SECURED

The Human Side of Cybersecurity: Toby Amodio’s Journey and Insight on Collaboration, Communication and Auditing

Toby Amodio is the Chief Information Security Officer at the Department of Parliamentary Services. As Toby puts it himself, he’s probably the only CISO with a “feminist degree”, having studied politics, history and gender studies. His career advancement has been unusually fast for the field of cybersecurity, progressing from a university graduate to his current role in just 15 years. In his conversation with Cole, Toby discusses some of the AppSec challenges unique to the government, when it’s important to say no to a client, why security auditors are your friend and more.

4:00 – Two examples of exciting projects Toby has worked on.

5:30 – “Cybersecurity is built on the human”.

5:40 – How Toby’s work helped people during covid.

8:30 – Parliament house bells in the background.

9:00 – Important to communicate in ways businesses can understand.

14:20 – Begin discussing the Australian Cybersecurity Centre.

15:30 – Cole: “I better read the ISM again”

16:40 – Cole: wants the podcast to focus on personal journeys.

17:00 – Toby’s background is studying politics and arts.

20:00 – Toby: “The crux of my career…”.

21:00 – When you should say no to a client.

22:30 – Cole's view: people skills and the right attitude matter more than qualifications.

23:40 – Toby recommends debating in high school as helpful for any career path.

24:15 – Toby recommends having cross-domain capabilities.

25:30 – Cole: communication skills are key.

26:50 – Toby: it’s easy to assume malintent.

26:50 – Toby: Half the job is calling the CIO's baby ugly.

28:35 – Cybersecurity experts have to tell people what’s wrong constantly.

30:00 – Cole: I see lots of people are afraid of auditors.

30:38 – Toby: Auditors are your friend.

30:50 – Toby: The only thing that grows in the dark is a fungus.

31:40 – Cole: Toby has progressed in his career very quickly.

32:00 – Cole: What are some challenges unique to gov?

33:50 – Toby: Higher levels of scrutiny.

35:20 – Collaboration between different gov orgs.

37:30 – Private sector keeps its cards close to its chest.

39:00 – Cole: cybersecurity in the rental sector.

39:50 – Quickfire questions.

Toby Amodio:

Auditors are your friend, point them at the problems you know are there. It’s really shining the light. I do the joke that the only thing that grows in the dark is fungus.

Cole Cornford:

And mold.

Toby Amodio:

And mold. Exactly. So turning off the lights and pretending it’s not there doesn’t make it better. They are your friends even if you don’t think it.

Cole Cornford:

Yeah. Got it, guys? They’re all your friends.

Toby Amodio:

Give an auditor a hug, Lord knows they need it.

Cole Cornford:

G’day. I’m Cole Cornford, founder and CEO of Galah Cyber, and this is Secured, the podcast that dives deep into the world of application security. I’ll be chatting with Australia’s top software security experts about their unconventional career paths and uncovering insights on the diverse approaches to AppSec. For our very first episode, I spoke with Toby Amodio, chief information security officer at the Department of Parliamentary Services. I don’t know of many people who’ve been able to progress in their careers as quickly as Toby has, not just in the public sector, but in cybersecurity more broadly. In just 15 years, Toby went from a university graduate to a chief security position in the federal parliament. In our conversation we touched on some of the AppSec challenges unique to government, when it’s important to say no to a client, why auditors are your friend, and plenty more. Whether you are a veteran of the industry or just entering the world of AppSec, I’m sure you’ll find something valuable in this episode.

Let’s get into it. So first question I ask, because I’m the founding [inaudible] of Galah Cyber, so I ask every guest that comes onto the Secured show, what bird are you and why?

Toby Amodio:

That’s a good question. And I’d have to go with a black cockatoo. And the reason for that is I am very much a Canberra through and through diehard, and they are one of the birds that’s endemic to Canberra. They are resilient, they’re beautiful. They’re all black, so they’re a black hat, but they’re also loyal to their family. So I think there’s a lot to be said for black cockatoos. And if you ever come to Canberra, there’s a great spot to see them at the base of Mount Ainslie. And it’s another thing that makes Canberra the best city in the world, in my opinion. I’m very biased there.

Cole Cornford:

When I was a kid, I used to have a big pine tree at the back of my house and in that pine tree, all the black cockatoos just came there and my parents got so annoyed at them just dropping pine cones on my dog, that they cut the tree down and I didn’t see black cockatoos again. So I actually really like that.

Toby Amodio:

That’s fair. Your poor dog. Your poor dog.

Cole Cornford:

I know, I know. They’re in there just ripping pine cones out of the tree and just throwing them on the ground and the dog’s underneath barking at them, just getting pine cones dropped on him.

Toby Amodio:

Well, I must admit, for those people who are not in Australia, it’s worth googling some of the videos about how destructive cockatoos can be. I think calling yourself Galah Cyber is better than Cockatoo Cyber because cockatoos can just be brutal. They’ll destroy things for the sake of destroying things. So they are the true black hats.

Cole Cornford:

Well, that’s why we’re not a pen testing firm.

Toby Amodio:

Exactly.

