Why “Nothing’s Broken” is the Most Dangerous IT Strategy
If nothing’s broken in your IT environment, are you sure it’s actually working for you?
In this episode, you’ll hear REDD’s CEO Bryan Rogers and COO Chris Herbert, together with host Marco Nicosia, challenge a common assumption: just because nothing’s broken doesn’t mean everything’s working. You’re encouraged to look beyond surface-level performance and question whether your IT environment is truly supporting your growth or quietly holding you back.
You’ll reflect on the hidden gaps, the unseen risks, and the cost of downtime that rarely makes it onto a report. Bryan and Chris unpack why visibility, clear metrics, and strong governance matter more than ever. You’re reminded that resilience isn’t accidental, it’s designed.
If you’re leading a business, managing risk, or responsible for technology outcomes, this conversation prompts you to think differently. Not reactively, but proactively. Not when something fails, but before it does.
00:00 – Start
00:25 – Guest Introduction
00:42 – The Danger of “Nothing’s Broken”
02:50 – Hidden Gaps and Missed Efficiencies in IT
05:39 – Surfacing the Metrics You Don’t See
08:35 – Visibility Challenges with Multiple Service Partners
14:19 – Losing Control When Systems Fail
17:11 – The Real Cost of Downtime and Revenue Loss
25:40 – Why Testing Your Systems Is Critical
31:26 – Simplifying IT with Proven Frameworks
34:08 – Final Thoughts and What to Expect Next Episode
If you would like to discuss any of the topics discussed in this episode further with a REDD expert or if you would like to be a guest on the show, please get in touch either via our website, [email protected], or through any of the links below.
https://redd.com.au
https://www.linkedin.com/company/redd-digital/
https://www.linkedin.com/in/nicosiamarco/
https://www.linkedin.com/in/bryan-rogers-171423104/
https://www.linkedin.com/in/crjherbert/
READ THE FULL TRANSCRIPT HERE
00;00;21;09 – 00;00;22;17
Speaker 2
Thank you for joining me.
00;00;22;19 – 00;00;23;01
Speaker 3
You’re welcome.
00;00;23;02 – 00;00;23;20
Speaker 4
Good morning.
00;00;23;22 – 00;00;46;08
Speaker 2
Good morning. Bryan, CEO of REDD. Chris, COO of REDD. Joining us today and today we’re going to talk about IT again. But a very important aspect of it, which is you hear companies say and it’s quite dangerous. And when to say nothing’s broken, or maybe I should say in a more neutral acronym, nothing is broken.
00;00;46;10 – 00;00;47;01
Speaker 4
I like the first one.
00;00;47;02 – 00;01;15;15
Speaker 2
Yeah. Nothing’s broken. Right. So companies, potential leaders, they come in, people log in, works fine, computer works fine. You know, the system runs, the business continues. Nothing’s broken. Right? Thus creates a false sense of stability and of safety. Right. Because you just don’t see what’s going on in the background until now. The wheels are turning. You don’t know if they’re turning effectively, but it’s a dangerous signal, right?
00;01;15;15 – 00;01;26;21
Speaker 2
Just to take that as fact. Nothing’s broken. Therefore, everything works. They’re not equals. So why does stability create confidence is the first question.
00;01;26;27 – 00;02;00;25
Speaker 4
I think it’s an interesting question. Because for IT businesses there’s a lot more dependence on that IT. I’d say you do need to be thinking proactively around what you want to do around your IT. You know, what’s happening in the background. For example, in a managed services provider, we’re so reliant on our IT and integrations from our tooling and monitoring and whatever it may be, that it is core to operations, but for other businesses, when someone comes in in the morning, logs in and they can log in to their computer, fine.
00;02;01;02 – 00;02;21;24
Speaker 4
That might not be as operationally focussed for them. So in that scenario, yeah, nothing is broken. Maybe you can go out and do 90% of what you need to for the day. I think having that lens is kind of important for the conversation we’re having here around, you know, do we want to talk more generally about businesses and their IT or is it heavy businesses because they do have different.
00;02;21;29 – 00;02;41;09
Speaker 4
They do have different weightings that we need to apply to them. Right. So if you’re an IT heavy business and you just consider stability, everything working fine as the norm and okay, then you might be missing out on where are the efficiencies, what are the hidden gaps, what are the things that aren’t working well that will improve your bottom line, right?
00;02;41;10 – 00;03;09;17
Speaker 4
How can you improve your gross margin overall? Are people doing things offline that they could be doing online in a more efficient way? Then it becomes a much bigger problem. But if you are in a less IT-dependent environment, then it is okay to some extent to say nothing’s broken. I want to be reactive strategically. I don’t want to spend all my time thinking about how can I improve my IT, and how can I improve aspects of that IT if it doesn’t drive much to the bottom line?
00;03;09;20 – 00;03;12;14
Speaker 4
And that’s a strategic lens that business owners need to apply.
00;03;12;16 – 00;03;13;18
Speaker 2
Yeah, I think that’s fair.
00;03;13;25 – 00;03;37;00
Speaker 3
The other thing to consider, though, is how many canaries you have in the mine. So if your only kind of leading indicator that something might be afoot is that people can log in and work, you could be missing something that’s slowly burning in the background. That will become a catastrophic problem if it’s not kind of monitored or actioned or remediated in time.
