THEOS Cybernova: The Cybersecurity Podcast for APAC Leaders

Paul Jackson: Welcome to another episode of the THEOS  Cybernova podcast. Today I’m joined by the incredible James McCleary, who’s joined us all the way from Thailand. In fact, we’re meeting here in Kuala Lumpur together in person. James, thanks for joining me today.

 James McLeary: Thank you. Paul, it’s a real honour to be here. Thanks for inviting me.

 Paul Jackson: Yeah. No, we’ve known each other for quite some time now, a number of years. We obviously work together,  so I’m really excited about this episode because you are one of the sharpest people I’ve ever met in this field. I know it is going to be a really interesting session today, so we’ll leap right into it.

Well, I want to learn more about you, your story that you told in the recent book written by David Gee. Which obviously had a number of CISOs contributing to it. We’ll talk more about his book in a moment. But your first experience when you were with the bank in Thailand was quite an exciting one, wasn’t it? You were a few days in, am I right? And suddenly you get hit with Lazarus.

James McLeary: To that particular role, yeah. I mean, just an absolute shock. Terrifying. You know, I knew who Lazarus was because I had read up on the Bangladesh heist and all the case studies relating to that. I had heard about the Sony attack, but to actually see it in front of me, see that encrypted email that said Lazarus were instigating an attack against me, took it to a whole new level. And yes, you know you have a plan until you get punched in the face by Mike Tyson, right? No, that’s exactly how I felt at that moment in time. And, you know, my mind just went to, is it true? You know, we better start looking, scanning to see if it really is true. Escalation and response. But yeah, that’s a day I’ll never forget.

Paul Jackson: Wow. I mean, it was also a Friday right? When we often joke about this being the Friday fire drill, and it couldn’t come at a worse time, really. You know, the weekend kicking in and I mean what were the first steps you took? What was your initial, actions?

James McLeary: Yeah, the first step was to cancel my travel plans for the weekend. But beyond that, I said to my team to conduct some scans immediately to see is it’s true that we’re having data egress? From the network, as was stated in the threat intelligence email that was passed to us.

Second, was immediate escalation because I knew how serious this was going to be. Before this occurred, I had not put myself in the situation of being under such an immense nation state attack. I knew that the organisation had not had that experience either. So, it was important to move quickly, get that escalation going, and then start the response activities immediately. Quite fortuitously, I had met that very same week with the Incident Response company, and so I immediately contacted them, and they started working on the weekend straight away.

Paul Jackson: I’m curious because in the book it says that you actually had three DF/IR companies in them. Take me through that because I mean that’s quite unusual to have three working on. Why did you have three different companies?

James McLeary: Yeah, it was unusual. The first one was, as I mentioned, I had just met with them, so they were front and foremost on my mind; it was an Israeli group. They responded very quickly, very effectively. The second one was part of an organizational relationship with Mandiant. So, it wasn’t specifically a retainer that I was holding, but there was a relationship that resulted in us bringing them in. Thirdly was, as I mentioned in the book Microsoft because they were helping us on a lot of the response activities. I knew many people there. So yeah, I ended up with a very crowded war room, handling the response with three IR firms; initially, they did not want to talk to each other.

Paul Jackson: I was going to say that you’ve got competitors in there, right? That must have been a bit weird.

James McLeary: Yeah, it was weird. I remember at one point, standing up on the table in the war room and demanding that all three of them work together. Then things, just things, changed a bit after that.

Paul Jackson: I mean, it’s super interesting you know, they’re going through this experience because I think we talk a lot about cyber resilience and being ready for these incidents. But are we ever really ready? You know, you must have had a lot of learning points from there because clearly you didn’t have this signed in advance. Did the contracting take you time, and did that delay things, for example?

James McLeary: Some more. What became an issue immediately was we needed to fast-track procurement, which often in ASEAN countries is a challenge in itself. But I was able to get across the gravitas of the situation, which meant that the crisis management team was empowered to push things through from a procurement point of view. Secondly, and this took a little bit longer, but I got them to agree on an emergency budget, which then became a lesson learned afterwards. We as CISO  should have access to an emergency budget in a time of crisis where they can, quickly procure any additional equipment or vendors and not have to have a long approval process as part of that.

Paul Jackson: Yeah, that’s a really good point. I never really thought about that, but having a slush fund or an emergency fund. It could be absolutely critical.

The other point I’d like to touch on is perhaps culture, because you had an Israeli company and two American companies working with Thai staff, and well, we have both lived in this region for a lot of years, we know there are a lot of differences in cultures. How did you handle that?

