PODCAST
The View from Down Under

About the Guest

Nigel Phair
Professor
Department of Software Systems & Cybersecurity
Monash University

Nigel Phair is a Professor within the Faculty of Information Technology at Monash University. He is an influential analyst on the intersection of technology, crime and society. Nigel has published five acclaimed books on the international impact of cybercrime, is a regular media commentator and provides executive and board advice on strategy, risk & governance of technology. In a 21 year career with the Australian Federal Police he achieved the rank of Detective Superintendent and was a Team Leader of investigations at the Australian High Tech Crime Centre for over four years. He is a non-executive director on several Australian boards.
Credits:
Presented by: Paul Jackson
Studio engineering and editing: Roy D’Monte
Executive producers: Paul Jackson and Ian Carless
Co-production by: THEOS Cyber and W4 Podcast Studio
Stay Connected
- Nigel Phair LinkedIn: https://www.linkedin.com/in/nigelphair/
- Cybercrime in Australia: 20 years of in-action: https://amzn.asia/d/g0FpxhP
- Under Pressure: Empowering Cyber Security Incident Responders: https://amzn.asia/d/fCilJja
- Cybercrime: The Challenge for the Legal Profession: https://amzn.asia/d/1euIOcb
- Cybercrime: The Reality of the Threat: https://amzn.asia/d/6vwfOi9
- Paul Jackson LinkedIn: https://www.linkedin.com/in/jacksonhk/
- THEOS Cyber Website: https://theos-cyber.com/
- THEOS Cyber LinkedIn: https://www.linkedin.com/company/theos-cyber/
- THEOS Cybernova LinkedIn: https://www.linkedin.com/showcase/theos-cybernova/
- THEOS Cybernova Instagram: https://www.instagram.com/theoscybernova/
Episode Transcript
Paul Jackson: Wherever you are in the world. Hello and welcome to THEOS Cybernova podcasts. Before we begin, I’ve got a quick favor to ask from you. There’s one simple way that you could support our show, and that’s by hitting the follow or subscribe buttons on the app that you’re listening to the show on right now. It makes a huge difference in helping to get the show out there to as many people as possible.
So please, please give us a hand and click that button now. Thank you very much for.
The THEOS Cybernova podcast hosted by Paul Jackson. So here we are with the second episode of THEOS Cybernova podcast. I’m Paul Jackson, and each week we are digging into the latest trends, challenges, innovations that are shaping the cyber security landscape. As well as talking to a fantastic mix of leading industry experts, thought leaders and technologists. So whether you’re a professional in the field or simply curious about staying safe in the digital age, we hope that THEOS Cybernova will operate valuable knowledge and actionable insights for everyone.
So today, I’m delighted to welcome Nigel Phair to the show. Nigel is based down under in Australia and like myself, started his career in law enforcement. I believe Nigel, you also served almost 22 years as a cop with the Australian Federal Police. Is that right?
Nigel Phair: That is correct, Paul.
Paul Jackson: Yeah. So pretty. Yeah. Pretty coincidental because I did just slightly under 22 years with the Hong Kong police.
So really great to have you on the show. And of course, we met through our connections through Interpol back in the good old days when we were both fighting crime. But I made the decision afterwards to go into like, finance with the banking JP Morgan, I guess, for the money, but also, you know, to expand my career.
And then more recently, of course, I’ve been in the consulting world, and, and now I’m the CEO of, THEOS Cyber. So what guided your decisions after leaving the police? And where are you now? Tell us a little bit about your story, Nigel.
Nigel Phair: Yeah, that’s an interesting one, Paul. Well, I think it’s interesting. I might be fractionally biased, but, you know, when you and I met, the word cyber wasn’t even around, and that was well over 20 years ago.
Paul Jackson: Yeah. That’s a remind me how old I am. Thanks, Nigel.
Nigel Phair: Yeah. I think you’re a very young police officer for your time, but don’t you know, I did I did, you know Australian High Tech Crime Center again before it was called cyber and then did, you know, went to the AFP area for a couple of years and I do the secondment to be the Department of Defense.
And at the end of that secondment, there was nothing really going for me in the AFP. There was no one saying, come and work on this great crime type and do X, Y and Z. So I thought, yeah, I’m gonna have a, I don’t have a crack and test myself. And I resigned and went out and was working in a range of different roles, but primarily with my very good friend Ellis MacGibbon.
