1
00:00:06,000 --> 00:00:08,000
Speaker 1: Welcome to Fear and Greed Q and A where we

2
00:00:08,039 --> 00:00:12,200
Speaker 1: ask and answer questions about business, investing, economics, politics and more.

3
00:00:12,240 --> 00:00:16,079
Speaker 1: I'm Sean Aylmer. Four in five Australian business leaders expect

4
00:00:16,280 --> 00:00:20,000
Speaker 1: JEB political issues will pose challenges to their operations in

5
00:00:20,040 --> 00:00:22,919
Speaker 1: the next twelve months. That's up sharply from last year.

6
00:00:23,079 --> 00:00:26,120
Speaker 1: Mcgrart Nickel has just released a new Risk and Security

7
00:00:26,160 --> 00:00:28,840
Speaker 1: Report for twenty twenty five, which builds on the previous

8
00:00:28,880 --> 00:00:32,240
Speaker 1: two years of findings. And while cybersecurity is still ranked

9
00:00:32,280 --> 00:00:34,720
Speaker 1: as the number one risk for business leaders, there are

10
00:00:34,760 --> 00:00:37,440
Speaker 1: a host of other challenges for Australian companies, from supply

11
00:00:37,560 --> 00:00:41,120
Speaker 1: chain issues through to insider risk. Matt Fine is Head

12
00:00:41,200 --> 00:00:44,120
Speaker 1: of Advisory at mcgrat Nichol, a supporter of this podcast. Matt,

13
00:00:44,159 --> 00:00:47,440
Speaker 1: Welcome back to Fear and Greed. Hi Sean and Matt

14
00:00:47,479 --> 00:00:50,120
Speaker 1: Grant is a partner at mcgrad Nickel. Matt, Welcome to

15
00:00:50,159 --> 00:00:50,800
Speaker 1: the podcast.

16
00:00:51,080 --> 00:00:52,320
Speaker 2: Thanks for having a Sean.

17
00:00:52,800 --> 00:00:55,360
Speaker 1: Matt Fien talk us through some of the headline results.

18
00:00:55,440 --> 00:00:58,360
Speaker 1: How has the risk and security landscape developed over the

19
00:00:58,400 --> 00:01:00,080
Speaker 1: past year or so?

20
00:01:00,120 --> 00:01:01,800
Speaker 3: Thanks Sean, And this is the third year we've run

21
00:01:01,880 --> 00:01:04,480
Speaker 3: the survey and partnered with you gov to go out

22
00:01:04,520 --> 00:01:08,280
Speaker 3: to organizations with fifty or more employees, and this year

23
00:01:08,319 --> 00:01:10,520
Speaker 3: there was over three hundred and thirty responses, which is

24
00:01:10,520 --> 00:01:14,080
Speaker 3: a good representation. I think the number one headline for

25
00:01:14,160 --> 00:01:18,160
Speaker 3: me business leaders really there's a critical gap between security

26
00:01:18,240 --> 00:01:22,960
Speaker 3: risk awareness within their organization and really the organizational capability

27
00:01:23,360 --> 00:01:25,080
Speaker 3: and what they've got built in. A couple of the

28
00:01:25,160 --> 00:01:29,360
Speaker 3: key facts that came out of the responses that we received,

29
00:01:29,760 --> 00:01:32,839
Speaker 3: As you've alluded to, cyber risk is still a top

30
00:01:32,880 --> 00:01:37,319
Speaker 3: concern and leaders are ranking that in their top five challenges.

31
00:01:38,080 --> 00:01:41,840
Speaker 3: Supply chain confidence is certainly declining when I say that

32
00:01:42,200 --> 00:01:46,240
Speaker 3: the thirty seven percent of leaders are only rating themselves

33
00:01:46,280 --> 00:01:50,160
Speaker 3: as very confident in managing the risks within their supply chain.

34
00:01:50,720 --> 00:01:54,440
Speaker 3: And then geopolitical risk it's for the first time emerged

35
00:01:54,560 --> 00:01:56,480
Speaker 3: as a top five concern.

36
00:01:56,800 --> 00:02:00,240
Speaker 1: And I presume that reflects the what's happened PARTICUAR in

37
00:02:00,280 --> 00:02:03,120
Speaker 1: the US, but also in our own region around China,

38
00:02:03,160 --> 00:02:03,559
Speaker 1: et cetera.

