Tables Turned: Cole Cornford on the Hot Seat with Abhijeth Dugginapeddi

Abhijeth Dugginapeddi:

Hello, everyone. I’m Abhijeth Dugginapeddi and I’ll be guest hosting this special episode of Secured, the podcast that dives deep into the world of application security. I thought it’ll be fun to mix up things and have Cole answer the questions for once and he’s agreed to jump into the hot seat. So this episode we’ll be learning more about Cole, some of the ups and downs of his career, what advice he has to share, and plenty more.

Cole Cornford:

I can’t stress how important it has been in my career as both a consultant recently, but also as a senior leader at a globally distributed technology firm to just be able to pick up the phone and speak to pretty much anyone from anywhere about how they’re going, what the challenges are and how we can get to yes for security.

Abhijeth Dugginapeddi:

Before we dive into my interview with Cole, let me tell you a little bit about myself. When I first start my website when I was 13, I did not imagine that 15 to 16 years later I would still be doing cybersecurity. I started as a pen tester security consultant working for consulting firms and working as a red team member at Adobe and being the first team member of the application security team at Commonwealth Bank. I’m currently the head of application security team at BigCommerce. BigCommerce is an e-commerce platform that powers more than 69,000 e-commerce websites, it’s in more than 150 countries, and me and my team try to work and make sure that it doesn’t get hacked. I also lecture at UNSW. I teach web application security course. But enough about me, let’s start interviewing Cole and let’s jump right in. Hello, hello. Hello, Cole. How’s it going?

Cole Cornford:

Hey, I’m doing great. I have a slushy because my daughter socially engineered me to get one and it’s also very Newcastle because it’s red and blue, like the Newcastle Knights.

Abhijeth Dugginapeddi:

Nice. That sounds good. I was going to ask you the first thing I wanted to start with, how do you feel about being interviewed on your own podcast?

Cole Cornford:

It’s a bit odd to be the other way around, because usually when I’m interviewing, I’m sitting here furiously taking notes, listening to what the other person’s saying, and I guess now being in the hot seat, I just got to give hot takes instead of actually just, I don’t know, listening.

Abhijeth Dugginapeddi:

Yeah, I’m pretty sure you’re feeling a little bit different when there’s someone else asking you questions instead of you asking questions and taking notes. How about we start with you telling a little bit about yourself and a little bit about your journey on why you’re doing what you’re doing now?

Cole Cornford:

So I guess I’ll go back a bit because why not start early? So I guess my early career before I even really did anything security-wise, I was into video games quite a lot. I used to play a lot of Final Fantasy games, Zelda games and Team Fortress 2. It’s funny, a lot of information security people I’ve met were playing Team Fortress 2 with me at that point in time, and we’ll just be sitting around having beers at AdelaideSEC or at BSides Canberra, and then suddenly we’ll realize we were all playing Team Fortress 2 back then and it will be like a bit of a high school reunion kind of vibe, which is hilarious. But I did get my Steam account stolen for about a week because I fell for a social engineering scam, and that was not a particularly good experience. It wasn’t meaningful to most people, but to me it was because I had a lot of my social connections, and the shame associated with getting scammed for $30 was still a shame because I considered myself quite a smart person.

And then when I graduated high school, basically I decided to go into IT because I figured I’ll just go make computer games because clearly that’s the right pathway to go, I’ll just go build computer games, and then about I think a year in, I was like, “Wow, there are no jobs in computer games. I’m just going to go learn everything computer science,” and I tried to find a role in security in the Newcastle region, and this was around 2011, ’12, ’13, and there was nothing. It was a complete vacuum. I even remember a recruiter that I’m nice with nowadays. So back then she just laughed at me and said, “What the hell are you on about? There is no cybersecurity out this way.”

I got lucky because I got a graduate program just into the ATO, and with that, I ended up finding my way to move through the enterprise until eventually landing in the AppSec function. Now, when I got into the AppSec function, I was there for a week and then the entire team decided to evaporate and say, “We’re going to go create a SOC. You are now the leader of the AppSec function, Cole. Enjoy your acting year 1 status,” and I was like, “I am a graduate, I don’t know what I’m doing.” So I read the entirety of OWASP and read a bunch of static analysis books, I got into the fortified docs in deep detail. Spent ages really focusing on building up technical skills within that discipline and just learning as much as I could. I eventually got to a point three or four years later where I just said to myself, “Oh, what’s next? I’ve kind of been acting year 1 for a while now.”

And then I took a role over at Westpac where I had no reports, I had no headcount to have to worry about, just got to do technical work and learned from other really smart people. Did that for a few years and did WAFs and SCA and a bunch of other things that I moved into. I really wanted to go move overseas to the US because I got approached by Facebook and they flew me to Menlo Park and I went through the rigamarole with the five days of interviews and all that jazz, and in the end they didn’t give me a role, but what it did highlight to me was that I wasn’t particularly good at the software engineering aspects. I didn’t understand scalability, cloud architectures, distributed systems, algorithms, just a lot of the base principles as well as I should, and I spent a lot of time really focusing on developing those skills over the following year and then eventually got a role at Change.org as Director of Security in 2020.