Cole Cornford:

So for this podcast, we’re going to be doing a bit of a deep dive into your career. And I think it’s really important to highlight the stories of people who’ve gone from relatively junior roles into senior ones, like yourself now as a chief security officer in the public sector. I first wanted to just maybe ask you about what in your career has been a really interesting or exciting project that you’ve worked on that you’re happy to share with our listeners?

Toby Amodio:

Yeah, sure. I’ve had many large projects throughout my career and a number that I’ve been at the forefront of. One of the pieces I’m most passionate about was when I was in a role at a large government agency, this is 12 years ago, we had trouble with cybersecurity integrating with the delivery pipeline. And I know that that challenge has not gone away. That is a preeminent challenge through to this day. As part of that, I then championed the role of security by design. And so it was really in that early days before we had that concept baked into, especially into the public sector, I led the work which embedded one of our cybersecurity architects into the delivery lifecycle. It was always that terrible shifting security left, but it was basically ensuring that the security team, especially the architects, were embedded in the development phase of the lifecycle, and even earlier in the procurement phases, to ensure that we could get those views represented. So we weren’t trying to retro engineer at the backend or it costs way more money to fix the security problems that are baked into the project.

So that’s a holistic piece that I did at that agency and it led to a significant uptick in engagement with cyber security. To the point where previous to that work, we had only about 10 projects receiving the security approval prior to go live. And by the end of it, we were up at about 99% of projects receiving approval prior to go live because we made sure that that engagement process was so frictionless that they engaged. I really do, and as you do, Cole, believe that cybersecurity is built on the human. And so making that an engagement and opening approach is critical.

The one that’s probably most close to my heart though is during COVID, I was working in an agency that helped support the release of funds to members of the public who were struggling, who had either lost their jobs or were in financial hardship due to the lockdown conditions, and they were able to access some of the funds in their super space. And this one was really present to me because we went from developing a solution from nothing to having a solution and paying the public within three weeks. And on the back of that, the cybersecurity team, which I was championing, were able to assess and secure and provide advice into that solution development in an ad hoc agile manner, which meant we caught a number of critical bugs prior to release, which would’ve prevented a significant amount of fraud.

So it’s an amazing way for us to go, not only did I achieve an outcome which supported delivery to the public and those people who were immediately in need, but we did it in a way that was so responsive that it meant that those people didn’t suffer for longer than they had to. And the reason why that one sticks so close to home for me is that my immediate family were actually in that boat and one of them had lost their job, and they were some of those people that were actually trying to access those funds. So it was one of those moments in life where the mission of the public service is to deliver to the public, and I was able to visualize that most pressingly with my own family getting that support that was required. So it was one of those moments that made me really sit back and go, “This is the best of the public service and this was the best of what I can lead as a leader driving a team that can help support those outcomes to deliver.”

Cole Cornford:

Both of those are absolutely amazing stories. As an AppSec professional, I hear about shift left constantly. It is the most common thing in our entire ecosystem. I wonder whether that’s changed all that much over 12 years, to be honest.

Toby Amodio:

It hasn’t. And I hate to be that person that’s like, “I was doing it before it was cool,” but it is one of those rewarding pieces when you do something and you name it something and then the environment starts to name it that anyway. I’m not saying I came up with a name, but I just happened to hit on the same name as the rest of the environment as it went through into it. So part of being in cyber, as you know, is trying to be ahead of the next problems and that was definitely one of the next problems at the time.

Cole Cornford:

Yeah, there’s a lot to unpack there. So the customer experience really is the big thing for you. Because I know that in cybersecurity, something I really deeply care about is making sure that we look after the people who hire our services, and make it a frictionless and seamless piece. And that they walk away from working with us and just feel happy and engaged, and that we’ve provided value for what we’re doing. Because I’ve seen a lot of security assessment in the past that is just so focused on the technical details or just cross-site scripting. That stuff doesn’t mean anything to a customer.

Toby Amodio:

No, it’s the risk that’s introduced by it. You’re 100% right. And I must apologize for the bells in the background. I’m actually in Parliament House and those are the bells to show that there’s voting going on, so if that’s in the audio, it’s unavoidable for the location of work.

Cole Cornford:

That’s all good. So are you a yes? What are you voting, hear, hear?

Toby Amodio:

No, no, no, I’m not. But it’s the bells that ensure that the members of parliament get into the chamber to vote, so it’s one of the beauties of being in the house of democracy. But to what you’re talking about, I always preach that security is… We joked before this started that security can be seen as a cost center and the brakes on the car and the friction, but security, like anything, only exists to ensure that the business can succeed, whether that’s a public sector or a private sector business. And so if the business fails, security has failed. So fundamentally, security has to be there to securely enable the delivery and inform business about how they make their decisions to achieve their outcomes.

And as you said, we need to do that in ways that are in language the business can understand. Sitting there and going, “Oh, you need to have this control on there,” is not a conversation, cross-site scripting. Or, “You need to be Essential Eight compliant,” or using these buzzwords at them. It’s really about talking to them about the risk that’s being carried by the organization and pragmatically balancing that with the opportunities that they want to capture and seize, and then what that looks like into the future for them.

