Episode Transcript
Dan Lidell [00:00:02]:
And so my advice to anyone going into the field is learn as much as you can about who actually knows what makes it. Who is it across that mile wide and breadth from the person that, that knows the deep, dark bowels of the operational processes and the IT services and the market or or the people who really know the customers or anyone else who's an expert in their field. Find that person, understand who they are, what they do, build that trust with them because let's, let's face it, you're gonna be calling on them at 3 AM in the morning to draw on their knowledge and skills so that you can help develop a solution to a problem that you probably didn't even know was going to exist or understood it that it could until it actually emerges.
John Hare [00:00:48]:
So hello, and welcome to this second edition of cybersecurity podcast, Decrypting the Future. My name's John Hare. And in this episode, I'll be having a wide ranging discussion with Dan Liddell, who is a general manager in the Commonwealth Bank of Australia's Group Business Resilience team. Now for those of you outside of Australia, Commonwealth Bank Australia, otherwise known as CBA, is Australia's largest bank. Dan and I are gonna be discussing what we mean when we talk about resilience and why it's important for any organization. We're gonna talk about what good leadership looks like through a crisis. We're gonna be talking about cybersecurity in crisis simulation. What is the formula for success when you're holding these sort of exercises? And we're also gonna be talking about Dan's fascinating career journey and his advice for anybody starting out in a career in resilience.
John Hare [00:01:36]:
So with that, no further ado, let's get into it.
John Hare [00:01:41]:
One of the great privileges of doing a podcast like Decrypting the Future is the opportunity to speak to security practitioners who really are at the top of the game and to share their stories and some of their best practices with the broader cybersecurity community, whether that's practitioners, business leaders, and even those aspiring to enter into the industry and really anyone who's got an interest in cybersecurity. So, look, I'm really delighted to have a very special guest today that fits that bill. We've got Dan Liddell, general manager of crisis management and protective security at CBA with us today, and the two of us are gonna be discussing cyber resilience. So hi, Dan.
Dan Lidell [00:02:18]:
Hi, John. Great to be here.
John Hare [00:02:19]:
Yeah. Dan, thanks so much for for joining us. Now Dan's had a really interesting career. We're gonna get into that a little bit. But, when I think of Dan, I do think of a something of a an international man of intrigue. And just give you an example of this. I think the last time Dan and I spoke, I pulled him out of a meeting, you know, he pulled himself out of a meeting to speak to me, but it was no ordinary meeting. It was actually a government led exercise on space weather.
John Hare [00:02:43]:
So, Dan, do you wanna tell us a little bit about that? What is space weather, and what were you doing?
Dan Lidell [00:02:46]:
Well, one of the great things about my job, John, is I get to deal with just about any type of event you can think of that might cause a disruption. And space weather's one of those. I was learning a lot about how space weather driven by solar activity flares, things like that, actually have an impact on electrical generation and transmission. And, of course, that might have an impact on crude flow infrastructure. So it was part of that exercise the Australian government was running with about 320 industry and government, colleagues.
John Hare [00:03:15]:
Awesome. Thanks, Dan. Never a dull day in resilience. Before we get into your career and some other sort of deeper questions, you tell us a little bit more about your role at the CBA. What are you sort of doing day to day? What's your day to day mission?
Dan Lidell [00:03:28]:
So my role, just to ensure that the organization has got all the right capabilities it needs to be prepared for and to effectively respond to any form of disruption you think. That doesn't mean I own the issue. It doesn't mean I'm a subject matter expert on all those different types of issues that could occur or technical details. But it's about making sure the organization's got the right tools, the right processes in place to mobilize the the skills and resources of the the many different teams across the organization in order to respond. It's, really about getting them collectively focused and they're enabling to coordinate, focusing on the right issues in the right order in the right time that they need to. Ultimately, it's it it enables them to minimize the impact to our people, our our orchestra conductor, helping the various teams to harmonize their individual responses into something that's better. And at sure most, it has to be brought together and work pretty much any time of day or night as well.
