REDD – Business and Technology Podcast Episode 001 with Isaac Nicol from Epic Assist (NFP)
In this episode our hosts Jackson Barnes (BDM – REDD) and Brad Ferris (COO – REDD) interview Isaac Nicol (Head of ICT at EPIC Assist) and discuss his journey at EPIC Assist (Not for Profit). Particularly we discuss with Isaac how to leverage EPIC’s NFP status with Microsoft and other vendors to increase cyber security and reduce IT budget.
We also touch on right fit for risk, ISO 27001, Essential 8, Cyber Insurance and Risk. Thank you Isaac for making our first podcast so seamless! Special mention to Jackson for doing a great job chairing the session. If you would like to discuss any of the topics covered in this episode further with a REDD expert, or if you would like to be a guest on the show, please get in touch either via our website, [email protected] or through any of the links below.
Thanks for watching!
You can find the full transcript below:
– Hello and welcome to Redd’s Business and Technology podcast. My name’s Jackson Barnes with my cohost, Brad Ferris. And today we’ve got a very special guest, head of IT from Epic Assist, Isaac Nicol. Thanks for joining us. Thanks Isaac, we really appreciate you coming in. We’re just going to ask you a bunch of questions, unstructured. I guess we wanted to start introduction-wise. Isaac Nicol, head of IT Epic Assist Disability Services, employee based in Brisbane, 36 offices, 168 employees, non-for-profit. What we’re going to discuss today is how you have, with the organisation, reduced IT budget and increased cyber security leveraging some of the Microsoft incentives. So I guess, first, you want to introduce your background, what you’ve done over the time and then what you’re doing now.
– Well, look, firstly, thanks for inviting me into the session. I think this is really good. It’s good to have a safe space where you can actually have conversations in relation to ICT and have ideas and be able to share those ideas and listen to what other people have to say. So, it’s good. Thank you for having me. I’ve been with Epic for about 18 months and I was employed for a particular reason, to help Epic get ISO RFFR accreditation. I know you spoke about Epic, but one thing people should know before going to the not-for-profit stands is that, because EPIC is a disability employment service and we have over 3000 clients, we need to be RFFR ISO 27001, right fit for risk compliant, which is regulated. It’s from the government. If you don’t have that credential or the accreditation, you will not get any contract. So that’s the bottom line. So when I walked into Epic, that’s where we were.
– Yep. So you put that in place and on the side looked after
– Yes, that’s all, it was encompass. It was funny when I got a job as an ICT manager and then I got a portfolio pop up and I looked into it and said ISO as well. That’s really cool.
– And 27001, do you want to explain that process ’cause no doubt, took you what, three days to put in place? Something like that.
– No, man, you’re exaggerating. Three days, you’re exaggerating. It took me three minutes.
– Can you come and do that for us?
– Yeah. And actually you said that topic.
– Look, ISO 27001, it’s a big horse to pull alone. It’s massive, it’s a massive thing. Back in the days when people got ISO credentials, it was based on documentation only. So process, policies and the technology. There was nothing to do with the actual implementation of that process. So most people say, I have ISO, but then it’s only the process. Now, with Epic, because we have right fit for risk, which is 420 controls, that’s from the government and ISO is just 120 controls, that’s the regular one, so we had our work cut out for us. So we started off by getting all the processes in place, writing the documentation. I was working with a very, very, very good team, very good team at Epic. And we got all the documents together and we had to start making decisions, like technology decisions as to what it looks like. I think one of the best things about Epic is the fact that the executive leadership team, we’re all on board.
– Do you really want to say agile battle of technology is for an IT manager or head of technology or CIO, is, how do you get the executives buy-in on buying these expensive cyber security tools or just general technology. How did you get that buy-in from the executive side of it?
– Well, I think it’s threefold. The first one was, our business depends on that. That’s the first one. The second part was, they could see the value in what we’re about to do. And the third part was the strategy we put forward to the executive team and the board. The strategy is simple. It’s all about the end user. Making sure the end user is safe, using the device is safe. Because if you want to train everyone to be an ICT professional, that’s not going to work. We all have our jobs to do, we all have different things we do well, experts at what we do. So our idea is to ensure that the device we hand over to a team member has all the security you need. So we protect you 95% of the way. The 5%, we know things happen. That’s the whole plan. And they could read into that, they could see that. Another thing that’s really, really important as well is reporting, monitoring, login, evidence based. You need to have those.
