SECURED

Trevor Hancock on Bridging the Gap between Protection and Progress

Trevor Hancock has enjoyed a decades-long career as a cybersecurity consultant, and today is Specialist Director at Deloitte. Trevor is most motivated by projects that make a meaningful difference in people’s day-to-day lives, and throughout his career he’s had the opportunity to work on several large-scale projects that touch the lives of thousands of Australians.

In his conversation with host Cole Cornford, Trevor discusses finding a balance between protecting against security threats while allowing an organisation to pursue its goals, the importance of being vulnerable with your colleagues, and plenty more.

2:00 – Opening banter.

5:00 – The most interesting project Trevor’s worked on (gives 3 examples).

6:40 – Cole: making a difference by working in the public sector.

7:20 – Trevor: “Shelfware” vs worthwhile work.

7:45 – Cole: Cybersecurity industry has a lot of people who are jaded.

8:30 – Trevor: we all have to use the “fear factor” to generate money.

9:10 – Trevor: cybersecurity has to enable business.

9:50 – Cole: How do we build a positive, trusting relationship with our customers?

11:00 – Cole: People focus too much on technical aspects, not enough on business aspects.

13:00 – Trevor: cybersecurity is often prioritised far too late into project.

13:30 – Cole: how do we change the above?

14:40 – How Trevor got into cybersecurity.

19:50 – Cole: I believe cybersecurity should be approachable.

20:45 – Trevor: you wouldn’t cross a road without looking left and right.

22:40 – Making calculated risks.

23:55 – Cole: delegation is important.

25:40 – How sport has been helpful to Trevor’s career.

29:20 – Exercise helps free the mind.

30:00 – The importance of taking a break.

32:30 – Advice for young people entering cybersecurity: be willing to learn from trial and error.

36:50 – Quick fire questions.

Trevor Hancock:

Sometimes you do work that just becomes what I like to call shelfware, where you’re doing a risk assessment or you’re doing a document that you know the agency or the organization isn’t really going to use. They’re just doing it to tick some sort of compliance box. So it’s hard to motivate yourself to do that, but if you can be doing something that you know is going to make a difference to the world, I think that helps you get out of bed each morning.

Cole Cornford:

Hi, I’m Cole Cornford and this is Secured, the podcast that dives deep into the world of application security. I’ll be chatting with Australia’s top software security experts to uncover insights on the diverse approaches they take to application security. If I ask you to picture a typical cybersecurity professional, you probably won’t think of someone who spends all their free time during university playing sports. But of course, people from all kinds of backgrounds find their way into our industry. Trevor Hancock believes his love of sport, particularly team sports like rugby and touch footy, helped him develop skills that have helped him in his decades-long career as a cyber consultant. In our chat, we discuss finding a balance between protecting against security threats while enabling an organization to pursue its goals, the importance of being vulnerable with your colleagues and plenty more. Whether you’re a cybersecurity expert or just starting out in the field, I’m sure you’ll find something valuable in our conversation. Trev, lovely to meet you, mate. How you going?

Trevor Hancock:

Yeah, going really well, thanks. Thanks for your time.

Cole Cornford:

That’s all good. So first question I ask everybody that comes onto the Secured show, what bird are you most like and why?

Trevor Hancock:

Well, I would like to say that I’m like two birds, I reckon. One is, I like to say I’m like the emu. My understanding is, on the Australian coat of arms, the reason the kangaroo and the emu are on there is because neither of them can take a backward step. So I like to believe that’s me. I like to be always trying to move forward, but realistically I’d have to say that I’m probably more like a kookaburra because I do like to have a good laugh. So I’d take two birds, I reckon.

Cole Cornford:

Yeah, that’s it. Two birds, one stone, right?

Trevor Hancock:

Yeah, exactly.

Cole Cornford:

Or one question in this case. So why is it important to you to always be moving forward?

Trevor Hancock:

Well, just because you want to be making a difference. If you spend too much time trying to… You learn from your mistakes and learn from the past, but it’s no use dwelling on it because it’s over. If you’re going to make a difference, you’re going to be looking forward.

Cole Cornford:

For myself, I’ve had hard times recently and I’ve had to make some tough decisions, and I think that that’s a really good thing to be bringing up yourself is that we have to move forward. And I didn’t know that emus and kangaroos don’t go backwards. They just don’t have a reverse function at all, do they?

Trevor Hancock:

Yeah, exactly. That’s right. So anyway, as I said, it makes it easier when you’ve had tough times. I have the same. My teenage son went through some depression and we had to work through that as a family, and it’s better to be looking forward than trying to dwell too much on what you’ve done wrong in the past, I think.

