The ISM has been updated again, and this time AI is front and centre. In this episode of Secured, Cole Cornford is joined by returning guest Toby Amodio, Practice Lead at Fujitsu Cybersecurity Services, for another instalment of Policy Wonks and Gronks, cutting through the vendor noise to talk about what the March 2026 update actually means in practice.

They explore where AI is genuinely delivering value for cyber professionals, from automating compliance mapping and vendor assessments to streamlining pen test reporting and SOC triage. But they are equally candid about the risks: the erosion of foundational skills as junior roles get outsourced to AI, the creeping fatigue of reviewing outputs at scale, and the danger of skipping straight to full automation without the expertise to validate what the machine is doing.

The conversation also tackles bigger picture concerns unique to Australia, sovereign AI capability, the risk of a brain drain to the US, and whether a small country can afford to decentralise its AI infrastructure. Toby closes with a sharp reminder for government CISOs: AI is just another system, and how people use it matters far more than the certifications attached to it.

Timestamps

00:00 Episode Trailer

01:01 Chainguard ad

01:28 Intro and the March 2026 ISM update

03:00 AI hype vs real world utility

05:00 Governance and compliance use cases

08:00 Vendor assessments and knowledge base automation

11:00 Skill erosion and the junior roles question

14:00 AI in pen testing: reporting, scoping and customer experience

17:30 The maturity model for AI adoption

21:00 Vibe coding, slop assurance and fatigue at scale

25:00 Agents watching agents and the bot vs bot future

28:30 Australian AI sovereignty and the brain drain risk

32:00 Top tip for government CISOs on AI risk

35:00 Shadow AI and DNS log visibility

37:00 Closing remarks

🐙 Secured is grateful to be sponsored and supported by Chainguard.

Chainguard is the trusted source for open source. Get hardened, secure, production-ready builds so your team can ship faster, stay compliant, and reduce risk. Download your free CVE Reduction Assessment at https://dayone.fm/chainguard

Secured is part of Day One.

Day One helps founders and startup operators make better business decisions more often.

To learn more, join our newsletter to be notified of new First Cheque episodes and upcoming shows.

Tara Whitehead is Security Engagement Manager at MYOB. Prior to becoming a cybersecurity specialist, Tara had an eclectic career, including working in advertising and international relations. In this episode Tara chats with Cole about how her non-technical background has in many ways been an asset working in security, leading change management in large enterprises, the importance of great communication skills, and plenty more.

Timestamps

7:15 - Tara's first days in AppSec

10:00 - How to influence people

12:30 - Why we should dial back on the doomsday conversation

14:10 - Find your change champions

21:30 - Is a non-technical background help or hindrance?

23:30 - Communication and influencing key skills

26:00 - Communicating with execs

28:20 - Rapid fire questions

🐙 Secured is grateful to be sponsored and supported by Chainguard.

Chainguard is the trusted source for open source. Get hardened, secure, production-ready builds so your team can ship faster, stay compliant, and reduce risk. Download your free CVE Reduction Assessment at https://dayone.fm/chainguard

Secured is part of Day One.

Day One helps founders and startup operators make better business decisions more often.

To learn more, join our newsletter to be notified of new First Cheque episodes and upcoming shows.

Mentioned in this episode:

Download your free CVE Reduction Assessment

Chainguard is the trusted source for open source. Get hardened, secure, production-ready builds so your team can ship faster, stay compliant, and reduce risk.

December 2025 - Chainguard

Artificial intelligence is dominating headlines in cybersecurity, but how much of it holds up under scrutiny? In this solo episode of Secured, Cole Cornford, founder and CEO of Galah Cyber, shares his unfiltered take on three of the biggest AI narratives making waves in the AppSec space right now.

Cole breaks down the Claude Code security announcement and why the market reaction dramatically overstated its real-world impact, arguing that the most meaningful security vulnerabilities have never been the ones static analysis tools can easily catch. He then examines Aikido's continuous penetration testing proposition, raising serious questions around noise, cost, resilience, and whether most organisations are even architected to support it.

Finally, Cole tackles the AI job displacement narrative head-on, making the case that most high-profile tech layoffs are less about AI capability and more about mismanaged businesses using automation as convenient cover for decisions driven by poor performance and investor pressure.

Timestamps

00:00 – Intro & Cole's hot take on AI hype

01:30 – Claude Code Security: what it is and why markets overreacted

03:30 – Why meaningful vulnerabilities need context, not static analysis

05:30 – Autofix, token waste, and who's actually using Claude Code

08:00 – Aikido Infinite: the continuous pen testing promise

10:00 – Cost, resilience, and noise concerns with Aikido

12:49 – The AI jobs narrative: Cole's verdict

14:30 – WiseTech, Block, and the smokescreen theory

16:00 – Jobs shift, not job loss

17:03 – Closing thoughts and solo format feedback

🐙 Secured is grateful to be sponsored and supported by Chainguard.

Chainguard is the trusted source for open source. Get hardened, secure, production-ready builds so your team can ship faster, stay compliant, and reduce risk. Download your free CVE Reduction Assessment at https://dayone.fm/chainguard

Secured is part of Day One.

Day One helps founders and startup operators make better business decisions more often.

To learn more, join our newsletter to be notified of new First Cheque episodes and upcoming shows.

Mentioned in this episode:

Call for Feedback

AI is starting to change penetration testing, but most people are asking the wrong question. In this episode of Secured, Cole Cornford sits down with Brendan Dolan-Gavitt, AI researcher at XBOW and former NYU professor, to unpack what autonomous pen testing really is, what it can reliably do today, and what still needs humans.

They explore why AI agents are great at scaling the boring parts of testing, like authenticated workflows and broad vulnerability coverage across huge attack surfaces, and why that does not automatically translate to deep, context-aware exploitation. The conversation also gets into the messy parts: AI systems overclaiming “serious” findings, business logic flaws that are hard to verify, audit expectations, and why scope control needs real guardrails, not vibes. From agent traces and validation models to cost curves and creative exfiltration tricks, this episode is a grounded look at where AI helps AppSec and where it can still cause damage if you trust it too much.

Timestamps

00:00 – Intro

03:10 – From academia to building autonomous security tools

05:00 – Human pen testers vs AI agents: what is actually different

06:40 – Where AI helps most: boring tasks and low hanging fruit

08:30 – Scale: a thousand targets vs hiring a thousand testers

10:20 – Accessibility, economics, and Jevons paradox

12:30 – Accountability: audit evidence, traces, and “who signs off”

14:40 – Scope control: avoiding prod and preventing out-of-scope actions

16:20 – Safety checkers, overseer agents, and persuasion resistance

18:40 – The cost question: VC money, inference pricing, and efficiency

21:20 – When AI wastes money and why prioritisation matters

23:50 – Failure mode: overclaiming business “vulnerabilities”

26:10 – Validation agents and adversarial peer review

28:40 – The scary clever stuff: exfiltrating files as images

31:00 – What AI finds well: XSS, SQLi, file traversal, hard proof bugs

33:10 – What AI struggles with: business logic and contextual judgement

35:20 – Hype vs skepticism and why nobody has a crystal ball

🐙 Secured is grateful to be sponsored and supported by Chainguard.

Chainguard is the trusted source for open source. Get hardened, secure, production-ready builds so your team can ship faster, stay compliant, and reduce risk. Download your free CVE Reduction Assessment at https://dayone.fm/chainguard

Hiring is still a human process, no matter how much AI gets injected into it. In this episode of Secured, Cole Cornford sits down with Kim Acosta, Managing Director at UCentric and former Amazon talent acquisition leader, to unpack how AI is actually changing recruitment and where it is quietly breaking trust.

They explore how candidates are using AI in applications and technical assessments, why misuse often damages long term employability more than failing an interview, and why recruiters and hiring managers are responding with stricter controls, in person assessments, and AI detection. Kim shares what she is seeing across data, analytics, and AI roles, where demand is growing, and why human judgment, rapport, and credibility still matter far more than perfect answers.

The conversation also covers embedded recruitment and RPO models, why soft skills matter more as teams get smaller, and what the next hiring cycle is likely to look like as big tech contracts while smaller companies continue to grow. For candidates, hiring managers, and founders alike, this episode is a grounded look at why shortcuts rarely pay off and why trust is still the real signal.

Timestamps

00:00 – Intro

01:24 – Meet Kim Acosta and UCentric

02:06 – From Amazon to starting a recruitment consultancy

04:19 – Data engineering demand vs AI hype

05:31 – What data engineering roles actually look like

07:27 – Adapting business models to real market needs

10:04 – Where AI genuinely helps recruiters

11:09 – Custom GPTs and interview preparation

13:43 – One way interviews and candidate slop

15:09 – Technical assessments and AI misuse

17:19 – Trust, failure, and reapplying the right way

18:29 – Spotting AI generated answers in interviews

20:19 – Rapport, eye contact, and human signals

22:19 – Hiring for values and team fit

23:52 – Agency vs internal vs embedded recruiters

27:59 – RPO models and cost tradeoffs

28:47 – Layoffs, market shifts, and salary reality

30:57 – Where hiring is still strong

33:10 – Why hiring and podcasts still need humans

🐙 Secured is grateful to be sponsored and supported by Chainguard.

