• Garrett O'Hara

    Garrett O’Hara is the Principal Technical Consultant at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies. When not talking about the cyber security landscape, data assurance approaches and business continuity Garrett can be found running, surfing or enjoying the many bars and eateries of Sydney's Northern Beaches.



This week Gar is joined by Prescott Pym, Head of Managed Security Services for Verizon’s APAC SOC and still a self-confessed ‘cyberholic’. With 14 years under his belt at Verizon his experience and insights run deep. 

Prescott brings his wealth of experience along with his passion for cyber resilience to this discussion focused on Verizon’s 2021 Data Breach Investigations Report. Prescott walks us through the changes to Verizon’s approach with the DBIR this year, key findings, some of the nuances in the industry and regional data such as the prevalence of social engineering in APAC, and what the data can be used for in terms of planning. 

To get your copy of Verizon’s 2021 Data Breach Investigations Report please follow this link: https://vz.to/3A15sYM


The Get Cyber Resilient Show Episode #65 Transcript

Garrett O'Hara: Welcome to the Get Cyber Resilient podcast. I'm Garrett O'Hara. Today we're joined by Prescott Pym, who is head of managed security services for Verizon's APAC SOC. Last time Prescott was on the show, he confessed he was a cyberholic, and it's fair to say he hasn't recovered. With 14 years under his belt at Verizon, his experience and insights run deep. He joins us to go through this year's data breach investigation report, which is a mainstay of cyber reports and much referenced by anyone building PowerPoints. We talked through the changes to Verizon's approach with the DBIR this year, key findings, some of the nuances in the industry and regional data, e.g. the prevalence of social engineering in APAC, and what the data can be used for in terms of planning.

Prescott is always a pleasure to speak with, so over to the conversation. A second time on the show, Prescott, how are you doing today?

Prescott Pym: Yeah, very good. Thanks. So, I really appreciate you having me back out. It's great.

Garrett O'Hara: So, so good to see you again. Um, and yeah, just off the back of the AusCERT conference where you were one of the speakers there, which is pretty cool. I heard the talk went really well.

Prescott Pym: Yeah, now that was really interesting. I've been to AusCERT a number of times myself over the years and, you know, I was really taken by a lot of the, the quality and the caliber of the people sort of the, on the other side was, you know, it was, you know, quite, you know, a feather in the cap for, for me. I was really nervous to go through and do a presentation, but luckily it was remote, because I couldn't make it up to Queensland. So there was actually a couple of my, yeah, plants in the audience giving me some, some feedback on how it went. So that was, that was good.


Garrett O'Hara: Very cool. Very cool. Um, and your, your talk was on how not to run a SOC, which is kind of fits in exactly with you with your role, which is, you know, a perfect segue to, to kind of give us maybe a little bit of a background in your bio, you know, how you got to, to where you are today and what you're currently doing with Verizon.

Prescott Pym: Yeah, sure. Happy to talk about that. So, I've been in the information security for around about 20 years now. Um, but seven years in, in government doing, you know, sort of a security gateway management, and for the last 14 years been at Verizon as the current role is, you know, leading the security operations center for Verizon. Number of roles in that, I've been able to travel the world, help spin up our SOC teams around the globe. So I've had really, you know, fortunate experience to, you know, not just learn about running cyber SOCs in Australia, but across the globe as well.

Garrett O'Hara: Yeah, very cool. And the, and the talk was on how not to run a SOC. What, what was the theme or the sort of broad message in the, in the talk at AusCERT?

Prescott Pym: Yeah, now it's an interesting topic, had, had a lot of content to, to draw on from experience there.

Um, but yeah, these days, I think it's, it's about managing your data. Um, you know, how is that relevant to what you're doing? And then how can you scale that? Um, what does it mean when you're presenting information to analysts? What are they gonna do? What are the actions they can take out of that and how they can... Yeah, correct. Yeah. Knowledge and experience for an organization to help you tackle, you know, risks and business problems. So I think in the old days a SOC was just something that sat in the corner [laughs] and uh-

Garrett O'Hara: Yeah.

