SECURED

Systems Thinking in Cybersecurity: A Conversation with Michael Collins

The cybersecurity industry is made up of people from all sorts of different backgrounds, and Michael Collins is a perfect example. After spending 8 years in the Australian Navy, Michael moved to Cairns and became a diving instructor. After 5 years, Michael decided it was time for a career change and enrolled in a course to become a Microsoft Certified Systems Engineer. Today, he’s Chief Information Security Officer at Judo Bank. In this episode we chat about how Michael has managed major transitions in his career, the importance of aligning cybersecurity strategies with business goals, systems thinking as a framework for approaching cybersecurity, and plenty more.


Systems Thinking Made Simple – by Derek Cabrera:

https://www.amazon.com.au/Systems-Thinking-Made-Simple-Problems/dp/1520740492

2:20 – A good summary of Judo Bank

7:10 – How Michael became a CISO

9:00 – How Michael almost bailed on his cybersecurity training after day one

12:00 – The joys of scuba diving

14:30 – Advantages of systems thinking

16:30 – How someone can get started with systems thinking

17:40 – DSRP thinking (Distinctions, Systems, Relationships and Perspectives)

24:20 – Delivering AppSec by meeting the business where it is, not being idealistic

25:20 – “It’s not all about downsides”, businesses succeed by taking risks

27:10 – How we can promote more business-mindedness in cyber

32:50 – Michael’s transition from techie role to CISO

39:50 – Cole: “Leadership is a funny thing”

43:30 – Rapid fire questions

Cole:

Hi. I’m Cole Cornford, and this is Secured, the podcast that dives deep into the world of application security. A recurring theme of this podcast is the way the cybersecurity industry is made up of people from all sorts of different backgrounds, not just the cliched, nerdy techie type. My guest this episode is Michael Collins, and he’s a perfect example. After spending eight years in the Navy, he moved to Cairns and became a diving instructor. After about five years or so, he decided it was time for a career change, and enrolled in a course to become an MCSE.

Michael:

Yeah, went and did the course, almost bailed after day one. I went in there and all they talked about was bridges and routers and switches, and I was just bamboozled. I had no clue what they were talking about. Went outside, got in the car, my wife picked me up. She said, “How’d it go?” I said, “I’ve made a huge mistake. I can’t understand a word they’re saying.”

Cole:

While it was a bit of a bumpy start, he stuck it out, and today he’s the Chief Information Security Officer at Judo Bank. So in this episode we talk a lot about how he’s managed these transitions in his career, the importance of aligning your cyber strategies with business goals, using systems thinking as a framework for approaching cybersecurity, and plenty more. So let’s jump right on in.

And hello, Mike. How are you going?

Michael:

Great, Cole. Yeah, doing really well. It’s great to be here.

Cole:

It’s a pleasure to have you on. You are over at Judo as the CISO, right?

Michael:

Yes. Yeah, I’ve been there for two years now, so it’s been an exciting two years.

Cole:

I can imagine, going up to it as being part of a challenger bank, as a mid-market bank. I don’t know how to describe Judo Business Bank.

Michael:

Yeah. It is hard to describe, because we are relatively unique, both in Australia and the world. So, we are a startup moving… Well, we were a startup, now classified as a scale-up, and yes, a challenger bank in that we’re challenging the traditional monopoly in Australia. So, we focus just on small and medium business lending. And our value proposition, I guess, is that we are a relationship-based bank, so it’s very much about having bankers that meet with the small to medium businesses, learn and understand what they’re doing, rather than just look at the financial statements. So it’s very much about understanding their people, their motivation, their culture, and taking that into consideration when we’re looking at [inaudible 00:02:21] financing their operations. And small to medium businesses, as you’d appreciate, are the engine room of the Australian economy, so it’s a really exciting time to be supporting that part of the market.

Cole:

Well, I’m sold. I better go to Judo Bank and get stuff tomorrow. Right?

Michael:

Yeah. Yeah. Although the disclaimer, I cannot provide financial advice. I’m not licensed, but…

Cole:

That’s all right. Do I need money? I don’t know, maybe. But it is a good space to be, because I feel like you’ve got the north end of the market, which is the Prospers and stuff, who basically are huge interest rates, very low collateral, money’s available up front, and then you’ve got the other end of the market, which is your typical Big Four, where they’re just going to ask you, “Can I have the house as security?”

Michael:

Yes.

Cole:

I like the idea that there’s middle entrants in the market who probably can speak to me and help me out, because I really felt I struggled on both ends, to be honest, to access any kind of financing. But let’s move away from boring, business-y finance discussions, and move into the best and most important question, which is what kind of bird are you and why?

Michael:

Yeah. So, I would characterize myself as the bird that probably harassed me when I was younger, which was the magpie. And I think because they have a softer side. When you look at them, they look like a real hard-ass bird. They got the big beak, they strut around, they got the evil eyes, but yet when you actually get friendly with them, they’re quite interactive.

