Many years ago, people chose to stay with the same employer for decades. Today, employees change jobs more regularly. Each company needs processes that give new hires access to the systems they need to do their jobs, but there is also a risk that, when they leave, they still have access to some of those systems.
Today’s guest is Craig Davies. Craig started in banking, holding many roles including CSO. As the CISO and Executive Director of Gathid Ltd., he is passionate about helping organizations strengthen access management without completely overhauling their people, processes, physical infrastructure, and technology. Craig has spent more than 25 years in cybersecurity, working across infrastructure operations, security architecture and software, and web development and operations. He was the first CEO of AustCyber, and at Atlassian he helped develop the security program for all aspects of their business, including security, cloud operations and protection.
Show Notes:
- [1:32] – Craig shares his background and what his roles are at Gathid.
- [4:52] – When bringing on new employees, there are several front-end issues that a company and employee can face.
- [6:22] – It can be really frustrating for a new employee when there are so many different programs to learn and manage.
- [8:18] – We have to think about the employee’s journey.
- [10:59] – In many cases, new employees receive a ton of access without learning the process during onboarding.
- [11:49] – Offboarding can be a nightmare because we don’t always think about all the things that are connected.
- [15:26] – We need to protect the person who is leaving.
- [18:06] – One of the challenges is knowing who should be responsible.
- [19:12] – There needs to be a list of all the programs and systems that an employee may have access to.
- [21:17] – Offboarding is not typically a priority, but not focusing on it can be a huge risk.
- [24:43] – Smart use of control is important especially in onboarding and offboarding.
- [27:26] – Working remotely makes systems and access even trickier.
- [29:39] – There is a reason the large companies have large systems.
- [31:50] – Every company has the same problems. The ones that have a process in place have likely experienced a crisis.
- [34:57] – What are the challenges to the new ways of working post-pandemic?
- [36:26] – You can’t get rid of risk, but you can manage it.
- [44:50] – These processes all start with a conversation.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- whatismyipaddress.com
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- Craig Davies on LinkedIn
- Gathid Website
Transcript:
Craig, thank you so much for coming on the Easy Prey Podcast today.
Chris, it's great to catch up with you and have a chat about all things cyber and particularly how we see the world from here.
Awesome. Can you give myself and the audience a little bit of background about who you are and what you do?
My name's Craig Davies. I'm the CISO at Gathid Identities. I've been involved in Gathid for a while. My background is working in cyber and technology since the 90s, from developing first-generation internet banking through to being the CISO for a large medical device company, to being the security director for that little company that people might have heard of, Atlassian.
Then CEO of an Australian government initiative called AustCyber, which was designed to help Australia create a cyber security industry, and now being at Gathid, but also heavily involved in the startup, scale-up community, providing guidance, advice and investment into those ideas and people I find fascinating. I've been fortunate enough that my career has given me the opportunity to do this all over the world, from Europe through Asia to the Americas, and of course Australia.
That's an awesome background in history. How long were you at Atlassian?
I was there for a number of years before the IPO. I built their security program, went through the IPO, and then about a year after the IPO, I was approached to form this industry growth center for the Australian government. It seemed like too big of an opportunity to pass up. How many people get an opportunity to shape an industry in their home country?
I left them with a heavy heart, but still have a lot of contacts inside Atlassian, still in constant contact with lots of people there, and learned a lot. Made lots of great friends, learned more importantly the joys of scale, and solving cybersecurity challenges in a company, which is where we're going to talk about today, which was hiring 20–30 people a week. Trying to figure out, how do you get all them together and get them into environments? If they leave, how do you get them in and out?
I've been involved in Gathid for the past few years. Initially, we were called RightCrowd. They're now called Gathid post-divestment of some parts of the business. Originally, as a director of the business and still as executive director, but now with us breaking out, stepping in as their CISO to bring some of that expertise I've got over the years and try my best to contribute to the team and our customers around what we can do, the importance of this, and build on their already outstanding security approaches.
Cool. Let's talk about the IT onboarding and offboarding of employees. There's a whole bunch of HR stuff that I don't want to get into because I don't like HR stuff. But there's definitely a massive IT side these days to onboarding and offboarding employees. Let's talk about it in two ways. We've got onboarding and offboarding. What are some of the front-end issues when you're bringing on new employees? I could think of a whole bunch.