– Yeah. So I guess, to point in the direction of the topic of this podcast and what we’re kind of catching up and where we can add the most value back to other non-for-profit, to people who are responsible for IT like IT managers, heads of IT, CIOs, what did you do beyond that, when you identified that near 27001, you had to put that in place, the Microsoft tool set of non-profits that you reduced, licencing a bunch of things, what did you leverage first and went through that journey of getting ISO 27001 protecting the endpoint and the users? How did you leverage Microsoft’s non-for-profit status for that?
– Well, I tell you what, if I start talking about Microsoft, you guys will think I’m being paid by them. I’m not.
– Microsoft’s kicking goals. I’ve been a Mic guy from way back when, but I’m a true believer the Microsoft Cloud services and everything they’ve been doing is amazing. I’m a massive advocate. So a hundred percent happy for you to…
– Again, I walked into Epic, I had several months with the team to get them certified. We got accreditation, we had zero nonconformity. It was crazy, it was awesome. However, one of the biggest parts of that was the roadmap we had. So the roadmap was, how do we reduce cost? Like, we spoke about that earlier, but how do we reduce cost but still maintain a higher level of security across the footprint. So we looked at Microsoft E5 licence, end of story. When I say end of story I mean, that became our goal, E5 licence for not-for-profit. It’s really cheap.
– Just on that, did you want to explain maybe for everyone else in that space how you went to the executive team at Epic Assist and said, I want E5 licencing? ‘Cause it’s less as a non-profit, right? But the actual pitch of getting there when you’re paying for E3 or something less now that jump for all of users is, you got to justify that. How did you go through that process?
– Well, that’s an awesome question. So it was all based off the strategy I developed, the three strategy. So what I had to do on the strategy is, it’s like a single page with lines. That’s my strategy. So it goes from different categories like security devices, Cloud, Cloud applications and et cetera software. And then in the middle, the next column has what we currently have, what’s in use, and then the third column is where we want to be. We look at the current applications, then we look at what we want to be, what sort of applications can replicate those or do we maintain the current application. And then the third, the fourth part is, the timeframe. Like, how long we have to get it done. So when I went to the executive team, I went to the executive team, I had to tell them, I just showed them. I said, look, this is what’s happening. I said, all of these tools you currently have, we are using, I’m not going to call it the names, this and this and this and this and this, this can save us like three, four, four and a half, five grand a month by just implementing E5. And they said, so what’s the guarantee? I said, well, E5 has all of this and more, it will do them all.
– So you put the business case forward and went, all of these things we can leverage in the Microsoft. If we have licencing, we’ll save this much money and this. A business proposition forward for leveraging the Microsoft stack. What were those things? You don’t have to say names of the software of course, but the things, so the email protection, endpoint, that kind of thing. Do you want to touch on, I guess, what are the things that you leveraged so other people listening can get advantage of that?
– Yeah. What was the difference between the E3 and E5 that you were looking to get?
– Well, first of all, the E3 does not come with the security packages. It doesn’t come with one and two, the two security packages, it doesn’t come with it, it doesn’t come with Teams calling for example. You don’t have that separate as well. Team meeting rooms don’t come with it. So that was one part. So for example, one of the things I leveraged was, they use the system for collaboration, something like Teams. And everyone could not use it or could not make calls, there were only about five or, no, I think 12 people that could actually create meetings, create conferences. And I walked in and I was like, why is this in play? And I looked to the cost of years, like, three grand, three and a half grand. I said, we already have Teams, why are we doing this? They said, we don’t know. And five years later everyone’s using Teams, done.
– Something else. on IT budget and how to reduce that and cyber security, but the collaboration piece of mindset.
– Collaboration piece is massive. Look, back in the days it wasn’t that good, but they just, I don’t know, they just rammed up. They just chased everyone down. They chased the competition down.
– It’s actually, I should have brought it in for this session, but the latest gadget in the place is, literally got here on Monday or Tuesday, the HoloLens. The HoloLens 2, I’ve got it on my desk. And the reason we…
– Ah, this is fun.
