SECURED

Powering Resilience: Nathan Morelli on Securing South Australia's Electricity Grid

In this episode Cole Cornford chats with Nathan Morelli, Head of Cyber Security and IT Resilience at SA Power Networks, which is the sole electricity provider for the entire state of South Australia. Making sure that 1.7 million people have electricity is a pretty important job, and Nathan shares his perspective on how the organisation maintains resilience in the face of potential breaches.

They also discuss the importance of financial management skills in a management role, the Australian government’s updates to the Essential 8 and the national Six Shields cyber strategy, the importance of work life balance, and plenty more.

4:00 – Nathan’s career overview

8:00 – “Not if, but when” and the principle of acting like a breach has already occurred

10:40 – Cyber resilience is critical

11:00 – Finding value in the impact of your work

15:00 – Matching cybersecurity strategy to the resources available

17:20 – High regulation/barriers to entry restrict quality security advice

19:00 – Importance of access to affordable cybersecurity tools

19:30 – Australian government “Six shields” update

23:50 – Australian government update to “Essential 8”

27:40 – Why Nathan adopted financial management concepts in his cybersecurity work

31:10 – Cybersecurity decisions are made for financial reasons

33:10 – Typical career trajectory: follow money, then people, then problems

35:40 – Importance of work-life balance

40:40 – Rapid fire questions

Cole Cornford:

Hi, I’m Cole Cornford and this is Secured, the podcast that dives deep into the world of application security. In this episode I chat with Nathan Morelli, Head of Cybersecurity and IT Resilience at SA Power Networks, which is the sole electricity provider for the entire state of South Australia. Making sure that 1.7 million people have electricity is a pretty important job. And I really enjoyed Nathan’s perspective on cybersecurity and resilience.

Nathan Morelli:

It behaved like a breach that’s already occurred, and minimized the impact of that. That’s pretty critical to our operational model, is that we are prepared for a bad day. We have incidents, we just lessen the impact of them, so that we maintain critical systems, so that we maintain the service we give to customers as an organization, and our people value that in us.

Cole Cornford:

We chat about how Nathan uses financial management skills in his role, the Australian government’s updates to the Essential Eight and National Six Shields Cyber Strategy, the importance of work-life balance and plenty more. So, let’s jump right on in. And Nathan, well, hi. How are you going, mate?

Nathan Morelli:

Good, thanks. How are you, mate?

Cole Cornford:

It’s been a good day. It looks like it’s going to finally start raining outside. I am keen to go and swim in my backyard pool with the rain going down on me.

Nathan Morelli:

Oh, I’m jealous of your backyard pool. I am jealous. I would love a pool.

Cole Cornford:

I feel everyone in Newcastle has a pool and everyone who’s outside of Newcastle doesn’t.

Nathan Morelli:

Yeah. No, I do feel that, on my street I’ve got three houses around me and all have pools, but I don’t have holes in the fences yet.

Cole Cornford:

Ah, yes. You’ve got to just make friends with all your neighbors.

Nathan Morelli:

Yeah, I do. I do.

Cole Cornford:

Anyway, off of pools, let’s move to the most important question of all, which is, it’s inspired by what we believe at Galah Cyber, which is that I like that Galah’s bright, colorful and obnoxious. And I really wanted to have that as my company branding, because most of cybersecurity is dark and scary and unapproachable. So that’s the kind of bird that I am. What kind of bird are you?

Nathan Morelli:

As a long-time listener, a first time guest, I actually had to go and think about what kind of bird I am. So I just went straight to Google. I asked it, did a survey on what kind of bird I am, and it was an Australian survey. Because I don’t really personally know what kind of bird I am, and it came back as I’m an Australian white ibis. So I’m basically a bin chicken.

Cole Cornford:

You’re a bin chicken.

Nathan Morelli:

Yeah. But the traits of that I felt actually really respected who I am, so proud, loud, strong and brave. Sometimes misunderstood, but very loyal to my friends and very supportive of those people around me. So I thought actually I’m probably a white ibis. If I’m going to be a bin chicken, then embrace the bin chicken and the values that they have.

Cole Cornford:

It’s not that you just have a really a long protrusion, that’s very good for just drinking and slurping up all of the log files. That’s what we call it nowadays, right?

Nathan Morelli:

Maybe previously we could equate this to a scene. Sure we could, but not anymore. I leave that to the experts in my team, and I just get out of their way now.

Cole Cornford:

So that’s probably a good way to move across. So what do you do nowadays and where did you come from?

Nathan Morelli:

Yeah. In talking to other people about your career journeys, when you speak about it, I’ve had a pretty, what would almost be a traditional career journey. I graduated from university into a graduate role at KPMG as a graduate consultant in their risk area.

So my basis of learning was auditing and risk and understanding how organizations manage that and the way you found gaps. Lucky enough to be given an opportunity in their penetration testing team about a year in. So again, a very traditional move, early pen testing. Spent two and a half years in their pen testing team breaking stuff and learning about the impacts of that to organizations, which was good.

And then I’ve moved through many security operations roles, a lot of time at utilities, SA Water, Origin Energy, some time at universities and in the Department of Education Adelaide, some government time at DPC. Returned to EY as a manager then, and that was good fun. Learned how to manage people, the budgets and led the finances and the sales bit.

