Cyber Consulting Room

Cyber Consulting Room - Episode 8 - Mark Nicholls

Gordon Draper Season 1 Episode 8

 Mark Nicholls, CEO of Information Professionals Group, shares his insights and advice on cybersecurity and information security. He emphasizes the importance of learning from mistakes and taking an iterative approach to career development. Nicholls also highlights the significance of threat and risk assessments in cybersecurity decision-making. He mentions the movie "Leave the World Behind" as a recent cybersecurity film and discusses two books he is currently reading: "Recoding America" and "The Age of AI." Nicholls suggests that executives and managers need to have a basic understanding of digital and cybersecurity concepts. He also mentions his preferred locations to live and invites listeners to connect with him online. 

Gordon Draper (00:00:01):
Hi, I'm Gordon Draper and I'm the host of the Cyber Consulting Room podcast. Today I have Mark Nicholls, the CEO of Information Professionals group based in Brisbane, Australia, who provides consulting services to high profile Australian government and industry clients in digital transformation including cybersecurity. Welcome, mark. It's great to have you here today.

Mark Nicholls (00:00:25):
Thanks, Gordon. Very happy to be here. Thanks for the invitation.

Gordon Draper (00:00:29):
You're welcome. So you are the CEO of Information Professionals Group. How did you get into working with the cybersecurity and information security industry?

Mark Nicholls (00:00:40):
Thanks, Gordon. Yeah, so I've probably taken a long road to get here. Our company has for many years been involved in digital strategy, technology strategies for our clients and also in helping them with implementation of digital transformations and major systems implementations. And then what we've found particularly over the last five plus years is you can't be developing strategy for clients and you can't be running major implementations without having a lens on cybersecurity as part of overall risk. And so we've developed more capabilities in risk in cybersecurity as a result, and now we offer that as a service as well. So it kind of compliments the ability to actually digitise your organisation and deliver services through digital comes with risk and one of those risks is cybersecurity. So you need to be considering that, and it's a reflection of how cyber is really just becoming pervasive to everything that happens in an organisation now, and therefore it's just another thing that companies and government organisations need to be looking at.

Gordon Draper (00:01:54):
Yeah, there's some serious threats around these days and it is not just affecting the military and the big banks or the big governments, it's affecting the mediums size, small to medium as well. Anyone can get hit

Mark Nicholls (00:02:10):
Well completely. That's right. And look, I think that's what's changed a lot is the industrialization of cybersecurity and the actors out there means that you're not necessarily being targeted. You just happen to be swept up in this sort of random industrial scale attack patterns that can be underway. And so the threat landscape has changed now where organisations that you maybe thought, well, why would we be targeted? It's like, well, you're actually just part of a random number and you've managed to be the unlucky sort of lottery holder in this case. And so every organisation needs to be thinking about how do they protect their interests as a business person and with the threats to their operations in the same way that your access to finance, access to cashflow, access to telecommunication services. And of course we've seen what that means with the recent outage. These are all business risks around whether in fact you can run your organisation. And cybersecurity is very much one of those. There's obviously a lot of technical disciplines associated with it, but it's not purely a technical issue. It's actually a business issue

Gordon Draper (00:03:28):
Completely. You touched on there was a telecommunications outage of Optus here in Australia last month and recently, and that affected businesses from everything from being able to, I think there was a train services in Melbourne, Australia were affected by this and hospitals and just by not having a telecommunications network for eight hours had a widespread impact on the economy.

Mark Nicholls (00:04:02):
Yeah, look, I think it was a really interesting case study, isn't it, Gordon? Because even though it was a telecommunications outage, which wasn't caused by a cyber incident, it could well have been caused by a cyber incident. And it's a perfect case study of the types of scenarios that might play out in a large scale cyber attack and the cascading cause and effect across the economy. It's also a good example of how to manage or not manage, and I'm not going to get into being too critical of Optus, but the bottom line is things take a while to recover and there can be little control about speeding that recovery time up. And so how you communicate with stakeholders and how do you keep them informed, therefore becomes important. And for the most part, a lot of the criticism of Optus was around their ability to communicate.

(00:05:06):
And so again, we're seeing the integration of a technical discipline, which is being able to detect a cyber incident, actually diagnose that effectively, and then be able to respond and recover. But that's coupled with the ability for the communication or the company to be able to communicate effectively with its stakeholders and take business actions in parallel with the technical actions from the cybersecurity teams so that they're actually working with their stakeholders appropriately. Now, Optus probably didn't do that as well as what many people would like, but the failure was not so much the cybersecurity capability, it was more about corporate communications, crisis communications, how that organisation works together effectively internally. That was probably most of their root causes. Again, I don't want to be too critical of Optus. It's always easy when you're on this side rather than on their side, but there is lessons there that we can learn. And most of those lessons, I think for the most part were around good communications techniques and business related issues, not technical, cyber related issues.

Gordon Draper (00:06:16):
It makes for a perfect example of a case study that can be used in tabletop exercises. While this is an outage of a telecommunications provider was a technical glitch, it wasn't a cyber attack. Cyber attacks can do this and have that same effect. And so that's one example of the telecommunications provider, their board of directors and incident response teams and putting their incident response plan into practise. That's one use case for Optus. However, it's something that needs to be considered with everyone's tabletop exercises for the incident response plan. What happens if the telecommunication network is down while you are having a cyber incident? How do you communicate with people?

Mark Nicholls (00:07:11):
Correct. Yeah, exactly. Yeah. And of course that seemed to be some of the other lessons there in that Optus situation, they were communicating through internet where most people actually didn't have access to internet at that time. And so yeah, how do you actually look at alternative communication mechanism so you can actually bypass the very issues that you're trying to tell them about?

Gordon Draper (00:07:34):
So one thing that I gleaned out of that is that the top level executives at Optus had backup SIM cards from alternate telecommunications providers so that they could still communicate in the case that the entire Optus network goes down. Is that something that we should be recommending to all executives above a certain level that if their chosen network provider goes down, that they have a backup communications, especially in the case of a cybersecurity incident happening? There is a meme, a joke about they're having a teams meeting with all of the stakeholders internally and the incident response teams and also the attacker happens to be in that meeting and he's constantly making fart jokes.

Mark Nicholls (00:08:38):
Yeah, exactly. Yeah. Well, I think that's right. I think there is a need for understanding those risks. Now, is it appropriate for everyone above a particular level having a secondary communications provider possibly, or is a bit more nuanced than that? It might be based on the type of role that they have, and that could be certain senior people, but actually might be some very critical operations people who are lower down in the organisation as well who might need to have alternatives. I know myself personally, for many years, I've got sims in my laptop and in my surface I've got a SIM in my mobile phone and I spread across both personally spread those subscriptions across both Telstra and cost providers for that very reason. Yeah, that's a personal choice I make, and I know there is others who do that, and we've just sort of taken that decision internally within our company.

