Redefining CyberSecurity

Bridging the Cybersecurity Divide Between the Haves and Have-Nots: Lessons from Australia’s CISO Community | A Conversation with Andrew Morgan | Redefining CyberSecurity with Sean Martin

Episode Summary

Andrew Morgan joins Sean Martin to unpack the widening cybersecurity gap between large enterprises and resource-strapped organizations. He shares how collaboration, cultural alignment, and practical resilience strategies can help close that divide.

Episode Notes

GUEST

Andrew Morgan, Chief Information Security Officer | On LinkedIn: https://www.linkedin.com/in/andrewmorgancism/

HOST

Host: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | On LinkedIn: https://www.linkedin.com/in/imsmartin/ | Website: https://www.seanmartin.com

EPISODE NOTES

The cybersecurity community has long recognized an uncomfortable truth: the gap between well-resourced enterprises and underfunded organizations keeps widening. This divide isn’t just about money; it’s about survivability. When a small business, school, or healthcare provider is hit with a major breach, the likelihood of permanent closure is exponentially higher than for a large enterprise.

As host of the Redefining CyberSecurity Podcast, I’ve seen this imbalance repeatedly — and the conversation with Andrew Morgan underscores why it persists and what can be done about it.

The Problem: Structural Imbalance

Large enterprises operate with defined budgets, mature governance, and integrated security operations centers. They can afford redundancy, talent, and tooling. Meanwhile, small and mid-sized organizations are often left with fragmented controls, minimal staff, and reliance on external vendors or managed providers.

The result is a “have and have not” world. The “haves” can detect, contain, and recover. The “have nots” often cannot. When they are compromised, the impact isn’t just reputational — it can mean financial collapse or service disruption that directly affects communities.

The Hidden Costs of Complexity

Even when smaller organizations invest in technology, they often fall into the trap of overtooling without strategy. Multiple, overlapping systems create noise, false confidence, and operational fatigue. Morgan describes this as a symptom of viewing cybersecurity as a subset of IT rather than as a business enabler.

Simplification is key. A rationalized platform approach — even if not best-of-breed — can deliver better visibility and sustainability than a patchwork of disconnected tools. The goal should not be perfection; it should be proportionate protection aligned with business risk.

The Solution: Culture, Collaboration, and Continuity

Cyber resilience starts with people and culture. As Morgan puts it, programs must be driven by culture, informed by risk, and delivered through people, process, and technology. Security can’t succeed in isolation from the organization’s purpose or its people.

The Australian CISO Tribe provides a real-world model for collaboration. Its members share threat intelligence, peer validation, and practical experiences — a living example of collective defense in action. Whether formalized or ad-hoc, these networks give security leaders context, community, and shared strength.

Getting Back to Basics

Practical resilience isn’t glamorous. It’s about getting the basics right — consistent patching, logging, phishing-resistant authentication, verified backups, and tested recovery plans. It’s about ensuring that, if everything fails, you can still get back up.

When security becomes a business-as-usual practice rather than a project, organizations begin to move from reactive defense to proactive resilience.

The Takeaway

Bridging the cybersecurity divide doesn’t require endless budgets. It requires prioritization, simplification, and partnership. The “have nots” may never mirror enterprise scale, but they can adopt enterprise discipline — and that can make all the difference between temporary disruption and permanent failure.

RESOURCES

Inspiring Post: https://www.linkedin.com/posts/andrewmorgancism_last-night-i-was-fortunate-enough-to-spend-activity-7383972144507994112-V3Zr/

ADDITIONAL INFORMATION

✨ More Redefining CyberSecurity Podcast: 

🎧 https://www.seanmartin.com/redefining-cybersecurity-podcast

Redefining CyberSecurity Podcast on YouTube:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

📝 The Future of Cybersecurity Newsletter: https://www.linkedin.com/newsletters/7108625890296614912/

Contact Sean Martin to request to be a guest on an episode of Redefining CyberSecurity: https://www.seanmartin.com/contact

⬥KEYWORDS⬥

sean martin, andrew morgan, australia, ciso, risk, resilience, cybersecurity, business continuity, governance, compliance, redefining cybersecurity, cybersecurity podcast, redefining cybersecurity podcast

Episode Transcription

Bridging the Cybersecurity Divide Between the Haves and Have-Nots: Lessons from Australia’s CISO Community | A Conversation with Andrew Morgan | Redefining CyberSecurity with Sean Martin
 

 

[00:00:36] Sean Martin: Hello everybody. You're very welcome to a new Redefining Cybersecurity podcast. You're on ITSPmagazine. This is Sean Martin, your host, who I am fortunate to get to talk with some really cool people in really cool roles and this time in really cool places. Uh, Andrew Morgan's joining me from, uh, down under. He's, uh, he, he woke [00:01:00] up this morning to join me in my evening time, uh, adventures. 
 

He's got the future, uh, of, uh. What's going on because he is a day ahead of me. And, uh, we're gonna talk a little bit about what he's seeing in, in, uh, the cybersecurity space, uh, in Australia and the, and, uh, in the region, in, in, in general perhaps. And, uh, talk about, uh, topic that I think is near and dear to his heart, the haves and have nots in cyber. 
 

And we'll discuss what that means, Andrew. So, uh, so good to have you on my friend. 
 

[00:01:30] Andrew Morgan: Thank you so much, Sean, and, and I'm, I'm very pleased and feel very privileged to be here, so thanks so much for the invitation. 
 

[00:01:37] Sean Martin: Yeah, my, my pleasure. Appreciate you taking the time, uh, out of a busy schedule. Of course. Um, so we, we connected on LinkedIn and it was around the cyber Con time, and I think you were part of another event, uh, where CISOs got together and talked about some things and, uh, well we won't name names and, uh, mention companies. 
 