I can think of them. We all know those experiences ourselves. How many companies go to all the trouble of hiring an employee and then in the first week treat them so badly that the person's going, “Oh, my goodness, what have I done?” They get into the business, they join, they get a desk, and maybe they get a computer. Or nowadays, they get a remote access login with remote work. But then so many people still spend the first period getting access to systems that they need to have to do their job.
I think that's super frustrating, but it's also such a poor employee experience around you've hired, people are excited. You want them to be productive as soon as possible. They want to make a good first mark. They've got all these things they're going to do in the first week, and then they don't have access to ticketing. Maybe their rights aren't correct if they're developers in the repos. If they're working in any function, maybe they'll be doing something, and then fine, they don't have access to some system.
Nowadays, there are companies using so many systems to do parts of a role. It can be really frustrating for a new employee and it does distract or detract from their initial experience. I think one of the challenges I thought about whenever I've joined an org is that, how do you get access to stuff? If I go back to my experience at Atlassian, we took this very, very seriously. We're working hard to develop an onboarding system so people could join the organization and get access to stuff fast because we wanted to be productive.
It's quite complex to do. You read these stats about how many systems that people need to use to do their job now—mapping that and managing that—unless you've got dedicated resources to do it, or you've built it all greenfield, it's really hard. That's actually one of the challenges that inspired us in the Gathid platform to look at, how do we think about that journey?
No one talks about onboarding. They'll worry about offboarding, which is true. You want people to be offboarded, but you know yourself, Chris, everybody says, “Oh, I just joined XYZ Corp. It took them three weeks to give me a building card.” It's always something that you might think is insignificant, but it can really, really frustrate someone.
We're very keen using the Gathid methodologies and the experience of that, my experience, other people's experience, of those personal journeys where you've joined an org or left an organization, and it's just a little bit crap. I think the more companies can do that, the higher value proposition they can give as an employer of choice.
Now when you've got people remote—oh, my goodness—it’s not like they can walk around and ask the person at the next desk, “Hey, how do I get access to Jira? Which project in Jira should I be in? Or we use Monday, or we use whatever?” We can't do it. We need to create those exceptional working opportunities for people.
Is the challenge that you have, the onboarding is managed by different people, you've got the HR person, maybe the department they're going to go to work for, and then you've got the IT department who is going to set up permissions and all these systems, and it's just that there's not a good process, or is it something more than that?
It's always process-driven. Now, if you're working in a certification world a bit, ISO 27001 or particularly 27001, you actually have to have these processes. But no one ever really does it.
They design them but don't follow them. When it comes to onboarding people, is the issue that we've got too many stakeholders, that you've got HR, you've got the department they're working for, you've got IT, they just don't have a process that they follow?
Yeah, I think that's the core thing. In this age now of distributed platform ownership, or I used to call credit card architecture, a group, we won't pick on any groups who buy a tool because it's really great for them, but it never gets really brought into the enterprise. The process never gets figured out well, even though certification processes like ISO 27001 expect you to have it. It ends up in the too-hard basket.
Or we gave them an AD account, we gave them email, we put them in Jira, we put them in Confluence, we put them in the ERP platform, we're done. Then it's just accepted culturally that the people are going to spend the next two or three weeks finding out that they're supposed to have this right in ERP.
What I've seen, and it gets picked up occasionally, is they get the same rights that Barry had. Of course, Barry was there for 15 years, had god rights, and no one knew. That's where the Gathid platform with these role-based things and toxic role combinations, like all these things that we see can simplify that process because onboarding is bad.
Offboarding is another nightmare because we forget about the things that aren't really connected. We forget about the building management system, particularly if they're a remote worker and you only saw them in the office once a month. We forget that they've had a car because it's not connected to anything.
We might forget about some little critical system, and you think about this. There have been published instances of companies having a data breach because of a system that has been implemented, but it's not connected to anything. The person leaves, creds are reused, whatever the circumstances are, and the next minute the company is having to explain why system X that they use has been responsible for a data breach because they didn't remove a staff member out of the platform, reused creds, whatever the circumstances are. Or some IT groups would remind me, we didn't even know the system existed, which is always an adventure, I think.
