Mimecast Logo
Commencer
Obtenir un devis
    Resources
    All topics
    Email Security
    Web Security
    Security Awareness Training
    Brand Protection
    Archive and Data Protection
    Threat Intelligence
    Podcast
    Threat Intelligence

    Get Cyber Resilient Ep 32 | Building a career in cyber security with Beverley Roche

    Gar’s guest this week is the host of the Cyber Security Café podcast and Interim CISO for Sigma Healthcare, Beverley Roche.

    CR_podcast_general.png

    Like many IT professionals, Beverley started on a help-desk and did training and consulting. Looking for something new, Beverley completed a postgrad in eCrime and hasn’t looked back since. Beverley has worked in a number of roles in data privacy and security for a range of companies including The Office of the Children's eSafety Commissioner, ANZ, BHP and Australia Post.

    Beverly speaks about what has changed during her career —the good and the bad, the human side of cyber security and the myths. Gar and Beverly also discuss the importance of digital literacy and how to approach that in broader society, specifically during the employee lifecycle. And we round out the episode with Beverly speaking about her involvement with the Security Influence and Trust Group, their mission and outputs.

    Check out the Cyber Security Café podcast here: https://apple.co/3hPmu2s

     

    The Get Cyber Resilient Show Episode #32 Transcript

    Garrett O'Hara: [00:00:00] Welcome to the Get Cyber Resilient podcast. I'm Gar O'Hara. And today, we're joined by the host of the Cyber Security Café podcast and interim CISO for Sigma Healthcare, Beverley Roche.

    Beverley started on a help desk, like so many of us, did training and consulting, but got bored. Looking for something new, Beverley went out and did a post grad in econ. In her words, that got her going and she hasn't looked back since. Beverley has worked in a number of roles in data privacy and security, the eSafety office, ANZ, BHP, Australia Post and, currently, as I said, with Sigma Healthcare.

    In the episode, we talked about what's changed during Beverley's career, that's the good and the bad. We talked about the human side of cyber security and the myths when it comes to humans, the importance of digital literacy and how to approach that in broader society and, specifically, during the employee lifecycle. And we rant out with her involvements with the Security, Influence & Trust Group and their mission and outputs.

    I suspect we could have happily talked over a cup of tea or maybe a pint of Guinness, but time overtook us, so please enjoy, and over to the interview.

    Welcome to the podcast, everybody. Today, I am joined by Beverley Roche, uh, CISO for Sigma.

    How are you doing today, Beverley?

    Beverley Roche: [00:01:20] I'm fabulous. Thank you. Melbourne lockdown, so enjoying the opportunity to go on someone else's podcast instead of being on the other side of it. So thanks, Gar.

    Garrett O'Hara: [00:01:34] Well, it is great to have you. And- and I've started listening to the Cyber Security Café as well. We'll actually put links to that in the- the show notes. And so, um, yeah, definitely one to, uh, to recommend.

    And Beverley, look, we always start with the guests kind of introducing themselves, just telling the audience how they kind of arrived to- to where they are and- and also what they're kind of currently doing. Um, did... do you mind just kind of running us through I- I suppose your journey. You've had a- a pretty, um, solid career in cyber security.

    Beverley Roche: [00:02:02] I have. And, look, thank you. Um, look, it's really... the short version is I started off in IT, and I worked on a help [laughs] desk. And I did training and all sorts of things. And I've held technical roles, consulting roles, and then got bored, and realized that there had to be something new for me to do. And of course, with anyone that wants to segue into another career, and some brave people have gone from being lawyers to becoming chefs, I just didn't feel like I could confidently, you know, pivot that far. Right? So, I had a look at security and ended up doing a post grad at Melbourne in e-crime, and that was really the only course that was a match for my intelligence because a lot of the other courses that were available were heavy in mathematics, and I'm embarrassed to say my maths was good but not that good. So, um, I really had to find something that, um, was a good match for, you know, where I was at.

    And so I undertook that, met some amazing people. It was really a kind of collaborative course between, uh, police and IT people. And we taught them the IT stuff, and they taught us the policing stuff. So we really got to learn a lot about forensics, a lot about the Internet, so we had really big deep dives. So think of it in terms of the current certs that are around like a CIS, but it was a-

    Garrett O'Hara: [00:03:44] Yep.

    Beverley Roche: [00:03:45] ... much deeper body of knowledge. So that kind of got me going into, um, cyber. And cyber really looked vastly different back then. And we can talk [laughs] about that a little bit more. But then sort of moving forward, I ended up having a number of different roles from data privacy to just whatever was going because, you know, there were a lot of compliance roles then and, you know, compliance was important, but it wasn't really my bag.

    So I moved around a lot. And by moving around a lot, I really love starting things from a blank sheet of paper-

    Garrett O'Hara: [00:04:24] Yeah.

