REDD – Business and Technology Podcast Episode 005 with Mat Cantarella – CIO at FKG Group
In Episode 005 of REDD’s Business and Technology Podcast our hosts Jackson Barnes (BDM – REDD) and Brad Ferris (COO – REDD) interview Mat Cantarella, CIO at FKG Group, and discuss his first 100 days as CIO at FKG Group. Recorded Friday October 7, 2022.
If you would like to discuss any of the topics discussed in this episode further with a REDD expert, or if you would like to be a guest on the show, please get in touch either via our website, [email protected] or through any of the links below.
Thanks for watching!
You can find the full transcript below:
– Hello and welcome to REDD’s Business and Technology Podcast. I’m your host, Jackson Barnes, BDM of REDD.
– And my name is Brad Ferris. I’m COO of REDD.
– And we’ve got a very special guest today. I’ve been quite excited for this episode, the CIO of FKG, Mat Cantarella. Mat, we’ve got some good insights coming from you, hopefully today around the topic being first hundred days as CIO of an organisation. You’ve got a huge, I guess, cred and experience in the Brisbane market around cybersecurity, and now being the front of the large IT team at FKG. Did you want to introduce your background, Mat, what you’ve done previously yourself before we touch on FKG?
– Yeah. Of course. Thank you first and foremost for having me. I’m really excited to be on the podcast and yeah, really looking forward to the conversation. So yeah, Mat Cantarella. So I recently joined FKG Group as their CIO. Prior to that I was essentially in a CISO role at an organisation called Herron Todd White dealing in the property evaluation industry. So yeah, real focus for me over the last probably near on decade, has been around cybersecurity and cyber security awareness and process, and really making sure that with all the threats out there, that we’re really looking at what we can do to protect, not only the business, but individuals. And that’s a really important component of it is, you know, really protecting the individual from the threats out there.
– Yeah, it’s a big topic right now and we’ve definitely spoken a lot about cybersecurity on previous episodes, so that should be good. What did you do prior to Herron Todd White? How many years were you, I guess, were you there?
– Well. I’ll tell you what, I spent a vast majority of my career at Herron Todd White. I joined back in late 2008, 2009. And yeah, really started off in more system administration. So that was really my skillset, and back then it was very different to how it is now. Right. Traditional kind of infrastructure, and a lot of moving parts. Yeah, both in data centres and also on-prem, but I think over time, you know, that evolved into kind of looking after DevOps practices and governance more broadly through the technology space. And then probably around 2013-14, particularly in the financial services industry, we really saw a real focus on information security, and that really piqued my interest. I think, you know, the more and more we digitise, the more and more we risk. Yeah, things like our identities being stolen or data going to places that it shouldn’t, and the impact that they can have on individuals as well as businesses is just so profound. So yeah, our team really started to focus a lot in that area.
– Yeah, definitely. I remember looking at some stats on cybersecurity when it started being a thing like 20 years ago, people actually conscious about it. It was more just like banking, and then it went to like healthcare, and then financial services, as like the industries that get targeted. But it seems to be these days it’s going everywhere, and doesn’t even matter what size you are, they just get more sophisticated the bigger you are. So…
– Yeah, telecommunication providers, and then even suppliers are businesses, you know, are really being targeted now. So you could be quite a small operation, if you supply to one of the larger ones, you’re definitely at risk. So…
– Yeah. That’s a big thing. So do you want to touch on FKG, who they are, what they do, and then maybe your IT team?
– Yeah. Of course. So FKG group have been around for 50 years this year. So it’s our 50th year, which is really exciting.
– [Brad] That’s cool.
– Predominantly in the civil engineering construction space. However, the business is far more diverse than that, which is one of the kind of key reasons, I was really attracted to the role. There’s actually 17 businesses within the group and they range from all kinds of industries, you know, across oil and gas, supply chains, and also, you know, we even have a data centre in our group, halls DC. Yeah. So it’s a really broad kind of group and that really excited me at the time when I joined and still does. There’s certainly a lot to learn. So yeah, FKG group is, yeah, it’s actually been a really enjoyable, almost four months now. And for me, one of the key things that I’ve probably enjoyed is having the opportunity to learn about different industries. And I think as technologists we’re really fortunate in that regard.
