Get Cyber Resilient Ep 71 | Creating a cyber aware culture and fighting complacency - with David Fairman
Gar is joined this week by David Fairman, Chief Security Officer APAC for Netskope, venture partner for SixThirty, and advisor for Istari Global.
He has also been a CSO for NAB, as well as Group Chief Information Security Officer for Royal Bank of Canada and spent time in JP Morgan and Royal Bank of Scotland.
David shares his experience and thoughts on the difference in approach and outcome between cyber security and cyber resilience, the creation of a risk aware culture in an organisation and how to fight complacency. Gar and David also discuss zero trust, digital risk vs cyber risk, and the integration of fraud, cyber and physical into a broader enterprise security approach.
The Get Cyber Resilient Show Episode #71 Transcript
Garrett O'Hara: Welcome to the Get Cyber Resilient podcast, I'm Gar O'Hara. Today, we're joined by David Fairman, who is Chief Security Officer APAC for Netskope, Venture Partner for SixThirty, and Advisor for Istari Global. It's fair to say, David does a lot today, but has also done a lot in the past. Having spent much of his career in security, in banking and finance. He was the CSO for NAB across fraud, physical and cyber group. Chief Information Security Officer for Royal Bank of Canada, and also spent time in JP Morgan and Royal Bank of Scotland.
In this episode, we covered the difference in approach and outcome come between cyber security and resilience. The creation of a risk aware culture in an organization, how to maintain that risk or culture over time, and basically fight complacency. We talk about zero trust integration of fraud, cyber, and physical into a broader enterprise security approach, and what that can deliver. And then also digital risk versus cyber risk. David is an endlessly interesting person to speak with. So please enjoy. Over to the conversation.
Today, I'm joined by David Fairman, the CSO for APAC for Netskope. How you going today, David?
David Fairman: Gar, mate I'm good. I'm good. Glad to be here. Thank you for the opportunity to um, support this conversation.
Garrett O'Hara: So, so good to have you. Uh, yeah, we've- we've been sort of crossing paths a little bit recently and definitely have enjoyed the conversations uh, off mic. So get to have one on mic now, and uh, hopefully the quality continues. [Laughs].
David Fairman: All good. All good. It should be a... I- I'm looking forward to the content we've got- we're going to cover today. So that'll be a- it'll be a fun conversation.
Garrett O'Hara: Good stuff. Hey look uh, you're- you're fairly well known in the industry. Um, but it would be good for maybe those listeners who don't yet know who you are and what you've done just to get a little bit of a bio, like how did you get to where you are today?
David Fairman: Yeah, sure. Look I guess really, you know, the- the big part of my- my career has been in the banking and finance space. I moved into the technology industry about a year ago, after spending 15 plus years in banking and finance. Uh, here in Australia, I was the Chief Security Officer at NAB. Um, so I brought all the fraud investigations, physical, security, cyber and intelligence teams together. Uh, prior to that, I was the Group Chief Information Security Officer for Royal Bank of Canada uh, in New York. Splitting my time between New York and Toronto for about three and a half years. Part of that ran check risk and controls for JP Morgan globally, about three and a half years. And that was in New York.
Prior to that had a couple of roles with Royal Bank of Scotland, a couple of uh, CSO roles. So CSO for the Americas, CSO for EMEA out of um, Amsterdam. The Americas roles was in- was in Boston with RBS. So, that pretty much takes you through my- my- my long time banking career almost to when I left the country originally. So but yeah, and then in the past year moved into technology and the technology space and getting back to my roots as I like to think of it.
Garrett O'Hara: Full circle.
David Fairman: Exactly.
Garrett O'Hara: Elton John needs to write a song about that uh, that moment. Full circle. Cool.
David Fairman: [Laughs].
Garrett O'Hara: Um, look, I'd- I'd really like to start um, with what the suspect is going to be a fairly core part of the conversation that we're going to have over the next kind of 40, 45 minutes. And um, the idea of sort of cyber security versus cyber resilience and those two phrases. How often... they're kind of almost used interchangeably, sometimes it feels like, in our industry. Um, but just as a framing for the rest of the conversation, can you kind of walk us through what you see as the difference in approach and outcomes is between those two terms?
David Fairman: Between cyber security and cyber resilience? Absolutely. I think um, well, one... I think it's difference in mindset. So, I think in cyber security, cyber security is about taking proactive action to minimize the impact of a successful attack, whether that's an external adversary or an internal adversary. So, it's about bringing all these controls, understanding your risks, putting together all your controls and building that capability in that program to minimize and allow you to- to build the strongest defences against such an attack.
