    Get Cyber Resilient Ep 122 | The evolution of managing a crisis with Grant Chisnall, CEO and Founder of Left of Boom

    In our first interview of season 9 we are joined by Grant Chisnall, CEO and Founder of Left of Boom and host of the Crisis Talks podcast.

    In this episode, Grant covers the changes he has seen in crisis preparation and management, how organisations change after being through a crisis event and also the importance of people vs process when crisis events happen.

    The Get Cyber Resilient Podcast Episode #122 Transcript 

    Garrett O'Hara: Welcome to the Get Cyber Resilient Podcast. I'm Garrett O'Hara. In our first interview of season nine, we are joined by Grant Chisnall, CEO and founder of Left of Boom and host of The Crisis Talks Podcast. Grant and his organization specialize in crisis management, risk and business continuity management and stakeholder engagement. He's got a huge breadth of experience in crisis preparation and management and has been involved in product recalls, cyclones, civil unrest, global cyberattacks, and air crashes. So definitely someone we can learn a lot from.

    Grant covers the shift he has seen in management attitudes to crisis preparation and management, how organizations change after they've been through a crisis event, what those first few hours are like when the brand stuff hits the spinning thing, the importance of people versus process when crisis events happen, and how we can balance empathy with accountability when cybersecurity events are unfolding publicly, over the conversation.

    Welcome to the Get Cyber Resilient Podcast. I'm Garrett O'Hara. And today, we are joined by Grant Chisnall, the CEO and the founder of Left of Boom. How are you doing today, Grant?

    Grant Chisnall: Yeah. Really well. Thanks, Garrett. Thanks for having me.

    Garrett O'Hara: Absolute pleasure. I'm really, really excited to have this conversation. It- It's one of those ones that we were saying just off mic we, we sort of had to stop chatting which I think is always a good sign when you you meet somebody. And you, you realize you could happily sit down with a couple of points and probably get lost for many, [laughs] many hours. So I think that's always a good sign.

    Grant Chisnall: You're never too scared of a chat, mate.

    Garrett O'Hara: Yeah. [laughs] That's, it's good to hear. Well, so look. Really, welcome along to the pod, Grant. And thanks so much for taking the time out. I know it's never lost on me, you know, folks like you are very busy. So very much appreciated. And thanks on the, the audience's behalf as well.

    Okay. I, I suppose a couple of opening things. But lovely to hear how you kind of got to the point where you're the CEO and founder of Left of Boom. And then, you know, it's appropriate to ask that question, like it's an awesome name. Love to hear where that came from as well. [laughs]

    Grant Chisnall: Yeah. Well that's the boom was a term that we used within the military and intelligence services where it's talking about all the things that you can do prior to an incident occurring. So prior to that bang occurring prior to the, the attack or the first shot where, you know, the old stories... story goes that, you know, everyone has the best plans until that first shot rings out. So, so anything Left of Boom is what you can do to ideally preempt and prepare yourselves and ideally prevent situations from occurring to start with.

    So it's a great metaphor for, you know, in risk management what you can do again to prevent, prepare and ideally ensure that you're really well a- arranged before anything does occur. Once something does happen, you're in that chaos mode. And Right of Boom is really trying to get control very quickly trying to ensure that you're responding, you're reassuring your stakeholders, and you can recover as efficiently as possible.

    So it's worked out to be a wonderful metaphor for the work that we're doing in preparing organizations for the worst case and making sure they're confident and proactive in any situations. And that sort of came from the background that I had which was a military background initially I went into a corporate affairs firm thereafter. So I've got this real weird mix of, you know, corporate affairs stakeholder engagement with then the background and strategy and tactics around risk and, and how we apply those in a leadership context.

    So it's been, it's been a really good journey. And I think in the last sort of... It's funny now though too 'cause the military's sort of formed a lot of what I've done. But then, I've been out longer than I was in the military now. So... And in the last 15 years in particular, I've been really privileged to, to work with some amazing organizations and develop, I suppose, an understanding of some of the real challenges that exist in a corporate and business environment and how you can prepare not just for the, the things that can really, you know, affect your operations or your people, but the things that can also affect your overall reputation in the marketplace.

    Garrett O'Hara: Definitely. And you have been privy to some of the organizations and, and things you've worked on. And it's a... Yeah. To say it's an impressive resume. It's probably not doing it [laughs] any, any justice. So I mean, you know, maybe we get to touch on some of that as we have the conversation today. But like one of the, the sort of biggest things we've seen in recent years, and I guess you're very much aware of this is that there's, you know, kind of pretty significant kind of increase in the, the volume of those very high profile, high impact cyberattacks.

