
The Power of Converged Security in a Connected World
Ann Johnson: Welcome to Afternoon Cyber Tea, where we explore the intersection of innovation and cyber security. I'm your host, Ann Johnson. From the front lines of digital defense, to groundbreaking advancements shaping our digital future, we will bring you the latest insights, expert interviews, and captivating stories to stay one step ahead. [ Music ] Today, I'm excited to be joined by Darren Kane, Chief Security Officer at NBN. Darren has held this role since March 2015, leading a converged security group that integrates physical and cyber security to protect NBN's people and assets against evolving threats. Darren's extensive career spans law enforcement, financial enforcement, and corporate security. Darren spent 13 years with the Australian Federal Police, and six and one-half years with the Australian Security and Investigations Commission, serving as the Assistant Director of National Enforcement. Darren then joined Telstra, where he spent 11 years in senior security roles, including four and a half years as Director of Corporate Security and Investigations. Together, we're going to explore the biggest challenges shaping cyber security today, the impact of AI and emerging technologies on resilience and defense, and how leaders can guide organizations and teams through constant change. Welcome to Afternoon Cyber Tea, Darren!
Darren Kane: Well, good morning actually down here in Australia, Ann, and I'm really pleased to be able to join you for the morning tea for me, and for Afternoon Tea for yourself and the folks listening.
Ann Johnson: Well, awesome, and hopefully you're having some good morning tea, or maybe you're just having a flat white, whatever works for you. So you've had an interesting career, from police, to financial enforcement, corporate investigations at Telstra, and now first leading this converged security org at NBN. That's quite the spectrum of experiences that all intersect through security and resilience. Can you talk about what motivated your transition into cyber security leadership? And how has your background in policing and enforcement shaped the way you think about converged security?
Darren Kane: Well, firstly, I always wanted to be a police officer, from a very young age, and I thought by joining the Federal Police, here in Australia, a little like your FBI, I would have an opportunity to actually not just be contained by the state jurisdictions, by the state based police force, but I would actually have both a national and international aspect to policing. I found that I spent most of my policing career in transnational organized crime, and working for different government agencies, looking at that particular crime type. I then felt that looking at the financial sector and working for your-what is your SEC, for example, is not Australian Securities and Investments Commission, was an opportunity to take my knowledge around organized crime into the financial markets. And then ultimately, you could actually see that tech towards the start of the dot com boom, the late 90s and 2000s, the tech was going to be really important. And in fact, would facilitate crime. And that's when I made the decision to actually go corporate and joined Telstra, which is Australia's largest mobile carrier down here, and was at that time the whole-well, majority government owned. So from there, I built out my knowledge and capabilities in the tech side of the telecommunications and information technology and looked particularly at cyber safety in, so my big start in this space was around the education and awareness of online users working for our biggest site, Perth, at the time, which was BigPond, which was owned by Telstra. And it was through that engagement that I got to meet Microsoft for the first time, and traveled across to Redmond, but not only that, I had a role with the Virtual Global Task Force, which was international crime, sponsored by large [inaudible 00:03:51], and looking at education awareness for the different online risks. 
And then ultimately, as I became deeper and deeper involved in the tech side of enterprise security risk management, I could actually see that technology applications, networks, platforms, were supporting both IT and OT, security risk controls, and I learnt from that aspect that a lot of money was being spent in the enterprise security risk space on tech, and yet my ability to actually control or have authority about where and how that money was spent was incredibly limited, because I was actually on the physical personnel side of the business. So really, to be quite honest, it was that aspect of finance and access to resourcing that truly motivated me to actually move across to a converged security model. And I really do want to make a point that my role here at the NBN isn't just about cyber, and managing the actual ever-evolving threat that is coming from that particular stream of security risk, and one of the best things about being in charge of everything if you like, so all aspects of security risk, is that I actually am the person that actually speaks to the C-suite, and speaks to Board, and our government owners, on how we are managing it. If we have a post-incident response, for example, there is no finger-pointing. There's just talking to me, and I'm able to use what I think is a pretty transparent and honest communication style to help them understand how managing things-and look, I think the other thing, too, going back to your question about how my experience in law enforcement has helped shape my certainty around the effectiveness of a converged or all-hazards security approach is that transnational organized crime is not siloed.
