
A
You're listening to the Cyberwire Network powered by N2K. Welcome to Afternoon Cyber Tea, where we explore the intersection of innovation and cybersecurity. I'm your host, Dan Johnson. From the front lines of digital defense to groundbreaking advancements shaping our digital future, we will bring you the latest insights, expert interviews and captivating stories to stay one step ahead. Today, I am excited to be joined by Darren Kane, Chief Security Officer at NBN. Darren has held this role since March 2015, leading a converged security group that integrates physical and cybersecurity to protect NBN's people and assets against evolving threats. Darren's extensive career spans law enforcement, financial enforcement and corporate security. Darren spent 13 years with the Australian Federal Police and 6 1/2 years with the Australian Security and Investigations Commission, serving as the Assistant Director of National Enforcement. Darren then joined Telstra where he spent 11 years in senior security roles, including four and a half years as Director of Corporate Security and Investigations. Together we are going to explore the biggest challenges shaping cybersecurity today, the impact of AI and emerging technologies on resilience and defense, and how leaders can guide organizations and teams through constant change. Welcome to Afternoon Cyber Tea, Darren.
B
Well, good morning actually down here in Australia and I'm really pleased to be able to join you for morning tea for me and afternoon tea for yourself and the folks listening.
A
Well, awesome. And hopefully you're having some good morning tea or maybe you're just having a flat white. Whatever works for you. So you've had an interesting career from police to financial enforcement, corporate investigations to Telstra, and now of course leading this converged security org at NBN. That's quite the spectrum of experiences that all intersect through security and resilience. Can you talk about what motivated your transition into cybersecurity leadership and how has your background in policing and enforcement shaped the way you think about converged security?
B
Well, firstly, I always wanted to be a police officer from a very young age and I thought by joining the Federal Police here in Australia, so a little like your FBI, I would have an opportunity to actually not just be contained by the state jurisdictions of a state based police force, but I would actually have both a national and international aspect to policing. I found that I spent most of my policing career in transnational organised crime and working for different government agencies looking at that particular crime type. I then felt that looking at the financial sector and working for your, what is your SEC, for example, is our Australian Securities and Investments Commission, was an opportunity to take my knowledge around organized crime into the financial markets. And then ultimately you could actually see that tech towards the start of the dot com boom in the late 90s and 2000s, the tech was going to be really important and in fact would facilitate crime. And that's when I made the decision to actually go corporate and join Telstra, which is Australia's largest mobile carrier down here and was at that time whole, well, majority government owned. So from there I built out my knowledge and capabilities in the tech side of the telecommunications and information technology and looked particularly at cyber safety. Ian so my big start in this space was around the education and awareness of online users working for our biggest ISP at the time, which was BigPond, which was owned by Telstra. And it was through that engagement that I got to meet Microsoft for the first time and traveled across to Redmond. But not only that, had a role with the Virtual Global Task Force which was international crime sponsored by large continent ISPs and looking at education awareness for the different online risks. 
And then ultimately, as I became deeper and deeper involved in the tech side of enterprise security risk management, I could actually see that technology, applications, networks, platforms were supporting both IT and OT security risk controls. And I learned from that aspect that a lot of money was being spent in the enterprise security risk space on tech and yet my ability to actually control or have authority about where and how that money was spent was incredibly limited because I was actually on the physical personnel side of the business. So really, to be quite honest, it was that aspect of finance and access to resourcing that truly motivated me to actually move across to a converged security model. And I really do want to make a point that my role here at the NBN isn't just about cyber and managing the actual ever evolving threat that is coming from that particular stream of security risk. One of the best things about being in charge of everything, if you like, so all aspects of security risk is that I actually am the person that actually speaks to the C-suite and speaks to board and our government owners on how we're managing it. If we have a post incident response, for example, there is no finger pointing, they're just talking to me. And I'm able to use what I think is a pretty transparent and honest communication style to help them understand how I'm managing things. And look, I think the other thing too, going back to your question about how my experience in law enforcement has helped shape my certainty around the effectiveness of a converged or all hazards security approach, is that transnational organised crime is not siloed. Now, if you pass a murder to homicide, have you missed an opportunity to crack a drug ring with the DEA? Or have you missed an opportunity to have a look at a significant fraud in the financial markets? Because you've only looked at it as one aspect of crime and because of my experience, I looked at it more holistically. 
