The Power of Education: Promoting Cybersecurity Awareness with Craig Ford

Posted on June 8, 2023 in Cyber Security

 

In episode 29 of REDD’s Business and Technology Podcast, host Jackson Barnes and co-host Nigel Heyn interview Craig Ford, Chief Technology Officer at Baidam Solutions, author, and board member of AISA.  

 

Craig shares his journey in the field of cybersecurity, starting from a traineeship in IT support and gradually transitioning into a career focused on ethical hacking and pen testing. He attributes his success to his natural curiosity and passion for cybersecurity. 

 

Craig has authored five books on cybersecurity, with a particular emphasis on targeting young individuals to consider careers in the tech industry. He believes in the importance of educating people, especially at a young age, about cybersecurity and instilling basic security practices. Craig discusses the significance of minimizing data collection and the challenges posed by data breaches in managed service providers. He highlights the necessity of implementing fundamental cybersecurity measures such as multi-factor authentication. 

 

The conversation also revolves around Baidam Solutions’ recent accomplishment—the opening of Australia’s first indigenous Security Operations Center (SOC). Craig shares insights into the establishment of the SOC and emphasizes the company’s commitment to training and developing cybersecurity professionals. 

 

Throughout the episode, Craig expresses his dedication to helping Baidam grow and his passion for promoting cybersecurity awareness. He firmly believes in the power of education and holds that cybersecurity should be a fundamental component of primary school curricula. 

 

Overall, this episode offers valuable insights into Craig Ford’s journey in cybersecurity, his motivations behind writing books, and his dedication to advancing the field and fostering cybersecurity awareness in both individuals and organizations. 

 

 

00:00 – Opener 

00:20 – Intro 

00:36 – Craig’s intro and career background 

02:09 – Craig starting in Cybersecurity 

03:05 – Craig pursuing a career in cybersecurity 

03:44 – Craig’s published books 

06:06 – Craig’s first article published 

08:02 – Discussion of Craig’s other books 

08:44 – Craig’s books being traditionally published 

10:27 – Target audience for Craig’s books 

12:16 – Premise of Craig’s latest book 

13:11 – Cyber awareness; Cyber education 

15:30 – What are the big gaps in the cybersecurity industry in Australia? 

17:08 – Training on Cybersecurity in Australia 

18:11 – 3 things done poorly in terms of cybersecurity 

18:35 – Multifactor Authentication 

21:17 – Data lifecycle 

23:10 – Education and evolution in cybersecurity 

24:57 – Cybersecurity in small to mid market size business 

25:53 – Australia being the safest country in 2030 and how to achieve it 

29:06 – Digital SOC in Australia 

32:53 – How does Craig’s Security Operations Center work? 

34:18 – What’s next for Craig Ford? 

35:43 – Outro 

 


 

About REDD  

 REDD is a Technology Success Partner business headquartered in Brisbane, Australia. The Business and Technology podcast focuses on the commercial application of digital technologies in business. Guests will include industry experts, vendors, customers, business owners and anyone with unique insight to share. We discuss and explore current events, issues and stories relevant to business leaders, entrepreneurs, technologists and everyone in between.  

 

REDD is a leading provider of the following services  

  1. Digital Advisory Consulting 
  2. Managed Technology 
  3. Cloud Computing 
  4. Cyber Security 
  5. Connectivity 
  6. Unified Communications 

 

Our Vision  

We believe, in the not so distant future, that people will not only deserve, but demand greater access to frictionless tools and systems that enhance and uplift their lives. Technology can create a truly blended lifestyle between work and play that prioritises mental health and wellbeing for our people, while increasing efficiencies and the effectiveness of emerging technologies in the workplace. We believe the future of work is built on perfectly balanced and curated tech stacks that seamlessly interface with the people they are built for. And it’s that future we’re building toward. 

Show Transcript

(00:02):

Yeah,

(00:21):

Hello and welcome to REDD’s Business and Technology Podcast. I’m your host Jackson Barnes and I’m your co-host Nigel Heyn. Today we’re sitting down with Craig Ford, who’s a chief technology officer at Baidam Solutions, author and board of director of AISA, which I’m sure you’ll get into shortly. Craig, thanks for coming in, looking forward to getting insights around cybersecurity and everything you’ve got going on and your journey. Mate, do you want to start with your background in terms of what you did before, what you do now?

(00:43):

Sure, no problem. It’s certainly a pleasure to be here and I’m looking forward to the chat today. So background, I guess probably start from the beginning I guess. I started out in probably early two thousands, 2001, 2002. In sort of a general IT support kind of role, I started a traineeship in a little country town in Veil, if anyone knows where that is.

