Garrett O'Hara

    Garrett O’Hara is the Principal Technical Consultant at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies. When not talking about the cyber security landscape, data assurance approaches and business continuity Garrett can be found running, surfing or enjoying the many bars and eateries of Sydney's Northern Beaches.


Breaking down fear in cyber security with Jason Duerden


This week Gar is joined by Jason Duerden, Managing Director of BlackBerry Spark. From beginnings in events and hospitality, Jason says he “fumbled his way into cyber”. He started out working with a hotel group running their IT ops and security, then dived into systems integration before ultimately finding his place in cyber business operations. Jason has worked with Aquion and Cylance and now leads at BlackBerry Spark after Cylance’s acquisition.


The Get Cyber Resilient Show Episode #34 Transcript

Garrett O'Hara: [00:00:00] Welcome to the Get Cyber Resilient podcast. I'm Garrett O'Hara and today we're joined by Jason Duerden, managing director of BlackBerry Spark. From beginnings in events and hospitality, in his words, he fumbled his way into cyber. To me, it looks like he found a home. He started out working with a hotel group, running their IT ops and doing their security, then onto systems integration and ultimately into business operations in cyber. He's been with Aquion and Cylance, and now leads the BlackBerry business in the region after Cylance's acquisition. We talked about the problem with the perception of vendors in cyber resilience and get Jason's insights on how the vendor side of our industry can be better.

We talk about fear as it relates to cyber security, the impact of fear, the messy problem of IoT, the recent New South Wales cyber security strategy work and the national cyber security strategy. And we [inaudible 00:00:57] with Jason's thoughts on protecting the SMB space. I hope you get as much from the conversation as I did, so over to the interview. Welcome everybody to today's episode. Today, I'm joined by Jason Duerden who's the MD for BlackBerry Spark and [inaudible 00:01:13] how're you doing, Jason?

Jason Duerden: [00:01:14] I'm good. Thanks, [inaudible 00:01:16]. How are you? Thanks for having me.

Garrett O'Hara: [00:01:17] Doing well. Yeah, thanks. It's great to, to have you here. Where, where does this podcast find you today?

Jason Duerden: [00:01:24] Uh, I'm currently in my attic at home. I've re, refurbished the attic at home into, uh, a work from home office. Uh, I mean, we were pretty flexible anyway before the pandemic, but set up for, you know, a multi-screen desk and I'm overlooking, uh, Everly train tracks and the Commonwealth bank building across from my house [laughs] out the back. So it's not about, um, it's not about urban jungle view, I guess. Uh, so yeah, happy to be here.

Garrett O'Hara: [00:01:55] Happy days. So the first question I pretty much ask everybody is how did you get to where you are today as the MD for BlackBerry Spark? What's your, what's your journey been? How did you get to, to today?

Jason Duerden: [00:02:06] Yeah, a pretty interesting one. I mean, I, I originally started, uh, more in, uh, you know, events, hospitality, leisure industry, you know, coming through school as most, most people do, you work in bars and all the rest of it. Um, studied business at school, you know, always been highly interested in gaming and technology and you know, creative aspects like web design, um, and you know, creative design and managed to really, I guess, fumble my way into cyber, um, which, you know, funnily enough, or, or not, many people I speak to are kind of in a similar boat.

Um, you know, I think it, it draws you in the attractiveness of, you know, adversary versus defender and nation versus nation, and that sort of excitement that comes along with that. Um, uh, so yeah, I kind of fell into that. I, I spent some time, uh, working with a hotel group, running IT operations and really kind of got into the security aspects of, uh, managing their internal, um, security functions from a technical aspect, so administration and operations. Um, from there moved my way into systems integration world and started on, you know, the dark path to, uh, to, [laughs] to sales, as they say, um, and slowly moved my way from, you know, the more technical architecture aspects through to the business operations in cyber.

So spent a bit of time with a company in Sydney called Aquion, um, from there I moved to a startup world, a company called Cylance, [inaudible 00:03:46] pretty crazy, uh, few years. And most recently I'm now leading the BlackBerry business and, and I entered after the Cylance acquisition. So, um, yeah, not, not necessarily a traditional entry into, into cyber and IT, but, uh, extremely happy that I made those choices. It's a, it's a wonderful place to be. And I think you would agree it's an exciting industry to be part of.

Garrett O'Hara: [00:04:12] It definitely is. And I echo your, uh, comments around people falling into it, or kind of having a fairly windy [laughs] travel for trail to land in cyber. It's amazing the, uh, the places that people have come from from, you know, recruitments, hospitality, uh, pure business, like there's just such a, um, heterogeneous set of people and skills that kind of all seem to land in this place where, um, yeah, we do this thing called cyber security. So yeah, it makes it fun. And I love that you've called us the, the dark arts of sales as a little in joke [laughs] in, uh, in our company around, um, me describing sales as you know, the, the dark side sometimes. So, um, [laughs] thanks for getting, thanks for getting me in trouble. Um-

Jason Duerden: [00:04:52] [laughs] [inaudible 00:04:54]

Garrett O'Hara: [00:04:55] So look, when we spoke, um, you know, we did a prep call for the interview today and, um, when we were doing that, um, we talked about what's really a problem in cyber resilience in general. It's kind of related to the, uh, the perception of vendors. And I've heard other guests talk about this kind of problem. Um, but from your perspective, can you kind of run us through what you, what the issue is?