John Hare [00:04:35]:
Absolutely. Thanks, Dan. Now the subject we're talking about today is resilience. So before we go any further, perhaps let's sort of define terms. We hear more and more organizations, more and more practitioners talking about resilience, particularly in the context of cybersecurity. In fact, in zone 2024 cyber trend report, we said that cyber resilience is expected to overtake cybersecurity as the primary risk that most organizations consider. So can you sort of give us Dan's view on what resilience really means and why it's important to organizations?
Dan Lidell [00:05:10]:
Resilience is a cause that's been around for a long time, but I think it's actually finally just gone mainstream. The pandemic certainly had an impact in in sharpening focus, But as boards and management have become better exposed to cyber issues, I think it's become clearer to them all that they're really complex. They're not just technical, they're issues that have got interrelated impacts. They've got competing concurrent demands that you have to cope with. And so that's where resilience comes in, because you can't necessarily have a pre planned checklist or a rigid playbook that you break in glass and then take it off the shelf and look through it when you need it after the facts happen. It's actually resilience is more about having a good set of capabilities that are really just wrong, that they can work well together under pressure in order to respond to a really difficult, complex scenario. Now I think about it, and I talk about it, the Dan Liddell approach is called the Lego brick. Every single capability that you need to respond to an issue, a cyber issue, or any other type of disruption, it's an individual block.
Dan Lidell [00:06:19]:
Now it might be technology response, it may be communications, it may be continuity of operations. Those little blocks, they work really well within themselves, but Resenech has been able to ensure that they can connect together, work together, and build a response that that can really flex and adapt to whatever the circumstances are for that particular situation.
John Hare [00:06:42]:
Yep. Thanks, Dan. You know, I think when we are having conversations with CISOs and with risks teams, we are definitely talking more and more about resilience. I think given the threat environment that we find ourselves in, protecting against threats, you know, it's just simply not enough, and it's really critical for organizations to better withstand and recover from an attack as well. So you're definitely seeing evolution in that thinking. So I wonder how that's how has that evolution transferred into your role? How has your role been transforming over time to address this this shift towards resilience?
Dan Lidell [00:07:15]:
Well, it certainly shifted it quite a lot. So what you just wanna get there is is why cyber resilience, or resilience in general, is not just about the response, but about the preparation. You can work to protect your organization as much as possible, but you also have to plan for what happens if those defenses fail. And so that's where it comes down to understanding what operations are most vital and not sort of, you know, broad statements around these things are important to me, but really defining as tightly as possible in scoping. What are those things that encompass the real core customer outcomes that MetaMosa that you need to protect and recover first? So an example we often give internally is around foreign miners. You think about buying a home, there's a whole process of signing up. It's a really long process all the way through to managing the account, and then finally, you get to on your own. You can't protect that whole end to end process.
Dan Lidell [00:08:09]:
It's too big. So we looked at fricassee now, and what is the part of that process that matters most and has the most impact? And look, that comes down to settlement day. Not sure if that translates even as we but here in Australia, that's the day that funds are exchanged, titles were exchanged. Ultimately, you get the keys to move your family into that new house and make it your own home. So we've scoped down our critical operation to cover that most important component so that we know that's what we want to protect and respond to and recover. I I think it's very important that it's not just about defining those, but knowing what they are and having them broadly agreed beforehand, so you're not having to decide it and determine it or or worst case argue it on the day. Everyone knows the goal they're working for. But what it means is if you're hit by a major cyber event, you're not able to recover everything, but you can recover those most critical operations that focus on the key outcomes for the customer and hopefully will help reduce the field impact when it matters most.
Dan Lidell [00:09:16]:
And so that's been biggest mindset shifts during my career. It's not just about a response structure where I'm a good customer management plan or a good team, but how do you prepare and understand those things beforehand? It means I've learned a great deal more about back end systems and data flows and conciliatory of operations than I haven't thought I would and want to implement that approach. But it also means that myself and my team are more have shifted that conversation away from that after the fact through more ahead of time. What are the technology controls? What are the designs? What are some of the the things that we can do to strengthen those relevant IT services to protect those key operations and make them the most recoverable?