And a little story, last year during, or maybe a little bit longer, in COVID, we had a baby magpie out in our front yard that had obviously lost connection with his parents who were in the area. And so my kids and I went out there, and we were just trying to get a little bit closer, a little bit closer, and the baby magpie was just looking at us, and then we started to back away, and it came a little bit closer, and we started to walk back to the house, and it followed us back to the front door literally, and just sat outside the house for a couple of hours, until he eventually realized that his mom was calling him, and then he thought, okay, that’s not my family, my family’s up in the tree, and took off again.

So I think there’s a bit of a stigma. Yes, they will attack you, but they’re being protective for their children, but they are quite friendly, as we probably saw in that movie Bloom, which was amazing. So that’s what I’d like to think of, a person with a hard exterior, but a soft inside.

Cole:

I was going to say, do you actively attack people when they ride bikes near your house?

Michael:

Yeah, if they’re riding over my freshly mowed lawn or doing something like that, I’ll have a go at them, but no.

Cole:

I also have many memories of being attacked as both a child and also as a young adult.

Michael:

Yes.

Cole:

I was in Canberra, I used to go bike riding around… It was a lake in Gungahlin up the north, and I don’t even remember what it’s called. I ended up taking the long route via Amaroo, which is where the housing estate and Moncrieff housing estate area is, because it was completely bare. There were no trees, because the short way to go to the lake was the deathtrap of 50 magpies would come and get you, but if I decided to go via the housing estates where there was literally no trees, it would be another 30 minutes, which was good for my exercise and fitness, but I wouldn’t die and be having a heart attack on the way to the lake to walk around it.

Michael:

Yeah. That can be pretty brutal.

Cole:

Yeah. But magpie’s good, mate. I like hearing when people say that [inaudible 00:05:55] the hard exterior, and they’re aggressive, but they can be really friendly, when you…

Michael:

Yeah.

Cole:

So I’m hoping we can be friends, right?

Michael:

Yes. Yeah. Yeah. You’re safe so far.

Cole:

I’ll just give you some mincemeat in the mail. There we go. Sort it out.

Michael:

Cool.

Cole:

So let’s move on from that. I’d like to know a bit about your journey to eventually become a CISO, because we’ve had a number of CISOs on the podcast in the past, and most of them have had fairly interesting and unique pathways to even get to that, effectively the top rung of the cybersecurity leadership. So, where did you start out and how did you move in that direction?

Michael:

Yeah. It certainly wasn’t where I planned to be. I grew up in Western Queensland in a number of different places. We moved around as a family. My dad was in the ambulance, so he got transferred around a lot. Finished high school in Roma, Southwest Queensland, so way out west. Wasn’t a real lot of opportunities out there. And from there I decided I wanted to get out and see the world and travel, so I joined the Navy. Spent eight-odd years in the Royal Australian Navy, doing a number of different roles, and one of the trainings I undertook in the Navy was to be a ship’s diver, which got me to experience diving on ships, diving in harbors and areas around the coast. And when I got out of the Navy, I thought, well, I’d like to do this recreationally, so I went to Cairns and became a diving instructor. Spent five years up there teaching people how to dive and taking backpackers and travelers out onto the reef. Did that for five years. Great lifestyle, no money in it.

Cole:

That’s always a problem, isn’t it?

Michael:

Yeah. And then settled down, met my wife, and realized I need to be a little bit more financially stable, and also started having a lot of issues with my ears. So the doc said, “You need to try something else.” So, IT or the internet had just recently been released, and saw an ad in the paper that said Microsoft Certified Systems Engineers wanted, earn up to $30,000 a year. I thought, oh my God, that’s amazing. So went and did the course, did six weeks, became the proverbial what they called at the time a paper MCSE, so someone with certification but no experience.

Cole:

Yep. The [inaudible 00:08:17].

Michael:

Yeah. Almost bailed after day one. I went in there and all they talked about was bridges and routers and switches, and I was just bamboozled. I had no clue what they were talking about. Went outside, got in the car, my wife picked me up. She said, “How’d it go?” I said, “I’ve made a huge mistake. I can’t understand a word they’re saying.” So she was like, “Well, just keep going. You’ll pick it up.” And at the end of six weeks, got through the course, did the exams, and picked up a job in a small IT company in Cairns. And that sort of kicked off the technology path of the career, and from there, traveled to the UK, did work over there, working for a large financial services company. My daughter was born in the UK, then we came back to… So it got a bit tough with being away from the family, because my wife’s a Kiwi and her parents are in New Zealand.

