SECURED

Building a Cybersecurity Team with a Difference with Mat Franklin

In this episode, Cole Cornford chats with Mat Franklin, founder and managing director of the consulting firm MF & Associates. Since founding the company in 2019, Mat has quickly grown it to 70 or so employees, with the largest team being a cybersecurity team. With a focus on diversity and representation, MF & Associates is made up of approximately 70% women and has strong representation of LGBTQ+ people and people with disabilities.

In the conversation, Cole and Mat chat about the importance of diversity and representation in tech and cybersecurity, what Mat looks for in a potential employee, what lessons cybersecurity professionals can learn from other industries like health and law, and plenty more.

14:40 – How to improve diversity within a team

17:00 – What Mat looks for in a potential employee during a job interview

19:40 – The stereotype of cybersecurity professionals

20:00 – The movie The Web, and portrayal of cyber in film

24:00 – Cole: example of bad behaviour at a cybersecurity expo

26:30 – How did Mat build his business?

30:40 – Taking inspiration from how other industries operate

31:40 – Mat’s company targeting ex-nurses for employees

33:30 – The importance of brevity in corporate communication

35:50 – It’s not possible or useful to try and know everything in cyber

37:20 – Rapid fire questions

Cole Cornford:

Hi, I’m Cole Cornford and this is Secured, the podcast that dives deep into the world of application security. In this episode, I chat with Mat Franklin, founder and managing director of the consulting firm, MF & Associates.

Mat Franklin:

We hire great diverse people, then we train and apply them to cyber or management or tech consulting, and found that cyber was a place that was really, really, really not as diverse as it needed to be, and it felt a lot like tech in the ’90s, so that was what we wanted to do. We’ve got a 70% women team, I think we’re 30% LGBTIAQ+. The last time we measured there, we’re about I think 30% disability of mobility. That’s part of who we are. It’s what we talk to clients about, it’s how we hire, it’s how we train, and we think it’s what makes us a little bit special.

Cole Cornford:

Founded in 2019, Mat has quickly grown the company to be 70 or so employees, with the largest team being a cybersecurity function. In our conversation, we chat about the importance of diversity and representation in tech and cybersecurity, what Mat looks for in a potential employee, what lessons cybersecurity professionals can learn from other industries like health and law, and plenty more. So, let’s jump right on in.

Cool, all right, so I’m here with Mat Franklin. How are you going, Mat?

Mat Franklin:

Good, Cole. Yourself?

Cole Cornford:

I’m getting cooked. It is super hot in Newcastle. I don’t know about Canberra, but I imagine maybe?

Mat Franklin:

Oh mate, you’re a mining town boy, too. I grew up in Port Hedland, so it’s pretty hot here, but I think it’s all relative, and as long as I’m in air conditioning in a white collar job, I’m just grateful. So far so good.

Cole Cornford:

See, this is one of the problems about work from home, is that you have to actually pay for your air conditioning bills, so I’m a cheapskate.

Mat Franklin:

And I’m suspecting you’ve got a few toys and tech goods and computers in there that are keeping the house nice and warm as well, right?

Cole Cornford:

Especially my office. Now, they’re banned from the rest of the house because they look too ugly. Also my daughter, she’s extremely mobile now, so she’ll like-

Mat Franklin:

That cable looks like fun, let’s pull that out, right?

Cole Cornford:

Everything, it’s like the Nintendo Switch sitting on the corner and then I’m just a few minutes later being like, “Oh, it’s got a shattered screen. How did that happen? I guess I’m going to figure that one out.” She’s definitely a pen tester now.

Mat Franklin:

Has she learned to accidentally break things and then come in like, “Daddy, somebody broke that,” or is it still like that’s being hidden?

Cole Cornford:

No, mostly she just points at things or sometimes later she’ll just be sitting next to something broken and playing with it and then looking at me smiling, being like, “Look what I’ve done.” It’s like, “Yes, great. You pulled all the fur out of the dog toy.” It’s all right.

Mat Franklin:

We’ll start you with infrastructure. We’ll work your way up, this is good.

Cole Cornford:

Well, my other daughter really wants to get into computer security as well. As I said, let’s start with computers, so we’re going to look at buying some just really cheap bits and bolts to just assemble a desktop computer-

Mat Franklin:

Oh, that’s fun.

Cole Cornford:

… And see if she is remotely interested in that, then we can move on to next steps after that because she likes Lego.

Mat Franklin:

Train them young with screwdrivers and making sure they get those sore thumbs from pushing in PC AIR-boards.

Cole Cornford:

Oh, they’re the worst, aren’t they? And the heat sinks?

Mat Franklin:

Every time I go to build a new computer, I’m like, “I’m still checked. I can do this,” and then three hours later I’m like, “All right, that was frustrating. I could have paid somebody 50 bucks for that. I now got sore thumbs,” and it works and I’m very proud of myself, but I forget that it’s annoying until next time.

Cole Cornford:

It’s the same with me with mowing the lawn and being like, “Oh yeah, all of these sticks and grazes and bruises I have from just running it over the bark at the front of my house, I could have totally paid $30 to get up the road to do it.”

