Building Cybersecurity Culture: Marketing, Awareness, and Diversity with Daisy Wong
Episode 37 • 3rd October 2024 • Secured by Galah Cyber • Day One

Shownotes

Summary

Daisy Wong is the Head of Security Awareness at Medibank, as well as a disability advocate. Originally from a marketing background, Daisy gained experience in the cybersecurity industry working as part of penetration teams, before making her way into the security culture and awareness space. 

In her conversation with Cole Cornford, Daisy discusses using the tools of marketing to educate people on cybersecurity, what are the hallmarks of a good security culture and awareness program, and the importance of diversity in cybersecurity.

Timestamps

4:00 - Daisy's transition from marketing to cybersecurity

8:10 - The importance of security culture and awareness

11:00 - Building effective security awareness programs

14:15 - The role of diversity in cybersecurity

17:00 - Strategies for inclusive hiring practices

19:40 - The power of communication in security awareness

23:20 - Creative approaches to security awareness campaigns

31:45 - Daisy's personal perspective on the importance of diversity

43:40 - Rapid fire questions


Transcripts

Cole Cornford (:

Hi, I'm Cole Cornford, and this is Secured, the podcast that dives deep into the world of application security. Today, I've got Daisy Wong on the podcast. Daisy is a disability advocate and a security culture and awareness lead at Medibank. Daisy is an absolutely beautiful human being. She came into cyber security from a marketing background and then found a way to move through penetration teams in what I call the glue role, and then eventually got into the security culture and awareness space.

You've probably seen Daisy at a lot of different conferences around the country. She is a proud wheelchair user and will do anything she can to help underrepresented groups, especially women and people with disability, know that they can achieve their goals and can be effective cybersecurity professionals.

We cover using marketing effectively in cybersecurity to change human behavior, what the hallmarks of a good security culture and awareness program are, and I also uncover a bit about living with disability. Later this month, I'm going to have to go through and get a knee replacement for my rheumatoid arthritis.

And, um, I thought it was quite topical to be talking to Daisy about what it's like to be living with a disability. And, I know it's hard for a lot of people who may not know that some disabilities are hidden and others a little bit more overt. But I thought it was a good conversation. Anyway, without further ado Daisy Wong.

Hello, Daisy Wong. Welcome to Secured. How are you doing today?

Daisy Wong (:

Good. Thanks, Cole. Thank you so much for having me.

Cole Cornford (:

That's an absolute pleasure. I love that you are in pink on pink. Pink hair.

Daisy Wong (:

As always.

Cole Cornford (:

Pink jumper. Pink everything. So dressing up just for my Galah podcast, right?

Daisy Wong (:

Hey, not bad. You are wearing a light pink shirt as well. I approve.

Cole Cornford (:

And over here, I've got all my Galah toys and my Galah picture and all that stuff going on too.

Daisy Wong (:

Oh, I love it.

Cole Cornford (:

So I try to rep the brand.

Daisy Wong (:

So I know you are interviewing me, but why Galah? Like, why?

Cole Cornford (:

Oh, I'm happy to flip the script. Yeah, so I think for me, one of the things I was kind of sick of seeing is that everybody was either using scary animals with swords and shields in cyber security and everything was indistinguishable from black hoodies and red teaming and military. And so I was just like, "Well, what is the complete opposite of all that kind of stuff?" And then I thought, "Well, galahs are sovereign, they're bright pink. Generally, I haven't met a single person who's terrified of a galah yet, whereas spiders and snakes and eagles and so on, they do get... They're scary animals that do scary things, right?" So I kind of landed on that and then said, "Yeah, pink is actually really good to have my entire company brand around as well, because no one else in the industry wants to be the pink company. They just associate it with, I guess, femininity." And I don't think it has to be that way. I like to think of it as approachable and relaxed and chill and a bit of fun. Not to do with just girls, right?

Daisy Wong (:

And there's different shades of pink. I choose hot pink on hot pink. I didn't even think. I didn't even think this morning, I just grabbed it. And now that you say it, I'm like, "Oh yeah, there is a lot of pink on me yet again." But yeah, I agree. I've been asked why the pink and have I ever thought of not being pink. It might have a more professional appearance, which I disagree with.

Cole Cornford (:

Yeah, I don't think it's unprofessional to choose colors, honestly. You can use different colors, evoke different moods. I know that because you would understand being a security awareness person that people like to use the color blue to make people feel calm. Same with orange. But I guess reds are impactful and try to make people be cautious. And green, so like, "Let's go. It'll be okay."

Daisy Wong (:

Yeah.

Cole Cornford (:

So that's probably a good segue. Daisy, do you want to tell me a bit more, not about why you choose pink, but about yourself?

Daisy Wong (:

Yeah. Sure. I know you and I have kind of become acquaintances. We see each other at a lot of the same conferences, but I only just realized you live in a different state than me. So yes, I should probably tell you a bit about myself.