00;03;37;02 – 00;03;57;27
Speaker 3
Just because, you know, there’s that old funny saying, like, my IT’s always working. What do I need you for, the IT provider, then. And then the flip side is that nothing works. What do I, what do I use it for. And it can be very easy to fall into the trap. Right? But it is important to note that just like a car, you know, your car can run for 10, 20, 30, 40,000 km without needing anything done to it.
00;03;58;00 – 00;04;13;26
Speaker 3
Other than fuel, until all of a sudden it doesn’t. And then everything stops working and everything breaks and, you know, you got to put your foot on the brake and the car doesn’t slow down like it used to. It starts making funny noises. And that’s because nothing has been maintained, and IT is no different. There’s patches that come out every month.
00;04;13;26 – 00;04;28;19
Speaker 3
There’s updates, new software that comes out shadow. It’s not a major issue. You know, you can have stuff running around using tools that aren’t sort of approved by the organisation. That creates data leakage, potentially. There’s a lot of things that are also at play beyond just does it work every day?
00;04;28;22 – 00;04;51;06
Speaker 2
Yeah, absolutely. I think the car is a great example. Right. You don’t change your oil, suddenly your engine is going to clog or you can’t see the oil or you’re driving. So nothing’s broken, right? You can’t see the brake pads until you can’t brake. Right. Nothing’s broken. And IT, I think even more dangerously so than driving a car, because when you drive a car, people aren’t actively trying to crash into you.
00;04;51;07 – 00;04;52;06
Speaker 2
It’s a good assumption.
00;04;52;10 – 00;04;54;05
Speaker 4
You’ve been driving in Brisbane?
00;04;54;08 – 00;04;58;15
Speaker 2
Yes. And, not super impressed.
00;04;58;17 – 00;04;59;09
Speaker 3
I wouldn’t be either.
00;04;59;11 – 00;05;20;27
Speaker 2
No, no. But we could record a whole podcast about traffic. Maybe we will, but yeah, people are not actively trying to crash into you. Or let’s assume so when you drive a car, unless you’re on bumper cars. But when you’re in IT, people are actively trying to crash into your system, so it’s even more important that you maintain it.
00;05;21;00 – 00;05;45;11
Speaker 4
Yeah. Look, from a cybersecurity perspective. Definitely. Yeah. But like you said, there’s all those hidden metrics and monitors that you don’t really see. And it’s about surfacing those. Yeah. So if you’ve got the right kind of reporting, if you’ve got the right kind of monitoring in place, if you’ve got the right kind of lens, that stuff is up to the executive team, then you’re not really saying that all nothing’s broken.
00;05;45;14 – 00;06;03;18
Speaker 4
So we don’t have to do anything. You’re saying we have an active view that nothing is amiss? Yeah. We’re seeing all the right numbers. We’re seeing all the right colours on those. We’re getting greens across the board for the key metrics that we want to manage. Keep an eye on maintain that quarterly, monthly, whatever the cadence might be.
00;06;03;20 – 00;06;18;23
Speaker 4
And then you are taking, you’re already taking an active, yep, role in managing that IT risk. That’s leaps and bounds ahead of just saying, all right, I can log on, or I’m not getting an error when I try to do x, y, z task. And that is, that is further hidden in a lot of businesses.
00;06;18;24 – 00;06;44;13
Speaker 2
Yeah, absolutely. So let’s talk about risk. Right. Because that’s related to something that potentially everybody understands the project. Right. Projects usually have RAG statuses: red, amber and green. Green obviously going well. Red is needs some intervention. Let’s say, when you run a project and let’s say most business, any business runs projects right of different natures, you keep an eye on those metrics, you keep an eye on things.
00;06;44;15 – 00;07;06;29
Speaker 2
And if suddenly something goes from green to amber, you pay attention. If amber to green, you pay less attention, perhaps because you’ve done something. But let’s say something goes red. You hands on deck, right? So what can we do here? IT, or let’s say people’s IT, regardless of the business you’re in, doesn’t usually have those metrics, says it doesn’t usually have those colours.
00;07;07;01 – 00;07;13;09
Speaker 2
So therefore how do you know things are going well. Right. And this is what we talk about. Risk accumulating quietly.
00;07;13;11 – 00;07;32;27
Speaker 3
Yeah. So part of that too is also, you know, humans are naturally averse to, yeah, confrontation in most cases. So if they find something that’s not really working properly, they’ll usually figure out a way around it, or they just kind of ignore it until it becomes so problematic or so impacting in their day to day that, that it’s a massive issue.
00;07;32;28 – 00;07;53;12
Speaker 3
Yeah. And by that time that’s kind of stewed on for a while. Right. So it’s important to make sure that we’re not just assuming everything’s going well because no one’s whingeing. And that’s important to get that feedback at every level of the organisation. If you’re just speaking to the executive, you’re going to get a very siloed view of what it might be like, because they potentially are not interacting with IT nearly as heavily as, say, a frontline worker.
00;07;53;17 – 00;08;08;29
Speaker 3
So ensuring that your organisation is testing, and just, you know, surveying the staff to make sure that, you know, how do you find it? How’s your computer? How’s your day to day tasks? Hindered or helped by IT?
