Cyber Consulting Room
The Cyber Consulting Room Podcast and Meetup Network is your gateway to a world of knowledge and collaboration in the ever-evolving realm of cyber security and consulting. Our podcast, hosted by Gordon Draper, brings you in-depth interviews with industry leaders, experts, and trailblazers, offering invaluable insights, strategies, and experiences. From award-winning professionals to those paving the way for diversity in the field, we delve into the most pressing issues and emerging trends. But we're not just a podcast; we're a network, connecting like-minded individuals through our Meetup events. Here, you can engage in lively discussions, share expertise, and build your professional network in a supportive and enriching community. Whether you're an established consultant or just beginning your journey in the field, The Cyber Consulting Room Podcast and Meetup Network is your go-to source for staying informed and connected in the world of cyber security and consulting. Join us on this exciting journey, and let's learn and grow together.
Cyber Consulting Room
Cyber Consulting Room - Episode 2 - Ger van Hees
In this engaging episode of The Cyber Consulting Room, host Gordon Draper engages in a compelling discussion with Ger van Hees, a distinguished Trusted Information Security Advisor and the Managing Director of "Van Hees Consulting." With a career dedicated to guiding organizations on their path to optimizing information security and reducing risk, Ger brings a wealth of experience and expertise to the forefront. He has a track record of advising boards and executives on balancing cyber risk with innovative progress, aligning security strategy with organizational goals, and facilitating the seamless integration of modern technology while maintaining robust security governance. Drawing from his deep understanding of information security across various industries, including finance, education, and business services, Ger helps organizations identify security risks and offers strategic advice on mitigating those risks. He's a strong advocate for fostering a risk-aware culture within organizations and optimizing information security to enhance resilience. By sharing his insights, Ger empowers modern organizations to achieve greater profitability, resilience, and a stable workplace culture – making this episode a must-listen for those seeking expert guidance on the path to enhanced information security and risk reduction.
- For more episodes like this visit https://cyberconsultingroom.com
- You can find more information about Cyber Consulting Room Podcast Host at https://www.linkedin.com/in/gordondraper/
Gordon Draper (00:02):
Welcome back to the Cyber Consulting Room, your go-to podcast for all things cybersecurity and consulting. I'm your host, Gordon Draper, and in today's episode we have the privilege of sitting down with a respected figure in the world of cybersecurity consulting. Joining us is Ger van Hees, the managing director of Van Hees Consulting, a trusted information security advisor and an instructor in the cybersecurity at Monash University in Melbourne. Ger specialises in guiding organisations on their path to optimising information security and reducing risk. Today we'll be delving into Ger's wealth event experience, exploring his insights into the evolving landscape of cybersecurity consulting and gaining valuable wisdom for both seasoned professionals and aspiring experts. So fasten your seat belts and get ready for an enlightening discussion with Ger Van Hees on the Cyber Consulting Room podcast.
Gordon Draper (01:14):
Hi there. My name's Gordon and I'm introducing Ger Van Hees. So I'd like to welcome everyone to this podcast. Currently in Melbourne, having recently been at the AISA Cyber Con. I'd like to welcome Ger Van Hees.
Ger van Hees (01:22):
Yeah, that was interesting, that conference, wasn't it? There were lots of good talks and some interesting keynote speakers like Captain Sullenberger, Steve Wozniak was very cool.
Gordon Draper (01:31):
Yes, Steve Wozniak was brought back memories of recording video recording programs onto cassette tapes and typing them in for magazines. Going back to the original, oh, I'll just create a computer out of microchips.
Ger van Hees (01:45):
Yeah, exactly. Playing around with the basic programming language. Very interesting.
Gordon Draper (01:50):
Tell me a bit about yourself. What's your background in cybersecurity?
Ger van Hees (01:54):
So I have been in IT for more than 30 years and the last 20 years or maybe 18 years or so in cybersecurity and cybersecurity related roles, I actually started out working as an electrician. I'm a qualified electrician. A lot of people know that, and so I started working out with cabling and so on and moved into the telecommunications area. We started building networks and computer networks and I rolled into the computer networking side of things. Met my manager at that time, asked me to put the office network in the office, and so I did and I started to connect it to the internet and thinking about security and so on, and that kind of piqued my interest and so I started learning about it more and more just by reading books and articles and so on, and did a couple of training courses about NetWare IPX/SPX and the boarder manager firewall and so on TCP/IP became more and more popular.
