• Garrett O'Hara

    Garrett O’Hara is the Principal Technical Consultant at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies. When not talking about the cyber security landscape, data assurance approaches and business continuity Garrett can be found running, surfing or enjoying the many bars and eateries of Sydney's Northern Beaches.

    Comments:0

    Add comment
Garrett O'Hara

The Get Cyber Resilient Show Podcast Episode #2

Content

Show Notes

Hosts Gregor and Gar talk about the influence that CIOs and CISOs need to wield within organisations in order to effect better cyber resilience and turn security into a competitive advantage. They also explore what ‘security fabric’ is and should be...plus more!

If you enjoyed The Get Cyber Resilient Show, head over to GetCyberResilient.com, a new online destination for cyber professionals in Australia and New Zealand.

The Get Cyber Resilient Show is brought to you by mimecast.com.

The Gartner IT Symposium: www.gartner.com/en/conferences/apac/symposium-australia

Listen to it on Spotify, Apple Podcasts, Anchor or just hit 'Play' above.

Content

The Get Cyber Resilient Show Episode #2

Transcript

Gregor Jeffrey:[00:00:00] Hello, and welcome to the Get Cyber Resilient Show. My name is Gregor Jeffrey. In this episode, we are live at Gartner IT Symposium 2019. We all know it can be challenging to secure your business, especially when you have limited time. The Get Cyber Resilient Show, brought to you by Mimecast, is the perfect way to stay up to date with the latest developments across Australia and New Zealand.

[00:00:25] Whether you're listening to this podcast commuting, cycling, jogging, or walking the dog on the weekend, you hear real stories from IT and security leaders, just like you. Don't get angry at downtime and data breaches. Get cyber resilient.

[00:00:38] So here we are at the Gold Coast in sunny Queensland. How, how are you enjoying that sunshine, [Gar 00:00:44]?

[00:00:44]Gar:[00:00:44] I am loving it. I'm getting out there for runs some of the mornings, and, uh, little bit of a swim, uh, today. So it's a great way to start the day before, uh, all the conversations that we've [laughs] been having over the last, what, three-four days. And, so yeah, great great location.

[00:00:59]Gregor Jeffrey:[00:00:59] So, four days at Gartner Symposium. It's a long conference. Uh, I think it's 120 sponsors here. Just looking at what socks you've got on, vendor socks. Once again, you're rocking the home team, Mimecast. I am wearing these socks from [Insight 00:01:14].

[00:01:15]Gar:[00:01:15] They're actually quite pretty. I feel like I'm going to get in trouble because I actually stole a bunch of the Mimecast socks [laughs] when they, when we c- when we brought them out. So, uh, they're on rotation. And people maybe think I don't change my socks; I do, they're actually different pairs. So. In case th- those rumors have been spreading-

[00:01:30]Gregor Jeffrey:[00:01:30] Well, we do have a new batch of socks for you-

[00:01:32]Gar:[00:01:32] [laughs].

[00:01:32]Gregor Jeffrey:[00:01:32] ... at Mimecast, so a- actually someone was like to me, "This is not an IT conference at all. It's a sock conference."

[00:01:39]Gar:[00:01:39] A Security Operations Center? Or-

[00:01:41]Gregor Jeffrey:[00:01:41] No, it's-

[00:01:42]Gar:[00:01:42] Is there a K in there? Or- [crosstalk 00:01:44]

[00:01:44]Gregor Jeffrey:[00:01:44] No K.

[00:01:44]Gar:[00:01:44] [laughs].

[00:01:45]Gregor Jeffrey:[00:01:45] Everyone is giving away socks and I think the, the IT component is just a backdrop.

[00:01:50]Gar:[00:01:50] I think it's our excuse to do a sock swap. Yeah, I agree.

[00:01:53]Gregor Jeffrey:[00:01:53] Yes. Okay. Ah, we met with three Gartner analysts over the last few days.

[00:01:58]Gar:[00:01:58] We did.