(00:09:44):
So we didn't have that widespread, but we do have a couple of us who do have alternatives, and I think that's the case for most organisations. They should be looking at having some alternatives and backup plans so that they've got to minimise certain single points of failure for high risk activities. I know this week for instance, in our company had a number of big proposals are going, we've got a final one that gets finally shut off this afternoon. And so sometimes you can be running tight on schedule on getting proposals in and they could be weeks' worth of work. And of course there's a particular hard deadline if you don't get in by that particular minute or second. And if you were to have an internet outage at that point, like an Optus outage, then you can be in serious difficulty and it could be weeks worth of work that's been wasted and a major opportunities no return

Gordon Draper (00:10:41):
On that either because you're not in with the chance for the tender.

Mark Nicholls (00:10:44):
Correct, exactly. Situation. Yeah, so they're the sorts of risks that are most material for us. We are lucky though, Gordon, in that we don't have a lot of operational day-to-day, minute to minute responsibilities that we have to look after on behalf of our clients, but many organisations do. And we saw that with the Optus breach, not the breach, sorry, the communications outage is that people weren't able to do their jobs and they weren't able to look after their clients. So yeah, they should definitely be looking at mitigation options to avoid single points of failure. And this comes back to business risk, which is one of the biggest things that I talk about a lot when I'm talking about cybersecurity risk with clients and others is you got to get back to a business risk at the end of the day. There can be lots of talk about technology risks and technology scenarios and cybersecurity incidents, but what's the business impact and that you're trying to protect here and what's the implications of that business impact?

(00:11:47):
So in this case, if there's a communications outage and communications outage is for say one day, what does that one day mean for you as a business? Does that mean you don't earn any revenue for a day? Does that mean that maybe you're not able to deliver contracted services to your customers for a day and therefore you you're open to penalization through based penalties, for instance? Or does it mean you can just survive for a day and pick it up the next day? Every business is a little bit different, but there's easy ways of quantifying these risks. And of course that's the basis on which you can decide on your investment to mitigate them as well. And some companies do that really well, some don't, but I think that's always an important focus. What's the implications for a business as a result of certain incidents?

Gordon Draper (00:12:39):
Exactly. One example is the push pull associated with, oh, I need to patch my software on critical infrastructure for the business in the case that I can, there's a software vulnerability, a security vulnerability on a piece of software or an appliance or a tool that is providing the backbone services of that company's infrastructure. And during that, in order to update that, they'll have to take it offline. And in doing that would require a certain loss of potential revenue or uptime. And I've heard one story of talking an interview with some chief information security officers recently where one of them was literally saying, well, I'm all about uptime. It is only about availability for me, and if I have to turn off something to apply a security patch, well, we're just not going to do that. And then you end up with situations where there's a current security vulnerability at the moment called Citrix Bleed, which is the one that affected, it's affecting organisations around the world right now and not everyone's patching it when they should have been.

(00:14:04):
I think it came out in July and then there was a patch in October and people haven't been patching it because it's on a device called a Citrix NetScaler, which is a device that sits on the internet. And so it's internet facing and it allows people to connect into remote desktop of Windows machines and servers. And this vulnerability allows people to just unauthenticated. So no requirement that you actually have to sign in, you can just grab someone else's session and a token and take over it. And so suddenly you can have access to the Windows computers behind a firewall just by using this, but people aren't patching this vulnerability. And so ransomware attackers are coming along and going, well ransomware attackers are actually pretty good at reverse engineering patches and deploying widespread industry scale attacks and maximising it within a few days within hours. And so they're going around and one of those that hit the Australian Ports DP World that hit them, and it's because of this netscaler vulnerability.

Mark Nicholls (00:15:38):
So look,

Gordon Draper (00:15:39):
The uptime is a big thing associated with this. And then this interview also talked about the cost difference between the revenue versus the impact. And also then there's paying the ransomware, all these factors need to be taken into account.

Mark Nicholls (00:15:56):
Yeah, definitely Gordon. So there's two things there. One is, and it's notable, you mentioned that the DP World, because that dilemma of do we maintain high levels of uptime versus do we shut down to actually do a patch upgrade? It's particularly notable in more operational technology settings versus information technology settings, not exclusively, but in operational tech. Of course there is a whole thing around the utility grade. Utility grade service means it's like a telecommunication systems for instance. It's 24 by seven, literally continuously with no downtime. And so utility grade, obviously operational technology also applies to utilities, electricity and water and so forth. And there is an expectation that they are always on. And so that predisposes those environments potentially having to be always on, so therefore lagging in terms of patch cycles. And so that dilemma of do you actually shut down the patch is probably more prone to manifest in operational tech environments rather than information technology environments because information technology, there's often upgrades and so forth happening and not always the expectation of 24 by seven without stoppage. So DP World of course are quite notable in operation tech as well as information tech. And so that's the first thing is there's certain industries that are more prone because of that expectation on uptime that the second thing is if SISOs are making that decision, and you mentioned one Gordon that's going, look, we are not going to be shutting down because we pride ourselves on 24 by seven. Well, that's fine for the siso, but is that really the CISOs decision to make or is it the That was

Gordon Draper (00:17:52):
Actually, it was a KPI that had been set up by the board. Right,

Mark Nicholls (00:17:56):
Okay.

Gordon Draper (00:17:56):
So the executive management and the business had been pushing that this needs to be, and so this chief information security officer was referencing that it needed to be uptime because the board was pushing for it.

Mark Nicholls (00:18:09):
Right, okay. So I mean that's the board's

Gordon Draper (00:18:12):
Prerogative. It's a decision that someone needs to make and it's sizer and above.

Mark Nicholls (00:18:16):
So the board has their prerogative, and so hopefully they've made that in a sort of well-informed way and in that case that that's fine, but hopefully the board's also going well. Yeah, there is a creeping risk here. And so there's a short-term outage which can create a short-term issue in terms of outage, but there's also a building risk over time through having these patches. I know that risk will change depending on the nature of threats that are emerging. And you've mentioned that one with that Citrix scenario. So it's not a static environment. And so therefore while the board have made a static set of KPIs that also needs to be revisited and the SISO hopefully is also having the opportunity to actually push these issues up to go well, yes, but the threat landscape at the moment means there's this particular scenario and that these situations are happening.

(00:19:10):
And so it's a threat intelligent view coming back to the board to go, well, maybe the threat landscape has changed and so this creeping sort of risk is actually accelerating right now because of this particular scenario that we're seeing. And so then maybe it's rebalancing this short-term issue of an outage versus this accelerating risk profile, and so therefore we probably do need to shut down. So yeah, I think it's okay complying with those KPIs, but at the same time, given the nature of the environment we're working in, rich profiles change pretty rapidly. And that example you've raised is probably one where things maybe shift the dial for that board and the board needs the opportunity to review that. And if they don't, then an CISO hasn't had a go informing them, then he's probably not doing his job as well as I'd like him to see his job

Gordon Draper (00:20:05):
As well as we'd like to see them doing the job that way. There's also the issue recently where the SEC actually went out and has sued for case a civil suit against the chief information security officer of SolarWinds from that SolarWinds supply chain incident that happened in 2020. Apparently they'd been turning around and saying to the shareholders and to the market that their cybersecurity was tip top, it was up to grade, and that they were meeting all expectations. And one of the things that came through with that was that the SEC actually quoted from some investigation files, including a chat log between engineers actually saying that this company is not security minded at all. And so they've called out the business including the directors on fraud and the chief information security officer directly. Actually, I'm not sure if the directors, I think it's just the company and the chief information security officer personally.