And we I’d like to think we’re reasonably early pioneers at what is now known as trust and safety. And now everyone has a trust and safety person that works for them. Every organization has some type of lead and body that does awareness, and I think our lack of success was mainly we tried to do it too early before it all became very popular.
Paul Jackson: So where did you take it from there? Nigel.
Nigel Phair: After doing that for a number of years we were based at the University of Canberra. We were doing some teaching, we were doing some research into a whole range of a different part to the online environment. And then that was going quite well. And then we concluded our MoU, our commercial relationship with the University of Canberra, when there was a change of vice chancellor and then out of the blue, I got a call from the University of New South Wales and was asked to go and lead the cyber center at the Australian Defense Force Academy.
So I did that for nearly five years and was doing some other bits and pieces consulting on the side. So on some boards go, you know, did a lot of public speaking. We used to a lot of media still do a lot of media, you know, just generally most days there’ll be a piece of media that’ll come along and one thing I’ve learned in that time with the media is the simpler it is, the more they like you.
Paul Jackson: 100%. You know, if you can distill something into, you know, that’s easily understood by the masses, then you see, you’ve kind of half way through winning the battle.
Nigel Phair: You are. And I think it’s important. And I’ve gone away from sort of the snobbery value of doing breakfast TV, because that’s where all the people are. And they still like you’re talking about passwords.
So as much as I went through a stage of, you know, I anyone to do the high-falutin media stuff is, you’ve just got to get to where the people are and you’ve got to. And there is a playbook for getting media which I, you know, subsequently learned along the way. And, you know, when you’ve got research to release or you just want to get some of your ideas out there, or you just want to be completely reactive to a large scale data breach with what you think should have happened in the incident response, for example, having that message for that outlet was exactly what you need to do.
So I did that, for I still do a little bit for you. And through there, a little body in Sydney called Safe Edu, which is a really important part of how do we get more students going through doing their cyber or related degree and software engineering, etc., bachelor rights and get them into the workforce. So we’ve been holding some yearly conferences.
We had a really big students, teams of four capture the flag in October last year, where we had 47 teams from across Australian universities have a go with a four week long CTF, pretty involved, pretty hard. And so we want to do more of that. And we talk to a whole range of, industry about how do we get those people opportunities to get the smart young people into industry and solving the problems that we need solving.
So I still do a bit of that. And then, the rest of my days I work part time at, Monash University as a professor of cyber security. There I look after the, Australia chapter of CREST, the Council of Registered Ethical Security Testers, which is a great not for profit out of the UK. That’s been going for a good seven, 18 years and is really, really ramping up with over 400 members globally to professionalize the industry.
Both the organizations and the people that work in it. And then I’ve been doing a bit of work for a, a US based startup called Codex, which is a law enforcement liaison, case management platform where policing can make inquiries of, of organizations.
Paul Jackson: Oh, that’s interesting. And I’ll talk to you in a moment about collaboration between the public and private sector, because I know it’s a hot topic and one that’s always discussed at various law enforcement conferences, etc.
But let me talk to you a little bit about the university work that, that you’re doing. And what exactly do you teach? I mean, what’s the theme of your lectures?
Nigel Phair: Well, I’m actually in a non teaching role at the moment, so, but, my, my main interaction with students, which is, which is actually very enjoyable is the integrated workplace learning packages.
So we have a really good cohort of students. We have a really good cohort of industry that support those students. They go off for a semester and they do some actually deep dive meaningful work. And I get to, follow the students through their journey. I speak to them three times throughout the semester, beginning, middle and end, checking in on them.
Make sure they’re doing all right. Make sure they’re doing daily logs and weekly reflections and meaningful work. And I’m getting them ready for their final, not just written assessment, but their oral assessment to their peers of how it was and what they’ve learned. And it’s fascinating to what these young people can do. And when I think back to when I was a 22 year old, for example, and I joined the police at 22, if there’s no way I was that organized, like some of these uni students are, they’ve they’ve really got their act together and they’re really going to contribute immensely to society, not just in cyber but just generally.
Paul Jackson: Can I ask you about the nature of students? Because here where I am, obviously I’m up in the, the Southeast Asia part of our region, and there’s always this challenge of getting the best and the brightest into cyber security because, you know, this kind of the old way of thinking that you make more money as a doctor or a lawyer or whatever, and therefore, you know, cyber security is perhaps lower in profile in attracting the best and the brightest.
Is that the case in Australia overall, or do you see a difference?
