SECURED

Leading Change in Cybersecurity: Tara Whitehead’s Approach to Security Engagement

Tara Whitehead is Security Engagement Manager at MYOB. Prior to becoming a cybersecurity specialist, Tara had an eclectic career, including working in advertising and international relations. In this episode Tara chats with Cole about how her non-technical background has in many ways been an asset working in security, leading change management in large enterprises, the importance of great communication skills, and plenty more.

7:15 – Tara’s first days in AppSec
10:00 – How to influence people
12:30 – Why we should dial back on the doomsday conversation
14:10 – Find your change champions
21:30 – Is a non-technical background help or hindrance?
23:30 – Communication and influencing key skills
26:00 – Communicating with execs
28:20 – Rapid fire questions

Cole Cornford:

Hi, I’m Cole Cornford, and this is Secured, the podcast that dives deep into the world of application security. Today I’m joined by Tara Whitehead, security engagement lead at MYOB.

Tara Whitehead:

You really need to sharpen that tool set. It’s great if you can code. It’s great if you understand and you’re a great analyst and you’re a good pen tester or whatever, but if you can’t get your products, your service sold across a business, it’s like the tree falling in the woods. Does anyone hear it if no one’s there?

Cole Cornford:

I’m proud to have her on the show. She is relentlessly outgoing, positive, and great at bringing people on her journey. She’s previously rolled out breaking build, which I know a lot of people would be reluctant to do in bigger enterprises, but she’s done it successfully at MYOB, and I think that success is because of her prior career in international relations. If you don’t mind a bit of sports banter, bad humor and occasional security tidbits mixed in, you’re going to love this episode. We cover falling into security from international relations and advertising, which is kind of crazy. Using that background as a strength in a field of tech nerds, making effective change management happen and why Brokenwood is her tipple of choice. So let’s dive on in. And I’m here with Tara. Hey, how are you going?

Tara Whitehead:

Well, thanks. Thanks for having me.

Cole Cornford:

Yes, it’s an absolute pleasure to have you on. I know that it’s been a little bit of a time since I’ve been able to go down to Melbourne, but hopefully I can come catch up with you soon and maybe you see sports ball together.

Tara Whitehead:

Yes, sporty mate.

Cole Cornford:

That’s it. Yeah, Newcastle Knights, I was thinking about going and getting a corporate box in the not too distant future, but we’ll see.

Tara Whitehead:

That’ll be fun.

Cole Cornford:

Yeah.

Tara Whitehead:

Come play the Storm.

Cole Cornford:

Ah, Storm. Nah, nah. The podcast is over now. We’re not about…

Tara Whitehead:

That’s all right. I don’t really follow rugby. I’m a-

Cole Cornford:

You’re an AFL person.

Tara Whitehead:

AFL girl.

Cole Cornford:

Yeah.

Tara Whitehead:

Richmond.

Cole Cornford:

Sydney Swans. Right. So yeah. No, I already see the disgust on your face. So let’s move past the sports references that half my audience won’t understand because they don’t watch sports unlike us sporty people. Tell us a bit about how you got into cybersecurity and how you’ve landed on your current role as a security engagement manager.

Tara Whitehead:

Oh, so look, I’ve had a really eclectic career leading up to this point. I studied at the University of Melbourne, but I have a Masters of International Relations. Prior to that, I interned at the United Nations and did a whole bunch of international affairs stuff, which was great and super relevant to security. But I was about 22 and burnt out once I finished that degree. And I really just wanted to be creative. So I waltzed into a career in advertising, which I don’t know if many people listening to this podcast know that’s not a waltzing career, but somehow I fell into it. I really wanted a career where I could be thinking and creating and growing, and I loved it. But after a few years, I realized, or I felt like I was really at the ceiling for that career.

So I dipped my toe back into politics, worked for a politician. That was super interesting for me. But again, I found myself back in advertising for a tech company at MYOB. I had a really pushy recruiter, not from MYOB, an external one saying, “Go, go, go get in there.” And I was like, “I don’t really want to go back,” but I’m so glad I did because I found such a great vibe in tech. I loved the people. So supportive, so interesting, which is a bit of a departure from what I’d had before.

