Episode 2 - Decision-making For Organisations

DevSecOops

January 28, 2025 | 00:51:32

Show Notes

A deep dive into specific ICT challenges organisations may face, addressing questions that focus on current ICT challenges and offering insights into prioritisation, risk management, and strategic planning.


Episode Transcript

[00:00:06] Tom: Welcome to the DevSecOps podcast, where we explore the past, present and future of computing in the modern workplace. [00:00:12] Scotti: Your hosts are a trio of experts from Cordant, each representing different areas within it. A bit like a nerdy A team. [00:00:19] James: So join Tom, James and Scotty for a regular, mostly serious podcast providing you with pragmatic advice and insights into modernizing your IT environment. [00:00:29] Tom: Welcome back to the show. I'm once again joined by my good friends James Vincent, Cloud Guy, and Scott the Cyber guru. How are you today, gentlemen? [00:00:37] Scotti: Very good, Good, thanks. [00:00:39] Tom: That's good. In the last podcast, we talked a few times about the business context. We mentioned the business context in relation to IT and how it isn't the business itself. But I'd be really keen to get your views on what the business means to you guys. Maybe start with James. [00:00:54] James: Yeah, sure. I love it. Jumping straight into the heart of things today, Tom. Good one. Yeah. Look, I think to me, you know, business context is everything, right? If we think through the notion of the technology programs that we deliver, really that business context, the business setting, it's why we're there, right? It's why our project is funded and it's really all about the impact that we can have for an organization or for the customers or users of whatever systems we're touching on behalf of an organization. So if you zoom out, ultimately, what we really should be seeing is a business case around any particular program of work that we're doing. And what that business case should be doing is defining really clearly in terms of business context, what is the benefit for the organization, how is that measured, what are the objectives and how do we go about realising those? And it's a really interesting one. 
I know at times, you know, when we've been chatting offline, we've spoken about this notion that when you're younger in your career and the places you start, you tend to focus very deeply on the technology aspects of what you do. So you think, you know, hey, my job's there to write some really good code, or my job's to be a really great security engineer or build the best cloud in the world, whatever that may be. Right. But you don't tend to think too much in terms of, well, why? Why am I doing it for this particular organization at this particular point in time? And I think one of the things that happens as you gain more experience in this industry and as your career evolves and ultimately as you become a really good consultant, is you start to think about that business context more and more. So to me, I think it's really just putting yourself in the position of understanding what's the organizational objectives and why are we undertaking these programs of work in the context of technology. Scotty, what are your thoughts? Similar. Different. [00:02:37] Scotti: I think you've nailed it really well, James, it's always hard going second in these types of things because I'm like, well, I have to say something really smart now. I think business context, it goes both ways. So the business needs to understand a little bit of the technical context, but also the technical people need to understand the business context from a security standpoint. I think in many cases we see cyber people, how, how often have you guys heard the cyber team says no, that's kind of the sum total of it. No, we can't do this, we can't do that. And I think, Tom, you, you mentioned it last time, it shouldn't be a, you can't because it should be. You can. If. And I think from the context around security there definitely needs to be more understanding and more empathy as well. 
In some of the work that I've been doing recently, I've gone in and said this is what best practice looks like and the businesses, we just can't implement it. And so you've got a choice of either saying, well do we do, is that where we leave it? Because they're not in a great state in their current position, but what can we look at doing? I've actually had a lot of inflection on how cyber is done in relation to business context. And to your point James, it's there to deliver an outcome. And I think one of the things that cyber, cyber companies, cyber consultancies, cyber managed services, a lot of the time they aren't delivering something that's easily measurable and therefore how do you calculate that return on investment? So I think the business context is, I think probably more important in the cyber world than it perhaps is in the others. [00:04:13] Tom: Yeah, hands up. I was, I was guilty as being one of those young, fresh faced IT folk that it was my world and to me it was the business as well and I was striving for IT perfection. If it meant it was being done well in it, it meant the business was thriving. But it wasn't until I sort of progressed in my career and found myself in more of those business facing type roles that I realised that there were macroeconomic pressures at play. There were business strategies and in fact it, unless you're at a startup or a software development house, it was part of the business supporting the business and supporting the initiatives of the greater organization, it wasn't the business itself. So, thankfully, frank conversations that I had with some mentors and leaders during my ascension to the heady heights of mediocrity that I find myself at now, that put me into my place in terms of where it actually sits in context of the business. And there are many things that we need to consider when we talking about IT initiatives as to whether they are the right thing for the business, not just the right thing for it. 