Prescott Pym: ...it's like, yeah, we've got a SOC, tick. But now it's okay. Well, it's an integral part of the business as part of a broader cybersecurity strategy, you know, with the tension up into the CEO and board level. So what the guys do really matters to the business these days.

Garrett O'Hara: Yeah, phenomenal. What we'll do is we'll include a link to the talk, as it is, it's been published, right? And we will include that in the show notes for the episode, so people can go and check that out. 'Cause yeah, like I, I saw the feedback in the comments on LinkedIn and it was, it was very, very positive. So it would be a good one to, yeah, to push out to the audience.

Um, yeah, look, I suppose today the, the main topic for us was the data breach investigations report you guys have put out for 2021. Um, which is one of, I think it's probably the report that everybody waits for every year. [laughing] And I kind of said it last time. It's, um, you're guaranteed to see the, the stats that are in that report in, in prezzos for the next 12 months, you know, it'll be kind of, yeah, it'll be the one that's quoted when it comes to the cyber security industry. Um, but I thought a good place to start, Prescott, would be if we could just kind of run through what the report is, how you guys generate it, some of the things that are different in terms of the approach this year, you had the updated patterns, et cetera. Um, and then we can sort of, we can start getting into, yeah, what did the report actually say? But yeah, if you don't mind kind of running us through what the report is, how you guys generated, et cetera.

Prescott Pym: Yeah, sure. Yeah. So the data breach investigations report is, is exactly about that. It's investigating data around data breaches particularly and security incidents. We're looking at information that's got out there from companies that they don't necessarily wanna have out in the, the public domain. So it's been running for about 14 years now, I think roughly the same time I've been at Verizon. And I think it really started out as like, Verizon, um, and, you know, in previous forums, such as CyberTrust and other companies, we've done a lot of investigations into data breaches from a forensics type practice.

Garrett O'Hara: Hmm.

Prescott Pym: So initially it was, yeah, how can we publish some value from that? Because quite often it's quite sensitive, these types of information that would be, you know, released during a breach. So yeah, taking a da- data science approach to that. Um, how can we find some, some trends in activity, it's gonna mean a lot to other people and, and help them out. Um, so that's, that's sort of, that's where it started from. Data that we had internally at Verizon, but then sort of after, you know, a few years of running sort of, we extended that out to say, well, how can we bring in some other partners who might have some other points of view, data that they can add into it.

So we started to get some external contributors, USCERT or JapanCERT, Australian cybersecurity center, previous incarnations as well. So, so marrying up that data and finding across the industry, some reports will be just, you know, what does that company see? Which, you know, is valuable.

Um, but when you can bring in a broader data set, you can identify some, some, some bigger trends. And we've had a range of good contributors, you know, over the years, including our own internal services as well to give a really good snapshot over time.

Garrett O'Hara: Yeah, very cool. Um, it's, and it's big, right? I mean, it's, it's a couple hundred pages long. There's a full report of, and you know-

Prescott Pym: Yeah.

Garrett O'Hara: ...you, the, the exec summary is 30 pages. So it's, it is really a, a kind of a rich set of data, which is phenomenal. Um, and I know, look, I, I personally lean on it. It's one of those ones when it comes out, I kind of send it around and make sure everyone kind of is aware that it's there as a kind of resource.

So yeah, good times. W- look, at last time you're on, you know, we talked through this and I sort of asked you back then if you're able to summarize the kind of findings, the big trends that you're seeing. And yeah, it'd be good if we could start with even a, a repeat of that, you know, what, what do you see as the, the changes that, you know, maybe since the last time we.


Prescott Pym: Yeah. Yeah, sure. So as part of the report, and we've got, I should mention some of the contributors from around the region here, particularly Australia, where, where some of the audience might be from, but, you know, Department of Premier and Cabinet in Victoria are contributor, Paraph Lay, which is a managed services organization out of Sydney.

