Garrett O’Hara

    Garrett O’Hara is the Principal Technical Consultant at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies and is a regular industry commentator on the cyber security landscape, data assurance approaches and business continuity.


The Get Cyber Resilient Show Episode #18


This week Gar is joined by Shannon Sedgwick, Senior Managing Director at Ankura. Shannon is a seasoned director with deep experience providing future-focused leadership to governments, private enterprises and boards. He has spent over a decade working globally across tech, cyber security, and government risk and compliance. Shannon isn’t afraid to share his opinions and often expresses them on broadcast media, through his regular published articles, and this week on the Get Cyber Resilient Podcast. Gar and Shannon discuss a number of topics, including navigating technology strategies during COVID-19, the tech landscape in terms of buyers and sellers, and what’s broken with conferences and how they can be improved.

Ankura provides fit-for-purpose and cost-optimisation analysis and review of companies’ technology and cybersecurity architecture and vendors, to reduce complexity while maintaining governance, risk and compliance standards and to identify opportunities for cost reduction. https://ankura.com/

The couch-potato-style cyber security event Shannon mentions is ComfyCon AU: https://www.comfyconau.rocks/

#cybersecurity #cyberresilience #getcyberresilient  


The Get Cyber Resilient Show Episode #18 Transcript

Garrett O'Hara: [00:00:00] Welcome to the Get Cyber Resilient podcast. I'm Garrett O'Hara. This week, we are joined by Shannon Sedgwick, senior managing director at Ankura. Shannon is a seasoned director and has deep experience providing leadership into governments, private enterprises, and boards. And he does that with a future focus. This guy is a clear strategic thinker, having spent over a decade working globally across tech, cyber security and governance, risk and compliance.

He is a prolific writer, appearing in publications like [AF4 00:00:35], The Australian and university journals. And anyone who's seen Shannon speak through broadcast media, so, Sky News, Today Show, Seven News, 60 Minutes, it's a, it's a long list, but everyone will know he doesn't hold back, and I really like that. In this episode, we talk about navigating technology strategies during the COVID turbulence, how that affects timeframes for planning, and also the people chosen to do that planning.

We'll cover the technology landscape in relation to buyers and sellers, and have a pretty frank conversation around what can go wrong there, and how we can do better. We went [inaudible 00:01:07] with a topic that's particularly pertinent during coronavirus, which is conferences and what's broken with that model. Given how many of these have moved to virtual environments, much like work from home models, we have to ask ourselves if we're ever gonna go back to how things were done.

I'm grateful that Shannon took the time out to talk to us. So I could have happily talked to him for hours. So as always, I hope you get a lot from the conversation. Please enjoy. Good morning and welcome to the Get Cyber Resilient podcast. I'm joined today by Shannon Sedgwick. How are you doing today Shannon?

Shannon Sedgwick: [00:01:39] Um, good mate. How are you?

Garrett O'Hara: [00:01:41] Doing well, doing well. A massive drop in the Sydney temperature, uh, which was a bit of a shock this morning, going for the daily constitutional walk. I don't know if you felt it where you are.

Shannon Sedgwick: [00:01:50] Yeah, no, it's uh, cold out where I am in uh, in uh, the west this morning. I uh, walked out the door without a jacket on, and did an abrupt 360 [laughs]-

Garrett O'Hara: [00:01:58] [laughs].

Shannon Sedgwick: [00:01:59] ... uh, put a jacket on. Yeah it was um, a bit of a shock.

Garrett O'Hara: [00:02:03] Definitely was. We got to see a, a double rainbow for what that's worth, which uh, seemed [crosstalk 00:02:07]-

Shannon Sedgwick: [00:02:07] Oh really?

Garrett O'Hara: [00:02:08] ... Yeah, yeah this morning. It was a really strong one, you know, very dark gray skies, beautiful rainbow. And, and I just remembered that the guy who was famous for the double rainbow meme, um, he actually died about a month ago so it felt maybe [inaudible 00:02:21], you know, sort of saw the meme guy in the sky, yeah.

Shannon Sedgwick: [00:02:25] Yeah, yeah that's it. No, I didn't get to see that unfortunately.

Garrett O'Hara: [00:02:28] Yeah, it was quite pretty. Um, so Shannon, if you wouldn't mind as an opener, if you could just kind of run us through how you got to where you are today, um, not the full, you know, the full bio, but just the, maybe the abbreviated version [laughs].

