Jay Hira is a cybersecurity director with 18 years of experience working in a variety of roles both in Australia and internationally. Today he is Director of Cyber Security: Financial Services at KPMG Australia, and Founder and Executive Director of MakeCyberSimple. In this conversation Jay and Cole Cornford avoid getting too deep into technical details, and instead discuss a zoomed out perspective on cybersecurity strategy for large organisations, how the current macroeconomic climate affects approaches to cybersecurity, tips for clear communication between technical and non-technical stakeholders, and plenty more.
Timestamps
1:40 - Advantages of generalisation vs specialisation
4:00 - Tips for communicating effectively to leaders
6:00 - Clarity comes from simplicity
9:30 - Importance of reporting structure in a large org
14:20 - Core foundations of a cyber strategy
20:00 - How current economic climate is affecting cybersecurity budgets
24:30 - How do you maintain intrinsic motivation?
27:00 - Work life balance
30:30 - Rapid fire questions
Mentioned in this episode:
Call for Feedback
Hi. I'm Cole Cornford, and this is Secured, the podcast that dives deep into the world of application security.
Jay Hira (:See, the way I look at it is neglecting cybersecurity during tough times is like neglecting a leak in your roof when it's raining.
Cole Conford (:Today I'm joined by Jay Hira. Jay has a great background spanning many decades about all sorts of different types of cybersecurity. He started initially doing penetration testing before moving into more of a governance role, and now leads a bunch of different cybersecurity practices around Australia. This conversation's really interesting to me because instead of focusing on the deep technical weeds, we take a step a lot higher and go and talk about how to strategize, how to govern, how to influence culture, and then how to bring all of those types of things back to dollar values to present to your board.
(:And I'm here joined by Jay Hira. Hey Jay, how are you going mate?
Jay Hira (:I'm very well, thank you. I'm very excited finally to be on your platform.
Cole Conford (:I'm glad to finally have you on. Would you be able to be so kind to give our audience a little bit of a background about your experience in cybersecurity, mate?
Jay Hira (:Of course, Cole. So I started my career back in 2006 as a penetration tester, worked as an application security consultant for a period of time with a telco in India, worked in consulting world, have worked across architecture and engineering, security operations, and more recently on strategy and transformation roles. So broad experience across various aspects of cyber.
Cole Conford (:It's good to be in a inch deep but mile wide because then you can have good conversations of basically anybody in the industry, right?
Jay Hira (:A hundred percent. I think everyone has different experiences and not just work experiences, life experiences, transferable skills that they bring to the table. I think each of those experiences add value to how we think and operate. I tend to compare cybersecurity to a complex multi-layered puzzle, and there is no one size fit all solution to cyber. We've got to think through what are we really trying to solve and how to do that in the best possible way.
Cole Conford (:Two of my previous guests have very similar mindset to you. Tara Whitehead, who I think was a few episodes ago, and she's came out and basically talked about her background in international relations, really set her up. I've also had Michael Collins on in the past, and he's had a chat about using a systems thinking approach to cybersecurity instead of a technical based one too. So it's good to have all these different perspectives to challenge our ideas about how we should be giving an adequate level of protection to our customers, right?
Jay Hira (:A hundred percent. Think of it this way, if all of us in the room solving a problem have similar background experiences, we'd all lean more towards the same sort of solution. There wouldn't be a check-in challenge and there would be a lot of blind spots in our solutioning process. And which is where when we have people that have got different life experiences, different age groups, different genders, different upbringing, different educational backgrounds, they bring a lot to the table in terms of if they feel comfortable and if their voices are heard, then they'll speak about and challenge how we're solving the problem, and that brings out the best.
Cole Conford (:Yeah. So nowadays I know that you're spending a lot more time talking to different types of executives and leaders instead of just getting your hands dirty, doing pen testing anymore. I mean, I'm in a similar boat. As much as I love looking at source code and telling people, "Hey, you should be fixing up these things." I don't get that luxury anymore. What tips would you give to people about communicating effectively to leaders? Because they're very different from us techies. What's the best way do you find to communicate to people who don't have that tech background?