Cole Cornford:

Well, let’s move on to something a bit happier, because you like a laugh as well, hey.

Trevor Hancock:

Yeah, exactly. Exactly.

Cole Cornford:

So have you got a good bird joke or something funny, just a story for the listeners?

Trevor Hancock:

Well, you might not know, but I love the rugby and I had a bit of fun at half time in one of the rugby games recently where I actually got to dress up as a blow-up horse and run around the oval and do an obstacle course at half time, and that was pretty fun, bit of a laugh.

Cole Cornford:

Oh, really? Was this for the Raiders?

Trevor Hancock:

For the Brumbies, Rugby Union.

Cole Cornford:

Were you on all fours?

Trevor Hancock:

No, see, it was one of those blow-up suits where you’ve got a fan and a battery, and so the back end of the horse was just blown-up air, whereas the front end was my legs and arms.

Cole Cornford:

Yeah, yeah, I know what you mean.

Trevor Hancock:

It felt a bit weird, but it was funny.

Cole Cornford:

Did you fall over at all?

Trevor Hancock:

No, but I knocked the battery out of the fan, so my bottom deflated. So by the end of it, I looked like a bit of a sick and sorry horse.

Cole Cornford:

A very sad, lame one without back legs.

Trevor Hancock:

Exactly. Exactly. If someone had taken me out.

Cole Cornford:

Reverse centaur in this case. Oh, dear. All right. Yeah, that’s a good one. Yeah, I’m always up for a good laugh. So one of the things that we’re going to be doing is diving into people’s careers. So I’d like to start with what’s one of the most interesting or exciting projects that you’ve worked on, and what was engaging about it for you?

Trevor Hancock:

It’s a toss-up for me, because especially now, in the more senior part of my career, as I’m hopefully coming towards the end of it, getting closer to retirement than my starting time, I’m looking for something where I feel like I’m making a difference. So I’ve got three projects that I’ve been really lucky to work on recently where, one, I was working on a cyber threat intelligence sharing capability, which had a goal of not only uplifting the individual organization, but uplifting the cybersecurity resilience of the whole Australian economy. So that was pretty exciting to be working on that.

And then also I worked with a government department to implement the identity solution that Australian citizens use to engage with government. That’s pretty exciting to know that you’re making a difference to people like your mom and dad and your family. And then I guess the last one is helping some state government agencies develop their whole-of-government cybersecurity strategy. So helping a government for a state define what their strategy’s going to be for the next four or five years. So they’re what keeps me up and gets me excited about my job, that ability to be making a difference.

Cole Cornford:

I really like that idea of making a difference. One of the things for myself is that I don’t know when it’s going to be, but at some point in the future, I’ll be finishing up with Galah Cyber, and I don’t know what that looks like or why that’s going to be the case. Maybe someone comes up to me and acquires me for a fat stack of money.

Trevor Hancock:

That’d be nice.

Cole Cornford:

Maybe I just get sick of AppSec. I don’t know. But ultimately, when I do finish up, one of the things I do really want to be doing is giving back, making a difference to the Australian community. And I thought that one way to do that was to really just go hard at working in the public sector. Just really getting into it. I don’t mind as a consultant or as a permanent staff member, but just really working on projects and making a difference to the sovereign cybersecurity capability of Australia. Hopefully I can help with that a little bit. Yeah.

Trevor Hancock:

No, no. The thing is, we all work in cybersecurity, and there’s so many varying areas that you can work in within the field, and sometimes you do work that just becomes what I like to call shelfware, where you’re doing a risk assessment or you’re doing a document that you know the agency or the organization isn’t really going to use. They’re just doing it to tick some sort of compliance box. It’s hard to motivate yourself to do that, but if you can be doing something that is going to make a difference to the world, I think that helps you get out of bed each morning.

Cole Cornford:

And I think I noticed that cybersecurity has a lot more people who are jaded than other disciplines within tech, at least because I work very closely with architects, with engineers, with UX testers who are quite passionate about technology and their jobs. And I think that a lot of the time it’s because they get to really see the impact that they’re making on a day-to-day basis by interacting with customers and just seeing their changes go live. And I feel like a lot of the work that we do with cybersecurity is preventative, and we get quite abstracted away from our customers at the end of the day. You could say, yeah, a bank’s customers are just people, but if you’re doing risk assessments for a bank, you’re not really ever interacting one-to-one with the clients themselves. Right?