About a year into my time in MYOB, I had an incredibly motivating mentor who gently started to encourage me to think about where my skills could take me and what I actually wanted to work on day-to-day, rather than thinking about job titles. That same year, my father sadly had brain surgery that went really poorly and rendered him with a disability called locked-in syndrome. It absolutely floored my world, like it would. Then my relationship of seven years broke down. And to tell you the truth, it just felt like my life was an absolute, I don’t know how you feel about swearing, but it was a bleep show.

Cole Cornford:

You can swear as much as you want on this podcast and-

Tara Whitehead:

All right. Well, it was a shit show.

Cole Cornford:

A fucking shit show. You just had everything handed to you. It’s just like-

Tara Whitehead:

Yeah. So I talk about that adversity because it was such an important turning point for me. All of that chaos allowed me to be a bit more open to accept a role in an area that I just thought, oh my God, I can’t do it. So I got offered a role as a business analyst in the application security team at that time in my life where it was chaotic. I didn’t really want to be in advertising, and I just thought, threw everything to the wind and thought, bugger it. Let’s just give it a crack. So yeah, look, I won’t lie to you. When the job was first pitched to me, I thought, oh my God, you’re absolutely mad. I can’t do that for the life of me. And I idolized the guys in the AppSec team, like guys and girls. They were some of the smartest people I knew, and I thought, God, I can’t do that.

But it turns out what they needed from me was a lot of help with influencing and communication and advertising across the business from getting the devs to use our tools and services to begging, borrowing and stealing money from the executive. I was later promoted to AppSec lead, and then we had a restructure and I took on some more of the infrastructure security staff. So I became security engineering lead, and then we’ve restructured again recently, and now I’m security engagement manager. So I know that that’s a term that is very different across lots of companies. But it’s almost like I’ve returned home to marketing in that I have three main responsibilities. One is external customer engagement and enablement. So making sure that the customers of MYOB are practicing and have safe, secure businesses.

There’s a bit of crisis comms in there, so touch wood, anything goes wrong, I’ll be working with corporate affairs to make sure that the communications we send out as a company is good. And then there’s internal enablement as well. So making sure that our tech teams are using our most up-to-date products, services. If we need to massage some change into their lives, I’ll be the one coordinating that.

Cole Cornford:

Oh, look, that is a crazy career journey. I can’t even imagine like starting with a Master of International Relations and go doing United Nations, politics and then coming into tech. It’s just-

Tara Whitehead:

I know.

Cole Cornford:

All over the place.

Tara Whitehead:

Jack of all trades, master of security.

Cole Cornford:

How did you find moving into a technical security discipline after coming from such a broad background? Because all of those skills that you’ve mentioned, I think are actually incredibly important in the application security domain because we’re not just sitting back and just operating tools. We’re out trying to negotiate and influence and get people to start doing things differently. And so I can see how your background has really helped you in your career, but how’d you find that transition early on?

Tara Whitehead:

Oh, look, I waltzed in my first day very confident. I’ve got this. This is so good. And I remember my first standup, I think the color must have drained from my face because the guy Jonathan, who first pitched the idea to me to come across, looked at me with like a I’m so sorry face, because I just had no idea. I didn’t know what an API was. I didn’t know what a node was. I didn’t know what the hell they were talking about. And I just thought, oh my God, what have I done? But it was great. I had a really supportive team that really took the time to teach me the basics. I did a little uni short course. I grew my knowledge just like any other skill, but there is benefit to not having any knowledge at all. And jumping into the deep end because sorry, I did have a lot of knowledge. I came with a toolbox full of comms and influencing, and I had a job I could do straight away. So that wasn’t like I was fresh out of uni like doe eyed.

Cole Cornford:

Yeah.

Tara Whitehead:

I still had a lot of projects running. But the benefit I guess is, is that you end up asking really simple questions. People say stupid questions. They’re not stupid, they’re simple. And sometimes getting back to those basics are really important. So just asking why, why are we doing this? What’s the purpose? You get the answer, but you actually get the person who you’re asking that question to really thinking, why are we doing this? What is the point? And it does help direct a really good flow of thinking and movement and bringing things back down. Because I’ve worked with engineers for a long time now. You guys get so excited and it’s really good to pull it back down and be like, “No, why are we doing this? What is the purpose?”