Jay Hira (:Well, brilliant question, Cole. To be fair, these cyber risk conversations have had quite the journey in the last decade or two decades from the server rooms to the boardroom, haven't they? Many of us came up through tech ranks and started deep in the weeds of offensive security, architecture and engineering of security operations. We are all brilliant at discovering a vulnerability but might need a bit of practice translating that into terms that our stakeholders, our business leaders, and our executives understand. So the question then becomes, how do we bridge this wide gap? Let's break it down to three simple steps.
(:First, speak the language of business, and that means communicating cyber risk in financial terms. Leaders understand the language of revenue and risk in monetary value, not in technical terms.
(:Two, let's use storytelling. Craft a narrative that captures the essence of cyber risk and mitigation strategies, linking it back to what is the business objective? What are we really trying to achieve? What's our biggest mission and vision?
(:Now, the third thing is keeping it simple, direct and actionable. We all know that time is money, especially for business leaders. Focus on what are the critical risks, not every little detail. Discuss the financial loss exposure and what are the options on the table to mitigate those risks so that we can continue to operate within the risk appetite set out by business.
(:Clarity comes from simplicity, and I can actually share an example, which is a very interesting one. If we were securing funds from the board or going to executives about network segmentation to limit the lateral movement of an attacker in case of a particular system or service getting compromised, we could frame a question on how do you feel about staying in a hotel that does not offer any locks on any doors? Imagine the experience of walking into a hotel and getting your identity validated right at the front desk, but you get no keys and you're free to move around and move between rooms. Now, would you feel safe with your luggage and valuables in this sort of setup? A well-placed analogy can sometimes make the penny drop faster than a stack of technical reports.
Cole Conford (:I always wonder about usage of analogies. I feel like a lot of the time we try to go down that route and it's a bit torturous, and I've seen one so say, we need all hands on deck. We need clear skies. This ship needs to be turned around and stuff. And then it loses the messaging that you want to convey, and especially you don't bring the techies on the journey as well. So is there a way to balance using these high, because I don't think any board member is stupid? I actually think that we're moving to a scenario nowadays where a lot of these directors are coming up from a reasonably technical background, and while they may not have had their hands dirty, writing Nmap outputs and stuff, or passing different binary files and learning about stuff, the main thing I think, is that there is an expectation that they need to understand technology's impact on their business, and then how are they're managing that risk. So what would you say is the language of business considering that more and more directors that we're seeing nowadays are coming from a tech background?
Jay Hira (:You're right, a hundred percent. And think of it this way, that if a risk or risk mitigation approach that we're discussing at the board, and the board members are hearing it for the first time, that in itself is a lost battle. That in itself is an upward, uphill task because we've got to be smart enough to navigate and make sure that we've had one-on-one time with each of the executives in the board prior to the board meeting. And we've expressed that here's the risk, here's the financial loss exposure, here's our plan, here are the options on the table. And that's the plan A, that's the plan B, that's the plan C. I think that's when we discuss with them for the broader group, if this is what we were discussing, what would be the best analogy? And I think we have these several discussions with board members prior to even getting into the board meeting. And I think that is the secret sauce. That's the right balance. Having the one-on-one communication, really reading the room before you get in the room. I think that helps-
Jay Hira (:... before you get in the room, I think that helps with finding that right balance.
Cole Conford (:So I guess as a security consultant, how often do you get to speak directly to boards? Because a lot of the time the directors of the board, they start to recognize that cyber security is a challenge that they need to manage as a business, but ultimately a lot of times it gets filtered up through a technology lens. So how do you help people who are aspiring CISOs to start getting those direct channels and relationships established?
Jay Hira (:I think as a consultant, to your first question around as a consultant, how often do you really get an opportunity to speak to the boards? I think it's only when you are actually talking about an area that the board is really interested to understand and they're trying to uncover exactly what are the implications of, let's say, AI and the use of AI in automation and security operations. I think that's when you get a consultant to come and speak about what are the various experiences they've had and where have they actually implemented the technology in the past, which has, and what are the pains out of it. What are the lessons learned?
