Whisky to Firewalls: Jason Murrell's Unconventional Path to Cybersecurity

Jason Murrell:

As a defender, you could stop a million attacks. And you’re wrong once, and you’re hung, drawn, and quartered for it. That’s not a good position to put people in either. It’s a stressful enough job as it is without having that as your ultimate outcome from a state.

Cole Cornford:

Hi, I’m Cole Cornford and this is Secured, the podcast that dives deep into the world of application security. Jason Murrell is a cybersecurity advocate and consultant with more than two decades of experience in business and entrepreneurship. He spoke about both successes and setbacks he’s experienced in the startup world, including as a founding shareholder in Starward Whisky and co-founder of Altius Mining. In recent years, Jason’s career is focused on cybersecurity, including roles such as the COO of Cyber Aware, and the group executive of AustCyber. We chat about how Jason’s business experience has helped shape his approach to cybersecurity, learning from mistakes, financial literacy, and plenty more. So let’s jump right in. And we’re live. So hey Jason, how are you going?

Jason Murrell:

Very well, Cole, how are you going?

Cole Cornford:

I’ve had a crazy day. I started at Newcastle Uni giving a lecture about risk and I know that that sounds really boring, but it was pretty fun actually.

Jason Murrell:

Not to me.

Cole Cornford:

I was talking about the likelihood of getting punched in the face as a way to make it relatable to students. Saying you can wear a motorcycle helmet to control the risk, or you can never leave the house to avoid the risk, and got a bunch of laughs out of a topic that [inaudible 00:01:30] is pretty dry.

Jason Murrell:

Well, that is good, yeah, we’ve got to make risk interesting. I think that’s one of the ones, when talking about incident response I always say, is the old, everyone has a plan until they’re punched in the face, the old Mike Tyson line. You can run a plan if you want, but it’s not until you actually get a real incident, you actually see how well-prepared you are for it. So very similar to Mike Tyson smashing you in the face, I’m sure.

Cole Cornford:

Yeah, so that was a good one. And then just had a bunch of coffees with just random people, because as a business owner, you’ve got to go out and sell. So just-

Jason Murrell:

Yeah.

Cole Cornford:

… meet as many people as possible and see who wants to actually sign. So, and now I’m back here, doing a fun podcast of you.

Jason Murrell:

Oh we’ll hopefully get some people signing off the back of this for you.

Cole Cornford:

Yeah, so thanks. So first question I ask almost all my guests is what kind of bird are you, and why?

Jason Murrell:

Okay, bird? Probably my favorite and it’s not a bird, it is a great white shark. So I’ve always had an affinity to those or been interested.

Cole Cornford:

It’s a seabird, right? It’s a bird that swims in the sea.

Jason Murrell:

Yeah, we’ll say a seabird. Yeah, maybe they probably eat seagulls, or something like that. So I think that’s only tenuous link I can put to that, but always been fascinated by them. So I’ve done cage diving with sharks in South Australia, off Port Lincoln, and everything’s just one of my favorites. But yeah, they probably do eat seagulls and other seabirds. So yeah, I’ll just go with shark as I said.

Cole Cornford:

So but why great white over the other ones? Is there just Aussie?

Jason Murrell:

It was just an affinity I had just from a young age, I think I watched one of the, it might’ve been on ABC or something like that, it was Valerie Taylor swimming with some great white sharks, and her husband Ron was filming. From there I just had an obsession with any documentary that was around great white sharks, and obviously misunderstood. I mean obviously there’s occasional death happening from sharks, but we’re in their domain when we’re there, so there is some risk, but more people die from getting kicked by a horse, or thrown from a horse, or stung by a bee then great white sharks, but we don’t go out and try and eliminate all that. But they’re fascinating when you get to know them as a species. So love anything around great whites.

Cole Cornford:

Good lesson in risk management, right?

Jason Murrell:

That’s right. Keep out the water.

Cole Cornford:

But sharks are … One of the things is I feel in cybersecurity, a lot of the messaging that we do, is there are sharks in the water. Be wary of the sharks in the water and that’s how we portray adversaries a lot the time. Which I don’t think is particularly helpful, because it’s the same as us telling people, “Hey, don’t click on links, or watch every email, or don’t go swim outside the flags,” or whatever. People are going to do what they’re going to do, and just trying to scare people the whole time means they’re not really going to be looking into it all that much.

Jason Murrell:

Yeah.

Cole Cornford:

Here we are with our fellow sharks.

Jason Murrell:

That’s right. I think, yeah, that’s, I mean, probably a tenuous link to others, but I think you’re right. There is a lot of similarity there, that sharks and shark attacks, they tend to happen at sunrise or sunset. It is often where they’re mistaken for, to say, surfers on a board, it looks like a seal from below. There’s a lot of things that you can do to mitigate those situations as well, like checking a link, or hovering over it before clicking on it, or going to the proper site, and all those sorts of things we teach in cybersecurity. Maybe we can make a whole course designed around sharks as attackers.

Cole Cornford:

We’ll call it Cyber Shark Week.

Jason Murrell:

Cyber Shark Week?

Cole Cornford:

And make it-

Jason Murrell:

Well, someone’s probably got it. So I’m sure if we look for it, that’s probably registered somewhere. So yeah, no, it’s fascinating when you look behind it, like anything as you say, risk can be mitigated by just being logical in most cases. And it’s when people aren’t being logical or do stupid things, they increase their risk in any facet alive. So I agree with that.

Cole Cornford:

Yeah, enough about sharks. I know that we could talk all day about them. I think what I’d like to hear about is about your story and your career, because I’ve had a look for your LinkedIn and you’ve been through a lot of different types of, I’d say, careers and roles, and eventually ended up in cybersecurity. But maybe you could outline where you came from and just tell us about the different parts of your career?

Jason Murrell:

The start of it really was probably more in financial services, is where I started. So I did a diploma in financial planning back in the day at Westpac Financial Services, and that was more to understand obviously finance. There was a personal event, I think a lot of people do things because they want to learn for themselves before they help others often. I’m sure a lot of us in cybersecurity are like that, but also someone who might’ve had problems with their teeth might tend to be a dentist, so they can help other people, or whatever the case is. So I think sometimes you get got that way. I had done some little businesses beforehand, and had been stitched up by some people, let’s say, that I’d gone to business with, from not understanding numbers and how things worked on that front. So I was refinancing a house, and actually the person I was refinancing with said, “We’re actually looking for financial planners. They’ll pay for the course,” and all that sort of stuff.