(01:03):

Don’t actually, no,

(01:04):

Most people don’t, which is why I say that. But yeah, generally it sort of started out sort of worked with a traineeship, worked my way up until I was the senior tech there and sort of got to a point where I couldn’t do anything more from there. Couldn’t learn anymore, so I decided to move to the big smoke. So chose Brisbane and pretty much haven’t looked back since. Sort of just kept going along in that sort of IT role generally for probably I would say about 10, 12 years until I sort of decided I thought I wanted to be an IT manager or a, you know, CIO and I decided I’d do a bit of a master’s degree in IT management to sort of give myself a bit of formal qualification because I only had this sort of the industry qualifications. So went along and started and I’d sort of deliberately just sort of went, oh really interesting incident response cybersecurity units and I’m like, okay, I’ll give that a go just more for, it sounded really cool to do more than I thought it would actually add major value to being a CIO or IT manager and I kind of got a bit of a taste and didn’t look back since that was the direction I went from there and couldn’t stop pushing towards the cybersecurity direction.

(02:05):

And I started out, I guess you would say doing a bit of a dual role where I would do anything I could in cybersecurity along my normal IT role until I got that first jump over. But yeah, I had a bit of a natural ability in the ethical hacking pen testing space. So that was my first path in cybersecurity and

(02:23):

It was quite fun. Awesome. Did I see in your background your brief stint in Rockhampton as well? Yes

(02:29):

I did. I did a six month blip I would call it. It was sort of went up there and sort of had a bit of family up there and the wife and I were like, after we got married we were just like, oh, let’s try somewhere new. Done six months in Rohe. It was too hot for me. Yeah,

(02:42):

I grew up in Rocky. I had spent 25 years there and I did see her at CUR Solutions with Bruce Kerr and that kind of thing. So funnier that happens. Small world. And then the pivot into cybersecurity space, why? What intrigued you about that? Yeah, why did you do that? In terms of on the side when you could have stayed in IT, I’m sure there’s PS or IT jobs and you could have been down the path of being IT manager, CIO. What, why cyber security?

(03:05):

I think it was the continuous learning. It was a real challenge really trying to dig in and pull things apart, particularly that ethical hacking pen testing space. I love to pull things apart and figure out how they work. So I had that natural mindset and as soon as I started doing it, I just wanted more, just kept going and going and going. But yeah, it was that natural curiosity. I think what it was an inquisitive mind. Yes. And I find as I’m looking for young pen testers sort of coming through in that sort of space, you can find the ones that really sit there and you can see them watching and being curious and trying to figure out how things work. They are the best hackers you’ll ever have, best pen testers you’ll ever get. So yeah.

(03:42):

Yeah. Cool. So part of that journey then, what’ll you talk about later today, you’ve released or co-authored five books now. Yes. What was the rationale around doing that? What made you go, oh, I want to put down on paper my thoughts around cybersecurity. Why why’d you do that?

(04:01):

It’s kind of funny actually. If you’d asked me seven years ago, probably just before I started doing any of my writing, I would’ve laughed if you’d said I’d write a book ever. That was never an aspiration or even a consideration. It was not even a thing I thought I would enjoy doing. So it’s a bit of a strange path that I didn’t think I would take. It was, I’m pretty sure it was 2018, it was the last ACSC cyber conference in Canberra. I actually went and I was working for an MSP at the time still sort of doing that dual IT sort of time, doing a bit of those both roles. And I was sitting there and they were like, no one was talking about the risks that MSPs have with holding all the passwords, having access to all the systems. And I’m like, no one’s talking about it.

(04:39):

Why is no one talking about it? So after the conference I sort of went away and I was talking to my boss and I’m like, no one’s talking about it. Someone’s going to talk about it. And I randomly saw on a CSL online, the cybersecurity magazine online was said, if you have something you’d like to share or want to talk about, send through a pitch or an article and if we’d like it we’ll publish it. So I’ve done my first article around MSPs and some of the, how they held all the keys to the kingdom and how that was what sort of major risk it was. And yeah, that was 200 articles later. Wow. I’ve probably even more than 200 articles now with, I think I write for about five magazines now. Yeah. Awesome. That’s what started the journey.