Ger van Hees (02:57):
I started moving into a role like security administrator managing networks and systems and firewalls and so on, routers and switches. At some point I found a job at a large insurance company. They were looking for a security advisor in a role where the different projects with that who were running needed some security knowledge because at that point security wasn't really very commonly done in projects and so on. So that was really interesting. And then I thought I really need to get some sort of official piece of paper and I started doing my CISSP training, and so I got my CISSP certification and I already thought to myself, if I want to be seriously working in something like that, I need to get all the way in. And I started doing my master in computer security at the University of Liverpool. So that was interesting, and I kind of rolled in from there. I started working for telco providers in internet service units and lots of different roles basically from there on all security related from the availability side to the consultancy side and everything in between.
Gordon Draper (04:15):
You've got a bit of a background around as a global citizen. You've been a Dutch background and
Ger van Hees (04:21):
Yeah
Gordon Draper (04:22):
Also studied the University of Liverpool.
Ger van Hees (04:24):
Yes.
Gordon Draper (04:24):
Tell me a bit about the different countries
Ger van Hees (04:25):
You've been in. So I was born and raised in the Netherlands, but I worked for companies that were basically working worldwide, companies like infonet that basically had offices all over the world AT&T Unisource. Yeah, so I've been to lots of different countries, projects in the UK, in Italy, in the us. At some point I decided to move to New Zealand, so we've lived in New Zealand for 10 years. I'm actually a New Zealand citizen.
Gordon Draper (04:54):
Oh, very good.
Ger van Hees (04:55):
And now I live in Melbourne.
Gordon Draper (04:57):
I guess one of the questions that people come up with that would love to know is you've given me a bit about your background as to where you've been, et cetera, but How specifically did you get into cybersecurity or information security?
Ger van Hees (05:09):
Yeah, I think it was, the moment that specifically happened for me was when I worked for PTT at that point, Post Telegraphy and Telephony, the company in the Netherlands, the biggest telco in the Netherlands, they're now called KPN, which is the biggest telco in the Netherlands. And I worked for their called advanced value added services unit managing applications on a mainframe. And the manager knew that I was into security and he said, we are going to form this internet services unit where we are going to provide internet services to our customers like Venice Firewalls and secondary DNS and mail backup systems and those kinds of things. And he said, I think you'll be interested in working there. And said, yeah, sure. And I joined the internet services unit. It started out small with perhaps like six or seven people, but within two years or so, it grew to, I dunno, 80 or 90 people just dedicated on internet services and basically designing secure solutions for customers, working with all kinds of systems.
Gordon Draper (06:19):
What year would this be about? Security wasn't necessarily front of mind For a lot of companies for a long time.
Ger van Hees (06:23):
No, exactly. Yeah, no, exactly. And that's why they were sort of one of the first kind of bigger telcos in Europe doing that. That was probably around 1997, something like that, 1996, 1997, and until that time, all their internet stuff and security stuff was done by one of the big university kind of organisations and then analysts called Surfnet and KPN at that point decided to kind of take it back and do it all themselves. And one of the interesting parts of the job was to be one of the founding members of the CERT team, computer emergency response team, which was really interesting because at that point we had lots of contacts with all over Europe and in the United States, and we had this kind of relationships with each other where we exchange information about vulnerabilities and advisories. It was called at that point, we'd exchange information about attacks and infrastructure problems and so on to kind of help each other protect customers. We'd send out notifications to customers if there were any kind of security issues at that point. That was very interesting. And so I guess that's where I really learned a lot about security and started actually to work in cybersecurity
Gordon Draper (07:45):
In a way. Leads into the next question which I have is did you always want to be in information security? It doesn't necessarily sound like it.
Ger van Hees (07:53):
No,
Gordon Draper (07:55):
It was always there.
Ger van Hees (07:56):
Yeah. It's not that I was a little boy and I wanted to be in a security. That's something that came me, kind of grew into that when I was a little boy. I was always more in the technical side of things. I was always, like you said, working with the basic language on the commodore computer and so on, taking apart TVs and radios and figure out how things worked and so on. And I always wanted to kind of something as a trade, so that's why I became an electrician basically and started doing electric engineering and later on I did some electronics and so on, so I had a vocational education, not really went to college or something. And yeah, basically I grew into networking network infrastructure, network protocols, TCP/IP, and from there on at some point into cybersecurity. So it definitely wasn't something that I always knew about that I wanted to be in cybersecurity. It just rolled into it. As in I've always kind of followed the things that I find interesting and do what I find interesting to do.