Cole Cornford:

Yeah. I love that attitude because when I look to hire people myself, I always take a step back and ask them, “How would you go about building a security program?” And oftentimes they would say, “What we need is SAST [inaudible 00:09:36] secret scanning, threat modeling, developer training.” And then I’d say, “Cool, let’s take a step back. Let’s think about this. Why do we need all of these things? For what reason? How do we convince and negotiate with people to actually adopt these things, which introduce friction into their processes?” And then it’s suddenly they’re a bit of a stunned mullet at that point because they’ve never really been told to think critically about why we have all of these activities in an AppSec lifecycle. If you come straight out of university and the mentor that’s in your DevSecOps function just says, “Here is Fortify, run it, scan it, this is AppSec,” then you’re never going to be thinking about what is the business trying to achieve? Why are we using Fortify? What is the purpose of Fortify? Why do we even do code analysis, right?

Tara Whitehead:

Yeah, exactly.

Cole Cornford:

Considering that your background with politics, I’m going to hazard a guess and say that you’ve learned about influencing behavior in people pretty well, and that’s made you quite successful on AppSec. So what kind of techniques would you use to help people influence the stakeholders in their organizations?

Tara Whitehead:

That’s such a good question because I think that influencing is a fundamental skill for all security people. I’m such a champion for that. You really need to sharpen that tool set. It’s great if you can code. It’s great if you understand and you’re a great analyst and you’re a good pen tester or whatever. But if you can’t get your products, your service sold across a business, it’s like the tree falling in the woods. Does anyone hear it if no one’s there?

So for me, putting yourself in their shoes, being empathetic. As security professionals, we have a strong bias towards good security practices as we should. But as software developers, they have a strong bias towards developing software and they have lots of external influences on that. They might have a product manager bearing down on deadlines. They may have a CEO bearing down on deadlines. We needed this out the door yesterday. So a security person coming into that environment saying, “I need you to do this as well,” is going to annoy anyone. That would annoy me if I had lots of pressure and lots of people telling me and pulling me multiple different directions. And the same goes for anything else. You’re talking to the executive, you want buy in to spend a couple hundred thousand dollars on a new tool.

Why? What’s the purpose? What benefit is the company going to get out of it or is the executive thinking about this? And not just the tool itself, but are you willing to give up another tool in order to fund this? Or how can the business put this into their strategies? Because ultimately, this is our salaries as well. Our salaries are part of those budgets. So just thinking and understanding the pressures, the viewpoints of your audience is key. Because once you get that, then you can start really digging into, okay, well, I know that they’re really motivated by money. I know that they have no time, so how can I alleviate those issues for them, those concerns straight up before I go there.

The second one is dial back on the doomsday conversation. Everything is on fire to us in security, but it’s not for everyone else. And even if there is a big bushfire, the CFA in Victoria, I don’t know what it’s called in New South Wales or-

Cole Cornford:

The RFS here.

Tara Whitehead:

Wherever you are in the country, the firefighters aren’t putting out the whole bushfire at once, are they? They look at a farm that’s all alight. Are they going to put out the house, the stable, the fencing, or just the paddocks first, right? So it’s all on fire. It’s all kind of screwed. We have to prioritize. I think the other thing is when I was in advertising, there’s this really interesting study by, I think it was the TAC, where they did a whole bunch of research into the kinds of advertising for road toll deaths. And anything that was super gory where there was blood and guts and people ejected from windows and blah, blah, blah. All that sort of stuff, actually had less of an effect on people. This is because they either thought to themselves, oh, that won’t happen to me, or they completely shut off. That’s too scary for me. I don’t want to absorb that information. And we kind of do the same thing in security. So dialing down that doomsday scenario.

And then if we do have a doomsday scenario, like a real scary incident, I don’t know, Medibank, Optus last year, that’s when you can be like, right, let’s go. So keeping it for the right moment. I think the other thing, the final thing I want to say here is find your champions. And I don’t mean security champions. Don’t upskill someone in every dev team or whatever. I mean your change champions. Security is nothing but change, but a constant, right? We need people to change their behavior all the time, whether it’s our customers, whether it’s our developers, whether it’s whoever. There’s always going to be someone who’s excited and motivated by the change.