Shannon Sedgwick: [00:02:41] [laughs] Yeah, sure. Well, uh, yeah, as an extremely abbreviated version, I am, uh, ex-military. After I left the military, um, I did some uh, private contracting work for a while, and then I started my own business, uh, in the U.S. based in San Diego and, um, scaled up fairly rapidly, uh, and ended up opening offices in Sydney and Singapore. And, uh, my, uh, now wife and I, our visas ran out, and we decided not to re- renew them, and we, uh, came back here to, um, to Sydney.

And, um, I worked in Sydney for a while running the business, um, and it did quite well. But then I saw that there was... I wasn't able to focus on cybersecurity as, as much as I would have liked because we were providing other types of services as well. And, um, yeah, I'd been studying cyber for quite some time even while I was in the military, because I knew that's where the opportunity was, and that's where my interests lay.

And, um, so I ended up being bought out. I got made an offer I couldn't refuse. And then I was headhunted by Deloitte to help run their, uh, federal government cyber risk business. After there, I went to Verizon, I did the same thing to help them build up their professional services team. And now I, um, I'm a senior managing director at Ankura. And, um, we... they're based in the U.S. and the UK. And, uh, we've got, uh, uh, quite a strong practice here around strategic cyber security, and digital forensics, and incident response.

I also uh, sit on a couple of boards, uh, one an indigenous not-for-profit and a disabled services not-for-profit, um, which is uh, work I value quite, quite highly. Um, I think it's important that we give back to the community. So, uh, I, I'm really interested in, um, corporate social responsibility and adding to that community services. So, yeah, that's, that's my background in a minute or less. Um, but yeah.

Garrett O'Hara: [00:04:51] Phenomenal. I'm actually even more grateful that you've taken the time out to talk to us today uh, with all of that going on. I'm amazed you, you, you were able to fit us in. So thank you for that. Um, look, one of the things we, we talked about, um, you know, obviously before we started recording, but I think it's a theme at the moment is, what's going on in the world today with COVID and Coronavirus and, um, you know, looking around at very complex operating environments that, you know, you'd be working in at the moment, there's a lot of kind of transitions happening there. Um, how are you seeing those organizations kind of navigate those... the requirements from a technical uh, perspective with the pressure of COVID at the moment?

Shannon Sedgwick: [00:05:29] Yeah, well, it's interesting, isn't it. You know, it's, um, previous to COVID happening, there was a lot of discussion, um, around, um, five and 10 year strategies, and technology transformation programs and, um, digitization, um, and you know, about artificial intelligence, and the way forward with technology. And now, you know, um, we've seen an exodus of chief executives, and executive teams, and boards that were focused on that.

And now we're, we're seeing the majority of organizations focused on cost cutting and cost optimization, and, um, focusing on their critical business operations and reducing their need for, um, staff cuts and uh, reduction in staff salaries and, and just stemming the bleeding that's coming from COVID. You know, I know there has been some industries that have benefited quite uh, have been wildly successful because of COVID.

Um, but, uh, for the vast majority, it's, it's... a lot of industries have taken a hammering, particularly financial services and real estate, and you're seeing them focus on critical infrastructure, even, even down to their recruitment of replacement CEOs, or executive team, or board members, you'll see them bringing in, um, a bit more, uh, gray around the gills, so to speak, uh, older, more senior experienced hats, um, that have been through, um, that are used to [inaudible 00:07:03] critical operations, and focusing on the nuts and bolts of the organization rather than growth.

You know, um, boards when they're hiring a CEO will often, um, previous to this were focused on, "Okay, what's your five year plan? What's your 10 year plan?" I guarantee you those questions aren't being asked now, they're being asked, "Okay, what are you gonna do in the next six to 12 months?"

Garrett O'Hara: [00:07:26] Yep.

Shannon Sedgwick: [00:07:26] So it's important for service and product providers and vendors to be aware of that change, that change in priorities, and that focus on business critical operations, and adjusting their services and products to be able to add value, and to still be relevant in these times. So it's, it's, it's difficult for both buy side and sell side at the moment to, um, I hate this word, but pivot their offerings, um, to match the market requirements.

Some are doing it quite well and others not so much, but we certainly live in strange times. Um, and that, that change of focus, and how abruptly it occurred, and also that transition, that mass transition to working from home, and obviously coming from a cybersecurity lens, the, um, inherent risks with that mass transition, particularly with, you know, shadow IT and people, you bring your own device... people using their own devices, because I think those of us lucky enough to have work laptops, we forget that many industries have never been given a laptop before, they worked from a, a desktop in the office every single day.