James McLeary: That was really tough, I have to say, especially as you know I was a CISO. My counterpart, the CIO, had to do a lot of the heavy lifting during a cyberattack, including changing network configurations, installing software, and installing equipment. That comes down on the IT teams as a whole, and not only the security team. So there was a bit of shock and awe, a mentality, especially as all of the IR firms were ex-military experienced. They approached it very much like a military exercise; it was get this done by this time, report back and don’t have excuses. Looking back, I would say we did about one year’s worth of work in the space of six weeks. Just getting everything done.

Paul Jackson: That is pretty crazy, and for anybody who wants to really dive into this, you’ve written a brilliant chapter in David Gee’s book. We do strongly recommend that anybody who is interested should buy this book. Right. It’s a great read because you’re not the only expert in it. David’s put together, you know, a slew of real experts globally.

James McLeary: Yeah, it’s an incredible lineup, all CISOs pretty much, but with diverse backgrounds and each giving their expertise in different areas of cybersecurity. So, it really is a bit of a CISO manual, I would say. And well done to David for pulling together such a, such a cast.

Paul Jackson: Indeed. Yeah, the book is called ‘A Day in the Life of a CISO’. Personal mentorship from 24-plus battle-tested CISOs, the mentoring we never got. What a great title, we will put a link to it in the podcast releases so that you know where to buy it. But it is a great read, certainly, highly recommend it.

So moving on a little bit, this talk is about resilience, right? Retainers. First of all, retainers are priceless, aren’t they? I mean, you don’t want to be dealing with limits of liability and indemnity clauses during a crisis, so retainers are a must. But how do you find the right DF/IR partner? You had experience with a three in one incident alone. You obviously work together with me and another provider Kroll where we, we’ll talk about that in a bit, where we obviously the DF/IR how does a CISO who doesn’t really know much about DF/IR, how do they go about knowing which is the right company to choose?

James McLeary: One thing, as part of my incident experience that is in the book, that resonated very strongly with me was one of the incident responders played more of a breach coach role, and he gave me a shoulder to cry on, almost. He kind of explained this is what is likely to happen next. These are some of the messages that you may want to share with the regulator, share with other external stakeholders and just kind of put me at ease given that this was my first time going through such a major crisis event. So I took that experience and what that particular coach did within the incident response and brought that into consulting.

I think, you know, Paul, when we were at Kroll, we realised that we had to not just have the forensic response, but also manage the C-level of the client has been breached, explaining very clearly to them in non-technical terms, about what’s going to happen and what they should do. So, I think finding a retainer partner that can offer good, business-level coaching as well as the technical forensic response is paramount.

Paul Jackson: Yeah. I think, you know, that’s something I’ve obviously carried into my new role at THEOS, because there were a lot of lessons learned at Kroll. We had a brilliant team there obviously, and carrying those lessons in terms of having the technical brilliance of the analysts, but with the communication skills, the hand-holding, if you like, of our clients and understanding the impact from a business point of view is absolutely critical. You cannot just rely on the tech alone.

One of the good things we had going at Kroll was, obviously the fact that someone with your background, having gone through a major crisis like this would also participate in the DF/IR investigations that we had. Bringing your experience in terms of guiding the CISO in terms of next steps beyond just the breach, because, as you explained in the book, there’s more to a breach. There is the recovery part afterwards. Helping companies and guiding them on that path is also critical. So, all too often I think companies look for respond or retainer firms that may have some sort of incident response background, but they really need to look at the full package that they, the company brings to the table. As I said, this is what I’ve tried to do with THEOS, you know, where as you know, James from our conversations we’re an Asia-focused company that’s aiming to make a mark in terms of doing things right in this region, and we do hope that that’s, you know, that’s what our clients want and need. So, it’s good to hear you say that.

James McLeary: Yeah, and just to add onto that, the Asia experience is obviously very crucial as well. Because dealing with an incident in Asia is different from Australia or from Europe, so having the cultural experience and navigating that into the response is paramount. If you’re if you’re going to be successful.

Paul Jackson: Indeed, and that’s again why we enjoyed having you on board at Kroll, because you’ve lived in the region a long time and you understand the nuances. I think that’s vital to somebody like yourself who’s operating in this region. I think the same goes for all of us. It’s just a shame that Kroll decided to withdraw from cyber operations in the Asia-Pacific region, but it’s provided other opportunities for others to fill that gap. So all good. Now, let’s talk about your journey a little bit, because you’ve lived in Thailand now for a long time, but why? You’re obviously from Bonnie Scotland. What was your journey, briefly, you know, in getting there?

