Martin McGregor on the AusCERT Share Today, Save Tomorrow podcast
Devicie co-founder Martin McGregor caught up with Anthony Caruana on the AusCERT Share Today, Save Tomorrow podcast.
User autonomy and security: Security measures and user needs don't need to vie for attention. It is possible to achieve an equilibrium where vital security measures are not obtrusive and users have access to everything they need.
A practical and user-friendly approach to compliance: How to implement necessary controls without imposing excessive restrictions.
The evolving role of IT professionals: Investing in understanding user needs and how to support users effectively will lead to improved security outcomes.
Adaptation and innovation in device management: Embrace innovative solutions that improve security, reduce manual interventions and provide a better user experience.
Anthony Caruana: It's a pleasure. So you've got this really special interest in dealing with the operational issues around mobility, Essential Eight, and just trying to make us all feel safer when we turn our laptops on or turn our iPhone or smartphones and tablets on. What are you actually seeing out in the world when it comes to those issues?
Martin McGregor: I think it's a really fascinating area because you're dealing with people, people are using these devices and people are infinitely complex and we support them as people. So, it's a relational thing. For organisations to really do that well they've got to appreciate that and invest in it. So, the challenge is getting more difficult to support people.
Anthony: Is that because people are getting more demanding about what they want? Or, is the environment around them changing? Is it a combination of all these things?
Martin: I don't know if the users are getting more demanding. They might be getting less demanding because they're becoming more autonomous. But, I think it's the challenges of the way that people work now that are difficult for technology people.
Anthony: So, one of the things you just said was people are becoming more autonomous. How does that work for and against us when we're talking about security?
Martin: Well, that's just it. What do they need so they can remain autonomous and how do we support them to do that? That's the real difficulty.
Martin: It's trying to understand what they have to achieve and getting out of the way. So, we have to address security in a way that's really not obtrusive for them. But, at the same time, it has to be, I don't know if it's the best word for it, but inclusive in a way, because it's the security controls and approaches to how we manage the devices people use and all the software that they need. If we don't do that in a way that makes their job easier, if we put controls in that get in the way, it just makes them less efficient and they often find other workarounds. So, we've got to try and find ways to support users that actually make them more successful in what they do so that they get on board with the things that we're trying to do.
Anthony: There's kind of an implicit challenge in that today though. One of the things that we now have more of that we've never had before is all those bits of compliance advice and rules and regulations that we never had. It probably started in 2017 when the Privacy Principles began that journey. We've got encryption rules now, and we've got the Essential Eight, which puts a whole bunch of other controls in. The Essential Eight is on the cusp of becoming almost like a mandatory set of controls, especially in government.
Anthony: How do you balance that getting out of the way bit with increased compliance and regulation?
Martin: That's why it's so complex. And, that's why it's challenging because we need to do those things. The risk climate is a real thing. We can't pretend that our devices and our employees, whether they're working remotely or wherever they are, aren't at risk. They are at risk. We need to make these things happen, but the challenge is designing systems and processes that apply those controls in a way that makes it better for end users. I think that's the challenge. I think it's really possible. More than possible, I think it's mandatory. It's the way that we approach it. So, whatever it might be in the Essential Eight, there's a way to look at, I think, just about every control in the Essential Eight where it can actually be better for end users. You can create a more stable environment for them and a more consistent environment where they're ultimately less disrupted. But, you really do need to understand how they work and what they need to work before you start.
Anthony: Is that the traditional view of infosec? That it's the Department of Don't. You can't do this. Don't do that. No, you can't have that. That's been the view, probably until about four or five years ago, I guess. And, that's been changing more recently. What are some of the practical things an infosec person can do to take what's becoming an increasingly rigorous compliance regime, but make it user friendly and just get the user to be able to do their job in a compliant and safe and risk-averse way? Without sticking 27 dialogue boxes in front of them and making them dance under a full moon on the 30th of every month in order to make sure they're safe?
Martin: I think you have to appreciate the value, or how important applications are, to the people that work. People that aren't security people. People have a bunch of applications that are important for their job, and we have to be pragmatic about that. I don't think we should impose views on the way that people work too much. We need to understand what they're doing, and applications on end user devices are just such a key area of misunderstanding and opportunity as well. If we can understand what applications people use, whether they might be applications on the client or SaaS applications, and we can control those and make them available to them, we actually are enabling them in a great way. If we can provision those applications to them as soon as they log onto a device, for example, and they can just start working, it's great for the end user. They don't have to think about what might be missing. They might not have to worry about collaboration issues between the version they might have and a different version a colleague or a partner might have.
Martin: If we can manage those applications for them, keep them up to date, all that sort of stuff for their needs, it's actually a fantastic outcome. What we get to do on the back of that is there's a whole bunch of compliance things that we can then achieve. If we manage applications well, we can start looking at taking away local privilege on the devices like local admin. We can start thinking about maybe implementing things like allow listing because we know what's out there. It's a great opportunity just focusing on managing applications well for end users. Then we get great security outcomes as well.