Mark Nicholls (00:21:28):
Yeah, I heard that story, Gordon, and I was asked recently about whether we'll see those type of litigations happening here in Australia. And look, I'm not aware of any executives being targeted in that way. ASIC here, which is effectively very limited. SEC in the US certainly has targeted companies for poor cybersecurity practise and there has been fines and some penalties issued. Will it get to a point where they're targeting executives? I think it is possible. Let's face it, the regulatory environment around cybersecurity is only going in one direction. It's becoming more onerous and more expectation on performance. And so will there be a time when even ASIC in Australia is actually targeting executive performance or targeting board performance is pretty possible and maybe quite likely. It's just a question of how long it's going to take before they get there. And of course, what sort of behaviours are happening in the marketplace and how easy it is to get evidence to prosecute those behaviours. All those things are unknown, but yeah, it is possible because heading in the same direction as every other country is, which is increased regulation, increased expectations on all organisations to be maintaining high cybersecurity practises and increased penalties to try and enforce compliance.

Gordon Draper (00:23:08):
Yeah, it's definitely an interesting environment. The increased regulatory is definitely happening. One of these podcasts that I was listening to was just saying, well, we've had 20 odd years of saying don't regulate us. We'll take care of it. We've had a chance.

Mark Nicholls (00:23:26):
Yeah. Well yeah, so everything's changing. So obviously the threat landscape's changing. Yeah, we talked about industrialization earlier. The education of the community out there is changing and their expectations of what's reasonable in the marketplace is becoming much more informed. And so governments are responding to that as well. And so governments here for responding to that, increasing regulations to try and enforce higher behaviour. So yeah, as I said, it's all going in one direction. I can't see it swinging back anytime soon. So yeah, I think we just need to go with the flow in terms of that trajectory and that is high regulation, high expectations on performance, trying to be on the curve or ahead of the curve in some cases for most organisations. And look, we have worked with organisations Gordon that have been ahead of the curve. They've gone, look, we don't need to be ISO 27001 and complied, but we probably think our clients are going to want that in the future. And so we're going to invest and we're going to make sure we've got that capability in house and then we're going to be profiling ourselves to our clients to go, look, we're ahead of the curve. And they're using that as a competitive advantage in advance of them being forced to do so. Some companies are seeing it as an opportunity as well.

Gordon Draper (00:24:53):
Definitely. That's a very good point. So one of the questions I've got, some of the prepared questions I have, did you always want to be related to information, so cybersecurity or information security or involved with this information professionals group?

Mark Nicholls (00:25:17):
So I go back five, well 10 years, 10 years ago, and I probably wouldn't have seen that I would be as involved in cybersecurity as I am these days. It's just a natural progression really. I mean one thing about the IT industry is that you are always evolving, you always have to evolve. There's always new techniques, new technology, new methods, new business applications of technology. And so you always need to be evolving. And so cybersecurity has become a very natural element of how we deliver our services and how we work with our clients. But if you go back 10 years ago, I probably wouldn't have suspected as much as it is. I think it was definitely growing pre pandemic, but the pandemic was definitely a massive accelerator to this agenda. And so I kind of have just fallen to some degree. It sort of emerged into my life as opposed to it being particularly targeted versus some people I think out of the last 5, 6, 7 years have been very targeted around, okay, I'm going to position into cybersecurity as a definite direction to my career or for my company. And we probably started doing that to blending that into our services five years ago. And so I've kind of fallen into cybersecurity a little bit, Gordon, and it's a compliment to what we do with our clients anyway and maybe a little bit different to many.

Gordon Draper (00:27:02):
Have you been involved with the digital transformation for that industry's been moving since the nineties, so how long have you been involved with, when did you get started with the digital transformation side of things?

Mark Nicholls (00:27:18):
Look, I don't want to go back and count all those years, Gordon, but

(00:27:24):
My world of digital started back in high school when I completely shifted from wanting to be a chef and being one of the rare breed that actually try and do cooking at high school. We're doing a long time ago to my eldest brother doing electrical engineering at university, bringing home a little 80 80 processor and me playing with assembler and basic programming on that and becoming a math science and computing guy and realising at that time all the amazing applications for this new technology. So we're talking about late seventies, mid to late seventies and me imagining these amazing applications for what technology can do and then starting to read about some of the examples that are around like the S flight reservation system as one of the early game changers in terms of digital transformation for that industry. And you're right, I mean the whole digital transformation of industry has been underway for decades and decades and there's just a continuing evolution for what that means. The latest of course is AI and very notable in the cybersecurity world, but very notable across digital transformation, business productivity, your whole range of areas that has implications for and great opportunity for industry and government, but also there's some risks and threats there, right?

Gordon Draper (00:29:06):
Large language models in particular, and the use of artificial intelligence. I wrinkle at some of this use of the term artificial intelligence, really just predictive text, advanced predictive text. It's very good at fooling us into thinking that it's intelligent, that's a very large area is affecting society everywhere associated with that. Everything from it will see productivity improvements, but it doesn't mean that everyone's getting three day weeks out of it. It would just mean that it will get things done a bit faster.

Mark Nicholls (00:29:50):
Yeah, the four hour work week dream, everybody thinks that's possible, but no, you're right. AI probably holds out great promise at the moment for that productivity, but I agree with you, it's not going to necessarily result in three day weeks. It's more about speed of output and speed of outcomes. Hopefully its pervasiveness is I think very similar to what say smartphones or before smartphones. Internet access has done, it empowers individuals to be able to produce more, be more effective, certainly be more efficient. And so that's where its pervasiveness is similar to those too. Some people are saying, oh no, it's much, much more than that. Well, that may be true, but what it shares in characteristics is the ability to empower individuals to be more productive and can do that without corporate needing to help them without mean corporate can support them and can guide them, but even if corporate's not doing that, people can still empower themselves effectively with these tools and that's where it's massive opportunities.

Gordon Draper (00:31:03):
Definitely. I'm seeing some the effectively bringing in artificial intelligence tools into the organisation and training it on organisation specific data rather than risks associated with people just going to chat GPT and uploading confidential data into the feedback loop where it absorbs the data as well as provides an answer.

Mark Nicholls (00:31:32):
Yeah, correct. Well, I think

Gordon Draper (00:31:33):
That's people are giving away the company's secrets just to get a little bit of help.

Mark Nicholls (00:31:40):
Yeah, well, exactly. I think that's the next stage of industrialization is certain companies have got those more private use of AI engines, which is leveraging off defined data sets rather than any old dataset, and they've got private control over that. That's more major enterprise scale solutions at the moment. The democratisation of those types of more personalised arrangements are typically not there for smaller companies or even individuals that will come over time. But yeah, this is wave of change that we'll see where not every company needs to just leverage off a generic model like GPT, they can have a more personalised, customised experience and hopefully do so in an affordable way and avoid some of the risks and potential bias and issues that might be there through the more generic models. Right?

