November 9, 2022

Cultivating Client Trust at Cybercon with NTT’s Dirk Hodgson & Adam Green

by Hacker Valley Studio

Show Notes

Hacker Valley: On the Road is a curated collection of conversations that Chris and Ron have had during conferences and events around the globe. In this episode, NTT’s Dirk Hodgson, Director of Cybersecurity, and Adam Green, Senior Cybersecurity Executive, speak with the Hacker Valley team at CyberCon in Melbourne, Australia. Dirk and Adam cover the intersection of their roles at NTT, their experiences at conferences like RSA, their country’s cybersecurity industry, and their team’s cultivated trust with clients. 

 

Timecoded Guide:

[00:00] Reuniting at CyberCon after years of COVID limiting security conferences

[06:30] Differentiating Australia’s cybersecurity industry from the rest of the world

[10:48] Watching current cyber trends with CMMC & the Essential 8 frameworks

[25:41] Creating interpersonal communication in a technology-driven industry

[34:58] Building trust by knowing your clients & your adversaries equally

 

Sponsor Links:

Thank you to our sponsor Axonius for bringing this episode to life!

Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone

How are Australian cybersecurity practitioners different from the rest of the world?

According to Adam, the past 3 years have led to a massive shift in maturity for Australia’s cybersecurity industry. Previously, Australia relied on its physical isolation as a country as a means of security, but breaches have become more high profile and more impactful for Australian businesses in recent years. Now, Adam is pleased to see a greater understanding beyond the 101 of cybersecurity and more collaboration with security teams.

“Three years ago, we used to say Australia was 5 years behind the rest of the world [in cybersecurity]. We used to think, because of proximity to the rest of the world, we were pretty safe, but it's definitely become more of a professional approach to security now.” — Adam

 

How do your roles as Director and Executive work together at NTT? 

For Dirk, cybersecurity is the ultimate team sport, and Adam is an impactful element of his cybersecurity team. While Adam often focuses on strategic planning through his background as a practitioner, Dirk enjoys how his business-driven perspective contrasts with Adam and with other members of the team. With a variety of experiences and perspectives in the room, NTT can cover issues from all sides, instead of falling victim to tunnel vision.

“Adam is the person on the team, who's great at that scenario planning piece. ‘Here are the things that are gonna go wrong.’ Whereas myself and a couple of the other people on the team, look at that go, ‘What's that going to cost the organization?’” —Dirk

 

Where are the strengths and weaknesses in communication in cybersecurity?

Just like Dirk’s thoughts about cybersecurity being a team sport, Adam believes that you have to cultivate a team-member-like trust with your clients. In an initial conversation, the client might seem defensive of your advice or critical of your actions. However, Adam explains that establishing credibility, especially in the business-focused cyber industry in Australia, goes a long way to creating the opportunity for more casual conversations down the line.

“What we find is, in Australia in particular, it's about not just the company, but you as an individual. Do you have my back? Can I trust you? If I don't like you, will you at least mitigate my risk for me? You have to establish credibility real fast.” —Adam

 

What advice would you give to someone interested in cultivating more trust between clients and their team?

Dirk loves a good James Bond villain, but the average hacker attacking the average business is nothing like the movies. Establishing trust with clients starts with not only understanding what they need, Dirk explains, but also knowing the most likely threats beyond the showstopping Blackhats of media fame. Being able to explain to and protect clients from the most common threats keeps their data safest and strengthens their trust in your team.

“I think it's about making sure that you know what the worst case scenario is, what the most dangerous course of action that the attacker or a potential attacker could follow, but also, being able to talk credibly about what's the most likely threat.” —Dirk

---------------

Links:

Keep up with our guest Dirk Hodgson on LinkedIn

Keep up with our guest Adam Green on LinkedIn

Learn more about NTT on LinkedIn and the NTT website

Connect with Ron Eddings on LinkedIn and Twitter

Connect with Chris Cochran on LinkedIn and Twitter

Purchase a HVS t-shirt at our shop

Continue the conversation by joining our Discord

Check out Hacker Valley Media and Hacker Valley Studio



Transcript

[00:00:26] Ron Eddings: Hacker Valley on the Road is a curated collection of conversations that we've had during conferences and events around the globe. In this collection, we'll be sharing the most surprising moments from each conference that might change your work in cyber security.

[00:00:38] What's going on everybody? Welcome back to the Hacker Valley Studio Podcast. I am so glad to be back again here doing something different. A podcast from Melbourne, Australia. We just did AA Cyber Con and now we've decided, you know what? Let's have some of the people at the conference sharing the experience.

[00:00:57] Join us on the podcast today, we have with us Adam Green, Cybersecurity Executive, and also Dirk Hodgson, uh, Cyber Security Director, both at NTT. Gentlemen, welcome to the podcast. Thank you.

[00:01:12] Adam Green: Thank you, Ron.

[00:01:13] Ron Eddings: Absolutely. So let's start off with sharing a bit about who both of you are. I know that, you know, we met.

