In this special Christmas episode of Secured, Cole Cornford does something a little different to usual and answers listener questions. Lots of topics are covered, including New Year's resolutions, cybersecurity trends of 2024, career and life advice, and plenty more.
A huge thank you to everyone who sent in questions! We had so many responses that we weren't able to get to all of them. Let us know if you enjoy this format and we may do it again in the future.
1:00 - Cole's thoughts on new year's resolutions
3:00 - Cole's experiences working in large organisations
13:30 - Critical cybersecurity steps for organisations in 2025
20:30 - Using security tools to protect APIs
26:20 - Protecting against supply chain attacks
36:20 - Cole's perspective on DevSecOps
40:50 - Trends of 2024
50:40 - Diversity in the cybersecurity industry
1:01:02 - ASPM tools
1:13:20 - Why Cole enjoys making the podcast
1:21:00 - Life advice that has stayed with Cole
Mentioned in this episode:
Call for Feedback
Hello, everybody, and welcome to the Christmas edition of Secured.
Cole Cornford:In this edition, we've answered a bunch of different people who have either been guests on the podcast previously, or just, um, audience members or friends of the show who've then sent in questions about various different types of things, whether it's about running a company or about application security, or just personal values on life.
Cole Cornford:I found this episode really interesting and fun to do. It's a bit of a departure from my usual ones that bring a guest on and have a conversation. I hope you find it super valuable and I'm hoping I can do this more in the new year. Anyway, with that being said, let's get on with the Christmas special.
Cole Cornford:I wish you all Merry Christmas. I hope this is good fun for you.
Cairo Malet:Hi Cole, happy holidays to you and the family. Thanks for a great 2024 and just generally being a superstar. My question for you as we head into 2025, what are your thoughts on New Year's resolutions and are you setting any personal or professional goals for next year? Thanks and enjoy the holiday break.
Cole Cornford:I think there are arguments in both directions for New Year's resolutions. Um, a lot of people will say, hey, why are you going to wait for the new year? Why don't you start now? And another thing is telling people what you're going to do gives you the same reward as actually doing the task in the first place.
Cole Cornford:So, like, telling people that you're going to write a blog post tricks your brain into thinking you've written a blog post. So it's kind of the same with New Year's resolutions, telling people you're going to get fit is the same as actually going to the gym for a lot of folk. But I think on the positive side, it's symbolic and it helps you like change your attitude and your mindset.
Cole Cornford:And our new year, new me. I like them. I think people are too harsh on themselves. Like if you did gym for three months and quit, I know a lot of people would say, oh, I guess like I'm a failure. I didn't follow through with my New Year's resolution. But, you know, maybe what you need to learn is that you just don't like going to the gym.
Cole Cornford:So I think it's better to have these small experiments and the new year's a good time to start because work's not terribly hard. And I think people are forgiven if you go kayaking or whatever and then discover that you suck at it. You just don't want to do it. So, yeah, get feedback about what you enjoy and then, you know, change it up if you're not enjoying it.
Cole Cornford:It's really hard to go from zero to one as an adult. Like, I think I've said before that everybody looks on the internet and sees what everyone else is doing perfectly. And then you think that you can get there with a little bit of practice, but it turns out it's actually a lot of practice and then that it discourages people.
Cole Cornford:So, anyway, go out, try things. Doesn't matter what it is, like stand up, whether agile or comedy, skydiving, dragon boating. Yeah, just don't beat yourself up. If you fall off the wagon, you can always just jump back on. Well, Cairo, you better tell me what your New Year's resolution is. I'm excited to see if you stick to it or if you listen to my advice and fall off the wagon and then get back on it. Have a Merry Christmas to you too.
Adam Selwood:Hey, Cole, it's Adam from Cinch here, mate. Uh, just come off the back of a massive week at CyberCon where, uh, we have been sharing with the industry our, uh, recently launched solutions to help make working with smaller suppliers simple. As a somewhat smaller supplier yourself at Galah, I was wondering if you had any tips you could share or advice from your experiences working with larger organisations. You know, why is it so painful? Uh, how can you make life a little bit simpler for everyone involved? And you know, what's it, what's it take to break into those larger companies? Thanks so much for the, uh, opportunity to contribute.
Cole Cornford:Yep. So large organisations are typically the ones with the highest demand for cyber. I know that, um, small business is a bit of a tar pit. And what I mean by that is everybody thinks, hey, look, there's a, a pool of water. We should go and drink water for in that pool because it's, you know, there's nothing there.