    It felt like, you know, the calendar Q4 last year was, you know, it was different. There was, there was a coverage in the media, a conversation in business that I, I personally haven't really felt in the same way. And, and it feels like there's finally getting this kind of really a good focus on cyber kind of being nearly certain, right, you know, that the boom is gonna happen. And, you know, to your point, I get to think of it staying left of it as much as possible. Whi- So as you work in crisis management and then prep for that, like have you felt that shift or what's your perception of that?

    Grant Chisnall: Yeah. It's sort of weird because we... It sort of waved over the last 10 years. So going back again sort of 10 years ago, it was off the back of Stuxnet. You had a lot of focus around SCADA, around the potential for cyberattacks to impact infrastructure. And that sort of came off the back of, you know, the focus on terrorism and the effects on again critical infrastructure in, you know, in our living environments.

    So, so we sort of had a wave of that sort of focus back then. It sort of dropped off a bit. But in the US, they've been really focused on it for, for quite, an, you know, an extended period of time. And they're quite open about what they're doing in their identification and then response to tho- these types of scenarios, so particularly when you're looking at data breaches.

    And I had a stint with a firm called UpGuard. They're an amazing firm that do a lot of data breach hunting essentially. And they... they'd found such breaches as like the Cambridge Analytica breach and things like that. So seeing what they were doing in the US and how, how more advanced the US was around a- accepting this as a risk, acknowledging that it's something that's gonna happen to most organizations at some stage, but then also not victim shaming them.

    Garrett O'Hara: Yeah.

    Grant Chisnall: And, and I think what we've seen over the last, you know, particularly the last quarter of last year was a fair bit of victim shaming aimed towards the organizations that were actually the victims of an attack. Now, now, it's easy to say you're a victim in some cases. But there is a responsibility that clearly came out of those last few attacks. So Optus, and then into Medibank in particular.

    You know, they definitely have an obligation as a, as a, a capturer of, of those people's data. Those organizations capture private data. They have to retain it in appropriate, appropriate ways. And they also have to dispose of it in the appropriate ways.

    And I think one of the key messages that came from government last year was around data as a... it should be treated as a liability versus an asset. But I don't think really we're still there yet. And I think what they were doing last year, I think, we're mature enough... yet, sorry, is what I'm saying here. I don't think we're mature enough to se- really accept that data is a liability or an asset.

    We... We're at that sort of point now where, where we recognize that if we're holding this data and it is breached that there is an exposure. But I think the, the reality is we're not really mature enough to have a, you know, a mature conversation with organizations around if this goes wrong what are you gonna do to make sure that you are protecting the reputation and the people that have been affected by these things in an effective way?

    What are you doing to also recover the organization and restore the faith and trust that they have with you as an organization? And then, thirdly, you know, how can you make sure you're learning from these things and sharing those learnings across the... across a wider business spheres so that we can actually learn from these mistakes and make ourselves more resilient in the future? I don't think we're there yet.

    Garrett O'Hara: Yeah. I, I really like your point around data as a liability 'cause I think we've got this cultural thing in most corporates of like more data is better, data is the new oil, you know, data, data, data.

    Grant Chisnall: Yeah.

    Garrett O'Hara: But actually, I think if you kind of financially incentivize it or, or regulatorily incentivize it so that it becomes more of a liability, at least there'll be more, I think, curation of the stuff that maybe is actually useful. You know, even for something like marketing, you know, it's not, it's not the, the evil that [laughs] it's sometimes made out to be.

    But, you know, if it's, if it's good marketing and clean and sort of ethical marketing, then, that's fine. And, but that sort of over-collection of data, it blows my mind. I, I talked about this a little bit. I went karting recently, you know, little karts that you kind of bump around a track. And, and to do the... to do the thing, they have a little app where you go to on your phone. And I couldn't believe the stuff they were asking for.

    You know, for, for something as trivial as jumping in the kart and having a bit of fun, it was bonkers, you know. It's address, date of birth, the mother's maiden name, the weight, like, like, "Really?" It's absolutely insane.

    Grant Chisnall: It da- It does. It really begs the question about why you're actually capturing it for starters.

    Garrett O'Hara: Yeah. Yeah.