Trevor Hancock:

Yeah, exactly. But also the thing is, well, I think our industry makes a bit of a rod for its own back because we all have to use the fear factor to generate money and generate budgets, because it’s only just really recently been a board focus for organizations. Cybersecurity has always sort of been an add-on, something that is added onto the end rather than in mind. But I think a lot of that is, as you mentioned, aside from being jaded, we’ve got a lot of naysayers in our industry who want to just say, “No, you can’t do that because the risk is too high.” But my view on cybersecurity is that you have to be enabling business. If a business can’t work, then they can’t make money, so they can’t pay your salary as a cybersecurity professional for that organization. So you’ve got to be willing to help the organization understand risk and manage it rather than being the type of person that says, “No, it’s too risky to do anything.”

Cole Cornford:

One of the things from one of my earlier episodes, what Toby said was getting to yes. And I think that it’s such a different attitude and paradigm than what most cybersecurity professionals are taught. So how do we get people to get on that journey to go away from fear, uncertainty, and doubt, and instead just be working with people as a friend really, a trusted partner to help them get there?

Trevor Hancock:

You’ve got to be willing to share your expertise if you’ve got it, but rather than sharing it in a way that says, “Look, you can’t do this because of this, this, this and this, and this is going to happen and they’re all bad and they’re all going to be detrimental to the organization,” you need to be focusing on, all right, if that’s going to be detrimental, what can you do to mitigate it? And then it’s about converting that narrative to make it about, all right, yeah, there are those risks, but if we do these little things extra on top of what you want to do, then we can still do it and manage that risk. So I guess that’s my takeout of it: you’ve got to be willing to analyze risk. And I think people fear risk, especially cybersecurity professionals who may not be strong in risk. They may know the technical controls, but they don’t understand the risks, so they’re not very good at presenting risk.

Cole Cornford:

I think also a lot of people really focus on, again, the technical stuff. So we find a cross-site scripting vulnerability or we find an insecure network port, but then being able to turn that into what this actually means for a business is quite hard because it requires you to have knowledge outside of your domain, right? You need to know what these businesses are, how they’re making revenue, what keeps their CEO up at night. Is it going to be a ransomware attack? Is it going to be theft of their IP? I don’t know.

Trevor Hancock:

Yeah, exactly.

Cole Cornford:

I guess that’s why we read the paper.

Trevor Hancock:

And to be honest, as you mentioned, look, most cybersecurity professionals have a level of technical capability and background, but most users probably don’t. So it’s getting that balance right between that knowledge of technology and lack of knowledge of technology. So if you don’t design your security controls with that in mind, then you’re always going to be making it harder and less usable. And to be honest, that’s just as big of a security vulnerability as having no security controls, because people will find a way to get around your security if it’s stopping them from doing what they need to do to do their job.

Cole Cornford:

I think that within, I guess, my discipline, there’s a lot of fail fast and make mistakes and recover from those quickly, because the consequences of making a mistake in software are usually pretty small, in that you can usually iterate on them really quickly. Whereas I feel like for a lot of other projects at work, if you mess up cybersecurity really early on, it’s going to be there. Those kinds of risks will be endemic for the entire project and difficult to fix, right?

Trevor Hancock:

Yeah. And that’s the big problem with… That’s where the concept of the app dev process and security by design getting flown into that DevSecOps rather than DevOps process comes in: if you can get the security people working with your developers who are developing the capability at the start, then the chances of having a vulnerable system at the end are a lot less. But to be honest, even today you’ll find… I was on a customer site the other week where a project had been in development for six months before they even engaged with security. So it’s still happening today, that lack of engagement and seeing cybersecurity as an add-on rather than a part of the foundation of the system that’s being built.

Cole Cornford:

Oh, I wonder how we go about solving that. Do you have any ideas about how do we change that perception?

Trevor Hancock:

It’s one of those things that’s got to be changed from both ends. Security people have to be more open to supporting and being willing to, as I mentioned, take that risk view and say, all right, well, we can’t do that, or it’s too expensive to do that, so we’ll try and do these other mitigations or develop policies or procedures to mitigate it rather than having technical controls. And then in reverse, projects have to be given the breadth to engage a security resource at the start, which is always hard because most projects are scoped very thin, because there’s always limited budget and there’s always limited time. So having the breadth of capability, but I think everyone needs to own it. And if everyone’s owning it and we have that view that security is everyone’s problem and it’s not just the cybersecurity team’s problem to fix it, then I think we’ll get there eventually.

Cole Cornford:

It’s always about that shared responsibility.