(05:16):

That’s really interesting because that’s something we talk about sometimes on the show is I think it’s a big misconception these days that especially in the small business space, they trust their MSP or managed service provider, outsource IT company with everything and they sign an MSP agreement and they think that they’ve got cyber security covered as well. Completely don’t need to go to a separate company. But you’re right, there has been a fair amount of breaches of actual managed service providers in Australia in the past six months, which is not great. And it’s hard as a small business owner because you can’t invest in cyber businesses and SIEMs and SOCs and all that other stuff as well as an IT team internally or an MSP paying a monthly fee or whatever. So you just try and trust them, hope they’ve got it for you, but that is a myth that does need to get busted. So you’re ahead of your time I think in that in 2018 going down that journey. So that was the first book, what was that called? That

(06:05):

Was the first article. So I started article the Journey, just sort of doing the freelance sort of cyber journalist just doing it because I loved to do it, just kept doing it after a while. But I got about, I think it was probably about 40 or 50 articles in, and I had a colleague, Mandy Turner, I dunno if Mandy Turner, but basically she just said to me, I really like these, they’re story, they’re a bit more fun, a bit more entertaining, a little bit more open for everyone to understand and learn a little bit more. And she goes, this would be really cool in a book. And I’m like, okay, maybe I’ll see if I can put a book together. And that’s where A Hacker I Am, my first book, was born.

(06:40):

Yeah. Awesome. And what was the success of the book? So is that what the book was about but that MSP being a threat of first book or was that other stuff as well? There

(06:49):

Was quite a lot in it there. Basically it was a little bit different because when I was doing the first master’s degree, I noticed that cyber books and IT books, they’re pretty dry and horrible to read and I hated that. And I, as I was putting together, I’ve got pretty much 50 for A Hacker I Am and A Hacker I Am Volume Two, there’s basically 50 topics in each of them on anything from hacking autonomous cars to the mesh grids that they’ll use to connect to each other, to wifi printer hacking and pretty much all of the entry level kind of conversations and information you would get just that high level and enough to go, I want to know more about that and go have a bit more of a dig yourself. So yeah, basically 50 topics each book.

(07:28):

Yeah. Cool.

(07:29):

And they were sort of the first two were self-published and I went down, which we can talk about in a minute. I went down a more traditional published route with my next set of series. But yeah, so first two were self-published. But yeah, done quite well and I’ve surprisingly I sell more of them in UK and US than I do in Australia for those two books really. Which is an interesting fact. But

(07:47):

Aussies don’t care about cyber security. No, apparently no.

(07:50):

It’s the reason why we do this podcast to try and educate people. Right. Yeah, we welcome. Take

(07:53):

Care. Yeah, definitely. Definitely the case. So your first two books self published and then we went through why did you go through someone else for the other books and what were the other books about take? So

(08:02):

I kind of did a bit of a switch because I was doing a lot of the articles that I mentioned before. So I was doing writing for Women in Security Magazine. I’ve sort of done a regular column since they created the magazine and sort of wanted to try and encourage more young women into cybersecurity. So I’m like, what could I do as a guy in the industry? What can I do to help encourage? I’m like, why not create a cool female hacker character creator? It’s an actual fantasy novel. So a cyberpunk novel series, Foresight, lead female character, Sam goes on her journey sort of coming in the hacking world, getting in right into her mindset. So it’s first person gives along her journey and that’s where the Foresight series was created. And actually I went the traditional publishing route for kind of one main reason is I’m not perfect and I know self-publishing is they’re not perfect in some of that, not grammatical wise. There was a few mistakes, which is in self-publish you can only read your same stuff 50 times and there’s always at least one thing you’ve missed. So

(09:00):

Yeah, give it to your neighbor who starts reading and falls asleep and

(09:02):

Doesn’t really work so well. So I went through the full traditional process cause I wanted it because of that purpose, why I wrote it. I wanted it to be as clean as possible and as well rounded and refined as possible. So I decided to go to the traditional route and it’s working out really well. So yeah, now I got a second series with them, so that’s

(09:19):

Really, yeah. Cool. And I did see Craig that you, you’ve got a bit of a character around as well and yes, from first, why are you trying to humanize that? Is that to make it interesting not just to about cyber security and hacking because it’d be too boring or why did you do that?

(09:34):

I did it in that first person so he could really get into her mindset. So see what she’s seeing, think what she’s thinking and feel that whole experience of what it would be like to be being an ethical hacker myself, my background, it sort of gave me that unique insight of how to think. And I have five older sisters, so it made it a little bit easier to get into a female mindset. But I had a female editor too, which helps, but giving you that real experience and that real insight of what it would be like to be the hacker and as she’s going through it. And it was in real time too, which is the hardest way you can write first person. So it’s not a past tense or a pretense actually getting in there and the action at the same time and seeing how she was making decisions and how she was doing things. So really try and encourage that spark of, ooh, I would want to be like that. I think like that or I feel like that is something I could do to really encourage that interest, but

(10:26):

Okay. And what’s your target audience for the books? Is it appealing in the IT space or is it, what’s target audience? So

(10:32):

With that particular series it’s I guess you would say high school girls, young at young female was the primary target. Obviously the guys like it too, which is great, it’s always good to have a bit of a wide audience. But the main sort of target was that sort of mid to late high school early adults to sort of encourage that hey, maybe this is a career option for me, maybe tech is a space because essentially what you probably know yourself, there’s about 17% female participation in cybersecurity in Australia

(11:00):

And it’s probably quite similar,

(11:02):

Very similar I would say. So we have a lot of work to do. Yeah, yeah, that’s fantastic. And particularly Baidam, the company I work for, we’re all about that diversity and the inclusion and trying to encourage more participation. So just kind of makes sense. It just pulls up my social strings, the stuff I’d like to I get involved with and to do so. But yeah, that was the general idea behind it. Yes.