If you pass a murder to Homicide, having missed an opportunity to crack a drug ring with the DEA or having missed an opportunity to have a look at a significant fraud in the financial markets, because you've only looked at it as one aspect of crime, and because of my experience, I looked at it more holistically, and if you think of your position, it's more like Eureka, if you look at everything they're doing, it gives you a better understanding of the size, scope, and possible solution to managing the risk.
Ann Johnson: Yeah, and I love how you bring it together, because it makes it intuitive. And I'm going to ask another question about that, but before I do that, we have a large global audience, and whilst NBN is incredibly important in Australia and in the region, I suspect that some in our audience may not actually know who NBN is, how critically important you are, and what you do. So before we go into our next question, can you talk just a little bit about the organization?
Darren Kane: Yeah, certainly. In fact, it's an organization I'm incredibly proud of. And so thanks for this opportunity. It's got a significant purpose, the NBN, so when you're thinking about connectivity in Australia, it's fitting to probably compare our island continent with maybe mainland USA. Australia is a continent that spans about 7.7 million square kilometers. Now, to put that into your perspective, mainland USA is about 9.5 million. The USA is the world's third largest country, and Australia is the sixth. On the flipside, the USA's population is 333.2 million. Which is over 12 times Australia's 26.7. Now, the USA's population density is 38 inhabitants per square kilometer. Australia's is only 3.5. Now, I actually give you all those stats to help you understand just what the challenge is to try and connect wholesale broadband connectivity to all our inhabitants. With many rural and rich communities, we must connect and not leave any behind, now that's the purpose and mission of the NBN, to ensure that everybody isn't left behind the digital divide. So, it was established, the National Broadband Network Co was established back in 2009, by the Commonwealth of Australia, that's our federal government. It is a government-owned organization that designs, builds, and operates the country's wholesale broadband access network. The NBN plays a critical role in delivering fast, reliable, resilient, and most importantly for me-a secure broadband connectivity. Simply, the NBN Co is the nation's digital backbone. It's Australia's largest critical infrastructure project. I ran 80% of the nation's data packaged, parses through our multi-technology mixed network, with fiber every day. And we've got cable exceeding around about 390,000 kilometers, which is nearly ten times around the world. And that's my responsibility to keep secure.
Now, what is interesting, and it's a stat I often use, we've got around about 10 million homes and businesses connected with multi-gig capability. Now in our last Census, we've got anywhere between 2.3 and possibly 2.6 people per premise. So around about 23 to 26 million folk rely on NBN every day for connectivity.
Ann Johnson: That's a lot, Darren, across as you mentioned, it's not a lot of humans across a large expanse, so as you think about the work you do, I'll move into our next question with this, as you think about the work you do, it is about connecting people in pretty remote areas, and a lot of physical infrastructure too, as well as cyber. So this unique role you have where you're putting physical and cyber together, a lot of organizations-I'm not going to say most-but a lot of organizations still treat those as separate functions. Yours is not only quite forward-leaning, it's expansive across a really large geography. So how do you think about it? And how do you get advantages from the combination like your example of having a drug bust and a murder investigation? How do you actually converge the physical and logical security in protecting this large, vast network across a continent?