[00:05:16] James: To pick up on that theme, Tom, and perhaps keep you on the spot a little bit, this notion of what are the right things for the business and how we can get more contextualised in it. Do you have a view from the clients you're dealing with as to what are some of the key problems that organizations are trying to tackle at the moment? And then we can perhaps start to touch on how we might go about prioritising those and measuring business value. But just as a starting point, know what are the key things on the radar at the moment? [00:05:43] Tom: Yeah, I think there's probably two or three consistent themes that I'm seeing across our client base. Money is probably the largest at the moment, so everyone's looking to tighten their belts. It's a interesting economic landscape at the moment. Some people sort of suggest that we may be at an inflection point in turning things around, but I've sort of seen it historically in my career where you go through this sort of sinusoidal progression of spending to innovate and then tightening the belts. So I think we're in that period at the moment where everyone's looking to do more with less effectively. So that seems to be a pressure that's placed down on it, reducing team sizes, doing things smarter, et cetera, et cetera. Security, of course, is always a big one and probably a. A more emerging consideration and concern given the recent breaches we've had here in Australia in particular, but also with the likes of the CrowdStrike incident, there's more of a focus on security and security's role within it. And I think probably the last one is just the general pace of change and pace of change of the competitive landscape as well. 
So keeping up with your direct competitors, but also internally the pace of change and new technologies that come out and the pressures on IT teams to continually innovate, whilst that ability to change from a cultural and practice process level probably can't keep up with those demands at the moment. So there's no doubt more, but they're probably the big three that I see as consistent Challenges there? [00:07:20] James: Absolutely. I think from a technical context very much holds true. I love the fact that you touched on this notion of the economic circumstance at the moment as well. And this is where your business context comes in and becomes so important. Right. Because it has so much influence over what we end up doing as technologists. You know, I see a couple of other really interesting ones kicking around at the moment around things such as supply chain security as well, which is really broadening that business context and that business horizon. And obviously aspects of that are very technical in nature, but others of them are far more business centric and business governance in nature. Then the other big one, you know, that we talk a lot about is this notion of productivity and try to lift productivity in organizations and in government departments, you know, across Australia. But it's also a global trend as well. And you know, what do we even mean by productivity? How do we measure that and how can technology impact that stuff? But Scott, I'm keen to sort of pick on you a little bit. Right. Because one of the things that the rest of us in the IT community tend to complain about is that there's no money left over because we're spending it all on cyber. Does that hold true? How do you view that from your perspective? Is it one of those things that there's never enough money for cyber? You guys are line the budget. Can't you see this as important? [00:08:33] Scotti: And you can see the look on my face right now. Cyber is expensive. I'll be honest with you. 
You touched on one there as well around supply chain risks. I want to start with supply chain risks. It is very technical in nature, but there are some really simple ways you can solve these things. But what, what has actually happened is your business operates. Let's see, let's use a fictional example. Let's say you sell forklifts, right? And you've got some software that runs on these forklifts, but the hardware for that's manufactured overseas. The software is manufactured by a third party. You have no access to the software, you don't know what's in it. It comes as a black box. These types of risks are inherent. And then you might be a customer buying a forklift, but you're actually inheriting the supply chain, that you actually have no idea where it started, who's involved. And there've been some really interesting geopolitical events recently where that's become quite important to actually understand your supply chain. That is both a organizational governance problem, but also a cyber problem. Cyber people are very good at this because the same way that an attacker will get inside your network, you can also use a cyber kill chain to stop that. I think we'll talk about that a little bit later on if we think about cyber more generally. One of the challenges I was going to add as well is around retaining good staff. If we think about how do you keep those costs down? Your largest cost for cyber is people. So if you are constantly having to find new people because you're losing them to other companies, then that's actually a cost. It's a hidden cost. A lot of organizations aren't factoring in. They just look at the very first order issue, which is we pay this person x amount of money, we'll find someone else. We'll find someone else cheaper. Well, actually, they. They walk out with all that knowledge and understanding that is kind of intangible. But then you've also got recruiting costs. 
You've then got to pay a recruiter because it's really hard to just go out to market. I've been involved in recruiting people and we tried the seek approach. We tried the seek approach. It didn't work very well. So we end up going to a recruiter. So there's a lot of hidden costs in cyber, not just in licensing and products that you would purchase. In saying that, though, this is where you can be really strategic. And we'll talk about this a little bit later as well, about potentially, and we talked a little bit last time as well, around not just picking the top right quadrant of Gartner because that comes with a particular price tag. You can get similar outcomes without needing to spend large amounts of money. If you architect things and have really solid cyber foundations at the beginning. [00:11:06] Tom: Yeah, and I think you touched on it there, Scott. How does an organization balance that need for innovation with the need to maintain robust cybersec within the organization? How do you build that into the culture? [00:11:20] Scotti: This is a really good question as well. It applies not just for innovation or R and D. So there's a very interesting quote. It says the most sustainable path to innovation is a secure one. This doesn't just apply to R and D or innovation. This applies to your entire business. You want it to be sustainable. You want it to be in perpetuity. You don't want to have things come out of the woodwork that are going to upset that. You don't want to end up having to report to the ASX that you've lost all your data. You've had a major data breach. You don't have to report that to the oiac. So this is one of the things having those solid foundations is really important. And if I apply the same principles more generally, so my background's in software development, specifically secure systems and software design. The way that we would advocate is you don't hire 100 developers and expect that they all understand how to write code securely. 
