Cyber Consulting Room

Cyber Consulting Room - Episode 6 - Prashant Mahajan, Amy Nightingale, John Gerardos

February 19, 2024 Gordon Draper Season 1 Episode 6

In this episode of the Cyber Consulting Room podcast, host Gordon Draper introduces a panel discussion featuring three cybersecurity experts: Prashant Mahajan, Amy Nightingale, and John Gerardos. The panel discusses various topics related to cybersecurity, including the challenges organizations face, the collaboration between different cybersecurity roles, the impact of regulatory changes and compliance requirements, and how consultants stay up to date with the latest tools and techniques. They also touch on incident response and preparedness in the face of increasing cyber threats. The panel emphasizes the importance of continuous learning, the need for organizations to take cybersecurity seriously, and the value of collaboration and communication within the cybersecurity community.

Gordon Draper (00:02):
Greetings and welcome to the Cyber Consulting Room podcast with your host, Gordon Draper. Today's episode is a special treat as we bring you a panel discussion recorded back in October 2023 at the Tuskcon Small InfoSec Conference, where there's a maximum of 50 participants. Tuskcon is situated in a caravan camping park, nestled in the vibrant Sunshine Coast of Queensland, Australia. This panel features three distinguished experts, each contributing their unique perspectives to the intricate world of cybersecurity. In the first of our two-part series we'll be exploring the vast expertise of Prashant Mahajan, the director of the Payatu Australia cyber consulting firm, who brings a wealth of experience in the field. Joining him are two remarkable professionals: Amy Nightingale, a self-employed senior consultant specialising in incident response and forensics, as well as a cybersecurity instructor at the University of Sydney, and John Gerados, a self-employed principal consultant renowned for his expertise in enterprise security architecture. The discussion was so rich and comprehensive that we've split it into two episodes to ensure you don't miss a moment of the valuable insights shared by this esteemed panel. Stay tuned for the first half of this engaging conversation.

(01:32):
Hi everyone, my name's Gordon Draper and I'm the host of the Cyber Consulting Room podcast. Today I've got three people with me for a panel, and we're at Tuskcon 2023 on the Sunshine Coast in Queensland, Australia. First interviewee, I've got Prashant Mahajan. Prashant runs Payatu Australia and he has over a decade of experience with various aspects of information security, including penetration testing, vulnerability analysis, digital forensics, and incident response. He is also a developer of open source tools such as ADRecon and AzureADRecon. He's a founding member of Null, the open security community, and a frequent speaker at industry events and trainings. Thank you for joining us, Prashant.

(02:22):
Thanks Gordon.

(02:23):
Our next panel member is Amy Nightingale. Amy is currently a security consultant specialising in incident response, forensics and Security Operations Centre, or SOC. She was an assistant lecturer at Sydney University teaching an intensive 24-week cybersecurity bootcamp to educate newcomers and re-skilled professionals transitioning into the cyber industry. Amy comes from a very strong background in SIEM and SOAR development, specialising in Splunk and developing in a variety of programming languages and applications. She's also fluent in the Japanese language. She regularly applies these skills in personal projects and contributing to the security community, including hosting workshops, volunteering at events, and building out CTF platforms and scenarios. Thank you for joining us today, Amy.

Amy Nightingale (03:13):
Hi Gordon. Thank you for that.

Gordon Draper (03:15):
The last person I'm introducing is John Gerados. John is an enterprise security architect and penetration tester with over 15 years of experience who loves to make, break and fix things. John can usually be found researching the latest security topics, playing with ham radios, tinkering with random objects or roaming around security conferences. As well as his day job, John teaches a cybersecurity bootcamp at the University of Sydney and actively participates within the information security community. He regularly mentors students and cybersecurity professionals and runs several security training sessions and events. Thank you for joining us, John.

John Gerados (03:54):
Thanks, Gordon. Great to be here.

Gordon Draper (03:56):
So my first question for the panel is, now that I've introduced each of you, would you like to introduce yourself, where you are working right now and what your background is related to cybersecurity consulting?