[00:01:20] About a week ago, the team at Axonius was so excited to have you on. They said that you all are great partners, you share a lot of experience, industry experts. So let's start with you, Adam. Tell us a bit about your background and what are you doing today?

[00:01:32] Adam Green: Yeah, so I've been in the industry for, oh, about two decades now and, and I focused most of my industry experience on the disruptive side of technology, so that's obviously led me through to cyber security.

[00:01:45] Obviously everything's cyber these days. It's a bit of a catch all phrase for everything. But, um, yeah. Now working with NTT, we focus very much on, um, how we provide our clients with greater insights into what their threat landscape looks like and trying to get them to think more in the mind of a hacker mm-hmm.

[00:02:02] so that we can, we can then work it backwards from there. But we don't just, we don't just look at what's currently happening today, It's looking much more future focused and uh, and then offering protections that. 

[00:02:12] Ron Eddings: Love that. Helping everybody protect themselves. Let's keep it over to you, Dirk. 

[00:02:16] Dirk Hodgson: Absolutely.

[00:02:17] Ron and like Adam, I've been, been around for probably a, a little while in this industry. I actually started my, my first career in military intelligence with the Australian Air Force. And from there moving into technology, it was kind of natural to gravitate towards cybersecurity, which now I've been doing for a while.

[00:02:36] And look after one of the cybersecurity. Here at NTT and just picking up and building on what Adam said, you know, we try to build a team that has a bit of everything in it. We've got people like Adam who are great with the offensive, disruptive side of cybersecurity. We've got people who really focus in on architectures.

[00:02:55] We've got some great technologists as well. And then, you know, my job and where I try to, to, uh, position myself is to be the person that kind of brings it all together for the customer. To make sure that, as you said, we're we're helping to keep them safe and that we're kind of on their team to protect them from the bad guys out there.

[00:03:14] Ron Eddings: Yep. So I, I gotta say, when Adam, we met on the Zoom and now in person, there was someone that you look like and everyone at the company was saying that this guy looks like someone that they'd seen in a movie and the person's Chris Hemsworth, and you were just telling us before we hit record that someone at the conference came up to you and said, Hey.

[00:03:35] What are you doing here? I didn't know that you were giving a keynote at the conference, and that's hilarious cuz you guys do kind of look alike. But tell us a bit about what the conference experience has been like for you so far.

[00:03:46] Adam Green: Yeah, it's been great. This over 4,000 delegates. Uh, it's been a whirlwind of, uh, two and a half days.

[00:03:53] Many, many, you know, really good client conversations. Uh, it was a little bit of. A rockstar entrance to start with. I think because we'd all been in this lockdown phase for so long that, um, it was like you're walking through and you're seeing people you haven't seen for nearly four years in some cases.

[00:04:09] And, and, uh, and reconnecting those networks that we used to, we used to do this stuff quite regularly, so right. Uh, it, it felt like going back home again. Uh, and, you know, we're in Melbourne. I, I moved up from Melbourne to Brisbane, uh, about three and a half, nearly four years ago now. So, um, yeah, so it was like a coming home party for me to start with, but, but the business aspect side of it, there's been some great conversations and, and definitely reconnecting those networks.

[00:04:35] It's been, it's been great. Um, and then obviously the, uh, the after hours networking's also robust.

[00:04:44] Ron Eddings: And that's something that you don't really get to appreciate until it's gone. Being back in person. A lot of people will say, Oh, it's about the talks, it's about the keynote. But like you're saying, it's really about the lobby con, it's about the things that happen around the conference because you might meet someone that you didn't intend to meet.

[00:05:00] Like there's a lot of people that we wanna see and watch, uh, giving the talks. But you know, What about all the delegates, all of the people that helped organize the conference? I also heard there was a. Students here as well, learning, volunteering, and I think it's really magical to see all of that come together.

[00:05:18] Dirk, we miss you. We wish you were here in person with us, but you know, we are still gonna be sharing some of that information back to the world. That's why we're doing the podcast. But Dirk, from your perspective, what is something that you hope Adam brings back to you not being able to join the.

[00:05:34] Dirk Hodgson: Look, it's, it's a local conference, so I can't say duty free or anything like that.

[00:05:38] But, uh, I mean, I reckon that the most important part of these conferences are those, those little hallway, hallway chats and really the connections that you would just never otherwise make. Um, but I am gonna pick up on something you said there, Ron, about the, the keynote speeches as well. You know, a lot of the time in, in our, in.

[00:05:59] We tend to get very task focused, right? There's a particular cyber problem at hand that we need to solve, so all of our conversations end up being about that problem at hand. What I think these conferences are, are so good at is giving people a chance to just get outside of their, their daily box a little bit and perhaps turn up to a, a talk that they wouldn't have ever otherwise thought to research or, or attend or, or listen to.

[00:06:23] And, you know, maybe they learn something or make a connection in their mind that helps us to grow that cyber body of knowledge. 