Jason Duerden: [00:05:17] Yeah. I mean, uh, if we kind of break it down to the, the fundamental lack, the goal of, you know, security vendors at the core is to protect people and systems and devices, right? Like, you know, I, I don't think you could argue with the reason for manufacturing security technologies as for anything else. Um, you know, they're obviously designed to do a purpose. Um, but I think the majority of it really stems from perception, um, and the perception comes from that dark art. So being on, on the sales, uh, sales side, right? The sales motivation that comes with being the manufacturer of a product and, um, sometimes can be positioned as a higher priority from a sales person than actually helping solve a problem, right?

So I think there's been a bit of a behavioral perception piece that's elevated that I think over, you know, over time, not just in our industry, I guess in any industry where there's a sale and, and a purchase. Um, and I guess the result of that is whether you're a customer or in a, in a government agency or you're in a, you know, a bank or retail or whatever industry you might be in, um, not by default, but sometimes by automatic engagement, the, the vendor is held at a bit of an arms length, right?

Garrett O'Hara: [00:06:36] Yeah.

Jason Duerden: [00:06:36] Um, you know, just until you figure out, is this person someone that I can trust and that they have motivations in the right place, they're really trying to help me. Um, and you know, once you work your way through that, you build lasting meaningful relationships, which you know, you have no doubt would have experienced in your career, and I've definitely experienced in my career where it moves beyond this house discussion. It's really about how do we help each other, how do we innovate? How do we grow? How do we protect the people, protect the staff?

And then, you know, the ultimate goal is contribute to the company goals that you're working with, right? Um, but it's definitely difficult I think, to cross that, to cross that bridge. So I think the issue really stems from just that perception piece. And I think there's a fair, a fair bit of work that we can do to help. And I think it's already happening, but help change that, uh, perception pretty quickly.

Garrett O'Hara: [00:07:29] Uh, I definitely, I agree with you. I think there is stuff happening there, and I think there's an expectation more and more, uh, for sales, uh, functions and, you know, sometimes that's technical people and, and pure salespeople, um, to you'll be trusted advisors, as you say, problem solvers, you know, be partners rather than just trying to sell some stuff and then walk away to the, to the next kind of, um, next gig. Um-

Jason Duerden: [00:07:53] Mm-hmm [affirmative]. And it's not transparent feeling too, right? It's like, you know, solve a problem you can solve and don't try and put a, you know, a square... a round peg for a square hole, so to speak.

Garrett O'Hara: [00:08:04] Yeah.

Jason Duerden: [00:08:04] Um, so I think if you can get to that level of being able to say, look, we can't really solve that problem, um, or I guess we can solve that problem, that's help... that helps you build that trusted advisor status for sure, and something we try and instill with, with our teams, for sure.

Garrett O'Hara: [00:08:20] Yeah. I'm sort of glad we live in a SaaS world because back in the old days, you, um, you had this thing where the platform was what it was, but it was really maybe too easy to say, yeah, we don't do that right now, but you know, we, we will, um, so people would sell something and then scramble back to get the developers to include [laughs] a new feature or change something. And whereas now I think, you know, SaaS kind of keeps everybody honest, which I think is a, a really good thing.

How do you think, um, leaders in sales roles or in sales roles, I should say in the vendor space, push for that good behavior? So, you know, the machine sometimes is if we're all honest kind of set up in a position, like, what do you think? Yeah. How do you do that? How do sales leaders do that stuff?

Jason Duerden: [00:09:04] Yeah. I mean, you, you're able to quickly [inaudible 00:09:08] determine, you know, with any organization that you work with, the cultural aspects of the way the sales team interacts with you as a customer and partner. Um, whether you're the end user of the, the products or whether you're part of the supply chain, which is delivering the products to the end, uh, the end user, you know, what the goal of the solution is. Um, there's a couple of things that I guess we've tried to do and what I've seen be successful. Um, number one comes down to the consideration of hiring. So how you... what sort of things you look for in terms of personality traits, um, you know, bringing people who, who are the right cultural fit. And it's really that men, mentality of, uh, banding together.

Um, so people who really believe in teamwork, who really believe in, in trusted relationships, who really believe in being part of, uh, something bigger than, than the individual's goals or something that we really concentrate and, you know, asking questions of history and you know, how they, how they act in, in other areas of their life, not just in, in work. So we really focus on, um, those aspects and the authenticity of that as well. You can pretty, pretty quickly determine whether you feel like someone is transparent and authentic, right?

Um, so we focus a lot around that in terms of bringing the right people in because at the core of any company is the people and they will shape and drive and determine the A, perception, but also B, the lasting relationships that you can build for your organization. So that's number one at the core. The second one that we really look at is what are some of the community service initiatives that you can be part of, um, which, uh, not necessarily... you can't measure ROI and stuff like that, right? Um, and if you, if you feel like you have a mentality of trying to measure ROI and community service activities, you're probably not thinking about it in the right way [laughs].

Um, so thinking of ways to support other, you know, child development initiatives or schooling initiatives, or ecosystem initiatives, whatever it may be, right? Where you can't necessarily measure a return on investment on sponsoring that, but you know it's for the greater good, you're part of the ecosystem, you're helping mature and develop the, the wider, broader picture of what is cyber security in industry. A good example is something like CyberTaipan or where you... you and I were, um, on the call a couple of weeks ago in terms of the New South Wales cyber security strategy, so having inputs into things which don't necessarily directly draw, uh, business benefit in an immediate effect is, I think is really a good way to, to instill that culture in the business.