[00:01:58]Gregor Jeffrey:[00:01:58] Ah, we had some really interesting conversations. Uh, one guy from the U.S., couple of guys from Australia-

[00:02:04]Gar:[00:02:04] Yep.

[00:02:04]Gregor Jeffrey:[00:02:04] Uh, they, uh, at the forefront of, you know, what's going on in the industry-

[00:02:10]Gar:[00:02:10] Mm.

[00:02:11]Gregor Jeffrey:[00:02:11] ... they're speaking with all vendors and also, um, CIOs and CISOs, uh, at large companies right across the world. Uh, some great insights in terms of, um, you know, what really was interesting for me is that notion that, uh, CIOs and CISOs need to be able to, um, influence in a stronger manner-

[00:02:32]Gar:[00:02:32] Yep.

[00:02:33]Gregor Jeffrey:[00:02:33] ... up and down the tree within their organization. Uh, perhaps coming from a technical background, uh, they, you know, they have those table stakes of, um, sec- cyber security knowledge. Uh, and, you know, working knowledge too. But, how do they transfer those skills into a proper risk conversation-

[00:02:50]Gar:[00:02:50] Mm.

[00:02:50]Gregor Jeffrey:[00:02:50] ... uh, and also business conversation. So, you know, how can they influence.

[00:02:55]Gar:[00:02:55] Yeah, look, it's, it is a different world, isn't it, when you think about it. Uh, five, 10 years ago, even. Um, how the IT functions and certainly the security functions were seen in organizations as kind of a barrier, right, that's a cost to doing business, and um, the sort of psychology behind that.

[00:03:11] Uh, I feel like played with the ability or maybe, you know, hamper the ability for CIOS, CISOs to get things done. Because it's a course in turn that's kind of a, the way they're seen.

[00:03:23] And I really like some of the ideas around, kind of flipping that and seeing, um, IT obviously is a business enabler. And I think that is starting to be understood pretty well. But security as a competitive advantage.

[00:03:34] I think that's really, like it's a really nice way to look at this stuff because more and more, it's not really option, right? Everyone has to do it. Uh, the cost of the, you know, customer loss or uh, reputation damage; all the stuff that, you know, hits the news all the time. Like that's understood now. Within businesses. And it's understood by boards. We, we see that, you and I, um, with our customers, right?

[00:03:55] The, uh, the uptick in them wanting visibility into the value we're providing. Like we don't get to say, "Yeah, we're good" anymore. We have to prove that we're good through management reports and dashboards.

[00:04:05]Gregor Jeffrey:[00:04:05] Yes.

[00:04:05]Gar:[00:04:05] Um, so I guess for me, that interest from the board in the C-level is now transferring into like security as a competitive advantage. So if you're going to have to do it, why not do it well and, and be the, um, you know, be the company that uses it as an opportunity rather than friction or a barrier to getting things done?

[00:04:23] I think that's a really, it's an important distinction. And, and to your point, then around the, that ability t- to influence, I think those roles are changing dramatically, where it's, your words, like it's table stakes to be good technically. But now you've got to be an influencer within the business.

[00:04:38] And, and I think it was the last episode where we had [Shane 00:04:41] from [Reson 00:04:42]; that's a pretty good example of someone who's very very good at building relationships and being seen as somebody who gets the, the, you know, the business moving forward in a useful way, rather than the person who's saying "no" to, to, you know, programs at works or things because you need to build in security and sort of privacy, I suppose, by design, these days, you know.

[00:05:01]Gregor Jeffrey:[00:05:01] Yes. Uh, and look, the public's much more aware of security.

[00:05:04]Gar:[00:05:04] Yes.

[00:05:05]Gregor Jeffrey:[00:05:05] Ah, certainly with, uh, Facebook Cambridge Analytica scandal.

[00:05:08]Gar:[00:05:08] Yep.

[00:05:08]Gregor Jeffrey:[00:05:08] Uh, and numerous ones we hear in the news every day. Uh, the public, uh, demanding, you know, a stronger sense of security, uh, from the companies that they give over their sensitive data to.