– Maybe we’ll bust it out a bit later. But the reason was that collaboration piece. So I actually, I watched a podcast, well, listened to it and then there was a video associated to it. So I had to go back and find the video and watch it. And the actual example was about a mixing console. And this was a Microsoft document and it was about, I’m trying to plug my microphone in, I can’t get any sound. So if you have the HoloLens 2 with the Dynamics 365 Remote Assist licence, the user who’s in the field, if you like, can be looking at their environment and then the senior technician, if you like, is back in the office and can guide through and can start annotating the real environment virtually. So you have this mixed reality scenario and it just, all these things clicked for me, all these light bulbs, all these things, you could use it. And that was two weeks ago and now there’s one on the desk.
– Look, that’s the good thing about you guys. You guys are progressive, you guys are, you guys are not only trying to be innovative, you guys are living with cutting edge. I tell people every day, you don’t have to be the first all the time. You can be the second, but just be the best second you can be.
– What do we say? The cutting edge, not the bleeding edge.
– That’s exactly what we say.
– That’s a good thing because I can imagine how that’ll work for you guys. So it means you can literally have someone on site that has no idea what IT is and just…
– We’ve got presence in a lot of data centres and not all those data centres are in Brisbane. So sometimes we need to get people remotely. The other beauty of it, all the things we were talking about in the preamble, before we started, but the training aspect. So you can, it’s a Teams call effectively. So you record that and that you can put, you can use for training for other people. And it’s just a great way, we’re all about trying to bring up the junior people to progress their careers, all that kind of stuff. So they can then have that opportunity, we could send one of them to the data centre and we could guide them through the step. Basically, they sent me to our internal rep and they said, take this cable and plug it there. So if I could do it, then anyone can do it.
– And then the light shut off and then fire everywhere.
– I think you don’t, look, you should trust yourself more. You just hung a light. You can plug in cables.
– You do this room.
– So I guess the valuable position you had to the board to go to E5 licencing, you said you were going to save six grand a month, get rid of these tools and leverage some of the Microsoft E5 stack. Is that right?
– That’s correct. Because we’re already paying for it, why not leverage it? Again, every time I go to Gartner, I try to look at what they have. I never go for the number one or the leader, I always go for the guy who is trying to innovate because I think the guy who is trying to innovate has a lot to catch up on.
– Yep. They’re hungry.
– They’re hungry and I like working with them. And then they come in as well for not-for-profit, moneys, we don’t really have a lot of money, so they’ll come in and they’ll help us out. They’ll say, okay, if you can do this for us, we can do this for you.
– I’m conscious of like, six grand a month for a nonprofit organisation, that’s huge. What does that actually mean for the organisation? What do they do with six grand a month for example?
– It helps us help the people who really need it. So for example, if we had like staff issues somewhere, we can add an extra staff, that’s one thing. Or we can go out and get actual, we can do needs analysis and help people and reach out to the actual people who need it. We believe in adding value. We believe in value and the only way we can get value is if our participants get value. One of the best things about Epic is seeing someone, a person with a disability gain employment and become independent. That is so fulfilling. That’s very, very fulfilling. And you have lots of people out there. So that sort of saving can help us put back into the community. Another thing with Epic is, EPIC helps the community as well, like outside of just what we do. Every quarter, we find an organisation that needs help and we just donate to them as well. We just donate cash to them or donate stuff to them. Just help them out because we know it looks easy when you see someone dressed up, they look good, but you don’t know what’s wrong with them. They have a saying to say, you see all the alligators lying flat, you cannot tell which one’s stomach is hurting because they’re all just lying there. So we try to do that as well and that sort of money goes back into things like that.
– Yeah, that’s awesome. I guess for other organisations with the technology as a whole, you’re responsible for not just the Microsoft products and ISO accreditation. What’s next for Epic Assist? What else are you trying to do next, like, in this year, 2022?