Cole Cornford:

Yeah. I see it a lot in my consulting services and it’s a reason people like to interact with us as we really do put the context to the businesses that we operate just in front of a lot of the work that we do. So we can be technically correct about a penetration test or an AppSec assessment, but the main thing that matters is then going to the stakeholder and saying that, “Hello, you work in a regulated context in the financial services industry. These things are more important than these other things and these issues don’t matter to you guys.” Whereas if you’re working in a university sector, you might say, “Actually, let’s protect the confidentiality of these documents. It’s far more important than whether students are offline.” Because we know stuff the students, they don’t matter. They’re not the important people for the universities. It’s the research, it’s the IP, right? So that’s where they get their brand reputation that brings students in. So it comes back down to how do I enable these businesses to operate, right?

Toby Amodio:

Yeah, you’re 100% right. And understanding your business context that they work within. I used to joke, and this is not as relevant nowadays, but Google in the past didn’t care as much for their search engine services. They don’t have as much of a care about confidentiality of the information, but availability is super critical because if that system goes down, then that’s their service that they’re providing. And it’s a good example of ensuring that the controls you’re proposing aligns with the goals of the business, and that you are then giving them the advice that helps them target that.

And you mentioned the compliance framework and it’s really great… I always propose in the context that I work in, you need to think about compliance, but you also need to think about risk. And risk should be the primary driver, but then you also need to think about maturity. And they’re the kind of three hats that I use when having conversations with the executive because compliance will give you a yes/no, and that’s your audit requirement, and they’re often the minimum bar. That’s your barrier to entry. And so your job as a cyber professional is to ensure the organization can meet that minimum bar, and do it in an ongoing way that meets the audit requirements they have.

Now, that won’t necessarily meet the risks of the organization. I used to joke that you can be Essential Eight compliant, but then have a cross-site scripting vulnerability and have billions of dollars pumping out of your business, but you’re Essential Eight compliant. So you could meet your compliance outcome but not meet your risk outcome, which is of managing the financial risk to your environment through the cybersecurity controls. And then on top of that, neither of those two lenses allow you to compare yourself to other organizations. So I always recommend to people think about the maturity piece and what maturity framework you’re going to go against. Because when you’re trying to propose additional investment, it should be against a mean. And if you’re not addressing additional risks, it should be, “Well, we want to be at X level or X bar,” or, “We want to compete with blah,” and then that gives you the ability to go, “Well, we’re five cybers out of 10.”

And that’s a much more meaningful conversation with the board rather than, “We want more investment to do X control.” It becomes a, “We know that the market is here for this capability level, and so for us to get there, we need this level of investment.” And so if we want to keep and maintain that maturity with our partners in the market, that’s a great way to have those conversations. And I know it’s timely because the National Institute of Standards and Technology in America’s reviewing the cybersecurity framework that they’ve got in place. That’s a really great one, which gives you five domains that you can then leverage your maturity against. But there’s a number of others that you can use, COBIT 5, you can use other frameworks, as long as there’s enough other people on that framework to enable you to do a maturity piece, you can have that conversation.

Cole Cornford:

Yeah, it makes a lot of sense to look at it from those three views. Because I know that at least in my services, since I’m in software engineering a lot of the time, it’s so abstracted away from what people say on a day-to-day basis for cybersecurity, right? Because in Australia, we’re so heavily focused on governance risk and compliance as something that we need to comply and meet these standards. If you’re dealing with critical infrastructure or you’re mapped against the Essential Eight, those are built for companies that are Windows AD environments and that are networked, that have on-prem people going into an office. And they’re a bit shy about adopting Azure services or moving into modern DevOps practices.

So this conversation just doesn’t even happen when it is a big part of where they need to go to in the future. Because as a government, we’ve got to be looking at providing digital services for people. And if we’re still so focused on how do we protect our workstations and how do we protect our SharePoints or whatever, and we’re not talking about our software engineering practices over here, it’s not a great place to be, right? So try to have those conversations.

Toby Amodio:

No, and you’re 100% on the money, and it’s probably a good pivot into the Australian Cyber Security Centre, they released the Information Security Manual, which becomes the tome, the Bible for controls for Australian government agencies. And that becomes that compliance base. It’s got another document above it called the PSPF, the Protective Security Policy Framework, which articulates how you do security across all of the domains, from physical, information governance, and personnel. But underneath the information space, it’s really underpinned by the Information Security Manual. And historically, in the past, the Australian Cyber Security Centre was slow to update that to keep pace with the modern technology.

Now, they’re updating it on as quickly as a monthly basis, depending on the requirements needed, and quarterly for more frequent updates. And those updates are trying to keep pace with those controls. So it is really good to see the government stepping forward with keeping that compliance base up to date. But as you said, it can’t keep pace with the range of controls and technology that’s out in the environment. So it’s really great to see the investment they’re doing in that space, but it’s also up to us as professionals to filter out the noise to make sure we’re only proposing what’s relevant to our organizations to help them to stay secure.

Cole Cornford:

Well, I better read the ISM again. It’s been, what, seven years maybe? Nah.

Toby Amodio:

It’s a real page turner.

Cole Cornford:

Mate, it is a good book.

Toby Amodio:

Just start at control one and go from there.

Cole Cornford:

I’ll skip past the ones where they’re telling me that I need to have a red cable plugged into my computer, and just go straight to the AppSec part of it.

