PODCAST

THEOS Cybernova: The Cybersecurity Podcast for APAC Leaders

THEOS Cybernova delivers expert cybersecurity insights for business and security leaders in APAC. Hosted by THEOS Cyber CEO Paul Jackson, each episode dives into real incidents, strategic responses, and the evolving role of cyber leadership.

Episode Summary

For Group Chief Security Officer Tim McNulty, crisis management is not firefighting; it is foresight. Preparation, horizon scanning, and above all, communication are what turn chaos into resilience. His rule is simple: communicate up, communicate internally, communicate externally.

Tim also reflects on the human side of crisis leadership. He explains how the Asia Crisis and Security Group, formed in response to the 2003 tsunami, demonstrates the power of networks rooted in real-world events, proving that resilience is ultimately about people helping people. Along the way, he shares lessons from his journey through law enforcement and global finance, from breaking down silos to showing boards that security is a business enabler.

Essential listening for cybersecurity leaders who want to understand what true crisis leadership looks like.

About the Guest

Tim McNulty is the Chief Security Officer of a leading global financial institution, where he directs the organisation’s full security and resilience agenda. His remit includes the Chief Information Security Office, cyber defence operations, identity and access management, insider threat, fraud and cyber fusion centres, enterprise resilience and crisis management, as well as physical and technical security. Tim also serves on the Chief Operating Office Executive Committee, influencing the strategic delivery of core services across the enterprise.

He brings more than 25 years of experience, including nearly two decades at JPMorgan Chase in New York, London, and Singapore, where he rose to become Group Chief Security Officer. Tim began his career as a law enforcement officer in the UK and Hong Kong, specialising in counter-terrorism, surveillance, and investigations. He holds a Master’s in Security and Risk Management and a BA (Hons) in Sociology and Social Policy.

Tim McNulty
Group Chief Security Officer and Global Crisis Management Leader

Paul Jackson: Welcome to Theos Cybernova. Season two, episode six.

Today I’m joined by a legend of the security industry, a Chief Security Officer that everyone looks up to. Well known throughout the world, worked on three continents, and he’s here with me today, in Manila. Thanks for joining us today, Tim McNulty.

Tim McNulty: Thanks, Paul. Thanks. Yeah, that was a very nice intro.

Paul Jackson: Well, it’s one that’s well-earned. You know, you are extremely well known. You’ve worked with major banks. Well, two of the biggest banks in the world. And you’re moving on to a new journey, which will be disclosed at a later date, and we’re all looking forward to seeing how that goes for you. 

Tim McNulty: Yeah. I can’t talk about that, for obvious reasons, but, happy to talk about anything else.

Paul Jackson: Absolutely. Well, let’s start off with a cracker. Let’s ask you, how does one become a great security leader? 

Tim McNulty: Yeah, that’s always one of those million-dollar questions, isn’t it? It’s very personal to everybody. I think it starts off with training, experience, and then practice. 

So, if I go back to training when I was at University, Newcastle, I was made the club captain of the rugby organisation. And that wasn’t just the team captain that was running six teams, at Newcastle University. So it meant choosing the right teams on a Wednesday and on a Saturday.

So you let people down, and you were trying to get the best people or the best teams together, choosing the right leaders for those teams. Also, dragging people out of bed who slept in, and you had to throw them in. I had a mini, and I ended up with about six or seven rugby players in a mini, dropping them off at the various places to get them into the right place, and then obviously going to have to play yourself.

And so those administration or organization picking the right people, in the right place at the right time and be able to cajole people and work with people and understand them so you get the best out of them. And it was really interesting because you don’t know this is forming you when you’re doing that. To me, it was just, I love rugby.

Yes, I love playing, I love teams, and we just had a great time. But you don’t realise that those are the foundational steps.

Paul Jackson: You’re the third guest I’ve had on who’s attributed rugby to their success in leadership. And I think for all our listeners, maybe you need to don a pair of boots, right?

