Episode 11 - A Journey In Cyber

[00:00:06] Tom: Welcome to the DevSecOps podcast, where we explore the past, present and future of computing in the modern workplace. [00:00:12] Scotti: Your hosts are a trio of experts from Cordant, each representing different areas within it. A bit like a nerdy A team. So join Tom, James and Scotty for a regular, mostly serious podcast providing you with pragmatic advice and insights into modernizing your IT environment. [00:00:30] Tom: Welcome back to this week's episode of devsecoops. My name is Tom Walker and I'm joined by my partner in crime, cyber Scotty. How are you, Scott? [00:00:36] Scotti: Yeah, well, thanks, Tom. How are you? [00:00:38] Tom: Pretty good. So I'm really excited about this week because we're joined by another ex colleague, but unlike the other ones, he's actually really interesting. I jest. They've all been wonderful, but we work with this guest at Secure Pay, although I think we've done that with just about every other guest we've had on the show. Look, he's a fascinating man and one that I love sitting down and chatting with whenever we get the opportunity to do so. It's George Abraham. Welcome to the show, George. [00:01:00] George: Thank you, Tom. And thank you very much for that very flattering introduction. I don't think anybody has described me as eloquently as you have just described. Thank you for having me. [00:01:13] Tom: Wonderful to have you here and we strive to please here on DevSecOps. Now, George, you're CISO of Influx. Tell us a little about your professional journey and what's brought you to this point in your career. [00:01:23] George: So my professional journey started way before I became a professional. I got interested in cybersecurity, actually, when I watched the movie Ferris Bueller's Day out. And if you remember the movie, there's the scene where Ferris Bueller changes his attendance record. So the principal is taking a look at his attendance record and he goes like, yeah, 10 days absent. And it goes from 10 to nine, eight, seven, all the way to zero. So when I watched that, I went like, yes, this looks cool. And back then, the world was not as connected as it is right now. And I thought, yeah, if connectivity becomes global, this is also going to be a problem, okay? And I would like to solve the problem. So that's how I started getting interested in cybersecurity. But it was not really a field. It was not defined. There was no cybersecurity professionals. I don't think even that word cybersecurity came into common usage. [00:02:24] Tom: I think we're all just nerds at that stage. [00:02:26] George: That's right. And I studied engineering because I knew I didn't want to go into medicine or law, and engineering seemed like a field connected to science, which I really liked. And I was doing a course called Telecommunications Security. That was what it was called at rmit. I sat for that lecture for five minutes and straight away I knew, this is what I want to do for the rest of my life. Project management was the, was the in demand and everyone was rushing into project management, but I thought, yep, telecommunication, security, this is what Ferris Bueller was doing. I want to do this. And that's how, that's how the journey started. I started as a checkpoint firewall engineer and when I started, Check Point was the number one firewall. Right now, I don't think it's. It is maybe in the top three. It's definitely not in the top two. That's how I started working in cybersecurity. I did firewall engineering for a few years and then moved into ids, IPS systems, moved into managed services, and after building a foundation in technology, I moved into PCI DSS auditing as a PCI DSS auditor and did some pen testing. And then I met you wonderful guys at Secure Pay solving a PCI DSS challenge. That's how it all started. [00:03:52] Tom: Brilliant. And what about the years since we've gone our separate ways at SecurePay? What sort of brought you into Influx? [00:03:59] George: So after we parted ways, very, very reluctantly, with a heavy heart. [00:04:06] Tom: It was definitely with a heavy heart. [00:04:08] George: I took up a leadership role in cybersecurity in critical infrastructure, did some work in payments and financial services, also in a leadership role. And now at Influx, I'm the CISO for the organization. Influx is a global organization that does customer experience and customer support. [00:04:29] Tom: Brilliant. [00:04:30] Scotti: So not to be confused with Influx database. Influx is, you said a services company. So do you want to give us a bit of. A bit of background around what Influx does? [00:04:38] George: Influx is a customer support organization. So we provide customer support to startups and scale ups. The way I like to think about it is it is customer support as a service that can be scaled up or down. It's like an auto scaling group. It's the AWS of customer support. In my research, I listened to the previous podcast where you guys had the cloud infrastructure wars between Tom and Scott. I don't know who was aws. I know Scott played OCI and Tom played Azure. [00:05:19] Tom: Yeah, it was James. That was aws. [00:05:21] George: I slightly feel bad now for describing Influx as the aws. I think I should have kept it more more general as, hey, it's A scalable customer support