Cyber Consulting Room

Cyber Consulting Room - Episode 1 - Edward Farrell

October 20, 2023 Gordon Season 1 Episode 1

In this episode of The Cyber Consulting Room, host Gordon Draper dives into a compelling conversation with the Director and Principal Consultant of Mercury Information Security Services, Edward Farrell. Based in the bustling cyber landscape of Sydney, Australia, Edward brings over two decades of expertise to the table. As a trusted figure in the field of cyber security, he shares his unique journey and unravels the intricacies of his extensive career, shedding light on the ever-evolving world of cyber security consulting. Discover how Edward's deep knowledge has shaped his approach to securing organizations in a digital age, and gain insights into the industry's past, present, and future. Whether you're a seasoned professional or just embarking on a career in cyber security, this episode promises to be a treasure trove of wisdom and a deep dive into the mind of an industry leader. So, join us for a fascinating exploration of Edward Farrell's remarkable journey in The Cyber Consulting Room.

Gordon Draper (00:02):
Hello and welcome to the Cyber Consulting Room, the podcast that delves deep into the world of cybersecurity and its many facets. In this episode, we're joined by a very special guest, Edward Farrell, the director and principal consultant from Mercury Information Security Services based in Sydney, Australia. With nearly 20 years of experience in the field of cybersecurity, Edward is an expert in his field and we are thrilled to have him on the show today. During our conversation, we'll be exploring Edward's background in cybersecurity consulting, his insights into the industry and the lessons he's learned along the way. So sit back, relax, and join us as we dive into the fascinating world of cybersecurity with our guest, Edward Farrell. 

Gordon Draper (00:55):
Hi, I'm Gordon Draper and I'm here to talk with Edward Farrell as part of the security podcast. 

Gordon Draper (01:02):
Edward Farrell is a security consultant with 12 years' experience in cybersecurity and 17 years in technology. As the director of an independent cybersecurity practice, he has conducted or overseen the delivery of over 700 security assessment activities and incident responses in the past seven years. These professional highlights include lecturing at the Australian Defence Force Academy, being rated in the top 200 bug bounty hunters in 2015 and running an awesome team of security professionals. 

Gordon Draper (01:31):
Hi Ed. How are you doing today? 

Edward Farrell (01:33):
Not too bad, Gordon. It's been an interesting weekend here at Crikeycon and yeah, it's good to be getting home. Also, happy birthday. 

Gordon Draper (01:42):
Thank you very much. 

Edward Farrell (01:42):
Yeah, no, it's been good. It's been a good weekend, but I think that's a conversation we can have a little bit later as to how awesome it's been. 

Gordon Draper (01:50):
We're in Brisbane airport at the moment, just catching up after the weekend of Crikeycon 2022. One of the things I wanted to discuss was just a bit of an interview, so how did you get into cybersecurity slash information security? 

Edward Farrell (02:04):
So I got into cybersecurity when it was information security and cyber meant something completely different. So I got into it in about 2009. I was working as a network engineer at a NOC. I had my ground level competencies there. Actually, if I come back even further, I'd probably say about 2006, 2007, I started that transformation into security. I sat my SSCP certification and also took the security lead at the NOC I was working in. And then over time, that evolved into more of a dedicated security role. Security was very much a niche specialist art. There weren't too many people playing in it, and there wasn't too much in the way of work, and I guess in some ways that still feels like a bit of the case, but in a lot of other ways there's a lot more opportunity out there that has evolved, which is great to see that we've had that industry build out. Yeah, 

Gordon Draper (02:56):
It's definitely grown a lot over the last 10 years or so, 20 years even. It's come from the early two thousands where it was literally a backwater, where someone would end up getting the position in cybersecurity and it wouldn't necessarily be the major highlight of their career. That just attracted a different type of person than we'd get now. 

