
    Get Cyber Resilient Ep 81 | Building a positive cybersecurity culture - with Andrew Pritchett

    Our guest for this week’s show is Andrew Pritchett, CIO at Grant Thornton Australia.


    Andrew has had a unique career that has seen him traverse through a range of industries, from sheet metal production, to 10-pin bowling, and finally to IT where he quickly rose through the ranks to CIO roles.

    Andrew brings his unique perspective to this conversation centred around building a positive cybersecurity culture and how to lead change using Kotter's eight step process. Andrew walks us through this process and his principles around patience, balance, coaching, and transparency.

    The Get Cyber Resilient Show Episode #81 Transcript

    Garrett O'Hara: Welcome to The Get Cyber Resilient Podcast, I'm Garrett O'Hara. The conversation today is with Andrew Pritchett, who is the Chief Information Officer over at Grant Thornton. It's always a good sign when you're 20 into an engaging conversation and haven't even hit record for the actual interview. Andrew truly has the squiggly line career, from sheet metal work, ten-pin bowling coach, into an overnight computer operator gig. And from there, he was off to the races with promotion after promotion, leading to CIO roles. Andrew has written for the Get Cyber Resilient website on positive cybersecurity culture, including how to lead change with Kotter's eight step process as the framework. We talk through that in more detail, including each step in the process, and also Andrew's principles for fostering cultural change. Those principles are be patient, be balanced, be a coach, and be transparent. Over to the conversation.

    Welcome to the Get Cyber Resilient podcast, I'm Garrett O'Hara. And today, we're joined by Andrew Pritchett, who's the Chief Information Officer at Grant Thornton. How you going today, Andrew?

    Andrew Pritchett: Pretty good. Just looking forward to having a chat.

    Garrett O'Hara: The first thing we kind of always ask the guests is just to tell us how they got to where they are today. So obviously, you're the Chief Information Officer for Grant Thornton, but you know, you've, you've obviously had other roles along the way, but it'd be great to just get a sense of your journey to, to land where you are today.

    Andrew Pritchett: Yeah, I think it's actually had a pretty non-traditional journey I would say, like I sort of started as a factory worker, like doing sheet metal.

    Garrett O'Hara: Okay.

    Andrew Pritchett: [laughs] and, and roofing, and guttering and, and I got sacked from that job. And then I worked in a bowling alley and while I was working in a bowling alley, like, you know, handing shoes and, and, you know, putting perfume in shoes and powder and, you know, I wasn't a bowler. I just luckily got a job through the paper. I realized that I probably needed to do something maybe that might be a bit better or a bit more opportunity for income to be... you know that's a stable income job. So I went to TAFE with the, the sole... the so sole goal to get a job in technology that would be, you know, consistent or something that I wouldn't get sacked from perhaps.

    And I went to TAFE, I didn't finish my course. About three quarters of the way through the course I got an opportunity to get a job at Diners Club, which was a credit card back in the day. And was an overnight computer operator. A computer operator's like a service test person, but you, you basically take printouts off printers and put them in pigeon holes and you might... you know, the technical side of it might be, you go... you go to a mainframe screen and you type 14, comma, 15, comma 10, and you might do that seven or eight times a night. And that was my seven years doing that. And then what happened is there was sort of towards Y2K, there was a big thing in the IT industry where everyone was really scared about the Y2K bug.

    Garrett O'Hara: Yeah.

    Andrew Pritchett: And there was a big, big... a big... I was a night shift person, so I just worked nights. And I was there in the morning and the... everyone just didn't really think of me as being part of the team. I was just like this outsider that was sort of like there at night, you know, like, you know, something from a TV show. And they came in, and the IT guys came in, there were about 40 IT guys, and they came and said, "We need you to stay around, we're gonna have a meeting. We're going on strike." "Okay, cool. I've been here for 12 hours. It's, you know, 8 o'clock on a Monday morning. I'm exhausted, but yeah, sure."

    So I'm sitting there and then the, the CIO at the time came up and said, "Where is everyone, Andrew? What are you still doing?" He was genuinely concerned for my wellbeing. And I said, "Oh, I think they're actually in a meeting." So he goes into a meeting and they are... they were. They had a big fight in the meeting, all 40 people and the CIO. And on the spot, he sacked the network... The network team. He sacked them on the spot. That was it, they're gone. So we had two Novell guys. And Novell was, like, before Windows or, you know?

    And he came over to me, said, "You're pretty smart. You're now my network guy." And so that was how I got my first technical role, and I was sink or swim. And I did that for a few years. And then I just sort of kept getting promotions and promotions to a point where I had some really good bosses, and got a relief CIO job while my boss went away. And then I leveraged that to get a full-time CIO job in another firm when he came back, and from then I've worked in a couple of different professional services firms. Yeah, law firms, accounting firms at that level. So, yeah, that's probably non-traditional... I did go back though and do my MBA. So I felt... I, I... that definitely was something that stopped me from getting a management job 'cause I didn't have a degree.

    So I went back and started my MBA, and it took a long time, but yeah, that, that definitely was something that I think was beneficial for me getting the cred- the credibility to get a CIO role.

    Garrett O'Hara: Yeah. Very cool. And as a matter of interest, like, how good a bowler are you? I know you were... you were kind of working behind the desk, but did you get a chance to, to sort of hit the pins?

    Andrew Pritchett: Yeah, I think once, I got over 200. I, I, I was actually a coach, so basically I couldn't bowl, but I actually knew the technique to coach others. So, like, they would actually have, like, coaching programs, and I'd have to actually go coach people and like, I'd be coaching people that were way better than me. Like, but they didn't know that 'cause they just assumed because I worked there. It was something that was actually really quite out of my comfort zone. So I felt like an absolute hustler. So yeah.

    Garrett O'Hara: Yeah. Interesting that we're on coaching, and not yet, we won't get too far off track here, but I often think that you don't need to be really good at the thing necessarily. You just need to be good at coaching and, and having people spot, like, what they need to get better at sometimes, right?

    Andrew Pritchett: Yeah. I, I think that's actually true. And it probably holds true to, like, work now. Like, I'm... you know, I don't know Jack about, you know, software development, actually coding certain languages or whatever. That's my guys, but I can help them with thinking about how to structure something or, you know, things to consider outside of that, that, you know, is sort of more generic. And that's how I think, you know, I know we're talking about bowling coaching, but that was very similar. Like, I got shown how to coach, not shown how to bowl.

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: And then they thought I was actually okay at it. And they just kept giving me, and I kept getting work, doing this coaching thing, which was... It didn't... it didn't earn me any money 'cause I was just the shoe guy, but it earned... it earned the bowling, at least, the money because people would pay whatever per hour to get coached.

    Garrett O'Hara: Yeah. So this is interesting to me 'cause like, I suspect you probably had a, a very kind of a seminal experience there that is gonna lead to what the topic of conversation is today, which is around culture, but it feels like what you just said so there, learning to coach not learning how to bowl, that's the distinction, you know when it comes to... you see people all the time, really, really good at a role. And then they get promoted into management because they're good at the role. And then it turns out they're actually not very good at the management side of things 'cause no one's... you know, that's a very different... it's a very different skill.

    Andrew Pritchett: Yeah. There's a... there's a model for that. It's called the Peter Principle. And it's a... it's a model that says you get promoted to your level of incompetence. [laughs] and I, I... a few times, I'm pretty sure I've been promoted to my level of incompetence. So I've been pretty lucky, but yeah, definitely used to ha- have a few friends, and we used to joke about that. That's you know, your [inaudible 00:07:22] and you get promoted and you have to sort of almost adjust your personality, adjust your whole style to survive. And I think our previous... in our preamble conversation, I was joking how I feel like I'm an imposter. I feel like I'm acting quite a lot. I think that comes down to it. I actually deep down, I'm a nerd, or deep down, I'm a technical person.

