SECURED

The Evolution of Cyber Defence: Edward Farrell's Journey from IT Ops to InfoSec

Edward Farrell is Director & Principal Consultant for the Australian company Mercury Information Security Services. Edward has nearly two decades' experience in the IT sector, having worked early on in network design and IT operations before transitioning into a focus on infosec.

He’s an Industry Fellow at the University of NSW, teaching in the cyber security masters program, and a board member and advisor to multiple organisations. In this episode, Cole Cornford chats with Edward about his career journey, using automation to make teams more efficient, his belief that the infosec industry would benefit from further professionalisation, and plenty more.

6:25 – Edward’s career background

10:00 – Did Edward enjoy living in Wollongong? 

11:20 – Value of work experience while at Uni

14:00 – What led Edward to start his own business

15:40 – Using automation to make a business more efficient

18:10 – Career pathways within info security

19:00 – The big 4 firms in cybersecurity

20:40 – A broader issue with the Australian market

22:30 – Financial planning

25:40 – The best blog posts that Edward has written recently

27:10 – The professionalisation of cybersecurity 

32:00 – Too many tech solutions, not enough service providers?

36:00 – Edward anecdote: one guy in the company who knows all the systems

37:20 – Rapid fire questions

Cole Cornford:

Hi, I’m Cole Cornford and this is Secured, the podcast that dives deep into the world of cybersecurity. Secured is brought to you by Galah Cyber. If you’d like to learn how we can help your business stay secured, go to galahcyber.com.au.

Edward Farrell:

One of our clients had this one dude who knew everything about the organization and all its systems, and he was pretty much embedded into the company. We sort of did this piece of, “Well, if he gets hit by a bus, what happens to that?” Well, everything stops working. I think the reason why people look at products is because the machine will last longer than the human, unfortunately.

Cole Cornford:

Ed Farrell is director and principal consultant for Australian company Mercury Information Security Services. Edward has nearly two decades' experience in the IT sector. He started working in network design and IT ops before transitioning into a focus on InfoSec. He’s an industry fellow at the University of New South Wales, teaches cybersecurity in their master’s program, and he’s a board member and advisor to organizations like ISC2 and CREST. In our conversation, we chat about his career journey, using automation to make teams more efficient, his belief that the InfoSec industry would benefit from further professionalization, and plenty more. Let’s jump right on in.

I’m here with Ed Farrell. Ed, how are you going, mate?

Edward Farrell:

Good, good. I’m pretty good. Thanks, Cole. I’ve been lecturing all day, so it’s, in one way, lecturing activities are a little exhausting. In another way, it’s also very much your own self-education. I’m just going through the coming down of that piece of, I’ve done training. I had AISA yesterday, so it’s been a busy week, but I wouldn’t have it any other way.

Cole Cornford:

Yeah, I’ve had an exhausting couple of weeks, to be honest, with just a lot of travel. Yeah, university lecturing can really take it out of you. I get invited every now and then to do guest lectures, and I can’t imagine wanting to do 13 weeks of it, straight in a row, across multiple disciplines. It can be a real challenge.

Edward Farrell:

Yeah, just a bit, but I think that’s also very much why we’re here, is the challenge is part and parcel of the domain we operate in.

Cole Cornford:

How was the AISA Conference? I couldn’t go. My wife was starting to get a little bit unwell, so I didn’t want to be interstate in case I needed to come back and help her out with the kids. Thankfully, she didn’t get too sick. She just got a bit of a stuffy nose, but ultimately, I just didn’t want to take that risk with kids.

Edward Farrell:

No one would ever blame you for that. I mean, it’s awesome, that view, family very much does come first, so I commend you for that. But no, AISA was actually much better than I was expecting. I mean, last year, it did feel a little vendor heavy. Although this year, whilst it was only on the floor for the day, I had some really productive conversations, had some really good chats with folks I haven’t seen since pre-pandemic, so it was really good to catch up with a few friends who I’ve known in this industry for the last 15 years. That was really good.

Cole Cornford:

It feels like every time I go to BSides Canberra or the AISA CyberCon, it’s like I have a new high school reunion just on an annual basis.

Edward Farrell:

Well, it’s a high school reunion or it’s a, “Oh, that’s your online profile name.” You put names to the faces, to the avatars, and the online name, so it’s an interesting experience. But yeah, you have that reunion, but also you meet some weird, wonderful and fascinating new people.

Cole Cornford:

Yeah. Awesome. The first question I usually ask folk who come onto my cast is what kind of bird are you and why?

Edward Farrell:

Interesting question. I did see this in the list and being the indecisive character I usually am, I kind of struggled with this one, but I did end up settling on… I would put myself as an owl.

Cole Cornford:

An owl, okay.