(11:22):

And Craig, how are you getting in front of that audience? Are you going to universities, high schools to distribute the books like that? How is your audience getting aware of I guess females in that demographic maybe interested in cybersecurity? Where are you going to distribute that?

(11:36):

So I’m not sure my wife loves this, but I donate a lot of my profits basically into giving copies to the STEM sort of initiatives and things like that with schools. And I’ve got donated a few copies to WA schools and Queensland schools and just trying to get out there as much as possible. But it’s kind of building its own traction now, which is quite nice. So I don’t really have to do too much, but obviously I try and sort of push it out and I try and talk to university, get into some of their lectures on guest lecturing and just trying to get the information out there. But yeah, yeah, work in progress but we’re getting there.

(12:08):

Awesome. And the most recent book, the fifth book that was released very recently, right? Yes.

(12:12):

The 22nd couple days ago.

(12:13):

Yeah, couple days ago. Yeah. And what’s the premise of that book?

(12:18):

So it was co-authored one with Katie Randall with a colleague from Baidam. Basically it actually started from a random conversation we just had, I think it was about 18 months ago. It was just someone really needs to do more in the education space in primary schools, really start that education a little bit earlier because we are leaving it a bit too late. We start the cyber awareness training and education when they’re already at their first job or when they’re starting their careers or

(12:43):

Depending where they start

(12:43):

Late in high school and it’s too late. We’ve already got those ingrained skills that behaviors we already have set already. So starting that nice and early just as they’re starting out using social media and particularly they’re digital natives now, it’s almost born with tablets and iPhones in their hands, which is crazy. It freaks me out as a dad, but it literally is something they need to learn and get really well set in behaviors and understand. And it’s, the book was kind of that cyber awareness, cyber education, kind of a similar style to A Hacker I Am but for primary school kids it tells stories, makes it a bit more fun, but gives you the education and lessons as you’re reading it and it sort of tries to give them the knowledge, not say don’t do it but understand what you’re doing as you’re doing it and make better decisions, which the more knowledge you have and the more you understand, the better decisions hopefully they’ll make.

(13:37):

So that was the premise behind it and we kind of went that little step further to hopefully educate the parents and the teachers at the same time. We put a back matter in it that sort of tells you what the main sort of points are, it explains what the internet is, explains, gives you that whole resource of these are the main terms that the kids will talk to you about, this is what you’ll read through the book, this is what it makes sense. And then it has a couple of questions after each chapter to go, these are some good conversational starters to actually talk about it and encourage a bit of a more interaction between either the teachers or the kids and their parents

(14:10):

And is it on their personal cybersecurity side as well in terms of social media and what they’re trying to do on social media and that kind of stuff and all the weirdos, that kind of stuff as well as a business cybersecurity side. So

(14:23):

It’s,

(14:24):

Has

(14:24):

It mostly sort of aimed I guess more of a little bit of both I guess you would say. It comes down to sort of there’s cyber bullying in there and who to talk to and interaction on online gaming and then you got the cyber stalking and harassment and things like it touches some pretty heavy topics for that kind of age group, but it’s done in a way that is try to be a little less confronting and a little bit more educational and try and make it as educational but light enough for them to enjoy at that kind of age. And it sort of goes, it aimed at that eight year old to about a 12 year old. So yeah, it’s when they’re really starting to dig in and really starting to use it, all of that online, electronic, digital stuff now. So yeah.

(15:03):

That’s awesome. That’s very important. Yeah, well all us got kids in this room and I think that that kind of space does need a lot of help because kids are so digital now, iPads from the two, three year old and then social media and they want phones when they’re 10 kind of thing. So it is a scary world out there, that’s for sure. So awesome. Let’s pivot a little bit into the more cybersecurity industry, the stuff that you do on a day to day basis. What are the big gaps you can see in the cybersecurity industry in Australia?

(15:33):

I think particularly, particularly in Australia, I think we are a little bit behind the eight ball. We’re not quite as advanced as some of the other countries around the world, particularly around getting those sort of basics in cybersecurity. We really don’t seem to do that very well. We like all the new flashy solutions and everybody does. It’s new toys, new things to play with, but we really do bad in that lower end space of making sure backups are done properly, making sure we isolate that from our normal stuff with ransomware and education. Education is for some reason really bad. We’ve been trying for quite a while but we are still not really getting the message across. I think we need to do something like the, I dunno if you remember the Slip, Slop, Slap kind of sunscreen kind of. We need that for cyber to get that general education across the whole population, not just directly in the business side.