Chainguard is the trusted source for open source. Get hardened, secure, production-ready builds so your team can ship faster, stay compliant, and reduce risk. Download your free CVE Reduction Assessment at https://dayone.fm/chainguard

The Protective Security Policy Framework is meant to guide how government manages security risk, but constant updates make it harder to implement than to understand. In this episode of Secured, Cole Cornford is joined by Toby Amodio, Practice Lead at Fujitsu Cybersecurity Services and former senior cybersecurity leader across Australian government, to break down what actually changed in the latest PSPF update and why it matters in practice.

They examine the growing focus on personnel security and foreign interference risk, the inclusion of AI guidance that adds little beyond basic risk assessment, and the long overdue recognition of Secure Service Edge and SASE as compliant gateways. The conversation also explores why deny lists and centralised risk sharing sound sensible on paper but are far harder to enforce in reality, and why most security failures still come down to behaviour, accountability, and how technology is actually used rather than what policy says.

Timestamps

00:00 – Intro

01:18 – What the PSPF is and why it exists

02:49 – Annual updates, directives, and policy advisories

04:19 – What actually changed in the 2025 PSPF update

05:36 – AI in the PSPF and why it adds little value

08:14 – Tool hype vs implementation risk

10:32 – The AI policy advisory and trusted vendors

14:25 – Directive 3 and clearance disclosure risks

17:21 – Personnel security and enforcement reality

19:41 – Secure Service Edge and SASE recognition

23:39 – Commonwealth Technology Management directive

25:28 – Deny lists, transparency, and security through obscurity

28:05 – Centralised risk sharing and assessment overload

29:52 – Policy wonk or policy gronk

31:12 – Final takeaways and closing

🐙 Secured is grateful to be sponsored and supported by Chainguard.

Chainguard is the trusted source for open source. Get hardened, secure, production-ready builds so your team can ship faster, stay compliant, and reduce risk. Download your free CVE Reduction Assessment at https://dayone.fm/chainguard

Mentioned in this episode:

Download your free CVE Reduction Assessment

Chainguard is the trusted source for open source. Get hardened, secure, production-ready builds so your team can ship faster, stay compliant, and reduce risk.

December 2025 - Chainguard

Call for Feedback

Most security architects are not actually doing architecture. They are doing assurance work, following checklists, and hoping standards will save them. But as systems get more complex and attackers get faster, that approach is no longer good enough.

In this episode of Secured, Cole sits down with Ken Fitzpatrick, founder of Patterned Security and creator of securitypatterns.io, a resource built during the lockdown years that has since grown into one of the clearest frameworks for designing meaningful, context-aware security architecture.

Ken shares why so many architects fall into the trap of compliance thinking, how security design becomes a tick box exercise, and why threat modeling without understanding context is pointless. They unpack the four foundational steps every architect should follow, why traceability matters more than ever, and how modern teams can stop copying best practice and start solving the real problems in front of them.

The conversation also digs into secure by design in different industries, why the term has lost its meaning, and how modern defensible architecture is resetting expectations for what good looks like. Cole and Ken also dive into AI and its impact on the architecture function, separating hype from reality and exploring which roles are at risk as AI improves.

If you work in engineering, architecture, AppSec, risk, or are building a product and want a practical way to think about secure design, this is an episode you should not miss.

Timestamps

00:00 – Intro

00:48 – Chainguard Ad

01:20 – Meet Ken Fitzpatrick and Patterned Security

02:19 – How a cancelled Canada trip sparked securitypatterns.io

04:08 – Why architecture needs practical guidance, not more frameworks

05:18 – The four step method for real security architecture

07:23 – Moving beyond box ticking and why engineering experience matters

09:39 – Teaching architecture fundamentals and selecting the right controls

11:37 – Traceability and making defensible design decisions

13:14 – Architecture vs assurance and who securitypatterns.io is for

16:31 – Embedding secure by design into PMO processes and scale up use cases

19:58 – What secure by design means across different industries

23:05 – Inconsistent definitions in security and the need for clarity

23:50 – Modern defensible architecture and Zero Trust guidance

24:44 – AI’s role in architecture and which tasks get replaced

28:25 – AI in AppSec and reducing false positives with context

30:24 – AI sales bots, hype cycles, and the loss of human reciprocity

33:28 – Ken’s call for collaboration on repeatable architecture patterns

34:28 – Closing and how to connect with Galah Cyber

🐙 Secured is grateful to be sponsored and supported by Chainguard.

Chainguard is the trusted source for open source. Get hardened, secure, production-ready builds so your team can ship faster, stay compliant, and reduce risk. Download your free CVE Reduction Assessment at https://dayone.fm/chainguard

Mentioned in this episode:

Chainguard is the trusted source for open source.

Get hardened, secure, production-ready builds so your team can ship faster, stay compliant, and reduce risk. Download your free CVE Reduction Report now!

December 2025 - Chainguard

CTFs are fun, but do they actually make developers write more secure code? In this episode of Secured, Cole Cornford is joined by Pedram Hayati (Founder of SecDim & SecTalks) to explore why most developer security training fails, and how SecDim’s “Fix the Flag” approach is changing the game.

From contrived WebGoat-style examples to frameworks that quietly eradicate entire bug classes, Cole and Pedram dive deep into the intersection of AppSec and software engineering. They unpack why developer experience is non-negotiable, why security needs to borrow design patterns from engineering, and how real-world incidents (like GitHub’s mass assignment bug or the Optus breach) make concepts stick far better than acronyms like “XSS” or “SSTI.”

This is a technical, opinionated episode for anyone who’s ever struggled to get developers engaged with security.

Timestamps

01:10 – Why Pedram built SecDim, the problem with pen test reports, and why CTFs don’t train developers

04:42 – From “Capture the Flag” to “Fix the Flag”: making training realistic and Git-first

06:30 – Training inside developer workflows and why contrived examples fail

10:28 – Using modern stacks, AI-tailored labs, and real-world incidents to make concepts stick

12:35 – Why security names suck (XSS vs. “content injection”) and the Optus hack as a teaching moment

17:37 – Secure design patterns vs. vague slogans, and why secure defaults beat secure by design

21:15 – Frameworks like React, Rails, and Angular that kill entire bug classes

23:23 – Engineering by-products: reproducibility, immutability, and orthogonality in secure coding

30:36 – PHP’s bad reputation, language quirks, and what’s actually most popular in security training today

33:41 – Why AppSec pros need to build and deploy apps (not just know vulnerability classes)

37:44 – Getting started with SecDim and hands-on secure coding

Mentioned in this episode:

Call for Feedback

The Australian Information Security Manual (ISM) just got a major update, and not everyone’s thrilled. In this special episode of Secured, Cole Cornford is joined by Toby Amodio (Head of Professional Services, Fujitsu Cyber) to break down what’s changed, what’s missing, and what it all means for CISOs, AppSec teams and public sector security leads.

From the new cybersecurity principles (and why they feel like yak shaving) to the long-overdue expansion of software security controls, Cole and Toby navigate the mess of frameworks, missing maturity models, and babushka-doll-style mappings that have left many teams overwhelmed. They also reflect on what “secure-by-default” really means in a world of legacy codebases, overstretched resources, and one-person AppSec teams.

Timestamps

01:02 – Why ISM Updates Matter (Even If They’re Late)

02:32 – New Principles: Nice Idea, Hard to Implement

04:08 – Yak Shaving and the Complexity Cascade

07:48 – Mapping Mayhem: PSPF, E8 and Governance Overload

10:25 – Losing the Maturity Model: Who Does That Help?

13:46 – Secure-by-Default and the Problem with OWASP-as-a-Proxy

18:13 – Integration, Incentives, and Cyber vs. Business Silos

20:34 – The Talent Gap and Why Code Reviews Still Matter

22:58 – Galah Cyber, Capability Building & Doing AppSec Right

23:57 – Why Buying Tools Isn’t the Same as Building Capability

25:21 – What Red, Amber, Green Tools Really Miss

26:01 – One ISM to Rule Them All… If You Can Implement It

26:52 – Final Thoughts (and a Funding Stick for CISOs)

Mentioned in this episode:

Call for Feedback

With a career that spans mainframes, integration platforms, and developer experience, M Brennan brings a unique lens to the world of application security. In this episode, M joins Cole Cornford to unpack why integration is often the riskiest layer in software systems, how context is everything when choosing security controls, and what it really takes to build security into developer workflows without adding friction.

They dive into stories from government and enterprise environments, the overlap between security and resilience, and how thinking in terms of energy and empathy, not just tools, can lead to better outcomes for everyone. Plus, a surprisingly effective stereo-selling strategy, some well-earned AI scepticism, and a jam-jar analogy you’ll never forget.