So, went back to New Zealand, got a job working for EDS, which was a large service provider at the time, a global service provider. They’d just stood up an offshore operation in Auckland. Did four years there managing a production engineering team, and as part of that team, we had five or six different functional areas. One of those was infrastructure, which had a security element to it. There was a network security team. Gradually got introduced to the large scale security capability [inaudible 00:09:43] working on General Motors in North America at the time, was one of our clients. And that was the introduction into understanding how security works in large firms and large enterprises. And from there, I’ve just gradually moved through a number of different roles, and security’s always been an element of it. And now I’m lucky enough to get to do it full-time.

Cole:

And the top dog as well.

Michael:

Yeah, yeah. Top dog in a big kennel.

Cole:

That’s a really amazing story. Being a diving instructor is not something I would have… I wouldn’t have figured diving instructor at all in your history. I know a couple other people I’ve had, they studied gender studies, or they come from all sorts of other backgrounds into security, but I wouldn’t have thought about diving instructor at all.

Michael:

Yeah. Long blonde hair, suntan, prancing around in Speedos.

Cole:

So, do you still go back and do diving yourself, or is that done now because of your ears?

Michael:

No, I definitely do do it. We just came back, my wife and I spent a week in Fiji, so did some diving over there. Still have issues with the ears, so just spent the last week shaking off an ear infection, that’s something that I just tend to get after most diving trips. But we certified both of our children in diving as soon as they were young enough to do the course, so they’re both active divers, and I think it’s just another world down there.

It’s just a way of… It’s the closest you’d get to being in space, I think, which Chris Hadfield at CyberCon recently said as well, when someone asked him, “What’s the nearest to being in space?” And he said, “Scuba diving.” And it literally is. You’re just weightless, in another world, breathing underwater. People say it’s quite foreign to them, and a lot of people are scared about breathing underwater, but what I used to say with people who were starting out diving in the course was, you did it for the first nine months of your life. You were literally immersed in liquid breathing, so you just need to go back to the beginning of your life really, and realize you can do it.

Cole:

Just go back to your roots, right?

Michael:

Yeah, exactly.

Cole:

Yeah. So diving’s… Obviously moving into, we do all have changes in our lives. I’ve got two kids myself, and two to three years ago I was planning to move to San Francisco. I’d signed a role up with change.org as director of security, and I was just ready to get on the plane and go overseas, and now look at me here running my own business and having two young daughters who like to play video games with me, or open doors when I don’t want them to, which is…

Michael:

Yeah.

Cole:

Yeah. They’re good at that. I’m learning that the security controls that I thought were effective are not as effective as I thought, so they’re definitely ready to be testing that. The most recent one that I discovered is, they’ve got these little adhesive squares that you put onto staircase corners, so that when they try to walk upstairs, if they fall, they won’t hit their head on the adhesive, it’ll bounce off and they’ll feel okay. Anyway, I discovered that she had just ripped off four of them and was just throwing them around. She just literally pulled them off and started playing with them like toys. And then she donked her head on one of the stairs. And I’m just sitting there thinking to myself this, am I just living my own job, but at home?

Michael:

Yeah. Yeah. Well, that’s human nature. People make their decisions and do what they need to do with what’s in front of them at the time, and they’re not always thinking about what’s the best thing for the collective organization. They’re just thinking, what do I need to do to achieve my objective at this point? It’s human behavior.

Cole:

This is probably a good segue into systems thinking, actually, which I know is something you’re quite passionate about. So for my audience, would you be able to just do a high level summary about what systems thinking is, and why people in security should be looking at that approach versus just a traditional checklist?

Michael:

When I got into technology and security in general, it very much was with an engineering focus. You built things, and it had that mechanical linear element to it, and you become very focused and narrow in your view of what you’re trying to do or what you’re trying to build or the solution you’re trying to implement. And what systems thinking does is it forces you to sit back, to pull back, and look at the bigger picture. So it’s okay to dive into the details, but when you stay there at that level, you miss the big things, and you miss things like, who is going to be affected by the solution that you’re putting in? What’s the different use cases that you need to consider? How does this system figure into the larger ecosystem? And so system thinking is about being able to ultimately think about how you’re thinking, and take into consideration a number of different aspects and different levels and different perspectives to give you a more holistic view of the problem that you’re trying to solve.

Cole:

It reminds me of a quote from one of the security companies, I can’t remember what, where it was like defenders think in lists, and attackers think in graphs. You’re an engineer, you understand that if you represent a system as a graph like circles and lines, it’s a lot easier to represent and think about, what does a business do? Who are the actors that interact with these systems? Where do they interact with them from? Instead of, I’m going to test for input validation, for logging. I feel like this kind of approach nowadays isn’t a good return on investment versus, what does the system look like, and where does my business really drive revenue, and where are the biggest problems that I need to be addressing?

Michael:

Yes.

Cole:

How would someone get started with systems thinking, then?