39
00:02:04,240 --> 00:02:07,840
Speaker 3: Yeah, I think there's certainly regional pressures and geopolitical risk

40
00:02:07,960 --> 00:02:11,680
Speaker 3: is particularly that issue, and I think what we're seeing,

41
00:02:12,120 --> 00:02:16,000
Speaker 3: you know, with the focus within Australia around Orcus, and

42
00:02:16,040 --> 00:02:18,880
Speaker 3: then I suppose from a China perspective, it being you know,

43
00:02:18,919 --> 00:02:21,600
Speaker 3: the two way trade is exceeding three hundred billion dollars

44
00:02:21,639 --> 00:02:27,240
Speaker 3: between Australia and China. It's a major trading partner of ours,

45
00:02:27,280 --> 00:02:30,200
Speaker 3: but navigating that is certainly a delicate exercise.

46
00:02:30,880 --> 00:02:34,880
Speaker 1: Matt Grant. Cyberstreats continue to dominate executives concerns, followed by

47
00:02:34,880 --> 00:02:38,280
Speaker 1: financial risk. This certainly shows that over two thirds of

48
00:02:38,320 --> 00:02:41,680
Speaker 1: respondents ranks cyber among their top five business challenges. Almost

49
00:02:41,680 --> 00:02:44,679
Speaker 1: half expects cyber risks to increase in severity over the

50
00:02:44,720 --> 00:02:48,000
Speaker 1: next twelve months. It ain't going away. Basically, do you

51
00:02:48,000 --> 00:02:51,840
Speaker 1: have a perspective on these results, what steps organizations can

52
00:02:51,919 --> 00:02:55,400
Speaker 1: be taking now to protect themselves, and also whether they're

53
00:02:55,440 --> 00:02:58,240
Speaker 1: doing any better than the past couple of years.

54
00:02:58,800 --> 00:03:01,320
Speaker 2: I think there's two components to that, Sean. I think

55
00:03:01,400 --> 00:03:03,960
Speaker 2: one is a visibility issues. I think given what we

56
00:03:04,000 --> 00:03:07,279
Speaker 2: see in the media and what's front of mind, executives

57
00:03:07,280 --> 00:03:09,240
Speaker 2: are more aware of what's going on in that threat

58
00:03:09,280 --> 00:03:12,720
Speaker 2: landscape and more across the security risks. And also with

59
00:03:12,840 --> 00:03:17,960
Speaker 2: increased regulator interest in organizations and boards around cyber security,

60
00:03:18,000 --> 00:03:21,320
Speaker 2: I think is a key issue. I think separate to

61
00:03:21,360 --> 00:03:27,560
Speaker 2: that we do see a growing concern, growing threat landscape

62
00:03:27,600 --> 00:03:30,919
Speaker 2: that organizations need to deal with. We see the prevalence

63
00:03:30,960 --> 00:03:35,200
Speaker 2: of AI and AI driven attacks being particularly more sophisticated

64
00:03:35,240 --> 00:03:39,880
Speaker 2: these days. We see more sophisticated phishing campaigns, both as

65
00:03:39,920 --> 00:03:45,360
Speaker 2: individuals as consumers of technology. It also is organizations and business.

66
00:03:45,360 --> 00:03:47,600
Speaker 2: Email compromise particularly is one of the key areas of

67
00:03:47,720 --> 00:03:51,320
Speaker 2: concern for organizations now, where people are convinced to click

68
00:03:51,360 --> 00:03:53,600
Speaker 2: on a malicious link that opens up a door for

69
00:03:53,680 --> 00:03:58,360
Speaker 2: the cyber criminals. In terms of what organizations should be doing,

70
00:03:58,360 --> 00:04:00,560
Speaker 2: we've spent a lot of time helping organize at the

71
00:04:00,560 --> 00:04:04,000
Speaker 2: front end of being able to protect themselves and prepare

72
00:04:04,040 --> 00:04:06,320
Speaker 2: for an incident. Were now at a point where I

73
00:04:06,320 --> 00:04:09,080
Speaker 2: think organizations understand that no matter how well they do,

