Security Awareness Training

    Get Cyber Resilient Ep 90 | Cyber awareness fatigue - with Sara Abak, Head of Cyber Security and Risk, Dulux Group

    This week we are joined by Sara Abak, Head of Cyber Security and Risk at Dulux Group


    Sara talks us through her perspective on awareness training fatigue, strategies for cyber talent acquisition and retention, and we get some great insights on how eCrime has changed and what it has meant for security leadership.


    The Get Cyber Resilient Show Episode #90 Transcript

    Garrett O'Hara: Welcome to the Get Cyber Resilient podcast. I'm Gar O'Hara, and Sara Abak joins us today from Dulux Group, where she's the head of cybersecurity and risk. Sara talks us through her perspective on awareness training fatigue, where we're winning, and where we're losing in that area. We get into talent acquisition and retention, with some great strategies for both of those, and we finish out with a discussion on how eCrime has changed, and what that has meant for security leadership over the conversation.

    Today, we're joined by Sara Abak, the head of cybersecurity and risk at Dulux Group. How you doing today, Sara?

    Sara Abak: Good, Gar. How are you? Thanks for inviting me.

    Garrett O'Hara: Absolute pleasure. So, so happy to to have you on the pod. We got to talk, recently, on a panel, and yeah, it was sort of blown away by the insights an- and your commentary, so I was very, very happy that you accepted the invite to join us today. So welcome.

    Sara Abak: Of course, thank you, my pleasure. I've always wanted to be part of a podcast. [laughs]

    Garrett O'Hara: Well, there you go. And I believe you got two people who are gonna be listening to this episode at home, so-

    Sara Abak: Yes.

    Garrett O'Hara: ... hello, hello to those guys. [laughs]

    Sara Abak: [crosstalk 00:01:06] people, but I think we're gonna get a lot of people listening.

    Garrett O'Hara: Good times. Sara, so look, the, the first question we always ask is how did, how did you get to where you are today? So obviously you're the head of cybersecurity and risk for Dulux Group, pretty well-known organisation. Yeah, love to kind of hear your journey to get to, to where you are today.

    Sara Abak: Yeah, definitely. I think I had a traditional sort of journey. Started as a graduate at a Big 4, at KPMG, well, now it's the Big 4, and started as an IT auditor and specialised in SAP audits, and then progressed into basically, you know, information risk management, information security and consulting. Went into internal audit for a s- short period of time, i- in IT internal audit. Then transferred into, you know, broad information security consulting, and then into, you know, this cybersecurity role, sort of evolved naturally. And I think that the IT audit or IT sort of internal control or information risk management area, it sort of just suits really well with this role, because it's based on, you know, what are all of the policies and standards and frameworks that, you know, we need to m- apply or implement, you know, to have good sort of security posture? So it's good sort of security posture.

    So it's probably, works really well, so any IT audit professional, or information risk consultant, really, can sort of fall into this type of role. And you know, I didn't know a lot of things when I started the role, but, you know, you just develop, develop your skills as you're going through. You learn from, you know, building teams, and t- different team members have different types of skills. So yeah, it's, it's a constant growing and learning opportunity, but it's really exciting, and one of, has become one of my passions, really.

    Garrett O'Hara: It sorta sucks you in. We were talking before we started recording about, you know, this as an industry and just how, you know, I don't know if I'm just overly optimistic, but wonderful the people are. You know, and people are very open and sharing and caring, and some, you know, I've had a lotta jobs in tech, and cybersecurity is the one where it really feels like a, a community more than just a job that you do, like there really is that sense of people kinda coming together and sorta trying to help each other, and connect to, you know, sorta, you know, be stronger together. Not to sound cheesy, but i- it definitely feels like a thing.

    Sara Abak: It does, doesn't it? Yeah. We were saying earlier that, you know 10 years ago or five years ago it would be sort of frowned upon if you were to disclose or talk about how, how you were breached, or if something terrible happened or disclose, you know, some sort of framework or approach that you use to be able to address a cyber event or incident, and now it's become sort of like a badge of, not a badge of honor, but basically not, you're not stereotyped and it doesn't adversely affect your organisation's brand or the person who's representing the organisation to talk about h- how challenging it is and what you're doing basically to combat all of these adversaries and I guess, the incidents that are occurring. So it's quite nice agree, the community's sort of coming together, and we're banding together to try and I guess address all of those risks and threats that are continuously happening, and sharing what other people are doing, or learning from them is probably a great thing, because you don't wanna be able t- you don't wanna repeat the things that somebody else has solved already.

    Garrett O'Hara: Yep.

    Sara Abak: Why not learn from that and apply that or tweak it to work for your organisation? Or v- or m- majority of people in indus- different industries, you know, they'll have different sort of risk appetites and the way they wanna work through things and different culture. Because a lot of the changes in policies we implement, it had an impact on our users and workforce. So we need to make sure that the policies and the process that we follow is going to be accepted and you know, people are going to be able to engage our staff. So it might be different in a banking industry, it may be different in the Department of Defense versus in Dulux Group or another supply chain and marketing organisation.

    So one, I guess, one method is not applicable, won't be applicable to everybody, but you can always take some learnings out of that and a- adapt it to, to get some ideas.

