Ahead in the Cloud: Bringing Security Out of the Basement and into the Boardroom with Darren Kane of nbn Australia
May 02, 2023
Darren Kane, Chief Security Officer with nbn Australia, discusses Australia’s mission to narrow the digital gap, the need for C-suite involvement in security solutions, and the mix of challenges and opportunities AI brings to the security industry.
Hosted by Chad Watt, researcher and writer with the Infosys Knowledge Institute.
“The nbn's mission is to lift the digital capability of all Australians, to actually ensure that we minimize the digital divide between those that can have connectivity and those that cannot.”
“As nbn grows, the target on our back grows, which means the target on my back grows. That means as we connect more and more people… we have to ensure that we are reliable, that we are resilient, and we are secure.”
“Instead of calling them ‘insider threat,’ I call them a ‘trusted insider.’ It's the same aspect of what I do to actually manage the risk of that individual, but instead of them being an IT, they're a TI. There's a simple example of giving the C-suite comfort that we are an enabler, instead of someone who only worries about the downside.”
“My first piece of advice is - understand the risks.”
“There's an opportunity for our industry, particularly the security risk industry, to catastrophize the risks that are represented by AI machine-based learning. But I also understand the opportunities that AI may present. So always remember the yin and the yang is my message there.”
- Darren Kane
Insights
- The nbn is Australia's government-owned broadband network. It has connected the continent to a single, secure and resilient network of broadband connectivity. Our network out here carries more than 86% of the nation's data, and it touches more than 17 million people every day with more than 8.6 million homes and businesses currently connected and a further 12 million premises ready to connect.
- The nbn's mission is to lift the digital capability of all Australians, to actually ensure that we minimize the digital divide between those that can have a connectivity and those that cannot.
- A business leader, a CEO, a COO, someone in the C-suite, has to not abrogate the accountability totally to their security lead. They have to invest themselves in what it is the actual SME running security is doing on their behalf.
- Work with your board and C-suite to clearly identify risk appetite for the organization. Then work with your internal organization to address those risks. Identify what controls we are utilizing to either reduce or accept the risk because we've put mitigating controls in place.
- There is so much noise at the moment around the concerns and worries about AI and where it'll take us and what it will do. There's an opportunity for the security risk industry to catastrophize the risks that are represented by AI machine-based learning. But I also understand the opportunities that AI may present.
- I think that the engagement and the support we get from C-suite and board on how we're actually managing the risk is incredibly important. It gives us that recognition and the support and resources we need to manage it effectively.
Show Notes
- 00:12 Chad introduces himself and Darren.
- 00:55 Darren explains nbn Australia’s mission and purpose.
- 02:56 How did your previous work prepare you for work in telecom and information security?
- 04:08 How is it that business leaders need to think differently about security in their technology business today?
- 07:08 What does security look like in 2023?
- 08:37 How do you get compliance hygiene right and how do you help leaders and individual contributors buy into that?
- 10:16 Darren explains what younger, digital natives “get” and what they still need to learn from people who remember the analog days.
- 11:52 How do AI, generative AI and other emerging technologies related to transformer architecture and large language models impact security?
- 14:41 Darren discusses the need for C-suite involvement in and support for security solutions.
- 16:23 Chad and Darren talk about the portrayal of police and cyber security in television and film.
Chad Watt: Welcome to Ahead in the Cloud where business leaders share what they've learned on their cloud journey. I'm Chad Watt, Infosys Knowledge Institute researcher and writer, here today with Darren Kane, Chief Security Officer with nbn Australia.
nbn is a publicly owned corporation with the mission of making broadband internet available across all of Australia. Darren has been CSO at nbn for eight years. He has nearly two decades of security management and law enforcement experience with groups including the Australian Federal Police, the Australian Securities and Investments Commission, and Telstra Corporation. Welcome, Darren.
Darren Kane: Thanks, Chad. I really appreciate the opportunity to have a chat to you this morning.
Chad Watt: Great to spend some time with you today. For our listeners who may not be familiar, nbn is a government-owned business with a mission. Tell me about that mission and give me a quick status update.