Prashant Mahajan (04:10):
Hey everyone, this is Prashant Mahajan. I currently run a small cybersecurity consulting company called Payatu Australia and also recently started an online hacking store called Ozhack. In terms of my background related to cybersecurity consulting, I've worked as a freelancer in India in cybersecurity, where I used to do cybersecurity investigations and forensics, and then moved to Australia where I did my master's and worked for a few different cybersecurity consulting companies where I did penetration testing projects, incident response, managed a team, built out a programme to basically train newcomers and basically build a pathway for people to enter into the industry.

Amy Nightingale (04:54):
Hi there all, my name's Amy Nightingale. I am currently an independent security consultant. My specialisation is in the blue team field, so that, as Gordon mentioned earlier, is mainly inside incident response, forensics and SIEM as a whole. I was also previously doing a lot of internal security consulting as well. My background is a little bit varied as well, since I do come from working as a developer as well. So it's a bit of a mix, but yeah, good to meet you guys.

John Gerados (05:22):
John Gerados, also known as Gene here, so I currently work at Fortian as a cybersecurity consultant specialising as an enterprise security architect. I've been doing enterprise security architecture for quite a few years now. On the side I also teach at the University of Sydney, teaching a cybersecurity bootcamp over there. My background in security comes from GRC as well as penetration testing. I do have quite a technical background. Prior to that I was working as a sysadmin and then a network engineer; that kind of introduced me into the field, working as a network engineer, and then I basically grew from there. So yeah, basically my goals in security are obviously to secure organisations and help people out, but also I have a very big passion for teaching, running events, going to conferences and mentoring people. Basically upskilling individuals and helping people join the really, really good industry and community that goes with it. Thanks for having me here.

Gordon Draper (06:23):
Wow, we've got some really cool people here. Thank you for joining us on the panel today. I think we'll start with how did you get into cybersecurity? That's always a very interesting question. How did you find your calling, Prashant? Do you want to go first?

Prashant Mahajan (06:37):
If I were to try and basically figure out what was the first thing, it was basically trying to peek under the hood of how things worked. That's where I sort of got known in the school. Whenever systems broke down, I was the one who was called, saying, did you cause this, or help us to fix it. That got me more into learning about computers and slowly meeting people who were already working in the industry and sort of getting guidance from there. But they told me what to do. I was interested in pursuing a career in security, and at that time it was fascinating to me that people would actually pay you to try and break into their computers.

Gordon Draper (07:17):
I first came across something at SecTalks in Sydney, Australia and I was suddenly fascinated with what you can get paid to do. This is awesome.

Prashant Mahajan (07:26):
So that's how sort of passion became the job.

Amy Nightingale (07:29):
Mine was actually pizza. All the events had free pizza. I just started turning up to them. I was a student, I was very much into tech. I was working as a developer as well. So I was really into those kinds of things to start off with and I started going to all the events. I really fell in love with the community. I found really, really great people there, really welcoming, open-minded and just so willing to teach me. Every single time I went to an event or I went to a conference, whatever I went to, I'd just come back learning a new skill, learning something absolutely wacko, and there's some brilliant people here. So that's pretty much how I really felt like I wanted to join security, and then I decided to pursue it, and since I found a lot of my friends were red teaming, I was like, oh, why not give blue team a go? That sounds actually quite exciting. I met a few people who were really cool in the industry and decided to pursue that as a career. So that's pretty much where I come from in security as a whole.

John Gerados (08:18):
So from my perspective, I kind of touched on it a little bit before. When I was working as a network engineer, I got to help out the security team quite a bit. Every time there was an incident they'd come to me to get the right logs from firewalls, routers, switches and whatnot, and it kind of developed my interest: that sounds cool and I want to know more about it. So I applied for a few jobs, got knocked back saying you need to know more about security. But I work here! I enrolled in a master's of information security and basically fell in love with the community. Like Amy said, the community is really amazing. I started going to meetups, actually participating in helping run some meetups in Melbourne. So if you ever went to Ruxmon back in the day, I used to be one of the organisers. It's still running now with a different group of organisers who are doing a great job. Going to those events and helping participate and organise them basically made me fall in love with the community and I never looked back.

Gordon Draper (09:11):
So given that you've all found your way in different ways, pizza and tech support, did you always want to be in cybersecurity slash information security? Was it something where you were like, oh, I just woke up at the age of 10 and that was it, I'm going to be a hacker or a cybersecurity expert?