Nigel Phair: I see a difference because people acknowledge the value of a technology degree. Where do they actually take that into a cyber career? Is, I think, the interesting thing that one of the things I found the most interesting is, yeah, people that study cyber security often have a preset idea of what they want to do, and invariably it’s the young guys that want to be pen testers, for example.
And then they get put in and guys and girls like get put into the these roles with industry and they get looked after. Well. And most of the time they don’t get to choose what they want to do. And you’d be surprised how many people I talk to about doing a GRC roles, for example, I didn’t even know this existed, but I’m really lucky.
Or they’re doing code review or, you know, they all just think they’re going to be smashing iPods and hacking boxes and it’s all going to be cool. But, you know, they’re doing a range of, you know, that they realize this type of work they’ve got to do. And, you know, it’s one thing writing code, but the other thing is writing secure code.
And then the next thing after that is actually writing documentation about the code and what that actually does and, and how it is under the hood. And it’s fascinating talking to them as they go through that journey, because at the beginning they got to write down what their goals are. And in the mid term placement they’ve got to revise their goals.
And when you have the final discussion, you remember at the beginning you said you thought you going to achieve this and now you’ve achieved something completely different. It just like blown away with with how it is. And you’d be surprised how many of them get offered jobs afterwards because these people go, this is just a six month long job interview.
I want you to stay because you’re awesome.
Paul Jackson: Yeah, it’s interesting, but you just gave me a good lead in as well to a key question. When you talk about guys and gals, I mean, are you seeing the balance become a little bit better in terms of encouraging, women in cyber to significantly. So that’s good to hear. Yeah.
Nigel Phair: No, it is good. There’s a lot of work that’s being done globally, but also in Australia we have the Australian Women Security Network and a range of other not-for-profit groups which are getting out to high schools and sort of setting the table. I think to think we’ve got a long way to go to really get it. But particularly for technical careers, I think it’s giving girls that confidence that they can be technical if they want to rather than it’s, it’s the guys in the pen testers or whatever it might be.
And also, I think the big thing is explaining all the different types of cyber careers that you can have in your one cyber career.
Paul Jackson: Indeed. Well, we’ve, we’ve at this we just hired, what are the best female, pen testers red team is that I know of in the region. And it’s so encouraging to see that sort of talent emerging. She’s a real prospect for the future, and, we’re really proud to have her on the team. So I guess whilst I don’t see, Southeast Asia as being, you know, the gap narrowing anytime soon, I think there are we’re definitely seeing signs of improvement, but it’s really encouraging to hear that Australia is, is kind of leading the march on this.
Nigel Phair: Yeah. I don’t know how we get going globally with numbers, but we’re definitely getting there because yeah, it’s one thing getting, you know, the smart young things through university. We’ve still also got to work at mid-career people as well. And I’m a firm believer that there’s a cyber career for everyone. At whatever stage you are in, whatever career you’re in, you know, if you can apply that whatever thinking that you’ve come from, you can apply it to, you know, whether it’s through the intelligence or trying to solve problems or incident response or those sorts of things.
And that’s where I think it comes down to. We’re still not very good at explaining what a career in cyber security actually makes. Yeah.
Paul Jackson: Well said. I think you’re absolutely right there. And, you know, it’s something I’ve tried very hard. You know even back in the days of, JP Morgan, you know, I tried to get the teams to, to interact more. Not, not be in silos. So, you know, the investigators interacting more with the pen testers because who better to try and understand or unravel what the hack about done in the environment than an ethical hacker themselves, right. And work closely with the DFI team, the forensics folks to try and just tell a story.
Nigel Phair: Yeah. And I think that’s super important because, you know, as we know, it’s not to say they’re solving business problems.
They’re not technical problems. And solving. We’re trying to we’re trying to, you know, keep businesses and governments, you know, functioning. We’re trying to make them more resilient to cyber attacks. So I think getting people from a range of different business areas and talking those people to say, actually, this is what our mission is, it’s a business mission. We’re not we’re not trying to secure a network.
We’re trying to secure a business or an organization. You know, that’s still got a lot of work in progress to do.
Paul Jackson: Right. So, you know, you talked about, you know, your journey from the, the public sector into the private sector, happens a lot, doesn’t it? How is Australia doing about retaining talent in government? Because, you know, we see Hong Kong, Singapore or other places around our region, the Philippines.
Nigel Phair: That, yeah, unfortunately, companies like ourselves are hiring, the most talented people from government. I was Australia to. Yeah. I think we’re, you know, doing okay, but at best, okay. You know, no better or no worse than anywhere else. And I think, you know, going back to, to when we created the Australian High Tech Crime Center in 2002, we could back then we couldn’t compete with salaries from, you know, court, the big four consulting firms.