What you do is you adopt frameworks, you adopt policies, and you layer those controls in such a way that it means if you hire someone, you're not specifically 100% reliant on them to understand how to implement a piece of code in a secure way. There are controls that will highlight that early on in the development life cycle. Then you have more detective controls. When you go through build pipelines and it goes through security testing, someone will peer review it, it'll get released, it'll have dynamic security testing tooling applied. There's a whole bunch of things in there to mean that if you hire someone, they're not essentially going to make one mistake and then it's game over for your business. So that that applies to everything, that applies to how you do cloud configuration, that, that workload design, any of the things that you run on prem all of those controls. And that approach holds true. And I think if you follow those really well, you're essentially taking away a lot of the risk, and so then you can actually innovate faster. [00:13:10] James: It's an interesting angle on what you've described here, Scotty. Joining the dots on a few things, we've touched on this notion of using frameworks to bring consistency into the way that people work in an organization and coupling this with the notion of the cost of hiring staff. And it comes back to this point of staff productivity as well. So I think what you've described not only goes a long way to addressing risk, but it also can go a long way to addressing the notion of staff productivity and also keeping things in a manageable context as well. And then if I sort of join the dots on what Tom was saying earlier about cost control being massive. Right. Probably priority number one for most organizations as well. I think these two things go hand in hand really, very, very well. What I find really interesting, though, is you mentioned also the word intangible. Right. 
There's a lot of intangible things that happen through technology. And when we start to look at this notion of benefits realization and how do we as technologists bring some value to the organization? One of the big challenges we have in technology is a lot of the innovative things that we do and a lot of the more Interesting work that we undertake tends to focus on intangible benefits. You can call out things like FinOps in cloud and say, hey, FinOps is all about cost control. FinOps is something that people are deeply engaged in at the moment because it's a really easy business case to justify and stand up. Because you basically say if I invest in this, I will save the organization X amount of dollars. And that can be very, very compelling. It's very difficult to put those arguments together for a lot of the other things that we might want to do. Say investing in a data analytics platform for business decisioning and enablements. How do we actually measure that? Is there a reduced time to market for building a framework and a pipeline in our cybersecurity practice? All those things are quite fascinating. And you know, I look at it and I sometimes wonder, you know, Tom, I'd probably love to get your thoughts on this, you know, from this notion of business context and prioritisation of initiatives, do we sometimes fall into the trap of focusing too much on the things that have a really obvious dollar return or maybe even a bit of cost avoidance? Maybe it's refactoring a licensing agreement, something similar to that, as opposed to looking at the things that might drive business innovation and maybe open up new customer markets or new customer segments. [00:15:24] Tom: It's a tricky one that balance. If I sort of look at my prioritisation, my typical prioritisation of where I look at investment, it probably starts at the keeping the lights on. So that's like your baseline of your input into your IT budget. That's sort of followed by your best bang for buck. 
And that bang for buck usually comes from things you have solid tangible business cases for the sort of the known knowns around the business, things that we need to do. And then last on that list typically comes innovation. And I think what, what tends to get missed in that whole budget cycle and the whole risk framework that organizations tend to adopt is we have the cost of security incidents and the cost of failure of hardware and all this sort of stuff. But we tend to miss on the cost of lack of innovation and keeping up with again I mentioned it earlier, but that pace of change. So it's something that gets lost quite often I think in the, in the business framework. It's a tough one in terms of how to drive that value and ascribe a value to innovation. It's a constant challenge. I wish I had the answer to it. I think like everything though, it's an awareness that this is something, if you roll this up into the strategic drivers of the business. And, and if innovation keeping ahead of that pace of change is one of your strategic drivers in the business, then you can cascade that initiative down into it and then you can have a valid reasoning for investing in innovation. One thing I was going to touch on just earlier too, and it does relate to that, you know, we were talking earlier around the. How do you innovate whilst maintaining that robust security posture? I think one of the key things is awareness too, at the leadership level. And that's awareness not just of that want to innovate, but I've seen many organizations where some of the leaders are actually dubbed cowboys because they'll go off, they'll throw the credit card around, we've got shadow it everywhere. They'll actually encourage at all costs innovation. And what that actually tends to find is all the costs. So I think it's important that at that leadership level you have a level head and can balance that innovation with the need to remain secure, the need to remain financially responsible. 
And that all plays into that prioritisation as well. [00:17:47] Scotti: Yeah, there's two parts to that as well. I think you touch on it when you said that you need to have executive level visibility. So security does need to be at the board level. The board are the ones that are making the decisions. I know this is a controversial point of view. I think some people say security people shouldn't go anywhere near board people. And I think for a lot of organizations and we're talking about understanding business context as we did before, sometimes it makes sense that they. They don't. I do think it makes sense. Certainly if you are an organization that does like to do a lot of innovation or have had issues around innovation and doing things in the right way, the view should be that it should be security should be by design and default rather than after or never. And I think that's a very simple approach that if you take that and you apply that to your whole business, you don't just apply it to the innovation part of your business, you apply it everywhere, you apply it to how you do BYOD policies, you apply it to remote work, you apply it to cloud workloads, you apply it to the whole part of your business. And I think the other part is planning an ability to execute. Most people just say we want to do innovation or, you know, we want to, we want to have this great R and D part of our business, but they don't really think about executing it. What you really is, what you really need to be thinking about is getting Those solid foundations, right. If you've got the design principles laid down, you understand how to build secure code, you know how to release it securely if you have. And I know I'm focusing on the cyber elements here, but if we, I am the cyber guy, right? 