Edward Farrell (03:17):
I also think the body of knowledge was quite different in the approach, and I think that's evolved with the technology, the geopolitics, and what is happening with the world. So I think it was curious at Crikey this weekend that we had what, 700, 800 people? This is a moderately sized conference here in Australia. I mean, besides Canberra has about 2,200. I'd contrast that with when we had the one and only conference, which was Ruxcon in Sydney. My first Ruxcon was in 2008 and I think we had about 200 people there, and we all fitted into the bar at UTS. It was a very different time in a different place. 

Gordon Draper (03:54):
So did you always want to be in information security? 

Edward Farrell (03:58):
No, no, I didn't actually. In high school I thought I was going to be a programmer. I graduated high school in 2003, factor in the dot-com bust, I went to university. I then started looking at, hey, where am I going to go? My subjects in programming were terrible at university, and I think that was a big thing that said, no, I'm not going to do programming, because the way programming's being presented is here's the requirements doc and build for the requirements doc, please do not employ any creativity and we'll pay you $40,000 a year. And that was how it was presented. But then there was curiosity that started to come out of computer networking. It's like, okay, well computer networking looks interesting. Let's have a look at this as a prospective career path. That was great. I got my first job at a NOC, actually, I was technically on help desk in 2005 as a summer intern earning about $12.50 an hour. 

Edward Farrell (04:53):
Then they brought me back part-time as a network engineer my last two years of a four year degree, and then I built out my security competencies. Then we had the GFC, so I still had to kind of hang around, but then I got a fabulous job, which then became BAE Systems. I then moved to another firm called HackLabs for a few months before starting out on my own. So in answer to your question of did I always want to be in cybersecurity? Not quite. I think it was a natural discovery process, and I think for a lot of the people that are looking at this or getting curious about it, I think it's going to be very much one of those cases of you'll make those determinations as you go through, or you'll just hate it like I did with programming. I mean, programming certainly has changed, and if I had my time again, I'd probably be interested in actually going down a programmer's path. But yeah, 

Gordon Draper (05:40):
My undergrad was in 2002, learning Java in object oriented programming. It's definitely changed compared to now where there's still Java being written in enterprise Java, but the popularity of the language is starting to wane. 

Edward Farrell (05:57):
It's funny, right? You also saw that with Pascal that some of us were actually getting taught at several points. It's just like, we're never going to use this language. But then you'd contrast that with some of the computer science degrees that are focusing on legacy systems that are guaranteeing massive salaries afterwards.  

Gordon Draper (06:14):
So speaking of education qualifications and industry certifications, what sort of areas do you have with regards to that? 

Edward Farrell (06:21):
So my undergrad from Wollongong, which is in communications technology. I also have a CISSP, SCPA, CREST CRT, oh, and a CISA from ISACA. Outside of that, I also have a bunch of lifesaving qualifications, including first aid and jet skis, if you see my photo that I like dropping on profiles when it comes to speaking engagements. I also have a Cert IV in Training and Assessment, and I have just been undertaking my AICD graduate directors course. Very good. That's a mix of training and education over the last 20 odd years. 

Gordon Draper (07:00):
On that topic, you are teaching a course at the Australian Defence Force Academy? 

Edward Farrell (07:05):
That's correct. So there's another line of education I have. I've also spent 14 years in the Army Reserve, and so I've also got a series of qualifications out there, but funnily enough, my career there as an industry fellow at the academy had actually really just stemmed off some of the courses that they had originally had. That then evolved into me supporting the postgraduate programme, which has been really insightful both for myself, but also then working out along and collaborating with students on some of their activities at a post-grad level has been really cool as well. 

Gordon Draper (07:34):
I'm sure you get challenged by the students in different areas as well. 

Edward Farrell (07:39):
Yeah, I guess in two ways about that. Some of them are incredibly smart and will challenge assumptions or even academic observations in our course material, and it's great. I also find some curiosity that also getting a lot of people that haven't come in from a technical discipline, so there's a massive uplift that we need to deliver there, and that's brought its own challenges. I've had students turn up to my course and it's their first day of using Linux. There's a steep learning curve that we need to manage with these new entrants. 