Uh, we'll get into some of what you're. [00:02:00] What you're hearing plus your own experiences, of course, um, 
 

[00:02:03] Andrew Morgan: Sure. 
 

[00:02:04] Sean Martin: on the street there in Australia. And uh, but before we get into that, perhaps a few words about your role, what you're up to, and maybe connections to the, to the cyber community. 
 

[00:02:15] Andrew Morgan: Thanks Sean. Look, I, um, I suppose I came into cyber in a, a slightly, a very different way to most people. I started off my life, uh, in the police here in, uh, Victoria. Um, I wasn't involved in cyber or, um, forensics or anything at that stage. I was just a, a detective and my specialty was transnational organized crime. 
 

So I spent most of my career in the police force, uh, investigating things like, um, mafia, uh, Chinese triads, Japanese Yakuza, uh, all of those kind of things. And, uh, eventually my very wise wife told me that it was time to probably grow up a, a little bit. I couldn't, uh, run around and have fun chasing [00:03:00] gangsters all my life. 
 

So it was probably the right decision. And, and when I left the police force, I, I moved through a number of different roles and ended up, uh, consulting, doing, um, sort of financial crime risk advisory and, and stuff like that for some of the big consulting firms. And somehow or another, managed to morph into, uh, a computer forensics, DFIR kind of career for about 10 years, where I was very heavily hands-on, um, you know, uh, pulling apart computers and, uh, imaging drives and, and searching for, you know, how and when things happened on those computers and that kind of thing. And, uh, in about 2014, I was given an opportunity to go and set up that kind of a forensics function for our national broadband network company here at NBN. 
 

And, um, I did that and NBN worked fantastic to me, gave me lots of opportunities to look at a whole range [00:04:00] of different things. I took that kind of core skillset, um, moved around the GRC side of, of cyber at NBN. And then ended up running the security operations side of things, which was, um, a real eye opener for me. 
 

We were fortunate that we had good resources, um, lots of good backing, uh, great culture, fantastic leadership. Um, so I got exposed to a whole lot of things there and I kind of decided it was about time to maybe go out and have a look at being the boss myself. So, uh, I went to one of their universities, La Trobe University, um, and started their, um, cybersecurity program as their first ever CISO, um, which was a real eye opener. 
 

That's sort of where we come to the haves and have nots. Um, and then more recently I went over to a, uh, an industry specific health insurance fund. Um, as, as their sort of first [00:05:00] head of cybersecurity and, and risk, um, similar sort of things. So, um, yeah, it's been a, an, an interesting career. I've had lots and lots of fun, but, um, yeah, at the, at the moment I'm having a, a little, I think it's a well deserved break and, um, doing some, uh, really interesting things outside of the cyber world and doing a lot of learning at the same time. Uh, just sort of trying to make sure I'm keeping myself up to date with what's going on and, you know, not get drowned in the tsunami of stuff that's happening around the place. 
 

So, um, yeah, I'm, I'm busy, but I'm, I'm having fun. 
 

[00:05:37] Sean Martin: That's good. But having fun is, uh, important, uh, meaning meaningful work is important, but you can't kill yourself in the process of, of doing meaningful work. 
 

[00:05:47] Andrew Morgan: Look, I, I, I've got a, a very strong philosophy that if you can afford to take a break and totally cut off from the pressures of [00:06:00] that, that work environment, sometimes I think it's a really good thing. Not everybody's fortunate enough to be able to do it. I'm in a really fortunate position at the moment that I can, and, uh, I, I think it's a very healthy thing to do for people. 
 

[00:06:14] Sean Martin: So I'm, I'm gonna put my question out there and then I'm gonna take a diversion. My, my question is gonna go back to, uh, your view of kind of fighting. Fighting gangsters and, and looking at that whole world of risk. And then you come in and, and you play, you say play around in the GRC space, and then you move to security ops and then into a CISO role. 
 

And my connection is gonna be what do you, what do you know more about risk now? Better that you have. So I'm gonna come back and ask that question, but I'm gonna go with something more fun quickly because you have, you, you have quite a lineup behind you. My friend, and that, that to me seems like more fun than anything. 
 

What, what do you have back there [00:07:00] than 
 

[00:07:00] Andrew Morgan: Um, so I've got a, a Harmony Rocket, which is a guitar that I'm told Keith Richards from The Stones, um, was one of the guitars he used very early days in the Stones. Um, there's a Fender Telecaster, Stratocaster, Gibson SG, the world's most horrible bass guitar, and a couple of acoustic guitars. 
 

[00:07:25] Sean Martin: I love it. I love it. I, 
 

[00:07:27] Andrew Morgan: And they're all gathering dust. Unfortunately, because I keep not playing, 
 

[00:07:32] Sean Martin: That's not what I wanna hear. Andrew, 
 

[00:07:33] Andrew Morgan: it's one of my plans. One of my plans, 
 

[00:07:36] Sean Martin: I wanna hear that you pick it up a few minutes every day. I try to do that. I have one, one sitting right there myself. Um, but anyway, so yeah, I, yeah, we can talk music all day long too. 
 

I think it's important to, uh. I think what I find is a lot of security people also play funny enough. Um, 
 

[00:07:55] Andrew Morgan: I've, I've found quite a few and, uh, I found, yeah, a lot of people way more talented [00:08:00] than I'm ever going to be. I'm, I'm just a battler having a crack, as one of my old bosses used to say. 
 