So if we align to have our processes to making sure that we can build and deploy these things in a fast and secure way, then innovation becomes kind of by just gets included because you want to try something new, you can do it, it goes in, it goes into the standard pipeline. We're not doing something different for innovation or for a new thing. It's just how we do, how we do it, how we build, how we release software, I think. So instead of having like innovation as a separate thing, it should just come as a side effect of doing the other parts. Right. [00:20:02] James: Scott, I love this notion of having security at board level, right. And having this as being a board level conversation and even the notion of innovation and what are our business drivers. You know, the classic way that we would typically align technology initiatives to a business is to look at what are the business priorities, right. What is the business strategy overall? The reason it's become so complex in recent years is because increasingly technology is driving business strategy. It's not just a seat at the table anymore, but it's a partnership in its truest sense. I'm really interested to know though, in the experience of you guys, are you actually seeing this manifest at board level? Are we actually now looking at the fundamental pillars of business strategy saying security is forming one of these pillars and it may be under the banner of something like trusted brand or initiatives that relate to that, or, you know, how do we increase our reach to different customer segments in a way that's safe and secure. But I do wonder whether we see it as technologists and we see this need to have board level or executive level buy in. But I wonder if the businesses are actually restructuring their initiatives, prioritisations and strategies in accordance to that. Tom, what are your thoughts? [00:21:15] Tom: Yes, Scotty would probably have more of a finger on the pulse on that one. 
What I am seeing, I've certainly seen it where we work with critical infrastructure and utilities. Traditionally, safety has always been one of the key pillars of the organization. I think what we are seeing now is that that is perhaps subconsciously extending to security in the ITOT sense as well. In the ITOT sense as well. Not just security, physical security and the safety of people in the particular industries that we work in. I think people, now, the general public sees these things as synonymous With IT safety and online safety is synonymous with safety of themselves. Yeah, I'm seeing it creep in that way. I can't say I've hand on heart, seen the presence of IT security in an explicit sense as one of the focus pillars of an organization. But Scotty may, as I mentioned, Scotty's probably more tuned into it and has seen it there and takes pride in the organisations that do have it up there. I may have just been unaware of it. [00:22:23] Scotti: Yeah, I think the human element's quite interesting. You mentioned that human safety is actually the most paramount and most important thing if you are designing a secure system. Things should fail in a secure state. A lot of the time. People, technologists, all of us, we work in a digital sense so we're dealing with data, we're not really dealing with the impact of physical systems in the real world, but we should be applying the same concept that the data is also an element of human safety. If we think about domestic violence or if we think about data breaches which contain information of government workers or defence personnel and those types of things and those breaches have occurred not specifically in Australia, not to the same extent that it has overseas, but there is definitely a human element safety of cyber security. I'll answer the other part of that question in a very straightforward way. The short answer is no until they've had a breach or a major cyber incident. Because why would you. 
It's a simple view of, it's almost like a confirmation bias. Hey, we must be doing everything right because we haven't been breached yet. And if we use this analogy, if we go back, say five years, we were talking about, you know, beware of scams and all these types of things. Back then everyone was like, ah, you know, it's like Chicken Little, the sky is falling. We've not been scammed, we don't really hear of it much now. It's mainstream media because it is happening and it's happening a lot and it's affecting a huge number of people, it's wiping out people's life savings here in Australia and it, it's a bit soul destroying to actually see that this is, this is where we've ended up. So if we take the view that once you've been breached it becomes one of those paramount pillars, largely due to build and restore trust in the reputation and the organization's brand. If you've got the right people in it and you've got the right type of board, it's great working more at the executive level now than definitely when I was younger, it wouldn't have interested me earlier. Now I think it's, it's our job as technologists and certainly as cyber people to understand and speak the language that boards and executives understand to actually communicate that risk clearly. You might remember, Tom, there was, we worked on a project many years ago and we found some really bad security things. It didn't really resonate a lot of people that the message got diluted, shall we say, as it went from myself through a few other people. Eventually the CIO sat down with me and I showed him exactly how easy it was to extract specific details out of a production database. And then we started getting traction. Sometimes the simple way forward is to just show people what the impact is and how easy it is to do and then things start, start to change. 