That excitement could come from anywhere as well. And then you use them to then leverage the next group who are cautiously optimistic, but they’re not sure. And then you use that big group once you’ve got them over to move on to the people who are really like, “Go away. We hate you.” Because once you’ve got two-thirds done, there’s not a lot of backing out. A couple of years ago, I don’t know what your audience is like, but we use SonarQube as our SAST tool. That is a tool that helps scan your code for vulnerabilities if you’re not familiar.

Within that tool, you can turn on a feature called breaking build, which means that when the developers are writing their code and they try and push it back into production, they can’t push it into production. They break that build while there’s vulnerabilities that hasn’t passed a quality gate. This is pretty frowned upon in a lot of AppSec circles because they see it as a blocker to development and that the devs will hate us for doing this. And we thought, no, we want to have a good quality gate. We don’t want to introduce new vulnerabilities that we know about into our tech stack and our code.

So we embarked on a big journey to break builds in our SonarQube moving forward. And we got a lot of learnings out of that. We started with a part of the business, financial services, who are motivated simply because they are a compliance-heavy part of our business. They have a lot of audits throughout the year. They handle credit card details. They handle bank accounts and all that delicious stuff. So we went to them first and we’re like, “Hey, we’ve got a way for you not to introduce more vulnerabilities to your code. Do you want to get involved?” “Yes, please. Oh my God, that’s going to save us so much time around compliance time. This is awesome.” They’re excited. So we gave it to them first. We sorted in all of their repositories and said, “Go forth.” We stopped there for a bit. We took some learnings.

What were the benefits? What other benefits did we not know about here? And we discovered this one really cool one. So there’s a linting tool. For those that don’t know, this is basically brings forward that process of scanning the code while you actually write the code for vulnerabilities before you push it. And we found that the benefit there was as the developers were writing the code, as it was in their brain, I know why I’m doing this. They were able to fix it and not go back a week or so later and be like, “How does this code work again? What did I do?”

The other really big benefit, which we didn’t see and really blindsided me, and I really loved hearing about it, was it empowered the devs. Instead of it blocking them, it gave them a tool to have really good conversations with their product managers and their managers and whoever is putting pressure down on, we need this delivered yesterday to say, “Hang on a minute, it’s really not ready and here’s why. Here are the vulnerabilities that we’ve got to work through and I can’t do anything about it.” So it gave them I guess a communication tool of themselves to push back harder and it empowered them, which was great. So armed with that information, we were then able to go to our next cohort who had heard about it. That’s yours thing. You get a little gossip around like, “Oh, we’re keen, but we’re not sure.” And then so on and so forth. Took about a year and until we got to the people who really just were avoiding us, but there was nowhere to hide. And once most of the company was on board, they had less argument to be like, “Oh, we don’t want to. We don’t have time.” Because everyone else was doing, it’s really successful and they reluctantly accept. So change management is a constant.

Cole Cornford:

Cool. So I’ve got a lot to unpack there. So the first thing I’m going to unpack-

Tara Whitehead:

Sorry.

Cole Cornford:

That’s all right. I think that was a great answer. So the first thing I’m going to unpack is about the doomsday messaging. I really like that you’ve mentioned road fatalities and driving safer and how that’s not that effective. And I think the campaigns that I’ve seen there, there’s one in Canberra where they just have signs everywhere that just say stupid things like, “Drive and text, you’ll be next” with silly letters.

Tara Whitehead:

I’ve seen those.

Cole Cornford:

And I’m just like, “This is embarrassing.” But also, I guess it’s kind of nice to see that. It’s very different from showing pictures of people in the middle of accidents or whatever. I don’t like to shock campaigns. I don’t think they’re very effective. But once we get embarrassed, there was one where I remember people had the small finger. If you’re speeding, you got something, someone’s a bit small as you overcompensating. And I think that that worked brilliantly because men are just like, “No, no, I’m actually all right. I’m not that kind of guy. I’m not.” So I agree. I think, yeah, doomsday means that people eventually get fatigued from that messaging and just disconnect from the conversation. So I am not about… We’re even at a point where everybody, if you say, “Oh, such and such got a breach.” They’ll say, “Cool. Which of the 600 breaches have I been at this point?” So I don’t think that that way of working is helping anymore.

Tara Whitehead:

It feels a little boy who cries wolf [inaudible 00:20:09].