Michael:

Yeah. Look, it can happen a number of ways. I guess I approached it from trying to understand how people think and make decisions in situations where you’ve got a lot of uncertainty or time pressures. And that sort of led me down the path of understanding or researching decision-making theory where there’s two schools of thought. There’s the rational people that look at a probability model and the likelihood of an outcome happening and what the potential consequences should be. And there is a role that that type of approach has in what you’re looking at from a cybersecurity perspective. But there’s also the thing that we often overlook, which is our natural intuition and our gut feeling and the simple rules that people follow that they often don’t know about.

And I think… So, trying to understand how we think then led me into the whole domain about thinking and cognition. And then you discover people like Peter Senge who came out with The Fifth Discipline, which was one of the more popular books about systems thinking. And then you realize that there’s a whole world of research and approaches to systems thinking, and so then you explore all the different theories and methodologies.

Where I eventually landed, which is where my primary focus is now, is around what they call DSRP theory. So, four letters. D stands for distinctions. So that’s, as you’d appreciate, when you’re doing any sort of threat modeling, distinctions is about understanding what the boundaries are, what you include and what you exclude, not only relevant for security, but also just in our lives in general. So when we name something or we label it or we group it or put it in a category, we’re by definition putting a boundary around it, but we’re also excluding a lot of other things, consciously or unconsciously.

The second letter is S, which is about systems, and touch briefly on that. So it’s about understanding the parts of the whole, and also that the whole could be part of another larger whole.

Then you’ve got R, which is about relationships. So, relationships can be understanding, what are the relationships between the parts of the system? And for every relationship there’s an action and a reaction. That could be an emotional action or a reaction, it could be physical, it could be financial, it could be a number of different things.

And then the last letter P is about perspectives. So, that’s acknowledging that we often see things from our own perspective, and the research shows that almost 98% of people only look at something from their own perspective and fail to consider other perspectives. So, being able to think about those four rules, when you’re looking at a solution, a challenge, an idea, opens up a whole broader perspective and view on what you’re looking at.

And that’s something that, whether you like it or not, you are consciously and simultaneously applying those four rules to everything you do every minute of every day. But because most people don’t realize it or appreciate it, what happens is you start to form biases. So, perspective is a classic one. We see things from our own position, we have biases, we think we’re right, that the world is the way we look at it, but we fail to appreciate that there’s many other people that have a perspective which could be different to ours. So, that’s where having an appreciation of what those four simple rules are, when you think about any situation, again, just opens up a lot of options, and most people don’t even stop and pause to think about those four aspects of everything that we’re looking at.

Cole:

What I really like about this system is, it’s completely away from IT. We’ve just turned security from we have an IT challenge, to we have a business challenge, and we think about distinctions, or we just look at system alone. When we talk in systems and IT, often people think we have a cloud environment, and this cloud environment runs these applications, and they’re networked and something like that. But then that’s where the distinction is for their view, their perspective, is this is the business, is this cloud environment. But if you take your view of it instead it’s, what are the business processes that are enabled by this cloud environment? Who is using the systems like this cloud environment? Why are they using it? Who do they talk to? And that gives you a more full understanding about what kind of areas of risk exist in your organization. And it may not be the cloud environment you have to look at. It could just literally be the people who interact with the cloud environment who are the problem instead.

Michael:

Yes.

Cole:

I really like this approach, because if you go up to a senior executive, you don’t use the term cloud environment. You can actually directly point it to something they understand, and most executives understand their business very intimately, even if they don’t understand the details happening underneath it. Right?

Michael:

Yeah. No, you hit the nail right on the head there, Cole. And that’s I think the difference between people early on in their career that are very technically savvy, very good at what they do, but aren’t yet equipped with the skills to be able to make that bridge between what they do and what the business does. And I think that is where, certainly in my experience, starting to take that systems thinking approach and applying those four rules really allows you, exactly to your point, to start conversing in language that they understand.

And back to relationships, you take the action to meet them where they are, they react by going, “Well, you’re actually here to help me, you’re not here to hinder me.” And so you can apply this literally anywhere, but it’s very powerful, I think, and something that’s been lacking in the cybersecurity domain, because we’ve been so technically focused, and being damn good at what we do from a technical perspective, but using language that no-one else understands.

Cole:

Yeah. I gave a presentation about a month back at Parliament House, where I talked about how the industry measures its success by patting itself on the back, not by how we help other people, and how we intentionally use language that’s militaristic. And as soon as we start talking with those terms, we’re alienating a lot of people who have had no exposure to cybersecurity or the military. So if you start saying “brute force attacks,” because I don’t know, that seems pretty militaristic to me, threat modeling or threat intelligence, defense in depth, red-teaming. All the analogies we use in our industry are related directly to live combat, and shape our perspectives and narratives to view things from an us versus them perspective.