I'm Daisy. I work in Security Culture and Awareness. It's my, ugh, it makes me feel very old, 10th year working in the cyber industry. Those who know me would know I actually started in the pen testing team. I wasn't a pen tester. I did marketing at uni. I kind of landed in the pen testing team, helping them schedule pen tests, because a lot of pen testers kind of specialize. So one who specializes in iOS most likely won't pen test Android or things like that. So I did that for a few years, and that was honestly my first taste and foray into cybersecurity. No idea what it was. But through that role I really had to translate what the vulnerabilities are, what the risks to the business are. And that's when I really started to learn how to talk in normal language, translating cybersecurity concepts into just business risks, because people understand business risks. If you say, "If you do this, the consequence is this, you're going to lose X amount," people understand.

(:

But if you just talk in CVSS scores and ratings and green, orange, and red, people look at you like, "Are you talking a different language to me?" So I did that for a few years and then someone said, "Hey, Security Culture and Awareness might be suitable for you." And I had no idea what that meant.

(:

I know, Cole, you and I spoke about we're both very open people just share our experiences. I kind of felt pigeonholed as a woman, as in I remember asking my colleagues, "Hey, I'm a non-technical person in a really technical team. What is the next step for me?" And they didn't know what to do with me. "We're not sure. Maybe cyber security project manager because you don't need to be technical or Security Culture and Awareness." And I kind of just felt they gave me those two options because I was a non-technical person. Let's not even say woman. Let's just say because I was a non-technical person, they just said, "These are your two options." I didn't feel empowered to maybe explore other areas.

[...] recently moved. I'm [inaudible].

Cole Cornford (06:28):

Oh, well congratulations on your promotion.

Daisy Wong (:

Thank you.

Cole Cornford (:

I see that a lot. I know a lot of people, especially women, who are in what I've kind of termed glue roles, because they're the glue that keeps the function together, right? They'll just fit into all the little bits and pieces, whether it's filling in time sheets, getting the appropriate pen testers onto the right engagements, or doing regular status updates to clients about how things are moving. Doesn't matter whether you're working in an internal security practice at a large banking institution or if you're working for a consultancy business. By far, I've seen people, women, fall into those kinds of project management, client liaison roles. And I do agree, I feel like there is a bit of a railroad. It's an important role. So they don't want you to move on, but they also don't give you the respect that's necessary because of how important that role is, right?

Daisy Wong (:

That's right. I've had two redundancies before the age of 30. So I don't feel very valued as the glue. So I feel like the glue is valued when you're there, right? But then at the end of the day, when push comes to shove, bottom line comes into effect, the glue is ripped away.

Cole Cornford (:

That's not good for any of us. That's why we've got to do what we can to, A, make sure that we're considerate of providing opportunities for people to get out of those glue positions. I run a consultancy myself and I'm always thinking, "Hey, what is the pathway for people, whether they're going to be in technical roles or non-technical positions, to be able to move in the future?" And sometimes that means they're going to move further down an engineering pathway and just get really good technically at a specific discipline. Sometimes they're going to be moving down a consulting pathway and focusing on, how do I get good outcomes for customers, or thinking about how do I market the business effectively, how do I build a sales funnel. But ultimately, it's about giving appropriate pathways. I've definitely seen people who've stayed in those glue positions for seven years, 10 years, and then they're saying, "Well, what's next? What do I do? I kind of am cat," right?

Daisy Wong (:

That's right. Yeah.

Cole Cornford (:

So you did move into security awareness. So what was it like making that transition from being the glue that held everything together for a penetration testing function to now being able to run large programs?

Daisy Wong (:

Yeah, I detoured.

Cole Cornford (:

Yes.

Daisy Wong (:

I detoured. I did do a project management course, so I did PRINCE2. And then I was a cyber security project manager. So I think that was actually a really good role because one of my projects was security awareness.

Cole Cornford (:

Ah.

Daisy Wong (:

But then I did other things. So then I implemented the vulnerability management tool. I did, obviously, my old wheelhouse, testing. I organized the pen tests. What else did I do? Oh, policies and standards, rolled those out. So I think that really gave me a wide breadth of what cyber meant as a program. So that was really good. But at the end of the day, awareness was what got me, because I really like... Like I said to you, I did marketing, and I say this a lot, probably in every single podcast or every YouTube video or conference, "Look at me. I should be at L'Oreal selling lipstick." When I did marketing, I was like, "Yep, love makeup. I'm going to go do marketing at a makeup company." So I think for me, awareness meant I could use those skills. And again, I'm about to get mugs printed with my quote. I believe it's mine. I came up with it, though. And that is: don't use the stick, use the carrot instead, add cream cheese on top and make it a carrot cake.

Cole Cornford (:

Ah, yes. Okay, well I'm going to get you some carrot cake next time we come to Melbourne, okay?