[00:06:30] Ron Eddings: Yep. You know, I was actually really nervous to come here. I was nervous for a few reasons. One, I was giving a talk titled "Cover Your SaaS: Managing Misconfigurations, Shadow Users, and Excessive Spending."

[00:06:41] And I was telling some of my team members, Hey, I'm giving this talk. And they were like, Ah. I don't know if the Australian audience would respond well to it because a lot of financial institutions are on-prem. A lot of big organizations, logistic companies are still on prem. And they were like, Ron, Australians do it differently.

[00:07:00] And going to some of the talks, I started to realize that there are some differences. One of the things that I was really impressed with is how. We in Australia, the focus on the business providing business outcomes, identifying business requirements. Adam, for you, you know, working with so many organizations, how do you consider the Australian audience, the Australian cyber security practitioners to be different than the rest of the world?

[00:07:26] Adam Green: Yeah, so I think there's definitely been a big maturity shift in the Australian market, especially over the last, let's say three years. I think that cyber threat landscape has really evolved quite rapidly. If you think back to when we started in the industry, your cyber threat cycle or the, the disruption cycle was a matter of years.

[00:07:43] We'd say, say like three years, and you start to review what you were doing around, back then we called it network security, right? But then we've seen a lot of high profile breaches, and those high profile breaches have become more and more regular and more sophisticated and in some cases not so sophisticated.

[00:07:58] So we've noticed that the Australian market has definitely moved in time with the rest of the world now, uh, look back three years ago, we used to say we're about five years behind the rest of the world. Um, so I think, I think that education has happened quite rapidly. We've understood, uh, we used, we used to think because of proximity to the rest of the world we're pretty safe.

[00:08:17] And that's in that, you know, the kinetic warfare terms. Yeah, yeah. We're, we're pretty isolated. But, uh, it's, it's definitely become a lot more of a professional approach to security. And, and you've got, you've got people with greater understanding. They do their own research. So when we are coming in and speaking with clients now, we're not, we're not there to teach them about cyber security.

[00:08:38] The same way we used to. Now it's more about, well, how do we help you achieve those business outcomes? Right. And it's a lot more of a, an interesting conversation now. Because we're not going in doing 101. Uh, so, so I think yes, Australians do it different, but we're also pretty good at being early adopters.

[00:08:57] So, uh, so I think your speech would've been very well taken because anything that's going on anywhere around the world these days, the Australians are, are looking at it going, How can we be first to market with these things? So great. So it's a great, great melting pot of, of new technology and, and leading edge thinking now.

[00:09:15] Right. 

[00:09:15] Ron Eddings: Dirk, anything you would add? 

[00:09:17] Dirk Hodgson: Yeah, a few things. I mean, look, I, I think that generally speaking, Australia as a market really loves to try to be, you know, the first in the world or the best in the world. And we also love to find innovative and different ways to do things. Um, I used to spend a lot of my time in and around the defense industry, and it was, it was well documented via a number of government reviews that most arms of the Australian Defense Force, which really are kind of a microcosm of, of our society in a lot of, Had this, um, you know, just do it.

[00:09:49] Let's find a way, let's make a way kind of culture, which can be a good thing and can be a bad thing. It means that you, you get the outcome, but perhaps you cut some corners along the way. Um, I think that really what's happened over the past couple of years with some of the exceptionally high profile breaches that, that Adam, Adam talked about there has kind of made us, um, you know, almost not necessarily catch up with some of those workarounds that perhaps we've done over the years, but it's made us as a, as an industry look really closely at everything across the board that we've been doing and going, Okay, we're, we're leading in these areas, but what about these other areas?

[00:10:27] Let's bring them up to, to where they need to be. And as a result, there's been this really rapid modernization. You know, I think that's gonna continue for, for some time as, as we see the threat landscape continue to worsen as such. Um, but also, you know, we're probably gonna find some new and different ways to do things, which is pretty exciting as well.

[00:10:48] Ron Eddings: You, you know, I, I'm glad that you brought up, you know, some of these topics because in the United States, one, uh, framework that a lot of practitioners look at is CMMC, the Cybersecurity Maturity Model Certification. And when I was at the conference this week a lot of people were talking about the Essential Eight, the Essential Eight this, the Essential Eight that, it was almost like everything was around it.

[00:11:10] And when I did my research, it actually was very similar to CMMC and a few other frameworks. Uh, what trends are both of you two seeing, like what are, what are your focus areas right now? Cuz the world has just evolved, especially through the pandemic. Yep. Uh, Dirk, what have been some things that you're focusing on today and what are some of those?

[00:11:28] Dirk Hodgson: Yeah, absolutely. And yeah, just picking up on the Essential Eight point that you raised there, Ron. No, I think that's a great example of, of Australian innovation and really where that came from was the Australian Signals Directorate doing a quite a quite detailed research into how they could help to protect government and, and, um, whole of economy systems from, from the bad guys essentially.