And if you think of your position, it's more like Eureka. If you look at everything they're doing, it gives you a better understanding of the size, scope and possible solution to managing the risk.
A
Yeah, and I love how you bring it together because it makes it intuitive. And I'm going to ask another question about that, but before I do that, we have a large global audience and whilst NBN is incredibly important in Australia and in the region, I suspect that some of our audience may not actually know who NBN is, how critically important you are and what you do. So before we go into our next question, can you talk just a little bit about the organization?
B
Yeah, certainly. In fact, it's an organization I'm incredibly proud of and so thanks for this opportunity. It's got a significant purpose, the NBN. So when you're thinking about connectivity in Australia, it's fitting to try and compare our island continent with maybe mainland USA. Australia is a continent that spans about 7.7 million square kilometers. Now to put that into your perspective, mainland USA is about 9.5 million. The USA is the world's third largest country and Australia is the sixth. On the flip side, the USA's population is 333.2 million, which is over 12 times Australia's 26.7. Now the USA's population density is 38 inhabitants per square kilometer. Australia's is only 3.5. Now I actually give you all those stats to help you understand just what the challenge is to try and connect wholesale broadband connectivity to all of our inhabitants with many rural and regional communities, we must connect and not leave any behind. Now that's the purpose and mission of the NBN. To ensure that everybody isn't left behind. The digital divide. So it was established, the National Broadband Network Co was established back in 2009 by the Commonwealth of Australia. That's our federal government. It's government owned organization that designs, it builds and operates the country's wholesale broadband access network. The NBN plays a critical role in delivering fast, reliable, resilient and most importantly for me, a secure broadband connectivity. Simply, the NBN Co is the nation's digital backbone. It's Australia's largest critical infrastructure project. Around 80% of the nation's data packets passes through our multi technology mixed network with fibre every day and we've got cable exceeding around about 390,000 kilometres, which is nearly 10 times around the world. And that's my responsibility to keep secure. What is interesting, and it's a stat I often use, we've got around about 10 million homes and businesses connected with multi gig capability. 
Now in our last census we've got anywhere between 2.3 and possibly 2.6 people per premise. So around about 23 to 26 million folk rely on NBN every day for connectivity.
A
That's a lot there. And across, as you mentioned, it's not a lot of humans across a large expanse. So as you think about the work you do, and I'll move into our next question with this, as you think about the work you do, it is about connecting people in pretty remote areas and a lot of physical infrastructure too, as well as cyber. So this unique role you have where you're putting physical and cyber together, a lot of organizations, I'm not going to say most, but a lot of organizations still treat those as separate functions. Yours is not only quite forward leaning, it's expansive across a really large geography. So how do you think about it and how do you get advantages from the combination like your example of having a drug bust and a murder investigation. How do you actually converge the physical and logical security in protecting this large vast network across a continent?
B
Ian, from my perspective, it's a really good question and we are a unique utility if you think about it. And wholesale broadband has become an essential utility. It's like water and power nowadays. Connectivity is such an inherent requirement for everyday life and to have that utility you must have critical infrastructure. And if you've got critical infrastructure, you've got a lot of physical infrastructure, you have a lot of people required to manage and run that infrastructure. And from my perspective, if I was only to look at one stream of security risk, think people, there would be so much interaction that I would have to have with the actual accountability owner for physical security and for cybersecurity, that I've always been someone who recognized that you would be much better off having sole accountability for all three and managing the risk in that fashion because it would be more effective and more efficient. Now I recognize nowadays that way of managing the risk isn't everybody's cup of tea or a requirement. But I do believe that nearly every enterprise right across the globe has a situation where there is now such interaction and crossover between those three, possibly four or five different streams and the other couple of streams would be governance, risk compliance and GRC investigations, digital forensics, even resilience, incident response and recovery is starting to fold in to that accountability. Now I think you need a helicopter view of all of those issues and all of the duplications and crossovers to be effective and efficient in managing that risk. Look, one of the other advantages that I've never seen when I started to first think about an all hazards or a converged security model way back in 2008, 2009 and I was lucky enough to be given the opportunity to introduce it here at NBN in 2015. It's only in the last four or five years that I've really picked up on this issue. 