Um, for instance, Malaysia, Japan. Um, so there's a, there's a, there's a good, you know, selection of organizations, different types of feeding data into the report. So all up the DBIR, our team managed or looked at nearly 30,000 security incidents in the data set.

Garrett O'Hara: Okay.

Prescott Pym: So when we say we've investigated, we pull those into a common format called VERIS, V-E-R-I-S. It's actually an open source, um, public domain taxonomy for describing security incidents, security breaches. Um, so if you can sort of think like MITRE as a framework, we can sort of plug in the VERIS format into MITRE and other things as well. Um, so it just gives that consistent method of describing the same sorts of a- attributes of security incidents. So, so if there's 30, 30,000 security incidents, there around 5,000 that were confirmed breaches. So some sort of loss of data, that's an increase from last year's report. And, and to your point about what's changed, we've actually seen a lot more, the incident slash breaches from the APAC region as a, as a whole.

And there's some of that because of changes in different types of organizations that are contributors as well. So we're just gonna, you know, keep in mind that it's not necessarily a static base of the same data being looked at it over and over again-

Garrett O'Hara: Yeah.

Prescott Pym: ...but you know, there, there was a bit of an uptick in, in APAC. Um, and, and you know, another key takeaway from, from me from the report was that, you know, in, in APAC, we see, we see, yeah, more often than not, it's gonna be external, you know, attackers that are, you know, causing a, a data breach. In, in the global data set in Europe and the USA, there's, there's more sort of internal focus data breaches as well. Um, but in the APAC region, it's, it's, it's heavily slanted towards external attackers and being financially motivated to, you know, trying to [laughs] get some, some outcomes.

Garrett O'Hara: Yeah. I'd be interested to, oh, I'm, I'm so fascinated by data when it appears like that, because yeah, I'm, I'm always just gonna think of it, what's the underlying cause for those trends, which I think we'll get to a little bit later in the conversation because there's definitely some interesting things when you compare different regions like North America, EMEA, and say APAC for, you know, some of the patterns, et cetera.

Um, you know, one of the other things that I, I noticed, and it's fairly early on in the kind of exec summary, is the, the, you know, the first point that ransomware is still on the rise, which I don't think there's any surprise. Um, and the stats saying that it's appearing in 10% of breaches. And I, I thought that was quite interesting given the, the amount of coverage that we see on ransomware and the amount of coverage that ransomware gets in the media and, you know, at a political level these days.

And you know, I was kinda wondering, unlike are we missing something that we focus so much time on ransomware when, you know, it's, it's really, it's in 10% of breaches, like, is there, what's the data telling us there?

Prescott Pym: Yeah, that's a, a great question. Uh, and, and yes, certainly you're right. Um, yes. One of those changes in the past, you know, 12 months to two years, particularly with COVID, is sort of phishing and ransomware are the big increases in, in the, in the data set.

So phishing increased 11% over the past year. And a lot of that was really COVID targeted, and ran- ransomware increased 6% in the dataset as well. So it's, it's, it's really about the changing attributes of the types of attacks that are successful. Um, and the, the criminals will [laughs] go after what's successful and what's making them the money.

And, and we can see, you know, ransoms being paid. Um, they're making a lot of, a lot of money out of it. So yeah, but that, that doesn't necessarily help, it encourages them to, to try again somewhere else. It was really interesting to see just in the past few weeks that one of the Japanese manufacturing companies also got hit with ransomware and refused to pay it and restored everything from, from backup.

Um, so that, that, that sort of gives me hope that, [laughs] you know, there, there's organizations out there that are resilient enough that they can restore from these types of activities. And then, and then, you know, get their business back in operating again. Um, but so it, it's definitely to your point that it's in the media and it's quite, you know, on the top of everyone's list.

And a lot of CEOs, for instance, are, are worried about, you know, this is the number one attack that we don't want to be in the news, um, as, you know, someone who's been hit by ransomware and operations have stopped, because that's really embarrassing. Um, whereas traditional other types of breaches or, or thefts make, are a little bit unnoticed.