And that’s how that happened from there. But once you’re in the banking environment, it was fairly restrictive with the advice you could give. You were pretty limited to just, say, selling Westpac-type products, or there was a wholesale fund you could sell to. But quite often the advice was pretty boring, because people were coming in and going, “I want to invest in shares and make money out of the share market, and I want to get a 10% return or 8% return,” whatever the case was. But you’d sit down with them, Cole, and they’d have 45 grand worth of debt on credit cards, paying 17%.

It’s like, “Well, that portion of money you want to invest, probably clear that first because I can’t guarantee you 17%, but I can guarantee you’re going to pay negative 17 if you don’t clear that debt.” So it ended up being quite basic things we were doing that way. There was some big ones. The biggest one I had was a couple of million dollars from a sale of a Bunnings, or a site to a Bunnings store, back in the day. Block of land and this farmer came in, said, “About $2 million, what do I do there?” But yeah, it was pretty restrictive. So I’d actually gone to a seminar myself, and then started to see about buying and selling businesses, or capital raising and startups. And that piqued my interest a bit at that point, and I ended up moving to Sydney and starting an advisory business, and that’s where the gold business started.

That’s where I first came across the likes of Starward Whisky and all those sorts of ones. There was a Thai recycling business in there, multiple businesses that were in there. We started probably a bit early on, on the green bit, with some businesses that were in recycling and things of that nature. The green slant wasn’t as big back then in the early 2000s as obviously what it’s now, but a few of those took a bit a while to get up. But yeah, that’s how it started going from finances, and then into capital raising. What amazed me, is that you could start a business with nothing, give yourself shares at nil consideration, and then you’re basically printing money in a way, by issuing shares into people who’d buy into it.

That was the thing that fascinated me, is that by doing startups, you’re starting with nothing, or minimal capital that you put into sweat equity, but you can start up a company with shares. And then as you issue those shares and the value comes, your shares go up in value. That really interested me, that you could do that and you weren’t restricted. You could basically come up with ideas, and then have a crack. They don’t all work, but when they do work, they’re really good. Like you mentioned Starward and some of the others.

Cole Cornford:

There’s a few things I want to unpack there. I think financial literacy is something I don’t see particularly much in cybersecurity.

Jason Murrell:

Mm-hmm.

Cole Cornford:

I mean everybody says boards need to have more cyber literacy, right? They don’t understand how do we manage patching across our workforce, or any of that kind of stuff is things that they just don’t really get a lot of time. But by the same token, I’d say that a lot of cyber professionals aren’t able to do double accounting, or to talk about profit/loss statements, or return on investment. The credit card debt, that’s a great example.

Jason Murrell:

I think we should be teaching cybersecurity in schools. We teach kids to wear a seatbelt when, they brush your teeth. And I can hear you’ve got some young kids in the background. My girls are older, they’re 18 and 21, but when they’re young, we could be really teaching them about strong passwords, or password managers, and multi-factor authentication, and updates when available. It’s Slip-Slop-Slap of cyber for kids to throw that in. And also, as you said, Cole, I think we should be teaching financial literacy from an early age as well. The Dollarmite account back in the days, where you get kids, just investing money into a bank was obviously a good strategy for Commonwealth Bank to pick up customers early.

But what was that really teaching kids about financial literacy. So if we could throw those two things in the mix earlier, I think that would benefit everyone, because to be able to read P&L, a profit and loss and a balance sheet, and to actually be able to work that out, debits and credit, source and use of funds, just the basics of finance, would be great I think for all of us to better control what we do. And what’s good debt and what’s bad debt. Yes, buying a house and investing in that, that’s good debt. And then you buy a car or a depreciating asset, or spend it on your credit card buying clothes or whatever, bad stuff. I think it sounds very simplistic. And cyber can be in the basics as well and our foundation, and I think finance should be similarly taught in a way where we can just get those foundational basics in place, just to be able to budget and just do the basic things we need in life, especially in these tougher financial times.

Cole Cornford:

I’m doing two things, in I guess, those realms at the moment. So one of which is I’m working with Investment New South Wales to look at high school students and getting them to consider cybersecurity outside of the traditional, “Let’s just don’t click on links,” and just get away from that kind of viewpoint. And also to stop scaring people away from, we build our entire discipline on people, process, and technology. So why do we only exclusively follow on the tech stuff and say, “You need to be a programmer or a network security analyst, and understand how to run [inaudible 00:11:11],” when what we need is diversity of thought and different types of opinions and viewpoints. And by the time people enroll at university, we’ve already failed with creating that pipeline, because we already know that computer science, software engineering is going to heavily weight towards 90% men. So we’ve already lost half the population at that point.

Jason Murrell:

Yeah, no, you’re right. And they drop out early, don’t they? The girls. I know, a friend of mine, Kylie Watson, she said her daughters were getting into coding, but a lot of boys, so they tended to drop out by the time they get year seven. Jacqui Loustau from AWSN, they did a study recently, I think, with RMIT, where it said that I think it’s 17% women in the workforce, and you’ve got Untapped, another organization for neuro-diversity, trying to look at things. And you’re right, it’s a big piece where we need to grab people from other industries maybe, for governance, risk, and compliance, from legal or accounting. We’ve got a big gap there that we could fill, that we could get a bit more flexible with, to try and bring in people and attract people. But I think one of the key things is that we need a cradle to grave approach too.

So we need to start at school and make that pathway possible earlier. And as you say that there’s multiple disciplines and multiple streams we can do from awareness. Like when I started with Jono and he was studying up Cyber Aware from the awareness and phishing stuff, where you could have a different skillset all the way through to pen testing, and red teaming, and all the other things that people get excited about. But there’s a big sphere in between that we can be doing as well. So yeah, it’s a very broad church that we’re narrowly focused on unfortunately, and often looking for the same type of person or avatar of what that should look like.

Cole Cornford:

We’ll get there eventually though. So as long as we keep putting effort into thinking about what’s happening with pipeline at all levels, because we do need people who are board directors and senior leaders to get to a point where they can have meaningful conversations about cybersecurity risk. But we also need to have people not self-selecting out of careers in their pathway, whether they’re mid-career and looking for something different, or just beginning their university degrees. Just needs a whole society, a different approach to it.

