How Ryan Ko is Making Australia the Most Cyber-Safe Country through Cyber Education

Posted on November 10, 2023 in Cyber Certification

In episode 41 of REDD’s Business and Technology Podcast, host Jackson Barnes and co-host Brad Ferris sit down with Ryan Ko, Professor, Chair and Founding Director of Cyber Security at The University of Queensland, for a discussion on transforming cyber security education in Australia. Ryan’s extensive experience as an ISO editor and his role in the development of cyber security standards give him a unique perspective.

Ryan discusses his efforts to bridge the gap between small and medium-sized businesses (SMBs) and effective cyber security. He emphasises the need for a new breed of standards tailored to SMBs, addressing the often-neglected 97% of Australia’s economy, and highlights a new initiative, SMB 1001, which offers SMBs a structured, tiered path to accreditation and certification.

In the coming years, Ryan envisions a regulatory shift towards comprehensive privacy protections for smaller businesses and increased adoption of cyber security accreditations. He champions long-term investment in innovation and research as the path to securing Australia’s cyber future. In his quest to ensure Australia becomes the most cyber-safe nation, Ryan is committed to educating future cyber security leaders, advancing standards, and driving impactful change in the industry.

#CybersecurityEducation #SMB1001Standard #AustraliaCybersecurity #InterdisciplinaryLearning #CybersecurityInnovation


00:00 – Opener
00:28 – Ryan’s Introduction
01:03 – Ryan’s Career Background
08:42 – Ryan’s Cyber Security Courses
13:17 – Game-Changing Things To Change The Landscape Of Cyber Security Courses
14:15 – Elements Of The Cyber Security Courses
15:56 – 4 Non-Technical Language Courses
18:04 – Advanced Courses
21:03 – Criminology In Cyber Security
23:06 – The Purpose Of Cybersecurity Competitions
26:41 – Enforcing Ethics In Cybersecurity Education And Competitions
29:32 – Takeaways From The Biggest Cyber Security Event Of The Year
32:27 – Cyber Security Certification In Australia
36:43 – The Need For Cybersecurity Standards Tailored To Small Businesses
38:32 – CyberCert
41:36 – Cyber Insurance for Certifications
43:54 – The future of Cyber Security for SMBs
45:59 – Microsoft’s $5 billion investment in Australian Cyber Security
47:34 – Australia as the Most Cyber-Safe Country in 2030
49:20 – Cyber Challenges in Australia’s Cyber Security Industry
54:07 – Ending remarks
54:38 – Outro


If you would like to discuss any of the topics discussed in this episode further with a REDD expert or if you would like to be a guest on the show, please get in touch either via our website, [email protected], or through any of the links below. https://redd.com.au

https://www.linkedin.com/company/redd-digital/
https://www.linkedin.com/in/jacksonpbarnes/
https://www.linkedin.com/in/bradley-ferris
https://www.linkedin.com/in/ryan-ko-38894824/


Show Transcript

(00:02):

Hello. Welcome to Redd’s Business and Technology Podcast. I’m your host, Jackson Barnes. I’m your

(00:24):

Co-host, Brad Ferris.

(00:25):

Today we’re sitting down with Ryan Ko, who’s a professor of cyber security at the University of Queensland or UQ for everyone around here, and also the co-founder of C-S-C-A-U, the Cybersecurity Certification Australia. Ryan, thanks for coming in. Thank you. Looking forward to getting some insights, be mostly a cyber security conversation today, which some of our audience I think will be happy about and others will go, oh, I don’t, another cyber episode. That’s okay. You’ve come highly recommended from Darren Hopkins and Peter Maynard, your business partner at CSCAU. So it should be good to get some insights, mate. Let’s start, Ryan, with your background way back before you started doing lecturing cyber security.

(01:02):

So I was an engineer. I went to the semiconductor industry, and after two years went back to do a PhD. At the end of my PhD, I joined a competition, and in that competition in Los Angeles I won the first prize.

(01:18):

What competition? Like

(01:19):

Computer? It was the IEEE Services Cup. So you have to do some services computing. It was pre-cloud computing days. Do some demo on automation. At the time it was AI, but it was the AI winter at the time, so people were ashamed to talk about AI as AI, but it’s AI, AI planning, just doing automated business process formulation for services. And then I won the first prize. One of the judges was from HP and he said, would you like to work for HP Labs? I was like, yep, why not? I took the job, went in, and they were saying, look, we as Hewlett Packard have about, at the time, 70% of the world’s data centre market right now. We would like to see how we can transition into the up and coming cloud industry, and just name us the five most important problems in the next five years. Because at HP Labs, our job is basically to create the next generation of HP products. So I saw many crazy things inside there. It’s like a science lab. I saw foldable paper that’s electronic and that kind of thing. So lots of things that never saw the light of day.

(02:38):

So I thought about it. Cloud computing, you’ve got to put stuff into other people’s hands. I talked to a few business owners, my friends who are running businesses, and they said, no, we don’t trust you. We won’t be having our data in your cloud. That’s more than 10 years ago.

(02:54):

Yeah, leave it in

(02:55):

Our

(02:55):

Building.