organization. [00:05:34] Tom: Thank you for listening. That's where our one listener came from last week. [00:05:37] Scotti: Yeah, so that's actually really interesting. So in terms of what do customers typically come to you when they say, hey, we've got these problems? What are the challenges that Influx solves? [00:05:46] George: So most of the customers, what they're looking for is things like, hey, I ordered a pair of shoes last week. You guys have got five day delivery. Okay, this is day six. Tell us what is happening with the delivery. And we do both channels. We do the digital channel where we respond via email if you call us. And if the organization has signed up as a voice channel, we also answer, answer with the voice. [00:06:13] Scotti: That sounds really interesting. I definitely know there's a customer that could potentially use your service. I ordered a PC and it's now, I think day 17. And they said their delivery time was seven to 10 days. So it sounds like they, they could definitely use Influx as services. [00:06:28] Tom: Scott's angling for a referral bonus here. [00:06:31] George: Always unhappy customers come in and we try to make them, make them happy after we have answered, answered the question. [00:06:38] Scotti: Interesting. [00:06:39] Tom: And what are, what are the biggest security challenges for the business at the moment? [00:06:43] George: So we are a global organization. We are 1,200 people, give or take 10%, all over the globe. Our head office is in Melbourne. 20 people. That's where the exec team is. So managing a global workforce from Melbourne over multiple time zones and multiple levels of technical expertise. So there are master's degree students who are doing this part time. They're quite clued in. And there are people who are just doing this as a hobby who, who are not very technical. So managing different levels of expertise over multiple time zones, that is quite a challenge. [00:07:24] Tom: With you as ciso, I'm sure they're in good hands. And when it comes to your role as a ciso, I guess we've sort of had a discussion in previous podcasts about the different types of CISOs, and you've got your business oriented CISO who's about budget and compliance and very sort of risk focused. And then you've got your, what we call your technical ciso, I guess, who tends to be very invested in the technology and operations and the like. And personally, from knowing you for a long period of time now, I sort of see you as a bit of a unicorn in this space. You sort of introduced yourself, you know, you're very, very hands on and technical. You started off in that sort of space where you're, you were working with firewalls and the like. But then you got into governance and, you know, I feel you're one who understands that technical side. But by the same token, you have a, you have a serious presence in the boardroom as well. So it means you understand both realms, both what's going on in the boardroom and the challenges of the business, and also what the troops on the ground face as challenges as well. Do you see yourself this way? And it's something you always aspired to, being someone that was, for lack of a better term, a man of all people. [00:08:25] George: So this is definitely not something I aspire to. So none of this is by design. Okay. So what I've always wanted to do is I want to do something that interests me. So when I started up, I loved firewalls. Then I wanted to do auditing. But because I knew firewalls properly and knew technology really well, I could audit really well too, because of my technical background. After I got a good background in auditing, when I got a leadership position in compliance at Secure Pay, because I knew auditing really well, I knew what auditors were thinking. And because I knew technology really well, I knew what auditors were looking for. So every previous step I've taken have helped me to be a better security professional. And none of this is planned. It just all fell in place. What I'm looking, looking for in my future growth is to tune up my people management expertise. Because security is a lot of it is managing expectation, it's managing what the board wants to achieve and in some cases what the board wants to hear. It's also managing your peers. There's competing priorities all the time and also managing a big workforce. So people management is something that interests me really well and I think it'll help me in my next step. [00:09:57] Tom: Yeah, I think security leadership is, is a really important role because I think there are a lot of lone wolf security practitioners. And being able to lead and corral those people to achieve great things is something that we certainly need more of in the industry. And I think you're selling yourself short. I think it takes a particular type of person that can bring that. Like the time at Securepay that you mentioned earlier, the fact that you could communicate and talk to what the auditor is looking for, but in technical terms, for the technical team, it made it that much easier for them to get on board with the journey that we were on. [00:10:31] George: Absolutely. And see information security and cyber security, this is a technical field. I firmly believe that non technical people will not make good sizes. And it's all fallen in place. And I'm glad it's fallen in place