Toby Amodio:

Hey, it’s all risk-based and they have just made the software bill of materials and a number of AppSec controls embedded into the most recent updates. So I can recommend that if anyone’s interested in AppSec and the evolving nature of the government’s cybersecurity controls, it’s worth having a look into there because they are really trying to lean into it. They even talk about the use of OWASP and OWASP Top 10, and how you can factor that into your secure development. So they really are trying to stay at that front end and it’s commendable to the people that manage the Information Security Manual. And I’m sure in the future that you and I might have some more robust conversations on that.

Cole Cornford:

Yeah. Oh, sounds like it. If the government’s pushing that, then I’m happy to have that conversation. So as a regular OWASP contributor, I’m sure that we’ll be chatting a lot more in the future about it.

So shifting gears a little bit away from nerdy GRC standards and stuff. How about we talk about you and your experience? Because with this podcast, I really want to be talking about people’s personal journeys into leadership within cybersecurity, right? So could you just tell me about maybe where you came from and what inspired you to move into cybersecurity? Because I find everyone has unique pathways into the sector.

Toby Amodio:

Yeah, definitely. I started originally in doing IT throughout high school. And funnily enough, doing IT through high school taught me that I didn’t want to do it as a career, so more fool me for where I’ve ended up. I did find out through it in high school that computers will find new ways to break every time. And so I decided to go to uni and do a bachelor of arts and I majored in politics, history and gender studies. So I’m probably the only CISO with a feminist degree. Because that was my passion and that’s why I was really interested in, I’m blessed to have spent three years at uni really chasing the things that empowered me and taught me a lot about how to communicate, how to engage with other people, how to understand the diversity and how we interact as humans, which set me up more than I would know for the future roles that I would have in cyber. And so after uni, I had to eat because apparently money is required to function in life.

Cole Cornford:

I had that problem too. My first day in Canberra, I was eating rice with some pepper on it because I forgot how expensive it was to rent there. So I had a week of just having straight SunRice, so the good stuff, mate.

Toby Amodio:

It’s real. The tightness is real. And so I applied for a number of public service jobs, and I got onto the service desk. And so if anyone is interested in getting into the public service or getting into any ICT job, I recommend looking up the service desk calls because that is where the best IT teams poach their talent from. And so I was in the service desk for not very long, and then I was poached by the cybersecurity team. And the rest I could say is history, but it really was an approach where I went from being in the cybersecurity compliance team, the governance risk and compliance team, moving into their security architecture space, developing the security by design, becoming their chief security architect, and then moving sideways into the head of governance risk and assurance for the whole of the agency, which then meant I had about 60 or so staff underneath me for that role.

That developed into the deputy CISO role, then into acting CISO role. And then I’ve pivoted agencies into another CISO role. So I know that’s just saying all the roles, but the beauty of the public service is I got in, I didn’t have specific IT qualifications. Through my hops through the agencies, I was able to gain a number of those qualifications, they were able to fund those for me. And it put me in the position where I was able to do interesting things, learn interesting things, and work with interesting people. And they also leaned in not just on the technical skills, but also on the leadership and the career advancement pieces, which enabled me to move from being a technical advisor into someone who can help develop capability across the people, process and technology, and then integrate that capability with business, which is so critical.

I mentioned about security by design and shifting security left, but that became the cornerstone of my brand and developing who I was as a cybersecurity professional, which was ensuring that cybersecurity was an engaging front door. How we get to and how we inform business about what they do. And so once I found that pivot for myself, it really became the crux of my career, which was ensuring that my advice mirrored that ethos, which was how am I enabling business? How am I giving back to the security of the organization? And how are we ensuring benefit and value add to the business?

Cole Cornford:

Yeah, I really like that statement, getting to yes. That is a really strong thing because we’re in cybersecurity known as basically blockers and saying no to everything, so I like that you flipped that around and said, let’s focus on how do we get you enough to, so that we can say, yes, you need to go there. Because it is a risk decision at the end of the day, it’s not you, as a security professional, who gets to make that decision. It’s the business owner who has some kind of objective that they need to achieve. So you’re just there to help them get there with enough guardrails in place to hopefully not fall off the bridge, right?

Toby Amodio:

Yeah, I couldn’t agree more. And if you are saying no, then it has to be really extreme. You have to be stopping them from doing something that’s illegal, immoral, or fundamentally will break the business.

Cole Cornford:

I thought you were going to say really stupid.

Toby Amodio:

No, no.

Cole Cornford:

Maybe all three of those are really stupid.

Toby Amodio:

Yeah, all three together. But if they’re breaching any one of those three, then sure, you should be saying no and it should be linked back to that. But also it should be linked back to their business objectives and outcomes and their business risk tolerance because you should be using their language back at them. And funnily enough, most of the time my conversations with business are around how they’ve constructed their risk frameworks because that’s how we have the same conversations. And if we’re not talking… And I know it’s really geeky to talk about risk and risk management down to the level of how you do an agreement on the risk frameworks for how consequence is derived, but how consequence is derived within an organization is so critical to ensuring that when you give them a risk, they can then understand it and match it against the benefit that they’re seeing.