    And I have to work really hard for the empathy side. I- I'm better at it now. I could keep going, I think it builds, but the empathy side and the... and the... that soft skills is something that I was really challenged with for quite a long time. Some people that reported to me over the times would probably even now probably think I'm the worst manager in the world, so.

    Garrett O'Hara: But you are aware enough to at least, you know, consider the possibility 'cause it's amazing how many people in leadership roles, yeah, that wouldn't even... [laughs] wouldn't necessarily cross their minds. So look, I mean, you actually were very kind and, and recently wrote an article for the Get Cyber Resilient site, so the kind of sister website to the podcast and it was,

    Andrew Pritchett: Yes.

    Garrett O'Hara: ... the field guide to building a positive cyber security culture. And yeah, I suppose the, the big question to start with: why, why does a positive cyber security culture even matter in an organization? That might seem like a really simple... there's an obvious answer, but yeah, I'd love to hear your take on that.

    Andrew Pritchett: Well, I actually got a story from today. Like, so just like two hours ago, we we... today's our lockout day for cyber and for... If you haven't done your cyber training today, today's our lockout day. So we just locked out 130 people from their accounts. And I had a really nice bloke.

    Garrett O'Hara: [laughs]

    Andrew Pritchett: You- you're laughing. This is... this-

    Garrett O'Hara: I, I am. [laughs]

    Andrew Pritchett: I had a really nice bloke come up. I haven't seen him for two years 'cause of COVID, whatever. He's a pretty, pretty smart guy. He's a senior guy. He's on big bucks. He's top performer, you know, can't say enough nice things about him, but he came up and he's got his laptop in his hand. He goes, "Something's wrong with the laptop." And I go, "Did you do your training?" And he goes, "What training?" And like, he's just not reading his emails. And you know, we, we sorted him out and then like, you know, that same person three years ago was done with the phishing attack.

    Garrett O'Hara: Yeah. Okay.

    Andrew Pritchett: So, and, like, we had... we, we didn't lose data, but we, we know the person gained entry. But we know what they did 'cause we used Darktrace, so we can actually see what they were doing. However you know, just a good example, I think, like, that's just training. So when, when I talk about culture, like, it's gotta be taken seriously from the top level down. He's a senior guy. And you know, he's a, as I said, top-performer just, you know, it's just not in his... it's not even on his on peripheral vision. It's just like blinkers down. "I've just gotta get my work done. I've gotta focus on what the client wants." But without that, like, cyber security culture, you don't have a holistic approach of, like, the part of your job is to protect your client's data. You know, protect our data. And you know, he's doing... he's done his training now, so he is all good.

    But yeah, it's... Yeah, it's a... yeah, I think it's just so many aspects of this, this point that it's just, just the fundamental. We have a board that holds me accountable for a bunch of metrics, and it's not necessarily... there's no cultural metrics, but by, by establish- by establishing that, they'll come to you, and they'll come to you with some problems or some opportunities or challenges, however you wanna put it as opposed to finding a workaround. So you've gotta create this thing that they understand, and they have enough understanding that they, they kind of appreciate what they may not know. And therefore, you get to a situation where you kind of have a chance. Without that, I'd suggest... You know, I deal with other, other firms and other companies, and you know, the, the cyber guy is, yeah, everything's a no.

    Garrett O'Hara: Yeah.

    Andrew Pritchett: And kind of... they just work around it. And, you know, often those guys, or that person's days are numbered, guy, girl, you know, whoever it is. Yeah. So I think that as CIO, though, you have to establish that culture, and you have to actually define what you're trying to... what sort of culture you're trying to do and then set up your principles to align with that. So that's like, "Okay, I'm not a no guy. I'm a no, but guy, or a maybe guy, or let me come back to you guy or let me work out what you're trying to achieve guy," and really be known for that. And then you kind of can actually work with the business or work with the people. And then they start to understand, you also have to explain and coach, like we just talked about, like explaining what the ramifications are or using stories from other places to really build that, that, that awareness, the, the desire, that there is a problem and that they can actually see it and it's really tangible for them. And then, typically, if you're in a good firm, like, I'm very lucky, you kinda can get built on that over a period of time.

    Garrett O'Hara: Yeah, absolutely.

    Andrew Pritchett: But-

    Garrett O'Hara: And I, I think you, you sort of... you've touched on some very, I think, important points around you know, culture, which, which points to engagement rather than just understanding that maybe you shouldn't do the bad thing, but actually, like, to your point, if I'm... if I'm kind of getting you right, you've got people who actually don't just understand that they shouldn't, but they're engaged enough to not want to, because they kind of understand the wider ramifications of what it could mean, yeah.

    Andrew Pritchett: I think... And I think that that's almost like if you can get to a point where you're not seen as the enemy-

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: ... and people re- respect you and then people have a desire and they sort of hav- know enough that they know that it's really a big problem. Like, it's not just... we're not just mucking around, you know, there's hackers there, there's, you know, there's people who want your data or client... or the client's data or the... or money, you know, there's, you know, different types of money. If you can get them to appreciate the ramifications, then they sort of take it seriously. It becomes like a, a burning platform or a, a reason to change or a reason to actually engage. So you've gotta, like, be pretty honest, pretty transparent. It's actually... I think it's a tightrope. Like, it's like-

    Garrett O'Hara: Yeah.

    Andrew Pritchett: ... you have to sort of... you know we locked out accounts today. The, the guy that came and said, "What if I was just walking into a client meeting? Look, you can't lock my account out." I said, "Well, we sent you an email. We did this, we did this, we did this, you've had this much at some point." And, and he goes, "Well, who's made this decision?" I said, "Well, I've got the board endorsement to do this." And he's like, "Oh, okay, well, yeah, that's pretty serious. Okay, cool." So, you know, and then... but at the same time, like, straightaway, we unlocked his account. We helped him, made sure there were no problems, made sure that he was... we didn't impact him, you know? And he's the... he's the first person that if he comes to us, you know, during lockdown, he, he called us, he's got, like, some kids at home, they were starting to work from home and he said, "You know, we don't have enough screens at home. Is there anything you can do?"

    So we just shipped him a couple of screens. So, like, he knows that if he needs our help, he can come to us about anything that's stupid. Like, you know, anything, really. But at the same time, he also knows that we don't do things... You know, but he is really challenged at, "Who told you you could do this?" You know, it's like, so even though he still challenged, you know, later he'll remember that it was only a couple of years ago that he was phished, so.

    Garrett O'Hara: Yeah, it's, it's, it's kinda easy to forget that stuff when it does happen. And, you know, look, I definitely take your point around walking the, you know, to use your words, walking that tightrope because like, this stuff is so serious, but I think you're... like, I, I fully agree that that sort of positive reinforcement, building the human relation, getting the culture going, like, that's critical, and you can sort of... well, you can't really scold people 'cause they tend to kind of shut down, you know, react wrong, you know, react in the wrong ways.

    Andrew Pritchett: Yeah. I think for... that's a great... they're great. If I tried to scold that guy, like, he is like pretty senior in our firm. Like, he probably has the power to get me sacked. And that's not good... you know, that's not the... the other thing that we take back, I think it's a, a, a pretty key thing I can shout out to a guy's name's Phillips Gogy. He... we actually used to the best interest of the firm. So if you can actually show them, demonstrate the reasons why you've got the best interest of the firm, which means you really gotta know your detail, which is where it really does help to be technical. If you can articulate what, why, what you've done is in the best interest of the firm, which is what I really tried to do today. They get it 'cause it's their company, and they get it, and they can't really argue with that.

    If you are just like, going, "No, I'm not gonna... but I'm not gonna tell you why. And I don't care. And you'll... here's a... you're gonna get a rap across the knuckles, and I'm reporting you." It doesn't help. Like, if you can actually articulate, "I'm doing this because A, the board wants us to do it, because if we actually don't do the training and then someone is phished, and then someone gets in as well as taking data, you know, we're in the paper, we're losing our cyber insurance. We're, we're losing clients, you know, we're... some of our clients are banks." So we, you know, we try every dimension we can to make sure that we're as compliant as possible with, you know, cultural dimensions, training dimensions you know, security, obviously, not even that. We're just talking about the soft side of it.