Darren Kane: Ann, from my perspective, it's a really good question, and we are a unique utility if you think about it. And our broadband has become an essential utility. It's like water and power, nowadays. Connectivity is such an inherent requirement for everyday life, and to have that utility, you must have critical infrastructure. And if you've got critical infrastructure, you've got a lot of physical infrastructure. You have a lot of people required to manage and run that infrastructure, and from my perspective, if I was only to look at one stream of security risk, think people, there would be so much interaction that I would have to have with the actual accountability owner, the physical security and the cyber security, that I have always been someone who recognized that you would be much better off having sole accountability for all three, and managing the risk in that fashion, because it would be more effective and more efficient. Now, I recognize nowadays that way of managing the risk isn't everybody's cup of tea, or a requirement, but I do believe that nearly every enterprise, right across the globe, has a situation where there is now such interaction and crossover between those three, possibly four or five different streams, and the other couple of streams would be governance, risk compliance, the GIC, investigations, digital forensics, even resilience, incident response and recovery is starting to fold into that accountability. Now, I think you need a helicopter view of all of those issues, and all of the duplications and crossovers to be effective and efficient in managing that risk. 
Look, one of the other advantages that I've never seen when I started to first think about an all hazards or a converged security model, way back in 2008, 2009, and I was lucky enough to be given the opportunity to introduce it here at NBN in 2015, it's only in the last four or five years that I've really picked up on this issue and to pinch a line from Meghan Trainor, which was all about the bass, no treble; this is all about the data and no trouble. If you can think of all the data feeds that I'm getting from all of the different streams I have accountability for, all of the cyber, data, your logins, your monitorings, your sim action and so forth-all of your VX passes or VX beam, swipes on doors, your enterprise building integration capability, all of the times, text, tape, keys in to access points of interconnect, and if you think of all of the actual data that is available to me around managing personnel security, I actually have all of that feeding into our fusion center. And now, with the assistance of machines, and we're going to be talking about AI on the podcast, think about how valuable a picture I get because I've got all of those data feeds? Now, if I didn't have that accountability across all of the streams, I would actually have to go looking to have that data released to me. I've got authority and control across the top of the data, and as we know, data is the new gold, it's the new oil. So that's one of the advantages that has belatedly come to me, since we've been running the model into the fusion center.
Ann Johnson: So, if someone had asked Big OH's podcast if you would have quoted Meghan Trainor, the answer would be no, I'd expect maybe Nick Cave, or something like that [laughing], but moving along with our topic--
Darren Kane: Yeah, I only just thought about it, because it's all about the data, no trouble. And what's going on, on other than before. And look, when the proverbial ship hits the sand, if you like, you won't have business units pointing fingers at each other and saying well this was your fault, this was your fault, this was your fault. What we've got here at the NBN is they will point the finger at me and say "listen, what's happened?"
Ann Johnson: Yeah.
Darren Kane: And that again is another benefit of the all hazards approach of being employed here at the NBN.
Ann Johnson: So, the world is changing, right?
Darren Kane: Yeah.
Ann Johnson: The stakes are incredibly high because you're protecting critical infrastructure across millions of people, across, as we mentioned, a very large geography. And you're not just dealing with cyber threat today, you're dealing with cables, under-sea cables, you're dealing with nation state actors, you're dealing with physical challenges, you're dealing with potentially sabotage, right? How do you think about mitigating all of this at scale across again a very large geography?
Darren Kane: That's a really good question. How do I think about it? Firstly, prioritization. So, what I generally look at is what is the most critical of our assets, and why is it important that we protect them first? So if I look at like a consequence of failure, I work hand-in-glove in great collaboration with government, and with other Telcos down here, who actually buy wholesale access office, so upstream would be government engagement, downstream would be all of our retail service providers who ultimately send out the access to the end-user here in Australia. So I prioritize those assets, I look at what controls and capabilities are required to manage that, and then, this is where Microsoft and other vendors come into the process. I also recognize very quickly that my capability here with the team that I actually have the privilege to manage are only as effective as the controls and capabilities of the vendors that support me. And I definitely do not look upon the third party providers of both product and service as a necessary evil to do my job. I see you people as someone who is part of the team, and by you people, I'm actually speaking of Microsoft in this instance, but it may be other hyper-scalers, it may be other product providers. But I see them as people who are very, very important to me, and someone who I have to be in sync with and have a trusted relationship and partnership with, and then, from that perspective, I take great pride in ensuring the team understands the importance of the assets they're protecting, and the mission and purpose they have. And then from that prioritization aspect, we actually work our way down a list of things that we must protect all the time, then some of the things that are something that we can take more of a risk with. 