Um, and the third thing from a cultural and engagement aspect with a customer or an end user, or a partner, or however you like to categorize is always thinking of how do we solve the problem first? How do we just roll our sleeves up and get in and get things done rather than the driven based on a contract or a purchase order or a sale, or, you know, a signatory. An example is if you're dealing with a, you know, someone who's in the midst of an incident response, um, they've had a major, major ransomware incident where the house is on fire, you know, people are screaming, don't really understand how we're going to grasp this because you're in the throes of, uh, something terrible. Um, having that ability to put the financial motivation on the back burner for, for a while, and just get in and help solve the problems, especially if it's in critical industries like health or utilities or whatever services that impact the public.

Um, because what that does is not only instills trust for you as a, as a vendor partner, but it opens up a bit of trust for maybe other vendors as well with, you know, our communities and always just driven by financial motivation. So they're sort of the three key principles. Um, so I think we can focus on in, in sales, absolutely.

Garrett O'Hara: [00:13:09] Phenomenal. So you, you've just kind of mentioned the idea of, you know, authenticity and transparency, and I think that's incredibly important these days. And one of the things, you know, when it comes to authenticity is how that could just potentially be in an overuse of fear and not just our industry, but cybersecurity is I think, particularly guilty of, you know, the FUD sell. Um, you know, it's all very scary, people in hoodies in dark basements and, um, you know, people could see a screenshot of you and I, we look like normal people, in my opinion, you know, you walk past us and you wouldn't even notice, you know, it's not, um, it ain't what they say it is in the movies.

Um, and we did chat at the time, um, we were prepping about how much fear there is around cyber security. Where does it come from? Like, where does it all stem from?

Jason Duerden: [00:13:56] Yeah. And funnily enough, I, I, I did, uh, an interview with [Triple J 00:14:01] about a year ago on a similar topic of trying to get, you know, uh, new, new people into the industry. And there is that perception of, of, of the dark arts and people in basements in hoodies and hackers and all the rest of it. And I think that that's part of the problem is, uh, lack of understanding is one thing. And I guess, um, to expand on that, you've got, I think primarily the human nature aspect. So if you think about it as a, as a generational topic or a generational question, um, if I look at my, my parents, my mom, for example, she was born in the 50s, um, still kicking strong, God love us. Like, very thankful for that.

Um, she, she didn't have, she didn't have a TV when she was, you know, in, in her very early, younger years, in her formative years. Uh, and fast forward to today, she's, you know, running around with an iPhone and an iWatch and an iPad and everything you can possibly imagine 'cause she loves it [inaudible 00:15:00] And she's, she's fortunate to be, you know, be in a, in a position where she can, um, utilize technology and she's loved the innovation and change. But if I broke it down to her as a person in comparison to myself or yourself, growing up with no understanding of tech, you know, very basic understanding of technology to a world today where your shoes can be connected if you really want them to, um, is the complete lack of understanding of [laughs] cyber security, right?

Because in my mother's generation, that was all about physical safety and physical security. So, you know, lock your door with your key, don't walk in dangerous areas at night time, you know, don't talk to strangers, slip, slop, slap to protect yourself from getting skin cancers, look before you cross the road. And all those things still exist, right? They didn't go away.

Garrett O'Hara: [00:15:52] Mm-hmm [affirmative].

Jason Duerden: [00:15:53] But I think what we haven't done as generations have gone, and technology innovation has increased is thinking about the campaigning aspects, which bring the cyber awareness and cyber education along with the new technologies that come out to market. Um, and it also comes down to the innovation of change, right? We, today, wouldn't be able to talk on this podcast about what we think the technology industry will look like in 10 years, maybe even five years time, because we just can't predict that. And that's also a human nature aspect where when we start to lose control, um, humans don't really like that, right? Like we like to know, we like to be able to predict it, we like to be able to control that, you know, within our realms of what, what we feel is comfortable. So I think that's some of the issue of where that stems from as well.

Garrett O'Hara: [00:16:45] Yeah, definitely. What's the impact? So, I mean, fear obviously exists and depending on your generation, probably at different levels. I've got a, I've got a father who I actually just bought a new machine. I'm going to say something on the podcast that has me really embarrassed. My dad was running a Windows 7 machine that had no business, uh, ever been turned on, but, um, finally got around to getting that replaced and he's back in Dublin. So there was a little bit of kind of legwork to do that from, from Sydney.

But, um, so you know, very different version of fear. Like I get emails and, and WhatsApp messages from him where he's taking a photo of an email and said like, "What is this? So this is okay?" And, you know, so there's obviously some, something has rung a bell in his head and, and, and I think that's good. I'd rather, he was afraid than just, you know, [inaudible 00:17:29] clicking on links and, you know, putting in [laughs] his credentials all over the internet.

Jason Duerden: [00:17:32] Yeah.

Garrett O'Hara: [00:17:33] Um, but when you, when you bring that into organizations like yours or mine, or, you know, that potentially our customers, um, what's the impact that you see, like that fear, um, has for organizations?

Jason Duerden: [00:17:47] Yeah. I mean, if, if you think about it in a, in a business sense, businesses everyday take calculated risks, right? Um, you know, you, it's a risk reward that scenario has existed for eternity and will continue to exist. And businesses take those calculated whether it's, you know, conservative, low risk, medium risk, high risk, there's a risk decision that happens when you're innovating within a business. And where those fees can... I've seen, can impact in two ways. One, uh, fear to quickly adopt or rapidly, uh, enact change.