That it is. Let's go to the offboarding. Maybe I'll just tell a story of a company that I worked for. I was running the IT department. Over the number of years that I was there, I wrote my own procedure from an IT perspective. If someone's going to leave the company, here are all the systems I need to check, and here's all the order that I need to go through it such that I can actively shut down the most critical stuff first while they're in their exit meeting, and then the rest of the stuff, I could slowly take care of it over the course of the next hour or so.
I feel like it happened more than one time. I always say, “OK, what time are you doing the exit interview?” “At 1:00.” “OK. If you're going to change it, you need to tell me before 1:00 because at 1:00, I'm going to start killing access to things.” There's one time that, OK, they said, “Yeah, absolutely 1:00.” So at 1:00, I start revoking access to things, resetting passwords as a first round. That way I can at least deal with it appropriately later.
The person walks up to my desk and says, “Hey, I just got logged out of this system.” I'm like, “Oh.” I closed my screen. “Let me look into that. Make sure you tell whoever their supervisor is that it happened also, that he knows that you're not able to get something done.” Then the supervisor comes over to me and he's like, “Why did you start revoking access?” “Because we all agreed that it was going to happen at 1:00.”
I've definitely had those oopsies. I know somebody's leaving, which is never a fun position to be in when you know someone's going to lose their job that day, but even worse when you start revoking access to things and they walk up over to your desk.
Yeah, I have gone through that pain running IT functions, where “We're getting rid of so-and-so at 2:00 PM. Make sure their access is cut off.” “No worries.” 2:00 PM, help desk phone rings. The person X goes, “I can't log into anything anymore,” and you're like, “Oh, man.” Or you have the reverse, which is even worse, where they do move somebody out of the business, they don't tell you for two or three hours, and the person realizes they've still got access.
There are balances to that. I always think about this with offboarding. One of the things I always think about all the time is respecting the dignity of the person who's left and not assuming that they're evil. I talk about this with companies and go, “Look, you want to have a robust onboarding procedure because you want to protect the person who's leaving. You don't want there to be any hint of anybody thinking if something bad goes from, ‘Oh, it's because Susan still had access.’”
It's like, no, we do this promptly in a respectful way because people are still people to remove the possibility that Susan, Neville, Barry, Karen, whoever, could ever be considered as a source of a problem against the organization. I think that's far more respectful than going, “We're going to cut them all off because they might do something bad.” Honestly, I think more likely when you think about people doing something bad, you're the person sitting across from them at a table, and if you're firing someone, I think right then it's the bigger risk than them doing something malicious to tech.
Those platforms and that approach, that's one of the things we think about within Gathid because we can connect all these things together virtually. Even if they're not linked, we can still link them. It allows you to ensure that you don't, even as an IT professional side with an HR professional, do things in a way that is respectful to the person who is leaving the organization, and you are honoring your commitment to the organization to protect the informational assets that have been entrusted to you. That's what people, I think, miss a little bit when it comes to these procedures.
You're giving them the farewell card. The giant novelty card goes around the office for three weeks and everybody writes, “Farewell, whoever you are.” We worry about that, but we would know ourselves. You do see these cases where someone does do it, but it's so rare. It's more likely that something else is going to happen and someone will think, “Oh, that's because we left Susan in the system.”
Is there an approach that makes all this work out, where if you're not in a single sign on environment, do you prioritize, “OK, this is what I need to do while they're in their exit interview, and this is the stuff that I can do later”?
I think for people, whoever's ultimately accountable, that's always the challenge. Is it the people team? Is it the IT group? Is it the manager? That's an argument that will go to the end of time. It's a bit like everybody points at each other and go, “Well, I thought you were doing it.”
For many companies, regretfully, they're still going to have that conversation as to who's accountable. I'm not going to buy into that one today because I can't win. It's the third rail of identity management.
Let's assume it's IT. Let's just make it easy and go, “IT guys, IT girls, team, you're accountable.” They're going to have a list of everything that someone could potentially be in. I just realized we're doing a podcast, and I'm here drawing things with my hands. If everyone could just imagine that, that would be really great.