There were hardly any generalize cyber consulting firms, but the big four were doing mainly incident response. And I think what government needs is much, much better on the sales pitch because people would go off to the big four, particularly for what wasn’t was called digital forensics back then, wasn’t really internet responsive. And that’s what they were doing. And all of a sudden they realize it’s all about the billable hours.
They weren’t getting a train. They never went to a conference. They never got to play. It’s all about getting out there. And sure, they doubled their salary, but they didn’t particularly many of them didn’t enjoy the work, and all we could do at the time was we were contracted to to Dell for laptops that we would buy people.
The most expensive Dell laptop that you could. We would spend $5,000 on something with virtually no memory. And yeah, not much in the way of software that and whenever the latest Nokia mobile phone came out, we buy one of that all the time because we couldn’t compete on salary. But we gave people lots of cool training.
We gave them lots of opportunities to go to a conference and speak, or go overseas and meet with their peers or do a whole range of things. And I yeah, that that’s really valuable, I think, for people at all stages of their career. And I don’t think government globally, I think they rest on their laurels. And the other thing they need to also better explain to people is, I think it doesn’t matter how cool your consulting company is and how cool you think the stuff you do is, once you get a security clearance and you’re working in government, you are working against the best cyber criminals.
Yes. And you’re you are doing at the highest levels with the coolest equipment and the coolest partners. And that’s the other thing that the, the, the, the public sector has got to better explain to people. Yeah, if you want to learn to hack, this is where you learn to hack in the people you’re doing it against. You know, it’s pretty it’s pretty much all out in the open now.
All major, particularly Western governments are all saying that that that there’s some active defense for want of a better nomenclature. So, yeah, if you want to do the cool stuff, you go to the government and I think it’s great what we’re not good at. And I think you’re going to lead to this anyway, is transitioning those people into the private sector.
And it kind of pains me to say this. The US probably do it the best way. When you leave government and you go to the private sector, you’re not dead to people, right? Whereas in Australia, in a lot of other places, I’m saying you, you, you, you struggle to chat again with your work colleagues in a meaningful way because I think you’ve sold your soul.
And I think that’s a real shame because the government can’t solve all the problems. That’s why they bring in consultancies like you guys to, to help them. That’s the reality. So they should be acknowledging that. I think just because you’ve left government, you haven’t left the mandate that is securing the nation’s critical infrastructure.
Paul Jackson: I think you’ve just made a really important point there because, yeah, even when I left the police here, you know, I felt like a bit of a turncoat and a traitor to the, the rest of the guys, and yeah. So because I lived in the US for a while when I was with JP Morgan, and obviously JP Morgan was full of former US law enforcement guys, I could see the big difference. I could see exactly what you just said. You know, they were still interacting with their colleagues. And you’re right. I think they set the bar very high over there in terms of those relationships.
Now, I was just at the Interpol working party meeting for Asia Pacific region. I was invited to go there just a couple of months ago. It was actually held in Manila, and I attended that. And it had been, it had been oh 24, 23, 24 years since my first working party meeting and you know what? The topics were still very, very similar.
Said, I think what we’ve done, you know, a lot of it’s around the, you know, the need for the public private partnerships, which you brought up earlier in this conversation and how is still not succeeding in that. I don’t know what. Do you have any answers? How do we improve the public private partnerships?
Nigel Phair: Well, so culture, I think is what it is. So firstly, as we’ve just discussed, it’s acknowledging that just because you’ve left government doesn’t mean that you are still not, you know, focused on the mission that is that is, you know, protecting a nation’s piece of critical infrastructure. I think that’s the first piece of culture. The second one is the government people. And you and I probably didn’t know this either when we were in government.
And no one told us that the private sector is gold completely different to the government? And, you know, it is about the billable hours. And if you’re listed, it’s about earnings per share, per quarter. And you know, if you’re in a consulting business, it is about having a certain percentage of, of billable hours. And that’s just how it is.
And I think that’s the next step. Where that culture falls down is that there’s a different aspect or a different way of looking almost at every meeting. And it’s not always brutally commercial, but, you know, people get it wrong on both sides. You know, we had many vendors at the AFP that would come along in the early days and want to give us a whole lot of free stuff, and then they’d get upset when they didn’t win a tender for, say, the antivirus, for the whole network of the AFP because they thought, oh, well, we’ve but we’ve given, you know, a whole lot of dongles of, of incident response forensics, whatever the people.