    The hard side of it as well is having all the right tools, all the right technologies in, in place to actually protect them. So, you know, to some extent they, you know, they can actually, you know, be safe without worrying, but there is an element that they have to still be aware. I- I'm... I'm rambling because I, I, I just laugh because we actually... we did a board report just recently. And in the board report on one of the slides, it actually... when we are doing our phishing simulations, we're seeing a slight increase of, of click-throughs by our people.

    Garrett O'Hara: Yeah.

    Andrew Pritchett: Two things have happened. Obviously, we use Mimecast for our email spam filtering and filtering, and it's got... it's, it's improved and got really good. So they very rarely get a phish attack. And we also use targeted threat protection, which is a... is a... is a tool that allows you to kind of block, block your URLs, not block URLs, basically when the person clicks, it re- rewrites URLs, so they're coming, you click on it, and it actually goes and, and gets checked in real-time. And if someone else has, you know, flagged that, you know, it's pretty good. It takes, you know, a few minutes after that might hit you actually, that, that link doesn't work anymore. So we do all these things so that we make it so the user doesn't have to think about things.

    So when we attack them, we're actually able to trick them. So our click ratio is higher, and we do some education and things like that. So it's not like the worst thing in the world, but the clicks are actually probably higher. But yeah, we're getting less. I don't know how to explain it. We're actually doing so much for the user, that they don't have to worry about it as much in our firm.

    Garrett O'Hara: Yep.

    Andrew Pritchett: But at the same time, we have to keep training them because that one that does get through is gonna be the one that kills it. It only takes one; the right attack getting through is gonna be the one that, you know, cripples our business.

    Garrett O'Hara: Yeah. And that, that is the way. And we'll, we'll get to this a little bit later actually about the... like, sustaining the culture, the cyber security culture, 'cause I think that's, that's often where the whee- the wheels fall off the cart. But coming back to the... to your article, one of the things that, you know, I found personally kind of really interesting was you kind of introduced this to Dr. John Kotter's 8-Step Process for Leading Change.

    Andrew Pritchett: Yeah.

    Garrett O'Hara: And so I hadn't seen that before, but it made a lot of sense to me. I'm a big fan of frameworks and, you know, five steps to this, 10 steps to that. I lov- [laughs] I'm one of those people that kind of thinks in that way. But it'd be... you know, we'll, we'll get to, I suppose, the individual steps. It'd be good to understand from your perspective, why, why use a framework first of all? And then if, if you can comment maybe on specifically why you like Kotter's approach.

    Andrew Pritchett: Yeah, it's... it... I- I'm actually just bringing it up 'cause, like, I don't know all the stages in my head. So I'm just bringing up my post on that. But the framework's really important because, like, senior managers or senior execs in the business, a lot of them have done MBAs. A lot of them have actually gone to, like, you know... in our... in our group some of them have gone to Harvard for, like, leadership courses and you know, change management's a really hot topic.

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: You know, and they're saying, you know, "How do we get organizational change? How do we get, like, system adopt- adoption?" So the model actually gives you a tangible thing to talk to-

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: ... so you can actually take the model in and then you can, like, you know, draw a table, do a graph, do a presentation, do something. And they actually, A, it's not me saying, it's not the nerdy IT guy telling them, it's like John Kotter or, like, he's not... I'm thinking of John Connor there, it's... from Terminator. It's... Kotter is like, you know... he's done... he's developed that... you know, I think in the 60s originally, and, like, it went through the 70s, so all the CEOs went through it in the 70s. So it's... you know, it's an MBA change management model... module, you know, method, so that anyone that's done any leadership course will have probably come across it. And what that means is instead of me actually having to sort of make a framework up, which, you know, I don't mind making my own framework up, but it just gives it that, that, that meat on the bone.

    Garrett O'Hara: Yep.

    Andrew Pritchett: And that confidence that you're actually thinking things through. There's a few of them that I use that really help you articulate the story or get to the detail at multiple levels. They hit multiple stakeholders. So some of my stakeholders, they have to deal with that, they, they won't read anything. They'll read eight points on that thing and they'll go, "Right. He's using Kotter's. He must be right, sweet. I'm done." Sign off. Another one will get me in a room and they'll ask me questions for 90 minutes and wanna know every single piece of information I've got, drill me, drill me, drill me to make sure I know everything and I've considered everything.

    You know, and, and not a note... it's not a note, it's not a trust issue. It's a, you know, they- they've gotta be comfortable. They feel exposed if they don't have all that data, especially at the board and the exec level. So we've gotta, like, manage all those messages for every level of stakeholder interest, especially in a business like our own, and I suspect most businesses now at the board or at the exec level. And this, this approach just gives them confidence that I've considered it methodically.

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: ... and then it also gives me a framework where I can drill down into the detail. And then, you know, I start up really high, you know, just the eight steps, you know, embed the change. Okay, in this instance, what does that mean? Okay, and then I can actually say, "We're gonna embed the change by doing this," do, do, do. And then they go, "Okay." And, and you can use it as a, like a, a drill down approach to tell a story and then, yeah. And, you know, great for communications back into your team as well. Like you said, you hadn't come across that particular model before, which you kind of... but it resonated with you straight away-

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: ... because it's pretty well-thought out. It's actually... and it- it's real-world... It's a real world reservation as well.

    Garrett O'Hara: Yeah. There's a couple of things that come to me as you... as you talk through that, like, it's the signal of thoughtfulness and, and kind of aligning to an existing framework, is, I would say, powerful for getting leadership buy-in, sort of, you know, paraphrasing, I guess, what you've just said, but, you know, the work has already been done. Why recreate the wheel, if somebody's got a perfectly good framework that, you know, has been shown and ran, has... can... been battle tested? Like, of course, it sort of makes sense as you talked through to, to kind of go for that.

    Would you be able to very kind of briefly maybe just given... give sort of time, but like, it'd be great to kind of run through those steps of the... of cultural change, given it was kind of a, a sort of key part of the article you wrote.

    Andrew Pritchett: Yeah. So I mean, I've actually, as I said, I actually don't have it in my head, but I used to, when I was doing my MBA. I had to memorize these, these models. And there's like... there's a couple of places on the net you can go to that actually have them all. But this one, in particular, says it starts with create a sense of urgency. And I think this is really important. I mean, this is actually, I think, the reason why a lot of things fail, especially IT projects or change projects. It says... it says create a sense of urgency, but I think it's actually what... how I describe it is creating a burning platform.

    And the burning platform that I'm trying to say is that you're creating, you- you're creating this platform that the person or the person you're explaining to is standing on the platform, but you are getting them to understand that it's on fire, and there's a problem. And they've got to leap off that platform to make a change. And that, that, that leap that they're gonna make. So if you can actually get them to understand that there's a sense of urgency, or I like to use burning platform, then straight away, they're gonna actually almost be on your side to change, especially if you go back and you, you can demonstrate this is in the best interest of the firm. So if you think about, like, I read on the... on or other places, you know, a real challenge to get funding for like cybersecurity stuff.

    Garrett O'Hara: Yeah.

    Andrew Pritchett: I- I've... you know, touch wood, I've never really had a challenge with that because I've been able to et- articulate that whole best interest of the firm. And, you know, if I show the best interest of the firm, especially if you're dealing with the board and the exec, and then all of a sudden, they're accountable for making the decision to do something dodgy or to do... not do something that is imperative, in my experience, unless the firm or the company's under im- immense financial strain that... and which in that case, they might actually defer the cost or they might defer something.

    Now we've got an... I've got an example of that that, you know, that will actually be on board. So the example of that is, we deferred, and I spoke to the vendor and I told them, "I've got approval, but we can't pay for 12 months." And we actually established a three year contract that was back-ended. So we still... And then I went back to the board to say, "Hey, we don't have to pay anything this year. And this is a three year contract, blah, blah, blah." We were able to go ahead with that particular initiative. So I think that, you know, so if you actually have that transparency, if you can actually create that sense of urgency, the burning platform, the next one is build a guiding coalition.