Daisy Wong (:

Thank you, sir. Thank you. So yeah, I think no one likes being told what to do. Consequences. So I think using the carrot approach. And that's where I think we can use a lot of marketing. What is marketing and advertising? It's just to sell you something or to make you do something, right? Whether it be to buy a product or to sign up to a service. I think we should use those concepts in security, because at the end of the day, security has been portrayed in the media as something like a big bad wolf. Do you know what I mean? And then if you click, you are stupid, when it shouldn't be like that. I think we're all in it together. I don't know if you agree, but I do sometimes think the cyber criminals probably work better than we do because they don't compete. As in they do compete, but they don't have KPIs, they don't have the board that they have to report to. And I reckon they're willing to share intelligence.

Cole Cornford (:

I wouldn't be surprised.

Daisy Wong (:

Really.

Cole Cornford (:

Absolutely. Look, I 100% agree with you. I think that something I advocate for a lot of security professionals to do is to go learn something that's completely non-cognizant. Sorry, non-cognate.

Daisy Wong (:

Yes, yes, yes, yes.

Cole Cornford (:

So what I mean by that is to go to a discipline that's completely unrelated to what you do and then look at doing that. So for me it could be, I'm going to go learn marketing and sales, right? So for me as a business owner, it's been amazing to go out and have to learn about sales qualification processes or what a marketing funnel is, how do I look at creating the right events to get top of funnel, middle of funnel, and bottom of funnel, to learn to do conversions, right?

Daisy Wong (:

That's right.

Cole Cornford (:

And you could be taking those same kinds of approaches and thinking about user behavior, like in AppSec. We think tremendously about how developers interact with the products that we provide them, thinking about their experience and then how do we leverage their goodwill to be able to introduce security outcomes significantly earlier than when an assurance activity like a pen test comes along. What's the customer process? Maybe it's looking at NPS, that's another one. Do we actually go and speak with our internal business units about what the experience of cybersecurity is? How do we go about uplifting those? Do we take lessons from safety or from law? I just say to everybody, "Don't just go and study an OSCP and then move on to an OSWE and then go get a CISM," because that's all well and good, but if you really want to distinguish yourself, go and learn something that's a completely different discipline and then bring those skill sets into cybersecurity as well.

Daisy Wong (:

Right. And that's exactly what I do in my security awareness programs. And to go back to your question, I think the transition has been relatively smooth, because I had the chance to learn a lot of security concepts in the pen testing team. Then I went on to become a project manager running a lot of these programs and again, seeing how security works and how all the functions relate to each other. That's the thing, as I see it in the industry, and I've been in a few security teams, I feel like a lot of the time the security teams work in silos and then the security team is on an island.

Cole Cornford (:

Yeah, that's it.

Daisy Wong (:

So there's the organization over here and then you've got tech, which is usually on the side already. Then you've got security on an island and it's made up of tiny islands. I don't understand why we can't all be a team because if you think about it, I reckon accounting, HR, marketing, legal work quite closely together.

Cole Cornford (:

Oh, absolutely. All of them fall under operations, right?

Daisy Wong (:

Correct.

Cole Cornford (:

But in security, somehow this fits in within its own pillar. It doesn't really make sense of in the business, because they're like, "Are we risk or are we technology or are we information management IT?"

Daisy Wong (:

That's right.

Cole Cornford (:

"I don't know. Where do we fit?"

Daisy Wong (:

Yeah, that's right. So I've been quite lucky. I think my transition has been good because I had... It was one of my projects and I worked with someone who was very experienced. I still call her my mentor. So I did that and then I got into my first full-fledged security role in Victorian government. So that was really good. I learned a lot. Interesting times. I did that during Covid. So I think that's where the marketing. And you really need to be creative. How do you cut through?

Cole Cornford (:

You have to be... I guess it's distributed workforces, because I used to run security awareness myself as part of my role at change.org. I learned a lot of things through, A, messing up campaigns, and B, also having to think about how do we get things that are relevant for specific cultures and demographics globally. In Australia there are some things that are always going to land with us. And then you try to take that to India or you try to take that to China and then it just doesn't land and they don't understand and they would never fall for it, because that's just culturally wrong. And so I think one of the big issues that I encountered with awareness was that I guess I wasn't worldly enough.

Daisy Wong (:

I think, look, there's a lot of marketing advertising campaigns that have gone wrong, so you're not the only one. I think it is hard and I think it changes as well. So what's acceptable in the past is probably not acceptable now. So it's also hard. So I don't blame you. I feel you. I understand you. I understand you.

Cole Cornford (:

Yeah. So what do you think, if you were to start doing a security awareness program from scratch, what do you think would be your first 90 days? What's the most important thing to get going, assuming that we're starting in the blank slate?

Daisy Wong (:

Yeah, I think the first thing I would do is work with your SOC team. So most people find that not interesting, but shouldn't awareness work closer to marketing comms? And this is the thing I like to distinguish: Security Culture and Awareness is not pure comms. You should have a comms partner who works with you and aligns the tone and the writing to the organization's culture and comms. So I think it's very important to distinguish that.