Gordon Draper (09:03):
Yeah, I know what you mean. I've had a background in, played with computers in the nineties on the edge of things, so I learned my networking through LAN parties and gaming, and it was only a matter of time to get from there to network engineer. And so I went and did an electrical engineering degree, came out with data networking. Cybersecurity was always on the edges, so I know exactly what you're talking about that I think we are of the vintage That's not necessarily the very first thing that information security wasn't top of my time.
Ger van Hees (09:35):
No, Definitely not. Yeah, that was interesting. You talk about land parties at some point, I worked for BT in an office in the Netherlands in British Telecom. They were called BT centegra a year in the Netherlands. We basically had 30 or 40 people in the sort of area that we worked, and we had an entire floor of cyber geeks, so to speak, and we all after office hours stayed around and started playing DOOM or wolfenstein or something like that over the network and everything.
Ger van Hees (10:09):
Was good. Like LAN parties. Yeah.
Gordon Draper (10:12):
Another question is what kind of education qualifications and industry certifications? You've mentioned that you've got a CISSP and that you did vocation rather than going to the university route, but you've also been to the university.
Ger van Hees (10:25):
Yeah, exactly. Yeah, no, so I started the CISP certification. I did that in 2007. I felt that that was a really good way to learn about all the nitty gritty details of security together with another couple of people in the team I worked at that time. We had a study group, we went through all the domains and did the exam after probably three months or so, three maybe four months, and I passed. So that was really good. There was lots of studying and the exam at that point was not, it was paper-based, 250 questions, six hours in 2010. I did my CISM from ISACA, which was not too difficult at that point because I already had the CISP and there was lots of information was still the same, a lot about risk management and so on. So it was a little bit of add-on of some additional information.
(11:19):
And then I realised when I seriously want to go and get jobs in security, I need to have an official piece of paper, like a degree. And so I did my master's degree at the University of Liverpool, which was at that point also quite rare because I did it completely online. University of Liverpool was the first university in the world to do a completely online master degree in computer security. So the only time I was actually in Liverpool was graduation. And then from the years on, I did many more certifications. I'm always learning, so I did my CCSP, I did CRISK for ISACA, I did the CCISO not too long ago, a couple of years ago and very, very recently I got my official certified ISO 27001 lead implementer.
Gordon Draper (12:14):
Oh, very Good.
Ger van Hees (12:15):
Yeah, I've been doing security implementations, but now put a BE
Gordon Draper (12:20):
Piece of paper there. Piece of paper to help out. Exactly.
Gordon Draper (12:23):
So you currently run your own consulting firm, what kind of challenges do you come across in the hiring of the right consultant for the right position?
Ger van Hees (12:35):
I don't have any kind of personnel in my firm, but I work with other people like partners and so on, the type of consultant, which is really difficult to find other people with technical background, technical knowledge like you and I, and have knowledge from a security management point of view that know about risk management and know how to sort of translate technical risk into a language that CEOs and directors and so understand
Gordon Draper (13:09):
Plain Language
Ger van Hees (13:09):
in this kind of plain language, but business kind of language, try to explain the risk in such a way that it is understandable from a point of view of a business risk. Whereas a lot of technical people, a lot of security people know the technical side of security that can talk about firewalls and vulnerabilities and so on, not translate that into the more business side of things.
Gordon Draper (13:35):
Exactly. What does it really mean to a business? How can it really hurt Someone From the bottom line?
Ger van Hees (13:41):
Yeah, exactly. So translate that into a business where it's loss of revenue or a risk to the continued operations of the business achieving their goals, those kind of statements of what directors and board members understand and not so much about how many vulnerabilities there were.