– Would be a challenge as well. I imagine though, right? Looking after so many different businesses and not just looking at, you know, “Hey, what construction software do I get, and what type of people?” ‘Cause you’ve got to service all those different industries as well. No doubt.
– Yeah. Yeah, a hundred percent. And you need to actually, you know, spend a fair bit of time. Yeah. And that can be hard for some of us, particularly myself, listening and understanding because, you know, as technologists we see opportunities here, there and everywhere, but it’s actually getting, taking the time to evaluate where you can make a difference with tech, it is really an important skill to have.
– Have all those businesses come online organically, or was some of that through acquisition, do you know, from your time?
– Yeah. A lot of them organically, but some through acquisition as well, which can also present challenges, particularly in terms of integration.
– Yeah, I was going to say, with the different systems. So are you managing, overseeing a wide range of systems with a view to standardising, or is it fairly standardised?
– Yeah, listen, definitely overseeing a number of different systems and platforms, and certainly one of the challenges is understanding, you know, why they’ve been implemented, and what purpose they actually serve, and how critical they are to operations as well. And that’s something, you know, I’ll be, you know, honest with, I’m still getting my head wrapped around in many cases.
– [Brad] Yeah, I can imagine. Yeah.
– But in terms of standardising, it’s a really interesting one because yeah, you really do have to consider the business operationally and those business units operationally, and how much change appetite there is, with the end users as well with the staff. One of the key things, whether we’re talking technology broadly or cybersecurity is, you know, you need to get that balance right between, you know, ensuring the business is still operational.
– [Brad] Performance and risk.
– Yeah. And you know, helping to actually introduce some new measures with tech or cybersecurity principles. So…
– Yeah, that makes sense. Did you want, so how many in your IT team? Because, and I guess the broader FKG group, is that like 800 staff now? Something like that?
– Yeah, so just over 700 and roughly 750 IT users, however, there’s a number of staff that don’t require access to kind of technology. In terms of my team itself, we’re just on 12 now, so still a relatively small team, but a highly skilled team, which has been an absolute pleasure to join, and definitely work towards, yeah, implementing a strategy for the future has been really exciting to do that with my team.
– Yeah, that’s cool. So I guess back onto the topic of this podcast, we want to discuss the first 100 days as a CIO, chief information officer, of an organisation. So I guess to start on that, before you actually start as CIO, and you were sitting down and going, “Okay, I need to get a plan, what am I going to do?” What do you think about first?
– Yeah, really interesting question, and I’ve actually applied a little bit of thought to this and I certainly applied a lot of thought to it in the lead up. So I actually accepted the role a number of months before I started. I had about a three month notice period, which I had to complete. And that in itself was a challenge. You know, I’d had an outstanding, yeah, near on 13 years with Herron Todd White…
– [Jackson] That’s a long time.
– Really enjoyed every moment of that, and even, you know, making that decision to leave that organisation was a really tough one. But when I did kind of accept a role with FKG group, I was, yeah, listen, you get a little bit anxious, you know, ’cause you are starting to have a think about the business you’re moving into, thinking about some of the things you wouldn’t mind implementing, or getting your head wrapped around. But it’s really important in my experience, not to go in with any preconceived ideas around how you might do something. So as much as I did kind of want to pick up and hit the ground running from day one, and be prepared prior to that. And I did, I was fortunate that I had the opportunity to meet some of the team before joining, but I was really conscious of not, you know, setting up any plans before that. What I did, you know, get really interested in and get some information around is how the team was structured, how the organisation was structured. I found that was really helpful for when I did start on day one.
– [Jackson] Big thing for, I guess FKG, like you mentioned, the 17 different businesses within that. So the time to learn the business before you look at the technology would’ve been pretty substantial. So that makes sense. What other advice would you have for other people who are maybe starting a CIO role soon, or just into the position, before they start?
– Yeah, I think to gain as much information and knowledge as you possibly can first. And talk to the really key stakeholders early on in the piece and build relationships with them, and trust and understand exactly what it is that their businesses are trying to achieve. That’s certainly something all business units in some cases I guess are trying to achieve, or what their vision and strategy is. I think for me, when I learned a little bit more around that for each unit, yeah, it really aided me in working out how me and my team could kind of help them more, or get more involved in certain areas. The key thing for me is really people, and when I say people, I’m talking about the team itself. You know, understanding exactly how to… Oh, you know what, it’s more than anything else, it’s actually around realising that the change for them is as big as it was for me, right? That’s probably something that I underestimated initially, I thought, you know, this is quite a daunting thing for myself coming into a new business and having to learn all about where technology fits. But equally it was just as much a change obviously for the team, right?