They've got to have this really comprehensive list of everything that a person might be in. I'm talking about a typical company they might be in. They don't have single sign on, or they're using a platform of whatever for that kind of stuff.
I will admit, at Gathid, we're very lucky because we will spin out. We had to build everything brand new, and I was able to put in the rule from the beginning going it's SSO or it's not happening, which means that not everything is SSO. A lot of our stuff is SSO, and of course we use our own tooling to link everything else together. We've got this great view, but that's why we think our products are good.
For everybody else, you've got to have this really big list of, “Are they in this? Are they in this? Are they in this?” Then you actually need to prioritize it. You can do it based on a threat model, you could do it based on pragmatics. It would depend on the company, I guess, how they would rank that. People would think straight away, “We've got to get them out of the network. OK, great.”
They're a remote worker. Maybe they've got a cell phone with email on it. That's the bigger risk. OK. Do you get them out of email first? Do you get them out of your messaging platform first? That's a conversation that needs to happen. I think it's a wonderful tabletop exercise, to be honest, to sit around and drop all those weird little scenarios in and try to develop that list.
The next big challenge is, all right, who administers all those systems? Who's got rights to actually do this? They might not see the risk the same way that you see the risk. This comes back to the role of the security personnel, the IT, the HR, or whoever's accountable, building those relationships across the board.
For lots of companies, they're not doing the 20 hires a week, they're doing the two hires a month and maybe one exit every other month. It's not like the highest priority, but they're the big risk scenarios. They've got to take the time, just break it down, and go, “OK, we use 57 systems to do our job. Maybe we should get a handle on those.”
What do you do about the department that doesn't tell the responsible party? We've added this other, “Oh, we've got this great cloud platform that we're now using for creating graphics, and everybody has the right to delete everything in there,” but they didn't tell IT about that system?
Why are you picking on marketing people? I want the records to note that you were the one picking on marketing people, never me.
Because IT people always pick on marketing people, and marketing people always pick on IT people. It's the natural order of things.
That's true. That is the natural order of things, isn't it? I think it comes back a little bit to the strength of the relationships across the organization. Security people, cybersecurity, CISOs, whatever, and I've just written about this in an article about the first 100 days for CISO; the world has changed. You can't be just sitting in your corner being the IT guy, the security person, or whatever. You're an integral part of the company. You need to build those relationships so the likelihood of that happening is much, much lower.
I always get terrified when an industry personnel will say to me, “Oh, the business doesn't understand.” I'm looking at him going, “I'm sorry, I thought you worked in that company, or you didn't realize you were a consultant.” “No, no, I worked for them.” I said, “Well, you're the business.”
This relationship building is a skill that is getting better across the board, but that's how you can get in front of it. There are always going to be these things. That's where you can have Gathid platform and solutions to technically look at these things. But you're still going to have that relationship because you still need to find out who the administrator is.
It's OK for the department that looks after their own system. I don't have a problem with that. As long as they're going to play by the rules that support not only maybe at certification, maybe it's IT general controls that you have to do under Sarbanes-Oxley, but there's always some regulatory framework. I just don't like using regulatory framework as the stick. I just don't like it. You want to use it as, “This is the way we work here, and this is why we work this way.”
It's not because some lawyer told us we have to do it this way, it's because it's the right way to do it.
Exactly. We're currently at Gathid upgrading to the ISO 27001:2022 standard. We're still on 2013, the last version. There are a lot of changes in that. We're also working through SOC 2, GDPR, and all these standards. We're not doing them because some lawyers told us to do so. We're doing them to reassure our clients that we actually do know what we're doing, and this is how we independently prove it. It's not the value proposition of we do it.
Smart use of control or smart use of regulatory framework is aligned to helping you do your business better, but being OK with pushing back with a compensating control around things. I think the number one thing that for many years was that you need to change your passwords regularly. I was so pleased when this came out a few years ago and went, “Yeah, don't do that. Just make them really good.” I think the junior help desk engineers, the world's over went, “Oh, thank goodness.”
