The Architect’s Dilemma: Why Security Design Keeps Failing (and How to Fix It)
Most security architects are not actually doing architecture. They are doing assurance work, following checklists, and hoping standards will save them. But as systems get more complex and attackers get faster, that approach is no longer good enough.
In this episode of Secured, Cole sits down with Ken Fitzpatrick, founder of Patterned Security and creator of securitypatterns.io, a resource built during the lockdown years that has since grown into one of the clearest frameworks for designing meaningful, context-aware security architecture.
Ken shares why so many architects fall into the trap of compliance thinking, how security design becomes a tick box exercise, and why threat modeling without understanding context is pointless. They unpack the four foundational steps every architect should follow, why traceability matters more than ever, and how modern teams can stop copying best practice and start solving the real problems in front of them.
The conversation also digs into secure by design in different industries, why the term has lost its meaning, and how modern defensible architecture is resetting expectations for what good looks like. Cole and Ken also dive into AI and its impact on the architecture function, separating hype from reality and exploring which roles are at risk as AI improves.
If you work in engineering, architecture, AppSec, risk, or are building a product and want a practical way to think about secure design, this is an episode you should not miss.
00:00 – Intro
00:48 – Chainguard Ad
01:20 – Meet Ken Fitzpatrick and Patterned Security
02:19 – How a cancelled Canada trip sparked securitypatterns.io
04:08 – Why architecture needs practical guidance, not more frameworks
05:18 – The four step method for real security architecture
07:23 – Moving beyond box ticking and why engineering experience matters
09:39 – Teaching architecture fundamentals and selecting the right controls
11:37 – Traceability and making defensible design decisions
13:14 – Architecture vs assurance and who securitypatterns.io is for
16:31 – Embedding secure by design into PMO processes and scale up use cases
19:58 – What secure by design means across different industries
23:05 – Inconsistent definitions in security and the need for clarity
23:50 – Modern defensible architecture and Zero Trust guidance
24:44 – AI’s role in architecture and which tasks get replaced
28:25 – AI in AppSec and reducing false positives with context
30:24 – AI sales bots, hype cycles, and the loss of human reciprocity
33:28 – Ken’s call for collaboration on repeatable architecture patterns
34:28 – Closing and how to connect with Galah Cyber
Ken Fitzpatrick
A lot of architects don’t think about the actual design of the system. People go back to just simply looking at standards, or industry best practice or hoping someone else has solved this problem for them without actually understanding the context or the use cases of what they’re trying to solve in the side of their business. And it becomes more of a tick box exercise in what they’re trying to plan for.
Cole Cornford
Do you have encryption? Do you have like…
Ken Fitzpatrick
Totally. Totally.
Cole Cornford
I hate that. If you are someone that you are identifying with being a checkbox compliance architect, what’s the best way to get you to move more towards designing and solutioning and thinking about that?
Hi, I’m Cole Cornford and you’re listening to Secured. This is AppSec without the input validation. I sit down with people from all corners of the industry to trade stories, share what they’ve learned, and sometimes stir the pot. Open source now powers over 90% of the software we build, but it’s also where attackers increasingly strike. Chainguard closes that trust gap with hardened, secure, production-ready open source builds, so teams can build faster, stay compliant, and eliminate risk. Get your free CVE reduction report at day1.fm/chainguard and start shipping software with confidence.
And hello everybody. It’s Cole Cornford here. I’m here joined with Ken Fitzpatrick. Ken, how are you doing?
Ken Fitzpatrick
Yeah, you, Maine. How about yourself, Cole?
Cole Cornford
I’m doing all right. I was in Perth last week and I got absolutely cooked when I got home. Not in Perth. It was so weird. The weather’s just swapped. It was all rainy and stuff, but it was really cool to travel there. I haven’t been to Perth before.
Ken Fitzpatrick
Yeah, no, it’s pretty nice. I was actually down in Melbourne in a similar vein in… I expected it was going to be stinking hot and it was overcast and wet and humid. I mean, typical Melbourne is, it’s four seasons in one day down there.
Cole Cornford
That’s right. So, for everyone listening, let me give you a little bit of background about Ken. So, Ken is the founder of Patterned Security, which is a well-known Australian security architecture consultancy. Been helping all sorts of businesses like scale-ups and larger businesses with just making sure that they get their security architecture and their assurance correct. Ken’s previously held roles at Westpac, Transport New South Wales and Ausgrid.