– Because they might have been concerned about, “Oh, is this new CIO going to come in and change everything on me? Or are they going to go and tell me do other things? And I like doing what I’m doing now”. Is that, is that why?
– Yeah. A hundred percent. And for me, I was really conscious of the fact that, yeah, what’s worked for me previously might not necessarily work for me again, you know, so, you know, I’d built a team over a number of years at Herron Todd White and a fantastic team, and I was really fortunate to have the opportunity to promote a few people as I left, you know, into different roles and that was incredibly rewarding. But yeah, the team I’ve joined, you know, they’re different to the team I came from, you know, and the business is very vastly different from where I came. So I think that’s really important to consider and spend as much time as you possibly can in that first month or so really trying to connect and understand what drives those individuals.
– Big change for yourself as well, Mat, ’cause Herron Todd White was in Brisbane, right? So you moved to Toowoomba with your whole family as well?
– Yeah. Interesting story. So my wife and I have actually a couple times now moved between Brisbane and Toowoomba, but we actually have a base in both locations, which is handy now. Yeah. My, my wife’s a country girl, so she enjoys Toowoomba and we’d actually made the decision through covid to kind of move back and have a presence in Toowoomba. And I think that was, again, one of the extraordinary things about, you know, interviewing with FKG group was that the ability to kind of be based in both locations and have the best of both worlds, so…
– Did that opportunity come up, or were you looking in Toowoomba?
– You know what, no, and we certainly made the decision during covid to move back.
– Oh, okay.
– Yeah. People working remotely and I had been working remotely for the better part of, you know, two and a bit years. So we just thought, you know, we’ll move back to the country and you know, kind of, yeah, settle there. And yeah, a couple months later after we made that decision, the opportunity out of FKG kind of arose.
– Oh, you were already out there.
– So that was really, really fantastic. But yeah, I think that in itself as well, so for those that don’t know, FKG group started in Toowoomba. Yeah. 50 years ago. And there is a significant presence here in Brisbane as well. So yeah, I tend to spend my time between the two offices pretty equally.
– Yeah, no doubt, that sometimes the stars align. I’m glad that worked out for you, that sounds like an awesome opportunity. All right. So you learned about the business, and well the businesses I guess from FKG’s point, and then day one comes along, what are you doing day one as CIO?
– Yeah, it’s a bit of a whirlwind, isn’t it? To be quite honest, the last three months have definitely passed very quickly and certainly day one did. You know the first, probably, day and certainly the first couple weeks after that were really around, you know, building rapport and understanding where the team were at, with my team and my direct reports, you know, again to understand kind of what they’ve been working on and what, you know, what the key priorities were at that point in time was something that I really had to get my head around, and again learn, you know, because very different technology stack to what I was used to.
– So how would you do that? Would you like, have a sit down with each one person in your team, for example, get to know them?
– I mean, I did both. Yeah. So evidently you catch up with certain groups, but then, yeah, with each individual. I actually made a goal of mine for the first two weeks, to sit down for an hour with everyone, individually. And not just from a learning about their role, but learning about them, you know?
– And that was really helpful, and I think it really gave me some clarity around what people are interested in. Yeah. What gets the most out of each individual is very different and certainly what might work for me might not work for you, Jackson. So I think, yeah, that was a really important thing for me to kind of work through in that first couple weeks.
– How big is your team?
– So that’s 12 in total, yeah.
– Okay. And the business is national?
– Predominantly a lot of, yeah, listen, it is, it’s predominantly Queensland based for the most part, but we do have staff all over the country. Yeah. And sites all over the country.
– And then the total kind of end points you’re managing, or the total the size of the business?
– Yeah. So we’re currently managing, it’s around, the number floats a fair bit, but it’s around that 750 mark of actual, yeah. Yeah.
– [Brad] That’s pretty big.
– Technology, accounts, or endpoints.
– [Brad] Yep.
– But then obviously a number of servers, and various other different things going on as well. But yeah, for the most part, yeah. 750.
– Yeah. Cool.