Spent a decent amount of time at Naval Group Australia as well when they had the contract for submarine builds and as their cybersecurity lead trying to help the French understand Australian standards and how to build for them. And that was good fun. I spent a lot of time with some friends that are still at Lockheed Martin, Australia now. And we had a really good time traveling through France. Travel, got a bit much. And then I was good for another opportunity, which is how I landed at SA Power Networks as their Head of Cybersecurity and IT Resilience, where we help the organization manage cybersecurity risk, prepare and be prepared for outages, incidents through the resilience part of our capability.

In general lead a team of very high performing, very successful professionals and get them the tools and the finances and the support that they need to deliver the best that they can deliver. And at the end of the day, we support systems that effectively and efficiently manage the power for our state. So it’s a critical infrastructure. It’s pretty essential to everybody in South Australia. So really good to be a part of an organization that has a real tangible value to people as well.

Cole Cornford:

Did you work with the Elon Musk super battery thing, whatever it is? Is that part of your… Do you have to care about that?

Nathan Morelli:

Our role in that is to ensure that that is taken into account, that we manage supply of electricity throughout the state, so we didn’t directly have a part to play in it. Was it a result of a massive outage? And does that help in a massive outage next time? Yes, it does. It plays a really good role in that energy market management piece.

We don’t have anything to do with it. We do have a lot to do with Tesla. Because there are a lot of Tesla batteries on houses. And as an organization, what we’re trying to enable in this energy transformation and further electrification at homes is integrating those assets and those capabilities back into our network. You take SA Power Networks back 200 years, traditional coal-fired power station, power from there, big power lines that are run by ElectraNet to SA Power Networks, it’s distributed to a home.

Now we’ve got power. On the edge we’ve got smaller organizations with massive solar farms. You’ve got solar and batteries that consumers are investing in. So we’ve got to be able to take that excess power and redistribute it. So now we’re building a two-way network. So Tesla and their batteries and their power management systems and their cars have a big part to play in that as well. So no, didn’t have anything to do with the big battery, but we have a lot to do with Tesla every day as well.

Cole Cornford:

Yeah. Cool. And that’s really cool that resilience is a big part of your job description. Because I see a lot of people in cybersecurity, they stick to compliance, they stick to hacking and penetration testing, but ultimately organizations care about the outcome of a cyber incident. And that outcome could be system outages, it could be theft of IP, it could be a threat to human life. It just depends on what kind of industry you work within.

Nathan Morelli:

Yeah.

Cole Cornford:

But resilience is often the way that we resolve a lot of these kinds of problems, right?

Nathan Morelli:

Yeah. And that concept is pretty strong across cybersecurity, when it behaved like a breach already occurred, it minimized the impact of that. That’s pretty critical to our operational model, is that we are prepared for a bad day. We have incidents, we just lessen the impact of them so that we maintain critical systems, so that we maintain the service we give to customers as an organization.

And our people value that in us and it’s probably why we own IT resilience, is a lot of outages are usually from cybersecurity incidents in the last five years, other than a few massive Azure outages that were because of your electricity going off and air conditioners not turning back on.

Cole Cornford:

Or BGP B2B router updates.

Nathan Morelli:

BGP routers, yes, there was those ones too. So yes, as cybersecurity capability we’re usually pushing for the BCP, we’re usually pushing for the DR, pushing for the backups to be tested.

So it makes sense where you’ve got that traction to just bring the other capabilities along anyway, because the outcome is the same. Having good DR and good backup recovery procedures and good segmentation, for cyber, for operations, it’s the same. And if you’re working together on it anyway, don’t label it anything different. Just work together and achieve that outcome. And that’s the approach that’s worked really well for us here.

Cole Cornford:

And I think that’s a really good way of looking at it, because blast radius of an incident. And also having your cybersecurity program attached to other parts of the business, fundamentally aligned to what the business is trying to achieve. Oftentimes I see them completely at odds and it’s, why are we doing these cyber activities? And it turns out because someone knows how to do that activity, it’s not because it has any meaningful contribution to managing a risk that the organization has.

And so obviously Power Networks care quite deeply about power outages. So anything you can do to stop those from occurring or lessen the impact of those, whether an impact comes from a cybersecurity incident or whether it comes from just, I don’t know, someone accidentally running over a transformer with a bulldozer in the middle of God knows where, seriously it could happen.

Nathan Morelli:

It can.

Cole Cornford:

Let’s think about my friend [inaudible 00:09:11] and your fret [inaudible 00:09:11], it’s weird.

Nathan Morelli:

It’s okay.

Cole Cornford:

I live in Newcastle, but I see lots of stupid mining incidents out here.

Nathan Morelli:

Yeah. Well yeah, we go back to threats. One of the threats to power provisioning is theft of copper and people just stealing the essential cables that connect things together. So there’s a risk to human life there. Because it can be live and that can be quite dangerous. And there’s a risk to supporting human life, because if you break a power station, then we don’t have the resilience in the network from a network point of view, not from a cyber, but from an operational technology point of view, then we’re unable to provide essential services, which is not a great outcome.

So yeah, resilience is pretty critical, whether it be from a technology point of view or from a physical asset point of view, and the way that network self-manages itself is really important too. So those resilience objectives are pretty cool to how we deliver services as an organization.