(02:56):

Everyone’s doing it the opposite right now, so it’s quite interesting. So I thought, okay, maybe I’ll just propose privacy, security and trust issues and products around that. And I proposed it to my boss. He gave me his blessing. I was sent from Singapore to Bristol, Bristol to Palo Alto in California, and then we were producing new generations of data tracking or data provenance computing tools. We track stuff at the kernel level so that we can detect different rootkits or malware that usually would bypass a lot of normal detection. And then HP bought ArcSight, and ArcSight was saying, hey, you can apply this in our security information and event management tool. So I spoke to the founders at ArcSight, said, hey, how do we do that? And then one of the features of ArcSight now features one of my team’s works. So since then I spoke to my PhD supervisor one day, caught up, and then he said, look, I know you really like industry and you’re enjoying yourself, but do you remember the first time you met me? What did you say? I said, yeah, I said to you that I wanted to be a professor. He said, now’s the time, Ryan.

(04:17):

So you’ve always wanted to be a professor.

(04:19):

I wanted to be an academic since I was studying. I just felt it was a great role where you can challenge the frontiers of research and also guide a lot of people at the same time and still be in touch with industry if you want to. So

(04:32):

It’s

(04:32):

A balance of all worlds, kind of like the most flexible job in the world,

(04:36):

Right? Most people, I’d say with your kind of background doing that would try and create a new product or technology or something overseas and try and blow it up, for example, or go want to work your up in the massive chain of hp, right?

(04:50):

Yeah, yeah. It was a pretty good experience because we were about 600 researchers in HP Labs located around the world, all reporting to the CEO. So we got to see the then CEOs, we saw a few change over time, and we worked directly with them. Got to see bright and very intelligent people. This one guy, the first time I went into the Palo Alto office, I saw his name tag on the table. I was like, I think I read this guy’s textbook before. Yeah,

(05:20):

Right.

(05:21):

That’s cool. It was about edge detection on images, and so I got to know him. He likes birdwatching. Yeah, awesome. We went for chats and lunches and all. It’s very interesting talking about edge detection and how he doesn’t want it to be used against him one day for missiles and other things.

(05:41):

But

(05:41):

Anyway, back to the cybersecurity topic. So I went into academia, applied worldwide, got job offers from Australia and New Zealand, and went to the New Zealand one. Saw the environment at the University of Waikato was pretty good for research and a nice environment for teaching. Went there, and the head of school at the time asked me, what do you want to do? I said, I noticed you don’t have a cybersecurity lab. Can I start one? So I started that in 2012, and that became the first cybersecurity lab, and we offered the first master’s degree, Master of Cybersecurity degree, in the country. One thing led to another, so that brought our group on a path where we became the highest funded group in the country for computer science grants. Using the grants, we managed to build more, and then we started to run the national competition, the New Zealand Cybersecurity Challenge. Started working with Interpol, the NSA and so on, and I got myself into ISO standards editing as well. So it was a pretty good seven years, I think. And then UQ came calling and they said,

(06:55):

So 2019,

(06:56):

You

(06:56):

Came to Brisbane

(06:57):

2019, yes, I came here.

(06:59):

You got poached. Kind of. Yeah. But I think the mindset is, because I did it in New Zealand, hopefully I can replicate it here. UQ has a pretty good history with AusCERT, founded in 1992 as the world’s second oldest computer emergency response team after Carnegie Mellon University. So I’ve always been a fanboy of AusCERT from across the Tasman, and I was like, oh, these guys are so cool. They are the frontiers. And the university I was at was the first connection point of the internet for New Zealand at the time. So I was like, oh, this is great. So I came here, I was like, oh, this is, yeah, interesting. It’s going to be tough, but I like the challenge, took it up, and here I am.

(07:47):

Well that’s great. I mean, to be honest, that’s a big challenge that cybersecurity industry has, which we might circle back to later in Australia or

(07:54):

Probably

(07:54):

Globally,

(07:55):

Is

(07:55):

The amount of resources, like trained cybersecurity professionals, in Australia is really, really low.

(08:01):

Way

(08:02):

Under demand. I think there’s short 20,000 people or something in Australia to meet actual demand.

(08:07):

Some reports say 26,000, some say 18,000 by 2026. Some of the industry experts say it’s a bit lower, but one thing that’s for sure is we are short of,

(08:21):

And to be

(08:22):

Honest, most good quality stuff.

(08:23):

Most stuff, like cybersecurity and skilled operation centres, is offshore. Almost all of them. There’s a really, really small amount locally here. And there are people who have a couple of SOC analysts looking at stuff locally, but the number of actual full security operation centres in Australia is really, really low. What kind of cybersecurity courses are you teaching currently?

(08:45):

So I run the UQ Master of Cybersecurity. I designed the curriculum. The course that I teach is the first one. So everyone who comes into the degree, either the grad cert or the grad diploma or the master’s degree, they all come through this course. It’s called Fundamentals of Cybersecurity. So anyone who comes in, basically our degree takes in people from any background. So if you have a bachelor’s degree in anything, say music, arts, social science, we take you. So we’ve had students who are returning-to-work mums, veterans. We have people with music degrees, we have people from journalism degrees and so on coming onto our courses, and then they get retrained and they bring a very unique perspective and a different diversity of thought. And sometimes the discussions in class are pretty interesting because we simulate different scenarios. So my course goes through about 12 weeks of different perspectives of cybersecurity, from geopolitics to law to business management, risk management, standardisation, norms and frameworks, to different computer science challenges, emerging technologies and criminology aspects and many more, ending with the career options.