And one of the things I’m super excited about is to discuss something that he built about five years ago called securitypatterns.io, which is a website you can go to right now and have a look at about all the different ways to build applications and architectures to be secure by design. So, I thought that might be a good place to actually just start is to just tell everyone about what inspired you to even do security patterns.
Ken Fitzpatrick
Yeah. Yeah, absolutely. So, funny enough, it was back in 2020, I actually worked on that website. So, for context, back in 2019, 2020, as you mentioned, I was working at Westpac at the time and I had been flat out. And at that time, I decided to give myself a career break. I’d worked my entire career from the second I got out of university through to where I am now. And I was like, “No, kids, young family,” I’m like, “I’m spending some time. Just decouple from work, take six months off.” My wife’s Canadian, so I’m like, “Okay, we’re going to Canada for six months. We’re going to travel. We’re going to do all these things. Fantastic.” Had it all booked, laid out.
We were set to travel in April 2020, and then sure enough, March 2020, COVID kicks in, flights are gone. Wife and I are like, “Oh yeah, it’s fine. It’s fine. Give it another month. This thing will totally blow over. We’ll still do this.” And sure enough, it didn’t. And whilst we were at home, I went, “Okay, fine. I’m just still going to take the career break. I’ve worked all my life. Just take some time out.” And it was perfect during COVID. And it was at that time, I started working on securitypatterns.io as a concept, really just to keep myself busy. I mean, I got to spend plenty of time with family as I had originally planned, but time to make sure I kept myself focused during the COVID days.
Then securitypatterns.io was a bit of a passion project when I started. It was something I’d been thinking, working on. And what it was all about was really giving practical advice around how to write security architecture. I constantly have seen in the industry where there’s plenty of frameworks, there’s a lot of content out there about how to plan and think about controls and threat modeling and what’s required as part of a particular service or implementation.
In terms of just grassroots practical steps to actually write architecture, how to conceptually think about and plan for it and actually producing an output that isn’t just architecture for architecture’s sake is actually something that can be used and applied to where I started to put together securitypatterns.io. And so, what it was at the time was really a concept around what are the core steps around writing architecture. And I always thought about it as, if I had to be in an elevator pitch and talking to someone that’s not ever been in security architecture before, what would be like the core four things I’d tell them to think about?
And that’s what securitypatterns.io centers around is at minimum, these are the things to think about and here’s a step-by-step guide about how I work it through and how I use it practically in projects and example templates to follow.
Cole Cornford
Oh, cool. Cool. Yeah, because unless you’ve been in the industry for quite a long time and you’ve had exposure to all of these different types of patterns and how all these systems are all connected, it’s quite unlikely that you’re going to come in and say, “Yeah, this is what a good authentication approach would look like. This is what a good authorization approach should look like.” And you would just grab what’s available and just run with it, instead of being able to think it through from first principles.
Ken Fitzpatrick
And that’s exactly it. And a lot of architects don’t think about the actual design of the system. The ABCs of trying to work through some of the security designs is really, people go back to just simply looking at standards or industry best practice or hoping someone else has solved this problem for them without actually understanding the context or the use cases of what they’re trying to solve in the side of their business. And it becomes more of a tick box exercise in what they’re trying to plan for.
Cole Cornford
Do you have encryption? Do you have like…
Ken Fitzpatrick
Totally. Totally.
Cole Cornford
I hate that.
Ken Fitzpatrick
It’s where I’ve seen in the industry where architecture and GRC don’t in practice end up looking the same in people that are just taking a standard because someone else said that they need to do that, going through the controls, marking them off and okay, maybe they add some flavor on top of that of, okay, thinking about this and some nice discussions around the solution architecture, general solution architecture, but in practice, they’re just ticking boxes.
And so, when I started looking at patterns, that was one of the key things is trying to actually, and I talked at length about the challenges of using just generic standards is think about the use cases, context matters, and use that to inform your threat modeling to then determine what controls you need to use.
Cole Cornford
Yeah. So, I reckon there’s a lot of security architects who are listening to this, probably Toby. So, “Hey, Toby, how are you feeling? You might be a little bit called out here.” But if you are someone that you are identifying with being a checkbox compliancy architect, what’s the best way to get you to move more towards designing and solutioning and thinking about that? Because a lot of the time, it means that you actually have to have an engineering background at the very least or work on that, I’d say, right?