– So day one, you meet the team, look at what technology they’ve got in place currently, what priorities, how do you then take that, and formulate a hundred day plan?
– Yeah, yeah. Again, a really, really difficult thing to do when you’re talking about such an extensive suite of products and services.
– That’s why I got you, you’re the expert. Right? So…
– Yeah, it was, basically the way that I approached it at least is first I understood exactly what they were working on at that moment. I needed to kind of get a handle and an understanding of that. And then from there I actually spent some time learning about the products because a lot of the systems that we were using and supporting weren’t particularly familiar to me, many of which I’d heard of or used previously. But I’d also, you know, come from a Google environment.
– Oh wow.
– Which we’d implemented at Herron Todd White a number of years ago. And I was moving back towards a Microsoft environment, which I’m pleased to say has definitely progressed a long way in a decade.
– Even in the last couple of years.
– Yeah. Even the last few years. So that’s been fantastic. But yeah, I think the first probably the month or so was really around learning. And then after that first month, I was able to sit down and kind of work out what the one year strategy was, was the approach I took. I think it’s really important that the team has really clear direction on what we’re trying to achieve. And ideally I would’ve implemented potentially a three year strategy, an evolution of things, but I just wasn’t positioned to do that. After a month, I found I needed to break it down to probably quarterly chunks and say, “Okay, this is what we’re going to deliver in this first quarter”. And that’s the way I’ve kind of approached it up until this point. But certainly one year strategy was something that I developed after three months, to really give us a sense of purpose and direction.
– So that first three months was more meeting, looking at tool sets, getting familiar with those. And then you tried to create a 12 month programme after that.
– [Mat] Yeah.
– So with that first three months or a hundred days or whatever you want to call it, how did you prioritise those initiatives? Was it based on risk to the organisation? Was it based on just what was worth optimising? Or like how did you prioritise?
– Certainly risk plays a big part. Yeah. It certainly plays a big part. I think it’s also really important that if there’s an initiative that’s well underway, you don’t get in the way of it.
– [Brad] Yeah, I was going to say.
– You don’t say discard it.
– Like when you came in at what point, you know, ’cause the way we look at digital strategy is that it’s kind of got to tie into the broader business strategy. So when you came in at June, you know, where was the business in the cycle of its business strategy, corporate strategy? You know, were you just resetting? Was it kind of come with a fresh…
– Yeah, I think it was largely a reset moment. The team had spent a lot of energy in, I guess getting the foundational technology stack to a point where it was ready to be uplifted and ready for the future. Which is really, I was really fortunate to kind of come into the business at that time, or the team at that time. So yeah. That was good. I think, yeah, I was really conscious as said before, not to interrupt anything that was in progress, but then what we did look at is establishing a way of working through what our capacity actually was, as well, as a team. And I think that’s something that I’d really recommend that everyone in a role like mine is very aware of, is what is your team actually from a resource perspective in a position to be able to complete simultaneously.
– Yeah. And you know, BAU versus projects if you like.
– What can, yeah, right?
– And how do you get that balance right? Yeah. For me, I’m a firm believer that I don’t think any one person should be working purely on BAU. I think it’s really important that people have a real connection to the strategy and the projects that are on the roadmap.
– [Brad] Yeah.
– That’s it. So you have everyone in the IT team, ’cause I’ve seen a lot of organisations where it’s like these three or four people, for example, just help desk, and then there’s projects team over here. So that’s not how you structure things?
– Oh, certainly you need to have your separate teams, right? And we have a support function and engineering function. Yeah. Some other areas of the team. But I mean, for the most part, yeah, I’m a really big believer that you need to have, as an individual, you need to have a buy-in to something that’s actually going on, bigger picture. And that really drives, I guess the effectiveness of what you’re doing because the people that end up supporting whatever we’re building, or integrating with or whatever project we’re looking to implement, they have that insight because they’ve been involved or someone in the team and that support unit has been. So yeah, that’s definitely the approach I’ve taken. And what it enables me to do is look at areas for growth and opportunity with individuals as well.
– For many people that have a really, you know, clear direction, this is what I want to work on, this is where I want to get to. But for some, unless they’re exposed to that, it can be quite tricky to work it out.
– Mm. I guess for some engineers it’s really good to develop their skills by getting involved in projects and getting buy in on that kind of stuff as well. So…
– Yeah, without doubt, without doubt.