Anthony: What's interesting in that is that a lot of what you're talking about is not how it's implemented technically. It's not a technical problem that you're solving, you're actually solving a people problem. Is that one of the things that you're seeing now, that security professionals have got to get better at the people stuff? You and I both spend a lot of time around information security professionals so we know that they know their stuff. If you walk into a room full of information security professionals, you'll know all the ones and zeros are going to line up on everything. They're really fixed on understanding all that technical stuff. Is that the gap that they're now trying to bridge, actually thinking about the people and process? They've got the technology bit. That triangle, right? Is it the people and process stuff that they've got to catch up with and learn better?
Martin: Yes, I think so. The closer that we can be to end users, the better. I think the more that we can understand the way that they need to work, the better, and if we can sort of sneak in security, if we think about how we can actually put them in a better operational place, we will increase the efficiency of the entire organisation. If they can work, they can get their job done to a greater degree without interruption and it really does improve the whole organisation. For the business, they're not really concerned about the security controls that we're trying to achieve at the same time. But, if we do manage this properly, there is an opportunity for us to think about, okay, if we take control of this area and we set up a user the way that we need to and we understand them, well, what sort of controls can I put around them, or guardrails around what they do? So it's almost like the least-privilege conversation. What do they not need to do that we can remove and reduce the potential for exploits?
Anthony: I want to think about a really practical example because I've worked around this long enough to remember when I had to carry a key fob that gave me a six digit number so that I could log into the VPN so that I could get into the system and then login again and all that sort of stuff. I mean authentication and passwords and user identities still remain a significant threat vector for the threat actors. But, they're also a significant pain in the butt for users and it's one of those things that's very specifically addressed inside the Essential Eight and NIST, and any sort of security guidelines now has something around user authentication.
Anthony: How do we bridge that gap? Just taking that very practical example, how do we do user authentication better for today's world?
Martin: This is a fantastic example of an area where if you manage identity properly and you allow a user to authenticate once and then you have a single sign on between all your applications, you manage the identity of all of the applications and all the SaaS services you subscribe to. You pay the extra dollars unfortunately to get the single sign on options. From an end user perspective, it just makes their life easier. And, onboarding a person makes it much easier to become operational and get to work. Great for the end users, great for the business, but phenomenal for security.
Anthony: But the challenge in that, of course, is that if I go and buy a SaaS service today or I buy an application that's been developed in the last two or three years, the ability to do that is probably there, even if I have to pay a little bit extra for it, I can get it. But, unfortunately we have this thing called old stuff. That doesn't necessarily play well. How do we bring businesses along, and how do we actually do that in a practical sense and manage the legacy and the older stuff?
Martin: The reality is that there's no such thing as green fields. It's not a thing. Businesses are messy and the technology is messy. We wouldn't have cybercrime if it wasn't as messy as it is, so you have to deal with that mess and you must make compromises. Perhaps there's some app that's really important to the business. How do I get around that requirement so that they can work effectively, but I can still make it easy for the end user? I don't think just saying "well, we can't use these apps anymore" works. That just isn't feasible and ultimately just makes end users less productive. So, we have to live with them in a world of compromise. That might just mean logging better for those applications, finding other controls, complementary controls, to reduce the risk.
Anthony: That's the interesting thing, isn't it? Sometimes when someone says there's an argument in the Essential Eight that says we must have multifactor authentication, and you go, well hang on, the application that we depend on to run the business can't let us do multifactor authentication. So, you sit there and go, right, well I'm going to be non-compliant at the top line. But, what do I do around that? That's really what you're talking about, saying: well, if I can't do multifactor, how do I do other stuff to ensure that environment is safe and that identity is that identity? That's what I guess you're talking about, using heuristic things like the location of the person logging in, the device that they're using and all that. Is that the kind of thing you're talking about?
Martin: Even just making sure it's the latest version of the app. Being concerned about whether there are vulnerabilities in that application. Maybe we talk to the vendor. What are the other things that we can do? Because ultimately the business has to run. And, if we don't have a business then none of this matters. How do we make the business successful and use our nous as technology people to give the business an advantage, but at the same time do something that's really important to businesses these days, which is trying to consider security risk and minimise that? The most important thing is the business has to be operational and still has to keep going forward.
Anthony: So obviously, over the last few years, we had this very slow transition that seemed to be happening with people working a little bit more remotely. We had people starting to do a bit more BYOD and there seemed to be a lot more device flexibility starting to permeate organisations. But, then we had this thing at the beginning of 2020 that kind of just put the pedal right down to the metal and made us accelerate really quickly towards work from home and remote working and all those sorts of arrangements. A lot of organisations did stuff really quick to get their workforces operational so they could work from home and they could potentially not have to travel in from rural areas or whatever. How are we now? Are we now playing catch up? Do you find that? Is there a long tail of that catch up to get things right? Perhaps in your experience, what have been some of the biggest issues that people created through that rapid transition, and what are some of the things they've done to overcome those?