Prashant Mahajan (09:31):
Funny, we were just talking about the same thing while driving here. Initially my interest was actually in genetic engineering, sort of more into the medical field, and I was trying to get into that, but apparently I was not smart enough to get into medicine. At the same time I always had a keen interest in cybersecurity and computers in general. I don't think, initially, that cybersecurity even existed as a term.

Gordon Draper (09:57):
Yeah, exactly.

Amy Nightingale (09:59):
For me personally, I was pretty set to get into cybersecurity from pretty early on. Honestly, even though I was doing a software engineering degree at the time, it was just a computer science degree. Once I found out about security and once I found out about the people and got to know it, I really felt like I did want to get into it. And the other thing about security is, because the field is so broad, there's so many different fields and so many things to learn, it really meant that I knew that if I went into it, it's quite easy to pivot. Once you learn one skillset, it's quite easy to pivot to another one and go into different roles in the field. So I was pretty set from the get-go, and even now I've been running a lot of different villages, like for example in RF, which is completely different, radio. I'm doing blue team, but I'm running radio events and learning heaps about that, and that's still security in itself, so that's a different topic. It's a really, really broad field and it's good fun.

John Gerados (10:50):
For me, I think that's a really good question. I was always really interested in computers. Computers were always my thing. I always had the hacker's mindset and I grew up basically literally breaking things and pulling things apart, and always not putting them back together as well as they were originally. I can't say I was always interested in cybersecurity purely because the term didn't exist when I was growing up; hackers existed, crackers existed, people who broke things existed, and I always had that mindset. I built computers out of scrap parts and basically learned that way. But like I said, I basically graduated with a computer science degree, got into the industry and started working in a different field doing sysadmin, network engineering. Then, seeing the security team doing cool things, I decided that's where I want to be and then I took it from there.

Gordon Draper (11:38):
John, you mentioned that you've got a master's of information security. I think that was what it was. What education qualifications and industry certifications do you have?

John Gerados (11:49):
I enrolled in a master's of information security.

Gordon Draper (11:52):
Can I leave it there?

John Gerados (11:53):
After a very long period of enrolment and full-time work, because I decided that's my priority during the covid period, I decided I'm going to exit with a graduate diploma and call it there, because I've got enough experience in the industry that I decided working in the industry is probably better than trying to finish off a master's, which is a little bit difficult to finish during covid and full-time work. So I finished with a graduate diploma, but other than that I've got my OSCP, I've got ITIL, which no one really cares about in security, but I've got it from prior work, and a bachelor of computer science, a whole bunch of other certificates which don't necessarily matter to information security, but Cisco CCNA, CCNP and a whole bunch of other things.

Gordon Draper (12:39):
Do you have any recommendations for certificates and qualifications?

John Gerados (12:43):
If you are just starting, depending on what kind of technical background you have, if you've got a computer science degree or you've already got some sort of technical background, I reckon look for something short, look for something small like a Security+ or something like that, just to get a little bit of terminology down pat so that when you sit in an interview, it's not like a deer in headlights when they start pulling out acronyms and saying words; you kind of have an idea of what they're saying. I think that stuff's important, but if you don't have a master's of information security, I don't necessarily think you absolutely need to go get one to enter the field. Like I alluded to before, getting some work experience is probably more important than getting a whole bunch of certificates and degrees. I think the certificates and degrees go well as a complement. I say that as someone who teaches a cybersecurity bootcamp, but it's not the be-all and end-all. You need work experience to go with it. I think that's my recommendation there.

Gordon Draper (13:42):
Awesome. Amy, what degrees do you have? A comp sci degree you were mentioning?

Amy Nightingale (13:48):
Yep, that's right. I do have a comp sci degree, so a Bachelor of Computer Science. I also did a diploma in Japanese on the side because I like torturing myself. I mean, part of the industry right now is pretty full on in terms of certifications: Splunk, a lot of Splunk certs. That's my main focus.

Gordon Draper (14:07):
Prashant, I'm guessing you've got a whole catalogue or library of certificates. I mean, I remember you telling me previously that you built a training framework for people coming into the industry in pen testing, et cetera. You've been around for a little bit. You must have a few certificates.