– That definitely helps. So key takeaways I’m getting from first hundred days for what you’ve done recently is really get familiar with the team, the business, the business units you’ve got, and then look at capacity and planning and then what do you tackle next, and then you created a 12 month kind of roadmap out of that, how did you get that 12 month roadmap of things you want to the executives and say, “Hey, this is my plan, this is what I want to do”. How’d that conversation go?
– Yeah. So I essentially presented it to our senior leadership team, which is yeah, our executive group, and also for the various different business units, the GMs or the CEOs of those businesses. And you know, when I walked them through that, one of the key things I kind of made sure I had room for was anything that they could bring to my attention that they wanted to either discuss, or have potentially fit its way into that strategy. A lot of it, as a CIO, you walk in, you say, “Okay, these are some things that I really feel we should be looking at”. And it was, those things are usually quite clear pretty early on. What you’re not exposed to is where the business, or the businesses in this case, are looking to go and what things are particularly the low hanging fruit that you can deliver pretty quickly. And what I found is after I implemented that kind of 12 month strategy, and I’d kind of set up, you know, the initiatives around that and yeah, you set goals for roughly when you would like to implement it or have it completed. And what surprised me is we’ve actually got pretty far. Yeah, almost completely through the 12 month strategy, already. Because we’ve been able to chip away at things much quicker than I thought we would, because people have buy-in, a sense of connection to those projects.
– Well done. That’s an achievement alone.
– Yeah. And it was fantastic to see that kind of unfold.
– So do you have, it’s an interesting, not segue but consideration, so your, the relationship between, you know, the IT, the digital side of the business and the operational side of the business, how is that relationship? How, maybe, how was it, how is it now? How are you finding it? Do you have regular communication with the other managers, the other CEOs of the different business groups? Is it a good working relationship?
– Yeah, I think it has to be. And I think, you know, we as technologists have to really ensure that we’re actually playing our role in that as well. You know, obviously personalities are different, and some people would be more than happy to come and kind of say, “Hey listen, I think we had this area here to actually, you know, leverage technology a little bit more”. And I certainly had those conversations. With others it was actually more so making the time myself to kind of reach out to them and learn about what it is they’re doing. I think if you sit back and kind of wait for everyone to come to you, you’re probably going to let some opportunities, you know, kind of pass you by. So I think it’s definitely something that in our roles as you know, head of technology teams, we need to really invest that time and effort into, and to actually build those relationships with the key stakeholders.
– That’s good advice to be more proactive, like a proactive CIO right. Where you’re going in and consistently meeting with those, you know, heads or executives to get their feedback because if it’s just reactive, then you’re just putting out fires and not innovating, right?
– Yeah. I guess from the outset you’re kind of setting the tone for how the relationship between the tech team and the rest of the business will unfold. But yeah, and I mean to answer your question though, it’s not real, I don’t think there’s any one correct answer for how often you should catch up with those particular, you know, particular people or the stakeholders. I think it’s more, you know, how appropriate it seems based on that relationship with that business unit in terms of frequency. But, yeah. Building those relationships and making technology tangible is very important for many people in those roles. You know, they’ve been doing, they’ve been leading their businesses for a really long period of time, in many cases they might not even be aware of, you know, the technology capabilities that we have now, and the things we can’t implement. So…
– [Jackson] Probably even more so in construction, ’cause typically in construction, business owners and executives are less tech savvy than say an accountant for example, or someone who works in some kind of technology field. So, I guess you’d probably come across that. I do want to touch on, I guess the cybersecurity side. It’s interesting you said you used to be CISO, there was actually out today, I’m not sure if you saw, but the Uber ex CISO got found guilty of hiding and not reporting a breach in 2016, and is facing up to eight years of jail time. That’s actually terrifying. That’s really bad precedent for someone in a CISO position right now who’s responsible for the information of an organisation and meant to be reporting breaches and that kind of thing because eight years jail time for not reporting a breach for the CISO, that’s, I’ve never seen it like that before. That’s unreal. I’d like to get your thoughts on that before we touch on cyber at FKG.