[00:25:11] Tom: It kind of leads to the fact that we are diluting this message like that almost that head in the sand view of things that we, we get to the top and it's like, it's not a big issue. [00:25:20] Scotti: Yeah, you see it a lot, right? So someone unauthenticated, so without that shouldn't have access to a system. Getting access to your production database, adding, editing, modifying, deleting, destroying, wiping out your ability for that system to continue to operate becomes like, oh, we've got a minor problem at the board level. And I think that's where we really need to be focusing on having cyber people that can talk business language, but also educating those board members and those senior executives to understand what it means in a technical sense. And I'm a huge advocate. If your organization hasn't done board level cyber training, it doesn't have to be as boring and dry as it might sound on the surface, but essentially you get someone that can talk to your business stakeholders and explain what all these things mean, but also what their personal liability and the organizational's organization's liability is in the event of a cyber incident. Most organizations are focused on ransomware at the moment, but that's just a very small subset of what's really going on. [00:26:25] James: I love this notion of education at executive and board level. Most of the large enterprises that I work with are really, I think, still palming this notion of cybersecurity off to some kind of governance risk type team or framework. And that's not necessarily to say that having that laser focus and a group responsible for it is a bad thing, but I do think it's a way of perhaps deflecting the notion of investing a little bit more deeply in understanding at board level. And ultimately I've yet to see an organization really look at cyber as a way of trying to gain competitive advantage in business. And I think it will come in time. 
I think with the right context and the right framework, that is absolutely something that can be put to good utilization and to achieve great outcomes for business. But I'm sort of interested, Scott, with what you were describing. You know, we've had things like mandatory reporting on breaches in law in Australia now for quite some time. And I'm thinking if the executive level and the board level is still not deeply understanding and deeply aware and has bought into this notion, do you think there's something else that we need to be bringing to the table or do you think it's just going to take a little bit of time for that notion to catch up that hey guys, this is pretty serious and it can actually be a genuine existential threat to your business if you don't get this stuff right? [00:27:43] Scotti: Yes, that's exactly right. So I think if we look at the data breach stats that were published and I actually looked some up the other day, 2/3 of incidents are malicious, one third is human error and 10% was inside a threat. So it's also a bit catch 22 because these stats I think are underrepresented in market because you a have to have technology and know that you were breached. So it is reliant on you being able to detect or someone reporting or someone noticing that something was wrong in the first place. So I imagine these numbers are much, much higher. And also you don't have to report everything. You only have to report them under certain conditions. And this is going to essentially skew the results to look, to make things actually look better than they are in the real world. Once again, I'm not trying to be chicken Little, but we should very much be looking at, well, okay, what can we do to improve our ability to detect incidents as they occur? And one of the other interesting stats I pulled out here was that 60 incidents reported incidents were simply because someone emailed the data in an attachment to the wrong person. 
[00:28:48] Tom: Human error, effectively, yeah. [00:28:50] Scotti: It's essentially human error, basic human error. [00:28:52] James: But your point's valid, right? This notion of human error and it just goes to this thought about the landscape hidden cyber being so complex and so broad. You know, there's so many things to consider. Right. And to again zoom out a little bit, I think, you know, putting it back in context of this notion of how do organizations prioritise and make decisions around the spend of their maybe their ICT budget, but maybe Even looking beyond that, I think it raises this interesting question. I don't know that we've really solved right is we've got obviously a lot of emphasis on cyber, we've got some innovation projects that we want to do. There's probably some regulatory things that we just need to get done. If we really want to focus deeply on strategic utilization of resources from a business context. How do we actually go about calling out what represents business value? You know, are there specific things that we can look at? Because we've touched on this notion of cost and we understand that the dollars and saving money is going to be a very real driver. We understand that the notion of risk and protecting the organization is a very real driver as well. Are there other things that we should be looking at? You know, I've seen various frameworks proposed by different organizations, different consulting groups will look and say this is how you prioritise business value, this is how you measure it. But I sometimes feel that that can perhaps miss the nuance of what an individual organization is actually aiming to achieve. And there's a lot to consider in these things. Sometimes it's really trivial. You know, it says you should spend money on the things that are really easy to achieve and gonna have the most strategic impact to your business. Well, of course you should. Right, That's a no brainer. 
But maybe you don't have the resources lined up at that point in time. Maybe you don't have the right people on deck to do the things that are obvious.
[00:30:37] Tom: If I look at things, every sort of solution seems to be bespoke for the organization, more or less. You know, I worked with a customer recently where, yeah, most of the frameworks were based around risk and those risks were really around business risks rather than IT and security risk. When we started rolling up those risks to an enterprise level, they were barely a blip on the radar, though they were critical from an IT innovation standpoint. So it was really difficult. What we ended up having to do was effectively sound out the things that were starting to resonate with people around the businesses. And there was no particular framework that really led to this outcome. But it was really almost a trial and error to see what was hitting the mark around the business, what was getting support and then building a business case around those key elements. And we went back to even rewrite the enterprise architecture principles of the organization to something that resonated. So it came back to really working down to the fundamental level of what are we trying to do here? And working backwards to the proposals that we had in play. Really, really difficult one to answer. And I wish there was a one size fits all. But I think it's a problem manifest by culture in organizations, and it's more of an art than a science.