So why didn’t we get that? And so I think on both sides of the coin, there’s a lot of lessons. How we bring that together is again, he’s just, I think, working on the culture, but acknowledging that everyone’s got a role to play. I think also universities can come into it to the extent and obviously I get paid to say that, yeah, I can, I can just in case my vice chancellor is listening.
But they can come in to the extent that when I’ve looked through Europe, there’s a lot of people in industry that have adjunct professor and similar ships with universities, and they’re widely culture. So I think there is a bit of a breach along the way. I think we should be getting universities, maybe not in the middle, because that’ll just blur things.
So they have they have the exactly a similar thing, have their own goals and cultures and everything. But I think it’s acknowledging that everyone can do something different. I think it’s, you know, we have problems with people getting security clearances once they’ve left. That’s a that’s another issue I’ve been lucky I’ve had along the way enough consulting opportunities in back in the government where there’s been a department says, yes, we will retain a clearance for you so you can come and talk about certain things with us.
But there’s a lot of people that that would have a, again, a good story. Yeah. You guys, through your network probably see an awful lot of things that some other people don’t. Yet government in some governments may or may not want to hear that for various reasons. So I you know, I blame doesn’t lie anywhere. But improvement lies everywhere of just chipping away and joining up.
I think it security clearances. I think it’s bringing people in. It’s lawyering. It. You know that we have our Australian Cyber Security Center in its capital city. We have at what’s called the JCS Joint Cyber Security Center. I think it’s a brilliant idea where business can come in, but that’s only brilliant to the extent that if a business can come in and talk to government about what they’re saying on a two way dialog, if you don’t make it overly onerous for the NDA, that’s got to be signed when it goes to the in-house lawyers and they just get we’re not signing this because we’re not sharing it because and we’ve just got some brand new legislation late last year, like November last year, where the government doesn’t have to or can’t give information to the regulators. So the lawyering side of it, rightly or wrongly, is still a long way to play out to join this all up. But the sharing of threat intelligence is it would be a great way and is a great way it’s happening.
Having said that, there’s a lot of organizations that technically can’t receive threat intelligence because actually don’t know what to do with it.
Paul Jackson: Yeah, that’s true, that’s true. But yeah, I think you touched on the law, the legal side of things. And you’re absolutely right. One of the challenges, and I know that from talking well, from my own experience and from talking to folks who are in-house, is that they are kind of shackled.
You know, the companies are risk averse and they don’t want, you know, to engage in sharing because it’s, you know, potential fear of reputational damage or leaks coming, even coming out of law enforcement. Let’s face it. You know, we see we see multiple instances where law enforcement themselves have been responsible for leaks. So I guess it’s all that one word, isn’t it. Trust. And that’s what we’ve really got to think.
Nigel Phair: I think it is. But we’ve still got to address that whole legal issue because, you know, there’s a number of prominent law firms who have some big cyber incident response practices particular in the back of national legislation. You know, we have we have data breach legislation. Most, most advanced jurisdictions now do.
That’s now becoming a more of a headline in the boardroom. And I think the easy kneejerk response from a group of company directors is I want more legal advice, not less.
Paul Jackson: Right, right. And by the way, you’re throwing me some real easy ones here because you’re leading into the next questions beautifully because I wanted to talk about governance and boards and but wait, let’s start off with your book.
Nigel Phair: There’s five of them now is there.
Paul Jackson: Gosh, all New York Times bestsellers.
Nigel Phair: Number one with a bullet.
Paul Jackson: There you go. So what made you decide to start writing in the first place?
Nigel Phair: You know, maybe it’s the wannabe academic in me. You know, it’s interesting.
So I wrote my first one back in 2006 called Cybercrime: The Reality of the Threat. And it’s funny, when I now look back at that book and some of the predictions I made, luckily, phishing is still going because I said I said, but my big thing, phishing is going to be huge. And, then I tried to get them all, and I know that now.
I wrote Cybercrime: The Challenge for the Legal Profession. I think about 2010, I wrote Technology for Company Directors because I used to do a lot of in boardroom briefings, a lot that was like a fraud for a little while or most of, you know, a full time job in between the two university engagements. I then the last one is, an incident response.
And what that means for responders and, no psychologist, but I tipped on that. But the one before that in the middle was, we had the Australian Cybercrime Act come out in 2001. So I always envisaged I’d write one on the 20th anniversary. So I wrote Cybercrime in Australia: 20 Years of In-action back in 2021. And, you know, I really I was lucky I had a researcher that helped me with that.