Trevor Hancock:

Yeah, exactly.

Cole Cornford:

So shifting gears, you’ve been in cybersecurity for quite a long time, so can you tell our audience your story about how you got into it?

Trevor Hancock:

I got a bit lucky. I left university and joined a small consulting organization, and I was a Unix admin. And on my third day I was dumped out on site, not alone. It was a really good company. They gave me both a mentor and I was working on site alongside an experienced Unix administrator. And then over time, they gave me the training and the onsite skills, knowledge transfer, so that I was able to step in to become that Unix administrator for that site. And so I developed my career that way and I got a foundation in technical knowledge. So I did that for my first couple of years, and then we got acquired by a product company, and the product company had a single sign-on solution and they wanted a volunteer to learn from an expert they were bringing in from the US.

And so I said, yep, I’ll do it. So I moved to Sydney and worked with this expert and became the product expert in single sign-on, and then that expanded into other security products that the organization had. And then we got acquired by another company, a bigger fish bought us. So I then had a wider range of security products that I had to skill up in. And so I became a directory expert working with X.500 directories and LDAP directories for the region. So basically I would fly over to the US or the UK and get trained up on the company’s products, and then I would train the locals. So I’d go into Asia and New Zealand and all around Australia, training our security professionals on the products. So then from there I got poached and joined a PKI company.

So as I said, I just stumbled along the way into different product skills. And then from there, after doing PKI, I moved back into a consulting organization that had no products and was doing risk assessments and risk management. And then that led me down the path of learning about the ISM, or the Information Security Manual, here in Australian government. And I was part of the inaugural IRAP program that the Australian government put out to certify Australian government systems. I got involved in that for a couple of years. So as I said, I stumbled into it rather than planned it.

Cole Cornford:

Sounds like a lot of your career has been like, well, besides luck from being acquired multiple times and then having a role change is just saying yes to opportunities and trying new things out. Is that the advice that you would give to new people who are starting in the industry? Just being open-minded and saying yes?

Trevor Hancock:

And to add to that, yeah, definitely. So being open-minded and being willing to say yes to anything, but also be true and maintain a level of integrity. I don’t ever claim I know everything and I don’t think I’ll ever know everything, but the thing with the clients that I work with is that I’ll go, “Yeah, I don’t know that, but give me a chance and I’ll go and find out for you.” So you take ownership of a problem, but you’re willing to say, “I don’t know, but I’m willing to find out for you.”

Cole Cornford:

I think that builds trust.

Trevor Hancock:

So saying yes, but being willing to… Yeah, exactly. Build trust.

Cole Cornford:

I’ve met a lot of people who seem to think that they know everything, then it collapses a little bit later when it’s proven that they don’t.

Trevor Hancock:

Yeah, exactly.

Cole Cornford:

And then they’ve broken that bridge, right? So how do they build it again? It’s very hard to.

Trevor Hancock:

Yeah, exactly. It’s one of those things: it doesn’t take much to lose trust, but it can take forever to regain it if you do lose it, so having integrity is important. I actually got fired from one of my jobs because of that exact reason. We had an opportunity where the sales guy had an opportunity, and so he came to me as the technical lead on the opportunity and said, “Oh, what would we need to do this?” So I said, “All right, well, I need all this preparation time to do it.” He then went and sold it without taking my advice on that, so we won it, and then I said, “All right, well, if we’re going to deliver it, I need this time to do this preparation.” And then basically the week before it was supposed to be delivered, he’s gone, “I need you to go and deliver this.”

And I said, “I can’t. I haven’t done the preparation and we don’t have the preparation there. It won’t deliver what the customer’s expecting, so it will just be a bad experience for me. It’ll be a bad experience for the customer and it’ll be damaging to our reputation.” They tried to get a contractor in to do it, and they ended up not being able to deliver it because the contractor couldn’t deliver it. So I got let go. I got brought into my boss’s office and said, “Look, my contract said that I was to do any legal request asked of me,” and I said no to this, so they let me go.

Cole Cornford:

Wow, that’s a bit harsh.

Trevor Hancock:

But I was comfortable with being let go because I maintained my personal integrity.

Cole Cornford:

I think that’s very important, to maintain those values. One of the things I try to live through my company is my personal values: I believe cybersecurity needs to be approachable. It needs to be easygoing and fun, and I know that at least I want to have high-quality, business-driven outcomes for people instead of just focusing on technology and crazy stuff. And I also know where my skills stop. I’m not a great risk person. I’m not a pen tester. I can’t do that really well, but what I am good at is helping software engineers with problems. So if someone comes to me and says, “My system has these kinds of architectural constraints. How do I get to yes?” then I can give them some good advice, but if someone asks me to do an audit against the Essential 8, then I’m going to have a bit of a laugh and try to find a contractor to do it.