Cole Cornford:You jump into the tar pit and then, you know, you basically collapse and die. And then it looks like a normal pool of water again. And the next person says, oh, I just don't understand why no one's going to have any drinks in this giant pool of water. Yep. Rinse and repeat. And I feel like every time someone gets involved in the SMB sector, which unfortunately, I know Cinch was really focused on that for quite a long time.
Cole Cornford:It's really hard because people don't want to be spending the money on it. So overwhelmingly, you have people who have to deal with like big enterprises is where the money is, right? And there's, there's a couple of reasons why enterprises care deeply about it. Regulatory requirements, of course. So to conduct and do business, you need to be able to, you know, follow the ISM or have Essential Eight or meet CPS234 guidelines, an ISO certification, or a SOC2 certification or whatever.
Cole Cornford:There's a lot of different things in place to make sure that you are good to be able to play in a big spot. Oftentimes, you know, the bigger businesses care deeply about managing risk. With cybersecurity, that risk can, you know, if we look at any of the bigger firms that usually ends up with an article in the financial review, and I know not necessarily massive impact on the share price because we see that it's usually a quick dip and it moves back up again.
Cole Cornford:But there is often long-term impacts, especially if it's related to like the availability of systems or like if it's threats of human life. So I think that that reputational impact is also quite severe. I know a lot of people are not comfortable using some big Australian firms anymore. Um, I think another thing is that the big companies are extremely proceduralized, but smaller businesses, you tend to have a couple of different people who wear multiple hats.
Cole Cornford:Like myself as the CEO of Galah Cyber. Um, I also wear a sales hat. So I'll jump on a sales conversation. So I'll qualify, I'll find out what the needs are and propose the right solutions. I wear a marketing hat, shock horror, I'm running a podcast, but there's also lots of other things I do for marketing too, like, you know, blog posts and going and doing public speaking at events, going to meet-up groups, going to conferences, so on.
Cole Cornford:I also have to do finances and legal and human resources and delivery and so on and so forth. And that's also like a, you know, 15-person company. Even when you get to like 200-person companies, you still end up with like a, you know, a security professional that does everything. They do GRC, they do pen testing, they do backgrounding programs, they do governance, they do all that jazz.
Cole Cornford:And it wouldn't be surprising if like, you know, in every other discipline, you have full-stack developers and you have general counsel and you have a chief of staff or people and so on. It's only when you go to like a really, really big scale where you suddenly have like entire departments with like Accounts Receivable, Accounts Payable, and like every single type of accounting thing that can go down there.
Cole Cornford:So whether it's tax or, you know, foreign exchange or whatever, it all flows into a large area because it's just a lot more complexity and it's cheaper instead of outsourcing that capability to bring it in-house and have it within your organization. And so oftentimes that means that you have a lot of people who are quite proceduralized and have very specific accountabilities and responsibilities, and you need to know all of those different people to actually get your business to transact with one of these larger firms. There's another reason it's really hard, and that's because of all the different things that you need to comply with to even participate in the market.
Cole Cornford:And that could be everything from like your insurances or indemnity and liability. It could be about diversity requirements. If you're like some businesses care deeply about that. It could be about having local talent, AML, KYC, modern slavery, Indigenous representations. There's all sorts of things that you'd need to be able to provide to participate.
Cole Cornford:Now, the question though, is how do we break into these areas? Right now, do you know the difference between the two step one? So, you know, there's lots and lots of different parts of a bit of these big enterprises. You need to have lots and lots of different advocates across all of these different parts and especially within that major microcosm that you care about of cybersecurity.
Cole Cornford:Now, a lot of people just go straight to the CIO, CTO, or CISO, give them a phone call and say, hey, please put me on your panel so I can do business with you. That's not necessarily going to work for you, because the first thing they're going to do is either ignore you or defer it further down, or they'll just get frustrated that you even tried to cold-call them and tell you to go away, right?
Cole Cornford:So it's often better to build up a little bit of an org chart. And then figure out which people are, you know, neutral, positive, negative against you and build relationships with a lot of different people. That way, you'll have a lot of different advocates and hopefully a lot of advocates. It's easy to get on the procurement list because when you go into the room in a CIO or CISO or whatever is making decisions and you have 5 out of the 10 people on their leadership team say, hey, this company is okay.