(:

My first 90 days would always be working with the SOC team to look at the risks. What are the top three risks that have been caused by human behavior? So that's usually things like click rate, or phishing attempts. So most organizations would have the technology to block these malicious emails, but I just want to see even events. They don't need to be full-fledged incidents. Password reuse. Do you have a password manager? Do you check that? Web browsing behaviors?

(:

I think that my first 90 days would be to identify the top risks. Once you've identified the risks, you prioritize them depending on your organization and maybe where other projects are at. And again, I never work by myself. You should always work with the whole security team, because they might be implementing a tool that then changes your risk profile. So I think it's just really important that you talk to each other. So then I would look at the behaviors that I want to change. So it could be I want to reduce click rate on messages or emails and I want to increase report rate. That's the behavior. And then I'll look at how I would do it.

Cole Cornford (:

I really like that focusing on identifying risks, because I guess when I think about a lot of security, they're just kind of canned programs where a lot of people will say, "Hey, I just don't quite understand. Why do I just keep getting the same training over and over again? I'm just going to skip to the end of the awareness videos and just not learn anything useful." And the phishing campaigns are always about FedEx and we use Australia Post. So it makes sense to me to go, "Okay, we're having trouble with people getting scammed by Zoom, because we just keep getting Zoom links because we use Zoom internally," and then writing a campaign around what to do about that. So I think that's really smart and intelligent. And then you build basically a go-to-market plan effectively, right?

Daisy Wong (:

Correct, yeah. And then, exactly, go to market. And I would also then tailor the content. So risks, behavior change, and how are you going to create the change. And you need to do things. So I separate it. So awareness activities could be doing an information session, an intranet article. If you use Teams or Slack, you would do those static posts. I think awareness is very one way. While culture and behavior change is both ways, where you actually intrinsically want to change your behavior. So I think they go hand in hand. You can't change culture without awareness, because if people don't know, they're not going to change their behavior. So I think awareness first.

(:

And then I'm a strong believer in having a call to action. So if you don't want me to click on the link, what do you want me to do? So I give them something else. I'd rather you report. I stole this from a friend: deleting protects you, reporting protects us all. So if you think about it, if you just delete an email, we won't know about it. But if you report it, the SOC team are able to go in, investigate, potentially block that domain.

Cole Cornford (:

I guess that's one of the things I see as usually problematic: the way that security awareness programs are measured in their effectiveness. It's all well and good to say that we got this many people clicking through. But how do you demonstrate that the culture is fundamentally changing and that people are making the right decisions? I especially like the calls to action, because if people make an intentional choice about something, you can record that. It's very difficult to record a tacit, do-nothing approach.

Daisy Wong (:

That's right. That's right.

Cole Cornford (:

You can't say this person was on holidays for three weeks and never saw the email, so they passed the phishing campaign versus this person checked his email while on holidays and said no to it and moved it into the quarantine.

Daisy Wong (:

Yeah. That's right. That's right. And I feel like people are naturally curious, right? So you need to give them something else to do, because otherwise they will... Let's face it, curiosity killed the cat. They're going to click. But if you give them something else to do, they'll be like, "Okay, I don't need to be curious. Someone else can be curious for me." So report.

Cole Cornford (:

Just really need to just buy as many galah plush toys as possible. I'm very simple with what my call to actions are for getting scammed on my own internal phishing campaigns.

Daisy Wong (:

Pretty much. Pretty much. So yeah, call to action. And also make it relevant. I think you just spoke about it, always using the same template, where in my previous organization I changed the template. I probably only chose the template two weeks before the campaign was coming. Now you could argue, "Oh, Daisy. Forward planning. Shouldn't you have it all planned out?" No, because it changes all the time. So for instance, if there was a natural disaster, I would probably use that, but I didn't know the natural disaster was going to happen. So I might use that to, like, raise funds or a GoFundMe page or whatever it may be. It could be, what do we get here? We are not in the US. Do we get cyclones? We don't get hurricanes?

Cole Cornford (:

We get hurricanes. Yeah, we do get hurricanes and we also get earthquakes. There was one in Newcastle three weeks ago.

Daisy Wong (:

Yeah, earthquakes. And then it's also not a bad idea to piggyback off incidents or news events. Now I'm not a believer in ambulance chasing, but the recent CrowdStrike incident, I would never jump on it, because I know that they've tried their best, but I may use that as a phishing email template because it's topical, it's fresh.

Cole Cornford (:

Yeah. And I think that relevance makes a lot of sense to build your campaigns around, because nothing's worse than now getting a... Let's say you do your entire year, and one year ago, we're just assuming one year ago everyone would've been talking about NFTs and Web3. Let's say that rolls out today. I guarantee that almost zero people would click on that, because they'll be like, "Wow, that's incredibly dated." Whereas if you said something about interest rates getting changed at the bank or something, "We need to update stuff based on last week's RBA," even if no one went and had a look at that, it's topical and relevant and they'll have to go and source information independently, whereas-

Daisy Wong (:

That's right.