Edward Farrell:

When was the last time you saw an owl?

Cole Cornford:

I don’t see owls often. I definitely have a stuffed one that my daughter hugs every night. I guess the closest I get are a family of owls, not technically owls. They’re called boobooks, and one of those is a tawny frogmouth, and I see them quite regularly near my house because there’s a lot of grasshoppers to eat. But they’re not really owls, they’re boobooks. They’re slightly different. There you go.

Edward Farrell:

I was reflecting on this. I was like, okay, cool. You don’t see owls very much, but you know they’re about. You know they’re doing things. They’re very much the… We’ll call them the gray people of the bird world, in that they’re not always there, but there’s also a comparison with them as being teachers and educators. I think my view of the world is I’m hanging out in the background doing things without being a peacock or being out there and being particularly showy. But I think, for me, that was kind of the best bird I could really associate with. Just the one that’s hanging in the background, just doing things and being the wise old creature.

Cole Cornford:

It’s better than a galah who’s always flying around there and everywhere. It’s just pink and obnoxious, a little bit annoying.

Edward Farrell:

But at least it’s not the peacock of Mark Wahlberg’s character. “I’m a peacock, you’ve got to let me fly.” I’m not doing all of that. Yeah, I think that was probably, as I said, the closest one I got with my personality. It’d say, “Kill your question,” and I enjoyed the introspection of it.

Cole Cornford:

Maybe tell me a bit more about yourself and your background. Where have you come from and how’d you get into InfoSec?

Edward Farrell:

Yeah, interesting question of getting into InfoSec. My name’s Edward Farrell. I’m the director of Mercury Information Security Services. We call ourselves Mercury to avoid the mouthful. If you go back into hallowed antiquity, my career path’s been interesting. I started off doing techie stuff, hanging out with dad with a 28.8 Kbps modem back when I was about 12-ish. I started to get a bit of a techie interest, started to learn a little bit of programming skills. I remember high school it was like, “Yes, I’m going to be a programmer.” I then started doing programming, and I enjoyed it, but then I went to university and programming was, here’s the requirements doc, just build the requirement doc. There was no creativity, there was nothing, so I said, “Oh, this isn’t me.”

Then I evolved into network engineering, which then evolved into my first career during university, which was starting on a help desk at $12.50 an hour, which then evolved into systems engineering with a slightly better salary, which then evolved and kept growing over time to a point where it’s like, “Okay, well, I should start doing a sub-specialization.” Concurrently, I started doing security at university. I had some really great security lecturers down at University of Wollongong, Dr. M. G. Michael, for example. We also had Professor Jane [inaudible 00:07:13] who was a cryptographer, just really interesting folks. Graduated in 2007, tried to also work out what I was doing in my life. Did a couple of other extracurricular activities I’ve still done to this day, and then jumped into security a little bit more extensively.

Got to 2009, went to Stratsec, did pen testing there and a number of other roles for four and a half years, which then evolved into… I moved on, started 2014. I was already looking for my next step, went to another firm for a little while, and then went out on my own in 2015 and been doing Mercury since. Concurrent to that, I’ve also lectured at the Defence Force Academy for a couple of years down here in Canberra where I’m dialing in from. I’m also on the ISC2 board of directors as well for those of your listeners that have their CISSP certification. And then beyond that weird, wonderful random research that takes me into very peculiar places, I now like to take my team along for the journey as well.

Cole Cornford:

That’s an interesting background. It’s funny, University of Wollongong, because tomorrow, I’m going to an event at the University of Newcastle called The Tale of Two Cities, and it’s about collaborating for regional universities. One of the unis is Newcastle and the other is Wollongong, and both their vice chancellors are coming up to have a chat about how we can collaborate more together. I just was like, “Oh, all right.” It’s kind of funny. I’m a Newcastle guy. You’re a Wollongong guy.

Edward Farrell:

Yeah. I actually grew up in Sydney and went to Wollongong. I missed out on the co-op scholarships program at UTS and University of New South Wales. Unfortunately, I couldn’t quite get into those, but the next best program was the one out of Wollongong, so I moved down there for a few years, which was nice.

Cole Cornford:

Did you like living in, I guess, a smaller city after being in Sydney for so long? Because I have always basically grown up in the Hunter Valley and in Newcastle, so moving to Canberra was the big smoke for me when I got my first proper big job. Canberra, big smoke, I know it’s a bit funny for people listening.

Edward Farrell:

Yes and no. Look, I think it depends. There are some really good friends I made in Wollongong that I still have to this day, but I also, a personal frustration I had was there were a lot of people that had a mentality that wasn’t conducive to doing things. There is, you say that tale of two, the experience of two cities. Under the skin of it all, Wollongong has very much a strong… Aspects of it have a very strong work ethic, but then you also have, and I probably saw it quite pronounced with a number of university students, probably more so the arts students, which was a sense of… I’m just going to come out and say it. For some, there was a sense of victimhood, there was a sense of entitlement. Some of them thought Jimmy Barnes was singing about them, which is just like, “Hey, folks, just tone it down a bit. Let’s focus on things.”