Trevor Hancock:

That’s something as well; I’m the same. I don’t claim to know everything, so I’ll be happy to grab someone that has more knowledge. But I like to use it as an example that you don’t cross a busy road without looking left or right. So that is risk management. If you walked out on the road without looking, then you have no risk management approach. But if you actually look left or right before you cross the street, then you are taking a risk management approach. It’s just having that mindset that says, what am I trying to do? What do I have to protect against? And then trying to design a way. So I’m sure that with the tips, you could probably do an Essential 8 assessment and control. I’m confident, Cole.

Cole Cornford:

I probably would, but I wouldn’t be an expert at it, but at the very least I’d know how to start with it. So I’ve always had that attitude ingrained with myself, I guess growing up even. So when I was younger, I remember one of my teachers in year seven, so 20-ish years ago or more for me was talking about risk management in relation to sports. So don’t go tackle the guy who’s a foot taller than you and built very strongly PG show, so I was going to say.

The main thing is that you don’t do it. Don’t pick fights that you’re going to lose. Don’t jump over pits. Think about risk, think about it. That changed a lot of my attitude. And even when I was growing up, I used to play a lot of competitive games, and a hell of a lot of that is judgment calls about risk, because you’re like, do I go and engage someone who is better at the match than I am, or do I choose to wait for a more opportune moment when he’s distracted or I have a partner to work with me to fight that person?

And so you make these decisions a lot, and I feel like that’s really helped me in my career. I try to understand the situation that people are operating within and having that situational awareness makes you a lot better at being able to make calculated risks and yeah, cyber’s all about that, right?

Trevor Hancock:

Yeah, exactly. And the other thing I want to add to that from a cybersecurity perspective is that concept that, as you said, you can’t know everything. So I see my role as working with, whether it’s the network operations team or the app development team or the policy writing team, to go, all right, so what are we trying to do? And my view is to make them aware of the risks. And then I might be a glass-half-full type of guy, but I personally believe that everyone does care about what they do to some extent. And so no one deliberately develops an application that has security vulnerabilities in it. They are trying to make it as secure as they can. It’s just sometimes they need help to understand what the risks are they’re trying to mitigate. But I won’t know how to do that from an app development perspective. All I’ll know is I’ll say, “Look, these are what we are worried about,” and then hopefully the app developer can go, “Well, this is how we would stop you being worried about that.” And together we solve the problem.

Cole Cornford:

Delegation’s really important. Everyone else is an expert in their areas. I feel like in a lot of cybersecurity, you understand security principles extremely well. You understand risk reasonably well in a business context. Okay. But the thing that you probably don’t understand is whatever discipline the people you’re interacting with have, as well as they do. I know I’ve spoken with people who are absolutely gun at Ruby on Rails or they’re expert Elixir developers, great enterprise architects, thinking about how to combine all these systems together in a secure way. They’re far smarter than I am in those kinds of areas, but what I can do is at least communicate to them, “These are the kinds of things that we are worried about. How are we going to work together to solve that problem?” And that usually ends up going pretty well for me.

Trevor Hancock:

And that’s the right approach, Cole. I a hundred percent agree. It’s got to be a collaboration. We can’t do it in isolation.

Cole Cornford:

So looking back on your career, did you think you’d be in the position you are in today?

Trevor Hancock:

Depends how far back you look. When I was at university, I loved my sport. I played rugby, I played touch football. I’d basically have some level of sport on every day of the week. By Friday I would have, whether it was touch football, rugby training, rugby on Saturday, touch football on Sunday. And I even almost changed careers. I was working part-time while studying at the university gym, and I applied for a full-time role as a sports facilities officer there, with my thought being if I had got that full-time role, I was going to go back and study part-time to get a degree in sports admin. So no, I definitely didn’t think I’d be here.

Cole Cornford:

Do you find that playing all that sport has been helpful for you? Because I feel like sport would give you, you’d be really switched on and good at making decisions quickly. What other benefits come from just having a career that started out in sport?