Darren Kane: So the nbn is Australia's government-owned broadband network. The nbn has connected this continent to a single, secure and resilient network of broadband connectivity. Our network out here carries more than 86% of the nation's data, and it touches more than 17 million people every day with more than 8.6 million homes and businesses currently connected and a further 12 million premises ready to connect. It's an interesting time for us all at the moment as we shift from building the network and focusing on being a wholesaler to those in the community who actually interact with us through retailers.
Chad Watt: So you're moving from this build out phase to an operate, optimize and interact phase. How does that impact your day-to-day activities and your mission as the chief security officer there?
Darren Kane: The nbn's mission or our purpose is basically to lift the digital capability of all Australians, to actually ensure that we minimize the digital divide between those that can have a connectivity and those that cannot. Now, to do that, we have to build a network, which started 14 years ago in 2009, and that's nearly to the day. So the 9th April 2009 was when we started the build, and today we are moving across to running a network.
As nbn grows, the target on our back grows, which means the target on my back grows. That means as we connect more and more people, the role we have as critical infrastructure providers and owners of Australia's biggest critical infrastructure project and the reliance on connectivity means that we have to ensure that we are reliable, that we are resilient, and we are secure.
Now, to achieve those, it means that we have to be ever vigilant against all sorts of issues, breakages, line interruption. But most importantly in this context is those that may wish to us ill will or those that don't follow a pathway of policy and guidelines to ensure nothing happens to the company. And my job is to make sure that is achieved.
Chad Watt: Your first work, Darren, was as a detective sergeant with the Australian Federal Police. Give us an idea of that work and how it prepared you for work in telecom and information security.
Darren Kane: I noticed that in your opening, you mentioned two decades and I'll just qualify that. So I spent almost two decades, just on 19 years, with the Australian federal government. The first 13, it was with the Australian Federal Police, where I rose to the rank of detective sergeant. And I largely spent that time originally wanting to work in close personal protection. So a bodyguard, if you like, for our senior political figures and other VIPs. I quickly realized that that was limited, wasn't as much action as you first think.
So then I actually pivoted, if you like, which is a word for the 2020s, and I got myself into a role which you would call global and national organized crime and large scale drug interdiction into this country. And I spent nearly 11 years in those roles achieving the rank of detective sergeant and having a very exciting and a learning time, working in an environment with committed and passionate folk and in really believing in that mission.
I then did six and a half years with the Australian Securities and Investments Commission, which is your SEC, again, looking at largely organized crime in our financial markets and managing criminal activity.
Chad Watt: How is it that business leaders need to think differently about security in their technology business today?
Darren Kane: A business leader, a CEO, a COO, someone in the C-suite, has to not abrogate the accountability totally to their security lead. They have to invest themselves in what it is the actual SME running security is doing on their behalf. Now, I can guarantee that if the CFO was left to their own devices and "Oh, that'll all be sorted," the C-suite, particularly the CEO, would feel a little naked. They'd want to know what was going on in that accountability.
It is the same for security. It's become mainstream. So from my perspective, when I actually speak with the C-suite, I start to use language that resonates with them. And that's one of the things, Chad, that we in the industry have to address. The language we use, attack surface, state-based actors, all of those sorts of pieces of language that they struggle to understand and put in context, we have to eradicate that from our vocabulary.
Chad Watt: Give me an example of something you do differently or something you advise people in a role like yours to do differently.
Darren Kane: I never use the term "insider threat".
Chad Watt: Okay. What do you say instead?
Darren Kane: I spend hundreds of thousands of dollars trying to locate the best staff I possibly can to introduce to a company that I love and is high performing. I do background checks. I give them passes to get into corporate entities and into operational sites. Because they have a password, I allow them onto our networks. And yet, as soon as they start work with us, almost every organization that I actually engage with considers them a potential insider threat, on the basis that they've got that access. And I go, "Well, why would you call them a threat? What have they done wrong?"