like this, and I'm glad for the opportunity. [00:10:49] Tom: Brilliant. [00:10:49] George: So, Tom and Scott, I've got a question for you guys. You guys deal with a lot of CISOs of different expertise and experience. Do you guys agree that a technical CISO would make a better ciso? [00:11:05] Scotti: I'm going to answer this first. I'm going to get in early. Before Tom answers, I'm going to say yes. I guess I'm heavily biased. Being a fairly technical person myself, I find that being able to talk to a sizo in terms that I understand. If you think about a CISO being a leader as we've described, having a leader that understands people that work for them or work in adjacent business units, I think certainly gives a level of perspective that you're not essentially requiring the people that work for you to be able to translate into business terms. I look, if you look up the tree and you go, well, your siso is someone that is supposed to understand these things. It's supposed to guide. I think it makes more sense. I would expect them to have the skills to interpret and understand what's being presented to them. I certainly see in a lot of cases where information is having to be presented to executive leadership or CISOs or boards, and you look at the material and you go, you'd know this. You look at a risk report and you go, well, this is missing all of the context, it's missing the granularity, it's missing all of the detail. So I would even say it goes beyond just the siso. I would say it would be really useful for businesses certainly in making strategic decisions if certain board members or a certain percentage of a board running a company actually understood the technical detail. So more of the subtle nuance could be communicated clearly. [00:12:26] Tom: But that's fascinating, Scotty, because it's not too far off where I sort of sit in responding to that. It's not necessarily that. I think when I think of the term technical siso, I probably conflate that with some SISOs that we've dealt with that are probably too hands on and too connected to the technology. And technology is still there. They're raison d' etreux and, you know, they're in it every day and they want to be pouring over logs and coming up with the solutions to the problems. To me, I really think it is that sort of balanced personality where they understand and it's probably where you were getting to, George. People that understand the technology but have the business acumen and business sense and understand, I sort of found this challenge myself and I agree, I'm not there myself either, where as you proceed up the sort of management chain, up to those sort of senior senior management positions, it's a different world to the technical world. You've got to be able to adapt and realise that you're having different conversations about different things that matter in the business. And what it ultimately comes down to is being able to translate those technical and security challenges into a speak that resonates with the rest of the board and converting security risk, for instance, into business risk. That's a skill, I think, a skill that unless you have that technical understanding, I think you're going to find it very difficult unless you have a team around you that supports you. And in that case, it would certainly be beneficial to have someone that doesn't need that support team of people that they just get it themselves. So, yeah, I think a successful CISO has that technical background, but they're not just a technical CISO who is a really good security analyst or whatever. They have to have that business acumen as well, whether that's an MBA or otherwise. But that real sense of understanding what a business is all about, it's that. [00:14:04] George: Ability to zoom in and to be in the detail and then zoom out and see that helicopter. Strategic view 100%. Scott, you made an interesting point about boards having the expertise to understand technology. Right. And see, this is a prediction and it's always a brave thing to make a prediction online. But if, if you take a look at board compositions, they will always have an accountant, somebody with a cpa, they will always have somebody with a law background. And it is my prediction that in future, boards are going to look for somebody with a security or a solid IT background. I can see that kind of play out in America a lot. It will definitely happen in Australia. [00:14:54] Scotti: Do you see that as being. Primarily because America is a lot more litigious than Australia is at the moment. There's really no impetus on boards to really be accountable for security incidents that occur. Like if we look at share prices, we look at the number of notifiable breaches. I think I looked at the statistic, estate was up like 23 or 24% on last year. But we really don't see anyone being accountable. We don't see any. We don't see any fines being issued. So I just don't think that we're there yet in Australia. But I would agree. I think I would really like to see someone that had a Security focused mind that could interpret it and the people sitting adjacent to them on the board also trust because I think that's the primary issue when you go and present to boards and we have you walk into the room and they ask you some questions and you give them some answers and you go. I feel