Cole Cornford:

I think one thing you mentioned earlier that was cool to me was that you take a lot of pride in working for your company. And I run my own consultancy business, and the types of clients I’m going to take, obviously there’s the smaller businesses, but the ones that I love taking are where the challenge is just astronomical and it affects real people. That’s to me… We can have meaningful impact on people if…

I don’t want to go out there and just only work for all the small tech startups out there that no one’s heard of and no one’s done anything, even though they’re probably for a software security, one of the most important areas, because their entire business is software. But people don’t know what these companies are. And if they go offline, it doesn’t really have any measurable, meaningful impact on people.

Nathan Morelli:

Yeah.

Cole Cornford:

You talk to a university, you’re affecting the ability for researchers to commercialize their ideas. You’re talking to students and their ability to get educated, access school systems. And that’s just your university. But critical infrastructure, telecommunications, superannuation, finance, government, all very important. I’m very proud to work for those places.

Nathan Morelli:

And same. And what I’ve learned over my career is an organization’s mission has to resonate well with me for me to actually be engaged and overdeliver, to be a high performer within an organization. And I’ve learned that along the way. Some positions I’ve chosen in the past have been about working with somebody, which is a good idea too. But the higher up I’ve gone and I’ll be more solo in my work and choosing maybe one person to work with rather than a team.

Missions become really important and I’ve probably learned the most about mission at my role at Department of Education where you’re looking after systems for schools. And public education historically doesn’t have the funding for everything that they need.

So you go out to… I value face-to-face interaction with the people that I’m providing a service for. So I visited two principals a week from first year I was there, and we would have a conversation with the principal and we would say, you are not doing these cybersecurity things very well. And most of the time it would be, I don’t have the budget and I’m making choices. And they’re making choices between fences or gates to protect their children, to protect their students or some kind of piece of technology that I’m saying should be in there or cybersecurity is raising your risk around.

Well that, A, it brings you back down to earth and it reminds you of the mission and the most important things to your customers. So when you go through that journey, you’re, mission is really important, and if I can get the mission well ingrained in the way I operate, then I would deliver better outcomes for my organization. And I will be more fulfilled as a human being as well. Because I know I’m contributing to something.

Cole Cornford:

I think that’s funny, because I’m going to be working for a school in the near future. And one of the things that I remember, the IT guy came to me, he was, everyone wants multifactor authentication, but how do we give YubiKeys to 1,200 people in high school? And I’m, you don’t. You don’t, you just don’t.

Nathan Morelli:

You don’t.

Cole Cornford:

This is a risk you accept. These students need…

Nathan Morelli:

Yeah.

Cole Cornford:

But they’re going to need access to DT, they’re going to need access to these systems. You do not give them YubiKeys. So you don’t give a multifactor because phones are banned anyway. Come on, this is not the right scenario.

Nathan Morelli:

No. And that’s about controls for purpose. What are you really protecting at a school? Your main double downs are about stopping them from looking at bad stuff on the internet.

Cole Cornford:

Yeah.

Nathan Morelli:

Stopping them from downloading bad software that takes the systems out that they need to use. And being able to detect and respond to malicious activity. Or it might be threat actor led, or it might be insider threat led, either. That’s where you’ve got to double down in schools, multifactor authentication does not prevent any of that. The threat modeling, it’s got to be better.

And I understand that there is a need for minimum baselines across different organization types, but you’ve also got to understand your threat first and then work towards that, which gives you a better outcome for your customer, like you’re talking about, or part of your day job.

Cole Cornford:

It seems like a lot of cybersecurity professionals always operate in a utopic plan. So this is where we want to be. This is what perfect looks like. And if I had the resources of Facebook or Google, I’m sure that I would get there. And then you say, well actually you work for a small kitchen cabinet manufacturer in Cardiff and you build 30 kitchens a year, you don’t have Facebook and Google’s resources. What should you do?

Nathan Morelli:

And that is an immense challenge, because they’re the organizations that make one little mistake, click the link, give away their username and password, and they’re the ones that are getting the 3 million ransom or the 30,000 whatever it might be, on average for a small like that.

And that is the difference in between their organization continuing and their organization not continuing, and they’re the ones that are going to get impacted the most by cyber criminal gang. So what do we do as a society around helping them be protected better, helping them lean into larger protection systems? How do we empower a Microsoft to say, you are of this organization type. You are just going to have these controls on by default. And I understand that’s going to impact your business processes just for a little bit, but you have no choice, because this is what will save you from a bad day.

You don’t understand the why. You don’t need to go to three ACSC forums to understand the why. It’s just forced upon you. And that’s got an element of force, but how else are we going to do this as a whole country? How are we going to make that change?

Cole Cornford:

And I think that it’s worth looking at recent changes and a couple, I like going to disciplines that aren’t cybersecurity and seeing what they do, because you can do parallels across them. And one that came out yesterday that I think was really interesting was the updates to financial advice. I know this sounds really stupid, but we had the-

Nathan Morelli:

Keep going.

Cole Cornford:

Yeah, the Hayne Royal Commission six years ago, whatever. They basically said all banks are evil. Banks can’t do advice because banks have conflicting interests to sell wealth products for whatever, and lots of bad stuff coming out of it.

Nathan Morelli:

Yes.

Cole Cornford:

And so banks divested away from wealth and the skit, financial advice is incredibly professionalized. And it became really difficult, because the barrier to entry to get into providing financial advice and the burden for doing it made it astronomically difficult for people to get decent high quality advice.