Cole Cornford (:

Yeah, I think planning out a year of security awareness training doesn't really make terribly much sense unless you have specific themes that are always going to be relevant. But that's another thing: the more content that you have to give people, the more that they have to remember, and then the less effective they're going to be at any of those individual pieces.

Daisy Wong (:

That's right.

Cole Cornford (:

How do you go about helping people make sure, because there's a lot of things you have to remember in cyber besides don't click on links and, I guess, trust but verify? What do you recommend for trying to get people to have consistent responses to security campaigns?

Daisy Wong (:

So I think that's why I have a job. Because, in all seriousness, if saying something once cut through, honestly I wouldn't have a job. There wouldn't be TV ads. Do you know what I mean? So I think it's that always-on campaign. That's always there, keeping it relevant. And it could be as simple as a Teams post or intranet article, but just keep it trickling. Keep the drum just drumming along, and not just "cyber was this month in October" and then you disappear. So I think being consistent is really important.

(:

I also like bite-size learning. Storytelling is really powerful, so I love going to find interesting speakers. Now when I say that, I don't mean a Hollywood celebrity. Don't know them. I've managed to get one in. And it doesn't have to be someone that is well-known in the industry either. Genuinely, it could be a victim of identity theft. Sometimes their stories are more powerful. I've had really good success there.

(:

And I also really like having the customer-focus kind of style. So what I mean by that is I always encourage employees to reach out, because if they are willing to reach out or are curious to know if this is malicious, that is the best way I can train them.

Cole Cornford (:

There's so many things to unpack there. So I like that messaging. You said that we have to have repeatable, consistent messaging. And I know that there's a figure that you need between seven to 11 touch points to actually get something to stick in people's heads as far as advertising is concerned. And so I'm sure that there's a bunch of children's toys that I would have seen advertisements for when my daughters are watching Cocomelon. All I know is Wheels on the Bus, because I've seen that 150,000 times. And as much as I love Wheels on the Bus, it is the best karaoke song, I always want to sing it, I think that it's crazy that I've had to watch that so many times to actually get to the point where I've got complete brand familiarity with it.

(:

But then there's other things I think about as well. We always talk about urgency, we talk about fear, we talk about appeal to authority, all of these kinds of ways to manipulate human behavior, but you do exactly the same thing, not from a malicious campaign, but from a marketing one as well.

Daisy Wong (:

Yeah, that's right.

Cole Cornford (:

Where you could use humor, you can use appeal to authority, you can use different channels and the size and type of activities. Do you find that you have to spend a lot of time producing collateral as well?

Daisy Wong (:

Yes.

Cole Cornford (:

Because I mean, I'm a guy that has to do content creation, because I'm doing a podcast with you right now, and that's one of my channels of marketing. But I think about it: I have to do blog posts, I have to do public speaking, I have to do a lot of things to get my business going, like getting people wanting to have a chat with me about application security. Because even domestically, we don't have a large market in it. So I need to do a lot of marketing to get people to recognize the challenge. So how do you even manage the workload of all the collateral that you have to produce as well?

Daisy Wong (:

It's hard. I never thought Canva would be my best friend in all the roles I've had, right? Creating infographics is what I do. Posters, podcasts for work as well, or videos. Hosting. Never thought I would have to do so much posting. And that's the thing. I feel like sometimes people think security awareness is just phishing. You know what I mean? It's just phishing. They don't realize the creative side of it, which I love. That is my favorite part. There is so much time creating content.

(:

So if you're lucky, you'll have someone to help you, whether it be... I know larger organizations, I think the financial institutions, will work with an agency, a marketing agency, and they will actually do their cyber awareness campaign like a proper ad campaign, as they would for any other product. So that's if you're lucky. I don't have that luxury yet. So I do most of it myself, but there are times when I do get contractors, graphic designers, they're my best friends, to help. But you do spend a lot of time.

Cole Cornford (:

How good is Canva, right? It's just so good. I remember this one campaign that really stuck with me that I thought was super effective. It was at Westpac. So Nerson Malke, a big fan of hers, she went and created all of these animals basically, right?

Daisy Wong (:

Yeah.

Cole Cornford (:

So I remember it was Frank the Fox, and there was a little spider on a poster that said, "Be careful on the web." And it's like a tiny cute little spider. And so it's just all of these animal messages about security things, and it was super memorable. They were hung up in all the lobbies. They were on digital screens everywhere. They were on the intranet portal. And I always thought that was just a way to appeal to people, because generally they like animals. And it's kind of disconnected away from technology and cyber, because you're just seeing pictures of cute animals doing stuff.

Daisy Wong (:

Yeah, that's right. No, it's great. And that's the thing, that's why branding is really important. I think with awareness it's really important too. I always try and uplift the profile of the security team, bring them back to the mainland, less of an island, so people know where to go.

Cole Cornford (:

So there's no Wilson ball being like, "Hey, Wilson ball, we need to do more red teams and penetration tests. Why is everyone still falling for phishing links? Maybe I should just stay on my little island and just keep talking to Wilson."