    Grant Chisnall: [inaudible 00:09:05] who the attorney general who said that it should be a liability, treated as a liability, not an asset. What that should then translate to in business terms is, is it on your balance sheet? Are you treating it as a... Do you have a depreciation schedule against that? Are you treating that as a cost or are you treating that as an asset on your register? And if you are treating it in either way, you're actually managing that data in a much more effective manner.

    And I think that's what that was signaling. So that's why we had a big focus on these. And they'll be high profile events, you know, nine, nine million plus records, personal records affected. So that's going to attract a lot of attention. But equally over the break here, we've had the Fire Rescue services in Victoria here being targeted. They've been shut down since 15th of Jan- 15th of December rather.

    And there's not been many comments made by any of the ministers from the responsible departments at all around what's going on. So, so I'm... I think there's some real challenges for business now about what they're gonna do and how they're gonna respond. You need to definitely have the right measures in place to prevent these things from occurring Left of Boom. You need to make sure you're well prepared Left of Boom for these things to occur. And you're treating it as if it's going to happen.

    And then, when it does occur, you need to have really strong plans in place to respond, ideally manage the data breach notification process in a proactive and effective manner. And o- likewise, you need to have the ability to manage the multiple other issues that happen during these things. So how you're gonna restore, how you're gonna recover, how you're gonna maintain operations. What's your business cu- continuity plan to continue the business that you're in, in order to reassure your stakeholders that you can be trusted?

    Garrett O'Hara: Definitely. You, you sort of mentioned the, you know, the increase in empathy which I think is, is spot on. I think more and more in the cybersecurity industry, there's less finger pointing because I think there is an acceptance, you know, that this stuff is gonna happen to pretty much everybody. And one of the things that I originally read this in a kind of Gartner paper. But it was about the idea of, you know, if it is inevitable that there's gonna be a breach. And assuming there's no negligence in terms of the sort of controls that are placed in the, the security strategy from a CISO or a security leadership perspective, have you seen any kind of change in perspective of the value of a CSO rising when they've actually been through the, the incident, through the breach or whatever? So, you know, rather than something happens, hey, we're gonna fire the person as a PR move, actually, we're gonna keep them. We're probably gonna pay them more because now they've sort of been through it, and they get it.

    Grant Chisnall: Yeah. There's, there's definitely... I mean the rise of the CSO has been happening for a while now. I think the value has been, has been seen really from Toyota onwards here in Australia around the impact that they can have and, and ideally how they can prevent again these things from occurring. And that's primarily where you want their role focused on: what are you doing to reduce any opportunities for attack? How are you doing... How are you limiting your threat profiles? How are you also looking at your own defensive postures to make sure that you are again preventing these attacks?

    I think the challenge for CSOs now though is that with the increased attention from, from these different high profile events, that's actually distracting from their primary jobs at the moment. So they're actually having to go back and re-educate the business a lot more around what the threat means in the context of their organization.

    And let's... I mean. So if you look at the Optus situation from late last year, that's caused a lot of boards to go and ask their own businesses what does that mean for us? And in many cases, not, not many of these businesses are a business-to-consumer business, you know. So in a B2C environment, when you have a cyberattack you've got the real potential for, for a liquidity event to occur straight away.

    So that's a different type of threat profile, not just notwithstanding the, the data breach, notwithstanding the, the loss of sensitive information for customers or commercially sensitive information, notwithstanding the loss of PII. So the context of each of these is slightly different. So CSOs need to be more and more effective now in educating the business about what the risk means to their organization.

    And then, what they are doing more and more to prevent these things from occurring to start with. And I think that's the challenge that they're facing at the moment that there's... That focus means that they are being drawn away from doing their [laughs] job which is we, we want them more and more so now out there protecting the organizations like never before.

    Garrett O'Hara: So, so if I understand you correctly there, you, you reckon they're spending more time explaining what they're doing than actually doing the job of-

    Grant Chisnall: Yeah. Yeah. I think there's a balance that they have... Look, I think that's, that's naturally that has to happen though because, you know, the, the threat's shared. So we all know that cyber isn't owned by a CSO anymore. And I think that that's becoming more and more apparent within o- organizations.

    So... But in that meantime in this interim period now, what we're finding is that these CSOs are being drawn all over the place now trying to educate the business further about what these risks actually mean to them. And, and the ones that are really effective at in- at, at, I suppose articulating the risk and articulating what they're doing describing what they're doing to prevent these things from occurring are succeeding more in enabling the whole organization to understand the threat in the right context.