Cole Cornford:

And the other thing I wanted to talk through was about the break build piece. So you mentioned SonarQube is your static analysis tool, and you say that you went through a year process to break build and that a lot of AppSec people are not willing to go on that journey because really challenging to get the right level of cultural change going. And I think that what you’ve got here is you’ve done a few things that are really interesting is one, you’ve given them a waiver process.

So that if they have some kind of real reason that they absolutely need to get the build into production, then they absolutely can. They can find a way to get around the process. So it’s not going to cause too much friction. There is a break glass, but I also think that you’ve got embarrassment and compliance as the sticks that you’re using to make people move one way because no one wants to be the team that’s leftover at the end is just not wanting to do stuff. And then you’ve got the carrots saying faster assurance, faster compliance, less report writing, less pen testing. How cool are all of these things? So it’s just a good example of a successful software security program rollout. So you should be proud of yourself.

Tara Whitehead:

Oh yeah, it was a lot of work and it wasn’t just me, but it was a great application security team. And then just again, finding the champions who then go sell it across the business for you. Do work smarter, not harder.

Cole Cornford:

That’s it. So moving on to the next question I’ve got is I said was starting from zero blessing or curse. And I think that that is completely wrong. I think that your background is, you are coming from a non-cognate background, is the way I would describe it. You are not coming in from a discipline where you’ve learned computer science, so then moved into software engineering and then moved into application security. You’ve come in from a different way. So has that been a blessing or a curse for you? And what challenges have you found have come about from coming from a different pathway into AppSec?

Tara Whitehead:

I think we discussed this earlier. For me, yeah, challenges. I’ve sat in many meetings where I thought, “Oh my God, I have absolutely no idea what’s going on.” And I don’t even know where to ask good questions. I just stood there like deer in headlights. That’s certainly at the start. But again, I feel like not knowing puts you in a good place to ask those questions that someone will say a dumb question, but simple questions that help people get thinking in the right direction. Why are we doing this? How can we do better? And then also reframing it. I think there’s a lot of creativity and security and you don’t have to know the topic in detail to help drive a conversation to help other people come up with creative solutions. So really in that sense, it was a blessing to not know, because you can ask the questions, be like, “I don’t understand what’s going on. Explain it to me like I’m dumb.” I’m not dumb by the way, that was a horrible thing to say. But another really key benefit helped the entire application security team had had a really hard time talking with executives and non-technicals. So it gave them a lot of practice in a safe space to explain things to someone who is smart. Let’s be real. Just because someone’s not technical in a computer science degree sense, it doesn’t mean that they’re not really intelligent or they don’t have a lot of smarts in another area. So talking to them in a way that’s not infantilizing or belittling their intelligence, but still getting across a really complex topic. So I got a lot from the team, but they also were able to develop their skills in other areas as well.

Cole Cornford:

It’s really hard to get people who have both backgrounds. You generally won’t have people who are technical specialists who are also able to understand how do I communicate this in terms of headcount, financial constraints and risk and getting an adequate level of protection for my business versus this is cross-site scripting.

Tara Whitehead:

Yeah, I think so. But I don’t think it’s impossible. I mean, I still hire people who are personable. I could start with that, sort of almost sales, sales-y. Application security is sales. Please use our product. Please use our service.

Cole Cornford:

Please, please. It’s internal consulting. I’ve said this to so many people. If they come to me and they said the background is DevSecOps and they brand themselves as a DevSecOps professional, I pretty much immediately disqualified them from being able to participate in my business because that’s not what I try to do. What I try to do is go in, get executives to understand what level of risk they have and then how do they manage it. And that’s about a conversation. And conversations, we tend not to have enough conversations.

Tara Whitehead:

I agree. I agree. So yeah, I’m on the same when I hire. I feel communication influencing is a key pillar. And because of that I’ve got… Well, I’m not running security engineering anymore, but it’s a great team here at MYOB that are all very capable of presenting, facilitating, talking to scary executives or customers or anyone.

Cole Cornford:

Yeah. See that’s the thing. Why do people say that executives are scary? They’re just people. And oftentimes I’d say that they-

Tara Whitehead:

No. They’re not.

Cole Cornford:

We’re not people?