Mat Franklin:

That’s it. It’s good with the staff though, because you start telling them water cooling stories and they’re like, “Who are you?” I’m like, “No, no, I used to do this stuff.”

Cole Cornford:

People just assume that we didn’t have this background because I don’t know if people are aware, but me and Mat used to… We got into computers because we’d played games when we were younger, and so we had to build our own machines.

Mat Franklin:

Now, why did I get into computer science? Well, my mom didn’t want me on the computers because it’d give me square eyes, so to get access to a computer, I go into computer science. So, I guess that’s the start of the career.

Cole Cornford:

For me, it was I wanted to build computer games because I really liked Donkey Kong Country and Zelda: Ocarina of Time.

Mat Franklin:

Nice.

Cole Cornford:

Good times.

Mat Franklin:

I was a PC guy.

Cole Cornford:

Ah, I became a PC person. It started out with console games.

Mat Franklin:

Oh, so this was your gateway drug [inaudible 00:04:09]-

Cole Cornford:

Yeah, because all my friends are in high school, they’re all super keen on Counter-Strike 1.6, and Day of Defeat, Doom, Quake, Unreal Tournament, and eventually Team Fortress 2, which is where I sunk a tremendous amount of my youth.

Mat Franklin:

And you might get this growing up in Newcastle, but I was in Gladstone, Port Hedland, and places where the internet wasn’t great. So like PC gaming and then LAN parties, there’s a bit of community around that, and you learned a lot of stuff, which I think was maybe more helpful than the degree in the start.

Cole Cornford:

Well, I found a few things out of it. I felt like everybody I met online was significantly further in their lives and careers to me. They’d either had kids or finished uni and had jobs and mostly were well-educated software engineering types. I grew up in regional Australia in Cessnock, and so for that it was like, “How do we do burnouts or go out to the bush and do some stuff out there?” I’m not so keen on lighting cars on fire versus staying at home and just, I’m shooting people as a Scout in TF2. But yes, this is a cybersecurity podcast, not a nostalgia one. So, let’s kick off with the first question, which is inspired by what we believe at Galah Cyber, which is the bright colors of the galah and what it represents, its openness and its lightness, things that I find are not really common in the cybersecurity industry. So, that really goes for the first question I ask people is, what kind of bird are you and why? Because for me, it’s because galahs are bright pink and obnoxious.

Mat Franklin:

First of all, galah is a good choice. I think we met through a friend of a friend… I think it was Toby who was one of your guests previously.

Cole Cornford:

Yeah.

Mat Franklin:

He said, “Oh, you’ll like him and his favorite color is pink.” And I thought “I will like him. I like that,” and so I think my favorite bird, if I could be any bird, would be a chicken because chicken’s like your workhorse bird. You’ve got people who’d be like, “I’ll be the soaring eagle or the noble wedge-tailed, or something like that.” I’m like, “No, I’m not that fancy.” Chickens are underrated. They lay eggs, they’re lots of fun. I’ve had chickens as a pet, and if you’ve never had chickens as a pet, I thoroughly recommend them. You can teach them to let you walk around with them on your shoulder until they get bigger, and if you train them as a little baby chicks like that, and they’re so cute, they’re about not much more than an egg, they’ll sit on your shoulder and when they grow up, they’ll fly away, and they’ll come back and they’ll land on it, and that’s cool.

Cole Cornford:

My dad had the shock of his life when his partner got a bunch of chickens and they raised these chickens and they got one chicken initially, it was called Penny. He named it, she didn’t, and then she got five other chickens and they were called Penny II, Penny III, Penny IV, Penny V, Penny VI, and my dad got heartbroken when Penny I died, and then I think he cooked it because, why would you waste-

Mat Franklin:

Oh, no.

Cole Cornford:

Just sort of being like, “Mate, Penny, this is why you don’t call your chickens Penny. This is why they’re chickens. They’re literally cattle.” So, at that point my dad decided he wasn’t really going to be good with chickens, and so he’s got an RV and decided he was going to be one of those retirees, not a raise the animals kind.

Mat Franklin:

That makes sense. My parents on both sides used to be farmers, so they’re not softhearted, but when they had kids, we had little yellow chickens, and we went away for holidays when we were maybe three or four, we were really kids, and when I came back from visiting cousins, little yellow chicken had turned into a little black chicken and I thought, “That’s a bit odd.” And mom explained, “No, no, no chicken sometimes when they grow, they change color like that and that’s totally normal.” I thought, “Oh yeah, that’s fine. That’s nice.” Anyway, I found out 20 years later that my little black chicken might’ve been eaten by fox and mom couldn’t find another way to find the same colored chicken, so she told me that story, so that I didn’t take it too hard. I don’t think we would’ve eaten the chicken. Mom was a bit gentle, which is nice.

Cole Cornford:

My dad’s partner grew up on a farm, so she was all about like, “No we got to be… Don’t waste. Why would we bury the chicken? The chickens are meant to… They’re livestock, they’re meant to be consumed.” But yes, it’s good to have pet chickens as well. There’s two sides.