That’s also when the pandemic hit, and I worked 2:00 AM till 11:00 AM most Tuesday to Saturday, and that was fine because it was the pandemic, so who cares, right? We didn’t do anything and Canadian dollars were actually a bit better than Australian ones at that point in time, but it’s about that point where I also met my girlfriend, now wife, and I remember I’d clock off work at about 11:00 in the middle of the day and just be like, “Oh, yeah. I’m just going to go for a swim in my dad’s pool while I wait for this pandemic to blow over before I can get sponsored to move to overseas,” and she said to me, “Why don’t you stop being lazy? Just go do something else. Don’t just go swimming every day, doing nothing useful.”

And then I just rang up a bunch of my friends and said, “Hello, do you need AppSec?” and a bunch of them said, “Yes, actually,” and that’s where I decided to start the business, and I’ve been running it for a bit over two and a half years and it’s been a roller coaster of an adventure. I ended up going full-time on my business around middle 2021, because I got sick of the 2:00 AM till 11:00 AM thing.

Abhijeth Dugginapeddi:

Cool. Awesome. Thanks a lot, Cole. I think it’s a pretty relatable story, and as you were sharing your story, I have this massive smile on my face and I was heavily nodding because some things that you’ve mentioned are extremely relatable to myself and I’m sure they’re relatable to some of our listeners too, especially because there are a handful of people in cybersecurity who got hacked and wanted to take a revenge or learn how hacking works, and it’s the curiosity that got them into cybersecurity, and it sounds like that’s like what got you into cybersecurity too. Also, it sounds like started a gig and you were thrown into the deep end by asking you to lead a SOC function or do SOC-related stuff. Looking back, now that you have plenty of experience, do you think as a cybersecurity person you would’ve started with SOC or would you have preferred to start with something more traditional, like penetration testing or AppSec?

Cole Cornford:

So it wasn’t me getting thrown into a SOC. What happened is I joined the AppSec function and then almost the entire AppSec function left the AppSec function to create a SOC function and left me alone in the AppSec function to build it from scratch, and would I recommend being in a team by yourself to establish a function that requires significant expertise in both security, organizational politics and software engineering? No, I would not, but I think that a SOC is a fine place to… People need to get their stripes. You need to get your Stars and Stripes, and there’s a lot of roles out there to do that. You can be a policy wonk, you can go do your patching of systems. There’s always a lot of routine tasks that the senior executives and managers and stuff effectively, they’ve got more important things or they can… It’s not that they’ve got more important things, it’s just that the influence that they have with their expertise actually do change a lot more than doing small individual contributor tasks.

So you’ve got to do the small IC tasks until you get enough of a perspective to be able to influence at a higher level or to improve your network enough to be able to speak to the right stakeholders to influence outside of your sphere. But if you’re stuck just responding to incidents, having tickets come in for you to have a look and see if it’s a phishing link, but it’s a great place to start. I wouldn’t necessarily say stay there for a very long time though. Same with IT help desk, right? There’s only so many times you can fix up group policy object errors and reset passwords.

Abhijeth Dugginapeddi:

I completely agree with you. Some of those tasks actually sound very mundane, but they teach you a lot, especially if you want to have a complete career in cyber, you need to know a little bit of multiple things. It’s great to have a specialization, but also it’s great that you do a bunch of things, especially early in your career, and I’m sure this is one question people keep asking you, “Hey, Cole. How do I get into security?” And for the listeners who are listening to you today, if they want to get into security, what would be that one or two things that you would highly recommend them?

Cole Cornford:

Well, I’m going to be a bit biased to say it because I’m an application security people, the ability to program is right at the top there, but I don’t think I’m alone in saying that. I think that every single discipline within security, if you are able to do some level of software engineering, it’s going to be a better outcome for you guys than people who can’t. If you’re a SOC person, you can write scripts to help you automate a lot of tasks or do some analysis, or maybe you can go a little bit further and think about an ML model that you can program so you don’t have to look at any logs anymore because your computer system takes care of that triage for you.

If you’re a pen tester, if you understand how the software works in great detail and understand the nuances, what does nil mean versus null? Well, you might understand, hey, that’s a keyword that’s specifically related to Golang, so I’m going to start testing about protobuf vulnerabilities, not testing for just standard SQLI. But you wouldn’t get that if you haven’t spent any time understanding why Golang itself is a different language than say Java or C# or Rust.

Or if you know that the web application’s using React components, you’re just not going to spend any time on XSS. So I think that understanding software engineering and programming is tremendously helpful for people, and at university or even TAFE, people don’t spend anywhere near enough time on understanding these concepts and they just want to… There’s a meme that comes to my head where it’s a staircase and there’s a man who just basically steps up seven levels to red teaming from running Nmap, and he just skips over understanding DNS, ARP, networks, but just goes straight to red teaming and skips all his fundamental concepts, and I think those basics and fundamentals is far more important than going off and learning a lot of random esoteric vulnerability classes.

And I think the other thing as well is be willing to actually grind. I think a lot of people don’t recognize that security is a bit of a cliff to actually get into. There are a lot of people who want to break into security because they see that eventually the payoff is going to be quite good. As an industry, we do get paid quite good salaries, but I’m going to say that it’s a lot easier to get in as an entry level software engineer than it is as an entry level penetration tester, because there are nowhere near as many roles doing testing or SOC analysis or whatever as there are people just building product.

And if everyone wants to get into cybersecurity, you’ve got to compete against these people and show that you have a better value proposition, and the easiest way to do that as a junior is by just being technically brilliant, because most people don’t put in the effort, and I know it sounds silly, but it’s super easy to put in 12 hours a day grinding content and you’ll be a lot better than the person who sits there at university doing four hours a week because that’s what they need to pass and get PSQL degrees.