John Hare [00:09:56]:
Thanks, Dan. So as with cybersecurity and so much in life, it's really about identifying what is of absolute critical importance well ahead of time of focusing on that. And, like, I I think that's a pretty great segue into the next topic I wanted to discuss, the the whole idea of preparation, which is on conducting simulation exercises. Now I think this is definitely something we at are seeing more and more demand for with clients wanting to do desktop and, even live exercises, and there's definitely regulatory impetus behind that. But not only that, I think, you know, most organizations, they really do grasp that it's better to find out in an exercise, you know, where you've got gaps in your framework for responding and recovering from an incident than than in a in a real event. And, of course, building that muscle memory in the team is incredibly important before you do actually, you know, get into get into some sort of cyber crisis. Now, Dan, I've actually seen you conduct one of these exercises. I've had that that pleasure.
John Hare [00:10:51]:
And I wondered if you would just be able to share some examples of the really successful simulations that you've done now and what what made them effective.
Dan Lidell [00:10:59]:
So, Phil, I love running crisis exercises. They are the best part of my job. Not just because they bring out my John Christian or Tom Clancy when writing the scenario in the SP. They really are a great way to focus people on an issue, and I think that's why we're seeing the shift towards them and certainly a lot more engagement from organizations. They help you conceptualize the variety of impacts that you might face, how they might play out. But as you pointed out, most importantly, you have you identify where are you weak, where do you need to improve, and to do that in that that safe space. And the problem is that some organizations treat them as totally disconnected from the realities they don't know business or some special, you know, invalid commerce, compliance event. They really are part of our resilience continuum.
Dan Lidell [00:11:46]:
They have to have clear objectives about what you're seeking to achieve, and and it cannot just be for because we we have to run an exercise. That's the outcome. So you have to look at what it is you're trying to achieve, and so I've done 4 day exercises in order to make sure everyone really fully understands and comprehends and has shared understanding of how a particular event, like a ransomware attack, might play out. So you run the exercise, but you're also building in time for education and exploring and canvassing all the different facets of the the impacts across the business that you may not have thought about. But also run very short, 30 minute, quick decision scenario discussions with our leadership team just to concentrate on one particular specific issue. As a part of this brick and mortar scenario, you might need to make a decision about this, this, and this. How are you going to make those decisions? What information might we need? And, you know, that quick decision discussion helps us focus on that specific topic and get a room for the outcome that helps us plan. And and I've also run other types of issue, events like pre-mortems, where you focus on the worst case issue as if it's happened.
Dan Lidell [00:12:56]:
That's the outcome. We're not trying to avoid it. We're accepting that it's occurred and then you step backwards and then and identify what could we have done differently to avoid that taking place? What could we have done to make the impacts less severe? And then ultimately build form again on the capabilities that you need to develop to it, avoidant or help you respond down.
John Hare [00:13:17]:
So, Dan, you you spoke a little bit about, your creative process. So and there clearly is one. It's really important success factor, I think. So any of these sort of exercises that the scenario that you choose, you know, is technically credible, is plausible when you look at the threat environment. So how do you come up with the right sort of scenario that really fits those requirements?
Dan Lidell [00:13:39]:
I agree. It couldn't be driven by developing the scenario is absolutely pretty cool. I mentioned it before, but it's vital that you start with the objective that you're trying to achieve. So that makes it actually easier to come up with the broad scenario that's going to give you the vehicle to drive those objectives and outcomes and deliver those requirements. It's about doing your homework. It's diving into the topic, leveraging the experts from either inside your organization or outside your organization to really understand what will happen, because that all helps ensure that you're building a scenario that doesn't require the participants to suspend reality. And that's actually really important because if they are needing a crew sense about what what happened and and what they might need to do, it is more forcible, and it's therefore a lot more challenging for them. They can't just make it up and wish it away.
Dan Lidell [00:14:34]:
Basically, if you've got a strong plausible scenario into the realities of the organization, you're avoiding waving away the scenario, and therefore, the participants waving away the reality of their responses.