I think my first two years, I got a little bit caught up in some of those attitudes, whilst my last two years in my university degree, I was working full-time, I was studying full-time. For me, that actually I think was the best thing I ever did. It meant that I pushed [inaudible 00:10:34]. I was actually doing practical things. Between year two, three, when I did that help desk job, best thing I ever did.

Cole Cornford:

Yeah, I think it’s really important to get work experience while you are at university. At the very least, I think the most successful people that I know who are graduating from universities are ones who have built that work ethic. Either it’s something simple, like a Caltex doing service station stuff or going to Coles and packing shelves. If you’re particularly lucky, getting yourself a role, maybe doing IT somewhere.

I encourage every student that I meet to actively apply for roles, especially there’s so many of them that get to the final year and they haven’t actually done anything to prepare themselves for actually entering a workforce. A degree alone is not enough to get you a position in a company when you have peer students who’ve actually gone out there and networked at industry events in advance, who have research projects. I understand not wanting to put the hard yakka in because university can be a bit cruisy, but there’s definitely consequences to living the “P’s get degrees” life, right?

Edward Farrell:

Yeah, there is. I would also say within that, when I was studying full-time, I was doing 20 hours university a week and I was in the “P’s get degrees” mode, and that was the first half of my degree program. The second half, I was working full-time, I was studying full-time, I was doing surf lifesaving fairly regularly during the summer months. My grades improved drastically. I’m a firm believer, don’t do this, “Oh, well, I can only work 37.5 hours a week and anything else, I need flex time. I’ve got to go home, and I’m going to watch Housewives of…”

There’s a lot more you can fit in your day. After I’m done with work today, it’ll be 10 or 12 hours, but I’m going to go out for a run, and then probably going to read a book and that’ll be my night. There’s so much more you can do and fit into a day than a one-hour university class that exhausts you.

Cole Cornford:

Yeah, I find that if you want something done, you give it to the busiest person, because they’ll find a way to fit it into the schedule and get it sorted. If you’re giving it to the people who have the most space in their calendars, tends to mean that they’ll just kind of procrastinate and chill a bit on it because they can do it any time, right?

Edward Farrell:

Yeah, yeah, exactly. Well, also, and I’m trying to get this going with our workforce, is to get them into a state where they are remaining active and doing as much as they can. Doing as much as they can, but also getting a bit of structure with their hours, or even structuring and planning with their execution.

Cole Cornford:

That’s probably a good segue. In 2015 you started Mercury after what, seven, eight years of consulting at Stratsec and a few other businesses, right?

Edward Farrell:

Yeah. I would’ve done about four and a half years, some of that part-time at Data#3, and then Stratsec, I did four and a half years, and then there was another firm I did about nine months before I moved on.

Cole Cornford:

What led you to wanting to start your own business? Because I find that every entrepreneur tends to have their own story about why they want to do it.

Edward Farrell:

Yeah, actually, it’s interesting. I had to reflect on this in our latest team meeting. The call I made was very much one of self-care. I was getting a little bit frustrated that the team I was working in at the time, I was doing 100% delivery. I was then doing another 50 to 60% of administration, and the administration was quite annoying because I had staff that just did not… The staff I had working with me just weren’t committed and motivated, and things like quality assurance and having a bit of pride of the documents that they were authoring, just it wasn’t…

I mean, that did start to change as I got new people into that. But for me, the call I made was, “All right, I need to stop, go out on my own. But in doing so, it needs to be an act of self-care.” That is, I will work 50 or 60 hours, but I will do it in my own time, at my own pace and in my own ethic, and I think that was a big thing.

Cole Cornford:

Yeah. I think that’s really good, because it means that you have the ability to choose to scale your hours up or down based on how you’re feeling. You don’t need to be an enormous firm because you’re not motivated by building that three-tier professional services model so that you can maximize income. Even just the numbers you gave just before. 100% chargeable, and then 50% administration on top of that. That already means that you’re working 60 hours a week, and I know that that’s how a lot of the big four are supposed to work to actually make things profitable, but man, that’s not a good life.

Edward Farrell:

It’s not, especially when you’re not a part of it. Whereas I think one of the ways I’ve structured Mercury, I mean, we now have 12 staff, of which only one is non-billable. Outside of that, the business runs itself. There’s a lot of automation and a lot of processes. We are having to re-engineer a lot of it as part of our growth, but I think a philosophy I’ve always leaned in towards is if it’s a manual process, it should be automated. Whereas I think there’s a lot of other businesses, and I’ve written about this several years ago when I started looking at putting these in place in 2017, it’s how do you make your operation efficient.