COVID-19 has been a prime example of that where, um, we've seen examples of many organizations had already embraced the new working model, right? Of cloud infrastructure, [inaudible 00:18:41] as a service platform as a service software, as a service, flexible working environments, digital workplaces, and they haven't had too much of an impact, right? They were like, okay, well, we were already ready for this because, you know, we, we took, we took the journey, we went, you know, we took... we went down the path. Um, we understood how we could benefit both from productivity and security by embracing these new opportunities with cloud services and all bunch of other stuff, right?

On the flip side, companies who were too scared to, uh, you know, put the crown jewels outside of the, outside of the, [laughs] the data center with all the padlocks on it, um, and, and trusting their vendor partnerships or trusting their ecosystem partnerships to help them enhance business have struggled. Like there's been prime examples of people having to deploy VPNs to everybody, and then the VPNs are falling over and you have to put more load balancers in, and now you've got direct access into the network from any device, and that creates huge security implications. So um, those companies are now being forced to adapt and change. Uh, and it's gonna end up being more costly for them because what, you know, some of what those organizations have implemented today won't necessarily be what the solution they'll use for the future, so they'll have to double pane in terms of their innovation.

Um, so I think that that's the real, tangible impact of that. I think the other piece is also, you know, the back to the generational thing, if you think of as an individual, uh, whether you're an individual at home or an individual at work, sure, maybe behaviorally, you're a little bit different in terms of what you do and, and the conversations that you have, but at the core, you're the same person. So, um, if you're not educated at work, especially if you're in a senior executive position, if you don't really understand cyber and the risks that pose, uh, from you as an individual at home and an individual at work, plenty of examples of people being phished or reconnaissance being done on senior executives at high profile companies to find the weak spot, right?

Garrett O'Hara: [00:20:49] Mm-hmm [affirmative].

Jason Duerden: [00:20:50] Um, and maybe that's through your personal device, or maybe it's through your Facebook account where you put pictures of your children playing soccer or whatever it may be. Um, it happens, right? And that's not to spread fear again, but the reality is that has happened. So it does transition to both individual and personal, and, and it's really why things, podcasts like this and, and education programs are really important for people to be aware what are the risks and how can they start to educate themselves around them?

Garrett O'Hara: [00:21:18] Yeah. And like to reflect on that though with the, the really, the speed of innovation. 'Cause I think that's shocking to me sometimes just how quickly, and hopefully it's not too much of a function of my age, but just how quickly everything is changing around us all, so, so, so very fast. And when we were chatting, uh, last week, I think it was like we talked, and then part of the problem being that like for many people, there's no way for them to really understand what they're being warned about. They're being warned, but they don't necessarily get it when it comes to cyber resilience. It's not their, it's not part of their kind of life, it's not in their [wheelhouse 00:21:53] Um, and that's like going across non-tech citizens to board members for a public company, like there's no particular type of person. But how do you reckon we can change that understanding of cyber resilience, cyber security for everyone, if like, if we can even do that?

Jason Duerden: [00:22:10] Yeah. I mean, that's, again, I think that's a, that's a long term generational shift that will happen. And I think we're doing some really good things, right? Like, I think that the concept of cyber awareness and education in pretty much every corporate environment you go into today is pretty well, pretty well known, pretty well understood, there's better implementations than others, of course, but I think most people, uh, or most companies and most organizations are on that path, which is tick number one. Um, there's now examples and you've got, you've got also got common, uh, society campaigns like Stay Smart Online week or, you know, cybersecurity month, et cetera, et cetera that come out as well.

But I think we can... that's where we can really change the game more effectively, is educating at a level where you're not necessarily in any level of understanding. And, and what I mean by that is if you think about a child in a school, for example, we teach them, we teach them about, you know, uh, putting on sunscreen before you go outside and you go to the beach, so slip, slop, slap. Um, you've got to do the five stay alive before you, you know, you, you go swimming in the pool or you learn to swim or you go to the beach or whatever else. Right?

So there's campaign examples where we're teaching, uh, at, at, at a core human fundamental level, during the formative years of how to be safe in certain situations. Um, and we also educate about the heroes in those situations, like, uh, you know, a policeman or a police woman, um, a paramedic, a firefighter, for example. And I think if we started to think about cybersecurity in that context, where cyber security is not just about someone hacking you, it's just about safe use of technology.

Garrett O'Hara: [00:23:59] Yeah.

Jason Duerden: [00:24:00] Um, so it becomes less of a pointed thing, it's more of a broad understood spectrum. I think that's how we can really change things. Um, and I hope to see some of those grassroots programs come through. You know, we've been talking a lot with government recently around some strategies and ideas, and that's certainly one of our recommendations, is thinking about how can we impact the next generation of people that are, are coming through. And it's not to forget about the generations that exist today, we still have to continue that education. But, uh, start, start of this, uh, this session you know, teaching an old dog new tricks can be less, less impactful than teaching a new dog, a new dog before they, before they start. So um, thinking of that concept, I think a great campaign around slip, slop, slap or something similar would be, it would be a great way to do that.

