From Australia Post to Cynch Security: Susie Jones's Journey to Safeguard Small Businesses

Cole Cornford:

Hi, I’m Cole Cornford, and this is Secured, the podcast that dives deep into the world of application security. While working as head of cybersecurity business services at Australia Post, Susie Jones worked on a product that was designed to support small businesses that had suffered a data breach.

Susie Jones:

We interviewed dozens of small business owners who had had data breaches, and hearing their personal stories of what went wrong and the impact that that incident had on them was really, really real for them. It was the worst working day of their life.

Cole Cornford:

Susie came to believe that existing cybersecurity tools to support was generally either too expensive for Australian small businesses or didn’t suit their needs, and so she co-founded Cynch Security which aims to fill that gap. I had a great conversation with Susie, we spoke about her career, the benefits of coming from a non-technical background, and we did a bit of a deep dive on the needs of small businesses and how we can secure them. So let’s jump right on in. All right. So, Susie, welcome to the show. How’re you feeling?

Susie Jones:

Pretty good, thank you. Thanks for having me.

Cole Cornford:

You’re back from the New Year’s break. Are you feeling excited to just get back into security?

Susie Jones:

Yeah, I am actually. It’s been the first year out of a few post-pandemic, et cetera, where I’m really starting the year going, “You know what? We’ve got everything that we need. Now we just need to get our heads down and do the work.” So really looking forward to getting into it.

Cole Cornford:

I feel like the last couple of years I’ve just kind of had this period, or I mean, last year I had my baby. That was just a complete fog of I don’t know what the hell I’m doing because I have a screaming child, and the year before that was when the Delta lockdowns I think were happening, so that was also a bit of a fog of war as well.

Susie Jones:

Yeah, well, the year before that I actually started the year by getting COVID on New Year’s Day. So, yeah.

Cole Cornford:

Oh, all right. Man, that’s not good. There’s a new of variant going around nowadays as well. So my daughter’s daycare apparently has had… I took her out of daycare the other day just because-

Susie Jones:

So many cases.

Cole Cornford:

We were feeling guilty because it was her third day and we just said, “Mm, I just don’t want to have her in daycare.” And then turns out there was a COVID infestation that day. So we made the right choice by just not taking her to daycare on day three because we felt bad as parents.

Susie Jones:

Parents’ guilt is real.

Cole Cornford:

Oh dear. But anyway, let’s go on to the questions. So first one I’ve got for you is what kind of bird are you and why? And for a bit of context, the reason that we ask this question is because I run a company called Galah Cyber and I wanted to choose a galah because they’re bright, colorful, and obnoxious, and I think that’s a bit like my kind of personality. But what about you? What kind of bird are you?

Susie Jones:

I think about this, I think I’m a penguin.

Cole Cornford:

Penguin?

Susie Jones:

What I love about penguins, when you watch videos and they constantly fall down but then they just pick themselves straight back up again and keep going. They just keep going on with their life, and I think that sort of resilience is definitely something I stand for.

Cole Cornford:

Do you noot noot at people as well like Pengu?

Susie Jones:

No, but I did go to Gold Coast a couple years ago and we did the penguin experience at SeaWorld and that was fabulous.

Cole Cornford:

So do they normally just fall over and get back… Is that what they…

Susie Jones:

Well, I mean, you’ve got to realize they’re flightless birds for starters and they’re walking around on ice all day. Ice is slippery, so they fall down all the time.

Cole Cornford:

That is a good point. That is a good point. And you huddle together as well because you’re here to help all the people in the community, right?

Susie Jones:

Exactly right. So my kind of bird, flightless and community minded.

Cole Cornford:

So that probably brings me up into the next one is that maybe you give the audience a bit of background about your expertise and where you came from.

Susie Jones:

Yeah, absolutely. So I certainly didn’t come into security the way many do through technology. So I actually started my career as a corporate insurance broker and specialized in risk management for large enterprises right across the country. I then moved into the broader risk management space, cyber risk management. I worked on the client side and actually purchased their first cyber insurance policy, and that was my first sort of entree into the cyber world because I needed to work with the internal cyber team to get all the information to buy the policy. That’s when I started to really have my eyes opened to just how broad this industry is, just how real the risks are, and how complicated it can be for a non-tech person to understand what this world is.