But we looked at a lot of case studies and, you know, we did surveys of people. We looked at legislation and we looked at a whole range of different things. And, you know, law enforcement unfortunately just doesn’t do anywhere enough.
Paul Jackson: No, it doesn’t, but I think, you know, anybody who served, quite a number of years in law enforcement automatically gets, the title of psychologist because it’s part and parcel of the job, right.
Nigel Phair: But, but particularly you won’t be able to talk an interview.
Paul Jackson: Correct. Correct. Yes. But look, you focus. Oh, one of your focuses was on government, governance. Sorry. And boards. And but you said you used to do board briefings. You don’t do so many anymore. What’s changed?
Nigel Phair: Two things change. One is I went sort of full time with, with you in University of New South Wales, but the second one and an interesting one is I used to charge for it.
And then once I got to be a fashionable thing, your particularly big full time consultant, that would come along and inverted commas off for free, and they’d be trying to sell about $300,000 of, consulting services out the back end result. Come along and say I give it to you straight between the eyes. We’re going to talk about the threat environment.
We’re going to talk about control frameworks. When I got that risk, you’re going to get all these juicy things at a high level under the, under the, the umbrella of, of governance, of strategy and risk, what we’re doing and all it’s a good fun to talk to. But what I stood like even more was actually talking to our risk of audit committee.
And you had these people, particularly with the big organizations, you big, you know, stockmarket listed companies who are at the top of their game. And for some unknown reason, you put the word cyber in a sentence and they go weak at the knees. And I take these people from a risk perspective. We are doing nothing different than what you do to manage other risk, whether it’s financial risk or work health and safety risk or a range of a range of other risks.
It’s just gonna it’s we’re going to, you know, do it. It sounds trite, but we’re going to do a risk assessment. We’re going to look at a number of scenarios. We’re going to come up with a control framework. We’re going to implement it. We’re going to measure it. We’re going to monitor it. And you’re going to you’re going to make an investment.
And that’s how it how it is. You know, I think that the practice obviously a little bit more work. But I was there just to, to be the evangelists, not to actually say. And by the way, you know, here’s my, my right card. I’ll help you do that. I’ll let you get yourself 27001.
Paul Jackson: That’s a very cynical approach, but very accurate, I would say.
But now I’m not going to annoy all my many friends in big four
Nigel Phair: It was business development for them. I don’t begrudge them anything. You know, they the Holy grail was to do the presentation and to get an intro to the side. So, you know, I get it.
Paul Jackson: So are you saying, are you seeing any, any changes, any improvements in this regard? Because I literally an hour and 39 minutes ago, I just wrapped up a board briefing, with an organization who take it very seriously and, and you could tell they actually wanted, you know, they wanted information. They wanted to be able to make the best judgment decisions they possibly could based on, you know, facts and figures. And, and, and clear information.
Because ultimately, you know, a board is responsible for governance, managing risk, etc., and unless they know all about cyber, how can they govern and manage cyber risk? So are you seeing, I mean, I’m seeing definitely an improvement in Asia. I think they want to take it seriously. They want real information rather than, you know, just ticking a box and getting somebody in who’ll do it for free.
But the price you pay is a bit of sales talk. Are you seeing that the trend is changing, with boards and executives taking it perhaps a little bit more seriously than they used to?
Nigel Phair: Well, yes and no. So I think they want to take it seriously. There are certainly more board briefings and those things. You know, our peak body, the Australian Institute of Company Directors, has had for a number of years courses for directors, and I believe they’re quite popular.
You know, when they do their yearly members briefing, they always talk about cyber security. When they have their annual conference, there’s always a cyber security speaker there. So there’s a lot of interest. Where I think it goes wrong is on a multitude of levels. Let’s start from the board’s perspective, particularly when you get to your big ASX listed boards.
I’m a firm believer that most people sit on too many boards and they’re not across, they’re really not deep-dive across, the business and particularly the technology. So when you talk to them, you know, they’ve read a book or they’ve read some magazine articles, and it’s one of those things: a little bit of knowledge is dangerous.
But when you say to them, do you know what your information assets are? Do you know what your technology assets are? And I’m not saying that, as you said, their role is governance, their role is strategy, they’re not to get into the weeds, but they’re actually clueless as to how technology-heavy their organizations are. And when I’ve done the review, I actually did a paper a bit over two years ago on the company directors in the ASX 100.