74
00:04:09,160 --> 00:04:11,760
Speaker 2: they're likely to be subject to a compromise or an

75
00:04:11,760 --> 00:04:13,760
Speaker 2: issue at some times. So we're now spending a little

76
00:04:13,760 --> 00:04:17,120
Speaker 2: bit more time in the resilient space helping organizations be

77
00:04:17,200 --> 00:04:20,240
Speaker 2: ready to respond and recover to an incident. Sort of

78
00:04:20,279 --> 00:04:23,880
Speaker 2: things that we're doing there are helping boards and executives

79
00:04:23,880 --> 00:04:27,840
Speaker 2: through crisis exercises, whether it's cyber or otherwise, and we're

80
00:04:27,880 --> 00:04:31,599
Speaker 2: doing a little bit more in the incident response support space,

81
00:04:31,680 --> 00:04:36,000
Speaker 2: where we're onboarded in organizations in a retainer type process,

82
00:04:36,040 --> 00:04:38,839
Speaker 2: where we're ready to respond if they do face an issue.

83
00:04:39,279 --> 00:04:41,440
Speaker 1: So in some ways I mean cyber risk. There's no

84
00:04:41,520 --> 00:04:43,800
Speaker 1: good news in cyber risks, except for the fact that

85
00:04:43,880 --> 00:04:46,880
Speaker 1: if you're at the resilience we're doing more work around resilience.

86
00:04:47,400 --> 00:04:53,080
Speaker 1: Rather executives and firms at least understand it better than

87
00:04:53,120 --> 00:04:55,719
Speaker 1: they used to, certainly than last year or the year before.

88
00:04:55,880 --> 00:04:58,560
Speaker 2: Absolutely, absolutely right, Matt.

89
00:04:58,560 --> 00:05:03,520
Speaker 1: Coming back to the geopolitic discussion that you we talked

90
00:05:03,560 --> 00:05:06,320
Speaker 1: about a moment ago, the federal government faces a delicate

91
00:05:06,440 --> 00:05:10,800
Speaker 1: balancing act really upholding critical security relationships with the US

92
00:05:10,839 --> 00:05:13,520
Speaker 1: and the United Kingdom long term friends, as well as

93
00:05:13,560 --> 00:05:18,479
Speaker 1: economic ties with China, our biggest trade partner in your view,

94
00:05:18,520 --> 00:05:23,560
Speaker 1: or Australian business is prepared for changes in that geopolitical

95
00:05:23,600 --> 00:05:24,279
Speaker 1: status quo.

96
00:05:24,920 --> 00:05:28,520
Speaker 3: From the respondents, eighty percent of the leaders expected geopolitical

97
00:05:28,600 --> 00:05:34,520
Speaker 3: issues to impact their operations and their supply chains. So

98
00:05:35,160 --> 00:05:37,480
Speaker 3: now there is more awareness and probably what you're talking

99
00:05:37,520 --> 00:05:40,839
Speaker 3: to just then with Matt, greater awareness and then more

100
00:05:40,920 --> 00:05:45,160
Speaker 3: scenarios that they're considering. So we're seeing organizations adapt To

101
00:05:45,200 --> 00:05:49,200
Speaker 3: your point, I suppose board members are training themselves to

102
00:05:49,240 --> 00:05:51,960
Speaker 3: be more aware of what the likely consequences will be.

103
00:05:52,360 --> 00:05:56,000
Speaker 3: And I think overall eighty percent expect geopolitical issues to

104
00:05:56,080 --> 00:05:59,560
Speaker 3: impact operations. That's a good thing. That means executives are

105
00:05:59,560 --> 00:06:02,120
Speaker 3: paying a teen to it and they're actually doing more.

106
00:06:02,120 --> 00:06:04,800
Speaker 3: To Matt's point and what he touched on these desktop

107
00:06:05,120 --> 00:06:09,839
Speaker 3: or boardroom exercises, they're training to be ready and the

108
00:06:09,880 --> 00:06:11,719
Speaker 3: ones that are very good at training to be ready.