    And that's, like, you've gotta have your team on side. A lot of the time in IT, especially the technical team, there's a lot of argument about what tech to use, or who to use it, or if you use a third party vendor or if you don't, or if we do it ourselves. But if you can actually get the people to buy in that, you know, the sense of urgency, and the, the burning platform, then you actually get them to actually agree with that. We actually need to do this as a burning platform. Some of the... some of the tech stuff just dissipates. And then if it can actually get the people to understand the, the, the burning platform, like, a senior exec, then they're there to sponsor you.

    A trick that my boss currently sort of taught me, and I don't know who's gonna listen to this. So if you... anyone that we actually do this to, can you please stop listening? But what we'll do is if we put a proposal through to the board, or if we put a proposal... Not any proposal, but a significant proposal through, what we'll do is we'll actually separate. And each one of us will take one of the decision-makers. And say there's six or seven decision-makers, maybe more sometimes. And we'll actually go talk to them one-on-one before the meeting to discuss the decision. And we'll explain to them one-on-one, "This is why we're doing it." And we'll put it in their words, how they want to be told or-

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: ... about how they want to learn. We'll give them an opportunity to ask. And often, what that's meant is, often when we go to get the decision made, that coalition has been established with the people who are in the room. They may not... they won't know that we've talked to everyone in the room, and we'll get a unanimous vote. And, like, people come out and like, go, "How did you get... These guys don't agree on anything." And we'll go, "Well, yeah. Well, that- that's because we put forward a good business case." But it's not really 'cause we put a good business case forward, it's because we actually were able to explain to them why we need to do it and get them on side. And, therefore, we had a coalition in the meeting that we actually were able to leverage. Anyway. I really like doing that. That's actually quite fun.

    Garrett O'Hara: It, it sounds like an episode of the West Wing, you know, where they're trying to get agreements on a, you know, a thing and, and they go off and they, they work at the various stakeholders and, and get... get things through. Yep.

    Andrew Pritchett: Yeah. I think... I think that's, that's probably a good example, but I... it's not that dissimilar because we're a partnership. Like, my last few companies have been partnerships.

    Garrett O'Hara: Yeah.

    Andrew Pritchett: We have 160 partners in our firm. Any given time, any of those 160 people could be on the exec. So, you know, at times, I don't know the people very well, 'cause it's really hard to know in deep, you know, depth, 160 people. And I don't know, there's some research on how many people you can know really well. It's definitely not 160. So that that's, that- that's kind of it. And I think getting those two up front is really the key one, and then we've got some other ones like form a strategic vision and initiatives. So that's really just creating your... you know, once you have the, the burning platform and the coalition and coming up with your plan, the volu- volunteer army, like, we do that in our team by getting people involved.

    It, it doesn't mean you don't pay them, [laughs] it just means they're volunteering their time at work to actually help you. And means... that goes back to that they understand the burning platform.

    Garrett O'Hara: Yeah.

    Andrew Pritchett: So if you get that first couple of steps right, everything just flows. The one where... You know, the one that sticks out to me, you know, removing barriers, which is pretty obvious, like, basically just making sure that you're thinking things through analytically, and you know, coming up with solutions around those. Create short-term wins, giving some quick wins and-

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: ... and, you know, the great, but we implemented... I'm not being nice to Mimecast, I know. But we implemented the Mimecast training software and we were on another product. And the product that we were previously on was like a, a 20-minute PowerPoint type solution that asked really questions. And we didn't even always agree with the answers. Now we've gone to the Mimecast solution. It's like a three-minute funny video. So that straightaway gave them back 17 minutes.

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: So it's a quick win in their mind. So that's, that's a good example of a quick win. Another quick win might be when we respond to RFPs for clients that we now take something that would always say no on, that becomes a yes. So they'll put up with a bit of pain if they know that that knows no is a yes in front of the client's eyes.

    Garrett O'Hara: Yep.

    Andrew Pritchett: The, the, the one that where, you know, sustain acceleration, institute change... the institute change is where I think it drops off. And that's going back to the principles of how you, you know, you wanna operate your team. You have to... like, this morning, I could have easily sort of said, "Oh, okay, I'm really sorry. We'll never do this again." And that's... you know, to some extent that- that's how I felt. I felt quite-

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: ... ill from being confronted. But at the same time, like I, I just went through and went back and explained the burning platform again. So you kind of use this model to actually reinforce it. And that means your communications is always structured, aligned. I've found, in my career, I, I try not to bullshit. I don't know if you're allowed to swear on this podcast, but I try not to... like, I try to be very transparent.

    Garrett O'Hara: Yep.

    Andrew Pritchett: And I try not to, like, pull the wool over people's eyes. I, I found... I found, when people do that it sort of unravels, maybe not straight away, but in one year, two years, you know, at some point it unravels. So I think bringing them along, those trusted people, and, and being quite transparent and, you know, saying the truth is, but the, the way it gets you, I guess, is if, if you're going to say the truth, you've kind of gotta know what's true. I'm also not... I'm okay to say, "I don't know, let me get back to you," but it helps. I think you have technical people and you've got people you can trust in the team that you can, you know, leverage.

    Garrett O'Hara: Yeah. M- most definitely. I wouldn't mind kind of just staying on the, the, kind of the... where, where we are at the moment, which is the kind of sustained acceleration part. And, and, you know, the, the struggle that I think many organizations would have where that, you know, I think what can happen sometimes is we're gonna start a, you know, security awareness or behavior change type program. And, you know, everyone gets excited, it's all new. And then, you know, at some point, the kind of novelty will wear off, right, that just happens in most change management at some point, there's the bit where the excitement goes away. And actually, now we have to do the, the stuff that just requires kind of discipline and grit to kind of get it done.

    Any kind of pro tips or like, any suggestions for, like, the listeners as they, like, push through that kind of trough that's ave- you know, inevitably is gonna arrive.

    Andrew Pritchett: Yeah. I mean, I've got a few examples. I, I think... I, I, I think that... Hmm. I think when I start... when I started here, everyone... No one's listening to this podcast, yeah? No one listens, yeah? Hopefully.

    Garrett O'Hara: No one, yeah.

    Andrew Pritchett: When I first started... [laughs] when I first started everyone in the firm had admin rights to their own computer. So they could install whatever software they wanted. You know, it was just... you know, you can just imagine 1,400 people with admin rights and no standard SOE, people could just install, you know, and like we have, you know, systems. So we took that off. And that was actually something that was really painful.

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: It was a... that was like done in my first, maybe few weeks. This is a really important job for me, [laughs] so I got a significant amount of heat. If you can imagine people going, "Hey, I wanna install this software." "No, you can't."

    Garrett O'Hara: Yep.

    Andrew Pritchett: Hang on a sec. So I think if you're gonna do it, you've gotta give them an alternative. So we did it, but we bent over backwards to make sure they weren't impacted. So we're packaging in System Center. We were like finding alternatives. So you've gotta, like... you've gotta be on the ball. If we would've just, like, gone... Like, it's like a marathon. If you just, like-

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: ... sure, we could have done that first week's sprint. And then, like, a week later, you know, we, we wouldn't have done it. So a week later, we would've backed it out. So what happened with that is how you sustain it. Like, that's a... I think that's a really... so how we sustained it is we told stories at the right level to show how this was gonna be the best interest of the firm. So then people can connect emotionally with the change and get behind it.

    Garrett O'Hara: Yeah.

    Andrew Pritchett: Make sure... This is a perfect example, we removed barriers. So when people can say, "No, no. I need admin access, so I need to be able to do this." "Okay, why do you need it?" We actually get our best people on it to solve the person's problem. And often, that meant that they were in a better position than when they were doing it themselves, because it was automated, scripted. They changed their laptop. They didn't have to worry about anything. So really, it's, it's almost like service delivery. So there's that aspect of it. The second aspect, where I think acceleration or, you know, maintaining the pace is really good. We had a guy here, his name was Gavin Townsend, and we kind of couldn't afford to do a methodology for monitoring our cyber maturity. But we could afford it, but we felt that it was better to invest that money into technology to keep our firm safe rather than the technology to report, to report, if that makes sense.