Cyber resiliency, however, is a difference in a perspective in terms that it- it almost assumes, or it does, it- it assumes the fact or- or it accepts, which is probably a better word. It accepts the fact that an adversary will be successful. And therefore, how does a organization need to prepare for to be able to sustain and operate in uh, you know, throughout the course of a successful attack? And, you know, they- they're two different things. Actually. I want to delve into this a little bit- bit deeper as well. I see, I... you know, the cyber security program itself and cyber security being a subset of a broader cyber resiliency program, right? And it's very, it's foundational, it's fundamental to an effective and robust cyber resiliency program. And I think cyber resiliency program is the- is the bigger picture and the end state that we're trying to achieve.
Garrett O'Hara: And what does that show up like in an organization? So practically thinking, you know, if I had a Venn- uh, Venn diagram say of cyber security, cyber resilience, there's obviously some overlap or actually, if it's a subset, it's probably, it's a circle within a bigger circle.
David Fairman: Yeah.
Garrett O'Hara: Yeah. What's the stuff that's outside of the cyber security circle that sits in cyber resilience?
David Fairman: Yeah. I think there's um, a- a few elements. One is specifically around cyber fitness. And when I say cyber fitness, what does that mean? I think it's about being able to... How do you bring business continuity, business resiliency together with your cyber response capabilities? How do you manage, and conduct, and orchestrate the organization when an attack is being felt? Is- is being undertaken? How do you respond to that and maintain that? I think um, and- and I think that's during the course of an attack. But, there's a piece around, well, what, when you're, when there isn't an attack, what's cyber resiliency actually mean there?
It's about getting into that- that- that mode of thinking, or that discipline, that focus of having uh, rigor and discipline around how we're thinking or how we're practicing for these events. Right? How are we testing our response capabilities and our recovery capabilities? Not just our defense capabilities and testing and defense and our cyber security controls, but actually testing our capability to respond and act and behave during those- those events. I think that's really, really important. That for me, is what I consider sort of cyber fitness. And it's- it's that rigor and discipline around pulling that together and making sure that your organization is well rehearsed, well practiced, so that when these events do happen, there is a fitness to it. There is a muscle memory. So, how, you know, to what action we need to take and how that decision making needs to- needs to- to come to fruition and all those different complexities that come around- come through that.
Garrett O'Hara: One of the things I've noticed with many, of the kind of, and certainly the more senior security leaders we've had on the pod is, as you're describing that, I'm guessing there's a- a fairly core attribute of you as a leader, which is influence, and it's kind of getting buy-ins for that fitness. Because there's cost associated, presumably, with, you know, whether it's tabletop exercises or you know, full simulations. All the people that are going to be involved in comms. And like, it's not a small- small sort of piece of work. How do you go about kind of negotiating that within an organization to get them on board with that sort of idea of fitness? And especially if it's successful, because in reality then you're potentially going to be in a good security position. So they kind of think, "Well, do we really need to, you know? Everything's been fine."
David Fairman: Well, I think there's a couple things, right?. So, one, there is an education and an acknowledgement that regardless of how well we build our defenses and how well we've built our security program, we do expect that there will be an incident that will need to be res- uh, responded to, right? And that's just facts, right? Now I think there is an element of educating our organizations around that. No security leader, I think will say that they're infallible to an attack. And I think a seasoned uh, security leader will be preparing their organization to say, "We're doing everything we can to minimize the probability and to minimize the impact. But we do need to prepare for something at a point in time um, for when there is this successful element and we can't guarantee against that." So there's- there's getting that mindset through. That's the that- that's point one in terms of influencing and- and getting that buy-in.
Then there's a second one around... well, think about how, you know, whether it's a military forces, whether it's sports teams, whether it's um, you know a- any other analogy you can think of around how do they know that they can perform at a point in time in the live environment? They practice, they practice, they practice. They have simulations. So, if we're not going to invest the time and effort into practicing and into thinking about how do we need to adapt and improve our current practices and our skills in this space, how are we expected to be successful when an event does occur?
And it's very... you think of special forces in the military or any military force, quite frankly. They do exercise, after exercise, after exercise. So, that when they do fall into that live situation, there is a muscle memory, there is a fitness, there's a discipline, there is a rigor. And I like to call it a battle rhythm around how that uh, process or, hell, that- that- that- that how those events are to unfold in a coordinated and controlled manner. And I think that- that's imperative. I think if you can start to, you know, have those conversations at the right level with rational people and put it in within, you know, frame it that way, people start to accept it, start to recognize that- the value of that.
Garrett O'Hara: Yeah, absolutely. Um, as you talked through kind of, resilience, humans are going to be pretty fundamental to- to that at any kind of level. Um, and you've got to... look, you- you- you've kind of run through your bio and your journey there. It's a pretty diverse set of experience. Like, how have you gone around creating kind of, risk aware cultures in those different organization types?