Gordon Draper (14:02):
Exactly. I know exactly what you're talking about. What would you say that one of your most memorable experiences doing some consulting in cybersecurity would be
Ger van Hees (14:11):
Interesting for me to see that someone understands what you're talking about. And I remember clearly remember one of the moments where I was talking to a company in the Netherlands, it's like a small business, and we were talking about availability of his systems and so on, connecting it to the internet, and I was kind of explaining to him what the risks were, sort of when I explained to him what potentially the risk could be if a hacker or something like that would get into a system and disclose or get all this data about all this customers from a CRM and so on, potentially what kind of damage that could do to his reputation and what kind of loss he could get from that. I could see in his eyes that kind of light bulb moment like, oh shit, yeah, I never thought about that. And that is the moment that you see that people understand what you're talking about and why you're doing security, and I still remember that moment when that guy had that kind of light bulb moment in his head. Then I felt, this is why I'm doing it. It's that kind of making people understand why security is so important. That is important for me.
Gordon Draper (15:28):
Definitely. I recently introduced someone to the cybersecurity field. They went through something very similar. It's just like, yeah, yeah, it's not that important. What are you talking? Oh, you mean that can happen and that can happen, especially in Australia. We've had the Optus breach in the last couple of months where 10 million records were taken. That's now from people across the general public. You hear your Uber driver talking about, do I need to change my driver's licence and Medicare number?
Ger van Hees (16:02):
And that's where the impact becomes real, right? I mean, so sort of at some point theoretical talk about disclosure of personal information and so on, but when someone gets hit by the fact that their identity has been stolen, a bank loan has been taken out in their name or something like that, that's when it hits that it's real, and that's why we are doing all these security things to protect them.
Gordon Draper (16:27):
Yeah, it's definitely bringing more awareness to People.
Ger van Hees (16:29):
Oh yeah,
Gordon Draper (16:30):
Absolutely. This leads to another topic, the potential ramifications of Australian government, bringing in more privacy regulations should be an interesting to see whether we end up with a GDPR or equivalent For Privacy.
Ger van Hees (16:46):
Yeah, absolutely. Absolutely. Yeah, it is. Lots of discussion around the privacy Act already with last year they kicked off with a privacy act review and we'll have to see where it goes, but there's lots of different things to that can improve. I'm thinking for example about the exemptions for small companies. Obviously for the small companies, it can be very cumbersome to implement lots and lots of security measures around personal information. But even a small company, if you have a small company with, I don't know, five people and you have only 2 million or 3 million of revenue or whatever it is not below that level that makes you exempt from that breach notification, you could still potentially have hundreds and hundreds and hundreds of records of people that could be disclosed and why shouldn't they be
Gordon Draper (17:40):
Covered by this
Ger van Hees (17:41):
Kind of that they have to disclose any kind of breaches and they have to put all the security message in place to protect it, just like the big companies. So there's pros and cons, but if the Australian Privacy Act would be reformed to something like GDPR, there's definitely going to be a lot of work coming up for lots of Companies.
Gordon Draper (18:02):
Yeah, it could be a boon for the Cybersecurity Consulting in Australia.
Ger van Hees (18:07):
Absolutely. Yeah.
Gordon Draper (18:09):
We've recently just been at the AISA Cyber Con Melbourne. What have you seen or heard at the conferences recently that really stands out to you?
Ger van Hees (18:18):
Yeah, there have been lots of different interesting talks from quantum computing and the risk to confidentiality to encryption and so on. That is an interesting area, but there was one talk that I saw about, I don't remember exactly what the title was, but something about the mess about all the security standards that are out there, like nist, the cybersecurity framework and the ISM and er CPS-234 and ISO 27000 and so on. There are so many security standards out there that for companies, it's very difficult to understand what applies to them and what are the requirements exactly what kind of industry are we in and what do we know? And that's where consultants can be of a big help. It was interesting to go through the different standards that the speaker was going through, all the different standards, and it kind of dawned that, and I already probably had kind foreseen that ISO 27001 is really the standard that covers most of it. When a company would implement ISO 27001, you'd cover like 90% of all the other standards as well.
Gordon Draper (19:36):
I saw a mapping previous position I was with that compared ISO 27001 with NIST 800-53. ISO 27001 did cover around 90%, but there was the 800-53 is ridiculously Huge.
Ger van Hees (19:52):
It's huge. It's like NZISM as well, or ISM here in Australia or NZISM In New Zealand, you're talking about, I don't know, like 900 different controls or something like that is huge, which are really sort of all technical controls, whereas ISO 27001 is more of the, it's a little bit higher level, but it's more around managing information security in your organisation such that it is much, you have a much more sort of stable environment and exactly what you're doing and what your security posture is at all times.