Um, I think the mandatory data breach reporting legislation helps a little bit with that, but ransomware is one of those things that [laughs], like we saw just in the last couple of days around, you know, the, a lot of the banks being offline with, yeah, [laughs] an issue, not necessarily cyber related-

Garrett O'Hara: Yeah.

Prescott Pym: ...but these things are making the headlines immediately when they happen.

Garrett O'Hara: Yeah. So that one hit yesterday on my, I think like everybody, my, my brain just goes straight to cyber attacks, [laughs] but I think it was, from what I read, it was, a ECMA, we had some sort of tech issue and then caused the outage for a bunch of, a bunch of the banks. And one of the other kind of interesting points in the data breach investigations reports was around this idea of social engineering.

And there was a few interesting sort of data points. One of them we'll get to a little bit later around this sort of difference between the APAC and, and other regions. But one of the things I did notice was that you guys had looked at click rates on things like simulated versus real phishing attacks and also click rates on, on our, sorry, open rates of emails that were coming through in, in sort of phish campaigns and, and I suppose real phishes. And yeah, I thought it would be interesting to maybe have a chat about that because that, that, that, those kind of benchmark data points are things that come up quite often for us in conversations, you know, given what we do as a, as a company. Um, but yeah. What, what are your thoughts on, you know, I suppose, phishing emails and, you know, inbound stuff, and then maybe some of the stuff that the data shows.


Prescott Pym: Yeah. And, and I think it was, as we just mentioned, you know, that's, that's the biggest growth in our data set, is, is 11% at phishing. So it's still, still a challenge that we need to, to get across. Um, some of the, the partners that we worked with in the report this year, I think we've got roughly about 1.1 million, you know, data points around, around phishing showing that on average around about, yeah, sort of 25% click rates for most of the templates [laughs] put out there. And in some cases, those go up to, you know, nearly 75% for the, I guess, the really crafty and successful ones. Um, and yeah, and then curious, also, I can put it back to you guys. What, what do you see from your industry around phishing rates and things like rates?

Garrett O'Hara: Yeah, like honestly, it, it's around that, you know, we, you know, we often talk about, and, and depending on where people are, I suppose, in terms of awareness training, that's probably a, a, a deciding factor.

Um, but if you go into green fields, you know, they've never done security awareness training before, never done phish campaigns, which is, is getting more and more rare. Um, but you'll see, yeah, 20, 30, depends on the phish campaign. Also if you've done something really clever and with amazing social engineering, you know, and pushed it really hard, you can get incredibly high, um, open rates and, and different click rates and even people providing creds.

Um, but, you know, the, the air quotes or bunny ears standard stuff, you know, we'll often talk about 20, 25% open rates is, is sort of a starting point. And then also while you, what you want to do is over the course of a behavior change program, bring that down, you know, and you want to get to the, the sort of low single digits, you know, ultimately that's where you want to land.


Prescott Pym: Yeah.

Garrett O'Hara: So, yeah-

Prescott Pym: Yeah, I think, I think also it's, you know, the, the, the criminals are quite crafty at the types of campaigns, like, they, they, they put out there. [laughs]

Garrett O'Hara: Yeah.

Prescott Pym: And, you know, as, as a security professional, it's important to keep on top of some of these types of trends.

Garrett O'Hara: Yeah.

Prescott Pym: I, I think, yeah, probably my view is probably over the next couple of months, we're gonna see a lot of, you know, crypto opportunities because crypto is making, the cryptocurrencies and making the news quite a lot.

And people starting to get a bit more aware of it. Um, I've seen, you know, covered on, on national news and things like that. So as people start to think, oh, here's an opportunity, [laughs] that's when, when people can, can start to export it. But it's also interesting, I read an article yesterday about a, a social engineering attack, not necessarily, you know, phishing, but, you know, for, for people who have been investing in cryptocurrencies, they often use a USB hard token to download, install their cryptocurrency.