[00:05:19]Gar:[00:05:19] Yeah, definitely. Um, and, and it is consumer [inaudible 00:05:22], I would say business level uh, also, you know, the supply chain we, we talked about that quite a lot over the last few days too. Where yes, you've got customers, absolutely.

[00:05:30] But you've also got your supply chain and there's a, I would say a, a starting to be [laughs] a requirement for good security and c- cyber resilience to be able to service this supply chain that you're a part of, whether you're a, a consumer or you're providing services to another organization that, uh, I think that's kind of an important, uh, important thing as well.

[00:05:50] And we talked a lot, actually, about the regulations, so things like [GDPR 00:05:54], the stuff coming out of California, like the stuff popping up all over the, the world at the moment. And uh, you know, that, that idea, that you, you're going to have to do this stuff anyways.

[00:06:03]Gregor Jeffrey:[00:06:03] Mm-hmm [affirmative].

[00:06:03]Gar:[00:06:03] So get ahead of it. Do it well. Build it in to your business.

[00:06:05]Gregor Jeffrey:[00:06:05] Yeah.

[00:06:06]Gar:[00:06:06] So, as, as the regulatory, uh, pressures and legislations come down, you're already set up and it's not a, you're not playing catch up.

[00:06:12]Gregor Jeffrey:[00:06:12] Yep.

[00:06:13]Gar:[00:06:13] You're already ahead of the game. So again, competitive advantage by doing this stuff now rather than kind of lagging from a tech perspective and sort of having to play catch up.

[00:06:21]Gregor Jeffrey:[00:06:21] Yeah. Um, and, okay, we've talked about security as a competitive advantage. What about, uh, I guess CISOs and CIOs being those drivers of change within IT, within the business?

[00:06:32]Gar:[00:06:32] Mm-hmm [affirmative].

[00:06:32]Gregor Jeffrey:[00:06:32] And we've, you know, a- again, we heard a lot of business buzzwords [laughs] this week too.

[00:06:36]Gar:[00:06:36] Did we ever.

[00:06:38]Gregor Jeffrey:[00:06:38] And we, I've got to say, [GARD 00:06:38], digital transformation-

[00:06:39]Gar:[00:06:39] Oh.

[00:06:39]Gregor Jeffrey:[00:06:39] ... was bandied around there.

[00:06:40]Gar:[00:06:40] Sure.

[00:06:40]Gregor Jeffrey:[00:06:40] [laughs].

[00:06:41]Gar:[00:06:41] Could you-

[00:06:42]Gregor Jeffrey:[00:06:42] However [laughs], you know, one of the analyst positioned it to us, uh, quite eloquently, how IT leaders can be those, uh, agents of change [laughs], air quotes.

[00:06:52]Gar:[00:06:52] Yep.

[00:06:53]Gregor Jeffrey:[00:06:53] Uh, by really, you know, rather than having to regulate everything that's going on in a business, which is traditionally, you know, quite often this defensive position that a cyber security leader has to take. Uh, but they can, you know, work with the fundamental, uh, you know, drivers of the business of creating value. And, and do new and exciting things.

[00:07:12] And which we see a lot of, you know, your Californian-style tech companies. They, you know, that's, uh, part of their DNA, the way that they think about, you know, changing the world. Uh, you know, in more traditional companies, they also have those opportunities because they've already got great customer bases and products out there in the market. But how can they evolve into something new?

[00:07:33]Gar:[00:07:33] Yeah. No, it's, it's definitely a different world. I think, um, your agents of change, I think, that's an okay, you know, that's, that's true.

[00:07:40] It's a, you know, it's sort of funny, and I know there's air quotes around it, but, um, that's probably going to be a transformation that happens more and more when the CO, CIO and CISO roles is that, um, they're a part of the, the strategy to get to business objectives rather than to use your words, like the reactive "We're going to do this so how you do you fix, how do you fix things?"

[00:07:59] It's more of a, "How do you get ahead of that, so build technology in a useful way, platforms and services in a useful way, to service the business objectives and, w- who else is going to do it, right? It's, it's going to be the technical C-level execs.

