen some of where, and, and there were stats that went around in this, where organizations have, you know, 300 security applications. But they actually only use 50 of them.

And they're trying to consolidate and rationalize the, the sort of security ecosystem into meaningful things that have real outcomes. Um, so like definitely take that point. But I think in our industry, we've probably felt hard done by for a really long time in terms of like the allocation of budgets. And I don't know if it's just because of the work that we do, but I spend a lot of time having conversations where CISOs, security managers, IT managers complain about the lack of ability to spend money on cyber security. And, you know, this seems like a positive indication that maybe some of that sentiment is, it's changing.

Daniel McDermott: For sure. I think we'd definitely take the, the good news story out of it now, and hopefully look forward to 2022 continuing those investments and improving that, that cyber security posture, like you say, in a balanced, risk-based way. So it makes sense for everybody. So thank you, Brad and Gar, that brings this episode to an end and appreciate your insights as always. Gar, I believe that next week, not only do we have some special guests, but we also have a new host as well for a very special episode. Um, and continuing the theme of broadening the church and having diversity, who's on for next week, Gar?

Garrett O'Hara: Yeah. It's a, it's a ripper of an episode. So Amy Holden, who I've had the pleasure of co-presenting with at AusCERT earlier this year, is going to host and it's basically on kind of women in technology broadly. So she's got [inaudible 00:31:12] here from here and Berys as well, who's one of our customers, who's going to come on and talk in detail around, I suppose, their experience of being, you know, female in, in tech and, and probably more specifically cyber security. So I think a robust conversation. Amy was very happy with how it turned out. So I'm definitely looking forward to tuning in.

Daniel McDermott: Indeed, yes, Berys is the CIO of Corrs Chambers Westgarth, one of the largest law firms in, in Australasia, and has been in that role for some time and has done incredibly well and driven a lot of innovation for the firm as well. So yeah, really looking forward to, to that episode and hearing some new voices on the show as well, which is terrific. So, like I said, that brings this week's episode to a close. If you'd like to continue exploring key topics in cybersecurity, please jump onto getcyberresilient.com and check out some of the hottest articles, including an article from the CIO of Grant Thornton, Mr. Andrew Pritchett, on the field guide to building a positive cybersecurity culture.

Also look at insights on why threat analysts need both soft skills as well as technical skills in order to get ahead, from Brad himself, and take a look at the booming digital economy and the corresponding boom in attacks on retailers, posted by myself. So thanks for listening. And until next time, stay safe.