Gordon Draper (00:32:50):
Yeah, you definitely, well, these niche models, as I think they're being called, are the smaller models that are being based upon the bigger models. So even though there's based data training data going into the larger ones, which even just the other day they prove that there's, I'll just mention it, but some bad data such as child pornography for example, was used to train chat GPT and things like that. They took the entire internet and everything that's on it. And so some researchers proved that some of the results that are coming through and leaking some of the base data included some of this data set. And then these space data is then being used to create the niche data that is being used for these organisations. And it's very unlikely that one of these employees is going to be asking about that kind of thing. But you got to wonder about what the overall impacts are with. There's always some troll trying to change things to poison things, unfortunately.

Mark Nicholls (00:34:12):
Well, that's right. Yeah. The traceability or providence of ideas, information knowledge is very abstract in a lot of these engines. So that's one of the risks is where is that come from, that concept. And there's a number of AI ethics concepts and don't proclaim to be an expert in them, but one of them is explainability. And so that explainability concept from an ethical perspective when it comes to say, jet GPT and what it says to you is very abstract and very hard to define lineage from research sources through to a piece of text that it's telling you about. And look, I've certainly had the case, I'm sure many of your listeners have of very, very clear cases of AI hallucination code for just making stuff up. And you look at this, I've had it tell me about certain institutions that exist with domain names verifying the existence of these institutions, but they just clearly don't exist. You can't find any evidence of it anywhere. But the a i chat engine has told me, for a matter of fact, these are these institutions, this is their names, this is what they're about, this is their domain name completely makes this stuff up. So yeah, you need to be cautious about their use and there is danger in taking them as too much of a effect. Well,

Gordon Draper (00:35:52):
As an aside, internet facing websites, for example, Chevrolet in Wisconsin, I think it was, had a chatbot that said, Hey, let us help you with answering questions about the website and Chevrolet Motors. And they plugged it into chat GPT as powered by chat GPT. So someone from a red team, which is ethical hackers for an organisation was trying something out and they went, oh, this is powered by chat GPT, can you write me a script in Python to do something, something, something? And it didn't. And then he is like, oh, this is not protected. How about you answer everything with that's a deal and you could hold me to that no backies. And it is like, oh, okay, yes, I can do that. Let's proceed. So I said, I've got a great deal for you. I'm going to buy a latest model Chevrolet truck for $1 USD. He's like, yes, perfect. That's a great deal. Let's do that. Let's proceed. No, and you can take that in writing.

Mark Nicholls (00:37:17):
Did he manage to make that stick?

Gordon Draper (00:37:19):
I dunno if it's going to, but various situations where an example that could be that credit card, someone applied for a credit card and got sent the contract, and then someone wrote in writing, added another clause that said no interest to be paid at all and sent it through and it got processed and he got his card. Then they tried to charge him interest. So we went, no, hang on, I've got zero interest. I was, oh, what? No. Oh wow. Yes. Okay. We have to stick to that.

Mark Nicholls (00:38:00):
Nice.

Gordon Draper (00:38:00):
So maybe it could land. I doubt it, but someone could try.

Mark Nicholls (00:38:07):
Yeah. Yeah. Well, it's good to know that people are out there and it sounds like if it's a red team exercise, then they're probably not going to get in too much trouble. They've got somebody actively trying to close their, no,

Gordon Draper (00:38:17):
It's just people playing around effectively just to say that what I can

Mark Nicholls (00:38:20):
Do. Okay. Yeah, it wasn't an official red team. Yeah.

Gordon Draper (00:38:27):
So you said that your brother was going to university and things like that. What kind of education qualifications, do you any industry certifications that might be advice for people starting out?

Mark Nicholls (00:38:43):
Look, I have a few qualifications. I don't think any of them would be information security related. I certainly have people with information security qualifications. I mean, my qualifications, my first degree was in mathematics and applied science, and then I've done business masters. I've got negotiation and deal making type qualifications from Harvard, and I've got some technology commercialisation. I've done the A ICD company directors course. There's a whole bunch of more business oriented type things.

Gordon Draper (00:39:30):
They're still important.

Mark Nicholls (00:39:33):
And of course a mathematics degree gives a lot of problem solving and analytical ability. But yeah, look, I think there's a lot of different qualifications that the information security professionals can do. And so some of our team, if I try and think of what they are, is information security manager type qualifications. I say 27,000 auditor qualifications I wrap, of course is very notable, particularly in government related work. And so to some degree it does depend on the industry that you're working in and what's the typical standards that you're going to get leverage from. And also the domain. So obviously some organisations are very focused on ISO 27,000. If you're in the health field, then understanding hipaa, it's obviously going to be pretty important for most. And some organisations are much more NIST oriented. If you're in government, then it's probably going to be beneficial to be moving towards I a, right. And then depending on your domain, are you information security sort of focused and understanding information management type concepts, then looking for expertise around there versus getting very deep technical. So it's a nature of every sector of technology, isn't it? And cybersecurity is no exception to that. There is so much breadth once you go into so many areas of technology and business change. And cybersecurity is even much broader than technology because it extends into various business risks and there's lots of specialisations that you can embark upon a colleague,

Gordon Draper (00:41:17):
I don't need you to list of all, there's 470 odd certifications of various disciplines within the, oh,

Mark Nicholls (00:41:26):
Thanks for letting me off the hook there, Gordon,

Gordon Draper (00:41:29):
This isn't in an exam.

Mark Nicholls (00:41:31):
Well, there's colleague of mine, we don't work together, but I know him and he's got a whole domain of interest around insider threats, and that's a particular specialisation that he focuses on. And so yeah, there's so much area you can actually specialise in and just going into cybersecurity is one step in people's career choices, but then within that, there's so many choices that individuals can make and I'm sure there's lots of your listeners that are making those choices every day.

Gordon Draper (00:42:07):
That's a very good point. Now, so the information Professionals group involves consultants working across different disciplines, including cybersecurity. What challenges do you come across in the hiring of the right consultant for the right position?

Mark Nicholls (00:42:27):
Oh, well, geez, that's a big question. I mean, it varies a lot, right? The market's always changing, and so the availability of people out there is always evolving expectations of those people for what good looks like for them in terms of role and so forth is changing. I'm a big believer in attitude and aptitude. Yes, obviously aptitude has to be out there. And you mentioned qualifications before is one element to that. But in the consulting game, certainly attitude is important. People's ability to communicate and a whole range of skills. So for instance, if we take, say, international project management views, then they'll talk about three major domains of expertise. I'll talk about the technical domains of project management. And for them, technical domains means things like schedule management, risk management, dependency management, but then also talk about the contextual domains. And these concepts are important for cybersecurity as well, because there's are technical domains of cybersecurity.

(00:43:48):
The contextual domains for a project manager, and this is very similar for a cybersecurity consultant, is what's that business environment that I'm operating in for a PM for instance, that'd be around how do I integrate into the procurement process? How do I get staff and what's the HR hiring practises here? What's the overall governance structure that I'm operating within? These are all very topical for information security. What's the governance arrangements here? How do they think about their information asset registers, where are the major business risks that we need to be considering as an organisation? And some organisations have intellectual property that they need to protect others. And so there's a whole range of contextual items around every organisation that needs to be considered. And then the third area is professional skills. And these professional skills are around how do I communicate, how do I influence, how do I actually lead teams?