Jason Murrell:

Yeah, we’re getting there, but as you say, slowly, hopefully this new 2030 strategy will make things fast track a bit more.

Cole Cornford:

I’m really keen to learn more about that, but let’s stick to the financial literacy piece for a bit too, because I think that’s made a big difference to my career personally. Because it’s meant that I’ve been able to have more meaningful discussions with senior leadership about why we would invest or spend money on certain types of things. Maybe not even invest, because you don’t get a return on securities, just a waste of money, right?

Jason Murrell:

Well that’s what they say until I get a hit.

Cole Cornford:

Until they get hit, right? Maybe it’s insurance, but ultimately you can have these kind of discussions. And I didn’t really learn this stuff until I was already been working for six, seven years. I think the thing that made me really understand this stuff in great detail, was actually running my own business. Because-

Jason Murrell:

You have to know your numbers?

Cole Cornford:

You have to know your numbers, you have to be able to plan cashflow, you need to understand what the hell the difference between IAS and BAS is.

Jason Murrell:

Yep.

Cole Cornford:

If everyone’s financial literacy stops at buy ETFs because 5% return forever is great, maximize your super, and don’t get credit cards, then I feel like we’re all going to be worse off.

Jason Murrell:

Yeah. Well, especially with inflation the way it is at the moment, what’s on the horizon possibly as well. That’s interesting, I did a session last week with Pitcher Partners where they’re a consultancy accounting firm, but they bought all the partners around.

Cole Cornford:

So Pitcher Partners I know that they actually, they have a building in CBD Newcastle, so I’ve actually heard of them before.

Jason Murrell:

Yeah, they’re spread around Australia, probably next tier down from the big accounting firms we know of. But Adam Irwin, who I’ve known, he was one of the initial users of Cyber Aware when we started. He’s been a big supporter along the way, but I got to take my hat off to those sort of organizations that are putting it there today. Financial institutions, they often understand risk because they fall under a lot of rules and regulations due to being in that area, with what they do, but to be as good as they are, or taking the strides they are on cybersecurity, is actually really good to see as well and how serious they take it as a group. It was good to sit on the day, and just to hear the general vernacular that they’re talking about with regard to cyber from going back to 2017, ’18, just so when I first met him to seeing the organization, and how far they’ve come in that time. And they’ve been using Cyber Aware the whole time, and they said people are having those water cooler conversations now about cybersecurity, their staff.

The general vernacular in the office has changed a lot, compared to when they first brought it in. So you can’t be using cyber, or cyber training enough, I don’t think. They’re doing at least minimum monthly training, sometimes more regular than that. Everyone who gets onboarded has three or four lessons, I think, as soon as they come on, on cybersecurity, the keys of that. So it is changing, which is good. But yeah, they’ve got that side, the financial literacy, but it’s good to see they’re adding the cyber. It’d be nice to see the other way around, there’s a lot of other areas as well.

Cole Cornford:

Are you still working there? Or is that still-

Jason Murrell:

So Jono and I, he’s not just a best mate, we’re like brothers. So I’m still a smallish shareholder in the business, and obviously assist. We catch up and talk business quite regularly. He’s a super smart cookie. He’s actually, one of the other businesses we can talk about, is [inaudible 00:16:29] in there. He sold that to Melbourne IT last year, which I helped him out. It was a one man band, became two man band, became bought out by Melbourne IT last year. But we started that, I think it was back 2014 or thereabout, that we participated in that. But no, Cyber Aware is ticking along. I mean the best thing we ever did with that was make it a white label solution, because when we win the market, the big players are obviously still like no before, Cofense, which I think was PhishMe at the time.

Cole Cornford:

Cofense? Yeah.

Jason Murrell:

We weren’t going to be able to go head-to-head with them. There’s a funny story behind that. Maybe we can leave it for another day. But [inaudible 00:17:02] did make an offer to us in the early days to buy us out, but we really wanted to be, and the pivot we made, which was really good, was a white label solution for MSPs and MSSPs, where unless you dug really deep into the DNS, you wouldn’t know we’re involved. But it was, they’ve already got the clients, it’s an add-on service, they can just bolt it on, but it’s a key piece of the puzzle to have the training and the phishing sims and all that sort of stuff in there. So we became a white label solution. So there’s plenty of partners around the world and hundreds of thousands of people using the platform because of that. So it was a smart move to make that pivot early. But yeah, I think along with all the other pillars, training and awareness is obviously a key pillar with that to the general populace.

Cole Cornford:

So because you’ve got a lot of business experience, how have you felt that’s shaped your move into cybersecurity in the end? Because I know you’ve done a variety of different types of roles. Because you mentioned mining before and you’ve had Cyber Aware as well, and you’ve also done a whisky company too, so maybe even talk about that. Why not? I love whisky. I’m a big whisky fan.

Jason Murrell:

Yeah, well I think I probably loved it too much to be fair. But look, the thing is the key with everything, is everything is business and business has certain fundamentals that you need to do And I think when picking a business or looking at it, I knew nothing about whisky when I met Dave Vitale. So one of the first things I said is, “Can you teach me about whisky? So why is this business going to work? Basically educate me or teach me as to why this business is going to work?” He was really good at doing that. So one of the key pillars that really sold me on that one, and we had a chat before we started, just really briefly, about that, because I know you are interested, but one of the key things is why is Australian whisky going to work?

And at that point new world whiskys were just becoming a thing. Like Japan was starting to produce some really good whiskies. And where our real point of difference was, or where he sold me, was not just the numbers that he showed me over the timeframe as in 2007 in August when we first met, he had numbers out until 2022. To say, “Here’s what the business will do and here’s why it’s going to be good.” So really quickly what happens, is for people who don’t know about whisky, is that it goes into barrels to basically age. So it’s a new-make spirit, you basically distill off the steam from beer, the alcohol comes off that through the still, and then goes in there, and it’s your new-make spirit goes into a barrel and you lay it away.

Now everything in Scotland is basically very much a age-statement, “It’s been aged for seven years or 14 years or 21 years,” et cetera. But the thing is, it’s cold over there, so they really only get one month of summer at best, or warmth. So the barrels don’t work that hard. And what David said is he said, and why we got some R&D funding up earlier with that, was, “Let’s research and develop if we can actually get whisky matured quicker.” So we’ve got 50 liter barrels, 100 liter barrels, 200 liter barrels, and the barrels that we can get here are actually great too. McWilliam’s sherry cask, which was the [inaudible 00:19:45], the original ones, that some of them have been, had 70 years of getting filled with sherry, they’re soaked with sherry so they’re really strong and that sort of thing. And McLaren Vale Reds, another one.