And because cyber was a fairly immature industry, and also a lot of people were just [inaudible 00:22:48] who like to just figure out how things worked, that’s kind of… I can see how [inaudible 00:22:56] and your blog write-ups and your black hat presentations are how people value each other’s expertise, but we shouldn’t be going out into the industry and having our self-worth dependent on what other industry peers view of us. It should be the customers that we interact with and the stakeholders and the people that we do meaningful work with to help keep their information safe, to help keep their systems online, to just take care of our population, honestly.

I don’t know. I’ve worked in application security for a very long time, and I feel like almost all of the discussions I have nowadays are with a similar approach. It’s just going up to the top and saying, “What are you trying to achieve with your business? Where do you earn revenue? Where’s your cash flow come in? What kind of systems and people matter in your organization?” And then eventually, after asking all of these questions to get the context of why people do the things they do, then we can go down and start looking at source code and saying, “Well, now it makes sense about why SQL injection is there, because the system doesn’t matter.”

Michael:

Yeah. I think to that point, we have failed to, like I said earlier, failed to make that bridge between what the business is doing. So, take that step outside and look back in to what we do, instead of being the people that are… With all good intentions, we often try to stop the business because we think they’re going to damage themselves by not understanding and appreciating the risks, but we don’t look at it from their perspective and go, it’s not all about downside, it’s about upside. Businesses aren’t there to just build a wall around themselves and protect themselves. They’re there to take risks, and you become successful by taking risks. You took risks to start your business, versus to take that opportunity in San Francisco, and there’s trade-offs with every decision that we make, but we can’t always be about reducing risk to zero, because that’s impractical.

Cole:

Yeah. I feel like people forget that risk is an opportunity, on the same coin. They just see risk as a five by five grid, and we’ve got to make the reds go green. And oftentimes the answer is, actually, I’m okay with red, because that enables me to get into a new market. Even if I don’t know anything and I can’t measure it, I’m making that choice. Like I started my business, I had no capital, I had no idea how to run a consultancy, I’ve never done a consulting job before. I just went out there and just gave it a go. And I’m doing pretty well for myself. I’ve been to the school of hard knocks a few times, like you and your magpies, but you learn from those.

Michael:

Yeah, exactly. Yeah. Yeah. Great point.

Cole:

So what would you recommend people do if they want to start changing it, or just the industry more generally? What do you think we should be trying to do to get people to start thinking in more business context? Because I see more and more people pushing for techie, techie [inaudible 00:25:59] we need people to understand programming, we need people to get really good at doing log analysis. And I’m thinking a lot of these IT challenges are going to start getting more and more automated and solved, by especially artificial intelligence. I think that the value that we can provide as security professionals is in critical thinking about how businesses operate. It’s not in helping manage IT functions. But how do we shift people away from just doing IT work to more security oriented work?

Michael:

Yeah. I think one of the things that I promote with my team is, who have they reached out and talked to in the business that they haven’t met before, or they are curious about what they do and want to understand the role that they play in the business? And by reaching out and building a relationship with other areas of the business before you need them to do something for you is one of the best ways to get buy-in. There’s nothing worse than you identifying an issue or a vulnerability or a suboptimal process, and going in cold and having to try to convince somebody at some level in the organization that there’s potential risks around what they’re doing. It’s much easier to do when you’ve been and had a coffee with them, or you know about what their kids do, you understand their family, where they come from. It’s much easier then to go in and to be able to influence them and inform them on what might be a better approach.

So, it goes back to the R in that DSRP, is building relationships before you need them, and being curious about what the business does. One of the things we’ve recently started doing is, I asked my team to nominate, what’s an area of business you’d like to come and talk to us about what they do? And so I find out from my team what areas they’re interested in in the bank, and then you get the people in that team to come in and just do a 20, 30-minute presentation. Here’s what we do, this is why we do it, here’s how we do it. That also gives you the context that you talked about earlier, is that you now understand the business processes, and you can link that to the technologies and the systems that underpin what they do, and you have a deeper appreciation for when you make changes or recommend changes to their systems and you understand the impact.

I think when I moved from working for a service provider, it was much easier to design and build a solution and throw it over the fence to the customer and walk away to your next engagement. When I moved onto the client side and became the person internally running technology and security, what I realized was, you have to walk down the hallway past people every day that are affected by the decisions you make, and you’ll be there as long as they are and for as long as your solutions are. So, you become much more empathetic and appreciative of solutions that you implement, because you have to look those people in the eye, and they either say, “Gee, that was great, that really helped me,” or they just turn around and walk the other way, or they sneer and hiss at you for locking something down and being Mr. No. So, I think to be more people focused rather than technology focused is super important to keep in the back of your mind when you’re getting into cybersecurity, or if you’ve been in it for any period of time.