(:I think that's the sort of opportunity for consultants to get in front of the board and speak to the boards. And for the CISOs or for the upcoming CISOs, I think it's more about, it's the reporting structures. A lot of different organizations have different reporting structures, but the most common structure is the size of reporting to the CIO, which is from a lines of defense perspective, it's the line one. In a lot of ways if the organization isn't very mature in terms of cyber capability, then that's the best reporting structure because that's where you would need a lot of tools and technologies that you are investing and the reporting to CIO actually helps with securing those funds.
(:Whereas once you're slightly more mature in cyber capabilities, a better reporting structure would be to the CRO, which is the second line of defense because that's where you're slightly more independent from the IT function and from the CIO function, and you can actually then check and challenge them a bit more. So I think it just depends on different organizations and where are you really placed. You've got to be conscious of that reporting structure and what line of defense that is.
Cole Conford (:It's always an eternal challenge. It's like, "Oh, it's not in my bucket, it's in someone else's bucket." How do I get people to invest and understand these technologies when I'm just in the risk space to see? It's just not on the strategic roadmap of the technology division. So security too weird. Hey, covers across all the different functions and unfortunately never accountable for delivering anything. So want to change texts. One of the things that we talked about prior to the show was how we actually go about prioritizing security spend.
(:Now, it can appear to be a bit of a bottomless pit because to achieve an adequate level of protection, well, what does that mean, right? It means do you need a SIEM? You need regular pen tests, do you need a SOC2 type 2 audit? Do you need to comply with essential aid? Do you need an application security program? How do you help people make the right decisions about prioritizing where to spend their money because there's too many things?
Jay Hira (:I agree with you, spot on call that bottomless pit worry is very common amongst leadership. But think about it this way, cybersecurity isn't an endless expense. Let's go back to thinking about how do we build a house? When we build a house, you've got to be clear about how many floors they're going to be because the foundation is only built once. You can't really decide to have one floor in the house and then at the latest stage add another floor and then another, because the foundation is always built just one.
(:So if we think of it from that perspective, you wouldn't compromise on a solid roof and a strong foundation, which is cyber security is an investment in the future of our business. We prioritize the essentials today, a strong foundation, a secure roof. That's what prevents those costly disasters that eat away at our bottom line and damage customer trust. When we allocate the budget to, let's say, and I think this is something that we discussed earlier when we were having a conversation, a comparison to marketing. When we allocate budget to market our products and our services, we should invest in protecting them equally. It is never one or the other. Both are essential for sustainable growth. Investment in cyber is a smart business investment as it builds trust and preserves value.
Cole Conford (:Yes, I agree with that. So maybe probably going to a little bit more in the weeds then, what would you say are the core foundations or that's solid roof that you need to be looking at initially? I imagine it's a good governance model and just a couple of the core capabilities around managing people, process and technology. But what would you suggest to people who now need to have newly minted cyber program start with for those two pieces?
Jay Hira (:I think getting the basics right. We often focus too much on tools and technologies to solve problems. And then what we realized later down the path is that we've got a lot of point solutions and these point solutions don't speak to each other. So having a clear sort of strategy, which really helps us understand where are we at having a clear sort of measurement scale that we use to measure where are we at and where we desire to be. And then it's more about what are the capabilities that we need to improve?
(:I think the foundational capabilities that you mentioned are more around having standard operating environment, having a strong vulnerability management program which not just looks at scanning systems and scanning our attack surface, but also looks at patching systems appropriately and in a timely manner. Having cleared SLAs, having clear measures of success defined on how do we really measure how good are we at vulnerability management, how good or how frequent are we when it comes to patching?
(:What are we tracking? Is it the patching age? Are we adding in context around there are two vulnerabilities identified on two different assets. One is internet accessible, the other one is actually on an inside user zone. Are we differentiating between them when we are patching them? I think it's these sort of extra layers of context that will help us making the right decisions. But like you said, I think governance is also an important part, but governance would come from having the right structures, policies and standards in place. And then it's more about monitoring and policy and making sure that we stay in check. But that staying in check and a mechanism to measure success and reporting back to the board on what success looks like and how are we measuring ourselves? How are we getting from that point A where we are at and point B where we desire to be?