00;08;08;29 – 00;08;36;21
Speaker 4
So how do you surface that in a non-IT-heavy organisation? Right. So for you from an MSP perspective let’s take it to come in and we can see what’s happening on the ground. But for those business owners that don’t have a managed services partner, they might not, they don’t see the flow of tickets. They don’t know who’s raising what day to day, and they may or may not be involved in, say, the monthly cadence where your provider might go through those tickets and say, we had X number of tickets, we’re seeing trending in ABC.
00;08;36;23 – 00;08;52;24
Speaker 4
But let’s imagine you’re the owner of a business or you’re running a business that doesn’t have a managed service provider. Maybe you’re on the slightly smaller end and you are taking that approach. If nothing’s broken, tell them to do anything on the IT front. How would you get a feel for what is actually happening on the ground?
00;08;52;24 – 00;09;08;18
Speaker 3
That, yeah, my very, very strong opinion on this is this is a people challenge, not an IT challenge. Right. It’s just like any other tool, you know, if you’ve got a delivery driver and his car’s a piece of shit and it’s constantly having issues for him, and he’s not making these rights on time, that’s a problem. Just like IT
00;09;08;18 – 00;09;22;15
Speaker 3
Could be a problem for anyone as well. So it just needs to be part of your cadence around your people. So your quality reviews, you have one on one check ins and asking just, how are your tools? How’s everything that you use for your job day to day? Is there anything that’s causing a great fit?
00;09;22;17 – 00;09;40;21
Speaker 3
You know, we need to know about? And it could be car, could be tool, could be IT, could be the coffee machine. You know, it could be anything. But incorporating that into your constant feedback loop with all your staff is critical. And we’ve helped plenty of organisations do that, kind of go, here’s a good starting point. Just start asking these questions.
00;09;40;23 – 00;09;44;28
Speaker 3
You know, when you’re talking to your people, because that’s the only way you’re going to get it. You’re not going to get it unless you force it out of them.
00;09;45;00 – 00;10;20;01
Speaker 2
Yeah. Let’s talk about why it’s dangerous as well. Right. And let’s mention AC labs. Right. First. Fine. That was issued a couple of million, potentially more 5 million or so. They, either had the visibility or didn’t have the visibility but failed to act upon it. And as a consequence, they got fined twice. Right? Plus, having to pay ransom, plus losing data plus reputational damage, you know, and something that could have potentially taken them half an hour a week if they were looking at it, proactively turned into thousands of hours of effort and damages and business loss and things like that.
00;10;20;01 – 00;10;32;19
Speaker 2
So what do you do? Right? AC labs got fined. They got fined hugely, massively, right. And then on top of that they lost a bunch of clients, bunch of business. And hard to think that a business can recover from that.
00;10;32;21 – 00;10;52;14
Speaker 4
It’s a tricky one right. There was a lack of oversight in certain areas, or maybe there wasn’t enough importance paid to certain things. I wasn’t privy to the discussions. They had that at an officer level or a board level, but ultimately they weren’t looking at the right metrics, right? The right things weren’t being surfaced to them to say, oh, hopefully the right things weren’t being surfaced to them.
00;10;52;14 – 00;11;10;15
Speaker 4
It wasn’t that they were ignoring things that were being surfaced to them. But a lot of that fine came down to them not taking appropriate steps to secure things from a cyber perspective. But that’s still just one of the aspects of it that you want to be keeping an eye on, you know, is it working? Is it working well?
00;11;10;15 – 00;11;29;10
Speaker 4
Is it going to work to protect us from a cyber incident? Is it going to work to continue to provide continuity when we have and maybe a physical incident in the building, or on site or whatever it might be? All of those questions need to be asked more broadly across your IT. Yeah. To say, have we got what we need for our purpose?
00;11;29;13 – 00;11;44;20
Speaker 4
That was unfortunate. For example, for ACL. But there’s so many of those out in the market, they just happened to be the first one to have been hit with a fine related to not acting in the way they should around that information.
00;11;44;26 – 00;11;57;10
Speaker 2
Yeah, absolutely, absolutely. And executives have to resign and all these things. And it’s just not a nice story. Right. But, I’d be very surprised if they would be the last one. All right. They were certainly the first.
00;11;57;12 – 00;12;22;18
Speaker 3
Yeah. First, what might an example of for sure. But there’ll be many more. You know, we’ve had Optus, we’ve had Medicare, we’ve had all sorts of massive companies that have had similar, you know, challenges. And that will continue to be the case. Because even the best intentions can still be tough if you’re not getting the right advice or you just have someone that’s in a position that’s not acting as, you know, diligently as potentially they could.
00;12;22;21 – 00;12;31;26
Speaker 3
So it is important to have those constant feedbacks and to have that right lens and surface, that right information to the executives so they can always be making, you know, the right decisions with the information they have.
00;12;31;29 – 00;12;49;15
Speaker 2
Yeah, absolutely. And Optus I know from a bit of insider here, but Optus had to get budget from other places in the business. And they killed the marketing budget for a couple of years. They had zero marketing, zero publicity once they had the incident because it just could not afford it. And you know, what does that do down the line?
00;12;49;21 – 00;12;57;14
Speaker 2
You know you’re just losing market share. You’re losing client. And the recovery is not nearly as quick as the fall.
00;12;57;16 – 00;13;22;14
Speaker 4
Yeah. You have to make tough decisions and right you have to sacrifice on that particular spend. Maybe they could have you know they got away with having some of their marketing budget. But they needed to spend it on other things. And that was probably the catalyst that made them go, okay, let’s reinvest into other aspects. You know, ideally in the IT sector, and in their infrastructure, and in their management of upstream and downstream supply and vendor risk.