And so over sort of the next couple of years of my career, I met my now co-founder, Adam Selwood, and yes, just sort of took it from there, and I found that being that translator from technical people working on really interesting, deep tech solutions and the business that needs to understand what the value of that is, that’s my superpower. So that’s what I spend all day doing.

Cole Cornford:

I think that’s one of the things we see quite commonly is people coming from non-cognate just backgrounds into cybersecurity and I think that gives you a very unique proposition. Recently I’ve been working with the University of Newcastle to help fix up their cyber degree, and I guess stupidly enough I agreed to be in marketing material, and so I took my daughter to go see Wish at cinemas and guess who turns up on the screen, Daddy talking about why nurses and doctors are going to be great cyber professionals because they have a unique perspective into stuff, right?

I mean, so that makes sense to me. Coming from insurance and risk from writing policies and helping people make decisions about that, you have a lens that I think naturally plays to the SMB space, to be honest, because a lot of people who come from a pure tech background who know network security and application security like myself, or they might be good at pen testing, you go to an SMB owner and they would have no idea about any of these concepts, let alone multifactor authentication or things that we would normally take for granted for just being in the industry for a year or two.

Susie Jones:

Absolutely, and also they don’t appreciate that cybersecurity for a non-cyber professional, for a business owner running their business, cybersecurity is one of 50 things they might need to think about on any given day. It’s not that they don’t care, it’s not that they don’t want to give it more time and energy, but they’re running a business here, they’re doing whatever it is that they’re actually experts at. And so as a non-cyber person working with SMBs, it’s really, really helpful for me to understand that there are different priorities and how we can balance those out.

Cole Cornford:

I mean, me and you probably have it because gone through hell and high water. When you start your own business, you put on a hat that you’ve never worn before of how do I sell this to other people, how do I market what I’m doing in an effective way, how do I get people to actually agree to transact because this problem is actually so obtuse. It’s not like cybersecurity, you’re selling protection. It’s just a pure cost most of the time, so it’s kind of hard.

Susie Jones:

Yeah, exactly right because I mean, so often if we’re doing our job well, nothing happens. It’s pretty hard to understand the value when literally nothing happens when you do the job well. So yeah, it can be tricky, and you and I both know, we’ve spent years building out our value proposition because we know that nothing happening doesn’t mean nothing has been generated or nothing has been well invested.

Cole Cornford:

Yeah. So what sparked you to go from, because you were at a corporate position previously, managing a large information security program to go be a founder helping SMB, what sparked your desire in that space?

Susie Jones:

Yeah, it was actually a project. For context, I worked at Australia Post, I was head of cybersecurity business services in their information security office there. But on nights and weekends, my co-founder and I were working on what was the beginnings of Cynch, and the reason for that is we had spent six months working together on a project within Australia Post that was designed around building a product for small businesses that had suffered a data breach. And so as part of that research for that product, we interviewed dozens of small business owners who had had data breaches, and hearing their personal stories of what went wrong and the impact that that incident had on them was really, really real for them. Sure, there was definitely financial repercussions, et cetera, but for them as people, as humans, it was the worst working day of their life.

In a large context, like Australia Post, you have an incident, it can make for a pretty bad week, maybe even a bad month, but life moves on, you get past it, but in a small business context, it can truly bring everything to a stop. With the industry in security being focused only at the top end of town, it means that they were completely left on their own, and we just decided to do something about it and so Cynch was born. So we’re all about supporting those that don’t have the resources that large enterprises have to help avoid that day being one of the worst days of their lives.

Cole Cornford:

Well, that’s a fantastic mission. It’s really good to have had those personal interactions with people who have suffered because then it makes it more real for you because I feel that a lot of cyber professionals, it’s quite nebulous and abstracted away what the actual impact to business is of the things that we do other than you’re slowing my project down and you’re costing way too much money.