The other differentiator I’d encourage for entry level people is about communication skills. In consultancy, we often talk about the three As. So we’ve got availability, affability and ability as the reason that people choose to hire different consulting firms, usually in that order. So your ability to deliver a service is not as important as whether people like you and whether you’re available to help people. Now, availability is a bit hard, but if you’re going up and actually seeking out experts and attending networking events and going and talking to a lot of different people online and LinkedIn and stuff, you’re going to be visible to people and they want to speak with you, and as long as you are not… It took me a long time to get rid of a bit of an elitist chip I had on my shoulder, but generally people love to talk to people who are friendly and kind and excited and willing to learn a lot of things, and less willing to talk to people who are bitter, resentful, process-oriented, want to hide away.

So just try to emulate those kinds of qualities, from speaking to hiring managers, and that should help you out a bit. So anyway, I guess very long-winded way of saying you should grind, you should spend some time working on your communication skills and being a friendly and approachable person, and you should put yourself out there and attend different types of events to meet new people.

Abhijeth Dugginapeddi:

Oh, I completely agree. I think the three things that you mentioned are fundamental for not just entry level people, but even experienced folks who wants to get into cybersecurity. In fact, one thing I sometimes tell to entry level folks is like, “Don’t wait for your first cyber job. If you get an entry job at a tech company as a software engineer or an SRE or a network admin or an IT admin, take it and then make sure that job gets evolved into cybersecurity,” because it doesn’t matter what discipline you work in tech industry, as long as you start in a tech industry, you can kind of convert it into one or the other cybersecurity specialized role, which I think is beautiful about our industry is that you can be specialized in cybersecurity depending on what area that you choose you want to research on or what area that you want to build your expertise on.

Talking of specialization, I think you mentioned a really interesting point about feeling elite or having this sense of, “Hey, I work in cybersecurity, so I must be cool.” I said this because 15 to 20 years ago when I wanted to get into cybersecurity, the barrier to entry was really high, and I’m sure you also agree to that, whereas I feel like in the last 10 to 15 years, the industry is changing a bit. But my question to you is do you think the industry is actually changing a bit or do you think there is still that sense of elitism, where people try to keep the barrier to entry into cybersecurity high?

Cole Cornford:

Yep. So last week… Well, earlier this week I was at Parliament House and my presentation I gave to the delegates at the conference I started by talking about techie AppSec stuff, but the last third of my presentation was talking about how do we have to do a cultural mindset shift within the security industry, and I think application security has already succeeded in this discipline largely. If I think about all the personalities in our industry, they’re basically all the opposite of what our industry as a broad for cybersecurity says. But going back to that, I think the first thing is that we’re taught an adversarial mindset by default. So everybody that you encounter has learned that there are adversaries out there and they’re going to get you, and we need to effectively have black and white approaches and that we’re going to use militaristic terms for almost all of the services that we provide, like penetration testing, red teaming defense, in depth threat intelligence, brute force attacks.

They’re all got some kind of militaristic connotations, and in 1984, if you force people to think in a certain way and speak using a certain language, then they’re going to gravitate to that way because difficult for them to consider things from other perspectives, and so I think that that’s obviously quite problematic because it means that you are going to have a lot of security professionals who are taught that software engineers are stupid and business owners accept risk because they just don’t understand what’s happening, and you’ve got a lot of business people who are thinking that cyber people are just black hoodie hackers who just don’t understand anything, and all they do is they slow my projects down and make my life hard. And they talk past each other constantly, and we need to be basically dealing with these harmful stereotypes and recognizing that generally people want to do the right thing and security people should be trying to lean in on that and not taking as adversarial approach.

And I think the other thing that’s really problematic in the industry is the way that we measure our own self-worth, like our value that we provide to society, is not based on other people, it’s based on our peers. What I’m saying by this is that on LinkedIn, the way to ascertain whether someone’s a good security person is whether they have an OSCP, A CISSP, a CISM, a couple of black hat presentations, they’ve gone and spoken to some audience somewhere. All the focus is on me and how do I professionally make myself look awesome to other security people? But if you take a step to the right and you talk to just some normal small business owner and you ask them, “What is black hat? What is CISSP? What is OSCP? What is a [inaudible 00:18:32] about SQLi?” Then none of that matters to them.

What they care about is that they can be safe, that they get given good advice, that they feel like they have a trusted person that can help them out and that they had a good experience interacting with this professional, and I think until we shift the industry’s values so that they trust in customer outcomes and customer success a lot more than in how their peers perceive them in the industry, we’re going to be really fighting an uphill battle as far as culture’s concerned because we’re just going to be reinforcing this existing state.

Abhijeth Dugginapeddi:

For the listeners who can’t see my face, I’ve been heavily nodding to each and everything that Cole was saying for this particular point because I think as an industry we still have some way to go in terms of the cultural shift that we need to get to, but we are heading in the right direction. And as you mentioned Cole, I think as AppSec engineer or people who work in the AppSec space, we are closer to, let’s say, the product and engineering and we are closer to the idea of the business being successful, or you risk accepting things and not having that red tape on top of everything. So I think in the AppSec space, think we are heading in the right direction, but as an industry itself, there is still a long way to go.