(16:21):

Because I always say when you’re sort of doing that education side, if you can make it connect to them and be something that affects them in their personal life and then help them be more safe in their personal life, they instantly become more safe inside their work life because they’re actually learning the right skills and doing the right things. But yeah, we need to do all of those basics, forget all the nice flashy stuff. We can do that once we get the maturity a little bit better. But yeah, there’s a huge gap and I think there’s a bit of an issue with our workforce side in Australia as well. It’s probably not just Australia, it’s probably a worldwide thing, but we are not really training enough people. We need to, which is one of the reasons why the SOC came about, but we can go to the conversation in a minute. But we need to stop poaching each other’s staff and start training a few people. Do the old school style of do traineeships. You don’t hear people doing really traineeships or anything in cybersecurity. We need to do that. We need to put in the time and go sort of paying more money and stealing them from somebody else actually put in a bit of time. I know none of us have time because there’s not enough others, but if we don’t do it, it’s only going to get worse. So

(17:23):

Yeah, I think you’re definitely right. It’s very common that it’s like a network engineer or something who’s like, oh cyber’s interesting, this exactly happened to you. They turn into cybersecurity professional. That’s generally what we see as well on that side. But you’re right, does need to have more people and I agree the knowledge gap is definitely significant from business owners out there. But even internal IT manager, that kind of stuff, it’s quite hard for businesses to keep up with a revolving kind of cybersecurity threat knowledge will possibly may from a business owner’s perspective. You had a question for

(17:52):

Craig? Yeah, look Craig, it’s interesting what you hear about the lack of, I guess the education and that’s why we do these shows, right? Because I guess it’s hard for us as a provider to be seen as trying to push something down someone’s throat when yeah, we genuinely are trying to protect them, make sure their biggest asset is their business is protected. If you, in your experience, what would be three common traits you see people don’t do well, you know, touched ’em before the backup air gaps and things like that. Is there three things that you can really identify that is consistently done poorly that listeners today or viewers today can go? Well look, if I fix that, I’m going to be better off.

(18:30):

I think my, probably the biggest one, which really still doesn’t make any sense to me is multifactor identification. People still don’t do that and it doesn’t make any sense. Yes, we all have phones now and it pretty much everyone has a phone, they’re always carrying their pocket, put MFA on everything. If you can put it on there, put it on there. Yes something, some of the old legacy stuff, you still can’t do that. But there is ways around that as well. So I, MFA is huge problem, which we for some reason can’t get right. It’s not perfect, it’s, it’s not a silver bullet but at least it makes it a little harder, particularly for ethical hackers to be able to get past that stuff. And the malicious guys and girls, they, they’re starting to get past that sort of stuff now. So if they’re not at least putting those basics MFA and stuff in place, then we’re wasting our time. They’re just going to keep getting through and at least

(19:16):

Put a lock on their front door. It’s the

(19:18):

Start and password’s, the lock, right?

(19:22):

Use password manager, use different passwords, do something to try and at least get those unique passwords. We’re still even doing that wrong and it surprises me every day the same conversations and it’s like we said before, the basics just aren’t getting done. And I dunno if it’s that education thing where we really need to embed that education and make people understand why that affects them and why they need to make sure it’s clean and the hygiene is done and password managers are not perfect either. They get breached as well, but at least they’re encrypted. The data’s good, you know, reset that password. Generally you’re okay, they fix it, they move on, you’re already still a hell of a lot more secure than having the same password for all different accounts when there’s so many breaches now it’s not funny. And the other thing is probably my, I suppose my last little bug bear is the amount of information.

(20:09):

Most businesses keep a lot of it, they don’t need to actually go through a bit of a hygiene process. If you really don’t need someone’s date of birth, don’t keep the date of birth, make it so that yes, pretty much it’s almost guaranteed that nearly every business is going to get breached at some point. The severity is probably the only thing. So you’ve got to figure out how to get those basics slow the sort of breaches down so they don’t get too far into your systems but reduce that impact. But if they get it, make sure it’s not as valuable for them and it’s not as a big an issue to the sort of client base or the customers or whoever’s data that actually is stolen that what they’re getting is not that valuable. And I think I just see it all the time. You see all the forms going, they’re always asking for date of birth and your license details. Yes, there’s got to be a better way to go verify the details, get rid of it and don’t keep it. Once that validation process is done, the verification is done. Just yeah. But yeah, I see that a lot. I think minimize the data, make it nice and clean, keep the hygiene and two things, just do the basics. Yeah,

(21:10):

Perfect. And good advice Craig. Yeah, thank you.