00;13;22;14 – 00;13;23;19
Speaker 2
Yeah.
00;13;23;21 – 00;13;29;02
Speaker 4
And that’s just necessary when you’re making decisions off the back of an issue or an event.
00;13;29;03 – 00;13;56;27
Speaker 2
Yeah, absolutely. And this is where it is not resilience. And as a matter of fact action is reactive instead of proactive. So let’s move on to failures being the first visible warning. Right. So when problems appear it’s usually because something’s failed is something’s failed. It is rather the P0 number one priority. Call it whatever you want, but that’s when you have to put hands on deck.
00;13;56;28 – 00;14;00;03
Speaker 2
But it’s too late, right. It’s too late. Something’s happened. Something’s failed.
00;14;00;04 – 00;14;24;09
Speaker 3
Yeah. So the problem you’ve got there is you’ve no longer got control of the situation anymore. Not full control. You’re having to pull resources off things that, you know, are proactive or, you know, driving the business. And now they’re having to look in the rear-view mirror and figure out what’s going on and fix it. And so often, you know, businesses, particularly, you know, less mature ones, will kind of throw everyone at the same problem because it’s a big problem.
00;14;24;09 – 00;14;48;00
Speaker 3
And, you know, I’ve seen that many times in my career where, you know, one of your big customers has a major problem, and all of a sudden you’re grabbing every wizard from every corner of the office to try and solve this problem, you know, and you still got a bunch of other customers, right? So it’s important to, to really be clear in those, you know, instances in those events, you know, who’s accountable for what, who’s doing what, because you don’t want everyone trying to do the same thing because then chaos ensues, right?
00;14;48;02 – 00;15;03;14
Speaker 3
Yeah. So that’s why, you know, predictive failure or predictive analysis is so important. You don’t want to be in that situation where you’re having to you know, rally the troops to fix something that you should have known about, should have been should have been warning signals, those canaries in the mines.
00;15;03;17 – 00;15;22;10
Speaker 2
Indeed. So let’s add one thing that I like saying basically is something happens, your failure occurs. You’re going to have to look in the rear-view mirror set and put in place all the measures anyway that you should have put in place to start with, but it’s going to cost you more. You’re going to have to do it more rushed, it’s going to be more difficult.
00;15;22;10 – 00;15;36;21
Speaker 2
You’re going to have to neglect your clients. How do you do it in the first place? It would have been a lot smoother. You know, that transformation, just transition, whatever you want to call it becomes easier. But now you’re gonna have to do it anyway. And as a matter of fact, you lose negotiating power because you cannot afford not to do it now.
00;15;36;21 – 00;15;49;02
Speaker 2
You cannot afford not to fix it. And it just becomes very, very difficult. And potentially you’re forcing this onto the people, onto the business, when you could have very much did it, do it from a, you know, proper change management perspective? Look, I think that’s.
00;15;49;10 – 00;16;04;16
Speaker 4
I think that’s interesting because to some extent that assumes that you knew about it before it was going to happen. So if if you did and you knew you had to do those things and you chose not to do those things, and then something happened, then you’re forced to do that, and then you should be looking back and, you know, kicking yourself.
00;16;04;17 – 00;16;24;21
Speaker 4
That was dumb. But that’s negligent, right? And in many of these scenarios, you knew you had to do it. You’re aware of it and you didn’t. Yeah. That’s very different to the very first signal being something went wrong. Then you’re looking back and saying, okay, let’s learn from that lesson and let’s put it in place now. Sure, you still constrained you to do it faster, that there’s more risk, it’s a worse time to do it.
00;16;24;23 – 00;16;48;19
Speaker 4
But, you know, the key question is how can we know about it before so that we can, you know, if we choose to be negligent and not do anything about it, we do that or we do something in advance. And I think that’s the, that’s the trick, right? If you’re not IT savvy, if you’re not heavily dependent on your IT, if it isn’t something that you think about every day because it’s core to your business, why would you think about it prior to an incident?
00;16;48;22 – 00;17;06;22
Speaker 4
Yeah, I think that’s why it’s so common that this is how it plays out. Nothing happens. There’s silence. Everything seems fine. Then there’s an issue. Yeah, you’re offline for a day. People can’t do what they need to. You lose revenue and then suddenly you start thinking about that problem. And I think that’s very difficult. I think that’s difficult, especially for smaller businesses.
00;17;06;24 – 00;17;08;26
Speaker 4
That aren’t IT-heavy.
00;17;08;29 – 00;17;24;01
Speaker 3
Yeah. Particularly when, like, the businesses at all sizes always have what’s most important and right in front of them right now. And to your point, if it’s not a huge part of that, very rarely will it be at the front of your mind, I suppose.
00;17;24;04 – 00;17;44;28
Speaker 4
I have an IT background, have come from my team doing that for decades, so it seems foreign that people wouldn’t think about it as part of their, you know, be a unit, part of business operations. But I, I think it is sad that people don’t now, given everything we know about how the world works, make that a priority in the business, even if it isn’t something core to, you know, the operational model.
00;17;45;00 – 00;17;45;25
Speaker 2
Yeah.
