Episodes

  • Episode Summary

    In this special Christmas episode of Secured, Cole Cornford does something a little different from usual and answers listener questions. Lots of topics are covered, including New Year's resolutions, cybersecurity trends of 2024, career and life advice, and plenty more.

    A huge thank you to everyone who sent in questions! We had so many responses that we weren't able to get to all of them. Let us know if you enjoy this format and we may do it again in the future.

    Timestamps

    1:00 - Cole's thoughts on New Year's resolutions

    3:00 - Cole's experiences working in large organisations

    13:30 - Critical cybersecurity steps for organisations in 2025

    20:30 - Using security tools to protect APIs

    26:20 - Protecting against supply chain attacks

    36:20 - Cole's perspective on DevSecOps

    40:50 - Trends of 2024

    50:40 - Diversity in the cybersecurity industry 

    1:01:02 - ASPM tools

    1:13:20 - Why Cole enjoys making the podcast

    1:21:00 - Life advice that has stayed with Cole

    Mentioned in this episode:

    Call for Feedback

    This podcast uses the following third-party services for analysis:

    Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/
  • Episode Summary

    Elizabeth Stephens is CEO of DBS Cyber, where her team delivers IT solutions for clients in various industries. A retired Marine Corps Major and author of the book Building a Resilient Digital Future: A Comprehensive Guide to Cyber Risk Monitoring, Elizabeth draws from her diverse experience in her work. In her conversation with Cole Cornford, they discuss leveraging AI to be helpful and not harmful, the politics and nuance of cybersecurity, lessons from Elizabeth's military experience that she applies to her current role, and plenty more.

    Timestamps

    1:00 - Elizabeth's background

    7:30 - How we can leverage AI to be useful not harmful

    14:30 - Using AI to help with parenting

    20:30 - The politics & nuance of cybersecurity

    23:30 - Roblox & cybersecurity for kids

    27:00 - Lessons from the military Elizabeth applies to cybersecurity

    30:30 - Elizabeth's journey as an author

    36:30 - Cybersecurity for small business

  • Episode Summary

    In this episode, Cole Cornford is joined by cybersecurity experts and IRAP assessors, Kat McCrabb and Toby Amodio, to unpack the latest updates to the Protective Security Policy Framework (PSPF) for 2024. They explore the significant changes introduced in the PSPF, such as the heightened emphasis on IRAP assessments, the potential strain on resources due to increased demand for assessors, and the impact on government agencies' compliance efforts. The discussion delves into the restructuring of the PSPF domains, including the separation of information and technology, and the challenges this presents for reporting and governance. They also address issues with self-attestation in agencies, insights from ANAO reports, and the critical importance of managing legacy IT systems. Kat and Toby offer valuable perspectives and practical advice for organisations navigating these new requirements, highlighting the need for proactive planning and adaptation in the evolving cybersecurity landscape.

    Timestamps

    01:27 - What is the PSPF? Toby explains the framework

    03:07 - Kat discusses the biggest changes in the PSPF 2024 updates

    04:20 - Challenges with IRAP assessments: time, cost, and limited assessors

    06:18 - When are IRAP assessments required? Clarifications

    08:13 - Changes in PSPF domains: splitting information and technology

    10:08 - Implications of the changes for reporting and governance

    12:15 - Comparison with NIST framework and governance considerations

    13:38 - Issues with self-attestation and insights from ANAO reports

    15:09 - Strategies for improving reporting and assessments in agencies

    17:36 - Managing legacy IT systems under the new PSPF requirements

    18:52 - Key takeaways and final thoughts from Kat and Toby

  • Episode Summary

    In this episode, Cole Cornford speaks with Anand, an API security expert at Traceable AI with over 18 years of experience in crafting innovative IT solutions. Anand's expertise spans API design, microservices architecture, cloud technologies like Kubernetes and AWS, and security architecture including IAM and OAuth. Together, they delve into the critical importance of API security in today's digital landscape, discussing why traditional web security measures are insufficient, lessons learned from incidents like the Optus breach, the challenges of managing API inventories, and how AI and machine learning can enhance security practices. Anand also shares his experience writing a book during the pandemic and the value of continuous learning. This episode is packed with insights on modern application development, cybersecurity, and plenty more.