And out of that, there’s about 707 positions filled by about 600 people. And we just basically looked at the bio that they have on their website and their LinkedIn profile. Out of those 600 people, I think there were three that said they knew about cyber. But this is just people that self-declared that they knew about that sort of stuff.
So you’ve got virtually none, and I’ve spoken to headhunters. I said, you know, do the boards actually want someone with cyber experience on their board? And I get that. No, they want to get the same monoculture that they’ve always had. They want to have an ex-managing partner from a law firm, an ex-consultant from a Big Four, an ex-lawyer, an ex-accountant, and this whole diversity on boards.
Sure, they might get a different nationality. You know, they might get a female to replace a male and put themselves on a board. But it’s all for nothing because it’s exactly the same skill set they keep bringing in. I replace one lawyer with another lawyer. So I think from that perspective, we’ve got a long, long way to go. Then yeah, if we Google questions board directors should ask about cyber, we get pages of the stuff.
So there’s one thing saying these are the questions to ask, but they don’t know what answers to receive. Yeah, that’s true. And that’s where it falls over. You know, it’s like, do we have a control framework? Yes. Is it on the edge? Might be yes. We are SOC 2, or we’ve got NIST, you know, or we’ve done 27001.
But it’s a meaningless answer and they accept it. Oh, tick. We’ve got, we’re accredited for 27001. Okay. But what part of the network is it? Is it the CRM? Is it, you know, is that something that’s really critical? Why was that chosen? They just didn’t know the subsequent deep-dive questions to ask.
And because so many of them are over-boarded. When we went through all these, we could see people sitting on, you know, four and five boards. There’s no way they can be across everything. And then when someone comes along like, man, you guys, oh, now I’m going to talk cyber. And they’re going, oh my God, we’ve just had a whole day of boring presentations.
And now you want me to concentrate on this? That’s where the fire is from that side. From the other side, from the people delivering it, I’m kind of a bit tired of everyone being doom and gloom, and I really don’t enjoy it when I go to a conference or go anywhere and people try that. It’s not a matter of if you get hacked, it’s when, and people do switch off.
I’m saying that people just go, oh, it’s all over. What’s the point? Rather, you know what, let’s have a conversation about, it goes back to what I mentioned before about being a resilient organization. Yeah. Here’s some of the things you can do. You know, because as a consultant, you’re bringing people in to sort of fix something that may or may not have happened, so I try to explain to people, this is what we’re trying to do, and this is the why. So, yeah, there’s too much of, yeah, nation states are just going to smash the insides. Yeah, there’s nothing you can do. So defeatist.
Paul Jackson: Defeatist already. Yeah.
Nigel Phair: No, I hear you. It’s, you’re saying, you know, and it’s the same when I give personal advice of the old: if it seems too good to be true, it probably is. Well, the people who have suffered scams didn’t think it was too good to be true.
They then go telling people. Yeah, it’s like we say, people, don’t click on links. I click on links all day. So we give this advice out in these presentations and we really need to rethink how we do it.
Paul Jackson: I think you’ve made some really good points. I think I’ll have to invite you back for another session where we just focus purely on boards and governance and the mistakes that have been made, because it’s a fascinating topic, but I do want to cover another quick couple of questions before we close up for today.
Why is it Australia seems to have a large number of cyber incidents? Is it just because it’s more transparent, more publicized?
Nigel Phair: I think there is a degree of transparency, probably helped by the media, rightly or wrongly. You know, and some organizations have used the media better than others. Some of them have used their government relations better than others.
But we do have a lot. There is certainly no hiding away from it. According to our Australian Signals Directorate, just on the platform where you can report cybercrime, which the vast majority of people have never heard of, there’s a report every eight minutes. And I reckon that’s about one fifth of what there are. Now, we could debate the definition of a cyber incident.
Of course. But, yeah, I think we’re a pretty rich jurisdiction. We’re pretty connected. You know, maybe we just don’t have the best security going around. I couldn’t put my finger on any one thing, but we’re definitely up there with the top of the pops. And with claims of ransomware, too.
That’s the other thing. But when we get up to podcast number seven between you and I, we’ll get on to the vagaries of paying or not paying ransomware.
Paul Jackson: What a great topic that is as well. And obviously you’re one of the ransomware gangs’ best customers down there in Australia.
Nigel Phair: Well, we are, we pay up. Yep, yep. So why not keep that business model going?