    Beverley Roche: [00:04:25] ... which is kind of the role that I had at the eSafety office, when Alastair MacGibbon was, um, the first eSafety Commissioner, blank sheet of paper. You know, how do we tackle these societal issues? So, I really love that to working at ANZ Bank to, you know... principally, I'm a cyber security adviser. I love that. And right now, I'm the interim CISO at Sigma, helping Sigma. You know, a lot of the pharmaceutical companies are starting out and they're starting small, but it's a lot of fun, you know, 'cause I get to do all of the things that I couldn't do somewhere else 'cause, typically, you want to pick up one domain. I'm doing all the domains, SOX, SIM, um, incident response, you know, setting them up f- for success, basically. That's fingers crossed.

    So, thank you.

    Garrett O'Hara: [00:05:27] Fantastic. Yeah, it's- it's definitely... um, I love talking to people who have the- the sort of breadth and the depth in their careers. And they tend to have a fairly, um, yeah, like a solid perspective on where we are. And that sort of leads me into maybe the first question. You- you've lived and breathed cyber security for quite a while now. And you- you sort of mentioned it just there but, like, what have you seen changed over your career?

    Beverley Roche: [00:05:51] Yeah, look, I think that I tried to think about the- the easiest way to encapsulate it but... and I think that the place to start with that, uh, in an answer is that anybody that was in security, you know, 20 years ago, came from... came into security from completely different perspectives, lawyers, risk, um, HR, you know, all sorts of different views on what it looked like. And we had these big, clunky things called ISMSs, basically. And, you know, so where did you start? How do you make a start in this big thing that was just m- more than you can im-, possibly imagine? So what's really changed is attitudes have changed, uh, people have changed, people have, you know, realized that they won't be tolerated in the workplace if they just think they're the sharpest tool in the shed, to put it-

    Garrett O'Hara: [00:06:59] Mm-hmm [affirmative].

    Beverley Roche: [00:06:59] ... really basically, and- and they have to work out how to get on with everyone. You know, it's a team sport now. It's not I'm a he-, I'm the hero, and I'm the only one that can fix this security issue. So the really positive trends, I think, have really been, um, you know, we've got good baseline tools now, like NIST. We've got-

    Garrett O'Hara: [00:07:24] Mm-hmm [affirmative].

    Beverley Roche: [00:07:24] ... things that are really easy to adapt to help us look at... So I'm just gonna work on defend, what are the things that I need to do about that? What are the things that I need to do and respond? And those things kind of really get us all together, thinking about the problem in the same way. So that was the thing that, historically, wasn't working. We all came into it, and kind of didn't know how to tackle it. We were tackling the big elephant, but we never met in the middle, you know.

    Garrett O'Hara: [00:07:57] Mm-hmm [affirmative].

    Beverley Roche: [00:07:57] Someone working on that, y- you know... if you're... if that's a... it's a quick metaphor. Right? But we just couldn't get to the center of the problem. Now, we can because we talk about it in the same way. We talk about... We don't have to spend hours, say, "Are you talking about this?

    Garrett O'Hara: [00:08:16] Yeah.

    Beverley Roche: [00:08:17] Are you talking about something else?" So good baseline tools, great... good vendors with really good products now that are really helping us, um, solve really challenging problems. And I think that's kind of one of the significant things.

    The other thing is with threat sharing, the threat intelligence-

    Garrett O'Hara: [00:08:41] Mm-hmm [affirmative].

    Beverley Roche: [00:08:42] ... sharing across industry and government is really making a big difference and the ACSC are really reaching out as part of the newer cyber security strategy to identify whose critical infrastructure, why do you matter? You feed stuff to us and we'll feed stuff to you, and that collaboration, uh, just couldn't come fast enough because-

    Garrett O'Hara: [00:09:06] Yeah.

    Beverley Roche: [00:09:06] ... we were all working in little silos, you know. We eventually got to talk at ASC meetings, but we still came from a, from very different perspectives. Um, one of the other-

    Garrett O'Hara: [00:09:20] [crosstalk 00:09:21]

    Beverley Roche: [00:09:20] ... questions that... Oh, sorry.

    Garrett O'Hara: [00:09:22] Oh, I was just... so I was gonna just gonna comment 'cause, today, I'm coming off the AusCERT's conference, which we spoke about just before we started recording. Um, and it just echo that- that collaboration spirit; you can really feel it. You know, there is a really, really strong community in AusCERT and ASA, um, and I totally agree like that collaboration that's happening between vendors that, you know, traditionally would have been potentially competition. It feels like some of the guards have dropped. And there's an expectation. It feels like in the broader community that we all get along and we do... you know, we work together rather than, you know, being competitive, if that makes sense. So, yeah, I totally agree with you.