Cole:

One thing I tell a lot of people is hearts and minds. It’s difficult to win over minds unless you start with winning over hearts. And you can do that by being kind and listening to people and just making friends. And I think it comes naturally to me, and I’ll tell you what, it didn’t. When I was a lot younger, I had to spend a lot of time to get rid of a chip off my shoulder about having to prove that I was the best. I was technically brilliant, I’m really smart, and everyone else sucks and [inaudible 00:29:59] stupid. Nowadays, I still have faith and confidence in myself, but I’m never going to be belittling or [inaudible 00:30:07] because I know the challenges that they go through, and I can empathize for other people and their life situations.

And I agree 100% on getting outside of InfoSec, going and doing rotations in other areas. One of the best experiences, and I know that someone’s going to write me some hate mail about this, was when I was in a grad program in the public sector. I worked for the ATO and in the first rotation I did just software engineering, just a normal software engineering role. My second rotation was the contact center during tax time. It was two months of me picking up the phone and listening to people say, “I can’t pay my BAS because I’m in a drought and I’m a farmer, so what do I do?” And I’m sitting there being like, “Well, you just… Here’s a payment plan.” You know what I mean? You have these difficult conversations or you help people walk through myGov, and you understand things like, why do we have levels of privilege within [inaudible 00:31:03]? And there’s escalation points, and how does the tax system work? You understand the systems that you make, the things that you’re doing as a technologist, impact dysfunction within the business, and dysfunction impacts customers.

And if I didn’t work in the contact center, I would have a much worse idea about taxation and significantly less empathy for when I pick up the phone and I get onto Aussie Broadband and be like, “My internet’s down,” and they’re like, “Yeah.” Like, I understand. It’s okay. I’m not going to scream at you. I’ve been on that side.

Michael:

Yeah, definitely.

Cole:

So, I guess another thing to be moving on to is, what do you find really interesting to be doing as the CISO, and what do you miss also as well from being a techie back in the day? Because I find that when people move into security leadership, they often miss some aspects of the technical stuff quite a lot. So, is it the [inaudible 00:32:04] do you miss doing any MCSE breaches and networks and routers? Or…

Michael:

No. No, definitely not. And I think that was a hard shift to make. There became a point where I had to go to my team and say, “You need to remove all my privileges to the systems, because I’m just… I get curious, and I just go poking around, and then I find stuff, and then I go, why hasn’t this been fixed?” And then you realize as you become more of an astute leader that you employed these people for a good reason, and they’re good at what they do, and you need to trust them to do what they’re good at and support them in that, and not be a peer who’s poking around in the back ends.

So I think for me, that was something that took a number of years to get over. Certainly I don’t get on the tools now, and I don’t want to, because they’ve advanced so much more that I probably wouldn’t know what I was doing. I’d break something before I fixed it. Yeah. So, I think that’s a tipping point you have to cross and reach as you move up into the CISO role. And it depends on the level of the organization as well. Sometimes you see CISOs in various small companies and they have to be still hands-on, until you can get to the scale where it doesn’t make sense any more. That was the second part of your question. The first part was…

Cole:

Yeah. First part was, what do you like doing about being a CISO? What’s fun?

Michael:

Oh, yeah. So for me now, the joy I get is two things, which I often tell people. One is delivering an aligned result for the business, so making sure that the cybersecurity function is aligned to what the business objectives are. And then the second thing is being able to enable the personal and professional development of the team. And I think for me, playing that role is where the sweet spot is in most of my day. It’s being able to help people challenge their thinking, understand the rationale around why they made decisions, and try and uncover that before judging the decisions that they make, but also playing that role again between the function that we have and the business, and making sure that we’re keeping the business front of mind in all the decisions that we make. So, that’s the joy that I get on a daily basis.

Cole:

I’ve enjoyed the transition into business owner, from being just a technical guru and just a people manager, to now having to think about coaching, mentoring, and advocacy, and the difference between all three of those. Do you find that you have to think about that yourself often? Because that’s something I always think about with my staff members.

Michael:

Yeah, I think so. I think if you want to run a people-centered team, or have the people element of what you do at the center of everything, then you have to have those perspectives. You’re always juggling between those at any point in time, and trying to help people also see those perspectives and make sure that they’re keeping the broader stakeholder group in consideration as well, rather than just their own outcomes.

Cole:

I find a lot of personal value in seeing people do really well, and then grow tremendously as individuals. And I’d love them to stay around at my company forever, but oftentimes they outgrow whatever role I hired them for, and I don’t necessarily have a promotion pathway available, because if I did, then I’d end up with 100 principals and then I’d make no money. I wish I could just keep hiring principals forever, and just have a cool club of awesome people that we just go out and solve cyber everywhere. But unfortunately, businesses need to make money and be sustainable. So, I’m happy to help them move on into good places and put a good word out for them, but it always makes me sad to see good folk go on, but also happy.