Instead of calling them insider threat, I call them a trusted insider. It's the same aspect of what I do to actually manage the risk of that individual, but instead of them being an IT, they're a TI. There's a simple example of giving the C-suite comfort that we are an enabler, instead of someone who only worries about the downside.
Chad Watt: I really like that because as an insider, I feel like sometimes, in some organizations, I've been treated as an insider threat. I'm just trying to accomplish my task and my mission, and I get stopped from doing that. For some reason, that is not fully explained to me. Whereas if, Darren, you come to me, "Chad, you're a trusted insider, these are the tools you have to do the job and this is why you can't use this thing in this context," it just feels like a different conversation. So that's great.
Darren Kane: And Chad, to pick up on that point, the C-suite and boards, particularly, currently sitting under the specter of the environmental, social and governance movements, the ESG if you like, so incredibly important that the way we manage our workforce fits that. And if we actually have this concern or threat about almost everybody we've allowed access to, it doesn't sit well in the language of board and C-suite, whereas a trusted insider certainly does.
Chad Watt: Darren, give me your threat level assessment. What does security look like in 2023?
Darren Kane: I think this is as a difficult period as I can remember, the Indo-Pacific issues with China and Taiwan, certainly Ukraine and the Russian invasion there. We've got very, very active cybercrime gangs all around the world, and some are actually taking nation state sides. We've got nation state. So the actual geopolitical theater we're dealing with has never been as active.
Chad Watt: So what do you do about that as a security leader?
Darren Kane: The one thing that's really focusing the group here, and I think our industry globally, supply chain, we've all utilized cloud software as a service, insource, outsource, MSSP, so security services as a provider. And it's an effective and correct way to get a high performing business to run most efficiently and effectively. But what we're now seeing is through supply chain that we've got to ensure that they are working on the same protocols that we internally are managing their business. And that's becoming the challenge.
Chad Watt: You're describing something I heard recently talking about how so much of the security work is about extensive compliance hygiene work around not just what your team is doing and what your trusted insiders are doing, but every tool that they're using down the line also has that level of hygiene, if you will. It's hard, important work. How do you do it right and how do you get leaders and individual contributors to buy into that?
Darren Kane: Language, communication style and understanding the risk. So continually pushing C-suite to appreciate the risk environment, threat environment, and what controls we are utilizing to actually manage. I think one of the most important things you do, Chad, is to work with your board and C-suite to clearly identify risk appetite for the organization, have them understand what their risk appetite is in relation to your top 7 to 10 to 12 risks as it pertains to security. And I do want to come back and talk about security and not just cyber. And then once you've established where the risk appetite is, then work with your internal organization to then address those risks that are significant, that sit outside appetite, and help them better understand why they sit outside appetite and what controls we're utilizing to actually either reduce the risk if we can, or to accept the risk because we've put mitigating controls in place, or the risk we have when we put a control in place to try and mitigate the risk, which is supply chain. And it's all down to taking the time and asking them to invest in what it is that I do for them.
Chad Watt: Think about your younger, newer employees. What's different about the world they've grown up in and the world that you and I have grown up in where there's an analog that's transitioned into digital. These young folks have only existed in a digital world. What is it that they get and what is it that they need to learn from us?
Darren Kane: I love this. I love the way this podcast is going. This is right in my sweet spot hitting zone, if you like. The digital natives we refer to are these kids that have grown up with a PlayStation console in their hands, the familiarity and feel of an iPhone. And these kids with talent falling out of trees, they probably do not need to go to high school or even to tertiary to actually learn the skills that they've developed naturally so they can engage on social. As simple as that, they interact every day using the tools.
So my first piece of advice is understand the risks. Now, Chad, I don't know whether you have children, but I can guarantee you that you didn't throw them the keys to the motor car and said, "Work out how to drive yourself." The dangers of a kid on a motorway or in a street when they've never driven a motor vehicle before... But yet I would guarantee that when you actually handed the iPhone or the connectivity device to an individual, you probably believe that they could work it out themselves and/or they already knew all about it.