(10:05):

So it’s kind of like, I call myself a museum guide. You are entering the museum of cybersecurity and you don’t know where to start. You don’t know where maybe the Mona Lisa is or the famous sculptures are, and you may like modern art instead of Renaissance art and so on. So my role is to introduce them to the spectrum of different types of challenges, and then, if they like it, they will go into specialisation. So further on in their degree, they specialise in one of four fields: cyber defence, cyber criminology, cryptography and leadership. So leadership looks at converting existing IT managers or existing managers into cybersecurity leaders. It’s run by the business school. So you get a taste of the cyber MBA that we designed.

(11:00):

So has that landscape changed much like the frontiers I think you mentioned of cybersecurity? Are those fundamental areas much different from when you built your first course in New Zealand to now? Oh yeah,

(11:14):

It’s changed pretty much and has intensified a lot. The geopolitical, so the first degree that I designed in New Zealand was a combination of computer science and law subjects and that’s it. And then the second iteration was computer science law and some parts of criminology. But now it’s almost everything

(11:40):

I get that. I imagine if you roll back 15 years, it would’ve been mostly make sure your stuff is patched and there isn’t any virus on stuff. That was cybersecurity, right? 15, 20 years ago.

(11:52):

There were some things that still remain. For example, at the time we talked about ransomware emerging as probably the most profitable thing for criminals, and we were transitioning from banking Trojans to ransomware attacks and so on. And then we got to work with some companies like Trend Micro and all. Then we ran the ransomware samples in a sandbox, studied the behaviour and visualised them for the public to see. So things like that haven’t changed. There are some things that changed massively. For example, the diversity of the people that are coming in, and the fact that you don’t have to explain why cybersecurity, because in the beginning, when we started the first degree in New Zealand, we had to explain that we’re not training hackers, because everyone looked at the Hollywood movies and

(12:44):

They

(12:45):

Looked at WHOIS and also, when I came to UQ, I made it a point that none of our advertising or branding material had anyone wearing a hoodie

(12:56):

Or the skull and crossbones on top

(12:58):

Of some bits and bytes.

(12:59):

That’s right.

(12:59):

And we don’t type fast like the

(13:03):

Matrix

(13:03):

Code. The Matrix code. So it’s a perception change. You don’t have to explain what cybersecurity is. Now everybody knows that, so it’s easier, but the challenge now is how to do game-changing things that change the landscape, that can make us a safer place. I’ll give you an example, CAPTCHA. So we use online forms, and CAPTCHA is just a simple concept. It’s basically a reverse Turing test, testing whether you are human instead of whether you’re a machine, so you test it, but the

(13:42):

Whole

(13:43):

Implementation of CAPTCHA into the web form effectively eradicated the entire web spam problem. Before CAPTCHA, there were so many bots that automatically generated those entries in the forms, and people running websites just couldn’t handle them, and CAPTCHA just simply did that. Yeah, it’s interesting.

(14:07):

Yeah. I do want to unpack what kind of research you’re doing now, but Brad, where do you want this conversation?

(14:11):

I’ve got a couple areas I can go in.

(14:13):

I’ve got one more question. Sure.

(14:15):

So is it fair

(14:16):

To say, based on what you said and the people that come through the course, the course curriculum, is there a technical element, or is it more around the risk and governance side?

(14:26):

Yeah, so I would say that slightly close to 60% of the people coming in still want to do a technical element. There’s about 20 to 30% doing the GRC, risk-related auditing type of jobs. And then there are a few more doing criminology and a minority doing cryptography. It’s my hope that more people will look into cryptography and more people look into criminology because they’re kind of like the new frontiers. Back to your question, I think at that time when I started the first degree, and now this is the third degree, I think the frontiers were innovative technology solutions. Now, if you look at people, process and technology, the frontiers are actually in the people and process. That’s the part that hasn’t seen a lot of innovation.

(15:24):

So you’ve got people going to study cybersecurity without a technical background. How does that work exactly? I should explain this as clearly as possible for me and people listening. So I would imagine you would need to know what a server is, what storage is, what the cloud is, infrastructure, computing, applications, all the fundamental stuff that we talk about in the technology world. You have to really understand that at a base level to discuss cybersecurity, right?

(15:54):

Yes. And so we have four courses in the beginning, which is four courses in six months. Then you can leave after that, and some people get a job after the six months and they leave with a grad cert. The four courses are all taught in non-technical language.

(16:10):

So the course that I teach, I have to explain what malware is, how a computer works, how a computer mirrors functions of a human body. You have a brain, and the brain is a CPU, but some parts of the memory are also the RAM. And then sometimes you need to store stuff and you want to use it again. It’s storage, that kind of thing. So we call it pockets. And so we use this kind of analogy. We have some reading material, so we have a few different ways of teaching. So we let them read something, and get them not just reading but also watching videos, once about the Morris worm and how did the Morris worm happen? Are we still seeing the problem now? The answer is yes, we’re still seeing the problem, which is poor authentication across computers, and hence worms spread and that kind of thing. So the approach is what we call a Socratic approach. We ask questions, we lead into the brain and they ask questions. They internalise it for themselves. And at the end of the four courses, all of them know about the problem. They may not know how to code, they may not know how to do system administration, but they can grasp the problem very well and recommend solutions towards it.