Ken Fitzpatrick
And engineering background in architecture is always important in my mind. I mean, stepping aside from the process, you need to have a solid understanding of what you’re describing and planning for. An analogy I’ve used in the past is, for people that want to move into architecture, is if you haven’t actually understood how these things work and put together, and you’ve never actually even played or experimented with the tech stack that you’re trying to architect, then you’re never really going to have the level of value that you should be providing as an architect. And the analogy I use is like trying to design a car when you’ve never actually driven one or been in one, right?
Is the level of complexity in most environments these days requires you to be hands-on. You need to have experience, not just reading the textbook of it to understand how you’re actually going to meaningfully architecture and understand the design that needs to go behind it.
Cole Cornford
I’d say it’s like closer to being a mechanic is like, where you don’t want to be because if you’re a mechanic and you’re going into fixing problems with a car, you can’t conceptualize what would a new car look like or how do we get all these different pieces of components to work together in a way that’s going to improve performance or make a car more reliable or whatever because you’re just fixing things, right? So, how do engineers go from being mechanics to then building that more higher level understanding?
Ken Fitzpatrick
Understanding the architecture and planning, 100%. I mean, and this is where when I was writing the securitypatterns.io, the first iterations of it is with a bit of a mindset of if I had an engineer and I’m trying to teach them the basics, what I teach them is four fundamental steps is if you’re designing the system, you have to start with understanding the use cases and the context of what’s being done.
So, whilst you still need to be technically proficient, understand if it’s a cloud service or if it’s a new set of applications that you’re trying to deploy, how is your business or the stakeholders that are involved in deploying that, how are they actually anticipating to use that software or those environments? Understanding that context is then step two is to then threat model around it. And there’s a whole range of threat modeling techniques out there. I talk on that as a whole separate topic. But if you’re getting started, just start with the basics. Start with the basic threat modeling exercise to get your head around what’s there.
Do research, do an understanding of what threat modeling is out there already. Once you have that and you understand the assets involved, then start to make a selection of controls. Go back to, do your cross checks against industry best practices and what’s out there, but you should be understanding first, the threats that you’re looking to mitigate before you start just ticking boxes and saying, “Oh, good architecture isn’t like picking controls like they’re a smorgasbord. It’s about actually selectively picking on the ones that matter and being putting prioritization behind that.”
Cole Cornford
And what would you say is number four?
Ken Fitzpatrick
Well, number four is that traceability. When I talk about stakeholders, and this is where architecture, if you think about the function that it provides is you do still require, in most instances, to have traceability to what’s driving the need to mitigate risk and having that traceability to whatever framework your business has. If you’re a large organization, you’ll have a range of frameworks that you already need to address, particularly if you’re a regulated entity that you need to work against. If you’re a smaller organization, then it could simply be just doing that cross check, a backwards check against whatever best practice that you’re looking to target to.
I mean, in very simple terms, if you’re an organization that’s just doing even something as simple as ISO 27001, SOC 2, use that as your crosscheck in terms of, did I miss something? Did I not think about a particular control? And it’s not that you’re going through and now trying to add all those in. It’s about just having robustness in your planning and approach to control selection.
Cole Cornford
It also helps you justify why you made the decisions that you did at that time.
Ken Fitzpatrick
A hundred percent.
Cole Cornford
Because then you can say that we had a shoe store and a shoe store, we found that the problem is that for some reason we only get all of our revenue comes from Facebook advertising. And so, controls, there’s going to be MFA on Facebook and strong passwords on Facebook and backup accounts on Facebook or whatever. And then when you do your traceability and they say, “Oh, but the website got the e-commerce website got hacked.” You say, “Yeah, but the only channel that matters is where we get business.” So, even if the website got hacked, everybody only interacts with a Facebook page. So, a very contrived example, I have been looking at shoes recently.
Ken Fitzpatrick
You did give yourself away.