Susie Jones:

Absolutely. I mean, we’ve all been called the head of the department of no before, right? We’ve all heard that. But seeing on the other side the very personal and emotional impact that an incident can have on a business owner definitely raises the risk and also the reward.

Cole Cornford:

So let’s fix the handbrake to happiness, right?

Susie Jones:

Exactly. Exactly.

Cole Cornford:

All right. So let’s go into some of the questions about SMBs, right? So first one is what do you think the most common cybersecurity challenge is for someone who is classified as an SMB are?

Susie Jones:

Yeah, look, they’re working with different constraints. So if you think about a small business, and within the Australian context I’m usually referring to a business that has somewhere between five and 50 employees, so they have three main constraints that large enterprises don’t have. So first of all, their budget. So sure, whilst everybody has to work within their budget, in a small business a budget might be $500 a year. So if you’re talking that, there’s no option for a SIEM. None of the solutions that we would always want to see in place for a large corporate are even available. Secondly, the time. As I mentioned before, small business owners are juggling 50 different things on any given minute of any given day. So having the time to really sit down, learn a new skill, learn what it is that they need to do, research the solutions, all the rest of it, it’s just not something that they have. So they need efficient solutions.

And lastly, it’s the expertise. We’re talking about somebody that goes into business because they’re a mortgage broker or a real estate agent or a GP. These are not people that set out to build a business. They set out to do what they are experts at and they just wanted to do it on their own terms. So when that’s the case, when you don’t have internal tech expertise, let alone cyber expertise, the whole challenge is completely different to large enterprises.

Cole Cornford:

Yeah, I know that if we didn’t have our backgrounds in cybersecurity, I’m sure that we’d be in a similar boat, right?

Susie Jones:

Oh, absolutely. I think about if I had started 10 years ago, if I’d gone off and decided to start my own corporate insurance broking business, I shudder to think on what the security of that business would’ve been 10 years ago because I simply didn’t know what I know now, and it wasn’t spoken about as readily as it is now as well. So I would never even known it was a thing that I should be thinking about.

Cole Cornford:

Yeah, even some of the businesses I speak with, they’re just like, “What? What? I didn’t even realize that there are security professionals in Newcastle, like it’s a thing. I thought that that was something that only intelligence agencies did.” And I’m just like-

Susie Jones:

Oh wow. Yeah.

Cole Cornford:

… “All right. Yeah, okay. I mean, this is real.”

Susie Jones:

And it’s completely reasonable, right? As somebody that has never worked in this space, it’s a reasonable assumption to have, but this is why people like you and me are trying to shout from the rooftops and let people know the good message.

Cole Cornford:

And I do a fair bit of SMB workup in Newy where we go to the local business golf games and just meet people and they’re like, “I’m a plasterer or I’m an accountant and I’ve got like 50 clients,” and then you’re like, “Oh, okay.” One of those clients is, I don’t know, Whitehaven Coal or one of these hundred million, $2 billion company. So he’s just got this small accountancy shop who’s been mates from high school 40 years ago or something, and they’re like, “Should I do cybersecurity?” And I’m just like, “I don’t know. Do you think Whitehaven would like you to do it?”

Susie Jones:

Exactly right, and that whole supplier customer relationship is what really I think is driving change throughout the small business ecosystem. So we know we’ve now expanded at Cynch, previously we had solutions that were only designed for the small businesses out there to use, and now we’ve expanded to have a supply chain assurance solution because there are so many small businesses that are working with the biggest businesses in this country. 97% of businesses here in Australia employed fewer than 20 people. So when you’re talking that sort of number, then every big business relies on small businesses. It’s as simple as that.

Say you’re running a, I don’t know, some sort of engineering company out in the middle of WA, 600 kilometers from the next engineering company, and the Telstras of the world have a network that they need to still run 600 kilometers from the next company, then you’re going to be the one that they use. But that also means that you’re dialing into Telstra’s network which creates a whole different risk. So that’s the mission that we’re on now, is to help all of those businesses that are working with big ones to make sure that they can keep the revenue that they have, but also demonstrate how good they are so that they can win more business in the future.