Cole Cornford:

I know both. So [inaudible 00:19:55] really close to where I live in Newcastle, it’s just up at the Hunter Valley, and McLaren Vales is South Australia I believe.

Jason Murrell:

Yeah. So we had access to these barrels. So whereas what was happening with the Scotch whiskys, they’d often get something made, like a bourbon cast that will come over after two years, and sent over. Or it’d be something from France set over the [inaudible 00:20:13] barrels up and sent them over there. Barrels aren’t working that hard. So in Melbourne we do get four seasons in one day. So where we set up, you get a hot day like today, it was 22, not hot, for Melbourne hot, right?

Cole Cornford:

Yeah.

Jason Murrell:

22, but tomorrow’s going to be 12. So what happens is the barrels expand with the heat, and then what we do, is open up the roller doors when the wind changes, so the barrels are actually making more contact. The new make spirit makes contact. We were getting 50 liter barrels maturing within nine months. The bigger barrels will take longer, obviously, the 100s and 200s, but within three or four years you can get, I mean, you’ve seen the awards we’ve won, we’ve been winning. Last year we won 15 double gold medals, which means every judge judged each one of those 15 bottles the best in class. We were number one distillery out of 5,000 in the world last year.

This year another 12 double gold, and then three gold. So the quality of whisky we’ve been able to produce is not any worse from being shorter. It’s actually better, and that’s why Diageo bought … Diageo was starting to use, and Diageo make Johnny Walker and all that sort of stuff, in some cases having to add caramel color to their whisky to give it color. They were really struggling to keep up supply and demand. It was growing 30% year-on-year. They couldn’t keep up with the demand, and they weren’t producing quick enough. So that’s why they bought in, in 2015, to see that this was a way of actually making whisky, or doing it differently. The Taiwanese do it as well. I think they’ve got what was one of my favorite ones. I’ve not been drinking as much whisky as I used to, but-

Cole Cornford:

Fair.

Jason Murrell:

… there’s a whisky brand in Taiwan, their angel’s share, the evaporation’s about 13%, ours was about nine or something like that. And in Scotland you might lose 3% to angel’s share, which is the evaporation off there, but it’s what you are producing and maximizing from getting it out of the barrel quicker, which was the key part there. So that was the key to it. Once David explained that to me, showed me three different whiskies with the smoky flavors and all different things, having Bill Lark there, who’s like the godfather of Australian whisky, Chris Middleton who is the brand guy, Australian guy behind Jack Daniels, Jack lives here and all that sort of stuff. When you’ve got a good team together with absolute supreme knowledge, and then you can justify a business case for it, then you’ve got a story, why? Start with whisky? Why we call it, “New world whisky?” And that’s why it has the stars, and looking as new explorers did.

Once you put all those elements together, it seems like a [inaudible 00:22:25]. Sometimes even with all those things together, it might not work. But we were lucky to get into Dan Murphy’s fairly early, obviously with the Woolworths group, and things like that. They were looking to make new shelf space at the time. So I mean you create your own luck as well. We had, I think, timing was good. It wasn’t great that GFC hit the year after we started trying to raise capital, that made things difficult. We had to pre-sell barrels and do a barrel sale program, which you would’ve loved, Cole, if you’re back in the day, it’s like, “Give us some money to buy a barrel and we’ll pay you 10% on top of the barrel when it matures.”

So you can make 10% on your money. And if we go bust, you get to keep the barrel of whisky and we’ll even bottle it for you. That was our promise. If it all went the wrong way, you’re actually going to get a bottle. So we had a lot of, obviously, whisky enthusiasts are like, “I’m into that deal. I either get 10% on my money, or I get a big barrel of whisky.” So it’s a win-win. So that’s how it all started.

Cole Cornford:

That’s such a fascinating story. What you’ve basically done, is looked at what the problems of traditional whisky is, which is the maturation, 12, 15, 20 years. And then you’ve said, “Okay, how do we short-circuit this so that we can produce significantly more volume? And then we’re going to change the category, so that the value of the whisky isn’t derived purely on the time associated with its maturation, it’s based on the flavors and the quality of the casks and stuff.” So you’ve effectively established a new type of category, and the marketing around it as well. Good timing is really important with business. It’s something that I’m hoping to ride myself within application security.

Because if you’re looking in Australia, like I’m doing things, I’m looking at what people do with professional services firms, and saying, “Well, what’s not working and what is working?” And almost everybody here bills time and materials, day rate consulting, or fixed price for a product. And almost nobody services application security. With my branding, nobody is fun and approachable and clear and simple. Everyone’s men’s deodorant commercials. So I’ve been thinking about category design, when I’ve been doing my own business. So it’s good to hear that that’s how you’ve been successful with Starward, because that’s what I’m hoping to replicate at least myself with Galah.

Jason Murrell:

Yeah, and you’ve got to look at things differently. And as I say, it doesn’t mean that it always will work. With that gold business, it was really a gold site remediation-type technology. So the theory was there that a lot of gold mining companies were using large gravity [inaudible 00:24:56] with a lot of chemicals to basically extract the gold. We were going back in there with [inaudible 00:25:01] tables to clean out some of the finds of gold, like the smaller bits, but also clean out some of the chemicals [inaudible 00:25:06] site and get stuff out of the mines to clean them up. So you could do a JV with the mine owners who had basically stopped mining there. You could get the stuff which was left behind, which wasn’t the chunks, but the finer of gold, and also clean up the soil and the waterways and everything around a mine as well.

So it was like a win-win around there. So that one wasn’t as successful, and that’s why I did a post yesterday. Because it was 12 years today since we raised the 11 mil, the 51 mil market cap. We didn’t list it on September 19, but we took a lot of investment. We only got 900,000 of the 11.9, or whatever it was, million here in Australia from brokers. It was really hard to raise money here, but we could raise money equally in Asia. And there was one Chinese investor who put in majority of the money, we thought it was 18 odd percent, he had actually been buying through other entities, so he actually had majority share, and basically overthrew us within three weeks after the company listed. Came in there and said, “Here, sign this and off you go,” which was the first kick in the pants from business.