Now, the first thing I'd do is sit a newcomer to the security industry down and talk to them about the industry as a broad church, as all of the opportunities that exist across the industry, rather than purely focus on cyber defense, pen testing, data science, data engineering, help them understand what goes into managing security risk. And there are enormous roles and opportunities that will give them promotion and an ongoing career that they haven't considered.
Chad Watt: Let's go to AI and then let's come back to the human side of security. We talked about that level in the geopolitical sense, put your security hat on and let's talk about AI, generative AI and all these very rapid, very emerging technologies related to transformer architecture and large language models in chat. How does that impact security? How do you prepare for that with security?
Darren Kane: Chad, look, I think if you're going to talk about this, you're going to have to look at a generative AI around the evolution of technology. Now you are old enough, as am I to remember, the personal computers in the eighties and how the graphical user interface that GUI changed everything. And along came Windows. You remember when the internet was in its infancy in the early to mid-nineties, and then of course there was the mobile phones became really commercially available. And I remember driving around in a police car with an old brick Motorola banana. And before that, the one that sat in the console. Or the release of the smartphones in the early 2000s, socials, '04, '05.
AI is this decade's evolution. So that's the first thing, except that there is so much noise at the moment around the concerns and worries and where it'll take us and what it will do. But if you think about those evolutionary points I spoke about, there was the same discussion. There's an opportunity for our industry, particularly the security risk industry, to maybe even catastrophize the risks that are represented by AI machine-based learning. And I see that and I understand that, but I also think you look up and you understand the opportunities that AI may present. And we're seeing it all the time in cyber defense around automation and user-based behavior analytics. So always remember the yin and the yang is my message there.
Look, there was a great article by Bill Gates, and if your listeners haven't read it before, it's called The Age of AI Has Begun. And it's really worth a read because he talks about the new technologies like AI that is so disruptive that it's bound to make people uneasy. And he raises those hard questions about the workforce, legal system, privacy and bias. But then he also talks about where it could take us and what the opportunities are.
So all I'm asking for is balance. I absolutely believe AI and generative AI will represent risk and new risks that we haven't even thought about yet. And I don't think all of those people that are cautioning us are wrong. But also, new controls and better automation will bring opportunities to be smart around those controls and how automation can complement the controls. So always understand that with generative technology advancement comes risk, which is my job. But then I also look at it, well, what's the upside? Where's it going?
Chad Watt: The fog of cybersecurity paranoia has the CEO driving cautiously, jumping and overreacting to any potential perceived threat on the horizon, whereas a good cybersecurity clean would give you the view through that fog and allow you to perform as optimally as possible.
Darren Kane: I remember 15 years ago when I had a very significant role at Telstra, very similar to the role I have here. I would be desperate for my one-up, the CFO or the CEO, to be fully engaged in what it is that I did for the company. Back in those days, to your point, security risk cybersecurity was something that really mad techs and hoodies behind green screens in the basement managed. And I think that the industry got into a habit of continually catastrophizing the downside of what we did to assure that we got resourcing and recognition for the important role we played. So we actually created different language, state actor, attack surface, insider threat, bad actor. And we used all this sort of language because it made us a little special and ensured that somebody actually had to follow up and asked the question, "Well, what does that mean?" So ensure that they engaged with us.
Now on the flip side, in the '20s, we're arguing that, "Oh God, bloody board and the C-suite, they're all over us." They want to know more about what we're doing. We've sold the risk incredibly well. Now they want to know how we're managing it. I welcome that. I think that's wonderful. I think that the engagement and the support we get from C-suite and board on how we're actually managing the risk is incredibly important. It gives us that recognition and the support and resources we need to manage it effectively. So I wouldn't criticize that. What I would do is say, "Well, okay, how can we do it better?" How can we improve on the way we engage with board and C-suite to make things easier? And we start with communication and language.
Chad Watt: And that's the eternal question because there's no question that the opponents will always be looking for ways to improve and bring novel threats to the board as well. So, great. Darren, thank you. Do you have time for a quick lightning round?
Darren Kane: Yeah.
Chad Watt: Okay. We're going to talk about cops, computers and movies. What film got police work right? Or the closest to correct.