It’d be good to maybe give us a bit of background about yourself and where you came from, Mat. You work for Fujitsu now, but I’ve noted previously you’ve done a lot of different things in your life. So, maybe give us the cliff notes.

Mat Franklin:

I tell this story now. If I discovered consulting earlier in my life, I probably wouldn’t have jumped around as much, but the variety’s been a lot of fun. So, I started working underground in a mine and coaching tennis to pay for uni. I thought sysadmin was the coolest thing there when I had one really good computer science lecturer that sysadmin, so I bought all the uni shirts and did that sort of thing. After that, joined a startup without knowing it was a startup. I come from a family of small business people, so it’s a small business, but we were trying to beat Google, and so would you believe we didn’t beat Google?

Cole Cornford:

Oh.

Mat Franklin:

And when we didn’t beat Google, I took a job at HP pres-ops because I worked out quite like I was better at talking to people than I was at coding. I had a little bit of time at Telstra doing network engineering and strategy sort of stuff. And then during the mining boom decided I’d volunteer to go run a mining company because I figured there was a shortage of labor and young 27-year-old Mat was pretty confident. So, that was a really good experience. They actually said yes, and then I came back to Canberra because I was missing my wife who is the real cybersecurity expert in the family. She’s been doing it for about 20 years and she had a very Canberra-centric job. So, I took a job in defense, did network engineering, ran a team doing that, and then did some military and strategy stuff on a bit more on the dark side. Went to the NDIS because I’ve done a lot of volunteering, I do a lot of pro bono work, I really wanted to help people.

I still love everything the NDIS stands for, that was a hard year. And then got into consulting and I worked for another business for years, started my own, and three years later we were acquired by Fujitsu about two months ago. We grew to about 70 people and our largest team, headed by Laura O’Neill who should absolutely interview next, is a cybersecurity team. And we really got into that because along the way I’d had cyber team work interview. I wasn’t really a cyber person. I’m tech network engineer type, and then when I came in to do some strategy for a key client in the strategy consulting business I was running, he said, “Hey, can you do cyber while you’re here?” I said, “Oh look, it’s not really my thing,” but he sort of convinced me. He said, “It’s not really anybody’s thing. I don’t think the industry is very mature at the moment, so come have a look at it.”

I did a great piece of strategy work. I think I saw that some of the parts of the market that deal with that strategy and governance risk compliance architecture, advising the executive parts of cyber just weren’t as strong as I’d like and I really wanted to honestly just fix that problem. And then through that, our whole company was based around diversity and inclusion. We hired great diverse people and then we trained them either to do cyber or management or tech consulting and found that cyber was a place that was really, really, really not as diverse as it needed to be and it felt a lot like tech in the ’90s. So, that was what we wanted to do, and we’ve got a 70% women team. I think we’re 30% LGBTIAQ+. Last time we measured and were about I think 30% disability of mobility. That’s part of who we are, it’s what we talk to clients about, it’s how we hire, it’s how we train and we think it’s what makes us a little bit special, so that’s why I’m here.

Cole Cornford:

That’s such a good background, going from just being techie-techie, eventually moving over into high level management consulting, and then I also love that you did a lot of volunteering work. I want to do more of that in the future. I’m not really sure whereabouts I should be doing it. I feel like I do enough in the local tech community and with my membership of my local political party, but there’s so many other ways that we could be giving, whether it’s back to Landcare, or going and helping with schools. I’m next year running a cyber schools thing with Investment New South Wales to just try to get-

Mat Franklin:

Oh, nice.

Cole Cornford:

… More girls to not self-select out of IT because they just don’t take the subject.

Mat Franklin:

I used to be on the board of Volunteering Australia, so let me give the New South Wales organization a plug. The Centre for Volunteering in New South Wales is a wonderful resource, wonderful group. If you are wondering about how to get into volunteering, head there and I’d suggest for the sorts of stuff you’re doing, if you want help on how to expand that, professionalize it, make best use of volunteers, they can probably help you with the things you’re already doing as well. They’re a great organization.

Cole Cornford:

Well, there you go. Look at that.

Mat Franklin:

Who knew this was going to be about volunteering, right?

Cole Cornford:

Yes, this is the volunteering podcast as well. Let’s keep away from cyber, it’s too techy, but diversity is something that is really missing. Both of us white men and in leadership positions within the cybersecurity industry, if people aren’t able to look up the chain and see someone that they could be in the future, how are they ever going to aspire if that role model doesn’t exist? And over time we’ve got to do what we can to promote people into those positions. I guess also I know that one thing I find is the tech challenges that people put through can be very exclusionary because then it means that you find people who think more like the people who are traditionally going to go to university, study computer science, and then grind through techie stuff. Whereas the other skills that people bring to the workplace can be overlooked if all you’re looking for is whether they have an OSCP and they can pass a technical hacking exam.

So, what kind of strategies do you use to help identify and help diverse talent get into the cybersecurity industry? Because I’ve had a few guests on who said it’s been really challenging, especially I remember Sam Fariborz told me that it was one of the hardest as both an immigrant and also as just a woman who English wasn’t her primary language. It was a really challenging thing, which she had all the technical background, but no one gave her a shot because it was a boys club still. So, do you have any suggestions for people listening about what they can do to, for lack of a better word, lean in?