Talking about your journey in AppSec space and industry, in 2011, when you started your first gig, did you ever tell yourself that 10 years or 12 years from now I would start my own company? If you’re did, I’m curious how you motivated yourself to start your own company, or if you never imagined to start your own company, I’m curious for you to dive a little bit more into what motivated you to start your company and what are some of the difficulties that you faced in starting your own company?

Cole Cornford:

So I’ll go through a few of those. So my first job, you’ll like this, so I was second year university and I didn’t like commuting from Cessnock to Newcastle, which is a bit over an hour. It’s like an hour and a half at the time. Nowadays, it’s 40 minutes because as soon as I left Newcastle, they opened the Hunter Expressway, also known as the Joel Fitzgibbon Expressway, and that reduced my commute down from an hour-thirty to 40, so it actually would’ve been good to be able to live in Cessnock. But yeah, I really wanted to get out of home so I could have some independence and some are all that jazz, as young people do. And so I did, I met a bloke at a party and then the next morning I said to my dad, “Hello, I’m going to just move into this man I met at a party,” and my dad was grief-stricken and said like, “Oh, you met a man at a party and you’re moving in with him. That’s pretty fast goal. Something you’re not telling me?”

But I did, and the reason I could move was I got a small scholarship for $2,000 from the university to be able to do that. And then I noticed that the money was disappearing relatively quickly about eight weeks in, and I was like, “Ooh, maybe I should get a job.” So then I started going out and getting jobs. I just got a really basic IT help desk job so that I could survive eating Hungry Jack’s Stunner Meals for the next couple of years. But anyway, main thing is that at that point in time, it was fight or flight and I didn’t really think about the future other than, “How do I finish my uni degree?” rather than, “Do I need a career or anything like that?” Because as basically the first person in my family who’d actually attended a university at any point, it was pretty much a new experience the idea of having careers.

A lot of my people, just my brothers and cousins and mom and dad just got jobs in hospitals doing laundry and delivering linen between different hospitals or fish and chip shops. None of them had any aspirations besides, “I’m going to do my nine-to-five and go away.” And yeah, it was kind of a different experience being exposed to a lot of people when I moved to Canberra and that helped me formulate a bit of an idea. But I do remember a recruitment fair in 2012. They had all the IT faculty staff and a bunch of students there, and a lot of people eating pizza. I would go to every single one of these because I’d get free pizza and a lot of Coca-Cola, and that was very important to me at the time because it meant I didn’t need to spend $10 at Subway at lunch.

And so I went to these and the recruiters who put it on asked students in the audience, “Is anyone interested in signing a business in the future?” and I was the only one that put my hand up. All the other students there kind of looked at me and laughed at me a bit and they’re like, “You start a business? What you on about?” And then the recruiter said something that was really cool, which… I think her name was Julie Geary at GWG, and she said, “Don’t you guys laugh at this person, because in 10 years’ time you might actually be working for him because he’s taken the steps to actually go and consider starting a business,” and I think the impetus for why I did start a business a few years ago was honestly because my wife just gave me a kick up the backside and just said, “Go do it. What’s stopping you?”

And the answer is that not much, but also I hadn’t known anyone who’d really started businesses. Almost everyone I knew in my professional career were employees basically. Yeah, I just said, “What’s the consequence, right? I’m just going to go move to Canada. If it doesn’t work out, it’s all good. It’s a bit of extra money, and then I’m just trading time for materials, T&M arrangement, so it doesn’t actually matter. And yeah, one thing went to another and I had to go through all sorts of different challenges, as you do when growing out a company. But yeah, I encourage people to give it some thought and feel free to hit me up if you do have any questions about wanting to start a business, especially a consultancy and especially a consultancy if you haven’t done consulting before. One of my good mates, he rang me up and he’s just like, “I heard you’re starting a business. That’s a very brave move,” and I learned two years later that this particular individual uses brave as a synonym for stupid.

Abhijeth Dugginapeddi:

I think most innovative things, some of the best things that have come out of science were called stupid at some point in the history, and I’m not surprised that your mate used the word stupid for brave. I started my first company when I was 19 years old and I was at university. I started a security training/consulting, but it was more like, “Hey, I’ll come and do a two two-day ethical hacking workshop, you pay me some money, and that’s it. I don’t see you again. I give you some hand-printed PDF files or printed papers,” and that’s how I used to make money. It was a necessity more than anything else that made me start my own company. By the time I was 21, 22, we sold the company because I got a fantastic opportunity at a company and I started security consulting. I guess where I’m going towards with this question is as an entrepreneur, as someone who runs this consulting company, as an AppSec person, you’re trying to juggle multiple balls at the same time. I’m curious what your day looks like.

Cole Cornford:

So I guess there’s two ways to put it, there’s working in the business and there’s working on the business. Nowadays, I’m quite heavily focused on the business and I do occasional high value in the business tasks, but I really, really try to avoid doing anything that’s a code review, nine-to-five, this is the day rate or pen testing or security architecture or whatever, because if I’m doing those, there’s no ability to scale out a business, because it’s working on the business that actually turns the business from this to scaling it out. And I do have a good team of people who can deliver the services below me and I manage to quality and the outcomes of the engagements that they do and look to always speak with their customers and clients and make sure that they’re doing a good job.