So very much a risk-based approach here at the NBN, on criticality of asset, and then the components of those assets that are also important to ensure they're running effectively, and we just work our way down that role. As I said, I think most importantly it's relationships, both with government, with the RSPs who sell it, with our vendors and providers, and then ultimately, end-users. One of the things that I think is really important, and I have a job to do, is to help those that are actually getting benefit through connectivity with the wholesale broadband, knowing their responsibilities in, knowing and understanding how they can have the best experience, and what sort of simple security measures and controls that they can deploy to protect themselves? Because I think you'd understand this, and so would most of your listeners, to this podcast, is that Enterprise Security Risk Management on a scale that we're talking about cannot be left to a small group of people. It must be done holistically, across an environment, who have a responsibility and a connection back to the capability they enjoy.
Ann Johnson: I think that you've touched on a couple of things, and I want to pull the thread across collaboration a little bit more, in partnership, and talking about folks, us, you, other people, because in the world we're in, no innovation can afford to defend alone, right? We just can't afford to stand alone. I don't mean financially necessarily, I mean just in general. You've had experience in government, you've had experience in private sector. We've talked a lot as an industry for many years about collaboration. Collaboration to strengthen cyber defense, collective defense, resilience. What models have you seen that actually work in practice?
Darren Kane: Ah! That's a really good question. I think we need to be careful we're not too prescriptive around models. Certainly, down here in Australia, for example, the Australian Federal Government have just introduced some significant reforms around the security of critical infrastructure, and they have identified 11 areas or sectors of industry where certain participants in our sectors important to the overall critical infrastructure environment and supporting Australians, so we've been actually captured by that reform, and there's a different framework that the governments have actually required us to now be compliant with, and that's called SOCIF as an acronym-Security of Critical Infrastructure Framework. And it is different in particular models and frameworks that we're actually working toward. Now, here, it's the essential eight? Which is things like patching apps, patching UOS, multi-factor identification, who has privileged access, application controls, with street macros, for example, Apple cash and hardening, and, of course, spec outs is the example, that framework. And there's about eight criteria to the essential eight, and they're called essential for a reason, because it's a way for the government to measure maturity risk controls, against a certain framework. There's also MIST down here in Australia, which can be part of the SOCIF reforms, and then, of course, the government has its own policy which we call the Protective Security Policy Framework. Now what's important about that last one, PSPF, it is largely looking at holistically how you manage things. So it's the people like myself who have a converged security model. That's the framework where, or the framework we're working to down here. It's only recently applied to us. And look, I'm a supporter and promoter of that, because I think the government is trying to ensure that all aspects of the critical infrastructure dependency are at a certain level, and I think that's a good thing. 
Another thing which is more of a practical model that I think works incredibly well, and is collaboration, and trusted relationships between people who have similar accountabilities. And I don't just mean those in the tel-car sector [phonetic spelling], or those in the critical infrastructure sector. I'm talking about those who have accountability for security risk in their enterprise, and all of the people that actually are participants in an environment. And that includes yourself, at Microsoft, who is a huge global supporter of most of the folk that do roles like mine. So that's our model that we're working to down here. That framework, I think, is a good thing. And I think it will offer significant improvements around security controls, and I can't see at the moment having any downsides, but as we get deeper into it, obviously there will be room for improvement and continuous learning. But at the moment, that's where we're working to, and the model seems to be working.
Ann Johnson: It's really great. I also, I note the Australian government is leaning forward on critical infrastructure. I think SOCIF is a very good starting step. It's also something the world can model in a lot of places, right? Regulation, and I'm going in a little different direction, and then I'll ask you a question, but regulation being practical is really helpful, and regulation being about defense is really useful, so we'll see, right? We'll see how it plays out, but I was in Australia a few weeks ago, and I had the opportunity to learn a lot about it, and it's one of those things that I think is a step in the right direction, so hopefully as the-it also drives what we were talking about, collaboration, and also drives the community to come together, and think about the-how you all become more resilient from critical infrastructure entities, and sharing best practices amongst each other.