Cole Cornford:That's a pretty heavy, like, commitment that they may want to use you in the future. It gets so much harder if you only have one or two. So I try to build a lot of different advocates. I know that that's hard work, but enterprise sales always is. The next thing I'd care about is cycles. You know, there's not much point in selling just after they've renewed a product or selling outside of a budgetary cycle.
Cole Cornford:So most of the big enterprises are ASX listed. And so you should be able to, you know, look at when they're doing their reporting and look at when their quarters are and when their annual report to shareholders has to come out and that should indicate to you when you need to be worrying about the budgetary cycles, right?
Cole Cornford:Given that you don't want to be selling like in Q1 or Q2 because they've probably already made their minds up as to how they're going to allocate the money. And so you're going to have to wait an entire budgetary cycle to even get there. And another thing is to cast a wide net. Right. You don't want to just have like one or two businesses that you really care about.
Cole Cornford:You want to have lots of them so that you at all points throughout the year actually are in different people's budgetary cycles. So like some businesses use calendar year, some use financial year, some use like the Chinese Lunar New Year, some use the Japanese financial year, which starts in April. Just have a look, try to work out that and build your sales cycle around aligning with the budgetary cycle.
Cole Cornford:So you start having conversations in Q3 or Q4 so that they're ready to go for budgeting, asking for budget in Q4. Hopefully for allocating for Q1, don't sell in Q1 and then they forget about you for Q4. Qualification's important. Don't sell to people that your solution doesn't help. I know I've done that for a long time, selling to businesses that don't write software.
Cole Cornford:It doesn't really help a software security business. So I'm pretty much never going to talk to a professional services firm or, like I say, even a mining company is probably not great for me. I probably won't sell to defense industry because, you know, they just do things very differently than I would, but SaaS scale-ups, tech companies, banks, FinTech, all of them.
Cole Cornford:Great. But that's why I've got to spend time doing the qualification on every single one of those calls. And probably the hardest thing, I think, for almost every founder is patience. So, it's easy to just, you know, get down in their dumps when it takes like a year and a half to two years to transact. But, you know, make sure you try to spend some time getting a bunch of sardines while you wait to harpoon a whale.
Cole Cornford:Because the whale is probably a seven-figure deal, but you need lots of small ones to get you across the line. Anyway, I hope, I hope that's been somewhat helpful for you, Adam. Thank you so much, Adam, for writing in. I know that, you know, Cinch has seen a rough couple of years, and I really know that you'll be able to turn it around and do so much better focusing on supply chain, and next year's going to be a bright year for you, mate.
Cole Cornford:All right, next question is Bruce Large.
Bruce Large:Hey, mate. It's old BFL here. Hey, um, Merry Christmas. And if I've been a good boy, in my AppSec program this year, what can I expect the Cyber Goliaths to put in my stocking? Thanks, man. Cheers.
Cole Cornford:So firstly, Bruce, uh, you're on my naughty list. So you're gonna get nothing but coal for Christmas.
Cole Cornford:Ha ha. Um, but what am I sending to my staff members? You'll probably laugh, but most of my staff members don't drink and we're all distributed around the country. So I'm actually, I've commissioned a local artist in Newcastle to do Opelara artwork and put that onto t-shirts for everybody. And I've also got a tea set, like a bunch of different teas from up in the Hunter Valley.
Cole Cornford:Cause that's where I live from a place called Tea Totaler, get it? I think that there's probably a little bit too much emphasis on going out with your mates to the pub. Um, or going to vendor Christmas parties and, you know, probably not waking up the next day terribly happy. I'm a dad now, so I've got to be more cautious of that.
Cole Cornford:And like, since I live in Newcastle, going to those parties is really hard for me too anyway. So I've had my, you know, five, six years of blackout drunk Christmas parties. And I think I'll be okay from now on, maybe when I'm older. Um, but yeah, just go send people galahs or whatever. Oh, fun fact. I did get a Fiona to galah.
Cole Cornford:In the mail, which is a cup that comes from Archie Rose distillery. So go look at those. I think they're probably all sold out. So that, that made me kind of smile. Bruce, I'm really looking forward to seeing how large Be Large can get. So have a Merry Christmas, mate.
Charlie Batty:Hi Cole. This is Charlie from Blackwoods, Australia.