But yeah, if I think about the types of things I’d be doing if I’m in the business, it would generally be a mix of code reviews, which I’ve always been quite good at. I used to run Fortify for a very, very long period of time, and effectively when you get used to doing taint analysis, moving across from using automated tools to doing manual curation and assessment’s really not that hard because you know how taint analysis is the main way that people do auditing of source code besides just running a couple of tools and then checking to see where different types of normal things, patterns that look bad are and interrogating those with unit tests as well. So I do that a bit. I help advise systems engineers about what they can do to architect systems in ways to be a bit more secure. So nowadays I’m a big fan of pushing people to using software-defined infrastructure as much as possible. A usual selling point is this deals with five of the essential eight, and then people are like, “Wow. Okay, I never considered that,” and they’re like, “Yeah.”

Training. I try to do in-person training because I think that there’s already a tremendous amount of online self-service video content, and I don’t want to be competing with free. I think that’s one of the challenges that people go into is having to find a way to build a brand, and if you’re giving away content for real cheap or for free, then you’re not really distinguishable from the other players that are doing that. So I charge a bit of a premium and have in-person instructor-led training instead. It’s almost always by me, and that seems to be going pretty well too. But yeah, those are the main kind of activities that I do every now and then. But I think that the majority of my day-to-day is almost always on working on the business, and when I’m saying working on the business, it’s about how do I make the business sustainable and how do I ensure that it grows in a meaningful way into the future? And that is a lot of different types of tasks.

It’s about understanding where your staff members are and what you can do to support them to grow as well as if they’re looking to move on, what you can do to help them move on to somewhere a lot better, because I want to see people who are looking on the way out that they’ve had a great experience here and eventually may become an advocate for me in the future. I don’t want them to be burned on the way out. So talent retention and talent management’s one thing. Another thing is sales and marketing. So you’ve probably seen a tremendous amount of bright pink content everywhere. Well, it’s been quite intentional. I can talk about branding a little bit later, but I do a lot of content creation and going to conferences and meeting people.

And then there’s sales. I’ve had to entirely learn sales from scratch. I just figured that sales is easy. You just ring up your friends and they’ll buy from you. I’ve since learned that that’s not quite the case and that your network is pretty small and then once you exhaust that, you need to really go to market and find out how do you sell elsewhere? And so I do a lot of that part of the business as well. So I’d say, yeah, my day-to-day is kind of chaotic as well. Being a business owner, things come in, things go, and I try to balance that with having two children and doing school pickup and amongst nappy changes and stuff as well.

I don’t think I do that successfully a lot of the time because running a business is quite consuming of your time, but at the rate that I want to scale at my business and my kind of life goals, I could choose to take a step back and go for something a little bit more sustainable, but for now I’m happy to just grind really hard and then the payoff will be in the future when I can spend more time with my kids as they get a bit older.

Abhijeth Dugginapeddi:

Thanks, Cole. I think kudos to you for doing so many things simultaneously and grinding because I know it’s not an easy gig, especially sales. I mean, over the years I’ve seen several people choose sales, and not just cybersecurity, but across different industries. It is actually one of the hardest things to do, especially calling people and telling them about your business and trying to sell your services and right people, right time, right place, everything needs to fall in place for you to sign a contract. So kudos to you for doing all of that stuff. I did want to touch on one of the things that you mentioned. There might be several individual contributors and several managers and leaders who are listening to this podcast right now. Do you have any specific tips for leaders, managers on how to build a successful security team or how to build an AppSec team, especially from scratch? Because some of them might be the only person and they might start hiring the second and third team members.

Cole Cornford:

Yeah, cool. So the first thing to recognize is that it’s a journey and also that you’re going to have for a tremendous amount of time gaps in your program and that if you try to boil the ocean, you won’t succeed. I’ve seen many people who are relatively junior… I wouldn’t say relatively junior. They’ll be the first engineer who’s a security engineer at a company, so they’ll usually be staff security engineer or something like that, and they’ll come in and they’ll want to kind of replicate what they’ve had at their previous big institutions. So it’ll be go find a commercial static analysis tool, dynamic scan, a secret scanner, go start out with threat modeling immediately, go do developer training and get that across the workforce, start building a policies, processes, procedures, and I think that that’s quite an ineffective way to start.

Instead of looking at the different activities you could be doing and trying to do all of them at once, the first thing you should really be doing is speaking with your leadership team and understanding business risk and what matters for your organization. If you are a project-based organization, it will change quite tremendously from a product-based organization, and because of that, you have to be able to create different service functions and delivery lines and pathways and so on to meet the changing needs of what type of organization you have, and you also may need different types of controls that scale or don’t scale. So I would encourage people to initially just listen, read financial reports, go speak to executives, go speak to head of engineers about what they are concerned about, what levels of friction they have.

The things that matter the most when you’re initially building a program are the types of activities that will scale without your involvement, and that basically comes down to distributing work to other people, which can be done via training delivery pathway. I think that that’s fine if you’re in one of those product-based organizations because generally the engineers at those places care quite deeply about the product and they can take those lessons about the process and guidance and types of vulnerability classes that you’re implementing straight to use without your involvement whatsoever.

The other activities that would scale I think would be actually helping build defined architectural patterns with your platform engineering team and having other people come and leverage those, because if you’re doing that, then as long as people are using the platform team’s platform, then they natively get these kinds of security benefits. One other thing you’d be doing would be just establishing a network and relationships across the business. I can’t stress how important that has been in my career as both a consultant recently, but also as a senior leader at a globally distributed technology firm, to just be able to pick up the phone and speak to pretty much anyone from anywhere about how they’re going, what the challenges are and how we can get to yes for security. And I think if you’re coming in there from a compliance space attitude, you’re going to have a lot of difficulty.