Gordon Draper (20:31):
As you described, it covers 90%, I think it's the 27002, which is the controls library for that suite that's getting on the ridiculously huge as well for the Technical controls.
Ger van Hees (20:41):
So they have recently in 2022, they have brought out a new version of ISO 27,002 So the controls, which was basically, it previously was called best practise or something like that. Now it's called information study controls. And there are 93 controls in four different categories. So it's not huge.
Gordon Draper (21:02):
No, no, it's.. must have misunderstoog
Ger van Hees (21:05):
They brought out a new version and it was from down from a hundred and I think 120 or 124 down to 93 controls. That's really good. That's
Gordon Draper (21:15):
Quite good progress. So moving on to pop culture, do you have any cybersecurity or hacker movies that you've seen? Is that an interest of your, I mean, you've got the business of keeping businesses as protected, but is there a quite hoodie with an anonymous mask on in the background in any of your movies?
Ger van Hees (21:38):
Yeah, it's an old movie's called The Net, which Sandra Bullock probably remember that, which is about identity theft and she has to find out what happened and so on. So that's a really good one. A TV show that I really liked was Mr. Robot. You've probably seen that. That was very interesting. Lots of twists and turns and so on, and looking into that future where there's all cryptocurrency and everything and was interesting, the dark army of hackers that they had to fight and he was like the evil one, but still also the good one and different people at the same time. So that was interesting. Yeah,
Gordon Draper (22:18):
Yeah, definitely added Mental health issues to the mix as well, that particular show.
Ger van Hees (22:23):
And one talking about mental health or something that you touch on. But yesterday and the day before yesterday, a broadcast on 10 here in Australia, and it's called Mirror Mirror. It's about social networks, and he kind of touches on interesting things about, for example, relationships, about bullying, about identity theft, about artificial intelligence and so on. Showing all those sort of negative social aspects from social media, which is not really about hackers, but about more about that,
Gordon Draper (23:03):
The way the social network
Ger van Hees (23:04):
Aspects of the cyber world, so to speak.
Gordon Draper (23:08):
And of course you've got the pop culture, black mirror showing the dark side of what things can happen with technology.
Ger van Hees (23:18):
I didn't see all of them, but I saw a couple and it's a very interesting one, which of course it gives you this very sort of uneasy, awkward feeling just watching that show
Gordon Draper (23:30):
Uncanny Valley. Yeah. If you've been to a number of different places around the world, if you could live anywhere in the world, where would it be?
Ger van Hees (23:40):
I mean, like you said, I've been to lots of different places and I definitely like the United States just because of the diversity of the country from big deserts to major cities and everything in between, the mountain ranges and so on. I love Italy. Italy is a fantastic country. The people, the food, the climate, it's all awesome. But the country that I ultimately love most is New Zealand.
Gordon Draper (24:08):
Oh, very nice.
Ger van Hees (24:09):
And that's why also I became a New Zealand citizen. I will probably go back to New Zealand at some point to retire or something like that. So if you ask me where I would want to live, it would be in New Zealand.
Gordon Draper (24:21):
Awesome. Moving back to the consulting world, what's one thing in your consulting history, you've worked at different businesses, but have you worked at different consultancies other than your own?
Ger van Hees (24:34):
I've worked for different companies in consulting roles, not so much always for a consultancy firm, consultancy internal in, for example, big banks and insurance companies and telcos and so on, where as a consultant security consultant, you basically are consulting to the business in the organisation, helping them with, for example, projects where they need to implement security in the projects and basically in the organisation in the bigger picture. And an interesting one, for example, is where I worked for the New Zealand Qualifications Authority as at that point, what they call security and risk advisor. Basically helping the organisation to be risk aware and compliant with the regulations. Being a consultant, but internally in an organisation is interesting. And being a consultant in a consultancy firm, consulting to clients is interesting as well, but it's a different sort of,
Gordon Draper (25:40):
Definitely different. Yes. Has there been anything that sort of consultancy firm has done that you didn't necessarily expect that might've been a bit of a surprise?
Ger van Hees (25:50):
Well, I remember working for a consultancy firm that decided to tie themselves to a specific product from a technology point of view. And so as the consultant, we always had to advise the client to implement that particular product, which I think is not the right thing to do
Gordon Draper (26:12):
Because You Should be technically agnostic.