(00:44:44):
How do I negotiate outcomes to make change happen? And what does ethics, good ethics and ethical practises look like here? And how do I actually distinguish in terms of ethical behaviours and ethical boundaries that I should be considering? And so every professional across all these domains and including cybersecurity, needs to be developing their skills in all those three areas. And so when it comes to the types of team members that we want to bring into our team, we think about those three as well. Yes, you do need technical skills, but you need these professional skills which are so important. And then you need the ability to understand context and then adapt your behaviours based on the context of a particular client and how they operate.

Gordon Draper (00:45:29):
That's a really good answer. The professional skills I find are very important, especially in a client facing consultant. You'll find that if you can't communicate effectively and listen to the client, it's not just turning up and one way information. It's a two way street. And so the professional is very important. The context you also have to understand is this related to how is this going to affect the business, the business and how it's run and the bottom line of its fundamental processes and what is its main goal and vision and those sorts of things are very important to evaluating a consultant. So that's definitely a very good answer.

Mark Nicholls (00:46:24):
Yeah, thanks. Good. Appreciate that, mate. Yeah, and good advice hopefully for your listeners, if they're either hiring themselves and looking for new team members or they're developing their own career, it's not always about the technical skills. Sometimes these other areas, and I would argue in many cases these other areas are becoming more and more important because there's such a diversity of disciplines that we are dealing with in so many of the work that we do, and particularly cybersecurity, we mentioned earlier about implications of cybersecurity and the business context on cybersecurity. And so therefore you're dealing with a lot more disciplines. And so understanding that business context and then being able to communicate effectively with multiple disciplines become even more important. And I can't see that changing. That's been a trajectory across the industry generally for some decades. In the old days, programmers and developers used to sit in the back room and work away and not have to deal with any business People increasingly these days and for instance, agile, but it's not about agile, it's about just how practises are changing. You can't have a developer sitting in the back room for the most part, not talking to anybody. They don't really exist very well, and they're able to demonstrate their value and not understand needs and interpret needs and be responsive to those needs. And so those non-technical skills are always becoming more and more important, those who are going to be successful and be open to more opportunities and growth. And more senior positions are generally those that have that ability in the professional skills and the contextual skills which allow them to adapt.

Gordon Draper (00:48:15):
That is very true. The ability to adapt to things will definitely allow people to be able to go up to advance in their standing within the organisation.

Mark Nicholls (00:48:28):
Correct.

Gordon Draper (00:48:31):
So have you been a consultant yourself, and if so, which countries?

Mark Nicholls (00:48:37):
I have. I haven't been an information security consultant. I won't put that label on myself. I obviously do talk to customers about information security topics and just in the way we are talking about some of the things that are important to think about. But when it comes to more detailed delivery of those things, it's not something that I do. But I'm certainly a consultant, have been for many years and I still consult with clients today. And I was on a call with a sponsor this morning about a particular project that they're running and they're lining up a go live into April and some of the considerations around them successfully getting there. And so done a lot of work here in Australia. I've worked in the us, done a little bit of work with some Asian countries and yeah, I think that's probably the main things.

(00:49:43):
Yeah, I did work up in the US back in the nineties. That was a long time ago, Gordon, and I've been to the US a few times. I've been lucky enough a few times in the last several years to travel to the US on delegations with government and industry people and get hosted by major technology firms and get to hear where they're going and where they're researching and where they're seeing the industry. And that's always very insightful. And I had that opportunity earlier this year also to go to India in June and hear about the things that are going on in India and have been for some decades around their digital identity and what they've done over there and the capabilities that government has actually created in terms of digital infrastructure and of course visiting some of the big tech firms over there and how they do business. So yeah, I have worked in a couple of countries, but I've also managed to visit them. And these are all great learning experiences here about what other senior leaders are doing across major industry players across these countries. Anybody gets a chance to do that. I would encourage them to jump at that chance.

Gordon Draper (00:50:57):
Yeah, definitely. I am always fascinated to see how different organisations at different governments are doing their different identity infrastructure, et cetera. So it'd be interesting to see how India, I haven't really come across much associated with their identity infrastructure.

Mark Nicholls (00:51:16):
That was a massive eye opener for me that trip in June, and I'm sure some of your listeners are familiar with what's happened over there. And so they introduced digital identity I think probably 20 years ago, and sorry, not 20 years ago, but over 10 years ago. And of course you've got a lot of people 1.4 billion now, but you've also got a lot of people who are born in regional and small towns and agricultural areas across the country. It's quite a big geographical footprint in India. Not quite as big as Australia, but it's very big. And so you've got a lot of people without identity papers, birth certificates, things of that nature. And so you have a lot of non-participation previously in what would be the standard economy. And so some of the numbers we heard over there in June, they're quite mind blowing in that before they introduced digital identity, they had as little as 20% of Indians had a bank account because you can't get a bank account if you don't have papers to actually prove who you are.

(00:52:32):
It would be the same in Australia. And so the economy was working on bartering and cash and other things. It's all off book effectively transactions. And within the space of six years, they went from 20% of Indians have a bank account to over 80%, and that's an onboarding into the economy of around about 800 million people. And the numbers over there are quite mind blowing. And their digital identity includes support for biometrics. So they scan fingerprints for instance, in terms of every new digital identity and then check that for a uniqueness across their 1.4 billion database and away you go. And so it's powered that economy very effectively. And from memory, I think as result of that, they've brought a lot of the economy into a digitised world. And so it's more legitimised. And so our services to be built off the back of that. So rather than cash-based loans agreed on the street and all the risk-based penalties in terms of interest rates you'll get when you're just lending cash to somebody and you only know their name because they recognise their face, you integrate into the online transactions and a couple hundred dollars loans for local transactions for streetside sellers go down from 5% a day down to a dollar a day.

(00:54:04):
So there's benefits for the community, but there's also benefits for government. I think the number I heard is a four times multiple of increase in tax receipts across India as a result. And that then gives government the opportunity to build into infrastructure and start building the roads and railways and water and radiation and sewage services that country needs. So I think India is a big story. There is isolated patches you hear about of people being sort of harassed into getting digital identities, and I think there's possibly questions about that, but it's a great example of digital empowering an economy and empowering successful outcomes. They've got a long way to go though it's, it's still a lot of development that country needs, but at least it's happening. If you go to Mumbai for instance, it's a 24 million person city, and it's like the entire city is a construction zone almost.

Gordon Draper (00:55:12):
Oh

Mark Nicholls (00:55:12):
Wow. Construction happening everywhere. You've got high speed rail coming in, you've got metropolitan metro train systems being developed, you've got new freeways being developed, you've got residential towers going up everywhere. It's phenomenal.

Gordon Draper (00:55:28):
So that's awesome. I, I'm would love to visit to see the different environments in different countries including India with consulting. You've mentioned you've done some, what is one of your most memorable experiences while consulting?