(17:29):

So you’ve seen people go through your four courses starting non-technical and then get a cybersecurity job after

(17:37):

Many of them, and that’s a very early exit for them

(17:42):

Because after the four courses, we go into half a year of specialisation if you don’t have the necessary background. So if you go into cyber defence, you will need a computer science, IT or software engineering background. In the next half a year, we actually do basics. So we do introductory courses that are intertwined with undergraduate courses that talk about databases, web, networks and so on. By the end of one year, they know the problem. When they are taught the technology, or maybe even the criminology background or even the business and management background or the cryptography background, they can then do the second year in application where they go deep. So that’s when the advanced courses come in. Yeah, right. Okay. Then that’s the third half year. The final half year is where we address another key skills shortage challenge. A lot of companies are looking for unicorns. They want somebody with 10 years’ experience, but young and energetic and highly qualified, CISSP certified and CISM, everything. So we’re trying to bridge the gap, build a portfolio for the students before they graduate from the two-year master’s. So in the last year, in the first six months they get to design the project. In the last six months they get to implement a capstone project. So it’s kind of like two or three days a week with the industry partner working on a real-world problem. The industry partner gets to try before they buy also, so many of them actually get hired.

(19:23):

You mentioned before we went on air there’s some cybersecurity research you’re doing. You mentioned some exciting stuff that obviously you can disclose.

(19:31):

Sure, yeah. My traditional background is always in tracking data, looking at how things work, but I always find that it’s very challenging to look at just the technical aspects, and that’s where I get pushed out from the technical into the non-technical domains. So one of the areas that I’ve been exposed to, as I was the director of the New Zealand Institute for Security and Crime Science, was the richness of the crime prevention techniques in traditional crime that can be applied to cybercrime. And some of the things that I recently did was applying this group of techniques called situational crime prevention, the 25 techniques to prevent crime. But cybersecurity only uses two out of the 25. So there are 23 more.

(20:25):

What are the two? The

(20:27):

Two is making it harder, which is what we do all the time,

(20:31):

Right?

(20:32):

And trying to remove excuses.

(20:35):

Okay.

(20:36):

Yeah, logging, right, getting logs, trying to find evidence. That’s it. Yep. But there are so many others, right? Removing motivation and many other families. There are families, I can’t remember them off the top of my head right now, but check it out. SCP, Situational Crime Prevention. The concept comes from the traditional crime theories. Criminology came from the mindset, the traditional criminology thinking was, maybe we should look into the criminal mind and understand how the criminal works. So that’s what cybersecurity is now talking about, what’s the mind of the criminal and all,

(21:18):

Not just when businesses get hit, how do you recover, but

(21:20):

That’s right.

(21:21):

What are they going looking for? Why are they attacking?

(21:25):

But there’s a group within this criminology group, the scientists who think that, no, it’s not about that, because everyone will commit a crime if there’s an opportunity. So how do we reduce the opportunity? How do we change the environment in which a potential criminal may operate? So an example was this street in the US, which had a lot of drive-by shootings, and they said, let’s do it from an environmental change point of view. Let’s change this so that the drive-by shooting never happens again. So what they did was a modification to the road where they made it a dead end, and the cars have to U-turn at the dead end. And if you want to do a drive-by shooting, you have to U-turn back. They’ll shoot back at you.

(22:19):

Yeah. Okay.

(22:21):

So the environment was changed, and because of that, crime was prevented. Now the same thing can be applied to cyber as well. Are we able to change the environment so that this kind of cyber drive-by can be reduced? So this is some of the latest work that I’m working on. Interesting.

(22:42):

I thought you were getting interviewed for a second there. Might get a little journey into the criminal mind. Yeah. You mentioned as well some of the cyber World Cup that you’ve run, and I believe Australia and New Zealand have gone quite well in it. Do you want to elaborate on what that is? Because I’ve never heard of a cyber World Cup in my life. That

(23:03):

Sounds, is it annual

(23:04):

Or every four

(23:04):

Years? It’s annual. So it was planned just before Covid, actually, when I was in New Zealand. We were running the New Zealand Cyber Challenge. So that gained a bit of prominence because we invited overseas teams, and in 2019, as I was moving here, some of the overseas organisers were saying, hey, we should all get together, kind of like a FIFA or a regulatory body that comes together to organise a World Cup. And I was like, okay, sounds cool. Count me in. And so what do I do? They said, oh, you will represent your Oceania region. And I was like, oh, this is perfect, because I’ve been in both of the largest countries in the South Pacific. So I was like, okay, why not? Turns out to be a very naive yes, because it turns out to be a lot of work, but we ran it in, we wanted to do it in 2020 or 2021, but we weren’t able to for obvious reasons. And in 2022, we ran the first Oceania Cybersecurity Challenge to qualify youths from 18 to 25 years old to go to the grand finals, at that time in Athens, in Greece. And this year it was in San Diego in California,

(24:25):

Right?

(24:25):

The first try. So the first team was 16 youths, about 11 Aussies and five Kiwis. This year’s team is 11 Aussies and six Kiwis. And in fact, some of the Kiwis actually went through some of the competitions I used to run. So it’s like full circle. They come back and, oh,

(24:45):

It’s

(24:45):

You again. So we actually managed to, in the first instance, we got fourth place, and this year we actually got second.