Darren Kane: Yeah, and look, one of the definite benefits from this is if you're like a rising tide and there's all boats, there's incredible dependency in this integrated world we live in, where we are relying so heavily on different upstream dependencies, and of course downstream dependencies. And the example of that would be energy upstreamed from the NBN capability now that Telcos, and then of course, all of the capability we provide different industries from their connectivity downstream. Now if any of us have an impact through poor security controls, or poor security posture and hygiene, well, the actual flow and effect across the community is significant. So that's why the government is trying to target an overall approach to ensure everybody is at a certain standard, and to me, that makes a lot of sense.
Ann Johnson: Yeah, exactly. Well let's pivot. The audience knows it's coming, you know it's coming. We're going to talk about artificial intelligence for a minute. We are starting to see it really reshape the threat landscape, for the moment, hyper-focused on what I call phishing, right? There's some other places, but we're talking pretty openly about how we're seeing it changing the phishing landscape. It's obviously changing the defensive toolkit with a lot of organizations, and I think that in a critical infrastructure environment, in a region of the world that is sensitive, right? We're going to see really pronounced and profound impacts from AI. So how are you thinking about AI, and automation? What's your approach? Are you being slow? Are you rushing? I don't think you-I think you are very practical. I don't think you're rushing anything, but where do you see the greatest risks, and where do you see the greatest opportunities for applying these technologies, particularly in defense?
Darren Kane: Yeah, look, there wouldn't have been a podcast in 2025 if I hadn't been asked the question of AI, and it's appropriate that we talk about it. So many artificial intelligence really became a reality in late '22, with the introduction of ChatGPT, and just all of the things that brought to us. But always remember, Ann, I'm an aggressive promoter of good security being an enabler for a high performance business. If we rely too much on the catastrophizing of the downside of risks that AI might represent, I really do think we may miss the upside of the opportunity. So firstly, yes, I think AI does represent a risk. But I also think that if you approach it in a positive fashion and help the organization understand what good security controls, hygiene, aimed leaning towards the benefits that may come from machine-based learning, and automation, you may actually have an opportunity to benefit from it. So that's the first thing, is a positive approach to it. It the idea that artificial intelligence is transforming our field of expertise, our-our role. In less than two years, its evolution or revolution has become a business priority and perhaps a security vulnerability. And it's sort of something that we should be aware of, for sure. It's helping us to take threats faster, automate responses, analyze fast data sets, goes back to what I said about Meghan Trainor, it's all about the data, no trouble. Because of the converged security model in all of the data feeds, think of the opportunities that AI is offering ourselves here at the NBN Co. And inside that there's vulnerabilities. Adversaries are obviously using AI too, to speed the scale of sophistication, and it's having an impact on C-socs and incident response capabilities, I mean, it is very real and near that we're going within a significant issue. Largely, those issues are third-parties, so it goes back to what I said about a rising tide, and lifting all boats. 
And we must understand that AI is both a shield and a sword. It plays a dual edged sort of things in our roles, and this is something that I've actually learned from my engagement with you this year Ann, is that our defenses must evolve to anticipate not just known threats, but also the emerging ones. So understanding how constantly we should be almost testing ourselves through IOA machines, almost offensive simulations, and the learnings from that, and how that can actually train our defensive models, and what we can learn from our global partners, who have actually had a similar experience. And I think that will be really important. Because it actually allows us to speak-to respond, to follow up on AI automation and our approach. Our greatest risk is applying in defenses. How do we get what we know into our systems and capabilities controls as quickly as we possibly can? Because there is no data that our adversaries-are doing that offensive attacking. So much quicker nowadays. So we're looking at that issue as well.