Mat Franklin:

Yeah, look, there’s a couple of things, you’ve got to think about, how do you attract people? How do you get them, how do you get access to them? How do you meet people where they are? We go out of our way to try and sponsor organizations like Women in ICT. We do a lot of work with Australian Women in Security Awards run by Abigail Swabey, excellent set of awards, but anywhere that I guess supports the causes that we believe in that are really at the heart of our business, we want to be there, we want to help, we want to support, and they go more broadly too, when we talk about supporting the community that we live in, for 70% of my company that’s women. So, we donate fairly heavily to the Australian [inaudible 00:14:28] Foundation and I think part of it is just being credible in those rooms.

As you said, we’re both obviously straight white blokes, but I know the reason I’m on this podcast is I know that you feel strongly about this as well, so good on you, don’t stop. So, it’s one meeting where they are, but then secondly, I think it’s looking at I guess some of the gatekeeping stuff. So the strongest… And when I say the strongest, we’ve won national awards. [inaudible 00:14:50] individual, won national awards who are the best in their profession. So, when I say the strongest person in our company at risk and strategy has a political science background, but has [inaudible 00:15:00] experience in cyber, you wouldn’t normally pick a person up like that from a CV. Coming out of university, that’s not your candidate, but you look at somebody who’s got I guess an interest that put some work in, I’ve had somebody reach out for me LinkedIn and tell me, “Hey, here are the five things that I know about cyber. What should I look at next and how much I need to learn before I can have a job with you?”

I’m like, “Oh, that’s interesting. Don’t everybody cold call me like that, but I thought that was a really interesting approach.” So, somebody that chose that curiosity about it rather than just a, “Oh yeah, there are jobs in cyber. I can get a job in cyber.” So, anybody with curiosity is getting an interview. Secondly, we look for people that solve problems or that progress. And so even if that’s you started at McDonald’s, and then after three months you were the night shift leader, “Hey, good on you. You’re finding ways, you’ve got in there, you’ve progressed, you’ve done something, you’ve moved on, you’ve looked at improving yourself,” and I’ll look at that in any industry.

But particularly in the cybersecurity where we know we don’t have enough talent at the moment, enough people at the moment, it’s not like the alternative to that person is somebody with a PhD in cyber that’s done 20 years in a SOC. They don’t exist, so if I want to work with raw materials, which we all know we have to, I want diverse people that have had to work hard because they’re more diverse in a lot of cases and they’ve got an interest and they’ve progressed. That’s kind of our key market and there’s a few different ways that we test that, but mainly it’s just how they talk about problems, what they’ve solved, and then when they talk about what we did and how it helped, rather than what I did and why I’m a hero, they’re our people.

Cole Cornford:

I really don’t like that the industry still focuses super heavily on, how do I prove myself to other security professionals? So it’s like, “Yes, I can go do speaking at security conferences, I can go find 0-days in software, I can write open source products,” or whatever. Main thing is that all of these things don’t actually matter to the broader community, they only matter to people in security who recognize what that is, and I guess that’s helpful if you’re looking for your next job, but as an industry, it doesn’t really help our clients all that much.

Mat Franklin:

I have never thought about that, but that is profound. The gatekeeping concept, and unless you’ve bought a black hoodie and you’ve compromised these so many things, you found this many zero days is first of all, that’s part of the cyber job. So, I’m not saying that that’s not, but I think we’re actually doing this without realizing we were doing this. So, thank you for helping me distill this because we hire people that will be able to help our clients and that our clients will respect and that can work on the client’s problems.

What I struggle with when I look at some people that I consider hardly through the pipe, they’re very keen on proving themselves, to your point, the internal, the chief engineers and all the rest of that. You’ve got to be good, you’ve got to do the work, but what I most care about is that you’re there helping the client, they can see that, and they trust you because if they trust you, they’ll let you do your best work. And doing that by being professional with the meeting them where they are rather than being the stereotype like [inaudible 00:17:55] the hoodie, that doesn’t necessarily have good table manners is really what we’re about, and I didn’t realize that… I think your reflection on that’s really strong.

Cole Cornford:

But if you think about it, it’s because the industry is… It’s not that mature, and I know that’s something that you care about is the professionalization of it over time. We have been doing I guess technology for maybe 70, 80 years or something and outside of the startup culture where yes, you can get free lunches and everyone turns up in T-shirts and you have nice offices that are very nice pastel colors on the walls and everyone’s friendly and stuff, but I don’t really think that that kind of culture is one thing, but with security, the culture that’s permeated is the elite hacker who broke into the defense agency or is underground and all of the movies that people watch, which to be fair perpetuate the stereotype, are like this just one guy who has a geeky haircut, who’s terrible with women, can’t communicate, but somehow he’s able to press a button and break into the casino on Ocean’s 11 or The Italian Job. I could just think of heaps of movies. I think more realistically… Have you seen The Web?

