The Get Cyber Resilient Show Episode #8
In this working from home edition of the Get Cyber Resilient Show, Garrett O’Hara chats with Craig Ford, author of ‘A Hacker I Am’ and Senior Security Engineer at Davichi Computer Services. Craig and Gar speak about careers in cyber security including what employers look for, mentoring and diversity in the industry, along with current cyber threats and how to get back to basics.
The Get Cyber Resilient Show Episode #8 Transcript
Garrett O'Hara: [00:00:00] Welcome along, everybody, to another episode of The Get Cyber Resilient podcast. This week I'm joined by Craig Ford, who is the author of A Hacker, I Am. Craig is also the senior security engineer over at Davichi Computer Systems. And this week in the interview, we talked about careers in cybersecurity. What people look for when they're hiring security talent and those talents that are sometimes hidden? And we talked about mentoring. Uh, we talked about diversity in the cybersecurity industry. We definitely talked about current threats. And Craig has some comments around how to get back to basics there. And we round out the conversation with the human side of cyber security, which is one of my favorite topics.
You will hear in the background some noises. Um, both of us were recording at home because of the coronavirus situation at the moment. So, you'll hear some of the sounds of humanity in the recording potentially. Uh, but either way, so I hope you enjoy the conversation.
Welcome, everybody. I'm today joined by Craig Ford of Davichi Computer Services. Craig is the Senior Security Engineer over there. Uh, he's also a CSO journalist and a blogger. And recently, he's the author of A Hacker, I Am. Welcome along, Craig.
Craig Ford: [00:01:12] Thank you. Uh, pleasure to be.
Garrett O'Hara: [00:01:14] Awesome. So we've met a few times at conferences. Um, I've sort of avidly follow you and s- sort of other people in the security industry on LinkedIn. And you're a regular poster. Um, you've obviously got a pretty broad knowledge of cybersecurity, and, and you certainly seem to be into it. And one of the chapters in your book is you want a career in cybersecurity, are you crazy? So, are you crazy?
Craig Ford: [00:01:36] Yes, sometimes, I, I think I am. [laughs] It's a, um, definitely a crazy job. Um, get you in troubles all the time. And I think it's, um, yeah, definitely it was a good topic to go through, particularly, on my book, um, just to sort of give people a bit more of an insight of what it would be like, as part of the cybersecurity industry, sort of the day to day sort of grinding. Um, just to give them a bit more open in understanding of what it really is like to be a security engineer.
Garrett O'Hara: [00:02:00] So, do, do you run VBScript to find the IP addresses, uh, you know, all that stuff that you see in the movies where, um, you know, it's all UI-based, weird, gooey stuff? Um, does that [laughs] i- is that how it really is?
Craig Ford: [00:02:12] I wish it was that [laughs] easy sometimes but, um, no, it- it's definitely more mundane, a bit more dry, um, definitely not the, uh, Hollywood style you would see on the TV. But, um, it's still definitely an interesting sort of career you, you learn quite a lot, and you, you get to see quite a lot. So, yeah, it's definitely still a great career, but definitely not the, uh, Hollywood style you would normally see.
Garrett O'Hara: [00:02:32] So, what type of person do you think it would suit? Like if you think about the, be it from a hardware perspective and its selection criteria that people would be maybe looking at? Like what, what's the kind of the profile of a good se- security engineer or somebody working in cybersecurity?
Craig Ford: [00:02:47] I think probably, in my personal opinion, I think the biggest traits you'd be looking for is someone that has a keen interest in technology, to start with. Um, and one that sort of has an attitude was sort of like a, a dog with a bone kind of scenario where they sort of find that sort of an issue and they just want to keep digging until they find whatever the result is or whatever the issue is until they get that end result. I think that, that kind of attitude and that kind of sort of mentality is definitely a big thing in security, particularly, in the incident response, kind of arena.
Garrett O'Hara: [00:03:20] So, uh, that sort of sense of tenacity. So, uh, I mean, m- fair to assume, you need the technical skills. You can't get away from that, but there's probably a bunch of kind of soft skills or, you know, personality types that would, would suit this kind of gig.