00;17;45;27 – 00;18;02;09
Speaker 4
And I think we’re seeing that to not a greater extent, but it’s more publicised at the moment. It’s cybersecurity falls in the same bucket. Right. Like we think, you know, you should be thinking about that from design. Everything you do, you should be thinking about what from a security perspective from a cyber and a physical security perspective, why are we doing this?
00;18;02;09 – 00;18;17;29
Speaker 4
How are we doing this? But I don’t think people do that naturally either, unless it’s a core part of their business or they’ve had an incident. So it’s really about getting the right mechanisms in place so that it just becomes part of your norm, part of your view, part of your monthly reporting that you’re going to have some metrics on it.
00;18;18;01 – 00;18;42;06
Speaker 4
And they might be as simple as what we were talking about before: we just go, hey, let’s do a survey once a month to go, has anyone had major problems with their tooling and their IT or systems, just to get something to start with for that smaller sized business. If you’re a larger size organisation, you need bigger frameworks, more structure, so that information filters from the ground all the way up, and you actually get a useful metric to look at, something on a scorecard.
00;18;42;08 – 00;19;00;04
Speaker 4
And that’s the first step to at least being able to say we’re thinking about it, we’re talking about it something or it’s happening, we see it in numbers and it’s happening regularly. And that’s the only way you’re really going to get some kind of warning in advance of an incident to say, hey, we should do something about this particular piece before it becomes a problem.
00;19;00;07 – 00;19;06;25
Speaker 4
And cyber is just one aspect of that, but it is very front of mind one at the moment. Absolutely, and should stay that way.
00;19;06;26 – 00;19;28;23
Speaker 2
Yeah. So it’s not only about keeping things running, it’s about not falling behind really as well. So funny story. Well not funny for them but funny story for others potentially is in the past when I, when I was London architecture company used to actually get a lot of business and then suddenly just started losing business to competitors, potentially smaller competitors, let’s say more or less equal size.
00;19;28;25 – 00;19;47;13
Speaker 2
And they, they went back and asked why, why are we not getting this business actually went to their clients and they did the right thing. You know, I’m proactively seeking feedback. Well, a lot of people know, especially architects, but a lot of businesses do office tours before they sign contracts to their IT. And their computers were just not state of the art.
00;19;47;19 – 00;20;07;12
Speaker 2
Just we’re not old. And for a business, the word that matters so much, you know, you could have things running your computer might run and your architecture software might run. But those guys are better, you know, they can take changes on better. They’re potentially a bit more secure. They have the latest software. Yeah, they might be a bit newer, but smaller.
00;20;07;12 – 00;20;10;18
Speaker 2
But they have a better setup. So I’m going to go with them.
00;20;10;18 – 00;20;12;17
Speaker 4
Just the visuals. It looked like they knew.
00;20;12;20 – 00;20;12;28
Speaker 2
Yeah.
00;20;13;02 – 00;20;16;28
Speaker 4
Like they were in sync with their I.T dashboard and their reviews on the wall.
00;20;16;28 – 00;20;22;29
Speaker 2
They were in sync with their idea. You know, in a company where it doesn’t necessarily matter, but they work digitally like every company does.
00;20;22;29 – 00;20;44;18
Speaker 3
Now let’s talk anything. Document that looks good. You go like you’re likely to want to read it through. That looks good with your eyes. It’s the same with anything you do an office tour and there’s, you know, green gingham patterns on the walls and mismatching orange carpet and old monitors. And, you know, it’s all mismatched. I.T. That’s an immediate sign that people are just not thinking proactively about a number of items.
00;20;44;18 – 00;20;50;13
Speaker 3
Right? Yeah. Yeah, absolutely. And perception is a big, big part of it.
00;20;50;20 – 00;21;09;08
Speaker 2
Yeah, absolutely. So it’s as I said, it’s not only to keep the wheels turning, but it’s also not falling behind. And so I’m in the UK, my implement today might be outdated tomorrow, especially with, you know, how quickly updates and your softwares and programs on are coming and the reason why the company because there’s a need for it, not because it’s just saturate in the market.
00;21;09;13 – 00;21;29;04
Speaker 2
Okay, let’s move to what you mentioned, which is I am a small business. I am a potential leader of a of a business, necessarily small, medium size, large size. I now want to look at this. I’m going to give you another example. Let’s say we are more or less know somebody who’s bought a house, who’s trying to buy a house, or you heard rumours of somebody buying a house before you buy it.
00;21;29;04 – 00;21;46;10
Speaker 2
One of the most critical steps you do is you get it surveyed, and if you don’t, you’re a fool. All right. So you might not see under the ground, but there might be structural issues you might not see on top of the roof when you view it. But, you know, the gutters might be clogged or broken and that’s going to create damp and mould, etc., etc..
00;21;46;12 – 00;21;51;03
Speaker 2
You hire somebody, right? Because we’re not all structural engineers. It’s a.
00;21;51;06 – 00;21;51;26
Speaker 3
Definite no.
00;21;51;29 – 00;22;12;26
Speaker 2
They look at it and they tell you what’s wrong. Now you want to fix it, you want to buy it, you want to do something about it. That’s up to you. But I guess the analogy here is you don’t have to do this alone, right? There are services, tech reviews, whatever you want to do that are out there that are very cost effective, that can look at it for you and tell you, this is everything that’s wrong.