And, and this particular attacker had, had got details of someone from an exchange, physically mail- mailed out a new, you know, crypto USB device that had been tampered with, to, you know, send back their private keys to obtain their, their crypto. So you know, these guys are pretty incredible [inaudible 00:16:53] they go to-

Garrett O'Hara: They, they are just clever is, I don't know. It's, it's, it's one of those weird ones where you just think, the amount of talent that's there on the, you know, dark side, you know, the, the thinking, the cleverness, man, if we could apply that to getting tomorrows quicker or, you know-

Prescott Pym: [laughs]

Garrett O'Hara: ...curing some of the diseases out there, the world would be an amazing place.

Um, you know, like, I, I definitely take your point about the, the sophistication of the phishing attacks that are coming in and, and stuff coming in through email. And, you know, is clearly one of the, the main factors for that stuff, it's, it's astonishing. The, you know, the level of detail and crafting that goes into the attacks is, is amazing.

And the social engineering aspect to, to, to really push people's buttons, including, and you know this, that you, you've probably seen the reports where server security professionals get popped by phishing campaigns.

Prescott Pym: [laughs]

Garrett O'Hara: You know, we, we think we're clever and we'd spot them. And and in reality, when you're busy and distracted, you, you sort of don't.

Prescott Pym: Yeah.

Garrett O'Hara: Um, maybe pivoting a little bit, um, do you see any kind of noticeable trends in the types of threat actors? So as you move between different industry types, which is one of the, the, the sort of slices of data that you guys do. Um, so like for example, you look at the financial and insurance vertical, and you see the, you know, the threat, internal threat actor numbers jump up to 44%, which seems to be the highest compared to the other industries or verticals.

Um, is there, like, a, is there any kind of background explanations for the kind of internal, external ratio between those different industries?

Prescott Pym: Yeah. Yeah, no, it is interesting. And the, I guess a lot of the internal type threats and breaches really come up through misconfiguration and, and-

Garrett O'Hara: Okay.

Prescott Pym: ...mis-delivery and things like that.

So, you know, for instance, accidentally publishing something with the wrong permissions as publicly available. Um, that's been an internal threat, has been, that's been realized. Um, yeah, just the last 24 hours, I've seen an issue at a large pharmaceutical company in the US. W- there's a data breach of it, it was 200 something million records.

Um, and yeah, that was because there was a cloud database left, left exposed. Um, so that's still a huge challenge, particularly as we're thinking about digital transformation. I know it's a bit of a buzzword, but getting some of those, those basic hygiene tasks around IT programs is, is, is really critical to stopping data breaches from happening.

So maybe that's something we're good at in the APAC region, [laughs] because most of the breaches are coming from, from an external perspective, but we, we say, you know, particularly in, in the US, a number of data breaches where, you know, it could have been prevented, um, because there was some sort of human error, and it's not just necessarily the individual humans, it's the, the processes and structure around how you organize a information security program.

Garrett O'Hara: Definitely. And I think the complexity with the, mainly the cloud services out there and where data is stored, how it's stored, how it's accessed, like the configuration of those systems, um, these days is just so incredibly complex, you know, and to the point where I know there's plenty of tools out there that kind of do it auto- you know, automatically, where it can kind of scan, you know, Amazon set up or, you know, pick your, pick your thing-

Prescott Pym: Hmm.

Garrett O'Hara: ...and, you know, almost do a configuration assessments and then point a bucket, you know, S3 buckets, not encrypted, or, you know, th- this thing has default settings, blah, blah, blah, blah, blah. Um, but it's definitely, it's something I'm hearing more and more about, is just, you know, we're moving all the stuff to the cloud, but the, the ability to secure data, processes, all of that stuff in the cloud can be just so incredibly complex and to get right.

Prescott Pym: Yeah. And, and indeed sort of some of the, the data from the report shows that in the past, while there might've been a lot of on-premise type devices impacted or, or breached, more and more increasingly that, that's, that's growing to cloud-based services that are being breached. And I think a lot of these providers do great job, like with shared responsibility models and trying to get out there the information.