    Timestamps

    4:20 - Understanding API security challenges

    9:30 - The role of AI in API security

    16:55 - The importance of API inventory management

    24:00 - The business impact of API security

    28:00 - Cole & Anand discuss books & writing

    34:00 - Current state of API security in Australia

  • Episode Summary

    In this episode, Cole Cornford speaks to two guests on the topic of robotics: Damith Herath, a Professor at the University of Canberra, and Adam Haskard, co-founder and Director of Bluerydge, a Canberra-based cybersecurity and technology firm. Together, Damith and Adam are conducting research into Secure Robotics, an emerging field of study that addresses the intersection of robotic safety, trust, and cybersecurity. In their conversation with Cole, they discuss the growth opportunities for robotics, how someone interested in the field could pursue a career in robotics, potential risks of the common household vacuum robots, and plenty more.

    Timestamps

    2:00 - Robotics: definitions & applications

    8:45 - The intersection of robotics & cybersecurity

    10:00 - Trust & safety in robotics & cyber

    15:00 - Emerging risks in robotics

    18:40 - The role of cybersecurity in robotics

    20:30 - Regulation and innovation in robotics

    40:00 - Growth opportunities for robotics

    29:00 - Future of robotics & AI

    32:00 - Career pathways into robotics

    39:00 - Rapid fire questions

  • Episode Summary

    Ilkka Turunen is the CTO at Sonatype, a company that helps millions of software developers use open-source software while minimising security risk. In this conversation, Ilkka chats with Cole Cornford about the benefits and risks of using open-source software, how Maven helped standardise software development processes, the different approaches to AppSec regulation in Australia and Europe, and plenty more.

    Timestamps

    1:33 - Ilkka's career background

    4:00 - Varying quality of open-source software

    6:10 - How Maven helped standardise software development processes

    13:00 - The balance between speed of delivery & quality

    17:00 - Importance of environment parity in software dev

    21:40 - Risk of using 3rd party code in software

    25:10 - Regulation of AppSec in Australia vs Europe

    32:10 - How new European software security regulations will be enforced

    35:00 - Recommendations for compliance with European regulations

    39:00 - Rapid fire questions

  • Summary

    Daisy Wong is the Head of Security Awareness at Medibank, as well as a disability advocate. Originally from a marketing background, Daisy gained experience in the cybersecurity industry working as part of penetration testing teams, before making her way into the security culture and awareness space.

    In her conversation with Cole Cornford, Daisy discusses using the tools of marketing to educate people on cybersecurity, the hallmarks of a good security culture and awareness program, and the importance of diversity in cybersecurity.

    Timestamps

    4:00 - Daisy's transition from marketing to cybersecurity

    8:10 - The importance of security culture and awareness

    11:00 - Building effective security awareness programs

    14:15 - The role of diversity in cybersecurity

    17:00 - Strategies for inclusive hiring practices

    19:40 - The power of communication in security awareness

    23:20 - Creative approaches to security awareness campaigns

    31:45 - Daisy's personal perspective on the importance of diversity

    43:40 - Rapid fire questions

  • Summary

    Antonio Deliseo has been in the information security industry for decades. Currently working at Telstra, Antonio has enjoyed a long and winding career path and has plenty of stories and insights to share as a result. In this conversation with Cole Cornford, Antonio discusses how he got started in his career studying physics, overseeing cybersecurity at a goldmine, how to advocate for cybersecurity within a large organisation, and plenty more.

    Timestamps

    1:40 - Antonio's career background

    3:30 - Advantages of coming from a non-technical background

    8:30 - Stories from Antonio's early career working at a goldmine

    14:00 - How Antonio moved into the GRC space

    17:30 - The role a board of directors plays in cybersecurity

    20:00 - Cybersecurity is less like IT, more like gambling or insurance

    25:30 - Calculating the cost of a breach in dollar terms

    30:30 - How to advocate for cybersecurity as a CISO

    40:00 - Cybersecurity often seen as unaffordable by small businesses

    42:30 - Pros & cons of networked technology

  • Summary

    Ben Gittins is the Principal Security Engineer at Bugcrowd, one of the world's best bug bounty platforms. Ben has previously worked as a Senior DevSecOps Engineer at Canva, as well as DevSecOps Lead at SecureStack.