Charlie Batty:Thank you for having me on your podcast. I had a few questions for you today. The first question is regarding the recent rise in cybersecurity threats and data breaches. What do you think are the most critical steps organisations should take in FY25 to enhance their cybersecurity posture? And on a more personal note, what inspired you to pursue a career in cybersecurity and open your cybersecurity firm Galah Cyber?
Cole Cornford:What do you think orgs should do in FY25 for posture? So I'm not sure if you mean financial year or calendar year. I'm going to assume calendar year because it's Christmas. Honestly, um, it really depends on what your org is doing at the moment and how much protection you actually want to have. It's a no-brainer to just focus on basic cyber hygiene.
Cole Cornford 14:41 And so that could be, you know, marketing and sales channels. If they get compromised, then you may suddenly have no ability to transact or have sales, or have any inbound coming anymore. If you're in, like, fast-moving consumer goods, that can be terrible and detrimental to your business.
Cole Cornford 15:16 The other thing is just fraud. Small businesses are usually pretty loose. Just, you know, go do things. And when an invoice comes in, try to pay it whenever it makes sense in your cash flow. I think introducing a level of friction to how you pay invoices can have outsized benefits for not that much extra effort, whether it's something like, um, over $500 for credit card transactions needing an approval code, or invoices over $5,000 requiring a phone verification, something like that.
Cole Cornford 16:07 So yeah, think about what assets you have, what actually matters to your business, and what enables revenue. For bigger businesses, it's a little bit different. Things like cash flow don't really matter to companies the size of, like, Westpac. They’re not thinking every day about, "What’s my cash flow going to be?" because they have, like, 20 million people paying mortgages and hundreds of thousands of revenue streams.
Cole Cornford 16:59 Because honestly, when you get to that scale, information security can become a black hole. You can do literally everything under the sun: threat hunting teams, constant red teaming, bug bounty programs, regular internal and external audits—every vendor has something to sell you. It’s better to work out what the most important crown jewels are and focus on protecting, detecting, and responding to issues with those.
Cole Cornford 17:51 There's also compliance. Sometimes you just have to spend the money to meet minimum compliance levels. So, you know, starting compliance for an enterprise product is just to participate. That’s not a bad place to be either. But if you had to use a risk-based approach, I’d focus on those critical assets and minimize spend elsewhere.
Cole Cornford 18:30 So I worked 3 a.m. to 11 a.m., Tuesday to Saturday, in line with the American time zone. Then I’d pour myself a mimosa and go swimming because there wasn’t much else to do during the pandemic. It seemed like a good idea at the time. But then I decided not to head overseas because I met my girlfriend, now wife.
Cole Cornford 19:12 So I rang up a family friend and said, "Hello, can I start a business?" She said, "Yep, I’ll register it on ASIC," and she did. Then I rang up a bunch of my other friends and said, "Hello, do you need AppSec?" Most of them said, "Nah, we’re good, Cole." But one did say yes, and eventually that one turned into a couple more.
Cole Cornford 19:52 It’s been a rollercoaster, and I encourage people to start businesses. The worst thing that can happen, assuming you’re not really reckless and getting into massive debt, is that you can always pick up a job again and close the business. Starting a business has been great for my professional growth, and I encourage others to give it a go too.
Daniel Pludek 20:27 Hi Cole, Daniel here from Kip McGrath. We’ve been doing a lot of good work with AI recently, and I wanted to get your thoughts on something. How can we use security tools to protect our APIs without turning our DevSecOps pipelines into a high-friction, low-trust environment? Hope you and the team at Galah have a great Christmas.
Cole Cornford 20:53 Now, um, APIs are challenging because it's kind of like the Spider-Man meme where you have all the 20 different pictures of Spider-Man pointing at each other about who is responsible for it. Most of the time, when I see people talk about API security, they think that WAFs and CDNs manage it, but they just do point-in-time inspection of the data, or they help manage traffic.
Cole Cornford 21:35 And you have security saying, "Hey, you need to be doing these other things." Everyone's just pointing fingers at each other. So it can be quite challenging because devs often get siloed into building their own APIs. Other developers don't even realize what APIs are available to consume and use.
Cole Cornford 22:12 And if they're all safe, then doesn't that introduce a disproportionate amount of risk relying on other people? I think there's a lot of overlap between external attack surface management and observability. I feel like the best way to get across API security is to look at how the APIs call each other, which you would get by looking at the log files in your cloud environment or using a product like Traceable or AppDynamics.