Garrett O'Hara: [00:24:48] Yeah. Yeah. I totally agree with you. And you know, u, u, using your example, um, where you call it the hero, you know, the pharma and, or the, uh, the doctor, um, I wonder, are there going to be like two-year-old kids when, you know, they're asked, what do you want to be when you grow up? They might say like cyber security analyst and, you know, we're in that same category or they're in the same category as, uh, people who are saving lives, you never know. Um-

Jason Duerden: [00:25:10] And we laugh about that, but the reality is some, some of these analysts who, who do work in critical industries like hospitals or utility sectors, if I go down, that's a major impact to us as citizens of a country, right? So they are, in fact they do save lives. Um, I think we talked about last week, there was that example, you know, I'm sure there's many other examples, but the prime measurement example in Germany about, um, that person having to be diverted to a different hospital because of a ransomware attack on the hospital and they actually died. Um, you know, so that's a prime, prime example of how these people can be our heroes in, in, in many instances, for sure.

Garrett O'Hara: [00:25:51] Yeah, it is, it's like, I totally agree with you. I think that they're reporting that, uh, case out of Germany as the first, like you can draw a direct line to what they're considering homicide, which I think that's an interesting change also, you know. When you're moving away from cyber crime charges into a homicide, uh, but I think it's the canary in the coal mine, if I'm honest. And I think you're spot on like, the job of doing security keeps people in jobs and keeps people physically safe. And, you know, I think that's partly forgotten sometimes that, you know, this work that happens sitting behind computers, obviously for the most part, it's not as visually, um, impactful as somebody in a farm and [inaudible 00:26:32] you know, fighting big flames, but...

And I'm, you know, sorry, I'm not before... I'm not joining any equivalents, um, but you know, the, the point being you're spot on, like, they are heroes and, um, it is an incredibly, incredibly important, um, kind of role in society today. We, you know, we're in a position these days where, um, cyber security has gone from, you know, we've talked about clicking on links and, and some of the stuff that's very obvious when you're sitting, you know, we're both sitting at, uh, computers here, having a conversation.

Jason Duerden: [00:27:01] Mm-hmm [affirmative].

Garrett O'Hara: [00:27:01] Um, but when we spoke, you used the example of somebody walking into Bunnings, you know, and buying a smart light bulb. And that's a really different threat, right? Because it's not my... if I'm buying a light bulb, my mind is not in the I'm going on a computer, so now I need to be staying safe online. I'm buying the light bulb, you know, it's a really different thing.

Jason Duerden: [00:27:22] Yeah [laughs].

Garrett O'Hara: [00:27:24] Like, it's a huge cyber security problem, I think is the fair statement, you know, and in, in ways, I feel like the horse might've already bolted, you know, that the, the sort of market dynamics where, what consumers want is cheap, but cheap means generally not secure. Um, do you have a magic wand? How do we [laughs] how do we fix this problem?

Jason Duerden: [00:27:50] [laughs] Yeah, and I wish I had a magic wand, there's hopefully a few other problems I could solve as well [laughs].

Garrett O'Hara: [00:27:51] It could be an IoT, it could be an internet connected magic wand, you know and [laughs]

Jason Duerden: [00:27:56] Yeah. Well, I'd, I probably wouldn't buy it if it wasn't.

Garrett O'Hara: [00:27:59] Yeah [laughing]

Jason Duerden: [00:28:02] Um, I mean, it's a really difficult area, as you said, you know, there's a few questions that really come to mind is I, you know, where did, where does the responsibility sit for something like that? Does it sit with the manufacturer? Does it sit with the, the retailer who's selling the product? Does it sit with government for legislation? Does it sit with, um, you know, uh, again, education, edu- uh, institutions to educate people and, you know, kids, uh, to make sure that once they get into adult world. Again, not to say that we're, we're [laughs] we're a lost cause, but, uh, we're, we're privileged enough and educated enough to be able to see and understand those various crimes. So we really need to focus on the people who, who can't.

Um, and I guess if I look at that, my view is number one starts with government legislation. It has to, because you need to stick to, to, to [inaudible 00:28:56] when you need it. Um, human beings by nature, we won't do anything unless [laughs] we really have to. It's, that's not an individual, it's just a kind of common understanding. Um, and the government did recently release the IoT Code of Practice, um, standards.

Garrett O'Hara: [00:29:12] Yeah.

Jason Duerden: [00:29:12] Uh, I think it was this year, 2020.

Garrett O'Hara: [00:29:15] Yeah.

Jason Duerden: [00:29:16] But a little bit behind, other, other countries, UK's had one for a while, US, but at least we're making some steps, right? Like we're, we're getting towards understanding that a little bit closer and it is that example. And that, that's what the core of where I believe that the issue and risk is. You know, large corporates investing in IoT, they already have understanding of cyber and risk, right? And they already have an appetite for cyber and risk and, you know, not that they're perfect, but they make really... and as we talked about earlier, like calculated risk [inaudible 00:29:48] decisions to drive innovation and speed of change and all the rest of it, right?

So I think that there's still a risk of IoT in corporates, but maybe not as large as it is in the general consumer space, where again, using my mom as an example, she's probably gone [laughs] down to, you know, Bunnings or Kmart or whatever it may be and, and purchased a, a widget that can be connected through the WiFi, to her phone, to manage X, Y, and Z. Even smart TVs, they've been around for a long time. There's plenty of, plenty of examples of people using smart TVs that were built 10 years ago that are still connected to the internet, that haven't had a software update in 10 years, that are probably the most vulnerable device you could possibly own.

Garrett O'Hara: [00:30:28] Mm-hmm [affirmative].