(21:12):

So in a business then, who should be responsible for that kind of data life cycle piece? Because yeah, if you look at a traditional whatever industry business, they’re focused on staying profitable, providing a service, keeping the lights on, that kind of thing, management IT teams internally or MSPs are focused on keeping the lights on. They’re probably not really the kind of people that are going to dive in and look at, oh actually we don’t need this driver’s license from 12 years ago. Who in a business should do that?

(21:40):

I think it’s a bit of a crossover because you sometimes you’ll get, the reason that they’re collecting it is more marketing. So they want to know about their customers, their customer base. So I think it’s probably a lot of the time they’ve got the data so it’s a bit hard to go back and sort of sanitize. So it’s somebody’s got to be given that sort of responsibility. And I don’t think it’s responsibility either or even cyber securities, it needs to be back into a business function of who’s using the data. If it’s their data, they own the data, someone has to own the data inside the organization, it should be their job to go back and clean it up. But particularly in the marketing space, I think someone should sit there and it should be a directive to go stop collecting the information you don’t need. Yes we know that you indicate that could be some potential value but minimize what you collect, make that sort of conscious decision for your clients going okay, we really don’t need this. It doesn’t actually give us any real value. Just the fact that we feel like one day it could be useful. So yeah, just minimize that impact, take that sort of business choice of going this is the right decision for both us and our clients moving forward to stop collecting that kind of stuff. Do the validations then eradicate it.

(22:46):

And it’s interesting just on that space, sorry if you wind back probably about five years, Craig the world was talking about data is the new oil, collect as much data, whoever’s got the most is going to win. And so now we’re talking about look, just being really smart, just collect what you need, keep what you need, manage it accordingly, right? So I think you talk about education, it’s probably ridden between the tea leaves, it’s probably education and evolution. You have to remain on the edge otherwise you’re going to fall massively behind and be completely exposed. So do you think that’s a fair comment? I think

(23:17):

That’s probably a fair comment and particularly when you’re talking around keeping up with particularly the amount of breaches and stuff that are happening and the continuous flow, we kind of need to adapt and we need to go, okay, it’s probably going to happen. How do we make it so it’s minimal impact when it does or at least reduce it as much as possible. And particularly that on flow within your own systems, the segregation, the making sure whatever it is they get into it does reduce as they go through and it’s making it harder and harder because the harder you can make it, the less they’re going to go, they’re going to stop at some point unless you have something that is completely on their wishlist and they’re going to get it no matter what. And then that’s just the case. But as long as you make those steps harder and harder and harder to go through, it’s going to slow them down. They’ll move on to the next low hanging fruit and you know, can recover and try and sort of salvage whatever situation it is. But yeah, it’s really separating, only collecting what you need, only keeping what you need. And it is basic, just a basic thing. Just only have what you need, only keep it down to what you need. So yeah, good

(24:16):

Advice

(24:17):

May not land as well with marketing teams who’s

(24:19):

Got no, no they won’t like that.

(24:21):

But

(24:22):

It’s true, they don’t need date of birth. Most of the time you could get an age gap, like a grade of say 20 to 50, that’d be better than actually getting the date of birth. Yeah, there’s ways around getting similar

(24:32):

Information. What you collect definitely should be reassessed. You mentioned before MFA. So you are seeing in what you do on a day-to-day basis, a lot of businesses were still without MFA. I

(24:42):

Think there is, particularly around that sort of small to medium business space, they are probably not as progressed along as some of the larger enterprise. The larger enterprise, they’re getting the single sign-ons and they’re starting to get all embedded pretty well. But you’ll still see that sort of mid to small market where they’re not really doing it. And I dunno if it’s because there’s not enough cybersecurity providers and that are really kind of working in that space and there’s not enough education going out to them to make that a simple process. Cause if they don’t know they’re not going to do it and it becomes a bit of a challenge. But yes, there’s quite a big gap and even in their personal lives, if we can teach them somehow as a wider community that MFA is really good, they will push that into their small businesses and their businesses they work for. So we need to just get that education part out and I think that’ll push itself. But yes, that’s still a huge gap which kind of concerns me quite a

(25:31):

Lot. Well just on that, Craig, Clare O’Neil had a vision to make Australia one of the safest countries from the cyber point of view by 2030 and I know she recently opened your facility. So how do you see us achieving that? Is it going to be something that the government’s going to mandate? Is insurance going to be insistent that you do these things? There’s a lot of hygiene that people aren’t doing properly but until there’s a compelling event it doesn’t really change, right?