– [Mat] Yeah. My thoughts on that is it is really scary, isn’t it? And I think it’s kind of, to a degree, it’s human nature as well. You know, we try to protect ourselves, and our businesses from those types of events. And then when they do occur it can be, you know, can certainly be a whirlwind trying to work out the best ways of actually dealing with an incident like that or something that has occurred. And that’s probably been, you know, something that I’ve learned over a number of years now is that as much as we look at the technical solutions, and technical measures we can implement to protect our businesses or even individuals, so much of, you know, cybersecurity is really around how you respond. You know, it’s how you respond, it’s how you communicate. Time passes by really quickly when you’re in the midst of an incident. You know, you’re sitting there with your technical team members trying to get to the bottom of whatever it might be, be it an outage or a security event, or whatever the nature of the incident is. And yeah, time can pass by really quickly, but it’s really important that you are communicating effectively internally with the people that are impacted. Yeah. I think that’s where many businesses come undone in terms of responding to these types of things.
– [Jackson] Mm. It’s definitely scary for other CISOs right now that you could potentially be facing jail time if you don’t report a breach or you try and cover up a breach. That’s pretty scary. So in terms of cybersecurity, when you were creating a hundred day plan, how do you layer that? And follow-on question from that is, how did you get the additional budget to get the best kind of cybersecurity protection for FKG? Because no doubt having the cybersecurity background, right, that’s something you went pretty hard at FKG was around that cybersecurity side, which is definitely a good thing. But how, so what did you look at and then how did you go across to the executives and say, “Hey, I need these tools for these reasons?”
– [Mat] Yeah. It’s a really good question. I mean, evidently coming into the role and then spending so much time focusing in that area previously, it was something that I was really interested to understand what the current posture was, and what were some of the initiatives we could potentially look at to improve that. And certainly I think it should be part of everyone’s, yeah, technology strategy how they handle cybersecurity and how they continue to evolve. So yeah, a lot of concentration has been around, particularly with a very complex environment. You know, the things we need to consider and probably over time evolve more. So yeah, it’s been a big part of what we’ve looked at and to my point before, I think it’ll continue to be a really big part, what will continue to be a really big part is how we communicate with our staff around cybersecurity or information security. It’s probably a better way of articulating it. I think people think about, you know, IS or cybersecurity as being, you know, a technology problem; in many ways it is, but it extends that, you know, it extends that to things that are printed, to data that might be on whiteboards, to any kind of information. Right? So I think it’s really a cultural issue just as much as it is a technical one.
– [Jackson] Do you align to a framework, like NIST or Essential Eight, or ISO? So when you were creating that hundred day plan, did you align to one of those frameworks?
– [Mat] Yeah, so I’ve had a lot of experience with ISO 27001 and it is a really good standard in terms of how comprehensive it is. I guess one of the things that I’d kind of recommend people consider when they’re looking at increasing their posture in the space is if you’re looking for a standard to come in and fix all your problems, 27001 probably isn’t the one for you. It’s very much so a risk based assessment where you will go through, you know, all the framework and work out how it applies to you. It’s not going to give you a lot of technical guidance on exactly what you should implement. If you look more to an Essential Eight model, which I’m also, you know, quite familiar with in using some of the principles there too. It’s more technology focused in the sense that it actually articulates, you know, for application control you should do X, Y, and Z. And I think, you know, if you’re just looking at potentially increasing your capability in the cybersecurity space, Essential Eight is a really good model to look at. And to kind of, to work through ISO 27001, yeah, more than anything else, it’s a risk based assessment where you’ll probably want to, you know, I think having those procedures and policies in place are important, but you kind of really need to understand how that connects to the technical elements, I think. Yeah.
– [Jackson] Okay. So when you went to the executives with your 12 month strategy, you actually used like the Essential Eight as a framework to help articulate to them, “This is the Australian cybersecurity Essential Eight and we need to get these things in place”.
– [Mat] Yeah. And then also articulate how it actually tangibly impacts us. Because that’s another thing to consider too. No two businesses are the same in that regard. And certainly your appetite levels will be different depending on the data as well that you store and that you process and the products you use. You know, whether or not you, you’re using a number of SaaS-based products or not, also comes into consideration I think. And yeah, that’s been something again that I’ve experienced in transitioning, you know, from one organisation to another is that, yeah, you really do have to look back and think about things like information classification through a different lens. You need to learn about the business before you tackle those things.
– [Brad] And then you mentioned earlier around the people side of things, obviously awareness and training. In your experience, what have you done to raise awareness for your team, for the broader business? Obviously there’s probably a bit more of a heightened awareness within the tech team, but the people down on the frontline, effectively, becoming aware of the risks, and how to handle that and what to look out for. How have you handled that?