Michael:

Yeah. It’s a double-edged sword, but that’s part of that, which is what you’re saying, the joy you get from helping people progress. And there’s nothing worse than seeing someone who thinks they’re stuck in a role and that they can’t develop further, or for whatever reason they haven’t got the drive to take a chance. And so it’s about, I think… Providing you’re not churning people out every week. Some of that churn is healthy, because it brings in new thinking, it brings in new experience, you give people that growth trajectory for a certain period of time. And you’re right, no matter the organization, everyone’s going to reach the ceiling at some point and have to move somewhere else or need another challenge or pivot from their role to something totally different. But I think as long as we try and support people in that as best we can, then you should be happy waving them goodbye if they’re going to a better place, knowing that you can bring someone in and start that journey again.

Cole:

That’s it. That’s like one of the things… I read a book every now and then called Managing the Professional Services Firm, which is… It’s about law firms. So law firms, they’re not that different to just any professional service firm, really. You have juniors who come in and do a lot of the work and just grind really hard, managers who maintain equality, but there’s not too many of them, and deal with clients a bit, and partners who basically win the business and bring it in themselves. And most law firms, I think, are up and out organizations, so that you have 100 grads, and those 100 grads turn into 10 managers, and those 10 managers turn into one partner over time, or some… I don’t know what the ratio is. It’s something like that. And it confronted me at first by him saying that churn is actually a really good thing, because it means that you don’t have people who are not good fits for your organization languishing and staying there for a very long period of time. They get frustrated because they can’t progress, so they move on somewhere else.

And you’re dead right, I didn’t think about it, but getting fresh perspectives is a really good idea as well, because sometimes you need that diversity of thought. I’ve been in situations where I would’ve loved to have someone from any kind of non-technical background come in and just whack me on the back of the head and be like, “Cole, this is how you actually do sales,” or, “Cole, this is how you do financial management. I’m a CFO, or I’m a sales director, or I’m a marketing person,” or whatever. Different viewpoints and backgrounds and experiences can really change your approach and help you as a manager as well, because you’re not just going to be helping people to move on to their next roles. I think it’s good for you to learn from your subordinates too, right?

Michael:

Yeah. Yeah, exactly. Everyone’s got something to share, and you can’t know it all as a leader. And sometimes leaders feel like they have to have all the answers, and they have to be the ones that know everything, but that’s just not how the world works. And I think unless you open yourself up to the fact that you don’t know it all, and that the people in your team and around you in other teams have just as good ideas, you just need to create the environment for them to feel comfortable sharing those ideas, then ultimately everybody benefits. It’s a win-win for everyone in the team.

Cole:

Leadership. It’s a funny thing.

Michael:

It is. It is. And I gave a presentation at CyberCon a couple of weeks ago, and I talked about leadership and this fallacy that people think in organizations that there is a leader that everybody’s following, but it’s actually, if you look at, again back to systems thinking, the way nature works is, there’s a collective behavior that emerges from the agents in that system following simple rules. So ants in a colony, there’s no leader, there’s no government. The ants, some of them might be foraging, some of them might be building the nest, some of them might be helping the queen. They’re all going about their business, not thinking about collectively we’ve created this colony. But over thousands of years, that model has allowed them to evolve and sustain and remain adaptable to challenges. And I think in organizations, if we take the same approach that we’re a collective organization, and it’s the sum of all of our rules that we’re following and our behaviors that creates the culture and then what we actually achieve, and whether we reach the goals that we’re aspiring to.

Cole:

Yeah. I guess if you have leadership who are basically, they’re not directing people to go, it’s more like the wind in the sail. So you still need people to be on the oars, you still need someone to do the rudders and stuff, but if you’ve got a tailwind or you’ve got a headwind, a lot of that can come down to, is the leader moving the ship in the right direction?

Michael:

Yeah. Yeah. Steering. It’s probably more about steering, which is an interesting term, because I’m doing research at the moment on cybersecurity and the applicability of systems thinking today and where it should go. And if you look at cyber, that term actually comes from an old French term called cybernetic, but also back further to Greek, which actually means to steer or to govern. And so I think that’s important in today’s world, because we want to steer the organization, to your point, on a safe path to reach where they need to go. And so it’s not about just tying off the wheel and just heading in that direction and just plowing into storms and trying to fight the tides. It’s about being able to help steer them and navigate around obstacles, while still keeping an eye on the far shore that we want to reach. So, I think there’s some good analogies that we can think about, rather than the way we’re currently thinking about cyber, which is beat people into submission.

Cole:

That’s it. You got to… Let’s just have this ship be ship-shape, and we’re just going to patch all the holes so the water doesn’t go, so we don’t sink, instead of thinking about… This analogy is very tortured.

Michael:

Yeah. Yeah. And just to torture it a bit more, I think the other good one is, to help people think about decisions and what the real risks are, I try and phrase it as, is this going to be below the waterline or above the waterline? Are we making a decision that’s going to sink us? Well, if it’s not, if we’re going to put a hole in the hull and it’s above the waterline, maybe it’s kind of safe to try this and see if it actually pans out the way we think it is. But in cyber, we think everything’s going to sink the ship, so we end up getting nowhere.