James McLeary: I was a software engineer. I became a product of GE IT management leadership program, moved into as a Six Sigma Master Blackbelt doing business transformation, ended up in risk management which brought me back over to Asia and Hong Kong. From there, I moved into cybersecurity. I remember seeing one of those mind maps back in 2015 or slightly earlier when cyber was really just coming out, and I looked at that mind map, and I thought, Oh my goodness, how can anyone do such a role? Because you need technical ability, risk management, change management, communication, procurement, managing vendors and budget management. There were so many different angles of the mind map of what constitutes a successful CISO. But I realised that I had experience in most of those areas. That’s where I decided that the CISO role was one that I wanted to pursue, so I had the opportunity in Thailand, my wife is Thai and also a New Zealand citizen, we had some property in Thailand, so we moved over. I guess it must be about 17 years ago now.

Paul Jackson: Wow, that’s a long time to be living out in this part of the world, and you know, it’s pretty important, as you say, for understanding the culture and being able to operate effectively in this region.

But you’ve also done in-house and as a consultant, obviously, when you were together with me at Kroll. So what are the pros and the cons? You’ve got experience on both sides of the table, and any other CISO perhaps considering a move to the dark side to consulting, what advice would you give?

James McLeary: So, pros and cons, for the in-house role, you’re dealing with day-to-day problems that you cannot walk away from. After the engagement is finished, you own it and that means that you’re there for the long haul, so it does drag you down. Also, to a lot of areas which  my dealing with very task level matters maybe getting involved in inter-company politics. You know, those are some of the cons in an in-house role.

For some of the pros, I would say you really get to build the culture and build the team, the organisation around you, so you are able to leave a legacy behind you, and hopefully it is a good one where you have been able to deliver a lot of value to the end customer.

On the consulting side, for me I get a real buss of helping customers and helping such a variety of customers across different sectors and different engagement types and being able to see the different levels of maturity. So maybe you gained a best practice experience from one customer that you’re then able to bring in to another customer that’s not at that level. So that’s very satisfying to see the value of your trade bringing customers up in terms of a level of maturity.

I guess the downside or the cons on the consulting side that you know the market has been turbulent and job longevity can certainly come into mind. And, well you know it is not for everyone, we might see some of that now if some consultancies are laying off roles due to AI and the impact that they are expect that may have, so you know it is not going to be for everyone, if you are currently in an in-house role and you are considering consulting, I would say what is it that you are passionate about? Are you passionate about that, maybe customer success, do you enjoy sales and then enjoy those regular meetings with customers across different industries?

Paul Jackson: Yeah I know, and obviously I watched you whilst you were working together with me at Kroll and I think one of the things that energised you wasn’t just focused on the advisory piece on you know the VC so type work, but rather also getting involved in incidents as we’ve just talked about, you used to thrive on those, I remember. The opportunity I think in consulting is much broader, isn’t it? To getting involved in those kind of exciting types of cases. So yeah it’s pros and cons and it’s not for everybody though, because there is the selling component. You have to be a good communicator, you have to be able to articulate your value. I think, that’s something that anybody who’s considering perhaps going into consulting from an in-house role should be very cognizant of, you need to have that sort of confidence to go into, to sell.

Let’s step back a little further below that. How do junior people or junior professionals, I should say get to be a CISO? What sort of career path should they be looking at? If you know any youngsters listening to this today thinking one day I want to be that CISO, what advice would you give them in terms of a career path?

James McLeary: So in the different cybersecurity teams that I’ve managed, there tends be two types of people. One, the more risk management mentality, they will manage projects. They will look at the vulnerabilities, formulate strategy, do the risk assessments. Then there are the other people that are more technically orientated, they get a buzz of doing the red team work, pen testing and so on.

But to be a CISO, I think you need to understand both sides of the house very strongly. One of the things that I did before I became a CISO was, and I came from the risk management side of the shop, but I signed up for bug bounty programs. I did capture the flag initiatives, and I got into the more technical aspect, having been a software engineer and in my previous roles.

So having that balance of the technical understanding, but also the strategy, risk management, and risk assessment side is very important. But then you have to overlay that, as a CISO, you’re presenting yourself to the board, you’re meeting regularly with your fellow C-level. So, you really need to be a change advocate, you need to be able to communicate very technical matters in, in a way that will resonate and get you buy in to solve problems and get budget. So you must fine tune your communication, your presentation skills, and your personal branding and gravitas so that you can go in front of a board or push back on the CEO and get what you need to protect the organisation.