Tim McNulty: Yeah. I think rugby has always been the start of my journey, I guess. And it’s always taken me through. It’s one of the reasons I joined the Hong Kong Police. Because they paid you a salary, and you were able to play rugby in police time. 

Paul Jackson: Absolutely.

Tim McNulty: And so that was a real motivator for me. And at the time, you don’t realise it, but all of that being part of a team is really important. Yeah. Being able to lead a team is slightly different because you have to be part of something you’re leading. And I think if you look at global organisations, you have to be part of a larger organisation, but also be able to lead it. That’s about, again, about people having the right people in the right place, doing the right things.

Paul Jackson: I entirely agree with you. And when I’m interviewed on podcasts, I always attribute the learnings I got from the Hong Kong Police in those early days because we were both young when we joined. And you’re thrown into a leadership position right from an early age. And so, alongside the sport, you’ve got the actual work. And you’re leading teams often with offices. And they’re older than your dad. Right?

Tim McNulty: Yeah, I don’t know if you remember, but we used to have leadership training. I always thought that was great fun. It was like playing Cowboys and Indians, because you’re out there with a map, and you had to take a group of people to a point, then you had to do an ambush. You know, all of that good stuff. But that’s kind of more about the formality of training, because that was teaching us how to brief, how to lead and how to make decisions.

And I think decision-making, again, is a really important part of leadership. I do see around me a lot of the time people who like to manage, but when it comes to making a formal decision that’s going to either make or break a situation. There’s not many people who will take that. And I think one of the things about my journey is I’ve always felt that, if you take all of that information you have on hand and a decision needs to be made.

It’s your responsibility as a leader to make that decision and take the responsibility, and you taking that responsibility on top of the people you’re leading so that they don’t feel responsible for it. So the responsibility is all on you. That’s really important as well, because I think if people respect you when you take the good with the bad, if something doesn’t go so well, you take it on the chin, even though it may be one of your people who’ve caused that particular problem or issue, but you’ve led them into that. It’s so important that you take that responsibility and that success and failure.

Paul Jackson: Hundred percent, well, as you know very well, because you were the one who brought me across from the police to a certain large US bank. Well, we can name them, can’t we?

Tim McNulty: Yeah, sure. I mean, I took you out for a steak, I think sort of biannually and asked you the same question. Are you ready to leave? It cost me quite a lot of steaks, to be honest.

Paul Jackson: I do, I do like meat.

Tim McNulty: And again, I could see the way, when I started working at JPMorgan Chase, an Asia sort of regional remit I had at the time, but it was so obvious that the world was moving into technology. Banking was, when I joined, a bank. Now it is a technology company that does finance. That journey started then, and it was people with your experience in forensics, certainly around the investigation side, what we were trying to do was obviously get the right evidence. If we had an issue with it within the organization. We haven’t got the skills to do that because we were all less formally trained in that technical aspect.

So your hiring or me trying to grab you, into that organization was because I saw the development of that area. And I think it has obviously proven to develop that way. But that’s another reason, we’ve known each other for a long time, but I always knew I was going to hire you before anyone else. That’s the other thing is that just because somebody doesn’t apply for a job doesn’t mean to say that they don’t want to work for you. 

Paul Jackson: That’s a very good point. And you’re absolutely right. I must admit, though, I love police work, I’m sure you did as well. And we’ll talk a little bit about your journey in policing as well. But I absolutely loved what I did. We were pioneers in those days in this space that were well budgeted.

Yeah. So this is a really good point, Tim, because I loved police work. I absolutely loved it. We were pioneers in the Hong Kong Police. Developing new technologies for investigation, for high-tech investigations, because we had the budgets, we had the good manpower there. And it was very advanced in law enforcement came from all around the world to come to our training. It was a fabulous time, and I absolutely loved it.