[00:08:06] Sean Martin: You know, it's, it's about, for me, it's about the feeling I get, uh, when I pick, pick up a guitar or the drums or whatever, keyboard or whatever it's, I'm messing around with. All right, so back to the other fund, the what? Any insights on how we look at risk or should look at risk differently now that, since you've had a role in, in, uh, security operations and response slash CISO looking at the big picture, do, do you think as, as a general rule, do we have a good picture of how to manage risk or are we missing the mark somewhere? 
 

[00:08:39] Andrew Morgan: I think, look, it's, it's a great, great question and it's the one that I, I don't, don't necessarily struggle with it because I've given it a lot of thought over the journey and I, I've, I've certainly got my philosophy and my approach as to how I consider risk and how I sort [00:09:00] of overlay that back on the business. 
 

Um, and, and one of the things I do is I try and create mantras or, or little sound bites that will kind of resonate and stick in people's heads, because if I start to talk to people about, you know, threat landscapes and attack surfaces and all of the other jargon that's out there, non-cyber folks' eyes roll back in their head and they just go, nah, you're, you're, you, you don't get it. 
 

So I talk about creating programs that are driven by culture, informed by risk, and then delivered through people, process and technology. Risk for me is the centerpiece, or governance, risk, and compliance really is the centerpiece. And what I find is, tragically in Australia, and, and this might be tragically, this is just a case of where we're at from a, a maturity perspective as an industry, but cyber has always been seen as a subset of the IT business. 
 

Um, [00:10:00] IT in a lot of places is kind of the, sort of the, the ugly redheaded child sitting off in a corner. It doesn't get to, you know, play with the big kids or anything like that. Um, and I find probably a little bit too often the approach to cyber is talking to vendors, talking amongst the, the community of other very, very like-minded people with very similar backgrounds. 
 

And the default position for uplifting capability and managing risk is buying the next new tool, probably poorly deploying it, ending up with a whole lot of tooling that does the same or similar things, massive overlaps, unknown gaps, underutilized investment, all, all sorts of things, never once looking at the idea of what are the things that we do in this business that we love that keeps us here, what's the, the core reason for [00:11:00] existing, and then what are the things that could and are likely to impact those kinds of assets from? 
 

Um, sort of the, the, how do you get in, how do you, um, sort of disrupt that particular asset and, and looking at the likelihood and the consequence of those particular things happening. So kind of a threat modeling approach, and then trying to be very quantitative about what does that risk look like? So what, what could that possibly look like in dollar terms? 
 

That quantitative piece is really, really hard. Um, I've seen people use different approaches, but I dunno that anybody's really nailed it. 
 

[00:11:42] Sean Martin: Yeah. Yeah. Math is hard. Math is hard. But then, yeah, because I don't know the, when you don't know what the inputs and outputs are, you can do all the math you want and not know if you're getting anything. Right. Um, so. [00:12:00] You, you started to touch on, uh, a little bit there, kind of the, the, the state of cyber in Australia. 
 

You spoke to it in the context of, of the maturity level, and it's a subset of IT. Um, how do you, uh, what, what are some of the conversations with your fellow peers, CISOs, security leaders, um, maybe driven or drawn from, from the two meetings that we, that we touched on earlier on, the, the Cyber Con event and the, the CISO event. 
 

Uh, 
 

[00:12:31] Andrew Morgan: Yeah, look. 
 

[00:12:32] Sean Martin: maybe an overview of the CISO event as well. 'cause I think that's, that's an interesting thing that was done there. 
 

[00:12:36] Andrew Morgan: Yeah, so I mean, I'll, I'll, I'll mention that CISO event. It was, um, that there's a group that's, um, actually sort of been put together by one of the, um, one, one of the, um, security organizations at a commercial, um, consulting company. And the wonderful thing they've done is they've put together what they call a tribe of, of Australian based CISOs. 
 

[00:13:00] So they've limited the, um, membership to 200 of us. And we're absolutely full. Um, we've got a waiting list a mile long for people that want to join this particular tribe. Um, and, and it's a, a wonderful, wonderful place, incredibly active community where we talk about a whole range of different things, um, you know, through WhatsApp and regular meetings and all sorts of things. The chats that go on and the sharing that goes on is really amazing. 
 

What I've seen is most of those 200 are, uh, in the sort of small to medium business segment, education, healthcare, all of those kind of things. The, the really big enterprise players like the big four banks, um, telcos and those kind of things are not represented in this group, which is, I think we're missing something a little bit there. 
 

Um, the, the chief security officers and [00:14:00] CISOs of those big ones are, most of them are in another group that I'm aware of. Um, but at the moment I think there's a little bit of a disconnect, um, between the two. So our CISO group tends to talk more about the issues facing that sort of next segment down underneath enterprise. 
 

Now I've waffled about that. I've forgotten the other part of the question. I'm sorry. 
 

[00:14:23] Sean Martin: No, that's all right. I was, I was, I wanna talk about the, the state of, uh, level of maturity, but I, I want to, maybe we'll come back to that. 'cause I think you're, you're starting to lead into two groups, which, maybe the haves and have nots. 
 

[00:14:39] Andrew Morgan: Yeah. 
 

[00:14:40] Sean Martin: I don't know. I don't know if that's, uh, if that's me trying to, trying to force something there. 
 

But it sounds like the big enterprise generally have what they, what they need in terms of an understanding and, and capabilities. And they have the option to build teams and buy tech and hopefully use it in a good way. And then the, [00:15:00] then the, yeah, the public sector and schools and small medium businesses are kind of left to deal with it on their own, and groups or the tribe like this may help, um, but it doesn't solve all the problems. Maybe, maybe let's touch on that and then we can, we can kind of go back to the maturity. 
 