(24:53):

Yeah, right. What’s involved in a cyber World Cup? What are they doing exactly?

(24:58):

So we just

(24:59):

Go and hack into this. Do you set up a scenario for them?

(25:02):

There are a few challenges. So the first is the capture the flag. So that’s another big change since I started until now. Capture the flag competitions used to be custom made and you had to put in a lot of effort, but now there are so many platforms you can just run them quite easily. But the capture the flag competition is round one. You get scores and you try to get as high a score as possible and you solve the challenges. After that, there is an attack and defence round, which for this year also included a hardware round, a hardware challenge. So these people are stretched. They’re usually put out of their comfort zones because most people will just be focusing on specialising. So some of the competitors are specialists in cryptography, for example, or binary exploitation or that kind of thing. And then when they’re put across, that’s when the team comes in, because you need to have different specialties. For example, you need a defender, you need a striker, you need a goalkeeper and so on. So this is the exact thing. There are substitutes as well that you can use. And there are strategies.

(26:10):

And you are not training hackers, just to be clear? No, no, we’re not. You’re teaching them, practising on attack and defence? No. I’m joking a little bit, but how do you enforce ethics? You’re trying to help people train how to defend from cyber criminals, obviously, by giving them a lot of exposure to the criminal way of doing things and that kind of thing. How do you enforce ethics for

(26:41):

It is a key part of everything that we do in teaching and research, and also in training and competitions. So for teaching, we tend to cover the legal implications. The crime brings you more years in jail than some other crimes. And the consequences: we let them sign declarations, they have to attest that they wouldn’t do this, and then it has to be witnessed by a peer. In research, research ethics are very paramount, because you don’t want fake results and fudged outcomes. And then, training wise, it’s the same thing. So there is a code of conduct, there are ethical expectations. People who come to the competitions typically want to do the right thing, and they see a good career outcome out of it. And we always say, look, there are people circling around, the sponsors who are helping us to sponsor this, actually recruiting, so many of them are actually recruited in the end, and ethics is also enforced in the way they do it. From time to time, you might see some, so let me just put it this way: people who actually qualify for the finals typically wouldn’t have any ethical issues, because they’ll be weeded out long before that, because their peers will point them out

(28:11):

Or tell on them. So you get a kind of natural selection. I started organising competitions in 2014. That was the first New Zealand Cybersecurity Challenge, because I just felt that there was a gap in the way we teach cyber or the way we research cyber, because there’s learning from the lectures and tutorials and hands-on exercises, and then there’s this thing called peer learning. And because of the pace of cybersecurity, you can’t just depend on lectures and tutorials.

(28:45):

Outdated. Yeah,

(28:46):

Outdated, right? Yeah. So the team now, for example, the latest Team Oceania that just got in, they’re teaching each other about the latest AI techniques to automate some of their detection.

(28:58):

Yeah. Have you put any of that into your teaching recently? AI is a massive topic now.

(29:03):

We have a topic called AI in Cybersecurity, so it has been there from the get-go. Yeah. But those are the theoretical concepts and the classical machine learning and AI techniques. These guys, they’re using the latest.

(29:18):

Yeah. Right,

(29:18):

Right, right. Yeah, bit

(29:21):

Different.

(29:21):

Yeah, a bit different.

(29:22):

So last week you were down in Melbourne for the biggest cybersecurity event of the year, hosted by AISA. What were three takeaways from that event this year?

(29:32):

I guess one takeaway was, it’s great, I think it’s a coming of age for the conference. So you get to see not just the usual suspects, the same faces,

(29:49):

You

(29:49):

See a second and a third generations of cyber professionals.

(29:53):

Is that because of more people studying cyber, or because of all the large recent breaches like at the end of last year and early this year? I think

(30:01):

It’s all of the above.

(30:02):

Yeah. Okay.

(30:03):

So you got to see people who are trying to break into the industry. You got to see students who are volunteering, and then you see interactions. There’s a career village, and it’s a coming of age because you got to see foreign delegates as well. So there are visitors from the UK or Lithuania and other countries coming to see CyberCon. So it’s quite interesting. Cool.

(30:25):

What were the other two takeaways from the event last week?

(30:28):

The other two, the second one, was in the area of the topics. I found it quite interesting to see that the supply chain related topics tend to have people standing at the back because there aren’t enough seats.

(30:48):

They pay supply chain risk,

(30:49):

Supply chain risk. I think people are scared because they don’t know how to get a sense of it, and the responsibilities are not the cybersecurity professionals’. So that’s the second takeaway. I guess the

(31:01):

Third

(31:02):

Takeaway is that I was able to see this inclusive mindset, because they got to bring different types of thoughts and thinking. So that was really attractive, because I get to listen to different perspectives. I see people from different backgrounds. So it’s kind of mirroring what we’re trying to do at UQ with the interdisciplinary approach.

(31:29):

But this

(31:29):

One is on scale. So it is pretty interesting to see this inclusive nature of cyber that’s forming,

(31:41):

Because I think previous to this year there was a big cyber industry versus IT industry kind of thing, where cyber professionals were like, you’re just IT guys. And we hear all kinds of crazy stories coming both ways, to be honest. Do you feel like that’s getting a little bit diffused recently?