I think certainly in a lot of professional services practices, the new pen test practices are putting onto it, but how can you have some more automation to actually augment functions you are performing, so that you are working not so much less hours but the hours you are working are operationally efficient and meaningful and you’re not going to burn time doing hand jamming things where you can make errors.

Cole Cornford:

Yeah, because it’s also a retention issue too. You don’t want to have highly qualified, motivated staff members filling in time sheet blocks and a statement of works and so on. As soon as they’re doing that and just jumping into every scoping meeting and painting in their lives instead of giving that to someone else who’s given a process, or even letting people self-serve through a process. I come from a software engineering background, so everything about automation absolutely makes sense to me. In fact, it’s probably kind of refreshing to hear from a pen testing firm that they need to look at what processes can we just optimize and automate as much as possible, right?

Edward Farrell:

Well, to me, a lot of it comes… I mean, I still believe in a consultant-driven workforce, that is as consultant, you should be selling, you should be scoping, but you should be finding the easiest ways to do it. We’ve hired salespeople in the past. We generally minimize what we have on board for folks supporting us with the sales effort, but you can find that middle layer can end up creating a lot of unnecessary process. Whereas if you are the consultant, you’ll find ways to deliver things at the best value for your customers in the simplest time possible. I think that’s what a lot of people are asking for in the Australian market is how do we do this job without creating a massive, bloated spreadsheet that somehow translates to security.

Cole Cornford:

I feel like it’s always going to be the problem with most of our style of firms and professional services is the scale challenges, the scale of individuals. Because if you keep hiring people who are really quite qualified and you need to retain them, there isn’t really an up or out kind of pathway for a lot of them, so they might just move on to go create their own firms and stuff in the future. And then, you, I imagine, get stuck around 20 to 40 individuals. I guess it depends on what kind of scale firm that you want to be at, but you’re at 12 people, so that’s a really good position to be healthy, for people to be able to choose to do what they want to be doing. I think that’s very commendable.

Edward Farrell:

Well, I would even say within that, you talked about up or out. I think we also probably want to rethink, I call them pyramid schemes. If you look at the big four, it’s, “Okay, how do I get to being a partner and making half a million dollars a year?” Well, I need a bunch of managing consultants, then I need a bunch of principal consultants, then I need a bunch of associates that are just flogging themselves to death. The scale of that has a triangle looking structure to it. I think there’s a piece where we’ve got to look at our firm structures and how do we create that middle layer of competent operators that know what they’re doing and are remunerated for it. Your management layer, I’m not going to say takes a pay cut, but you understand that your job is more observation and control to an extent, as opposed to driving people into the ground.

Even I make sure that I still hook in on things and remain current to an extent. I have been told Chris, in my team, had to get me to pull back on an engagement recently because it was like, “Hey, this isn’t your area of expertise, it’s mine. Please leave this with me.” I think the fact that our firm has that honesty and integrity for someone to actually tell the boss to, I’m not going to say nick off, but tell the boss, “Hey, you need to go away. Do something else.” It was actually quite refreshing for me.

Cole Cornford:

It’s really good that you’ve been able to build that kind of culture. I think a lot of people would be very scared to even have that kind of conversation. It’s just like, “Oh, do I want to put my job at jeopardy?” I guess if you are confident in what you do, you’re a good consultant, then you know that you’re quite employable. If your manager isn’t going to listen to you about your expertise, do you really want to be working in that kind of environment? Yeah?

Edward Farrell:

Yeah, no. No, definitely not. Yeah. In fact, I think that’s probably a broader issue we have with the Australian market. So much of it has an emphasis on relationships that are usually built by someone who works in sales. I think it’s curious. I’ve seen firms where that’s been phenomenal. There’s one in Melbourne that I’m actually, I’ve got a lot of time for, but the folks that have built it have built it from a sales standpoint, but built it with an extreme degree of empathy. Whereas you have others where it’s a, yeah, we’ve just got to build this so we can sell it off to name your big four.

Cole Cornford:

Yeah, I guess it depends on what the motivations of the people who start the businesses are. Like you said at the start, your motivation was to just give you some flexibility and live a lifestyle where you can choose to go for a run in the afternoon after work and balance your teaching commitments as well as just do some interesting technical work.

For myself, I want to provide for my family, and that means being quite present, so opportunities that allow for remote. I still travel, I still go out to different events, but I’m not going to flog myself, so I just won’t be able to go to art class on Mondays with my daughter and watch her paint. She does really good paintings. It’s one of a crocodile in the background in my office, and I really like that. I just want more paintings. I guess I’m a connoisseur of children’s art at this point in time. The more children’s art that I collect, the better I feel like I’m doing at being a dad.