    Garrett O'Hara: Absolutely. And tha- that's kind of the spirit of this, this show, really, is exactly-

    Sara Abak: Yeah.

    Garrett O'Hara: ... you know, getting, getting folks like yourself on to share their experiences and, you know, even if people come away with one new idea or one new way of thinking, I think that's, that's a win. I wanna kinda pull together a few things that you've said there. So you kinda talk about you know, policies and frameworks and, you know, part of that would be things like ISO certifications, [inaudible 00:06:04] you know, CPS 2, 3, 4, for some organisations, et cetera. And more and more a part of that is the notion of y- awareness training has to be baked in there, and there's sort of, there's ideas around what's i- you know, what does good look like? I'm not entirely sold that sometimes those frameworks or certifications are the, the best way, but they're a way to do things.

    Sara Abak: Mm-hmm [affirmative].

    Garrett O'Hara: And one of the big problems, I think it's fair to say, is that while we, we absolutely need to do cyber awareness, you know, we can't get away from that, there's a huge amount of debate in our industry about, you know, whether it works, whether it doesn't work, how it works best, and how to get the best incomes- sorry [laughs] outcomes. Be great to hear from you, like where do you think we're winning when it comes to, to cyber awareness?

    Sara Abak: Yeah, I think we've got a lot of support, certainly, not just in the cyber community and, you know, awareness in general in organisations. I find that the, the messaging, you know, on radio on ads in, you know, whether it's YouTube, online, and whatever, Instagram, where- wherever people are, I guess, connecting there are, there's more and more cyber-safety type messaging and content. So I think that's-

    Garrett O'Hara: Yes.

    Sara Abak: ... really helping, including people receiving messages, phishing scams, and things like that, the average person is now probably more cyber-aware, you know, in a family and organisation compared to maybe five years ago, just because the Australian government is also, you know, pushing to do a little bit more awareness. So I think having that broad message messages from various platforms and channels, I think that's really helping. But it's just a continuous process, really. It's one of those things that we have to balance, as a cybersecurity leader, we could have, I find that we- we've got the best of the best tools, you know, but one, one person, as you know, like one person who compromises and does the wrong thing can, I guess, undo all of that hard work and all of the tools that you have, and the best monitoring and threat-hunting that you have is not really gonna help. So I think that's a big important element that people are educated, and then we're able to sort of detect it and respond fairly quickly to minimize, you know, its impact if it's one person or multiple people.

    So I think one of the things that is working really well is the phishing tests and simulations that a lot of organisations are doing. They're quite believable and the more you do them, which is a bit disruptive, we find, you know, you've gotta go through certain approvals or make sure that your service desk or other areas are ready for it without giving away too much information. Doing phishing tests so that people can actually you know, learn if they do click and then submit their credentials i- into a fake sort of form that's also part of learning, because, you know, you learn by doing, and not just-

    Garrett O'Hara: Yep.

    Sara Abak: ... people telling you. So I think balancing those has really worked. But overall I, I feel like the world, like globally and locally, people are just more cyber-safe, there's more messaging going around, even in, in schools, in education, I find that kids are also being taught regularly, you know, as part of their standard sort of year cyber safety measures and training, which, you know, like 10 years ago or 20 years ago when we were going to school, primary school or high school, we didn't really have cyber safety as a sort of pillar in terms of, you know, what, when we were learning. But now it's a, it's a foundation, basically. And so I think that more people are s- you know, practicing cyber safe you know, procedures and activities compared to before. So p- but then obviously we've got a vulnerable sort of population still that is, you know, not sort of moving with the times, but we're gonna continue, I guess, having messaging to target different groups of people.

    Garrett O'Hara: Yep. Yeah, I think you- you've sorta hit the nail on the head for, like where I come at this from, which is the l- you know, learning by doing. 'Cause I think one of the things I've had many conversations on the pod about, actually, is the, the c- I almost think of it the old-school way, where, you know, you might send an email once a month, or there might be a poster somewhere. But, like, to your point, it feels like we've moved into an era of behavior-change approaches rather than tryna just, you know, give people information to hope that they do the right thing. And I think you're spot-on, we've got a, hopefully a generation that's coming up that it's, you know, you talk about security by design when it comes to technology and building things, but actually, are we starting to create people with security by design? Where they're, you know, they're getting that education at a young age, and they'll bring that forward into the business world and y- hopefully 10 years, 20 years from now we have less of a problem ... I think I'm dreaming there, but you never know. [laughs]

    Sara Abak: Mm, it's good to be optimistic, but yeah. Completely agree, that's, that's a really good point. It reminds me of, you know it's like we're building a cultural habit. It's becoming habitual-

    Garrett O'Hara: Mm.

    Sara Abak: ... to think, "Well, this is just what we do, this is how we are." Similar to, you know, if we get into a car and we pur- pulled on our seat belts, you know, we don't have to consciously think about, "Ooh, I'm getting into a car, better put my seat belt on, otherwise, you know, I'm gonna have a, if I get into an accident, something terrible's gonna happen." I feel like this cyber safety element and habits that we're sort of building in people across not just organisations but in the community older, younger generation, that's probably just gonna become, "Well, this is part of what we do." It's not an add-on, it's not an extra thing we do, but this is how we need to live how, basically.