Darren Kane: I always loved Stakeout with Emilio Estevez and Richie Dreyfuss. To be really fair, Chad, by far and away, that was the fun we had. That was what actually happened. I don't know who provided the actual inspiration and/or consultative input to those producers, directors of that movie. But a lot of what you see on that film does actually happen in observation posts. So I thought Stakeout was great.
Chad Watt: There's one to dial back up. Okay, so what movie has a realistic portrayal of hackers and cybersecurity?
Darren Kane: You go back to the old Sneakers and Fireball and a couple of others. But to be honest, the one that I really liked is actually a television series, may have been on Foxtel over here, so one of your streaming services, coming out of the BBC called COBRA. And that was a senior government think tank, if you like, managing a solar flare that took down all of the energy and computer globally. And it was all about how do you respond. It's called COBRA. That for me is about, well, what happens if we lose energy? What does that do to our technology platforms? And it was a global issue and it shut down health, education, logistics, and it's probably a real thought-provoking series, and recommend that those interested in the podcast chase it down and have a look at it.
Chad Watt: Very good. Very good. What is one thing about security work that screenwriters typically get wrong?
Darren Kane: The green screens. We still see the images of the person in the hoodie behind the green screen, and you get the glow of the digital screen in the face of the individual, which you can't generally see the face. And nowadays, some of these crooks online are pimply-faced college kids. They're out there and they're promoting what it is they're doing. They don't necessarily sit in boiler rooms and so forth in Eastern Europe. They're all over the globe.
Chad Watt: Interesting. So Darren, if you were cast in a movie, do you want to play the sergeant, the hacker, or the CSO?
Darren Kane: I'd like to play the CEO.
Chad Watt: Good answer.
Darren Kane: Probably a little like... If I was still the sergeant, I'd want to play the sergeant. I think I'd be a great hacker. I've got the face for it. But I think at the moment, I think the upside is to celebrate and actually promote the role of the CSO. What you'll find is an individual will drift through the C-suite and become the CEO from this role, and you'll see that happen quite regularly going forward.
Chad Watt: Thank you, Darren. Thank you very much for your time today.
Darren Kane: Thanks Chad, and thanks for the opportunity. I love your podcast.
Chad Watt: Great. Thank you so much.
This podcast is part of our collaboration with MIT Tech Review in partnership with Infosys Cobalt. Visit our content hub at technologyreview.com to learn more about how businesses across the globe are moving from cloud chaos to cloud clarity. Be sure you follow Ahead in the Cloud wherever you get podcasts. You can find more details in our show notes and some links to some TV shows I think, and transcripts as well at infosys.com/iki. That's in our podcast section.
Thanks to our producers, Catherine Burdette, Christine Calhoun, and Yulia De Bari. Dode Bigley is our audio technician and I'm Chad Watt with the Infosys Knowledge Institute signing off. Until next time, keep learning and keep sharing.
About Darren Kane
Darren Kane has been the Chief Security Officer at nbn since 2015. Under his leadership, the nbn Security Group has become a converged center of physical and cyber security enabling Australia’s biggest critical infrastructure owner to better protect its people and assets against evolving threats.
Prior to nbn™, Darren served in Federal Government Law Enforcement Agencies for over 19 years in the Australian Federal Police and financial markets regulator the Australian Securities & Investments Commission, and 11 years at Telstra Corporation in varied security management roles culminating in 5 years as the Director, Corporate Security & Investigations.
Darren was appointed as an Adjunct Professor in the School of Information Technology, Faculty of Science, at Deakin University in 2020. Darren has a Master’s in Business Administration, a Diploma of Financial Markets and is a Graduate Australian Institute of Company Directors. In 2020 Darren was awarded Male Champion of Change at the AWSNA (Australian Women’s Security Network Awards).
Mentioned in the podcast
- “About the Infosys Knowledge Institute” Infosys Knowledge Institute
- nbn Australia
- “The Age of AI Has Begun” - Bill Gates
- Stakeout, 1987
- COBRA: CYBERWAR - SkyMax Original
- MIT Technology Review