    Beverley Roche: [00:09:58] Oh, it absolutely makes sense. You know, this is a team sport. We're trying to secure humans and society. And the only way that we can do it is not one person at a time. It's... and I'll talk about that a little bit later around some of the amazing things that Six's been doing. But the other part of the question, um, about so what's change? I think there's probably just one other thing that you asked me a little, um, in some of the notes was so what worries me. And I think the things that kind of worry me now are we've had this immediate IT transformation. Thank goodness, we did. Right? But the network has no boundaries now. And it's much harder for those of us that have to protect that boundary. And- and that's gonna need a lot more ongoing support now focused to combat... to really help people combat all the attack vectors that are kind of coming towards us.

    The other part is Australians are now losing, you know, almost a billion dollars in scams, which means the cyber criminals are really upping the ante. They're winning, you know. Uh, we haven't lost, but you can see that they're attacking us from all sorts of angles-

    Garrett O'Hara: [00:11:27] Mm-hmm [affirmative].

    Beverley Roche: [00:11:27] ... you know, moms and dads at home, absolutely everyone. So we really have to work harder as a community to help address that. Um, I think I mentioned... you know, I interviewed the Deputy Commissioner, uh, for the ACSC that are in Scam- Scamwatch. And, you know, they're doing a lot collaboratively. So, if you're a scammer, and you try and take your money to the banks, the banks now are onto you. So with... they've got... they're starting to run out of places to flush their cash, right, because they have to run- run it through the black economy.

    Garrett O'Hara: [00:12:11] Yeah.

    Beverley Roche: [00:12:12] Um, so that's... s- so they're doing quite a lot of work around that as well.

    I think just the last point, if I may, is really, that we know that AI is just absolutely brilliant. And we know that AI is gonna solve some really big problems for us, but we need to remind those that are kind of developing all the AI that the human needs to be in the center of it, that we need those ethics. We almost need an ethics, mantra or some-

    Garrett O'Hara: [00:12:52] Yeah.

    Beverley Roche: [00:12:52] ... sort of, some sort of sign up to this, um, because the- the ethics and the guardrails are the things that are kind of really kind of bothering me a bit.

    Thank you for that question.

    Garrett O'Hara: [00:13:05] Yeah, like this is the... on the AI side of things, there's some very, I think, interesting conversations starting to happen around how we deal with the, you know, the robots, and it's almost back to, um, you know, Arthur C. Clarke, I think it was, wasn't it, with the AI robot stuff, and, you know, the rules of robots and, you know, the idea that they had to protect human life. But you get into the, uh... I can't remember. Is it called a tram... the trolley problem, you know, the one where you, um, have to choose whether you, you know, pull the brake, pull the handle to make the trolley go left or right and, you know, you've got a choice between killing- killing multiple people or one person. Um, and, you know, the- the sort of ethics but, you know, parlaying that then into things like autonomous vehicle- vehicles where, how do they make the decision to maybe, you know, choose which human life potentially. Um, it's an absolute minefield, feels like, with so- so many pitfalls that could be there.

    Beverley Roche: [00:14:01] Absolutely. And that's what I'm worried. I guess that's my biggest concern is I don't want robots to make those decisions. They shouldn't be part of the decision making process. That should be an alert for human intervention, just as we will... you know, we've got all these fantastic, um, autonomic, automated tools that tell us what's going on. I wanna make... We want the humans to make the decisions. The automation piece is great, but the decision making about those big ethical issues, that- that's the bit we want humans-

    Garrett O'Hara: [00:14:43] Mm-hmm [affirmative].

    Beverley Roche: [00:14:43] ... to be, um, "Ha, alert, alert, I need a human here." A human needs to make the... that decision, hence this idea of, you know, kind of the [laughs] ethics. But you know, growing up in Ireland, you've seen some pretty amazing human behaviors. Right? I think you've probably got some interesting stories about what humans do and can do.

    Garrett O'Hara: [00:15:11] Definitely, um, definitely what humans can do after 10 pints of Guinness is- is- is something to behold, I probably would say that. Well, it- it's- it's funny, though. We're talking about AI. And you know, before we started recording, we were kind of getting chatting. And, um, one of the things you mentioned was some of the stuff that's happening around the, you know, the sort of, um, the- the tech, the big tech companies out of Silicon Valley and some of the commentary that's been happening, and the news and propaganda. Um, and I know that there's a documentary on Netflix at the moment called The Social Dilemma, um, which talks to some of the AI stuff in the background, you know, that does the YouTube, um, curation of recommendations and, you know, what shows up in your Facebook feed. And, um, yeah, I'd be, I'd be very keen to get your thoughts on that 'cause, you know, we- we sort of started talking about it but, um, we didn't really get-

    Beverley Roche: [00:16:00] Yeah.

    Garrett O'Hara: [00:16:00] ... to get into it.