I know someone that I won't disclose who or the company they work for. With the pandemic, most of the employees are now remote. They have a 90-day password policy. Every 90 days, all the employees yank their hair out and try to come up with a new password. For whatever the reason, it's supposed to be single sign on and change it everywhere. But inevitably, the person I know, “Well, it worked on my laptop today, but when I reboot and try to get to my laptop tomorrow, it'll be the old password.”
“Once I wait two or three days, it'll be the new password. So now I've got to remember two passwords until this password somehow, not sure why, doesn't roll out right away.” But inevitably some system somewhere, it doesn't update, and they've got to call in the poor IT guy, the poor help desk person and say, “Hey, I did my password change, but it didn't work here.”
Having built this stuff a couple of times, even in Gathid's own experience, I used to call it super awesome magic login. In prototyping, it always worked well, and then it rolled into production. You'd realize, “Hang on, that particular platform only does a SAML update every six hours.” You're like, “Well, how can I make it go faster?” “We don't do it any faster than that.”
Particularly, if it's aligned with a full SSO, SAML, SCIM setup, and maybe it's done really, really well, but it still only syncs every four hours. If you've got a couple of platforms like that, all of a sudden you're off to the races in single sign on or, as I call it, single sign on mostly.
When people are remote with the modern Entra ID or whatever Microsoft calls it this week, and the Intune and all that, which are really great implementations, if you're not online at the right time, it doesn't check in, it's just, “Oh, my goodness.”
Having the visibility across all those systems and being able to look at it and go, “OK, I don't agree in changing passwords. I think you should have a really great password. You should use a really great password manager.” I'm not going to mention any brands, but we deployed one to all our people. We managed that really well. And then everything else is single sign on because no matter what you do, you're going to have passwords for other things.
Thankfully, more and more organizations are doing passkeys, which I think are going to save us for the next couple of years until we figure out how to breach them. That's only a matter of time, but we'll see how we go.
Again, we're talking about that visibility; that's the really key issue. So many organizations cannot see across their organization as to what is actually being used, who's connected to what, and which supervisor can see things. That's the challenge that we have seen. Now, that's what's motivating us around the Gathid platform, to provide that independent visibility compared to trying to do all the things.
Who does it better—large companies, midsize companies, or small companies—in terms of knowing who has access to what and what new platforms have been spun up?
I can put on my sales guy hat right now and go, we have clients with 80,000 people in the system because without our platform, they would have no visibility. We've got clients who've got a thousand people in the system—without our platform, they would never. We've got people with 20 systems, a hundred systems, and things.
I'm not saying any company that works with me does it very well, but that's complete bollocks. Large companies, there's a reason they have large identity and access management teams because it's the gift that keeps on giving. I worked in an Australian bank for many, many years. I knew what it was like then.
At Gathid, we've got a client who came to us and still runs AS/400. I think, “Oh, my goodness. Thank goodness you don't run OS/390.” They were coming to us and said, “We need to connect the AS/400 identities into the Gathid platform.” I'm going to pick on our engineers a little bit here. I don't think a couple of our devs were born when AS/400s were a thing. It was really quite funny.
They're the kind of challenges that are just lovely. Now we can categorically state, “Hey, if you've got an AS/400, we can link it into the Gathid platform.” Because that's a large financial organization, they gave a challenge. Yup, we can do that. We've been doing this for 20 years. We all looked at each other and went, “OK, does anybody remember how an AS/400 identity works?” Not that I'm going to use AS/400 in 20 years. I think I know someone.
That's the thing I'm talking about. These large companies have legacy things. It could be mainframe. I'm sure somebody still has SunOS boxes running key systems. I know a manufacturing company very, very well who still runs MS-DOS on the production line. It's a completely walled off system because they built a platform based on that. To change it in a certified, regulated business, it's just not worth it.
That's what I'm talking about. It's not bigger or smaller. Everyone suffers from the same problem, and the only people who get on top of it are the ones who have probably had the crisis and go, “We've got to fix this.”
It's funny about legacy systems. When LinkedIn was new, I had put on that one of the companies I've worked for, I'd worked on this particular hardware platform that even at the time, it was pretty old then.
Twenty years after I left that company, someone messaged me through LinkedIn and was, “Hey, we're having problems with this particular system. We see that you have experience in it; can you help us?” I'm like, “I haven't touched that system in at least 20 years. There's no way I can help you.”