[00:32:01] James: I love this notion of being willing to actually revisit some of the existing organizational knowledge, like those enterprise architecture blueprints, patterns and approaches as well, to ensure that they are constantly evolving to deliver greater business value. You know, one of the things that I see is a bit of a deficiency in a lot of organizations when we look at this notion of prioritisation is that it's not revisited frequently enough.
So what tends to happen is technology front up to the business once a year to either stake a claim for a chunk of money or defend the existing budget that they have, but they're not really thinking through in terms of, hey, this program of work's been running for 18 months. Is it still on track? Is it delivering the right business value or is it becoming a bit of a money pit? And how do we actually approach this and say, should we actually put some different constraints and parameters around this delivery program? Should we break it down into things that are more tangible? Should we revisit our strategy? And it's something that I see a lot in organizations. And then the other one that crops up a lot in very large organizations is the duplication of effort where we see a lot of different departments basically trying to tackle very, very similar problems. And, you know, we see it a lot in, say, development groups, right, where it's great to have these principles that every development team should be able to choose their own tools, build their own pipelines, create their own processes and structures, and have a great degree of autonomy. And it's a lovely thing in principle. But what it does do is it leads to a lot of overlap in terms of we've got to buy multiple tools, we've got to solve the same problems over and over again, is perhaps not particularly efficient. And we end up in a place where, unfortunately, from a cyber point of view, we've also got a whole myriad array of things that we have to manage and look after longer term as well. So I think, to me, this notion that we have to work alongside our business sponsors on a much more regular and frequent basis, and we have to be willing to say that something's no longer working for us, right? 
So it's this notion of being very, very transparent with our business as technologists and not losing sight of the fact that we are there to actually achieve a business outcome, not to achieve a technical outcome for its own sake. And it's very, very easy to lose that objectivity when you are neck deep in a program and under pressure. And particularly if you are 12 months into a 9 month delivery program and people are saying why are we three months past the deadline? When are we getting our outcome?
[00:34:22] Scotti: Yeah, I'd also add to that as well that a lot of the time, certainly in the cyber world, we don't make it easy, because you talk to any vendor these days and they'll say, yeah, buy our product, it'll solve all your problems. It's a real true measure of a cyber vendor or even systems integrator that says, hey, we should probably sit down and understand your current environment and how you operate before we try and sell you something. One of my favorites is around identity, specifically privileged access management. And there are some vendors out there that have been around for a long time and everybody just seems to buy it, but it doesn't seem to integrate very well with a lot of systems that people use these days and their solutions and workarounds aren't very good. I'm talking about the vendors' proposed solutions in some cases. There was one the other day where it was like, oh, the Android app doesn't work. And their solution was don't use it. And I was thinking, well that's great for all the people that use Android phones. So I think if vendors look at where they can actually improve existing operational processes and actually help the business, that's going to be great rather than just saying, hey, buy it. Because if we're looking at budgets and how do we show value, as you said, James, turning up once a year and saying hey, we've delivered a thing, well, does it really work? Is it the best solution? Is it still the best current fit?
All of those things need to be taken into account, but most of the time that comes after the investment has been made and the commitment has been made with the vendor to purchase a product. So I think that's something that organizations can look at is actually picking a better set of partners, and it doesn't have to be one size fits all. So you don't have to buy all your products from one vendor, but you should definitely be looking to make sure that they integrate and work well with one another. The other thing I see as well with reporting, certainly cyber initiatives and value to executives, is what are the actual metrics that we need to be reporting on? They're not usually agreed up front and most of the time I see it, I see a lot of reports that say, hey, we've got this many spam emails and we blocked this many requests. If we pick web application firewalls, it is one of my key favorites. You see, we blocked 50 million requests. Well, those 50 million requests could be from one IP address. That doesn't give me any value. It doesn't give me any insight. Why, why are we even reporting this as a metric?
[00:36:43] James: Right.
[00:36:43] Scotti: Because it's actually showing the wrong thing. It's saying, hey, we're doing a really good job when it's missing all of the context and all of the business piece behind that as well. So I think understanding what your business cares about from a cyber point of view, and where I have seen this done really well, the organization I'm working with at the moment has, the cyber team has a very strong relationship with the risk and fraud team because risk and fraud directly impacts the bottom line. So you can essentially, if you are in one of those organizations where you have a risk and compliance team, and I'm talking about fraud and risk here. So specifically, retail is a really good example.
Having a good relationship with that means that you are essentially involved and you get a lot more executive visibility.
[00:37:27] Tom: Yeah, I think contextualization there is the key and it just triggered a memory of, actually, the first time I was asked. I thought I'd come up with a brilliant technical solution to something and it was shot down in flames because the simple question was asked, why does the business care? And I didn't have a good answer for it. And I think back when I worked at Coles, we had a very good saying that was used as the metric for all business cases: how does this help us sell baked beans? And it was a really great way of tying everything back to the business. I mean, people in the distribution centres with an iPad, if we took it at a micro view, the technical teams were focused on technically getting a working, functional solution out to these people on the floor, but even to those people we tied everything back to: this helps us sell baked beans because it streamlines the distribution chain, which means that we can get more cans of baked beans, fewer empty shelves, customers are happier and they walk out the door with their baked beans and don't walk into the doors of Woolworths instead. So I think repeating that business context to everyone inside of ICT is critical in that cultural adoption of this appreciation of the business context. And you touched on it there perfectly, Scott, in terms of don't just have a metric for metric's sake, make sure that that metric actually means something to the people consuming that report.