And so what ended up happening, is the bottom 90% of people just never received any financial advice whatsoever. So they started going to TikTok and to YouTube and just grabbing whatever they could off the internet. And I feel that there’s parallels if you think about cybersecurity, because yesterday they actually said, well, we still want to have it professionalized. We’re going to relax the requirements for doing so. And we’re going to make it easier for people to move into providing financial advice and to make it plain English instead of complex forms, and look at just different ways to make it less of barrier entry to get into it.

And I wonder whether in cybersecurity, which I think is in a similar boat, because to get a penetration test, you’re in the ballpark between $16 to $40,000. For an SMB, that’s enough of a cashflow hit, usually to just say, no.

Nathan Morelli:

We’re done.

Cole Cornford:

We’re never going to participate. And even just getting a pen test, let alone a proper full scale audit or some kind of strategy or even buying any of the products to get up to speed.

So I wonder whether there’s going to be something that’s going to come to market to help with that? And another one might be work, health and safety, right?

Nathan Morelli:

Yeah.

Cole Cornford:

So no one did WHS until there were criminal liabilities associated with getting it wrong. So I wonder whether we might be seeing that if there is a risk to human life from cybersecurity? Whether criminal liabilities and penalties be associated with that, we might shift behavior for SMBs who just otherwise might not care? So yeah, different parallels.

Nathan Morelli:

There’s elements… In the recent subject updates, there’s elements of those criminal things happening to larger organizations. What I did see yesterday, I do follow the DriBoss organization a lot. Because I really like what they’re doing. And for smaller than, I think it was a 100 million turnover critical infrastructure, utilities areas, they were offering upright for free. I’m guessing that they probably leaned on some kind of federal funding for that.

But those kind of programs need to have a little bit more emphasis and support to give people access to tools at a price that they can afford. Free is good, but you’ve still got to do something, whether I understand that. But those kind of things for smaller organizations would be of more benefit than some of the programs that are out there right now.

Cole Cornford:

Yeah. Although that said, we do have the Six Shields update. Do you have any thoughts about that?

Nathan Morelli:

I was at the ACSC when the last version of the cybersecurity strategy was released. And sure, the themes are great. It’s about delivery on those themes. What I don’t like, and I think that this is just my personal opinion of politics in general, is first we bagged the previous person. The previous person that was in the role we bagged them, they did nothing. Here’s what we did that’s brilliant. Forget about what was done, what the ACSC delivered on the last cybersecurity strategy was the beginnings of this too. And that was never really acknowledged. And I know that’s politics.

I opened up the Adelaide JCSC, and that was one of those shields, how do we build collaborative environments where organizations come in and give us feedback and we could work with them? Well, we built some very nice centers in the center of Adelaide. And we did communications around that. We’ve done that. Okay, what’s the next phase of it? Well, that’s what they’re trying to do in the next phase of this strategy.

So yeah, there’s six shields. It’s a very good marketing, great bundling of objectives, really keen to see what happens next. Big organizations are probably pretty well taken care of with curriculum structure centers’ work, with home affairs already. So it’s about medium and small, and there’s a good focus on that.

Cole Cornford:

Yep.

Nathan Morelli:

Again, keen to see delivery, because there’s no accountability in there. There’s no KPIs, there’s no check back in with us in six months time, we’ll tell you how well we’ve done on this, because they’re all fluffy, unmetrical things.

Cole Cornford:

Yeah.

Nathan Morelli:

That kind of strategy wouldn’t suit. It wouldn’t float in an organization I’m with, because I can’t report on it. I cannot show value for money and investment or return on that. Because there’s nothing deliverable.

Cole Cornford:

Yeah, that’s it. I guess it just depends on what is the outcome, what is the purpose of why they would release this kind of strategy? Is it to align Australians to have a shared vision about where they need to be going to in the future? So in which case, it’s effectively propaganda marketing material to try to get people the same view about how to move forward, effectively this is a north star.

Nathan Morelli:

Yeah.

Cole Cornford:

Just like this is the general way that we’re going to angle our ship, and then maybe there’s going to be individual operationalization plans in the future. But I don’t think that we’re going to actually see that. And if anything, I reckon it’ll just be the big four that might…

Nathan Morelli:

Yeah, that might. Yeah, and some other larger consultancies. Yeah, it is built for that unfortunately. And then you look at the… Okay. Home affairs, they’ve got a strategic role that’s great. There’s a bunch of allocated funding to it, that’s great. But then the posture of federal and state governments and their agencies, the security posture of them are lagging behind.

So is this the right place to be spending taxpayer dollars? Should we be reinvesting this money in helping those organizations get resources, get protections in place so that they can better protect the government’s data anyway? So there’s that conversation that we have as leaders as well. Well, that’s a lot of money to spend on that element. What about the other elements that are critically underfunded, that we know they are? And the results are showing that as well.

How long have we been reading national audit office reports that say the top four from 15 years ago still isn’t being met above maturity level one across 80% of federal government agencies? That’s not for want of trying to improve, that’s resourcing and funding.

Cole Cornford:

And I guess that’s maybe not even a cybersecurity problem because again, a lot of those top four issues are IT quality problems, right? Because you have just patching operating, I’m not great at remembering these, but patch operating systems, patch applications and restrict admin privileges and turn on MFA. Is that right?

Nathan Morelli:

MFA and application.

Cole Cornford:

Application.

Nathan Morelli:

Application wireless thing. Application control, as it’s called now.

Cole Cornford:

Yes. Yes.