Craig Ford: [00:03:34] I think the, um, sort of the technical skills mostly can be taught. I think those soft skills that you're talking about is probably the, the biggest component, um, particularly, someone who's coming into the industry. We can always teach them how to do things. Um, so, I think if you've got someone that has those right, sort of, personality fit and has that tenacity and wants to continue to learn and push through that, um, I think that would be better than someone who already has the particular skills as they're coming in.
Garrett O'Hara: [00:04:00] Yep, definitely. So, how did you get into it?
Craig Ford: [00:04:03] Um, it was a bit of a strange thing actually. It was just, um, one of the decisions I had as a, um, general manager. I started to, um, do a Masters of IT Management with Charles Sturt. And, um, I've got a unit... I just chose it, uh, randomly. I just thought it sounded interesting in, in, um, incident response. Um, and I sort of just got a bit of a, a taste, I supposed you would say, the security sort of environment what they do, what sort of scenarios you'd be looking at, and just sort of I got the bug, uh, and having stuff since it's just sort of a maybe constant push since then towards security.
Garrett O'Hara: [00:04:39] Yep. It sort of seems like, uh, something that could... I suppose drags people in, in a way. And, and, yeah, I find it kind of really interesting. I came from a completely different background, also. And it's probably one of the... yeah, for me, it's been probably the most interesting job I've done so far because it feels very human. Um, you know, you're not, you, you're not kind of abstracted. You're actually just very kind of close to protecting people's businesses and making sure that they kinda, uh, keep their doors open sometimes.
Craig Ford: [00:05:05] Yes.
Garrett O'Hara: [00:05:06] And, uh, yeah, it's sort of, like, a talk about the, the fight between good and evil. Um, and I feel, like, yeah, we're on the, the good side of things. What are the, the sort of hidden talents you might see when you're looking to hire security talents? What are the kind of things that you would be looking at for?
Craig Ford: [00:05:21] I think, um, particularly, as we sort of move further and further into more of the human side notifications of security, which is a big component of security these days, I think, it's that ability to connect with people that you wouldn't normally have had in a technical person before. I think that is definitely a bonus. Um, so in that, I can sort of easily relate with people and sort of bring them into the fold and help them be part of the security, sort of, protections and part of the whole program itself. So I think, yeah, definitely, the, the human interaction and the ability to connect with people is a, is a huge, sort of, talent I think we need to pull in more into the industry.
Garrett O'Hara: [00:05:57] Definitely. It's funny how often that comes up when we talk to CISOs, that, yes, you, you kind of are a security leader, but actually the people thought of it is incredibly important. Um, you know, you've got to be persuasive. You've got to know how to work with other parts of the business. And it's not enough to just be really, really good at security. Actually, you need to be a people person, more than a security person sometimes in those kind of more, uh, senior roles. So I definitely, definitely take what you're saying.
Um, there's, there's obviously quite often, um, a big gap in skills with somebody like yourself who's been around for quite some time. And, um, I actually had a coffee with a guy recently, got called Michael, who is looking to get into cybersecurity. He's a graduate. A really sharp guy. Um, and you can tell, he will be amazing. But he's starting at like, how do you, how do you kind of... how do you get somebody who's brand new to the point where you're at? What are the sorts of things you could see as being useful?
Craig Ford: [00:06:53] I think the, the biggest thing was, particularly, as you're sort of moving into the industry, I've, I've, I've talked to a few people about the same sort of scenario. I think what they sort of need to do is be persistent, um, continue to keep working at. And a lot of them get sort of disheartened, I suppose, you would say, um, as they sort of try and come in if they get a few knockbacks and the things like that, as they're trying to get into the industry, which we all have. I had many myself before I actually got that first gig, doing security work.
So, I think they need to be persistent, join up with your sort of local groups, like, you know, ISI or, yeah, you know, security meetups, sort of become part of the industry, read some blogs, learn... just continue to learn, continue to push, and you will get the opportunity. It's just gonna be that persistent and not take things personally when you don't get those first opportunities you try for. I think that's probably the biggest thing is just keep at it. You will get the opportunity. It's just, you know, something you got to work at.
Garrett O'Hara: [00:07:49] Yep. And, and that's the thing I kind of see such, and a huge amount of talent in Australia, like an astonishing level of talents, a, a huge pool. And then sometimes it is just getting that start and, and then away you go. You know, you're on your track. Um, did you see mentoring as something that's kind of been becoming more and more common in our industry?