And to pinch a line from Meghan Trainor, which was all about the bass, no treble, this is all about the data and no trouble. If you can think of all the data feeds that I'm getting from all of the different streams, I have accountability for all of the cyber data, your logins, your monitorings, your SIEM action and so forth. All of your EAX passes or EAX being swipes on doors, your enterprise building integration capability, all of the times techs take keys down to access points of interconnect. And if you think of all of the actual data that's available to me around managing personnel security, I actually have all of that feeding into our fusion center. And now with the assistance of machines and we're going to be talking about AI on the podcast, think about how valuable a picture I get because I've got all of those data feeds. Now, if I didn't have that accountability across all of the streams, I would actually have to go looking to have that data released to me. I've got authority and control across the top of the data. And as we know, data is the new gold, it's the new oil. So that's one of the advantages that has belatedly come to me since we've been running the model into the fusion center.
A
So if someone had asked me going to this podcast, if you would have quoted Meghan Trainor, the answer would be no. I'd expect maybe Nick Cave or something like that. Moving along with our topic, I only
B
just thought about it because it's all about the data, no trouble. And I thought, hang on, I've heard that before. And look, when the proverbial ship hits the sand, if you like, you won't have business units pointing fingers at each other and saying, well, this was your fault, this was your fault, this is your fault. What we've got here at the end, the end is people point the finger at me and say, listen, what's happened? And that again is another benefit of the all hazards approach we employ down here at the NBN.
A
So the world is changing, right? The stakes are incredibly high because you're protecting critical infrastructure across millions of people across, as we mentioned, a very large geography. And you're not just dealing with cyber threat today, you're dealing with cables, undersea cables, you're dealing with nation state actors, you're dealing with physical challenges, you're dealing with potentially sabotage. Right. How do you think about mitigating all of this at scale across again, a very large geography?
B
That's a really good question. How do I think about it? Firstly, prioritisation. So what I generally look at is what is the most critical of our assets and why is it important that we protect them first? So I look at likelihood and consequence of failure. I work a hand in glove, great collaboration with government and with other telcos down here who actually buy wholesale access Office. So upstream would be government engagement, downstream would be all of our retail service providers who ultimately send out the access to the end user here in Australia. So I prioritize those assets, I look at what controls and capabilities I require to manage that and then this is where Microsoft and other vendors come into this process. I also recognize very quickly that my capability here with the team that I actually have the privilege to manage are only as effective as the controls and capabilities of the vendors that support me. And I definitely do not look upon the third party providers of both product and service as a necessary evil to do my job. I see you people as someone who is part of my team and by you people, I'm actually speaking of Microsoft in this instance, but it may be other hyperscalers, it may be other product providers, but I see them as people who are very, very important to me and someone who I have to be in sync with and have a trusted relationship and partnership with. And then from that perspective, I take great pride in ensuring the team understand the importance of the assets they're protecting and the mission and purpose they have. And then from that prioritisation aspect, we actually work our way down a list of things that we must protect all the time, then some of the things that are something that we can take more of a risk with, so very much a risk based approach here at the NBN on criticality of asset and then the components of those assets that are also important to ensure they're running effectively. 