(31:59):

Oh, it’s definitely diffused because look at the name badges of all the people. They’re not from cyber or IT companies. They’re from end users, they’re from clients, they’re from government agencies, the departments. And you’re just like, oh, this is, like I say, it’s the coming of age of the audience of the conference where it starts to break down these barriers.

(32:21):

Let’s, I’m just changing gears a little bit to Cyber Security Certification Australia, which you started with Peter Maynard, who is from Cybermetrix, who we had on the show actually maybe six months ago or so. Why did you start that and how’s that going?

(32:36):

So like I mentioned earlier in the show, I have been an ISO editor for more than 10 years now, and I’ve done a few. I’m in the technical committee that regulates the SC 27. It’s called SC 27. The long name is ISO/IEC JTC 1/SC 27. The 27000 series came from this committee. And one of the challenges that I see is that the pace of the standards development doesn’t match the pace of the evolution of cyber. One ISO standard takes about six years to get published.

(33:12):

Wow. And six years is a long, long time.

(33:14):

Six years, that’s right. Every second we have four new malware created. So

(33:20):

That’s not working very well. It’s an uphill battle that

(33:22):

One, it’s an uphill battle. So there has to be a way to radically change that, but yet not compromise on the quality of the standard. It has to address something. The other challenge for the ISO standards is the fact that most of them are not prescriptive, because it is intentionally so. It’s created as a guideline where you can customise as a consultant, customising, but because it’s not prescriptive, it doesn’t tell you you should do A, then B, then C, some of the small and medium businesses don’t know where to start.

(34:01):

Yeah,

(34:01):

Yeah. It’s kind of like saying that, let’s go for the ISO standards because they’re the gold standard. It’s like telling someone who doesn’t know martial arts, you have to be a black belt to be safe, you have to be a black belt. But what about the coloured belts? We start from white and then we go up the levels. So this is the mindset and how do we change this? How do we create an organisation that creates a new breed of standards that’s focused on this kind of small and medium businesses, which forms more than 90%, probably 97% of the economy that has been neglected because they cannot get a black belt.

(34:50):

And there were some stats out, actually I think 62% of breaches in the first six months of this year in Australia were for businesses with less than a hundred staff. But the newspaper gets all the big ones, obviously. But the majority of breaches are the fairly small businesses.

(35:06):

Small businesses. And actually some of them pay a ransom and they go hush hush, don’t talk about it.

(35:14):

But there’s a statistic that shows that more than 50% of such businesses also go bust after the cyber attack. So it’s a business destroying kind of situation. So we need to be able to bring the standards to be best practice, prescriptive and guided for the lowest common denominator. Everyone from the florist to the butcher to the sparky, and then to the lawyers who are also less than 10 people in the law firm, to the accountants who do tax returns for people. These people are handling some of the interesting data that cyber criminals would target, but nobody’s there to protect them. So what we want to do, so when I met Peter, he was sharing his frustrations about being an SME and also servicing the SME as well, the SMB sector. One of the frustrations is that because you’re asking people to do a black belt, people don’t know where to start and they dunno how to do the step one. So we say, look, why don’t we look into something that has tiers? And then we came together and then we looked at it, we said, okay, let’s change the way this is done. We break it down into digestible levels. So we have five levels and level one has six controls or six measures,

(36:49):

Which are basically cyber hygiene. First step is you should find an IT support guy. Yeah, IT support provider

(37:00):

And then IT support provider found. Then you need to update your passwords regularly. You need to be able to look at creating a backup for your staff and many more that are really easy to do. And then level two, we start to introduce a little bit more encryption based techniques like multifactor authentication. If you have a website, make sure it has TLS turned on for HTTPS and so on. And then we start to go up more and more. And each time you actually do a little bit more until you are at level five and you realise that you’re almost at ISO 27001, which is level six. It’s

(37:49):

Definitely needed because I agree the cost for a small business to go and do ISO 27001 is pretty ridiculous. And you’re right about the six year thing. I dunno if it’s still the case, but I know a couple of years ago the framework was very much speaking about on-premise infrastructure, it was all worded around that. I believe it’s not so much anymore, but you can’t keep up with everything going on. So it’s great that you’re achieving there and I believe you get an actual certificate out as well when you do it. Can

(38:17):

You

(38:18):

Explain that?

(38:18):

So CSCAU is a standards making body. There’s a standards issuing body, it’s called a conformity assessment body, which will help organisations to certify against it. And it’s CyberCert, CyberCert actually helps the people to get a certificate out of it. There’ll be an attestation process and at the end of it they get a badge, which they can say that, look, I’m ready to articulate that I’m level one of SMB 1001. Yep,

(38:53):

That’s definitely needed. How is that going? Where is it at now? How many people have been accredited gone through the process, and what’s the plan for the next couple of years?

(39:02):

So the last two years, Peter has been doing this manually and he has been going around the councils and some agencies in the Pacific working with them on different aspects of certification on these five levels. What we’re currently doing with CyberCert, we are automating some of the processes. We are also doing disruption in the sense that if you want to do level one, it only costs you $95 to get certified. Level two is 195.

(39:36):

So very cost effective,

(39:37):

Very cost-effective.

(39:38):

But are you actually going and checking what they’ve got or is it just a question?