Then I was escrowed for two years, which means I couldn’t sell the shares, and I just watched the shares just plummet down. So by the time I’d got out, they dropped at 90%, or 90 plus percent. So they were virtually useless and worthless after that time. So yeah, that was a bit of a kick in the guts from 2003, get the listing in 2011, get through the GFC and all those sorts of things, and then to have that happen at the final stretch was a bit of a kick in the pants, and did flatten me for a while. But there’s the yin and yang of business, 15 years being overnight success. And this one here, you graft away for eight years or nine years to get it listed, and then end up with nothing at the end of the day.

So I think we need to talk about the mistakes, and that’s what I think we need to do in cyber as well, is that we need to see these incidents. And say, “Rather than pulling the shutters down and covering up what’s actually happened, let’s share some of the lessons learned from actually the mistakes they made.” I mean there’s been some high profile ones that, across the press, we know a bit about what’s happened with them, but it’d be good to actually say, “What do we learn from he mistakes?” Because you learn way more from your mistakes than you do from your successes.

When you have success you can go on a golden streak, and we’ve all had those. We go on a run where everything seems to be turning to gold, but it’s from the times we actually have those tough times. I went through, I would’ve likened it to maybe losing one of my children, or something like that, having that business collapsed the way it did on me. I was flat, even though I had Starward to go to and do some stuff with, that wasn’t easy. That was going through a difficult time as well. It’s stress personally, I mean with relationships and stuff like that as well.

So I think we need to talk about that sort of stuff. And same in cyber, we have these instants. Ideally it’d be good to unpick it like we do with a bushfire, or a natural disaster. We go back through and say, “Well, could we have trimmed the grass around the power lines more? Or trim the branches back?” It’d be nice to be able to do that with a lot of these cyber attacks, not just the big high profile ones, but all of them, to say, “Let’s unpack them and actually see what happens, so we can all learn from it.” Which doesn’t tend to happen unfortunately. And that’s something I think would be ideal to see.

Cole Cornford:

Yeah, I’d really like to see more people who are honest about where they make mistakes. I try to be pretty open about what I make mistakes of with my business, because I know that I would encourage many people to go and actually take a step to create a cyber security company. Now you could start off really small, and just be a consultancy, and just solve one particular problem that you’re really good at. But over time, eventually, you’ll want to expand, and that creates opportunities for other people who may not have those opportunities to come in and learn from you and your experience.

If you make mistakes, then you can go ahead and teach other people about those as well. For me, it’s pretty table stakes. If I am open about how I make mistakes, then people go, “Ah, what’s he know?” But it would be good to see the bigger businesses recognizing that yeah, like with, Optus is a great example, is last week they refused to release the Deloitte report about how they got breached. I know that Kelly has gone and individually spoken to a lot of different CISOs around Australia about what’s happened and all the events leading up to it. But it would be really good to be able to talk about that report and what we can do to make Australia the most cyber resilient by 2030, if that’s where the government wants to go to. We have to be transparent about this, right?

Jason Murrell:

Yeah. Well, and I think that’ll be the interesting thing off the back of this. Let’s see what happens, but that’s the ultimate outcome, is if we can get to the point where that is the case, that would be ideal. But the thing is that as a defender you could stop a million attacks. And you’re wrong once, and you’re hung, drawn and courted for it. Whereas the attacker only needs to be right once, and can do a million attempts. So both sides of the equation, we’re lauded for a successful attack as a cyber criminal. They’re like, “Well done. You had a million pots, and you finally got one to pop,” and that’s worth it for them. They can make some decent coin out of it. But on the other side, someone’s got something right for 20 years of their career, makes one mistake, and they’re often hung, drawn, and courted and you’re out, you made a mistake.

That’s not a good position to put people in either. It’s a stressful enough job as it is without having that as your ultimate outcome from a mistake. There’s so many things that go into cybersecurity, and it can just be an API, it could be something that could have been missed. Especially in the size teams that some of these companies have, it’s easy for stuff to slip through the cracks. So what happened? Let’s learn from it. So everyone else can fix those same or similar problems, or think about their own situation better.

Cole Cornford:

One of the things that I see a lot in software engineering, or more specifically site reliability engineering, is blameless postmortems. So the idea is that a website service goes offline, “What are we going to do about it to make sure that that doesn’t happen again?” And, “There’s no one to blame, because ultimately we made a bunch of decisions that led us to this point in time where the website went offline.” Because as soon as we start attributing blame to individual people or teams or whatever, then we’re attacking individuals, and not attacking the root cause behind why it happened.

I’d love to see more of that kind of behavior from companies. I’d also love to see if people are more open or transparent about it. Even if it’s something as simple as, let’s say, you have a bunch of cyber incidents. And then the next year, when those cyber incidents fade into obscurity and are no longer relevant, you go out and talk about what you’ve meaningfully done to actually, like, what happened, what the consequences were, and then what you’ve meaningfully done to actually move forward since then. I’d love to see more businesses talking about that.

Jason Murrell:

Yeah, let’s see what happens. There is some shifting of the sands to some movement in the market, but that’s, it’d be a nice [inaudible 00:31:28] to get to, but we do need to have that, I think, just generally across the market to help us all out realistically. So let’s stay tuned and hopefully we see something happen.

Cole Cornford:

That’s right. So going into your more recent career, because you were at what, AustCyber not too long ago, correct?

Jason Murrell:

Yeah. So there’s a lot of money. I mean, AustCyber was set up back in Malcolm Turnbull’s days, back in 2017. So as part of the Growth Network, so it was one of the last ones left, and it did do a merger with Stone and Chalk about two years ago, a bit over two years ago. So yeah, it’s basically come to the end of its natural life, I think, mainly funded by [inaudible 00:32:11]. And basically we got an extension of time, but not money. So everything was supposed to end June 30 this year, and just to finish off the projects going until June 30 next year. So they’ll just be wrapping up the last little bit, some of the projects. One of the ones that was quite successful was the start of the professionalization scheme. So we talked about the education piece, and it’s trying to set up, and I think only Australia really and the UK are the ones trying to crack that nut at the moment.