And now they've been forced to use their own personal laptops to conduct work on. And it's difficult for IT and security teams to maintain awareness of, you know, the IT, um, software, hardware, and the data storage and, um, and use of that data across you know, personal devices. It's, it's certainly a strange environment for everybody involved, but I think there's a huge amount of learning opportunity, and also opportunity to, um, both add value and, and remain, and be profitable, and even enhance your profitability if you handle this, um, you know, pandemic or this response to the pandemic in the right way.

Garrett O'Hara: [00:09:25] And, and, you know, with that, what those organizations who are doing it well, what, what do you think they're doing specifically?

Shannon Sedgwick: [00:09:32] Uh, the organizations handling the pandemic well?

Garrett O'Hara: [00:09:36] Yeah. Yeah, 'cause they pivot as you say to use that, that, you know, that lovely word pivot. Um, like what, what is that pivot? What does it look like?

Shannon Sedgwick: [00:09:45] You know, I think the ones doing it well, uh, like I said, uh, they've been able to identify quite quickly, quickly what exactly their business critical operations are. Um, I think that a lot of companies would surprise themselves in previously, they would have thought they'd known what was critical to their business and what wasn't. And those of us in the cybersecurity industry, particularly in consulting know full well, that it is rare that these organizations actually have a full awareness of what their, their critical, business critical assets and data are.

And I think it would be a learning experience, quite a rapid one for these organizations, but there are some that are doing it quite well, and they've been quite transparent uh, with their customer base about their struggles, and what they've been doing to, um, solve these problems. And again, you know, with like a lot of things that we deal with, it comes down to that clear communication and being able to show... be transparent for the value creation that happens behind the scenes.

And I think that's applicable for not just the buy side or these, these organizations, but also sell side, you know, vendors, product, product, and, um, and, um, services providers, um, to be transparent, and show the, show the value... the behind the scenes value creation. Um, it's becoming more and more important that transparency, um, to customer bases. So there are some organizations that are doing that quite well. And like I said, others that, um, that haven't, um, pivoted [laughs] quite as, quite as well.

Garrett O'Hara: [00:11:28] And, and that's the other side of that question though. So those ones that haven't done it so well, what are the, the [inaudible 00:11:33] there? What are the things that they're not doing um, yeah that they're not doing well as they pivot?

Shannon Sedgwick: [00:11:40] Well, yeah, poor communication or no communication at all about what they're doing or about how they're adjusting, um, to these changed times. Um, questions... they've been leaving questions unanswered, um, not having, um, staff available or not transitioning to working from home quickly enough so staff aren't available for customer service or complaints or, um, outage- outages, you know, you pick one of the telecommunications providers, um, Telstra, Optus, um, because they relied upon, um, offshore call centers.

There was a time period there of a couple of weeks where they had virtually no customer service available. Um, and one would have thought that there would be, um, you know, incident response plans in place or business continuity plans in place that would address something of, of, um, of similar ilk but, um, it seems that they were a bit slow in, in reacting to that so. And it is a massive hit on the... in their defense.

It's a huge organization and, you know, losing a complete offshore capability in one go was fairly highly unlikely. So, um, you know, it's, um, you can't point the finger and blame, uh, without knowing what's happening in the inner workings, you know, try and remain empathetic to their situation, but, um, you know, there's... I think it comes down to communication and having a strong business continuity plan in place, and being agile enough to make decisions on the fly without running it through the rafts of legal and executive approval, just do what's necessary.

And I think companies that have a more decentralized management structure, and are able to make decisions more rapidly, have been able to, um, adjust to this, this pandemic shaped world a bit more, uh, quickly than others have been able to.

Garrett O'Hara: [00:13:41] Yeah, absolutely. You raised some interesting points there. And I think one of them that kind of resonates with me is the, the complexity of supply chain these days, and how exposed we are. You know, you can see it in the, the world industry. There was a, uh, an issue last year, I think it was, where the [inaudible 00:13:58] verticalization of the buy sell software in the platform going down caused those issues. And one of the things I noticed as we went into uh, this Coronavirus lockdown was how exposed organizations were to consumer grade everything.

And my experience was... and this is no joke, for the first three weeks of lockdown our broadband connection was out. Um, and I rang our provider. And so I spent four hours. I'm not even kidding, on the phone. I didn't get a resolution. And, um, you know, I had to basically ring them back the next day and, you know, my, my work life very much, I'm sure like yours is, revolving around speaking to people, VC sessions, like I'm literally crippled without internet.

Um, and there you go, you know, when we hit this kind of work from home, at scale organizations are exposed to consumer grade support levels with no options to revert back to a business phone number or priority support, it just doesn't exist.