Trevor Hancock:

You’re a hundred percent right. I think probably the biggest one where I think that sport helped me is that team approach. As I said, I don’t feel as strong as an individual; I think I work better in a team. Now, as I said, I’ve got expertise and I can deliver as an individual, but I get more enjoyment out of any project where I’m working as part of a team. So that team area is really good. So if you’ve got that ability to work in a team, because a sports team, like any work team, is that you’re going to have the personalities that are really out there. You’re going to have the personalities that are a bit shyer, but may have some real high-quality capabilities that you’ve got to work out how to draw out to get the best out of the team.

But also, going back to your question, once I got into consulting, I think that my career has progressed sort of the way I wouldn’t have changed it if I could go back anyway. I think that I’ve had the capability to change and do multiple things, which has really given me a depth of capability across a lot of areas that have allowed me to really enjoy what I mentioned about the exciting projects that I get involved in. It’s because of that capability that my management know that they can throw me on absolutely anything and I will succeed, because of that spread of capabilities I’ve had involvement in.

Cole Cornford:

I love that sport set you up for success. I know a fair few people in cyber who just come from go to university, study a computer science degree, graduate, and straight into a techy programming role or something. And so hearing people with diverse stories and ways that they get into this field is awesome to me, because I actually know a few other people who’ve come from competitive sports. One of my favorite guys used to be a Wallabies player and now does sales because he was told, “Ah yeah, you’re going to be on the bench permanently at Parramatta.” And he said, “Well, rather than being a bench warmer for my career, I’m going to go learn how to do marketing and sales.” And that’s what he did and he transitioned to that.

Trevor Hancock:

Nice.

Cole Cornford:

But still enjoys playing his sport, right?

Trevor Hancock:

Yeah, and that’s right. And to be honest, I’ve got a good mate that is an ex-Brumbies and ex-Wallabies player, who’s now working for a competitor but working in a similar industry to me. And that’s purely based on the high performance areas that he learned through being a professional sportsperson that he’s now transitioned into helping teams operate in high performance mode, which I think’s a great analogy, that you have to do that. And you need something, whether it’s the sport or whether it’s just the exercise, you’ve got to have that thing where you’re actually keeping your body moving as well as your mind.

Cole Cornford:

Yeah, I know that’s something I let drop a lot actually myself. I need to really hit the gym.

Trevor Hancock:

Yeah, I’m the same. I’m trying to get back to my running, or I was running a bit, so I’m trying to get back to it. It was funny, I rang one of my partners from the company I work at because I was running every day, as the flexibility of my job meant that rather than having a lunch break, I’d just go at whatever time I didn’t have meetings. But he loved it because I’d ring him in the middle of it going, “I want to run and I’ve got this idea.” And we’d just talk about my idea as I was running. So it frees your mind. Exercise is good for that.

Cole Cornford:

I find that as well, at least when I get stuck. I do code reviews a fair bit and a lot of it gets monotonous because you’ve just been staring at an IDE with extreme focus, because you’re basically doing taint analysis and it’s really hard to do that consistently for a long sustained period of time, even with coffee. So what you do is you get up, you go pick your baby up and carry her around the house and tell her that she’s a cute dum-dum, and then go for a walk outside, play fetch with the dog. I think that sunlight is a really good way to reset and get a different view on things, or just talking through stuff with your partners, with your friends. I need to spend more time doing that personally, because when I do get into a bit of a rut from just having to work really long hours, I find that that reset really helps me.

Trevor Hancock:

Exactly. And it’s funny because you bury yourself sometimes in your work because you get such a heavy workload that you think, oh, I can’t take a break. I need to be working. But you realize the longer you work and the longer you go without that break, the lower the percentage of quality of work you get out. And so eventually you get a negative effect because you’ve been spending more time sitting there, whereas if you took a half hour break and came back, you’d probably deliver more than just sitting there trying to deliver.

Cole Cornford:

I do notice that my eyes glaze over and I’m just scrolling through a file and I’m like, wait a second, I reckon I’m picking up that I’m just going through the motions but not being effective at this point. So I’d better get that exercise band out and start doing those things just behind your back, pull it, get your spine moving.

Trevor Hancock:

Let’s say when you do quality assurance on documents and stuff, because I deliberately will mark in a different color when I’m editing, just so that I can see that I’ve done a good edit on it, and then of course convert it back to the real color. But if I notice there’s a page where there’s been no color change, I think, oh, I need a break because I’m not really reading this.

Cole Cornford:

Yeah. So do you redline everything?

Trevor Hancock:

Yeah, sort of that. I highlight if I’m changing something. So as I said, I tend to work in IT so you don’t sort of redline as much, but I do the track changes so that it is actually highlighting the changes that I’m making.