like you've listened to what I said but you haven't heard me. And that's primarily because it's based on trust. Security is a trust driven industry and I just don't think that at the moment we're quite there. But I would like to see it, I really would. [00:15:52] George: I think, I think we are getting there. So we are, we have taken those first baby steps. I think in a few years time boards would have in house security or technical expertise. I already see boards consulting security experts when you submit a board paper. Because sometimes when I submit board papers like a very non technical board member would ask a very technical question with references to a standard. I know they haven't read that 300 page standard so I know that that question has not come from a board member who's an expert in accounting. They have consulted a security consultant or expert, you know, they've taken a look at my board paper, they've got an external person to give an opinion and the question comes from that opinion, sir. So those first steps are already there. I think we will get there pretty soon. [00:16:48] Tom: I think we're definitely seeing that because the evidence is there. The number of organisations now that are traditional organisations and we would have siloed them as particular verticals. Whether it's retail, whether it's healthcare, they're all coming out and saying we're a technology company first. We are technology companies that deliver healthcare. As that progresses and proliferates, I think we'll have to see more. They'll have to explain how they can be a technical company without a technical CISO and a technical cto. It's not just about business anymore. [00:17:15] George: Excellent point, Tom. I remember a time where very good technology leader had an argument with MD about a company being a technology company or a payments company. Wink wink. That's nuts to Tom that say a lot of things that we do, this is a technical world, a lot of things that we do is all connected by technology. You take the Internet down, okay, 90% of the companies are going to have some issue or the other. It's a connected world, it's a technology world. So totally agree Tom. [00:17:51] Scotti: Speaking of technology, what are some of the other exciting technologies in the security space at the moment that have kind of piqued your interest. [00:17:57] George: I try to stay away from actually implementing and playing away from technology because it takes my focus away from being a strategic leader and makes me more of a technical leader. But I've been playing around with some osquery tools because I think query can be possibly weaponized to do some solid damage. I'm looking at a tool called Fleet. It's all open source and I've also been playing around with a platform called Go Fish, which is an open source phishing platform. If you take a look at the way a lot of phishing companies companies work is their license by user. I think there is a case to be made where the licensing model can change to effectiveness of the phishing campaign. [00:18:49] Scotti: So what you're saying is. So what you're saying is if I have a really good phishing campaign, I'm going to make you pay based on the number of people that click it? [00:18:57] George: Yep, pretty much, yeah. [00:18:59] Scotti: Well, look, I'll be honest, I've spent a lot of time with a lot of phishing platforms and the, the one thing that I, a lot of organizations just go and do it is a tick box exercise. So we need to run monthly or quarterly phishing campaigns and you look at it and you go, this is so obvious obviously to me, I guess people that's still successful to. When you're looking at a wide range of users that potentially gonna receive those emails or aren't potentially aware of what phishing is. But yeah, I think that's an interesting one. There's definitely something to it there. I don't know how receptive organizations would be base to pay, but there is an incentive. [00:19:35] Tom: Right. [00:19:35] Scotti: Because you're wanting to test it. So you might be looking at having a quite a high investment initially, but hopefully that would drop off. But there's also incentive to train people to make the costs go down 100%. [00:19:46] Tom: Yeah. [00:19:46] George: And the real metrics for a phishing test or a phishing attack is the number of clicks. That is what makes it a win or a loss. And I have a lot of test or actual attack. So I think there is a case to put for a different model. [00:20:06] Tom: Yeah. Because I think a lot of the rhetoric around phishing campaigns is around awareness to the users and there's no point if a user's gonna be able to identify something that's as obvious as the nose on their face. It's actually interesting because it's. To me, I've always seen people say that the phishing's about awareness and you've gotta Be aware that the scammers are out there, they're not doing something that is super obvious. What they're actually trying to do is try trick people into clicking on things. So it's more than just an awareness thing and I think we need to take staff on a journey that scammers are getting increasingly intelligent about things. And the most effective phishing campaign I ever saw was company I used to work with where the phishing, the friendly phishing company actually sent out an email posing as the internal