Shannon Sedgwick: [00:14:54] Exactly. Yeah. And I, I, I had a similar experience. Uh, we must have had the same provider because I ended up changing providers um-

Garrett O'Hara: [00:15:02] So did I [laughs].

Shannon Sedgwick: [00:15:04] ... because I, I didn't get the service I needed. I actually... I ended up hotspotting every phone in the house that I had, um, in order to be able to have internet for the first three weeks of this, um, lockdown, um, which was not ideal considering the, um, the work that I need to do. So there was no video conferencing for me, it was all done through audio or just phone calls.

Um, but, uh, yeah, you're right. And that [inaudible 00:15:31] data breach, um, is, is a good example of that. And, um, it's also a really good case study on, um, communication gone wrong because if you, you saw in the news and I believe ABC covered it quite well. Um, the actual software provider, um, got onto the news, and responded by saying that, um, that there is no risk to the client's data, and it wasn't their fault that they got hacked, and a complete denial, and lack of transparency.

And, um, they said that the data wasn't at risk, even though the data had been shown to be exposed uh, just completely the opposite of what the actual facts were. And I think they did themselves quite a bit of damage by, um, by doing that. But, um... and also, uh, another third party, third party data breach that was, um, that hit Australia quite hard if you remember, it was the PageUp data breach, I believe that was out of, um, they were based out of Spain. Do you remember, uh, I think-

Garrett O'Hara: [00:16:29] [HR bluff inaudible 00:16:30].

Shannon Sedgwick: [00:16:30] Yeah, the HR platform. Yeah, that's right. And that affected a number of not only private organizations, but fairly significant government agencies, um, so that, that was uh, disastrous and showed that third party, um, supply chain risk. Um, yeah, yeah very interesting.

Garrett O'Hara: [00:16:49] It's, it's funny. Go back to Bruce Schneier uh, made the comments, it was probably at [inaudible 00:16:53] or one of those conferences, which I think we're going to talk about in a little while. And, but he made the comments that, you know, we, we basically work in a, in an environment where you're forced to trust everybody, but you can't trust anybody. And, you know, the reality that tentacles of the supply chain are so complex these days and, you know, the knock on effects and what it means to you know, have a vendor that you work with if they are breached and, and how exposed you are.

And based on that, um, definitely interesting days. Like one of the things we, we sort of talked about, and I think you, you know, you've got some uh, strong opinions, and opinions on this area around, you know, when, when things like COVID and uh, coronavirus hit have, you know, sometimes people let's be honest, like the, the technology vendors out there don't really do a good job of uh, treating it with respect, and then maybe use it in a way that's not, um, yeah, not, not sort of uh, seen as kind of, for want of a better word, nice. Um, like, what are your, what are your thoughts in terms of what the problem is there?

Shannon Sedgwick: [00:17:56] Yeah. You know I think it, it stems back to a bigger problem. So I, I think that when incidents occur, regardless of whether it's COVID or data breaches or IT related incidents, there's a number of vendors and quite a few of them that end up doing something that is akin to ambulance chasing or using that incident to say, "Well, this is something that is terrible, that has happened. But if you used our services or products, it could have been avoided."

And if they don't specifically say that, you know, that, that's what they're trying to say. I think that's really, ham-handed marketing. It's not a way to sell your services. And to be honest, it goes back to a larger problem is that you have a lot of these, it's not often really mature organizations that do that, um, or large organizations 'cause they've got fairly slick um, marketing skills, but they still make these mistakes every now and again.

You find these technical people who are absolute geniuses in what they do, their ability to deliver the work is just brilliant. And they think that because they are quite adept in the actual skills that they have related to you know, the services or the products that they provide, that they're able to run a successful business. And it, it takes a lot more to run a successful business than just having the ability to deliver those services.

You know, you've got to be, uh, you know, there's capital allocation and finance and HR, and a large part of that is marketing and sales. And they haven't been taught how to do marketing or to do sales um, in a way that engages with the market. So they do this ham-handed marketing, where they sell the people straight off the gate, cold emails, cold phone calls. And, you know, that might work for some industries, but when you're trying to build relationships and build from a, a, a base of trust, like you do have to do in cybersecurity, particularly, um, that that type of approach just doesn't work.

And it's about communicating the value that you add while building trust with the client. And I you know, I speak to a number of people about this, and people always focus when they talk about trust or trust with a client, you ask someone what trust means, and they say, "Oh, it's... usually it's an iteration of a, of a version of, well, it's our ability to, or, um, our promise that we're going to do what we say we can do that or with that we're able to do what we say we can do."