Prashant Mahajan (14:24):
Not really. In terms of certifications, I am probably one of the odd ones out who hasn't actually gone after many certifications. In fact, currently I think I only hold one, the GCFA, or GIAC Certified Forensic Analyst.

Gordon Draper (14:39):
Call me surprised. I thought you'd have quite a few. But I'm also of the school of having come through the non-Business Excellence school, so there is the occasional call-out as to whether various certificates are required just to get a job.

Prashant Mahajan (14:57):
I like to call certifications HR busters. It helps to get your resume shortlisted, I think. There should be a better way to showcase your knowledge and skillset rather than just some pieces of paper.

Gordon Draper (15:11):
I did do a master's of information security. I've got an AWS architecture certificate, oh, and GCIH, the SANS incident handler. So there's a few around, but I haven't necessarily gone down the path of getting CISSP or the SANS master's or any of these. Every little bit helps and you can end up, as you said, with an HR buster. So everything helps in the long run, just some of them expire. Just make sure, if you're listening, that you take that into account when you get a certification: you'll probably need to resit an exam.

Prashant Mahajan (15:45):
Either put in the effort to recertify or level up from there.

Amy Nightingale (15:50):
I think in terms of certifications generally, I think you mentioned earlier as well, just the bare minimum to be able to have some knowledge to get you started and be able to just know at least some lingo and be able to get started in the field. And then job experience is a hundred percent the most important. Quite often I do know students tend to want to go out and buy them out of their own pocket, but quite often if the company really likes you, you are willing to learn, you are a fast learner and you're doing a great job, quite often they'll sponsor you for a lot of these certifications anyway, and that's usually where you end up getting your certifications. I did not pay for my own Splunk certs, so at the end of the day that's really important to emphasise.

Gordon Draper (16:32):
Okay. So what are the most important cybersecurity challenges and threats that organisations are facing today? Each of you have been involved with cyber consulting and some of you are assisting from the offensive side and some are assisting from the SOC and defensive side and even architecture. What would you say that organisations are facing? What are some significant challenges?

Prashant Mahajan (16:54):
One thing is definitely try not to do everything. Try to figure out what is required and what is possible from the current budget and resources available to you. Focus more on crown jewels rather than trying to do each and every thing possible, because there's no such thing as a hundred percent secure.

Amy Nightingale (17:13):
Because a lot of different organisations are suddenly realising, oh wow, security is actually important, starting from zero and getting overwhelmed with trying to do everything at once and hire everything and throw money at it, pray for the best. It does tend to get a bit messy, so prioritising can be quite difficult. But I do think one issue that I do want to point out is most definitely just not taking it seriously enough is still a big, big problem. It's either they suddenly take it seriously, or they'll take it at zero, but most places, they're not taking it seriously enough. They're not prioritising it enough, not putting aside enough funds for it. And just in general, disrespecting security engineers, security consultants, and I'm sure many consultants who've worked know the feeling of just coming year after year with the same issues, same problems, same things, reoccurring. It happens a lot. So I think it is something which is an issue. So yeah, the people and decision-making.

John Gerados (18:06):
For me pretty much along the same lines, I think budgets, competing priorities and not taking it seriously enough. A lot of companies are waking up to it now thinking it's serious and we need to take it seriously and budgets seem to go up as soon as you see a major incident on the news, but actually prioritising it internally within an organisation is always a challenge. You always have to compete with a lot of other things happening inside the organisation, getting things out to market in time and basically integrating things into projects on the fly. Realistically, they're not going to be fixed up later. So I think getting that awareness and getting security integrated basically from day one or as early as possible is something that's critical and something that a lot of organisations still struggle with.

Prashant Mahajan (18:53):
As long as you have security which is part of all the processes, it'll reduce the headache which you would have to do later on.

Gordon Draper (18:59):
In the same way that trying to fix a vulnerability just before going live costs a ridiculous amount compared to doing it early in the design process. In the same way, if you could design it with security in mind to begin with. I think I've got a sticker on my laptop that says Secure by Design, by CISA out of the US, and you can definitely see me supporting that. So how do blue team defenders, SOC analysts, the security architects and red team attackers, how do they all collaborate to enhance an organisation's cybersecurity posture?