Paul Jackson: Yeah, that meshes. I get asked this all the time, the same kind of question, every time I’ll answer, communication, it’s absolutely vital. It doesn’t matter how technical you are, how gifted you are, if you can’t articulate and explain what you’re doing to a business context, then unfortunately, in-house as a CISO, you will really struggle. I think even doing things like Toastmasters courses, learning how to do public speaking, really enhances the value of a future CISO. So, I can only say that put yourself in those difficult positions, go and volunteer to speak at conferences where you can. It may be out of your comfort zone, but the more you do it, the more you learn right?

James McLeary: Absolutely and you never know you might find that you really enjoy it.

Paul Jackson: 100% and that actually leads into the next question which is, who should a CISO report to? Obviously, you have to communicate with somebody who, in the ideal world, you think the CISO should be reporting to?

James McLeary: Without a shadow of a doubt, it should be the CEO. Companies, I don’t know why they are still wrestling with this one today; it has to be the CEO. The CISO needs to be on an equal standing as the CIO; if not, security will always play second fiddle to IT investments. So, you need to be there amongst the other C-level, and this one concerns me, particularly in Asia, because we are seeing the CISO role has not yet gravitated in every country to the level it needs to be, and what we’re seeing now is the emergence of chief AI officers or chief ethical integrity officers.

You know, there are other C-level roles which are being pushed out now, and quite frankly, I think the CISO, if they are at the right level in the organisation, should be taking ownership of a lot of those requirements and representing the C-level committee on those subject matters.

Paul Jackson: Yeah I 100% agree, it should be a boardroom discussion. It should be a conversation between the CEO and the board, I 100% agree with your approach there.

This is switching gears slightly, but when you were working with me obviously we got involved in quite a few crisis exercises, but can you from your position now as a CISO, can you articulate the importance of these and the value and how you would conduct them in your own organisation?

James McLeary: Yeah, so I’m actually about to do one on my own organisation and the reason that I am doing it myself this time around, is not because I think I am great at them, but rather because it is for a lot of people involved, it is the first time that they will have experienced it, so there is a little bit of an uncomfortable zone that I am going to have to break down. So I thought okay, for the first instance we will run it internally, it won’t be as polished as external firms can do it but it will set a level of expectation and comfort. Absolutely, for the second exercise, I would bring in a third-party company like THEOS to help us run a cyber exercise and give us that external realism and threat intelligence overlay.

But to me, tabletop exercises are absolutely crucial. It’s like the analogy of a pilot, they know how to fly the 747, but every time they go out, they still go through the flip chart and check everything is in place, as it should be. So that’s really what we’re doing by running regular cyber tabletop exercises, that’s making sure that your checklist is, is known to everyone, that people practice, and those lists and lessons hopefully start to come down. The more that you do them, the more that you drill it.

Paul Jackson: Muscle memory kind of thing, and I think you’re right because all too often I’ve seen companies go, yeah, come into THEOS, do an exercise for us without having done one before, so it turns into a bit of a disaster because they are just not ready for it. I think that you are doing it the right way, start your staff gently and do it in-house to build up some of the more advanced ones, but the sooner you can get to the advanced ones, the sooner you will be at a level where you feel comfortable dealing with incidents.

The initial ones that you are doing will help you to check whether your playbooks are working, whether people have actually read them for starters and actually know their roles and responsibilities in a in a fairly simple scenario. E.g a ransomware type scenario or something. But ultimately, I think the real meaningful ones are when you get a kind of red team or pen test approach where they come in and look at the actual technology that you’re using and develop a realistic scenario based on what’s in place and input it in the injects rather than at the senior level, input the inject at the working level, because in reality it’ll be the working guys, the cyber guys who have to try and explain to the bosses, we won’t be there in a crisis explaining things. So, the sooner your team gets used to talking to the bosses about the potential impact of a crisis, the better prepared they will be, I guess.

So those are the kind of evolution I think of crisis exercises, but I’m glad you said they are a must because yeah, definitely. It’s, you know, you don’t want to be going through your playbooks in a real incident for the first time.

James McLeary: Absolutely not.

Paul Jackson: No. Right. So one last question before we go into a couple of cheeky questions that I got for you at the end, but you’ve been in the CISO in the financial world, and obviously, you then went into consulting, and now you’re in the hospital healthcare world. I’m curious what differences have you seen between the financial world and the and the hospital.

James McLeary: So, in financial services, obviously, the regulatory environment is very strong, even across Asia, there’s a very strong demand for cyber within the financial regulators, and that drives change and that drives budgets. So, in financial services budgets tend to be a little bit more healthy for cybersecurity and if you look across the industries, financial services will be the most mature in terms of their capabilities within cyber.