And I would argue that there's a second pillar to trust. That would be the first pillar. Yes. But the second pillar of trust, and it's the one that is most, most uh, often avoided or, or ignored is that you have that person, or that organization's best interests at heart, not your own. So you're not driven by the sale or the revenue, you're driven by your um, intent to help them as a first priority.

And there's not many organizations that can put their hand on their heart and actually say that, and be honest with themselves. And, and it comes down a lot to incentivization, you know, incentivizing your sales force with short term, term, term revenue goals, in my opinion is a mistake. I don't think that they should be incentivized that way. They should be incentivized... an option for their incentivization would be project delivery success.

So from start to finish. So you'll see a lot of sales teams, they're at loggerheads with their delivery team because the sales team just gets it up to a certain point and they, they win that project. And then they've promised all these different things that they often don't have full awareness of what they've promised. And then the delivery team are, "Here you go. Here's the shit sandwich that you now have to take a bite off and deliver."

And it creates friction between the sales team, and the delivery team. And there's a lack of trust there internally. Additionally, on an external point of view, when a salesperson reaches out to a prospective client, the prospective client knows exactly what that sales person is after. They know that they're looking for a short term sale, and that they are nothing probably, but a number to them, a revenue, a short term revenue target.

And it... straight away, you're starting off the relationship from a position of mistrust. And I don't think that's the right way to go about it. There are, there are better ways to do things. I think organizations need to be committed to helping their clients, even if it's not them that's gonna be the ones helping them, because it develops that longterm trust. We need to take a longterm picture on how we're going to help our clients, because that's what builds trust.

If you can do something for them that doesn't benefit you, then that's proof there that you are in this to help them not just to pad out your revenue or to meet your... so you can get... meet your targets so you can get a bonus at the end of the year. But going back to my point about being incentivized by instead by project delivery success. So you, and the delivery team both work together on the sales, the proposal, um, and the scope of work. And then, um, the sales team are also engaged in delivery success by measuring customer satisfaction and KPIs, delivering the project, um, with, uh, within margin targets.

And then at the very end of that, that all of those, um, those KPIs or those measurement points come together to form that project delivery success, and both the sales team, and the delivery team are measured, uh, for their bonuses or for their, their incentives at the end of each financial year, based on that project delivery success, just if you have the sales team incentivized by short term revenue targets, but the delivery team incentivized by something completely different, what do you think is gonna happen?

You're giving everyone the same goal, but incentivizing them to do completely different goals, and people wonder why they're at loggerheads. So I think, I think organizations could do a lot to improve that relationship both internally and their incentivization, and to really view what the real purpose of their company is. And having a purpose that goes beyond profits is hugely important in this day and age. Um, and it really comes out in their marketing and in their sales, um, what their focus is and whether they're really committed to helping people.

You know, you can get far more traction, say if you share a post on LinkedIn by commiserating or showing empathy or congr- congratulating a company on what they've done well, empathizing with them on, you know, the struggles that they're going through without selling your products, you're still going to get far more engagement from doing something like that. But if you put up a salesy post, you, the only people that are gonna be liking that post are either the people that work with you or for you, nobody outside of that is going to do it.

And you see that all the time with organizations, they'll share a post that have an internal blog that just is real salesy, and you'll see nobody but people from the organization like, or comment on it. And it's, it's just a waste of content. You need to make it engage with your audience, and show that you're not just there to sell crap to them.

Garrett O'Hara: [00:25:25] So you mentioned uh, to me a trigger word, which is authenticity. And I think, you know, not to sound like [inaudible 00:25:33] or anything, but, you know, I [crosstalk 00:25:35] think that is... Yeah, me too. Uh, my wife is a... she's actually a certified [inaudible 00:25:39], uh, she uh, she spent some time over in Austin, Texas doing that.

Shannon Sedgwick: [00:25:43] Oh you're joking. Oh, that's brilliant.

Garrett O'Hara: [00:25:43] So, um, I live with, I live with somebody who is trying to fix me, and uh, [inaudible 00:25:48]-

Shannon Sedgwick: [00:25:48] [laughs].

Garrett O'Hara: [00:25:48] ... is her vehicle [laughs].

Shannon Sedgwick: [00:25:51] [laughs] That's amazing.

Garrett O'Hara: [00:25:52] So, I'm a huge fan, um, which my wife is gonna find hilarious that I've mentioned her on this, but look, you know, the idea of authenticity, um, I think for me, is something that absolutely resonates and that, um, you mentioned a few things that I think are, are really important. Um, so I feel like there's a tension between authenticity, um, and something that I believe is probably caught in many people, um, salespeople, technical people, um, managers, I think there's a, uh, a sort of craving for that at the moment.