John Gerados (19:35):
Depending on who you talk to, they either do or they don't. If you're a blue teamer, you hate the red team, and if you're a red teamer, you think you're cool and the blue team isn't cool, and if you're a security architect, you sit in the middle scratching your head. Realistically, everyone has to work together. The blue team probably wouldn't exist if the red team didn't exist, because the red team needs to identify vulnerabilities, needs to identify attacks and make the blue team aware of it so that the blue team can fix it and defend against it. Also, vice versa, if the blue team wasn't setting up a good defence or setting up something for the red team to actually test, then there wouldn't be a point. As for security architects, we sit in that magical purple spot. We kind of work with developers, work with the organisation to try and do secure by design as best as possible rather than apply the band-aids. But then we have an advisory role where we consult with the red team, consult with the blue team and basically try and make sure everyone's on the same page and knows how to implement the best designs possible.

Amy Nightingale (20:37):
As an internal security consultant as well, without red team, without even GRC, yeah, our jobs are going to be a lot more difficult, trying to convince people of the fact that we do need it and being able to emphasise that heavily as well. So it does help significantly. One thing to understand is, even though we like to say it's segregated and separate, it really isn't. If you're a blue teamer, to be a good blue teamer, having a good amount of red team knowledge is really, really important. Same with red team: having a good amount of blue team knowledge really, really helps significantly to be a really good consultant in that field. You do need to have a good balance in terms of that knowledge and understanding. So it's really important to kind of get that understanding. So it's really, really helpful when you do have another person on the engagement who has a background which is different from yours, because in security, just the more knowledge you have, the more different perspectives you have, it really makes a difference on the outcome at the end of the day. So I think that's something really important to emphasise.

Prashant Mahajan (21:34):
In order to build mechanisms to collaborate, I think the industry also likes a lot of colours, so we have also mixed red and blue to create purple and a bunch of other colours. The premise behind all of that essentially is just to understand what the other person's perspective is, and I think the best way to get that is to try to put yourself in their shoes. Things like secondments from red teamers to the blue team to see how they actually work and what sort of challenges they face because of things which the red team does, and vice versa, would definitely help and create more collaboration opportunities between the different teams.

Amy Nightingale (22:11):
I don't think we mentioned this earlier, but when you do start off in a lot of consulting roles, you do tend to touch a lot of different fields, especially if you're starting off and you don't really have something you've set your mind on. You do tend to end up getting a lot of engagements in different fields anyway, and that really gives you a good idea and a good skillset to start off with as a basis, which is another reason why I think consultancy is a really, really great field to start off with and get a kickstart into. They throw you in the deep end and you get a really well-rounded skillset and knowledge and a fundamental understanding of each field, which is so key to being a great security professional in the future, whether in consultancy or not.

Gordon Draper (22:48):
John, did you want to add something?

John Gerados (22:50):
Basically, just to add to what Amy said, look, if you can get a job as a graduate or in a startup, you will tend to rotate between different teams and do a little bit of everything. It gives you really, really good exposure to the different teams and a lot of experience. So I think that's the way to go if you have that opportunity.

Gordon Draper (23:06):
The next question I'd be asking is associated with how the regulatory changes and compliance requirements affect cybersecurity consulting engagements. So now we've got APRA in Australia, we've got the New York financial services one, I think it's called. You've got GDPR in Europe. You've got various breach notifications that are coming in and around the place. You've also got regulatory requirements for red teaming and consulting engagements that are coming in. How would you describe the regulatory changes and compliance requirements that have come in?

John Gerados (23:43):
I think it creates a lot of extra work. It's not actually a bad thing. The biggest issue in security seems to be budgets and seems to be taking things seriously. What these regulatory changes and compliance requirements do is force companies to take it seriously, because now if they don't take it seriously, they're going to be fined. So it does create a lot of work, but it's not bad work. It means consultants get a chance to actually tell organisations, here's how things should work, here are the good design practices, here's what you should be implementing and what you should be looking out for. There is a little bit of red tape, there is a little bit of overhead that you might think maybe isn't required, but honestly, overall, I think it's a good thing.