Healthcare, on the other hand, although there are regulations globally, the likes of HIPAA in the US, they’re playing catch-up with financial services, and in Asia, we’ve still got a ways to go. Many countries have been introducing of course critical infrastructure laws. Hong Kong did it recently, and a lot of the ASEAN countries have their say, but cybersecurity for critical infrastructure and healthcare is part of that. But it’s not yet that same level of demand, I would say, in comparison with the financial regulators. So, unfortunately, that does reflect somewhat on budgets and maturity within health care.

That said, the pressure within the hospital environment, can be even worse than in financial services but it’s not so much about the regulator coming down upon you but you protecting people’s lives and it’s one thing having credit card information stolen or ATMs hijacked, but if medical equipment stops functioning, if medical record platforms are encrypted then it’s a whole other ballgame. So the severity level is very extreme, and we have seen that it was last year, one of the largest cyberattacks ever and the US was in a healthcare hospital environment, because they had encrypted much of the infrastructure, the hospital could not process insurance claims, which meant they had to turn away patients. It had a massive impact not only on the ransom that was paid, but also the regulatory fines. And then the overall reputation of the hospital.

Paul Jackson: Yeah, I can only imagine that being stressful as well. I know Thailand also prides itself on being a centre for medical tourism; the hospitals there are first-rate, right?

The sort of the best of the world and any damage to that reputation would obviously the government would not be happy but the, the other side, I mean. At THEOS there’s obviously we do a lot of Pen Testing and Red Team and we’re getting an increasing amount of requests for AI testing of AI bots, etc., but also, of course, IoT devices. That must be very different in your world, because you must have a completely diverse set of devices that you need to protect. I mean, because almost everything is network nowadays, right?

James McLeary: Yeah, and similar to manufacturing, it used to be equipment on the manufacturing floor or on the patients, like the scanning machines, the radiologist, X-rays and so on. They would all be standalone, but that’s no longer the case. Much of the equipment is using AI to analyse results, to share information with doctors. So it’s interconnected not just with the IT network but very often with AI platforms, LLM models. So, the attack surface has grown massively. I need to protect my IT environment, I need to protect my medical device environment, the IoT environment, the cloud environment and now the AI modules, which are being increasingly used even. We used to have shadow it, now we have shadow AI, so as a CIO and CISO, I have regular arguments with myself about, well, what’s the best way to control these risks and at the same time allow the hospital to move forward and transform.

Paul Jackson: Right? Yes, the age-old battle between allowing the use of technology, which helps make things more efficient, versus making sure it’s secure, our ethical hackers at THEOS love these challenges. All these new devices and new technologies, it makes life more interesting for them. And they love, trying to hack these, these devices.

Right, we’ve run out of time. But, before we close up today, I’d just like to thank everyone for listening, and please do hit that like and subscribe buttons, it helps us to get out to a broader audience with all this important information. But I’ve got a couple of questions for you, James. You’re my second Scottish guest, and I did ask my previous Scottish guest. Can you say the phrase purple burglar alarm?

James McLeary: No, I cannot, but I will try. I can say 11.

Paul Jackson: I was going to ask you as well. Is your office on the 11th floor? I’m sure those who have seen the memes will understand where we go.

James McLeary: Purple burglar alarm.

Paul Jackson: Very good. You go. All right, my final question is, as always, I’m a music lover and it’s my way of decompressing with, from stress of work sometimes is by putting on a good old fashioned vinyl record. What’s on your playlist at the moment, James?

James McLeary: Paul, I’ve watched you ask this question to other guests, and this was the one that put the fear of God in me, but funnily enough, this morning my Spotify just had the 2025 reviews.

So up on my list was some good old Scottish bands, Texas was number one, Franz Ferdinand was number two, and then number three and four were some obscure Spanish and French bands. Nouvelle. Okay, I remember the name, but very chilled out music that I often just put in the background and, you know, so that’s, that’s, been my playlist.

Paul Jackson: Fantastic. All right, James, thank you so much for being my guest today. It’s a real pleasure having you.

James McLeary: Thank you, Paul really enjoyed it and congratulations on the on the podcast.

Paul Jackson: Oh one last question. Did the THEOS Cybernova podcast, appear on your end of year list?

James McLeary: Believe it or not, it was number four on my top podcast list, just behind Joe Rogan.

Paul Jackson: Wow, there we go. It’s just behind Joe. I’ll take that. Thanks very much for being with us today, James.

James McLeary: Thank you.