And like I said, have the tools to allow people to configure them, but there's still a lot as IT professionals we need to do to make sure that, you know, we're doing the right things for the companies.

Garrett O'Hara: Yeah, no, definitely. I get that. It's such an interesting one. The on-prem versus clouds you know, that arguments, it's not even an argument, I suppose, but you know, one of the things that I I've sort of had the conversation about so many times is the, the, the amount of budget and resources that a cloud service provider can put behind securing their tech in their platform.

And they've got way more at stake and in my mind, anyway, if it goes wrong, it goes wrong in a really bad way. Reputationally.

Prescott Pym: Yeah.

Garrett O'Hara: And I think for me, it's often the it's the configuration stuff, rather than the kind of baseline is the tech platform safe. It tends to be, you know, Bob forgot to change the default password or, you know, Bob, you know, as you said, is a process issue, you know, it's spinning up a service or, or whatever that, you know, it hasn't been secured correctly.

Um, yeah, such a complex wor- world we live in. You know, thinking about the regional split outs. Um, one of the things I, I circled in highlighter, sort of like-

Prescott Pym: [laughs]

Garrett O'Hara: ...what does that mean? Um, was the regional data around social engineering and how much more prevalent it appears that is in the APAC region. And the stats being around 70%.

Um, and then that number drops to just under 40% for North American breaches where social engineering's involved, and then below 20% for EMEA. W- what's that telling us, are we just easily, social engineering [laughing] those down there?

Prescott Pym: Yeah. We're a bit more gullible.

Garrett O'Hara: Yeah.

Prescott Pym: Since, I think part of that is a function of, you know, the, the types of attacks that we're seeing.

So we, we talked about-

Garrett O'Hara: Yeah.

Prescott Pym: ...primarily external, phishing related is probably you're aware of what that's coming from, whereas in the, in the US the actual breaches, yeah, seem to have an increase in, you know, internal misconfiguration and, and, and things like that. So, yeah, maybe, maybe we are a little bit too trusting [laughs] uh, here and we need to do more on, as you said, the security awareness front, getting, getting those messaging out.


Garrett O'Hara: Yeah, which I, I think there's, there's still happening, even at the government level, the CASE is starting to do campaigns on ransomware and it definitely feels like that, that's been dialed up more and more. And to me it feels like anyway, in 60 minutes as the, the p- the piece on cyber I think this Sunday am Ellis from, a givens on there and under hasty.

So, you know, he's definitely starting to see the, this stuff hit this ghost in, in a much more useful way I would say. And then, so like what does the, the DVI or DVIOR, I probably shouldn't say all the letters, but what does, what does that sort of data tell us about potential changes in approach, or maybe even thinking for security planning for the next 12?


Prescott Pym: Yeah. I, I think a lot of that still comes back to, you know, we're getting some of the, the real basics and the, the cyber hygiene right. Um, it was interesting to note that the federal government's looking to mandate the, the entire Essential Eight to, to all government departments over the next 12 months or so.

So that's, that's gonna be interesting to see how that develops, and particularly, you know, we've seen a lot of organizations, or government organizations, not able to leave and keep up with the top four. So I think that's going to be a big one for a lot of CIO's sizes in, in, in government. How do they, how do they, [laughs] they get to those targets and stretch their programs further?

Is there increased funding to go along with it? Um, and, and for, you know, enterprise, yeah. Um, I guess what I'm seeing as well, as a lot of, a lot more visibility at the board level. Um, or more of the work that we do in the SOC is sort of floating up, you know, towards the CIO, towards the boards, so they can make investment decisions about how can they address some of these, these problems.

But you know, it's not necessarily just a cyber problem. It is a, a wider, you know, IT problem with getting your IT systems right. Cyber is sort of, you know, the layer over the top, protecting it. Um, and it still addresses a lot of the core, you know, we need to get IT governance and investment right for an organization.