And we just work our way down that role, as I said, I think most importantly, it's relationships both with government, with the RSPs who sell it, with our vendors and providers, and then ultimately end users. And one of the things that I think is really important, and I have a job to do, is to help those that are actually getting benefit through connectivity with the wholesale broadband, knowing their responsibilities and knowing and understanding how they can have the best experience and what sort of simple security measures and controls that they can deploy to protect themselves. Because I think you'd understand this and so would most of your listeners to this podcast, is that enterprise security risk management on a scale that we're talking about cannot be left to a small group of people. It must be done holistically across an environment who have a responsibility and a connection back to the capability they enjoy.
A
I think that you've touched on a couple things and I want to pull the thread across collaboration a little bit more in partnership and talking about folks, us, you, other people. Because in the world we're in, no innovation can afford to defend alone. Right? We just can't afford to stand alone. I don't mean financially necessarily, I mean just in general. You've had experience in government, you've had experience in private sector. We've talked a lot as an industry for many years about collaboration. Collaboration strengthens cyber defense, collective defense, resilience. What models have you seen that actually work in practice?
B
Ah, that's a really good question. I think we need to be careful. We're not too prescriptive around models certainly down here in Australia. For example, the Australian Federal government have just introduced some significant reforms around the security of critical infrastructure. And they've identified 11 areas or sectors of industry where certain participants in those sectors important to the overall critical infrastructure environment and supporting Australians. So we've been actually captured by that reform and there's a different framework that the governments have actually required us to now be compliant with and that's called SOCI as an acronym, Security Critical Infrastructure Framework. And there's different particular models and frameworks that we're actually working towards now. Here it's the Essential Eight, which is things like patching apps, patching UIDs, multi factor authentication, who has privilege access, application controls, restrict macros, for example application hardening and of course backups is the example that framework. And there's about eight criteria to the Essential Eight and they're called essential through a reason because it's a way for the government to measure maturity risk controls against a certain framework. There's also NIST down here in Australia which can be part of the SOCI reforms. And then of course, the government has its own policy, which we call the Protective Security Policy Framework. Now, what's important about that last one, PSPF, it is largely looking at holistically how you manage things. So it's for people like myself who have a converged security model. That's the framework where all the framework we're working to down here, it's only recently applied to us. And look, I'm a supporter and promoter of that because I think the government is trying to ensure that all aspects of the critical infrastructure dependency are at a certain level. And I think that's a good thing. 
Another thing which is more of a practical model that I think works incredibly well is collaboration and trusted relationships between people who have similar accountabilities. And I don't just mean those in the telco sector or those in the critical infrastructure sector. I'm talking about those who have accountability for security risk in their enterprise and all of the people that actually are participants in that environment. And that includes yourself at Microsoft, who is a huge global supporter of most of the folk that do roles like mine. So that's our model that we're working to down here. That framework, I think is a good thing and I think it will offer significant improvements around security controls. And I can't see it at the moment having any downsides, but as we get deeper into it, obviously there'll be rooms for improvement and continuous learning. But at the moment that's where we're working to, and the model seems to be working.
A
It's really great. I also, I know the Australian government is leaning forward on critical infrastructure. I think SOCI is a very good starting step. It's also something the world can model in a lot of places, right. Regulation. And I'm going a little different direction and then I'll ask you a question. But regulation being practical is really helpful and regulation being about defense is really useful. So we'll see, right? We'll see how it plays out. But I was in Australia a few weeks ago and I had the opportunity to learn a lot about it. And it's one of those things that I think is a step in the right direction. So hopefully it also drives what we were talking about, collaboration. It also drives the community to come together and think about the, how you all become more resilient from critical infrastructure entities and sharing best practices amongst each other.
B
Yeah. And look, one of the definite benefits from this is if you like, a rising tide lifts all boats. There's incredible dependency in this integrated world we live in where we are relying so heavily on different upstream dependencies and of course downstream dependencies. An example of that would be energy upstream from the NBN capability and other telcos. And then of course all of the capability we provide different industries from our connectivity downstream. Now, if any of us have an impact through poor security controls or poor security posture and hygiene, well, the actual flow on effect across the community is significant. So that's why the government is trying to target an overall approach to ensure everybody is at a certain standard. And to me that makes a lot of sense.