You know when you go and get a qualified builder or electrician or what have you. But we don’t really have that with cybersecurity. There’s people out there saying, “Yeah, I’m a cybersecurity specialist, or I specialize in these things,” but what’s the certification for it? So it was good to have round the table all the academic people here, ISACA, (ISC)2, ACS, AIIA, et cetera, to work this together. Because if we can get a collaboration on that, Cole, and then get a sign-off on that to have some agreement, with the varying avatars across different areas, not making an extra cost for anyone, so it’s not going to be set up for profit, but basically there’ll be a cost obviously to run that sort of organization. But members of certain other organizations will get discounts, there’ll be grandfather clauses for people with preexisting skills, et cetera.

So that was a really positive piece of work that we had, and getting that collaboration and people. It did start off a bit testy. I remember some of the original meetings with people being strong personalities in there. And also of protecting their own turf, and saying, “We are better, or what we do is best,” and that sort of stuff. But it got to a point of general consensus. So I think off the back of cyber strategy, that piece of work will continue on, to find what a cyber professional will look like as a scheme. As I say, UK doing a lot of work on that front as well. The SCP was always a good piece of work. The Sector Competitiveness Plan, it was always a bible for people to go to in cyber to look at for the latest stats. So to see what’s happening in the market, where we might have gaps with employment and other stats with startups, and all those sorts of things as well.

Cyber week was really good, opened by Minister O’Neill last year, where we launched the SCP and everything. So there’s a lot of good work that’s come out of AustCyber over the time, and I think a lot of it will continue on in whatever shape or form that takes, going forward. But yeah, I think the industry has matured a lot over that time. If you look at when AustCyber started and the work that Michelle Price and the team did to get it kicked off, that was a very small market at the time. We [inaudible 00:34:31] as well over the last few months. So I just think it’s a changing of the guard with this new cyber strategy hopefully, draws that line in the sand and it’s something that we can progress forward from as a more mature and collaborative piece of work and industry, going forward rather than being so segmented and pulling in multiple different directions as we often have.

Cole Cornford:

Yeah, the professionalization is, I’ve seen so many people argue in both directions. I know that offensive security is really wedded to CREST as the, I guess, domestic, or I guess, international standard for-

Jason Murrell:

Yeah, well there’s different CRESTs, isn’t there?

Cole Cornford:

Yeah, there’s multiple CRESTs anyway. And the other things is any layman, just purchaser, is not going to really understand a difference between a SISP, a CISM, [inaudible 00:35:17], an IRAP, or ISO 27001 lead implementer or whatever. I guess, so it makes sense to move towards having a standard that they can actually understand. But my problem, I guess, with it is that I don’t want there to create, when we need a lot of different diverse viewpoints and talent, if we create a professionalization to actually get into the industry, are we just creating barriers to entry and gate-keeping? And that’s something that worries me a bit. The other thing as well, is it’s difficult to get people to learn about something if a salary depends on them not knowing it. So getting these certification providers to all agree to a national accreditation body would directly cut into their ability to sell SISPs, and CISMs, and [inaudible 00:36:01], and so on. So I don’t know.

Jason Murrell:

I don’t think it’ll limit it. I think it’s how it’s going to be seen. So a couple of points there. I think if you’re a kid and you’re trying to go for a career, if I had to sit down with my Year Nine coordinator at the moment and say, “I want to go and be a plumber, or I want to do accounting, or I want to do something,” there’s a fairly clear pathway. One of the things is to open that pathway up, but it’s not to cannibalize any of those sorts of things that say, “If you go for this, this is what that qualification will get you. So this is what, if you want to do this role, here’s the suggested.” So it won’t be taking anything away from any of them, it’ll just basically say, “Here’s what you qualify.” I would imagine when it does get up, that it wouldn’t be too dissimilar in when you do gaming, just say you’re playing a sports game, might be soccer or something like that. It’s a striker who has a 76 rating, and here’s their speed and all that sort of stuff.

Not too dissimilar to that, saying, “This person is a mid-level GRC person with financial services background skills,” so that could be good for the role. Or, “They’ve worked in financial services, and they’ve also worked in retail environments,” or whatever. So you could see what you’re getting, and then they’re saying, “They’re keen to up skill, or do other training, or whatever, or they’ve learnt this on the last job, so their skill can go up.” So I think it’s more to give a clear pathway for the professional themselves, what they should be looking at, or doing next if they want to get to a certain place. And if they want to go for a role, here’s a pathway and where you go. So it wouldn’t limit, or say that, “You should go for is ISACA or (ISC)2,” or whatever the case may be.

It’s just saying that, “These are qualifications that will actually get you next level, or go work at this next organization.” We all know ourselves if you want to get better, you have to keep pushing yourself, or stretching yourself to go to different areas. And like I’ve done with my career, you sometimes pivot and take a different direction to get somewhere. But yeah, sometimes you’ve got to get out of the comfort zone to do that. But some people are just happy to sitting in a, and they might say, “I just want to be a mid-level GRC-person who works in financial services, that’s my lot. I don’t want to stretch any further than that.” And then they’ll just stay there. But at least you’ll know that’s what you’re getting. But you can get someone who’s aspirational and say, “Oh, I actually want to get to being a CISO one day, so what’s my career pathway look like to get there?”

Cole Cornford:

Oh, those people need a reality check.

Jason Murrell:

They do. Yeah, they do. Well, you talk to any CISO, they’re usually a little bit nuts, but they’ll probably get a different talking to from a lot of the CISOs we know. But we just need to support that too, because I think CISOs don’t, especially in this country, have as much support. They’re very good amongst themselves. You mentioned about Kelly going out and speaking to CISOs, but they do have a community themselves, but it’s a lonely job in a lot of ways. And as we said before, if there are incidents that happen, they tend to be the one the board point the finger at, and everyone else does to take the bullet.

Yeah, it’s something I think, as a whole community, we need to be supportive of in whatever shape that takes. And the next stage will be into more open up to the public, “Here’s the what’s it all, here’s the FAQ all answered.” So we can get that feedback from industry and have it nutted out. As I said, I still think it’s probably realistically probably 2026-ish type timeframe until something like it comes out. It’s got a lot of more barriers, but it was good to get that starting point, actually start to get something knocked into shape.

Cole Cornford:

Yeah, and we’ve got to do these kind of things to be ready for 2030 anyway.

Jason Murrell:

Yeah, correct. Yeah, absolutely.