Timestamps

03:45 From COBOL to Developer Experience in Security

06:37 Choosing the Right Security Control for the Right Risk

10:00 Reducing Developer Friction with Secure Defaults

14:10 How Threat Modelling Creates Real Value

17:57 Fixing Access and Provisioning for Devs and Security

20:09 Virtual Dev Environments and Automating the Boring Stuff

24:04 Smarter Security Adoption and the Jam Jar Effect

28:48 AI, Developer Toil and the Problem with Overpromising

31:03 Using AI to Kickstart Threat Modelling and Resilience

33:56 Why Some Tech Trends Aren’t Worth the Hype

36:09 The Risk of Letting Chatbots Handle Security Promises

37:16 Final Takeaways on Empathy, Context and Collaboration

Mentioned in this episode:

Call for Feedback

Scott Contini has a PhD in cryptography with more than a dozen research publications, and has spent the last 15 years focused on solving real-world security problems. After switching from academia to industry in 2008, Scott has identified hundreds of cryptographic implementation flaws across the world, written widely read blogs on common coding mistakes, and contributed significantly to the 2021 OWASP Top 10 topic of Cryptographic Failures. He joins Cole Cornford to discuss how cryptography often goes wrong in practice, why secure-by-default APIs are reshaping security today, and the importance of clear communication and community-building in advancing the field. Scott also shares stories from working alongside legendary figures in cryptography, and offers advice for anyone looking to build a sustainable and impactful security career.

Timestamps

00:20 - Scott’s background in cryptography and transition to AppSec

02:00 - Moving from theory to real-world security challenges

05:00 - Common cryptography mistakes in the industry

07:50 - Why using the wrong encryption modes leads to vulnerabilities

10:10 - How Java’s cryptography design led to widespread issues

14:40 - The rise of secure-by-default APIs in cryptography

17:00 - Stories from working with cryptographic legends

22:00 - Improving advice in the OWASP community

27:50 - The value of writing and public speaking in AppSec careers

33:00 - Advice for newcomers in security: think like an attacker and keep learning

Mentioned in this episode:

Call for Feedback

Jon-Anthoney de Boer is the Product Security Lead at Transmax, overseeing security for critical infrastructure that manages traffic flow across Australia. Coming from a strong software engineering background, Jon-Anthoney shares his experience transitioning from traditional engineering into product and application security. He highlights the importance of aligning software engineering and security teams, building trust into the software development lifecycle, and fostering a security culture based on practical strategy rather than superficial metrics. Jon-Anthoney also discusses how behavioural change, organisational alignment, and operational excellence are key to achieving effective, sustainable security outcomes.

Timestamps

00:32 - Jon-Anthoney’s journey from electrical engineering to product security

05:08 - Transitioning from software craftsmanship to cybersecurity

09:30 - Why aligned incentives between engineering and security teams matter

12:22 - Goodhart's Law: pitfalls of security metrics

18:21 - Rethinking cybersecurity strategies beyond tools and compliance

25:12 - Building observability into the secure software development lifecycle

32:35 - Why executive support is crucial for security initiatives

38:34 - Operational excellence: removing waste from security processes

Mentioned in this episode:

Call for Feedback

In this episode of Secured, host Cole Cornford chats with Laura O'Neill from Fujitsu Cyber. Laura shares her journey from a pure maths and cryptography background through management consulting into the world of cybersecurity. She explains how she helped grow MF&A from a small team into a 70-person company before its acquisition by Fujitsu. Cole and Laura discuss the challenges of scaling a cyber practice, the importance of professionalising sales and board-level communications, and how embracing diverse, non-traditional talent can transform the industry. Their conversation offers valuable insights into shifting from a compliance-based mindset to a risk-based strategy that truly supports business objectives.

Timestamps

00:10 - Introduction to Laura O'Neill and her role at Fujitsu Cyber

02:27 - Laura recounts her journey from pure maths and cryptography to cybersecurity

05:31 - Discussing the rapid growth of MF&A from a small team to 70 staff

07:30 - Overcoming scaling challenges through improved processes and support

11:23 - Professionalising sales and board-level communications in cyber

15:30 - Moving from a compliance-driven approach to a risk-based strategy

26:16 - Embracing diversity and non-traditional hiring in cybersecurity

31:20 - The value of diverse backgrounds and soft skills in solving security challenges

40:43 - The importance of empathy and listening in leadership

42:16 - Closing thoughts on security as an enabling function for business success

Mentioned in this episode:

Call for Feedback

Cole Cornford speaks with Kat McCrabb, founder of Flame Tree Cyber, about navigating cybersecurity compliance and risk, particularly within education, government, and mission-driven organisations. Kat shares insights from her experience in federal government and as CISO at Brisbane Catholic Education, highlighting the strengths and weaknesses of compliance frameworks like Australia's Essential Eight and MITRE ATT&CK. The conversation covers how to effectively communicate cyber risks to stakeholders, align security with organisational priorities, and why prevention beats incident response every time. Kat also discusses strategies for meaningful conversations around funding and shares her perspective on the evolving landscape of security in the age of SaaS and cloud technologies.

Timestamps

00:59 - Kat’s background and founding Flame Tree Cyber

03:10 - Defining mission-driven organisations

04:29 - Challenges of prescriptive compliance frameworks (ISM, Essential Eight, DISP)

05:41 - Compliance vs meaningful security improvement

06:51 - How threat modelling with MITRE ATT&CK helps allocate resources

07:35 - Balancing foundational cybersecurity and advanced threat intelligence

08:52 - Incident response and the value of understanding threat actors

11:46 - Allocating budget and demonstrating security value to executives

16:31 - How to effectively request security funding from the board

20:00 - Relevance of Essential Eight in modern SaaS environments

29:21 - Kat’s role with AISA and building the cybersecurity community in Queensland

Mentioned in this episode:

Call for Feedback

Kiera Farrell, Cyber Analyst at David Jones, shares her journey from studying a Bachelor of Cybersecurity to landing a role in cybersecurity operations. She reflects on the challenges of breaking into the industry, the lessons learned from risk management, and the importance of networking in career growth. Kiera and Cole discuss the value of stepping outside your comfort zone, the evolving landscape of cybersecurity degrees, and what hiring managers can do to attract and retain young talent. If you're an aspiring cybersecurity professional or a leader looking to support early-career hires, this episode is packed with insights.

Timestamps

2:00 – Kiera’s journey: From Bachelor of Cybersecurity to David Jones

5:00 – What studying cybersecurity is really like

8:10 – The surprising importance of risk management

12:00 – Ethical hacking & the role of security education

16:30 – The grad job hunt: what works, what doesn’t

19:45 – The power of stepping out of your comfort zone

21:30 – Building a strong professional network

23:50 – What makes an employer attractive for graduates?

26:40 – How mentorship accelerates career growth

30:35 – Advice for students and early-career professionals

Mentioned in this episode:

Call for Feedback

In this special solo episode, host Cole Cornford reflects on the journey of the Secured podcast over the past two years. He shares behind-the-scenes insights, from the unexpected challenges of cicada season disrupting recordings to the podcast’s growth, hitting 45 episodes and over 7,000 downloads. Cole discusses listener feedback, format changes, and his plans to expand the show, including moving to weekly episodes, introducing video content, and diversifying guest profiles. He also highlights listener engagement stats, the importance of audience reviews, and the future direction of Secured with a focus on delivering more valuable and dynamic cybersecurity content.

Timestamps

00:20 – The impact of cicada season on recording and production

01:10 – Hitting 45 episodes: reflections on the podcast’s growth

01:54 – Asking for listener feedback and reviews to support the show

02:51 – Plans to move to weekly episodes and potential sponsorships

03:51 – The possibility of introducing video content and its challenges

04:35 – Listener engagement stats: unique listeners, downloads, and demographics

08:05 – Most downloaded and highest engagement episodes revealed

10:55 – Diversity in guests and topics: striving for representation

13:48 – Changes in podcast format: cutting certain segments for better engagement

17:03 – The shift towards professional development-focused content

19:50 – Future goals: more international guests and sharper conversations

Mentioned in this episode:

Call for Feedback

Madhuri Nandi is the Head of Security at Till Payments and a trailblazer in the Australian cybersecurity industry. As co-chair of the Australian Women’s Security Network, she brings decades of experience to the table, breaking barriers for women in tech and redefining what leadership looks like in cybersecurity. Madhuri shares how a love for gaming and cheat codes sparked her journey into application security and the cultural challenges she overcame to thrive in a male-dominated industry. They explore the realities of leading security functions in scaling FinTechs, why compliance doesn’t equate to security, and the critical role of aligning cybersecurity strategies with business objectives.

Timestamps

01:13 Cheat Codes Ignite a Cybersecurity Path

02:26 From Database Admin to Security Professional

05:09 Lessons from Gaming & Early Misperceptions

07:29 The Jump into Executive Leadership

10:53 Compliance vs. True Risk Management

18:45 Overcoming Cultural & Workplace Hurdles

31:55 Diversity, Women in Tech & Final Reflection

Mentioned in this episode:

Call for Feedback

In this episode of Secured, host Cole Cornford chats with Neha Malik, Head of Product Security at REA Group, about building and scaling effective application security (AppSec) programs. They delve into the importance of empathy, communication, and relationship-building between security teams and developers. Neha shares her journey from a Microsoft graduate program, through external consulting at KPMG, and into her current leadership role. They discuss making security easy for engineers, managing security champions programs with realistic expectations, and learning from other disciplines—like psychology and marketing—to better influence and engage stakeholders. Neha and Cole also highlight how tailoring approach and tooling can differ for startups and large enterprises, and emphasise that collaboration, not confrontation, leads to long-term AppSec success.