And then I feel like there's a friction, and that's... those people hit against, which is the expectation for growth in, in every business but probably particularly in publicly traded companies where, you know, analysts strive, you know, being honest, it's the analysts that drive more often what's happening rather than what's best for a year or two years out.

Um, you know, putting you on the spot like, what's the fix there? 'Cause it feels a little bit sometimes, you know, it's just, you know, it's just a systemic problem rather than broken people. They're, you know, they're, they're cogs in a machine that you know, I think we'd probably all like to be different.

Shannon Sedgwick: [00:26:59] Yeah. No, no. And, and I get completely what you're saying, and I agree. If, if you look at... and uh, here's a little bit of, uh, economic history for people who haven't really studied this and it might be a little bit boring, but I find it interesting. So I'm gonna charge ahead anyway. Um, if you look in the nineties, I believe it was 1970s uh, a guy named Milton Friedman submitted to the, um, you know, the business round table in the U.S. that the sole purpose of an organization is to return, or is to return profits to its shareholders, so to speak.

And that was the method of operation for almost all businesses worldwide, um, up until the last few years. And it was then decided, uh, by the business round table to do away or to add to Mr. Friedman's, uh, worldview on the purpose of business, and say that it is to um, is the benefit of all stakeholders, not just profitability. So it really ties into that purpose that goes beyond profits, but there's a lot of organizations who have yet to transition to that manner of operation, or like many have, they've outwardly said that they are for a purpose that goes beyond profits.

And you'll see them spout all of these um, you know, buzzwords like diversity and inclusivity and, um, inclusion, sorry. And, uh, you know, um, all of these words that, you know, if they, if they actually followed through with them and delivered on them, they're brilliant initiatives, and it's everything that we should be focused on, but the... behind the scenes, and anybody who works within those organizations can attest to that their purpose really is just profitability and, and short term revenue targets.

So, I think that does even more damage in the long run because they're not living up to their purported values. So I think there are some organize- many organizations that are still making that transition and are yet to realize the true value of a purpose that goes beyond profits, and a really strong corporate social responsibility that they live and die by. Um, and those that really do commit to those, um, values and being value-driven, uh, in the long run, are gonna be far more successful and others will be playing catch up.

I think that transition is happening quite quickly particularly with, you know, you saw what happened with the Royal Banking Commission. There, um, was a huge public outcry, and I think that's gonna be, uh, when we look back on it, years from now, it's going to be a, a known as that turning point in Australian um, business and government, um, of where the public is holding executives and organizations accountable far more um, than they previously would have.

There's an expectation that organizations have to not only return value to their stake- their shareholders, but all other stakeholders, including, you know, the community, and the um, nation with which in... with, within they operate. And I think social media and technology has only furthered that need for transparency.

Garrett O'Hara: [00:30:32] Yeah. It's becoming a bit of an expectation. You see organizations that are B Corps and, you know, Stone & Wood is probably the one that pops into my mind because I love their beer. Um, but you know, you've got insurance companies like Lemonade, and, um, and those organizations were like... what are your thoughts on, like, almost authenticity and forced transparency, because you've actually been audited by an external organization so that there's some sort of congruence or alignment between, you know, what's happening inside the organization versus what the external comms are?

And, you know, the corporate social responsibility programs that are out there, which are lovely and great things, but they need to, in my opinion, be congruent with internal cultures, internal communications, and what happens on a... what are we on today, you know, like a Tuesday afternoon when nobody's looking. Um, like, that feels like the important stuff. What are your thoughts on, like, B Corps and that, that sort of, that idea of, call it certifications, you know?

Shannon Sedgwick: [00:31:30] Well, it comes down to, uh... and we spoke about it before, but, um, uh, you know, in cyber security, compliance doesn't equal security. And it'd be the same thing with this: just because you're compliant with a certain standard or you have policies in place, or you've ticked these certain boxes, it doesn't mean that's actually what's going on behind the scenes. They can often put a tick-the-box, you know, um, token effort into these, um, into these, uh, initiatives.

And I think it takes buy-in and communication from the very top of the organization, from board through to the executive team, and a real living by their values of those individuals, and their teams, to show that the company takes it seriously and that that's expected from the, um, chairman all the way down through to the interns. Um, and it does have to come from the top down; trying to enforce change from, um, the bottom up just doesn't work.