Don’t start by just getting a checklist, like the ASVS or OWASP SAMM, or something like that, and then looking at where your gaps are and how to fix that. That’s all well and good for people who’ve established a need and budget and have the authority to go out and just start filling all those kinds of roles, but in my view, it’s about understanding where your organization is and what their financial priorities are and what their actual genuine risks are from running a business, and then taking the security steps that help them achieve this goal within some safe guardrails and choosing practices that are quite scalable, not ones that involve bringing you into every conversation.

Abhijeth Dugginapeddi:

Those are some really great insights, Cole. I think I can definitely relate to some of the things I’ve worked on in that space, and I’m sure some of the audience who have built teams from scratch would extremely relate to the concepts that you mentioned. I also like the way you said project-based technologies versus product-based technologies and the way you want to implement security in both of them is different. You kind of hit the nail there. In the so many years that you have worked in cybersecurity, Cole, I’m sure you have worked on many problems and there might have been days where you wanted to call it quits and you might have shut down your laptop, just threw it away, and there might have been days that you were so frustrated that maybe you wanted to quit cybersecurity.

So there are two things I want to know. One, were there any days that you were so frustrated that you wanted to call it quits in this industry? And two, can you describe one of the best problems that you’ve worked on, something that you found really challenging but you have overcome it using your soft skills or tech skills or whatever skills that were required?

Cole Cornford:

Yeah. So I think that frustrating days is few and far between because I happen to have the ability to be relentlessly positive pretty much. A few of my friends happen… I guess also Change.org really helped me with that, but a few of my friends are doctors and I speak to my doctor friends about how they’re going and they say, “Yeah, I just got out of surgery. I’ve been sleeping in the cafeteria for three hours, but now I’ve got to go back in and just a guy’s cancer-ridden spleen out and then he’s got a 20% chance that he will live. So I just got to do it and then tell him, ‘Yep, there’s a 20% chance, and then that’s it. That’s how it is, even if I do the best,'” and then I sit there and I say, “Why am I getting so upset about some poor bloke who doesn’t understand what the difference between different types of output and coding?”

I think having that really helps give you some perspective about life. Also, speaking to a lot of people outside of your discipline. I think when cyber people talk to other cyber people, they feed off of each other’s negativity a lot of the time. Going out and looking at the cool things that software engineers build or going and participating in a political party or a sports group, it’s a really, really good way to just kind of bring you back down to earth and get you out of your bubble. It’s really amusing to me listening to people saying that they get stuck within… You get on your YouTube bubble and then you’re stuck in your echo chamber, and I’m sitting there thinking that the cybersecurity industry itself is a bit of an echo chamber and I’m like, “Why are you going out?” People in glass houses shouldn’t throw stones, right?

So it’s hard to think of situations in my career where I’ve actually had frustration where I’ve not been able to say, “Cool, where is this individual motivated from? Oh, that person’s upset because they’re going through a divorce or this person’s upset because they’re going to lose their job if they don’t get this thing done, or they just don’t understand the importance.” I think empathizing for wherever people are has really helped me get to a situation. Not that I don’t care, it’s just that recognizing that the frustration is not something that I should be really feeling all that often and being able to move past that and look for productive solutions.

I know a lot of people get really, really hung up on this in cybersecurity so much where they come across a critical vulnerability in a system and then they get very angry because the business owner still chooses not to fix it, even though it’s leaking everyone’s PI or something else, but then you think about what the business owner’s going to say, “If that system goes offline, we stop producing revenue, and so I just can’t afford the patch. It’s too brittle. What I need is to build an entirely new system to take over from this one in the future, and I don’t have the capital or cashflow to be able to do that.” And if you’re a cyber person, all of that doesn’t make any sense to you. So it’s all the form of stuff. All you see is SQL injection, they should be fixing it.

Now, the things I’m most proud of. I don’t know, I’ve just got lots of small good stories. I don’t have any enormous super big wins I can point to and say that, “You know what? Yeah, that was an amazing thing.” I’ve done things, like… I’d say myTax. If you know myTax?

Abhijeth Dugginapeddi:

Mm-hmm.

Cole Cornford:

Being able to help say that effectively I’ve helped to deal with cross-site scripting and SQL injection in that application and manage that before it ever got to penetration testing through doing code reviews or saying that in the past I helped to manage the implementation and rollout of a WAF that predicts the St. George and Westpac live systems. I think they’re all important, but it’s all a team sport. It’s not just me going out and doing, it’s all the people who run these systems and build them and have to go and remediate the issues. I’m just like a bit of a cog in a lot of these places.

I think at Change.org, one of the big things I got that was quite helpful was about anonymization of information based on the geographies that people located in, because we recognized that there were genuine threats to human life from people who were protesting against all authoritarian governments in, say, Belarus or Russia and so on. And so having to really think through those threat models and recognizing that for a globally distributed company, we cannot just have a one-size-fits-all approach. So that was a really interesting way to think about both managing national security and geopolitics balanced against user experience and traditional AppSec stuff because as you introduce security controls to a petition website, people are less likely to sign or put their name against petitions and then the petitions of less effectiveness. So I always thought that that was a really cool and interesting period of time to be involved in.