00;22;12;28 – 00;22;17;17
Speaker 2
You don’t have to look at 100 things, but you 64 or 5, you’re in a good shape.
00;22;17;23 – 00;22;37;01
Speaker 4
So yeah, look, that’s a good way to start the ball rolling too, you can bring someone in to do a bit of an assessment. And this is how long as a piece of string component to it. And you can spend days and days and days digging into things so you can do something reasonably cost effective that has good coverage that’ll give you some initial starting point.
00;22;37;07 – 00;22;52;19
Speaker 4
And that might form the basis for what are we going to measure, what are we going to add to that monthly scorecard or reporting pack that we look at as an executive team or a board? And that is a really good way to start getting that information. And that can cover interviews and talking to people on the ground to get their feedback.
00;22;52;19 – 00;23;14;18
Speaker 4
And it can also be reasonably easy from a tooling perspective. There’s lots out there that’ll be able to and with the right permission to scan and pick up any of those key, risk areas or any of those key gaps and say, hey, we ran this scan. It didn’t return the result we wanted. That means you probably need to think about this type of project in the future, but it will start to get that visibility.
00;23;14;21 – 00;23;20;23
Speaker 4
And again, you don’t wait until after there’s an incident to do something like that, but you do under a bit of planning, right? Yeah.
00;23;20;25 – 00;23;24;01
Speaker 2
Yeah. So you don’t want to wait for your house to fall on top of you before you start for us?
00;23;24;01 – 00;23;30;27
Speaker 4
Sure. Yeah. Yeah, yeah. If this is good money to fork out, that might prevent these have bad.
00;23;30;29 – 00;23;32;01
Speaker 3
Yeah. Exactly.
00;23;32;03 – 00;23;42;11
Speaker 2
Okay. So four things leadership should have should be included. Agree or disagree. Let’s go one by one. Independent resilience validation. So this is an exercise.
00;23;42;13 – 00;23;43;19
Speaker 4
One thing is that three things.
00;23;43;20 – 00;23;44;15
Speaker 2
No that’s one.
00;23;44;17 – 00;23;45;24
Speaker 4
That’s one. That’s one thing.
00;23;45;27 – 00;23;48;13
Speaker 2
One thing. Independent validation. Right.
00;23;48;16 – 00;24;13;21
Speaker 4
So yeah, look, I think the second part is more important than the first necessarily. You need some form of validation, some form of quantification of what you’re looking at. Independent is good, especially if you’re a little bit too tunnel vision on your own business or if you’re the one when you step back, you realise I haven’t been thinking about it because I don’t care about it, then yeah, independent is definitely important, but I think keep it validation.
00;24;13;23 – 00;24;18;13
Speaker 4
You need to be measuring something. Yeah. Looking at something that you validate is a useful measure.
00;24;18;15 – 00;24;22;20
Speaker 2
Yeah. Number two, risk visibility.
00;24;22;23 – 00;24;46;16
Speaker 3
Yeah. So, much like the scans, the tools that can find, you know, infrastructure layer issues or technical issues, then there’s the security aspect as well. I think it’s important. And a very simple way of doing that is, you know, aligning to a framework and that can be very easy to do. So essentially it is, you know, what the Australian Signals Directorate kind of profess to be a good standard.
00;24;46;16 – 00;25;05;14
Speaker 3
And there’s got different layers within that. That essentially framework. If you’re looking at things through that lens, you’re already going to be leaps and bounds ahead of a lot of other businesses that are not looking at that with a serious view. And they’re simple things like, you know, are you doing regular backups? Do you have multi-factor authentication?
00;25;05;16 – 00;25;21;08
Speaker 3
You know, are your systems being patched regularly? So they’re not super complicated, you know, need to be a CISO to understand what’s going on. They are simple implementations you can do. And your business is going to really support the business from being, you know, ahead of most.
00;25;21;11 – 00;25;26;20
Speaker 2
Amazing. Number three, regular recovery testing.
00;25;26;23 – 00;25;44;28
Speaker 4
Yeah. All well and good to have all these things in place and visibility and expect it to work when you need it. But yeah, you got to test it now. Have them fall through the cracks. I mean, if we think about how immature a lot of businesses are on this journey, just thinking about IT risks, thinking about cybersecurity risks.
00;25;44;28 – 00;26;01;25
Speaker 4
Having some kind of reporting is already a great step in the right direction, and I can see why a lot of them then go, okay, I think we’re good. Reports are all looking good. Now let’s move on to the next thing, the next problem, something that might feel bigger, and then you forget about the testing. It’s super common, but you have to regularly test.
00;26;02;01 – 00;26;21;02
Speaker 4
And that doesn’t mean test everything or, you know, turn off your business for a day. Think about what is a useful test to do that’s relevant to your business, right? If everyone is, if you’re email driven heavily email driven, right. Let’s say you want to test the scenario where what if you can’t access those in the way you normally can?
00;26;21;05 – 00;26;34;16
Speaker 4
What if for whatever reason, you get a mass deletion event, can you use your backups to get access to those emails again? Do you have backups? I assume, actually, and then you test them. Can you actually use them? Can you restore them? Can you get people working again? But pick something relevant?
00;26;34;19 – 00;26;50;16
Speaker 2
Doesn’t have to be. I love the story, but I’m going to give you another story on this one because it’s an email driven, do you guys know what the NHS is? Yep. Okay. For those who don’t potentially is the Medicare of the UK right? Simple. Very email driven because everything has to be put into notes. Very secured email.