Timestamps

00:20 - Neha’s Role at REA Group and Positive AppSec Outcomes

01:30 - Starting a Career in Security at Microsoft’s Grad Program

05:45 - Building an AppSec Program from Scratch at REA

10:00 - Startups: Embedding Security in Tools Over Heavy Process

14:40 - Security Champions Programs: Value, Expectations, and Incentives

20:25 - Learning from Other Disciplines (e.g., Psychology) to Influence Teams

Mentioned in this episode:

Call for Feedback

In this special christmas episode of Secured, Cole Cornford does something a little different to usual and answers listener questions. Lots of topics are covered, including new years resolutions, cybersecurity trends of 2024, career and life advice, and plenty more. 

A huge thank you to everyone who sent in questions! We had so many responses that we weren't able to get to all of them. Let us know if you enjoy this format and we may do it again in the future.

Timestamps

1:00 - Cole's thoughts on new year's resolutions 

3:00 - Cole's experiences working in large organisations

13:30 - Critical cybersecurity steps for organisations in 2025

20:30 - Using security tools to protect APIs

26:20 - Protecting against supply chain attacks

36:20 - Cole's perspective on DevSecOps

40:50 - Trends of 2024

50:40 - Diversity in the cybersecurity industry 

1:01:02 - ASPM tools

1:13:20 - Why Cole enjoys making the podcast

1:21:00 - Life advice that has stayed with Cole

Mentioned in this episode:

Call for Feedback

Elizabeth Stephens is CEO of DBS Cyber, where her team deliver IT solutions for clients in various industries. A retired Marine Corps Major and author of the book Building a Resilient Digital Future: A Comprehensive Guide to Cyber Risk Monitoring, Elizabeth draws from her diverse experience in her work. In her conversation with Cole Cornford, they discuss leveraging AI to be helpful and not harmful the politics and nuance of cybersecurity, lessons from Elizabeth's military experience that she applies to her current role, and plenty more.

Timestamps

1:00 - Elizabeth's background

7:30 - How we can leverage AI to be useful not harmful

14:30 - Using AI to help with parenting

20:30 - The politics & nuance of cybersecurity

23:30 - Roblox & cybersecurity for kids

27:00 - Lessons from the military Elizabeth applies to cybersecurity

30:30 - Elizabeth's journey as an author

36:30 - Cybersecurity for small business

Mentioned in this episode:

Call for Feedback

In this episode, Cole Cornford is joined by cybersecurity experts and IRAP assessors, Kat McCrabb and Toby Amodio, to unpack the latest updates to the Protective Security Policy Framework (PSPF) for 2024. They explore the significant changes introduced in the PSPF, such as the heightened emphasis on IRAP assessments, the potential strain on resources due to increased demand for assessors, and the impact on government agencies' compliance efforts. The discussion delves into the restructuring of the PSPF domains, including the separation of information and technology, and the challenges this presents for reporting and governance. They also address issues with self-attestation in agencies, insights from ANAO reports, and the critical importance of managing legacy IT systems. Kat and Toby offer valuable perspectives and practical advice for organisations navigating these new requirements, highlighting the need for proactive planning and adaptation in the evolving cybersecurity landscape.

Timestamps

01:27 - What is the PSPF? Toby explains the framework

03:07 - Kat discusses the biggest changes in the PSPF 2024 updates

04:20 - Challenges with IRAP assessments: time, cost, and limited assessors

06:18 - When are IRAP assessments required? Clarifications

08:13 - Changes in PSPF domains: splitting information and technology

10:08 - Implications of the changes for reporting and governance

12:15 - Comparison with NIST framework and governance considerations

13:38 - Issues with self-attestation and insights from ANAO reports

15:09 - Strategies for improving reporting and assessments in agencies

17:36 - Managing legacy IT systems under the new PSPF requirements

18:52 - Key takeaways and final thoughts from Kat and Toby

Mentioned in this episode:

Call for Feedback

In this episode, Cole Cornford speaks with Anand, an API security expert at Traceable AI with over 18 years of experience in crafting innovative IT solutions. Anand's expertise spans API design, microservices architecture, cloud technologies like Kubernetes and AWS, and security architecture including IAM and OAuth. Together, they delve into the critical importance of API security in today's digital landscape, discussing why traditional web security measures are insufficient, lessons learned from incidents like the Optus breach, the challenges of managing API inventories, and how AI and machine learning can enhance security practices. Anand also shares his experience writing a book during the pandemic and the value of continuous learning. This episode is packed with insights on modern application development, cybersecurity, and plenty more.

Timestamps

4:20 - Understanding API security challenges

9:30 - The role of AI in API security

16:55 - The importance of API inventory management

24:00 - The business impact of API security

28:00 - Cole & Anand discuss books & writing

34:00 - Current state of API security in Australia

Mentioned in this episode:

Call for Feedback

In this episode, Cole Cornford speaks to two guests on the topic of robotics: Damith Herath, a Professor at the University of Canberra, and Adam Haskard, co-founder and Director of Bluerydge, a Canberra-based cybersecurity and technology firm. Together, Damith and Adam are conducting research into Secure Robotics, an emerging field of study that addresses the intersection of robotic safety, trust, and cybersecurity. In their conversation with Cole, they discuss the growth opportunities for robotics, how someone interested in the field could pursue a career in robotics, potential risks of the common household vacuum robots, and plenty more.

Timestamps

2:00 - Robotics: definitions & applications

8:45 - The intersection of robotics & cybersecurity

10:00 - Trust & safety in robotics & cyber

15:00 - Emerging risks in robotics

18:40 - The role of cybersecurity in robotics

20:30 - Regulation and innovation in robotics

40:00 - Growth opportunities for robotics

29:00 - Future of robotics & AI

32:00 - Career pathways into robotics

39:00 - Rapid fire questions

Mentioned in this episode:

Call for Feedback

Ilkka Turunen is the CTO at Sonatype, a company that helps millions of software developers use open-source software while minimising security risk. In this conversation, Ilkka chats with Cole Cornford about the benefits and risk of using open-source software, how Maven helped standardise software development processes, the different approaches to AppSec regulation in Australia and Europe, and plenty more.

Timestamps

1:33 - Ilkka's career background

4:00 - Varying quality of open-source software

6:10 - How Maven helped standardise software development processes

13:00 - The balance between speed of delivery & quality

17:00 - Importance of environment parity in software dev

21:40 - Risk of using 3rd party code in software

25:10 - Regulation of AppSec in Australia vs Europe

32:10 - How new European software security regulations will be enforced

35:00 - Recommendations for compliance with European regulations

39:00 - Rapid fire questions

Mentioned in this episode:

Call for Feedback

Daisy Wong is the Head of Security Awareness at Medibank, as well as a disability advocate. Originally from a marketing background, Daisy gained experience in the cybersecurity industry working as part of penetration teams, before making her way into the security culture and awareness space. 

In her conversation with Cole Cornford, Daisy discusses using the tools of marketing to educate people on cybersecurity, what are the hallmarks of a good security culture and awareness program, and the importance of diversity in cybersecurity.

Timestamps

4:00 - Daisy's transition from marketing to cybersecurity

8:10 - The importance of security culture and awareness

11:00 - Building effective security awareness programs

14:15 - The role of diversity in cybersecurity

17:00 - Strategies for inclusive hiring practices

19:40 - The power of communication in security awareness

23:20 - Creative approaches to security awareness campaigns

31:45 - Daisy's personal perspective on the importance of diversity

43:40 - Rapid fire questions

Mentioned in this episode:

Call for Feedback

Antonio Deliseo has been in the information security industry for decades. Currently working at Telstra, Antonio has enjoyed a long and winding career path and has plenty of stories and insights to share as a result. In this conversation with Cole Cornford, Antonio discusses how he got started in his career studying physics, overseeing cybersecurity at a goldmine, how to advocate for cybersecurity within a large organisation, and plenty more.

Timestamps

1:40 - Antonio's career background

3:30 - Advantages of coming from a non technical background

8:30 - Stories from Antonio's early career working at a goldmine

14:00 - How Antonio moved into the GRC space

17:30 - The role a board of directors plays in cybersecurity

20:00 - Cybersecurity is less like IT, more like gambling or insurance

25:30 - Calculating the cost of a breach in dollar terms

30:30 - How to advocate for cybersecurity as a CISO

40:00 - Cybersecurity often seen as unaffordable by small businesses

42:30 - Pros & cons of networked technology

Mentioned in this episode:

Call for Feedback

Ben Gittins is the Principal Security Engineer at Bugcrowd, one of the world's best bug bounty platforms. Ben has previously worked as a Senior DevSecOps Engineer at Canva, as well as DevSecOps Lead at SecureStack. 

In this conversation with Cole Cornford, Ben shares his belief that cybersecurity needs more generalists, how coding and AppSec have changed over time, whether cybersecurity qualifications are overrated, and plenty more.

Timestamps

3:50 - Why is Aus cybersecurity lagging behind? 

9:50 - Over-reliance on purchasing cybersecurity products 

14:40 - We ask too much of our AppSec professionals 

19:00 - How App development & cybersecurity have changed over time 

24:00 - "Greenfield projects" are often not realistic 

28:20 - How to bring new people into the AppSec industry 

32:00 - Importance of communication skills 

38:20 - Cybersecurity qualifications are overrated

43:00 - Rapid fire questions  

Mentioned in this episode:

Call for Feedback

Shan Kulkarni is the co-founder and CEO of Nullify, a product designed to augment AppSec teams with AI agents capable of carrying out multiple levels of product security work autonomously. Prior to Nullify, Shan worked in roles such as Cloud Operations Lead at UNSW Redback Racing, and Cloud Security Engineer at CMD Solutions Australia. 