[00:38:48] James: I think this is the key lesson in this whole thing, really. If we look at this notion of how do we make what we do in technology more understandable to the business, and how do we take the things that we often consider intangible and turn them into something tangible?
You know, this notion goes two ways, and I think the big one is really we have access to a lot of data, we have access to a lot of metrics in technology. What we've got to do is reframe those in the context of what they mean to our business. And I love this notion of it's X number of cans of baked beans. And a very good mentor of mine who's helped me for years, over the course of my career, many years ago, worked for a particular chocolate manufacturer and he tells a very similar story where one day he actually wheeled a crate of chocolate into the technology room. And said to his guys, you know, you keep saying you want to buy more servers. How many boxes of chocolate do you think we actually need to sell to be able to afford every one server that you guys want to buy? And it was a really interesting thing just to put the reverse psychology in there, to say to the technology teams, hey, there's a real business here, right? There's people out there that actually need to really, you know, create, ship and sell product in order for us to be able to afford what we do as technologists. So it really reinforces the notion that we can actually then use the insights that we have and the information that we gain through technology to actually help inform our business as well. And we see this increasingly in operations that rather than look at things such as availability of a platform and say, oh, we were down for 3% of the year, or we achieved 99.83% availability, looking at, okay, so how many transactions was that? What was the dollar value of those transactions that couldn't flow through our platform in that time? How many accounts didn't get opened by potential new customers because we were down in that window as well? And this is where we start to really translate the notion of technology performance into business impact as well.
And again, it goes hand in hand with this notion of how can we justify a business case for the things that we may want to do moving forward, when all it really looks like to the business is we just want to spend more money on tools and toys because they're shiny and they're new.
[00:40:57] Tom: Spot on. I actually just recalled another "oh wow" moment. And Scott, you might remember, I don't remember the exact metrics specifically, but I recall we were running a platform for a third party and it was a transactional platform. And when this platform went down, oh, hell would break loose even if it was down for a couple of minutes, and I couldn't quite work out why so many knickers were in such a twist. But then when it was relayed to us that for every second that that platform was down, $4 million worth of transactions or something akin to that was lost, and then you extrapolated that out over the four or five minutes the platform was down, you actually understood that this is not, people aren't kicking up a fuss over a couple of dollars here. This is life changing sort of dollars for organisations and ultimately businesses. So critically important in framing the importance of what we do to the people who work in it.
[00:41:51] Scotti: I think the other view to that was not even dollar value. I think it was just the sheer number of transactions and each one of those was an angry person when their transaction didn't go through. If you're talking 100 transactions a second times 60 seconds times five minutes, that's a lot of angry people ringing up your help desk. So sometimes it isn't even the dollar value, it's actually the impact to the human element.
[00:42:13] James: Scott, I love this notion that you've touched on around simplification and I think, you know, we mentioned earlier about the notion of having the ability to revisit some of the things like enterprise architecture frameworks or principles as well.
And I think it's something that perhaps is often overlooked, and particularly as it relates to addressing the notion of tech debt and the legacy problem as well that, you know, we all encounter in technology, is how do we actually appropriately simplify the landscape and is that actually a really important business metric that we should be focusing on as well? You know, we sometimes see it in terms of vendor rationalization and I think there's an increasing trend towards buy versus build as well. You know, a lot of organizations are starting to understand that it's not important to be unique or a snowflake in the things that are not business differentiating. So in other words, if you need a tool for doing something, keep the use of that tool as vanilla as possible so that you're focusing your efforts on customization around things that are actually unique to your business and adding genuine value and differentiation in market. So it's really fascinating and I think there's a few things from a very pragmatic sense that I think people can take away from this notion of how do we actually prioritize decisions around investment, particularly investment in technology, from a business point of view? And I think it would be, first of all, you're never going to escape the notion that you do need to be investing in some fundamental risk management, regulatory capabilities, investing in things that are going to help you with cost control. But don't lose sight of this notion that you also need to be investing in business outcome. And the best way to get that right is communicate closely and regularly with your business partners to say, hey, what's important for our business? What's working well today and what isn't? What do we think we could do better through the applied use of technology? And then weave that into your business case and proposals.
And I think you'd probably find you'd also get a lot more support from your business around investment and may even have some impact to the budget that's made available for technology if we can actually demonstrate that value proposition to our business partners more effectively.