Cole Cornford:

So one of the things that you did mention though, is that it’s lonely at the top. And I really empathize with that. I don’t consider myself a CISO, because obviously I don’t know. I’ve got more brown hair than gray at the moment, so we’ll see how that goes. But I run my own business though, and one of the things with running my own business, is that for better or worse, I don’t really have other people I can speak to unless they’re other business owners to talk about the challenges I go through with things as simple as hiring people, or cashflow management, forecasting, sales strategies, to how to do effective consulting, good customers and bad customers. Ultimately, everything falls onto my head as a chief executive of my own company. So I empathize, and I understand what it’s like to be a CISO in some ways, because all the responsibility for security falls on their heads, and it’s lonely up there.

Jason Murrell:

Yeah, you need good people in your support network. I spoke about Jono, when we did Cyber Aware that you need someone else, that you do need the yin and yang in your business sometimes. Sometimes people start businesses, and if they do have other people, it’s two similar people. I think one of the best things, advice-wise, if you have a growing team, is to have people to fill the gaps in stuff you’re not great at. You do what you are good at, and the stuff that needs to be done in business but is not your [inaudible 00:40:23], get other people who that’s what they specialize in. If you really start to grow a business, often, one of the things I do see with a lot of startups, is they get two people who are both coders, and they’re both great at a certain thing, but that’s never going to get you anywhere in business.

I think some good examples that we have in Australia, is [inaudible 00:40:40] with [inaudible 00:40:40] and Ben, they’ve got two different skill sets, and then you can grow a team around that, having the varying personality types. But [inaudible 00:40:47] when he started, he was trying to do so many things, and be so many things, that he just couldn’t do. And as soon as Ben came on, and took some of the load off to some of the stuff that he wasn’t great at, it got the business moving forward a bit better. So I think for any business for yourself or anyone else, you need to, when you’re expanding your business, you need to look for people who have the requisite skills, where they love doing the stuff you don’t and vice versa. You can have some crossover and some convergence and some things.

But generally speaking, if you can try and get people that love doing stuff you don’t, and you can concentrate and stick to what you’re really good at, is actually really helpful. But any business, it’s good to have Jack of all trades, master of none in a lot of things. You do need to know financials, you need to know a lot of things, because you’ve got to make sure you’ve got yourself covered, and control as much as you can when you start. But then you need to start getting comfortable handing stuff over to people you trust as well.

Cole Cornford:

I’ve got a few fast questions for you, and then we’ll wrap up. So here we go. All right, first thing to come to your head for these ones?

Jason Murrell:

Okay.

Cole Cornford:

Best book to give someone?

Jason Murrell:

Oh, best book? Wow. I’ve read so many books and I have to go, I’ve actually been reading some stuff on longevity stuff at the moment.

Cole Cornford:

Okay.

Jason Murrell:

Outlive by Peter Attia I just read recently, which was a surprising book. It was really slow to start. Had some really good information in the middle, and then had a surprising ending. So that was one that I read recently, which was really good. But yeah, my books, I am usually going and flowing through a lot at once. So yeah, I could probably give you a different recommendation every day. I was just trying to think. Atomic Habits, James Clear was another one that was good recently. And actually Happy by Darren Brown was really good. Derren, D-E-R-R-E-N Brown, Happy by title, but it was interesting, more stoic sort of principles on that one.

Cole Cornford:

I think I’ve done two of those. So I’ve definitely remember Atomic Habits, and I think GTD was pretty similar to it in a lot of ways. Atomic Habits just recognize your triggers, and then if you don’t know what’s causing you to do these kind of things, then it’s really difficult to change something, right? So for me, a good example would be I see chocolate wafers in the cupboard and then I go and eat the chocolate wafers.

Jason Murrell:

Don’t put them there.

Cole Cornford:

So the chocolate wafers now are in a really stupid location, and guess what? The habit’s broken. I don’t eat chocolate wafers anymore.

Jason Murrell:

Talking about the lock and key, Cadbury’s chocolate for me is my Achilles heel. It was Father’s Day Sunday. My daughter bought for me three blocks of Cadbury’s chocolate. I think it lasted no more than 48 hours for three blocks. So that’s a killer for me.

Cole Cornford:

I’m the worst one with chocolate too. So it’s the Fry’s Turkish Delight is my Krypto-

Jason Murrell:

But they’re Cadbury’s now.

Cole Cornford:

Yeah, I know.

Jason Murrell:

Yeah, they’re Cadbury’s now, yeah, dangerous.

Cole Cornford:

And the longevity one, I think I remember Daniel Miessler talking about it a bit. He was saying it basically rolled down to two things that he saw, I think was just actually do exercise, which I need to learn. And sleep I think was the other big one?

Jason Murrell:

Yep. It’s two keys. And I think it’s a similar theme at the moment, Cole, I think sleep is massive, and I have stopped drinking this year. So it’s funny though, we’re talking about whisky and stuff, but at the start of the year I’d made pact to myself. I said, “I’ll just drink once a month. If it’s a friend’s birthday or a special occasion, I’ll just have something,” which I did do January, February. Then I just thought, “No one really caress if I’m drinking or not, so I’ll just stop.” So I just haven’t had a drop since then.

That’s really improved my sleep massively. During COVID, the first part of COVID, when it happened in Melbourne, I ate and drank way too much. Then on the second part I bought myself a home gym set-up, and then had been working out religiously, five or six times a week, and then walking that at least 12,000 steps a day. But they do make a big difference. So yeah, it had been something, I think, the Andrew Huberman podcast got me, that me and Tim Ferris have been listening to it for years, so they’ve all gone down that path. So I think I’m folding down there with interest, so that’s been one of the things. I think health, if you don’t have it, you can’t do anything.

Cole Cornford:

I think, I know that it’s a few things, with the whisky. I’ve got a bunch of bottles of whisky, and I like drinking it, but I pretty much limit myself to one glass a week really at a time where it actually makes sense, because I just don’t need to be drinking. I’ve swapped all my soft drink for Sodaly nowadays, which it’s made of apple cider vinegar.

Jason Murrell:

Yeah, I’ve seen that.

Cole Cornford:

Yeah.

Jason Murrell:

I’ve been on the kombucha.

Cole Cornford:

Just simple stuff like that can make life a lot easier, and you can still enjoy a bit of a dark habit. Maybe we need to do less on the Turkish Delight and [inaudible 00:45:27].

Jason Murrell:

Yeah, that’s probably it.

Cole Cornford:

We’ll take that over alcohol.

Jason Murrell:

Occasionally, it’s okay.

Cole Cornford:

Yeah, cool. Let’s move on to the next quick one. A best advice for someone who’s going to start a cybersecurity business?