Jason Duerden: [00:30:29] Um, which store your credit card information and a whole bunch login information for apps and passwords that you probably use on multiple, multiple systems as well. Um, so there's a huge area there, which we don't really talk about. Um, but I guess if you were a consumer listening to the podcast, you know, there's a couple of tips you can, you can take away is A, buy a device that, that does have a regular update structures or commercial product where the software has an update, updating lifecycle, so you can stay up to date with, you know, making sure security patches and everything done.

Um, you know, as much as I can say this in a position to privileges, try not to have too many old devices [laughs], um, you know, update your UTVs and, you know, your widgets on a regular basis from a hardware and firmware perspective, that's really important. So having a look at that, um, and also asking if you don't understand, I think it comes back to that notion of convenience where, you know, being able to open your garage with your phone app or unlock your door if you know, you've got a friend coming over and you're not home yet, so you could let them in. That's a huge convenience thing, but we, we also, as a human, drive towards convenience, rather than thinking about risk, because no one wants to think about negative, negative stuff.

So I think if we can get a mindset around... well, it's not a negative to think about the risk, it's actually enabling my convenience. And if we just understand that risk, then you know, whatever convenience and innovation you want to drive can be, can be put forth for you. But I also think at the manufacturer level, and this is something that, you know, [inaudible 00:32:11] for BlackBerry, but it's something that we really do well, uh, not across the whole IoT ecosystem, but in the IoT spaces that we play, namely things like drones, automotive, medical device equipment, et cetera. Um, and that, that comes down to the software layer that gets implemented in these technologies.

So BlackBerry today has over 150 million cars on the road where we power the infotainment systems, which also power the driver engagement systems, which also power all of the digital displays and dashboards that you see. Um, and if you think about that as a risk, man, if someone took over your car, like you, that's probably one of the most vulnerable positions you've ever been in. And there is a, there is an ongoing debate about how are we going to manage that as a society with connected vehicles and, you know, smart cities and all the rest of it. So fundamentally in that notion of secure by design is before the car even gets out onto the road, that's where we, as a company have been really, uh, heavily focused on ensuring the secure by design aspects of the operating system, the software, you know, the, the communications, all, all those aspects, which come with, um, delivering products.

Garrett O'Hara: [00:33:25] Mm-hmm [affirmative].

Jason Duerden: [00:33:26] But again, that's a, that's a company, uh, goodwill thing as well as we want to make sure we're doing the right thing for society, not every company does it, right? And it comes back to your comment before of, you know, cheap routes to market, competitiveness. Um, there's many examples as I was reading an article a couple of days ago where the drone market is dominated, I think 70% market share by a manufacturer from a country up North. Um, and, and, you know, we've always talked about political tensions between these countries and other five of those countries.

Uh, and the article was talking about, well, if that nation state company was instructed by that government to, you know, collect surveillance, take photos, videos, that's all possible through these devices, but we as citizens go and buy them because they're cool and you can find them around, and we don't even think about that stuff. So not that I haven't answered to that specific use case, but that's a question of how do we sell something like that? Who's, who's responsible for something like that?

Garrett O'Hara: [00:34:32] Yeah.

Jason Duerden: [00:34:33] That's a difficult one to, to cover off.

Garrett O'Hara: [00:34:35] It is interesting. Uh, [Prove A Sec 00:34:37] I don't know if you're aware of them as a company, but they've got a, a division or a part of their organization I believe, dedicated to drone security. So, um, yeah, look, we live in strange days. It's a little bit Blade Runner 2049. It feels like sometimes, you know, we've kind of arrived here and, it's, it's like, you know, the, the boiled frog analogy where it, it does feel like, you know, the, the two based side of the tube and all these devices are out there and they are cheap, they are unsecured.

And I agree with you. I think the big stick, like it's sort of has to be there in situations like this. And I think the UK actually went for the guidelines, but um, in parliament when they were discussing it, I feel like the MPs had actually, the guidelines, it's just not enough. Like we need to kind of make this stuff law and, and that's where maybe the rubber hits the road, but yeah, who knows, who knows if we get there?

Jason Duerden: [00:35:27] And the other, the other example of that is, you know, if you look at the medical industry specifically, and if you're working in this industry, you're listening to the podcast, you're probably going to be like, God, I wish it would, would change or improve. But if you go and buy an MRI today, um, nine times out of 10, it will come with Windows XP built into it, uh, because when the device itself was designed, created, you know, put together essentially and meet legislation and, you know, the outcomes of what the product needs to do, um, that costs millions and millions and millions of dollars.

And [Tarrant 00:36:05] legislation stipulates that if you change the initial design from a hardware or software perspective, you have to recertify that device to be able to be used in a hospital. So if you go and then implement, you know, install a security technology on that particular device, it becomes technically noncompliant and the, and the manufacturer doesn't provide warranty. So you end up with all these devices that have outdated, uh, operating system, hugely vulnerable [laughs] operating systems, um, but performing innovative functions in society, so that itself it's a catch-22. And that's, I guess that comes back to that legislative piece, which you were talking about, is it has to be enforced, that rather than being certified based on builder design, it should be that plus keeping up with the security, uh, security landscape as well.

Garrett O'Hara: [00:36:56] Yeah. I think you're spot on. Like it's legislation, and then I wonder, is there, you know, a version of the green tick for IoT devices that, you know, there's some strict global standard where if you see the, you know, the IoT green tick, you know that it's following the guidelines, the best practices around firmware updates around, you know, no default [inaudible 00:37:15] well, you know, passwords that are, um, you know, reasonable and change and all the [inaudible 00:37:19] just good security, uh, practice type stuff.