But cometh the day, cometh the time. And we both knew that there would be the right time to move. And I did move. But I’ve got to be honest, I’ve done 20 years in the police by then. And I was thinking I’m going to JPMorgan Chase, right? It’s the world’s biggest bank by assets or whatever. And I’m going to be the dumb guy in the room. But what I quickly learned is exactly what you said earlier is you make decisions, you take charge of things. You design strategy, you come forward, and you are actually well-respected in places like that. And so it proved to be because both of us obviously did very well there.

Tim McNulty: Yeah. And I think when I joined JPMorgan Chase, it was very much a traditional security role. We were doing obviously physical security, which is the backbone. It’s actually the backbone of cybersecurity. We see that today. I mean, you have to protect your servers physically as well as protect them logically.

But we were doing investigations. We’re doing pre-employment screening. And we weren’t really using intelligence. We weren’t looking at what was happening in our region. We weren’t looking at crisis management. We weren’t looking at some of the issues where you can do pre-preparation to try and keep you as business as usual as possible.

And I started seeing all these opportunities, due diligence, looking at potential clients. And I didn’t look at it as no, your client’s KYC regulatory compliance, I saw it as how do we get the bank in a position with the right information to make the best deal? Because there were a lot of people at the time turning away from Indonesian clients because of the Suharto regime and anybody would play golf with Suharto, we couldn’t do business with them.

That was de facto. Well, I changed all that by getting more information and talking about the statute of limitations on people and where compliance and companies were starting to get better. So I started to see opportunities, weirdly, because from a police background, you kind of don’t expect that.

But I think what drove me was that as a policeman, you are the point of the organisation. When you go into a corporate, you help manage some of the risk in an organisation. And I didn’t like being in the back room. I wanted to be helping the business do what the business do.

I wanted to be the point. That’s always driven me with crisis management, due diligence and all of the other things that I’ve done and set up. It’s always driven probably by the fact that I know what we know, and what we learned can really help a business be successful as opposed to just protecting it.

Paul Jackson: Right. I think a couple of the key points you touched on there, that security shouldn’t just be seen as a cost centre, right? It should be a business enabler, a business driver. And I think we’ve both seen it that way. Cyber can be a business driver because you look after your clients, you help them in that cybersecurity journey that they may not understand. These high-worth individuals from a banking perspective anyway. And sure enough, it facilitates the business. Right?

From your point of view, things like that, making sure that you’ve got the right clients in using the investigative mindset to sort out who is a valid client versus who, well frankly, shouldn’t be a client, is of huge value. So, yeah, I think that mindset obviously set you well and led to you, obviously, expanding your career and going on to another CSO role, where you actually led the cyber teams as well. A very unusual position where the CISO actually reported to you. Right?

Tim McNulty: Yeah, I mean, at JPMorgan, I kind of run everything but the CISO organisation. But it became very clear, and this was sort of like, I don’t know, 2018, 2015-18. I was at JPMorgan. It became so obvious that those pieces were so siloed. But the collaboration was needed.

And collaboration at the time when I was there was seen as eating someone else’s lunch. You know, comments like ‘stay in your lane,’ etc. And I just thought, you know what? This is actually going to weaken the organisational strength. And when you talk about if a CISO doesn’t understand that physical security sort of objectives within the organisation, how can you say that cybersecurity starts at the logical end? At firewalls?

How can you say that’s part of firewalls and not say that it’s actually the perimeter of the data centre, or it’s how Amazon is managing their data centres that’s actually the cloud, right? That’s the first place to start. And then we can start talking about zero trust and all this other good stuff. But unless you get your basics right, unless it talks to the whole organisation, I don’t think it’s a holistic risk program.

That’s always been my belief. So, an example, when I joined my current company, we had a lot of attacks on our ATMs, and you’ll know what I’m going to say, but that was a very distinct sort of round hole being drilled in the top right-hand corner of the ATM. Our physical security team couldn’t understand why we were being vandalised.