– [Mat] Yeah, from a frontline perspective, it’s a process, right? I think the approach that I’ve taken for a number of years now is really to connect with individuals in a more broad sense. And not just specific to what we’re doing in a corporate environment. When we talk about cyber security risk, you know, people are number one, right? Everything comes for a person before, before it moves its way through an environment.
– [Jackson] So someone’s got to click that button, right?
– [Mat] Someone’s going to click a button, someone’s got to, yeah, click that link. So yeah, as much as we put in the technical controls and measures, people need to be aware of, you know, how to identify something that might not be legitimate. One of the key things I always talk about, you know, is if you’re not expecting a parcel to arrive, you know, clicking on a tracking link is probably not, is certainly not a great idea. So yeah, one of the things I’ve kind of tried to implement, certainly in my previous role and also now, is communicating with staff that, you know, we’re here to protect you regardless of whether it’s in a personal or corporate capacity. I think yeah, traditionally over a number of years, I think IT teams, and I’ll admit I’ve been guilty of this myself, have been really focused on purely looking at the corporate side of, you know, of that identity.
– [Jackson] Yep.
– [Mat] And now as we progress into a world where the lines between, you know, home life and work life are definitely becoming more grey. And I think for good reason, you know, we do need to take a little bit more accountability in helping people with any kind of cyber risk, be it in a personal capacity or corporate one. And that starts to change mindsets a little bit.
– [Brad] Yeah. On cyber risk and, and mitigating the risk. Obviously there’s policy training, technical controls you can put in place. They’re not going to mitigate all risks. And then generally, kind of what you’ve got left over to protect the business is some sort of insurance. We’ve had a few people in this room over the last couple of weeks and different conversations with very different perspectives on insurance. Is it worth the money? Do we take that money and reinvest in more controls, more training, et cetera, and take a smaller premium, take a risk? I’m just wondering your experience…
– [Jackson] Around cyber insurance.
– [Brad] On around cyber insurance.
– [Mat] Yeah, cyber insurance, it’s incredible, right? Premiums have skyrocketed. We’re not talking about doubling, sometimes 10 times the price of a previous premium. I would agree that in a broad sense, I think that, you know, I’d be more inclined to spend and invest that money in increasing your posture, in my view. I think that it’s a real balance, right? Between, you know, policy and technical capability. But, you know, investing that money into either tools that give you visibility, protect you from those external threats in the first place. But then also the incident response piece is a big one that I’d probably look to invest quite significantly in. Whether it’s your time or funds in working with a partner.
– [Brad] Yep.
– [Mat] In my view that’s money probably a little better spent than in cybersecurity insurance at this point in time. But, you know, every business has different requirements, and in some cases you’re contractually obligated to have, or you might be at a risk level where you feel cybersecurity insurance is fundamental.
– [Brad] It does seem to be trending in that direction probably because insurance companies are getting burned and I think they’re struggling to work out how to price these things as well, and they’re trying to cover their risk. So the price just goes up.
– [Mat] It goes up and you know, the incredible thing is about four, five years ago, yeah, it was probably a little bit longer ago, longer than that ago when I first, you know, when we were first looking at cyber security insurance and we’re going through that process of working with brokers and filling out, you know, questionnaires on our posture. And I think the first questionnaire I filled out had maybe five or six questions. You know, things like, do you have antivirus protection? You know, really kind of basic things. And I think the last couple that I’ve received are 120, 130 questions. It’s like going for an ISO 27001. You know, so, and then the fact that the prices of the premiums have just skyrocketed. Yeah. In correlation with that is just incredible. It doesn’t seem to matter how mature you are in the space, the premium is still just excessively high in my view. You know.
– [Jackson] We joked about this a couple of weeks ago, so you need an IT degree to be able to…
– [Brad] Fill out the form.
– [Jackson] Well, provide a quote on insurance, it gets crazy.
– [Mat] You know, excellent thing as well, the most incredible thing is that, you know, obviously you’re working with a number of different firms trying to get that right premium, and the questionnaires they use, even though the questions are essentially asking the same thing they’re worded that little bit differently just so you know, you have to do the exercise 10 times over.