– Oh man, look, this year, first of all, we’re trying to reduce cost on our firewall. For example, like edge devices. Like I said earlier, we’re trying to build human firewalls now. That’s what we’re trying to do. We’re trying to make humans, our people firewalls. So what that means is, I’m having like secure gateways on devices locked down. I don’t care where you are, where you’re logged onto, you are still secure. So that’s one of the things we’re trying to complete. We’re already doing a proof of concept. Actually, we’ve gone past that. We are deploying that now into the system. We did a silent deployment, did not tell people about it and they already have it. We did that simply because every time ICT goes and says, we’re doing a change and this is going to happen and then people start coming back and saying, I have a problem, I have a problem, I have a problem. They try to relate everything to that change. So we just did this slowly in phase. So that’s one of what we’re trying to do, get a secure web gateway to protect team members across the board the same way. Another thing we’re trying to do is around ZTNA. There will never be a full ZTNA, there’s nothing like that.
– Do you want to explain what that is?
– Zero trust network access. So we want to be able to have our users fully identified before accessing anything that has to do within our domain. So it means, you log into something, you log from your device and then it authenticates your device that you have, authenticates your username, sometimes your password or just biometrics, it takes you through and then it does a scan just to say, oh yeah, it’s actually correct before you can access our main portal or go out to external portals. So that’s what we’re trying to do. But we’ve noticed that you can never be a hundred percent zero trust. There are accounts out there that will not be a hundred percent zero trust.
– So it’s a bit of marketing, right? Zero trust meaning you trust nothing except what you allow, but there’s always outlines like printers and account systems.
– I’ll give you a good one, MFA. Again, it’s never a hundred percent. In our Azure tenant, our identity is rated at 99.2.
– The few people out there that don’t have it.
– So I guess on topic with the purpose of this kind of catch up, as a non-for-profit organisation, there’s a bunch of things with Microsoft you can leverage. What are the other things that you leverage in particular that other leaders of technology, non-for-profit organisations in particular, not just in general, should be aware of or should know about?
– I think what other not-for-profits should be aware of is like, the opportunities you have as a not-for-profit entity. You have not only savings or 10% from every other thing, but you have like an ecosystem as in E5 licence that can actually progress across the line. Talk about SharePoint. We have SharePoint in there, we have Teams, you have about I think 21 terabytes of data space. You have that in there. You can store stuff up to seven, nine years eternity. You have a system or a portal that relies on or rest on services network. As in, it doesn’t go offline, it’s always online. If something goes wrong, you have a bigger body to look at. And then inside of Microsoft Azure as well, you have lots of security controls. For instance, I do my attack simulation through Microsoft. I push out phishing emails, blah, blah, blah all through Microsoft. Someone that contacted me two days ago and literally two days ago and said, oh, we have this thing you can use, is it okay? It’ll cost you eight and a half thousand dollars. I said, for what? Just to push out? He said, yeah. I said, well, I have it for free. Well, it’s for E5. He’s like, what do you mean E5? I said, how about I show you? And I took him through attack simulations like, oh, I never knew this existed, so we’re welcome. Again, people need to be able to probe and see what’s out there. I think one of the biggest issues we have in not-for-profit areas is, some of our leaders, they like new things or they have a particular, how would I say, belief in a particular software or something and they like to move with it. I’m not that sort of person. I have no commitment to anything. If it works, it works. I always like to ensure that at the end of the day the organisation benefits. Know what I like, know what I want. I’m massively diagnostic.
– So if you have a problem that comes out from part of your IT team or one of the managers, whether it is we need better cyber awareness training or phishing attacks, simulation, that kind of thing, you go to the Microsoft stack first to see what you can leverage in E5?
– Absolutely, absolutely. Look, if you try anything, if you try shadow IT in my environment, doesn’t work. And even if it’s good, I tend to tell you that I’m not doing it because you didn’t go through the proper channel. Process is important. I’ll go back again, I’ll go back again to ISO 27001. That’s why they have it. You need to have those rules, you need to have those processes in place. If you don’t, you’re massively vulnerable. That’s what it goes back to. You have to go back to ISO. If you’re governed and controlled by ISO and ISMS controls, which every quarter you have like 75 that comes in, if you’re governed by that, it means you have a proper security environment or you’re working towards that. So our advice, other ICT heads or managers are working not-for-profit, even CEOs, CFOs, leverage Microsoft. Microsoft has another trick. There are things in Microsoft that are available to you. For instance, you have like three and a half grand. You can, 3,500 latest U.S. dollars actually for not-for-profit per year. Now, you can go through not-for-profit portal and request it an instant like, oh yeah, you qualify, here you go. Now you have this. Then they’ll ask you to use this with a partner. So you need to look for a partner that’s Microsoft accredited, yada, yada, yada. However, you can still use it against paying for services with Microsoft. The same three and a half grand. So I’ve leveraged that. So I’m like, for all my Sentinel, is what I pay, so I used to pay for Sentinel. We’re not paying for it since Microsoft pays itself. And sometimes you need to ask questions like, you go into our governance. So we have all those controls in Microsoft that says you have to improve your secure score. Our secure score is sitting at 92%.