In this conversation with Cole Cornford, Shan discusses the challenges of starting a business, and in particular the challenges of hiring, the state of AppSec in Australia, what the future might hold for the industry, and plenty more.

Timestamps

1:30 - Shan's career background

5:30 - Why AppSec is so often inefficient and expensive

9:00 - Bigh tech has a monopoly on AppSec talent

12:30 - Shan's journey from consultant to founding a company

15:40 - Biggest mistakes when starting a business

19:20 - Selling products/services to devs is extremely difficult

25:00 - Where Shan sees AppSec going

28:00 - Consolidation of security products

32:00 - What security leaders are struggling with: visibility

34:00 - Rapid fire questions

Mentioned in this episode:

Call for Feedback

Dan Draper is CEO and Founder of CipherStash, a data-storage platform that helps customers keep data secure. As well as being fascinated by Cryptography and data security, for most of Dan's career he's either been a founder or worked in the leadership team of startups, so has plenty of experience in both business and getting into the nitty gritty details of technical problems. 

In this episode Dan chats with Cole Cornford about Cryptography, the challenges and rewards of founding a company, best practices for securing funding for a startup, and plenty more.

Timestamps

 - 2:00 - Dan's career background

 - 8:00 - Dan's lessons from working in government

 - 9:30 - When Dan became obsessed with cryptography

 - 12:40 - Reflecting on Dan's 1st failed business

 - 17:10 - The founding of CipherStash

 - 23:40 - Managing data a major challenge in large orgs

 - 28:00 - Different types of data breaches

 - 32:00 - Potential and limitations of AI in cybersecurity

 - 37:00 - Experience raising money for a startup

 - 44:10 - Dan's 3 tiers of investors

 - 46:00 - Rapid fire questions

Mentioned in this episode:

Call for Feedback

In this episode, Cole Cornford chats with Matt Jones, co-founder of Elttam, an independent security boutique that provides security assessment services. On top of his role at Elttam, Matt is active in the infosec community in a variety of ways, including helping with BSides Canberra's call for papers and writing open-source tooling such as talkback.sh. Cole and Matt chat about the motivation behind founding Elttam, why Australia's infosec industry is lagging behind other parts of the world, the exploit development space, and plenty more.

Timestamps

2:00 - Matt's career background

7:00 - Matt's early challenges finding an opportunity in cybersecurity

11:00 - Why Matt chose to co-found Elttam

13:00 - Cole: Australia's infosec industry is immature compared to US

19:00 - The importance of specialisation

20:30 - Better to do 1 thing really well when bootstrapping

24:00 - Using the right approach for the right context

25:30 - Risks of using a bug bounty program

31:10 - Cole: the bar for pen testing reports should be much higher

37:10 - Training & education for infosec

39:00 - Cole: is infosec a cottage industry?

44:00 - Product vs service approach to cybersecurity

47:50 - Cole: I like looking at source code from 80s and 90s

49:00 - Rapid fire questions

Mentioned in this episode:

Call for Feedback

In this episode of Secured, host Cole Cornford interviews Bruce Large, a security architect and evangelist at Secolve, the OT security specialists in Australia. They discuss the importance of threat modelling in operational technology systems and the need for engineers to consider the potential for cyber attacks. Bruce also shares insights from the ISA/IEC 62443 series of standards, which provides guidelines for secure system development in OT. Additionally, they touch on the significance of unions in the tech industry and the benefits of joining organisations like Professionals Australia. Tune in for a fascinating conversation on application security and more.

Timestamps

1:25 - Bruce's professional background

2:40 - Defining "engineer" in different contexts

6:20 - Differences between computer engineers and civil engineers

8:20 - Threat modeling

12:40 - How we treat safety in software vs other industries

18:30 - Bruce: we should be encouraging lifelong learning

24:00 - ISA/IEC 62443 safety standard

29:00 - The Year 2038 Problem

34:20 - Unions & industrial relations

43:40 - Rapid fire questions

Mentioned in this episode:

Call for Feedback

Paul McCarty is CEO and founder of SecureStack, a DevSecOps visibility & automation company, and GitLab's Red Team leader. Paul's been involved in software security in Australia for decades. In his conversation with Cole Cornford, Paul discusses how Australia's software security industry has changed since the early 2000's, whether security professionals aught to know how to code, and plenty more. 

Timestamps

2:50 - Paul's career background

7:00 - Spicy take: people on LinkedIn are too blindly positive

10:00 - Understanding what went wrong when there's a breach

13:00 - Cole doesn't think "zero trust" is feasible

14:10 - Cole: maturity of cybersecurity in Aus is weak generally

16:00 - Cole hires for dev experience, not sec ops, because dev is harder to teach

18:30 - Aus market different to US, which has lots of software companies

21:50 - Paul: we've devalued the importance of operations

22:20 - The "holy trinity" of offensive security

26:30 - What percentage of ASX companies have a bug bounty program?

28:50 - Cole's free pizza exploit

31:00 - Got to be in security for the long haul

31:40 - The book that changed Paul's life

Mentioned in this episode:

Call for Feedback

Timestamps

1:40 - Advantages of generalisation vs specialisation

4:00 - Tips for communicating effectively to leaders

6:00 - Clarity comes from simplicity

9:30 - Importance of reporting structure in a large org

14:20 - Core foundations of a cyber strategy

20:00 - How current economic climate is affecting cybersecurity budgets

24:30 - How do you maintain intrinsic motivation?

27:00 - Work life balance

30:30 - Rapid fire questions

Mentioned in this episode:

Call for Feedback

Secured by Galah Cyber with Cole Cornford website

Timecodes

7:15 - Tara's first days in AppSec

10:00 - How to influence people

12:30 - Why we should dial back on the doomsday conversation

14:10 - Find your change champions

21:30 - Is a non-technical background help or hindrance?

23:30 - Communication and influencing key skills

26:00 - Communicating with execs

28:20 - Rapid fire questions

Mentioned in this episode:

Call for Feedback

Daniel Grzelak is currently the Chief Innovation Officer at Plerion, and has had a storied career at a variety of technology firms around Australia. In this conversation Daniel brings his experience and insight to the topic of common myths and misconceptions within the cybersecurity industry, and with Cole Cornford tackles questions like:

Does a cybersecurity professional need to know how to code?

Is there a workforce shortage in the industry?

Should pen testers write remediation advice?

Timestamps

1:50 - Does a cybersecurity professional need to know how to code?

5:40 - Is there a workforce shortage in cybersecurity?

9:30 - Questions to ask when interviewing potential cybersecurity hires

12:30 - Are people in cybersecurity bad at promoting their own skills?

17:00 - Should pen testers write remediation advice?

20:20 - Daniel's career advice: start writing

Mentioned in this episode:

Call for Feedback

In this episode, Jacqui chats with Cole Cornford about how businesses can change their approach to hiring to improve diversity, the importance of supporting kids and students of all backgrounds who have an interest in the field, as well as some of her thoughts on the future of the industry.

Secured by Galah Cyber with Cole Cornford website

Timestamps

4:30 - Jacqui’s career background.

9:30 - How Jacqui became inspired to tackle the issue of diversity within cyber.

10:00 - At Jacqui’s first cyber event in Aus, struck by a sea of men.

13:00 - Achievements Jacqui is proud of from the last 10 years.

15:20 - What can businesses do to encourage diversity.

19:00 - Cole: what are some systemic issues we need to tackle?

22:00 - Jacqui: you can always teach technical skills.

23:00 - How we can support kids & students to move into cyber.

25:00 - Rapid fire questions.

27:10 - What will be the theme in cyber for 2024.

Mentioned in this episode:

Call for Feedback

In this conversation Susie chats with Cole Cornford about Susie’s career, the benefits of coming from a non-technical background, and they do a deep dive on the security needs of small businesses in Australia.

Secured by Galah Cyber with Cole Cornford website

4:36 - Susie’s career background

5:40 - benefits of coming from a non-technical background

7:15 - Challenges of running your own business

7:40 - Cole: you’re selling protection, it’s a pure cost

8:10 - Susie’s motivation to become a founder

9:00 - Consequences of breaches “the worst working day of their life”

10:30 - Most common  security challenges for small businesses

13:00 - Big businesses that work with small businesses share cyber risk

14:40 - Supply chains and small businesses in Australia

17:20 - 90% of employers in Aus aren’t served by our current cyber solutions

18:00 - Worst examples of advice not suited to small business

19:20 - Tips Susie would give to small businesses

21:20 - Password managers are a no brainer

25:00 - Rapid fire questions

26:10 - One cybersecurity myth Susie would like to debunk

Mentioned in this episode:

Call for Feedback

They also discuss the importance of financial management skills in a management role, the Australian government’s updates to the Essential 8 and the national Six Shields cyber strategy, the importance of work life balance, and plenty more.