So, um, you know, I think those compliance initiatives and the actual certifications can help, but only if it's organization-specific, and they take a, um, approach that is a... they live by that certification, or by those, those initiatives and those values, as well as complying with it outwardly. I think if they can pro- do both, and match their external, uh, communication with their internally lived values, then that's a very, that's very strong.

Garrett O'Hara: [00:32:57] Yep. Absolutely. So I'm gonna, I'm gonna use that word. I'm going to pivot a little bit, um, 'cause one of the other things that, uh, we've talked about before is the, the minefield of conferences and, um, you know, what, what that means in, in sort of the modern world. And so I know you've got some thoughts on, on that and the general value of conferences. So, look, I'm gonna come out and say it, like, I- I'm a big fan of attending conferences for content, and I love the kind of network aspec-, excuse me, the networking aspects.

So for me, that these days generally means meeting people from other vendors, and meeting people from within the industry, academics, really like that. Um, and then there is this other side, um, which is probably less useful. Like, what do you see as broken in the current kind of model for tech, tech or cyber security conferences?

Shannon Sedgwick: [00:33:52] Yeah. Conferences. Um-

Garrett O'Hara: [00:33:54] [laughs].

Shannon Sedgwick: [00:33:54] ... it's, it's a good question. I, you know, I, I feel the same. I actually enjoy, um, going to conferences as well, for that networking, and for that engagement with, uh, my peers and, uh, you know, prospective customers, and just having a chat with people and learning what's going on in the market and, and hearing experts in their particular field speak. However, we have to think about what really engages with the audience and prospective customers.

And again, does anybody want to be sold to? No, they don't; nobody's interested in being sold to. The booths and the sponsors and, you know, you see these hundreds of booths that are lined up around these conferences, and they're all trying to sell you something or show their latest and greatest wares. And, you know, some of them are giving out merchandise, and trying to entice you to enter into draws, just to get your email address to spam you down the track.

And, you know, they do have some interesting tech at some of these booths, but a lot of the sponsors have bought speaking, um, you know, um, bought places as speakers within, um, that conference, and it's just covered in branding. It's just, it's just one giant three-day sales pitch, um, in a lot of cases. There are some speakers that add quite a bit of value, and aren't there to sell their organizations, um, but more often than not, you get speakers who stand up and say, "This is why we're the best. And this is what we're doing," and salesy, salesy nonsense.

And you see people in- people inwardly groan and, um, roll their eyes and, you know, everyone's bored and on their phones while this person's pitching their company services, but, um... or talking about case studies that they've worked on, just to point out how great they are. In my mind, the investment that goes into booths, um, isn't wor- isn't worth the return on investment, not from what I've seen.

Um, I think it would be far more valuable for a company, rather than paying for a booth, to buy tickets for quite a number of their staff just to go there and engage. Um, yeah, you don't need to wear branded company marketing, you don't... in my mind, a really strong conference... And I think we should educate, not sell. Uh, a really strong conference would be where there are no booths, there is no branding, there are no sponsors.

There's um, experts that get up and speak about their relevant areas of expertise to share their knowledge with the people in the room. And the only time they mention the company that they work for is in the introduction. And then after that, if they're int- if people are interested in, you know, procuring their services or products because of what they spoke about during their expert presentation, then they can go up to them afterwards, and speak to them, and network with them.

I think that would be far more beneficial for a conference. And I understand that conference organizers have to make money. I would rather pay double for a conference ticket where I didn't get sold to, I didn't have to deal with over-aggressive booth, uh, organizers, and [inaudible 00:37:15] sales pitches dressed up as expert presentations.

Then, you know, I'd rather pay double for one that didn't have all that, and just had a place where myself and my staff could go and learn, and be educated, and to learn from our peers without competition or, you know, um, bragging about what we're doing in the market. And everyone I've spoken to, um, about this idea and about that different way of doing things is quite interested. I just haven't seen that done well yet.

There, there was, however, online just recently there was, um, organized by, uh... but his name slips my mind, but, um, it was the, they did the, um, it's like a couch potato-themed, um, cybersecurity event over a couple of days, organized by a guy in Canberra, and his name is on the tip of my tongue. Did you see that?

Garrett O'Hara: [00:38:10] I didn't. I feel like I'm on the outside looking in here.

Shannon Sedgwick: [00:38:13] [laughs]. Yeah, yeah, and I'll, uh, I'll have to, I'll have to get you the name of it, but they did it brilliantly. They had a whole range of speakers talking about a, a range of different topics, and, uh, he's going to kill me for not remembering his name. Um, and, but the, um, but the conference was just amazing. There was no one selling anything. It wasn't branded. It had a bit of a, you know, um, a, a, an image that, uh, they developed, um, that they were selling shirts for, and things like that.