Ger van Hees (26:15):
Exactly, exactly. Every client can have a different situation where they need a different type of product or a different brand. You have to be agnostic of technology. Exactly. So I didn't really like that, and some of the situations that I ran into at that place kind of made me decide to move on and then definitely learn from that, that you need to always be sort of independent and agnostic of technology, although you obviously have a sort of preference for certain types of technology or certain products because just that they are good products, but don't stick with one product.
Gordon Draper (26:53):
I think that's a very good learning lesson to take from that. What is one common myth about the consulting industry?
Ger van Hees (27:00):
Well, I think the myth that out there is that it's all for the money. And obviously the consulting world is, there's big money in it. There's lots of consultancy hours and hourly rates of especially the bigger consulting firms are really, really high. Most consultants aren't always about the money. Most consultants, if you look into their heart, they really have the best interests in their clients and they want the clients to get the best possible solution. Obviously, they have to bill the hours, and at some point as a consultant working for a larger consultancy firm, you have this sort of target that you have to reach so many billable hours per month and so on. But I think that for most consultants, that's not the main driver.
Gordon Draper (27:47):
Fundamentally, what I've seen is it's a lot of these consultancies, it's still a service driven position, and so it's still fundamentally, it's almost like a service desk, especially the internal ones, internal consultancies where you are dealing to other divisions in the business, other teams in the business, you're effectively like a service desk providing cybersecurity support. And so cybersecurity help, and I think that even as a external cybersecurity consultant, you are still providing a service to help people out. Obviously, one of the things of the biggest myths is it's not always about, Hey, we found these vulnerabilities or problems or gaps. Now we'll sell you the solution and then we found some more gaps, so we need to sell you another solution, and it's just a continual engagement so that you can continually upsell. And it's not necessarily always like
Ger van Hees (28:45):
That. No, it's not. It's not. But I've been in situations where management said like, oh, they have, well, they had bronze, silver, gold kind of contracts with the clients, and they said, this customer just pays for silver, so you don't want to give me more kind of service than they should get. Whereas I am more kind of customer driven and I always thinking the best interest of the customer, but management was, no, no, we don't want to do more than we have to do because they're only a silver customer. That's not the way it should work. Yeah,
Gordon Draper (29:18):
We're trying to help people here. Exactly. I'm sure you've come across some situations where you've learned some lessons throughout your career. What's one of the most important lessons you've learned?
Ger van Hees (29:30):
Learned? Probably the most important lesson is that I think security is all about people actually. There's lots of technology involved and so on, but ultimately it's all about people. We are talking about protecting people's data, protecting a company that has their crown jewels or something like that, but basically you're protecting the company because of the people that work in the company. Plus also what I think is that your last layer of defence insecurity and information security are your people. It is true that more than 80% of, so cyber incidents have some sort of human factor involved. It's not only the people that are attacked, but also the people that are your last layer of defence. So
Gordon Draper (30:20):
Very,
Ger van Hees (30:21):
Whatever kind of angle you look at it in information security, it's always about people.
Gordon Draper (30:26):
Yeah, that's a very important lesson that people don't realise until a bit further down the track. It's not just about the cryptography and the firewalls and someone trying to hack websites, and there's a great picture where it's in one corner of the ring, we have all these technology of computers and firewalls, and on the other corner of the ring we have Dave,
Ger van Hees (30:51):
Like all the technology and so on. They are measures that you can help, that you put in place to help with security, but ultimately it's all about the people.
Gordon Draper (31:01):
What sort of advice would you give to someone that's just starting out in cybersecurity now? They're maybe career changing or they're starting out as a uni student or even TAFE as technical further education, so vocational trade level, moving into cybersecurity. What's one piece of advice you'd give to someone starting out?
Ger van Hees (31:20):
So there's lots of pieces of advice that I could give, but it really depends on where you currently are. I would say if you have the possibility to start in an IT role, for example, on a service desk or as a system administrator or something like that, even if it's as a junior kind of role, do that because there you'll build important experience, starting to learn about systems, starting to learn about networks. Those kind of things give you that kind of foundation of technical knowledge that is important to understand what security is and why are we doing it. So that's a good kind of way of starting out. If you have the possibility to do some sort of course, that would be a good idea. For example, the Monash University here in Melbourne has a 24 week cybersecurity bootcamp programme that is very good. It takes you from the basics of information security. I want to start to talk about confidentiality, integrity, availability, and risk and so on through encryption and system administration and networking, all the way to hacking and pen testing and so on. So you get a whole, not too detailed, too technical, but a whole sort of broad idea of what security is like and that really prepares you for an entry level role, like a security analyst or something like that.