David Fairman: Yeah, look at- good question. I think um, for me, there's a distinction between training and awareness, and building out a risk aware culture. And I think most people would recognize that and accept that. I like to describe culture as, you know, the way people behave when nobody's looking, right? That's the- the- the natural behaviors and actions and mentality that they- that they take to work or that they- they execute day in day out. That for me is a measure of the culture. So how do you pull that together? I think there's a few things. But, you know, organizations have cultures within their organization today on- on different things. So I think a really, really good example... I was having this conversation just the other day, actually with the CIO. And um, you know, he's worked very much in the mining space and now he's- he's working in the- in the banking space. And we're talking about the safety culture in mining, right, where that is really well embraced. And it is about the- people recognize the importance of that. But the rigor and discipline, the focus they present, they have a very safety driven culture.
Well, hang on, let's take those great things that we've learned from those elements, and how do we bring that and apply that to cyber, our- our cyber risk, from that perspective. And I think there's a few different things. You know, if I'm... it's about making sure that the organization is clear around its objectives. And I don't mean its safety objectives, or its- its, its uh, risk objectives, but its core strategic objectives. And then how do you tie back what you need from that discipline, whether it's safety or whether it's cyber, how the behaviors, outcomes, expectations, processes, however you want to frame it. How does that tie back to achieving that organization's strategic objectives? I think there's that one piece. Clearly there's tone from the top, and um, leaders demonstrating the behaviors that are expected, right?
So, it shouldn't be all right for some people to have to behave a certain way or- or to have a mindset in certain way. It needs to be embraced and pushed throughout the entire organization. I think there's a piece around, how do you tie these requirements back to performance review? Right? There has to be, you know, bringing back to the core of how people are evaluated in the workforce. If we want to- really want to drive a security and risk aware culture, there should be some core performance objectives around that. And then that naturally follows on to consequence management as well. So, if you're not demonstrating the right behaviors, what are those consequences? Is that a poor performance review, which then impacts potential, you know, discretionary bonus measures or... you know, or does it- does it overall just impact your overall career progression within your organization? You know, there needs to be a consequence.
Now the big- you know, one of the key things from the issue, if you really wanna... if you really expect people to change their behaviors, if there's nothing in it for them to change their behavior, they're not going to do that. And now that doesn't have to be a negative thing either, it can be a positive thing. So, how do you recognize and reward the positive behaviors? And how do you reinforce that? And this is a really bad analogy, but I'm gonna use it. Thinking about training a dog, right? When you train a dog, you want it to change its behaviors, right? You reward it when it's doing the right thing in some way, shape or form. And it learns, "Well, hang on. If I keep doing this, I'm going to get rewarded. This is, this is encouraged. This is great." So there's positive and negative consequences in some way, shape, or form. And that's how I like to think of it. You need to reward the right behaviors. You need to address the inappropriate behaviors.
And I think if we start to pull that together... and you need to think about how do you start to measure that behavior over time? So if you really want to build out this culture across an organization, you can't manage... I'm a big fan of the saying, "You can't manage it if you don't measure it." Right? Or if you can't measure it, you can't manage it. So how are you figuring out how you manage it? Or are you measuring these cultural uh, behaviors and this cultural attitude, if you like, over time? There's different ways you can do that. And I think I'm a big, you know, data-driven guy. So show me the data so we can demonstrate where we're being successful, where we're not being successful. And therefore we can take the right uh, action for areas where they might not be as successful as we wanted. So, I know that was a very long answer to your question, but there's not one easy answer to it. There's a multiple... there is very much multiple elements to building out that- that uh, building out the right culture and driving a culture change in an organization.
Garrett O'Hara: Yeah, no, definitely. I- I get you, and I agree with you certainly in the animal training analogy. Because I use that... my wife used to work in Taronga Zoo. She was the person who trained the trainers how to train animals. And uh, so she had a clicker and could literally train what seemed like anything. Parrots, rats she reckoned she could train fish. It was uh, yeah. So I- I definitely get the uh, the analogy there.
David Fairman: How was she at training you?
Garrett O'Hara: I- I think she's failed in some areas. Um, I suspect. Probably I don't realize I've been trained. Um, and maybe that's the, maybe that's the key to success is-
David Fairman: [inaudible 00:16:32] the treat, right there.
Garrett O'Hara: ...You don't even realize it's happening. Um, yeah, I dunno. Yeah, it's a bit of a weird one. I did want to ask you about um, measuring behaviors. Because that's something I've kind of had a few conversations around and I've- I've I think there's some good things there and I think there's some things that we struggle with. You know, we do things like fish campaigns and, you know, some information, knowledge checks, but the culture side of things is difficult. Right? It's, I might know that I should have a ch- ch- like a good password or that I shouldn't let somebody come into the office um, through the turnstile after me. But practicing those behaviors, like that's a different thing. Like what have you done around, I suppose, acknowledging, you know, that- that sort of- that side of things? It's not does Bob know these five pieces of information? It's on a, you know, Monday at, yeah at half 12, like is Bob doing the right thing?