Tara Whitehead:

No. They’re not scary. No, they’re not people. Please no MYOB executive listen to this. I might be up for a job. Someone, if you’re hiring a security engagement manager, please. I’ll let you know in about a week’s time after this release.

Cole Cornford:

Oh my gosh. That is not getting edited out. Executives are not people. Done.

Tara Whitehead:

No, that’s not it. No, no, no. They’re not scary. They are people. They have the same concerns and worries and whatnot. I did a conference last week, the Accounting Business Expo, where I explained to accountancy firms how they can be more secure back in their office. And I was having a chat to some of the other speakers from MYOB, including our executive, and they were the same level as shit scared as I was about walking up on stage. So that was comforting to know. And they do that all the time.

Cole Cornford:

I feel like it never goes away. I, last year, did a tremendous amount of public speaking and I still to this day get a little bit nervous when I walk on a stage. Even if it’s something that I know perfectly well, I know exactly what I talk… I know what the narrative I’m going to convey is. And I know my audience and I still walk on a stage and be like, “Oh, it’s a bit hot up here. Hey, let me drink six liters of water before I…”

Tara Whitehead:

Yeah. But it goes back to they have this… Executives have the same worries, the same nerves, the same fears as we all do. And that helps humanize them.

Cole Cornford:

I think another thing as well is also I find that most executives are also quite happy and comfortable with delegating and understanding where the limitations of their knowledge are because they can’t be in the weeds anymore. They’re ultimately about changing strategically the direction of the company. If they have to know how to triage Fortify results or choose between Snyk or Veracode, then that’s not their job. They just need to know, “Am I solving this problem?” They ask and lean on your advice and are willing to listen and work with you. That’s why you’re hired.

Tara Whitehead:

I think you’ve really jumped onto a really interesting point there about negotiating and influencing with an executive class. They are people who, I guess they are busy and they have to delegate and they trust you to do your job. You don’t need to go to them with every small, little detail about why you want this over that and blah, blah, blah. It’s just about getting their one slide, one pager. Really if you can make it visually beautiful, that always helps too and just be like, “We want this tool. It costs this much. These are going to be the benefits.”

Get in and get out because ultimately at the end of the day they’re busy people. They want to know all the benefits. Maybe they might want to ask you a few questions about what’s this going to cost and not just cost money, but cost the business? How much time, all of that sort of stuff? They do trust you. Don’t go in there and confuse them with lots of details. Just really simple stuff, they get it. They’re smart people.

Cole Cornford:

Right, people remember that executives are people. They’re not robots.

Tara Whitehead:

They’re not robots.

Cole Cornford:

Time has absolutely flown through this. I’ve loved speaking to you. We’ve got some fast questions we can run through. Here’s the first one. It’s what’s the best purchase for less than $100?

Tara Whitehead:

I’d been thinking about this and I had this long thing about self-care and blah, blah, blah, but actually the answer is wine, a good bottle of wine to share with your friends, your family, maybe by yourself in front of the TV. For me, I’m a chardy girl, cool-climate chardy. I know you’re up in Newcastle and I don’t mind a bit of Brokenwood from out that way.

Cole Cornford:

Cricket Pitch is my usual one I get.

Tara Whitehead:

Is that savvy bay, the Cricket Pitch?

Cole Cornford:

Yeah, that’s a savvy bay.

Tara Whitehead:

I am a bit biased to the Victorian, particularly Mornington Peninsula and Yarra Valley chardonnays, pinot noirs.

Cole Cornford:

You’ll have a laugh. One of my mates up here runs a digital forensics firm. He also has a side hustle called Appalachian Hunter, which he just goes and drinks wine from different places around the Hunter Valley. Yes, if you want to go watch him on Twitch, it’s Twitch.TV/AppalachianHunter. There you go.

Tara Whitehead:

I’m actually going to go look that up. I have an Instagram account called 35Wineries if anyone wants to follow. It is so lame. I wanted to do 35Wineries in my 35th year around the sun, didn’t quite get there, but I’m determined to get there this year.

Cole Cornford:

That’s all right. What happens is, like fine wine, you just increase the digit every year and you just mature more wineries.

Tara Whitehead:

That’s it.

Cole Cornford:

Other than Brokenwood, is there any other ones you’d recommend up this way that you like?