But it was one of those things—it’s a machine back in the corner. As long as it's doing its thing and working right, nobody touches it, no one messes with it. Once it goes wrong, no one knows how to fix it.
Wouldn't you admit that most of us who have worked in this field for a few years probably have two of those systems still lying around in a previous organization and just hoping you never left your name anywhere in the code?
Yes. As we work towards a landing here, what are the unique challenges—I hate calling it a post-pandemic world, but since so many people are now either hybrid or entirely work from home, does this whole new, at least they used to be in our office, and when we fired them, let them go, or they quit, they walked out the door, they didn't have physical access to our stuff anymore. But now that they're at home, there's no one watching them during the day. And if they leave our employment, they still have machines and equipment. What the heck do we do?
I'm going to speak to the person who's worked remotely for a really long time. For the benefit of people listening to us, Gathid is based on the Gold Coast in Australia. Really great place, lovely, great beaches, big holiday destination. I live in Sydney. We've got team members in Melbourne in Australia. We've got team members in the United States. We're distributed from day one.
I had to think about these problems when I was building the Gathid architecture. How are we going to work? And it brings in the experience. I'm a former Atlassian employee; Atlassian is team everywhere. Many other companies are facing these challenges, and I don't want to get into the, “Is it better to work remotely? Is it better to work hybrid? Is it better to work in the office?” That's not my battle. I like to do all three because I get lonely. My cat's a really bad coder, so I need to go and work with real people.
What it does, though, is it really manifests core processes around employee system management. You're right, you could get away with it before because when a person left, particularly if they've gone off to explore further opportunities, probably, then they would get their box and they'd go. We didn't have to worry about BYOD, we didn't have to worry about cell phones. If they had a cell phone, it was probably a corporate one that was already taken from them, and it was fine. If we didn't have all the processes in the back end, it's fine. We've got all our stuff, there's nothing they can do.
Nowadays, we've got employees. I know we've got employees at Gathid that I haven't seen face to face ever. Other than on video, I've never actually met them face to face, and I'm OK with that. But it means then I've got to think through as a security professional, “OK, how do we manage that?” Now the technologies are getting better, but still nothing's perfect. This is the point where we all really realize that we miss BlackBerrys because you could just get a BlackBerry and go, “That's it, you're gone.”
Everything else has gotten better, so the importance of having that entire visibility across your enterprise becomes super critical to being able to effectively lower the risk. You can't get rid of the risk, but you can manage it. Yes, they might have a laptop. But if you know the six systems that are really key, how they're connected, and who looks after it, you can cut that access off.
Ultimately, it might just cost you a laptop. Maybe you're never going to get that back. Maybe the remote works, maybe. Nowadays, it seems to be much better than it used to be.
If you don't have that visibility, and you can't see across those environments, then that remote work, hybrid work model from a cybersecurity and IT effectiveness, and I even think from a business value proposition like the money you spend, becomes incredibly high. That's why we believe that our approach of creating the digital twin and the independent overview of your platform allows you to start building those models to figure out where your risk points are and where you can get somebody out.
Remember we talked about before, having that checklist of all the things? Again, I think you hit it on the head there, Chris. The person who's an employee who lives in-house, in the building, that risk profile is going to be very, very different to the employee who's remote, perhaps lives in another country, perhaps lives in another time zone, is a day away from the office. You've got to have that ability to accurately assess what that looks like, where the pain points are.
Again, I spoke previously about tabletop exercises running those. They can be fun or they can be boring. Better if they're fun, but you can call that really crazy scenarios, which ultimately you find out aren't that crazy because they've happened to someone. I do all my tabletop scenarios with companies based on allegedly real-world scenarios, things that happen allegedly. It's very confronting for people sometimes when you go, “But that's not possible.” You go, “We'll see how it goes.”
I think about it, Chris. If you think of yourself with the little bits of tech that you've built over the years, I reckon it'll be a really great survey to ask CISOs and IT people, “What's the one security- or IT-related process that, in your organization, is a little bit crap and terrifies you?” I'm telling you, if onboarding or offboarding is not in the number one or two position, then seriously, because everything else we seem to be figuring out how to do reasonably well, but, “Oh, my goodness, we still have no idea how to bring someone in and how to help them move onto their next adventure.”