– Well, impressive.
– Our governance score is sitting at 85%. So you go in and try to do something that will tell you that your licence does not cover this. And then you call Microsoft up and say, what do you mean? They say, oh, we’re sorry, it does cover it. Again, you need to have that relationship and try to contact Microsoft for some of those things. But you will have all these benefits in just a know. And Microsoft are very, very happy to help you if you’re not-for-profit. And another thing for all my ICT guys out there, like, not-for-profit, every time you go out man, negotiate. Tell them you’re not-for-profit, you will get me on 10% discount.
– That’s good advice. That is a good point. They do look after not-for-profit.
– They do. Microsoft but also other tech organisations as well. Like, I spent five years in the managed print industry and they have a different price book in that industry for non-for-profits first. Everyone else, they get bundled with schools for example, but also like the Teams calling side as well, reduced price for non-for-profit. There’s almost everyone if you mention a non-for-profit organisation, definitely with certain size as well, you can get significant discounts.
– That’s correct. The secure web software we are using right now, discount regard is crazy, it’s unbelievable.
– Yeah. So I guess, as you’ve put a lot of advice for non-profit leaders out there in the market, around the cyber security realm, before we ramp up, what have you noticed this year in particular around cyber security? Anything that’s changed versus the years prior.
– Look, what’s changed currently is, scammers have increased massively and they’re very smart. Scammers are using all different methodology now. Scammers have realised that the infrastructure, ICT ecosystem is stronger, so people can still hack and stuff, but now they’re trying to use people to make money off them. So scamming is the biggest business. So they know that an employee is more susceptible to being scammed, than cracking or breaking into a server or hacking a server. So now they’re using people, they’re using people more and more and more. So like, for instance, what we’ve done across our footprint is, every email you receive will tell you straight the ways from external email. We have DMARC, DKIM enabled. Yes, some emails get lost, yes, some emails do not come in, but that’s what you have to carry. You cannot win everything. But you have to put the security in place stronger. Let’s change a lot. Another thing is changing in security is people. I believe more people have greater awareness now. People that never had awareness before have more and more and more awareness. People are trying to understand that security is not about your organisation, but about you as an individual. Because you think being careless with their security at work is the problem. That’s not the problem, the problem is your home. Being careless with your security at home. Because when you get hacked or you lose money through scammers, you don’t get paid back. When we lose money through scammers, we get insurance. Cyber security insurance.
– Cyber insurance is always another topic and we can almost get on that. So you have cyber insurance at Epic Assist?
– We do. Yes, we do.
– I’d imagine with a 92% Microsoft secure score, you get significant discounts with that because of all the methods you’ve put in place with…
– Absolutely. And honestly, I was really shocked when I saw that on the form. What’s your secure score? I’m like, well, okay.
– Yeah. I remember doing a year ago for a client that come back saying, do you use Microsoft 365? Being one of the questions. Do you use Outlook? Being in the questions. Then it was MFA and now it’s, what is your Microsoft secure score and cybersecurity, cyber insurance providers. And the details they do now around cyber security is intense. If you are selling cyber insurance, they have some kind of IT degree to decipher the storm that comes back. It’s unreal, but that can really have a massive discount on you…
– Well, that, and if you get the questions wrong, when they come in and they do their assessment, you won’t be getting that payment.
– It’s true, absolutely. I will talk about the form a little bit because it’s good fun. Just completed this, I think is about Tuesday actually, we completed cyber security form. It’s pretty good fun. I was in there with my other CFO going through and I looked at the form, it said, NIST. And I looked at it and thought, that’s not correct. It’s not NIST, it’s NIIST. I said that’s wrong. So my CFO was like, what is not, that’s totally wrong. I said, let’s call them. So we called them up and said, hey, I just want to understand, what’s this thing? He said, oh, that’s the framework. I said, no, there’s no framework like that, NIST. It’s NIIST. And he said, oh, we’ll have to call them. I said yeah, that’s absolutely wrong man, that makes no sense. I said, well, besides, in Australia we don’t use NIST. NIST is more for…
– [Jackson] It’s American.