But no, they weren't there to make money out of it, though. They were there just to educate people. And it was by far the most enjoyable and successful conference that I've seen. Um, and if we could transition that from a virtual environment to something in person, I think the benefits would be even, even, uh, even larger. So, um, not everyone's going to agree with me on that. Some people might get a good ROI on, um, conference booths, but I'm yet to meet the person that, um, that has a... that would agree to that.

Garrett O'Hara: [00:39:16] Yeah. It's definitely an interesting one. Um, and I know I mentioned this to you last week when we chatted, but uh, [inaudible 00:39:22] from [inaudible 00:39:22], wrote one of the, the best kind of breakdowns of the [crosstalk 00:39:26]-

Shannon Sedgwick: [00:39:27] Yeah, I read that, that was great.

Garrett O'Hara: [00:39:28] ... He, he was... yeah just a phenomenal, and, and sort of felt real analysis of what it was like to go to [inaudible 00:39:35] in the U.S. and you know, how much it costs to buy the, the carpet. And, you know, it's an extra 300 dollars if you want to choose the color of the carpet.

Shannon Sedgwick: [00:39:42] Yeah.

Garrett O'Hara: [00:39:42] Um, so, like, phenomenally expensive. And I think the point he made was sort of aligned, actually, with, with what you're saying, which is spend less on the booth. You know, you don't need a huge booth, but what you do need is, uh, the ability for, well, your existing customers to come and say hello. So there is that relationship-building side of things. And then for folks who are genuinely interested, you know, you've got a demo booth or somewhere you can have a, a real conversation around, uh, excuse me, around the value that you can provide.

Um, but it's, you know, back to that word authentic, you know, you're there to talk about the value of what you do rather than potentially selling. I mean you're, you know, we're all adults at the end of the day, we have to sell stuff 'cause that's where the money comes from.

Shannon Sedgwick: [00:40:20] Of course.

Garrett O'Hara: [00:40:20] Um, but it's, I think it's how you do it. And I thought-

Shannon Sedgwick: [00:40:23] Yes.

Garrett O'Hara: [00:40:23] ... uh, [inaudible 00:40:24] article, I'll include uh, in the show notes. We'll include a link to that if people are interested and actually, um, we'll maybe get the, the name of that conference that you mentioned as well and just put a little link-

Shannon Sedgwick: [00:40:32] Yeah.

Garrett O'Hara: [00:40:32] ... in there to, uh, assuming that it's not inappropriate for a vendor to, to be the... to, to kind of [inaudible 00:40:39] promote something like that, and I'd be more than happy to, to get the word out there. Um, Shannon, we have well and truly blown over the time.

Shannon Sedgwick: [00:40:47] I think so, yeah.

Garrett O'Hara: [00:40:47] Um, so probably, uh, I know, I know you're somebody who's passionate about a lot of this stuff, so could happily talk, uh, for, for a long time, I suspect, and hope we get a chance to do this again.

Shannon Sedgwick: [00:40:57] Yep.

Garrett O'Hara: [00:40:57] And, um, but for now, what I will do is say thank you. I really do appreciate you taking the time to, to talk to us, and really appreciate the, uh, the insights, and, um, and also appreciate the honesty. Um, I think it's important stuff to talk about. And, and you're right, I think some people won't agree, and that's fine. You know, I think we-

Shannon Sedgwick: [00:41:15] Yeah.

Garrett O'Hara: [00:41:15] ... we need to be able to have these conversations and, and disagree, and sometimes agree, and to, to kind of move things forward. So thank you for the, the honesty and the authenticity [laughs].

Shannon Sedgwick: [00:41:25] Yeah, no problem. Thanks for having me, mate, and, uh, anybody who vehe- vehemently disagrees with me, and wants to send me some hate mail, uh-

Garrett O'Hara: [00:41:31] [laughs].

Shannon Sedgwick: [00:41:31] ... you can go to [@shannoncyber 00:41:31] on Twitter [laughs]. I'll, um, uh, I apologize for my rants, but, uh, hopefully somebody gets something out of them [laughs].

Garrett O'Hara: [00:41:40] Most definitely. Thanks. Bye.

Phenomenal stuff. And thanks again to Shannon for taking the time out to speak to us. I'm a huge advocate for having those conversations around the difficult stuff, or systems that don't deliver outcomes, really, just in this period of progress. As always, thank you for listening to the Get Cyber Resilient podcast. And we do have a backlog of great episodes to dig into, so please enjoy those until I catch you on the next episode. Stay safe online, and these days offline too.