    Garrett O'Hara: That... That's sort of a maybe a nice segue then into like... I said this at the start. You've worked at a really long list of organizations. And I'm guessing over the time, you'll sort of see patterns emerge in, in terms of kind of leadership's understanding of that need for a sort of strong crisis management.

    Look, what are those patterns or I'm assuming they do exist. [laughs] There's a bit of an assumption there. But you're assuming they do exist. Like what, what are they?

    Grant Chisnall: I think the, the organizations that are embracing failure as a... just a general mindset, they're embracing the, the things that could go wrong within their, within their operations. They... They're, they're embracing things that could go wrong within their strategic environment. They're looking ahead at these sort of situations and looking the way things will emerge and affect their own organizations.

    Those people, those leaders that do that are, are the adaptive leaders that are able to see these things occurring to start with and start to preempt them before they even get to the point of being a realized risk. And those ones, those people that are doing that, they're the ones who, you know, they're not necessarily seeing something like COVID coming. But they're looking at what the effect or the consequences are gonna be on their organization. And they're able to adapt their organization more effectively. So those ones that are doing that, I think, are, are generally... Are generally positioning themselves a lot better than, than most in the marketplace.

    And what they're able to do then is look at that consequence, look at what things they need to do to prevent that thing from affecting them even further. And those people, they had the right strategies in place to really address those challenges before they really arise. So those... I, I mean there's a few of those that we're dealing with in a few different fields.

    And they are generally what would sort of... I can't speak about them specifically. But I think the characteristics of them are, A, they have a really solid understanding of the purpose, you know. They know exactly what they're about and what value they create within their communities or their shareholders and stakeholders they're dealing with. And they really value it.

    And B, they are proactive in everything they're doing. Anytime they see an anomaly or change within an operating environment, they're onto it. And they're either working through an option or a number of different options that they could work through to, to address that risk before it emerges, or if it does emerge [inaudible 00:16:44] even the way they're handling it.

    And so, that embracing of failure means that they're looking constantly at the way things are working. And they're making sure that they're ready and ada- ready and adapting if anything does occur. The ones that are more reactive, unfortunately, they're... They, they tend to be a bit chaotic when something is happening. So you can see that they're, they're probably a bit like the old analogy of the, the tail wagging the dog. So there's things occurring within the marketplace. They're trying to constantly adjust to what's happening rather than just adapting and continuing that steady flow through.

    So, so those organizations when something does strike them, they seem to be found wanting. So you get the two ends of the spectrum. And there's a lot there in between that realistically, we're seeing those that are really adaptive and thinking ahead and others that are more reactive and chaotic when something goes wrong. And, and there's, there's no doubt. There's, there's always gonna be some element of chaos when you've got a big bang event.

    So the... There's always an acceptance for those adaptive organizations that's, that's going to occur. But you just find they're a bit calmer. [laughs] And, and, and they're more ready for what's gonna come next.

    Garrett O'Hara: And, and so often, the way is, you know, I think it's preparation. So often leads to, you know, reduction and not necessarily to your point like the, the mess isn't gonna happen. But you sort of... You, you kind of feel calmer about it because you've already thought about it, you know rather than, yeah, just kind of, as you say, reacting. It, it leads me to sort of think in broader business terms how, I mean so often, the, the shorter term costs aren't really considered in terms of the longer term consequences.

    And I think crisis and, and cyber is often in that bucket where there's an overhead to operations or, you know, there's, there's sort of a, a big blip in te- in terms of spending or, you know, impact to productivity to get something done. But you're actually so much better in the longer term. But that's a hard one to get across the line so often. Is there any... anything you've seen that works particularly well to convince the... convince of the value of things like crisis management and the o- the overhead? Yeah.

    Grant Chisnall: Yeah. There's nothing better than a crisis to, to again...

    Garrett O'Hara: [laughs] Yeah. Yeah.

    Grant Chisnall: ... I suppose reinforce the need for that preparation. But what we find is that those ones that ha- have, have been through something. Yeah. They're generally more willing to engage in the different sectors and see the value of them. But that does wane over time. And, and let's face something, businesses... a business isn't just managing crises, you know.

    So as much as I'd like to think that they are thinking about what the work that we do every day, I'm, I'm also pragmatic enough to know that they've actually got a business to get out there and run.

    Garrett O'Hara: Yup.