Secured by Galah Cyber with Cole Cornford website

4:00 - Nathan’s career overview

8:00 - “Not if, but when” and the principle of acting like a breach has already occurred

10:40 - Cyber resilience is critical

11:00 - Finding value in the impact of your work

15:00 - Matching cybersecurity strategy to the resources available

17:20 - High regulation/barriers to entry restrict quality security advice

19:00 - Importance of access to affordable cybersecurity tools

19:30 - Australian government “Six shields” update

23:50 - Australian government update to “Essential 8”

27:40 - Why Nathan adopted financial management concepts in his cybersecurity work

31:10 - Cybersecurity decisions are made for financial reasons

33:10 - Typical career trajectory: follow money, then people, then problems

35:40 - Importance of work-life balance

40:40 - Rapid fire questions

Mentioned in this episode:

Call for Feedback

In the conversation, Cole and Mat chat about the importance of diversity and representation in tech and cybersecurity, what Mat looks for in a potential employee, what lessons cybersecurity professionals can learn from other industries like health and law, and plenty more.

Secured by Galah Cyber with Cole Cornford website

14:40 - How to improve diversity within a team

17:00 - What Mat looks for in a potential employee during a job interview

19:40 - The stereotype of cybersecurity professionals

20:00 - The movie The Web, and portrayal of cyber in film

24:00 - Cole: example of bad behaviour at a cybersecurity expo

26:30 - How did Mat build his business?

30:40 - Taking inspiration from how other industries operate

31:40 - Mat’s company targeting ex-nurses for employees

33:30 - The importance of brevity in corporate communication

35:50 - It’s not possible or useful to try and know everything in cyber

37:20 - Rapid fire questions

Mentioned in this episode:

Call for Feedback

Today, he’s Chief Information Security Officer at Judo Bank. In this episode we chat about how Michael has managed major transitions in his career, the importance of aligning cybersecurity strategies with business goals, systems thinking as a framework for approaching cybersecurity, and plenty more.

Systems Thinking Made Simple - by Derek Cabrera:

https://www.amazon.com.au/Systems-Thinking-Made-Simple-Problems/dp/1520740492

Secured by Galah Cyber with Cole Cornford website

2:20 - A good summary of Judo Bank

7:10 - How Michael became a CISO

9:00 - How Michael almost bailed on his cybersecurity training after day one

12:00 - The joys of scuba diving

14:30 - Advantages of systems thinking

16:30 - How someone can get started with systems thinking

17:40 - DSRP thinking (Distinctions, Systems, Relationships and Perspectives)

24:20 - Delivering AppSec by meeting the business where it is, not being idealistic

25:20 - “It’s not all about downsides”, businesses succeed by taking risks

27:10 - How we can promote more business-mindedness in cyber

32:50 - Michael’s transition from techie role to CISO

39:50 - Cole: “Leadership is a funny thing”

43:30 - Rapid fire questions

Mentioned in this episode:

Call for Feedback

They chat about the potential for AI to improve AppSec, the unhelpful tendency to idolise big tech companies, the importance of good communication between developers and AppSec, and plenty more.

Secured by Galah Cyber with Cole Cornford website

Mentioned in this episode:

Call for Feedback

Jeanette chats with Cole Cornford about some common misconceptions about AppSec, the sometimes uneasy relationship between developers and AppSec, the potential for AI to change our industry, and plenty more.

Secured by Galah Cyber with Cole Cornford website

7:30 - Jeanette’s career background in aviation

10:40 - Working for airline “best years of my life”

13:10 - Giving up career to move to Australia

15:20 - Jeanette’s current role at Secure Code Warrior

16:40 - Developers being wary of appsec

20:40 - Cole: I don’t think education issue, but incentive issue

24:00 - Using AI to improve appsec

24:40 - What is Secure Code Warrior

28:00 - What do teams struggle with in terms of Appsec?

36:00 - Management leading by example

38:40 - Often, devs don’t want to hear from appsec team

43:00 - How did Jeanette get involved with appsec after moving to Aus

46:50 - Value of webinars, podcasts, and people sharing knowledge online

47:30 - Developers, programmers or engineers, what’s the correct term?

51:50 - The importance of titles and job descriptions

52:30 - Rapid fire questions

59:30 - Jeanette: hug your appsec team

Mentioned in this episode:

Call for Feedback

Secured by Galah Cyber with Cole Cornford website

Time Stamps

6:25 - Edward’s career background

10:00 - Did Edward enjoy living in Wollongong? 

11:20 - Value of work experience while at Uni

14:00 - What led Edward to start his own business

15:40 - Using automation to make a business more efficient

18:10 - Career pathways within info security

19:00 - The big 4 firms in cybersecurity

20:40 - A broader issue with the Australian market

22:30 - Financial planning

25:40 - The best blog posts that Edward has written recently

27:10 - The professionalisation of cybersecurity 

32:00 - Too many tech solutions, not enough service providers?

36:00 - Edward anecdote: one guy in the company who knows all the systems

37:20 - Rapid fire questions

Mentioned in this episode:

Call for Feedback

Abhijeth Dugginapeddi is currently Head of AppSec at BigCommerce, an ecommerce platform used by thousands of companies across 150 countries, as well as lecturer at the University of New South Wales. Abhijeth has worked in cybersecurity for well over a decade, including roles at Adobe and Commonwealth Bank. 

Secured by Galah Cyber with Cole Cornford website

2:56 - Cole’s career background

4:30 - Cole rapidly becoming head of AppSec function 

8:20 - Looking back, was Cole’s career background a good start?

10:20 - Cole’s advice for people getting into cybersecurity

13:30 - The 3 “A”s of consulting

16:00 - Is elitism still common in cybersecurity?

16:50 - Cybersecurity: we’re taught an adversarial mindset by default

20:10 - What were the motivations and challenges for Cole starting a company?

22:40 - Cole’s experience at a recruitment fair

25:50 - What a day in the life of Cole looks like

31:00 - Tips for leaders on how to build a successful security team

34:00 - Importance of good relationships/communication among team

35:30 - Does Cole have frustrating days? What are some challenges he’s overcome?

44:00 - Rapid fire questions

Mentioned in this episode:

Call for Feedback

An entrepreneur at heart, Karissa took a leap of faith, quit her job, and has since focused on helping those with technical expertise tell their stories more effectively.

In this episode Cole Cornford chats with Karissa about her experiences with podcasting, producing a TV show, the ups and downs of entrepreneurship, and plenty more.

Secured by Galah Cyber with Cole Cornford website

Time Stamps

• 4:20 - Karissa’s career background.
• 6:30 - Moving away from a purely technical role.
• 7:20 - Cole: is a uni degree important for a career in cyber?
• 11:10 - Karissa being inquisitive in her early years.
• 11:50 - Treating people the same regardless of their job/rank.
• 13:00 - Cole: lots of students think a uni degree will be enough to get them a job.
• 15:00 - Karissa’s decision to pursue entrepreneurship.
• 16:40 - Cole: starting out in business, naivety can be valuable.
• 18:40 - Karissa’s journey building her business and getting into media.
• 23:30 - In the early days of Karissa’s podcasting, what worked well and what didn’t.
• 26:40 - Cole gives a shoutout to W2D1.
• 27:30 - Karissa: podcast hosts need to enjoy/care about hosting their podcast.
• 31:30 - Karissa’s TV show.
• 38:00 - The importance of preparation for a podcast.
• 38:30 - Karissa’s entrepreneurship journey.
• 39:20 - Karissa: Entrepreneurs are a different breed.
• 43:00 - Entrepreneurship is constantly challenging.
• 44:30 - The importance of a good support network.
• 45:10 - rapid-fire questions.

Mentioned in this episode:

Call for Feedback

Secured by Galah Cyber with Cole Cornford website

Time Stamps

4:46 - Sharks as a metaphor for adversaries in cybersecurity

9:40 - Financial literacy

12:30 - Need for greater gender diversity

14:30 - Learning financial literacy from running a business

18:40 - How Jason’s business experience informed his approach to cybersecurity

19:00 - Jason’s experience with the company Starward Whisky

24:20 - Cle sees similarities between whiskey company and Galah Cyber

25:40 - In business, approaching problems differently to the competition

25:50 - Jason’s gold mining business

26:30 - Raising millions for the gold mining business, only for it to be taken over

28:00 - Learning more from mistakes than successes

28:30 - In cyber, we shold learn from instances and mistakes better

30:20 - Optus breach, and the imbalance of “one mistake and you’re hung drawn and quartered”

Mentioned in this episode:

Call for Feedback

Secured by Galah Cyber with Cole Cornford website

Time Stamps

4:15 - Sam’s journey into cybersecurity.

5:00 - Sam losing her confidence when coming to Australia.

6:00 - Cole has seen people from overseas struggle to fit into Australian work culture.

7:00 - Sam’s experience with racism.

8:10 -  Sam’s positive experiences meeting mentors.

9:10 - Cole’s uni address and why “career ladder” is a terrible analogy.

11:45 - Sam: a story of one mentor who changed the path of her career.

14:10 - Cole: giving back to the community that fosters you.

16:40 - How to network effectively.

17:00 - The value of attending community events.

19:00 - The growth of cyber community in Australia.

20:00 - Sam: today everyone wants  to get into cyber.

20:20 - The increasing gender diversity within cybersecurity.

21:30 - Sam: the need for greater diversity within cybersecurity.

27:20 - Sam’s experience being a woman in a cyber leadership role.

28:20 - Sam: most women feel like they need to be perfect to be acceptable.

31:40 - Sam: cybersecurity is changing every day.