Cole Conford (:Yeah, I find that it's really important to be measuring and demonstrating that things are improving over time, especially those foundational capabilities. Let's say coverage of SOEs throughout your workforce. If you know how many of your devices are covered and how many of them are just bespoke different systems, that's a good way to start is just, do we have a thousand unmanaged devices or do we have 20? And for those 20, are we doing something about those? But I always worry about reporting all of these different numbers and metrics about taking a step back and thinking about how do we turn these statistics into something that is meaningful for the business.
(:I liked that when you mentioned earlier about FLE and ALE. I think that spending this revenue at this point, we'll be able to prevent these losses from occurring is a form of insurance, is a good way to be able to bridge that gap.
Jay Hira (:It's spot on. I think you raised a very important point around coverage of controls. A lot of the times we have programs, cyber programs with massive amounts of millions of dollars of investment that are delivering capabilities. But delivery of capability doesn't really mean factoring in the coverage of the capability. And I'll give you an example. Let's say if you were deploying a PAM solution in your environment or a new SIEM solution in your environment, doesn't mean from day one you're completely secure. It's the onboarding process. It's the extension of the coverage of these controls. How many systems are sending feeds to my...
Jay Hira (:How many systems are sending feeds to my scene? How many applications are actually onboarded onto the PAM platform? Unless we know that within our environment there's, let's say an example of about 20 applications that are core applications, that are critical applications, critical to business are they all onboarded onto PAM? Are they all sending logs to scene? I think that's the sort of question. That actually then helps us understand what's the coverage of a controls. And sometimes when we use scales like NIST CSF framework, we can't really differentiate whether the investment of money is actually leading to gains in the maturity and there's no direct correlation because there'll be a minuscule increase on the scale. You were probably 3.5 and you've got to 3.55 through the $11 million that you invested last year because the focus was on capability expenses, Capex and not on OPEX. There wasn't really the coverage that was factored in.
(:So I think we've got to go back to all of those questions to really clearly articulate back to the board on where is the investment going and will it be really focusing on are we building capabilities or extending the coverage of capabilities.
Cole Conford (:So that's probably leads back to I think another area that would be good to talk to, which is about how right now it's a tough time for people who are just in business in general. Inflation is really high, the interest rates are high and it's depressing growth and people had spent sacrificing in places where it's not necessarily core for operating their business, right? So we're seeing sales like people, HR and operations, recruitment, marketing, and I'm going to say cyber security as well because ultimately cyber security is a revenue drain and it's insurance and it's not. If someone tells me that security is a way to earn revenue, unless you achieve a certification that enables you to access a market, generally not. So how do you think that the macroeconomic climate has influenced how people are spending or prioritizing their cyber security budgets?
Jay Hira (:Fantastic question. You know, Cole, if I've learned anything over the years, and both I think you and I have learned anything over the years, it's that ignoring those big picture economic shifts is a bit like dashing across the road during rush hour for a fancy flat white. It sure sounds appealing, but you've bound to get flattened by something you didn't see coming.
(:As cyber leaders, our focus is not just on protection, detection and resilience, but also on understanding the business climate in which we operate. Think of those economic headwinds as the traffic on the road. It forces us to adjust our pace and strategy even when we are craving that morning coffee fix. See, the way I look at it is neglecting cyber security during tough times is like neglecting a leak in your roof when it's raining. Short-term view, sure, we'll save some money by avoiding to bash the roof, but the damage will only escalate costing us much more in the longer term.
(:What's more with the current sort of market conditions, customers are extra cautious. They want to do business with organizations they can trust. Ignoring cyber security now means losing their confidence and ultimately their business. That's why picking security in from the start is the smartest investment regardless of the economic weather. Imagine trying to strengthen the foundation that we discuss in our house example while you're building extra floors. It's a costly nightmare. Building on a strong and secure foundation is what facilitates future growth. And let's face it, that's how we ensure revenue stays protected come rain, hail or shine.
Cole Conford (:And it's raining pretty bad at the moment, both macroeconomically and outside my house. So I like that what you said there about, if you are taking money away from your cyber security, you are basically causing problems in the future. And I've seen exactly the same argument for companies that are slashing marketing budgets effectively because you need marketing to be able to create your funnel to be able to get sales and revenue coming into your business, right? But not the first thing that almost always goes in most businesses for cost-cutting is marketing. I would've thought that using marketing to enable you to get more sales is the way to go and to look at other areas you can be a little bit more lean on in the business. And so to me it just parallels with what you've said about cyber security causing future problems if you don't invest in it now.