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: So Gavin actually made his own methodology. It was based on this, based on ISO, and we created a scoring framework. And we use that scoring framework over the past eight years to present quarterly to our board and to our exec about how we're going. So putting numbers to things over time-

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: ... and showing those incremental improvements in those numbers, is... I don't know why, but it seems to be human nature to be very competitive. And to see improvement over time just really connects with people, and then they kind of are, how are you going to get to four? So our numbers between-

    Garrett O'Hara: Yep.

    Andrew Pritchett: ... one and six, and my wasted it, like, we, we were, like, a three, and now we're nearly at a four, so we're not even talking a small incremental change over time, but we've got a framework behind that, that actually we honor, and we're very honest too, that allows us to actually then go, "Okay, we're sitting at a four now because we, we just re-"

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: ... "re- re- recently implemented a CASB solution. That's good."

    Garrett O'Hara: Yep.

    Andrew Pritchett: And that meant we moved from 3.9 to four, you know, [laughs] so four has been our five-year goal. So then everyone's like really happy, "Oh, we're finally at four. What's your new goal, Andrew?" I'm like, "You know, we're, we're just trying to get to, like, four [laughs]. I don't want it. We're not going to get to five 'cause we, we... you know, we're going to have to invest a lot of money." But we will we'll review it and change it or whatever. But I think that having that, you know, and we use BitSight... Yeah, BitSight as well. I don't know whether you're familiar with BitSight?

    Garrett O'Hara: For threat intel, I mean?

    Andrew Pritchett: Yeah. It's... So it's for external monitoring. So it gives you a BitSight score.

    Garrett O'Hara: Yeah.

    Andrew Pritchett: So it uses honeypots and a few other things to work out how-

    Garrett O'Hara: Yeah.

    Andrew Pritchett: ... your security posture is. And it uses... you know, let's call it an AI, but it's an algorithm and it gives you a score. So our board and exec want to know my BitSight score every month. And so we put that up and... up- upfront, and we've worked really hard to maintain it.

    Garrett O'Hara: Yep.

    Andrew Pritchett: We've had a hit a couple of times when we've had... we once had a, a client event in, in our Perth office and someone brought a rogue laptop in, somehow managed to use our guest Wi-Fi and that get... they were infected and doing some bad stuff, and we took a 60-point hit. So that score... the BitSight, it's between one and 900. A good score is in the 700s.

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: And we took a, you know, a 40-point hit based on someone coming in using a guest Wi-Fi. So, and that takes six months to get back. So, you know, it's pretty... it's pretty smart. And that... the reason why we knew we had a problem in Perth was because of that... the BitSight. We... It didn't detect because it was on a guest Wi-Fi, which we treat as untrusted, but it's still coming out of our network. So they still... apportion that to us. So that BitSight score. So having those metrics that you can actually measure, really gives a real, tangible sort of-

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: ... flavor for the people to go, "Okay, you know, tell me how you're going?" "Well, here's some metrics here. We can tell you this is what we're doing." You can always show them if you've had an attack or if you hadn't had an attack over time, over years, showing those consistent metrics with the BitSight score with a, you know, a framework score from these still something, is a really good way of doing it.

    Garrett O'Hara: Yeah. So sort of green arrows going up, or, you know, a, a trend line that's kind of, you know, going open to the right, and that, that connects you with people-

    Andrew Pritchett: Yeah. Or even a, a red arrow going down is not bad if it's the truth.

    Garrett O'Hara: Yep.

    Andrew Pritchett: Because when we did have the guest Wi-Fi incident, we were able to show that, and they were like, "Oh my God, this is terrible."

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: And that gave all of the people who were involved in that communications, it wasn't a penalty. It wasn't anything bad.

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: We didn't... we didn't have an exposure or anything, but what it meant is, they realized... that actually was almost educating them. And they're like, "Okay, what are we going to do about this guest Wi-Fi? So then they're almost asking you, "What are you going to do?"

    Garrett O'Hara: Yep.

    Andrew Pritchett: You know, we're talking about, like, what are you going to do with your SPF records? Like, what that... how is this a conversation that, like, a board level is asking you, this is what we're going to do with, you know, different types of DNS records. So I think that, that, is really, when you explain why we took a hit-

    Garrett O'Hara: Yeah.

    Andrew Pritchett: ... then they go, "Okay, well, we need to fix that." So just... it also, I think really establishes a connection to understand the complexity a little because it's so like... I mean, you would know. I don't have to... the complexity of keeping it all together a lot with patching, with certificates. With third-party vendors, with third-party suppliers.

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: With you know, security products and attackers and users that are trying to work around systems. It's, it's, it's very complex. So yes.

    Garrett O'Hara: I- it is. I've been... I've been sort of running a, a campaign in the background that we all go back to advocacy. There's no pads. And, [laughs]

    Andrew Pritchett: That would be better.

    Garrett O'Hara: Yeah. Just to hear, I mean, puts us all out of jobs, but maybe that's the downside of it, but yeah, we'll, we'll get there eventually. And I wanted to... It's maybe, not pivot, but you know, move, move onto the principles that you kind of outlined in your article as well, 'cause that was sort of the, really what felt like the second part of, of the article. And you started there with being, or, you know, be patient as you put it. And one of the... one of the certain timeframes you mentioned in the article was that, you know, it was... it was... well, you said eight years, and then you said five years, but you know, we're not talking five months, it's a reasonable amount of time to get to the point where you feel like, you know, change has happened, and culture is starting to get bedded in. But yeah, it'd be great to, to kind of hear you talk through that, like that, that... like being patient, it seems like such a... it's two words, but it has such an impact on expectations, I suppose.

    Andrew Pritchett: Yeah. I, I, I laugh because, like, we had a sidebar chat, I think on one of the... on an email when we were preparing for this, this chat and like you were like, "Yeah, like, don't really have use Andrew, [laughs] to try to get this all sorted out. I'm just really interested in what the hell are you talking about?" I think you got to bring the people along for the journey, and like, there's not going to be, like, one thing that, you know, while the worst thing, the worst thing that can happen is you're not patient.

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: And normally, when you're not patient it's because you've just been having a... you just had a massive cyber attack, that's when the firm's not patient. So that's like a, a, not in companies that have, you used the word pivot, like just, like, you know, under-invested in cyber or haven't really taken it seriously. Maybe not even under-invested in terms of dollars. It's just not being that important. So to threaten the money-

    Garrett O'Hara: Yeah.

    Andrew Pritchett: Hamadan rod had heaps of halls, I, you know, made heaps of concessions or whatever it is, you know. Sometimes not even that. Sometimes just bad luck-

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: ... really bad luck. That's, you know, just wrong place, wrong time, patch gone wrong, something stupid. And then they get attacked, then basically they, both guys, "Well, we're going to sack everyone, and it's this person's fault." And I mean, that, that approach is not necessarily... that's... but that's what I sort of mean by not... so being patient, what I mean by that is, like, yeah, we, we identified what we needed to do over a period of time. I mean, I don't want to dare myself. The first time we did a penetration test under my watch, the penetration testers got in very quickly, shout out to The Missing Link.

    They, they got in very quickly. It was actually very bad. No, it wasn't very bad. It was like a really good, good thing that they got in, and they were able to fix that. But you know that... So then we get the roadmap, and then we can't... we're not going to be not possible for me to go to the board and get... Two things. I'm not going to get all the money I want.

    Garrett O'Hara: Yep.