Amy Nightingale (24:27):
Pretty much on the same page there. And honestly, it actually makes it easier, I find, in the sense that you do get taken seriously. They actually do, right from the start, when you're working with them. Quite often I'd find with a lot of engagements, you want to be doing the best job possible and be able to recommend the best things possible. And now a lot of these are actually enforced, which actually helps significantly with, well, I mean, it only pushes your point, but it just means you can actually do a good job without having to spend a lot of time just convincing and pushing the fact that this is important and they should, and it's a necessity now. It's actually a necessity. So I think it's actually a good thing. I guess it is extra work at the end of the day. Yeah.

Prashant Mahajan (25:03):
It is extra work, but at the same time, what we were initially talking about is talking in the same language, I think. What these sorts of regulatory compliance requirements are doing is creating that common language between techies and the business, so they can talk about cybersecurity, which is a good thing. But the downfall also of creating specific requirements is that companies treat those as the only things which they need to do. Whereas compliance is basically setting the bar, saying these are the minimum things which you need to do, and after that the sky is the limit. But I think everyone forgets that.

Gordon Draper (25:38):
Yeah, definitely. From my experience in the past with consulting, you can get a lot of pushback with regards to your recommendations of what seemed to be fairly common sense security to us practitioners. There was a lot of complaints and pushback. It was like, no, we don't want to do that, we'll find a reason not to do that. Now it's coming back. Some of them have to. I think it's a good thing; it will be more work, but that's part of the consulting process.

John Gerados (26:06):
I'm just going to add one more for the compliance one. Anyone that's done PCI compliance knows how amazing and exciting it is. It's actually quite good when you can go to an organisation. In the past it would be like, you need to be secure because we said so, here's the recommendations, can we have budget? And the answer tends to be no, because it's academic and no one's going to hack us anyway. With PCI, for example, not my favourite framework, but whatever, you go to the organisation, you say, here's the risks, here's how to solve it, here's some controls you should have in place, it's going to cost X dollars. And it's like, can we have budget? And the answer is, well, if you don't pay for that budget and you don't fix it, you could lose your ability to accept credit card payments, which is basically going to stop your business from operating. So again, it is paperwork, it is overhead, red tape, but if it wasn't there, people wouldn't take it seriously. Overall, again, I think it is a good thing.

Gordon Draper (27:04):
Now I'm moving on to how do consultants stay up to date with the latest tools and techniques in this fast evolving field?

Prashant Mahajan (27:11):
That's a good question to answer, but at the same time, don't try to go down the rabbit hole of trying to always keep up with everything. It's impossible to know everything and keep on top of it; figure out what sources work for you. For some people, Twitter used to be a very nice resource. Unfortunately that is changing, but a lot of underground forums, Discords and Slack channels, Signal groups, they are also quite good in terms of trying to get quick, updated knowledge about different things happening, different attacks happening. I still do have a bunch of RSS feeds which I follow, but I think trying to figure out a single source to try and keep up to date with everything, that's not possible. You have to be on a few different sources and figure out which works best for you.

Amy Nightingale (27:58):
Well, I strongly believe that the sole most important skill as a security professional, especially in consulting, is learning, picking things up. You'll do it in your job. And so I do find a lot of these technologies, you just learn on the fly, you learn as you go. When you get thrown into different scenarios and different engagements, you'll have to pick up the tools and technologies, and quite often a lot of them you might pick up along the way as you go along on these engagements. There'll be different attacks, different vulnerabilities out there, different things popping up. A lot of these tools are created to make up for those, so you will learn them to be able to defend against those vulnerabilities. Same as what Prashant said, it gets very overwhelming very, very quickly. It's very easy to just jump straight in head first and try and learn everything.

(28:46):
I think it really is one step at a time. If you are working in consulting, one engagement at a time, one piece of knowledge, one skill set at a time, just taking it step by step. Whatever is exciting, whatever piques your interest, just dive into it. Go crazy if you want to, but don't feel pressured to learn everything all at once, just as you need it. And personally, one of the places where I learn a lot is, honestly, I mean there's a reason why there's a lot of meetups and conferences talking about these latest technologies and these great tools that people have discovered or created themselves, as Prashant has created himself. So honestly, I think that's a really good way, and it's also fun, enjoying and keeping the enjoyment there of learning, because you can get burnt out so quickly with learning if you try to force it down too much. Find the fun things as you're learning and find what's exciting and what piques your interest. I think that's really, really the way to go.