[00:15:15] Andrew Morgan: Yeah, no. Look, I, this, this is a, a thing that I'm, I'm quite passionate about. The two events that we've, um, sort of touched on, one is this informal group of Australian based CISOs. Um, it's called the Australian CISO Tribe, or AU CISO Tribe. It's, um, been put together and, and is run by one of the security consulting companies. Um, but they do a wonderful job of not, um, allowing, you know, their desire to sell security services to impact on this environment that they've, um, set up. We do get some events sponsored by different vendors, but they're not in the room during our conversations. They do come in, they get a, a small [00:16:00] slot to be able to come and talk about what it is that they're doing. 
 

Uh, but again, that doesn't impact on the kind of sanctity of this group. They've capped the membership at 200 and we've got a waiting list a mile long. So it's a very, very successful initiative and, and I'm really, really pleased and proud to be part of that. Um, and the membership is generally at the, sort of the small to medium enterprise. 
 

So, you know, there's still big businesses, there's still businesses doing you, you know, up to sort of, you know, half a billion dollars in revenue a year. So it's, it's not like we're talking about small places. Um, or even, even bigger than that, I think. Um, and so we have regular meetings. We've got a very, very, very active, um, number of chat channels that we have for sort of general conversations, talk about different products and services and, um, vendors out there and what [00:17:00] they're doing and the experiences that we've had and what does work, what doesn't work. 
 

Um, we make sort of recommendations around, you know, what's been trouble for us in a particular initiative we might have had. Um, we share a lot of resources. Um, we've got sort of a threat intelligence channel and a representative from the government who comes in and shares some pretty early intelligence with us around a range of different things. 
 

Um, if we've got staff who are kind of looking for their next role or we are looking for a particular kind of person, we can put that out there as well. So we've got this really active, really positive, really valuable network going on. And one of the things we did a couple of weeks ago was, we had, just before the AISA Cyber Con, because we knew we would have a lot of people in Melbourne, we held a, an end of year, um, dinner for the Melbourne chapter and, um, and we had, oh, it was 40 or 50 CISOs in the room for that [00:18:00] dinner. Again, booked out to capacity for the room that we were in. Um, and we had a couple of different sort of discussions during that dinner about sort of what had happened during the year and, and those kind of sort of normal end of year wrap up things. 
 

We were really privileged to have, um, Australia's cybersecurity coordinator, um, Lieutenant General Michelle McGuinness, come and speak to us, and I've not seen, um, Michelle speak before and I came away from it absolutely sort of mind blown as far as the, the way in which she approached her subject and her discussion with us, her willingness to listen, her willingness to give really good advice to us as to things that we could and should be doing, um, and great insight as to how government and the business community [00:19:00] can work together to get better outcomes. Um, she spoke a lot about what the government agencies are seeing as far as sort of nation state actors and sort of the current state of geopolitics and the kind of horrid mess that the world is kind of in. But she also brought that back to what was near and dear to us, which is we've got our own little pieces of the world that we're trying to protect, and what are the things that her agency and the, the, um, Australian government are seeing. 
 

As far as causation and, and sort of root cause analysis to give us insights as to the kind of things that, um, we should be having and doing, um, compared and contrasted them with the Cyber Con that went on for three days after that, um, where we had a lot of presentations from kind of the, the, the big end of town. And, and there's an absolute, there's [00:20:00] so much we can learn from the really big, really well resourced programs and, um, you know, heavily regulated and scrutinized, um, critical infrastructure kind of places, because they've had to develop and get to a level of capability and a level of maturity really, really quickly to meet their obligations. 
 

So we, we, there's this enormous learning opportunity from them as well. But it's trying to then scale the top end of town down to what it is that we have, um, down in the, the sort of the next segments down. So small, medium enterprise education, not-for-profits. All of those kinds of, of places, which. And a lot of times that are really guarding some really sensitive and precious information. 
 

So, um, so that, that's kind of the, the compare and contrast between the two and it's something that the World Economic Forum are well aware of. Last year's World Economic Cyber report [00:21:00] absolutely highlighted this massive and growing gap between essentially what they're calling the haves and the have nots. 
 

Um, and the fact that a significant cyber breach in the have nots is far, far more likely to shut down that organization forever. And that's the bit that I think is particularly worrying. 
 

[00:21:22] Sean Martin: Yeah. So what, um. Uh, clearly you're, you're passionate about this topic and, uh, something we want to touch on here. What, um, what are your thoughts on how we start to, I don't know if we ever can ever bridge that gap, but maybe get closer, right? Bring two sides of the, of the river close to each other. Um. 
 

Yeah, because I mean, we're, we're never gonna take a, a, a data center, SOC driven SOC and drop it into a, a public school. Right. It's just, it's not physically possible, let alone all the rest of it. [00:22:00] Um, but, but, but there are, to your point, things we can learn. So what, what do you see happening? What are your ideas on, on how to make some progress there? 
 

[00:22:08] Andrew Morgan: Yeah. So I mean there, there's a, there's some really good reference material out there. Um, so you've got the, um, the, the IBM cost of a, a data breach report, the Verizon reports. There's a whole lot of material out there that talks to what are the things that are happening, you know, locally and globally, um, and e even speaking with Michelle McGuinness and her talking about, you know, the, the, the causative issues around cyber breaches that they are seeing. Her advice was, in Australia, we don't do our basic hygiene, security hygiene things well enough. So there, there are really basic things that just aren't sexy. And anybody that tells you that security is sexy is probably not doing it well enough, because it's like police [00:23:00] work. 
 

It sounds so much fun until you realize it's just one step. Then the next step, then the next step. If you jump three or four steps, you're probably, you're gonna run into trouble and, and if you get that sort of adrenaline rush from dealing with the trouble, that's fantastic. But we can't be cowboys all the time. 
 