00;26;50;16 – 00;27;14;04
Speaker 2
You can’t actually email anybody outside the NHS domain. When you email right. You have to use specific domain. That’s great. But there was a function on the email where somebody wrote an email and it was emailed all and the NHS, 40,000, 50,000 people crashed their email. And because people didn’t really know what to do with it, they started getting reply alls.
00;27;14;09 – 00;27;15;27
Speaker 2
Please remove me from this chain.
00;27;15;29 – 00;27;17;07
Speaker 3
Oh dear.
00;27;17;10 – 00;27;40;15
Speaker 2
Please remove you from this chain. And that happened hundreds of times out of 40,000 people, right? Take 1%, 2% of people doing that. The NHS went to a standstill for about a week because people’s emails were not working. It was loading, loading, loading, crashing, crashing, crashing. I need to see that patient critical urgent care. What does this pass notes say?
00;27;40;17 – 00;27;48;23
Speaker 2
A week man of the UK 60 million people because there were email focussed on. I see how this is.
00;27;48;26 – 00;27;54;16
Speaker 3
Wild that they are using email which was invented as a shorten memo service to steal medical.
00;27;54;16 – 00;27;57;20
Speaker 2
Information. Right. But we always email Medicare sure. To use emails.
00;27;57;20 – 00;27;58;09
Speaker 3
I’m sure I do.
00;27;58;09 – 00;28;10;20
Speaker 2
Yeah. They also have their systems to store notes, but that’s it. It crashed 40,000 people, employees, millions of people on your waiting list. Horrendous event.
00;28;10;22 – 00;28;12;02
Speaker 4
It’s a tough one to test.
00;28;12;04 – 00;28;13;04
Speaker 2
Yeah. So fun to test.
00;28;13;04 – 00;28;26;19
Speaker 4
But that’s load testing, right? That’s that’s kind of that’s super tricky. Yeah. But what you want to be able to do is then, you know, if you’ve got to metaphorically pull the plug, let’s say this super old school and you still have email service, exchange service. And the problem is it’s.
00;28;26;19 – 00;28;27;02
Speaker 3
Been a while.
00;28;27;08 – 00;28;43;10
Speaker 4
Yeah. He’s, he’s still occurring. Then in theory, you switch them off to short circuit the problem, and then you go, all right, let’s go back and see what we can recover from our last backups and then start from fresh again. Rebuild it a little bit harder. When it’s all in the cloud. You got to let it run its course to some extent.
00;28;43;10 – 00;28;48;10
Speaker 4
Or maybe there are ways to short circuit that that I’m not aware of, but you’ve probably got to call in the big guns there.
00;28;48;16 – 00;28;52;03
Speaker 3
Yeah, they definitely have mechanisms for that are there. And
00;28;52;06 – 00;28;58;00
Speaker 4
You’ll be talking directly to the providers and yeah, you know, Microsoft, whoever hosts your email and then.
00;28;58;02 – 00;29;01;03
Speaker 3
You give biblical sort you.
00;29;01;06 – 00;29;06;02
Speaker 2
Yeah I’m talking about number four. Then a documented incident response plan.
00;29;06;05 – 00;29;21;17
Speaker 4
That should be broad enough that it covers all kinds of incidents. There should be an element of that for cyber. Yeah. Some people think about that with that cyber lens predominantly, but it should be looking at what types of incident, most likely to affect your business. What way does it affect your business. And then what are we going to do about it.
00;29;21;20 – 00;29;21;28
Speaker 2
Yeah.
00;29;22;02 – 00;29;41;02
Speaker 4
Let me start with that as a template. Again, another good way to make sure you’re looking at the right things. Because you can have that conversation. You can have it with a partner who can help with that conversation. But it helps you start to think about what if this thing goes down with anything goes down. And that might be, you know, the little thought bubble that starts you down the path saying, we should measure this thing.
00;29;41;04 – 00;30;00;27
Speaker 4
We should get someone to build this, a report that says, how is this tracking every month? And we look at it because we know we’re going to need to do something associated with recovery if there’s an incident of that nature. Yeah. And it might be as simple as can we hotspot off our phones or, you know, if there’s a flood event, can we store our goods somewhere nearby that’s slightly higher?
00;30;01;05 – 00;30;02;14
Speaker 3
Can you take me higher?
00;30;02;16 – 00;30;03;26
Speaker 2
Yeah, yeah.
00;30;03;28 – 00;30;06;15
Speaker 4
And it’s a good starting. It’s a good starting point.
00;30;06;17 – 00;30;15;06
Speaker 3
And it’s important to note, too, incident response plans are not exclusively for cyber incidents. Right. There’s all sorts of stuff like you just mentioned, the flood, fire, whatever.
00;30;15;08 – 00;30;16;17
Speaker 4
The big one here in Brisbane there.
00;30;16;17 – 00;30;31;17
Speaker 3
Yeah it is people very quickly these days are focusing on the cyber ones and forgetting what happens if someone runs a backhoe through the cyber, you know, can you hotspot or are you in one of those wonderful buildings in Brisbane that just happens to get a dead zone and you can’t actually hotspot and you haven’t thought about it.
00;30;31;19 – 00;30;33;14
Speaker 3
Might has simple things, right?