That’s kind of how it was being described. And I started putting together a team meeting every morning to discuss cyber issues, physical issues, investigative issues, fraud issues. And we started talking about what happened in the last 24, 48 hours. So they came up and started talking about all these ATMs that had this hole drilled in them, and they were how they were going to put a plate on it.

And somebody from the cyber side said, well, obviously they’re trying to jackpot the machine because that hole is to enable them to pull the wires up to the machine and pull the money out. Oh, said the physical security team. And it was just that first one, the first win. Yes. And then people started to understand within the organisation that actually they needed to be talking about holistic risk and not about siloed risk.

Paul Jackson: Yeah, they got the rationale for it. That’s so important to get that first win, isn’t it? Because there’s so much resistance, I’ve seen it time and again. Now, I work on the consulting side. I see inside a lot of companies and there’s still that siloed stay in your lane mentality that you alluded to.

So when we do go into clients now, we try to get them in the same room. We try to get security and physical security, and cyber security and risk, and all the other components talking together and trying to come up with solutions and thinking of the human nature of the problem rather than just from IT thinking in ones and zeros, from physical thinking of cards and guards.

So it’s slowly happening. I think we’re seeing more and more companies embracing it. And what is good is that I get a lot of physical security leaders actually coming to me and saying, Hey, Paul, what courses should I be doing to improve my understanding of cybersecurity? I don’t want to be a hands-on, you know, technical way. I just want to understand it. And that’s a good sign. I think more and more security leaders are now embracing the fact that they need to be crossover.

Tim McNulty: Yeah, and I think there’s some fear amongst security managers who haven’t sort of been formally trained in cybersecurity. But I think if you boil it down to its basis, security hasn’t changed since they built the castle.

And they still have visibility by mowing the fields down. They still operate intelligence by having horseback riders running around the forest to see if there’s anybody watching. They still have thick walls. They still have defence in depth. And the concept of looking after all of the gold at the centre of the castle in the strong room.

Well, that’s a data centre. And so fundamentally, security hasn’t changed. How we actually employ the controls has changed enormously and continues to change because we’re moving now into cloud environments, etc. But I think physical security managers should embrace their own knowledge. And certainly, when I was managing insider threat when I was at JPMorgan and when I moved into my next organisation, as you say, I was managing the whole function.

I’m a great believer in getting a basis of an understanding. So I did do some reading and I kind of understood where I needed to go, what I needed to do. But I think from a leadership perspective, there’s a humility aspect that you don’t know everything. And what you should be doing is working at what you don’t know.

And when I first went there, we had some quite interesting DDoS attacks. So I was layer seven, DDoS attacks, etc. And I didn’t understand what that was. So, we had an office near Manchester, and I went up there, and I spent a day with one of our engineers who took me through what all this meant, how it worked, how it fitted together.

That really stood me in good stead. And so what I’ve done, what I did over the seven years of managing this function is with every incident and every issue, you’ve got to be able to deep dive, accept you don’t know something, but be able to deep dive enough into it so that you can actually then explain it to other people. And I think that’s really important. So you have to work really hard at doing that. That’s a constant education, and I educate myself all the time.

Paul Jackson: Right. So you, again, touched on a really important point. Because to be a leader of these functions, you don’t need to be an expert, right? You need to know how to lead and how to identify and manage the right people.

So people often ask me, where should the CISO function, the cybersecurity function sit in terms of the org chart? And I highlighted already that yours was quite a unique situation where it reported to the CSO. That doesn’t happen very often. So what are your views? I know you’re gonna say it’s about the person, but really if you didn’t know the organisation or the person in charge of the organization, where would you sit the cyber security team?

Tim McNulty: If you think about operational risk. If you look at most organisations who have a chief operating officer, their responsibility is managing the risk for the organisation. And they normally, again, trained in a certain way that could be a technologist, they could be a finance person, they could be from the business.