Daisy Wong (:

Yeah, pretty much. And that's the thing, I feel like people, process, technology. I don't know why, but most organizations seem to focus on technology.

Cole Cornford (:

Yeah. I think that's one of the challenges, and I'll probably segue into something that I wanted to talk about with you a bit more. But I think it's because traditionally we've always tended to hire people who have come from an IT background or come from a computer science background into cybersecurity roles, because generally they're doing IT quality uplift, because people have just built terrible quality software, terrible quality networks, terrible quality cloud environments, and needed to uplift that. And because most information systems are systems and needed to be improved. So I actually think there's a significant glut of people who are coming into the industry with those kinds of backgrounds, and overwhelmingly people who come from computer science, IT and so on tend to be white men. And so I think that's actually really not so great for trying to get a more inclusive and diverse culture in the industry, because our adversaries, and also the communities that we represent and need to protect, are not just like 50 young white men like me.

Daisy Wong (:

Exactly. Well, you're just profiling yourself.

Cole Cornford (:

That's all right, everyone. I'll take it for now. So I'll use my platform to help other people have platforms.

Daisy Wong (:

Sounds good.

Cole Cornford (:

But maybe you could talk a bit about what diversity means for you because I know it's really quite important to you personally.

Daisy Wong (:

Yeah. Yeah, of course. Obviously, I confirm that this is going to be audio only. So let me describe it for your listeners who don't know me or haven't seen me on LinkedIn.

(:

I'm a wheelchair user, so I was born with a tumor in my lower spine, L3, L4 is what they tell me. That's all I know. But basically, when they removed it when I was three months old, basically it caused spinal cord injury. That's basically the best way to describe it. So yeah, I'm a wheelchair user. And so obviously growing up, I've had to deal with that as well. So as a wheelchair user, I used to be more on crutches, a bit more ambulant. There's still a lot of things I couldn't do. I don't think being from a Chinese immigrant family, my parents don't speak English, I don't think they knew what to do with me. They'd never really had expectations of me. So I think for me it's really important to show others with whatever disability, whether it be invisible, hidden or like me, it's very obvious. I just think I just want to showcase to other people with a disability that they can also do something else. And it doesn't require the Paralympics.

(:

I've been getting this a lot. So the Paralympics are on and I meet a lot of people and they're like, "Oh, are you interested in being in the Paralympics?" I'm like, "No." Just because I'm in a wheelchair does not mean I want to be the next Dylan Alcott. Good for him. He's done great things. No. I want to do other things. Like being a wheelchair user, it doesn't have to be going to the Paralympics. It could be doing good work in the cyber industry.

(:

So I just think I want to encourage more people with a disability if they're interested in our industry, to join. There is room and space for everyone. Obviously, I'm sure you understand, Cole, that there's still issues with that industry with diversity, not just with gender but with other diversities. So we're slowly getting there, but yeah, so if I can just help and spread the word, then I'll be happy.

Cole Cornford (:

That's it. That's one of the things I try to help with my platform, is to make people consider it and the fact that, yeah, it's great that I'm in a position I'm in at the moment, but I need to also try to help other people get here as well.

Daisy Wong (:

Yeah, that's right. And that's what I want to do as well. I want to help other women. Diversity, inclusion and equity, it could be, I've had a lot of women come up and say, "I really want to join the industry, but it seems really full on. Are they supportive of mothers?" And that's where I think organisations are doing better. I have a lot of flexibility now in my role and I'm very grateful for that because I do have a lot of doctor's appointments, physios and things. And that's the other thing I want to debunk, that maybe disabled people need more support or they won't be able to deliver. That's not true. I think, to say, anyone with a disability is among the most resourceful people because we've had to be. Trust me, yeah.

Cole Cornford (:

I have a hidden disability myself with rheumatoid arthritis. So standing on the stage for a long period of time, I tend to need to sit down for a while after that because I get inflammation in my joints. Sometimes I think you've mentioned earlier that you need to plan a lot. I don't need to plan anywhere near as much as you because I don't need to think about the types of taxis I need to get into or how do I travel to a destination. I may not be wheeled, which are accessible, right? But at the same time, there are aspects where I'm just like, "I don't really want to walk down these stairs. Is there a different route because walking down these stairs is going to put me in pain?"

Daisy Wong (:

That's right.

Cole Cornford (:

Because I'm going to get a knee replacement in a few weeks' time, it's something that I have to think about quite a lot. I know that when most people would be looking at me, they'll just say, "Wow, Cole's, he's kind, he's successful. He goes and does a lot of public speaking, runs a podcast, has a good business. Everything seems like it's perfect in his life." But there's a lot of people who are in your industry who you may not recognize or actually may have issues at home. They may have a disability, they may be undergoing cancer treatment, they may have a learning impairment, they may be part vision impaired.