David Fairman: Yeah, look, I think um, monitoring is very, very hard. Uh, I think there are, yeah, I don't want to start sort of calling out dif- different products out there in the market today, but there's definitely some- some advances, honestly, in the past sort of 12 months, 12 to 18 months where, you know, how are we starting to get more data from what we're seeing out in our organizations? Right? So if you think about it, we have all these security controls out there. So we have endpoint protection tools. We have, you know, web protection tools, cloud security tools. And we can see events that are happening across our environment. And a lot of those events are driven by human activity in some way, shape, or form. So how do we bring that human element back into the overall security posture of the organization? And we can get near real time, you know, if not real time data from that. From all these different security tools.
And I'm seeing a couple of um, organizations or companies, startups, that are really starting to address this space. So it's actually being really, really effective. And I- I- there's one company that I'm aware of that, you know, you can get a view of behavioral actions for each individual within your own organization. And you can actually start to curate and tailor the uh, the- the- the messaging that they need based on their individual specific behaviors. So I think that's really good. And I think it really comes back to the point of, and I like to say this a lot and anyone who's heard me talk in a few different things will recognize that I'm a big believer in this, but digital transformation. Why are organizations going down that path, digital transformation?
They do it for two reasons. One, to take cost out of the operations and automate as much as possible. But two, data is that true value creation asset of organizations today. Organizations want to digitize their information, digitize their processes, so they can reap value and gain greater insights from that data. Think about it from a security perspective. We have so much data out there about what's happening in our environment. How can we map that back, based on human driven activity? Use that data as an information source, as an intelligence source to allow us to be able to- to drive the right activity and- and get an understanding of how our organization operates and therefore, how can we measure that change in progress over time?
Garrett O'Hara: Yep. And- and so, that- that sort of change and progress over time. I'm- I'm sort of thinking back to your analogy on- on mining. And um, it- it's funny because you reminded me of one meeting I had with a large mining company up in Queensland. And when we all walked into the room the guy who was the host from their side basically did a around the grounds of a good security action they'd seen that week. And they had to do a very quick share. It took like, literally three minutes. They were clearly used to doing it. And one of the things I was thinking as an outsider was, wow, that's, that's kind of an interesting thing to- to do internally. But then, as visitors arrive, obviously that culture is so important to them that they will do that as well.
This was the question that I have in my head is, like the overall organizational culture. And you know, I'm guessing you've been the person who's arrived into many different organizations and you can probably tell when you speak to the person on the front desk, what the rest of the organization's gonna be like. That's... I think that's a- you're, you're smiling. It's- it's a video so people can't- can't see, but I'm guessing there's a recognition of that experience. I'd be very keen to get your- your thoughts on how that broader culture plays into a sort of risk aware, cyber security, you know, human risk, type stuff.
David Fairman: I think it's um, so, I've been saying this for a long time, like uh, you know, cyber culture, cyber risk culture, cyber aware culture, it's a subset of a broader risk culture, period. Right? So, you know, as we're thinking about this, I'd be tapping into... and I think it's very important to- to partner with operational risk teams and other risk teams around how do we bring the cyber content into that, right? And actually what you'll find is it's an easier step for an organization that has a strong risk- risk culture to apply the cyber content lens over that and start driving that, versus if there's just a poor or weak uh, risk culture period, right? So that's actually a broader thematic issue for the organization to try and solve for.
But, as a executive or a leader in the organization, maybe it's your responsibility or the security exec's responsibility to help shine a light on that problem and help drive that problem more holistically. For me, risk culture is the- the bigger topic, not so much the cyber risk aware culture. I think it's about [inaudible 00:22:14] on how do you get the organization and the workers. The third parties, the partners, the contractors, to embrace, you know, a safe working environment and to take the- make the- take those positive, proactive actions that they need to- to- to work in the environment and uh, as expected.
Garrett O'Hara: And one of the things that, like, you know, we kind of spoke when we were prepping for this, was that idea that um, you're kind of... any awareness campaign or change, whether that's cybersecurity or social type stuff, there's danger of complacency. You know, people kind of... it's exciting that the start, people are bought into it. They, you know, they- they've just done the classes or, you know, being- done the online training, had the campaign for them um, sent out. But then you kind of run into that potential problem of, you know, moves from front of mind, to middle of the mind, to the back of minds. And then, you know, it's- it's Monday at 12:29. And you know, you're just not really thinking about that stuff. What- what have you done or how do you maintain that sense of kind of, constant vigilance when you think about like a diverse workforce who maybe care, maybe don't? Um, how do you get them to continue caring?