Cole Cornford 23:06 You can also identify when APIs are not being called and deprecate them. So I think it's a good way of approaching the problem. It's much better than just telling developers they need to do input validation. Most of the time, the problem with API security is that we've exposed APIs somewhere, and we're not thinking about how they're used in conjunction with other APIs.
Cole Cornford 24:04 So I hope that's helpful for API security. Now for DevOps, the low-trust, high-friction thing matters here. Generally, people aren't going to let code into a random SaaS service, and you want to ensure every component of the DevOps pipeline is configured to be secure, or you need to use the right types of products.
Cole Cornford 24:57 There is something called SLSA, which stands for Supply Chain Levels for Software Artifacts, where they basically say that Level 0 means you do nothing, Level 1 is about provenance—preventing people from making mistakes, Level 2 is preventing tampering after the build, and Level 3 is tampering during the build.
Cole Cornford 25:45 Thank you so much, Daniel. I hope these insights help you and Kip McGrath with implementing API security and DevSecOps. You know where to find me. Have a Merry Christmas, mate.
Gaurav Vikash 26:11 I've got two questions for you. Cyber question: How should a cyber startup best prepare themselves for the increasing risk of supply chain attacks? Personal question: How do you stay motivated and continue to grow as a leader in such a rapidly changing industry? Hope these aren't too tricky. Wishing you a Merry Christmas and a wonderful holiday season.
Cole Cornford 26:57 Generally, you don't have enough value for adversaries to really want to target you anyway, so you just kind of go for it. If you're in cybersecurity, there's an expectation that you're already secure as soon as you enter the industry, which makes it pretty hard to participate because there's a massive upfront cost to get things right before you even start doing the work.
Cole Cornford 28:02 That’s not terribly helpful, but it’s the usual way people approach supply chain security. Another option to explore is contracts. Hiring lawyers can help draft and redline terms to ensure that in case of a cyber incident, negligence, or other issues, the third-party provider is held accountable. This might include clauses for compensation up to the contract’s value.
Cole Cornford 29:22 Ultimately, you could also choose to accept the risk. If your startup goes out of business, does having an ISO 27001 certificate matter all that much? Probably not. I hope this advice helps. Now, to your second question—staying motivated and growing as a leader.
Cole Cornford 30:42 As a founder, you often work on problems you’d rather avoid. To stay motivated, it’s crucial to focus on other aspects of your life. Take intentional breaks—sleep, swim, or spend time with friends. Goals take longer than anticipated, so pacing yourself is essential.
Cole Cornford 32:41 I enjoy code reviews and training. I don’t enjoy troubleshooting DevSecOps integrations or debugging certificates. Balancing these preferences keeps me engaged. Finally, set a North Star—a personal goal like financial security for your family or pursuing activities you love. A clear purpose helps you grow.
Cole Cornford 34:36 Networking and exposure to diverse ideas expand your influence. Also, develop strong communication skills—whether through speaking, writing, or listening—as they’re essential for leadership. Lastly, commit to continuous learning and incremental effort. Small, consistent improvements compound over time, leading to significant growth.
Cole Cornford 36:10 Next question is by Ian Dickson.
Ian Dickson 36:46 What are your thoughts on certifying developers and engineers for safety and system security?
Cole Cornford 37:17 Because of this, I’m conscious that if we ask people to do safety or security certifications, the rest of the industry might not value it either. Hiring managers primarily care about delivering features faster or complying with legal requirements. Most software engineering roles focus on feature velocity, not safety or security. These are more common priorities in industries like space, transport, or defense.
Cole Cornford 38:22 The challenge isn’t reaching the one developer who’s already interested; it’s engaging the other nine who don’t care. It’s similar to mandatory evacuation trainings—people tune out because they don’t see the relevance. One idea could be an independent assurance activity like IRAP but for AppSec—an “AppSec RAP” of sorts. However, it would likely require regulators to jump on board.
Cole Cornford 40:05 That said, maybe hinge back a little to make your critiques more constructive. This way, people perceive them as thought-provoking rather than personal attacks. And while you said not to say family, I’m still going to say it. Lastly, we should create a certification for unhinged rage posting on LinkedIn. If not, maybe it could be a Christmas present. Merry Christmas, and I hope to see you in Canberra soon.