    In this conversation with Cole Cornford, Ben shares his belief that cybersecurity needs more generalists, how coding and AppSec have changed over time, whether cybersecurity qualifications are overrated, and plenty more.

    Timestamps

    3:50 - Why is Aus cybersecurity lagging behind?

    9:50 - Over-reliance on purchasing cybersecurity products

    14:40 - We ask too much of our AppSec professionals

    19:00 - How app development & cybersecurity have changed over time

    24:00 - "Greenfield projects" are often not realistic

    28:20 - How to bring new people into the AppSec industry

    32:00 - Importance of communication skills

    38:20 - Cybersecurity qualifications are overrated

    43:00 - Rapid fire questions

  • Summary

    Shan Kulkarni is the co-founder and CEO of Nullify, a product designed to augment AppSec teams with AI agents capable of carrying out multiple levels of product security work autonomously. Prior to Nullify, Shan worked in roles such as Cloud Operations Lead at UNSW Redback Racing, and Cloud Security Engineer at CMD Solutions Australia.

    In this conversation with Cole Cornford, Shan discusses the challenges of starting a business, and in particular the challenges of hiring, the state of AppSec in Australia, what the future might hold for the industry, and plenty more.

    Timestamps

    1:30 - Shan's career background

    5:30 - Why AppSec is so often inefficient and expensive

    9:00 - Big tech has a monopoly on AppSec talent

    12:30 - Shan's journey from consultant to founding a company

    15:40 - Biggest mistakes when starting a business

    19:20 - Selling products/services to devs is extremely difficult

    25:00 - Where Shan sees AppSec going

    28:00 - Consolidation of security products

    32:00 - What security leaders are struggling with: visibility

    34:00 - Rapid fire questions

  • Summary

    Dan Draper is CEO and Founder of CipherStash, a data-storage platform that helps customers keep data secure. As well as being fascinated by cryptography and data security, for most of Dan's career he's either been a founder or worked in the leadership team of startups, so he has plenty of experience in both business and getting into the nitty-gritty details of technical problems.

    In this episode Dan chats with Cole Cornford about cryptography, the challenges and rewards of founding a company, best practices for securing funding for a startup, and plenty more.

    Timestamps

    2:00 - Dan's career background

    8:00 - Dan's lessons from working in government

    9:30 - When Dan became obsessed with cryptography

    12:40 - Reflecting on Dan's 1st failed business

    17:10 - The founding of CipherStash

    23:40 - Managing data is a major challenge in large orgs

    28:00 - Different types of data breaches

    32:00 - Potential and limitations of AI in cybersecurity

    37:00 - Experience raising money for a startup

    44:10 - Dan's 3 tiers of investors

    46:00 - Rapid fire questions

  • Summary

    In this episode, Cole Cornford chats with Matt Jones, co-founder of Elttam, an independent security boutique that provides security assessment services. On top of his role at Elttam, Matt is active in the infosec community in a variety of ways, including helping with BSides Canberra's call for papers and writing open-source tooling such as talkback.sh. Cole and Matt chat about the motivation behind founding Elttam, why Australia's infosec industry is lagging behind other parts of the world, the exploit development space, and plenty more.

    Timestamps

    2:00 - Matt's career background

    7:00 - Matt's early challenges finding an opportunity in cybersecurity

    11:00 - Why Matt chose to co-found Elttam

    13:00 - Cole: Australia's infosec industry is immature compared to US

    19:00 - The importance of specialisation

    20:30 - Better to do 1 thing really well when bootstrapping

    24:00 - Using the right approach for the right context

    25:30 - Risks of using a bug bounty program

    31:10 - Cole: the bar for pen testing reports should be much higher

    37:10 - Training & education for infosec

    39:00 - Cole: is infosec a cottage industry?