    Beverley Roche: [00:16:01] Thank you. Well, look, the- the thing that's impressed me this way that's really newsworthy is someone... you know, I- I see, someone who is an intellectual giant is also someone who has an awesome sense of humor. And that would be Sacha Baron Cohen. And this week, he's been very vocal on the Silicon Six and propaganda. But not only just propaganda, you know, we know that the longer, um, we stay online with some of these technologies, the longer we can be, um, lose the fresh perspective, if you like.

    Garrett O'Hara: [00:16:49] Mm-hmm [affirmative].

    Beverley Roche: [00:16:49] And, you know, I do it, I do it with Netflix. You know, I don't have to click another button or two clicks or three clicks to watch the next episode. Right? It's rolling-

    Garrett O'Hara: [00:17:02] Yeah.

    Beverley Roche: [00:17:02] ... into the next episode. YouTube does the same thing. They're lining up everything- everything online, so that we can stay online longer 'cause the... if we stay online longer, we're likely to view their ads longer. You know, there's all sorts of things going on here.

    And there's great TED Talk, as well, and pull me back if I'm [laughs] deviating too much but- but it- it really is timely and, um, it really is timely for- for us to start considering the influence, not only, um, Cambridge Analytica issue, but the- the manipulation and the fake news that's going on, and, um, understanding and, uh, understanding how that influences the decisions that we're making, e- especially around our social justice, basically. So I think that's really important.

    Garrett O'Hara: [00:18:06] I agree and I don't think you can kind of unpick the... like everything you've talked about there, to me, kind of relates directly to our industry as well. Like, it's got a very material effect on, uh, I would say, cyber security and resilience and- and particularly human resilience, you know, and it's... One of the things we haven't really gotten to but I know it's one of the things you're passionate about is the- the human side of cyber security, and, you know, this- this whole wealth of, I think, conversation we could have around that. What- what do you think when it comes specifically to cyber security? What do you... what do you think we maybe haven't gotten right so far?

    Beverley Roche: [00:18:44] Oh, [laughs] that's such a good question. Um, uh, we- we've taken a while to put the human i- in- in- in the, uh, cyber security, um, mix, if you like. You know, uh, um, I can certainly talk to you about what we are doing about it now. But it- it really took us. We really haven't put humans. We thought it was all about tech, you know, that w- we get that technology piece, right, and with... problems solved, you know. And, you know, we know that look if we've got good working brakes on our car and the windscreen wipers work and the engine's well serviced that, you know, it's good to go. But- but now that human's behind the wheel and the, uh, we've got very little control over what's going on and that aha moment happened really a- about five years ago where we started thinking, "Okay, tech's starting to really mature. What's next? What do we have to do next to help us solve this issue?" And, um, you know, I really see the human side of cyber security as we've got a lot of people working on the human side of it now. And I think our best chance of surviving a cyberattack, um, is- is human based because we're really good. In a crisis, humans, we're really-

    Garrett O'Hara: [00:20:27] Mm-hmm [affirmative].

    Beverley Roche: [00:20:27] You know, when we understand what we need to do and I think, um, it's something a little bit unique to Australians as well because we live in a country with a lot of challenges. It's a beautiful place but, you know, we have bushfires and the way that we deal with the challenges that we have, if we can apply some of those things to cyber security, I think we're... we've got some really good things to showcase around that.

    Garrett O'Hara: [00:21:04] Yeah, no, absolutely. And it's a couple of weeks ago now but when we spoke about doing the interview, something you mentioned was the- the myths about humans when it comes to cyber security. And I'm- I'm wondering, could you run the audience through- through those?

    Beverley Roche: [00:21:17] Uh, I think there's lots of myths about... and- and I still hear them and- and I think it's just, um... So the myths, uh, humans are the weakest link. Um, humans don't care about cyber security. You know, how do you get them interested? Um, well, there's some counter things to that and that is humans love their highly engaged digital life. And when humans work out that they can stay safe online and have a great enhanced digital experience, they embrace them, so those myths are starting to really be undone, um, by helping your workforce, if you like.

    Don't talk about what it's about in the corporate context, just show... sit down with people and say, "Now, you use Facebook. Here's some Facebook settings that will change your privacy and keep your kids safe," and they go, "Oh, okay, I'm really interested in that." And guess what, they start amplifying that- that- that by telling their friends and telling their family. And that role that the eSafety office plays is really good at doing that because even though they haven't worked out how to push, you know, we're still doing a pull with that, you have to go the safety website. But the most amazing resources on there for the whole of society to share, um, how to have a great digital experience. And, um, I think the last myth is, you know, it's- it's not safe, just turn the device off or manage. You know, we're not building resilience with humans by telling kids to do that because that is their life now. What- what you need to be able to do is help them understand that you will see bad stuff in life. And here's the coping mechanisms to-

    Garrett O'Hara: [00:23:37] Mm-hmm [affirmative].