A
Yeah, exactly. Well, let's pivot. The audience knows it's coming, you know it's coming. We're going to talk about artificial intelligence for a minute. We are starting to see it really reshape the threat landscape for the moment, hyper focused on what I call phishing. Right. There's some other places, but we're talking pretty openly about how we're seeing it changing the phishing landscape. It's obviously changing the defensive toolkit with a lot of organizations. And I think that in a critical infrastructure environment in a region of the world that is sensitive. Right. We're going to see really pronounced and profound impacts from AI. So how are you thinking about AI and automation? What's your approach? Are you being slow? Are you rushing? I think you're very practical. I don't think you're rushing anything. But where do you see the greatest risks and where do you see the greatest opportunities for applying these technologies, particularly in defense?
B
Yeah, look, I wouldn't have been a podcast in 2025 if I hadn't been asked the question of AI and it's appropriate that we talk about it. So for many, artificial intelligence really became a reality in late 22 with the introduction of ChatGPT and just all of the things that brought to us. But always remember, Anne, I'm an aggressive promoter of good security, being an enabler for a high performance business. If we rely too much on the catastrophization or the downside of risks that AI might represent, I really do think we may miss the upside of the opportunity. So firstly, yes, I think AI does represent a risk, but I also think that if you approach it in a positive fashion and help the organization understand what good security controls hygiene, and leaning towards the benefits that may come from machine based learning and automation, you may actually have an opportunity to benefit from it. So that's the first thing is a positive approach to it. There's no doubt artificial intelligence is transforming our field of expertise. Our role in less than two years, its evolution or revolution has become a business priority and perhaps a security vulnerability. And it's sort of something that we should be aware of for sure. It's helping us detect threats faster, automate responses, analyze vast data sets. Goes back to what I said about Meghan Trainor. It's all about the data, no trouble. Because of the converged security model and all of the data feeds, think of the opportunities that AI is offering ourselves here at the NBN Co. There's no doubt there's vulnerabilities. Adversaries are obviously using AI too, for speed, for scale, sophistication, and it's having an impact on CSOCs and incident response capabilities. It is very rare now that we're going a week without a significant issue. Largely those issues are third party. So it goes back to what I said about a rising tide and lifting all boats. And we must understand that AI is both a shield and a sword. 
It plays a dual edge sort of thing in our roles. And this is something that I've actually learned from my engagement with you this year, Ian, is that our defences must evolve to anticipate not just known threats, but also the emerging ones. So understanding how constantly we should be almost testing ourselves through AI machines, almost offensive simulations and the learnings from that, and how that can actually train our defensive models and what we can learn from our global partners who have actually had a similar experience. And I think that will be really important because it actually allows us the speed to respond to follow up on AI and automation. And our approach, our greatest risk is applying in defenses. How do we get what we know into our systems and capabilities, controls as quickly as we possibly can? Because there is no doubt that our adversaries are doing that offensive attacking so much quicker nowadays. So we're looking at that issue as well.
A
Yeah. And as you said, data's the new gold. It's all about the data. And I would encourage folks, and I think you'd probably agree that having good data hygiene, good data controls, understanding where your data is traversing, understanding where your data is classification, labeling, data loss prevention, all of those things are going to make or break whether your AI program is successful.
B
Absolutely. Well said. And I call it battlefield information. You know, who's got the plans of how you're going to defend, who's got an understanding of what strategic capability you've got, who owns that accountability or to protect it, and can those folks be trusted? So you're quite right, categorization, classification of data and its protection, I think is going to be critical as well.
A
Yeah, agreed. Well, let's talk a little bit about resilience because as you know, I talk a ton about resilience, I talk a ton about organizational resilience. But of course we have human resilience and psychological safety, particularly in cyber. I don't know that folks outside of cybersecurity understand the types of information that the cybersecurity teams may come in contact with. And some of it really does risk the psychological safety of your employees. So can you talk both dimensions? How do you think about organizational resilience, meaning that those data lines and those cables and those things that drive information across the continent of Australia can't go down and then just talk a little bit about psychological safety and what you do for your team?