    44:00 - Product vs service approach to cybersecurity

    47:50 - Cole: I like looking at source code from 80s and 90s

    49:00 - Rapid fire questions

  • Summary

    In this episode of Secured, host Cole Cornford interviews Bruce Large, a security architect and evangelist at Secolve, the OT security specialists in Australia. They discuss the importance of threat modelling in operational technology systems and the need for engineers to consider the potential for cyber attacks. Bruce also shares insights from the ISA/IEC 62443 series of standards, which provides guidelines for secure system development in OT. Additionally, they touch on the significance of unions in the tech industry and the benefits of joining organisations like Professionals Australia. Tune in for a fascinating conversation on application security and more.

    Timestamps

    1:25 - Bruce's professional background

    2:40 - Defining "engineer" in different contexts

    6:20 - Differences between computer engineers and civil engineers

    8:20 - Threat modelling

    12:40 - How we treat safety in software vs other industries

    18:30 - Bruce: we should be encouraging lifelong learning

    24:00 - ISA/IEC 62443 safety standard

    29:00 - The Year 2038 Problem

    34:20 - Unions & industrial relations

    43:40 - Rapid fire questions

  • Summary

    Paul McCarty is CEO and founder of SecureStack, a DevSecOps visibility & automation company, and GitLab's Red Team leader. Paul's been involved in software security in Australia for decades. In his conversation with Cole Cornford, Paul discusses how Australia's software security industry has changed since the early 2000s, whether security professionals ought to know how to code, and plenty more.

    Timestamps

    2:50 - Paul's career background

    7:00 - Spicy take: people on LinkedIn are too blindly positive

    10:00 - Understanding what went wrong when there's a breach

    13:00 - Cole doesn't think "zero trust" is feasible

    14:10 - Cole: maturity of cybersecurity in Aus is weak generally

    16:00 - Cole hires for dev experience, not sec ops, because dev is harder to teach

    18:30 - Aus market different to US, which has lots of software companies

    21:50 - Paul: we've devalued the importance of operations

    22:20 - The "holy trinity" of offensive security

    26:30 - What percentage of ASX companies have a bug bounty program?

    28:50 - Cole's free pizza exploit

    31:00 - Got to be in security for the long haul

    31:40 - The book that changed Paul's life

  • Jay Hira is a cybersecurity director with 18 years of experience working in a variety of roles both in Australia and internationally. Today he is Director of Cyber Security: Financial Services at KPMG Australia, and Founder and Executive Director of MakeCyberSimple. In this conversation Jay and Cole Cornford avoid getting too deep into technical details, and instead discuss a zoomed out perspective on cybersecurity strategy for large organisations, how the current macroeconomic climate affects approaches to cybersecurity, tips for clear communication between technical and non-technical stakeholders, and plenty more.

    Timestamps

    1:40 - Advantages of generalisation vs specialisation

    4:00 - Tips for communicating effectively to leaders

    6:00 - Clarity comes from simplicity

    9:30 - Importance of reporting structure in a large org

    14:20 - Core foundations of a cyber strategy

    20:00 - How current economic climate is affecting cybersecurity budgets

    24:30 - How do you maintain intrinsic motivation?

    27:00 - Work life balance

    30:30 - Rapid fire questions

  • Tara Whitehead is Security Engagement Manager at MYOB. Prior to becoming a cybersecurity specialist, Tara had an eclectic career, including working in advertising and international relations. In this episode Tara chats with Cole about how her non-technical background has in many ways been an asset working in security, leading change management in large enterprises, the importance of great communication skills, and plenty more.

    Secured by Galah Cyber website

    Timecodes

    7:15 - Tara's first days in AppSec

    10:00 - How to influence people

    12:30 - Why we should dial back on the doomsday conversation

    14:10 - Find your change champions

    21:30 - Is a non-technical background a help or a hindrance?

    23:30 - Communication and influencing are key skills

    26:00 - Communicating with execs

    28:20 - Rapid fire questions

  • Episode summary

    Daniel Grzelak is currently the Chief Innovation Officer at Plerion, and has had a storied career at a variety of technology firms around Australia. In this conversation Daniel brings his experience and insight to the topic of common myths and misconceptions within the cybersecurity industry, and with Cole Cornford tackles questions like:

    Does a cybersecurity professional need to know how to code?

    Is there a workforce shortage in the industry?

    Should pen testers write remediation advice?