    Andrew Pritchett: So it's got to be incremental. And I'm also not going to be able to sustain the change required all at once. It's gotta be incremental, not just from a not just from a, you know, people, you know, side of things. It's actually a technical change. You can't just dump systems in, dump systems in that, you know, just do that, because you gotta make sure that things are architecturally aligned-

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: ... you've got to want it that long. So got to worry about, you know, even, you know, CASB with Netskope applied, that's actually something going to be quite sensitive. Then you put it into the right balance so you don't break your clients' experience or your users' experience. They can still do their work. So, you know, we started off with, "Okay, what's the most... you know what... These are the recommendations from the third party penetration testers. Okay, so this is what we'll do first. But we're not going to stop there. We're going to actually get penetration tested again in six months, make sure we rectified that and get a new list." And it's like a cycle, like... so, you know, so you keep going and keep building your roadmap, keep looking at what's next, it's... And it's never ending. So I think when I say, be patient, like, you've got to start off somewhere. When I say people try to do everything sometimes, they don't laugh.

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: They like... they've got unrealistic requests. So they end up, okay, this guy's a lunatic. I'm not going to do any of it because he wants to do it all. So you got to go, "Okay, gotta be realistic. You've got to be pragmatic." And you, you do have to be patient. You have to like, "Okay, these are the most important things for me to fix this, this time around." and these the next one, these are the next ones, and incrementally, you just get better, better, better, and tighter, tighter, tighter. What I see sometimes, and, you know, it's unfortunate. I see some really smart people get like CEO roles you know, really smart, really good people. And the firm doesn't understand they've got someone who's really good and really smart.

    And they're really pushing, and they'll go, "Okay, this guy's... this guy, you know, he wants to do this. Then it's a stupid, it's a waste of money." You know, they get rid of him. So I think-

    Garrett O'Hara: Yeah.

    Andrew Pritchett: ... it goes back to that best interest of the firm. You have to take them along for the journey, and you have to just do it incrementally for multiple reasons: change, budget, technical change. So yeah.

    Garrett O'Hara: Yeah.

    Andrew Pritchett: I think that sort of explains what I was talking about.

    Garrett O'Hara: It, it definitely does. And that actually echoes... Phil Zongo was on, it's... it feels like a while ago now, maybe a year, year and a half ago. And, but he talks about that idea of kind of realistic outcomes and how important that was, completely, completely kind of echoing what you've just said there. That one of the mistakes you see made is that people promise too much, fail to deliver, break trust, and then, you know, potentially they're [laughs] out of a job, worst case, but you know, best case, people just... they're not really gonna trust them going forward.

    Andrew Pritchett: Well, they can't get more investment.

    Garrett O'Hara: Yep, yep.

    Andrew Pritchett: They can't do the next thing. They might not lose their job, but they're stuck.

    Garrett O'Hara: Yeah.

    Andrew Pritchett: And they, you know, they've, they've got to have a leadership change around them. You know, I've seen that as well, where they get stuck. And then, like, a new CEO comes in and the guy's a superstar again, you know?

    Garrett O'Hara: Yeah.

    Andrew Pritchett: So it's a real... it's a real, real, real balance. A tightrope analogy is actually what I think is a really good one.

    Garrett O'Hara: Yeah. Maybe we might go kind of off piste a little bit on this question, but you did mention kind of, you know, seeing those kind of getting, getting the can because of a breach or whatever. And I've been reading kind of analyst research around how much more valuable a security leader is when they've actually lived and breathed their way through a breach, you know, rather than the, you know, the interviewing sort of questions being a bit like, have you been... have you been a CSO in an organization where there's been a breach? And that's seen as a bad thing, when actually it should be seen as a good thing.

    You know, if we accept the premise that... and, and you kind of said it, you know, patches go wrong, you get these series of things that just kind of, when you chain them together, you've sort of in theory done, not the... you know, all the right things, but you know, directionally everything's been good, and then it goes wrong, but it sees as much more valuable if they've been through a breach rather than not. What, what do you think of [laughs] of that?

    Andrew Pritchett: I think almost like truer words have never been spoken.

    Garrett O'Hara: Yeah, yeah.

    Andrew Pritchett: It's absolutely mad. It's absolutely beyond madness to say some of the things I've sort of heard about or seen, you know, we... I mean, I can't divulge as I've seen it-

    Garrett O'Hara: Yeah.

    Andrew Pritchett: ... just, just gone, and they are absolute guns. And it, because like-

    Garrett O'Hara: Yeah.

    Andrew Pritchett: ... sometimes, and it's, it's, it's just horrific to me. Sometimes they have nothing more to do.

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: They've explained what to do. And they've told them what to do. And they've been told, "No, we're not going to do it that way. Sorry." So someone who doesn't really know what they're talking about has made a decision that this person who doesn't know what they're talking about is wrong. And then the attack happens or something bad happens. And then the person who actually has been trying their hardest to actually make a change is the one that gets, you know, "Well, why didn't you tell us about that?" And you'll go, "Well, I did." "But you didn't tell us well enough." Or your slides weren't... your slides weren't-

    Garrett O'Hara: Your slides weren't good enough.

    Andrew Pritchett: Your slides weren't good enough, [laughs] you know, your email language was, you know, you didn't tell us that it really was. "You told me that it might happen. You didn't tell me it would happen," you know?

    Garrett O'Hara: Yeah.

    Andrew Pritchett: It's like, this is crazy, this is crazy. I think that, you know, being through some stuff, you know, myself like it, my job over we've actually had to deal with different scenarios. It gives you that... It gives you, like, a really good basis of how to understand it, and what tactics to play, who to go get help. You've got to establish relationships.

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: When, you know, they get rid of the CISO. They bring in a new CISO though, and it doesn't mean the new CISO is good. I'm not... definitely not saying that. But what ended up happening is even if they're the best in the world, they've got to establish... they've got to establish relationships. They've got to understand the architecture and the landscape, the politics, potentially-

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: ... the budget constraints. They've got to understand they might be coming into a team that, you know, was really aligned with the previous CISO or the previous security manager. Therefore, like, they've got a hostile team, a hostile environment, you know, it's, it's just... unless the person have... if the person has other performance issues, or it actually really is malpractice, I don't know the-

    Garrett O'Hara: Yeah.

    Andrew Pritchett: ... cyber security.

    Garrett O'Hara: Kind of negligence or something. Yeah, yeah.

    Andrew Pritchett: Negligence.

    Garrett O'Hara: Yeah.

    Andrew Pritchett: Or, or... then I'm thinking that for me, I would... I would be on more inclined to keep them. And I'd say that most manager levels, unless it's... You know, a lot of the time, it's going to be a cultural issue that happens rather than... now, I think that's we talked about and start around developing the culture. This is what that's... what you're talking about there is the cyber security culture. It's not a blame game. As soon as it becomes a blame game, then you kind of lost because you can't cover every angle. It's almost like inevitable that you're going to have some, some attack. I mean, it's not almost inevitable. It's actually inevitable. You know, like when I talk to you, like, you know, when I was thinking about whether I should actually talk to you on this podcast, I'm like, "Do I want to talk to you on a podcast and like, have some hacker somewhere decide that I'm a really good target?" I'm like, that's how I was literally thinking, like. You know, there's smart people out there-

    Garrett O'Hara: Yeah.

    Andrew Pritchett: ... really trying hard to get your stuff, and there's no... I'm under no, no... I'm, you know, I'm trying to think of the right word where no illusion-

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: ... that these guys don't have tools. These guys aren't smart. These guys aren't organized, that they know what they're doing. They probably... you know, there's probably a bunch of them listening to this podcast right now. You know, just, like going, "This is great stuff. I wish I... yeah. So this is what we're going to do. We're going to deepfake this guy's voice and call the CEO and ask him for something," you know. So that's just... it's really, yeah, it's a really interesting thing. But for the greater good, I think we've got to talk about this stuff so people-

    Garrett O'Hara: Yeah.