Gordon Draper (08:07):
When I went back to do my master's in IT security, there was the, I already knew about Linux, but there was the, oh, here's Kali. This is what it looks like, how to use Kali in pen testing, et cetera, and that's its own learning curve as well. What challenges do you come across in the hiring of the right consultant for the right position? You run a cybersecurity consultancy, information security consultancy growing, and you're regularly hiring new consultants to join your team. What challenges do you come across? 

Edward Farrell (08:38):
Interesting question, bit of background. We currently have about 10 employees and 10 subcontractors working for us. The biggest one is actually cultural fit. If you are still in a small company and a small team, whoever comes in needs to actually be able to complement the business, but they also need to provide some sort of new insights or some sort of new approach. I don't need clones of everyone. I need someone that can offset a particular need that we have in the business. So one of our new hires is leading customer relationship management. They have come from an existing pen testing organisation, but they have commented that some of the unique and bespoke approaches that we apply are drastically different. So they're sufficiently offset in so far that they're going to be effective at helping us build business. They also recognise their own shortcomings in terms of what they know and they're in a position to build on it. 

Edward Farrell (09:30):
Which leads to the second point I have in terms of challenges is the desire and the capacity to learn, but also operate in an empathetic environment. And that I think is another particular one is you'll often have people that will come into the business that just they don't understand that this isn't about technology or elitism. This is a team sport, and if you're not here to play in a team, you're not going to have a very long career. And that also comes into a third part, which really comes down to trust. We're having a lot of trust put in us, and we've built that trust over many years. If you're a consultant coming into the space, are you in a place to actually help us sustain that trustworthy relationship with our customers? 

Gordon Draper (10:14):
Definitely. That's one of the key values of what I've been working with cyber market is making sure that there's trustworthiness associated with consultants, and as I've seen across a lot of different consultancies, the trust of the consultant is paramount. A bit of a generic question, but did you spend any time as a security consultant yourself before you went and started your own consultancy? 

Edward Farrell (10:37):
I did. I was with, as I said, Stratsec for a while. I then also spent some time working for HackLabs; HackLabs was going in a very different direction to where I was going. So I did look at going out on my own, and that's just meant I've been able to give my own unique brand and stamp to what it is we do and how we do it. But yeah, that's all been in Australia. And 

Gordon Draper (10:55):
You've all been in Australia. Okay. What is one of your most memorable experiences of consulting in information security?

Edward Farrell (11:00):
So there was the EternalBlue meltdown in May of 2017 and just working out what the hell had been happening with a couple of customers. The same was with WannaCry as well, and doing discovery of that in April, 2017. There were also some major projects I was working on back at Stratsec as well that were incredibly insightful and I think contributed to building me out as an individual, which was great. And even before that, I did have a really cool one where we may have found a remote code execution bug in one of the first software as a service platforms. A couple of this is going back into hallowed antiquity, so I wouldn't say there's one particular memorable experience. I think there's a lot of memories that stitch together that build out and consolidate over time that have made for a really great experience and a great career. 

Gordon Draper (11:50):
So would you ever consult again, but a higher level, for example, as a virtual CISO or run your own consultancy, but you already are. So I think that that question answers itself.

Edward Farrell (12:00):
It does. I think the comment that you have about running as a virtual CISO or a higher level person, I disagree with that as a role. Ideally, those roles should already be in place in a lot of the organisations. It kind of comes back to working at your costs at your place. I think right now in the world, we just don't have those people equipped and built and ready to go. It makes sense that people are outsourcing that role, but I think I wouldn't say that jumping up into higher level consulting gigs at the board level makes sense. 

Gordon Draper (12:32):
There's not necessarily an immediate leap between consultant and virtual CISO, but there's a roundness that you get when you cover a number of different areas, including the risk and incident response. 