And I guess even recently, just some of the smaller engagements I’ve worked on, like helping Camplify a lot has been quite meaningful to me. They had a situation where a lot of people would be taking transactions offline, because Camplify is a marketplace application. You have buyers and you have owners and renters basically, and Camplify facilitates both these people meeting to get camper van rented out, and what they found is that the owners and the renters would find a way to start talking to each other outside the app before Camplify could get its market maker payment. So helping them change the processes so that they take payment first is a good meaningful win versus in the past where they were thinking about building effectively an auditing and logging and monitoring arrangement to deal with this problem instead of thinking about the business flow itself. Because if people met using Camplify, but then took the conversation offline, it’s a financial risk to their organization, and also, the insurance is covered by the organization no longer could affect it because it’s two private parties meeting each other.

Now that I think about it, probably all of the public speaking stuff I’ve been doing has been quite meaningful to me too. Over the years, I’ve gone from being a pretty bad public speaker when I was at the ATO, just talking internally to a few people about what is output and coding or what are secrets, and moving to small community groups in Newcastle and then eventually conferences, like BSides and AISA, and I don’t know, now I run a podcast and just a bit of a galah really. So I think that journey is something I’m really proud of as well.

Abhijeth Dugginapeddi:

I love it. I’ve listened to some of your podcasts and they’re absolutely amazing and I’m sure that listeners who are listening to this podcast are also enjoying the podcast so far. I love the fact that you’ve worked on so many diverse projects. One of the things I almost envy you right now is the way you work with some of these common projects and you’ve got a chance to get some insights into some of these geopolitical situations. As a cybersecurity person, I don’t think a lot of people in the cyberspace get that opportunity. So kind of envy you there a little bit, but also I appreciate the fact that you were talking about empathy and you were talking about understanding someone else’s situation when you’re talking about cyber vulnerabilities or doing risk management.

And the point that you mentioned about having friends outside cyberspace is so important because it kind of gives you a perspective of what real life is and then you start questioning things, right? Because I feel like cybersecurity is one of those spaces that gets philosophical after a certain point of time and you start questioning whether the cross-site scripting popup that you see in the browser is actually more important than someone who has to get rid of cancer in someone’s body and there’s only 20% probability that they might be successful. And having that perspective towards life is very important, and I feel like I have learned that and I’m very thankful to the cyber community and people who share these stories in our space, and that I think is for me personally, one of my biggest takeaways from spending 15, 16 years in cybersecurity.

All right, let’s get to some fun stuff. I have some rapid fire questions for you.

Cole Cornford:

Okay, let’s do it.

Abhijeth Dugginapeddi:

I think the first question I have for you is what’s the worst password that you’ve seen someone use?

Cole Cornford:

I’m going to pause on this one because I reckon a lot of them are still active, so I’ve seen some bad ones, guys. Some have been less than three characters.

Abhijeth Dugginapeddi:

There you go, everyone. To all the listeners, if your password is October at the rate of 2023, please change your password right now. If not cybersecurity, what would you have done?

Cole Cornford:

I have thought through this a few times and I did get ridiculed once for it. IT software engineering is obviously is a very, very easy transition from application security. I just can’t see myself not doing a traditional software engineer to enterprise architect route if I was to go back and do my career again. But if I didn’t go down that route, if I think about what’s in the future, I’m considering looking at potentially either academia. I am working with the University of Newcastle to restructure their master’s of cybersecurity degree and to help build the content from scratch. So that’s making me happy is a good meaningful thing to be given back to the community and to where I went to university.

I could see that, always moving into some kind of academic role in the future. Otherwise, I was thinking either bureaucrat or MP, because I really do love Canberra as a city and I’d love to be able to move back there at some point, and I feel like going and serving my country and doing some stuff that’s good for my kids and family as well would be a really good idea. And I feel like I’ve got a lot of diverse perspectives and a good attitude that I can bring to working in the public service. I would definitely think about that.

And the other thing is an MP. I am involved with the Labor Party up in Newcastle, and I think that it’s going to be quite difficult if you’re not involved with a Labor Party in Newcastle. We’ve had this seat red since federation, and I think if you were any other seats, you’ve got no hope of ever being in office. But at the same time, I’m a centrist, right in the middle and I can definitely see myself in 12 years, maybe 20 years, looking at a stint in politics as well because I’m a good communicator, I do like humanity and I do want to do something more meaningful, and having good tech chops and cybersecurity chops is probably something that might resonate with a younger audience in the future. And I’m hoping that in 10 years, 15 years’ time, that I’ll have a good wealth of experience to draw upon as both a business owner and maybe a bureaucrat or academic as well.

Abhijeth Dugginapeddi:

Hey, I’ll vote for you. You have one vote already.

Cole Cornford:

Just going to get all the cyber people to vote for me in my electorate.

Abhijeth Dugginapeddi:

That’s it. That’s it. So this is more coming directly from me, it’s a personal question. What came first, the idea that you needed to have a pink logo or Galah?

Cole Cornford:

It was kind of all the same time actually. If you think about it, I registered the company Galah Cyber, so that was always its name. I think I registered it June 2021 after already working as a independent contractor for nine months prior to that. Because you don’t need to give a sole trader business a name, you only need to give a company name when you go to a PTYLTD from sole trader. And when I came up with Galah, there’s a few things for it. One, I really recognized that the majority to cybersecurity industry was all painted itself as adversarial colors, so it was always blue and black, or blue and red, or black and green, these kind of color schemes. If you go look on any of them, you’re going to see that they’re very much built on uncertainty, doubt, the traditional hacker mindset, and so I wanted to do something completely the opposite to that would make it fun and approachable and chillaxed.