Because if they don’t understand the same consequence for benefits and for costs and they can’t put it in the same language, then you’re comparing apples with oranges, and it’s not informing the executive to make the right decisions in that space, and then it defaults back on you. And not that you don’t want to be that decider in those pieces, but you really want to be the one that’s providing the executive with the decision. And as I said, you only want to be the decider if they’re doing something really bad and going to go to jail for it, among other things.

Cole Cornford:

That’s heavy, heavy. Hopefully you haven’t had to deal with too many of those.

Toby Amodio:

No.

Cole Cornford:

Another podcast.

Toby Amodio:

Exactly.

Cole Cornford:

So what I do like is that focus on language because I think that that actually comes from your background in politics and arts, actually. I’d like to explore that a bit more because every time I go into LinkedIn or go into industry forums or events, there is so much focus on you need to get an OSCP, you need to go get a CEH, you need your CCNAs and networking-like things before you can break into cybersecurity. And I personally don’t agree with that kind of background. I think just being a good human that people like to work with, being able to write in a clear, succinct way and establishing relationships and being willing to learn things that are outside of your ballpark. They’re the greatest successes I’ve seen in staff members within my company. None of them had OSCPs or any of those kind of qualifications. So I’d like to hear about where do we look for nurturing new talent into the industry? Considering your background is pretty unique too.

Toby Amodio:

I couldn’t agree more. I really focus on ensuring that we have diversity and breadth of people that we’re bringing in and understanding, especially with the tightness in the market at the moment, it is a constrained market. So for me, I would prefer to get in resources who have the aptitude and the attitude, and then develop them into the resources that we need to support the outcomes. I say to people, “The one thing I would recommend you do to be good at any career if you’re at uni or at school at the moment is debating.” Because to me, that gives you a great understanding of how other people think and how you have to construct a narrative, and how you have to bring someone across to your point of view, and that becomes critical to no matter what role you’re taking in your career. And your ability to communicate and get your point across will be your ability to succeed in the workplace.

So if you understand debating, you understand language, you understand communication, everything else will fall into place as long as you have the ability to then pick up the other skills that you need to complement that. The other piece I have with cybersecurity is we’re one of those cross-domain capabilities where if you may be a coder and you only have to deal with the development of the app stack. You may be an infrastructure person, you only have to deal with the infrastructure. And sometimes you’re a mainframe infrastructure person and you’re even more siloed. Whereas the cybersecurity professional has to be across all of it. And the beauty of that is you become that conduit and that communications part across all of it.

So I call it the one mile wide, but one inch deep, as opposed to one inch wide and one mile deep. And if you can sit in that space where you can look logically and put things together that are laterally relevant, that becomes more precedent to me. It’s your ability to problem solve, your attitude to learn and your aptitude to apply that into a workplace where you’re building those relationships to draw those cross connections and achieve outcomes across the organization. Because you can’t be in a silo. You have to function with others. If you are in cyber and you are in a hostile relationship with your ICT delivery, then you’re destined to fail. So it’s about those relationships you can build, those cross connections you can establish and how you can articulate that to the business which will enable you to succeed.

Cole Cornford:

That’s super relevant because a lot of my consulting in DevSecOps, application security and cloud security is almost always down to communication difficulties between the security team and the architecture team, app team, development team, whatever. They both have good points, but they’re talking past each other, not using shared language and just not empathizing with the other constraints that each party has. So I see it a lot in my AppSec domain. Someone will approach a developer and say, “Hey, you’re missing these security headers,” or, “This cookie doesn’t have these security attributes inserted into it.” And then the developer goes back to him and says, “This security guy just doesn’t understand it. This whole cookie, we don’t even set it. It’s set by Amazon. So what are we going to do about it?”

And so you end up with a black mark against that. And then slowly what happens is these relationships further break apart. So it makes a lot of sense to me that when I’m brought in, it’s usually to just get these people to start communicating with each other. So I don’t know, am I a counselor or mediator now instead of an actual security… Maybe that’s your job.

Toby Amodio:

Yeah, well, I do say, “Yeah, I’m cybersecurity, I’m here to help.” But you’re 100% on the money in the sense that it’s the shared language that we use to talk to each other. And it’s just like any relationship, and this is the same relationship you have with your partners or with your family in the sense that it’s really easy to assume malintent. But if you come from the place where you assume positive intent, it usually leads to better conversations. Because one of the things that people get lost in when they have emotional or challenges like personality challenges for someone in a role is they lose the fact that that person didn’t come to work that day to make your life bad. They came to work that day to make the organization succeed. So very rarely, unless you have a complete sociopath, they’re there to do a good job.

And the gap is usually they don’t have the support or the resources, so you’ve got to be empathetic to what’s holding them back from achieving the outcome that you’re trying to promote them with, or they didn’t have the knowledge. And so it’s about giving them those resources to support them on that security outcome, or sympathize with them and talk about what you can do to take things off their plate to make life easier for them. But if you come in with that “why did you do this” accusatory approach, then you’re more likely to get them getting their back up. And inevitably, a lot of what you’re doing in cybersecurity, and I use this joke, is when I report to the CIO, half of my job is calling his baby ugly. And so it’s about how you call his baby ugly or her baby ugly in a way that they accept. And it’s about how do we make it prettier? And I know that’s a weird analogy to then go, “How do you make the baby prettier?” But you get the point by the extension.