But what they actually hold is that ability to look at holistic risk across the firm. So you have to understand what the firm’s strategic objectives are, how that translates into what requirements are needed in technology and operations, what risks are involved in that and that could be regulatory, it could be resilience, it could be cyber commanding. And they ensure that the programs that you have in place are meeting those objectives. And so me, as the CSO, I took a lot of that responsibility from the COO because I reported to them. But I was looking after resilience, cyber investigations, physical security, crisis management.

Paul Jackson: That’s huge. How many people did you have?

Tim McNulty: I had about 2000 people to run all that. And it’s a big organisation, it was almost like a mini CLO. So I would say that that was what my role was. And when I started thinking about it in terms of risk and strategic decisioning, then it helped me a lot. I had a really good CISO. I had a really good head of investigations, had a really good head of physical security. These were all very mature, experienced people.

But to bring all that together into a holistic program, that was what my responsibility was. And I think that’s really about understanding the risk the firm need to take in order to be successful and managing that risk accordingly.

Paul Jackson: Right. So what advice would you give to an aspiring CSO, somebody who’s looking at you, who went from being a police constable? Oh, well, first of all, obviously Hong Kong Police, but then a police constable in the UK to being, well, one of the leaders, the strongest CSOs in the world.

Tim McNulty: Yeah, it was all an accident.

Paul Jackson: I don’t believe that for one minute.

Tim McNulty: To be honest, it was because I just said yes. So, the reason I ended up at JPMorgan was I was asked by an ex Royal Hong Kong Police colleague, who I met at a barbecue in Sussex because they were currently working for JPMorgan in Asia and somebody had just left them, who was looking at due diligence and investigations, and he just asked me if I was interested and I wasn’t massively interested. I mean, I was running a surveillance team, I was driving up and down the country at 300 miles an hour. I was calling in helicopters and it was really exciting. But then in my 30s, it was like, how long can you play cowboys and Indians?

How long can you chase the bad guy? How long can you call in the gunships? And there was part of me again that hankered back for Asia. I love Asia and we’re in the Philippines today. Yes. I’m here on my own volition. But, I love Asia. And to get back to Asia was something that I sort of hankered for.

So, this role was in Singapore, and I didn’t really know what it was. I just said, yes. And then when I arrived, I sort of thought, oh, what do I have to do? So I said yes because I like the overall opportunity. And then from there, I started off at sort of running investigations crisis. I developed a crisis management program.

I developed an intelligence program sort of underneath. And then, he, my boss then left. And at the time Chase were buying JPMorgan and the head of the region for Chase in Asia was sitting in New York, which was probably my advantage because they suddenly thought, well, we’ve got somebody sitting in the region, why don’t we use that?

So I don’t think I necessarily, I interviewed for the job, but I don’t think I necessarily won it on merit because I just, I kind of won it on location. But from there then it got really interesting because then I could start playing with what I had. Yes. I built the first command center in virtually a broom cupboard in Capital Tower in Singapore that was taking it all.

I was trying to network at our technical security. And so I’ve not always been involved in just sort of physical security. I was getting involved in technical security. And in order to do that, I went on a week’s course learning how to wire, access control systems. So actually, I’m a qualified fitter of access control systems.

Paul Jackson: Wow. Have you ever fitted one?

Tim McNulty: No, I built one in the lab, but I’ve never fitted one. But it allowed me when I went to test the commissioned them to actually catch out some of the installers who weren’t necessarily as diligent as I should have been. And but that allowed me that knowledge allowed me then to be a bit more powerful in that area because I needed to understand.

And I’ve always done that. I’ve always pieced pieces of information, grabbed a course here, done some education there because that’s really important to develop yourself as you move forward. And I do the same today.

Paul Jackson: Right. Now, like myself, you’re a great believer in governance. And, you recently like myself, attended a non-executive director program, for yours in the UK, I did the Financial Times. And you were at the which one?

Tim McNulty: Institute of Directors in London.