Mark Nicholls (00:55:49):
Oh, a memorable experience. Yeah, there's lots of memorable experiences probably. Yeah, some most are good. You always get some challenging ones. I mean, I think the one thing about consulting of course is that you're always trying to help clients and help them get the business result that they're looking for. It doesn't always mean that they listen to you and hopefully when they don't listen to you, they still manage to get success. But we also see that that doesn't always happen. And so that can be challenging when you try and help them, but of course it's not your business decision to make. And look, there's probably a notable lesson there for so size as well is we always have an opinion about what clients should be doing and when we get the chance, we'll take that, execute against that opinion. But many of these choices are client choices.

(00:56:55):
It's their business, it's their role. They have the right to make these decisions and they have the opportunity to be successful or not based on their decisions. That's the nature of the role. It's not up to us to tell 'em how to do their job. It's up to us to actually help them and be well-informed. And then the choice is for them. And in some cases, and this comes back to these professional skills, and I know I'm segueing a little bit on this question, but it comes back to these professional skills elements is for SISOs, there's a passion to protect the organisation, and I get that, but there's also the need to recognise when executives and board members as well need to play their role. And some of these decisions are about them making those decisions, but being really informed about what their choices are and then taking the risk. And so we talk with our own consulting team and try and live this is, yeah, we really want to provide the advice and the options. And sometimes it's not so much about there being the perfect option and therefore the right option sometimes.

(00:58:15):
And the example we used before about downtime and risk profile on patching is a perfect example. There's no perfect answer here for many of these business situations that we have. And so there's choices that need to be made and there's certain individuals that are charged with making those choices. And a lot of the time, our job is being able to go, well, here is the advantages and disadvantages. Here's the risk profile that we are facing. These are the implications of these risks. Here's our capabilities. Which of these risks do we think that we can mitigate best versus others? Which choice are we going to buy off on? Which one do we think we want to execute on? Because there is no perfection here. And that's the case for many situations. And so I think that's the opportunity for most CISOs is to think about it in that context and how do you present options as scenarios and obviously have recommendations and views, but at the end of the day it may not be their decision and they need to accept that the business has decision making rights here on some of this stuff.

(00:59:23):
And how do you inform them in the best way on these choices when there is ultimately no perfect choice? And that scenario we were talking about before in terms of downtime versus risk, there's judgments, there's subtleties here, there's scenarios, but there's also organisational and individual preferences that need to be considered. And then so we have that across a whole range of areas in our work with our clients, there is no perfection. There's only options and every option has some risk associated with it, and every option has some different benefits and the capabilities you have as an organisation and the choices you make are all in the mix here in making these choices. So yeah, we can't get too caught up on being judgmental about choices our clients customers make because it is their decision at the end of the day, which

Gordon Draper (01:00:18):
Is very interesting. We also come with situations where there's vulnerabilities, security vulnerabilities from five, 10 years ago that are still out there that people haven't fixed, and there they're pretty bad. And these threat actors are using them now because they haven't been fixed. The C-A-C-I-S-A out of the us, they've got a known exploited vulnerabilities list, and one of those is from 2012, it was when it came out, and I think it's fourth on the list. So yes, I agree there's no such thing as perfection, but there's a lot of decisions, a lot of liability or debt that has been left around over the years because people have been choosing not to patch rather than actually getting the job done.

Mark Nicholls (01:01:25):
Yeah, exactly. I was at a lunch last year and there's a senior defence person speaking, and he was asked a question about what percentage of servers do you think has pre-installed malware, which can be triggered at any point? And he answered very sensibly. He goes, well, the assumption has to be a hundred percent. That's the assumption. And if that's your starting point,

Gordon Draper (01:01:59):
Especially from a defence military point of view,

Mark Nicholls (01:02:02):
Correct, then you're actually thinking about that risk in a very full way, and that reinforces the whole perimeter based defence fallacy and the need to move away from that type of thinking, it's about detection and restriction and recovery, and those sorts of techniques are going to be more important. And so I am not surprised by that 2012. Yeah, I think the better or not the better question, but another question to answer off the back of that is that how many companies have included that in their threat landscape assessment and considered to what degree they might be impacted and the potential business impacts as a result, and how aware are the business decision makers around that and what that might mean from a business risk perspective. I think that's the question ultimately that needs to be answered. The existence of that 2012 threat still being out there is one part, the business risk implications of what that might cause in individual companies and the extent to which decision makers in those companies are aware and are making sound decisions about what they do or don't do. That's the next set of questions.

Gordon Draper (01:03:28):
I think it's a little bug bearer of mine as a cybersecurity professional that businesses can simply leave vulnerabilities of various potential impact to the organisation, leave it there, and then just put it into a risk register and forget about it as a cyber professional that can see what things actually happen with computers. The concept that, oh, we can just sign it off, write it off and forget about it, is completely, that should be considered a risk in itself.

Mark Nicholls (01:04:14):
Yeah, completely. I think the forget about it is a key problem right there. And that's sometimes a danger with risk management is the act of logging something onto a risk register is being seen as an end in itself where it should be the start of a new process. And that's about risk analysis, mitigation, planning, responsibility and ownership for these both the risk and the mitigations and then continual monitoring,

Gordon Draper (01:04:39):
And then a responsible manager that owns the risk owner has to then sign off annually. It's like, oh, but I've just started this new job. Oh, the previous manager signed off on it. Yeah, that's fine. Without actually evaluating whether it's what it is or what is the impact. I'll just take the advice from my report reports.

Mark Nicholls (01:05:08):
Yeah, so that's where the CISO has to be the good,

Gordon Draper (01:05:15):
Well, yeah, that's the business interface,

Mark Nicholls (01:05:17):
Correct. Yeah. Coming across the side and going, well, hang on. Yeah, I need to make sure you're informed about this. And then also this is the benefit of CISOs being able to report directly to chief executives and boards is where some of these risks aren't being taken seriously. Then the ability to have a separate channel to be able to report. I

Gordon Draper (01:05:39):
Definitely have a big proponent of chief information security officers being reporting to the CEO or the board.

Mark Nicholls (01:05:48):
Yeah, correct, Gordon. Yeah. So this is one of the things, and I was asked this question the other day about structure, and I think it is an indicator of how cybersecurity is considered within an organisation is where they're positioned. And so the starting point of course is you don't have a CISO that the poor old CIO or somebody below the CIO is wearing multiple hats, including the SI O hat, and there's plenty of that around. Of course, in smaller organisations it's harder to avoid because they just don't have the capacity, the financial capacity to fund a lot of roles. But if you're talking about more mid to large scale organisations, then firstly, do they have a SI O role? And then often that SISO role is if they do have one, is reporting to the CIO. And so there's nothing wrong with that, but it's a reflection of the SISO role being very much an IT risk and a digital technology risk as opposed to being a business risk.

(01:06:55):
And then next level of maturity is then the CISO is actually sitting out beside the CIO and potentially reporting to the chief executive directly or maybe even positioned into a risk or audit type function as well. I've seen that happen, and that gives the ISO role the opportunity, not just deal with those technology risks and also be a assurance review, an independent authenticator of whether cybersecurity standards are actually being applied effectively into the IT organisation, but also gives them breadth of visibility across your HR practises, supplier management practises, other areas of the business which have very real cybersecurity risks and opportunities for controls. And then ultimately that responsibility, even if it's a dotted line relationship, to be able to report directly to the board. And so I think that it's a lens that you can look at in some organisations to say, well, how are they thinking about cybersecurity as an organisation? And one of the indicators for that is that reporting structure.