Cole Cornford:

Yeah, I have a similar one. I tell people that they’re brave. It’s a better way of saying stupid.

Toby Amodio:

That would be a brave choice, a bold move.

Cole Cornford:

Very brave, guys. And they’re like, “Yeah, it is. I’m willing. This is great.” And I’m like, “Yeah, it’s so good.”

Toby Amodio:

You’re missing the inflection on brave there. There’s a little bit of sarcasm with brave. But it is hard because we are constantly telling people things that are wrong. Cybersecurity doesn’t turn up to be like, “Everything’s great.” The whole point to risk is identifying the gaps and then quantifying those risks. It’s not identifying all the things that are good, although that is a byproduct of risk assessments, but it’s not what people focus on. And human nature is to focus on the negative, and so it’s about how do we frame that conversation around the negative to be like, “Well, this is the cost of doing business and these are the things that we need to take care of, and this is how I’m going to help you to manage them.”

And I think once he gets that, it’s you and me against the problems, it’s not me against you, it becomes a different relationship. They understand that we’re there to help. And I use that as well… In cybersecurity as a CISO, my goal is often to get more funds to help drive delivery of cybersecurity objectives through other arms. So it’s not me delivering cybersecurity, it’s the others that deliver cybersecurity, and I help empower them to do that. I get the funding for them to do that. I get the resources for them to do that. I give them the advice or the knowledge for them to do that.

Cole Cornford:

Maybe we can talk about empire building another day. Seen that in a few places as well. But I’m a big fan of empowerment and giving. Because you did a mile wide, one inch deep kind of idea. So if you go to an engineer and say that, “You need to do static analysis.” And the engineer comes back to you with some techy questions, you don’t get it, then of course you should be delegating that responsibility to these people with some parameters that they can work within.

And I like the idea as well. Because I see a lot of people who are afraid of auditors or testers or assurance professionals and they try to hide the uglies because they don’t want to work with them. They don’t want to see the skeletons in the closet. And I come at it from a very different point of view, which is that auditors are actually your friends because they allow you to get a business case to go and fix these problems. Whereas if you keep sweeping it under the rug, then yeah, there’s a head off, you might get a black mark against your name. But yeah, at the end of the day for the organization, it’s the better outcome. It’s people. It’s always people, right?

Toby Amodio:

It is. And that audit piece is really prescient in the sense that auditors are your friend. Point them at the problems that are there, so that you can get the support to address them. Everyone has legacy systems in their environment, everyone’s carrying technical debt. The way that you can pull that out is through your audit engagements and drive investment. It’s really shining the light. I do the joke that the only thing that grows in the dark is fungus and-

Cole Cornford:

And mold.

Toby Amodio:

And mold. Exactly. So turning off the lights and pretending it’s not there doesn’t make it better. That’s where the auditors are really to stop you from driving the car completely off the tracks. It’s about how do we help be the bumper rails to keep you within those safe tolerances? So that independent assurance should be leveraged and wielded to drive those outcomes where you can. They are your friends even if you don’t think it.

Cole Cornford:

Yeah. Got it, guys? They’re all your friends. Just be friends with them.

Toby Amodio:

Give an auditor a hug, Lord knows they need it.

Cole Cornford:

And then if they raise that as a finding against you, then use it for a business case to go do some maybe mental health sessions. So you’ve had a very successful career to date, Toby. I don’t know many people who’ve been able to progress so quickly, not just in the public sector, but just within cybersecurity too. A chief security position from a graduate, what was it, how long? It’s like 15 year-ish.

Toby Amodio:

Yeah, I was acting within 15 years. So from literally bottom APS 3 in the environment, right up to acting in a CISO role.

Cole Cornford:

Yeah, so you’ve seen everything. One of the things that I don’t think is talked about very often is challenges that are unique to the government and that we don’t see within large corporates or the SMB sector. So could you tell me what your experience is of encountering things that are only going to be pressing for government agencies that you wouldn’t see elsewhere?

Toby Amodio:

Yeah, sure. So it is hard because government gets a bad rap. We often get belimed in the media because of the cyber events that occur on our systems. But I do feel like A, the threat vectors and attacks on a number of government systems exceed that of the private sector. And B, our mandatory reporting channels mean that they’re obviously going to get more attention. And C, the consumption of our services mean that they’re going to get more press. And it can be a double-edged sword where one of the beauties of the public service is that, as an example, the Tax Office is never going to go bankrupt. So when we work with our budgets, we don’t necessarily have to consider the fact of the Tax Office being abolished because of a cyber event.

That doesn’t mean that the risk matrix we put against that doesn’t have that cost-benefit analysis. We can look at the benefit that the ATO may have from voluntary engagement and quantify that as a risk to the income of the country. So for me, they get all of the same cybersecurity risks as the private sector, but often with a lot more oversight. I know that’s variable. Some of the people in the private sector will be spinning in their seats going-

Cole Cornford:

Just let them spin around angrily. It’s okay, they can fester.