Cole Cornford 41:01 I’ve noticed three key trends this year. First, the commoditisation of compliance activities. Tools like Vanta, Drata, and Sightail have gained traction in Australia, promising rapid compliance with ISO or SOC 2 without expensive consulting. This productivity boost has disrupted the consulting industry, especially for those focused on compliance.
Cole Cornford 42:16 Finally, there’s been a plateau in enthusiasm for AI-generated content. At the start of the year, everyone was excited about image and content generation. Now, we’re recognising how hard it is to achieve meaningful outcomes. Many people prefer content with nuance and depth over AI-generated material.
Leander Nott 46:12 Hi Cole, Leander here from Alambicare. Firstly, Merry Christmas to you, your staff, and your family. My question is, how do I decide which cybersecurity framework to use if I’m starting from scratch? Thanks.
Matt Waugh 47:15 Hey Cole, this is Matt from Equal Experts. If application security was a person, would it be a hero saving the day or that annoying friend pointing out the unlocked door? And how do we make developers want to be that hero? Thanks, mate. Merry Christmas.
Cole Cornford 48:13 Changing attitudes towards AppSec requires a fundamental shift. Developers need to see AppSec as engineering-focused rather than a compliance exercise. This involves joining them early in the design process, helping them migrate to more secure technologies, and showing them the value of these efforts. Thanks for the question, Matt, and Merry Christmas!
Cole Cornford 49:19 It's about helping and training engineers and building capability in areas that matter. It’s not just about handing them the OWASP Top 10 and expecting them to figure it out. For instance, a C programmer might question why they need to learn about security headers or access control when writing a C program. Helping them migrate from an insecure language to a more secure one—eradicating an entire bug class—is far more valuable.
Cole Cornford 50:21 Merry Christmas to my incredibly annoying friend, Matt Waugh. One day, you can be a hero too.
Cole Cornford 51:22 Hello Nina. You ask if we need diversity in cybersecurity and why. It’s a great question, though one that might stir some debate. First, we have disproportionately low participation of women in cybersecurity—around 17%. That’s not many, and it’s even fewer in technical roles like penetration testing, application security, or security architecture.
Cole Cornford 52:41 Another focus is improving hiring processes. Traditional job descriptions often emphasise technical ability and use gendered language, discouraging women who might not meet all the criteria. I actively source candidates and keep role descriptions broad to attract more diverse talent.
Cole Cornford 55:02 Diversity also expands the talent pool. Cybersecurity often limits itself to computer science graduates or those with prior experience. By considering candidates from other fields, like law or medicine, we can tap into new skill sets. These professionals bring strong work ethics and communication skills, which are transferable to cybersecurity.
Cole Cornford 57:27 Now, Christmas traditions. My family does the usual: Christmas trees, light drives, and corny movies like The Great Escape, Polar Express, and Die Hard. I also let my kids pick decorations each year from David Jones or Myer. While my traditions might seem vanilla, I hope they help you find inspiration. Looking forward to a wine or beer in Sydney next year. Merry Christmas, Nina!
Cole Cornford 59:31 Thank you, Toby. Fun fact: ten years ago, during Cybersecurity Awareness Month at the ATO, I asked a similar question to Toby McMahon. I was a cheeky grad and didn’t realise how difficult the question was. Toby kindly answered with buzzwords like defense in depth and secure by design. That grad was me, and I’ve since learned not to put people on the spot like that.
Cole Cornford:Paul McCarty 1:01:18 Next question is from Paul McCarty.
Paul McCarty:Paul McCarty 01:01:43 All right, mate, here we go. Question number one. This is a professional question. ASPM tooling is starting to catch on here in Australia. It's taken a while, I know, but it is happening. It's a very crowded market, very busy with lots of players. How does an ASPM tool rise above the noise and kind of differentiate itself from all of its competitors for, say, an average Australian mid-market enterprise and perhaps even for a scale-up?
Paul McCarty:Cole Cornford 01:02:52 How does an ASPM tool rise above the noise and be ready for scale-up or enterprise? Thanks for this, it's a pretty hard AppSec question.
Cole Cornford:Cole Cornford 01:03:35 This commoditization exists because the technology is reasonably straightforward. It involves aggregating various scanning outputs—JSON or SARIF files—and transforming them into actionable formats. To stand out, tools need to improve the signal-to-noise ratio. Scanners often produce a "cubic metric ton" of issues, making it hard to prioritize fixes.