[00:08:12]Gregor Jeffrey:[00:08:12] Yes. Uh, one analyst we spoke to, uh, we went quite deep into security fabric. What, what's your definition of security fabric? We're hearing, um, this term bandied around somewhat.

[00:08:23]Gar:[00:08:23] Yeah. Uh, it, it's funny because it almost come back from security fabric. Yes, absolutely, like that's kind of what we do. But um, to, to the idea of a, you know, fabric um, that's [laughs] a different, different words that get thrown around, I suppose, in the industry around that stuff. Hyperscale, Web scale architectures.

[00:08:39] Um, but to me, the, the essence or the important parts of it are that it is true, hyperscale. So, you know, things that run, ah, in a way that was built for the age we live in, which is the Internet, so it's not a, a, you know, repurposed appliance. It's a VM and hosted somewhere. But actually the, the core fundamental architecture's built around just massive scale.

[00:09:02] And when you have that in place, then, what you're able to do is really service lots of different functional things. Or drop applications onto the fabric and see if applications run on top of that. And then on the other side, uh, so you've got all the, you know, Web, [CASBs 00:09:17], um, you know, email security, whatever it is that sits on top of the fabric running at scale.

[00:09:22] But on the other side of that is the, the huge data leaks that will then exist from all the things that are happening there. And the valuable information you can get from that, whether that's looking at, um, maybe patterns within an organization.

[00:09:36] Like, you know, we're in email, so you might be looking at, you know, natural language patterns that indicate tone of email. And you might be able to pick up that a particular person [laughs], when they communicate with your customers, y- may be a little bit uh, maybe there's a [laughs] coaching opportunity in h- how they're communicating.

[00:09:51] Uh, so when you scale up, you start getting to really interesting insights from, you know, based out of r- rolling out information that's usable by a business. And then if you roll forward a little bit further, the op- opportunity for kind of decision making systems, based on a huge set of data, where ... I'm going to say, I'm going to say two, four words, you know, artificial intelligence and machine learning. But using those technologies to, to pull out useful things to make decisions in a fast way that humans just can't.

[00:10:21] So, uh, again, you know, I was actually having breakfast with, um, with Nick, our country manager this morning and [laughs] we were really talking about this stuff. And he commented, or he was, his, ah, suggestion was if you think about people writing emails, and if you're able to use, uh, those technologies to analyze what has happened in the past, um, when somebody's writing a particular type of email, you get to the point where using this kind of scale, you can suggest an attachment. Because when we've seen this type of email before, this is the attachment that people use to convey information.

[00:10:54]Gregor Jeffrey:[00:10:54] Yep.

[00:10:54]Gar:[00:10:54] Or it might be that, you know, there's a body of an email that becomes almost like a template. But it's based on just this huge kind of insight into all the emails that are being sent from a company to, to a company, ah, to build that, those kind of, uh, those kind of things.

[00:11:07] So, efficiencies, time saving, uh, insights. There's a lot of cool things to hang off the back of that. And, and then the, the big thing is around APIs into that. So you're not just, you know, it's not a fabric that's kind of encapsulated and doing its own thing.

[00:11:21] But with an API, you're opening it up to other, uh, use cases, other platforms that can then come in and also take advantage of, you know, could be processing power within the fabric, but also the data that sort of sits in there as well.

[00:11:34] I shared the cyber conference in New Zealand's, uh, earlier this month. Uh, I was talking to a, a guy from one of the banking organizations. And his comment was that he doesn't even look at the features anymore for, for security [laughs] platforms. His thing is like, "What's your API look like? You know, how open is it, how many end points do I have access to, to feed into other systems?"

[00:11:53]Gregor Jeffrey:[00:11:53] Yes. Uh, and I guess, the, with, you know, the SOC corps, this cyber security team, uh, we're getting more into that DevSecOps because you're integrating between all these different platforms.

[00:12:06]Gar:[00:12:06] Mm. Yep.