Cole Cornford
Look, just everybody tell me what kind of shoes you want. I want to get some ons. That’s the ones because my wife was telling me that my white Nike shoes look like they are actually black now, so it’s not particularly helpful. Anyway, so who would you be the best person to be reading these security patterns? Would it be good for an engineering, like a founder of a company who just wants to build, make sure that they’re doing the right things and embedding security early on? Or is it like more for if you’re an engineer working as part of a product function that you’re just trying to inherit stuff?
Or like obviously security architects should be using it, but I imagine that a security architect probably is already pretty good at security architecture, or at least I’d hope.
Ken Fitzpatrick
Yeah. Look, I mean, there’s a few different audiences when I was writing the website that I catered for, but funny enough with architecture, and this is based on broad observations of the industry, but one of the things that I constantly see is architects not actually architecting and really they’re just doing assurance and maybe part of their role to do so.
But if you’re coming in and just simply going through a standard that was written generically at a point in time with no context to use cases, or what you’re trying to solve in the business, it’s looking more like just another take of industry best practice and you’re just going through those on the projects to go through and validating at the end of the project, have they been completed, you’re doing assurance, not architecture. And that’s where I see a lot of the focus goes to that backend because not that they lack an appreciation of architecture, but it’s just not having practical steps to run through it.
There’s a big tendency of overcooking architecture or actually not thinking about how it actually has to integrate as part of your broader security by design, security architecture and assurance function, how it’s meant to tie into those things. And so, people tend to… Like all architects, you’re always short of time and a million things to cover. And what you end up falling back to is just ticking the box and trying to get through the workload to say, “Hey, yep, we’re good enough.” And shortcutting the time and effort that should be done upfront to plan and design and do architecture.
Cole Cornford
Yeah. I guess there’s a few reasons that that happens. And a lot of us is the same challenges we would have with an application security because a lot of AppSec people learn because they’re basically placed into a conveyor belt. And so, like product comes in, need to assess product and then give people heads up that here are the gaps, go address the findings. And when we’re working in that kind of cyber assurance model where we effectively have a centralized security capability that’s then reviewing projects on a one by one basis, it’s quite uncommon, if not rare for security to be engaged as part of the initial solutions architecture and design.
In which case, as an architect, if the design has already been decided on, by the time it gets to you, then the only option you really have is to go down the assurance route. So, I think if you are working at those larger businesses, the emphasis should be trying to figure out how do you get inside of a change traffic management… I don’t know, what the hell. There’s like a project management center thing. What do they call those? Yeah.
Ken Fitzpatrick
Front door service.
Cole Cornford
Yeah, I don’t know. Not so much like a cyber project management server, but like the business directors and stakeholders who fund projects, then it goes to like, is it a TPO or something, like a project office or like…
Ken Fitzpatrick
Yeah, your security architecture and assurance function has to be tightly integrated into that PMO function-
Cole Cornford
Mm-hmm, that’s it.
Ken Fitzpatrick
… in terms of how project execution and lease management is dealt with. And that is where the security patterns work that we do and where it’s definitely evolved over the last five years is to talk and extend on not just the design part that fits into that, but what does security by design as a framework, how does that actually need to integrate across a PMO function and be integrated to that, so that you get maximum value out of the architecture design work that you do and actually show that it’s not about just doing the design phase, it’s about how that design facilitates all of the subsequent phases of work that you need to do to bring together an overall capability.
Cole Cornford
I guess it’s like one of the interesting things is because you’ve been running Patterned Security for about five years and I imagine that your customer base is like mine, it’s all over the shop because when you’re a small business, you’ve got to take what work is given to you. And sometimes it’s a big enterprise, sometimes it’s a startup and sometimes a mid-market customer. And in my experience, the security architecture function tends to be something that larger businesses tend to do. So, how are you finding coming into effectively applying security architecture principles and threat modeling and all of that in the context of like scale up customers or like small business customers?
Ken Fitzpatrick
Well, I mean, it’s funny, you look at the work we do, we are 60% in work in what we do for security patterns, which is around the strategic capability we’re establishing for and focusing on large organizations. But funny, as you know, as you mentioned, starting up a business, you then have to be opportunistic about what’s in the market and what’s selling. And what I tend to do is actually bring back into, if I look at scale up businesses and businesses that are ramping up, you’re not going to go to the extent of doing security patterns as a startup business, right? You’re stuck trying to deal with what does it even mean to do cyber risk management?