[00:44:15] Tom: Probably a good litmus test is if you find yourself constantly working against your strategy and working against your principles to get things done, it's probably time to revisit those and just ask, are they still working for us? I think the case study that I was referring to earlier, for us the focus was coming up with really solid, simple principles that could be communicated across the business and understood. And not have 50 architectural principles. Yeah. Have as few as possible. And again, Scott and James, you were both alluding to simplicity is the key here. It's easy to bake simplicity into the culture of an organisation and if you do that, if you've revisited your principles and they're aligned right, then prioritisation should actually be a result of having the right strategy, which then again rolls up into the right vision of the organisation. And again, Scott, you sort of alluded to it as a, where are we trying to get to? That vision needs to be clear. And I think you need to have in IT too, a business linked vision when you come up with your vision for what you're going to do in IT as well. My final thought, I guess, is James touched on it as well. Take the technology out of strategy as well. If you start baking those particular solutions into your strategy, then you find yourself saddled with all potential tech debt down the future. So really focus on outcomes, what you're trying to achieve, rather than pinning those strategies to a particular technology if you can avoid it too. So I guess rather than a true blueprint for things,
it's probably just a set of things that I've picked up and we've picked up through our experiences that then can all make a difference.
[00:45:59] James: Love it. Very well said. All right, is there any words of wisdom we can sort of put to bring this one to a close? Scott, you got any sort of thoughts around?
[00:46:10] Scotti: I guess I would love to leave everybody with the thought. And I said it earlier, things and security should be by design and default rather than after or never. And I know we'll talk about that a little bit later on in the podcast show.
[00:46:24] James: I think for me, you know, looking forward, the real key message is that I think that as technologists, we are learning to get better business context around the things that we do. And I think it not only comes with experience, but I also think as an industry we're evolving. And hopefully what that means is that that notion of being able to articulate the business value proposition is flowing down more and more, even into younger people in the industry today. And they're understanding that, you know, economic circumstance and business objective are a really important part of why they're playing a role in an organization. And I think this question of prioritisation and the role of things like architectural practices and principles is becoming really clear and sound as well to what we do. So, yeah, I think if we can look at this notion of prioritisation against cost impact, risk management, but also driving the business forward and creating new opportunity, I think it's a really healthy outlook for technology. I think the sort of emerging technologies that we're seeing are becoming very industry aligned. A lot of the uses for AI are opening up some very interesting business opportunities as well.
And it just goes to this notion that increasingly technology is becoming a part of the business strategy and having a genuine position in those vertical pillars that most organizations align themselves to. So I think we've got a bright future in technology. I think it's one that we just need to apply a lot of very creative thought to and collaborate really closely with our business partners and do things together.
[00:47:53] Tom: I really agree with that, James. I think it's a really exciting time in history at the moment for IT. There's a lot of change going on. You alluded to it, the emergence of AI and other game changing technologies. I think there's an awareness, look, it probably started with cloud, to be honest, that there was an appreciation of the business, that there was something in it that we could be doing to make the business better. And I think that's just becoming a stronger and stronger voice. And it's important that we cascade that down and in turn feed that back up to the C level in terms of harmoniously working together with the business in achieving the outcomes. Because it's when ideas and vision and strategies are communicated and shared that they're most successful.
[00:48:41] James: Scott, any final thoughts around pouring all of the investment budget into cyber?
[00:48:46] Scotti: So if we look at the cloud security space as a particular case study, you can see what happens when you get the business context right. So we've been working with a few cloud security posture companies at the moment and when they talk to the business, the business stakeholders understand and it becomes a very easy sales cycle. In fact, some of the easiest sales cycles I've seen in my 15 plus years working in cyber. So I think if you are one of those companies and you've been using the same tooling for several years, it's probably time to start looking at the market and seeing what else is out there. Can I get a better deal?
Can I get more features, better functionality, better integration and better business outcomes for the same or similar spend?
[00:49:31] Tom: I'm going to take your cyber budget and buy baked beans myself and cut out the middle man and get them onto the shelves for our customers.
[00:49:39] Scotti: I like it. I like baked beans, they're a great source of protein.
[00:49:43] James: So, Tom, it's been interesting listening to all of this because what I'm starting to see is that really this notion of protecting business value and enhancing business value from technology is a bit of a two way street. It's not just about bringing the technology perspective to a bunch of business executives or the board and hammering them over the head and saying, hey, you need to be more aware that we need to do these things in tech. There seems to be a bit of a cultural dynamic that we want to shift in the technology organisation as well, isn't there, to sort of gain a deeper appreciation of how we can better represent the value of technology to the business? Would that sort of be a consistent way or a correct way of understanding some of the things that you've been raising?
[00:50:20] Tom: Yeah, I think that's a really good place to start. And if we can drive that culture of business awareness across the organization and start talking about why we're here, then I think ultimately we're going to make decisions that are based on the best outcomes for the business. As that culture pervades and in conjunction with the emergence of new technologies, the likes of AI, etcetera, I think we're in for a really exciting next chapter in ICT. Thanks to all our listeners and we'll catch you for the next episode.
[00:50:54] Scotti: If you could use a little help or advice with modernizing your IT environment, visit Cordant Au to start a conversation with us. -------- This has been a KBI Media production.