    So, and I, I remember doing a presentation a couple of, maybe three, four months ago to the IT group in my organisation with another colleague, and I was giving a, a timeline of, you know, where malware has, how malware has developed, and a- ad- I guess cyber incidents have sort of evolved. You know, it started off in the '90s, 2000s, early 2000s with the little viruses and bugs, like the ILOVEYOU virus and, and then when you go down the trajectory, all the way down, you know, to 2020 w- a- and past what we're seeing is ransomware as, as a, you can buy it as a service, and then we're s- you know, what I predicted is also happening is wars basically are happening in cyberspace. You know-

    Garrett O'Hara: Mm.

    Sara Abak: ... I- if we take the current example of the Russia invading Ukraine you know, these things, you can g- actually get an advantage as well in cyberspace. So the wars, although they're happening on the ground organisations or you know, other, I guess, criminals, criminal groups, or goverments are basically going into cyberspace to take down or do the damage. Which is amazing, think, you know, when you think about it, you know, in the traditional days where you had ammunition, and you had p- lots of people in the army taking things down and, you know, having lots of ammunition would, would help you win the war. But now, you can see that with the cybersecurity I guess skills and capabilities, you can actually also impact a war, prevent things from happening. It's incredible, it's very powerful.

    Garrett O'Hara: Frightening. I remember reading a book when I was a kid, and I mean, maybe it would be nice if we got to this. But instead of people actually losing their lives, they, it's like a virtual world where when you were gonna go to battle with another sorta nation or whatever, you would put on a haptic feedback suit, and it was VR experience where you would go in an- and sort of, it was a traditional war with tanks and, you know-

    Sara Abak: Wow.

    Garrett O'Hara: ... people shooting each other, but there was no actual deaths, because in the book, you know, you basically, you might win the war, but then at the end people would take off the suits and, you know, [inaudible 00:14:06] and, you know, people had signed up to that as kind of an agreement. But yeah, [crosstalk 00:14:12]-

    Sara Abak: Ooh, yeah, like a simulation, [crosstalk 00:14:12]-

    Garrett O'Hara: Yeah.

    Sara Abak: ... to be able to practice and get the experience without the actual consequences.

    Garrett O'Hara: Without hurting anybody, yeah, which would be lovely to be able to do that in this situation. You know, as you go, circling back on the the cyber awareness, you know, parts, there's, you've, you've sorta talked about a lot of the things that are going well. Wh- what do you think we can do better? Like where are the areas where there's work to be done when it comes to awareness training or cyber awareness?

    Sara Abak: Yeah, I think, I think the main ... Wh- what I'm finding in my experience is, you know, the, the repetitive followups aren't always affecting-

    Garrett O'Hara: Yep.

    Sara Abak: ... you know, we- we've got platforms and our processes to go, "Hey, you haven't done your training, your, you know, you're not compliant when we're measuring how many people in the organisation have completed their awareness training, or how many people have been phished or successfully not phished. You know, those reporting those, that's great. But I find that similar, going back to our point about by design, we need to start to build and instill in our leaders across, you know, our organisations and people, that security is everybody's responsibility, and it's basically just what we do. So it's not an add-on, it's not additional, and I think that's where we probably have to do more. We have to make sure that people are held accountable and know that they are responsible for cybersecurity awareness, and have an actually pla- part to play, and it's not just the cybersecurity department, or the IT security, or help desk, or whoever that is gonna help them, protect them.

    So I think it's shifting from being a function, a- and platforms, and processes that cybersecurity function runs, which we'll s- continually still run and support and facilitate, but we've got to somehow shift the culture and embed that in our leaders, executives, boards, to, you know, talk the talk, tone at the top, and make sure that they're supporting those processes so that it is part of what they do. And it's not acceptable to be phished, it is not acceptable to not do your training all of those other things, you know. It is not acceptable to get an email asking you to quickly change a bank account detail, and then going ahead and doing it without checking, process-related things. So I think it's the responsibility's now, needs to be shared. That's where I think w- we need to head, that's my professional sort of opinion. And if we don't, then, you know, it's just gonna be an uphill battle, and we're gonna be in the same situation that we were 10 years ago or now, where people still sort of thing cybersecurity is responsible for awareness.

    We are, we deliver it, and that's our responsibility and obligation to make sure it's aw- a mitigation to protect people, but we, similar to the cybersecurity community, we all need to get together and we need to combat this together. So I feel like in organisations, that's probably the same way we n- approach we need to adopt.

    Garrett O'Hara: Yeah, totally agree. Y- you know when somebody says something, and then you realize you're gonna be stealing their phrase from that point on?

    Sara Abak: [laughs]

    Garrett O'Hara: So tone at the top is, to- tone at the top is part of my, my phrases, so if I ... I- I'll give you credit, I'll I'll make sure that you're [laughs] that you get the, the credit for that one. You mentioned as, as you started talking there, that kind fatigue around messaging, you know, getting the same message every, every month, or that repetition. And, and I, I totally agree with you, by the way. I was at a, a talk last week with the guys from Netskope and CrowdStrike, and we were having this conversation around context, an- and the point being that, exactly as you've just described, it feels like users just get the same message.