employee portal. It was just after end of financial year. Hey, congratulations everyone. Due to the great financial performance of the business where we're offering a bonus. Please click here and log into the portal to find out what your bonus is. That actually caught and captured the login details of like 30% of the organisation. The most hilarious thing was including the CEO of the organization itself. So that's where it's, you know, you've got a clear problem there. And it was, it was, it was a clever phishing campaign and I think where you incentivise and off the back of that, that introduced a raft of things like for one, the business itself said we need to introduce multi factor authentication obviously for our internal employee portals as well. But two, it just an awareness that hey, our security culture is not at the level that we need it to be. And it's not because they had something that is, hey, click here for free, $5,000 and it's obviously a spoofed link. It was something that was very, very close to what they'd otherwise receive. And it's very easy for someone to get an email like that in larger organisations as well. So I'm all for that. George. I reckon an incentive based on effectiveness of a phishing campaign we'll actually see. And to Scott's point, there's an incentive for the business to improve the security awareness culture there because it drives that cost down of subsequent phishing campaigns. [00:22:04] George: I've got an interesting story. It's a phishing campaign gone wrong, right? Okay. So I was working in a government organization and at that time we were just closing down due to Covid and my security engineer, he came up with a campaign and it was, hey, we know that we have canceled the Christmas party this year. Here is Uber Eats voucher for $100. Click here, enter your details and we'll have Christmas party at home. Pushed out the campaign, huge spike in the number of clicks. So there is clicks, that's people who click and there's compromise when people enter the credentials. So high Click rate and high compromise rate. But after people started typing in the username and password, the splash screen appears to say, hey, this was a test from the cybersecurity team. The backlash that we faced is comparable to being a victim of a hate crime. But to that organization's credit, HR did tell us, hey, George, in this instance, you guys have stepped that line. Okay? But because the intent was there and because these are the techniques that hackers actually use, they had our back. They, they defended the team. You know, we didn't, we didn't have any trouble. Informally, I was told that, hey, the, this was, you know, one step too far. [00:23:35] Tom: It's a bit of a sensitive time at quite an emotional high during COVID. [00:23:39] George: See, hackers play on these emotions. [00:23:41] Tom: You're right. [00:23:41] George: So one of the big giveaways in phishing emails is, you know, there's a sense of urgency. Accepted that that previous campaign I spoke was a bit too much. But hackers use these techniques. [00:23:53] Scotti: Yeah, the artificial time pressure is the key one. Although I was just thinking, you know, like I would 100% want my A hundred dollar Uber Eats voucher. I would probably get, I would probably be a click through and then look at the URL and go, oh, hang on a minute. This is a test. So yeah, this is, this is an interesting one. And I actually worked for a company that during COVID used to send out Uber Eats vouchers. Like I get scam emails and phishing emails all the time. I'm not interested in a water bottle or a yeti backpack or anything from racv. But a hundred dollars Uber Eats voucher, I think you might get a click. [00:24:23] George: Through from me as well with the right context. And it was a pretty good campaign. Yeah, a bit of a happy story also with a semi unhappy ending. [00:24:35] Tom: Love it, love it. What about AI? I guess both as a threat and an ally. And we've had chats on previous podcasts as well around there's the benefits of AI to security and being used as a tool to prevent, collate information and respond to it. But by the same token, AIs when weaponized is something that's very, very scary. What's your position there and have you had a play around with it? [00:25:00] George: Yes, at Influx we have played around with different gen AI platforms and our thoughts are each of these platforms reflect the emotions of the founder. For example ChatGPT, very agreeable Gemini, zero personality, but fact based. You know, you cannot get Gemini to write an email that would sound pleasing, but you can get ChatGPT to do it Grok, you know, very disagreeable. At Influx, we use a lot of gen AI platforms, but if you think of AI for cybersecurity, it's being used for attack and defense. So CrowdStrike, for example, has been using AI and ML for more than five years. So I started taking notice of CrowdStrike after they spoke about there are no signatures, we send the telemetry and from our platform we run AI. So we have been using it for defensive purposes for a very long time. And you've got CPT platforms like WormGPT that you can use for offensive attacks. I think we briefly spoke about phishing attacks. So right now it's things like, hey, you click here to get an Uber Eats voucher, click here to track your Australia Post