Garrett O'Hara: Yeah, I, I, I definitely get everything you're saying there, it, it feels different. You know, that there's something that's changed in the last 12 months. And I, I don't know if it was our prime minister getting up on a, a podium. Was it June last year? And you know, we're under sustained cyber attack, but it, it just feels, it feels like things are moving. You know, there's a focus on this stuff, the, the focus groups that are happening, you know, the, the governments, New South Wales government and private enterprise, the federal stuff.

Yeah, it does feel like there's a lot going on. Yeah, the Essentially- [crosstalk 00:25:46]

Prescott Pym: I would, I would also say I've seen a lot of, as you say, a lot of traction within, you know, things like the Australian cyber security center, they've been doing a lot more consulting with industry.

Garrett O'Hara: Yeah.

Prescott Pym: Um, and I think there's a, there's a real,

Garrett O'Hara: Yeah.

Prescott Pym: ...change sort of swiping through there.

Um, as they, they look, how can we really make some impactful difference across the economy?

Garrett O'Hara: Yeah, and I definitely get that into the reports of parliaments and the cyber posture have just came out last month as well. And I noticed that it probably reflects actually what you've just said around, you know, we, we wanna do these things.

You know, maybe want to get the Essential Eight in place, which I, I also want to call it like this. There's differing opinions in that one too. And you know, whether that's going to be effective or, or have the impact in the way that we wanted to, so, you know, that's a whole topic of conversation, maybe not for today, but one of the things, as I was reading through the posture, cyber posture report to parliament, was the, the problems that are being reported are kind of the same ones from the previous year.

Prescott Pym: Hmm.

Garrett O'Hara: You know, lack of, the ICT kind of life cycle is at a whack. Um, there's a lot of legacy systems or systems which it's, it's almost impossible to do the Essential Eight, let alone the, you know, the top four, when you can't do it because of, of hardware or software issues. Staffing, you know, attracting talents, and then fundamentally it's, to your point Prescott, if we want to do all this stuff, like it does it cost associated with it.

Prescott Pym: Yeah.

Garrett O'Hara: ...and we're like, where's that money come from? Where does that funding come from?

Prescott Pym: Yeah. I'm just gonna be careful not to turn it into a compliance activity. Um,

Garrett O'Hara: Yeah.

Prescott Pym: ...it's, it's got to come back to managing your key risks and threats, and that's where

Garrett O'Hara: Yeah.

Prescott Pym: ...things like the data breach investigations report can give you a, a really good understanding of what's changed.

What's going to happen. Um, where are your threats gonna specifically come from, particularly for, for your industry as well? Is it going to be an internal [laughs] type of data breach or an external, you know, these, these are decisions that you should be looking at to make sure that you're making the right investments for your program.

Garrett O'Hara: Yeah, I know, definitely get it. It's, it's one of those ones where I think that without getting into the weeds, but I feel like we try and oversimplify things in society sometimes and you know, not take a step back and see what are we trying to get? What's the outcome. And yeah, to your point, compliance is not the outcome.

Security is the outcome. And you know, they're, they're two different things. Um, maybe, maybe last question. So, you know, last time around I, I asked you about kind of better reporting and have visibility sometimes makes things or makes it seem like things are getting worse, but actually all that's happening is we're, we're getting better reporting.

So, you know, the numbers go up, but it's not because there's more things, it's just that we're more aware of the things that were happening before. Um, and I noticed multiple places in the report that highlighted like really high discovery of breaches by external parties. Um, so it sort of feels like department's getting worse, but are we just seeing better tooling pending internally and then more focused from external parties in discovering breaches?

If that makes sense, like, is the data telling us something there or is the reporting just getting better so that we're seeing more of the stuff that was already happening?

Prescott Pym: Yeah, this is a really interesting area. And, you know, you look at parallels with other, you know, types of issues in society, like domestic violence, right.

And so that going up, is that a case because people are getting better reporting it or feeling like they can come forward [laughs] about that sort of stuff? Um, in, in a similar way, I think, you know, w- we started with the, you know, the, the legislation around mandatory data breach notifications, like it's still a long way.