32:10 - Sam: cybersecurity professionals have a positive impact on the lives of people.

Mentioned in this episode:

Call for Feedback

In this episode, Laura chats with Cole Cornford about the challenges of becoming a startup founder, the current state of AppSec training & education, Laura’s vision for SafeStack’s legacy, and plenty more.

Secured by Galah Cyber with Cole Cornford website

Timestamps

4:19 - Laura’s career background.

7:45 - no clear pathway into a career in AppSec.

8:40 - Cole’s experience at a career expo @ Newcastle uni.

12:00 - Large and small companies AppSec needs are different.

14:00 - A large company like Facebook is very different from the average company.

16:40 - Security has a tendency to get lax for software not being actively developed.

18:10 - Laura: the theme of this conversation “you will fail and this will make you stronger”.

19:00 - Why Laura is in AppSec.

20:00 - Laura speaks about being a salesperson + having a product company.

21:20 - Cole: I anticipate AppSec will grow Laura: software rules the world.

25:10 - SafeStack: for profit with purpose, balancing purpose and profit.

27:50 - Laura: discussing Blackbird’s investment in SafeStack.

29:40 - Laura’s background as a consultant.

30:20 - Laura: customers called me “Mary Poppins of AppSec”.

32:50 - Laura’s transition from consulting to founding a product company.

34:20 - Laura: on building a company, I sometimes joke “I used to be in security”.

37:40 - The leap from idea to product.

38:30 - Laura’s vision for SafeStack’s legacy.

40:10 - SafeStack’s “one hour AppSec”.

Mentioned in this episode:

Call for Feedback

Secured by Galah Cyber with Cole Cornford website

Timestamps

• 9:10 - When Ken started running AppSec conferences.
• 12:00 - Ken: an “agnostic approach” to appsec really resonated with people.
• 14:30 - Ken: “by nature we are always behind the curve”.
• 15:40 - Ken: appsec is getting much harder.
• 17:00 - Cole also advocates for an agnostic approach to appsec.
• 18:50 - Ken’s favourite thing about Github: the culture.
• 20:30 - discussing Github.
• 25:00 - Appsec education.
• 26:30 - quality software is secure software.
• 27:30 - AI & Appsec.
• 33:50 - Brief overview of Ken’s professional life, transition to being a founder.
• 36:30 - Cole: people who plan to build a product alongside consulting.
• 38:20 - Cole’s experience starting a consulting business.
• 39:40 - Ken’s interests outside AppSec.
• 40:40 - How Ken got into brazilian ju jitsu.
• 44:10 - Cole’s pandemic experience.

Mentioned in this episode:

Call for Feedback

Iain chats with Cole Cornford about taking a risk-based vs a compliance based-approach to cybersecurity, why punishing a company for their security breaches can sometimes be a bad idea in the long run, the importance of communication skills, and plenty more.

Secured by Galah Cyber with Cole Cornford website

Timestamps

4:30 - Iain: my entire career is finding issues in things.

7:15 - Are security professionals naturally risk averse?

8:00 - Compliance vs risk approach to cybersecurity.

9:00 - Cole: I try to understand the business before talking security.

9:15 - Iain: discussing optus breach & risk vs compliance.

11:00 - Should we persecute companies for having security incidents?

11:15 - The tenant of “zero trust.”

12:00 - Cole: as soon as you start being punitive, no one will want to work with you.

16:15 - Cole: a business is there to achieve an outcome.

16:50 - Cole: a lot of security challenges are user experience challenges.

18:15 - Cole: passwords solved the wrong problem (spicy take).

20:00 - Iain’s spicy takes.

21:40 - Companies claiming to help people meet “essential 8 compliance.”

25:35 - Essential 8 note very relevant to appsec.

28:35 - Iain’s background.

30:00 - Iain: I have a rule with vendors I work with: no selling.

31:30 - Cole: no Australian likes to be sold to.

33:30 - Cybersecurity in the OT space.

36:00 - Challenges in OT that don’t exist in other sectors.

38:45 - Difference when working on tangible vs non tangible software/hardware.

40:15 - Difference between software engineers & developers.

41:15 - Software as a profession hasn't existed very long.

44:50 - Iain’s advice.

49:30 - Cole: too much focus on technical skills.

50:20 - Iain: sometimes, leaders choose to accept risk.

51:15 - … and if you can’t accept that, you’re going to burn out.

53:00 - You can’t live without risk.

54:15 - Founding of Comfycon.

Mentioned in this episode:

Call for Feedback

Secured by Galah Cyber with Cole Cornford website

• 4:00 - Ian works from different locations around the world.
• 5:20 - Ian’s professional background.
• 5:30 - Ian was in cybersecurity before it was called cybersecurity.
• 8:00 - Cole’s professional background.
• 9:30 - Common misconception: if you build it, they will come.
• 11:20 - Moving from consultant to starting a product company.
• 12:20 - Skills that were useful for Ian when he became a startup founder.
• 13:00 - Ian: I like to be comfortably uncomfortable.
• 14:30 - Cole: I am a naturally good salesperson.
• 16:00 - Selling is a valuable skill for all security people.
• 18:30 - Cole: What scenarios have you pushed yourself to be uncomfortable?
• 21:30 - Cole: I think starting a company is not as big a risk as people think.
• 22:40 - Cole: Public speaking anecdote.
• 25:15 - Cole: Shaving a yak parable.
• 27:00 - Ian: Similarities between starting a business and having kids.
• 31:40 - How Ian came to found his company.
• 35:00 - What drove core product changes for Ian’s company.
• 36:40 - Advice for aspiring SAAS founders.
• 39:10 - Ian: The graveyard of products that nobody uses.
• 40:20 - Approach to startups in the current challenging financial market.
• 44:10 - Quick fire questions.

Mentioned in this episode:

Call for Feedback

Host Cole Cornford chats with Edwin about transitioning from focusing on the nitty gritty challenges of an engineer to the very different challenges of overseeing a team, the importance of due diligence when using open source software, the pros and cons of end to end encryption, and plenty more.

Secured by Galah Cyber with Cole Cornford website

2:55 - Importance of listening.

3:50 - Edwin’s current role.

4:28 - A recent news story: end to end encryption & Google.

7:30 - Unintended results from security decisions.

8:38 - Security about making "an informed risk decision."

9:50 - Edwin’s background and career trajectory.

12:50 - The challenges of doing intangible work vs. work you can see the tangible impact of in the real world.

13:30 - Edwin: "Changing from a technical challenge to a people and culture challenge," i.e., going from a technical role to a manager role.

15:50 - Cole: Would you want to go back to a technical role?

18:30 - Edwin: In security, there’s this idea that security is a blocker.

20:30 - Edwin: "What you know today is obsolete in 11 months."

23:40 - Cole: I think AI is a really good example of security not having a proactive mindset.

25:00 - Edwin: Security team always chasing its tail.

26:30 - Cole: I always worry when cybersecurity teams advocate for having more money.

27:30 - Edwin: Security is seen as a "cost centre," not revenue generation.

30:30 - Advice for young people wanting to enter the industry/tech more generally.

32:40 - Rapid fire questions.

35:50 - Edwin’s favourite book to recommend: How To Win Friends and Influence People.

37:30 - Edwin’s 1 piece of advice: "Look at your open source supply chain."

Mentioned in this episode:

Call for Feedback

Secured by Galah Cyber with Cole Cornford website

00:00 - Toby Amodio and Cole Cornford start their discussion about the Australian Cyber Security Centre's (ACSC) Information Security Manual (ISM) Control 2023 Updates, focusing initially on the encryption and handling of passwords.

03:38 - Toby highlights a humorous typo on a 30-character limit for "break glass" accounts, which was later corrected by the ACSC.

06:04 - Cole discusses the ISM Control 1171 update which relates to password managers. They explore the pros and cons of using these tools.

09:00 - Toby introduces a change in ISM Control 1492, which now requires password changes only when there are indications of compromise, marking a shift from regular password changes.

11:08 - Cole discusses changes in ISM Control 1428, highlighting how security is shifting towards a more risk-based approach rather than blanket mandates.

14:15 - Toby talks about Control 1371, which emphasises procurement processes and "secure-by-design" practices. However, he also acknowledges the practical challenge of enforcing such a control.

18:43 - Cole and Toby discuss ISM Control 1431 which focuses on scalability in cloud environments. They delve into how most government systems might not be architected to handle dynamic scaling.

25:46 - Toby introduces the concept of continuous real-time monitoring. They debate the removal of Control 1518, which pertains to maintaining a low-bandwidth version of a website as a form of backup.

28:51 - Cole argues against maintaining a low-bandwidth website. He emphasises the need to build more resilient applications that can handle load effectively.

31:42 - Toby and Cole discuss the practical impact of the changes, noting how it creates a competitive vector for businesses and promotes better cultural change in the security space.

33:18 - Toby summarises the overall changes in the ISM guidelines, focusing on the blend of security by design and resilience of websites and external services.

34:51 - Cole shares his viewpoint on why it's better to focus on resilience rather than having a low bandwidth backup.

36:07 - They discuss the potential negative implications of switching to a low-bandwidth version during high load, such as causing alarm and potential reputational damage.

37:41 - Toby and Cole discuss their favourite parts of the updates, appreciating the indirect promotion of better cultural change in security through the ISM.