Cole Cornford:

One of the things that I try to do with my consulting reports, from my staff members and also myself, is to literally print out the report and then just go through, read it out loud with a blue or red pen and just circle areas that just don’t make sense or are too complicated or too long and that I need to simplify, because I feel like one of the best artifacts you can be producing in cyber at the moment, at least in my view, is extremely simple, blunt and informative advice.

Trevor Hancock:

Yeah. Yeah. And it’s typical of everything. No one has time to read too much detail. It’s like when you’re in consulting, as you know, you’ve got to have that executive summary that is to the point because you know that the executive’s not going to read past that summary.

Cole Cornford:

Switching gears, so there’s a lot of young people who listen to my podcast who are aspiring to get into careers in cybersecurity. What would you recommend that they do to get themselves prepared to join the sector?

Trevor Hancock:

I guess to me the idea is, as I mentioned, you have to be flexible. You have to be willing to try something. I’ve found through my career that I’ve learned more through failure or trial and error rather than failure, where I’ve tried something and it’s not worked and then worked out the way to get it to work, than actually not trying or trying to read and trying to get the right answer before I even start. I think that’s one of the things I said: be willing to try. It’s one of the things I put in place now with graduates and analysts that join the company I work for. The first thing I’ll say is I want you to try it. I don’t care if you’re way off the mark, because I can work with you to understand your thinking and help you because you’ve had a try.

Nothing frustrates me more than when you get a young person on a project and they come up and they go, “So how do I do this? How do I do this? How do I do this? How do I do this? How do I do this?” And then you’re going, “Well, I could’ve just done it myself in the time with the number of questions you asked.” So that’s the approach is give it a go. Don’t be afraid to give it a go. That would be the first thing. And then the second thing is don’t be afraid to ask for help and say, I don’t know. IT in general is changing.

Back when I first started, you had your Unix admin, you had your database admin, you had your network admin, and they were your core competencies. But there are just so many competencies now across IT and even in the specialty of cybersecurity that you can be a pen tester, you can be a risk GRC person, you can be a threat intelligence or a threat analyst or a threat hunter. There are so many different choices. So don’t be afraid to say I don’t know. But if you do say I don’t know, be willing to go and find out.

Cole Cornford:

I think that’s a great piece of advice. I remember a talk at BSides Canberra a few years ago from Alex from Atlassian, and one of the things that they mentioned was that as babies and kids, we like to just learn by doing. So we got really good at computers by just pushing buttons randomly and seeing what would happen. And then as adults, we start to get this risk-averse mindset saying, “Ah, but what if I do it wrong? What are the consequences? It could be really bad for me.” And I think that that advice that you give about giving stuff a real red-hot go as a graduate is great because what are the consequences? I don’t think anyone’s going to fire you for just writing a report that’s wrong. Ultimately, it’s not their fault. It’s their manager’s and eventually goes all the way up to the top to the business owner. So it’s low stakes, give it a go, and as long as you learn from it, it’s all good.

Trevor Hancock:

Also, you can add, I had a scenario where I was doing, or I had a team developing, a risk assessment for a government agency. And one of the analysts, I did that approach with them and they came up with a risk that I didn’t even think of. I went, “Wow, yes, that’s a real risk. We probably should be mitigating that risk.” But it didn’t even pop into my head. It was just because they had that mindset, and that was based on their life experience, that they saw this potential risk with the system that we were using, and we wouldn’t have got that if they weren’t willing to share and get involved.

Cole Cornford:

Yeah, really, really, the young folks with all the… There’s new perspectives about approaching things. I feel like I have a mindset that’s come around from, like for me, playing computer games as a kid, doing long distance running, not being particularly good at schooling, but finding ways to be lazy to pass. So having a very programmer mindset to approaching it. What’s the quickest way to get a pass so I can spend more time playing games? That’s why I think diversity in your team’s really good. So you have people who can view things very differently, and I’m hoping that in the future that we can encourage people from all sorts of backgrounds to come in especially for this podcast, right?

Trevor Hancock:

Yeah, exactly.

Cole Cornford:

All right, let’s move on to the fast segment. So these questions here, I want you to answer immediately, whatever comes into your head. Okay?

Trevor Hancock:

Yep, yep. Sounds good.

Cole Cornford:

Here we go. All right. So best purchase under a hundred dollars and why?

Trevor Hancock:

Probably, I’d have to say Catan.

Cole Cornford:

Catan?

Trevor Hancock:

It was a board game that… It was the start of my family. So my teenage boys and my wife are getting together and playing games together.