David Fairman: Sure. It's never going to be perfect, right? So, there's always gonna be uh, moments when individuals aren't necessarily thinking, you know, top of mind, the way they need to. And they will do, you know, we're- we're human beings that are prone to error, right? All of us are susceptible to that. So, I would hate to think that this conversation is me saying how we can make that foolproof, because we can't. But, I think there is a piece around how do we make that as top of mind as we can? You know, I think that's what we, as leaders need to- to try and figure out what we... how do we get to that point?
I think there's a number of different things we can do. One, there's constant reinforcement of these areas. And that comes back to that point I made earlier about how do you measure it? How do we- how do we take that real time data based on all those different data sources that we have in our organization today, to give us a view of how that is being maintained and understand where things are trending in the wrong direction, you know? And therefore, what course of action do we want to take? Off the back of that, is that individual, you know, course correction for specific employees, is that for a group of employees, is it for the organization overall?
Actually I, even, if you start looking at this and you know, let's double down into this or- or double click in this for- for a little bit. We're talking about a very data driven approach to- to how do we solve some of those problems? Okay. If we recognize, if we say that a lot of security issues are a result of human- in human uh, activity in some way, shape or form, and that's what's causing these alerts in our software and our security tools, because a human being is trying to do something. Obviously not always a human being, but sometimes a human being. You know, vast majority of it is driven by that activity. Maybe we can actually take that information and understand what our biggest areas of attack, or attack vectors are um, that we're seeing hit our end users. And then we can start to say okay, now we can see that these are the more risky users. These are the u- and these are the avenues that they're being attacked by. Well, let's not just think about how do we solve the human problem, keep training them. What more does that tell us?
It actually tells that maybe you run and say, "Hey, these are our top areas of attack. Let us go back and review our technical controls that we've put in place. Do we have the right technical controls to help address this specific you know, threat scenario or this specific, you know, attack vector?" So, how do we... because for me, building out a true security capability and security um, program is not about... you know we talk about people, process and technology, but what does that really mean? It's not just about throwing out tools. It's not just wrapping process around it and making sure you have the right skill of people and that. It's making sure those right skilled people have the capability and the skills they need to operate those tools and operate those process but more broadly across the organization.
It's making sure that we've done all we can to maximize um, the benefit that those employ- that employee base brings to that- brings to the table. So for me that, that building it adds security. Building that security capability is marrying the technical and the process elements with the skilled individuals. But also the- the- the mindset of all employees or all- all workers. All um, end users in the workforce bringing that together.
Garrett O'Hara: Yeah, I get that. And you know, you- you mentioned technology as part of this and thinking about what the, you know, what are the- the surfaces that could be attacked or the data that- that, you know, folks are gonna go after. And um, but I've seen- seen you kind of speak a lot about zero trust and that sort of philosophy and it feels like what you've just said sort of is- it's sort of inching and- and kind of leading us the- in that direction. Does that kind of approach you know, when you think about it, does that offset some of the human risk? If you can use very granular kind of micro segmented controls at a data level, does it sort of soften that risk of- of the humans?
David Fairman: Well kind- I- I think it does to some degree. Um, look, zero trust for me, I think the industry has used the word, the terminology or the term "zero trust". I think we've abused it. If you go back to 2010 when the first paper was written around zero trust, it was actually talking about trust between two individuals in a transaction. It wasn't talking about technical or digital systems trust, which is sort of where the cyber industry, frankly, has sort of taken us. Right? And really what that first paper was talking about was, you know, how does those two individuals on the end of those transactions trust each other? And should they trust each other? You know if we apply that to you know, where we are today, really what we're talking about is levels of confidence of what we're seeing in our digital systems. What's the level of confidence have we got on that transaction. Uh, you know, and whether that's an individual to an individual, whether it's individual to an application, to a piece of data, or whether it's machine to machine. What's that level of confidence that we have?
Now, if we go back to some of the very, you know, origin, principles that good security practitioners have been working with, which is around... and- and have been you know, built our- our profession on which is least user privilege. Well, zero trust sort of blends itself into that right? You know it's not about removing all trust, removal of trust and- and only granting it when you can. You can't really do that. It's about making sure that we're enforcing things like least user privilege. But also what are those other signals that we can get to understand whether or not we have that high level of confidence?
So, when I- if you- with that as a c- certain level set, how I think about zero trust is I think about the term "zero trust". I like to describe it as continuous evaluation throughout the course of a transaction or a session. That gives us that- and continuous evaluation of different signals. Whether that's signals from the endpoint, the data, the end user, user behavior, the network. To give us a level of confidence at a point in time for that transaction. That's how I like to think about zero trust.