– It’s American, but it’s more for defence here, defence users. I said you need to be able to have questions surrounding our standards, like ISO standards, like ISMS, that sort of thing.
– I think that’s a good point though at how quickly it’s changing and how quickly it’s becoming an issue that the actual providers are struggling to kind of keep up and work out what they’re insuring. We just had a conference a couple weeks ago with a bunch of guys from the states and over there it’s really, like everything, there are always a year or two ahead say of where we are. But that emphasis on risk mitigation and insurance is massive and they are kind of still trying to work each other out and it’s affecting premiums, it’s affecting coverage. And it will be, and that’s kind of, we laugh at it but it’s actually a pretty serious example of where they’re really…
– Struggling to keep up.
– Struggling to keep up with what’s going on out there and the risk because it is becoming very, well, it is very sophisticated, it’s very profitable to be a criminal and it’s expensive to manage it. And it requires a lot of tooling, time because the downside, well, for insurers, it’s very expensive.
– Huge. And I’m pretty sure there was some stats out on that, that the cyber insurance companies actually went massively negative about a year ago when ransomware increased and the cyber insurance policies were too low. That’s why they’ve made these forms a lot more strict because they almost need like, Redd’s technology reviews, they almost need a third party company to do technology reviews to see how much they should charge for cyber insurance. But how’s that scalable anymore? It’s unreal.
– Look, that’s a whole different topic in this. But just a few highlights. The insurance companies, I think they still think only insurance, they don’t understand security. They still mistake security, cyber security for home security. They don’t understand it. So they go out there, look at like a template and they say, ah, this will do. And they cannot actually interpret it properly. So, I said I have 92% secure score. And that’s it, they don’t ask any other questions.
– 27001, 92%, but there’s actually a lot more other questions that should be…
– Yeah. Things like evidence based for example. Oh, that’s awesome. How many points have you gotten there? Because Microsoft has this points, how many points have you actually added to it? That’s the other thing. It means you’re actually doing work.
– I guess corners of time, I really appreciate coming in Isaac. Is there anything else you wanted to add before we wrap up?
– Look, the only thing I will say, technology’s not going anywhere. It’s going to be here. Everything is going to change, like, continuously changes. For people out there, people who make decisions out there, you have to say I trust in the people you employ. Especially when it comes to security, if you employ a company, trust the company, trust what they come up with and align yourself to a standard. Whether it’s Essential Eight or ISO, just align yourself to a standard. Because when you do that, it means you get checked, you get fact checked year in, year out, you get a baseline, you get to It’s very, very important. Align yourself with something. Essentially, this is the easiest. You have ISO standards, just align yourself with something. It just helps you with your risk mitigation as well because all of those standards will help you cross that. Just before I sign off, the biggest security risk is physical security. Most people don’t know that. Tailgating, someone walks into your building, oh, hey mate, you let them in. That is the craziest security problem in the world right now, tailgating. A proper hacker just needs to plug in somewhere, they are fine. They’ve gone past what they call black box, they’re into the grey zone now, they’re halfway there.
– It’s very true. And I’ve seen some organisations that have got these all the secure identity stuff in place, but once you’re in their office, for example on their network, there’s a different problem. Look, just summarise, it sounds like you’ve done an awesome job over the past two years leveraging the Microsoft stack and not-for-profit status to reduce your IT budget, which has created real impact for Epic Assist to hire more people and help out more people with disabilities gain employment. Some of the highlights have been getting 27001, 92% Microsoft secure score. That’s huge in that short time period. So, well done and we really appreciate you coming on, speaking and having a chat with us.
– Yeah, thanks for coming in.
– Thank you guys.
– [Brad] It was great to meet you actually.
– Thank you guys. This feels like home really. And yeah, drinks and everything’s pretty good.
– Awesome. Well, thanks Jackson. Well done hosting. See you on the next one.
– See you.
– Good one.
– Good one guys.