    Beverley Roche: [00:23:37] ... learn how to deal with that so that you can avoid those things so, you know. [laughs] Um, putting filters on- on things, so, just don't work. They work for really little children. They work for little humans, but big humans need to, um, understand how to navigate through that.

    Does that answer your questions?

    Garrett O'Hara: [00:24:04] [crosstalk 00:24:05] It- it definitely does. You've got me thinking about the sort of analog analogy. I'm just thinking about when, you know, little me was running around the... [laughs] where I grew up in Ireland. And, um, you- you sort of have to make mistakes as a kid, right? You gotta fall out of the tree and you gotta get scraped and break- break your arm at some point probably for many people as they grow up. And I- I think you're- you're right. Part of, maybe part of the approach is, yeah, I mean protecting people from the- the worst of things if you can but I think, um, you're absolutely right that this- this may be a missing piece in the- the life skills to deal with things and be resilient and based on maybe not just what you see but how you interact with those social media-

    Beverley Roche: [00:24:47] That's right.

    Garrett O'Hara: [00:24:47] ... platforms as you, you know, you mentioned this already, you know, the- the feelings you might have if you're on... I mean, n- n- not on any of these platforms but something like Instagram where, I understand, people kind of feel bad about how they look because they're seeing all these other people that look amazing or Facebook that you- you feel jealous about other people's lives because you only get to see the highlights of what's [laughs] going on for them rather than the reality. Um, so- so, yeah, really interesting, really interesting point. Uh, like riffing on that a little bit and- and it I- I think maybe what you're hinting here towards is something like digital literacy for-

    Beverley Roche: [00:25:22] Yes. It's one of my favorite topics and I think-

    Garrett O'Hara: [00:25:26] Yeah.

    Beverley Roche: [00:25:26] ... you'll have to kind of shut me down.

    Garrett O'Hara: [00:25:28] [laughs]

    Beverley Roche: [00:25:28] Um, so I need you to kind of follow the bouncing ball 'cause I think there's a good place to start with this.

    Garrett O'Hara: [00:25:36] Yeah.

    Beverley Roche: [00:25:37] So esafety and security and privacy are one thing now. They're not separate. Your privacy, your safety online, and your security are really one. So a CEO said to me a couple of years ago, "Hmm, what- what's this thing about digital literacy? Why does it, why does it matter?

    Garrett O'Hara: [00:26:02] Mm-hmm [affirmative].

    Beverley Roche: [00:26:03] You know, what is it, what is it?" And I said, "Okay, you are the CEO of a bank. And your business is run on digital engagement. In fact, you're spending an enormous amount of money transforming your business to have that digital engagement. Anywhere, anytime people can use your products and services.

    Garrett O'Hara: [00:26:27] Mm-hmm [affirmative].

    Beverley Roche: [00:26:28] So your workforce, you've got a big skill mix in your workforce but everyone uses a computer in your workforce. Digital literacy is just about ensuring, a, for the organization that they're hiring people with contemporary skills, and digital literacy is definitely part of that. And the other part of it is that you're building a workforce that will be engaged in the rest of society. So digital literacy is just like being able to read and write.

    Garrett O'Hara: [00:27:06] Mm-hmm [affirmative].

    Beverley Roche: [00:27:06] It's just about being able to navigate your way around digital enablement. You don't have to be an expert, but you need some basic skills to ensure that you don't get tripped up. And that's really what digital literacy is all about. So we- we're trying to give digital literacy to young preps and early learners, you know, using a little bit so that they can start understanding more about... You know, everybody needs digital literacy because, really, it's industrialization version four. You know, we all needed... our grandparents needed to navigate their way on the railways safely, h- how to get on, how to get off, you know, how to hang on when the train started moving.

    Garrett O'Hara: [00:28:00] Mm-hmm [affirmative].

    Beverley Roche: [00:28:01] It's no different. It- it's just the new, it's the new digital transformation and it's new industrialization version four. So it's important because it's about having skills that, um, enable a society to flourish and enable people to have jobs. You know, uh, I've worked in the mining center, and if you talk to a, um, someone who's driving currently, driving a truck, they'll say, "You're gonna take my job away because you're going to run this truck autonomously." And I say, "Well, no, I'm not. I might run the truck autonomously but you're gonna keep an eye on and make sure that it does all the quality things that you know about." If that's a terrible analogy [laughs], by all means, pull me up. But, you know, people see it as, you know, digital is taking their job away. Um, we've had... we've been facing this in... ever since we industrialized. So, you know, I'm saying to people digital literacy is just 5% of the skills that you need. You still need all your other skills but, you know, having some digital literacy will really help you. It'll help you maintain your work, be employable-

    Garrett O'Hara: [00:29:34] Mm-hmm [affirmative].

    Beverley Roche: [00:29:35] ... be economically... be economically stable.

    Garrett O'Hara: [00:29:39] Yeah.