Nathan Morelli:

As part of it too. So four great controls to reducing risk, but yeah, they are mostly hygiene.

Cole Cornford:

Yeah. And I feel a lot of it’s because the breadth of what people have to do is so complicated. There’s just too many things that people need to work out how to do and who’s even accountable to own these kinds of things.

And the old software systems, or even just computing systems in general just aren’t set up in a way to be responsive to just even the patching cycle that we anticipate nowadays. Last week or maybe a few weeks ago, the Essential Eight was updated, and I think the most important thing to me was that patching cycles got halved across the board, basically. They said everything needs to be done in 48 hours down to 24, two weeks to one, four weeks to two.

Nathan Morelli:

Yeah.

Cole Cornford:

And I’m sitting there thinking to myself, we still can’t even get people to just do basic.

Nathan Morelli:

Yeah. We can’t get people to patch a critical high patch today. Let’s just focus on that as well. You go through Citrix NetScaler incidents, DP World being one of them, and then the government taking the opportunity to smash them. We told you about that, you should have done better. Well, yeah, but do you understand that business? And do you understand the technology that that was supporting?

And yeah, we can all sit here and poke and point the finger and say, you should have done better, but we’re not in their shoes. We don’t understand their situation and what risk they’re currently holding and their appetite for that kind of change. Patching isn’t easy. Patching critical systems is not easy. There are impacts for it. Can you afford them? That was their decision. And sure, four day outage reports is not a good outcome and hopefully that helps them justify further investment in the future to do that. But also returning to full output on day four is pretty resilient too.

Cole Cornford:

I feel also, I don’t like leadership where you do a blame culture. I like to live a blameless postmortem, where ultimately we have gaps in process and policy control weaknesses, people that weren’t educated or whatever, but ultimately it’s not this person made a mistake or this organization’s a problem. It comes back to, okay, well something went wrong. Now let’s think about are we going to go try it?

I think there’s a lot of knee-jerk reactions a lot of time to these kinds of incidents. Risk is managing uncertainty, and unfortunately things do happen that we don’t plan for. And even if you say you’ve got a 1 in 100 chance, over 100 years that risk is, I guess it’s a bit of a fallacy, but it’s likely to occur once. Like a global pandemic, I know a few people have told me that they stripped global pandemic off of their risk registers in 2018, which is hilarious to me personally.

Nathan Morelli:

Yeah. But it did accelerate a lot of digital transformation and organizations and collaboration in tools and be comfortable with working from home and all of that. Disperse workforce advantages as well. So yeah, we’re all still here.

Cole Cornford:

I think that’s a great thing though. Because if we can help businesses move away… Because the investment, you need capital expenditure to modernize some kind of system to at least… I guess a lot of people used to, I spend money, I get outcome. Whereas with a lot of software, it’s effectively OpEx.

So if you’re trying to think about patching, you don’t build a project to patch something and it’s patched and it’s good. And the pace of which we need to be patching systems nowadays is that there’s probably five CVEs per application per day indefinitely from now on, right?

Nathan Morelli:

Yep. It’s relentless.

Cole Cornford:

Improving the ability for people to… I guess the timeframes for shortening, how long it takes to update systems significantly by just introducing more modern engineering practices. I think that’s a really good thing.

Nathan Morelli:

Mm-hmm. Yeah.

Cole Cornford:

And also that doesn’t come out of cyber’s budget, because that’s another thing I keep hearing out of you is… Going back to the finance thing. I constantly hear from a lot of professionals, whether they’re senior executives or even junior employees, who just say, I never have budget to be able to achieve anything. And so I’m constantly bitter and angry and upset and the world sucks and people don’t understand my issues.

So I find it interesting that you do talk about finance. So where did you start bringing these financial discussions into your everyday, I guess, language?

Nathan Morelli:

Yeah, over the last three roles, I reckon, I’ve had to be better at financial management almost than I am at people and task and resource management. Because it can significantly impact your ability to A, deliver, and B, manage risk at the same time.

So you’ve got to know what your funding model is within your organization. So as a regulated organization we do a regulatory reset, which means we put a business case to the regulator and say, this is what we’re going to do in the next five years. Here’s the reasons why. Here’s the risk that’s going to lower. And they meet you, at your ask, or they do the debate and you go back and you might lose 20%, 30% of that ask or whatever.

All of us regulated organizations have to do that. And that can be challenging. Challenging from multiple perspectives, but you have to know how financing works within your organization, how CapEx is treated, how OpEx is treated, is there a TOTEX view as well? Then you’ve got to know how you are going to deliver your program of work within those boundaries as well. What makes an operational expenditure? What makes a capital expenditure? What’s easier in your organization to get funding for? And then building business cases aligned to that. And then it’s a dance of then delivering within CapEx and OpEx boundaries as well.

In the last two roles, Naval Group and Network Australia and SA Power Networks, being asset-focused companies, I’ve had to learn a lot about that. And it’s been a great learning, because it’s given me skills in that piece of communication and knowledge, but it’s also been really good for my teams that I’ve managed. Because then I can translate that into their knowledge sets and help them deliver within those boundaries, and get that tension out of the room, where a finance business partner might come to us and say, you’ve written a business case like this, that’s an OpEx, you’re going for CapEx, that’s OpEx.