Jay Hira (:100, which is where when we were speaking earlier, we are drawn comparisons between marketing and cyber security because I think that's very similar. The argument is that we can't just continue to endlessly invest in cyber security because there aren't really any visible returns and that's very similar argument with marketing. It actually generates leads and opens up a lot of new doors to us, which is similar. I think if you look at the conversation we just had around how if we don't focus on security now, the customers are so cautious and they're so much more privacy and security savvy that they don't want to work with organizations or do business with organizations that aren't serious about that information. So in a way, marketing your products in security or investing more in protecting information or customer data becomes your competitive edge.
Cole Conford (:This has taken a very left-to-center approach because we've just spent a while talking about security risk and managing it. One of the things you've been able to do is move between different consultancy internal roles. And even running our business, I think we've make cyber simple. How do you maintain intrinsic motivation to keep working on your business? Because it's one of the things that's really quite challenging if you are motivated purely by financial means, like, "I just I want to be rich really quickly, so I'm just going to work 80 hours a week and then I'm rich." I find people who have that kind of motivation burn out super quickly because they don't want to work 80-hour weeks, they just want money. There's faster ways to do that, like tech sales I guess. But how do you maintain intrinsic motivation or where do you draw your strength from?
Jay Hira (:Well, those are fantastic questions. Intrinsic motivation, work-life balance, these are really, really big questions and questions that an average office worker as much as every business owner grapples with. It's funny, isn't it? We all get the same 24 hours, yet some of us seem to make magic with the same 24 hours while others feel like they're drowning in a chaotic work week.
(:For me, it boils down to two things. Finding our why and embracing that work is in separate from life. See, when you are driven by the purpose that lights a fire within you, there is no need to balance anything. It all starts to flow. Suddenly, the chaotic days when we are juggling multiple tasks feel like an awesome challenge we're excited to tackle. Now the key is finding that why, that is bigger than a paycheck. Like you said, something that gets us out of the bed early not because we have to, but because we want to and we want to make a difference. For me, it's about making cyber security simple for everyone that drives the fuel for those long hours, making the tough stuff less of a burden because it's not just a job, it's building towards something much more powerful and much more meaningful. That's how we achieve both, like you mentioned, passion and profit. Find what ignites you and don't be afraid to let it become a driving force in your life. And honestly, that's when the distinction between work and life starts to blur in the best possible manner.
Jay Hira (:Starts to blur in the best possible manner.
Cole Conford (:Yeah, I always find that people who talk about work-life balance just haven't figured it out because they're separating them. They're just saying that... I get it. If you're working a job where the job's the job. You're doing like, I don't know, brick laying or something, you are not passionate about building houses, you're just laying bricks. I can understand wanting to have a clear segregation between a lot of those. But I find that the people who are the most successful entrepreneurs or generally are able to say that I'm really passionate, super interested in what I do and motivated to do a good job. And it does blur into the personal lives a fair bit as well. But at the same time it's fairly seamless because they're a big part of our identity is their professional success and they draw a lot of strength from that.
(:So I mean, I guess when I was a lot younger, I was money motivated and I think that a lot of young people moved into IT and technology said, yep, this is a good way to make a bit of money. I'll give it a go. And then over time, I've definitely changed my perspective. And of course running a business, you're still going to be looking to make it profitable, but that's not the be all and end all. It's about giving myself opportunity to spend time with the kids, being able to go and do work that I find interesting and meaningful and being able to do fun things like run this podcast, which I wouldn't be able to do if I had some other big corporation holding a stick over my head telling me to just grind out code reviews every five minutes or something.
Jay Hira (:Yeah, spot on. I think that's very interesting. Like you mentioned how, what we forget is work is a part of our lives and it's not different from lives and which is where we confuse ourselves by disconnecting work from life. It's almost, think of it this way, it's a third of our lives and if you're doing something that doesn't excite you, you're not going to be able to sustain. If it feels like it's different, where are you deriving the joy from it in order to then make it a part of your life?