Mat Franklin:

I haven’t seen The Web. My favorite ones… Sorry, my least favorite one in terms of accuracy was Swordfish, the gun to the head and the get it done now in 30 seconds, I’m like, “Yeah, okay, that’s not…” I’ll put The Web on the list.

Cole Cornford:

So, The Web is a good one because the basically is a programmer who has access to a system and there’s a backdoor into the system and then this program has whistleblowers for it, and then basically the system’s used by government agencies that trust the system fully, they don’t trust the whistleblower. And so, the people who are using the backdoor just completely erase and manipulate her life because the system was the source of truth. And so, the movie is about her basically going around trying to whistle blow unsuccessfully, but eventually winning because that’s how plots are.

Mat Franklin:

That’s how movies work.

Cole Cornford:

And I can see that realistically happening.

Mat Franklin:

Absolutely.

Cole Cornford:

But, what was it, Die Hard 4 or 5 where there was a hacker who could push a button and get all of the autonomous vehicles to follow in a pathfinding stream motion that’s reminiscent of StarCraft II Marines. Do you know how hard it is?

Mat Franklin:

If I had a superpower, that would be very cool, but I’ve been on the other side of the scene, on some of the defense agencies and it’s a team sport. There’s no one person sitting there doing mastermind stuff. You have teams, you have specialists, you have people who are not good at stuff and people who are okay at stuff and people who are good at stuff, but regardless of the mythology about the elite kid, that’s a good guy, bad guy, whatever it is, nobody does this alone anymore. And so gatekeeping, unless you can recite each one of Kevin Mitnick’s date of birth, social security number, and you can recite from Bruce Schneier’s book, it’s just a bit not relevant. You talked about industry maturity and it’s an interesting one because you go back to early 1900s motorcar and motorcar was like a specialist thing and you had a driver for your car, you probably had a dedicated mechanic.

You can’t afford one unless you’re actually super wealthy and the actual time you get to use that car is maybe in half an hour average a week because the thing breaks down and you’ve got to polish it, you’ve got to oil it, you’ve got to fix it, and you really had to be specialist at it. And it was very much like if you weren’t one of those fancy mechanic types, you couldn’t possibly know what was going on. And these days, all right, we let 15-year-olds get their licenses, there aren’t too many road accidents, it’s very safe, it’s a very mature industry, and it’s like tech in the ’90s, there were people… I’m just old enough that I just missed the dot com bubble boom. I was still at uni, which is good for my career, but there were people that knew HTML that were making hundreds of thousands of dollars a year because they knew HTML.

These days that is something we either outsource or we’ve got other software that writes that for us. Thank you, ChatGPT, and it’s become a skill that doesn’t make you a millionaire. In fact, it makes you become very low in the IT hierarchy and cyber, I hope, because it will mean that we’re a mature industry and we’re actually a lot more secure, will go in that direction. And so, the people that knew a little bit about security a few years ago are millionaires, hopefully we can replicate that not for what it is, but break it into components and make the system of skills and talent more secure in the way that we hire and fire and we think about teams, so that you don’t need to be that one mad genius that happens to run this thing.

And I think it means that culture wise, as you go from the mad genius, when you’re a mad genius, you’re a billionaire, you’re allowed to do anything you want. It’s not very healthy, but as you get more professional and you realize you can break it down into smaller chunks and it’s actually not that hard when you work as a team, then the sort of behaviors and gatekeeping that we were talking about will just disappear because it won’t be tolerated anymore now that it’s a more mature and more approachable and inclusive industry, I hope. So, I’ve seen it elsewhere. I know what’s happening in cyber. I guess I’m just trying to make it a little bit faster.

Cole Cornford:

And I know that there’ll be a lot of people who lament about the fact that the security conferences, the tech talks aren’t as good as they used to be. And it’s like, well, that’s because people are focusing on the right things I’d hope. We’re actually not just considering the… We’ve got to consider the character of the person who’s presenting a talk, as well as the technical content. Whereas in the past you could have people on… I remember Kawaiicon five years ago or Kiwicon back then, someone came onto the stage after drinking three quarters of a bottle of Glenfiddich 12, and he basically went out there, the sort of front row who were laughing at him because he was misspelling stuff in the terminal and then he just started abusing people saying that they need to understand symbolic regressions and that they’re all stupid and they should just go to hell.

And I’m just sitting there being like… It’s kind of an embarrassment that these are the leadership figures that we’re putting on a stage that people aspire to be like, and then if we’re trying to encourage people to move in this direction, because Kiwicon is effectively the same level of notoriety as BSides Canberra, and I can guarantee that Sylvia and Kylie would never let that happen. You can have unqualified professionals who end up on stage and that’s okay, maybe the talk’s not as good, but you don’t have someone come out and just abuse people or just do those kind of behaviors. So, I’m sure he is doing fine for himself.