    And, you know, I use the analogy, it's a little bit like brushing your teeth. You know, no one really remembers brushing their teeth in the morning, 'cause you do the same thing in the same place every day, so you kinda zone it out. And it sorta feels like we give users messages, but there's no context. They're always the same, there's no change, they're not dynamic, and they're no- they don't give people the information that allows them to make good decisions. I- it's just a, "This might be dangerous, don't do that," but without the context, it feels like that's really hard to h- and like it's hard to make a good security decision.

    So maybe like a two-part question. I think you agree, but, like, do you? Do you kind of agree? And, and how do you then feel like we could fix that problem, or, or even can we?

    Sara Abak: Yeah, I definitely agree that people are becoming fatigued and bored. You know, it's not having the same effect, and probably it's a psychology thing, and-

    Garrett O'Hara: Yep.

    Sara Abak: ... you know, probably the people that you've spoken to would or in your experience you would've seen that it's also human psychology, right? People will become bored and fatigued, and we need to change it up, as I said. So I guess we probably need to expect more from our platforms, and then-

    Garrett O'Hara: [crosstalk 00:19:02]-

    Sara Abak: ... you know, awareness platforms to make sure that they are dynamic and adapting and have got sort of mitigations or strategies to help organisations successfully you know address these fatigue issues. So we can't just keep delivering the same content each month expecting people to just continually you know, absorb the same stuff. But what else can we offer them, maybe it's something more sort of out of the box like a playpen or something, to show them a video of this is what a hacker does, or this is an example of what can happen to you, sort of thing, rather than speaking. Or, I've also been speaking to some pa- strategic partners recently, one of the things they suggested was complementing the awareness campaigns or phishing campaigns with sort of face-to-face sessions. But I mean, in the, in the current situation, you've got thousands of thousands of employees, that's quite difficult to scale and to allocate that time to be able to have face to face time with, you know, let's say 10,000 people in the organisation, or 4000 people in the organisation.

    So we have to come ou- up with better ways of I guess combating that fatigue. And I like your example of the VR, you know, the virtual reality. Maybe-

    Garrett O'Hara: Hm.

    Sara Abak: ... it's going to be that. Maybe it's going to be giving people a virtual reality experience of, "Hey, watch this, this is what happened to a grandma," or, "This is what happened to a corporate worker," you know, "This is what happened to an accountant," or, you know, "This is what happened to an electrician. Whatever occupation, it doesn't matter, we need to have it relatable and go, "This is, you know, this is what can happen." And then each time we're showing them, demonstrating what can happen, they're probably learning and it can resonate with them. So I'm not sure, but I definitely think that we need to have a role in pushing and supporting our cybersecurity awareness platform, partners, and, I guess vendors to make sure we're trying to get them to keep us you know improving and modernizing what they're doing, to adapt with what we need. And sometimes, they're not on the ground aware of how we're doing things and what we're struggling with, so I think it's really important for them to connect with the client's experience, and really understand what people are doing and how they can make it more seamless.

    So yeah, I, I don't think there's any f- platforms that I know of yet, you know, out there which give you tho- that different, sort of different content, yeah? But I think we're getting there, s- they're starting to sort of evolve a bit better now, because probably in the last two weeks two years, sorry, since the pandemic hit, you know, people have accelerated their awareness and simulation activity, you know, to combat against people being remote, try to connect with them and get them more aware, because you can scale quickly and reach so many thousands of people in one go. So it's become more important now that is running out, people are exhausted-

    Garrett O'Hara: Yeah.

    Sara Abak: ... two years of pandemic, this year was supposed to be recover and, you know, feel better, but we've got another year of challenges and sort of uncertainty. So maybe just people need a little bit of a boost, or different way of engaging them and getting them to learn. And maybe there's new threats and things that are happening out there, which I don't know if you've received and heard, but there's so many ... you know, you've got a delivery-type message on your mobile phone, or just an unknown number calling you constantly and that's just I guess widespread now, and it's very annoying. So wha- what do we do about that?

    Garrett O'Hara: Yeah, I think, I think we all need to take a year off. You know, goverments around the world just need to agree to take a, give us a year leave, we can just go and, like, have picnics and, and relax for a year, so everyone can kinda recharge their batteries. I think you're, like you're, you're s- spot on, and I really like what you said about showing people. We, there was a talk we were doing for a little while with [inaudible 00:23:29], actually, where we would go in and do a live hack, so using just Kali Linux and, and fairly widely-available stuff, but we'd show them in real-time how easy it is when you click on a link to basically take control of a machine, look at the file system, get screenshots, take the webcam control. Like it's very, very easy when you know ... Actually, I was gonna say when you know what you're doing. Even when you don't know what you're doing. You know, with Kali, like it's all automated, it's n- [crosstalk 00:23:51]-

    Sara Abak: [crosstalk 00:23:52]-

    Garrett O'Hara: ... it's not hard to do. So I think that, I remember standing in a room with you know, we'd go to [inaudible 00:23:57] firms and watching the partners' facial expressions go from, "Oh, here we go again, another thing we have to sit through," and then watching the, the sort of, not terror, but the, the "Oh my God" moment where they [laughs] they kinda realize just how trivial it can actually be to compromise a machine and, and what that could lead to. And you could see the cogs going, turning in their heads as they kinda realized this stuff isn't academic and it's, it's very, very, very real.