(:

And even within my business, I try to make accommodations to people where I possibly can. I've got young mothers who are working for me, and I give them the flexibility to spend as much time as they can with their kids as long as they get the time to actually deliver the tasks they need to do. But I also, at the same time, am very clear about what my expectations are so that they can work and be empowered, not just like I'm not a doormat, right? [inaudible 00:33:55].

Daisy Wong (:

Yeah, of course. And that's the thing, I feel like communication makes the world go around. I think we just need to communicate better. Like you said, you set your expectations and your employee should be able to work around them, but flexibly. Do you know what I mean? I think you should be outcome-focused. I really don't mind what time you do anything as long as it's done by the day because we have deadlines, right? I understand you're running a business. There's organizations we work for.

(:

But yeah, I do think we're doing better. I say this a lot. I think Covid's helped. I remember I used to be the exception. So Daisy got an exception to work from home, and now I feel like it's the norm and I do feel more included. I don't feel as uncomfortable constantly having to flag that because of my disability, I need to go to the physio. Because of my disability, I need to get an MRI. I think now it's just more accepted. And I think employees should be empowered, like you said, to spend time with their children, not miss milestones if they're able to make it work, right?

Cole Cornford (:

Yeah. I've got two young daughters. I've got a ten-year-old. I always try to make sure I go to her art club and to her tennis club. It's at four o'clock on Mondays and Tuesdays. But if I miss those times with her, I'm probably not going to get it back. And so I'll do work at nighttime or I'll do work early in the morning to compensate for that. But ultimately, if I can't live these values as a business owner, I'm just kind of giving myself a job that pays not all that much as opposed to just taking a big tech job and having the flexibility and stuff of that. I'm making my life hard for myself. And if I can't live values, what about my staff members, right?

Daisy Wong (:

Exactly.

Cole Cornford (:

The standard I've got to live to as well is the same as what I hope I can give to everybody else, yeah?

Daisy Wong (:

Yeah, that's right.

Cole Cornford (:

Yeah. We do get a fair few business owners and leaders who are listening to this podcast. What strategies do you think that they could take to either the hiring processes so that they can combat inherent biases or, at the very least, be a bit more accommodating? I know one thing I try to do is not focus on technical acumen as the be-all and end-all for most of the roles. And I also try to actively source and work with places to find diverse candidates. I don't just put a job ad up and then just get the 30 men who apply for it to come straight for the interview. But what do you recommend businesses should be looking at doing?

Daisy Wong (:

Yeah, I think you've done some great things, Cole. I know you interviewed Jackie Lusdale from [inaudible 00:36:33]. Have to plug it. I volunteered there for many years. I think advertising through there is a really good channel because a lot of women... I'm sure you've heard of it, women will only apply if they hit all the requirements while men will apply even if they fit 20%.

(:

So I think in Australian Women in Security Network, the women are empowered and just feel like it's a safe space that they can... Oh, they see a job, they know this employer wants to support women. So I think that's a great channel. I think other things to combat bias would be, like you said, not look at technical acumen. And I like asking questions that aren't related to security. Ask just a general behavioral question. "In this situation with a difficult stakeholder, what would you do?" Or even give an example that's completely left field. You're a market checkout lady or man, person. Trying to be politically correct.

Cole Cornford (:

Trying to be politically correct. You are a check-outer. You are a self check-outer.

Daisy Wong (:

A self check-outer, yes. Yes, yes, yes. Check-outer. "Somebody isn't happy with the product, what would you do?" Because I think that really showcases their problem-solving ability. That may not be technical. And it also depends on the role you are hiring for. So if you're hiring for a pen tester, then yes, ask them the technical questions. But if you're hiring someone for a non-technical role or a more junior role, why do they have to have a master's in cyber, five years in the cyber industry, have all those certificates under their belt for a relatively junior role? Everyone needs to start somewhere. Just give someone the opportunity.

Cole Cornford (:

Yeah, it is looking for those qualities. It's like one of the most important things. I think about recently, I hired a lady called Poppy. Poppy's background is that she lives in Adelaide and she's worked in makeup, fast fashion, and influencing. She's got quite a big influencer following. So everybody, go subscribe to Poppy on what's his Instagram, I guess.

Daisy Wong (:

I love the plug.

Cole Cornford (:

[inaudible 00:38:43].

Daisy Wong (:

I love the plug without giving the username.

Cole Cornford (:

Yeah, I know. I don't know how it works. I'm not an Instagram person. See, I mean, it's idiot. But anyway, the thing about Poppy is that I feel like a lot of people would've looked at her background and said like, "Wow, she's an influencer. What could she actually bring to your business?" And what I can see is that she has enthusiasm, she's really smart. She really wants to get into technology sales and operations, and that she's successfully been able to build and grow, A, a social media presence that's enormous at this point, but B, businesses built around that. And so I'm opportunistic. I think she's a great employee and I'm hoping that she works with me for a long time. And even if it's just a foot in the door into the industry, a lot of other employers might say, "You know what? She's a young woman who's an influencer. He's got young kids. It just seems too hard compared to the next computer science graduate."