Mat Franklin:

In any room that we’re in, we want people to feel comfortable and welcome and included, and that’s our job as leaders, whether it’s of companies or organizations or tiny teams, just ourselves. What can I do to make sure that this is a room that other people are comfortable in, where they feel they can contribute? And is one guy getting on the stage and being a racist going to ruin an industry? No, but we need to keep diminishing that and celebrating the diverse voices and the mature voices that recognize that we need to head in a more inclusive, a better direction because every person in every one of those cons, there are a few black hats there I guess, but all the rest of us are on the same side. Whether you’re government, whether you’re in a large company, whether you’re a consultant or a service provider, we’re all trying to make each other more secure.

Cole Cornford:

That’s it.

Mat Franklin:

You can’t do that if we’re not communicating, or excluding others.

Cole Cornford:

That’s probably something that’s probably good to move on to is that you’ve been able to build a business with these core values in the ground up. And I know a lot of people say it’s very hard to even just start building a business, let alone building one where you’re seemingly taking things that are difficult to instill and usually become important for late stage companies, not so much the ones who are just struggling with problems like just getting a couple of sales through or managing cashflow effectively. So, how are you able to start off with just growing your business initially and then having these values in part and built into your company from the ground up?

Mat Franklin:

I’m lucky that I’ve got people around me that I’ve learned from as I’ve gone. I’ve met a lot of very impressive people that’s done really well in different companies. And I’ve looked a lot at that and go, “Okay, I want to try and do that,” and then I’ve also worked in… I’ve hopped around in enough companies that organizations where I’ve seen where I go, “No, I want to exactly not do that,” and sometimes you learn the best lessons from those ones, from the experience that you have and the experience you see others having in other companies. And so, I guess I was an accidental company founder. I don’t think I’ve ever actually used the word founder, but I founded a company, let’s try to emphasize, because I wasn’t enjoying where I was and I’d left another role a year earlier and I thought, “Well, I want to start a company and maybe it’ll work, maybe it won’t, but let’s do it my way.”

And I say that because founding a company, as you’d know, is a lot of work and just watch other people really, really struggle with it. And so if I’m doing it my way, I want to make sure that we start with the values in mind. And I said, “If we need to hire the wrong sort of people to make a lot of money, I don’t really want to do that.” So, that’s I guess a decision that we made upfront and we’ve been very successful, made good money, that’s wonderful, but my wildest dream when I started this thing was this was going to go one of two ways. I thought downside, I’ll wind up in a year and I’ll go back and be an executive to somebody else. I like being an executive, no problem with that. I’m used to having bosses. I don’t want a small business owner’s heart.

And then the second thing was my wildest dream was we have a company between five and 10, after five years, and we’d all be very kumbaya, try to do the right thing, we’d make enough money that we’re all happy and we’d work with just a few clients and that’d be okay because I’d get what we were trying to do. That was my A-grade outcome. And so, to have grown as fast as we did, we won some wars along the way, which has been really nice, and to be recognized for the fact that we have focus on our values and our diversity and being a good place to work, that is an order of magnitude above what I thought the best outcome was, but we started with values because that’s what we cared about. That’s the sort of organization we want working.

Cole Cornford:

That’s fantastic. I’ve got a lot of values myself that I instill. It came with the professionalization. I don’t think we listen to people enough about what they actually want from cybersecurity professionals. We’re still being asked to do effectively IT quality that we can’t control as our core business. That’s something that should be managed by IT teams, they should just do their jobs correctly, but they don’t, and so we have jobs to pen test it.

Mat Franklin:

Well, and I’ve got some pen test that I think work with clients really well, and I think to your earlier point, it’s almost that stereotype of who we help them idolize that actually is probably holding that back because I think we built up this mythology of the pen test and OSCP and other related quals, and first of all, I’ve got a few friends that haven’t done computer science, that worked in tech that decided to OSCP out of interest in holidays a couple of years ago. Very smart guy, but he didn’t find it that hard.

And so then when we gatekeep around that sort of thing, and unless you belong to this particular… Look, this is me being old IRC channel or board, whatever else, you’re not one of us. I just think it’s not particularly helpful, and then you meet a few really good pen testers that one, treat people the right way, but two, also talk to clients about what matters to them, rather than using colorful language and abusing them and looking down on them for not having the most secure system, and I think that’s really impressive. We just need more people like that.

Cole Cornford:

And that’s why I really want to try to at least at my company, try to provide and look at giving an alternative to just do a pen test for compliance’s sake, but never read the report. Instead it’s like, okay, I’m doing a penetration test and the people have actually listened to me about things that I care about. And then they went and specifically targeted those kinds of things and then they gave me a good experience afterwards to say, “Hey, I’m so happy that you’re able to work with me to actually resolve the issues post instead of just staying there flipping a report over the fence. Sorry, I’ve got another two week test to run off to. Don’t have time to chat with you about anything else.” So, I guess it’s one of the good things about looking at fields outside of the cybersecurity field and how they approach things.

I’ve been privileged to be involved with a lot of people work in the medical industry and also politics. In both of those fields, I guess medicine has an extremely low risk tolerance. They are not happy. They have procedures in place to make sure that you cannot make mistakes, unless you’ve messed up in a procedure in some capacity, the processes is that, and the people are extremely professional and get actively selected out with UMAT or other admissions testing if they’re not someone that makes a person feel comfortable. And I don’t think we should be gatekeeping on whether someone’s easy to talk to, but it certainly helps and I feel like it’s a skill that you can still teach people, just throw a bunch of how to win friends of people, I guess start from there. You can tell them to stop being bitter to each other.