    Andrew Pritchett: ... will have a better, better chance, you know. It's a real-

    Garrett O'Hara: Yeah. I can't... I can't... Well, you just said there, you know, we gotta talk about this stuff. I mean, clearly I enjoy these conversations, but you know, the, the point of this is the value to the broader security community. That's the only point of this podcast. And I think these conversations help so much because let's be honest, the, the other side of the fence are doing exactly that on forums in the dark web and, you know, all the places that, you know, that those kind of conversations happen. And yeah, the CSO getting canned, I mean, I think it's... the only explanation I could ever really see is that it's a good PR move if you've got to do it for, you know, for PR purposes. But I think, you know, from an overall security outcome perspective, like it's no bueno.

    Andrew Pritchett: Th- that, that might change. I think-

    Garrett O'Hara: Mm-hmm [affirmative]. I hope it does.

    Andrew Pritchett: I think if they actually did a PR perspective that we're actually sticking with the CSO because of these reasons. Like, that would actually probably resonate better in the market that, "Okay, these guys actually give a shit. These guys know, these guys are actually switched on." They're going to actually have a better outcome than go, "Oh yeah, we had that comments." It's not always the... It's also not always the CISO who gets canned. It's sometimes the IT manager, or this... or the the one always... the one that pops into my head was actually the IT manager. So he was the IT manager, not the IT security guy. So they got rid of the IT manager and kept the IT security guy because, you know, and it's like that guy... I've met that guy, he's like switched on, no way that like he's... you know, so it's, yeah.

    It's a really interesting thing. So I, I think that a good... if a smart group think about it, they, you know, they might actually go, "Okay, we're going to use it as a PR, but we're going to go the opposite way that we see that-"

    Garrett O'Hara: Yeah.

    Andrew Pritchett: ... you know, and it might... it might turn.

    Garrett O'Hara: Yeah, you, you would hope so. You'll definitely hope so. We're, we're pushing time here, but yeah, I'm keen to kind of get on to the next principle that you had if assuming you can continue talking,

    Andrew Pritchett: Yeah, yeah, go for it.

    Garrett O'Hara: We can? Yep. Which is being balanced. And I'm actually going to quote you on this one. There's... the quote is, that there's still an us-and-them mentality in many firms. And if you don't walk this tightrope carefully, you'll find the people that work around you rather than the way you... and we've sort of talked about this a little bit already, but w- you know, what to think, as many cyber security leaders, they talk about the people and the politics of the job, and what I'm keen to get to is like how you've seen people successfully walk that line between them and us. And then the nuance, maybe with this question is, how to do it and then push that urgency that you've talked about, you know, the burning platform, what might be an, an aggressive agenda, you know, that, that, that tightrope just seems like so difficult to walk.

    Andrew Pritchett: Yeah. So I actually got a person. There was a... there's a guy in the industry called Peter McLeod. He used to be the CISO of the company I worked at. I'm just laughing because like one time he had... he got his one chance to present to the board. And what he did is he got all their passwords. I say, he hacked all their passwords. And he just put a slide up on the... in the boardroom with everyone in the room's password that they... just [inaudible 00:52:09] there's this slide I want to show you. He's trying to get to a point where he was upgrading the SOE to a different version of Windows. And the version of Windows that they had was known. You could break the passwords really quite easily. And so he just had the slide up there that said, you know, all the board members... it didn't say whose password they were, but he just said, "I just got one slide I want to show you today." And he put up this slide of all their passwords.

    Everyone in the room's password on the screen. And everyone was just like, realized exactly what's happening. Like, they had some stupid passwords, like HomerSimpson11, you know, like, and like [laughs] everyone just sat there for a few seconds. And when they're looking at the screen, not realizing, then they've sort of realized that their passwords are up there, but they've all had the same realization at the same time. I wasn't there for that meeting because I was... like, I was just the network guy, but he came back down to tell me... he comes back down to me and he goes... He sat next to me, he goes, "Yeah, we're upgrading. All good." [laughs] I had to go, [inaudible 00:53:03] "I might not have a job tomorrow, but we're upgrading." He got basically-

    Garrett O'Hara: Great.

    Andrew Pritchett: ... [crosstalk 00:53:07] the room. So I think that's probably... he was trying to... he'd been asking to try to get... to get that for a long time for, you know, maybe six months to a year, and that he went by, "I'm sick of this. I'm just going to try a stumped." So I think, you know, I guess that's maybe the example of what going over the top rep is still getting the outcome. He was still there for years after that. So he was like, really well-respected. And there was many, many times where, you know, he would go out of his way. He was the go-to guy if there was any sort of like internal cyber espionage 'cause, you know, partnerships, people leave, want to take clients, and all that sort of stuff.

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: So he built up a reputation over a long period of time. So I think that's, that's... I guess what our main site, when needed, he's willing to push, you know, really push the boundaries of, like, what's socially acceptable. But then on the other side, he's really approachable and he was able to like, be really value adding, like, 100% of the situations he's, he's presented with. And he definitely wasn't a no person. So it was almost like a, "No, we can't do that, but let me have a think about it, and I'll come back to you all." Here's an approach we could take instead, or here's another way we could do it, or come back and say, "Look, we can't fix it in this instance because historically, we don't have the data, but this is what we could do going forward if you want to have that data. So that next time." So I think, yeah, you got to push hard.

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: But you've also got to be realistic. And, and, and, you know, I think that... you gotta be on their side, and so it's not an us versus them, but sometimes you gotta be, you know, funny, witty, out there, and really challenging the status quo. I hope he doesn't mind me mentioning his name and what he did.

    Garrett O'Hara: We bleep [laughs] we can bleep that out if we need to.

    Andrew Pritchett: No, I think you'll be fine.

    Garrett O'Hara: Yeah.

    Andrew Pritchett: I remember. I actually remember that, that time. And I actually haven't done that particular one, but definitely I've you know, gone to a meeting with a story about a partner that's done X, and I haven't named them, but I've actually gone and got permission from that partner and said, you know, hey, do you, do you mind if we use this story, it's a really good lesson?

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: He goes, you know, normally go, yeah, that's okay. And then I put that up and then what's happened is that's really connected with that group of people because they could see how easily it could happen to them.

    Garrett O'Hara: Yeah, Yeah. Making a company a human, I suppose. Do... the next principle then and just sort of conscious of time at this stage, but it's... it'd be a coach which kind of almost starts to bring us full circle back to the bowling days where [laughs] you were coaching people how to bowl without being a bowler, but in the article that you're contrasting the I think this is such an important point when you contrast the difference in outcomes when cultural change gets kind of pushed forward or catalyzed by positive rewards and feedback rather than the kind of negative consequences or fear-based approaches, and it'd be good to kind of talk, talk to that a little bit.

    Andrew Pritchett: Yeah. So I think, I mean, I believe in this 100%, I think if you actually try to push back and, you know, don't take into consideration egos and stakeholders and all these other things-

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: ... you can be in a situation where you put the worst... a worst in affirming a worst situation. Going back to Gavin, who was here. He, he did a really good job of setting up this whole, you know, coaching mentality. And that's carried on through the team that's in the, the cyber team, which is a guy called Taylor and a guy called Ben. And you know, they, they go really hard to sort of, like, explain... go out of their way to explain and, and help. And also when someone does something good, you know, they really sort of double down on that kudos. The great example for that is, you know, we had... I mean, obviously, our SCO gets attacked all the time-

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: ... trying to get them to change money, and you know, some of the stuff gets through or gets through via someone else. That's not even actually her getting attacked, it's someone else getting attacked with someone pretending to be her, [laughs] you know, it's actually quite, quite a challenging scenario. But she's really awesome at picking up, picking up those attacks, and she's like, you know, this isn't a challenge for everyone out there to see if I can trick my CFO, but she's really good at... good at that. And so when, you know, when we present back up to the, you know, to the board or, or someone, I might use one of the stories exactly when she's actually worked out and, and show them the email, so the board will go-

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: ...holy shit, I might have fallen for that.

    Garrett O'Hara: Yep.

    Andrew Pritchett: And, you know, in that... then that CFO is actually elevated in the board's eyes as someone who really cares about cyber. And then she doubles down on that and she actually does really care. She does already really care, but she realizes that she can get positive recognition at the right level. And then she does it more. But it's because we're giving the kudos. We're recognizing the good behavior, not just penalizing the bad behavior. Not bad behavior, but the mistakes.