Or maybe if I can educate the team on writing their language and in their needs, to the accounting standards needs, then maybe we’ll get better outcomes. And generally over the last three years we have got those better outcomes, because we’ve been able to communicate in the businesses’ language and understand the business process to then get funding, get OpEx uplifts, get lots of additional CapEx where needed based upon risk where we’ve seen it, but ultimately dance the dance really well.

Cole Cornford:

And I feel a lot of cyber people just don’t know how to two-step or tango. They’re just, I’m just going to do the thing where I throw my arms up in the air and just all sit in the corner and just do this repeatedly until eventually they say, can you buy me a drink? It’s, why would I buy you a drink? I’m going to go talk to that guy over there who actually knows how to moonwalk. So come on, man.

Nathan Morelli:

Yeah.

Cole Cornford:

It matters though, right? Finance is super important.

Nathan Morelli:

It is. And there’s also an appreciation and a trust element that you get through those conversations you have with a finance business partner or a CFO. I’ve taken the effort to understand your world to try and better communicate with you in your language.

So you’re building trust with them as well. And they can then hopefully, and this works well, with the way I engage, is that you get good feedback back. You get a good level of, hey, that’s great. You’ve tried, here’s how you could be a little bit better. But hey, you tried, you brought your knowledge to the table. I’m going to listen to you educate me a little bit on risk and cybersecurity impacts. And we come to the middle and we have a nice dance. And we go away and have a meal together and-

Cole Cornford:

Break bread.

Nathan Morelli:

We enjoy each other’s company. We break bread, that’s right.

Cole Cornford:

I always encourage people who are looking to move out of just… Well, because a lot of people come to a crossroads where they say, do I want to continue being an individual contributor? Which I guess in cybersecurity we don’t really use the term IC and EM, but in software engineering we say individual contributor and engineering manager, and they’re both distinct career paths.

And you can basically get to a point where you just transition laterally to level zero manager, where people don’t like being called level zero managers, but they are. Or you can keep being better at whatever technical discipline you want to be in.

Nathan Morelli:

Yeah.

Cole Cornford:

And I say that when you want to go to start over here, you should just honestly sit down through a GAICD or equivalent, and just figure out how the hell does money work. And just go make friends with people like project managers, TPOs, just non-cyber people, get out of the cyberspace. Because, it seriously does come back to dollars. It does come back to headcount. These are conversations that… If you want to have a meaningful conversation with a business leader, they’re going to look at the spreadsheet, the line items, and the associated business outcomes and make decisions off of those.

Nathan Morelli:

Yeah.

Cole Cornford:

They’re not going to look at the pen test report and say, cross-site scripting is worth this much risk. They’re going to say, how much is it going to cost me to eradicate all the problems in here?

Nathan Morelli:

Yeah. Yeah, it’s essential. I did my AICD, post-grad course. I’ve done all of that and they were great. And they were also great for procurement, supply chain, legal and all the other areas that you get out of that as well. As well, it’s a very good network.

But again, it’s about perspective and understanding the perspective of the person you’re talking to, what their business outcomes are, their pressures, and how you can either lighten their load a little bit or help them achieve this with your program at work.

Cole Cornford:

So shifting away from finance, there’s something that you said a lot earlier that I took a note down for. I thought it was actually quite interesting. You said early on, you followed people and now you follow problems. And pretty much in people’s careers I find that they usually start by following money and then following people that they want to work with and can learn from. And then eventually following problems that they want to go and tackle, because that’s what’s interesting to them. Did you find that your career followed that trajectory as well?

Nathan Morelli:

Yeah. Again, I’m pretty standard. You get to a point in life, you become a parent and you realize that money isn’t everything. Yeah, it supports great things, but you feel, I am now watching another person grow up and money isn’t the majority of their problems. It’s no problems. There are other big problems in the world and solving problems is a skillset as well.

But yeah, I would say that that’s probably the progression. I think as you mature as a high performer that money is second to getting some internal positivity out of what you’re doing, is really important or else why are you doing it? Because the money now is enough.

Cole Cornford:

Yeah.

Nathan Morelli:

It’s enough. We’re living in Australia. We are a very lucky country. I’m even luckier in South Australia, 10 minutes from work. My kids walk back and forth to school, really lucky. We’re safe. I’m in a really good career. My path is really good. I work with great people, I have great friends around me. Okay, be appreciative of all of that. But if you’re going to spend nine hours a day doing something, make sure it’s for the right purpose.

Cole Cornford:

And I think that intrinsic motivation is just always going to trump extrinsic, because there’s going to be a point where you do pick up your daughter and then you disappear for a conference and you come back. And she’s doing something. Because that’s happened to me. I’ve traveled somewhere, I can’t remember what, I think it was CyberCon Canberra, and I came back and she just looked a lot bigger. And so I just missed three days of her just growth spurting or something. You get perspective as you get a little bit older.

Nathan Morelli:

Yeah.

Cole Cornford:

And I love my kids and I want to let them have a good life. So to me, money enables that and it’s important. But I know that once I get to a point where I have that stability and that my kids are looked after and that my wife can choose to do what kind of career she’s interested in, I’m going to be smashing myself hard at things like problems I really care about.

Nathan Morelli:

Yeah. Those incidents you talk about. I think we’ve all had them and they give us good perspective when we make choices. I did a stint over in the Middle East when I was at EY and I missed a Father’s Day. To me, that’s my Father’s Day. It didn’t matter to me, but when I heard it from my son’s mouth saying I was supposed to celebrate you on Sunday and you weren’t here. Oh, that hurts.