Craig Ford: [00:08:09] I think so. I think, particularly, as sort of we need to feel that sort of pool of talent faster and faster all the time because of the demand that we, that we sort of have at the moment. I think, um, I actually have an involvement with, uh, CCM, Cyber Century Mentoring, um, which is that sort of same scenario. It's a way of trying to bring in that talent as they come through and sort of help [inaudible 00:08:30] in the right direction. And I think that is extremely important, sort of, as we move forward in the, the industry in Australia grows more. Um, I think it, yeah, it's, it's really important that we sort of, sort of push that mentoring, sort of, thing and help sort of guide them in those right direction. So, hopefully, they can make a few less mistakes on that journey in the industry, like, some of the rest of us already have.
Garrett O'Hara: [00:08:51] Yeah, yeah. Definitely will put my hand up on, uh, making many mistakes, not just in this industry, but pretty much every industry I've worked in so far [laughs]. That's where we-
Craig Ford: [00:08:59] [crosstalk 00:08:59] on it [laughs].
Garrett O'Hara: [00:08:59] Uh, yeah, 100%. But that, that's, that's kind of where you're learning in my experience. Um, so, you know, the, that's the, I call it the human side in terms of the talent pool. I suppose the other side of it then is the humans, uh, we protect, you know, day to day. And, you know, one of the things that you and I, I'm pretty sure, have talked about, I feel like everybody in the security, uh, end up talking about the, the humans, you know, the, the human firewall, um, education, you know, call it whatever you want. Like what are your thoughts on, on that? You know, how do you kind of connect with users? What are, what are some tips that you would have or, or things that you've seen, maybe, work really well?
Craig Ford: [00:09:33] Personally, I, I have done quite a few of these, sort of the security awareness training, sort of, scenarios and sort of the user interaction side of things. Uh, what I find is kind of try and talk on their level. Uh, I see a lot of, sort of, particularly security professionals, where they try and talk to them in our technical language, which really doesn't sort of work. Um, we need to sort of talk on, in their language, um, something that they understand. If they're accountants, they're not gonna understand anything in our technical side of things. So, sort of try to talk them as best as possible in the language they understand, and then, yeah, you'll, you'll definitely have a, um, an improvement, I think, on that sort of buy-in and the interaction if they can sort of understand a little bit more, and your kind of, uh, technical jargon. Um, I think that technical jargon is a, a big killer for buy-in, for sure.
Garrett O'Hara: [00:10:22] It, it's unbelievable. And I think we take it for granted that everybody else understands, you know what, uh, what... even the metrics that we report on, you know, things like spam numbers. You know, in the email space, it's spam numbers, things like malware. And, um, you know, but, to your point, like, what does that really mean, you know? I- is 50 million spam messages bad, or is it good or, you know, where does that sit? But from an end users perspective, the, the confusion over, like, what it means if they actually click on the link, or if they plug in the USB drive that they've had in the carpark. It's amazing how often there is that disconnect, um, in the language. Do you, do you think we're getting better as an industry?
Craig Ford: [00:11:01] I, I, I definitely think it's improving. I think we've got to keep working on it. I don't think we're quite at that point where we sort of get that real buy-in and a, the real understanding that they need to sort of get. Um, I, I definitely think it, it is improving. We see lot of the conversations now in the sort of the security awareness sort of training scenarios, where they actually will bring up those things that you don't plug in a USB, you pick up or you get from a trade show or something like that. They, they understand that sort of basic. So, it must be working. I just think we could probably continue to work on it and try and get that, sort of, buy-in a little bit better. But yeah, definitely I think we're going in the right direction and just not quite there.
Garrett O'Hara: [00:11:39] Yeah, definitely. I, I think we're seeing a move away from the, the, uh, like, for want of a better expression, compliance approach to training, and which I'm, I'm guessing, you've probably seen, or you have probably been through, actually [laughs]. You know, you, you watch the, the one-hour security video, sort of, maybe you watch it, maybe you don't, but you tick the box to say that you have. And the compliance team are pretty happy because they see their 90% or 95% completion, but you know, everybody still, it's the same stuff. But I feel like, uh, in conversations I've had with security leaders, they're doing some pretty interesting things where they're using gamification, um, they're using more of an advertising approach, they're using, uh, the approach where we'll... people will bring in like personal laptops and said, you know, "In a workshop we'll learn how to secure their personal laptop," but they'll learn from that and actually apply the same things to their work environments.