    Grant Chisnall: But I think it's back to the point before, you know, the, the more, the more sort of adaptive organizations are the ones that are thinking about risk not just for what it means to... From a negative perspective, I wanna manage from an opportunity.

    And, and so there's opportunity, I think, now with the way that that organizations are preparing themselves to think about, okay, if this does go wrong, there's an opportunity for us to do something completely differently in the future, and maybe change or adapt the way that they're operating.

    And, you know, you hear a lot of innovation that comes out of crisis. What we're trying to reinforce now is that why wait for a crisis to happen? Why don't you start to innovate now or change and adapt now? And that's where... That's where these activities that we can do, and we are doing with organizations. We ran this like a two-day strategic risk workshop the last few days.

    And we're looking, yes, at what the risks or issues might be for a particular program that the team were working on over the next few years. But equally, it turned out a heap of opportunity. And those are those opportunities, I think, you can garner from these types of risk activities which to be frank, these professionals aren't selling well enough in terms of what their... the value that they're delivering.

    So therefore, if you're going to everyone, "So I'm gonna run away, especially, oh my goodness, it's gonna take two, four hours out of my day," [laughs] the whole executive team versus-

    Garrett O'Hara: Mm-hmm.

    Grant Chisnall: ... when are we looking at opportunities. We're gonna be looking at the way that we can present ourselves or prepare ourselves. But we know it's gonna be a, a challenging market over the next 12 to 24 months. And here's how we're gonna prepare ourselves for that for that challenge. And it's, it's a slightly different proposition.

    Garrett O'Hara: Yeah. That definitely makes sense. Yeah. And the- Here's the thing. So you... Look, you obviously work very broadly. We're, we're focused on cyber resilience. It's just the nature of this podcast. But you're across things like bushfires, COVID, cyclones, you know, standard IT outages and things like civil unrest and, and natural disasters, obviously, you know, on your list, your long list of crises that you manage.

    But, one, one of the things I've often heard talked about is like cyber's sort of unique. And, you know, it's, it's sort of driven by humans in a way that, you know, maybe a, a flood or COVID sort of isn't. But let's get your thoughts on that. Is there any kind of unique attributes of crisis events that are the result of cyberattacks that are maybe gonna lead you to recommend different approaches to how you prep or, or how you manage them?

    Grant Chisnall: Yes. Yeah. So the... I think the, the fundamental difference I've seen in cyberattacks, we've been involved now in, in two global cyberattacks with a, with a client. We've been involved then in another cyberattack where, where a third party, who was a client of ours, was affected by a, a... I suppose a, a client of theirs had the attack and they were affected by it.

    Garrett O'Hara: Mm-hmm.

    Grant Chisnall: I've been through a number of system and IT outages as well. So they're, they're more own goal style sort of activities more than anything else. But these events are very different from most other crises. And on the other side of the fence, we've been involved in, like you said, some operational and, you know, natural disaster events. The highest profile one we were involved in was the Sundance air crash where, where 11 people were killed. And the whole board of the... of Sundance Resources were, were killed in that air crash.

    You know, the- those are deeply distressing and deeply impacting crisis events on, on the people. And all the... Like all the stakeholders are affected by that, the family members, the next of kin clearly, the, the employees of the organizations, et cetera there. You know, those are deeply distressing situations that, that any organization should never have to go through.

    The, the... Definitely with a cyber event, and then, probably the next most challenging events that we've ever been involved in, is that they are all encompassing. So, you know, in the two global ones we had all IT shut down. There was zero means of communication across the business. All frontline employees had no means of communicating with or, or responding to any demands that might be occurring aside from if they received a mobile phone call from a client.

    So you've got these situations where it affects your whole organization. Normally, a crisis event might affect, you know... It might start out in a scene somewhere. You might have an incident or emergency. There might be a number of fatalities that might have occurred there. But it escalates up. So you have a team come together in the field, you have a team come together at an office.

    And you have a team come together with a crisis team. So it's generally like three tiers come together. They're working together. You're coordinating with each other. You're working through generally a pretty standard playbook on, you know, manage the scene, control the scene, contain the situation, deal with the family member stakeholders or otherwise. And then, deal with the wider issues and stakeholders in the media, government regulators, et cetera, et cetera. Pretty standard playbook stuff.

    Cyber, everything's down all at once potentially. And then, you've got flow on consequences of, you know, how you're managing your business, how you maintain the continuity and implementing continuity plans to start with, how you're communicating with your own employees how are you then also communicating and, and managing your customer expectations.