Yeah, part of running a business to me is having that flexibility. I can choose to go to a conference and not stress about whether my manager is going to be upset with me, and it’s an intentional choice to sacrifice chargeability to just go and see people have fun, enjoy the experience.

Edward Farrell:

Yeah. Look, an exercise I would encourage anyone listening to do is ask yourself the question, how much money do you need to live, and then reverse engineer it in terms of a day rate. I’ve done the calculations on this in the past. If you want, I can flick you some of the spreadsheets that I’ve put on Google Sheets for it, where it’s, realistically, you’ve got maybe 200, 220 consulting days a year. You multiply that by the requisite daily rates, and then you realize not so much how little you need to work, but what you can achieve with only so much, and then just working your budgets backwards from there. It’s surprising what could be done.

Conversely though, it’s also you want to make sure you’re saving up and retaining a bit of money just for the bad times when they do come.

Cole Cornford:

I guess if you do that as well, it’s a good way for you to basically benchmark what the difference is between what you’re doing right now and what your goal is, and then you have to really think hard about how do I get to that point. Because it might be that you set yourself up for, I don’t know, let’s say that you’re pulling yourself out at $1,000 a day, and then you realize you’re getting locked out of the market and you see everyone else is on two. Then you have to ask the question, how do I become a $2,000 a day person? How do I get to that?

I think that that’s a really good way of changing people to move away from, “I’m just going to be a technical specialist,” because the people getting paid those really high rates, they can go a lot higher than 2k a day. I can tell you that a King’s Counsel’s a 15, so day rates are stupid in professional services. But the main thing is that if you are valuing yourself backwards from this is what I need to live and what is the gap between that and where I’m at at the moment, then you can actually really critically analyze where do I need to develop myself.

Edward Farrell:

Yeah, absolutely. I think it won’t go too much into our business strategy, but we are diversifying this role to take the pen test and skills that we’ve had for the last eight years and build it out into the services that Australia needs. I think I see it a lot with folks where they’re getting quite obsessive about, “Okay, I need to become a pen tester. I need to become an IRAP assessor, because this is going to solve all the world’s problems.” Well, no, it’s not. Here are the services that you do need to be focusing on and delivering against.

Cole Cornford:

One of the things, I did a presentation a few weeks ago at the DPS Conference in Canberra. I really talked about how the cyber industry basically is people pat themselves on the back a lot of time, and the way that we value ourselves is on our ability to do technical research, on how our peers perceive us at conferences, on the types of certifications we acquire. But ultimately, none of those things actually matter to the clients that we serve. What they care about is, “Do I like working with this kind of person? Do I understand the challenges that my business is facing, and how do I keep myself safe within my tolerances of risk?” I want us to try to move in that direction.

I know that you quite frequently blog about a lot of different topics to do with these kinds of things. What would you say are the best blog posts that you’ve written in recent history?

Edward Farrell:

Recent blog posts, I think some of the ones on job and value and on some of your mathematics towards start of this year were well received, to analyze where the market is at. I had an interesting one in terms of analyzing some of the job roles out there. They’re all on my LinkedIn. The recent one though, which has actually struck a chord was our Internet 2.0 research, which looked at a product called the Internet Cloaking Firewall. Once again, that was an eclectic mix of technical aspects as well as some of the business aspects and the value for money and the support framework around that product.

Whilst we found some really epic technical stuff, I think the interesting thing for me was more so what does the support infrastructure look like as well as, well, what’s the value for money and what is a customer getting off this thing? I think you and I were talking about it before. I don’t like bringing in drama or anything, but I think, for me, it was an interesting objective reflection on where businesses can go and also what does value look like in our industry. Those, I think, were some of the more significant ones, but I’ve done a fair few posts over the years. It’s definitely over the last eight years. Now, I have to go back and have a look at them all and probably pick out a few of my favorites.

Cole Cornford:

I also saw one that you commented on earlier today from Tony Vizza about the professionalization of cybersecurity, and I thought that was a really, really good post as well. Maybe you could tell us a bit about why you agree with his views there.

Edward Farrell:

Yeah. Look, I think Tony and I agree on a lot of things. We disagree on a lot of things. I think the one that we definitely agree on though is the idea of professionalization of the industry. It was why I joined the board with ISC2 at the start of the year. We were talking before about what I refer to as the pyramid scheme of cybersecurity. However, we look into our past, whether it’s the medieval craft guilds from a few hundred years ago that said, “Hey, here’s the structure to bring someone in and train them up and then make them a master, as well as how do we make sure that they retain a reliable income that keeps them alive.”