00;30;33;17 – 00;30;33;25
Speaker 4
Yeah.
00;30;34;02 – 00;30;46;22
Speaker 3
And I live in Chelsea and you know Telstra is supposed to be the best coverage in the world. There’s a dead spot in my house with one of the major providers 14km from the city. So don’t assume that it’s going to be available.
00;30;46;24 – 00;31;05;24
Speaker 2
Yeah, absolutely. I saw it within a kilometre a 5G tower. Right. They look like weird cactus trees. Right. But those we don’t know what it look like. But you know less than a kilometre away and three places in my house I get no signal. So don’t assume. And I think the people the assumption here, the mistake is that an instance is responsible.
00;31;05;24 – 00;31;24;16
Speaker 2
It doesn’t have to be a 200 page and no, nor should it be. Or should it be very simple. Yeah. And as a matter of fact, to an extent, you can use some cookie cutting techniques, right? If you bring somebody who knows what they do and who’s seen this before, because incidents tend generally to repeat themselves in nature or can be, you know, the same for various businesses.
00;31;24;16 – 00;31;33;21
Speaker 2
And you can take that and adapt it to your own. So it doesn’t have to be difficult. Yeah, but you don’t want people running around like headless chickens once a failure happens.
00;31;33;21 – 00;31;43;16
Speaker 3
Now the biggest thing is just to get clarity on who’s going to do what. Yeah, the complexity and the technical side. You know, most businesses will have partners that will execute that. But it’s about who’s got what.
00;31;43;18 – 00;31;44;17
Speaker 2
And
00;31;44;19 – 00;31;46;19
Speaker 3
Aspect of that response plan.
00;31;46;21 – 00;32;05;11
Speaker 4
And it’s not just IT, you know, I think we have a tendency to think I take that way where we sit. But your incident response plan needs any type of incident, like if you’re a medical practice and you’ve got, you know, physical access restrictions, if there’s a flood event or something. Right? And people can’t get to the practice.
00;32;05;14 – 00;32;21;04
Speaker 4
How are you going to manage that incident from just communicating to potential patients? And thinking about, you know, how they’re checking in. Can you move to telehealth? There’s often technology related solutions to them, but you need to think about problems that are not tech. Yeah. Tech dependent.
00;32;21;07 – 00;32;30;08
Speaker 2
Yeah. Hospitals are a great example. You know what happens if your city goes off in a hospital. Well number one is usually diesel backup generator. Right. But what happens. Right. Well somebody else is going fire. Don’t think.
00;32;30;08 – 00;32;50;00
Speaker 4
About them. Go through the process right and see what it highlights around. Actually we don’t know what we do there. Actually we need a backup there. Or actually the strategic move could be yeah we’re going to acknowledge that risk. But we’re not going to do anything about it because the mitigation options are way too expensive. We think we could probably survive without till we make a conscious decision to say.
00;32;50;02 – 00;32;52;20
Speaker 4
We’ve talked about the risk for acknowledging that we’re not going to do anything about it.
00;32;52;21 – 00;33;10;04
Speaker 2
Yeah. Listen, it’s super simple. One that we all have in place is a fire alarm plan. The fire alarm goes off. There’s one person who’s a fire warden who goes everybody out and don’t use the lift. Take the stairs and let’s meet at the car park or wherever. The point is, what do we do?
00;33;10;07 – 00;33;18;16
Speaker 4
What do we do when they’re working from home? That one day? Yeah, but the fire alarm goes off, which Murphy says is going to happen every day. Yeah, he’s your backup fire warden.
00;33;18;19 – 00;33;35;05
Speaker 2
Well, and not a bad day for the person from home. If there is a fire, it’s pretty good. Pretty good day to choose to work from home. But yeah, listen, you’re right. And but that is a simple example. Your minimum requirements. Right. Yep. That is 3 or 4 pages. Sorry, three, four lines. Three, four bullet points. You know, fire warden puts his hat on.
00;33;35;05 – 00;33;37;28
Speaker 2
Everybody out mate, by the muster point.
00;33;38;00 – 00;33;42;16
Speaker 3
Interestingly, far more important when you’re on the 40th floor of a building as opposed to the first.
00;33;42;19 – 00;33;43;17
Speaker 2
Yeah, got a course?
00;33;43;24 – 00;33;46;07
Speaker 4
I take the fire so.
00;33;46;09 – 00;33;47;22
Speaker 3
That the company helicopter on the roof.
00;33;47;24 – 00;33;51;12
Speaker 2
Just got a cool slide. Pretty sure.
00;33;51;14 – 00;33;52;05
Speaker 4
If it’s in your plan.
00;33;52;11 – 00;33;53;01
Speaker 2
Yeah, it’s in your plan.
00;33;53;07 – 00;33;56;14
Speaker 3
Pretty sure. Flats and I had a slot in the office at one point that I still do.
00;33;56;21 – 00;34;15;21
Speaker 2
Yeah. Yeah, some places do. Some places do not. Listen. Thank you very much for your insight today. If anybody listening to this is not too sure where to start, reach out. We can point you in the right direction. Next time we’re going to be talking about how one single outage has wiped out some businesses for months. That’s an interesting one.
00;34;15;23 – 00;34;21;22
Speaker 2
Scary indeed. And the great thanks. I speak to you next time.