If we take one step in the next step and, and logically and sequentially understand the things that we care about and put the right kinds of controls around them and make sure the controls are relevant to the way we are most likely to be attacked or compromised. We're probably dealing with that idea of risk so much better and protecting the things that matter so much better. 
 

So it's the really boring, dull things like patch everything, put proper phishing resistant, um, protocols in place, phishing resistant multifactor authentication, um, you know, just log [00:24:00] everything. Uh, if I could tell anybody in SME land, if I had to do everything from sort of, yeah, identify threats, yeah, that, that sort of NIST cybersecurity framework pillars. 
 

Um, yeah, it, it's, it's a wonderful, fun thing to, you know, look at who are the bad guys and what are they doing, and all of that kind of thing. But you know, can I detect something that gets into my organization? Can I prevent it in the first place? If I do detect it, can I quarantine it? Can I push it out? 
 

Can I? And the main thing is, can I actually then get my business back up and going? And I think we look at the, the sort of the sexy side of, you know, identify and detect and do all those really great fun things. At the end of the day, I think business continuity and disaster recovery, they're the things that we can nail. 
 

I can't necessarily [00:25:00] stop a really, really motivated, well-resourced bad guy from getting into an organization. I may not be able to detect it. I may not have the resources to respond to it well. I need to be able to sleep at night knowing that if everything turns to poo, I can get that business back up and I know how long it's gonna take. 
 

I know the order that I need to do things, and everybody understands that. 
 

[00:25:29] Sean Martin: Uh, yeah, and I think, yeah, I, I, I see the pendulum swing. I've been doing this 30 years. The pendulum swings back and forth over, over the years where detection, protection is king. And then, and then, uh, response and recovery is, is king. And yeah, I was joking with a buddy. Oh, good. I think, uh, I, interestingly enough, I, I think it was [00:26:00] very, the last few years, maybe two, three years ago, was very endpoint detection, uh, focused, and I, I've seen a lot happen with, uh, SIEM and SOAR, um, with a push for response and some automation there to, to alleviate some of the, the, the grunt work, if you will. 
 

Um, so that better response can be, can be had, um. Yeah, and I think to your point on the hygiene, I don't know. That is why I was gonna say, I was joking with a buddy of mine the other day of, um, a big yellow company I used to work for. I don't know how many backup companies they bought while I worked there. 
 

For them and they still don't have one. And I think they even bought a big company that effectively operationally took them over and they were a backup company and they still don't have it. Anyway, my point is, even thus, that basic hygiene of, of a backup and recovery is part of, of [00:27:00] resilience program still seems to miss the mark. 
 

So, um, and we're, I think one last thing I'll say is kind of, AI is changing a lot. Um, in that, uh, I, I see it potentially as a way to kind of string a lot of things together, um, from detection to response if somebody's looking at it that way. I still think we're in a, in a world of, we have all these different categories and every vendor's doing, throwing AI at their particular piece, and, and it's still very siloed, but, uh, ultimately I think AI might, might flow there. 
 

Um, what. Yeah, I dunno. Any thoughts on, on what I said? 
 

[00:27:41] Andrew Morgan: Yeah, no. Look, I, I think you are a hundred percent on the mark and, uh, backups and backup recovery is, uh, yeah, it's a really interesting thing. And what I think is one of the challenges is, you know, we go in front of our boards and, you know, regulators and, and we say, [00:28:00] yes, we do backups, and we've got MFA, and you know, we do patching and, and, you know. 
 

Board and regulators go, that's fantastic. When you really sort of peel back the layers of the onions, you know, you suddenly got, you find out that, you know, we don't necessarily back up everything because some things are hard. Um, we haven't tested backups like properly tested them, um, for maybe two or three years. 
 

Um, we don't require phishing resistant, complex passwords, phrases, biometrics, something like that. And I've got a list of 200 employees that jacked right up when we rolled out multifactor authentication. So they're in the not needed to do multifactor authentication list. And we've got, you know, service accounts and all sorts of things just floating around all over the place that, uh, yeah. 
 

Pretty easy to get to once you're, you know, inside or quite determined and [00:29:00] pretty easy to compromise. So, you know, those things that are really tricky and you're right, um, AI can really, really help there. But I think one thing I've been playing around with is this, the, the idea that. And we talk about the human, but still being the, this sort of really pivotal piece in cybersecurity 'cause it's still a person on a screen. 
 

The most common thing that we see is a person get tricked through maybe an AI generated really good phishing email and they go somewhere and the whole world turns to rubbish on you and then it's your worst day. 
 

Awareness training I still think is in its very early stages of, of maturity. So, you know, we've got phishing drills, they're fantastic, they are getting better. Again, we can generate really lifelike phishing drills. Really good. Um, what organizations then do with those results is a separate thing, but [00:30:00] specific. 
 

Education awareness. Cultural uplift, I think comes from meeting people where they are at. Um, so, you know, having a two minute video saying, you know, Bob pressed on a bad link, don't be like Bob. Um, not super effective, not super sticky. We can't get in front of everybody often enough, but one of the things I've started playing with is. 
 

AI is out there and it's fantastic. And what if I was going around to all of the different business units in my organization and you know, we talk about cyber champions and that kind of thing, but if I had a go-to person in each of those different parts of the business, I can start to create lifelike avatars of each of those people. 
 

Um, so, you know, we bring them in and what I want to do is create tailored education and awareness [00:31:00] content delivered by somebody that those recipients engage with in, in a way that's, you know, real to them. So using, you know, the, the, the, the avatar approach, I'm not calling on people's resources too much. 
 

I've got a really engaging way of being able to then pump relevant content into those people. So it might be call center people, um, totally different education and awareness program to, um, you know, my devs. So, you know, the devs might need a particular kind of technical, um, delivery. Um, you know, the networking people need something else. 
 