Cole Cornford:

Yeah.

Nathan Morelli:

It gets you a little bit. And you’re, okay, I’ll make a different choice next time, I think. So again, when you move to an organization where you’re solving good problems, but they’re also supportive of where you want to be as a human being. Then you start thinking about, all right, second to purpose and mission and organization is the people I’m with. Does my chief digital officer, as Chris is right now, he is incredibly supportive of family, your family’s first, and he knows that. He will employ good people with good values if he supports that.

So if I say, I’m not coming in today because my son’s sick, all good, see you tomorrow. And that thing is, all right, that’s where I want to be, because I have to prioritize family because money, organization, fame and glory don’t mean anything to them. They just want their dad, their mom to be around when they need them. And they want their questions answered. And that’s what makes them happy as people. So that’s what we should be doing.

Cole Cornford:

I know that sometimes my daughter tells me, hey, I’d love to play more Minecraft with you, but I know that you’ve got to work tonight. And I sit there and think to myself, I’ve taken on too much work over the Christmas break. So I’m trying to be incredibly intentional about having sacred… Because early on, when you start a business, you can just fill up your time. There’s unlimited demand for cyber stuff. Even if you are kind of mediocre, if you just hit enough phones, I guarantee you have the full pipeline for a year.

Nathan Morelli:

Yeah.

Cole Cornford:

And it’s that pipeline, it can be very enticing to just look at. Yeah, you know what nights are good, so are weekends. And then you come back a year later and you’re, oh, my wife divorced me and my two kids don’t know who I am anymore because all they know is I go into the office and disappear for 16 hours.

In my personal life, my dad did overtime constantly. He was a truck driver. He’d get up at 3:00 AM in the morning and he would drive linen between hospitals, which I think is a very important thing to do. And if people belittle that career choice, they can go away.

Nathan Morelli:

No. No, no.

Cole Cornford:

We need those people.

Nathan Morelli:

Yes.

Cole Cornford:

And so he did this six days a week and he did overtime, so he’d do other shifts and stuff. But the fact is the unsociable working hours and the fact he had to do overtime a lot of the time meant that I didn’t get as much face time with my dad as I liked.

And so that’s really impacted me nowadays. Because I don’t have a solid relationship with my father as I know other people do with their kids. And my mother’s not around anymore, but I was really close with her and I hope to have that same bond that I had with my mom that my kids can have with me, but I know that that’s only going to happen if I can be a present dad.

Nathan Morelli:

Yeah, you’ve got to make purposeful change that supports your personal wants. So that is choices. Geez, that’d be a fun conference to go to. Oh, three of my mates are going, but we’ve got… And this is legitimately why I didn’t go to ACE in Melbourne. I had my daughter’s calisthenics May night of the year where she managed to win third place in the state, whatever they are, state championships for her division.

Cole Cornford:

That’s great. Congrats.

Nathan Morelli:

I went to that and I saw that, and I didn’t go to ACE in Melbourne despite 55 Signal messages of all the fun that they were having, which yes, that’s fun. That would’ve been fun. I would’ve had fun with that, but I probably would’ve missed a critical point with my kids. So purposeful choices, they’re there for a reason.

Cole Cornford:

And there’s always more high school reunions we can go to anyway, right? Because that’s what most of the CyberCons are.

Nathan Morelli:

Yeah. There’ll be another conference.

Cole Cornford:

I did similar this year. I missed ACE Melbourne because my wife got sick and I didn’t want to take a chance of being in another state and have her crook, in case we needed to look after the baby. So I think that was the right decision, even though she recovered pretty quickly.

Nathan Morelli:

Yeah, it doesn’t matter.

Cole Cornford:

I also got lots of Signal messages from people being, where are you? Yeah, it’s all good. It’s fine, we have to make the choices that we do.

Nathan Morelli:

And I also don’t want to not be included in all those messages, because I want to see the fun they’re all having, because it’s also nice to just see. It’s, oh, it’s still a great thing. You’re still engaging with each other. You also don’t need me there.

Cole Cornford:

And you can always catch up with other people or give them a phone call. I feel people think it’s only at conferences that you can meet people, but if you just travel for work somewhere or you just send someone a text you haven’t spoken to in a long time and see how they’re going, I reckon it’d be a lot of people that would just love to hear from each other.

Nathan Morelli:

Yeah, correct.

Cole Cornford:

Here we go, dude, the Big Hug podcast where we just tell everybody love each other like you love your mum.

Nathan Morelli:

Yeah. We’re a community. Be nice to each other. Be kind. Don’t be negative in the comments.

Cole Cornford:

All right, well maybe you’ll be negative about the fast round questions.

Nathan Morelli:

Yeah. All right, let’s go.

Cole Cornford:

Christmas present to give to someone that you work with?

Nathan Morelli:

All right, so I’ve got three people at work who genuinely like good wine. So I am going to purposefully find three wines that they have not drunk, they don’t have to be expensive, that I have enjoyed. And say, I’ve chosen this for you, and your palate and what you’ve [inaudible 00:40:09]. So again, something that they would enjoy, that shows that you took the time to think about them.

Cole Cornford:

My friend, Jeff Campey, up this way, he runs a digital forensics firm for expert witness stuff. And in his spare time he runs a wine thing, where it is an excuse, it’s a Twitch stream, where he just drinks wine and talks about all the wine stuff. And my wine ability is basically, there’s a lot of wine. The wine is colored red and [inaudible 00:40:38].