    And then, by the way, you've got a... an active threat working against you in some cases who might be demanding a right- a ransom off you, might be demanding payment for access to the systems again or might be running a ransomware virus throughout your whole environment again, requiring you to shut everything down completely. On top of that, you've then got to, you know, assess this whole situation, look at what the threat is, try and work out where they're coming from, at the same time as looking at things such as data breach potential or everything else.

    So, so the challenge on the... on these things are immediate, far reaching, centralized and affect everything around them. So the preparation for these is very different because you're normally looking at IT incident management, for example, stepping up an escalation point and a pathway. So they might have a number of anomalies that they might be picking up. The security operations center might be identifying issues. And then, presenting issues or anomalies that they might be seeing in the operating environments.

    But when that big bang happens, it's meaning that you need to have all these teams working simultaneously, coordinated, communicating with each other often without a platform to do so. So that challenge in its own right is the starting point for these cyber events which means it's very, very difficult to communicate to a wide forum outside of just the response, but also, what you're doing with your stakeholders, your customers, everything globally.

    So I think that, that, that... What we find unfortunately is that most of the preparations are really focused on that point of incident. They might think, "Okay. We're gonna... We'll identify a threat. We'll then, you know, stop a few things. We might have to do a DR or disaster recovery for certain systems." The reality is what they should be planning on is complete shutdown-

    Garrett O'Hara: Mm-hmm.

    Grant Chisnall: ... because everything else is all your consequence management. So you're then practicing how you're gonna communicate under that, under that pressure. You're practicing how you're implementing your multiple streams of investigation, forensics, and other sort of things that need to occur. And you're on top of that. You're practicing them. What are you gonna do around your stakeholders, your customers, your data breach identification, notification process?

    All those things need to be brought together simultaneously. And practicing that is really hard. So the ones that do that well, they're really thinking about it not just around the, you know, how do we stop this thing from occurring or, or how do we make sure it's only just an IT incident. They're thinking about it from a whole-of-business impact and bringing a whole-of-business response.

    Garrett O'Hara: It- It's a funny one. I. I do wonder if I was wearing like a Garmin hardware monitor or something, even the verbal description so viscerally done of, of like [laughs] whatever you... would you see a sort of an increase in heart rate. And it, it blows my mind the complexity. And I think it's often misunderstood because I think, you know, I think it's misus- understood in a couple of ways.

    I think it's, you know, people visualize this stuff. It's like Bob encounter clicks on a link and, you know, five minutes later, all the systems are locked up. And then, all you have to do is turn the machines off, you know, maybe re-image. And then, you know, boot them up. And away you go. And actually, it's just incredibly complex when it actually comes down to it.

    Grant Chisnall: Well, you know what it's like. I mean you go to a normal help desk situation any day if something's not quite right with your computer. You go to turn it on. You call the help desk. You might log a ticket. You then might get a response. So you're sort of sitting there waiting. That's literally what's happening across hundreds or thousands of people potentially, which means that you're starting to get these lags in what the IT help desk is able to do.

    Garrett O'Hara: Mm-hmm.

    Grant Chisnall: All of a sudden then, you've got these other triggers that might be starting to happen. So it's not always that apparent. You turn your computer on, and "you're being hacked" is on your screen.

    Garrett O'Hara: [laughs]

    Grant Chisnall: So that's the challenge. You've got these emerging situations. There's nothing more uncertain than a virtual environment, and trying to educate a non-technical person about uncertainty in a virtual environment is like two or three steps removed. It's like them watching The Matrix for the first time, you know.

    And so for the non-technical people, particularly, you know, people like myself who are generally older as well in business, trying to think about, "Okay. Hang on. Everything's shut down. Why can't we just turn it back on again? Oh, you mean you had to shut it down? So what about our customers? You're authorized to shut that down? Oh, and by the way, you've got a ransom now that you need to think about. Well, are we gonna pay or not?" All these decisions start to flow out that you need from people pretty quickly, or otherwise you have this lag in the whole organizational response which affects everything.

    Garrett O'Hara: And with all of that, and you mentioned a sentence which, I mean, that just sounds so awful. But, you know, we're starting to have the conversation around, you know, Critical National Infrastructure and the potential for human life to be impacted, and potentially in a significant way.