Um, like sort of pivotal a little bit here, and, um, you know, we've talked about legislation in relation to IoT, but where we kind of connected was that, um, the focus group that asked me Ryan, for the New South Wales government, um, it was this sort of comment, um, on the cyber security strategy. What were your thoughts coming away from that session?

Jason Duerden: [00:37:45] Yeah, I mean, it's great to see, right? Like any, any think tank that... and I love the fact that they put together a think tank [inaudible 00:37:53] right? Because if you're sort of, you know, someone who was a little bit agnostic and didn't have their own motivation, so it was really good to see that that type of initiative was put together. Um, and I, and I think a lot of the ideas that came out of the think tank were, were, were really good. Um, one, one perspective, and it comes back to that grassroots piece, I think again, that's where some of the biggest impacts could occur in society, around building a cyber safe New South Wales, uh, is you know, starting not just marketing to the, to the people in, in privilege.

And when we talk about people in privilege, it's like, if you're already going to UTS and you're in SW and you're studying IT, then sure we can market to you, but you're already on a pathway and you're lucky to be in university [laughs] in the first place. Um, it's, you know, what about the rural areas? What about indigenous communities? What about, you know, other, other [inaudible 00:38:47] religions, people who you, you know, may not feel like they could be afforded the opportunity to be part of our industry.

Um, I think that was a really cool discussion to have about how we can broaden the ecosystem and really diversify and, and make this, you know, not, uh, you know, hoodie, hoodie, basement, kind of, um, industry, uh, make it a broad industry for anyone that anyone can be part of. And there was an idea actually talking, um, uh, a bit around, you know, how apprenticeships could work and traineeships could work, you know, to enable other pathways to come in where you don't necessarily have to be, uh, you know, going to a big fancy school to, to get educated and then come into the industry.

Um, which I think is a common, uh, you know, uh, common incorrect perception of, of how we do what we do, is you don't necessarily have to go to a fancy school to, to come into our industry, but, uh, it does make it harder if you don't know someone who can help you get in, right? Um, which, which is, I think something, some of the walls that we need to break down and it was great to see that was part of the discussion. And that's probably the biggest takeaway that, that I, that I got from it.

Garrett O'Hara: [00:39:52] Yeah. It was, it was, uh, it was a, a great session and I totally echo what you said about us being involved and, and sort of moderating the, um, the session. So 100%. Um, like going from state level and up to really kind of national level, um, what, what are your thoughts on the Australian cyber security strategy? And that was published fairly recently. I think actually just in the weeks before the [sting 00:40:19] focus group.

Jason Duerden: [00:40:20] Mm-hmm [affirmative].

Garrett O'Hara: [00:40:20] Um, so kind of timely, but like do you have any thoughts on that?

Jason Duerden: [00:40:24] Yeah. I mean, a great strategy. Um, one thing I think was, at least from my perspective, the biggest potential shift and change is really diving deeper into risk management, um, as an approach. So a lot of the identified key areas, you could map directly to the NIST cyber security framework, which is a, you know, global standard that many organizations, um, adhere to. And what it does is it gives you a common language and a common understanding, um, so that you, you make it easier to transition across the ecosystem, whether you're going from government to banking, to you know, critical infrastructure, whatever it may be.

So it was, it was really good to see that. Um, I don't think it's any secret that, uh, you know, Australia's cyber capabilities in that space have been backing. Um, I mean, even this week, I was reading an article on Innovation Oz, uh, you know, around the, um, server, uh, index survey for 2020, I think Australia was ranked 10th overall in, in terms of cybersecurity index ranking. But the most alarming piece was Australia was ranked 16th in cybersecurity capability, which is, which means there's a huge disconnect between our awareness and intent, which I think we were ranked eight or something.

So it was pretty, pretty good, um, to actual downstream investment in capability. And one of the things, and you and I were talking a little bit about this is, um, how do we make it easier and simpler and faster for government to evaluate and adopt new capabilities, new technologies, new approaches, um, because you, you know, many people would know today, it, it can take two years from initial conversation about new capability enhancement to actual practical implementation with a government agency.

So I don't know if you've got any thoughts on that, but that, that was something I thought that was, that was lacking, or at least it wasn't clear on how all of this investment and change and, and interest from government would actually come into practical sense now, and not 10 years [laughs] 10 years away when we'll be another 10 years behind everybody else.

Garrett O'Hara: [00:42:41] It, it feels like something needs to, to change, is the reality though. Um, and I would say there's the two parts, right? There's the projects within government entities where they're looking to procure, uptake or change something, or run a program and to do security better. But as you say, like it's the machinery of, of government and, um, they are, you know, internal policies [inaudible 00:43:03] And my wife worked for a semi-state body and their hiring practices, um, were so rigid in terms of what they had to do to fill a role as a completely, you know, um, different type of analogy was set questions, the same questions for every candidate, you know, very, very much on rails because there was just a bunch of policies that they had to be compliant with.

And, um, I don't know. I mean, it feels like that's, that's what... I, I don't know how you solve that problem because there is a, for me, you know, there, there are elected, um, representatives and, you know, or the people that can do the administration essentially for the country. So pardon me, does kind of buy into, there needs to be some level of compliance and, you know, procurement has to be sort unrailed so that we all know, um, you know, we don't end up as a country where, you know, money is just getting funneled out through to governments to you know, fake projects, which, you know, is, is obviously all, always worry.