Daisy Wong (:

And that's the thing, I think sometimes it's just giving, like I said, giving that person the opportunity and also working with them. Performance should still be taken into consideration. And I think it's always a give and take. So you give flexibility. And your employer, you should also give back. Conflict arises when someone takes too much and doesn't give it.

Cole Cornford (:

Yeah, I guess that's one of the things as a business owner, I'm very explicit with what my expectations are. I've been in positions before where I've kind of said, "Hey, I like to be autonomous and let teams be self-serving and figure out stuff for themselves." And then what I found is that either people go too far to the left and just take the Mickey and just go off doing whatever they want to do and not actually doing anything to grow the business. Or they've gone too far to the right and either burnt themselves out or they've just gone into complete steamrolling in the wrong direction because they have no idea what they're actually supposed to do, right? And so you need to give them a sense of psychological safety so that they can challenge you and push back on things. And if they need the space and time to support them, then yeah, go create that for them. But if you can't give direction and get people to follow, to start moving slowly towards that north star, what are you doing as a leader, right?

Daisy Wong (:

Well that's exactly right. So yeah, no, I definitely think you're on the right track as a boss, Cole.

Cole Cornford (:

Thank you. Thank you. I'm very happy to hear that as someone who's not employed by me.

Daisy Wong (:

Exactly.

Cole Cornford (:

But if you weren't, I'll take the credit anyway.

Daisy Wong (:

No problems. I'll go tell my boss later.

Cole Cornford (:

All right, so I've got two final questions for you.

Daisy Wong (:

Sure.

Cole Cornford (:

Do you want to pick ones before we wrap up? So the first one is, what book would you recommend to somebody who's just looking to break into security?

Daisy Wong (:

Security or security culture? Both?

Cole Cornford (:

Either way.

Daisy Wong (:

Okay. So I think just security, I'm sure a lot of people would've recommended, but Kevin Mitnick's book or movie, I think it's a really good one just to understand a little bit more about social engineering, how he did it back in the day. And his story is pretty extraordinary. I think that's a good one. And then security culture, I love Perry Carpenter's books. He's got a new one called, I think he pronounced it as fake, it's F-A-I-K, and it's all about AI, deep fakes. I just got it recently, but I was very lucky to meet Perry in person and he's very entertaining and he does a lot of content creating as well. So he will feel your pain, Cole, when you have to edit me during this podcast. But yeah, those are probably the two authors and two books I would recommend.

Cole Cornford (:

Cool. And one more for everybody is, what is the best thing that you can buy for someone for under a hundred dollars? What's fundamentally improved your life?

Daisy Wong (:

Say that again? So buys...

Cole Cornford (:

Something for under a hundred dollars that you can buy that's made your life great.

Daisy Wong (:

Geez. Okay. What have I bought recently that's a hundred dollars that I really like?

Cole Cornford (:

Interest rates, right?

Daisy Wong (:

You know what? It's not even a hundred dollars. My boyfriend bought it from Kmart. It helps you pick things up on the floor. What do you call them?

Cole Cornford (:

Oh, like the claw grabber things, whatever they are.

Daisy Wong (:

They're so good.

Cole Cornford (:

I got one that's got a T-Rex head on the top. And my daughter likes to try to grab my head with it occasionally when I'm trying to sleep on the lounge.

Daisy Wong (:

I love it. I love that. She's my favorite person today. She is [inaudible 00:43:06] day.

Cole Cornford (:

She definitely helps me get heart attacks. So I'm fully aware of security risks, like T-Rex heads, go chomp, chomp, chomp in my head.

Daisy Wong (:

Yeah, I think that... Yeah, because I didn't have one for the longest time. I don't know why as a wheelchair user, why wouldn't you? They're so good. I use it to pick up everything or things on my shelves, like chips. And then the other thing, I don't know if you know anyone who does this, but my friends and I who are Chinese, we love eating chips with chopsticks.

Cole Cornford (:

Oh no. That's what my wife does all the time. So look, I'm fully on board of that nowadays. I don't want to get salt and vinegar all over my hands. So I'll just get the bag and then I'll push up from underneath the bag to get the chips to go up further. And then that basically creates a little platform and then you use chopsticks to pull them all out. So what I still haven't got used to is using the chopsticks for popcorn.

Daisy Wong (:

Oh, I haven't done that for a while. I've done that before, but that's also a very good idea. There you go.

Cole Cornford (:

Yeah, look at this. We're just sharing wonderful life hacks for everybody on this podcast.

Daisy Wong (:

Exactly.

Cole Cornford (:

Don't worry about cyber culture. We're here to just make you a more cultured individual, right?

Daisy Wong (:

Exactly. There you go. I love it.

Cole Cornford (:

And with that, thank you so much, Daisy, for coming on. It's been an absolute pleasure to interview you.

Daisy Wong (:

Thank you so much.