What does a cybersecurity operating model even look like for your organization so that you can show coverage and across the teams in terms of who is responsible for what activities, who is planning around that, how do you roadmap activities, what type of funding and competency you need within the teams to be able to actually allow the business to grow. And so, we do a lot of that strategic planning, but that then is then when we start to build out, and it gives a good appreciation of how that has to then build out to more complex environments where you start to embed security by design into project execution and obviously where we start to extend on security architecture as a function.
Cole Cornford
It’s probably a good one, secure by design. I remember back when Toby was championing this at the ATO in 2014, 2015 or something, and it was like really, it seems to have taken off and become endemic really. And to me, I’m a big fan of by default rather than by design, but I also think it’s really unrealistic to be telling people to be secure by design because most of the work that we do is on existing products. And so, if a product which is likely to have been written in the last 15 to 20 years is being iterated upon, it’s very hard to be applying these SBD principles into a brownfield estate.
So, why is there so much emphasis on SBD as opposed to like, how do we go about thinking about addressing legacy and trying to reinfence or modernize that so we can manage our existing debt?
Ken Fitzpatrick
Yeah. I mean, look, the first thing I’ll start with SBD is it means different things to different people within the industry.
Cole Cornford
Pen testing, penetration testing-
Ken Fitzpatrick
Totally.
Cole Cornford
… end volt testing. I’ve got a pen right here. Let me just tap it for you 50 times. So, I don’t even know what security architecture is anymore.
Ken Fitzpatrick
Well, I mean, look, here’s the thing, right? If you talk to secure by design in the financial services sector, they’ll tell you about APRA’s CPG 234 in references around security by design and how that has to be embedded in project execution and delivery. If you talk to critical infrastructure and OT environments, you talk about safe and secure by design, and there’s publication through federal government that gets tight, which gets linked back to things like SOCI about what that means for them, about establishing both cybersecurity, but just general physical security and wellbeing of staff and linking those things together.
If you talk secure by design in most more recent times, where you look at the SBD pledges and what was published out from multiple international agencies around security by design around software manufacturers providing basically is around, if anyone’s not familiar, it’s around higher quality software products that are less vulnerable, that don’t have defects involved. And there was a number of pledges taken, as you know, around from various software companies that yes, we’re providing soft adherence to uplifting cybersecurity and producing more secure software. And a lot of that’s fallen through, not fallen through, but hasn’t had the same probably impact that was anticipated at the time.
But if you talk in that space and what you see published, for instance, from ASD, it centers around software development software for software manufacturers in terms of the general theme. So, it definitely means different things to different people when you talk to about it. And that’s where one of the things we’ve been trying to make distinction is what it means when we talk about SBD in context of patterns to what we’re trying to solve and work in.
Cole Cornford
It’s really hard and difficult to work in. And I think that’s one of the worst problems we have in cybersecurity is there is no consistency amongst almost all the activities we do. Penetration testing is probably the one that we’re most familiar with at the moment, because we just do lots of testing and just talking to different people who are expecting it to be, “Oh, do a pen test and all I want is a vulnerability scan or do a pen test against this or take screenshots of every single action to basically model your staff.” It’s like there’s no methodology, the outputs that they want are completely different. And your examples are just different verticals not even agreeing about what SBD is.
And the best part of this is if you go out and you say, “Hey, this is what the Australian government now defines SBD as,” then you’ve got seven, it’s like that XKCD comic where they’re like, “Oh, we need a unifying standard. There are now 15 competing standards.”
Ken Fitzpatrick
Yeah, yeah. Yeah, yeah, yeah, totally, totally. We now have a 16.
Cole Cornford
I don’t know if you’ve ever met a bloke called Rob Whalen, but he’s looking in charge of something called modern defensible architecture. And I think that that’s going to be a much better way than by trying to jump into the category that everybody’s competing against and trying to create their own version of what SBD looks like. Same as what is Zero Trust? What is post quantum? Let’s give that to all the marketing functions, right?
Ken Fitzpatrick
Yeah. No, I’m a big fan of what the ACS has published around modern defensible architecture and giving more prescriptive guidance to Zero Trust. Again, Zero Trust is one of those things that’s also been overused. Every network vendor is out there selling or any product vendor for quite some time or had their Zero Trust product because it all fitted in as part of that equation somehow and it was the buzzword at the time, but poorly understood to what it actually meant. So, I’m always a big fan where I see architectural approaches to doing Zero Trust, rather than it just being buy a product.