Paul Jackson: Got it. What did you get out of that and what were your reasons for?

Tim McNulty: So I spend a lot of time with boards and we spend a lot of time talking to boards about risks, cyber, crisis management, ransomware was the big thing I was doing. And I was trying to get more involvement from the board. But you really then have to understand what the board’s responsibilities are and try and hit the key points to allow them so that they’re looking at managing the strategic risk of the organisation as opposed to the operational risk of the organisation, the credit risk, the market risk.

They have a view on that, but it’s not their job to do that. It’s their job to set a kind of a strategic direction. So doing that course, understanding how companies run, how balance sheets work, how boards are comprised, what the fundamental sort of elements of board duties are. I think it really helps you. And it did actually the first time I spoke to the board after that, it was obviously a completely different conversation, just naturally, because I kind of knew what they wanted to hear and that was why I did it.

But also, I think that’s given me a much broader understanding of how businesses are run and therefore how the banks run, and also allows me to do my job better. So again, education is important. And I did a master’s in security and risk management soon after I joined JPMorgan in order to try and be able to translate my experience in law enforcement into what a corporate organisation would understand. The language is different, the outcomes and the elements are probably not right.

Paul Jackson: Yeah, no, I think you know, we joined very well. We attended those courses for pretty much the same reasons then. Yeah. And because obviously my job I speak to a lot of boards as well. And it’s absolutely the right thing to do to understand what their focus is, what their interests are, what their responsibilities are. And, it’s no use to me just talking about cyber without making it relevant to them. So, I found it extremely helpful, I have to say. So, yeah, it was very much a good thing. So another thing I wanted to touch on with you is crisis. Now, you’ve mentioned it a few times already in this podcast. But crisis is a big word, isn’t it? And crisis can take many forms.

Tim McNulty: I love crisis. That’s when I’m alive. Because I think it’s the essence of the job that we do. People in our organisations haven’t had the training we’ve had. We’ve had to be able to make quick decisions in a dynamically changing situation.

And, I think that skill is really important to bring to an organisation. But there’s so much you can do with crisis. It’s not about the crisis. The work is before. And if you don’t do the work before, if you don’t see how a crisis might start, if you don’t understand how issues occur and start to try and minimise those far out, then you’ll have lots of practice at crisis.

The idea is with crisis management is not to have a crisis. Albeit, when you do have a crisis, you have to have a really good way of managing that, and informing people and making the right decisions. So my view on crisis. So long-term intelligence horizon scanning is so important, understanding what is going to impact your business in lots of different ways.

That requires working with the business to understand what makes them tick, what makes them float, what worries them on a day-to-day basis, taking that and saying, how if we knew a day before that they got impacted, how would that help them? And then that starts to help you understand resiliency planning. And so I think it’s about giving the business time to respond.

And, so all of the work you do, a horizon scanning level intelligence management, talking to the business early, mitigating and mitigating you, providing time for people to understand it and what we try and do, with horizon scanning, if this is the best outcome. So horizon scanning identifies potential impacts that the business is going to have a big problem with.

You managed to get, give them two weeks notice as a result of getting that two weeks notice, you’re able to look at that impact, see exactly where it’s going to impact, and run a test on that. So you do a crisis management test on that particular scenario. Out of that scenario, you get lots of different controls that you need to mitigate and work out and enhance. You then look at that. You do an after-action report on that, and you’re still before the crisis has hit. By the time the crisis hits you, you’re almost BAU.

So an example of that is actually, as we’re sitting in the Philippines when I was at JPMorgan, every year we had a typhoon, and every year we know that the typhoon tracks around through the Philippines, and up towards Hong Kong, China. And we know that it happens between a certain amount of months, and every year, we, the office, used to get flooded and knocked out, and people wouldn’t be able to get to work. And so I was thinking about this, and I said, look, if we were able to get some sandbags because we know where areas flood because we’ve seen it every year, if we were able to understand who was key, who needed to be in the office.