Ann Johnson: Yeah, and as you said, data is the new gold. It's all about the data. And I would encourage folks, and I think you'd probably agree, that having good data hygiene, good data controls, understanding where your data is traversing, understanding where your data is, classification, labeling, data loss prevention, all of those things are going to make or break whether your AI program is successful.
Darren Kane: Absolutely. Well said, and I call it battlefield information, you know? Who has got the planes, and how are you going to defend? Who has got an understanding of what strategic capability you've got? Who owns that accountability or to protect it? And can those folks be trusted? So you're quite right. Categorization, classification of data, and its protection, I think, is going to be critical, as well.
Ann Johnson: Yeah, agreed. Well let's talk a little bit about resilience, because as you know, I talk a ton about resilience. I talk a ton about organizational resilience, but of course, we have human resilience, and psychological safety, particularly in cyber. I don't know the folks outside of cyber security understand the types of information that the cyber security teams may come in contact with, and some of it really does risk the psychological safety of your employees. So can you talk about both dimensions? How do you think about organizational resilience, meaning, that those data lines and those cables, and those things that drive information across the continent of Australia can't go down, and then just talk a little bit about psychological safety and what you do for your team.
Darren Kane: That's a fantastic question, and it's an incredibly important one, yeah, to actually speak on, and I've spent a lot of time now in some of my presentations talking about the concept of shift left, but move right. Everyone knows that shift left means that we actually have to be better at identification, and the proactive protection of our capabilities and our networks, platforms, applications-because by doing that we are actually, not actually having to actually sort of constantly defend and respond, recover, from a breach. So that's the shift left concept. But nowadays, we all must move right. We all must actually spend a large part of our resourcing budgets, our strategy efforts around how we are going to respond, and what have we got in place to ensure that response is the shortest period of time to recovery? And I often think about I have a number of ex-law enforcement folk work with me here, and one young fellow who was working with me for a very long time said look, I don't know whether you've thought about this, but our training from a young age in law enforcement has always been about if we actually do something today, we put something in place, we don't just think about the impact that will have today, we think about the ongoing effect maybe three or four, or even five steps ahead. And if you put it in law enforcement speak, if we actually do a particular investigation inquiry today, we get an outcome, we've actually got to think about how that will play out through the investigation going forward. But most importantly how will we present that evidence in court? And how do we ensure that it will be seen as something that's been gathered lawfully, and what effect it will have? And so we're always thinking three, and four, and five steps ahead, it's just trying to do that, and when you think of resilience, I always think of the defendable position we must have in the event of a PIR, or post-incident review. 
I always think about, well, what would someone in a post-incident review look to Darren Kane to have had in place, to manage a particular risk, that he or the company should have known about? And that, to me, is how we actually set up our incidents. It's how we set up our security controls for prioritization of our most critical assets. It's how I actually ensure the people that are working with me are trained to actually respond. And that's coming back from law enforcement training. I cannot stress enough the importance of good security posture and hygiene. Just getting the basics right, for good resilience. Ensuring that people understand what their roles are, and that they are going to do their roles accurately and timely. As even entities through some of the highest security risk controls continue to focus on awareness around the basics, be it past phrases, suspicious things, or even keeping devices up to date, they're examples of your just really good basic hygiene, or in this time and resources, in building a culture of security at NBN, where the mantra that security is everyone's responsibility resonates with almost every employee, all down to even the simplest of things like wearing lanyards, that people are able to identify folk when they're in our facilities. It's a simple example of that. I have a very strong educational awareness campaigns and we do communications down here in Australia for example, and saw the security awareness month, where the government, ourselves, and other entities are actually supporting educational awareness efforts across the months. The only other thing I did want to touch on was your question around what about our people, and the folks that we rely upon to manage the actual-firstly controls, and ensure they're working effectively-but probably most importantly incident response and recovery, nowadays it's probably not a matter of if, but when we have a vulnerability and how do we respond to it? 