    Beverley Roche: [00:29:39] So I think there's a couple of wins in there.

    Garrett O'Hara: [00:29:44] Yeah, there- there d- definitely is. And, I'd be keen to get your s- sort of thoughts in the practical side of that, right. So if you think about most organizations, when people are hired, they're in finance or legal or, um, human resources marketing, whatever, but they're not, you know, "cyber security people," and it'd be interesting to hear from you what... like what does an employee life cycle then look like if you map it across to, well, digital literacy first of all but then good security outcomes, like what does it look like as an employee?

    Beverley Roche: [00:30:16] Okay, so I think we'll probably, um, unpick the life cycle of an employee. So the life cycle of an employee starts with the day that you join the organization. And the first day that you join the organization, you get a laptop. And the first message that should come up is a bit about organizational values. So it's important. What- what I don't try and do is create a separate culture for cyber security. I look at the culture of the organization and say, "What do the organization value and align those?" because we... what we don't want to do is create a separate thing.

    Garrett O'Hara: [00:31:03] Mm-hmm [affirmative], yeah.

    Beverley Roche: [00:31:03] We wanna work with the organization. So the organization's values should then come into sort of some sort of user-acceptable policy. And it's very easy language to understand. "Hey, you're just about to log on and you're going to use our asset to do your job. Right?" This is day one. We'd like you to be cognizant of that or some nice language that says, "Hey, when you're using our stuff, you know, by all means, you know, do this, this, and this but we'd prefer it because we're a public company with shareholders that you, uh, don't post out to these things and you help us protect our brand. And it kind of starts from there.

    Then the next piece, so you start layering the li-, the life cycle of the employee through other means which is... and we talked about these values. Um, we're gonna talk about them again but we're gonna talk about them in a different way. So maybe we've got a cyber awareness program. We bring those val- values back into play. You know, we value the things because we need to protect them so that might be you're an accountant, you need to protect our financial position because, if you protect our financial position, then you're protecting our shareholder value, and our share price. Right? I'm in human resources and I'm using, um, a SaaS cloud environment to store, um, information about employees about their performance, reports, about how much they get paid, all those sorts of things. W- why does it matter that I have to be the guardian of that? Well, we wanna hire talent, and if we can't be trusted to look after that information, then if that information gets disclosed, there is a trust brand issue for us in relation to that.

    And then the next one [laughs] is the life cycle of marketing, if you like, 'cause I'm trying to thread the life cycle of an employee into some of the examples that you... You know, marketing scrapes everything in the Internet. They wanna know about brand loyalty. They wanna know about who does what, how do they do it. And they collect data inadvertently that ends up being packaged and some of that can be our IP.

    So you talk to marketing about how to protect some of the data that they... and when- when you start having those conversations with marketing, they start going, "Oh, okay, I kind of didn't realize that, you know-

    Garrett O'Hara: [00:34:11] Mm-hmm [affirmative].

    Beverley Roche: [00:34:11] ... what I was doing in my day job, so correct me, you know, correct me if you don't think... you know, am I... if I'm answering the question that you asked. So what I'm trying to do is thread through what do all these people do, and what's in it for them? Why is digital literacy important? And it's not cyber security really. It's just about things start mattering when eyepiece walks out the door, when plans of future... future plans get shared, when disgruntled employees work out that, you know, they didn't get a salary increase or someone else got- got the job that they were after. And, you know, they're disgruntled and they've got privileged access to things. So when they understand it's about all of us contributing to protecting the assets of the organization, digital literacy is just part of that. They're using technology all day, every day so they start getting the "what's in it for me?"

    Garrett O'Hara: [00:35:18] Mm-hmm [affirmative].

    Beverley Roche: [00:35:19] So that outcome that we talked about or the life cycle is it's a constant flow. And if you like, I can kind of segue into some of the things that we know that really work around human behavior to get them to an endpoint that is really about making them your strongest link, the people... because all the attack vectors that are coming in right now are through email compromise. Right? And who receives those [laughs] emails? Humans. And, you know, we can filter out as much bad stuff as we like but, you know, stuff gets through, right? So in their day jobs, we're really trying to help them understand, you know, what to look for and-

    Garrett O'Hara: [00:36:15] Mm-hmm [affirmative].

    Beverley Roche: [00:36:15] ... you know, I guess a way of encapsulating it is that our role is to change behavior to manage human risk. Right? And-

    Garrett O'Hara: [00:36:30] Yeah.

    Beverley Roche: [00:36:30] ... that life cycle is directly related to the human's experience in the workplace. How are they sharing? So we're not trying to get them to do anything over and above their day jobs. And sometimes we do get people that say, "Well, I'm just too busy. Um, I- I can't deal with that." Well, I'm not actually asking you to do anything that you're not already doing. I'm just asking you to consider doing it in a way that protects you and protects the company-

    Garrett O'Hara: [00:37:06] Yeah.