I can start to use that AI to create stickiness and relevance that you could never do before. So, and it costs you next to nothing. 
 

[00:31:52] Sean Martin: Yeah. Yeah. Can uh, I love the idea. Yeah. 'cause context, I mean, uh, the devs environment is different than HR, different than legal. They [00:32:00] use their own apps. They, they have their own language. They think a certain way. They drink Mountain Dew and have hoodies on, you know, I'm joking, but I. But no, I think context and relevance and familiarity. 
 

Um, if you have a relationship and you can, you can scale that virtually. Uh, that sounds really cool. I wanted to, I want to touch on another area because I know our, the US government spent a lot putting together kind of a, a secure-by-design program out of CISA. And, um, I don't know that that's living on at the moment. 
 

Uh, regardless of the shutdown, I think maybe that the, the team and that whole program is not, uh, not up and running anymore, but the, the concept is there and then it goes kind of back to the risk thing of if you don't expose yourself in the first place, then you don't have to worry about getting frostbitten, right. 
 

[00:32:58] Andrew Morgan: Yeah, [00:33:00] that 
 

[00:33:00] Sean Martin: wondering. I'm wondering, I know it's summer, summertime there, but, so you're not worried about frostbite at the moment, but, uh, things raining everywhere today. It's funny enough, everybody I talk to, it's raining. Um, but the, the idea of if you. If you build the business and you stack it properly with the right tech configured in the right way, with the right policies, you can alleviate a lot of need around monitoring and detection and putting protections on it and, and responding to stuff. 
 

And I use the example of, of patch management. If you, if you're using a piece of tech that you're having to patch 20 times a week and it's not critical to the business or there's a difference. Different piece or player or vendor you can plug in there that doesn't require 20 patches a week, may maybe you make that decision as a business. 
 

We do that all the time in other areas of business. Um, so what, what do you say to to that in terms of maturity level, uh, and readiness to be secure by design in, in [00:34:00] Australia, where do we 
 

[00:34:00] Andrew Morgan: I'm, I'm, I'm really glad that you've, you've sort of brought that concept of vulnerability management, patch management into the conversation, because that's another one of those hygiene issues. Um, and, and you're right, the, the top level generic advice. Yeah. Patch, patch, patch, patch applications, patch OS, patch, bloody, everything. 
 

Um, and, and, and you're right. Then if you are purely on the technical side and don't necessarily buy into the business process improvement side of things, you may just get into this rut of, you know, we've run a scan, we've got 10,000 vulnerabilities. I need to produce a report that says I've moved them down in a particular timeframe. 
 

So we are just gonna push out patches left, right, and center. You know, we've got patching windows. This is what we'll do. Um, that the, the context of am I making protection for my business better? [00:35:00] Doesn't necessarily exist. And the concept of. Okay, we've got a vulnerability, but is that in something that we care about or need to care about? 
 

I think that's kind of the magic sauce in all things vulnerability management. Um, really tricky. And you, you're absolutely right. I think, you know, if, if you are using a piece of tech that's kind of flaky, end of life, um, not necessarily compatible with a whole lot of other things, old generation, tech, whatever it might be, and it's constantly needing to be upgraded. 
 

Then is it time to then look at, do we upgrade that particular piece of tech? Um, you know, I'm, I'm a big fan of simplify, where you can, particularly in the, the sort of the non-enterprise businesses because it's really hard to be an expert in everything. So, you know, Microsoft, bless them, [00:36:00] um, you know that they. 
 

Are pretty good at a whole lot of things. They're not the necessarily the best in anything from a security perspective, but anybody that's been in the game for a while has seen them come from nothing. Probably 10 years ago they were terrible at security, produced good operating systems and office type programs. 
 

Fantastic. But you know, they're really good security organization now, and what nobody has is the breadth of coverage that they've got. You know, I can look at, you know, endpoint protection. The Defender tools may not go as deep as some of the other vendors out there. Um, data loss prevention they can do, but maybe other vendors are better, but I don't know anybody that's got the breadth of coverage. 
 

So, again, if I'm a, a smaller organization, does that simplify things for me? Does it give me the most up to date, most robust? Um. [00:37:00] Best breadth of coverage. And if I really understand the risks to my business and I can see that, you know, we are a bit light on in endpoint, I can supplement that with another tool if that that's what I need to do. 
 

But once I start to look at that simplification platform kind of approach, that also leads to probably a, a, a more efficient way of keeping things up to date from a protected perspective around patching and things like that, whereas when you've got 30 pieces of tech trying to keep up to date with all of that, I think is, it's a, it's a big challenge for any organization, let alone one that's resource constrained. 
 

[00:37:42] Sean Martin: Yeah. And on that same, same vein, um, 
 

[00:37:47] Andrew Morgan: I'm not plugging Microsoft there. 
 

[00:37:49] Sean Martin: Yeah, absolutely not. Um, yeah, I don't, I didn't hear that. Um, but I'm just wondering, so forget who, who the. The entity is, that has a broad [00:38:00] view of, of things. Um, and, and maybe what I'm really looking toward is, are there, I don't know, call 'em a VAR, call 'em a service provider. 
 

I, I'm just wondering. So Microsoft, whoever has a big stack, it crosses a lot of the, the. Operational bits of the business and can give some inter intersection of, of those elements of the business with pro, yeah. Cross section of, yeah. Protection and defense and response and whatnot. Um. If, if an organization isn't on that and they pick best of breed for certain things, I, I want to get your perspective on how much gluing happens from a CSO perspective. 
 