Toby Amodio:

I have a lot of oversight and I would counter that you don’t necessarily have the audit office and the other artifacts that the government have. So that level of scrutiny is above and beyond, and can be really focused. The other piece there is that the reporting and obligation is often higher. So I mentioned before with the Protective Security Policy Framework, we have to report annually to the Attorney-General’s Department about our compliance with that. And so if you imagine that, we’ve got underneath one of the domains is information, one of the information domains is the ISM. The ISM is over 650 controls, it fluctuates.

But if you imagine you’ve got to apply those 650 controls against every system in your environment, and so you may have 40,000 machines, it becomes an exponentially large problem that we then have to summarize up into a reporting of a yes-no against the checkbox. So not saying that the private sector doesn’t have that, but it’s one of those unique pieces where I find that level of governance, risk and assurance overlays on it, if that makes sense. And it can really consume a lot of the cycles for the cyber teams to ensure that they’re meeting those obligations, those compliance requirements. And that sometimes distracts from the risk conversation.

Cole Cornford:

Because I know that a lot of people who exit the public sector often say that there’s a lot less red tape and that we have less busy work that we need to do. But all of that kind of work is because you have that level of scrutiny and transparency and openness that you need to have as a public servant. Yeah, in the private sector you can let things grow in the mold over there. That’s why we have regulators. But in the public sector, there’s a bit of sunlight everywhere, right?

Toby Amodio:

Yeah, and it is extremely important sunlight because we’re spending taxpayers’ dollars. It’s your or my money, a public investment. And so we have to make sure that that public investment is being appropriately managed. And so that assurance for me is front and center, but it is a change. I guess the other big difference to me between the public and private sector is the ability for us to integrate with each other with government agencies, and this is a force multiplier, without that fear of competitive costs. There’s no IP or there should not be any IP sharing between agencies. And so it means the economies of scale we can get as a government cohort in sharing our threat intelligence and sharing our governance, risk and assurance is exponentially larger than any one business can get. And I know that there’s a number of business sharing forums and some of those are facilitated by partners and vendors.

But the opportunity there for the government to have a whole-of-government cybersecurity lens on pieces means that we can effectively achieve economies of scale that would not be achievable in Australia otherwise. So that leads into another initiative that the government’s championing at the moment. But it really is to me, the force multiplier of how government can provide cybersecurity advice back into the public sector. And it’s really that benefit that I see. We’ve got that mission of protecting the Australian public’s assets and the unified cyber capability of all of the agencies’ resources. So instead of just 30 people here, 100 people there, I believe that we’ve got over 5,000 cyber professionals across the public service that we can point at the problems we have.

Cole Cornford:

That’s really impressive, to be honest. Because I wouldn’t have even considered that idea of a collective government action to tackle a specific problem, but it makes a lot of sense. So take myGov for example, centralized… I know that people are going to be angry about it because they haven’t had a great experience or whatever. But I’m just going to say that you have a centralized authentication identity service that’s consumed by all government, like major federal government services. And that means that they can all leverage a single point of identity nowadays.

So I’m sure that there’s probably a lot of other special stuff that’s going on behind the scenes that we’re not going to go into today, but that force multiplier is a really, really big thing. In my experience, you’ll have cyber professionals and CISO round tables and people talking about it, but they keep their cards close to their chest because it’s competitive IP. And a lot of decisions that people are making are business decisions around risk. And if you know your competitor’s risks and what they’re concerned about, then you can leverage that, so they’re a lot closer to-

Toby Amodio:

Yeah, keep the cards to their chest. And I think you hit on it really well there with myGov and the other one, people don’t often think about these services, they then get taken for granted. But one of the initiatives the Tax Office led was the super rollover capability. And I know that that initiative alone reduced the amount of cheques sent around Australia by about 90% because the super agencies were sending cheques to each other. And so we set up a portal which made it more efficient for people to get their information. And I know that comes with its own risks around fraud and all the rest of it, but they’ve got control layers in there that also didn’t exist for the cheques. It’s not like with the cheques they were checking every signature on everything. So for me, it’s about how does that government achieve those roles where they can pivot and add value to basically 10x the private sector? And another lens there is the DVS, the Document Verification Service, which is basically putting that out there into the public. It’s these pieces where the government can really be that hub to better support both the IT industry within Australia, but the public who interact with those IT industries.

Cole Cornford:

Take for example, people who are applying for rental properties or just looking at just getting a contract set up. At the moment, most of those small franchise real estate agencies are just storing all sorts of information. I don’t know how, don’t really want to know, just know I’ve probably got my passport everywhere. So I think just being able to consume these services just to verify identities is a fantastic idea.

Toby Amodio:

Yeah, I completely agree. And I feel like sometimes people have a go at it because the service isn’t perfect, but that old perfection is the enemy of done and it’s better than the world without it. And as you said, the world without it is everyone’s information decentralized. Your passport’s on a million little home computers for every tax agent or-

Cole Cornford:

Sounds like a crypto nerd’s dream. Decentralized everything. So let’s do it.

Toby Amodio:

It is.

Cole Cornford:

So I want to move on to the rapid-fire segment. So some of these questions are a little bit left of field, and you’ll have to tell me exactly what comes into your head, right?