    Beverley Roche: [00:37:06] ... with the way that you do it. So the... you know, um, so there's lots of ways of kind of really doing that, and that is through storytelling, you know, and highlighting people love real world experience. You know, we used to use fear a lot in our language, and it doesn't work because humans can't relate to something that they don't know. And the other part of that is so what can I do about them?

    Garrett O'Hara: [00:37:41] Mm-hmm [affirmative].

    Beverley Roche: [00:37:42] If it's so scary, can I make a difference to that? So this relatable storytelling which, you know, some people are really good at... you know, Netflix have created some really good storytelling, right? Short little vignettes. So real world experiences and the thing that's kind of really helping us a bit is that cyber attacks used to happen a lot somewhere else, and it's not great that they're happening in Australia but people can relate to their friends are getting scammed, a family member's getting scammed and they're talking about it, and companies in Australia are being cyber attacked. And it's crime. And so they-

    Garrett O'Hara: [00:38:33] Mm-hmm [affirmative].

    Beverley Roche: [00:38:34] ... start being able to connect. So my job, our job as a community is to say, "You can do something about that." You know, we used to have this thing in Australia called Neighborhood Watch. I don't know whether you had it in Ireland where-

    Garrett O'Hara: [00:38:47] We certainly did, yeah.

    Beverley Roche: [00:38:50] [laughs] And, you know, people would, "Oh, I saw something suspicious." Well, you know what, this is just an old... [laughs] new version of that. We want people to tell us what they're seeing and what's going on. And they can be all helping us work through, um, to- to help us create this line of defense. You know, the troops are out there and they're coming in and saying, "Oh, we saw the enemy over there." Well what did they look like? What were they doing? Tell us more." And then we can set up lines of better defense the more they tell us, and then the big question is, "So how do you do that? How do you... how do you achieve that?"

    Garrett O'Hara: [00:39:39] So, Beverley, you're actually part of a, um, group called the Security, Influence & Trust Group as well which was formed back in 2015. And it's got a pretty important mission. Would you mind talking us through, first of all, what the group is but also the kind of learnings that you've had over the last kind of five years?

    Beverley Roche: [00:39:55] So, I can't take credit for establishing this group. Uh, a group of, um, like-minded people did, and I've been part of it. Um, look the idea was that in the top 200 companies, they were investing in people that were security awareness or influence as they called them. And some people had trust in their title because they came out of the privacy- privacy world. Um, I can create, uh, uh, send you the link for it but I think what's really fabulous about this particular group is they all have very... they have a common mission, and the common mission is to collaborate, and what's working and what's not working in relation to the programs that they're implementing. So did those videos work on your audience even though they're not in the same business sectors? So there's Telstra, there's NBN, there's Macquarie Bank, there's ANZ Bank, there's NAB, you know, all the top brands in Australia. And now we're starting to see some of the sort of tier twos, um, kind of come into it if you like.

    Um, so the mantra is very much about moving the dial and in relation to engaging the workforce. And some of the ideas that I've already shared and some of the things that I'm passionate about, they are really passionate about it, you know, to the point where that's all they do. They're not doing all these other things. They're just focusing on what- what's working and sharing what's working to change behavior, to manage human risk is basically, and they are doing that through storytelling, through crafting messages in one particular area. They're using it to amplify those messages.

    So they all participate and Stay Smart Online day, and they all have campaigns, you know, campaigns that engage the safety office, the ACSC, Stay Smart Online. They're just all over it in terms of the things that the... the tools that they're using, some of them have bought or created really interesting videos, um, little storytelling videos, little Netflix style videos.

    And I think if I- I may just some of the real highlights, um, I covered... well, we did. Louisa and I covered last year's, um, conference that was in, I think, early December, and I think there were some things that will tell you how far they've come in four years. And they've created things like a security behavior index. Now, if you just think about-

    Garrett O'Hara: [00:43:07] Mm-hmm [affirmative].

    Beverley Roche: [00:43:07] ... that what is that? W- what does that look like?

    Garrett O'Hara: [00:43:10] Mm-hmm [affirmative].

    Beverley Roche: [00:43:10] Well, it's an index that says we're getting great engagement over here, and we're low here and we need to start working on this but that's not working in this group because they're really different. And so it used to be, we use phishing, fantastic, as a baseline, or we'll keep test... we used to call it testing, now we call it campaigns. They just, they just give us an indicator. It's like the dashboard on your car. Oh, we're here. Oh, we might need to move. Our phishing isn't the- the great panacea. It's an important tool but it's not your awareness, it's not your awareness program. It's- it's a part of it basically.