John Hare [00:14:49]:
Thanks, Dan. Look. I imagine that there will be people listening to this podcast who are gonna be sort of in those shoes about to design and run one of these incidents or one of these exercises. And I think you got dead lit. There's some great tips there for sure. So do your homework. Make sure you got a scenario that really is plausible and and credible, and make sure when you set out that you've got a really, really clear outcome in mind. So if there are people out there who are thinking about staging one of these exercises, Dan, are there any other pearls of wisdom, any other tips that you would like to share with them?
Dan Lidell [00:15:21]:
Well, I I think one is you have to make it engaged. And I was half joking before about being a writer, but storytelling really is a big part of a successful exercise, I think. It it it'll bring that scenario to life. It puts the participants into a full evil and real world setting. And do that by injecting the wrong amount of color to convey the feeling of the scenario. It goes a really long way when we're seeing the participants into it. And actually, the reason I liked that is because it has a disproportionate impact. It aids the participants to understand the issue, but that can also evolve into sparking their imagination about solutions they may not necessarily come up with.
Dan Lidell [00:16:02]:
When you're sitting there looking at a July risk assessment or or an impact summary, it's kinda hard to then imagine, really, what is this gonna be like? What will I need to be doing in response and and coming out with solutions as a result? It doesn't need to be a big production. And as much as I would love to have, AI-driven augmented reality crisis scenarios, it can really be as simple as as throwing in some quotes from an impacted customer and how it feels for them, using images from similar events if you're looking at a physical type issue, or just some relevant headlines, just help bring it to life for the participants to add that color, the realism, and and spark their imagination and gather their expenses.
John Hare [00:16:46]:
Make it real. Bring it to life. Thanks, Dan. Now, Dan, just moving on to a slightly different subject. I wanna talk to you about leadership, and I think that you're a really interesting person to have this conversation with given that you come from military background, but you've also worked with, you know, some of the best of the best in terms of leaders in corporate Australia as well. And we will talk a bit more about your background, in a moment. So given that background and given that, you know, you are regularly running exercise this time and and being involved indeed in in in disruptive events, what qualities do you think make a good leader in a crisis scenario?
Dan Lidell [00:17:23]:
Leadership is always crucial, not just in a crisis, obviously. That's a that's a given. Often we think, though, that a special type of leadership's needed for a crisis, and often thought of as, an free, especially when you're talking about an issue as complex and diverse as a cyber crisis. No one has that subject matter expertise or necessary, and an authoritative leader isn't always going to succeed. In fact, a successful leader has to account for the fact that they actually don't know all the answers. They even actually don't agree with any problems that they're going to have to face. But they're very well developed in their ability to engage and lead a team that can help identify and rule out those issues, the impacts, and then how they're going to respond to them. That can be through a very hard skill of a structured agenda, but it's the soft skills of drawing out the right information, giving it relevant context to the situation at hand, and driving the action that we need to respond.
Dan Lidell [00:18:34]:
It's also about that leader being being able to give time and that psychological safety to the group to ask questions, to challenge the assumptions, to to say, actually, I don't think we've got this right. We need to think about it in a different way, challenge each other. And I'll come back to being creative again, developing solutions and being open to solutions that are a little different. That's probably very relevant to the situation. Finally, what makes the leader most successful in crisis's perspective is very easy to get right down into the detail in the moment, quite in a visceral way, but a successful crisis leader is able to balance that detail in the now, but keep an eye on what the bigger picture, and and what needs to happen next and later as well.
John Hare [00:19:24]:
Thanks, Dan. That that thing is a really interesting answer because a lot of the things that you described there, I would say, are things that we'd recognize that the the good leader would have generally in a crisis or or otherwise. I think, you know, that that ability to ask questions, to challenge and create an atmosphere that really fosters challenge as well. But but also I think, you know, going back to our earlier conversation around how important it is to do drills and exercises, you know, you you mentioned that the ability to engage and lead the team, how important that is. And if you're not the expert in everything, I think you need to understand here about your team and know who can help and who can step forward. So clearly, that is something that you can improve through doing exercises. Absolutely. Fantastic.