Edward Farrell (12:45):
Yes and no. Look, I think I have my own opinions about the idea of CISOs and is a case of are they genuinely necessary are the environments that we often encounter. I think there's businesses where there's genuine value with having an SME operating in that space, whereas others, there's other existing roles that can fulfil that capability. So your CIO your head of risk and audit, and most of 'em already have a really strong discipline that's already grown over the last couple of decades. I guess I'm reluctant with the idea of CISOs and virtual CISOs based purely on needs, but also I think the virtual experience, other roles and capacities that we've already got that can fulfil that, and it can be a bit of a controversy, I guess, but I think there's other avenues that I think we need to be considering before we go, oh, we're going to use a virtual CISO.  

Gordon Draper (13:37):
So yeah, there's a lot of small to medium businesses that don't even have a security expert, so it really is just they've barely got an IT person kind of thing. 

Edward Farrell (13:46):
But I think it comes back to we can also find ourselves encumbering businesses by having a virtual CISO. It's identifying the legitimate business need for that. And I'd even say that's actually a job in and of itself: our job should be to actually make our job redundant. So are we doing the world a disservice by creating a lot of work that we don't necessarily need? 

Gordon Draper (14:08):
That's a very good question. My next question is what have you seen or heard at the conferences recently that stand out? So we've just been at Crikeycon and a couple of weeks ago we were in Las Vegas for BSides Las Vegas and DEF CON. 

Edward Farrell (14:23):
Yeah, actually there was a really good talk that sits in my mind from Wednesday morning at BSides in Vegas. I can't remember for the life of me, it was the first talk on Wednesday morning, but the speaker, some of the key points that I took away from it was we're probably starting to, as I said, we're doing a lot of technical activities, but we're not applying effective operations and strategy. And for me, there is a disconnect. I think for me, our engineers are trying to over-engineer our solutions and are in fact creating more unnecessary complexity when there's probably a simple activity. I think some of our strategists as well, because this is like the problem they had with the US Civil War, suddenly they invented machine guns and no one knew how to deal with the mechanisation of warfare to a point that it caused so much carnage and chaos. No one knew what the actual fix was. That took a bit of time to change as well. And the same can be said for when we've introduced manufacturing processes as we saw during the industrial revolution, and even the same has been said about the information revolution, new concepts and ideas getting introduced. And yet so many businesses are still running off a macro-enabled spreadsheet. And so if you can suddenly find operational efficiencies to drive a business harder and faster, that's going to have its payoff. But I think we're often too afraid to because we don't know it or because we know what already works. And so coming back to your question of anything I heard at conferences that has really stood out, I think that particular talk, which should be online in the next few weeks, I'm going to probably watch it again three or four more times, but it was a really curious dive into 

Gordon Draper (16:04):
Or automation and business efficiencies, 

Edward Farrell (16:06):
Probably just also operations and strategy in cybersecurity. I mean, the speaker did jump around in a few different domains a lot. Really good. Yeah, a couple of other ones were also quite good. I think Sick Codes' talk at DEF CON was pretty epic. For those of you who aren't aware, this is the gentleman that managed to install DOOM on a John Deere tractor, which is a bit of scientific organism. But if you think about it, if you have a look at our food supply chains, we are two weeks away from starvation at any point in time. And if that can be targeted through targeted attacks on our agricultural infrastructure, I think it's a problem that we need to reconcile with. And I think some of our business models that make sense economically to places like John Deere for how we operate our supply chain, they make sense economically for John Deere, but they don't make sense from a national security standpoint if it becomes a targeted, i.e. targetable, vulnerability that can seize our entire food production. So that's a big fear that I have. 

Gordon Draper (17:05):
I've never really thought about it, but having internet connected tractors, I was thinking mainly more about the right to repair and the restrictions associated with the DMCA of code inside tractors. 