B
That's a fantastic question and it's incredibly important one now to actually to speak on. And I spend a lot of time now in some of my presentations talking about the concept of shift left, but move right. Everyone knows that shift left means that we actually have to be better at the identification, the proactive protection of our capabilities and our networks, platforms, applications, because by doing that we're actually not actually having to actually sort of constantly defend and respond, recover from a breach. So that's the shift left concept. But nowadays we all must move right. We all must actually spend a large part of our resourcing budgets, our strategy efforts around how are we going to respond and what have we got in place to ensure that response is the shortest period of time to recovery. And I often think about, I have a number of ex law enforcement folk work with me here and one young fellow who was working with me for a very long time said, look, I don't know whether you've thought about this, but our training from a young age in law enforcement has always been about if we actually do something today we put something in place. We don't just think about the impact that will have today. We think about the ongoing effect maybe three or four or even five steps ahead. And if you put it in law enforcement speak, if we actually do a particular investigation inquiry today, we get an outcome. We've actually got to think about how that will play out through the investigation going forward. But most importantly, how will we present that evidence in court and how do we ensure that it will be seen as something that's been gathered lawfully and what effect it will have? So we're always thinking three and four and five steps ahead. It's just training we've had. And when you think of resilience, I always think of the defendable position we must have. 
Ian, in the event of a PIR, a post incident review, I always think about, well, what would someone in a post incident review look to Darren Kane to have had in place to manage a particular risk that he or the company should have known about? And that to me is how we actually set up our incidents. It's how we set up our security controls through prioritisation of our most critical assets. It's how I actually ensure the people that are working with me are trained to actually respond. And that's coming back from bit of law enforcement training. I cannot stress enough the importance of good security posture and hygiene. Just getting the basics right for good resilience, ensuring that people understand what their roles are and that they are going to do their roles accurately and timely. Now there's even entities with some of the highest security risk controls continue to focus on awareness around the basics, be it passphrases, suspicious links or even keeping devices up to date. They're examples of you just really good basic hygiene. I invest time and resources in building a culture of security at NBN where the mantra that security is everyone's responsibility resonates with almost every employee, all down to even the simplest of things like wearing lanyards. So people are able to identify folk when they're in our facilities is a simple example of that. I have a very strong education and awareness campaigns and we do communications down here in Australia, for example, it's Cybersecurity Awareness Month where the government, ourselves and other entities are actually supporting education awareness efforts across the month. The only other thing I did want to touch on was your question around what about our people and the folks that we rely upon to manage the actual firstly controls and ensure they're working effectively, but probably most importantly incident response and recovery. 
Nowadays it's probably not a matter of if but when we have a vulnerability and how do we respond to it. And unfortunately they're coming on with amazing frequency of late and I won't go through stats here, I don't think that's helpful, but I will be able to tell the audience that it is happening very regularly and we are relying on the same small cohort of people each time to respond. Now sure, through muscle memory and training and constant standing up they become more efficient and more effective and more capable. But at the same time it's a huge burden to carry and I often think the folk that work in this space are over invested in their mission. And they do have a bit of a fear of failure around what happens if Australia loses capability of the nbn. So the pastoral care of the team and helping them understand what their role is, how they're managing their role, ensuring their wellbeing in the workplace and a balanced life exists outside the workplace is probably the most significant priority I have in managing the role I've got. Then I take the pastoral care of the team, probably as important as any priority that I've got.
A
That's great to hear. Which also brings me to the evolving role. Right? The CISO or the CSO roles are really expanding, particularly in recent years. And you talked about at the beginning, right, that you were reporting to the board, you're talking to senior level leadership, you're navigating saki and other regulations. How do you see how the roles evolved in the years ahead? And what advice would you give to folks that are aspiring CISOs or CSOs?