We got some supplies and some cots for them to sleep in and what have you. We could do a preparation session before the typhoon season and then when typhoon season comes, we can actually then ride through it because we know exactly what we’re doing. That’s a really good example of horizon scanning and that’s seasonal.

Yes, and it’s not just something that blows up like SARS or coronavirus or whatever. So that’s a really good example, but you take that example and you apply it to everything a business does. And so that’s really simple concept, a lot of hard work. But crisis is about planning and intelligence. And then having a really good process for managing the aftermath of when you do actually get hit by things because cyber attacks happen like that. And we have to respond and jump to that, having a really good communication system. Being I think as the crisis leader, being in charge, making decisions really well.

Paul Jackson: I try because we obviously do a lot of these crisis exercises, cyber crisis drills, and each one is different because, as you rightly say, you have to find out what would hurt the organisation most.

You know what’s the biggest point of failure. And what I find is one of the weak links in many companies is that key role of communication, right? Somebody who manages the crisis. And for the longest time, I’m normally brought in by a CISO or somebody in cyber IT or whatever to run the exercise.

And I say, well, have you told your Chief Security Officer and the answer ninety percent of the time is no, why would I? And, it’s kind of frustrating because I always find or not always, but mostly find that if the CSO is involved, that person knows crisis, they can take charge. And even if they don’t understand the ins and outs, they can manage to make sure the playbooks are being adhered to. The communication channels are there.

Tim McNulty: It’s managing the structure of the crisis. So whatever the crisis is, it never matters. Yes. So it’s interesting because when I do crisis training, I always start off, which really annoys people, by saying the three most important things you have to understand in crisis. And everybody gets their pens out. Here he goes, and he’s going to sort it all out.

And I say number one is communication. Number two is communication. And number three is communication. And then I break that down into number one is communication up. Number two is communication internally. And number three is communication externally. And if you get all those things right, you pretty much win. If you forget one of those, you pretty much lose.

Even if you manage to get back into some kind of BAU activity and you solve your tech problem, whatever it may be, you have lost a customer, you have lost your people, you have got newspaper reporting that is erroneous. And in a banking environment, what are the most important things you have to avoid? It’s things like a run on the bank. Customers need to have confidence in the fact that you can supply them with money.

Interestingly enough, the most used, if you look at any banking app, the most used part of that banking app is people looking at their balance. They do it multiple times a day, and if they can’t look at that balance, then that confidence starts to go. So if you’re able to design your technology system and your mobile app so that actually checking your balance is kind of separate from everything else. Yes. If you’ve got a big problem with your payment system and you can still see your money’s in the bank, that’s massive.

Paul Jackson: That’s interesting. Very interesting. Yeah, I wouldn’t have thought of it that way. But I guess you’ve put a lot of study into that and looked at a lot of metrics. That’s quite fascinating. But yeah, crisis. So, because I know we’re running out of time on this one, but by extension from the crisis you got involved with, the Asia Crisis and Security Group. Would you like to tell us a little bit about that? Because I think that plays a very important role.

Tim McNulty: Yeah, the other part of a good crisis manager is also having help and then other people in the organisation and their network, and network is something you really have to build. But it takes time, the right people in the right places. So Asia Crisis and Security Group was formed after the tsunami. I think in 2003, I think so, I think 2003. So I was in Singapore, tsunami occurred, and unfortunately, there were lots of people who were holidaying at that time in that area, Thailand and Sri Lanka and all these other areas that were affected.

And so it wasn’t necessarily a business crisis. So the businesses were not impacted, but the people were, and we weren’t really that well set up to manage a big sort of disjointed people operation. And so many of us got together, all of the different banks got together, and wider organisations beyond banks. I mean, we had JCB, we had all sorts of different people.