We had those historical processes, but also the last 150 years, you look at the medical profession, we’re teaching a lot to the medical profession about the security of their devices. But I think we also have an opportunity to learn from them of, if you go back into the 1850s, especially in the United States, to become a doctor, it was about as easy as getting your CEH. You just had to answer a few questions, pay a few dollars, and suddenly you were a doctor the same way you can be a certified ethical hacker.

However, when the Civil War started, it became apparent that, yeah, some of these doctors don’t quite know what they’re doing, so you actually saw Johns Hopkins University come about and create structured programs, and then you saw that evolution over the years, to a point where we now actually have people get qualified as doctors and we trust our medical professionals. I think that should be our goal in cyber is how do we become like medical professionals, like pilots, like accountants, where this isn’t simply a job you get because you could emulate a TED Talk you saw.

Cole Cornford:

I think it’s really hard to… What do you call it? Right now, the majority of professionals in the field, I feel, have basically been just taught random techie stuff. And then, I guess, the core aspects of what I’d be looking for in a professional is that there needs to be some level to accredit and assess that they are able to communicate in plain English, pass some certifications or exams. What do those look like? I don’t know, because there’s so many different types of disciplines and parts of cybersecurity, and I guarantee that I’m not going to be able to list all of them.

But yeah, how do you go, how are you going to use ISC2 to help drive this kind of agenda? Because I know that they do do CISSP, and that’s considered a pretty good benchmark from a lot of professionals that have a broad range of cyber experience. But again, it’s a test that can be learned by grinding through a lot of written book content, and I think that that’s quite different from the practical skills that we need with a lot of these systems as well. What do you think is a good way to balance this?

Edward Farrell:

Look, I think there’s an industry paradigm that needs to be looked at. Reason why I like reflecting on [inaudible 00:29:47] as the measurement is you would have your master craftsmen and you would have the purchases associated without crafting and the wider guild, and then you’d have the intermediaries and the journeymen who would be kind of your mid-range folks that were quite capable, quite competent. But the idea is you collectively train and grow people as a guild to get them to that standard. I think we, as professional organizations, whether it’s Galah Cyber, Mercury, [inaudible 00:30:19], Vital Advisory is another firm that comes to mind in Sydney.

Cole Cornford:

Is that Paras?

Edward Farrell:

Yeah, Paras and his crew. You can actually see there you have Gary and Paras there. Both of them are incredible professionals that bring decades of knowledge to the role, and they’ve got a really cool cohort in their business. I think if you look at all of our businesses, we’re already starting to have those structures where you have an SME who still remains quite competent at the top of those organizations, but there isn’t some Victorian-era upstairs, downstairs approach, where it’s a salesperson flogging his or her pen testers or governance consultants at 150% utilization and telling them to fill out their time sheets. It’s a more organized, more structured approach that has that mentorship. I think that approach to mentorship and growth within these businesses and the reliance on quality product by them is what’s going to save us as an industry.

Cole Cornford:

I guess that makes sense to professionals as well, but do you feel like there’s probably been too much product capture over the industry as well? Because it feels like when I went to, say, AISA CyberCon last year, there were millions of products and very few firms that actually just provided services to people. I feel like a lot of the gap in the market at the moment is understanding what holes you even need to fix within your businesses, and then choosing the right products to use in those environments, and that’s overwhelming for a lot of people. They need to be seeking professional advice, and there’s no real way to distinguish it for a lay person. Do you feel like we’ve got too many, I guess, tech solutions in the market at the moment?

Edward Farrell:

Yeah, I would agree with that. I think it was something I did see a little bit at the hall, but also you’ve got to remember, right, this is what happens with the economics around this, which is to say, this is where people put money. A professional services firm, if you are… For those listeners that are looking to on-sell their professional services firm, being a PS firm, if you were to sell it to a Deloitte or a PwC, you’re looking at a valuation of between 2 to 3X up to about 5X, depending on what established relationships are going to yield over time and remain in play.

However, if you are a product-based company, where you are not relying on a backside of [inaudible 00:32:53] to achieve an outcome, and it’s a product that can easily scale, that turns into 10X and 20X. So if you’re an investor and you dump $5 million into a company, you get that company valued at 50 million so that you can then on-sell it to the next person. We’ll go, “Well, I’ve got a $50 million pub key,” realistically, it’s a 500 million pub key, and they’ll then IPO it and make their money that way.

I think the issue here is, you and I both recognize there’s an objective and a goal that needs to be set by the market, but the reality is the economics still tend towards products as the focus for solving all of our problems, when quite frankly, there is an intellectual need to get people up to that standard. In my opinion, a pen tester takes us about, I would say probably, minimum one year, sometimes two years to actually build into a competent professional. Even still, there’s an ongoing consolidation and learning process that, in the age of TikTok where you’ve only got 30 seconds, people are just going to overlook.