109
00:06:11,760 --> 00:06:12,920
Speaker 3: And I think if we look at some of our

110
00:06:12,960 --> 00:06:17,080
Speaker 3: major financial institutions, when they have a crisis, they handle

111
00:06:17,080 --> 00:06:20,279
Speaker 3: it really well. Those that don't probably don't even handle

112
00:06:20,279 --> 00:06:24,440
Speaker 3: the pr well. So there's a range of geopolitical events

113
00:06:24,440 --> 00:06:26,960
Speaker 3: that may impact and I think we're all becoming a

114
00:06:26,960 --> 00:06:31,840
Speaker 3: little bit more aware things such as tariff volatility and

115
00:06:31,880 --> 00:06:37,800
Speaker 3: how does certain industries react to that diversification. I think overall,

116
00:06:37,839 --> 00:06:41,120
Speaker 3: I think the status quo today is some industries are

117
00:06:41,160 --> 00:06:43,480
Speaker 3: pretty good at responding, and that might be defense and

118
00:06:43,520 --> 00:06:47,080
Speaker 3: critical minerals because there's actually an onus on them from

119
00:06:47,480 --> 00:06:51,560
Speaker 3: regulatory obligations to have in place risk management plans, whereas

120
00:06:52,000 --> 00:06:56,520
Speaker 3: consumer goods and say agri business probably not so ready,

121
00:06:56,560 --> 00:06:59,880
Speaker 3: and they do struggle when there's these jolts from a

122
00:07:00,120 --> 00:07:03,279
Speaker 3: from a tariff being implied or being applied to whatnot.

123
00:07:03,960 --> 00:07:06,120
Speaker 1: Matt Grant, The survey seems to be considering a much

124
00:07:06,160 --> 00:07:08,920
Speaker 1: broader range of risks and security concerns that we tend

125
00:07:08,960 --> 00:07:11,240
Speaker 1: to more so than we tend to hear about in

126
00:07:11,280 --> 00:07:15,160
Speaker 1: the headlines. We mentioned cyber attacks, but why should government

127
00:07:15,240 --> 00:07:19,440
Speaker 1: organizations consider all these other security risks? And I suppose

128
00:07:19,440 --> 00:07:22,520
Speaker 1: I'm I mean, what were the other legal and regulatory

129
00:07:22,640 --> 00:07:23,720
Speaker 1: drivers for this?

130
00:07:24,600 --> 00:07:26,920
Speaker 2: Yeah, there's certainly a range of legislation that we've seen

131
00:07:27,000 --> 00:07:29,920
Speaker 2: sort of develop over the last eight or ten years

132
00:07:30,080 --> 00:07:35,320
Speaker 2: sewn that gives guidance on a broader aspect of security risks.

133
00:07:35,400 --> 00:07:37,920
Speaker 2: So cyber certainly gets the headlines. But when you start

134
00:07:37,960 --> 00:07:40,840
Speaker 2: to peel back some of the causes of cyber incidents

135
00:07:40,840 --> 00:07:43,360
Speaker 2: and I spoke about a phishing campaign or a business

136
00:07:43,440 --> 00:07:46,960
Speaker 2: email compromise, there's a human element that sits amongst all

137
00:07:47,000 --> 00:07:52,880
Speaker 2: of those cyber incidents, and legislation like the Critical Infrastructure legislation,

138
00:07:52,960 --> 00:07:57,880
Speaker 2: the Security of Critical Infrastructure Act, more focused by the

139
00:07:57,920 --> 00:08:01,960
Speaker 2: Privacy Commissioner on privacy breach. We've got OPRA and the

140
00:08:02,000 --> 00:08:07,720
Speaker 2: CPS two thirty requirements. It's all talking to understanding a

141
00:08:07,800 --> 00:08:10,840
Speaker 2: broad range of security risks and what that means is,

142
00:08:10,880 --> 00:08:13,640
Speaker 2: do you understand the risk in your supply chain? Do

143
00:08:13,720 --> 00:08:16,280
Speaker 2: you understand the risk in your people or your personnel

144
00:08:16,320 --> 00:08:20,920
Speaker 2: security challenges? Do you consider your physical security challenges amongst

145
00:08:21,000 --> 00:08:24,560
Speaker 2: your cyber challenges? And organizations at that more mature end

146
00:08:24,560 --> 00:08:27,640
Speaker 2: now are looking at this in a what's term to