Toby Amodio:

Go for it.

Cole Cornford:

All right. First one, if you could hack into any fictional computer system, what would it be?

Toby Amodio:

Tron.

Cole Cornford:

Tron?

Toby Amodio:

Tron. 100%.

Cole Cornford:

Why Tron?

Toby Amodio:

Oh, I would love to be in that world. And actually, I don’t mind the reboot of Tron and obviously the soundtrack was one of the best soundtracks ever and they’ve just announced-

Cole Cornford:

Oh, yeah mate, I love it. It’s just such good music.

Toby Amodio:

But that whole world and the mythos they can build around it, and the idea of being in the machine and how you can utilize within the machine. 100%, that would be it.

Cole Cornford:

Yeah, I don’t know. I feel like there’s so many options available to you because it’s just like some other guests might be like Skynet, and then just suddenly you control the world or the matrix, and it’s like I can change everything. But Tron’s really interesting, but maybe it’s just because I’m a big fan of the idea of light cycles going around everywhere and people sticking up walls just to cause absolute carnage.

Toby Amodio:

100%.

Cole Cornford:

Okay, next one. What’s the scariest cyber attack you’ve experienced?

Toby Amodio:

Touch wood, I’m blessed in the sense that I haven’t had that many that are as scary as some of the ones that I’ve seen my colleagues go through, if that makes sense. But there have been events where we have found things in the environment where it shakes you to your core because it isn’t what you thought it would be, if that makes sense. And I think that any situation you’re in where your world suddenly changes instantly, it can be unnerving. It’s the old joke and this is why you should always practice your IR, but everyone has a plan until they’re punched in the face. And so anytime you get that cyber punch in the gut where the world is not as it seemed, it’s pretty bad.

Cole Cornford:

Yeah. I hope that you don’t have too many of those in the future as a CISO.

Toby Amodio:

Touch wood.

Cole Cornford:

Best purchase under $100 and why?

Toby Amodio:

Best purchase under $100?

Cole Cornford:

I will breach the first rule and I’ll say AirPods because for me, good-sounding noise-canceling air headphones are godsend, no matter what situation you’re in, whether it’s a baby crying, the air conditioning in the office, going for a run, having the ability to zone out into your own world. So my wife was lovely enough to buy me AirPod Pros and they’re a lot more than $100, but you can get similar ones for within that price point, and they would be the one that I could not go without.

Yeah. Okay, cool. And one more it would be, what’s the most common mistake that you see people make in cybersecurity?

Toby Amodio:

The most common mistake is taking the risks personally. So I see security professionals saying no to things because they’re emotionally invested in it when it’s not their risk to bear. And that often leads to a lot of resentment from the cybersecurity professional side, which then undermines the relationship immediately. It’s that old, if someone wants to jump off the cliff, you are there to give them the parachute and tell them the risks. It can be very scary to watch them do that. It’s kind of like having kids. You don’t want to hold on so tight. You’ve got to empower them to achieve the outcome. So I often see my professionals advocating quite emotionally, and that’s because they’re taking it personally, and it’s not a personal piece. It’s about the outcome. And so you’ve got to have that step away and focus on the outcome.

Cole Cornford:

Cool. That’s some really good advice. All right. Speaking of advice, we’re going to sign off with one final question for you, which is, given our audience is all sorts of different people, mostly application security professionals, but a lot of C-suite as well. So what would you tell our listeners to do to help them keep their businesses secured? Just one piece of advice.

Toby Amodio:

I would say patch systems. It is one of those jokes, but the reason why the Essential Eight is the Essential Eight is because it stops a majority of the cyber attacks that the Australian Cyber Security Centre has seen. Don’t be the low-hanging fruit. It’s like in your house, you wouldn’t leave your back door unlocked and your front door unlocked, so start with that. Basics, the cyber fitness. Hit the cyber gym by making sure you’re getting your systems patched and especially anything that’s external facing, because you don’t want to be the low-hanging fruit when some script kiddie scans the internet. And I know that that sounds really simple.

The only other one I would say is have good password health. Get a password manager. Apple has one free now built into their phones, you can totally use that. I have used other ones in the past that have been compromised, but it’s still better than having the same password for everything. So they’re the two pieces that I always say to someone if you want to get that base amount of health, turn on automatic updates and make sure you’ve got a long, complex password. If you need to put a long password in there, I recommend choosing a line from a song, and then changing out some pieces within it. But you can end up with a password that is over 100 characters long, that is super easy to remember and means something to you. And if you’re like me and you listen to very obscure death metal, I’m sure no one’s going to guess my password. And that’s probably just invited a million people to try and give it a go.

Cole Cornford:

Hey, is it the groan of wind brings deadly disease from Kalmah? I love my death metal. I’m on a music trivia binge at the moment, actually, so you’ll have to come by sometime and just own the death metal section.

Toby Amodio:

That’s good. That is good.

Cole Cornford:

All right. Thank you so much. This has been with Toby Amodio, the chief information security officer for Parliament House. So thank you so much Toby, and yeah, looking forward to speaking with you more in the future.

Toby Amodio:

I appreciate it, Cole, thank you so much for your time and your service to the industry. Be safe.