Cole Cornford:

Yeah, I guess it’s going to be people just looking for a quick fix to solve their problem. We’re going to go out and buy the latest WAF, and then we’ll never have to worry about [inaudible 00:34:06] because we have fixed Java. It is done.

Edward Farrell:

Yes. Yep. Well, EDR was going to replace AV, and I’m just trying to think what other solutions are going to solve all of our problems magically.

Cole Cornford:

My background’s DevSecOps, and well, AppSec technically, because DevSecOps is a subset. But I’d say the majority of the professionals in the application security trade have done software engineering at some point in their careers, because you’d be pretty bad at AppSec if you can’t talk to software engineers or build solutions yourself, I’m going to say. But anyway, besides that, it also means that if you’re a software engineer, you know how to build things. You see a problem and then you go build an open source product to solve it.

But the majority of the problems that I encounter and see in a lot of these bigger businesses are around processes and about educating people to be effective with the products, but the usual response is the product doesn’t work, we need to go buy a different product. So, we have a revolving door swapping between different types of static analyzers, web scrapers and scanners and firewalls, when that’s never the issue in my experience.

Edward Farrell:

Yeah, exactly. Well, the reason why people are looking for the products though is because it’s like… Funnily enough, one of our clients had this one dude who knew everything about the organization and all its systems, and he was pretty much embedded into the company. We sort of did this piece of, well, if he gets hit by a bus, what happens to that? Well, everything stops working. I think the reason why people look at products is because the machine will last longer than this human, unfortunately, and you’ll have that reliability and that reproducibility. I hate to admit it, we had it with one of our pen tests fairly recently where we found a bunch of bugs, but we didn’t find all of them, and it came down to… I looked at it, we did our after-action review, and it was just that the pen tester was having a bad day. People will rely on the product when the human fails. I mean, thankfully, we pick up most of that stuff with our quarterly assurance processes, but this was about one in 1100 engagements we’ve had over the years where we made an honest mistake.

Cole Cornford:

I’d like to move to a couple of fast questions for you then. For these ones, just say whatever comes to mind. Let’s have a go at answering it. First question is, what $100 or cheaper gift would you give to a friend? What’s the best one you can think of?

Edward Farrell:

The best cheap gift?

Cole Cornford:

Yeah. Something that if you had 100 bucks to spend to buy someone a gift, what would you spend it on?

Edward Farrell:

Lock picking set.

Cole Cornford:

Lock picking set. All right. Why that?

Edward Farrell:

Probably the experience I just had with my niece and nephew that visited recently. They, one, got very excited by it, but two, it was then, okay, you can only use this on this training lock I’ve given you. But now, you have an opportunity to learn, understand, and conceive how security works. It’s a novel, unique gift, and they’ll remember you for it. It’s going to sit on the coffee room table and when they have guests over, they can do a magic trick.

Cole Cornford:

I was at a careers fair earlier this week, and there’s another cyber company called Alpha Echo, and they brought a door in and were using… I’m not even really sure how to describe it, but it had a torsion wrench, of course, because I’m not really a physical pen tester. A torsion wrench, and then a device where you click it, and then I think a bumper is what they described it as.

Edward Farrell:

Oh, yeah.

Cole Cornford:

And then, you could use it. You just got all these high school students to come in and then have a go at trying to bump the pins in the lock and then twist it with a torsion wrench. I thought that was a really engaging way to get a lot of high school students interested in cybersecurity, even though physical security is not really cyber, but the idea, I guess, is that they’re like, “Oh, I can do this with computers too?”

Edward Farrell:

Yeah.

Cole Cornford:

Cool. Next question is what book would you recommend that aspiring students read to get a good understanding of cybersecurity?

Edward Farrell:

It would depend on where the student is at. I think Kevin Mitnick did good. There are all the controversies behind Mitnick. I would say his books were quite easy to read. However, if you do want to level up, I would suggest David Kahn’s book on cryptography.

Cole Cornford:

What’s that book called? Is it Real World Cryptography?

Edward Farrell:

Let me double check. The Codebreakers. David Kahn.

Cole Cornford:

Ah, Codebreakers. Okay, there you go. Art of Deception, and Art of… Are those the Kevin Mitnick books?

Edward Farrell:

Well, Mitnick has a few. Art of Deception looks at the more human aspects, whereas the Art of Intrusion looks at the more technical aspects. I think it also just very much depends on what’s your flavor.