Um, it's, it's definitely feels like there's a, a change happening. And... But to your point, I think, yeah, we're, we're probably still at, in early days. So, you know, obviously the, the end users, we're trying to protect them, um, from all the threats that are out there. Like what are the, what are the current kind of threats? What are the current things that you, day to day, are seeing pop up in the environments that you're helping to protect?
Craig Ford: [00:12:50] I think probably the biggest coverage Mimecast and yourself, uh, are deeply involved in which is the, the phishing side of things. I think, that is not going anywhere. And it's definitely escalating to a bit of an extreme point. We see that quite a lot. And that's where a lot of the... your sort of ransomware and your crypto sort of viruses are coming through, which I think is probably the biggest threat at the moment. And probably other than that, I think it's the fact that a lot of businesses are ignoring those basics that they should really be covering.
Garrett O'Hara: [00:13:20] Right.
Craig Ford: [00:13:21] Um, so they're not making sure their backups are working properly, doing tests and getting all their updates applied because a lot of the actual breaches that aren't caused by phishing or something like that, uh, because that there hasn't been a security patch applied or something like that, that does actually let the threats through. So, I think people are gonna get back to some of those basics and sort of really get those basics covered to make sure that the, the threats are patched, sort of protecting themselves as best as possible, and particularly with that human side Mimecast is great. That's been an applaud for you guys.
Garrett O'Hara: [00:13:53] [laughs]
Craig Ford: [00:13:53] I think the quick protection side of it is really awesome. I think that's something that is great for users because it does help keep that, sort of, protection between them and the links. And I think it's, um, you know, quite great, that sort of scenario. And, and, and not a lot of people have that yet. And I think it's, um, something that everyone needs to sort of look at, I think that quick protection side of things.
Garrett O'Hara: [00:14:15] Definitely. I, like, 100% agree with your, your comments around back to basics. Um, can, can I ask you a question? So, as you, as you are working in environments, like, what, what do you think the reasons are when people or organizations haven't taken care of those basics? So things like backups or, um, you know, isolation, s- network segmentation, those kind of, those kind of things. What, what do you, what do you reckon the reason is?
Craig Ford: [00:14:38] I think from the general conversations, which I have a lot, which I'm sure you probably do as well with a lot of people about it, the general answer is, usually, it's too hard-
Garrett O'Hara: [00:14:47] Okay.
Craig Ford: [00:14:48] ... which I think is a little bit of a fallback sometimes. But, um, in some situations, yes, it's quite hard, like, with your, um, IoT environments instead of your, your normal IT, ICT environments. I- it is a lot harder because they're not normal, sort of, easily patchable environments, but with the normal base Windows environment. It, it's something that people can automate. I think they really need to, sort of, try to do it, spend a little bit of money, if necessary, just to get that down path. But, yes, it's usually they say it's too hard. And, uh, and I think we've, we've got to just, sort of, put your head down and actually push through that, and sort of figure out the, the right solution to do it. Simply something that I had to manage too often. It just does it for them.
Garrett O'Hara: [00:15:30] Hmm.
Craig Ford: [00:15:30] I think it's the best sort of scenario. And the other sort of answer I normally get is that it's boring. They don't want to do that kinda scenario. They wanna play with the blinky lights and the new flashy toys. But I think, yeah, I love the new blinky lights and flashy toys, but just get the basics covered first, and then everyone will be happy.
Garrett O'Hara: [00:15:50] And, and do you think, uh, as you, as you talk to that, one of the things that pops into my head is the, uh, like the separation sometimes between the people who signed the checks and that kind of boring work, as you say, sometimes, you know, it's seen as too hard.
Craig Ford: [00:16:02] Yes.