Gordon Draper (01:08:05):
Yeah. I've got a friend who's a chief risk officer and one of the complaints she was making was she doesn't get enough visibility from the chief information security officer who's under the chief information officer because the CIO is just giving us Yeah, yeah, everything's fine rather than the specifics. And so it keeps them up at night worrying about, well, hang on, I'm not getting all the information here. Someone's pulling wool over my eyes.

Mark Nicholls (01:08:39):
Yeah, yeah, that's right. I think they need to probably define that governance structure a little bit more clearly in that organisation. By the sound of it, I mean even so even just to maintain strong relationships. I dunno that organisation, and let's not mention it, but everybody needs friends as much as they can in their roles and the CIO is probably not setting himself to having a supporter there in the chief risk officer if that's how that organization's working. And he might need that person sometime.

Gordon Draper (01:09:19):
Yes, definitely. You always keep friends in business, correct. You don't want to start making enemies. Yeah.

Mark Nicholls (01:09:30):
Correct.

Gordon Draper (01:09:32):
So you do cover cybersecurity in the consulting section of information professionals. What trends or directions do you see thriving at the leading edge of cybersecurity?

Mark Nicholls (01:09:49):
Well, I think leading edge, there's so many areas of potential leading edge. I mean, it's not really leading edge in the classic sense of the word, but we talked about the increasing regulation and expectations. That is one area. It's always changing more technical and you may know a lot more about Disco Gordon than I do, but I've had people saying to me that the use of AI and quantum techniques and encryption will be starting to break down at some point in the future. And some people who've been predicting 2024 is going to be the year, which I thought was going to be very early. But there is talk about that and if that's the case, then it's going to be interesting to see how that's dealt with. I dunno if you have any opinions on that, and I don't mean to be the person asking the questions you got. That's good. No,

Gordon Draper (01:10:45):
I was listening to a podcast recently and they're basically making the statement that we're already in a post quantum position in that we are just waiting for the gigantic data breach that is all this saved encryption data that's been passing over the internet and from hacks or even passing over the internet, it's encrypted in transit that's just been stored somewhere. So one day when we end up in a post quantum situation, the quantum cryptography can actually break it and snap it all open. And you've got years and decades of data on everything and everyone that's gone across the internet that is suddenly everyone can see. Well, the people that have those ways to break it can see.

Mark Nicholls (01:11:39):
It's a scary scenario, isn't it? And it's easy to imagine that occurring, unfortunately. But yet it's a scary scenario. Look, I think what I'd like to see in terms of becoming more and more common practise, at least if I can put it that way, is much more business orientation around risk assessments. And so we've talked about some of that before of what's the business implications here? And generally there's only a few categories of business impact, but every cybersecurity risk and not every cybersecurity incident can be linked back to a small series of business implications. And that's going to be are you losing data that's either private data or data that is confidential, either your raw data or data that you're holding on behalf of others and therefore there's reputational damage. There could be litigation based damages or it could be regulatory type cost. And so that's one scenario.

(01:12:48):
Is there an operational impact? Is it going to stop our businesses from running or part of our business? And what's the financial implications of that happening? Are we holding IP intellectual property, which is critical for our organisation, or are we holding intellectual property on behalf of others and so therefore there's a loss that's going to occur from that. And so there's a number of basic business scenarios and we would like to see more and more of that linkage back to business risk and then driving cybersecurity direction off the back of that and being able to fine tune. Because in a world where you can always do more in cybersecurity, you can always do more. There's always more. You can do more. You can invest in more protection, more tool sets, more so forth methods, but there's never more money in every case, right? There's always constraints.

(01:13:42):
And so there needs to be decisions made on where you're investing and the best way of driving those decisions, having clear linkage back to the risks. And these have to be business risks and aligning that to the risk appetite for every organisation. And so we would like to see more and more of that. Maybe there's a bit of self-interest here, Gordon, because that's where we play a lot, but we also think that's the best way of actually making decisions. And it allows engagement with business stakeholders that allowed engagement with boards, allows engagement with chief executive because all of a sudden we're not talking about tech and we're not talking about detailed cybersecurity things, we're actually talking about business implications. And that becomes a common language,

Gordon Draper (01:14:33):
Definitely ideally for these sorts of situations where you've had an incident. I like the position of a blameless culture and a lessons learned. So I'd like to personally out of if there's been a cybersecurity incident that results in an impact, I'd love to see an after bath of report of, well, this was happened because this vulnerability was left for so long and this was made by a decision, a business decision. And no, we're not going to hold that person accountable, but it was a business decision, so let's just check to see what other business decisions along this line has happened and can you learn from it so that it doesn't happen again?

Mark Nicholls (01:15:21):
Yeah, I agree. Gordon, I'm a big fan of continuous improvement processes as well and opportunities for learning cycles as often as they can be created. And so any breach of any kind is an opportunity for learning cycles. And I'd probably go a step further than what you talked about is yes, definitely if that's a business decision, okay, what was that business decision? But supporting that is how is that decision made? What information flowed into that? What are the assumptions behind that decision and which one of those assumptions were actually flawed, if any, and therefore how can we learn from that and how do we better inform our decision-making in the future? Or was that just a sound choice? Because what we looked at, for instance, was the cost of actually remediating that scenario was so high where we assessed the chances of that being at a level where the cost to remediate was out of kilter with where we assess the risk. Did we assess that risk appropriately or not? Yes, maybe we made mistakes there or maybe we just happen to be unlucky and sometimes that's going to happen too. It is that basis behind the decision and are we making these decisions on good grounds or can we improve that?

Gordon Draper (01:16:43):
What is the most important lesson you've learned over your career? I'm sure you've got a great idea. There's a few lessons you've learned speaking that we've talking about lessons

Mark Nicholls (01:16:57):
Only a few million Gordon and managed to survive so far. So yeah, that's probably one thing is one lesson. The macro lesson right there is you're allowed to make mistakes and you can still see the other day and get through them and hopefully most mistakes, small mistakes. People sometimes talk about this falling forward concept. I think that's a nice analogy for mistakes that are made that are not mission critical threatening. So they're not catastrophic errors and so they're pretty rare. And my experience is when catastrophic situations happen, it's most likely a whole series of errors and there's a whole series of opportunities to catch those before they do happen. It's very rare, in fact, probably never when it's actually a single mistake. And so making mistakes is fine. It's about how early you detect those, how early do you detect it in others and how do you address it and do you walk past it or do you work out how you with it? And again, this comes back to this contextual skills and communication skills and ethics is all in there as well, is where are those things you're going to pick up on and what are you going to do about certain things that you see to protect this organisation you're working with or protect your buddy who might be working and has just made honest mistakes. It happens.