Paul Jackson: I’m also going to talk to you in a future chat, because I’ve loved this chat, and I’m going to get back to you on a few of these things, because I do want to talk to you about the cyber security market in Australia as well. Because we, as a consulting firm not headquartered in Australia, found challenges breaking into the market, because it seems to be relationship driven rather than ability driven.
Maybe I’m being a bit unfair there, I don’t know, but does that perhaps lead to a lack of global perspective in the marketplace down there?
Nigel Phair: Yeah. Well, I’m sure your Big Four consulting firms would argue they bring global perspective, but really they’ve just got local teams run by local partners. They’re just SMEs. At the end of the day, you know, we’ve got one or two big firms and then we’ve got a lot of little 10 to 20 man shops.
Yeah, that sort of stuff. Right. Some of them just do a boutique service like, say, threat intelligence or pentesting or code review or whatever it might be. GRC, some of them do that, and some are doing the full function. Yeah, I think it is very relationship driven. I think we have pretty good capability, you could argue, although we were just discussing how many incidents we have, so maybe the capability isn’t so good.
I don’t know enough about other markets to know how hard it is to crack into them. But I think you guys should move down here. I think a lot of organizations should. We went through a phase of sovereignty. I don’t know if that’s still really such a buzzword anymore, because people are happy to buy everything from, you know, say, a Microsoft or whatever.
So I think that’s probably the compelling argument. I don’t know enough about the market to say how you’d do it. The pie is growing dramatically, I’d say even in the last five years. Right. You know, new entrants have come along and I don’t think they’ve really taken other people’s work. It’s just growing, with more organizations. So whether you sort of take a sectoral approach, particularly with critical infrastructure protection, we’ve got some laws around that.
You know, yeah, I’d have to give it some more thought on a go-to-market, why there’s not so many internationals. Right.
Paul Jackson: Let’s save that then for the next chat, along with a drill into the board briefings. Because I’ve loved this conversation with you, and it’s great to reconnect. It’s been so many years since we’ve, we lost too many years, way too many years ago.
We’re overdue a cold one, aren’t we? But I always close this THEOS Cybernova podcast by asking my guests, because I’m a music lover, right? It kind of offsets the stress of work, I guess. And also, it’s just a hobby of mine, collecting vinyl and stuff. So, what are you currently listening to?
What floats your boat at the moment, Nigel?
Nigel Phair: Oh, I don’t listen to a specific source. I will, on Apple Music, I do have some various playlists which I’ll put on, you know, some that go through genres. Some of them are, like, you know, I still love the old Australian stuff of Midnight Oil and all those 80s bands.
Yeah. So I’ve got a playlist of that. I’ve got a playlist of R&B stuff that’s really quite new. And on the beats, you know, I don’t mind the old 70s disco stuff. I’ve got various playlists and then sometimes I’ll just put it on random.
Paul Jackson: I’ve got this vision of, you know, Nigel in a Saturday Night Fever gig, giving it love.
Nigel Phair: Absolutely. Let me out of the wardrobe and I’ll pull out the sequin suit.
Paul Jackson: Fantastic. Look, Nigel, thank you so much for giving up your time to be a guest on the show today. And I look forward to having further conversations with you down the line as we continue the series of podcasts.
Nigel Phair: Okay, and congratulations to you for doing something like this, Paul. I think it’s great to get some ideas out there.
Paul Jackson: Thank you so much, Nigel. So, THEOS Cybernova was presented by myself, Paul Jackson. The studio engineer and editor was Roy D’Monte. The executive producers were myself and Ian Carless. And this podcast is a co-production between THEOS Cyber and W4 Podcast Studio.
The THEOS Cybernova podcast.

Episode Summary
What makes Australia’s cybersecurity landscape unique? In this thought-provoking episode of THEOS Cybernova, host Paul Jackson sits down with Nigel Phair, a former law enforcement professional turned academic, industry advisor, and bestselling author of five books.
Paul and Nigel explore their shared beginnings in law enforcement, spanning 22 years in vastly different jurisdictions, before delving into Nigel’s transition to academia and his work helping industry leaders understand and address cyber risks. Together, they unpack the cultural and operational differences between Australia and the broader Asia-Pacific region, including surprising insights into why Australia experiences a perceived higher incidence of cyber breaches.
The conversation also tackles the complex topic of cyber governance, examining the roles and responsibilities of Boards and Executive Committees in managing cybersecurity. Candid, sometimes controversial, and packed with regional insights, this episode sets the stage for future discussions with Nigel as they contrast the cybersecurity challenges in Australia with those across the region.
This is definitely an episode you won’t want to miss!