B
Wow. I could go everywhere with this answer, Ann. But look, I'm the guy who says drop the I. I'm a firm believer that the days of the CISO are slowly coming to an end. I believe the title of Chief Security Officer will be one that most CISOs will eventually evolve to. And it's for the reasons that we've spoken about on the podcast today. It's just such an evolving area and title that I can't see it not going in that direction. And the role is so much bigger now than just information security. As we've mentioned now, we've come a long way from sitting in a basement to now sitting at the board table. In fact, I firmly believe that a CSO role can be done by a senior business executive who has very limited security understanding or experience. I think an effective junior executive business executive could come in and learn from his or her significant direct reports across the different streams. Think cyber, think personnel, think physical, think admin. And that person over 6 to 12 months could become familiar with their accountability and then in 12 to 18 months become almost expert in managing up, down and across around this accountability and ultimately can move on maybe to a COO role, Chief Operating Officer role, maybe to a chief customer role, maybe to a Chief Financial Officer role. And ultimately I think that most competent CEOs in the future will need to actually demonstrate a capability and even an owned accountability of enterprise security risk. So I actually think the evolution of this role that we call Chief Security Officer now will be one where it is probably an opportunity or an advantage to have some experience in managing security risk on your CV or resume. Why do I say that? Well, almost every board survey, every government response, even most C suite surveys are asked the question what keeps you up at night? And usually the answer is cyber or security attack.
So therefore it makes sense that you've got someone who's leading the organization, have that experience in their resume. So that's where I think it's going. We test the. Yeah, I'm going for your life.
A
No, I was gonna say what you're saying makes an awful lot of sense and it ties into. We're getting down to the end. One last few questions I want to ask you is take that in context of your own personal career journey. Right. First, what's one piece of advice you wish you'd received earlier in your career? How does that shape who you are today? And then what do you think that listeners should take away or could take away from your journey that ties into your comments of where you think the role CSO is going.
B
Piece of advice that I received, I've always been somebody who has had a lot of confidence and a lot of mentors and people that have invested themselves in my career early on have seen that. So they've actually encouraged me to continue to fake it till I make it. So they basically said, look, you're someone who can actually take on a risk and manage it until you become expert and better at it. So I've always done that. And when you look at my career and the different aspects of it, I think it's reasonable to say that that's basically how I've managed to learn and build skills and capability. So that's something that I've recommended to others that I see who have similar traits. But I also encourage others that are more studious and more risk averse to bite off as much as they can chew and then just chew like hell to make sure they can actually learn and grow. Because the one thing that I'm seeing in the world today, Ann, it's the speed in which evolution is happening. And if you take your time to try and become expert in things nowadays, sometimes you may miss the opportunity. So that's my advice. Some other advice to folk in relation to moving into this area of accountability that you and I both work in around enterprise security risk is don't limit yourself to one particular capability or stream. Don't go to a university with an attitude or come out with a graduate degree with an attitude that I only want to work in cyber. You make sure you understand that you want to work in enterprise security risk and that'll ensure a there's plenty of different areas to get your foot in the door in. Whereas if you just concentrate on one small slither of accountability, it's a bit harder to break into and you really don't know until you know it. And once you get inside an organization, for example like NBN's Security Group, there's so many different areas that somebody can actually find a pathway to a long lasting and enjoyable professional career.
You might be digital forensics, it's something you enjoy, but you only had focus on cyber. It might be investigations, it should be a governance role or a compliance role. It might even be that you come in here to be a security admin manager and looking after personnel security, but found your way to cyber and incident response. So the one piece of advice from me in relation to a career in what we're doing, Ann, is make sure at the very start of your career you've got a broad scope and understanding of the size of opportunity enterprise security risk. Don't limit yourself to any one accountability like physical security or certainly cybersecurity, which is often common.