Garrett O'Hara: [00:16:02] Um, and in our experience, you'll have conversations where there's very, obviously, a security requirements and security leaders understand that they're trying to get budget from the business to do something that really is gonna risk m- management's, um, you know, project or process, and they will struggle to do that. Do you, do you feel like there's a change happening on the, you know, kind of the business side of the fence, where they're starting to understand more that, you know, this stuff is actually qui- quite important really and could be, could be the difference sometimes between, you know, being profitable or, you know, staying in business, or being able to keep head counts versus, you know, some of the horror stories that we see hitting the news on a regular basis? Do you feel like there's a change in the business side of things?
Craig Ford: [00:16:43] I think, slowly, yes. Um, i- it's still a bit of a, a very slow turning wheel. But I, I think, that, particularly with the media coverage, which sometimes is a little bit more Hollywood style, but, um, I think with that, sort of, media outlets sort of pushing those sort of stories all the time, it is becoming some more front of mind, so they, they are listening more, and they are sort of opening the budgets a little bit better, which is great for the security teams to, sort of, cover the... cover what they need to and do the protections they need. But, um, yeah, very slowly, but, um, yeah, at least, it's heading in the right direction. Hopefully, it continues to go that way. So-
Garrett O'Hara: [00:17:18] It's, yeah. It was, uh, like one of those dashboards that you've got a green arrow with a slight, kind of, uh, upward pointing, uh, direction, which, uh, yeah, I agree with. Um, so, g- I'm gonna, sort of, change tack here a little bit and just talk about the authorship. Um, you've written a pretty bloody good book, I'm gonna say. So like 50 chapters that cover a fairly broad range of topics. How's that, you know, sitting down to actually write something like that and, and get it out there into the world?
Craig Ford: [00:17:46] It's, um, a bit of a strange thing. Like, if you'd asked me sort of three years ago, I, I would have laughed if you said I was gonna write a book. So i- it's a different experience. Um, surprisingly, though, it's something I, I, I really enjoy. I, I love the, the writing side of things, which I never thought I would ever say, but, um, yeah, it's definitely a, a long-winded process. It, uh, took me about six months to put the book together. Um, but i- it's, it's on a, a bit of a benefit is the fact that it's on a topic that I'm pretty excited about and pretty, a big advocate for. So I think that probably helped push through. Um, it's a bit of a surprise for most people when they say it has 50 chapters. That's-
Garrett O'Hara: [00:18:23] Yeah.
Craig Ford: [00:18:23] It sounds like a lot, but they, they're nice, sweet topics that, sort of, try not to be too technical, and try and help educate as you, sort of, go through. And, uh, uh, uh, I liked a little bit of a twist, where you can just pick it up and choose any topic you like and just sort of read through it as you want.
Garrett O'Hara: [00:18:38] Yeah, 100%. I'm, I'm gonna describe it as a toilet book, but I mean that in a good way.
Craig Ford: [00:18:42] [laughs]
Garrett O'Hara: [00:18:42] Um, so, books like that-
Craig Ford: [00:18:44] [crosstalk 00:18:45] I've had that.
Garrett O'Hara: [00:18:45] Yeah. No, it's, it's a compliment.
Craig Ford: [00:18:47] [laughs]
Garrett O'Hara: [00:18:47] Um, and really what I mean is, uh, it's a book that you can sit down, you know, where you're somewhere for a couple of minutes, and you know open any chapter.
Craig Ford: [00:18:53] Mm-hmm [affirmative].
Garrett O'Hara: [00:18:54] You don't need to read the others to have, to have a chapter kind of makes sense in and of itself. So, a, it's a weird compliment, but you know, they're kind of... That's how [laughs] I, I think about post like that.
Craig Ford: [00:19:03] It's good. I'll take it. Yeah. [laughing]
Garrett O'Hara: [00:19:05] Um, yeah, definitely. Yeah, it's a good one. Um, where do you get your information from? So as you kind of go day to day, obviously, our industry is unbelievably fast moving, and there's new stuff every day, new threats, uh, new things to be across. Like what, what's your go to, I don't know, a good deal of websites you go to, magazines you read, books like what, what's yours, what's your source of information?