    Sara Abak: And accessible, right? Like [crosstalk 00:24:26]-

    Garrett O'Hara: Accessible, yeah.

    Sara Abak: ... yeah. I- it's accessible, it's open source, so pretty much anybody could pick up something, and people have got more time, obviously, 'cause they're not traveling as much ...

    Garrett O'Hara: Yeah.

    Sara Abak: Lately, you know, so they've got more time to download things, trial stuff, and you can pretty much Google and YouTube or TikTok whatever you want now. And learn quickly by error, you know, trial and error, and yeah, people are just more interested in doing cool things like that. And there's no consequence at the moment. But yeah, I think we probably definitely need to mix it up a bit, and start thinking a little bit more outside the box, and not stick to maintaining the status quo. Because it's not gonna work, it's gonna run out, run its course, probably, and people are gonna be- become disengaged.

    Garrett O'Hara: Yeah, if they, if they aren't already, unfortunately. And, and speaking of, you know, people being disengaged, like the bigger picture, then, is, you know, you're running a, a cybersecurity function and, and risk function for a fairly large organisation.

    Sara Abak: Mm-hmm [affirmative].

    Garrett O'Hara: And one of the big challenges m- most security leadership has at some level is cyber talent. You know, we, we talk about that a lot in our industry and, you know, the-

    Sara Abak: Yeah.

    Garrett O'Hara: ... massively competitive landscape it'd be great to hear you know, given the Great Resignation, you know, the weird world that we live in today, and, and just how competitive that sort of talent acquisition landscape is, like how have you, as a starting question, how do you approach finding the right people?

    Sara Abak: Yeah, it's been really challenging. The great resignation, I remember reading an article about that, last year. [laughs] I'm thinking, "Oh dear, no." but I think we've had to adjust. For me professionally and personally, I've had to really just think ou- outside the box and thing in terms, and have a bit of a strategy for that.

    Garrett O'Hara: Yeah.

    Sara Abak: ... and not, I guess, get into doom and gloom into negative mode. And basically build strong partnerships, strategic partnerships with various firms that we already work with to source the talent there, and get them to, I guess, support us and sort of be an extension of our team and augment what we're doing, whether it's small sort of projects or initiatives to help us through a priority item that we wanna deliver, or we will look at internal talent as well, and sort of bring people through who are already working in, in IT or in, within different businesses, and see the level of interest that they had, and then sort of bring them through into an, a new capability.

    But surprisingly I've had so many people reaching out to me internally putting up their hand, you know, that they're in a, a career in cybersecurity, not surprising probably to a lot of other cyber leaders.

    Garrett O'Hara: Yeah.

    Sara Abak: But there's a lot of talent out there internally in your organisation, and I think just networking and talking to people and sort of picking out talent, so when you can see that people are interested and engaged you can definitely ask them, you know, what's on their development plan, an- and then come up with a bit of a transition for them to come into cyber. And then al- obviously, the other part, the third one is looking at your operating model. So I always look at the operating model and think, "Well, what are the things that ... Where do we want to be, how do we want to operate? What are the things that we want to be good at and have control internally, and manage the capability internally, and what are the things that we're probably not going to be able to [inaudible 00:27:57] talent and skills in, and what are the things that we wanna outsource, or have a bit of a hybrid model? Where, you know, we've got experts who know what they're doing, and they can retain and attract that talent, and we're paying them for a service or manage subscription of some sort."

    So you have to balance out all of those things and it depends, again, on the size of the organisation and the size of the cybersecurity budget, and, you know, the head count, all of those things.

    Garrett O'Hara: Mm.

    Sara Abak: And how serious, you know, you take cybersecurity. But for me it's definitely those three things, you know. Looking leveraging your strategic partnerships, making sure you've got that ready and working with them. Definitely looking at internal talent and bringing them up and giving them an opportunity, and keeping the- retaining them in the company, but-

    Garrett O'Hara: Mm.

    Sara Abak: ... moving them around. A- and then definitely looking at your op model. 'Cause if you know that you're not gonna be able to retain the skillsets, it's probably a good idea to explore whether it's cost-effective and efficient to outsource it to some partners who know what they're doing and then just retain those internal talent that you want to. And also prepare yourself that people, you're probably not gonna get more than 15 months out of each person.

    Garrett O'Hara: Yeah.

    Sara Abak: Maybe, the worst-case scenario. So you've gotta just build that into your process and your budget, to, to alleviate that pressure. The other strategy I've used in the past is making sure we have knowledge base articles and, you know, documentation around what, what are the steps and things that people need to do? So then when there is a newcomer, you sort of can introduce them and help them assimilate into your organiza- into your group more smoothly, because there's sort of at least documentation and steps that they need to follow, and a set of periodic tasks that they need to perform, you know? To develop them. So I would say they're probably the key things. Yeah.

    Garrett O'Hara: Yeah, it's, it's interesting to hear you talk about kinda developing the talent internally and and that idea of, and, you know, this is, we talk about this in the industry a lot. You know, pil- pulling people from adjacent role types, or completely different departments sometimes, curious, is there, is there any kind of department where you see more interest than others? Like, is there a natural kinda center of gravity when people are making the transition into cyber?

    Sara Abak: Definitely. We've had all sorts of people, but mainly it's, it's people who are in sort of network security, like managing networks, people who are in service desk, and people who are in desktop support.