So I felt, “Okay. Yeah, cool. This makes sense. I’m going to do something that’s pink and white. How do I take this a bit further? I want it to be sovereign. I want to… What do I like? I like birds. Okay, Galah. That makes sense.” So when I went and did a brand workshop with Cyborg, I explained all of these things and we went through a bunch of different logos and company names and ideas and stuff, but I ended up really sitting down at Galah Cyber because I was…

If you think about galahs… One of my mates, they gave a phone call when I drove to Canberra the other day. He said, “Do you know the thing about galahs, Cole, is that every other bird, when I take my dog for a walk around Canberra, every other bird, he runs at and screams at them and chases and down like they’re fighting, but galahs, they’re quite docile and approachable and chill, so he just doesn’t care. He just walks past flocks of galahs all the time,” and I said, “What, you’re just saying I’m docile, chill and approachable?” and he’s like, “Yeah, that’s a pretty good representation of your brand, honestly.” So I think that the bird itself is already a bit like me and I really wish that the security industry had moved in that direction as well.

Abhijeth Dugginapeddi:

Nice. Now, I personally love your logo and the word as your logo, so that’s why I asked you this question. Here’s the last rapid fire question. Can you tell about a recent purchase, less than $100, that you absolutely love, and it’s like that one thing you tell everyone about?

Cole Cornford:

I was going to say, if you look around my room, it’s entirely like galah things everywhere. Well, I mean, I’ve got a slushy. I like slushies. It cost me like $1.50, but actually besides galah memorabilia, which I have a tremendous amount of galah memorabilia, and almost all of it costs close to nothing because no one buys galah memorabilia. Now, this is a hard one, man. Let me think. What have I even bought for less than $100? I guess just things for my family or my dog. I don’t really buy terribly many things for myself because I want to see my business succeed.

So really it’s probably just taking my kids out for lunches or parks, or just having meaningful family activities, because I’m not in a position where I really, really get a lot of value out of buying a nice shirt or getting a pair of headphones or something kind of expensive or some jewelry or a fancy suit or whatever, or even video games, to be honest. Nowadays, I don’t have time to play them. But what I do like doing on the weekends is being able to take my kids out to go trampolining, like a jumping event or to go take Monica onto the waterfront around Newcastle and just walk around in the pram, and those experiences, I guess, can only be done if I buy one tank of petrol for $90 from Costco. So there you go.

Abhijeth Dugginapeddi:

Nice. I love your answer. It’s a very wholesome answer also because kind of puts things into perspectives, because things don’t stay forever, but experiences do, and it sounds like you’re a man who loves experiences and that’s what matters to you more than buying artificial things. I love it. That’s great. Hey, as we start wrapping up the interview, if I were to ask you to give one suggestion to our listeners today, what would that be?

Cole Cornford:

Just like, subscribe to Secured.

Abhijeth Dugginapeddi:

My job. I’m supposed to say like, subscribe, please share this on your LinkedIn, YouTube, Instagram, everywhere.

Cole Cornford:

All right. So what I would suggest to listeners is to actually go and spend some time looking up Abhijeth, or even all my other guests on this podcast. This is a special episode for me to give a bit of context around myself and what I’m doing of my life and what drives me to start a business, and I know that usually I’m the host and talk in other people about all of their experiences, so I thought it’d be good to flip the script a bit, and I really appreciate that you’ve come on, Abhi, and been able to hopefully have an interesting interview for everybody to listen to. And it’s been weird being in the hot seat, I tell you that. I’m sitting here, sweating, being like, “Oh, man.” The $100 question really got me. I got there in the end. But no, I think the one thing I’d say is just I hope that you’re all still really enjoying Secured, and that if you have any feedback at all, please reach out to me. Let me know what I can do better.

Abhijeth Dugginapeddi:

Thank you so much, Cole. I think one of the reasons I wanted to interview you is I’ve been following you for the last two, three years, I think, and especially in the one year, I’ve listened to some of your podcasts and listened to some of the bits and pieces that you post on LinkedIn, and I felt like my personal thoughts and your thoughts resonated so much, and I have never even met you.

For the listeners, just for context, I only met Cole for the first time a month ago, and then we instantly clicked and I felt like, “Hey, Cole, I know you do a podcast. How do you feel being interviewed on your own podcast?” and he said yes, and here we are, 45 to 50 minutes later, all of you listening to this podcast, and we have got an opportunity to dig a little bit deeper into what Cole does, what he likes, and we all now know that he likes to go to Costco to get his patrol. So next time you see him in Costco, make sure you say hi to him or give him a high-five. Cole, thank you so much for taking time and doing this interview. I hope you get to spend time with your family over the weekend and good luck changing some diapers.

Cole Cornford:

Thank you very much. We’re going to have a lot of fun with that one. Thanks, Abhi. See you later.

Abhijeth Dugginapeddi:

See you, Cole.

Cole Cornford:

Thank you for listening to this episode of Secured. We hope you enjoyed today’s conversation. Don’t forget to follow the podcast on your favorite platform and leave us a review. Want some more content like the above? Why not subscribe to our newsletter at galacyber.com.au/newsletter and get high quality AppSec content straight to your mailbox. Stay safe, stay secure. I’ll see you next episode