[00:12:06]Gregor Jeffrey:[00:12:06] And, you know some are pre-built those integrations; others, you know, depending on your business or, uh, your company requirements, you can customize those.

[00:12:16]Gar:[00:12:16] Yep. And, and they both have use cases. Uh, a lot of them we see the out of the box stuff is easy because you can just turn it on. So, uh-

[00:12:23]Gregor Jeffrey:[00:12:23] So perhaps for smaller businesses?

[00:12:25]Gar:[00:12:25] Yeah. Ex- so, exactly. So if you think about, uh, [SEEM 00:12:29] or [SOR 00:12:29] use cases, you know, [slumcacereal 00:12:29] algorithm, you know, some of the ones that we integrated out of the box with. And that's pretty nice, right, because you don't have to build anything. You just choose it from a, you know, a drop tent. It's part of a playbook and, and you're good to go.

[00:12:40] Uh, in the Uni space over here, uh, what I've seen is that they, even though they have systems that are integrated out of the box if they wanted to, they'll actually build their own. Um, because they might have a requirement to store less data within the seam, or they might have a, a particular thing that they want to do that's not part of that kind of the out of the box.

[00:12:58] So I almost think of the, the out of the box integration is to me, it's like Pareto's Law. You know, they'll probably cover that 80% and if you're a smaller business, perfect.

[00:13:06]Gregor Jeffrey:[00:13:06] Yes.

[00:13:06]Gar:[00:13:06] You don't have the access to a developer? Sweet. Just go, go do it that way. And, but if you do have the option, potentially you get more value and more power from, you know, this book integration.

[00:13:19]Gregor Jeffrey:[00:13:19] Very true. Uh, we actually spoke about some of the integration challenges. Uh, we presented the other day at Gartner.

[00:13:27]Gar:[00:13:27] We did. Yeah. Yeah, that look- that the, you know, I felt good about our talk actually, because when I looked at the keynote that was given, uh, big chunks of that were around similar stuff. You know, the, the sort of notion of choice within an organization and what that leads to.

[00:13:43] And the, I think the core message from the first day's keynote was around what they were calling techquilibrium. So, the technical choices to, to get to a, you know, maybe moving away from legacy approaches to more, you know, more digital transformation. But like the somewhere on the scale that makes sense for a particular business. And then making those good choices along the way and definitely integration is, is part of that.

[00:14:04]Gregor Jeffrey:[00:14:04] Yep. Uh, now one of the cool phrases that I heard was, "You can go faster in a car if you know the brakes work well."

[00:14:11]Gar:[00:14:11] It's excellent. I'm going to be using that all the time.

[00:14:13]Gregor Jeffrey:[00:14:13] [laughs].

[00:14:13]Gar:[00:14:13] Yep.

[00:14:13]Gregor Jeffrey:[00:14:13] Uh, yeah. And i- it's funny, because a- as I heard that phrase, it conjured up, well, you've got to crash sometimes if those brakes don't work well and you're trying to go really fast.

[00:14:26]Gar:[00:14:26] Yep.

[00:14:26]Gregor Jeffrey:[00:14:26] So inevitably, and invariably [laughs], businesses, yeah, if they're, they're, um, flying too close to the sun. Uh, they, they can get burned sometimes.

[00:14:37]Gar:[00:14:37] Yeah. Understand it's back to the comments around the competitive advantage for good security. And that's, that phrase, w- which I'm probably going to end up in [laughs], I'm going to use it in post meetings, I think. I'm brutally honest. Um, so I'm going to steal that.

[00:14:50] But it's that, right? It's competitive advantage. Because you can go faster if, you know, you know your brakes are good, your security, your resilience is good. Cool, let's innovate more quickly. Let's grow more quickly because, you know, we've got that stuff kind of taken care of.

[00:15:01]Gregor Jeffrey:[00:15:01] Yep. Now, awareness training.

[00:15:03]Gar:[00:15:03] Hm.

[00:15:03]Gregor Jeffrey:[00:15:03] Uh, that was a big topic, uh, with one of the analysts we spoke to.