    Garrett O'Hara: Yep.

    Sara Abak: So they're probably, like, engineers and sort of people who are doing and maintaining IT systems. They're generally the ones that wanna get their hands dirty, and it's exciting, and it's probably a step change in their career, and they're aspiring to, I guess, develop their skills and knowledge. And the difficult thing is getting into cyber, because,

    Garrett O'Hara: Yeah.

    Sara Abak: ... obviously there's a lot of impostors out there [laughs] who say they are experienced in cyber, but they don't really have demonstrated experience. So I think any opportunity for people to be able to move sideways or step up into a different role you know, people are more outspoken now about what they want. As even this new generation and th- they, they'll just say, "This is where I want to be." It's not, they're not ashamed to say they wanna be in cyber in 12 months, or they wanna move towards being a cyber specialist in two years. Whereas, you know, you know, you wouldn't even talk about that with your manager 10 years ago. You know, if you said to your manager, "I want to move to another department," they'd probably be like so scare and try and make you redundant [laughs] or-

    Garrett O'Hara: Yeah.

    Sara Abak: ... replace you, to make sure that, you know, they retain the knowledge and what have you. So it's such a different environment now, it's, it's really, people are, like I said, very accepting and supportive of people wanting to achieve their aspirat- career aspirations, and support what their staff want, versus trying to keep them in a role which perhaps suits the company or the department, but not necessarily the individual and where they want to be. Very different. [laughs] And people are so open to it.

    Garrett O'Hara: Yeah, which i- I think is wonderful. Yeah, I think it's that when it comes to it, good people are good people, and i- it sorta seems like, well, to me, anyway, as I, I've watched various people throughout the years, it tends to be that if you've got a [inaudible 00:32:33] type of work ethic, or way you show up to a, a role, quite often, you'll l- you know, potentially learn quickly, but you'll be successful because you're somebody who kinda, that's, that's what you value, you know, assuming you're not kinda phoning it in. Would be keen to circle back a little bit. You mentioned. You know, the, the problem of retention, which I think everybody's experiencing, because it is so competitive, and I know from talking to like our team, you know, LinkedIn is constantly pinging with, "Hey, this cool job," you know, the blinkers and the stars, and, you know, it's all gonna be amazing. Would love to hear from you, like any tips you've got for cyber leadership on, on how you've kind of ma- make sure kinda people will stay as long as they can, assuming that that's, you know, right for them and right for the company, and all of that stuff.

    Sara Abak: Yeah, I find that I was actually having this discussion with another colleague last week, which was interesting. It's, we spent a lot of time on our va- employee value proposition, so what I find is it' snot just the money element people are-

    Garrett O'Hara: Mm.

    Sara Abak: ... interested in. People want to see cybersecurity elevated, and want to see it as an important pillar in the enterprise in the organisation. They want to see visible senior management support for cyber, and like that thing we were talking about, it's what we do, it's embedded in what we do, it's the most important thing for our business to survive, basically. They want that, that's one of the elements I find that keeps people there, because they feel appreciated, they feel par- like they have a purpose, and they're actually making a difference, an impact on protecting the organisation.

    Obviously flexibility you've probably heard this before in many [laughs] and in your organisation flexibility, people want flexibility to be able to work anywhere, any time and don't have to waste their time traveling if it's not necessary. But if they've got children, younger children or other commitments, and even people who have, like own businesses, you know-

    Garrett O'Hara: Mm-hmm [affirmative].

    Sara Abak: ... online businesses, or other sort of activities, it definitely doesn't affect their current role, they're, you know, dabbling in other things, so that's even changed, you know, f- they've got that flexibility, it's different for everybody. People can now ramp up, ramp down, you know, their time that they spend at work. And then obviously they want you know, mental health support or a support from their line manager or their organisation that they're going to be able to balance their work and life commitments. So it goes back to the flexibility element. But that sort of understanding and empathy towards staff that, that people are human, they're not numbers, and that they're probably gonna struggle sometimes, and sometimes they're gonna do really well, but they're with an organisation that understands that and supports them through those challenges.

    And then what's emerging more is ethics. They want to work for an organisation that stands for something important an organisation that's doing the right thing, us, you know, sustainable and sort of moving modern, moving towards, I guess, a- addressing sort of common issues, of challenges that become problems. So yeah, I think that's probably overall what people look for. And then non- although financial benefit is always sort of at the top of that list, even non-financial benefits like making sure that people have training opportunities, conference opportunities to learn, and network and sort of get out of their comfort zone and be able to do something different or even work on a project in, in between different teams, so to break down those silos. So somebody in cybersecurity may work in another project as an architect or something for a short period of time you know, or give advice, or work on a network security type project, so, or infrastructure sort of project. Those sort of things sort of keep them interested.

    Garrett O'Hara: Yeah, absolutely. And y- you've sorta, you've sorta lightly touched on this and it sounds like you're, you're kinda maybe already thinking around this stuff, but n- you know, mental health support is something that you just mentioned, and we've, we've had the conversation around burnout, which is normally CISO burnout. You know, give- just given the amount of stress [laughs] and yeah, the, just the, the weight on those shoulders is just enormous. But like, to your point, I think we're starting to see that burnout almost kinda trickle down to other parts of the organisation and, and sorta people in, you know, individual contributor roles and even sort of, sorta lower mid and mid-management. So y- you've sorta lightly touched on this already, just given that you mentioned, you know, the mental health support, et cetera.