    And, you know, I don't think we've really seen that in the way that I think we're all obviously quite frightened of. But how do you think that changes the equation? You know, we've seen a few attacks on healthcare organizations. And I think, was it Germany, we've got the first kind of line of sight between a cyberattack and loss of life? But, you know, it's starting to feel different.

    What do you think changes in the equation for prep and management when human life starts to be involved?

    Grant Chisnall: Yeah. I think... I mean it sort of sharpens the focus obviously. And that's a good thing. But I think that the risks when you're talking about operational systems versus when you're talking about information systems are often quite different.

    And... But you are seeing, like you said, now that connection between the two occurring a lot more. So the threat now is, you know, someone could use IS in order to access OS, in order to do something that might cause fatalities. That is what the risk is really about at the moment, or it might cause an infrastructure piece to shut down.

    Organizations have actually been preparing for that for a fairly long time, the IS to OS connection. And they've had, you know, sort of separations of infrastructure and the like to enable that, or prevent those sorts of things from occurring. So I think there's some good preparedness around that.

    I think the Critical Infrastructure Act changes are going to more and more highlight the impact of cyber as being a major risk-

    Garrett O'Hara: Mm-hmm.

    Grant Chisnall: ... category. And I think that's a positive thing as well. I'm just worried right now still about the victim shaming of big organizations, which I feel will drive them more underground in what they're doing to prevent these things from occurring.

    Garrett O'Hara: Mm-hmm.

    Grant Chisnall: So, you know, for example, the situation with Optus, where they'll suggest there was an unsophisticated attack, it was reported as being an unsophisticated attack. I think that really forces now whatever review they're doing or have done to look at what the cause was. They're gonna be more reluctant to share the results now, which means that another organization might have the same situation ready to go, might have the same risk ready to go.

    But the consequences might be more life-threatening. So I think, you know, the challenge that we're seeing with all these events, and the challenge with the Critical Infrastructure Act, is making sure that we're making the whole community resilient to these things. Make sure that starts with the awareness. Make sure that the organizations are actually working together where they can to prevent these things from occurring, and working with government where they can to prevent these things from occurring. And they're really well prepared for if something does happen: what's the response gonna be to mitigate and limit the impact on that potential for loss of life or the potential for disruption of operations. So if they can do those things effectively, then I think we're gonna be in a better position. But I do worry right now still that we're sort of... We're attacking it from the wrong end in some ways.

    Yeah. Oh, I think the... And this is where I think the victim shaming is gonna be a challenge, because now, you know, for example, there's obviously a push towards not going down the path of paying a ransom. And having a collective view on that will ideally reduce the threat, because if more people are paying, then the argument is that there's gonna be more attacks.

    The reverse could be true as well, that if some are paying, then they're actually just reducing that risk in some ways as well. Now, if we look back, you know, 10, 15 years ago, kidnap for ransom was taking people. Now the ransom guys have shifted their business model from physically taking people to actually now virtually taking data for ransom. So that adaptation has meant that we are now again having this question: well, should we pay a ransom or not?

    Now, my point here is that all these different mechanisms that are in place to try and, you know, collectively prevent these things from occurring will only work as long as organizations are more willing to share, communicate, understand, and actually appreciate a threat. And then take collective measures to prevent them from occurring.

    Now, if every time something is happening in the future we're victim shaming the ones that have been affected, then of course it's gonna throw them underground. Of course, there's probably gonna be payments for these guys that are gonna be the net result, because they don't wanna be the next one in the spotlight facing the scrutiny that was occurring last year.

    And arguably, I spoke to a lot of different organizations about what they would have done versus what they've seen from Medibank, for example. And there's some quite substantial arguments there which suggest that paying would have actually reduced the threat to those individuals that lost their data in such a terrible way.

    So there's always gonna be these two sides to this preparedness equation here. And I think more and more, if we're trying to either victim shame or trying to over-legislate these things, then what we're gonna find is that people will be more and more reluctant to share when something does go wrong, which means they're not gonna be well prepared.

    Garrett O'Hara: Yeah, which is never where we want to be. And we're amazingly quickly running out of time here, which I think we both said was gonna happen. But, you know, that's a good thing. I would love to kind of come back to you and maybe touch on your in-room experience, because we sort of talked, I think, the high-level stuff. And now, [inaudible 00:35:36] you're gonna zoom in a little bit, because you've been in the room, I'm suspecting, in the hours as the boom happens.