We can go to making sure that we're exposing what's really going on as much as possible because that's, while it's really impactful for those organizations, it helps lift everyone else up before we ever aware of what the trends are and where it's going. So I think it's really important to apply some, some data science across that sort of data, release it publicly so that we can, we can get a track of going on. So I think you, you're right, it's, we're continuing to see issues. We're continuing to see it, it growing from, from a data sets perspective. Um, that's a good thing in my view that we're, we're getting that visibility. Um, but obviously there's still an underlying challenge that we need to deal with.

Um, as a, as a profession, as society.

Garrett O'Hara: Yeah. Yeah, definitely get that. As a Peter Drucker, you know, you can't manage it if you can't measure it or whatever, that you're that famous quote. Um, so yeah, like I, I definitely get that side of things and um, yeah, a hundred percent think that like, yeah, the, um, data breach investigation report is, it sort of feels like the gold standard or the one report every year that has such a depth of information and data and broken down by industry, broken down by, by region. Um, it is phenomenal. We should almost have a, in our industry, you know, photos of people who are quoting the, the variety of reports...

Prescott Pym: [laughs]

Garrett O'Hara: ... in, in PowerPoints in the next 12 months, and whoever gets the most photos of, of people on, on a stage or in a webinar using it, you know, wins a prize from Verizon.

Prescott Pym: [laughs] Yeah.

I w- I would also say some, some of the data can be a bit hard to understand in the report. And then I, I had a presentation. I gave an overview of the report the other day. And someone said, I really don't understand how the graphs work. Um, so I, I'd encourage, you know, even the executive summary, as you pointed out, it's like 30 pages long, worth of data.

So we, we do run some sessions, um, where people can come and ask questions. So, I encourage people to, to look for those avenues as well.

Garrett O'Hara: Yeah. Maybe if, if it's doable, we can include that in the show notes for the episode as well. That'd be fantastic if there's any of those coming up or, or where people can then find them on the, the Verizon website.

That'd be awesome.

Prescott Pym: Yeah.

Garrett O'Hara: Um, and I'm a big fan, by the way. I love the, the, the, I'm gonna say the interesting and kind of quirky approach to data presentation is something that I've always kind of put that's cool. I like the thinking, you know, it's like you know, the book that data is beautiful. I think there's also a website actually, but showing data in different ways.

Um, and visualizations, I think is yeah, it's something I've always kinda looked at the report and kinda, yeah, that's, that's interesting. What [crosstalk 00:31:46]-

Prescott Pym: Yeah. That's, it's a good point because it wasn't until I hit present on one of these, these slides that I did, I noticed that some of the charts that they've pulled out of the report actually move.

So at the, the line grows and thins to show the, the deviations, standard deviations from, from the norm. So it gives you an insight visually of how the data is varying in the data set, not just static, like it would be on a PDF or on paper.

Garrett O'Hara: Yeah, definitely a little bit more advanced than pie charts and...

Prescott Pym: [laughs]

Garrett O'Hara: ... [crosstalk 00:32:18] next, next level data representation, which look, I think you need, right? There's context here when it comes to this stuff that, yeah, sometimes, sometimes the pie chart is just not enough.

Prescott Pym: [laughs]

Garrett O'Hara: Awesome. Well, Prescott, it's, it's been so good to have you on again, really, really lovely to chat to you today and yeah, lovely to see you kinda out and about on the, the speaker circuit.

So definitely somebody to kind of keep an eye on. Um, we will include the, like I say, the, the link to the AusCERT talk in the show notes and also the link to wherever people can find those sessions that you guys are running on the DBIR for 2021. But yeah. Thank you so much for joining us.

Prescott Pym: Not a problem, Garrett. Thanks for having me.

Garrett O'Hara: Thanks so much to you, Prescott, again for joining us. Links to his AusCERT talk are in the show notes, so check that out for sure. As always, thank you for listening to the Get Cyber Resilient podcast. Jump into the back catalog of episodes and like, subscribe and leave us a review. For now, stay safe, and I look forward to catching you on the next episode.