[00:11:52] And what they worked out very early on was just doing a few things exceptionally meant that you were protected from 85 plus percent of all of the potential attacks out there. And you know, when I say well researched, they actually really went to a lot of effort to look at what was happening around the world, but also to actively test those, those controls using some of their own capabilities within their, their own organization.

[00:12:17] And as a result, it's, it's pretty robust and it's something that the, the economy has really picked up on. And now the cyber security center is really promoting well, and we're seeing a lot of people, um, ask a lot of questions about that, but they're not questions about what is it? The questions are really, how can we go and get to maturity level four?

[00:12:36] How can we make ourselves the best in the world against this framework that we certainly, a lot of people see as world leading in that sense. Uh, the other big trends that I'd, I'd talk about is, you know, we've obviously still got the work from Home piece and the work from Anywhere piece, which is, is absolutely continuing out there, seeing a lot more people ask questions about, you know, Hey, what happens in an incident and how can we get better prepared for an incident?

[00:13:02] Whereas maybe in the past they were thinking more about the how do we stop the incident piece. There's more of that recognition that sooner or later, uh, you know, resilience means that sooner or later, it may happen. We don't want it to happen. We try to stop it from happening, but if it does happen, we're able to respond and recover really, really quickly.

[00:13:20] So I'm, I'm seeing the market, a lot of movement towards keeping, doing what we're doing well around the prevention and, and detection. But also really growing that resilience piece and, and getting the response and recovery happening well.

[00:13:32] Ron Eddings: Resilience is everything. And you know, that was one of the things that we were speaking about a few weeks ago when we first met, uh, Adam.

[00:13:38] And you, you mentioned that you did incident response for years and you, you worked on some 20 plus really high profile security incidents. What was that like? Tell me, you know, a story. What, what stood out? I mean, 20 incidents, it must have been many years over the course if it was major. And you're probably seeing a lot of different types of attacks, different situations.

[00:14:01] Adam Green: Yeah, absolutely. So, so my role in those incidents was, was very much a fly on the wall. Um, so coming in at an advisory layer, not, not hands on tools, not doing any actual forensic investigation, but more someone who's looking from the outside in to understand what could be done different. And one thing that was, one thing I can tell you across all of those incidents is you've got commonalities.

[00:14:24] So I, I always have my three golden rules. And the three golden rules are, first of all, you, you don't disconnect from the internet because if it's a particularly malicious attack, you've gotta be mindful of, um, anything that's placed in what we call a red button or, you know, the, the potential for an absolute obliteration of all of your hardware, so of the, of the drive.

[00:14:44] So, so we say don't disconnect if you, if you can avoid it. Mm. Um, and then from that you start to consider, well, that device has already been hit, so let's use that to learn what we can. So, Roll golden rule number two, isolate what's being owned and let it like, let that be your forensic tool. Let you, you start to learn from that.

[00:15:03] And rule number three is if you can avoid it, you don't pay the ransomware. So, um, but, but if we look at those 20 attacks, so one thing that was common was rule number one generally got broken. Um, in a lot of cases they ran along and they pulled out the cord and, uh, disconnected the internet. Um, rule number two about isolating what was already owned.

[00:15:24] Generally we didn't see that done very well. Uh, and rule number three about paying the ransom, uh, on, in most cases there was, there was anecdotally some ransom paid or negotiated, but what we see across all of those attacks is in every case they had the right technology in place. Mm-hmm. I mean, look, it's 2022.

[00:15:46] We've all acquired a lot of cyber security technology. But what wasn't done well and why those attacks actually occurred is because they hadn't done the, the basic things right. The basic hygiene things, right. So, um, they hadn't, they hadn't patched to the latest version of endpoint protection that they had.

[00:16:05] But if they had have done that, that endpoint protection would've been good to pick up what was coming in from the, from the start. In every case, they had something for email filtering, but it was in passive mode. So if they had have applied that compensating control the way that it was intended, probably wouldn't have happened in every case.

[00:16:26] They had state of the art, next generation firewalls. But they hadn't reviewed the latest rule sets, which is something that we advocate quite heavily when we speak with our clients is do regular, um, rule reviews right on your firewalls. Because if that's your, your, you know, your last line of defense or your first line of defense, depending on how you look at it, you wanna make sure that you're up to date with how fast your business is moving.

[00:16:49] Not, uh, let's review it every three years or even copy and paste the rules when we change from vendor A to vendor B. So then we see that they didn't, they didn't apply the same compensating controls that they know they should be applying. And then, you know, another thing that we see every time is they had the best outsourced security operations center that they thought they could get.

[00:17:13] But again, it's outsourced. So when we see something's outsourced, there's, you need to have someone on the. Who can respond to the outsourcer, and in every case there was, there was no interface between the outsource and inside for, for a rapid response once something was seen, or as we say, when the balloon went up.