But yes, absolutely a big fan of the work. And I know that they did a great session in Cybercon last week. In fact, on the Friday, apparently it’s a full house in them presenting on that topic. So, yeah, yeah, definitely a big fan.
Cole Cornford
I’ll send them some love mail for you. Okay? So, not hate mail. So, speaking of hate mail, artificial intelligence, because I just can’t deal with it at the moment. I feel like every second person I talk to is either trying to throw rubbish down my throat. I just don’t want to buy and just don’t want any of my products, or it appears to be terrifying and getting rid of all the jobs and everything’s going to be amazing. Even looking at the security patterns work with your four steps, I can see how AI can assist across each of those categories, like providing the context necessary or the use cases for the business or automatically generating and creating threat models.
What’s your experience with how AI is coming into the architecture space?
Ken Fitzpatrick
Look, AI is one of obviously those topics. It’s the hot source of every conversation at the moment. Everyone wants to sprinkle AI onto doing something right. But look, overall, I am very optimistic around where AI sits in the future, like most people. It can augment parts of architecture, but I am also very opinionated that it won’t replace architecture in the need and want of what’s being done. And in saying that, however, if you’re an architect that’s just doing assurance, you’re absolutely replaceable with where AI is heading.
If you’re doing architecture and design, critical thinking about use cases and into threat modeling and controls, then that is a value that will be very difficult to replace with AI or augmented, but difficult to replace. Where I’m super excited with patterns is for anyone who may not be familiar with it, we provide templates, for instance, about an example on the website around example templates and how it facilitates standardization and repeatability of architecture design.
And so, when you look at to be able to use AI effectively to augment parts of architecture, you do need standardization and templating of your design, so that you can help inform your other iterations of future design works because it knows and understands and can base that on the detail that you’ve provided. And understanding context and the use cases and having that captured is super important. So, AI can tell you, if you say, give me a list of controls, it’ll spit out a list of controls based on want to combine regurgitating industry best practice.
But where AI struggles is context and developing architecture that captures that context, captures the use cases and understanding of what you’re trying to solve and gives that traceability into threat modeling and control selection absolutely is where you add value into your AI models for it to understand, ingest and have a better informed set of controls when it actually… When you go to ask it, “Okay, well now I’ve got to this point, describe how I do this control implementation for these technology stacks.” AI is great for that, right?
Where it is is still obviously ongoing maturity, but it’s absolutely going to improve in the future to your ability to do that because there’s so much content out there for it to learn and base that part of it on. So, that’s where I see AI in the future absolutely support, again, supporting and augmenting parts of architecture, but not necessarily replacing it.
Cole Cornford
Yeah, I see the same in application security and very similar to you. I think there are a lot of people who’ve done really well on being effectively systems integration people or doing reasonably monotonous tasks that can be solved using artificial intelligence nowadays. Most common example I’ve probably got is someone that analyzes the output of different types of products.
So, if you run a SAST tool or you run a DAST tool and you have to then verify the efficacy of it, I don’t really see why you can’t just have AI look at the track record of previous findings or get context from just looking at the ecosystem it’s in and say, “Oh, so you found a PHP vulnerability, but this is a Java app, so this is probably a false positive,” right? And instead of spending ages getting humans to go look at that with technical ability, you can probably spend seconds and just analyze all that kind of information really quickly.
I know that the new breeds of products that are coming out to market to solve static analysis of source code or having enforcement engines and stuff, they’re all written in natural language nowadays and it’s going to be a very different world. You’re not going to necessarily need people to be amazing program. It’s like the understanding everything is going to be important, but then you don’t need to go out there and just be like, “What’s the syntax? Again, is this a spaceship operator or…”
Ken Fitzpatrick
Yeah, 100%, 100%. And look, it’s still early days in my opinion for where all that is. I’m very, again, very optimistic to where it’s all heading. I can see the potential, but I think like many people in the industry, it’s still too early to call to say what’s out there today is solving or dramatically addressing those. It’s got potential and everyone’s obviously experimenting with it, but it’s still… I was reading through around a podcast that was done actually on… I can’t forget his name, but they spoke around, it’s not the year of AI agents, it’s the decade of AI agents.