Cole Cornford:Cole Cornford 01:05:00 Another strategy involves vulnerability management. Good ASPM products guide users by focusing on issues that allow for multiple fixes at once—for example, addressing a vulnerability that resolves findings across DAST, SAST, and SCA. This approach saves time compared to addressing isolated issues.
Cole Cornford:Cole Cornford 01:07:47 Enterprises also need clear legal contracts, enterprise pricing, SLAs, SSO, OIDC, audit logs, and SOC 2 compliance to even consider a tool. These factors make scaling up to enterprise readiness a complex but necessary step.
Cole Cornford:Cole Cornford 01:09:18 For example, the DevSecOps Maturity Model (DSOMM) focuses heavily on technical controls like package security and CI/CD workflows, while SAMM (Software Assurance Maturity Model) encompasses broader aspects like governance, design, verification, and operations. DSOMM's narrow scope often misses the strategic lens needed for comprehensive security.
Cole Cornford:Cole Cornford 01:11:11 Overemphasis on pipeline-based auditing interrupts developer workflows, reducing productivity and innovation. Blocking builds for vulnerabilities shifts the focus from releasing features to patching issues, which can harm business velocity. Instead, we should prioritize secure engineering practices and abstract security concerns into platform engineering.
Adam Spencer:Adam Spencer 01:13:15 Hey Cole, Adam Spencer here from W2D1 Media.
Adam Spencer:Adam Spencer 01:14:04 It’s been an absolute pleasure working with you on the show. Here’s to an even better 2025.
Cole Cornford:Cole Cornford 01:14:29 It was a five-hour journey, sometimes longer depending on bushfires. I got to listen to a lot of podcasts and always enjoyed it. I thought it might be fun to try someday. Having done video game commentary before, I figured it wouldn’t be too different, just less exciting.
Cole Cornford:Cole Cornford 01:15:29 I decided to give it a go and connected with "Welcome to Day One." I worried the quality might be terrible or I’d fail after a few episodes. But I figured it was better to try and learn than not try at all. I also felt security podcasts weren’t meeting my needs, so I wanted to do something different.
Cole Cornford:Cole Cornford 01:16:52 How does the show add value to customers and my business? It allows customers to understand my values and personality. Podcasts are intimate—a one-on-one experience. This builds a deeper connection, making people more likely to engage with me professionally.
Cole Cornford:Cole Cornford 01:18:24 For example, in a recent episode on governance, risk, and compliance, I let Kat and Toby lead the conversation. I focused on facilitating rather than dominating. This approach keeps the content authentic and valuable.
Cole Cornford:Cole Cornford 01:20:22 My podcast has evolved over time. I started with a structured format, including quick-fire questions and a recurring bird-themed question. But I adjusted based on audience feedback, focusing more on guest expertise and creating engaging conversations.
Tara Whitehead:Tara Whitehead 01:20:57 What advice did you get early in your career that you wish you hadn’t followed? And what’s a piece of advice, positive or negative, that has stuck with you?
Cole Cornford:Cole Cornford 01:22:40 Another impactful moment was when a salesperson convinced me to try a pink shirt, challenging my assumptions about corporate colours. This inspired Galah Cyber’s branding. A manager at the ATO also urged me to stop self-selecting out of opportunities, pushing me to pursue security despite my doubts.
Cole Cornford:Cole Cornford 01:25:43 On the flip side, a consultant once belittled me, telling me to “know my place.” While hurtful, it reinforced the kind of leader I don’t want to be. Another lesson came from a mentor who told me, “Hope isn’t a solution.” As a business owner, I’ve learned to make proactive decisions instead of relying on hope.
Sheena Peeters:Sheena Peeters 01:27:00 Hey Cole, it’s Sheena. Merry Christmas to you, Monica, and Cinny. First, what’s your favourite bird, and why did you choose the galah? Second, what parallels do you see between the pukeko and cybersecurity?
Cole Cornford:Cole Cornford 01:30:50 The pukeko’s communal nature mirrors cybersecurity—both involve protecting and supporting a group. The industry thrives when professionals collaborate and share knowledge, just like a pukeko’s collective care.
Cole Cornford:Cole Cornford 01:31:49 Thank you to all my listeners for supporting the podcast over the years. Your messages, introductions, and shares mean the world to me. If you’d like to give me a gift this Christmas, leave a review on Apple or Spotify, or share the show with friends. Have a Merry Christmas and a Happy New Year! See you in 2025!