Gordon Draper (32:51):
That's some really good advice. Getting out into bootcamps. I know I've come across people that have picked up. I've been involved with the alumni of the university that I've been at, and they've been running bootcamps as well, but I think it's the same type of organisation that's running these bootcamps through these universities, and you get to see some of the presentations of what they've learned over their projects and what they've learned over the 24 weeks. It's getting to the point where they've learnt a reasonable amount considering where they're starting from.
Ger van Hees (33:26):
Yeah, exactly.
Gordon Draper (33:26):
Obviously these sorts of, the learning curve is huge and it takes a long time, but they've done well out of their six months.
Ger van Hees (33:34):
Definitely something to look into.
Gordon Draper (33:36):
So you are mostly dealing with regulatory type of things and auditing and providing advice from, as you said, the ISO 27001 lead implementing, for example. What kind of tools do you use as part of your job? What would you say is one of the underrated tools?
Ger van Hees (33:54):
That is quite a difficult question. There's so many tools. I'm not entirely sure what would be underrated. What a tool that I really like for doing assessments or assessments against as a free tool is the NIST Cybersecurity framework. It is something that you can easily get. You can download it just from the website from nist, and it's if you kind of learn that the website also has good education, sort of training around what the NIST cybersecurity framework is and how to interpret it and how to work with it and gives you that kind of knowledge on, have a look at your current situation and see where your gaps are and create a roadmap. So that is very helpful and I think lots and lots of organisations could use it to improve their security even without having to go through implementation projects like ISO 27000 and so on. I would say that's sort of an underrated tool that is easily be used, but I think the tool that is most underrated is people skills, communication and brain. Just think about what makes sense and whatnot. That's very often your gut feel will tell you already what is right and what is not. Right.
Gordon Draper (35:12):
Definitely. Coming up to the last question or two, what would you say are three cybersecurity books that you would recommend?
Ger van Hees (35:20):
So the books that I really enjoyed reading, the first one is called Ghost in the Wires from Kevin Mitnick,
Ger van Hees (35:28):
Which is really interesting about him hacking his way into all kinds of systems over the years. Another is a bit more technical, but it's applied cryptography from Bruce Schneier. If you want to know about how cryptography works and how it is applied in networks and computer systems, that is a very interesting book, a very interesting book, but more from a people side, which I do. I also do a lot of security awareness programmes is a book called Transformational Security Awareness from Perry Carpenter, which talks all about human behaviour and insights into that and how to use that to transform your security awareness programme into a security culture improvement programme.
Gordon Draper (36:19):
Well, first of all, I'd like to thank you very much for your time and sharing this interview with us. So where can listeners find you online?
Ger van Hees (36:27):
Obviously my LinkedIn profile. Just search for me. Ger Van Hees, and you'll find me. I am also on cyber market. Yeah, I don't know. Just my website, perhaps. My consulting
Gordon Draper (36:40):
Website,
Ger van Hees (36:40):
Which is a very simple vanheesconsulting.com
Gordon Draper (36:44):
Well, thank you very much for your time. I really appreciate you spending some time with us today, and I look forward to seeing you online line. And with that, we conclude another insightful episode of the Cyber Consulting Room. I'd like to extend a heartfelt thank you to our guest, Ger Van Hees for sharing his invaluable expertise and experiences with us today. Ger, your insights into the world of cybersecurity consulting have been truly enlightening, and we are grateful for your time and contributions to our podcast. To our dedicated listeners, we appreciate your continued support and for tuning in. If you found today's episode as enlightening as we did, don't forget to subscribe, rate and share the cyber consulting room with your colleagues and friends. Stay tuned for more thought provoking discussions with our industry experts in the world of cybersecurity consulting. Until our next episode, stay vigilant in the world of cybersecurity and keep seeking expert guidance in your consulting endeavours. Thank you for being part of the cyber consulting room community.