A
I love that advice. The final question: I always call myself a cyber optimist because I know for every attack we see in the news or every major event, we've stopped thousands as an industry and despite the challenges, there's always something that I'm looking forward to focusing in. Cybersecurity Awareness Month here in the US. Also, I've been focusing on talent, so I'd love to know what you are optimistic about when it comes to the future of cybersecurity.
B
Look, if folks can make it, folks can break it. And I'm optimistic about people making the difference. I'm optimistic about the future talent in our field, the fact that the generations behind us have grown up as digital natives with a mobile device in their hands and a PlayStation console. Cyber is just a stream of enterprise security risk management and folks shouldn't narrow, as I said, their focus to any one area. But I'm really very much have got the attitude that you can learn from the past, but there's a reason why the windscreen is so large and the rear view mirror is so small because the world is telling you to look forward. Keep an eye on the car in front, keep an eye on the traffic ahead, but really enjoy the journey. And I'm really optimistic about a the growth of enterprise security risk and the importance of it to most entities. But then all of the folks that we're going to need to help staff and manage and own some responsibility of enterprise security risk. It offers them a wonderful opportunity in career. So I'm optimistic about the new tech that's coming along and what it means. I'm optimistic about the folks that we'll need to have come and work with us and where those folks are from and the diversity that that offers. But most importantly, I think it's the young talent that I'm really rapt about, the bright understanding of tech and what these people can offer. And it's something that I think our industry could lean into more. We have to actually own a little bit more of the accountability of ensuring Gen Next see that the areas that we work is exciting and somewhere where they want to work. And I think if we actually have a Cybersecurity Awareness Month, for example, and it sounds to me like that's global, we really should be promoting the opportunities for the people to come and work with us, particularly the young folks.
A
I completely agree. And it's just purely coincidental that my starting post for Cybersecurity Awareness Month was about something called the Last Mile Education Fund and how Microsoft partners with them to provide scholarships for folks in the US who are going to go to technical school or community college to pursue a cyber education. So I think it is the future generation is what I am most optimistic about also. So I appreciate you joining us today, Darren. I know how busy you are. I've witnessed how busy you are and you always have such deep practical advice. You're pragmatic, you have great experience. I really appreciate you making the time.
B
Oh look, Ann, really privileged and humbled to be asked to join you. I know how widely listened to this podcast is and to think that you've reached out to the other side of the world and to us down here in Melbourne, Australia, to have us join you, it's a privilege. So thanks for all you do across the world in your role at Microsoft and then of course for hosting this and to your listeners. Be safe. And thanks again.
A
Awesome. Thanks to the audience for tuning in. Join us next time on Afternoon Cyber Tea. I invited Darren Kane to join Afternoon Cyber Tea because he's just such an industry expert and also has this incredible background where he brings together just this plethora of experience to really shape and think about the role of securing one of the largest infrastructure providers in Australia, on the entirety of the continent. So it was a great conversation. I know the audience will enjoy it.
Afternoon Cyber Tea with Ann Johnson
Episode: The Power of Converged Security in a Connected World
Guest: Darren Kane, Chief Security Officer, NBN
Date: October 28, 2025
This episode features Ann Johnson in conversation with Darren Kane, Chief Security Officer at NBN (Australia’s National Broadband Network). The discussion explores the concept of "converged security"—integrating cyber and physical security—and its critical role in protecting vast, critical infrastructure in an increasingly connected world. Kane shares insights drawn from his diverse background in law enforcement and corporate security, discussing challenges in modern cybersecurity, the influence of AI and automation, the rising importance of collaboration, organizational and human resilience, and the future of security leadership roles.
This episode delivers a comprehensive look into the complexity and necessity of converged security, especially for critical infrastructure at national scale. Darren Kane’s insights clarify that integrating cyber and physical security, embracing emerging technologies sensibly, prioritizing collaboration, focusing on resilience, and nurturing talent are key to future readiness. His pragmatic advice and message of optimism for coming generations offer both actionable strategies and inspiration for security professionals and business leaders alike.