Edward Farrell (17:18):
But that's a part of it, right? That right to repair and that capacity to fix things should have at its foundation the survival of the human race. We cannot, and Covid has demonstrated this, we cannot simply rely on being able to get an Amazon order of something out and hoping and praying that that's going to work. There is every likelihood that at some point in the next 10 years, if we have another conflict, whether it's in the Asia Pacific region or in Europe, there's every likelihood that it's going to result in impact on supply chain. We need to actually have resilience in our technologies around that supply chain. 

Gordon Draper (17:58):
So just changing topic up a little bit, I don't think I've seen any internet connected tractors as part of hacker movies, but what's the last hacker or cybersecurity movie that you'd seen? 

Edward Farrell (18:09):
There was a particularly half-decent series on, I believe it was on Stan, what was it? The Undeclared War, that looked interesting. I think the imagery and the themes they had were really affecting in sort of communicating to the layman what it is we did and its alternate thought processes. There was another, in fact, to be honest, I've actually been getting more into books and literature just because I think we can go into greater depth than a lot of our hacker movies. A couple of good ones. I've read recently QAnon and On by an author from the Guardian, Van Badham, where she has actually done really detailed research at cults, QAnon in the Australian scene. 

Gordon Draper (18:48):
Oh, in the Australian scene, okay. 

Edward Farrell (18:50):
Yeah, 

Gordon Draper (18:50):
That's interesting. 

Edward Farrell (18:51):
The Weaponisation of Everything was another good one I'd read, but there was also, apologies, I'm just going back through my list here. So return to more Marco polls, what I think was a good one around the sociology of mindset like war, The Hacker and the State, and also John Birmingham as an Australian author did a really good series of books that hypothesised what would happen to the US if there was an attack on its digital infrastructure at a state level and how that could actually lead to a failure. 

Gordon Draper (19:22):
How old's that?

Edward Farrell (19:22):
It's probably two years old. 

Gordon Draper (19:26):
Really? A good quality analysis?

Edward Farrell (19:29):
Wouldn't call it an analysis. I would say it's more of a hypothesis of here is a story of how this would pan out. So if you're into your zombie apocalypse style literature, it does a really good visualisation of what that would look like. 

Gordon Draper (19:43):
You've mostly been based in Australia with information security and consulting. Is there anywhere else in the world that you would consider moving to or where else in the world would you live? 

Edward Farrell (19:55):
Where else in the world would I live? I would be interested in getting a yacht and sailing around the world for 10 years. I think that capacity to keep moving, but also to be self-contained in your own ship and be the master of your world, I think would be what would be really cool for me. But I'm still many years off that. 

Gordon Draper (20:12):
Yeah, it sounds like a retirement plan that may only be a few years away. 

Edward Farrell (20:17):
No, no. We're never retiring, we've got too much work to do. 

Gordon Draper (20:21):
Exactly. That's always going to be there. Given the current state of affairs, what's one thing in your consulting history that the consultancy that you've worked for did that you didn't expect? And what did you learn from it? 

Edward Farrell (20:34):
It's very spicy, and I think there'll be points where I really have to bite my tongue on things that I didn't expect. I guess one of the curious ones I can talk about with my own company was actually when we went fully remote, I was afraid that when Covid hit, we wouldn't last three months. Oh, really? But funnily enough, going full remote, we will find that. In fact, I even remember from an efficiency standpoint, we had increased productivity, and one of my staff members commented on it quite well where he said, I'm not on public transport for 45 minutes to an hour each day, and I'm also not exhausting my mind or feeling overwhelmed because I'm having to interact with it. So that was really, really insightful. 

Gordon Draper (21:16):
Definitely I noticed the same kind of thing. The productivity generally went up and it saved time on commuting, and I can definitely get a lot more done focused. What would you say that the most common myth about the cybersecurity consulting industry is? 