parcel that you have never ordered. You know, it's quite easy to pick out a phishing email. [00:26:34] Tom: Hey, I don't ever bank with inz. Why are they sending me an sms? [00:26:37] George: Yeah, but I think the next evolution of phishing emails will say, hey George, at rmit, for the 2021 group alumni, there is a meeting or a drinks, catch up at the Imperial Hotel. Your friend Scott, who attended the same course is also attending. Please click here. And I think AI platforms will make phishing emails much more convincing. That's the bad side. [00:27:11] Tom: It can do that, personalize it at scale that we just can't do as individual hackers. [00:27:16] George: But the other side is, hey, email security platforms are also going to use AI to go like, hey, this is not the language that RMIT uses for invites. Maybe I'll flag it red. So it's a tool that will be used for both attack and defense. [00:27:33] Tom: The new battleground, isn't it? [00:27:35] Scotti: Yeah, and I have some experience with some of these AI platforms for the defense, certainly in the email space. And the thing that certainly has jumped out in terms of where the true positive and false positive rates have kind of moved is that in the early days it was quite easy for an AI or LLM or machine learning to identify those kind of patterns. What, what we've, what I've been seeing and certainly from talking with customers, I've been saying, well, actually our AI platform that used to be, you know, 80 to 90 or more than 90% effective at detecting and blocking these things is actually, it's really hard now for them, for them to detect and block these AI and generative AI specific type emails. So I really hope that that does get better because otherwise we're going to be ending up with a lot more people complaining that They've been clicking and entering their credentials to get Uber Eats vouchers. [00:28:24] Tom: And speaking about battlegrounds, just before we came in here, we were talking about fighting the ever encroaching and unavoidable element of age. Now George, you keep yourself very fit and I know you're heavily involved in a running group specifically for CISOs. Tell us a little more about that, your involvement and how can other people get involved? [00:28:43] George: You need a healthy mind and a healthy body to be effective in our profession. And I was attending one of the cybersecurity conferences and I just felt that our security community is not really healthy. I was thinking about doing something and one of my friends who works in the security community said, hey George, why don't we have a run group? We will do it for anyone who is interested in becoming fit. We'll go for a run and after the run we'll just catch up to have a chat and to build the community. So we had a bit of a chat about it and now I run Cybersecurity Run club. On the last Thursday of every month we do it in Melbourne, one round of the 10. Most of the time it's on, it's at 6pm in the evening we go for a run. If you're not into running and if you just want to have a walk, that's perfectly fine too. And after the run we speak about cybersecurity and the challenges we face. Sometimes we go out for, for a drink. Even though running and drinking, you know, it's, it doesn't go intuitive. Yep. But you know, the sharing the battle stories, it's part of, part of staying, staying healthy mentally, I think that's great. [00:30:05] Tom: When you, when you do it with like minded professionals, it's both a professional and a personal sort of growth thing as well. [00:30:11] Scotti: I'm just here for the walk. So. Yeah, count me in. [00:30:13] Tom: Yeah, I was going to say both by name and by activity. I'm a walker more than a runner. [00:30:18] George: So see, there are a lot of. See, walking is so underrated. There are a lot of studies that, that when you're walking and if you're thinking about a certain idea, it helps you to crystallize that idea really well. [00:30:33] Scotti: All I can think of is every time I have to walk my dogs in the morning, I've got one, I've got two Australian shepherds, one's four, one's 18 months and all I can tell you is all I'm thinking about is why are they running over there? No, come back. [00:30:44] Tom: I think you're 100% right. Because I actually have that every morning I sort of walk to the station and I need that 15 minutes to climb. Crystallize my plans for the day as well. I can't do that if I'm focused on driving and not running into people. I can't do that if I'm running about as well. It's almost a solidarity and cleansing moment that you get that only walking brings. [00:31:04] George: I'm a very restless person when I'm in the office. I'm constantly standing up, putting my standing desk up, then sitting, then going out for a walk. I close the door and then I come in and I open the door and. And I'm a bit of a disruptive colleague. But what I'm doing when I'm walking is I'm thinking about, hey, you know, this challenge is quite tricky. What are the different aspects to this challenge? I see it in this way. Is there a different way to look at this problem? Somebody is being a bit too stubborn at work. What is the real reason that. So I do a lot of, lot of thinking while I'm, while I'm walking. It's an underrated thing. I call my Run club a run club, but I think we should call it Walk and Run