How, how much, how much code has to be written, how much automation has to be written, how much, how many systems have to be put in place that allows you to actually bring that connection and context together.[00:39:00]  
 

[00:39:00] Andrew Morgan: Yeah, no, every, everybody's looking to the, um, the, the fabled one pane of glass. And, um, it's, it's a pretty hard thing to find e even if you take a Microsoft platform approach, they haven't nailed the one pane of glass. No. Nobody's nailed that. And, and you know, you see lots of people trying to then create. 
 

Those different ways of what you said, you know, stitching things together so you know, what logs does this particular tool generate? How do I get them into whatever SIEM solution I'm using or whatever solution my managed security service provider is, is using. How do I then get some context of what might be happening through other telemetry that we are gathering? 
 

How do I build a detection around that? I've got that detection, how, you know, what's the fidelity of, of that detection? How do we then respond to that? Um, the more dispersed your tool set, [00:40:00] um, I kind of, you know, again, work on that theory that, and unless you've got a really well resourced in-house security operations team, it's, it's kind of hard to. 
 

You know, build as much automation in as you possibly can to, you know, um, you know, this endpoint is now doing this. The telemetry is being received by the SOC, the SOC's done their, their automated detection, the detections come up and they can then, through automation, automatically quarantine that particular device, you know, shut down the user session, whatever it might be, to then allow remediation at a later time. 
 

Um. The more things you introduce into that ecosystem, the harder it becomes. 
 

[00:40:47] Sean Martin: Yeah, and I, my head explodes as I. 
 

[00:40:51] Andrew Morgan: And, and I, I, I lived through both. So, um, you know, again, if I look at the NBN experience, we were so fortunate that we [00:41:00] had a fantastic SOC and, and you know, I'm, I'm super proud of the guys that we had. Um, you know, Splunk run their, their global Boss of the SOC competition every year. Um, two years in a row. 
 

Our SOC team won the Australian version, went over to Vegas on one of the years to compete in the, the global one. So they, they were kind of, you know. Australia's, you know, one of Australia's top security operations centers at the time. And while I'd love to take so much credit for it, um, every single person in there was about 2000 times smarter than I'm ever gonna be. 
 

So, um, they were a fabulous team. Really talented people. 
 

[00:41:42] Sean Martin: Uh, they're given the space and the, uh, the opportunity to put their skills to use, which is, uh, half the battle, I think, if you're not constrained. Um, 
 

[00:41:52] Andrew Morgan: people. I love what they do. 
 

[00:41:53] Sean Martin: Yep. Where was I gonna go next? There was one more thing I wanna touch on before we, before we closed, and [00:42:00] it's, oh yeah, I mentioned it earlier. The, I don't know what, what, yeah, I guess VARs, right? 
 

People you can go direct and buy from the vendor, you can buy it through somebody else and sometimes they, they help with deployment and integration and configuration and management monitoring and all that. Um, what's the, I dunno if you have a view of that. 'cause when we start talking about small, medium business and the have nots, that that world can hopefully, or perhaps. 
 

Fill in some of the gaps and, and help what's the state of the union in that regard? 
 

[00:42:37] Andrew Morgan: Yeah, no, look, I mean, we, we've got a very active, um, uh, sort of group of, of organizations, um, down here who, you know, do that reseller stuff, um, and, and do it pretty well. Um, you know, they can then, as you said, you know, help with. Uh, you know, the, the implementation side of things [00:43:00] and, you know, I've, I've seen sort of full service offerings within, they will go and, and then operate that for you on an outsource kind of basis. 
 

And, um, sometimes you. Get them too entwined with your business where you bring them in to do some of your assurance and, and sort of governance work as well. So they'll go look around and say, oh, you've got a gap here and a gap here and a gap here. Just so happens we've got relationships with these vendors. 
 

We can procure those tools for you. Um, and in fact we can then implement those tools for you. And 'cause you've only got a small team, how about we operate them for you as well? Um, so I think, you know, from an assurance and, and a a, a probity perspective, we've gotta be careful about not putting everything into a single vendor in the ecosystem. 
 

Um, and I've been really fortunate. I've, I've worked with some fabulous, um, service providers out there. There, there's some absolutely gun people out there doing some wonderful work. Um, but I've also worked [00:44:00] with a couple of ab absolute scallywags as well, that have, um, you know, they, they're, they're very driven by the deal and not so much a partnership. 
 

And, you know, I, I kind of look at, I am, you know, going to look at a true partnership where I can learn from them, they can learn from us, share things. We bring them in, they're part of our team. If we, if you can't get that partnership approach, I think yeah, it becomes, it's probably not worth. Uh, the, the money that you're spending on the contracts because it's just transactional. 
 

So, you know, find the people who've got the right heart, the right mindset, and want to partner with you in the long term. 
 

[00:44:44] Sean Martin: Yeah. 
 

[00:44:44] Andrew Morgan: But yeah, there, there's, there's plenty of scallywags that would love to tell you whatever the shiny thing is. You should have this, it'll solve all of your problems. They may not have ever asked you what your problems are, but they'll solve them. 
 

[00:44:55] Sean Martin: Yeah, exactly. Well, you're, uh, you're preaching to the choir. I'm [00:45:00] actually, this, this recording will, will get published after the newsletter I'm writing, uh, will be out. 'cause I'm, the newsletter is scheduled for tomorrow morning, and this will probably come out next week, but, um, it's on that 
 

[00:45:13] Andrew Morgan: have been, 
 

[00:45:15] Sean Martin: viewed the, uh, uh, the newsletter before this. 
 

[00:45:17] Andrew Morgan: no. How many people were some of these, uh, conversations we've had? Um, upset. 
 