147
00:08:27,720 --> 00:08:31,400
Speaker 2: converged approach to managing security risk where you're thinking holistically

148
00:08:31,480 --> 00:08:34,800
Speaker 2: about how it all measures together and that provides a

149
00:08:34,840 --> 00:08:37,400
Speaker 2: better coverage and understanding to be able to protect from

150
00:08:37,400 --> 00:08:41,080
Speaker 2: all of those threats that we've spoken about. Alongside that,

151
00:08:41,160 --> 00:08:44,840
Speaker 2: regulators are getting a little bit more interested and taking

152
00:08:44,840 --> 00:08:48,640
Speaker 2: a stronger view on boards and executives and their obligations

153
00:08:48,679 --> 00:08:52,040
Speaker 2: around these risks and making sure that they're managing those risks.

154
00:08:52,360 --> 00:08:54,640
Speaker 2: And we're working with a range of clients across a

155
00:08:54,720 --> 00:08:58,480
Speaker 2: number of sectors to help them both write security risk

156
00:08:58,520 --> 00:09:02,839
Speaker 2: management programs also undertake, particularly in the critical infrastructure space,

157
00:09:02,920 --> 00:09:06,560
Speaker 2: independent reviews because the boards in that environment are now

158
00:09:06,600 --> 00:09:09,120
Speaker 2: expected to or acquired to sign off and a test

159
00:09:09,240 --> 00:09:11,360
Speaker 2: to home affairs that they've got a good handle on

160
00:09:11,679 --> 00:09:13,040
Speaker 2: their risk management programs.

161
00:09:13,360 --> 00:09:15,960
Speaker 1: So just saying with you, Matt, and can we talk

162
00:09:16,000 --> 00:09:19,120
Speaker 1: specifically about supply chain issues because seventy seven per cent

163
00:09:19,200 --> 00:09:23,400
Speaker 1: respondents said they've faced recent challenges managing supply chain risk

164
00:09:23,520 --> 00:09:28,360
Speaker 1: and security. What are the obligations and types of supply

165
00:09:28,520 --> 00:09:31,280
Speaker 1: chain issues currently facing execs.

166
00:09:31,440 --> 00:09:34,720
Speaker 2: If they're being expected to consider their supply chain almost

167
00:09:34,800 --> 00:09:38,960
Speaker 2: as a complete extension of their own environment now and

168
00:09:39,320 --> 00:09:42,880
Speaker 2: regulators expect that you have appropriate level of oversight and

169
00:09:42,920 --> 00:09:46,439
Speaker 2: control into your supply chain from a security risk management perspective,

170
00:09:47,520 --> 00:09:50,880
Speaker 2: particularly as I mentioned, the Security of Critical Infrastructure Act

171
00:09:50,920 --> 00:09:53,679
Speaker 2: identifies that supply chain as one of the key hazard

172
00:09:53,760 --> 00:09:56,880
Speaker 2: vectors that you need to think about and consider. And

173
00:09:56,920 --> 00:09:59,640
Speaker 2: so what does that mean practically for organizations They're starting

174
00:09:59,679 --> 00:10:02,520
Speaker 2: to think more about and I guess in the past

175
00:10:02,600 --> 00:10:06,160
Speaker 2: we've thought about financial due diligence when we look at

176
00:10:06,240 --> 00:10:08,920
Speaker 2: onboarding and management of supplies, were now starting to think

177
00:10:08,960 --> 00:10:12,320
Speaker 2: more about the security risk posture of those supplies. Have

178
00:10:12,400 --> 00:10:16,560
Speaker 2: they got appropriate controls in place to protect themselves from

179
00:10:16,679 --> 00:10:19,200
Speaker 2: the sorts of cyber attakes and other security risks that

180
00:10:19,200 --> 00:10:22,679
Speaker 2: we've spoken about. Are you doing appropriate due diligence when

181
00:10:22,679 --> 00:10:25,880
Speaker 2: you're on board them around those controls. Are you doing

182
00:10:26,080 --> 00:10:30,240
Speaker 2: any ongoing assurance to make sure the controls they've promised

183
00:10:30,240 --> 00:10:33,160
Speaker 2: that they'd have in place have actually remained in place