Cole Cornford:

My view is that it’s important to read books, and one of the reasons I think is that listicles and blog posts and articles just have nowhere near as much curation put into them as a book does. A lot of the books that were written a long time ago, I’d say even the Phoenix Project or Smashing the Stack or whatever, they still have really good approaches to security, and I still think are really important for people to read. Yeah, you might get a little bit annoyed that the content isn’t as courageous as it should be, but the quality of what you’re receiving compared to some ChatGPT content farmed article is tremendously better. So, I always encourage people go read books.

Edward Farrell:

Also, over time, you actually engross yourself in that book. In doing so, you get engaged and you stay engaged, and that’s what a book should be doing. I’ll come back to the report that we did for our product research against Internet 2.0. We really took our time to press that ad into 60 pages there. For a lot of people, it’s too long to read. If you take that time and put in your effort to reading, it’s not just that one point you’re absorbing. It’s a litany and a logical process of how did they get here, and that in and of itself is an education.

Cole Cornford:

Cool. Okay. The last question I have is, as an entrepreneur, what is your biggest kind of mistake that you’ve made early in starting your business?

Edward Farrell:

I wouldn’t say it was a mistake we made, but it was a weakness that I overlooked. I would say I’ve always struggled with being able to engage with human beings, and I didn’t learn that skill effectively until I started my own business. I think, for me, I should have actually taken time, mapped out what I was good at, worked out what I needed improving on, and really committed to that improvement.

Cole Cornford:

It’s probably the hardest skill. I think that one of the reasons I’ve had success is that I guess I’ve spent a lot of time focusing on communication, on writing, on being able to do public speaking, on fairly human activities. We consider how people interact with each other and less so the techie stuff. I’m still really good at my traditional strategy, DevSecOps, cloud stuff and all of that. But at the same time, I think that a lot of people just focus on the techie tech stuff because it’s so easy to just open up MDN and learn browser fundamentals in detail over a weekend, just sitting down and reading through the Chromium source code. But it’s a lot harder to say, “Hey, I want you to go ring people up and then have them tell you to stop calling them because you’re annoying them,” or to not be awkward at conferences.

Edward Farrell:

The two best training aids I would give to that: Chris Hadnagy’s book on social engineering. I think Chris actually takes the idea of human engagement and almost puts it in an engineering mindset, which I found incredibly helpful. I think for some people, Chris is a controversial figure, but I think the reality is that doesn’t stop his authorship from being awesome as a place to learn something from. Also, I would suggest trying your hand at speed dating. You don’t need to come out with an outcome, but at least use it as a learning lesson, because you’re not necessarily going to need to win at that. But for winning at human engagement later on, that training aid will help.

Cole Cornford:

Honestly, if speed dating sounds intimidating to a lot of my listeners, or you’re married and that would be a very awkward discussion with your wife, just go pick up hobbies, like group hobbies. I know so many cyber people who, when I’m like, “What are your hobbies?”, they’re like, “I ride my bike and then I go for a swim and then I do running,” and I’m like, “Oh, so you just do a bunch of solo sports where you don’t interact with anyone,” or, “You’re a deadlifter and you just sit there with your headphones on at the gym.” And then, they wonder why they have issues relating to people, because their lifestyles, their hobbies, and even video games and watching anime and television, they’re not getting outside the house, right?

Edward Farrell:

Oh, no.

Cole Cornford:

I love all those kinds of things, by the way. They’re hobbies that I enjoy. But at the same time, I’m not the person that needs to work on continuing to build that kind of skillset. A lot of the cyber professionals I meet do though. They need to go to art galleries and ask people about artworks, or go to a pub and just start talking to random strangers and play pool with them or something. It’s a challenging environment to do that, but I encourage people to give it a go.

Edward Farrell:

Well, the other one I’ll throw in there, community groups, surf lifesaving, Rural Fire Service, Volunteer Rescue Agency, and St. John’s Ambulance, because they will also teach you personal resilience without an immense degree of hardship. Those skills are also, I think, undervalued in what we do.

Cole Cornford:

And also really meaningful stuff. All of those things. I know a few people who work for the RFS up this way because in the Hunter Valley, there’s just lots and lots of bushland. It’s farming, it’s all vineyards. It’s important not to burn down, so a lot of people like to volunteer. I encourage people go out there, go pick up some hobbies, and also just go volunteer for your local community service groups. Good call out, Ed.

Thank you so much for coming on, Ed. I really thought this was a great interview. Anything else you want to close on?

Edward Farrell:

No, no. I think we covered off a lot. I’m on LinkedIn. You’ll probably see me making a very smart comment in Cole’s LinkedIn. But yeah, Cole, thank you so much for having me. It’s been phenomenal.

Cole Cornford:

Been a pleasure. Thank you.

Thanks a lot for listening to this episode of Secured. If you’ve got any feedback at all, feel free to hit us up and let us know. If you’d like to learn more about how Galah Cyber can help keep your business secured, go to galahcyber.com.au.