John Hare [00:20:04]:
Okay. Well, let's move on from leadership to collaboration. Now we've already touched on this a little bit when we're talking about space weather before, but, if we think about financial services sector, do you have a resilient financial services sector that clearly we need collaboration on on several levels, but I'd say it's very important we got collaboration both between financial services organizations and separately between the financial service organizations and government as well. So I'm really interesting interested to hear from you, Dan. How is that collaboration evolving over time? It seems like we're hearing more and more about XLS, etcetera, you know, sort of cross industry. What's the evolution that you're seeing from your privilege view?
Dan Lidell [00:20:44]:
Well, it's it's certainly taken off. Again, it's one of those things that's been bubbling away in the background for a long time. Those of us seeing my sort of roles have always wanted and sought to team together or exercise with each other across different industries, even. But it's really it's suddenly exploding into life. Again, I think that's been somewhat hooked by the pandemic, but really, it's that realization that a significant cybersecurity event impacting 1 or parts of the financial services sector will have a material impact on all of the sector, particularly here at Shea, where we're tightly interconnected. It's actually an extended limit further to one of those things outside that could impact life energy, space weather, telecommunications, etcetera. So anything that's going to impact across the financial set data is going to impact the community and the broader economy, and and that certainly will focus the government attention as well. It's fair to say that WEDIS has been there for some time.
Dan Lidell [00:21:43]:
I think the biggest shift has been adding to the very strong technical level engagement among cyber citizen teams to that higher level cross industry understanding in the interdependent in class, how are we going to coordinate as a collective, and how are we going to communicate and align our responses together. Again, it's an extension back to the Lego brick analogy, making sure that it's part across our industry, your financial industry, and other industries, and government actually know how they're going to come together and make sure those connections work very effectively as and when we need them to.
John Hare [00:22:20]:
Thanks, Dan. Dan, as I mentioned, sort of at the beginning of the the podcast, yeah, this podcast is intended for a broad spectrum of listeners and and definitely one of the audiences that we wanna reach are those who are early in career. So it'd be great to hear a little bit more about your career journey, how you got into your current role. You came through a, you know, to cyber through a somewhat nontraditional route, I think you you might say. I'm also interested to hear about given you came from a nontraditional background. What did you get sort of sponsorship and mentorship that helped you on your on your way?
Dan Lidell [00:22:51]:
Certainly did. So that's gonna make me you know, I started out in the military. I lived straight out of school, joined, and became an officer in the Australian Army just as it was entering the busiest operational period and it ended in our face since the Sittinoy Ball. So as a 20 to 30 year old, it was an amazing time. Hugely diverse range of experiences I was exposed to. I had privilege of working writing reports at the strategic level in Canberra to senior defense leaders down to leading small teams in field here on overseas operations. When I made the decision after about 15 years of that that I wanted to do something else, it was it wasn't easy to identify where I might be able to apply some of those skills that I've learned, but I just started by talking to everyone at point in my network, doing that network to those that that may have left the military before me, but, you know, following on to others who might be able to give me some insights. And to be frank, there was a bit of good luck and timing involved as well.
Dan Lidell [00:23:54]:
And, yeah, I talk about mentors. I did have a mentor who had a similar background and who was already in the field, and she was able to advocate for me, essentially helping me to translate those skills that were a green camouflage in the CV into what they might have they might mean for the real world. And so through RevAir, I was actually introduced to business resilience and crisis management, my first rollout in a major airline, and I was all, and into the world of business resilience, and it really clicked with me, and I just love it.
John Hare [00:24:27]:
Fantastic, Dan. Boy, it's great that you found a professional home after the army in in in resilience and particularly in in cyber. So, Dan, in your current role, just really interested to hear about when you're hiring for roles in the resilience team. What are the attributes that you're looking for in candidates?
Dan Lidell [00:24:43]:
I'm very privileged. I have a great team. None of them have the same background, and that's their strength. Each of them bring a mix of skills and experience to the role, and it's definitely not the case that they have to have a military or emergency services crammed in fast. If everyone had that in mind anymore across the teams I've worked with, I don't think we'd be successful. We need that MIDS. I defer for attributes over qualifications. And there's a couple of key areas, namely being curious and humble.