And there- therefore, coming back to your question recognizing that we haven't regressed too far away from the point of your question, is does it remove some of that human element? Yes, I think it does. Because we're- we've got this continuous evaluation of signals from multiple elements of that transaction allowing us to get a level of confidence as to whether to not we want to allow that or take a corrective course of action for that transaction or that session. And that corrective course of action might be something which then helps minimize that human element or that human concern that we might have.
Garrett O'Hara: Definitely get that, and is there an element of uh, you know, the- the sort of principle of transparency where security gets out of the way of the end user. Do you... is that something you see gonna practically play out in a sort of zero trust philosophy? Because the security controls get dolloped all down and very intelligently, using lots of telemetry from lots of systems that in a way can, hopefully, can start getting out of the way of the user. You know, they don't have some complex authentication/authorization process that actually you know, the- the sort of ZT philosophy maybe takes care of that in the background? So they can get their job done easier? Or is that a little bit uh, too hopeful?
David Fairman: It's an interesting point, right, it's an interesting point. And I think for me, having built a number of security themes and functions and capabilities, there's always been three things I've always been trying to measure at a high level. Um, you know the- the overall team or the overall capability. One, am I reducing cost of operations? Two, am I reducing my risk and increasing my security posture? And three, am I reducing friction in the process? And I think that's the piece that you were just honing in on. Our reducing friction. I think- now the zero trust, remember zero trust is not a product, it's not a- it's not a vendor solution. It is a framework of how do we pull together, or, it's a- it's a framework allowing us to- to dial up and dial down access as needed.
Now, does that mean we'll reduce friction? Uh, we should always be trying to reduce friction as much as possible. We want to enable the organization to do what it needs to do, and our end users to do what they need to do when they need to do it. But, in some cases, and again this is gonna be a risk engine, risk driven um, decision. There might be elements where we will introduce friction [inaudible 00:32:28] step up authen- authentication or we might revoke access, we might terminate that session depending on what sort of risk score we've seen based on that evaluation of those signals. But, in some cases, to your point, we might be opening up more access. Making it more, you know, easier to execute and transact, depending again on the risk level of what we're seeing. On- on that scenario, and on those data points. So, the- there's no... it's hard to say yes or no to that question. I think it's a balance.
Garrett O'Hara: Yep. As- as it seems like most things are. You know, there's never a there's never a point... or hopefully people don't, so, hit pause or stop on the podcast because you haven't given them the categorical "This is gonna fix everything for you."
David Fairman: [Laughs].
Garrett O'Hara: I think that uh, hope, yeah hope people- people kind of get that. Um, and David, something you've advocated for is the- the broader, enterprise security approach in integrating fraud, cyber, physical, um all those kind of different modes. And- and you're like obviously there'll be sort of overlap in some those, certainly physical and cyber overlaps. But what's the advantage you see in that kind of deeper integration of those uh, risk areas?
David Fairman: Yeah. Look um, you know, I think uh, and anybody knows why my background with NAB. You know, I came into NAB to pull together the four investigations, physical, security, and cyber teams, information security teams. Um, you know, I'm a big advocate of the enterprise security model, that front and back security model. We have another, you know, there's another couple of organizations, I think of NBN and IAG here specifically, Commonwealth Bank just to go down that path. But if you have a look at uh... you know, let's- let's go back to some of my early days in uh, RBS. In mid 2004, 2005, 2006. You know they- they were already operating, as organizations at those times, were already operating almost at that enterprise security function. There were security [inaudible 00:34:25] functions um, that sat together underneath the Chief Security Officer or a Director of Security, [inaudible 00:34:31] at that time.
And the reason they did that is because clearly you know, the- the rise of digital- digital services and digital transactions, online banking uh, you know there was more and more... there was this intrinsic relationship, this collision of cyber security and- and information security in the digital environment coming together with fraud and- and those elements. And then you start thinking about in cyber threat, you know, physical security plays a role. And actually physical security plays a role whether it's insider threat or external threat. You know, you need to protect your most critical assets, and those critical assets are commercial buildings, and data centers, and branch offices. Right? So in order to- to ensure the operational resiliency of your organization. So, yeah, definitely a big advocate of making sure that those functions align. Doesn't necessarily mean that they need to be part of the same organizational structure, so let me be clear on that. I think there is value when that does come together. I think there's definitely a trend in the industry but, you know, like I say I even [inaudible 00:35:33] Lloyd's Bank, RBS, very much were in that space in the mid 2000s, mid, early 2000s.