    One of the things we've talked about on the show previously is just the idea of burnout. And it's normally CISO burnout, but, you know, from what we've sorta talked about so far, feels like that's starting to trickle down, and we're seeing at a, an individual contributor level. Would love to hear if you've thought about burnout specifically, or if that just fits in with your overall kind of engagement plan for [crosstalk 00:37:40]-

    Sara Abak: No, such a good point. And I'm glad you brought it up, because I, I was planning to raise it in my, our previous discussions on the topic of retaining and attracting talent and some other sorta strategies in com- keeping employees engaged. What I find, and this I something that I focused on this year and last year, really, I find is an effective strategy is making sure that, you know, you revisit all of your priorities that you have, basically what you need to deliver in your cybersecurity program, and that's what I've done. I've been very brutal with what are the must things, the imperatives that I must deliver on and I need my team's support on? And so revisiting and making sure your priorities are super clear, and they're achievable and just trying to take the pressure off the team. That, I find, has helped immensely, and is a continuous, it's not something that you just do once.

    So I find that giving that clarity to say, "Okay, guys, this is, these are the two three things you need to make sure you don't drop the ball on, just concentrate on these things and the other unplanned stuff, you know, let's just park those, or we can push them out, unfortunately." And then being honest with executives and senior management and saying, "Look, we can only deliver against these things. Unfortunately, these are s- the things, challenges that we're facing, and, you know we need to make sure that we're not overloading our staff, 'cause they're just exhausted from the last couple of years." That tends to take the pressure off, giving that flexibility, and, you know, mental sort of option that, "Hey, you, you've got support, don't worry." If you've got a problem with your challenges, with your priorities raise it, we have, you know, regular catch-ups with staff one-on-ones to see how they're going, progressing, I would recommend that.

    And then, you know, in those, in those sessions, you, you need to really hone in on it and understand, do you know what your priorities are? Are you okay to manage it? And if not, put your hand up. So I think s- being honest an- and transparent and saying, "We're going to be able to deliver these, all of these things, but we're actually not gonna be able to deliver these things because of these reasons, so we'll need to defer these," and give the t- you know, the team time to think, and actually put in the quality time that they need in the activities they're doing.

    I find that that is probably another em- employee value proposition, if you provide that option to people and pe- and staff know that they, they've got priorities and their priorities are clear, and they're time-boxed, or they've got certainty in an environment with a lot of uncertainty, and-

    Garrett O'Hara: Yeah.

    Sara Abak: ... confusion and change, it gives them some level of control to go, "Right, I can't control everything else that's going on, on around me, with the pandemic or personal issues and whatever, but actually I know what I need to deliver and focus on, my boss has taught me, or the organisation has taught me, these are the things, imperatives I need to focus on," and that just gives them a sense of control and less anxiety to be able to deliver, and then they know they've got the support."

    And look, people do come up more and more now and say, "Look, I can't ... This is a lot. I can only do so much, and these are the things that I need to do but I'm not sure about this, what can I park?" So sometimes people will, staff will bring it up. But it's better to identify that earlier on, see those red flags, and see if your team's struggling, and make sure you address that right away, before it even happens. And that's something that I did last year, I parked and deferred quite a few initiatives, [inaudible 00:41:28], "You know what? People are exhausted, it's November, December we're not gonna be able to give this, you know, these initiatives the quality time and effort that we need to, focus that we need to, given that they're all burn out or been working so hard."

    So I would say that that's probably a strategy for all leaders, not just the [inaudible 00:41:49], just revisit your priorities regularly. Just because you s- y- you committed to a budget and, you know, a plan, it doesn't mean you have to execute it blindly, just because you promised. You have to adapt it to what's happening in the threat landscape in risks, what's happening in your organisation, and it can change. So I think regularly monitor that and be really in tune with where the, I guess, effort needs to be allocated and resources need to be allocated.

    And then the other thing, just going back, sorry to make it long-winded, but going back to your strategic partners as well. So sometimes I find-

    Garrett O'Hara: Mm-hmm [affirmative].

    Sara Abak: ... well, I can't really achieve that with the current internal resources, a- and cap- capacity. So I look for capacity externally, to where it's gonna work, obviously. We, we [inaudible 00:42:36] a lot of things to be delivered and then just l- you know, thrown over the fence, and we have no idea. So where it makes sense, if it's a technical change, which is not gonna have a huge impact on my team then it may be something that you get your strategic partners to help you with. So there are options there, I would say those two strategies would work.

    Garrett O'Hara: Absolutely. Y- you, you actually kinda r- y- you're sort of reinforcing something that Phil Zongo actually raised, in a different context, but kinda the same sorta, same sort of approach, which is the kind of realistic expectations in terms of what a security team is gonna deliver.

    Sara Abak: Mm-hmm [affirmative].

    Garrett O'Hara: And, you know, the, the outcome at a business level there is that you build trust with the execs, because you don't overpromise and you don't-

    Sara Abak: Mm-hmm [affirmative].

    Garrett O'Hara: ... say you're gonna boil the ocean, but you're actually very strategic in terms of the things you're gonna do, prioritized-

    Sara Abak: Mm-hmm [affirmative].