– [Jackson] One other thing I wanted to get your opinion on, Mat, sounds like you’ve done a great job of getting really familiar with your IT staff, and building up the team, and saying that you’re big on even like, not just the IT team, but the rest of the employees at FKG. But we know that finding and retaining, so, you know, finding and retaining technical staff in southeast Queensland and probably even, maybe even more so in like Toowoomba versus Brisbane for example, is very, very hard. How do you go about finding and retaining IT staff?
– [Mat] So for me, retaining is really around probably some of the things we spoke about earlier. I think as, particularly as technologists, but with any role, right? People want to kind of have an idea of how either, you know, their manager in my case or the organisation can help them, you know, gain additional skills that they might not have now or progress in their career. And I certainly look to attract people that are motivated particularly by that and find, you know, contributing to projects that are really quite exciting to be motivators for them. So in terms of retaining staff, that’s usually been my strategy. And I think also finding people that complement, ensuring that you have a team that complement each other. Yeah, if I had 12 Mats running around, it’d be a horrible working environment. So they’re probably, yeah, the main techniques and I think, you know, when you’re actually recruiting new staff, I think my biggest learning over the years is just to be really comfortable that you’re making the right decision, not to feel forced into hiring someone that might not be quite aligned with your business. Yeah, because of your current workload. You know, and it’s as much for the incoming employee as it is for the current team is that, yeah, you need to get that person that’s going to come in and whether it’s from a technical capability perspective, or just, you know, being the right fit for the people in the existing team. Yeah. You need to get that right.
– [Jackson] Yeah, that’s a good point. We definitely saw, like last year I heard of IT managers or senior engineers getting offered like double what they’re currently on to make the jump to other organisations. Are you still seeing that happening?
– [Mat] Oh, listen the market’s definitely still really quite hard. Yeah. In my view, you know. If I’m being offered or if someone’s being offered twice what they’re currently on, I’d probably also be asking questions as to why that might be or thinking about that, and what you might be looking at. But yeah, listen the market is hard and it’s certainly competitive and there’s plenty of opportunity out there. So I think, yeah, being able to kind of you know, in my case it’s our technology strategy, but whatever it might be, being able to sell a bigger picture than just, you know, what they might be working on now, and really ensure them that they’re involved in that. And have the ability to actually, you know, to contribute towards what that strategy is going to be as well. I think as a leader it’s, you know, particularly someone that has a technical background, one of the things I had to learn pretty quickly around, you know, being in a leadership role is, you know, we might have a project in a success criteria and how we’re going to deliver something. But how we get that, I’ll get there, I’ll leave up to the technical people, you know, they know what they’re doing, and they certainly don’t need me hovering over their shoulders kind of saying, “Oh, I think we should do it this way or that way”.
– [Jackson] It’s good advice. So give your team like that buy-in and direction on what tools to use, for example.
– [Mat] Yeah. In ownership, right? Yeah. So, and particularly in the interview processes as I was talking about before as well. I mean, I think it’s so important that, yeah, the people that are going to be working with that potential applicant are really heavily involved in the interview process.
– [Brad] Yeah. I mean, makes sense.
– [Mat] You know, in most cases, I often, you know, would prefer not to interview a candidate until the second round myself personally, typically it’d be two of the team members at first would interview.
– [Jackson] Oh, really? So you get two of your team to interview a candidate first, and then you join for the next one? Get them to rule out on first on.
– [Mat] Yeah, exactly. I mean, at the end of the day, why would I want anyone to join our team if my team don’t kind of think they’re a good fit. So…
– [Brad] Yeah, makes sense.
– [Mat] Yeah. And that’s definitely served me well up until now. Yeah. Yeah.
– [Jackson] That’s awesome. All right, I really appreciate you coming on, conscious of time, but you’ve provided some awesome insights into what you’ve done recently, and your first hundred days as CIO of FKG, and it sounds like you’ve done a really stellar job of getting to learn the business and the people, and knocked out your 12 month roadmap well early in time.
– [Mat] We’re not quite there, we’re getting close, that’s for sure.
– [Jackson] Yeah. No, really appreciate you coming on, Mat. Anything else you want to add before we close out?
– [Mat] No, thank you very much for having me. It’s been a great conversation. I’ve enjoyed, yeah.
– [Brad] Thanks for coming out.
– [Jackson] Thanks man.