John Gerardos (29:35):
I've got the tough job of trying to add more to what Prashant and Amy said. I completely agree with everything they've said. To be honest, there is no one course or one book that you can do or read and then finish and say, I know everything there is to know about cybersecurity. Having that mindset of you'll never stop learning and you'll never know everything is the best mindset to have in this industry. I'm a very, very big fan of conferences and meetups. I think the community is what makes this industry so good and where you learn the most. We're pretty lucky and we're pretty privileged. We have that community and we have that ability to knowledge share. In other industries, you're not exactly going to go to an accounting conference and present a talk and say, I've learned the brand new way of balancing your ledger and adding numbers together. In cybersecurity, you go to conferences, you learn new techniques, you run CTFs, you learn a whole bunch of new tools. It keeps you motivated, it keeps you going. And pretty much all of us, or at least I, like the industry so much that I have fun playing with these tools, and I think that's what you just keep doing and keep learning.

Prashant Mahajan (30:47):
Student for life.

Gordon Draper (30:48):
Yeah, yeah. It's a never ending journey. Once you've started, it never stops.

Amy Nightingale (30:53):
Never pretend you know it all, because you really don't.

Gordon Draper (30:56):
Keep asking questions. That's a very good point. Do not ever pretend that you know it all in the same way that you don't say that something is secure. You need to make sure that you keep learning all the time to keep across things. How do organisations and consultants approach incident response and preparedness in the face of increasing cyber threats?

Prashant Mahajan (31:14):
So in terms of preparedness, most organisations basically do not have an incident response plan in the first place. So create one. After that is created, you basically have dry runs of the plan, because things change, and once you actually go through what you think might happen in an incident, all the people involved in the plan also know what they're supposed to do. You might notice a few different cracks in there as well. So going through different dry runs and doing it regularly, instead of treating it like an annual exercise like compliance, will help to keep it fresh in everyone's memory, and once it actually happens, people know what to do and are actually prepared for the incident.

Amy Nightingale (31:54):
Prashant's hit the nail on the head, which is why I'm struggling with this question. I'm going, oh, how do they? No, they don't tend to. They're definitely improving. Definitely improving. In terms of having approaches for incident response preparedness, it is, as Prashant mentioned before, and I do agree, very much to do with having an incident response plan and actually practising it. So that can be via tabletop exercises and just going through it with the people who are involved. Them all being very, very aware and knowledgeable in the field and knowing exactly what to do and what approach should be taken is very, very important. So it's more of what should they do rather than how they should. But so far it is very much improving. It's very much improving, but it's definitely not to panic and try to fix everything all at once. I actually like this question because it's focusing on the incident response and preparedness, because the incidents will happen.

(32:42):
It's inevitable. It happens, and you need to know what to do afterwards. You can try to put as much security and band-aid on as much as possible, but you need to know what to do if it does happen. So I think that's something that a lot of organisations aren't really that aware of. They think as long as they throw enough money at security, it might fix everything and they won't have any incidents. It won't happen to them ever, but I think it's really important to understand the fact that it will happen and there are things that you need to do against it.

John Gerardos (33:08):
Yeah, the only thing I'll add here is, in the past year consulting with a bunch of companies, I found a lot of companies looking at the recent news events and deciding we actually need to do something, and starting to write their incident response playbooks from scratch because they might not have had one in the past. So a lot of places are in the process of that, if not already finished, but also doing incident simulations and a whole bunch of pen testing and stuff to basically bring their maturity up. A lot of people, or a lot of organisations, have woken up to the risks recently. It is becoming better, but it is something that is definitely on the improve.

Gordon Draper (33:49):
A heartfelt thank you to our insightful panellists, Prashant Mahajan, Amy Nightingale and John Gerardos, for gracing us with their wealth of knowledge in this first instalment of our two-part series recorded live at Tuskcon on the Sunshine Coast. Your expertise has illuminated the intricacies of cybersecurity, providing our listeners with invaluable insights. We extend our gratitude for your time and thoughtful contributions to the Cyber Consulting Room podcast. If you found this episode enlightening, stay tuned for the second part of our series, where we'll continue this engaging discussion with our esteemed panel. Until then, stay cyber resilient, employ multifactor authentication on everything, and we look forward to bringing you more in-depth conversations in the world of cybersecurity.