And unfortunately they're coming on with an amazing frequency of light, and I won't go through stats here, I don't think that's helpful. But I will be able to tell the audience that it is happening very regularly, and we are relying on the same small cohort of people each time to respond. And sure, through muscle memory and training and constant standing up, they've become more efficient and more effective, and more capable. But at the same time, it's a huge burden to carry, and I often think the folk that work in this space are over-invested in their mission, and they do have a bit of a fear of failure around what happens if Australia loses capability of the NBN? So the past-of the team and helping them understand what their role is, how they're managing their role, ensuring their wellbeing in the workplace, and a balanced life existing outside the workplace, is probably the most significant priority I have in managing the role I've got there. I take the pastoral care of the team probably as important as any priority that I've got.
Ann Johnson: That's great to hear. Which also brings me to the evolving role, right? The CISO, or the CSO, roles are really expanding, particularly in recent years. And you talked about the-right? That you were reporting to the Board, you're talking to senior-level leadership, you're navigating SOCIF and other regulations. How do you see how the roles evolved in the years ahead, and what advice would you give to folks that are aspiring CISOs or CSOs?
Darren Kane: Wow, well I could go everywhere with this answer, Ann, but look, I'm the guy who says drop the I. I'm a firm believer that the days of the CISO are slowly coming to an end. I believe the title of Chief Security Officer will be one that most CISOs will eventually evolve to, and it's for the reasons that we've spoken about on the podcast today. It's just such an evolving area, and title, that I can't see it not going in that direction. And the role is so much bigger now than just information security, as we've mentioned. Now, we've come a long way, from sitting in a basement to now sitting at the Board table. In fact, I firmly believe that a CSO role can be done by a senior business executive who has very limited security understanding or experience. I think an effective junior executive, business executive, could come in and learn from his or her significant direct reports across the different strains. Things like seeing personnel, think physical, think admin. And that person over 6 to 12 months could become familiar with their accountability and then in 12 to 18 months become almost expert in managing up, down and across, around this accountability. And ultimately, can move on, maybe to a COO role, Chief Operating Officer role, maybe to a Chief Customer role? Maybe to a Chief Financial Officer role. And ultimately, I think that most competent CEOs in the future will need to actually demonstrate a capability and even an owned-accountability of enterprise security risk. So I actually think the evolution of this role that we call Chief Security Officer now will be one where it is probably an opportunity or advantage to have some experience in managing security risk on your CV, or resume. Why do I say that? Well, almost every Board survey, every government response, even most C-suite surveys, are asked the question what keeps you up at night? And usually the answer is cyber or security attack.
So therefore, it makes sense that you've got someone who is leading the organization have that experience in their resume. So that's where I think it's going. We test the-yeah go ahead-
Ann Johnson: No, I was going to say, what you're saying makes an awful lot of sense, and it ties into we're getting down into the last two questions I want to ask you, is take that in context of your own personal career journey, right? First, what's one piece of advice you wish you'd received earlier in your career? How does that shape who you are today? And then what do you think that listeners should take away, or could take away from your journey, that ties into your comments of where you think the role of CSO is going?
Darren Kane: Piece of advice that I received? I've always been somebody who has had a lot of confidence, and a lot of neat tools, and people that have invested themselves in my career early on, have seen that, so that actually encouraged me to continue to fake it until I make it, so they basically said look, you're someone who can actually take on a risk and manage it until you become expert and better at it. So I've always done that. And when you look at my career, and the different aspects of it, I think it's reasonable to say that that's basically how I've managed to learn, and build skills, and capability. So that's something that I've recommended to others, that I see have similar traits. But I also encourage others that are more studious, and are more risk averse, to bite off as much as they can chew. And then just chew like hell, to make sure they can actually learn and grow, because the one thing that I'm seeing in the world today, Ann, is the speed in which evolution is happening. And if you take your time to try and become expert in things nowadays, sometimes you may miss the opportunity. So that's my advice. Some other advice to folk in relation to moving into this area of accountability that you and I are both working around enterprise security risk is don't limit yourself to one particular capability or stream. Don't go to a university with an attitude, or coming out with a graduate degree with an attitude that I only want to work in cyber. Make sure that you understand that you want to work in enterprise security risk and that will ensure A, there's plenty of different areas to get your foot in the door in, whereas if you just concentrate on one small sliver of accountability, it would be harder to break into.