[00:15:06]Gar:[00:15:06] It was, yeah.

[00:15:07]Gregor Jeffrey:[00:15:07] Uh, I joked to you earlier that perhaps in 2020, Gartner will call it, um, next generation security tr- awareness training.

[00:15:13]Gar:[00:15:13] Yep.

[00:15:14]Gregor Jeffrey:[00:15:14] Uh-

[00:15:14]Gar:[00:15:14] Trips off the tongue. Oh, I'd get the trademark on that now, Gregor, if I were you.

[00:15:17]Gregor Jeffrey:[00:15:17] I think I should.

[00:15:18]Gar:[00:15:18] [laughs].

[00:15:18]Gregor Jeffrey:[00:15:18] But what comes after next generation?

[00:15:20]Gar:[00:15:20] [laughs]. Post-next-generation? [laughs]. [crosstalk 00:15:22] I don't know. Next next? Next next gen gen? [inaudible 00:15:26]. Who knows?

[00:15:27]Gregor Jeffrey:[00:15:27] Next next?

[00:15:27]Gar:[00:15:27] That sounds like a panda, doesn't it?

[00:15:29]Gregor Jeffrey:[00:15:29] N, N-squared generation.

[00:15:32]Gar:[00:15:32] [laughs].

[00:15:34]Gregor Jeffrey:[00:15:34] I suppose. N-cubed?

[00:15:34]Gar:[00:15:34] Th- there you go.

[00:15:35]Gregor Jeffrey:[00:15:35] Anyway [laughs].

[00:15:37]Gar:[00:15:37] [laughs].

[00:15:37]Gregor Jeffrey:[00:15:37] So; awareness training.

[00:15:38]Gar:[00:15:38] Yep.

[00:15:39]Gregor Jeffrey:[00:15:39] It's obviously a, a big item for most companies at the moment.

[00:15:43]Gar:[00:15:43] Yeah.

[00:15:43]Gregor Jeffrey:[00:15:43] Uh, many have implemented something, uh, rudimentary, uh, within the organization. So we're really seeing, you know, people wanting to formalize that some more and then not just sort of tick the box that's, uh, someone's done some training, but see there's actual behavioral change.

[00:15:59]Gar:[00:15:59] Yeah, th- you're spot on there. Um, the evolution we've seen last 12, maybe 18 months, uh, it's exactly what you described.

[00:16:07] I think we've all woken up to the fact that u- using an [LMS 00:16:11] for security awareness training is probably not going to give you the outcomes that you want, because what people do is they ... like I've done this, and I'm guessing you probably [laughs] done it at some point where, you get the email saying, "Hey, you've got to watch the new policy video or the security video or, you know, pick the thing." And you're busy, right?

[00:16:29] So what you do is you put it on your second screen and as the video plays, you're working away, and then, you know, you notice that it's finished, and you click Submit, and CLMS says, you know, "You've trained, your training's complete."

[00:16:39] And I'm going to put my hand up; I'm probably going to get in trouble for this, but, you know, traditionally, I have never watched them. Uh, but I would show up in a report somewhere as having completed the training. So that's the issue here.

[00:16:50] Uh, and that, that applies to even excellent things like I would say, you're having a classroom environment, and having someone come in to deliver training. Incredibly useful, but six months later, people don't think about that. You know, it's a Thursday morning, maybe they had a big night on Wednesday; it's just not in people's minds. It's just, we know it doesn't work.

[00:17:09] And the evolution has been, I think, twofold. It's accepting that the content has probably been [laughs] missing the mark, really. Very dry information and we know information does not change people's behavior. That's, that's a fact.

[00:17:23] And if you look at the advertising industry, I mean, people do things that are bad for them because advertisers are [laughs] amazingly good at making things look delicious and, uh, fun, even though they're not good for us as people.

[00:17:36] So they're, they're kind of informing some of the changes that I think we're seeing in, uh, what I would almost call behavior change, security behavior change. Rather than awareness. And, um, and that's powerful.