    Garrett O'Hara: ... deliver those, and then move on. And then, like to your point, the added benefit is the team has clarity and certainty in a time where I think that's, we're all just looking for an anchor, you know, we're looking for something to [laughs] latch onto, or-

    Sara Abak: Mm-hmm [affirmative].

    Garrett O'Hara: ... we can you know, have some, some version of consistency day over day. Kinda, like one last question, I'm just looking at the clock, here, and, [crosstalk 00:43:43] it's amazing how quick time goes [laughs] in these conversations. So i- it's a bit of a big question but kinda need to ask it anyway. And, you know, you mentioned earlier on, kind of ransomware as a service and just how, you know, eCrime in genuine- in general has evolved into this kinda beast where you've got people that are specialised access brokers and people who, you know, just do this part and that part, and people who j- [laughs] customer success and service to help you pay the Bitcoins and all of that stuff it's just so, so different, right? It's not j- you know, you mentioned the ILOVEYOU virus, it's not that anymore. It's very sophisticated, like we're fighting another industry, almost. What, like how has, how has that changed your thinking? What does that mean for you as the head of cyber and cybersecurity and risk? Like what's changed in your thinking these days?

    Sara Abak: Yeah. I think probably for most of the cyber community we're all sort of watching to see what the response is from government, and lawmakers, and politicians, obviously. And I think where we're heading is that a- you know, people are starting to, I guess, develop bills legislation about what is acceptable, what is criminal, and what is not. So at this stage, we don't even know, you know, paying a ransom can become a criminal offense. So for organisations that are having sort of onboarding and, and purchasing cybersecurity insurance, you know, what does that mean? In the past, you know, cybersecurity insurance was giving them assurance- insurance to have access to lots of experts to help them through, you know, some major cyber events and disruption. But now, you know, is it still worthwhile to have cybersecurity insurance, given that maybe we, we won't be able to, as a community, pay people a ransom, or if people make an extortion request, that it's gonna be a criminal offense, and the, and the organisation will suffer. So all of that is sort of still playing out and we're all watching as a community to see how it's gonna evolve.

    But I think overall, you know, our strategies aren't going to change too much. I think the basics, back to basics, like making sure that you have a, a good, strong m- you know, multiple internal control type frameworks, because some frameworks don't give you everything. You could follow the NIST framework and, you know, CIS, and ASD Essential Eight, but I think you just need a good combination of a variety of those, not just one, and then just making sure that your hygiene is addressed you know, overall, and then your resilience activities, because, you know that you are probably gonna get hit by some incident, whether it's a person, by human error, or whether it's calculated and somebody's targeting you, you just need to be prepared.

    So I don't think it's anything different to before. The threat-

    Garrett O'Hara: Yep.

    Sara Abak: ... and the pressure's probably higher.

    Garrett O'Hara: Yeah.

    Sara Abak: But you just gotta go back to basics and go, "You know what? We're gonna try and do the best that we can with the resources that we have," and, again, raise, you know, do, use a risk management approach, assess your cybersecurity risks, threats, make sure you've got mitigations to address those gaps and, you know executives and management board are aware what those gaps are, and giving investment, I guess supporting you and providing investment to be able to uplift those and maintain it, and then at the same time, making sure that you know, you understand, you've got a good defense, as a cybersecurity leader, I've got a good defense that I've done as much as I can, and highlighted what the weaknesses or areas for improvement are, and you can only do your best in that sense.

    You know, if you've got a good defense, that you've got good frameworks and controls and posture, and practices that's all you can really do. You can't stop any ransomware attack or extortion attack, but there are mitigations and things that you can do that will enable you to have credible defense that, hey, we've done all the right things, and look, we couldn't have seen this coming, or we did, and we put in practices to circumvent it or address it. And look, it's a learning activity. We've experienced something, and now we're gonna try and do better. So I think we've, as a community, we've become more forgiving an organisation [laughs] we've become more forgiving. I don't know that anym- you know, when there's a big cyber event, whether now people's heads are on the chopping block, like in-

    Garrett O'Hara: Mm-hmm [affirmative].

    Sara Abak: ... t- you know, 10 years ago. I don't know if that's still the case, it doesn't seem to be. But I think that's what I would say. Just go back to basics, and make sure you've got a good defense, you know, as in credible defense about what you're doing, and be transparent, and that's all you can do.

    Garrett O'Hara: Absolutely. You, you brought us very elegantly full circle there with the comments on, on community. Don't know if that was deliberate, but it was, it was, [laughs] it was beautifully done. And it-

    Sara Abak: [crosstalk 00:48:48]-

    Garrett O'Hara: ... it seems like the, perfect, perfect time for me to say thank you, and very, very much appreciate you joining us today, Sara.

    Sara Abak: [inaudible 00:48:54].

    Garrett O'Hara: And really enjoyed the conversation.

    Sara Abak: Yeah, excellent. Thank you.

    Garrett O'Hara: Thanks so much to Sara for joining us. And as always, thank you for listening to the Get Cyber Resilient podcast, jump into our back catalog of episodes, and like, subscribe, and please do leave us a review. For now, stay safe, and I look forward to catching you on the next episode.

    Haut de la page