Edward Farrell (21:31):
I would say it's the illusion that you have to know and that you have to know everything. Something that a lot of people don't get over with consulting is there is a belief that they have to be confident and cocky, and that results in two problems. It means that our best and brightest are actually afraid to enter. But it also means that we get walking textbook cases of the Dunning-Kruger effect, where you have people that after watching 16 hours of TED Talks are suddenly cybersecurity thought leaders at face value. We have this illusion that you have to be smart. And so some people will fake it till they make it or worse. And the problem with that is it means that we do get a lot of very dangerous bullshit artists. We neglect our best and brightest as a result. So I guess if you're looking at getting into this industry and you're afraid you don't know everything, there's people that are far worse than that right now. Most of 'em used to be flogging cryptocurrency. Now they're all cybersecurity thought leaders. 

Gordon Draper (22:27):
Just wait until the business coaches step up. 

Edward Farrell (22:30):
Oh, yeah, that's going to be fun. So yeah, it's kind of almost a two phase myth of we lose our best and brightest who are too afraid to get into consulting, but we also get the worst of humanity that suddenly start becoming consultants and it doesn't help us. 

Gordon Draper (22:45):
Definitely. I think that's a very good one because a lot of people think, especially coming out of university, that the only way to get a job in cybersecurity is by hacking all the things doing hack the box challenges, and the only path is the pen tester. That's a grain of sand in the scheme of things. 

Edward Farrell (23:03):
Well, yeah, it's the initial point. There's a lot of work that still needs to be done in terms of integration and configuring organisations. There's also a lot to be done in security operations. Even incident response I think is another big one that people step into. But it's also, I mean, I remember dealing with one person who was incident response expert, and all they were doing was just working at the board level. There was no capacity to actually deal with 

Gordon Draper (23:28):
What was happening on the ground, hands on keyboard. 

Edward Farrell (23:30):
Yeah, and I think that's actually can be quite disingenuous and quite dangerous, is when you get somebody who thinks, oh, I just need to operate at a board level. Well, you at least need to have an appreciation of what's happening one level down, and there's a lot of people that will suddenly become board level, and we don't have the barrier to entry in that space of someone being a notional expert. 

Gordon Draper (23:50):
The difference that you get between, I've done some work as both pen tester and also GRC consultant, the risk side of things, people that come from the risk perspective, just assume that you can write things off with a risk acceptance. And from a pen test experience, I know that what I can do, I can have some impact. It's just a matter of time. 

Edward Farrell (24:11):
Yeah, definitely. 

Gordon Draper (24:12):
You're going to be jumping on a plane fairly shortly, so we need to start wrapping up. What is one piece of advice you give to someone starting out in cybersecurity? 

Edward Farrell (24:19):
Be curious. Understand what is happening and why. Don't be subjective. Don't think you're here to save the world, and definitely don't think you're here to dominate enough human being. If you can take a very objective, rational view, you are going to set yourself up for success. 

Gordon Draper (24:35):
Excellent. So where can the listeners find you online? 

Edward Farrell (24:38):
So you'll probably find me floating around the SecTalks channel or the BSides channels or somewhere on Slack. You'll also see me on LinkedIn as Ed Farrell. That's probably the easiest place to connect to me. 

Gordon Draper (24:51):
Awesome. Well, I just want to really thank you very much for your time and allow me to pick your brain. 

Edward Farrell (24:57):
No, no worries, Gordon. Thanks for having me. 

Gordon Draper (24:59):
And that concludes our conversation with Edward Farrell, director and principal consultant of Mercury Information Security Services. I want to extend a heartfelt thank you to Edward for sharing his invaluable insights and expertise with us today. If you are looking for advice on cybersecurity consulting or if you're a new consultant looking to navigate your way through the industry, I highly recommend reaching out to Edward and his team at Mercury Information Security Services. They're a wealth of knowledge and experience, and I'm sure they'll be able to provide you with the guidance you need. Thanks again for listening to the Cyber Consulting Room, and be sure to tune in next time for more fascinating discussions on all things cybersecurity.