Jason Murrell:

Yeah. I think if you’re starting a business, most people are obviously coming at it with a cyber background in some way, shape, or form. I think what we need to do is look to solve for problems into the future rather than trying to compete, or try and make something better than what’s already existing. With the likes of AI and Quantum, pretty much all generative AI here, but into future with quantum and different things happening, we need to, I think, in Australia, look to solve for problems into the future. Often we’ve been a bit of a lag behind, because we’re often just saying, “Oh, someone else has got a product on the market, I can make it better than they do.” And they’re all just undercut on price. I think we need to really look into the future and say, “What is the future of cyber security? What do we need to solve for in tomorrow’s problems?” And start to look at there.

I think the other thing we can do too, if I was going to start a business, I’d be really talking to the CISOs of the world and say, “What are the top five things you need to solve for?” Because when you then go to them with a solution that’s in that top five, they’re going to have budget for it, and they’re going to give you a POC or try and help, and they’ll mentor you and probably come invest with you and do a whole lot of things if we can actually flip there. So find out what the actual problems are, what they perceive problems to be, that could become [inaudible 00:46:42] or, “I wish I had this.” And if you get enough of that, that’s usually a good clue. So don’t try and make something and then sell it to market. I’d go the other way around, and say, “What’s the actual market want? Can I build that?” And let’s go and do that.

Cole Cornford:

I like both of those. I see so many people just start their own little consultancies up. And it’s like, “Yeah, all well and good. You can be a pen tester.” I personally think that penetration testing is part of quality assurance, and that over time as we get better quality assurance products in the software engineering market, or that more people just use software defined networks, or infrastructure as code and so on, we’re going to have less of a need for network security penetration testing. But we’re going to probably have more of a need for software engineering chops. So I’ve positioned myself to be super aligned with software engineering and application security. Because, I guess, domestically, I don’t see anyone really servicing this industry at all. It’s pretty much, it’s huge in the US. And it’s huge in Europe and I don’t know why it doesn’t exist here.

So that’s why I’m in that category in a place that no one else is participating in yet. So I encourage people, if you’ve got an interest in large language models, or blockchain or whatever, and you can find product-market fit by speaking to customers, and getting just one or two people on board, then maybe go do that. If you’re doing it right.

Jason Murrell:

Yeah, exactly. And the lead from overseas is key to, I mean we’re such a small market, 2.3% of the world, cyber market. Go and look at what Israel do. If you want to do a startup, 30% of billion dollar companies or unicorn companies are out of Israel, 10 million, not even 10 million head of population, producing that sort of output. But why is that? And then you’ve got to look at the clues and then follow through, and see why certain markets do certain things well, and take the good of that, and strip away any of the negative stuff. Because people try and always look for the negative in things all the time, rather than going, “Okay, what’s working and how could we replicate that?” Rather than just trying to pick the eyeballs at it and find mistakes all the time.

Cole Cornford:

I think the other thing is to be a bit more open-minded as well, if you are a CISO or a leader, about speaking to people from Australia. You don’t have to go by the Forester Wave Top Quadrant, Gartner thing all the time. There’s a lot of good local producers that solve specific problems, and supporting local industry is a really good idea. We may not be the most competitive at the moment compared to if you go to Singapore or Vietnam or India, but I still think it’s good to at least hear people out. I always get frustrated when I see CISOs on LinkedIn whinging that salespeople should never contact them at any point, and that they know what they want to buy at all points in time. I just think that’s entitled and a bit of a cop out.

Jason Murrell:

To be fair, and putting yourself in their shoes, a lot of them do get hit a lot.

Cole Cornford:

Yeah.

Jason Murrell:

They get peppered, and often, from knowing a lot of CISOs, I think their team’s better to approach about stuff that they’ll make a decision on, and can go to the CISO a bit easier. So I think if you are a startup and been through the mill, not just with cybersecurity, but others, is find out the key person, or the key buyer in a business, or the key person that solution’s going to fix, rather then go to CISO, who’s overarching and looking at stuff. But go down the chain a bit and say, “Who in the business would benefit most from this?” And actually have a talk to them and get that feedback in there.

So I think what people do often, Cole, is they’ll go on LinkedIn and say, “Oh, there’s a CISO. I’ll go talk to them. They really need this product because he heads that company, or she heads that company.” Whereas sometimes you’re better off saying, “Who actually works in that specific area for that cyber team that would actually get the most benefit from, and let me see if I can help them, or make their job easier?” And then get them to sell themselves to or that product or service to the actual CISO themselves.

Cole Cornford:

All right, guys. Got it? Don’t go straight to the top. It doesn’t work. Don’t go all the way to the top.

Jason Murrell:

No, look, especially if you’ve got big teams, I just know that, and I know when we went to RFA this year over in the US, some of them are getting, and I’m not kidding you, 40 emails of people just peppering them with stuff. And, “This is the next best thing,” and silver bullet stuff and all that sort of thing. To work through it when you’ve got your normal work to do, it’s just white noise for them, and they do suggest that themselves. They’ll say, “Just go and find someone on my team, just do a bit of homework, read our reports.”

Or do just a little bit of stuff to say, “Hey, I read your last report and I saw that this was an issue for you guys, who on your team would be best to contact and find that out?” Go contact them in LinkedIn and say, “I didn’t want to talk to your CISO, I thought this was best to run past you, because you obviously are at the [inaudible 00:51:01] with this thing. What can we do to maybe help you? This is something as a solution or some help.” They don’t get as much in their inbox, so they’re more likely to give you an ear, make some time with you, because they’re not as busy, or that is something you want. So tailor it really to the specific person in the organization I think would make a difference. So I think it makes it easy for everyone.

Cole Cornford:

There you go guys. So great sales advice from Jason Murrell.

Jason Murrell:

There you go.

Cole Cornford:

Jason, thank you so much for coming on the podcast. I really appreciate your time here, mate.

Jason Murrell:

No worries, mate. Take care.

Cole Cornford:

Thank you for listening to this episode of Secured. We hope you enjoyed today’s conversation. Don’t forget to follow the podcast on your favorite platform, and leave us a review. Want some more content like the above? Why not subscribe to our newsletter at galahcyber.com.au/newsletter, and get high quality apps [inaudible 00:51:47] content straight to your mailbox. Stay safe, stay secure. I’ll see you next episode.