    Timestamps

    1:50 - Does a cybersecurity professional need to know how to code?

    5:40 - Is there a workforce shortage in cybersecurity?

    9:30 - Questions to ask when interviewing potential cybersecurity hires

    12:30 - Are people in cybersecurity bad at promoting their own skills?

    17:00 - Should pen testers write remediation advice?

    20:20 - Daniel's career advice: start writing

    After working as a cybersecurity consultant in Europe for over a decade, Jacqui Loustau was struck by how cybersecurity professionals in Australia were overwhelmingly male. This led Jacqui to found the Australian Women in Security Network (AWSN), a not-for-profit association and network with the goal of increasing the number of women in the security community.

    In this episode, Jacqui chats with Cole Cornford about how businesses can change their approach to hiring to improve diversity, the importance of supporting kids and students of all backgrounds who have an interest in the field, as well as some of her thoughts on the future of the industry.

    Secured by Galah Cyber website

    Timestamps

    4:30 - Jacqui’s career background.

    9:30 - How Jacqui became inspired to tackle the issue of diversity within cyber.

    10:00 - At Jacqui’s first cyber event in Aus, struck by a sea of men.

    13:00 - Achievements Jacqui is proud of from the last 10 years.

    15:20 - What can businesses do to encourage diversity.

    19:00 - Cole: what are some systemic issues we need to tackle?

    22:00 - Jacqui: you can always teach technical skills.

    23:00 - How we can support kids & students to move into cyber.

    25:00 - Rapid fire questions.

    27:10 - What will be the theme in cyber for 2024.

    While working as Head of Cyber Security Business Services at Australia Post, Susie Jones worked on a product that was designed to support small businesses that had suffered a data breach. Susie came to believe that existing cybersecurity tools and support were generally either too expensive for Australian small businesses, or didn’t suit their needs. And so she co-founded Cynch Security, which aims to fill this gap.

    In this conversation Susie chats with Cole Cornford about Susie’s career, the benefits of coming from a non-technical background, and they do a deep dive on the security needs of small businesses in Australia.

    Secured by Galah Cyber website

    4:36 - Susie’s career background

    5:40 - Benefits of coming from a non-technical background

    7:15 - Challenges of running your own business

    7:40 - Cole: you’re selling protection, it’s a pure cost

    8:10 - Susie’s motivation to become a founder

    9:00 - Consequences of breaches “the worst working day of their life”

    10:30 - Most common security challenges for small businesses

    13:00 - Big businesses that work with small businesses share cyber risk

    14:40 - Supply chains and small businesses in Australia

    17:20 - 90% of employers in Aus aren’t served by our current cyber solutions

    18:00 - Worst examples of advice not suited to small business

    19:20 - Tips Susie would give to small businesses

    21:20 - Password managers are a no brainer

    25:00 - Rapid fire questions

    26:10 - One cybersecurity myth Susie would like to debunk

  • In this episode Cole Cornford chats with Nathan Morelli, Head of Cyber Security and IT Resilience at SA Power Networks, which is the sole electricity provider for the entire state of South Australia. Making sure that 1.7 million people have electricity is a pretty important job, and Nathan shares his perspective on how the organisation maintains resilience in the face of potential breaches.

    They also discuss the importance of financial management skills in a management role, the Australian government’s updates to the Essential 8 and the national Six Shields cyber strategy, the importance of work life balance, and plenty more.

    Secured by Galah Cyber website

    4:00 - Nathan’s career overview

    8:00 - “Not if, but when” and the principle of acting like a breach has already occurred

    10:40 - Cyber resilience is critical

    11:00 - Finding value in the impact of your work

    15:00 - Matching cybersecurity strategy to the resources available

    17:20 - High regulation/barriers to entry restrict quality security advice

    19:00 - Importance of access to affordable cybersecurity tools

    19:30 - Australian government “Six shields” update

    23:50 - Australian government update to “Essential 8”

    27:40 - Why Nathan adopted financial management concepts in his cybersecurity work

    31:10 - Cybersecurity decisions are made for financial reasons

    33:10 - Typical career trajectory: follow money, then people, then problems

    35:40 - Importance of work-life balance

    40:40 - Rapid fire questions