Cole Cornford:

Supply chain’s a really interesting one for SMB because we see news articles all the time that X, Y, Z large institution got hacked because IT help desks that was outsourced to a small IT MSP who has no security procedures, but they managed to bid really cheap and win the contract. They’re the ones that got owned in the first place to go up into the organization. But like you said, these kind of companies with five to 50 people don’t have the time or expertise to invest in these programs. So how do you guys help manage compliance? Because I get a lot of people coming to me saying, “Let’s do 27001,” and then I say, “Okay, why?”

Susie Jones:

Do you want to lose 12 months of your life and hundreds of thousands of dollars? If you want to, sure we can. Yeah, no. So look, this is exactly why we approach the problem that we do.

So as you know, Cole, at Cynch, we’ve built a software as a service solution for small businesses that does all of that risk prioritization, risk management for them. So all they need to do is register the assets, the technologies that they use, and our platform tells them exactly what they need to do and in what order. If they do want to aspire towards something like ISO 27001, they can use one of our cyber fitness programs to help them to guide them to put the controls in place that they will need so that they can do that work upfront before they engage a security consultant that’s going to build out a roadmap for them and then charge them $5,000 a day to put all of the things in place, whereas the reality is if they just registered their assets with us and followed the step-by-step instructions, they could do it themselves in between all of the rest of the work in their day.

Cole Cornford:

I wish that we had more accessible content for these providers because the amount of times where I’ve had a chat with someone and had to move them over to Cynch because we’ve immediately worked out from just where their add on GP plus revenue plus cashflow that they would never be able to support talking to consultants for hours, let alone days or weeks, right?

Susie Jones:

Exactly right, and not only that, but it also, that’s not where your value is, right, Cole? So you are a deeply technical person that those small businesses that are in that position, they’re not going to realize the benefit of working with someone like you because that’s not where their business is at. Quite often business owners work with us as they’re growing and they’re going through those early few years of their company, and then eventually they get to the point where they now have a technology solution that they’re trying to sell and they go, “Oh, okay, this is when I need Cole.” This is the time where your expertise is going to really help them out, right?

Cole Cornford:

Yeah. It’s the scale ups, that’s where we hit it, so scale ups and enterprises. But yeah, it does, I mean, it makes sense that a security market does target a big end of town because that’s generally where they can actually make the money out of it, but you’re right, it has led to perverse incentives where 90% of our employers in Australia aren’t helped by existing solutions, right?

Susie Jones:

Yep, exactly right. Yeah, perverse is exactly the right word for the situation that we’ve ended up in, and it’s not just Australia. It is like this in developed countries right around the world. Australia just happens to be the one that I care about.

Cole Cornford:

So going back to the types of things that larger companies are able to just assume that are naturally able to be done and smaller companies just cannot do, what would you say would be the worst suggestions that you’d hear a security consultant give to a small business because they’ve seen it in a larger firm?

Susie Jones:

Yeah, look, things like a SIEM, things like running enterprise grade vulnerability management software, those sort of deeply technical solutions where they’re designed by security experts for security experts to use. If you need a security degree to use the tool or the software that you’re talking about, then it is not applicable for small businesses, even if it’s priced at a price that they could afford because it will end up being shelfware in any small business context. So really thinking about who is going to be using the solution, who’s going to be implementing it, who’s going to be be maintaining it. If you need a tech background for any of those steps, then it’s not appropriate for small businesses.

Cole Cornford:

Yeah. I mean, I see very similar parallels within the AppSec space where a lot of the traditional application security products were given directly to, let’s say, AppSec experts, and then they’ve realized that we can do delegating this responsibility over to software developers who may not necessarily have security expertise but they’re going to scale a lot more than getting a lot of Coles out there, right?

Susie Jones:

Yeah.

Cole Cornford:

So I’m sure that we can probably find the right types of products to suit. So then going back to it, what do you think the best tips you would give to an SMB would be? If they had to invest in products, where would they start?