Craig Ford: [00:19:27] Um, a bit of a varied sort of environment, I suppose, you'd say where I get most of my stuff from. Um, if it's something highly technical, um, that I've sort of sent around, I've got a few go-to people that I would probably go and have a chat to saying, "Have you seen this?" Um, just sort of some close connections I have in the industry itself. Um, but I als- I read, um, Craig's, uh, online articles all the time. I think he's quite good, and just put some right amount of details, doesn't go over the top. And just sort of I try and read as many of the sort of industry-related security blogs that I can, but obviously, it's a, a bit hard to, sort of, find the time to read them all. But, you know, you just got to try and pick and choose the best topics, the ones that sort of relate to what you're doing and sort of try and get a decent coverage out of it.
Garrett O'Hara: [00:20:12] Yep. 100%. And I asked many people like what podcasts they listen to. Um, is there any kind of go-to stuff? There's a lot of good ones out there I think on cybersecurity.
Craig Ford: [00:20:21] Yeah. The- there's a few around. Um, I've recently started checking out the Mimecast one, which is a bonus for you guys [laughs].
Garrett O'Hara: [00:20:27] Yeah. Good, good answer [laughs].
Craig Ford: [00:20:27] Um, but, yeah, this... I sort of, um, don't really do too much with the podcast side of things, I'm more of a reader. But, um, yeah, definitely. Craig is the mind one that I read a lot of the time. I think he's quite good stuff, but there's, um, I can't think of the name of the podcast off the top of my head. But there is some I listen to when I'm on the train.
Garrett O'Hara: [00:20:45] Yep.
Craig Ford: [00:20:46] Um-
Garrett O'Hara: [00:20:48] And it does not feel like-
Craig Ford: [00:20:48] ... I can't think of the name [laughs].
Garrett O'Hara: [00:20:49] Yeah. Um, it does feel like, sometimes, with the podcast, it's a slower way to consume information. Like, I mean, for me, I like them because I'm on the bus-
Craig Ford: [00:20:56] Yes.
Garrett O'Hara: [00:20:56] ... and it's, yeah, it's how I absorb a lot of what, kind of, I suppose I learn. Um, but I know-
Craig Ford: [00:21:01] It's great for trains or buses. It's perfect for that.
Garrett O'Hara: [00:21:03] It's phenomenal, yeah. But as far as getting information, I feel like reading is just so much quicker. You know, I can read as much more quickly than I can listen to a conversation, but weirdly the conversation seems to stick with me more than [laughs] reading.
Craig Ford: [00:21:15] Yes. So, this sticks in the back of your head, and so you can bring it back [crosstalk 00:21:18].
Garrett O'Hara: [00:21:18] Yeah. Yeah. It, uh, it helps me sound like I know what I'm talking about, you know, just basically repeat things I've heard other people say on podcast. It's... And so far, it's worked [laughs]. Um, and I know you're, you're kind of working on something else in the background. Are we... Are you able to talk about that? I know you've been posting on LinkedIn about it, so I suspect it's okay to [crosstalk 00:21:36].
Craig Ford: [00:21:36] Yeah. No, that's fine. It's, um, two things actually. I'm, I'm working on the volume two of A Hacker, I Am, which should be out in the next couple of months, and, um, also a hacker fantasy, uh, called Foresight, um, which is a little bit different, writing the fantasies down in sort of the more serious cybersecurity stuff, but, uh, quite enjoying the process. But it will probably, I would say, three or four months, six months, at least, away.
Garrett O'Hara: [00:21:58] Awesome. So, you, it's amazing to me that you find time to, to do it all. Um, I'm always in admiration of people who manage to, like, you know, you've obviously got a, a fairly new, uh, child arrived.
Craig Ford: [00:22:09] Yes.
Garrett O'Hara: [00:22:09] And, um, you're a full-time employee and an author and a journalist and a blogger. It's, uh, you know, people like you blow my mind. So much respect. Um, a question for you. So, one of the things I know I th- well, I think is important to you, um, is the idea of diversity in the cybersecurity industry. Um, and to kind of get your thoughts on that and like what does that really mean.