Club. [00:31:54] Tom: So how can people get involved in that? [00:31:57] George: You can get involved through LinkedIn. I make the post two weeks ahead of the day and I put the day and the time and I put all the details the week before the run. My friend Kristanich, he does a repost and all the details are there in the post. We have got a group on LinkedIn called the Run Club. If you add yourself into the group you get all the notifications. [00:32:22] Tom: Brilliant. And being a restless mind myself, I sort of, I like to do a bit of fishing, I like to obviously go for walks as well, do a bit of work on the car. That's my way to quiesce the mind or get it thinking and focused on something that I need to. I know George, you're a very well read individual. You just talked about studies in fact in the last response to that question. Is there anything you're reading at the moment and are there any books you'd sort of deem as must read material for a budding security professional or ciso? [00:32:53] George: Well, the book I'm reading right now is Andrew Grove's High Output Management. Andrew Grove was the CEO of Intel in the 70s and the 80s. Okay. [00:33:05] Tom: That's my sort of time of computing. [00:33:07] Scotti: I was going to say that's the golden era. [00:33:08] Tom: Yeah. [00:33:09] George: And the book was published in 1983. Wow. And Andrew Grohl, he puts a lot of principles very clearly in the book that we still use. So like for example, in, in technology and in software development, we speak about test early and fail fast, right. He puts that idea of critiquing a plan when it is at the lowest phase, okay, when this, when it is at the lowest value. So there's no point progressing further down. So as you progress down a certain plan, you are investing your time, you're investing your resources, it becomes a costly failure. But if you critique an idea very strongly right at the start, when it's at the lowest value, you have got your plans in place. If the idea fails, it fails at the lowest value, the company, company has got a lower loss. So he speaks about a lot of things that we use right now from a management focus in 1983. And I think it's one of the most fascinating books I've read recently. [00:34:18] Tom: It's amazing that these people had these ideas and you sort of, you know, you talked about it earlier, whether it was by design or whatever, but these were just people that natively and naturally did things that are the keys to success effectively. And we've crystallised that into methodologies and the like since. But these are just people that just instinctively got it and through their own development of seeing what works and what doesn't work, they put that into play. And it's no surprise that intel is alive and still thriving to this day. There are very few companies that are because they didn't take on and have this approach early on. [00:34:52] George: And I think there are ideas in the book that still relevant right now that can solve future problems. So for example, I have disliked attending meetings. You know, I think, I think my calendar gets filled out by meetings. I sit in for an hour and I come out thinking, you know, that's one I will not get back. The best run meetings have got a purpose, there's context, there is somebody who takes responsibility for the meeting and there are follow up action items that get done and followed through. These are the best one. Meetings comes from Andrew Groves book. I think there are a lot of these ideas that are there in the book that can solve problems that we face right now that are just not put in practice. So it is the best read I've had and it is highly recommended to anyone who is working professionally. Even though I should say, hey, don't use a lot of these techniques at home. You know, you're having a catch up with your partner. And kids, if you go with an agenda and follow up action items, I think you're going to be in trouble. [00:36:04] Scotti: Oh yeah, I'm going to try that one. I'm going to try that one tonight and see how it goes. [00:36:08] Tom: One way to kill the romance. [00:36:09] Scotti: I definitely know I get it on the receiving end so maybe I should try and exercise that as well. No, I like the idea of that. And look, I, I probably should read more but that's a great recommendation. That's definitely something I'll be, I'll be picking up. So George, we might leave it there seeing as we've had such a great conversation. And I think I speak for Tom as well when we say we'd love to have you back on the show. For anybody that's interested in reaching out and having a catch up with George, how's, how's best to get in contact with you? [00:36:35] George: The best way to contact me is via LinkedIn. I had a fantastic time too and thank you Scott and thank you Tom for having me. [00:36:44] Tom: Thank you George. Would love to do this again because as Scotty rightly said, thoroughly enjoy this. I think there's something for everyone across our entire listening base, for everyone who is listening. Continue to stay safe, have fun, stay fit, keep your mind well oiled and we shall see you again on the next episode. Thank you. [00:37:05] Scotti: If you could use a little help or advice with modernizing your IT environment, visit Cordant Au to start a conversation with us. VO: This has been a KBI Media production.