Tara Whitehead:

Do you know what? I say this. I don’t really know much about the Hunter Valley. As I said, ask me about the Victorian ones. I’ve been to many, many.

Cole Cornford:

I guess all I’m hearing is that you need to come up to the /NEW conference so that you can make a side hustle to go out to the Hunter Valley the next day. Sound good?

Tara Whitehead:

Yes, I love that. That’s perfect. I mean-

Cole Cornford:

Done, next one, best book to give to aspiring professionals.

Tara Whitehead:

I’ve actually recommended this book to almost everyone in my security engineering team, anyone who comes to me for advice, mentoring. It’s called The Obstacle Is The Way. It’s written by a guy called Ryan Holiday, Holiday, Halliday. He is a modern stoic philosopher.

Cole Cornford:

The Daily Stoic guy, right?

Tara Whitehead:

Yes, that guy, the book is great. It’s bite size. It’s super great for modern lifestyle. You only have to read a couple of pages and each chapter is kind of like its own short story. The whole philosophy is to embrace adversity, as I have I guess, to find the opportunity. It’s just awesome and it also helps make you feel really humble, but appreciative and grateful for the amazing life that we all have.

Cole Cornford:

I think it’s important to do that as well. I think people who work in cybersecurity oftentimes become very bitter and sad. They can’t make the change that they want to see because ultimately they don’t own cybersecurity risk. They’re to advise and to help people make those decisions. If the business chooses not to do things, then that’s their prerogative.

We have a lot of people down below who may realize that it could be a marketing or sales error that they’re not doing correctly, but more than likely I just see people get bitter. Cyber people get paid good money. We get to do interesting work and we work with lovely people. We should be grateful for that, right?

Tara Whitehead:

Absolutely, absolutely, but it’s a good book. It helps frame things. Then, it’s also just the kind of thing that seems a bit counterintuitive like embracing the dark times to find the silver lining I guess, but they happen. If you’ve got a life, if you’re alive, you’re going to have some dark times or some annoying times or something is going to go wrong. What good can you find out of it and run with that? It’s just a great message.

Cole Cornford:

I know that I’ve had a few of those situations in my life. One of them was when my mother passed away when I was working in the ATO. I came back to Newcastle and basically it was just like, “Man, what am I doing just drinking shit tons of whiskey every Friday night and playing Team Fortress 2? I should probably just do something genuinely useful because I have very little time to actually spend with my family, my friends, and I need to make the most of it.”

That set me up to just hustle bloody hard through the last nine years effectively. Now I’m pretty set to be honest, but adversity does really help people grow. I’ve definitely met those who have had to struggle and then those who’ve just had a relatively charmed life.

Tara Whitehead:

I’m really sorry to hear about your mother’s passing. There is something about death that makes you appreciate life a lot more, but it doesn’t have to be something as serious as death or my father’s disability or something like that. It could just be something like, my God, I broke my arm. I don’t know.

Cole Cornford:

My God, I went to a hairdresser and she ruined my hair today.

Tara Whitehead:

Exactly, actually grown in two weeks-

Cole Cornford:

My lasagna is burnt. I have to get KFC now.

Tara Whitehead:

Exactly, exactly, that’s wonderful.

Cole Cornford:

See, silver lining in every single burnt lasagna, that’s all you need. Cool, our last question would be what kind of parting piece of advice would you give to listeners of my podcast?

Tara Whitehead:

I’m going to go back to the stuff we’ve just been talking about. Just be so grateful. Live life to the fullest. We’re only here for a short time. Take that break from work if you need it. Have that extra sleep in for an hour if you really need it. What we do is really important in security and it can be really stressful like you said. It is important to take those breaks and those breathers as needed and embrace the wonderful things that do happen in our lives.

Cole Cornford:

Thank you so much Tara for coming on the Secured podcast. Hopefully, I’ll catch you in an AFL game when I head down to Melbourne next. Sound good?

Tara Whitehead:

Yeah, Sydney, Richmond by the sound of it.

Cole Cornford:

I’ll catch you then. Thanks a lot for listening to this episode of Secured. If you’ve got any feedback at all, feel free to hit us up and let us know. If you’d like to learn more about how Galah Cyber can help keep your business secure, go to GalahCyber.com.au.