(39:41):

Yes. So that’s where our innovation comes in. We check what they got and it’s an attestation process. And we also ask the directors or the people with fiduciary duties to come and attest that they have done, for example, found an IT provider and done the automatic updates or the six measures of level one, and it’s a director attestation. So you’re effectively moving the responsibility from the IT person to the director, which is aligned to the AICD guidelines on the responsibilities of the board,

(40:19):

Which is also what happens in reality anyway. Exactly. If a business gets breached, the IT manager can just resign and run away with the directors sitting there with losing customer data. So requirement,

(40:30):

There’s no audit

(40:31):

Per se,

(40:31):

So there is an audit from levels four and five. Okay. So we work with companies, MSPs or other certification companies to do the audit. So there’s an audit process. So levels one to three is self attestation, which is aligned to most of the, so for example, CMMC in the US level one is self attestation. The reason is because you want to scale it. So millions of people to be audited is impossible, but when you go to levels four and five, these are the companies which possibly can hire more than one IT person and they’re the ones who are able to be audited as well. And then we work with companies that are consulting companies that are able to help us to service and audit on either the implementing or auditing of the controls.

(41:29):

Have you tried to, for the end users of the accreditation, try and use that this certificate to try and reduce cyber insurance and those kinds of things yet?

(41:38):

So we haven’t looked into feeding into reducing cyber insurance, but it’s a great thought that we had as well, which is why now we have been focusing a lot of our energy in creating a great governance structure around CSCAU. One of the steering committee members is actually the Insurance Council of Australia,

(41:58):

Right?

(41:59):

So we’ve set up a structure where we have a steering committee of representatives from different parts of Australia. So we’ve got the ASD on board, the government of South Australia to represent state level concerns and also to articulate more into the different needs of the state governments. And also we have, for example, the Australian Digital Health Agency. We’ve got COSBOA representing small businesses and we’ve got the Insurance Council of Australia and many more, maico, BDO and so on. So we managed to assemble a pretty good group and it’s independently chaired by Jason Murrell, the previous group executive of AustCyber. And then this committee is for this SMB 1001 standard, but it’s also governed, there’s governance over it where there’s this standards and certification oversight body, SCOB, that’s made up of people who are very experienced either in the sector or in the standards making space to make sure the standard is created in the right way. That’s been our efforts so far with Peter and now we’re moving into getting some of the people through the certification bodies.

(43:27):

So it’s live now. People have gone through it already.

(43:29):

It’s starting to be live very soon. So I think in the next couple of months we’re starting to see people going through the automation system. Yeah, yeah.

(43:38):

Cool. So the cybersecurity industry for small businesses, I would say is evolving rapidly. And it used to be only large businesses took cybersecurity seriously, and now a lot more businesses are taking it seriously. What do you think it’s going to look like in five years time?

(43:55):

Five years time? I think one thing that we need to look out for is the change to the privacy act. I’m sure you probably have noticed that they’re flagging that they will be removing the exemption of small businesses

(44:09):

From the Privacy Act requirements, especially in the notifiable data breach scheme. There’s a big responsibility for small medium businesses. So we just believe that there’s going to be a huge regulatory load on the small and medium businesses and there’s a need for them to articulate that they are compliant. So this is one of the trends in the next five years. The other trend that we see in the next five years is the small and medium businesses would have a desire to use their cyber maturity as a way to gain more procurement. So if they’re supplying to a large business, say an airline or a mining company or retailer, a large supermarket, they’re able to say, look, I’m at level one or I’m at level two. And then the retailer can say, look, I want people to be at level two. Are you level two? Yes, I am. Yeah. So this is going to be another. So that’s going to be a larger demand. Yeah,

(45:19):

I think it started already, to be honest. We are getting asked by our clients now for that kind of stuff. Give us some proof that we’re at some certain level that we can put on our proposals to go back to, yes, contracts and stuff require certain things now, but not all. Not many.

(45:37):

And

(45:37):

A lot of our big businesses are looking at third party supply chain risks, like you mentioned before. But some of our clients are actually saying, what can we stamp on our proposals saying we are cyber safe and that kind of thing. So that’s starting already. So I think you’re right. That’ll definitely happen. I want to get your thoughts on the Microsoft recent announcement of the 5 billion investment into Australia to create a cyber shield for Australian small businesses. How did you interpret that?

(46:00):

Well, the number is big, and I mean in Australian context, probably not in the American context, but in Australian context it’s a large investment. So it’s a good sign because it’s a large company that’s used by almost every country in the world investing so much into Australia. It is also addressing a few things. For example, they’re going to expand the data centres in Australia, although Brisbane was not listed as one of the cities, I would have wished that they had put a data centre here as well. It’s Canberra, Sydney and Melbourne, and then they talked about the 300,000 professionals they’re going to support. Maybe it’s still early days, but I would like to see more details about how they would be able to support that because 300,000 is a large number, but if they can support that, then we have a very good labour force. So that’s excellent.

(46:56):

I hope it’s for something meaningful, not just getting more data centre, more tin in data centres that they’re buying and more 365 licencing they can provision. Although that is definitely a good method for basic controls for small businesses, leveraging Business Premium to turn on MFA and a bunch of those other basic security technology things. So that’s a good thing. But yeah, this sounded pretty exciting because I didn’t want to get your feedback. I did want to get your feedback as well on Clare, the minister of cybersecurity in Australia, who has the vision of making Australia the most cyber safe country by 2030. What do you think we need to do?