Mat Franklin:

100%, actually, I’ll tell you a story about this. It relates to your previous one as well. I don’t have the numbers, but I feel like it’d be about half a dozen the last couple of years. We had about half a dozen nurses and pre-med decided not to do medicine and came to us instead, and we now almost deliberately target ex-nurses because I think you’ve got a work ethic, you’ve studied something, you’ve had to work hard. There’s a lot of caring and being focused on the patient and you understand that you’re a part of a bigger system. And I think there’s just a lot of those traits just really work nicely with cybersecurity and consulting for that matter, but it comes into how you communicate as well, because I’m not going to plug us or sandbag anybody else, but we had a competing company advising a CISO, one of our biggest clients.

And I knew the guy, much better at cyber than me. The guy’s eminent, he knows what he’s doing, but he gave a two-minute ramble… Tech ramble might be a bit much, but basically a tech ramble, and the CISO turned to the younger diverse woman who was working for me as I think she’s a consultant at the time, we promoted her pretty soon after that, and said, “Okay, yeah, but what do you think I should do?” And this person had been in cyber for six months, said, “All right, well, I think this is the issue. I think this is the real risk that we’re talking about, and in your position for the organization, I think this is the best option for this reason.”

And took her about 30 seconds, but she was talking to that client on their level, answering the questions and the issues that they had, rather than showing off about how much she knew about the tech or knew about cyber. And the client went, “Yep, all right, thanks, we’ll do that,” and walked off. And it’s not to say that you don’t need that deep tech background. I put her in a CCIE classroom or an OSCP against that guy, he’d win, no question, but I really found a lot of talent outside of cyber that’s been really effective in cyber.

Cole Cornford:

And I guess as you move up the chain and have to make decisions that are more macro, instead of micro level, then the conversation’s going to be a lot more about they don’t have time to listen to a five-minute tech spiel. I see PowerPoint decks from people, some of my clients, so they’re trying to convince someone to do something and the deck is like 60, 70 slides long and I’m sitting there thinking to myself, “That’s too much. If you use this, you’re not going to be able to influence the other person because they’re going to tune out after slide two.”

In fact, probably another good metric is just for B2B sales. If you can’t convince someone to stay on the phone after the first 10 seconds of your phone call, it doesn’t matter what next 30 minutes of that phone call are. First 10 seconds matter, and I figure it’s exactly the same with public speaking, with establishing credibility in a meeting is building rapport and it doesn’t come naturally to people. It’s a skill that you can learn, and I like the idea of going to other disciplines where it’s ingrained, so medicine, law… Law is another place I think would be a really good place to get it because they-

Mat Franklin:

I’ve got a few lawyers.

Cole Cornford:

There you go. They understand the [inaudible 00:33:42] model at the very least as well and have a strong work ethic.

Mat Franklin:

Well, this is the thing. So, I did a year of law before I dropped out of law. I wasn’t very good at law. I’m not good at reading that many cases, but when I was in year 12 and I was doing legal studies, a law professor came along and I was a young kid in front of class who was ready to get top marks and shoot for the moon. And I said, “What was the most useful thing that you did in high school to get you ready for practicing law?” And he said, “Math.” I went, “Oh, that’s weird. How does that work?” He said, “Well, law is a study of logic and cause and effect and just applying that to novel situations.” And then so you go to computer science and you start looking at cyber and you think, actually that mindset is totally right. And so, we’ve got a few lawyers at the moment and they’re usually particularly effective. We’ve got to make sure we get the tech into them, but they think the right way.

Cole Cornford:

And that’s the thing, you can always give people who studied a university book some kind of technical guides and they can just smash through that content relatively quickly. They’re not software engineers, they’re not building applications, they’re advising around the applications themselves or following a methodology. It’s rare that we’re going to be employing people who need to understand everything. And if they are, they’re probably partners or directors in a firm because they’re good enough.

Mat Franklin:

Well, that’s it. I think you can’t really have a mature industry if somebody has to know everything. There’s too much knowledge and if there’s not too much knowledge, you’re going to be inventing it at such a fast rate that really quickly there’ll be too much knowledge. So, to set out to know everything and get every cert, and I see the guys that go like, “Here are my 40 certs.” I’m like, “Oh, that’s cool, but are they relevant to what you’re actually trying to do today?” And I think they’re wonderful, you learn a lot, but at the end of the day, we’re here to solve problems. When we’re hired, at least as consultants, and I think it both applies when you’re in companies as well, it’s what problem are you going to solve? Can you solve that problem? Great, solve it, and then how do we make it better next time? How do we eliminate the problem so it doesn’t happen again and then we move on to the next thing.

Cole Cornford:

I also think that the people who are cert collectors, I don’t know, I feel like if you’re busy collecting certifications, you’re not solving problems. You’re just adding to your resume.