Nathan Morelli:

It should go with foods that aren’t red.

Cole Cornford:

This tastes bitter. I’m not a particularly good connoisseur, as opposed to coffee. But you should have a chat to him sometime. He would love to talk to you about why he’s…

Nathan Morelli:

I will actually. I’m going to find his Twitch stream, is it?

Cole Cornford:

Yeah. And what do you call it? What is it? He’s a local… He’s Hunter Valley. So that’s where we’re at. If you know Hunter Valley Wines, he knows all of them. So there you go. You can get something from this way.

Nathan Morelli:

Yeah. Oh, wonderful. Cool. Yeah. Well, maybe we can do a collab Twitch where I talk about Barossa Valley and Clare and McLaren.

Cole Cornford:

He would love that.

Nathan Morelli:

Great South Australian things.

Cole Cornford:

There we go. So we’re going to get a cyber wine podcast happening next.

Nathan Morelli:

Yes. Cywine.

Cole Cornford:

Cywine. Done. All right, so next one would be, what’s your most recent audiobook and why?

Nathan Morelli:

I am currently reading Netflix’s… Listening to Netflix’s No Rules Rules. I’m really enjoying that for challenging the normal governance processes that organizations put in place to deal with one minority to fix the majority rather than just dealing with the minority. Although, I really like this concept that I’m hearing.

And then before that, because I’ve just started that, it was Greenlights by Matthew McConaughey, which was just a good laugh. Because he’s a great storyteller and I really enjoyed some of his personal reflections on his life and choices in that too.

Cole Cornford:

Was it Reed Hastings who did No Rules Rules?

Nathan Morelli:

You are correct.

Cole Cornford:

Hold on. Oh, look at me, I know something. I go to a lot of places where bureaucracy exists, because they have too many edge cases and it’s always just like, well, how about you just apply for most and then deal with the edge cases, just manual boring processes, don’t worry about having to try to account for everything everywhere. And then they’re, wow, look at this, it’s functional. Now we have a business that works. Crazy.

Nathan Morelli:

Yeah. And the expense of it. Netflix have been really good at showing you the expense of governance controls for the sake of it. Anyway. Yep, that’s it. This is supposed to be quick five.

Cole Cornford:

Yep. And last one would be, where’s the best place to eat food in Adelaide?

Nathan Morelli:

But that is an epically long question, but at the moment I thoroughly enjoy a steak from Arkhe, which is a place on Norwood Parade, big coal grill right in the middle of the restaurant. Lovely bar around it. Really good food, really good wood fired, taste-driven, meaty, hearty food. Really delicate flavors around it to balance them out. And I’m guessing you asked this question, because you know I like my food.

Cole Cornford:

I figured if you like wine, you’re going to probably like food as well, mate.

Nathan Morelli:

Yeah, yeah. There’s also my food blog, Hustle, but don’t… But that’s another podcast.

Cole Cornford:

Oh wait, wait. When you do that, just feel free to send it to me and we can link it in the show notes. So people can go and listen to yours.

Nathan Morelli:

All right.

Cole Cornford:

I was in Adelaide yesterday. I went to this place called Peel St.

Nathan Morelli:

Peel St.

Cole Cornford:

And I just walked down there and just walked into it and I was just, hello, I would like food. And they’re, what? So I just ordered a bunch of stuff. And I was just, wow. Watermelon with halloumi. I’ve never had this before. This is amazing. So, I highly recommend.

Nathan Morelli:

And Peel St’s one of those Adelaide institutions, it’s one of those restaurants… In most smaller cities, if you can survive greater than five years, you’re an institution and that Peel St, other places like Bread and Bone and Georges on Waymouth and Proof, little bar. These are places and press is, they’re institutions now because they’ve survived and they just do great food. Australian-driven food.

Cole Cornford:

I went to Little Pub as well, so if that…

Nathan Morelli:

Not too bad.

Cole Cornford:

Yeah. Just had a lot of… I wouldn’t say the Indian eats are any good, but I’ll definitely have the beer. So all the craft beer.

Nathan Morelli:

Good variety of beer, don’t do a bad steak either for that particular environment either.

Cole Cornford:

I also noticed that your glass that you’ve got on camera is a whiskey tasting glass, I believe, Norco?

Nathan Morelli:

It’s all of the above. If it’s water, if it’s whiskey, if it’s coffee. All at once, sometimes.

Cole Cornford:

Oh, you play King’s Cup too. I see. Oh, dear. Well, mate, look, Nathan, it’s been an absolute pleasure to have you on the podcast. Is there anything you’d like to say before we wrap up?

Nathan Morelli:

Oh, no. I appreciate you asking and having this conversation with me. I’ve enjoyed our conversations. I’ve enjoyed the tangents we’ve gone down around purposeful choices and having a great mindset and bringing family to the forefront as well. In this day and age, it’s hard to do, but it’s really important. So thank you.

Cole Cornford:

Oh, no worries. All right, thank you so much, Nathan. Have a good one.

Nathan Morelli:

Thanks Cole.

Cole Cornford:

Thanks a lot for listening to this episode of Secured. If you’ve got any feedback at all, feel free to hit us up and let us know. If you’d like to learn more about how Galah Cyber can help keep your business secured, go to galahcyber.com.au.