(25:52):

Yeah, you’re sort of spot on. I think it’s basically a lot of conversations we’ve had with industry and a few others and with my sort of role with AISA, we have a lot of those conversations with the member base and sort of try and figure out where everyone’s at, where the mindset is and it’s all on that same page. We don’t really know where that next step is. But the general consensus I think around particularly that sort of legislation, it’s not really, the government doesn’t feel it’s a government problem to fix, it’s an industry problem to fix. But I think they’re going to mandate some of that to make us sort of fix it ourselves and push us along that right journey. I think there’s a bit of a hard line to walk cause they’ve got to make us sort of go the right direction but they don’t want to put too many roles and rules and requirements on it because then no one will meet them and it’ll just cause a bit of a cascading effect and we won’t get anywhere.

(26:41):

But I think it’s somewhere going to be in the middle. They’re going to be changing in the legal requirements and the critical infrastructure sort of bill and things like that. There’s going to be a little bit more of that. I think what they will give us the overarching here’s what we feel you need to do and make a few fines around it potentially there’ll be sort of some consequences if you really don’t do anything. But I think it needs to be at a point where it’s achievable somewhere in that sort of space but actually makes an effort and really starts to protect the organizations. But the problem I think at the moment, particularly in all the different states have different rules and different requirements for compliance and for regulations. So they need to somehow make that a little bit more consistent and give that, here’s the general simple process for the whole of the country, these minimum requirements if you want to work with government agencies or something like that, that will probably get a bit more consistent approach instead of going you need to do these particular requirements for New South Wales or you need to do these for Queensland and all of them slightly different requirements, it needs to be a bit more consistent.

(27:42):

I think that’ll definitely help. But yeah, I don’t think the government will force to a point but I think there will be some changes. I’m just not sure how far they’ll go. I think they need to do something and they are very, very clear specifically I’ve been lucky to talk to her a couple of times now for a few minutes and she seems very passionate about that and she, as far as I can tell, she wants the industry to be the solving part of that problem. Not to be told what to do but to go this is what we as an industry feel like we need to do and sort of come up with a solution together and them help us do it not the other way around.

(28:14):

It’s a very hard problem because they got, most small businesses have to pay for this kind of stuff to turn on. Yeah they got to pay for stuff to have air gaps, backups and have to be managed and then disaster recovery testing and they’ve got to pay for their MFAs to be configured, they actually got to deal with it. A lot of things have to do, there are some things out there like the notifiable data breach scheme and that kind of thing, which there is some regulation around and if you have government contracts that are funded at a federal state level, there’s definitely more curriculum obstruction things they have to do. But I think that in general businesses very hard task to do. So I can see why

(28:50):

You need managed security services would be a hundred percent tax deduction. So everyone has to take it on board.

(28:54):

That’s a perfect solution.

(28:55):

Exactly. Write that one in. Do you want to go through that story of what happened? Cause for those listening, Baidam Solutions, which Craig is chief technology officer for, just opened I guess the first indigenous SOC in Australia a couple weeks ago and Clare O’Neil, the minister of cybersecurity in Australia, came up and helped open that. Do you want to go through that kind of story? What happened, Craig?

(29:19):

Yeah, I think it is pretty exciting to actually have Clare come along and open up the SOC. It’s not something you see every day. So we’re pretty privileged I think and pretty honored to have her sort of come along and do that. But it’s to us that the SOC itself was sort of, I only played a bit of a small part in the creation of the SOC. We have a really sort of, I would guess you’d say a bit of a consortium. We sort of come together with JR from Tarion and we got Whiterock with wheel that we mentioned before and Angela we sort of come together as a team with Beam and they helped us with the knowledge and the creation and getting it built correctly. And we did it in a, I guess you would say they call it a co-design sort of process with, so making sure it works with the indigenous culture and the way they transfer data and transfer knowledge between each other.

(30:01):

And so it’s a little bit different to your normal SOC and it’s sort of in that way they sort of sit side by side instead of you would normally get your level one, two and three sort of front to back. We sort of change the process so you’ve got the knowledge holders sitting next to the junior staff, so it’s a bit more of a knowledge transfer right next to each other all the time and it’s the way their culture does the sharing and the knowledge and it was really good to see. And we, I guess you would say we’re a bit of a different organization, which some people probably know, we actually give 52% of our profit to social outcomes to help encourage young indigenous kids and aspirants to come through and with scholarships sends vouchers. So we’re a little bit different of an organization and the SOC itself is, yes, it’s obviously it’s a capability in cybersecurity, but to us it was about more giving us that capability but then creating that education ground to solve some of that.