[00:17:33] So you learn a lot from being in those rooms. The other thing that was very common was they were learning or writing up their incident response plans on the. Right now, what we have noticed in the last 18 months because of so many high profile breaches, is that incident response plans used to be rare and.

[00:17:52] People spoke about them potentially, and they may have them, and you know, generally they were in a, an electronic format. So if you get owned, you can't reach the, uh, can't reach the incident response plan sometimes. But we have seen a big push in maturity towards actually getting incident response plans in place.

[00:18:11] So now our conversations aren't so much about, have you got an incident response plan? Our conversations are more about, well, how can we help you to update and modernize and test under live fire those incident response plans and continually reiterate and continually improve them. 

[00:18:28] Ron Eddings: So let's break that down a bit further.

[00:18:30] You mentioned the three steps. I love the three steps, but I'm curious as to the first step and why that is. Unplug. What is the consequence? What have you seen when someone does unplug after a breach?

[00:18:42] Adam Green: Yeah, so, so once they unplug, you stop, you stop getting all of that rich telemetry and, and the rich information that could continue to flow.

[00:18:50] Um, luckily in the, in the rooms that I've been in, we haven't seen the red button situation. It just liquefies the hard drives. However, uh, in, you know, in working with a, uh, forensic investigations responders and working with, uh, some of the world's best ethical hackers and slightly unethical hackers, um, we, you know, we know of instances where an unplug meant that the red button activates because, and what we say by a red button is it's a constant handshake request.

[00:19:22] From the command and control. Mm-hmm. And it's, it's doing that. Are you there? Are you there? Are you there? The moment it doesn't get for a certain period of time, it doesn't get its handshake back. It says, Time to liquefy the hard drive. So in that instance, you'll never recover the data. And if it's a particularly malicious attack and the intention was absolute chaos and disruption, then you're not gonna get that information back.

[00:19:46] And, and restoring from that point, very, very difficult. So that's why we say don't unplug. One for the red button and two for the continual forensic capability. Um, but you know, I think, um, when you realize you're under attack, human nature and muscle memory says, let's go unplug what's being owned.

[00:20:06] Ron Eddings: Right.

[00:20:06] Sometimes you can't help yourself. I mean, I would wanna do the same thing, especially if I didn't have any cyber security experience. If I saw that my work station, my laptop was doing something weird, first thing I'm gonna do is close it up. Yeah, exactly. But it sounds like that might not be the best case and probably not Especi.

[00:20:23] That means the attackers watching your move. And what I love about you two is it seems that you all are a dynamic duo. Like there is some synergy here. You guys light up when you guys talk to each other. I want to hear more about like you two's relationship. How do you work together? What is, you know, your role as the director and then you as the executive.

[00:20:42] How do you all ping pong off of each other and work together? 

[00:20:45] Adam Green: Do you wanna take that one Dirk or do you want me?

[00:20:48] Dirk Hodgson: Um, mate, um, I'll, I'll, I'll say all sorts of great stuff about you shall I. No, look, it's, it's a great question, Ron. You know, I think I'd probably bring that one back to saying cybersecurity is the ultimate team sport.

[00:20:59] Yeah. In a lot of ways. Adam's got a lot of great experience in, in those war rooms that you've both just been talking about. My experiences are a little bit different and we've got other folk on the team who have very different experiences again. As one example there, um, Adam was talking about, uh, firewall migrations and you know, the fact that quite often when you move from vendor A to vendor B, one of the initial things that a lot of projects look at is go, Alright, let's just pick up the old rule sets and migrate them like for like to begin with.

[00:21:31] Or you can say the same about a lot of endpoint protection suites, application whitelisting, suites and the like. And you know, at the end of the. What we like to do, and I think the thing that our whole team brings out is, is that bit of a, you know, viewpoint of, Okay, well let's think forward from that. All right?

[00:21:47] Sure. We'll do the, the lift and shift initially. Maybe that's the lowest risk way to do it, but if we, if we move forward three months, six months, 12 months, or even three years, one of the things that could go wrong if we don't actually go down the road of mitigating for the latest, greatest threats, but also the biggest risks to our organization.

[00:22:09] So, you know, I tend to find that Adam's, the the person on the team who's great at that scenario planning piece and going, Hey, here are the things that are gonna go wrong. Whereas say myself and a couple of the other people on the. look at that and go, Okay, cool. What's that gonna cost the organization for one, what's the actual consequence in a risk management sense?

[00:22:29] And, and therefore, you know, what's the reasonable budget and the options to implement a, a solution or a set of controls to make sure that that risk is, um, either never realized or if it is realized, we can mitigate the scale of that consequence through some other form of control framework. So, you know, it's.

[00:22:47] You say dynamic, you, I think it's a bit yin and yang as well. It's just all those, making sure we use them.

[00:22:56] Adam Green: So that was a really, um, professional response. I was gonna say, we, we both love craft beer and fine whiskey. That's how we work really well together. Also true. And you look at our, you look at our backgrounds and, you know, similar backgrounds, but, but as Dirk said, yin and yang.