So it's probably some balance in the, the more agile procurement and change management and project management and all of those things within government, without giving too much away to protect Australian citizens and taxpayer dollars and all of that stuff as well. So I, I totally agree. Like, there needs to be some sort of a conversation because... and, and you said it, I think when we spoke last, you know, you, by the time the, the thing is done in the end, it's already on next gen or two, two generations past.

Jason Duerden: [00:44:30] Yeah.

Garrett O'Hara: [00:44:30] You know, it's already out of date by this time, the thing has actually been implemented. So, um, and [crosstalk 00:44:36]

Jason Duerden: [00:44:36] And I think one thing I've seen that's interesting in like, if I, if you look at, and this came up on the SP call for New South Wales government, if you kind of look at Victorian government in a sense, they've become really a, a leader in Australia in terms of their approach to cyber, right? Um, and the way that they've structured the policies and they've structured the investment and they've structured the, the head department working with the other key agencies. Um, and I think one interesting thing that we can, you know, we can look at that as a bit of a case study and potentially other governments could, could assess is, um, you know, the, the transition of people into some of those leadership positions within Victorian government from the corporate sector.

Um, so bringing some of the agility, some of the innovation, um, some of the communication skills from the corporate environment into the government environment, and there are some examples in other governments where you can see that starting to, to take hold as well. Um, but, but maybe that's how it can start to chat and drive this, not foregoing the principles of, you know, responsible business and procurement, you know, compliance 'cause that still has to exist. But I think the more and more we're able to cross pollinate between private and public sector, um, and have, you know, not just everybody within a department who's come through the government ranks, you know, because there's no one who's really trying to drive change.

We've got a good mix of people. I think that's been an example in Victoria where you're starting to see more innovation happened, more adoption happen, um, and some really good outcomes. And I, and I think, you know, they are seen as a leading, uh, definitely a leading government in terms of the way they're approaching cyber security.

Garrett O'Hara: [00:46:22] Yeah. Spot on. Um, so I think we've probably got time for one last question and, and sort of relates, I suppose, to the, um, the national cyber security strategy which talked a fair bit about SMBs and some of the sort of, um, like the issues potentially and protecting them and some of the gaps that we have at the moment. And I know you've written about this, um, in your, in your kind of blog articles, what's your perspective, um, on the, on the kind of SMB protection from cyber attacks?

Jason Duerden: [00:46:53] Yeah. I mean, you know, it's a totally different conversation if you're thinking of big corporates, uh, or government agencies or utilities, phones, whatever, they're more of a discussion around, you know, national security impacts and, uh, or, you know, large populations of consumer data impact. Um, if you think about it at, at an SMB level, uh, it's the, in essence, the lifeblood of the country, because 98 or whatever the most recent stats is, but it's a very high 90s percentage of, uh, Australian businesses are SMBs or SMEs, right?

Um, and, and functionally drive the, the, the country forward from an economic, um, standpoint. So, you know, continually impact in that space, and this comes back to our earlier discussion around, you know, the fear and lack of understanding, the lack of education. Um, the more that SMB market is impacted by cyber incidents, the more impactful it will become on our economy, right? It's more unlikely for a large corporate like CBA and Westpac or anyone to experience a cyber attack 'cause then they understand it, right? They're very well prepared.

Um, but smaller businesses that employ people in rural areas or even in the cities, um, that can have huge economic impact to society and families. And if, if we don't find a way to help them, uh, both either, you know, funding wise or at least education wise, uh, I, I think that puts us in a really vulnerable position. Um, and I think it comes back to the, the campaign aspects, right? We do, we do a pretty good job at promoting Stay Smart, Stay Smart Online week and cybersecurity month.

I think we can do more there, um, because if you think of the people that are in SMBs or SMEs, both those workers or business owners, they're the majority of people who are the individuals that we're talking about as well, that crossover from, you know, I know a little bit about technology, but I don't really know anything about cyber security. So I think government, um, can make a, an investment there that would dramatically increase the country cyber resiliency for sure.

Garrett O'Hara: [00:49:10] Awesome, man. I think that's a pretty positive note, um, to, to finish off on. Um, Jason, I really, really appreciate it, um, you taking the time. Um, yeah, like I say, so your commentary in the, um, the state, um, cyber security focus group, and I was like, hey, that's a guy I would, I would [laughs] very like, pretty much like to talk to. Um, so appreciate you, uh, taking the, the time [inaudible 00:49:33] to do the interview today. So yeah. Thank you.

Jason Duerden: [00:49:36] Yeah, no problem. Thanks for having me, Garrett. It was a, it was a good chat. I really appreciate it. I could talk for hours on [laughs] some of these topics, but, uh, you know, we need more people having the conversation, right? Because that's how we, we generate the awareness and we impact change eventually.

Garrett O'Hara: [00:49:53] Eventually. Wise words. Wise words to, to end on. Uh, thanks so much, Jason.

Jason Duerden: [00:49:58] Thanks.

Garrett O'Hara: [00:50:01] [silence] Thanks again to Jason for the conversation. It's amazing how quickly time goes when you're speaking to someone like him. As always, thank you for listening to the Get Cyber Resilient podcast. The back catalog grows every week, so [inaudible 00:50:19] those and subscribe, like, share, let your friends know and let us know of the people you want interviewed or topics you want us to cover. For now, keep safe, and I look forward to catching you on the next episode [silence].