[00:17:48] So you're starting to see content that really cuts through and, and uses much shorter, punchier messaging with, with simple messaging. So one thing to remember rather than 15 things where you're going to forget more. I think that's the first part, is the content has changed.

[00:18:02] I'm also seeing much more of a focus on, uh, not just doing the stuff, but actually being able to prove that the stuff is working. So things like risk scores, [Rollup 00:18:12] and, you know, insights into w- we're doing this stuff, we're doing a behavior change program for security. Is it working? And measuring that, and looking that over time in a useful and meaningful way.

[00:18:25] So I'm not just kind of running a program; and then maybe doing a phish campaign, and that's your, you know, that's your, uh, your metric. Wh- what we're seeing is that cyber security leadership are looking for more than that. And actually boards are looking for insights into where we sit. You know, how do we compare to other companies like us? How do we compare to, uh, companies of similar size?

[00:18:45] And, so it's a, uh, changing behaviors. But then also being able to, you know, very clearly see the business impacts and the ROI for the money you're spending on a program.

[00:18:55]Gregor Jeffrey:[00:18:55] Yep. So aligning that with the risk objectives, depending on their style of business-

[00:19:00]Gar:[00:19:00] Yes. Yeah. Yeah. Absolutely. Look at; what you just said there is so spot on. That, to me, is another thing that ... we're seeing change, you know, we, we, [inaudible 00:19:10] took security controls and was dry and, you know, we're doing this thing to protect against this threat.

[00:19:15] And more and more at conferences like this, the language is that. It's, what are our business objectives? What are the risks that we're seeing that may impact us achieving those objectives? And cool, let's build some stuff around mitigating those risks in a smart way.

[00:19:29] So we're not spending money on stuff that might be risk, but probably doesn't really impact our overall organizational objectives. Let's look at the, the things that really are meaningful, and spend money on those. And mitigate those.

[00:19:42]Gregor Jeffrey:[00:19:42] Any other sort of key messages you're seeing within the, the Xpo hall? There's 120 sponsors here.

[00:19:50]Gar:[00:19:50] Um-

[00:19:50]Gregor Jeffrey:[00:19:50] There's a lot of dark blue [laughs].

[00:19:54]Gar:[00:19:54] [laughs]. There always is.

[00:19:54]Gregor Jeffrey:[00:19:54] [Blanc 00:19:54] is right next door to us, and they're pink. Ah, they're r- rocking pink sneakers-

[00:19:59]Gar:[00:19:59] They look amazing.

[00:19:59]Gregor Jeffrey:[00:19:59] ... so they are standing out from the crowd.

[00:20:01]Gar:[00:20:01] They do. They look fantastic. But do you know what I like about this, Gregor? And we, we've kind of joked about this before. Because it's more of a generalist sort of CIO and IT leader summit. I don't think I've seen a single banner or picture of a, a person with no face and a hoodie. Uh-

[00:20:16]Gregor Jeffrey:[00:20:16] Ah.

[00:20:16]Gar:[00:20:16] ... it's beautiful, like it's so refreshing. You know, it's technology and sort of IT and, and CIO conference, rather than a pure cyber security conference. And I l- you know, I love those, those are fun. But, yeah, I'm, I'm so happy to not have seen a single hoodie here. It's just, it's a beautiful thing.

[00:20:33] In terms of the overall theme, sorry, to-

[00:20:34]Gregor Jeffrey:[00:20:34] No.

[00:20:35]Gar:[00:20:35] ... go off on my little hoodie rants there, but uh, I ... So one of the things I've noticed is that as we're turning up at these events, um, and I can just see you're having the same experience. So like we know the other vendors, and there's definitely this spirit and, this kind of an essence of collaboration. And we're looking at ways we can work together. So, I, I think that's a, that feels different to me. Uh, the, that, that spirit, you know.

[00:21:02]Gregor Jeffrey:[00:21:02] Mm-hmm [affirmative].

[00:21:02]Gar:[00:21:02] And it sounds cheesy and fluffy, but I think it's, that's where the industry's going to go. You know, it's almost back to that security fabric.