Susie Jones:

Look, I would start with the people. So if you have a team of people, then start investing in their security, and one of the first steps that we recommend to every small business out there is a password manager. Being able to get on top of their access management, being able to get them to be able to better manage and set strong, unique passwords, that’s a great place to start. And the second place to start is putting multifactor authentication on everything. We’ve been banging on about this in the industry for years, but we still make it just too hard for people to understand the value. The simple fact is if you have to get access to a security code that only you physically have access to in order to get into a program that you use, then that’s more secure than just using a strong password, and we just need to get better at having those conversations. So really getting on top of your access control in the first place is incredibly important.

Secondly, backups. Backups are still completely underrated, and I think some of this has come about through the transition to cloud services because many people don’t realize, they just, they assume that a backup is always included in their cloud service, but for some products and solutions out there it’s not. It’s an option. And so you need to actually go into the settings, you need to understand what is required to make sure that a backup is in place because I tell you what, if you fall victim to ransomware, a backup is your best friend.

Cole Cornford:

Yeah, I agree. It’s amazing how few people go to such simple solutions first, and none of those are cost prohibitive. In fact, they’re actually usually negligible because if you’re using O365 or you’re using Google Workspace, you can always download your documents and put them on a physical device somewhere.

Susie Jones:

Exactly.

Cole Cornford:

And then you should be okay. Even if those tenancies get owned, you still have your backups elsewhere.

Susie Jones:

Yeah, Exactly. And password managers, we’re a reseller for one, and it’s as little as $9 per staff member per month. That’s nothing. It’s completely negligible. But if it helps you quickly and easily log into all of your solutions, generate passwords that you never have to remember and means that the only password you need to remember for the rest of your days is the password to get into your password manager, it just, it’s a no-brainer.

Cole Cornford:

Yeah. Do you find a lot of small businesses outsource the IT responsibility to a third party, and then if they do, how do you as a director of a business then go and actually have the knowledge to be able to ask your supplier to make good choices?

Susie Jones:

Yeah. So around about half of the small businesses that we work with do have outsourced IT support, whether they be in a formal MSP or MSSP arrangement or just they have an IT guy down the road.

Cole Cornford:

They’d have the guy, yeah, he’s from uni, he’s all right, he got glasses, he knows what he’s doing.

Susie Jones:

Exactly. Yeah, exactly. He set up their website and all the rest of it. That’s the problem is that it’s a huge difference in quality in service between the IT guy down the corner shop and your MSSP that have formal services arrangements in place. So making sure that if you’re going to outsource the management, and keeping in mind you can’t outsource the risk, all you can do is outsource the management of the risk, then really making sure that you have educated yourself on the right questions to ask when selecting that provider is really important, making sure that you can walk away, have confidence and know which things, which aspects of the risk they are responsible for managing versus which things you always have in house. At the end of the day, teaching your staff to not click on links is not the IT support provider’s role, right? That is your role, and it is always your risk.

Cole Cornford:

I guess that’s one of the things that me and you would have to grapple with quite a lot is that we know our expertise is in security and a few other niche areas that we’re probably pretty good at. For both of us, we’re good at communicating, good at sales, but we’re probably pretty terrible at legal or terrible at, I don’t know, IT in some way. I’m terrible at IT. I don’t want to be managing Google Workspace. I do. I don’t like it. It’s not fun. It’s not my area of expertise. I would love to get rid of it.

Susie Jones:

It’s not fun, yep, yep.

Cole Cornford:

But I guess one of the things that I always see it is we have to recognize that even if you have delegated the risk to some other party to manage or to a product that unfortunately delegating it doesn’t eliminate it, and you’re ultimately still going to have to assume ownership of it yourself.

Susie Jones:

Absolutely, and I mean, it’s like the old comparison to insurance, right? So at the end of the day, everybody buys house insurance and that’s for the day that your house burns on fire, but you still lock the door when you leave because there’s other risks involved that are still inherent when you have an asset, and your business is an asset. So whilst you buy insurance to help protect and transfer some of that risk of the epic event, those every day-to-day events still need to be managed and that risk is still there.

Cole Cornford:

Yeah. So I guess one last one on the SMB topic is if I was a aspiring entrepreneur or just a new company director, what is the one resource I should learn to make sure that I understand the types of things, like the risks I’m delegating out to other parties and that I have to own myself?