(:So I think it's like having a family or friends. There are people who constantly keep complaining about not having the right people around them. There's a saying, in Hindi it says, let me give you an English translation just so it's easier, the English translation is you find what you look for. If we're looking for people around us that are motivating, then we'll find them. If we're looking for people around us that are negative and not trying to drain us, then we'll find them. I think it's more around that... And I was reading a book recently on my flight back from India to Sydney, that was more around the courage to be disliked.
(:And it showed some sort of statistics on every time we are out and about, approximately out of every 10 people, there'll be one that is actually going to really bond with you and like you, there's going to be one that is actually going to be completely different from you and which is where if they're very different from you, if they've got a very different thinking from you they might not like you that much. But all of the others are going to be very balanced. They'll be dealing with their own sort of things and which is where it's on us, whether we are looking for people that are supporters or those that are opposing us or are against us. I warned you I was going to go philosophical, Cole.
Cole Conford (:Don't worry. I'm all about philosophy on this podcast. So speaking of, let's move into some of the shorter round questions.
(:One that I've got for you, and I guess since you've been reading lots of books lately, is what book would you like to give to an up and coming cyber analyst? And I'd like it if the book's not technical because I don't want to be telling people to just read books about how to do offensive security or security engineering or product security or whatever. I think that we should be trying to promote books to give diversity for different approaches. So what would you recommend, given that you love philosophy?
Jay Hira (:I'd love for them to read the [inaudible 00:31:10] because if I had to think about two key takeaways from that book, the first key takeaway is work hard but remain unattached to the outcomes. And that's the best way to motivate them because they're going to be working hard in a role, which is a thankless job, but still the outcome could be that there's a breach in the organization and everyone comes pointing to them in terms of them not doing their job. So I think you've got to be smart enough to really not attach yourself to outcomes and focus more on doing the next right thing like we discussed before we started hitting the record button on the podcast.
(:The second thing is more around how past is gone, future is yet to arrive, all we have is present. All we have is now, which is a present to us. So I think it's what we do now, rather than thinking too much about what has happened in the past or what are the cyber threats doing in the future, it's focused on the now. What do we have at the moment? Let's focus and do our best with what we have, which is the present moment.
(:So I think those are the two sort of things that will enlighten them, motivate them, and let them keep going if they were to read [inaudible 00:32:35].
Cole Conford (:It's funny that that quote reminds me of, this will sound quite sad, is Kung Fu Panda. Have you seen that movie?
Jay Hira (:Yes.
Cole Conford (:There's a turtle in it called Oogway, and he says... I can't remember the exact quote because I'm useless. But I always like the scene. He basically says, and that's why we love the present and the present is a gift. That's why it's called a gift. I'm like, oh yeah. I love how wise this old turtle is. So highly recommend Kung Fu Panda. I always go watch it.
(:So we're coming up to time, Jay. I thought it would be good if you wanted to have some parting guidance for our guests, what would you say to them?
Jay Hira (:I've got to think really deep and hard about what would I say to a guest. Let me say this. Our minds and our intelligence can be our best friend and also have the ability to be our worst enemy if we don't really put focus or let them focus on the right things.
(:And we had this conversation that I was having with my daughter while I was dropping her to school where she was complaining about the weather and the rains and how she hates it. I think it is within us to really understand and accept the fact that there are always going to be things in life that will be outside of our control. We can't control what's outside of our control. What we can control is how do we react to the situation, to the weather, to the workload, to someone being rude to us.
(:So I think the passing thought or the gift that I would want to give the audience is that always think about how our minds are such a powerful tool and our intelligence is so powerful that they can be our best friends or our worst enemy. It depends on us how do we treat them.
Cole Conford (:That's it. God, give me the serenity to not complain about how heavy it's raining.
(:All right. Thank you so much for coming on the podcast, Jay, it was pleasure to have you on, mate.
Jay Hira (:Thank you, Cole. Loved it.
Cole Conford (:Thanks a lot for listening to this episode of Secured. If you've got any feedback at all, feel free to hit us up and let us know. If you'd like to learn more about how Galah Cyber can help keep your business secured, go to GalahCyber.com.au.