Cole Cornford:

I always say Settlers of Catan. My university has this habit of getting students in third year computer science to actually have to, similar to Tower of Hanoi, work out the best decision matrix for Settlers of Catan based on probability. We end up with anyone in Newcastle generally hating Settlers of Catan because they had to do an assignment on it. But I didn’t do that assignment. I just accepted that I had enough marks in the subject to get by, so I just didn’t hand anything in. So for me, I actually love Settlers of Catan. I don’t have any negative attitude around it. So I’m like a sheep for wood, wood for stone kind of guy.

Trevor Hancock:

I’m hopeless because my family don’t trade with me, so I never win because they always trade with each other before they trade with me because they don’t like dad winning.

Cole Cornford:

We had a period of time where my friends, we used to play Risk. I played with some friends who were a couple and they would always never do anything that would influence the other one to lose. So they’d intentionally make bad Risk decisions, but it ended up being with one of them winning because they basically had double the amount of starting pieces.

Trevor Hancock:

Yeah, exactly.

Cole Cornford:

We ended up not playing Risk with them after a few months because you were just like, we’re sick of this couple warfare going on.

Trevor Hancock:

Exactly. I’m the same with when I play with the family, that if they’re going to do something bad, my boys will do it to me over mum. So mum never gets you if they’ve got to do something. If they’re going to steal a piece or steal a card because the robbers come along, they’re going to choose me over mum anytime.

Cole Cornford:

So going on to your next question, if you could go to the same holiday destination every time, where would that be and why?

Trevor Hancock:

It’d have to be Fiji. I love the beach. I love scuba diving and I love warm weather. And Fiji has this in spades and they are generally the nicest people.

Cole Cornford:

I’ve never been to Fiji. I know that one of my friends nearly got scammed by wood. You can’t bring wood back to Australia or something. I remember that it was…

Trevor Hancock:

You’ve got to declare it. If it’s got bugs or anything in it, then they’ll confiscate it. But if you declare it, they check it and they check for holes for bugs coming into it. Once when I went to Fiji I brought back for my young boys a bow and arrow that got confiscated because I didn’t realize it was deemed a weapon. It’s a kid’s toy.

Cole Cornford:

That makes a lot of sense actually. Yeah, I wouldn’t have thought about that. I would’ve just been like, “Oh, look at this. This is good for the kids.” And they’re like, “No, no, no.”

Trevor Hancock:

Exactly. That’s right.

Cole Cornford:

Or you’re like, “This is art. It’s going to hang on the wall.”

Trevor Hancock:

Yeah, exactly.

Cole Cornford:

They’re like, “Yeah, no, sorry mate.” This isn’t going to fly. That brings us up to the end of the interview. I ask all my guests at the very end, what’s the one piece of advice that you give to our listeners that people normally wouldn’t think of as security advice to help keep themselves and their businesses secured?

Trevor Hancock:

That’s a tough question. I guess for me it’s don’t be afraid to be vulnerable. I know that really sounds stupid when you are thinking about security vulnerabilities. But the thing with me is that if you are not afraid to be vulnerable, then you’ll share your concerns with others, because I think collaboration is the key to maintaining a secure environment. If you’re willing to share what’s keeping you up at night and learn from others and let others learn from you, I think that will make us and our Australian businesses more secure.

Cole Cornford:

I think vulnerability is a really good quality that I like looking for in staff members as well, and it’s something that often, as men, we’re taught that we need to maintain a position of strength and not really show that we have weaknesses. And so it’s often difficult and there’s miscommunication. People don’t really understand the extent of where cybersecurity issues are because they don’t want to look stupid. They don’t want to look like they’ve made mistakes. So I think that that’s always served me well and it’s good. I’m glad to hear someone else call out vulnerability as a thing that you need to do too.

Trevor Hancock:

Yep. Thanks for your time. It was good.

Cole Cornford:

All right. Thanks, Trev, for coming along. It was really good to speak with you, mate. So do you have any shoutouts or anything you’d like to say at the end?

Trevor Hancock:

No, as I said, it’s great changer. I’m glad to see that we’re trying to get more people interested in talking about cybersecurity, so definitely happy to be involved.

Cole Cornford:

Yeah, thanks. Thank you for listening to this episode of Secured. We hope you enjoyed today’s conversation. Don’t forget to follow the podcast on your favorite platform and leave us a review. Want some more content like the above? Why not subscribe to our newsletter at galahcyber.com.au/newsletter and get high quality AppSec content straight to your mailbox. Stay safe, stay secure. I’ll see you next episode.