I think that's because people are more complicated than systems. When you're bringing a person on or letting a person go, there's so much more involved than just the technical aspect of it.
I cried a little bit when I retired an AS/400, but hey, that's just me. You're right. Remember, I've talked about this before: the importance of, particularly when people are leaving for whatever the circumstances are, is honoring their work with the company and respecting their exit journey, and not immediately jumping to conclusions that, “Oh, my God. They’re a threat,” but treating that process with respect. You know what? That's going to be doubly important if the person's remote because their exit is not necessarily going to be in a quiet little room. It's going to be on a Zoom call.
“Let me wipe your computer while you're in the middle of the exit interview call.” That would not be good.
Yeah. Hello. Hello. I'm just thinking through that as a tabletop exercise going, “I really want to test that.”
That would be a fun one. I look forward to hearing the results of that test. As we wrap up here, how could people find out more about your company and you?
There are a couple of things you can do. You can go to gathid.com. We've got some great case studies from clients. We've got the story, and we're more than happy to take people through a demo around what we do. We have an explanation online from our outstanding product manager, Alicia, around how the thing’s glued together.
You can find me on Twitter, Insta, and LinkedIn. Fair warning, if you're looking at any of those, not LinkedIn, but on Instagram and Twitter, I will probably be showing photos of my yacht. I do offshore yacht racing, so fair warning. Be there. Occasionally, I do write interesting things about my thoughts around cybersecurity. I've been doing this for so long and still, I keep doing it because the problems still bother me so much. It's like, well, these days, I'm going to have a week. LinkedIn, of course, under me or under Gathid.
In most publications near you, I've been writing a lot lately over the past few weeks, particularly around the importance of mergers and acquisitions. As you know, we find that the Gathid platform, we've got a client who's just used this for a major merger and acquisition play. They could get a complete overview across both organizations and the impact of that.
An article came out today that I'd written around the first hundred days of a CISO, which are the most terrifying hundred days of your life, particularly if you're the first one, or as a friend of mine says, particularly if you're the second one depending on what happened to the first.
I'll be continuing to publish those things based on doing this for a long time and spending a lot of time. I do spend a lot of time with startups and scale-ups around the organization, around the country, and overseas because I'm always interested in how other people are adapting to problems that have bothered me for a long time. I love seeing the fresh ideas that some people come up with. And then we'll do the final plug, I guess, for haveibeenpwned.com, Troy Hunt.
If you have not signed your domain up, you are missing out on a wonderful resource that can give you a tiny little chance of finding something bad before you end up as the top link on news.com.
Yeah, no one wants to be there.
We've all had security breaches over the years. At Atlassian, I can honestly say, we had them when we came out. One of the things that I was nice, or I've worked with companies and gone in and helped other CISOs because we've all been there, we've all been through it.
I remember we had a breach at Atlassian when I was there, and a CISO from another prominent organization who was a great friend of mine rang me up and said, “Well, first of all, you know I've got to give you a hard time over it.” I went, “Yeah, fair enough.” He's like, “And how are you doing? Do you need some help?”
The community, we understand that. But the more we can talk about that and frame things in a business way so we've got a seat at the table and we can address these concerns for people or raise the concern, please, if you're a security person, do not tell them how much […]. No one cares. Talk about the value proposition that you're delivering for your business. That's the most important thing. You need to have those conversations. Of course, use Chris's tools to find stuff.
Always use my website thousands of times a day, if you can.
Have the link at Gathid, sign up, and do all these things. That'd be great. Then yeah, please go to Chris's website and just click on stuff. I do it all the time. My life is not complete without a visit to Chris' website.
We'll make sure to link to all the resources that you mentioned in the show notes. I super appreciate you coming on the podcast today.
Chris, it was wonderful to spend the time talking to you today. Greetings from Sydney. It's a little bit damp here today, but occasionally it does rain here. But I'm going to go home now, talk to my pet kangaroo, a random wallaby, and the echidna that's walking up the driveway.
That's awesome. Thank you again.