[00:23:13] Um, and you look at how we. Our personal lives. There's a lot of synergies in our personal lives. In fact, the the way that Dirk and I got together working together was I used to work at a competitor and I was, so, I was Dirk's direct competitor and, uh, and one day there's the yin and yang right there. Yeah.

[00:23:31] And I, and I was, I kept coming across this Dirk Hodgson in the market. And, and I couldn't compete because he had this 500,000 pound gorilla behind him. And I'm just this little, uh, consulting practice that was local. And, uh, and one day I went, Oh, I think I should, I think I should have a coffee with Dirk.

[00:23:49] So, you know, we did the five minute little small talk and we're, we, we have a lot in common, so that five minute small talk went real fast. But, but Dirk being an ex-military man, he's got, uh, he's got a certain way about him and he just went, right. So what are we doing here? And, uh, and then we, oh, we had a conversation about the way we both operate and we found that we have very complementary ways of operating together.

[00:24:11] So we decided let's join forces and. And I think I've, I've heard quite a few times that, uh, out in the industry we are referred to as the dynamic duo and yeah, especially when we go present on stage together at conferences and yeah, we, we go out in front of clients together, but as Dirk said, it's a team sport.

[00:24:27] It's not, it's not just Adam and Dirk like. We're fantastic when it's us and the other 15 in our team and, and clients just really feed off that passion that our entire team has. Yeah, I, I

[00:24:38] Ron Eddings: love the analogy of team and team is everything. Like we can't do things alone and we've tried it in the past, especially in cyber security.

[00:24:46] We tried this one man show idea and, it can get you somewhere, but it's not gonna get you robust. It's not gonna get you diversity on your team and other types of thought. Uh, what we always like to say on the podcast is cybersecurity practitioners are mental athletes with no off season. We're constantly chasing the threat, having to evolve and, and adjust.

[00:25:05] But I think what it, when you boil it down, a lot of it comes down to communication. And I love what you were saying about Dirk put his fists on the table and said, What are we doing here. But I think it's also important to have the ability to have some of that small talk. I see some teams, they wanna like really live in the small talk and not really get to the meat of the matter quickly enough, and that will kill a lot of time in meetings.

[00:25:27] And then, you know, maybe there's not that person that's direct and getting that information from you. So how would you all say communication works in cyber security? What works well? When are there breakdowns? What has been your perspective? I'll start with you, Adam.

[00:25:41] Adam Green: Yeah. So I think when you walk in, especially if it's a first conversation, it's a very defensive position that comes across from the other side of the table, right?

[00:25:50] So, so we have to establish credibility real fast and um, and what we find is, especially in the geographies we work in, in Australia in particular, it's about not just the company, but you as an individual. Do you have my back or can I trust you? Mm-hmm. Or if I don't like you, will you at least mitigate my risk for me?

[00:26:09] So it's, you have to establish that credibility real fast. And I think we have a great, especially when we do it together or we do it with other members of our team. Collectively, we have amazing experience and we've been involved in some really cool cyber projects or, um, you know, really cool stuff we do on the side as part of our give back.

[00:26:28] And that gives us that credibility when we walk in the room. And we're really good, especially when it's Dirk and I together. We're really good at reading each other's cues and we need to bail each other out, so we establish that credibility real fast. And then once you've done. And that may be a bit of small talk, but it's always focused on how can we help you in your career and mitigate risk for you.

[00:26:51] Uh, and then once we've established that credibility, then we, we start to see the clients start to open up. And, you know, we, we have some, we have some clients that, uh, that, that like to talk to us just because. They know that we're pretty, um, giving with our experience and knowledge. We have other clients that come and talk to us because we have a very strong brand and reputation behind us, and they know that we've got strong global delivery capability.

[00:27:16] So, so it's. It depends on the type of client. Yes. The small talk is always, is always there. We generally save the small talk for once we've established the credibility and then we, you know, we figure out, oh, you drive a really big V8 ute, or what do you call it? Pickup truck. Yeah. Uh, so you drive a Ram, why do you drive the Ram?

[00:27:33] Right. What are you towing with that? And then it becomes a completely different conversation. I think we're unique. We've had some of our clients with, we've either gone to their houses or they've, they've come to our barbecues or, you know, we have clients who, who lean on us for, for help me write my business case, even though it's got nothing to do with working with NTT.

[00:27:52] Right. So we, we do well at the small talk, but we're pretty direct and pretty business focused. Especially Dirk.

[00:28:00] Dirk Hodgson: Yeah. Ron, I, I guess. It. It's interesting, isn't it? Like cyber, despite being inherently technical, is all about people, you know, when you think about it. On the other side of the table is a threat group and you know, they may be a nation state threat group in some industries in particular.

[00:28:17] Um, or they could be a cyber criminal group or they could be a hacktivist or they could just be somebody who has too much time on their hands. You know, like when we have to understand our own team and our own customers and the organizations that we protect, if we're on, on the customer side, we also have to understand what the threat groups are likely to do.