184
00:10:33,280 --> 00:10:37,000
Speaker 2: and are effective? And then are you thinking about how

185
00:10:37,240 --> 00:10:39,680
Speaker 2: if that supplier is no longer with you, you're making

186
00:10:39,720 --> 00:10:41,520
Speaker 2: sure that you off board them from all of your

187
00:10:41,559 --> 00:10:45,120
Speaker 2: normal operations so they don't retain any access, whether it's

188
00:10:45,160 --> 00:10:49,640
Speaker 2: physical access or logical access that they shouldn't have. So

189
00:10:49,640 --> 00:10:54,240
Speaker 2: it's just much more oversight and practical control over that

190
00:10:54,280 --> 00:10:56,640
Speaker 2: supply chain as if it was your own environment. Is

191
00:10:56,640 --> 00:10:57,600
Speaker 2: what's being expected?

192
00:10:58,040 --> 00:11:00,680
Speaker 1: Okay, Matt Fan, I can't have you on and not

193
00:11:00,800 --> 00:11:04,400
Speaker 1: ask about AI, particularly when considering emerging risks to an organization.

194
00:11:05,440 --> 00:11:07,559
Speaker 1: What are some of the challenges as more and more

195
00:11:07,559 --> 00:11:10,600
Speaker 1: companies experiment with AI? How can business leaders insure it's

196
00:11:10,640 --> 00:11:12,840
Speaker 1: responsible use? What I don't need to do to prepare?

197
00:11:14,160 --> 00:11:17,280
Speaker 1: I know that cyber remains at the top and geopolitical

198
00:11:17,360 --> 00:11:21,880
Speaker 1: ish issues supply chain risks, but surely everyone's thinking about

199
00:11:21,880 --> 00:11:22,760
Speaker 1: AI in some way.

200
00:11:23,320 --> 00:11:26,720
Speaker 3: Sure and I hear on this podcast AI and people

201
00:11:26,760 --> 00:11:30,520
Speaker 3: talking about it frequently. It's certainly the hot topic. Whilst

202
00:11:30,559 --> 00:11:34,200
Speaker 3: I think cyber is still the hot risk. What I

203
00:11:34,240 --> 00:11:36,199
Speaker 3: hear from clients is both the good and the bad.

204
00:11:36,559 --> 00:11:39,760
Speaker 3: I suppose and when I say that AI is delivering

205
00:11:39,800 --> 00:11:45,200
Speaker 3: real benefits, efficiencies now automating business processes, improving how they

206
00:11:45,240 --> 00:11:49,840
Speaker 3: can search large data sets, Insurers looking at numerous documents

207
00:11:50,440 --> 00:11:55,160
Speaker 3: that they can use AI to get to them very quickly.

208
00:11:55,840 --> 00:12:00,000
Speaker 3: I think the benefits that organizations are seeing as a experiment,

209
00:12:00,120 --> 00:12:02,719
Speaker 3: they're still coming up with the use cases, so they

210
00:12:02,720 --> 00:12:06,200
Speaker 3: need to be cautious because it's still somewhat uncertain and

211
00:12:06,240 --> 00:12:08,680
Speaker 3: there have been mistakes. I think the main thing is

212
00:12:08,880 --> 00:12:10,880
Speaker 3: your data's in there, and you need to protect your

213
00:12:10,960 --> 00:12:15,479
Speaker 3: data and understand how you're using that. But the unfortunate

214
00:12:15,520 --> 00:12:18,920
Speaker 3: point is whether the bad guys still will come around

215
00:12:18,920 --> 00:12:22,120
Speaker 3: wherever there's new technology, new business process as we've seen

216
00:12:22,120 --> 00:12:26,160
Speaker 3: with financial institution, cyber attacks and otherwise, the bad guys

217
00:12:26,240 --> 00:12:29,800
Speaker 3: are using AI to weaponize what they're doing to counter

218
00:12:29,880 --> 00:12:32,960
Speaker 3: cyber attacks. So I think what we're seeing in response

219
00:12:33,200 --> 00:12:37,640
Speaker 3: organizations and respondents certainly said from a risk and security perspective,

220
00:12:37,720 --> 00:12:42,400
Speaker 3: more training, but we need more cybersecurity tools to combat

221
00:12:43,000 --> 00:12:45,440
Speaker 3: AI AI attacks.