Dan Lidell [00:25:16]:
Always knowing that there's more to learn, and asking how does that work so that they can keep stretching away, understanding it, and then most importantly, understanding how it might go along. Me, personally, I really value, team members that are authentic and transparent. That's not just because they're great to work with, but in this field, it helps to build and maintain trust within the team and across all the different teams that you need to work within the whole organization. And it's vital because, especially under the stress and strain of the crisis, you have to know that you can rely on each other and rely on that person to be upfront and authentic with you. Taking into account new details as they emerge, assimilating them into the situation, understanding what they might mean, and then rolling with that to alter the plan or alter the direction and keep it moving forward as you need to do. And as mentioned before about leadership, you know, any of these attributes, they're good attributes for just any relevant corp of world. You know, if you've got those, they're gonna succeed. Key difference in crisis and resilience is that they have to hold true when under the greatest and bad pressure.
Dan Lidell [00:26:28]:
So they can't be mini. They can't be service level. They actually have to be really deep. And that when you're operating under the most intense scrutiny, when others are not necessarily able to step up and take the lead, I look for candidates that can do that, and can prove that they are able to do so. That's the key difference.
John Hare [00:26:45]:
Thanks, Dan. So curiosity, humility, authenticity, flexibility, and just the confidence to step up. Interesting. Actually, it's interesting that a lot of the the qualities that you described there are the same ones that you'd we discussed when we were talking about what good leadership looks like in a crisis. And I guess it sort of demonstrates that leadership can happen at any level in an organization.
Dan Lidell [00:27:07]:
Absolutely right. Yeah. Particularly in a crisis, you you have to be open to where are the right leaders. It's not necessarily the top. They can be at various levels, and giving those people the roomy voice and the trust to help coordinate the response can bring the best out for the organization.
John Hare [00:27:27]:
Yeah. Absolutely. So so Dan, final question is you said that a lot of the people that will be listening to this podcast may well be early in career. So what advice do you have to someone who is setting out on a career in resilience?
Dan Lidell [00:27:39]:
Welcome to a great role. Resilience is a field that gives a really unique view within the organization, and that is how it works across the whole breadth of the organization. We often talk about we have to understand the organization a mile wide, but only an inch deep at times. And then when you get into a response, you dive right down to the deepest layers. But you get to see how it works at its best and how it responds when it's facing its worst. And so my advice to anyone going into the field is learn as much as you can about who actually knows what makes a tier. Who is it across that mile wide and breadth from the person that knows the deep, dark bowels of the operational processes and the IT service it is, and in the market, or the people who really know the customers, or anyone else who's an expert in their field. Find that person, understand who they are, what they do, build that trust with them, because let's let's face it, you're going to be calling on them at 3AM in the morning to draw on their knowledge and skills so that you can help develop a solution to a problem that you probably didn't even know was going to exist, or understood that it could until it actually emerges.
Dan Lidell [00:28:50]:
So reach out into the organization, get to know those people, understand their strengths, build the trust so you can draw on them when you need to, and good luck. You love it, I'm sure. That's what I'd be saying.
John Hare [00:29:03]:
Absolutely. And as I said before, never a dull day in, in resilience, but, no, thanks, Dan. I think it's this great, great advice there. So you say it really comes down to understanding your organization and, and really finding and cultivating that network of people that can act as your guides when, yeah, when things do go wrong and you need to call on the helm.
Dan Lidell [00:29:19]:
It's formal frameworks as well as informal frameworks, and that's an important part of it. So yes, you'll have a list of names of people that are really representatives to the areas that are part of the group process management team, for instance. You also need to know who's to join Pierre and who knows every bit of this process back to front. Who's gonna add a lot into the understanding of who is this well.
John Hare [00:29:39]:
Awesome. Thank you, Dan. Dan, I think we're out of time, but thank you very much for a very wide ranging and, interesting conversation. Really appreciate you coming in.
Dan Lidell [00:29:48]:
Thanks very much. My pleasure. This has been an EY cybersecurity podcast; a KBI Media production.