Uh, I think now that's becoming more and more recognized and we're seeing more progress in that space. But, I've also worked in organizations where they didn't sit underneath the same roof. But you can... with the right people in the right seats, with the right uh, you know, with aligned agendas you can bring that together uh, just as effectively as well, right. But for me, I- I don't think you can be looking at cyber security in isolation. You can't be looking at fraud in isolation, you can't be looking at physical in isolation anymore. It just doesn't work. And I think it's uh, very important that- that you as a risk or security leader in your organization start thinking about how do you take a bigger plan, support your peers and your partners in their agenda and how do we do that together and how do we reap a value again from that important asset, data?
Garrett O'Hara: And- and clearly uh, you're an advocate for it, but like are there any "gotchas" that folks can be aware of? Like management overhead, is there additional complexity with that approach?
David Fairman: Oh, yeah absolutely, absolutely. There's um, look there's- there's skills that, you know, challenges because, you're- you're bringing together organizations, different functions that talk a different language. You know, the cyber people talk differently to the fraud people, talk differently to the physical security people. So there's challenges there. There's um, you know, alignment on processes and- and you know, real core foundation capabilities like case managements and- and investigations and how those things are brought together. So there's alignment on process, and product, and capabilities there. Um, but you know, the benefits, you know working through that, the benefits can be- can be tremendous and- and really fruitful for an organization.
Garrett O'Hara: And- and you have an advisory role with uh, Istari and they're doing work in- in cyber resilience. But more broadly in that case um, it's more than cyber. And uh, when we were kind of getting ready for the interview, you raised the idea of digital risk covering more than just cyber.
David Fairman: Yes.
Garrett O'Hara: And I'm wondering ca- can you kind of talk us through that?
David Fairman: Yeah, absolutely. So, you know, we- we've done a lot of thinking about this at Istari and um, you know, we- we've actually launched a digital restoration program and actually it's in- in collaboration with Columbia University. And we've pulled together, I guess, our framework, our thinking of how we define digital risk and again, it comes back to that element I- I spoke about earlier on and you know, why do organizations go down that- that digital transformation path, or digitize their- their organization?
You know, it's about reaping value from that data and streamlining and taking cost out of their organization. But, [inaudible 00:38:11] with that like anything. Any change in any environment brings about certain risks. And digital risk is that- that risk of digitization and we talk about as cyber security prac- practitioners, we think about cyber risk and very much so cyber risk is a large part of digital risk. But I think there's also two other very, very important elements which are sometimes overlooked. There's digital operation risk, which is really that- that, you know, old term that we used to use. Which was technology risk, right? So uh, potential impact or failure of technology or digital systems.
And then a real important piece which I think has never really been given enough attention as it needs to, as it should do, and it's gaining momentum and impetus now is- is uh, digital value creation risk. Now, what does that mean? When organizations go down this path of digitization and the digital transformation, that's based on the business case. Because if the business case didn't stack up, you wouldn't invest the funding to go and do that. So you're re- you're expecting certain amount of return and value from that digitization. Whether that's cost out, whether that's you know ability to- to achieve greater market share, ability to um, uh- uh, ability to um, you know, get greater share of wallet, those elements. What are- what happens if your transformation, your digital transformation doesn't result in those benefits that the business case [inaudible 00:39:52] you created. So there's a uh, value creation challenge there that I think is important and shouldn't be overlooked.
So, you know they're, for me, the three elements, that digital value creation risk, the cyber security risk, and the- the digital operational risks. And that's not necessarily for security leaders to drive all three elements of that. Maybe because we play such a big role in the cyber risk space we can help our peers, start thinking more broadly about what digital risk looks like.
Garrett O'Hara: Am I maybe over simplifying the- the sort of the digital operations risk as kind of continuity, so service access, sort of data access during an event, sort of that stuff? Or is there a different flavor here?
David Fairman: For- for digital operation risk?
Garrett O'Hara: Yeah.
David Fairman: Yeah, correct. And- and failure, yeah, failure assistance, failure IT assistance, change control failures, those sorts of things absolutely.
Garrett O'Hara: Yep. Yep. Okay, got you. Um, and then yeah, look we're- we're kind of rapidly approaching... we're rapidly approaching time way quicker than I expected, I suppose. Um, but you know, last couple of kind of things that I was keen to kind of pick your brains on and um, you know, one of them is the, you know, artificial intelligence, machine learning topic. And the, you know, that idea that- that look I- I would say that we kind of got over our skis as an industry as we often do. And the brochures are amazing and promise a lot, and then eventually the utility arrives. And that's- that's sort of I think where we're at- at the moment. Um, what are your thoughts when it comes to artificial uh, intelligence and machine learning?