[00:28:38] But I think, you know, the people who are really successful in this industry are good at just working with people. So, you know, I'd go right back to your point about communication there. I think the key is, is just understanding what the person is there to say and giving them the opportunity to say that. I read a lot of books and one of the books that I really quite like is The Trusted Advisor by David Maister, and he talks about trust being a factor of credibility that Adam talked about there, but also reliability and intimacy and, and getting rid of self-orientation completely.

[00:29:12] So, you know, I think when we talked about teams, when we talked to our customers, when we talked to the stakeholders in our organizations as cyber defense teams, it's really about, you know, getting away from ourselves and getting 'em back. What they need, what their risks are, the things that we need to work together as a team to protect them 

[00:29:30] Adam Green: against.

[00:29:31] Ron Eddings: Right. You know, what is interesting is there's three pillars, maybe even more pillars, but three pillars I see for cybersecurity practitioners are a vendor, a consultant, and also someone that is practicing, the practitioner doing the corporate security or the enterprise security. And those are three different hats.

[00:29:50] And you all kind of sit in the middle of kind of all three of those, right? Yeah. So what has been the difference, you know, especially for you, Adam, being an incident responder in the past focused on the alert or the incident and now you're helping many organizations, like, focus on those types of activities.

[00:30:10] What's been the biggest difference from your perspective, from those points of view? 

[00:30:15] Adam Green: Uh, so I think the main thing is having a passion for what we do. Yeah. And keeping relevant. And I think I learn more about, learn more about myself and the cyber security industry from when we get involved. So some of the, some of the really fun stuff Dirk and I get to do is we get involved in TAFE and university and higher education.

[00:30:35] Uh, lecturing. Yeah. And we do a bit of, um, a bit of mentoring and coaching with some students as well as, as well as other, um, other people with career aspirations to get further into cybersecurity. So when we have those conversations, we learn more about the cyber industry as a whole and, and ourselves as well, and how we, how we fit into this landscape.

[00:30:56] So I think I've, I, in my own experience, I've had to stay. Um, gotta say 

[00:31:02] Ron Eddings: sharp 

[00:31:03] Adam Green: research. I was gonna say. Yeah, I was gonna say he's sharp, but also, uh, just agile and, and open-minded. And if I look, actually had this conversation. So at the conference there was someone who used to be a mentor and coach of mine.

[00:31:16] About eight years ago, and when he saw me, he said, Oh, wow, you've really changed. You've got a lot more gray hair, the beard's a bit longer. But, um, but no, you're a completely different kind of person to who you were when I met you eight years ago and coached you and mentored you eight years ago. Because back then everything was focused around, we, we had to sell a product and, and clients would buy on value facts and logic.

[00:31:38] And then trying to understand how a client dynamic has changed in that time and how the Australian cybersecurity industry as a whole has matured in that time. It's now become a case of right, mitigate my risk. What's in it for me as a client? Like, how are you gonna help my career progression, but can I trust you?

[00:31:54] And that's that side of it. Whether you come from a technical background, a full on sales background, or you know, in a, in a case of one of the guys in our team used to be a registered nurse and now is a really, really good technical cybersecurity practitioner. It's about evolving, adapting, and just being passionate and caring about what it is you do.

[00:32:14] Love it. 

[00:32:15] Dirk Hodgson: I'll just build on that one a little bit, Ron, if it's, if it's okay. Um, yeah. You mentioned three pillars there and No, I always, I love going back to sporting analogies. One of my favorite sports is, is basketball. And you always think about these, these great pairings or duos, you know, the big three in, um, in the Brooklyn Nets, um, last year at least.

[00:32:34] Or, you know, in, in the past you have Scottie and MJ or Shaq and Kobe, you know, individually they're contributors. But really at the end of the day, what makes them successful or otherwise is how they worked together. So I I, I, I take your point that there's three pillars, but I think the key to it really is, is not viewing them as different, just viewing them as part of one team.

[00:32:57] You know, as a, as a vendor, um, you, you absolutely need to have the customer's best interests of mind. You know, everybody has sales targets, everybody has aspirations to kind of grow their business and the like. But if you go and try to, try to give, give something to a customer or make them buy something that just fundamentally doesn't work for them, that's not good for anybody.

[00:33:18] So the, the good ones in that tend to understand that and really focus on where they can add the most value to customers. Similarly, on the, on the practitioner side that you talked about, where you're inside an organization, you know, you never have all the resources you need, you never have all the knowledge you need.

[00:33:34] It just doesn't happen like that, right? If you are, if you're working in an Australian mid-sized bank, for example, uh, you know, you are never gonna be able to see some of the attack types that are perhaps happening in global banks or in large banks or in other industries that are moving across in the banking or anything like that.