    So we're seeing... so [laughs] some of the amazing things that we saw are self-served portal for awareness so that... because you can't scale, right? And investment's really hard to do in this space because it's usually the last thing on the shopping list. So you go to a self-service portal 'cause you've heard that that's working for another group and you can get the awareness brochures, you can get... everything that you think for your business or you might have, you might have a group, a startup group within the organization where you're developing a new product. It's everything that they need to start, um, the right level of communication, the right level of messaging about-

    Garrett O'Hara: [00:44:45] Yes.

    Beverley Roche: [00:44:45] ... digital, digital enablement if you like. I think the other great things that we saw was some really good gamification. We know that we've taken fear out of the equation. Fear does not work.

    Um, the other thing that was amazing was people showing how hackers behave and the ransomware kill chain. And when people see it live-

    Garrett O'Hara: [00:45:10] Mm-hmm [affirmative].

    Beverley Roche: [00:45:12] ... they go, "Aha, now I know how they worked, I know how important I am, and I'm in the center of this, you know.

    Garrett O'Hara: [00:45:21] Very interesting. Can I ask you, uh, Beverley is this, is this freely available? Is this kind of a volunteer organization or is it a commercial operation?

    Beverley Roche: [00:45:28] It's a volunteer, yeah, no.

    Garrett O'Hara: [00:45:30] [crosstalk 00:45:30]

    Beverley Roche: [00:45:30] It's a volunteer. It's a volunteer and- and the idea is that you can... absolutely, you ask them, "Can I be a member?" and you get to see all this amazing. You know, once a... you know, once a year 'cause they've all got day jobs, right, there was a little bit of bad criticism about what are these guys doing? Well, we've all got day jobs and we come together and showcase all the things that we're doing and people come away and go, "Wow, I can, I can use that, that would work," or "That won't work in my organization."

    I think the most-

    Garrett O'Hara: [00:46:07] Yeah.

    Beverley Roche: [00:46:08] ... important thing is in the same way that, uh, we have Slip-Slop-Slap in Australia and Buckle Up, and we know that those change behavior programs work for Australians, the other thing that they're really working on is something like that for Australians. So, you know, um, we come up with a couple of hashtags like IsThisForReal. When you see something, ask someone else, "Is this for real? Does this look real?" because we know that, in the moment, when we're busy, we can get caught out so... because instinctively, something in our gut says... because we're good at this... humans, we're good at saying, "Ah, something's off. I know something's off but I can't see it." But we just have to stay with that for a moment and that ask out loud or IsThisForReal, uh, hashtags that just we're trying to get out to people to say, "Just have a look for a minute or ask someone else or validate it."

    So, look, Gar, thank you. It's... look, it's been so much fun talking about all the things that... you know, it's not about me. It's not what I'm doing. It's what our industry is doing and the people in it that are really trying to make a difference to everyone's digital life, you know, really-

    Garrett O'Hara: [00:47:45] Yeah.

    Beverley Roche: [00:47:45] ... when it comes down to it.

    Garrett O'Hara: [00:47:47] I- I totally agree [inaudible 00:47:49] you're definitely one of those people. And, um, yeah, I think luckily on the podcast, I get to talk to one of the, one of those people every week. And as you've said so-

    Beverley Roche: [00:47:57] Mm-hmm [affirmative].

    Garrett O'Hara: [00:47:58] ... eloquently, uh, it is a community. Right? It's- it's about sharing, it's about collaborating, it's about trying to, you know, fight a good fight. Um, I don't think... to go right back to your, um, you know, y- your comments around, you know, the introduction of trains like technology is not going away that's the reality so I think we need to, you know, as a community. And by that, I mean cyber security community but I also mean as the Australian community. Um, you know-

    Beverley Roche: [00:48:20] Mm-hmm [affirmative].

    Garrett O'Hara: [00:48:22] ... make sure that we're all, as you say, keeping safe online and- and doing the right things. So really appreciate you taking the time. Um, I know you've got a lot on your plates. And like I say, we'll link to your, um, your podcast, the Cyber Security Café, um, which-

    Beverley Roche: [00:48:35] Thank you.

    Garrett O'Hara: [00:48:35] ... highly recommends and, um, yeah, we- we- we will keep in touch, I'm sure, and, um, yeah, thank you, thank you so much for joining us, Beverley.

    Beverley Roche: [00:48:44] Thanks, Gar. Appreciate it.

    Garrett O'Hara: [00:48:47] Absolute pleasure.

    Thanks again to you, Beverley, for the conversation. I really enjoyed that. We'll link to Beverley's podcast in the show notes, and I do recommend checking it out. There's some great stuff in there including the design thinking approach to cyber security, so a great one to get across.

    As always, thank you for listening to the Get Cyber Resilient podcast. Back catalog continues to grow every week, so dip into those. And subscribe, like, share, let your friends know and let us know of the people you want interviewed or topics that you want us to cover.

    For now, keep safe and I look forward to catching you on the next episode.

     

    Haut de la page