    And yeah. Like what are those first couple of hours like? And I'm assuming there's just a lot of very elevated heart rates and emotion. Or maybe there's not when, you know, the prep is in place. But it'd be great to hear from you on that.

    Grant Chisnall: Yeah. The reason why is that there's that element regardless. So being prepared for that, and acknowledging that, is part of the process of preparation. But, you know, the chaos comes often from within. And the chaos is really in the questions that are being asked of a team to make decisions in very uncertain circumstances, and very volatile circumstances in some situations.

    So having a clear approach to activating, having a clear approach to assessing these situations, and having a process for working your way through problems is the best means of just getting that personal control-

    Garrett O'Hara: Mm-hmm.

    Grant Chisnall: ... or that collective organizational control in a situation, because again, you know, the initial activation should be along the lines of: here's an initial assessment. We've got this potential threat we're dealing with. Therefore, we're bringing our team together. The sooner you bring that team together, the more effective you find the whole response. The longer you leave that initial activation, we find that people are really chasing their tails.

    Garrett O'Hara: Yup.

    Grant Chisnall: And they're left further behind. So if that's one o'clock in the morning when you first get the notification that your systems have had to be shut down, then you wanna be active within, you know, half an hour to an hour. That'll position you ahead of any news, any customers, any other issues that will start to float come six o'clock in the morning. And you are going to get those messages, those issues, regardless of how much you're trying to contain it, regardless of whether you think you've got another control. You always need to prepare as if it's gonna be broken regardless.

    So getting ahead of these things, getting that initial activation, getting that initial assessment, and then working through what decisions you need to make is a crucial path. And look, I mean, I think, without over-generalizing it or over-simplifying it, there's not a huge amount of decisions that you actually need to make, funnily enough. Like the first big one is, you know, we're activating.

    Second one is, well, what is the assessment of the situation you're dealing with? So what's your immediate strategy? So that might be shut down, control. Second decision might be who, and when, and how are you gonna communicate with your stakeholders?

    Third one is really about how you're gonna restore and recover. So that's gonna take you a bit of time. And then the fourth one is about when you're shutting this whole thing down and restarting it.

    So over the pathway of that, it could be in the first few hours. It might be in days. It might be over a month. There's probably about four broad phases you might need to work through from a decisioning point of view. And so, therefore, it's really about simplifying it back into those key things you need to do at critical parts of that whole path. And what we do is make sure that all the different streams, all the different functions, are supporting and oriented towards that critical path to get them back into full operation whilst maintaining the continuity of the business and minimizing impact on their reputation.

    Garrett O'Hara: Fantastic. Grant, we've pretty much hit time here. It has been an absolute pleasure speaking to you. And I think we actually get to hear more from you. You're gonna be part of our MonCast Connect events, right, in both Melbourne and Sydney?

    Grant Chisnall: Yeah. Really looking forward to meeting some of the clients and some of your ecosystem out there on the 23rd and 28th of February in Melbourne and Sydney. So I'm really looking forward to being a part of those events.

    Garrett O'Hara: Yeah. Likewise. And we'll get to meet in person. So let me buy you a coffee, or maybe we get to have those couple of pints and have a good old [inaudible 00:39:35], [laughs] who knows? And what I'll do is I'll include the link or whatever for the events in the show notes for today as well. So people can come along and check you out in person.

    Grant Chisnall: Awesome. Thank you very much, mate. Appreciate it.

    Garrett O'Hara: And also kind of give a shout-out to you. You've got a pod as well that talks in much more detail about this. I don't know if you wanna give a bit of a shout-out for your pod too. And we can include a link to that.

    Grant Chisnall: Yeah. That'd be wonderful. So, yeah. Crisis Talks is the name of my podcast. And in that, I really speak with people who have led through crises, and they share their stories of adversity and resilience in the face of some really, really difficult situations.

    Garrett O'Hara: Yeah. I'm subscribed. So, recommended. Grant, thanks so much for taking the time today. And yeah, look forward to seeing you in February.

    Grant Chisnall: Thank you very much. Take care.

    Garrett O'Hara: Thanks so much to Grant for joining us for the podcast and for being a keynote at the MonCast Connect events in Melbourne on the 23rd of February and Sydney on the 28th of February. Registration details are in the show notes. Thank you for listening to the Get Cyber Resilient podcast, and do jump into our back catalog of episodes. And like, subscribe, and please do leave us a review. For now, stay safe. And I look forward to catching you on the next episode.