    Garrett O'Hara: Yeah.

    Andrew Pritchett: So that's actually something that I think really does make a difference. I've said being coached there. So that's like the training's gotta be funny. The training has gotta be short and engaging. When you're helping, you, you got to not be saying, "No, we can't do that." It's like, okay, here's what we're going to do. This is the risk tolerance. What's your risk tolerance? Okay. 'Cause there's... everything's kind of got a risk in some ways.

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: Nothing's perfect.

    Garrett O'Hara: Yep.

    Andrew Pritchett: And so we'll like... we, we crafted a solution a few months ago where we actually identified what the risks were, and we put mitigations around those, but we got the partner and the client to agree that that way... that those were acceptable risks, we just didn't assume.

    Garrett O'Hara: Yep.

    Andrew Pritchett: But what that did is that elevated them, the thought process of what they should be thinking about next time. So next time we might not necessarily need to be there. And that partner, we thinking, "Oh, hang on a sec, this might be an authentication issue or an encryption issue or, you know, or a private data privacy issue." So really, going through that process and actually using every opportunity or an interaction to sort of like explain. And I don't mean like you know, explain down, I mean, you know, here's the solution, it's really good. And these are the things we've considered, and these are the mitigations we've got for you. Are you comfortable? We think that where... we're nine out of 10 comfortable here-

    Garrett O'Hara: Yeah.

    Andrew Pritchett: ... what do you... what do you think? So that way they can go, "Okay. Right. I, I think this is okay." So sometimes we've even gone down the path of going to the client's cyber security team and checking with them, if they think that, you know, in all getting agreed in that. To be honest, the client, we don't usually deal with the cyber security team, but the, the person that we would deal with typically would be someone like a CFO with a client or someone like that. And they really, really have... It's, it's, it's fascinating. They've got the same challenge where they've got to keep themselves covered because they're responsible for stuff as well. So if their cybersecurity team and our cybersecurity team are agreeing that their risk is, you know, there, and what it is, it's a tangible risk, but it's acceptable in this scenario.

    Garrett O'Hara: Yeah.

    Andrew Pritchett: Then that gives them comfort that they've actually done the right process internally at decliners also. And it just... so it's really bringing them on the journey and getting them to understand and using every single one of those interactions to reinforce the principles. And almost going back to the burning platform, isn't it?

    Garrett O'Hara: Mm-hmm [affirmative]. Yeah.

    Andrew Pritchett: Understanding why you're doing it?

    Garrett O'Hara: And, and it's a thing you do not a point in time. It's probably the big thing I'm getting from this conversation. Like, it- it's, it's, it's small, incremental changes day by day by day by day by day is the thing that gets you to the, you know, that sort of successful place. You know, we're, we're very much pushing it on time here, but I'm keen in the spirit of kind of closure to get to the last kind of principle. And you talk about being transparent, which, you know, we've, we've actually touched upon throughout the conversation. And, you know, you mentioned some of the kind of metrics and stories that you've used to kind of bring leadership along that journey, a journey, any kind of last thoughts on that as we kind of fi- finish out here, Andrew, this is the, the last question I promise. So. [laughs]

    Andrew Pritchett: I'm actually... I'm actually pretty grateful to even have a chance to talk, because I think it's... some of this stuff other people are going to be going through and like, don't know where to get started or don't know what, how far they go. Or it's really hard because, you know, when you're talking to a board, there's a level of how much transparency you want to give them. And, like, it's all... you also, you can... you can never lie, and you can never withhold information, but you can't give everything because it can be overwhelming-

    Garrett O'Hara: Yep.

    Andrew Pritchett: ... and it can cause unnecessary stress. You know, there's... in cyber you know, it's constant stress anyway. You know, so I think it's really important that, you know, you, you have to come up with your own... in your own culture, and your own firm, how much transparency you can actually give. But when I mean transparency, what, what I've seen in the past, if someone has maybe optimistically used it, use something they'll use something that, you know, there'll be say 10 data points. Nine data byt- points a lower rubbish and making... it's really bad.

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: But one data point is actually pretty good, so I'll choose that one data point that's pretty good and actually share that and everyone will be slapping each other on the back. And I'm like, "Guys, this is crazy."

    Garrett O'Hara: Yeah.

    Andrew Pritchett: Like, you actually... you're sort of having... creating a warped perspective of it. So I think when I think about transparency, I'm thinking, making sure that the people you're dealing with have an honest perspective, not too warped in the positive or the negative, and then balancing that, that out is... I think that the, the, the key stuff there is, if you've been attacked, you've got to make sure you, you know, for the greater good of the community, you've got to be transparent with that.

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: You tell clients, you know, a lot of... a lot of people, I... you know, not a lot of people I know now, but I've heard sort of horror stories where kind of companies, you know, everyone's really like comp- this kind of knew something was wrong, but sort of didn't do anything about it for a while. Then it became progressively worse. You know, so it's just... you got to get on top of it straight away. I've actually got an absolutely awesome risk manager in our firm, her name's Joe. So we have open communications. Nothing's secret, nothing about work that is, you know, nothing secret completely aligned, no politics, straight, straight talking.

    So I think that's definitely... and then, like, at the mer- not at the mercy, but almost at the mercy, I say, what do you think we should do? And then when I'm dealing with the board, being transparent with data, and I think going back to that data story is really important, having that data over time gives people a flavor of where you are, and that can be rolled up to be transparent, but at the same time not give too much detail to give un- unnecessary, you know, worry.

    I think the roadmap is really important, and the budget. If I was honest with you, I think that one of the best things we did was we, we benchmarked that cyber security investment. We did that against Gartner. So we got the percentage of revenue for IT, and then the percentage of cyber for revenue, and a percentage of cyber for IT.

    Garrett O'Hara: Mm-hmm [affirmative].

    Andrew Pritchett: And Gartner have the benchmarks for that across the industries. And we can actually then go say, "Okay, are we actually doing enough? Where do we fit with that?" And that's, that's something that I know is good for transparency, I guess, that, you know, we then share that with the board. So when they go, "Are you doing enough? This is what our budget is, this is how much we spend, this is what we're doing." So not hiding things. Yeah, it's a real tough one because I'm sort of conflicted because you can get yourself into a lot of problems if you're... you can't not be transparent, you have to be honest, and you can't hide things.

    Garrett O'Hara: Yeah.

    Andrew Pritchett: But if you talk too much, that's the probably best way to say, if you talk too much, then you create unnecessary worry and, and, and panic and stress and you end up focusing potentially on the wrong things.

    Garrett O'Hara: Yeah.

    Andrew Pritchett: Yeah.

    Garrett O'Hara: Yeah, totally-

    Andrew Pritchett: You'd be focused on reporting instead of, you know [laughs]-

    Garrett O'Hara: Yeah.

    Andrew Pritchett: ... l- logging.

    Garrett O'Hara: Instead. Yeah. Actually it's sort of doing, doing the work. It's a little bit the I think we said it earlier on the... in the conversation around the, you know, the amazing presentation or your sorry, your presentation wasn't good enough was that, is that what we said?

    Andrew Pritchett: Yeah.

    Garrett O'Hara: Andrew, really, really have enjoyed this conversation. So massive thank you for, for coming on and being so transparent, you know, the, in the spirit of the principles phenomenal article, by the way. We'll include that in the the show notes for the episode. So thank you for both the article and obviously then spending the time with us today. Yeah, very, very much appreciated.

    Andrew Pritchett: No, I appreciate the opportunity. Was nice talking to you.

    Garrett O'Hara: Likewise. Thanks so much to Andrew for joining us and for his great take on positive cyber security culture. As always, thank you for listening to the Get Cyber Resilient Podcast. Jump into our back catalog of episodes and like, subscribe, and please do leave us a review. For now, stay safe, and I look forward to catching you on the next episode.