Martin: I think it's ultimately a good thing because what I've noticed over the last 20 years or so is we probably haven't respected the end user device in businesses as much as we used to, so we haven't been concerned about how well we manage them. Can a user just get onto the thing and get working with little interaction with it? Ideas like that just became less and less popular and my observation was that the state of end user devices has just become worse over time, more and more appalling, because the value hasn't been appreciated. I think people lost sight of why we actually gave computers to employees in the first place.
That was really what I've noticed, is that with 2020 and COVID, it was like this massive education piece for the whole world. Where, they realised our users can't get operational on this device. Our business can't function as a real test and we just haven't seen innovation in the last 20 years in this area, but all of a sudden, we started to see innovation and people coming up with new solutions for onboarding people remotely, or provisioning things to them remotely, getting visibility of them remotely. That's really a new thing in this space, because the technology is still very much LAN based.
Anthony: I was just thinking, the other angle to that, of course, is that it's a pendulum that swings. If you've worked in IT as long as we have, you know the pendulum swings back and forth. I remember going from mainframes. And then we went to PCs on every desktop. Now we've swung back towards the cloud, which is kind of like a mainframe of centralised computing, but it's not inside the server room, it's out there somewhere in the ether. We have these interim solutions like VDI, which is kind of like having the thing on your desk, but it's over there. We've had all these things that have swung back and forth, and I think you've kind of described the same thing with end user devices. When we started putting PCs on desktops back in the 90s, we'd go, oh, that's a really important device. We'd better manage it really well, because it's a $2,000 asset sitting on a desk, which, when $2,000 was worth 10,000 of today's dollars, was a big deal, whereas now we've swung it back the other way. It's like a pencil. Computers were stationery, and I've been guilty of that as a manager in an IT environment saying, can we just not mandate that everyone has to have the same model pencil? No one makes me buy the same biro. And now we're swinging back the other way saying, well, hang on, these things are actually a little bit special, we've got to do something about it.
Martin: Even going back to the 90s like you're describing, even when a company adopted computers it wasn't a thing where everybody got a computer. You still had to make a business case. It had to be: this person does this job and if they have a computer, they could do this, whatever it might be. The business would say OK, it's lots of money, but it's going to make things better. And now it's just ubiquitous. We just give them to every employee. We don't necessarily think about it. It's just expected.
Anthony: When I think about device management today, that's the overwhelming change, isn't it? That we've suddenly realised these things are actually a little bit special and important. And, we're now affording it that attention through device management tools. Thinking about things like user authentication and thinking about all the stuff around even device authentication, knowing what you have, if I had a buck for every person that's sat across this microphone and said step one of everything is know what you got, I'd be retired. I'd be retired and in the Bahamas on my own island. That's the thing, people don't actually know what they got because we forgot how important these devices are.
Anthony: So, the last question we're asking everyone in this season's podcast is to give a shout out to their cybersecurity superhero. I think you've got someone already in mind that you do want to mention. One thing that we're finding is that sometimes these people aren't well known. So a lot of the people have mentioned mentors and leaders and advisors that no one would have ever heard of. So, it's a great opportunity to give a shout out to people that maybe no one's ever heard of and just to give them that acknowledgment that they've been important in your career. So, who do you want to throw out there?
Martin: He's a fantastic gentleman called Brad Bush. So, when I worked at William Hill as head of security, it was a new kind of role for me. It was my first job where I had security in my title. I'd been doing security my whole career, but it's my first proper security role. And, I was just very eager to make a big impact. It's the first time I'd taken a job for a company as a consultant for 20 something years. Everyone that's listening to this will know the challenges of trying to convince a business of what we see. The concerns that we see and even the stuff that we're talking about, these security controls. I deeply believe that we can do these things in a way that improves the business and that makes the business a more reliable, safer, and more efficient business. I was just absolutely committed to that goal, but struggling. I was finding it really hard to communicate to the business. I went and saw a debate one day. It was a cybersecurity debate. There was this person in the audience who asked a couple of questions that were just so on point and so articulate. Being articulate is something I struggle with so I was just so impressed with his questions. And, it wasn't just me, the whole room was.
Everybody just started asking Brad questions, including the people on stage. He was just so humble but had so much knowledge. I thought, my God, that's the thing that I need. So, I went up to him straight afterwards and, this is probably the first and only time I've ever done something like this, but I said I want to do what you do somehow, someday, can you please mentor me? Can you please help me? And, he just became someone that was more than a mentor. He became a dear friend. He was just incredibly supportive. He had a big portfolio, a lot of things on his table, but he always made time for me. We would regularly meet up for coffees and I would just dump all my problems on him. And that has still continued. He's helped me go from someone that was a consultant, an employee, to now, where I've started my own businesses in cyber security, and he's been helping me the whole way. So he's an angel.
Anthony: That's awesome. Thank you so much for your time today Martin.
Martin: My pleasure. Thank you so much.
Anthony: Thanks for listening to this episode of Share Today, Save Tomorrow, the AusCERT Podcast. And thanks to Martin McGregor.