[00:33:51] So you've gotta go out and talk to, say the integrators, practitioners in other organizations, vendors to just sense and understand what's going on there. And back to your point about us being in the middle of it all. Look, Yeah, yeah. We are in the middle of it all. I think there's a few companies like NTT that do sit in the middle of it, but you know, for us it's all.

[00:34:13] Okay. How can we help to connect these amazing technologies that we work with and the great people at those technology companies with these amazing customers that we work with? And how can we just make sure that the sum of those parts is, is greater than the individual parts themselves as such? So, you know, I kind of look at it as.

[00:34:32] When Shaq and Kobe finally started working together, and when that lob pass went up from Kobe and Shaq did the, the huge dunk in the, uh, in the finals, that was the day that the Lakers started winning. Similarly, I think when our industry gets to the point where vendors, integrators, and, and customers are working perfectly in sync like that, that's, I think when we've been successful and when we'll be able to start to reverse that trend of, of attacks going up every

[00:34:57] Ron Eddings: single day.

[00:34:58] You, you said it best, it's about trust and also about team. It's really not pillars, it's not stovepipes. This is all integrated and connected. We have to help one another and that's the only way we're gonna move forward and help the business, help ourselves, help our data, our privacy, and I wanna ask one more question because this is the, the topic and the theme is trust and team.

[00:35:19] So I'm gonna ship it to both you two, but first you, Adam, what is that one piece of advice that you would give for someone that's listening to this podcast, that is interested in cultivating a bit more trust in their team? Get to 

[00:35:31] Adam Green: understand the client intimately, so not, not so much the person who you're talking to, but understand the client, their business imperatives.

[00:35:41] So one thing I always advocate when we talk with our teams and we, and we, um, you know, coach them on how to work with our clients and, and understand our clients better, is to do goal-based research. Mm. So don't, don't show up to a client and say, Oh yeah, I looked at your website. It's, it's actually understanding.

[00:35:59] And so go through three years of annual reports to have a look at the trend of where their business is focused and have a look. Is there any pattern where they've missed things they said they would do? Or is there a pivot that the business has made and what was, what was behind that pivot? Uh, but I also like to go a little bit deeper and do the same for

[00:36:17] their closest competitors. So then you can understand, well, hang on a minute. There's an opportunity here for you. Let's turn risk into opportunity and potential revenue that you can bring back. Or how do you, how do you turn the cybersecurity conversation on its head and make it a positive conversation?

[00:36:34] Because we all know it's at board level now, so how, how do you come in from a different angle? And not sound like the other 90% of representatives or consultants or vendors who've gone in to speak to this particular client. Mm. 

[00:36:48] Ron Eddings: Love that. And Dirk, for you, what is that one piece of advice you would give anyone listening right now to cultivate a bit more teamwork, a bit more teamwork that involves trust in their organization?

[00:37:00] Look, 

[00:37:00] Adam Green: it's 

[00:37:01] Dirk Hodgson: interesting. I feel like this is a bit of a, a role reversal. Normally Adam is the one talking about the, the threat groups and the, the adversary out there. And I'm the one talking about making sure that we absolutely know, um, know our, our customers' industries and, and really can care about them enough so that we, we, uh, we're there to help them and, and we know enough to be able to do that appropriately.

[00:37:22] But since Adam took my answer, and it was an excellent answer, by the way, mate, I would say that piece around knowledge and really understanding what threat groups actually do is really important. I hear a lot of conversations about, you know, nation state hackers, for example, and, you know, there are, there's some great stories out there.

[00:37:44] I mean, you can listen to both your podcast and many others and, and hear these, you know, it's almost like a James Bond novel when you listen to them and they're amazing. But the great majority of the actual attacks that we see out there each and every day against most organizations really come back to profit motivation.

[00:38:02] Right. Um, and quite often, instead of being targeted, the organization being targeted, actually it's a vulnerability on the organization's system that's being targeted. So, you know, the attacker has gone out and scanned the entire internet, found a hundred vulnerabilities and then filtered down from there.

[00:38:17] So really, as an organization, you might just be getting unlucky cuz you didn't get your, your cyber hygiene up front. It's not about you necessarily. Mm. So I think, you know, it's about making sure that you know what the worst case scenario is, that most dangerous course of action that the attacker or a potential attacker could follow.

[00:38:38] But also being able to talk credibly about what's the most likely threat, what's the thing that's probably gonna come out and, and knock on your door every single day, and make sure you can help, help a customer, help a stakeholder in your own organization understand how to defend against both of those in, in isolation, but also simultaneously.

[00:38:56] 'Cause that's actually the challenge we face each day.

[00:38:58] Ron Eddings: Love that. I think we have to definitely build more of that in our daily life inside and outside of cyber security. Adam, Dirk, it was an honor and a pleasure to speak to you. Thank you for taking the time outta your day to speak to us on the podcast.

[00:39:12] If you wanna stay in touch with Adam and Dirk, definitely check out the show notes. Wherever you're watching or listening, both of their socials are in there. With that, we'll see everyone next time.