[00:45:24] Sean Martin: Oh, how, how many people? Hopefully a lot 
 

[00:45:28] Andrew Morgan: I, I think it's a fabulous conversation that we should be having. We, it's never gonna stand still. We need to keep being as good as we can possibly be. That means, you know, we've got to be vigilant. We've got to be proportionate, we've got to be forever on. This is not, you know, security is not a project. 
 

Whereas, you know, every, you know, a lot of CIOs I think are kind of project driven. Um, everybody you talk to is [00:46:00] talking about security uplift. Well, that's not security. Oh, well, may call it security uplift. That's okay. But it's security business as usual, which is, we are never finished. We need to keep an eye on. 
 

How are things changing from either what we've got in place or what bad guys are doing, and how do we get that balance as right as we possibly can? Acknowledging that we can never be perfect. So anyone that puts their hand on their heart and says, we are secure, they're kidding themselves. You shouldn't be in that role if that's what you say. 
 

[00:46:34] Sean Martin: Yep. Yeah. But I'm, I'm gonna close with, uh, kind of a loop back to the beginning and or close to the beginning where we were talking about the, uh, the, the tribe that you're part of. Um, I'm fortunate to be, um. Be invited to a few CSO groups, uh, that are off the record as well. There, there are many. Um, and you're right. 
 

The, the conversations in those groups, and this is what my newsletter is about, is those [00:47:00] conversations happen and they're honest, right? They, they'll, they'll, they'll call out the scallywags, they'll call out the challenges they're having, they'll tell each other. Hey, I just found a way to automate this thing that's been a gap for us for three years and or we found this new tech piece that, that, uh, we replaced. 
 

And, and my team is not pulling their hat. They, they have that conversation. You pointed. You said it. They have those conversations. So my call to people listening, security leaders and CISOs listening, if you're not part of one or more of those groups. Find them, find the mask. Go to go at a physical event, find, go to a, a physical event, find another CSO, and ask them what group they're part of and be part of those conversations. 
 

And, and you'll, you'll get the real, the real scoop 
 

[00:47:48] Andrew Morgan: Yeah. Or find people in your industry and, and get 'em together at your office. Go, go to a, a pub and have a drink and you know, just. Just sit there and, and you know, [00:48:00] whinge and moan about the fact that you haven't got enough money and everybody's questioning. You'd like to start a conversation starting. 
 

It's the hard bit that the conversation will flow, because what you're going to do is have a group of people around you who are. Of a similar mindset and direction. And the good thing is if you don't all agree on everything, because that then generates really good conversation, really good discourse, and you start to then drill into what does this really mean? 
 

If, if you know you've got 200 people in a room and they're all thinking the same thing, we're not never gonna change. 
 

[00:48:36] Sean Martin: Yeah. Well, I love it. I, I was happy with my passive. Find a group. I'd love your proactive. Start your own and start drinking beer with your group. 
 

[00:48:45] Andrew Morgan: Yeah, tragically, I, I, I don't drink anymore. I, I stopped drinking about four years ago, but I still, I drink non-alcoholic beer so I can still go to a pub, get it poured into a glass and everybody thinks I'm drinking with them. The only difference is I get to drive home safely. [00:49:00] They end up having a souvlaki at some dodgy stand at three o'clock in the morning. 
 

[00:49:05] Sean Martin: That's right. Yes. Or curry chips, another, another favorite at three in the morning. Um, yeah, I'm not promoting drinking or not. Um, but definitely the group. Get the group together. Andrew, fantastic chatting with you. Appreciate you getting up this morning, uh, and uh, joining me for this conversation. And, uh, hopefully I'll get a chance to meet you, but, uh, with any 
 

[00:49:28] Andrew Morgan: so I dunno whether you are still talking, 
 

[00:49:30] Sean Martin: for the next Cyber Con or perhaps another, another event there. 
 

And, uh, 
 

[00:49:36] Andrew Morgan: no. Sean, thank, thank you so much for giving me an opportunity to. Jump on my soapbox and, and evangelize about stuff that, um, yeah, I, every time I speak about it, I realize just how crazy sort of passionate I am about this. You know, this is important stuff. We, we are protecting things that. Can really, really [00:50:00] matter. 
 

You know, these are keeping a roof over people's heads, putting food on their table. If you know we have a catastrophic event in a company and that company shuts down, the ripple effect of that out into the employees and the people who use the services of those companies can be catastrophic. So don't ever underestimate the importance of what it is that we do. 
 

It's, it's really important. So find your tribe, be part of it. Try and input into the industry and take as much back as you possibly can. It's, it's okay. It's a good thing to do. 
 

[00:50:36] Sean Martin: And, and pick up a guitar every now and then. 
 

[00:50:38] Andrew Morgan: You, you have prompted me and, and shamed me into, um, my fingers have gone really soft. I haven't played for so long, so I. 
 

[00:50:48] Sean Martin: It'll hurt, but the calluses will come back and, uh, I'm fairly certain you'll feel better for having, having picked up a guitar, 
 

[00:50:56] Andrew Morgan: I will, I'll, I'll be frustrated that my brain knows where fingers should go. [00:51:00] Fingers are gonna. 
 

[00:51:03] Sean Martin: Uh, there you go, Andrew. Fantastic my friend. Uh, have a great rest of the day, good weekend. And, uh, everybody listening, thanks for joining us and, uh, watching. Do connect with Andrew and, and, uh, I'll go back to the, to find your tribe. Um, and, uh, yeah, do, do, do what you can to stay healthy personally, and, and, uh, then help the business. 
 

Continue to protect itself. All right, so thanks everybody. Stay tuned for more Redefining Cybersecurity. 
 

[00:51:35] Andrew Morgan: Thanks so much, Sean. I really appreciate it.  
 

​[00:52:00]