David Fairman: Well, look, I think it's um... you know, we've seen some great advances in that space. I- I think it's hugely relevant, these days. Um, but I do also think it's an overused term. I think everybody will tell you they're using AI and ML. Well, what does that actually mean and how are you using that? Um, but in- in... that aside, you know, I think there's value in AI and ML. If I think about the way our adversaries have advanced over the many years, they're leveraging technology capabilities at a greater pace than we are. And, if I think about the, you know, if we talk about AI and ML specifically with respect to security and what that means, there's always been two operational measures I've been focused on. Mean time to detect and mean time to respond. And if we continue to throw people and those problems and that process, we're not doing that at machine speed, we're doing that at slowly. So how do we leverage these technology capabilities like AI and ML to allow us to execute at machine speed?
And we're seeing a lot of vendors build this into their own capabilities, but within your own organization you need to start thinking about how do you start automating your processes? It's not just automation, it's not just taking a process and streamlining in robotics and- and automating it. How do you create a capability so that this machine starts to operate and think for itself to some- or- or respond to conditions through a process in the right way? And so I think there's value to that. And so I think what we're gonna start to see is you know, our cyber security experts are going to start to take a much more data science approach to that. Right? And in fact your data scientists are gonna become cyber security experts to- to some degree and I think that's- that's really... you- you need the two ha- you know, the two hands to clap. You need the cyber security expertise piece, and you need the data science uh, expertise piece to go forward.
But I- look, I think were only gonna see more and more to it. But, of course, that, again my- I mentioned it before. Any change in environment brings about potential risk. There's risk with AI and ML. One, the speed at which negative behavior or negative actions can permeate through an organization. So how do you validate the integrity of your model and that it's performing and producing the output that you expect, and not producing um, you know negative uh, outcomes?
There's also bias associated with um, models and training these algorithms. Algorithms are trained by human beings. Human beings have bias, and we're starting to see bias um, you know, be introduced with some of these elements and you just gotta think about how to resolve for that. And third most important piece, or third important piece is, you know, poisoning of the training data, poisoning of the model. Poisoning of that data. Because if you- if you're giving it the wrong data, that model will then start to behave the wrong way. Um, again sort of comes back to the [inaudible 00:44:22] of the model and how you're showing that. So there's a few things there we need to think about.
Garrett O'Hara: So- so broadly very useful, but with the caveats of yeah, just being mindful of those ways it can be abused. Yeah.
David Fairman: Absolutely. And you know, I think we've seen some great advances in AI and ML, particularly you know, next generation AV as a good, you know, great example. And we're seeing some automated threat hunting capabilities. Now they're using those capabilities to help us speed up our threat hunting, and you know, we need that to be able to scale. Our building a good hunting team, as an example is really, really tough. To get the right number of skilled people and there's more and more threats and- and you know, security teams are being overwhelmed by data today to get through that. So, how do we get through that at- at pace and at scale? So this is where we can leverage it, but like everything else, it needs to be thought through.
Garrett O'Hara: Yeah, absolutely, and remove so much of the donkey work, you know, that was raised [inaudible 00:45:12] you know, [inaudible 00:45:14] to employee retention.Because if you can automate so much of the- the donkey work, and then just have humans make those, as you say, the critical decision points where there- is a- an opportunity for negative outcome. Cool, have the humans involved there, but get all the- the grunt work done by the- the machines.
David Fairman: And even not so much, you know, needing to have a human being come into a process where it's you know, it's that- that big chunky issue. Maybe even making sure it's the- the humans that are building the model to even solve those big, chunky issues. They're getting the donkey work over, but still having the machines do the big, chunky work as well. But, under the guidance and the supervision of the humans.
Garrett O'Hara: Yeah, yeah, absolutely. We- we've blown past time, but I wanted to ask one last question and- prob- probably a big one. Um, you get a magic wand and uh, it- we can fix one problem in cyber resilience, but only one problem. Um, what are you gonna wish for?
David Fairman: Oh, great question, great question. Look there's so many different ways that this could go so, and- and you're asking me to choose one. I think it's really tough. Look I think I'm a very data centric kind of guy. And I always talk about a data centric so uh, you know, security program. Understanding the critical asset. And for me, the critical asset is data. So I think it's probably around automated classification of data. And truly being able to help an organization in a very fast and highly accurate way, understand the critical data and where that critical data resides in that organization. Because, I think if we knew that very well, we can then focus our finite resources on those highest areas of risk.
Garrett O'Hara: I think there's gonna be a lot of companies out there that wish for that same magic wand and that wish [laughs] to- to come true. Um, David, thank you so- so much for taking the time, and spending the time with us today. Really appreciate the insights and the conversation. Um, yeah, very much appreciated it.
David Fairman: Right, very happy to be here. I really appreciate it. Thanks for the opportunity.
Garrett O'Hara: Thanks so much to David for joining us for that episode. As always thank you for listening to the Get Cyber Resilient podcast. Jump into our back catalog of episodes and like, subscribe, and leave us a review. For now, stay safe and I'll look forward to catching you on the next episode.