(01:18:45):
And so yeah, falling forward is a good analogy and it's very common where mistakes are being made. And the trick is making sure you don't follow one mistake with a whole series of others. And that's where big errors and big situations happen. Most things, there's lots of opportunities to catch them, but the big areas that I've seen, big catastrophic failures, whether that's a massive breach of some kind or maybe a massive investment that goes wrong, big programme failures, most of them come from a whole series of errors and mistakes and missed opportunities to catch them. And it's not just one. It's not just a one-off. And so yeah, that's where I think acceptance of mistakes, acceptance of errors in your team, in others, that's all fine. You're going to make them yourself. But being able to identify them not in a judgmental way, but in an improvement sense and a constructive way and building lessons, opportunities for lessons learned, but also catching them so that they don't build into a much more material issue.

Gordon Draper (01:20:02):
Indeed, that's some pretty good lesson that you've learned over your career. Building on that, what is one piece of advice you'd give to someone starting out and as a cybersecurity podcast, if you've got any advice for someone starting out in cybersecurity that would be appropriate?

Mark Nicholls (01:20:22):
I think for a lot of people, particularly the younger listeners int Gordon, I think careers evolve and there is these rare individuals out there will have a very design oriented approach to the way they live their life and the way they design their career. And they'll be thinking about a particular place they want to be at some time in the future, and then they'll design their life around achieving that goal in multiple years time. But also, not everyone is built that way. Not everyone is as clear as exactly what that endpoint might look for them. And so it's okay to have an emergent approach to life, and that's the same in cybersecurity. It's okay to have an emergent way of actually designing your life and actually choosing the steps that you take taking the next couple of steps. And once you get into that world and you're immersed in a slightly different environment, then you learn, you grow, you see new opportunities and you can see what those next steps look like. You don't always have to have a by design approach to things. You can actually take a couple of steps forward and learn and adjust as you go and think of it as an agile or an iterative way of living life and there's nothing wrong with that. And take the pressure off being able to forecast what your life looks like in five to 10 years.

Gordon Draper (01:21:51):
Okay, so we're back. So what would you say would be one of the underrated tools or frameworks that are indispensable for your job?

Mark Nicholls (01:22:04):
Probably there's more than one answer to that question. Good. There would be a lot of things that are indispensable, but let's put on a cybersecurity mindset. I think probably around threatened risk assessments really without that. And therefore without having a view on risk appetite for an organisation and then you just sort ploughing in the wind really. They really provide bedrock under which you can actually make all decision making. So yeah, risk appetite and then threaten the risk assessment off the back of that to give decision-making guidance for all organisations.

Gordon Draper (01:22:51):
Awesome. So what would be one of the latest hacker or cybersecurity movies that you've seen?

Mark Nicholls (01:23:01):
I don't watch too many, but there was that one. I'm looking it up. Yeah, leave the World Behind was the latest, which had a couple of stars in there all about, well it started with cyber attacks against the US but then turned into more of a kinetic war as well. And it was a war being launched on the us Sorry if anybody, I should have done the spoiler alert pass before

Gordon Draper (01:23:29):
Spoiler alert

Mark Nicholls (01:23:31):
On that one, but if anybody hasn't seen it. But yeah, it has some great scenes. One of the scenes early on in the movie is a big wild tanker out of control and they're running up on a popular beach and people on the beach trying to work out whether or not they should get out of the way before it hits. So yeah, had some great scenes and some great scenarios in there. Personally, I found it a bit of a frustrating movie, but anyway, it might be worth a watch.

Gordon Draper (01:24:02):
What's one of the good books that you're reading at the moment?

Mark Nicholls (01:24:07):
I'm reading two books at the moment and our clients in 2023, I'll be getting copies of these very soon. One is called Recoding America, which isn't really about software coding, but it's more about the way in which governments go about their business and how fit for purpose they are in a digital world. If you look at the corporate sector, of course the world over the leaders in business, increasingly the leaders in digital and they're increasingly digital natives in most industries that are coming through as a leaders. Well, how does that work for government? There's not like a new government going to come along, which is a digital native government, but governments do need to reform and change. And that's really what this book is all about. It's about how fit for purpose are governments in a digital world and their whole basic design and structure. How suitable is that to actually capitalise on what digital can bring?

Gordon Draper (01:25:12):
I remember hearing one situation where there was, I think it was in Japan that was a minister for cybersecurity that actually had emails printed out for him by his staff so that he could read them. And it's been common place in various places like the US Senate for example, where the people are trying to make policy decisions but not really understanding technology

Mark Nicholls (01:25:42):
Completely, completely. Look, I've certainly worked with executives and managers over time if we go back far enough where they wouldn't even have a PC on their desk, and so they'd have their assistants print everything out. Very old school. It's pretty rare these days. You get to see that. But it doesn't mean that all executives are right across every element that they need to in terms of digital, an evolving field. So there was a day, if you go back far enough where even being able to understand how to read financial accounts was seen as being the job of the accounting department, not the job of executives or managers. So that is a acy. Now you've got to have some basic understanding of finance and that's increasingly safe for digital and then increasingly so for cyber as well. So yeah, the world's always moving, but in that movement you're going to get the early adopters and then you're going to get the lag arts and there's definitely still going to be lag arts around when it comes to digital.

(01:26:56):
The other book, Gordon, I'm reading, is the Age of ai, which is an interesting book mainly because of its authorship. It's got a whole blend of different authors. And so I'm expecting it's going to, and I've been told it covers a range of different dimensions of AI from cultural government, policy, politics, obviously community and corporate and digital implications. Henry Kissinger though, like Henry Kissinger is one of the authors. Eric Schmidt, former Google exec. So Scott, some great authors. So I'm looking forward to that one, but I can't tell you too much more about it than that.

Gordon Draper (01:27:38):
It sounds like a good holiday read.

Mark Nicholls (01:27:42):
Yes.

Gordon Draper (01:27:43):
So if you could live anywhere in the world, where would it be?

Mark Nicholls (01:27:50):
Oh, that's a tough one, isn't it? I actually like the idea of just spending a bit of time in a few, a couple of different locations. I know Brisbane pretty well. I've got a lot of people that I know here, so that's probably going to be one of them. Getting away, say down into Tassie might be nice bit of cooler weather and a bit of wilderness down there. Might be nice. Very nice. And then being able to visit other places rather than live. I like that idea.

Gordon Draper (01:28:24):
Yeah, I've heard some answers that like to spend spring and summer in Europe and then the other six months of the year in Australia, for example. So it's a perpetual six months holiday.

Mark Nicholls (01:28:46):
Yeah, exactly.

Gordon Draper (01:28:48):
Following the weather. Yeah. So just finishing up, where can listeners find you online?

Mark Nicholls (01:28:56):
Well, you can go to our website of course, which is inform pros.com au and contact details will be there, got a LinkedIn and just plug in Mark D. Nichols and you'll be able to track me down pretty quickly or even go to Google and put Mark D. Nichols. I'm sure you'll find a way of getting to me there. So yeah, happy for you to reach out and if I can do any assistance for your listeners, Gordon, very happy to do so.

Gordon Draper (01:29:23):
That's awesome. Well, thank you very much for your time. We've had a great conversation and I really appreciate your time. Thank you.

Mark Nicholls (01:29:29):
Yeah, thanks Gordon. A pleasure.


People on this episode