[00:21:07]Gregor Jeffrey:[00:21:07] True.

[00:21:08]Gar:[00:21:08] We all have to work together.

[00:21:08]Gregor Jeffrey:[00:21:08] Yeah.

[00:21:09]Gar:[00:21:09] How do we integrate with you guys? How do we, how do we deliver value to our, and combine, you know, customers that we have in common? In a, in a useful way? Like it's just more and more, what I see-

[00:21:18]Gregor Jeffrey:[00:21:18] Yeah, we are seeing that positioning of APIs front and center.

[00:21:21]Gar:[00:21:21] Mm-hmm [affirmative].

[00:21:21]Gregor Jeffrey:[00:21:21] On the stands and even to a point where traditional competitors, ah, almost have their logos on other, um, vendors' stands because-

[00:21:31]Gar:[00:21:31] Yeah.

[00:21:32]Gregor Jeffrey:[00:21:32] ... we're all integrating together.

[00:21:33]Gar:[00:21:33] Yep.

[00:21:33]Gregor Jeffrey:[00:21:33] And yes, this crossover with products and solutions experts, there's that greater strength of being able to work together.

[00:21:41]Gar:[00:21:41] Hm.

[00:21:41]Gregor Jeffrey:[00:21:41] For a, a, an organization or a company, it's great to be able to pick and choose from those different solutions that fit you best. You may have some legacy, uh, platforms in place that have, uh, evolved over time.

[00:21:54] So you're still, you know, you're still sometimes beholden to those platforms. But once, uh, those companies start integrating, uh, it just, it makes that move and evolution, um, of your security, of your IT infrastructure, that much easier than having to sort of rip and replace everything.

[00:22:12]Gar:[00:22:12] Yep. Yeah. We, we definitely live in interesting times, is, is what I would say. Um, yeah, I think that th- cyber resilience um, actually, you know, it's a general CIO sph- IT leaders conference, but cyber resilience is a big part of that, right? It's just that's, you have to do it. You can't not do it.

[00:22:31] And, yeah, I've seen the collaboration from the vendors and, you know, seeing, seeing some of the, the use cases and the stories with how people have ... I mean, the Gold Coast city council talk, Matt from there, amazing talk, was great.

[00:22:44] Ran through their operating model and how they had used Splunk with an extra service provider. I'm sorry, a managed service provider, um, to deliver their outcomes. A great talk.

[00:22:54] And, you know, that, that stuff where you're, you're hearing these great stories of how people have used those kind of platforms to, to really get in, get good outcomes for their organization.

[00:23:02]Gregor Jeffrey:[00:23:02] Yep. Yes. Okay. Well, that brings us to the end of the time we've got. Now here at Gartner Symposium today, Gar. It's been good catching up. [crosstalk 00:23:11] See you in sunny Queensland next time.

[00:23:12]Gar:[00:23:12] Yeah, definitely. And I think this was like our third take? Because we kept getting interrupted. So glad to, glad to make it all the way through [laughs].

[00:23:19]Gregor Jeffrey:[00:23:19] [laughs]. Thank you.

[00:23:20]Gar:[00:23:20] Thank you.

[00:23:22]Gregor Jeffrey:[00:23:22] That's all for this episode of The Get Cyber Resilient Show. If you enjoyed the show, head over to getcyberresilient.com, a new online destination for cyber professionals in Australia and New Zealand.

[00:23:33] We all know the constant battles and challenges of addressing cyber security. Getcyberresilent.com is a place that brings together the local cyber community to problem solve innovative solutions on how we can all be more resilient to the challenges and risks that exist online.

[00:23:47] Point your favorite Web browser to getcyberresilient.com.

Principal Technical Consultant

Garrett O’Hara is the Principal Technical Consultant at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies. When not talking about the cyber security landscape, data assurance approaches and business continuity Garrett can be found running, surfing or enjoying the many bars and eateries of Sydney's Northern Beaches.

User Name
Garrett O'Hara