Craig Ford: [00:22:30] I think, particularly, diversity in our industry, I think, it's probably a way we sort of should look at it. I, I think I covered pretty well in the book as well. Um, but, generally, I think what we need to do is to look at outside of just the, the male and female side of diversity and, sort of, stretch that a little further. I think we need to look at sort of your industry experiences, backgrounds and sort of get a really good coverage. I think that's the way we're going to find the right solutions moving forward, and how to protect our sales and how to work a little bit better together. I think if we can, psychiatry or psychology, that sort of scenario, and just even arts backgrounds, I say quite a few security people that actually have an arts background. So, it's, I think if we can bring people from areas outside of the technical side of things, I think it gives us more of a courage and a different way of looking at things, which I think is very important moving forward.
Um, obviously, w- what we're doing isn't solving all the problems, so we need to sort of-
Garrett O'Hara: [00:23:30] Yep.
Craig Ford: [00:23:30] ... have a bit of a look in a different way, and try and see if we can get that different perspective, which we can get from that true diversity, I think, you could say in the, uh, the industry itself.
Garrett O'Hara: [00:23:40] Yeah. Do you see moving that way? Because I, I kind of agree with you, and I wanna think about conferences, and I visualize the audiences, their, their other type. Um, and you know-
Craig Ford: [00:23:50] Mm-hmm [affirmative].
Garrett O'Hara: [00:23:50] ... and be kind of all we're in the industry, so we know exactly what that means. It's probably the same in many industries, unfortunately. Um, w- what do you think will change that or, or sort of, you know, move to change more quickly?
Craig Ford: [00:24:02] I think it's the conversations are definitely there. I don't know if we really, as you said, if we're really sort of pulling that diversity across yet. Um, I think it's definitely something we need to work out. I'm not entirely sure how we solve it simply.
Garrett O'Hara: [00:24:16] Yeah.
Craig Ford: [00:24:16] But I think we definitely need to, and we need to continue to have those conversations, and try and find talent pools where we can pull in from. Um, maybe look at a few different locations where we've never done before maybe in that sort of psychology arena. You know, the arts arena and see if we can pull in that same sort of ambition and drive that we need, and teach them the technical side of things. And particularly, when we're talking about the human side of the scenario-
Garrett O'Hara: [00:24:43] Hmm.
Craig Ford: [00:24:43] ... which is growing for sure. I think, like the psychology and the, the more human interaction side of, um, people's personalities will be huge. So, if we can pull that kind of diversity in, I think we'll be much better off.
Garrett O'Hara: [00:24:56] I think that's an incredibly important point because, like, as you're saying now, what I'm thinking about when it comes to the human side. And by that I mean the end users, you know, and, and behavior change. The best people in the world that are probably psychologists and advertisers, and neither of those kind of disciplines have anything to do with security, but they're very, very good at changing people.
Craig Ford: [00:25:16] Yes.
Garrett O'Hara: [00:25:17] And so like, yeah, it's, it's a, a spot-on perspective, you know? I think, we... Yeah, and, and almost relates back to what you were saying about the language that we use. And, you know, those as, for want of a better expression, technical people were quite often not the best people in the world to do the communication side of things, who are gonna try and attempt behavior change, because we're very, very good... Well, you, you're certainly very good at what, [laughs] what you do. Um, and, you know, I'd like to think I am, too. But when it comes to being a psychologist, like that's just not part of my kind of, um, repertoire. So, yeah, I think there's definitely a, a point to be made about ge- getting people in from other places.
Um, we're just ahead of our time, Craig.
Craig Ford: [00:25:56] Okay.
Garrett O'Hara: [00:25:56] Um, I really... Yeah, at this point, I wanted to thank you. I know you've got a very busy, uh, busy life. So, I really appreciate you taking the time to, to kind of chat to us today. And, um, yeah, I look forward to seeing the, the volume two of A Hacker, I Am, and, uh, and the next books that you're gonna produce, and also the, the journalism.
Craig Ford: [00:26:16] No, it is a pleasure, uh, having to chat with you. Um, hopefully, it's put a little bit of insight there [inaudible 00:26:21].
Garrett O'Hara: [00:26:21] Awesome. Have a good day, Craig.
And there you go, that was Craig Ford, the author of A Hacker, I Am. Craig's book is available on Kindle. And Chapter 35 is, is your mobile workforce secure? Probably a fairly important chapter to read at the moment with the coronavirus stuff that's going on. And folks, thanks, as always, for joining us on The Get Cyber Resilient podcast. I look forward to talking to you on the next episode.