And we all got together and said, look, we all have resources, we all have some bigger operations in some of these countries and others. How do we use the resources we’ve got if we pool them? And so if I was looking for twenty people in Thailand, we already had people on the ground in Thailand working for another company.

So I would give them the names and the identification of those people in order for them to help find them. And so we really were just a coordinated, sort of UN-type approach to managing crisis. And it was really successful. As a result of that, the ACSG was born, and then it became a shared information sharing situation.

So then it really looked at what’s happening in the region. And that’s a preplanning, pre-crisis. If we see a situation happening in Indonesia that may affect business, then we start talking about it, and there’s somebody on the ground in Indonesia who might not work for JPMorgan, but they work for the Bank of America or whoever. And so that pooling of information was really, really important.

And then Mark Hargraves, who sadly is not with us anymore, who was really the lifeblood of that. Yes, and almost singly kept that going for many, many years, and it’s still going today. And I’m now an advisor to that organisation. We just had the 20 year anniversary this year, when you and I came over for that in Singapore.

But the element of coordinating and helping each other in crisis really does help protect organisations. And it’s so important. I tried to build a similar kind of thing in Europe, and it didn’t quite go the same way, with their various small organisations. But I think there’s so many competing organisations that are focusing on so many different things that it’s a little difficult to create something that everybody buys into without having that thing that people can touch. We formed out of a crisis, so everybody realised it was working. To form it without, like, a significant event, I think, is a little more difficult to do.

Paul Jackson: I agree. It was timing, but the reality is now it attracted some superb professionals. Of course, I’m not allowed to be a member anymore because I’m on the dark side as a consultant. It’s only for in-house, chief security or security folks. But I feel honoured whenever I get invited to attend these meetings and speak at these meetings as the cyber contributor or whatever. But it’s just a fascinating bunch of folks who I love talking to. And we’re about to meet a couple of them, in a few minutes’ time, from that organisation.

Tim McNulty: It’s recognised by the International Security Managers Association, ISMA. So it works, and it works closely with governments as well. And certainly, when we were looking at the tsunami in Thailand, we were working very closely with the British government as well, with their emergency teams.

Paul Jackson: Right. So the likely listener is probably from a cyber background rather than a physical security background, but anybody who is, if your physical security leads aren’t members or aren’t involved, they should be.

Shouldn’t they, Tim? Really?

Tim McNulty: They should. And it doesn’t just sort of come together in crisis; we do a lot of mentoring, trying to bring more junior members of the security organisations in Asia, specifically because I think in Europe, in the US, there’s lots of courses and lots of hands-on issues. I think in Asia, sometimes, people need a bit more guidance because the industry is a little younger, but that’s really developing. It’s just a good place to share information.

Paul Jackson: Right. Well, that’s a good point to end on a good high note there. And, but I always ask my guests, one last question every time because, well, you know me well, Tim, I’m a music lover of vinyl music, predominantly. And it’s my way of decompressing because we all operate in a stressful world. Right? And so I love listening to music. And how about yourself? What are you listening to these days?

Tim McNulty: Yeah. AC/DC when I’m driving, that’s my go-to. And my daughters always say if they put AC/DC on when I’m in the car, I’ll get there quicker. I’m not sure that’s breaking the speed limits. And then I like a bit of soul. Teddy Swims is a kind of YouTube now moving into the kind of more mainstream.

Then there’s a guy that I’ve been following in Brighton called Ren, REN, who’s doing some interesting things, but that’s a bit rap-oriented and quite out there. So I’ve got quite an eclectic mix, but I do hop back to kind of, you know, the 80s anthems. That’s kind of where my general music sort of taste sits.

Paul Jackson: Right. Well, very interesting, and Tim McNulty, thank you so much for joining me today and taking up a bit of your time on your vacation to talk to us. Some of the stuff you talked about is absolutely fantastic information. Really appreciate your giving of your time to be with me today.

Tim McNulty: No problem. It’s been great. Thanks, Paul.

Paul Jackson: Thanks.