(30:55):

Let’s train our own people. So we bring in, yes we bring in some actual qualified incident responders and some SOC analysts and sort of then bring in young aspirants and actually train them and yes some will stay and we’re quite happy for some to go along and work with other organizations and help pass on some of that knowledge. It’s about training and doing that’s more social side. So we are a little bit different in that sort of space. But yeah, it was about 12 months in the process and Cody MEK is our SOC team lead. He’s done a great job keeping it all together and getting it really working well. So yeah, it’s exciting times and we are just getting started and there’s a lot more to come I think. So

(31:31):

It’s such a big industry. We’re so proud that, thank you for coming on the show. For us cyber is critical and we want every business to be protected. I had the luxury of being born here for my parents coming from a war-torn country and I love Australia and want to make sure that we’re protected but unless things like what you guys do and what we’re trying to do, we’ve got to work together. That’s the main thing is that cyber is where the old Olivetti typewriter became the WordPerfect 5.1 on the computer. So this is the new frontier that we really need to protect. So well done guys. Really awesome team. Yeah,

(32:02):

Thank you. And you’re right, particularly around that working together, Baidam itself could not have done the SOC on its own. It was the consortium with Whiterock and with Terry and then sort of coming in and helping us build that capability and like you said, we’ve all got to work together. Too much I think in the industry of us and them, we’re all against each other. Yes, there’s competitors sometimes, it’s the way it is and you can’t share everything. I get that. But sometimes you can come together a little bit and make everyone’s life a little bit easier and say look, this is what’s working, this is what’s really not working. Let’s share some of this stuff and make it a bit easier and everyone gets better for it. We all get more protected and we will become what Clare O’Neil wants us to be and be the most secure nation. So I think we have a lot of work to do, but yeah, we’re on the right path I think. Yeah, isn’t

(32:48):

An elephant one step at a time. So

(32:49):

That’s it. One step at a time.

(32:51):

So the secure Operations center you’ve started, is it starting 24/7 straight away? How many people in the team? We’ve

(32:57):

Got, I think we’ve got five staff now inside the team. So we’re sort of going to progressively grow that over time, particularly with those young aspirants coming through. Cool. We want to be bringing new people in and sort of training them and hopefully letting them go out and do the sort of stuff in the industry itself and great if some stay too, but if they go, that’s fine. Yeah. So yeah, it’s kicking along now. We’re just starting to get our first few customers sort of on board and start sort of doing the processing and yeah, it’s very exciting. Exciting. Still early days. But yeah, we’re hoping it goes quite well and which it looks like it’s going to and obviously the publicity with Clare coming along and sort of helping us get the word out there is definitely a bit of a benefit. It helps us get it out there.

(33:39):

Yeah, well I’ll have to get you back in a year or two and see how big the team is then maybe you’re spread across multiple sites and big team running. That’s exciting.

(33:47):

I think it’ll be quite potential I think because I was actually brought on with Beam January last year to come internally after doing some contracting for him for a while. So literally my team, the tech team didn’t even exist 18 months ago and now we have basically as many tech as we do as non-tech. So yeah, right. I think it’s a quite exciting time soon. We’re a lot of growth, so

(34:06):

That’s exciting. So I’m conscious of time, but Craig, before we wrap out, what’s next for Craig Ford? More books coming out. Obviously you’re pretty invested in Baidam’s journey and you started the SOC and you want to see that grow, but what’s next man?

(34:18):

I think yeah, definitely helping Baidam sort of grow along a lot more. A bit of a social strings on me and pulls up my heartstrings, makes me want to do a bit more and get out of bed. So definitely more of that and definitely more books I’ve already written. The next one for my foresight series, so the Hacker Fantasy series that’s coming out and end of next end of the year. Cool. And I’m starting to write the next one in that, and I think from the response with the primary school awareness book actually sold enough copies to make us bestselling authors before it was actually even released just in the pre-orders. So

(34:48):

How does that work? How many copies do

(34:50):

You have to do in Australia? You have to do 5,000 plus cool books. So it was in the pre-order timeframe I think we were nearly 6,000 books. So that’s exciting. It’s quite exciting. So that’s nice little title I can have, which it’s pretty

(35:01):

Cool, but should open with that bestselling author. Bestselling author. Yeah. Wow.

(35:05):

It’s still weird saying that I’m an author, right. It still feels a bit weird saying I’m a published author. Yeah. But yeah, so probably more books I think, probably some more education and awareness because I’m pretty passionate about that. I like to try and transfer any knowledge I have and have those conversations and particularly around the entry into cyber, I try and make that as easy as possible because I know even with a long time in sort of IT, that sort of foundation background, even I found it pretty hard to make that physical jump from an IT to an actual full-time cyber role. So I just think it’s too hard and I think we can do better. So yeah, we’ll keep sharing and keep pushing that along.

(35:43):

Speaking off to go. But thanks for coming in Craig, really appreciate.

(35:45):

Thank you. It’s.

 