And you really don't know until you know it, and once you get inside okay, an organization for example like NBN Security Group, there's so many different areas that somebody can actually find a pathway to a long-lasting and enjoyable professional career. There might be digital forensics. It's something you enjoy, but you are only ahead focused on cyber. It might be investigations. And it should be a governance role, or a compliance role. It might even be that you've come in here to be a security admin manager, and looking after personnel security. That sands your way to cyber. And incident response. So the one piece of advice from me, in relation to a career, in what we're doing Ann, is make sure at the very start of your career, you've got a broad scope and understanding of the size of opportunity, enterprise security risk. Don't limit yourself to only one accountability or physical security or certain cyber security, which is often common.
Ann Johnson: I love that advice. The final question. I always call myself a cyber optimist, because I know for every attack we see on the news, or every major event we've stopped thousands, as an industry. And despite the challenges, there's always something that I'm looking forward to, or focusing in cyber security we're in this month here in the US also. I've been focusing on talent. So I'd love to know what you are optimistic about when it comes to the future of cyber security?
Darren Kane: Well, look, you first can make it, folks can break it. I'm optimistic about people making the difference. I'm optimistic about the future talent in their field, the fact that the generations behind us have grown up as digital natives, with a mobile device in their hands, and a PlayStation console. Cyber is just a stream of enterprise security risk management, and folks should know, as I said, their focus to any one area, but I'm really very much-have got the attitude that you can learn from the past, but there's a reason why the windscreen is so large, and the rear-view mirror is so small. Because the world is telling you to look forward, keep an eye on the car in front, keep an eye on the traffic ahead, but really enjoy the journey. And I'm really optimistic about, A, the growth of enterprise security risk and the importance of it, so most entities, but then all of the folks that we're going to need to help staff and manage, and own some responsibility of enterprise security risk. It offers them a wonderful opportunity and career. So I'm optimistic about the new tech that's coming along and what it means. I'm optimistic about the folks that we'll need to have come and work with us, and where those folks are from, and the diversity that offers. But most importantly, I think it's the young talent that I'm really rapt about, the bright understanding of tech and what those people can offer, and it's something that I think our industry could lean into more. We have to actually own a little bit more of the accountability of men, of ensuring gen mixed, seed the areas that we work, it's exciting and somewhere they want to work, and I think if we actually have a cyber security awareness month, for example, and it sounds to me like that's global, we really should be promoting the opportunities for the people that come and work with us, particularly the young folk.
Ann Johnson: I completely agree, and it's just purely coincidental that my starting post for Cyber Security Awareness Month was about something called the Last Mile Education Fund, and how Microsoft partners with them to provide scholarships for folks in the US who were going to technical school or community college, to pursue a cyber education, so I think it is the future generation, is what I am most optimistic about also. So I appreciate you joining us today, Darren. I know how busy you are. I've witnessed how busy you are, and you always have such deep practical advice, you're pragmatic, you have great experience. I really appreciate you making the time.
Darren Kane: Look, Ann, really privileged and humbled to be asked to join you. I know how wildly listened-to this podcast is, and to think that you've reached out to the other side of the world and to us, Ann, you're known in Australia. To have us join you, it's a privilege. So thanks for all you do, across the world, in your role at Microsoft. And then, of course, for hosting this. And to your listeners, be safe. And thanks again.
Ann Johnson: [Background music] Awesome, thanks to the audience for tuning in. Join us next time on Afternoon Cyber Tea. [ Music ] I invited Darren Kane to join Afternoon Cyber Tea because he's just such an industry expert, and also has this incredible background where he brings together just this plethora of experience to really shape and think about the role of securing one of the largest infrastructure providers in Australia, on the entirety of the continent. So it was a great conversation, and I know the audience will enjoy it. [ Music ]