And more putting in context, we talk about things being as if we’re going to use AI and it’s going to turn around results in six to 12 months. It’s going to be years before you meaningfully drive change, but it will get there, but there’s a bit too much of a hype cycle around AI and how quickly we’re getting results out of it at this point.
Cole Cornford
I mean, I just want to stop seeing it just turn up in literally everything for no reason whatsoever.
Ken Fitzpatrick
Yeah, totally, totally.
Cole Cornford
I just don’t want it in anything. I also don’t want to talk to AI because I feel like that’s the other thing I’m seeing is just a lot of, they’re like, “Oh, if people are involved, how do we remove the people and do the machines?” I had this one this morning, which is great, where an AI sales development rep called me up and said, “Hey, I’m Paul.” And they’re like, “Yeah, sure you are.” And he’s just like, “Yeah, I am.” And I’m like, “Okay, Paul.” I’m like, “Tell me, Paul, about what you do.” And Paul’s like, “We are a coaching service.” And I’m like, “Look, mate, I’m really excited about being able to finally speak to a professional coach.
What’s important to me is that my breathing technique is quite weak and I need to extend my stroke length and my legs are really just suffering.” And then it got back to me and started going back to media training and being like, “While sports coaching is good with executive training, you’re going to get better at swimming in the future, Cole.” And I’m just like, “Okay, cool. So, let me know when I can go speak to a professional swimming coach.” And they’re like, “Oh, but we’re an executive coaching firm.” And I’m like, “Didn’t you tell me you were a coaching firm before?”
So, it was like I was just doing this back and forth where he was the kindest, nicest little AI engine in the world listening to me and then just always saying like, “Yeah, but I understand what you want, but no, I’m trying to make you have a 15-minute meeting with some bullshit artist telling me crap on LinkedIn.” But I just want to get better at swimming mate. It’s the season for it. And if that’s it, I don’t think there’s any reciprocity because that’s what sales is about a lot of the time is that you put the effort into understanding and knowing somebody. So, if you call them up and you say, “Hey, can I get sports coaching?” And then you’re just like, “No, I only want to pitch this one thing.”
And the uncanny valley-ness of it, I can’t deal with having to wait and then they’re breaking your conversation every two seconds going, “Uh-huh, mm-hmm, yeah.” This faking that they’re having to listen to. It’s like, “No, go away. You’re an AI engine. I don’t need to have you sit there thinking, just process what I said and then send me a professional swimming brochure or something. That’s what I really want.”
Ken Fitzpatrick
Yeah. And look, it is a good way to try and work out whether you’re talking to AI or not. I understand there’s a risk of someone, a BDM rep that’s really passionate about swimming and maybe you do mix things up, but it is a good way of working out what’s AI and what’s human.
Cole Cornford
Well, the good thing at the start is it just basically admitted that it was artificial intelligence in the first minute because I feel like if you call up and then you can’t talk about yourself or whatever, you may as well just say, “The gig’s up. I’m sorry. So, how are your kids?” As an artificial intelligence engine, children are a concept beneath me. I like to think of my processes as each thread as being a child process and it’s like, “Go away. I don’t want to talk to you.” All right, Ken. So, is there any shout-outs or anything that you’d like to wrap up or not? Because we’re coming close to time.
Ken Fitzpatrick
Look, we continue to evolve and work through security patterns and it’s absolutely both a business and a passion project for me. And I’m always super interested to hear from people that are either working or looking at different ways of applying architectural artifacts in a repeatable manner, in a way that can be standardized, automated through DevOps and in particular on cloud where we have most of the use cases of what we apply and build towards. So, I’m always super passionate and keen to hear about that. So, if you are someone in that space or working or thinking about that, please reach out. I’m always keen to catch up for coffee and hear about what you’re doing.
Cole Cornford
And that’s it guys. You heard today from Ken Fitzpatrick at Patterned Security. And for everyone again, Ken Fitzpatrick. It’s been an absolute pleasure having you on, mate.
Ken Fitzpatrick
You too, Cole. Great to talk.
Cole Cornford
Thanks a lot for listening to this episode of Secured. If you’ve got any feedback at all, feel free to hit us up and let us know. If you’d like to learn more about how Galah Cyber can help keep your business secured, go to galahcyber.com.au.