40:46 - They conclude their conversation, expressing their gratitude to the ACSC for the constant improvement of the ISM document and its value to the cybersecurity community.

Resources

https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism

Mentioned in this episode:

Call for Feedback

Secured by Galah Cyber with Cole Cornford website

6:00 - Discussion on Sheena’s career background.

8:00 - Sheena discusses the start of her career in consulting, highlighting its benefits.

10:30 - Cole shares his experience and challenges moving into consulting.

13:30 - Cole asks about the essential qualities required for leaders of companies.

17:00 - Cole addresses the challenges of having just a one or two-person cybersecurity team.

20:20 - Sheena shares strategies on how to encourage shared responsibility throughout a company.

23:30 - Cole discusses the negative dynamic between security teams and the rest of the company.

25:20 - Sheena emphasizes that the security architect should be part of the architecture team.

26:20 - Cole presents two models that security architects typically fall into.

32:20 - Cole asks about decision-making strategies regarding resource allocation.

32:40 - Sheena insists that the cybersecurity strategy needs to align with the business strategy.

34:20 - Sheena highlights the rapid changes in the cybersecurity field.

34:50 - Sheena asserts that compliance is not a strategy.

36:50 - Cole addresses the difficulty in measuring ROI in cybersecurity and asks about Sheena's strategies.

42:50 - Rapid fire questions begin.

49:00 - Sheena's piece of advice: the importance of collaboration and cooperation.

Mentioned in this episode:

Call for Feedback

Secured by Galah Cyber with Cole Cornford website

2:30 - Benefits of shared workspace.

5:30 - Shubham’s background.

9:00 - Bug bounty hunting.

10:45 - Developing a good work ethic from crappy jobs.

15:00 - Video game hacking.

21:00 - Tying video game hacking to cybersecurity.

22:40 - Shubham: got in trouble for hacking in high school.

24:20 - Shubham: had to convince his parents to let him study computer science.

26:00 - Shubham was working an unpaid internship.

26:50 - Cole: pros and cons of uni education.

29:20 - Shubham: I don’t discourage people from going to uni.

32:00 - Assetnote - discussing the company.

34:00 - Shubham started commercialising but “had no idea what I was doing”.

36:45 - Cole reflects on his early naivety when starting Galah Cyber.

38:30 - Pros and challenges of bootstrapping a business.

39:00 - Shubham: came close to running out of money.

40:45 - Cole: I see a vacuum for app sec talent in smaller orgs.

41:30 - Cole: software has eaten the world. Now AI is eating software.

43:10 - Shubham: division of work between Shubham and co-founder.

44:30 - Doing any job to move the business forward.

47:00 - Rapid-fire questions.

Mentioned in this episode:

Call for Feedback

Secured by Galah Cyber with Cole Cornford website

4:40 - Riki’s background and career journey.

11:30 - Riki: as a recruiter, I’m the least important person in the interaction.

13:40 - Cole reflects on opportunity cost.

14:20 - Cole: recruitment’s a tough industry: why?

17:00 - Cole: I follow David Mayster’s philosophy.

20:00 - Riki: Video calls and pandemic changed recruitment industry.

23:00 - Team culture is hard to drive when everyone is working remotely.

24:20 - Pros and cons of video calls in recruitment.

26:20 - Hybrid work.

27:00 - Riki: recruiting for big tech firm that requires hybrid work.

27:50 - Cole: what are some trends in cybersecurity recruitment?

28:40 - Riki: In general, seeing a maturing of the industry.

30:20 - Riki: gender diversity trending in right direction.

31:20 - What are the right qualifications/requirements for a cybersecurity job.

33:00 - Importance of networking.

35:00 - Limited amount of entry-level cybersecurity jobs.

36:30 - Cole: if you can’t empathise with people, you’re screwed.

38:20 - Tips for people further along in their career.

39:20 - Riki: your appearance matters.

41:10 - Cole overdressed at Atlassian office.

42:00 - Quick fire questions.

Mentioned in this episode:

Call for Feedback

In his conversation with host Cole Cornford, Trevor discusses finding a balance between protecting against security threats while allowing an organisation to pursue its goals, the importance of being vulnerable with your colleagues, and plenty more.

Secured is brought to you by Galah Cyber.

Secured by Galah Cyber with Cole Cornford website

Timestamps

• 2:00 - Opening banter.
• 5:00 - The most interesting project Trevor’s worked on (gives 3 examples).
• 6:40 - Cole: making a difference by working in the public sector.
• 7:20 - Trevor: “Shelfware” vs worthwhile work.
• 7:45 - Cole: Cybersecurity industry has a lot of people who are jaded.
• 8:30 - Trevor: we all have to use the “fear factor” to generate money.
• 9:10 - Trevor: cybersecurity has to enable business.
• 9:50: - Cole: How do we build a positive, trusting relationship with our customers?
• 11:00 - Cole: People focus too much on technical aspects, not enough on business aspects.
• 13:00 - Trevor: cybersecurity is often prioritised far too late into project.
• 13:30 - Cole: how do we change the above?
• 14:40 - How Trevor got into cybersecurity.
• 19:50 - Cole: I believe cybersecurity should be approachable.
• 20:45 - Trevor: you wouldn’t cross a road without looking left and right.
• 22:40 - Making calculated risks.
• 23:55 - Cole: delegation is important.
• 25:40 - How sport has been helpful to Trevor’s career.
• 29:20 - Exercise helps free the mind.
• 30:00 - The importance of taking a break.
• 32:30 - Advice for young people entering cybersecurity: be willing to learn from trial and error.
• 36:50 - Quick fire questions.

Mentioned in this episode:

Call for Feedback

After years of working as a software developer, Nina Juliadotter was reading headlines about data breaches at major companies. She was horrified to think developers like herself might be leaving vulnerabilities that made these breaches possible. This inspired Nina to study for a Masters in Cybersecurity, and has focused on improving application security ever since. Today, Nina is Westpac’s Principal Information Security Consultant. 

In her conversation with Cole, Nina discusses cybersecurity education and training, the crucial role of software inventory management, the importance of not being afraid to ask “dumb” questions, and more.

Secured is brought to you by Galah Cyber.

Secured by Galah Cyber with Cole Cornford website

Timestamps

3:13 - Nina’s path to getting into cybersecurity.

3:37 - “I was horrified” - Nina felt responsible for data breaches.

4:50 - Cole: Are developers taught about AppSec today?

7:00 - Need for higher-up management to appreciate the importance of AppSec.

9:00 - Cole: How do we tackle the problem of not having enough respect for AppSec?

10:30 - Nina: I don’t think secure development is rocket science.

12:10 - Nina: I believe the work is meaningful.

13:00 - Nina: It comes down to good and evil.

13:30 - Cole: AppSec is working with real, tangible things.

15:00 - Cole: What does formal cybersecurity education look like?

16:30 - Nina: Considers her work very specialised and narrow-focused.

17:00 - Cole: Believes most AppSec professionals are generalists.

18:30 - Nina: currently focusing on inventory management.

19:00 - Nina: Where do you start with an AppSec program?

21:45 - Cole: How does a large organisation tackle inventory management?

22:40 - Nina: how inventory management works at Westpack.

24:50 - Cole: What’s one personal trait that’s helped in your career?

25:00 - Nina: I was never one of the gifted kids.

25:45 - Nina: Important to always ask questions.

29:30 - Cole: Importance of hard work.

30:40 - Rapid fire questions.

Mentioned in this episode:

Call for Feedback

Secured is brought to you by Galah Cyber.

Secured by Galah Cyber with Cole Cornford website

Timestamps

4:00 - Two examples of exciting projects Toby has worked on.

5:30 - “Cybersecurity is built on the human”.

5:40 - How Toby’s work helped people during covid.

8:30 - Parliament house bells in the background.

9:00 - Important to communicate in ways businesses can understand.

14:20 - Begin discussing the Australian Cybersecurity Centre.

15:30 - Cole: “I better read the ISM again”

16:40 - Cole: wants the podcast to focus on personal journeys.

17:00 - Toby’s background is studying politics and arts.

20:00 - Toby: “The crux of my career…”.

21:00 - When you should say no to a client.

22:30 - Cole’s views on people skills & the right attitude are more important than qualifications.

23:40 - Toby recommends debating in high school as helpful for any career path.

24:15 - Toby recommends having cross-domain capabilities.

25:30 - Cole: communication skills are key.

26:50 - Toby: it’s easy to assume malintent.

26:50 - Toby: Half the job is calling CIO’s baby ugly.

28:35 - Cybersecurity experts have to tell people what’s wrong constantly.

30:00 - Cole: I see lots of people are afraid of auditors.

30:38 - Toby: Auditors are your friend.

30:50 - Toby: The only thing that grows in the dark is a fungus.

31:40 - Cole: Toby has progressed in his career very quickly.

32:00 - Cole: What are some challenges unique to gov?

33:50 - Toby: Higher levels of scrutiny.

35:20 - Collaboration between different gov orgs.

37:30 - Private sector keeps its cards close to its chest.

39:00 - Cole: cybersecurity in the rental sector.

39:50 - Quickfire questions.

Mentioned in this episode:

Call for Feedback

Subscribe now to hear career stories and practical tips to help level up your career on “Secured by Galah Cyber”.

Mentioned in this episode:

Call for Feedback