(47:39):

Well, we need to look beyond 2030. We need to look beyond 2040 actually, and we need to build a long-term roadmap and address the big chunks of gaps. So we need to, like I mentioned, the small and medium businesses is the 97% of the economy that we have neglected. That’s an area in terms of skills. There’s an area that’s neglected as well currently by the industry, which is we are lacking people like myself, academics and trainers and lecturers,

(48:19):

To be honest. I was going to say that, Ryan, from our conversation, is that kind of what you are doing is exactly what I think Australian needs to do. Have more people teaching cybersecurity, making it so you don’t have to do a computer science background to get into cybersecurity. And also the accreditation for small businesses really actually helps, I think because there is a massive gap in 27,001. They need something in between. So I think couple things you’re doing is exactly what are any of

(48:42):

The other major universities offering a similar? Yes. So I think there are a few other universities, but I’ve never seen something as interdisciplinary as us so far. But as a TEQSA external assessor, I’ve done quite a number of assessments and accreditations for TEQSA in the last two years. And I’m seeing a trend where the rough model of my interdisciplinary approach has been copied by some of the new offerings. So it’s a good validation. There you go. Copying is the best flattery.

(49:18):

What other challenges does the cybersecurity industry have in Australia?

(49:21):

I think one of the challenges is there’s the talk about sovereign capability, I guess to be truly sovereign. It’s very challenging, mainly because of the, we don’t provide end-to-end production and not just the hardware, but also software as well. So it’s a long journey. So by 2030, I think it’s less than 10 years, so it’s very hard. So I was walking in Central Station and looking at the train station photographs and the train tracks were built more than a hundred years ago. They had a vision to link in different parts of Queensland and then Qantas, Queensland and Northern Territory Aerial Services, started in Winton because they wanted to send mail across. And these are the visionary investments. It can be by government, it can be by industry that builds something beyond. So this is something that’s missing in Australia now. The investment into game changing, the future captures that we can create, that we can be proud of and say this is an Aussie invention, like Wi-Fi,

(50:42):

This

(50:42):

Is an Aussie invention and it’s changed the world. So I think we should really invest in research and a lot on research and keeping the research here. An example is the solar, the photovoltaic solar panels, the technology was the breakthroughs for efficient solar panels also in Australia. But the talent went back home and they started their own manufacturing and that’s it. So if you don’t retain these talents that you train, it’s very difficult to retain these sovereign capabilities. So there has to be pathways for people, for example, like PhD students or postgraduate students or even migrants who are experienced professionals to come here and see this place as a home and then bring their expertise in and stay here and keep the

(51:41):

Expertise and keep innovating and researching and designing stuff. Yeah, I think you’re right. It’s going to be very hard to do because all of the hardware, software, and you look at the cybersecurity industry, all the tools that are used, the amount designed in Australia, probably none.

(51:57):

There are some interesting capabilities, but they’re usually not big enough to create a critical mass. So I think for example, what the Queensland government recently did was they wanted to invest in quantum technologies. I think that’s brilliant. That’s the right vision, the right thing to do because even if it’s a risk, you may not achieve it, but at least you’ve tried. Yeah, you tried building the roads, you’ve tried building the railroads, you tried creating the Qantas.

(52:27):

Have they done anything with that? Quantum computing?

(52:29):

So you’d be surprised actually at UQ, one of the quantum computation textbooks by Nielsen and Chuang was from UQ and it’s used around the world. We have some of the greatest breakthroughs in quantum computation and error correction are from here.

(52:47):

Yeah. Awesome.

(52:48):

Yeah, but we’re missing the foundries, we’re missing the manufacturing ecosystem. So hence we have them produce overseas.

(52:59):

Yeah, man, we just dig stuff out of the ground and ship it overseas here. That’s all we do. It is a problem, actually. I joke a little bit. I did want to ask, so with everything going on in the cyber industry, the last probably 12 months has been a lot worse than before. Are you seeing a lot more people wanting to study cybersecurity in the last six, nine months?

(53:23):

Yes, I believe.

(53:25):

Any stats on that? Is it a big increase?

(53:27):

It’s a twofold increase, at least from the applications that we receive

(53:32):

In the last 12 months.

(53:33):

In the last 12 months.

(53:35):

Is your course a sellout, oversubscribed? What do they call it?

(53:39):

It’s one of the best performing postgraduate courses in the university. Yeah.

(53:43):

Wow.

(53:44):

I can’t call it a sellout. That’s not a Taylor Swift concert.

(53:49):

I dunno what the term would be. Well, you must have limited capacity. Yes, yes. Right.

(53:57):

So we say that we are trying to focus on the future leaders. We try to keep the qualification cutoff.

(54:06):

Yeah. Awesome. Thanks Ryan for coming in and sharing insights. I’ve learned a fair amount through this and I think it’s great what you’re doing actually, to be honest. And I think what you are doing is how we make Australia most the cybersecurity country in Australia, right? Educate more professionals that are in it or not in it to get into cybersecurity and then help small businesses get secure without having to charge a million dollars more than they should be. And that kind of thing will be going through 27001 at once. So thanks for coming in and what are you doing? Thanks. Been a pleasure. Pleasure. Thank you.