Susie Jones:

Yeah. Look, I mean, the great place to start is always cyber.gov.au. It’s really good at telling you what you should be thinking about. It’s not great at telling you how to actually implement anything, but that’s when you come to the likes of Cynch because that’s what we do. But if you’re starting out and just wanting to familiarize yourself with what things do I need to start thinking about, that’s a great place to start.

Cole Cornford:

All right. Onto the rapid-fire questions. Here we go. So best book to give someone for Christmas.

Susie Jones:

For Christmas? Okay.

Cole Cornford:

Yes.

Susie Jones:

Oh, okay. I love the ones by Samuel Johnson, so Dear Dad, et cetera. I mean, he’s just a wonderful human being on a fabulous mission, and those books are really uplifting and heartwarming.

Cole Cornford:

Best parenting tip.

Susie Jones:

So fun fact, I’m not actually a parent, but I am a stepparent.

Cole Cornford:

That doesn’t stop people from giving tips about parenting even if they’re not parents anyway. I get it all the time. They’re like, “I have no kids but this is what I read on the internet, so you should do this,” and I’m like, “Okay.”

Susie Jones:

Yeah. Look, I mean, the best parenting tip that I can give from a stepmum to people out there is you don’t always have to be the parent. Sometimes you can be the silly friend, and that’s perfectly okay.

Cole Cornford:

Yeah. I mean, I agree with a lot. My daughter, Xinni, I am always the silly friend of her pretty much, and when I need to step in as a parent, something silly’s happened like I need to really put my foot down but pretty rarely, so I’m okay with swapping when I need to. I can be the friend.

Susie Jones:

Exactly.

Cole Cornford:

One cybersecurity myth you would love to debunk.

Susie Jones:

I think that what I would like to debunk, it’s actually more with the security industry rather than small businesses that I think needs this debunked. Security professionals quite often make the assumption that small businesses don’t do enough on cyber because they don’t care, and that is absolutely not the case. They care. They absolutely care. This is their business. This is their livelihood. For many of them, it’s their identity. Small businesses don’t do enough with security because the security industry doesn’t do enough to support small businesses. So flipping that on its head is definitely a myth I want out there.

Cole Cornford:

Yeah, I like the inversion principle, and also it’s part of the reason I love going to just getting outside of the tech space entirely. Going and playing golf with plasterers and doctors, you can talk to them and they’ll whinge to you and say, “Homeowners just don’t understand why I have to go out and do a quote. Because the cost of materials changes, I can’t just give a quote on the spot. Why does everyone want a quote on the spot? I don’t feel like being badgered. I just run away from those people.” Or doctors saying to me, “Man, the Medicare updates mean that I need to be able to charge more people at this rate.” And you’d think that with these kinds of conversations that it’s very similar to cybersecurity professionals whinging about why are people not doing this kind of stuff. But every industry is frustrated with their clients, unfortunately, and we’ve just got to accept it, right?

Susie Jones:

Yeah, spot on, and I mean, they’re all very real problems that they’re having to deal with, right? Cybersecurity is just one of them. No matter how much we would like to think it should be number one for everyone, if you’re a doctor you’re going to be far more concerned with how do you make sure that you can support as many patients as possible than you are going to be worried about how strong is the security on the computer at the front desk.

Cole Cornford:

My superpower, I guess, is understanding business quite well, and that helps me a lot with both software and security. So what do you say your superpower is?

Susie Jones:

That translation between general business speak and technical language, yeah, I’ve done it.

Cole Cornford:

Fist bump.

Susie Jones:

I’ve done it from complex insurance policies back in my twenties, risk management policies and processes in my thirties, and technology and cybersecurity is just another thing that needs that translation. So that’s what I do.

Cole Cornford:

All right. Well, if you guys need any more translation, hit up Susie Jones at Cynch. So Susie, thank you so much for coming on.

Susie Jones:

Thanks for having me, Cole.

Cole Cornford:

Thanks a lot for listening to this episode of Secured. If you’ve got any feedback at all, feel free to hit us up and let us know. If you’d like to learn more about how Galah Cyber can help keep your business secured, go to galahcyber.com.au.