222
00:12:46,320 --> 00:12:49,080
Speaker 1: Matt, Just to finish it off, Matt Fian, you've been

223
00:12:49,080 --> 00:12:50,720
Speaker 1: doing this for three years. Mcgroind Nichol has been doing

224
00:12:50,760 --> 00:12:54,880
Speaker 1: this for three years. Matt Grant mentioned the word convergence.

225
00:12:55,040 --> 00:12:56,920
Speaker 1: One thing when I read the report that kind of

226
00:12:56,960 --> 00:12:59,520
Speaker 1: came through is that people seem to be thinking about

227
00:12:59,520 --> 00:13:03,199
Speaker 1: a lot of these risks more holistically than we were

228
00:13:03,240 --> 00:13:04,680
Speaker 1: talking about two years ago.

229
00:13:05,840 --> 00:13:07,880
Speaker 3: It's really good observation. I think that's what I've seen

230
00:13:08,080 --> 00:13:10,400
Speaker 3: probably over the last decade. And I can say that

231
00:13:10,440 --> 00:13:12,960
Speaker 3: confidently a number of people who have been in the

232
00:13:13,040 --> 00:13:15,880
Speaker 3: role of chief security officer for some years and senior

233
00:13:15,920 --> 00:13:20,360
Speaker 3: executives in critical infrastructure organizations, the major telcos and banks

234
00:13:20,720 --> 00:13:23,680
Speaker 3: have been using the term converge for some time, where

235
00:13:23,720 --> 00:13:26,920
Speaker 3: they look across holistically the risks that sit within a business.

236
00:13:27,600 --> 00:13:29,040
Speaker 3: I think one of the points if I say, what

237
00:13:29,760 --> 00:13:31,680
Speaker 3: have I seen over the last twelve months alone in the

238
00:13:31,720 --> 00:13:34,680
Speaker 3: last three years, the changing role of the risk and

239
00:13:34,720 --> 00:13:36,960
Speaker 3: security executive, And I think I touched on this last

240
00:13:37,040 --> 00:13:39,320
Speaker 3: year as well. Where it used to be the chief

241
00:13:39,400 --> 00:13:42,160
Speaker 3: risk officer, or it might be the chief cyber or

242
00:13:42,200 --> 00:13:45,440
Speaker 3: the SIZO as people refer to as being the key

243
00:13:45,480 --> 00:13:49,640
Speaker 3: person responsible for that, today it's the chief security officer,

244
00:13:49,679 --> 00:13:52,400
Speaker 3: and we're starting to see those elevated to the executive

245
00:13:52,480 --> 00:13:57,200
Speaker 3: level within some of the major organizations, particularly critical infrastructure organizations.

246
00:13:57,600 --> 00:13:59,920
Speaker 3: But really that means what does that person look after

247
00:14:00,080 --> 00:14:05,080
Speaker 3: A holistic program really covering cyber, physical personnel, and supply

248
00:14:05,200 --> 00:14:08,160
Speaker 3: chain risks, so they really are looking who's in the tent,

249
00:14:08,200 --> 00:14:10,280
Speaker 3: who's outside the tent, who's connected with us.

250
00:14:11,040 --> 00:14:13,400
Speaker 1: Always good to end on a positive note. Matt Thee

251
00:14:13,400 --> 00:14:15,280
Speaker 1: and Matt Grant, thank you very much for talking to

252
00:14:15,280 --> 00:14:15,880
Speaker 1: Fear and Greed.

253
00:14:16,080 --> 00:14:17,679
Speaker 2: Thank you, Sean, thanks for having us.

254
00:14:18,000 --> 00:14:20,440
Speaker 1: That was Matt Thee and am a head of advisory

255
00:14:20,480 --> 00:14:23,240
Speaker 1: and Matt Grant, partner at mcgrah nicol. Mcgrah Nichol is

256
00:14:23,240 --> 00:14:25,400
Speaker 1: a great supporter of this podcast. I'm Sean Almer and

257
00:14:25,480 --> 00:14:28,760
Speaker 1: this is Fear and Greed Q and Day