Cole:

And sometimes it’s okay to sink the ship because you’re already on land.

Michael:

Well, yeah. Sometimes you have to run it aground and then bail and go and find something else, build a new one.

Cole:

That’s it. That’s why we start businesses, right?

Michael:

Yeah.

Cole:

So, I’ve got some fast questions for you before we wrap up.

Michael:

Yes.

Cole:

Whatever pops into your mind, and let’s have a bit of fun with it. So the first one is, what’s the best book you can give to someone for Christmas?

Michael:

The best book. I would give them Systems Thinking Made Simple by Dr. Derek Cabrera.

Cole:

Okay. Okay. I’ll get a link to that and put it in the show notes.

Michael:

Yes, definitely.

Cole:

Why would you recommend that one besides… This is the DSRP, is that why?

Michael:

Yes. Yeah. And it’s very simple and easy to understand. Often systems thinking is made overly complex and it puts people off.

Cole:

Yeah. Look, that’s something that I’m really about, is taking things that are… Even from other disciplines. For example, I like hazard by outrage, which is for measuring risk instead of likelihood by consequence, because when a business talks about the outrage associated with an event occurring, that’s a lot more consequential to senior leadership than a fancy red, amber, green chart. Right?

Michael:

Yeah. We’ve had a few of those in the last couple of months. Outrage.

Cole:

Even days, to be honest.

Michael:

Yeah.

Cole:

Yeah. I guess what’s really close to me is making content accessible. I work in application security. Software engineering for the most part is quite inaccessible to a lot of people, and putting security on top of that, it’s a lot of… Too much brain, cognitive load is just… So I want to do something I can do to make it really easy and simple and clear and clean and brief. And so, it’s really good to hear that you’ve got a book that focuses on making what can be an entire PhD of education, hopefully into something that’s a bit more digestible at nighttime with a bottle of whiskey. Or maybe a glass. Don’t go that hard. What’s the best $100 purchase you can think of?

Michael:

Best $100 purchase. Gosh, what a curly question. I’d say, sub $100, the best purchase you can make if you’re a diver is what they call a safety sausage, which is a really simple plastic tube that if you get left behind, lost, dragged away by the current, you simply inflate it, and it stands about three meters high and it’s bright orange, like a high-vis suit. People don’t seem to invest in those these days, because you hear about divers getting swept out to sea and lost, and one of those things is probably the best investment, under 100 bucks anyway.

Cole:

There you go. Safety.

Michael:

Yeah.

Cole:

It’s a dangerous hobby.

Michael:

Yeah. And you never need it until you do. And when you haven’t got it…

Cole:

Just like quality of life increases. It’s like when people… If you go bike riding, a mud flap on the back, people don’t think about that, but it’s nice to not have to worry about your clothes getting mud because you’ve got a protective mud flap on the back. But you don’t think about it until you turn up to work with mud on your ass, and you’re like, hang on a second, this sucks.

Michael:

Yeah. A big spray up the back. Yeah.

Cole:

Cool. And I guess the last one I’ll finish up on. What advice would you give to someone who’s just starting out in cybersecurity nowadays?

Michael:

I think be curious is the best thing you can do. Cyber is so broad and so deep, there’s many different paths you can take, and I think if you’re curious, both in terms of the opportunities that you have within cybersecurity, but also curious about how other people see cybersecurity, and getting those other perspectives, then you’ll never be bored. You’ll always have something to think about. So, curiosity is really key.

Cole:

Yeah. It’s just one of the traits I always look for when I’m hiring people straight out of university. It’s like, I’d like people to have some technical background, because it’s usually quite hard to teach a lot of techy stuff, and they need to be friendly and personable. But I definitely put curiosity and willingness to learn stuff as the best traits, because if they’re not curious about how systems work, then how are they ever going to think about how things can break?

Michael:

Yeah. Yeah, exactly.

Cole:

All right. Well Michael, thank you so much for coming on. It’s been an absolute pleasure. I’ve learned a lot, and I’m going to go read all about systems thinking after this. Is there anything you’d like to say before we wrap up?

Michael:

No, I think podcasts like this are really great because they make it accessible to so many people to understand about cybersecurity, and also gives people the opportunity to realize it’s not, to your point, just all about being a techie. There’s a strong people element to it. So, I think what you’re doing is great to help promote the field and the domain.

Cole:

Thank you so much. I appreciate those kind words. All right. It’s been Michael Collins. Thank you so much for coming on.

Michael:

Thank you.

Cole:

Thanks a lot for listening to this episode of Secured. If you’ve got any feedback at all, feel free to hit us up and let us know. If you’d like to learn more about how Galah Cyber can help keep your business secured, go to galahcyber.com.au.