Mat Franklin:

I love learning, so I’m not actually taking a crack at certs. I’m just saying having certs enough isn’t enough. You’ve got to be like, “All right, why did you do that?” [inaudible 00:35:54] CV. No, why do you do that? Because I learned this thing and I can apply it over here. I think about 90% of tech by going, all people seem to need data models, always high stack, where’s the thing happening? I kind of understand what we’re all talking about now and start piecing it together and sure, there’s a lot more stuff anybody agree and I technically used to be a coder, wouldn’t hire me to do code, but as long as you understand the fundamentals to have a view of the world and then you’re a specialist where you need to be, you’ll do well.

Cole Cornford:

There we go. It’ll be a specialist where we need to be. So, that might move me on to my fast round questions for you, Mat. So, the first I’ve got for you is for $100, what would you buy someone for Christmas?

Mat Franklin:

I need to do this right now.

Cole Cornford:

There you go.

Mat Franklin:

A nice bottle of red wine, a black notebook for all the golfs in my family, or I buy people massages, blokes too. Everybody loves a massage. It makes everybody feel better.

Cole Cornford:

Oh, that’s amazing. It’s funny, actually, my wife was asking me and I was just embarrassed to tell her that I would just love to have a remedial massage done for like two hours straight.

Mat Franklin:

Oh, 100%.

Cole Cornford:

You sit in a chair all the time, or you’re traveling on a plane and stuff and it’s got creaky muscles. It just makes sense to get rid of all that fascia and just push it all out.

Mat Franklin:

Absolutely, it was funny, we did this actually two Christmases ago, we had about 10 people, 20 people in the company at the time. I bought, I think, 10 vouchers for a really nice meal, 10 vouchers for day spa massage, all but one of the blokes took the massages when they had the option to without having to go out there and buy it themselves. So, for everybody out there, buy the guys in your life massages or day spas, we need it too.

Cole Cornford:

And this is why Mat has got his complexion, his beautiful skin.

Mat Franklin:

I can thank my parents for that, good genes.

Cole Cornford:

Cool, next one for you would be, what book would you give to someone looking to transition into cybersecurity?

Mat Franklin:

What book would I give somebody? Anything by Bruce Schneier or the ISM because I’m a government guy. And I’ve said that because I think Bruce Schneier’s interesting if you like that [inaudible 00:38:04]. And then secondly, if you can get through a bit of the ISM without losing heart, I’m like, “Okay, you’ve got enough. I think you’re cut out for this. You could do this,” because if getting into some of the details and stuff that you might find personally boring is going to turn you off the industry, let me save you three years of your life.

Cole Cornford:

I remember when I started out, I did actually spend a lot of time reading the ISM because I thought it was really cool all the things that they do for security. And I think even the PSPF when we started talking about things like the wiring needs to be certain colors or the vents need to not fit a human head. And I’m just being like, “So all of these bloody hacker movies that people just crawl through the vents have actually been solved with data security protections for 20 years?”

Mat Franklin:

Oh, I used to run the [inaudible 00:38:49] defense and we used to have our own separate manual for that sort of stuff. I found it one day and I’m like, “Why do we have a different cabling stand than all the rest of it?” They’re like, “Ah, because we make up the rules.” They fixed that a few years later, so it all became decoded, but I think for a couple of years there we were using the easier version, so we could comply with it.

Cole Cornford:

Cool, and I guess one more, so what’s someone that you look up to that you tell other people we follow?

Mat Franklin:

Who do I look up to? I would say actually my first boss. My first boss would be Leslie Butterfield. She was a Telstra Business Woman of the Year. She was an engineer in the ’70s and ’80s, before that was an okay thing for a woman to do. She worked for Telstra, so she transitioned into technology stuff and then I met her because I was her baby IT manager as a 17-year-old with long red hair and a suit jacket that mom gave me to wear to the interview, and I looked after her like 50 person companies, laptop… Not really even laptops and desktops, and I remember that I sat with her at lunch once and I was trying to work out what a CEO did. I said, “So, I guess you’re a really good decision maker and you make the hard decisions. Is that right?” She said, “You’re not far off.” And then after that, she actually gave me a fair bit of time and I consider her my first mentor and learned a lot from her.

Cole Cornford:

It’s good to have those people early in your career. I’ve been super privileged myself to have really good mentors throughout mine. Well, Mat, thank you so much for coming on Secured. It’s been an absolute pleasure. Is there anything else that you want to say before we wrap up?

Mat Franklin:

No, I just want to say thanks for having me, loved talking to you. Big shout out Galah. They do great tech stuff. They’ve chosen my favorite color, pink, and it was an absolute pleasure to be on the show, thanks.

Cole Cornford:

Thanks, Mat. Thank you for listening to this episode of Secured. We hope you enjoyed today’s conversation. Don’t forget to follow the podcast on your favorite platform and leave us a review. Want some more content like the above? Why not subscribe to our newsletter at galahcyber.com.au/newsletter and get high quality apps and content straight to your mailbox. Stay safe, stay secure. I’ll see you next episode.