Episode 16

Focus on reducing risk, not just improving compliance | Dr Miles Ashcroft, RecordPoint

Risk gets a bad rap, mostly because companies think of it as a synonym for “compliance”, and as something negative. But risk is actually quite useful.

In this episode, RecordPoint’s head of risk Dr Miles Ashcroft joins Anthony and Kris to discuss how risk and compliance differ, how they align, and how the former allows you to think of value creation beyond compliance with rules and regulations.

Rather than preventing you from completing projects, incorporating risk into your thinking allows you to deliver services safely, he says.

He also outlines what he thinks companies miss out on when they narrowly focus on improving compliance over reducing risk.

They also discuss:

  • Why risk does not come from technology, but from people;
  • The benefits an unregulated organization gets from complying with regulations like the Essential Eight or ISO standards;
  • How Miles expects regulation to evolve as approaches to managing data privacy, data security, and data governance converge;
  • And the value “shifting left” can bring to compliance and risk management.

Resources

Transcript

Anthony Woodward 

Welcome to FILED, a monthly conversation with those at the convergence of data privacy, data security, data regulations, records, and governance. I'm Anthony Woodward, CEO of RecordPoint. And with me today is my cohost, Kris Brown, RecordPoint's VP of product management. How are you today, Kris?

Kris Brown

I am good, mate. How are you?

Anthony Woodward 

Good. Yeah, no, it's been an interesting month in the world we live in and what's happening. And I'm super excited for today's guest.

Kris Brown

Yeah, I'm not sure how we haven't done this already, to be honest.

Anthony Woodward 

Yeah, I was reflecting as well as, you know, listening to the wrap-up episodes of FILED late last year, you know, part of my Christmas period, re-listening to the wonderful insight of Kris Brown, and it stuck out like a sore thumb.

We just haven't had one of our colleagues on who is probably going to enlighten the audience the most.

Kris Brown

Yeah, I like how we're starting the year, just burning Kris again, but anyway, let's get on with it. You can reveal the surprise if you wish.

Anthony Woodward 

Right. Well, today we have Dr. Miles Ashcroft, who is the head of security and compliance at RecordPoint, and has a really interesting background, not only where his career has gone in terms of ending up here and how that relates to the intersection of data governance and data privacy, but he also has a lot of thinking and observation on the industry as a total, as well as some of the security issues which form part of his day-to-day job. Welcome Miles to the podcast.

Miles Ashcroft

Thanks Anthony. And thanks Kris for having me.

Kris Brown

Yeah. Hi Miles. It's great to have you on FILED. And as I said, I think it's been long overdue, probably an error.

And I'm going to blame Anthony for that error, as certainly he remembered. So he's taken all the fault. I'd love to start by giving the audience an opportunity to understand your background, you know, how you came to be here at RecordPoint, and then what it really means to be the head of risk.

Miles Ashcroft

Yeah, sure. My background is, to be blunt, a little odd. And my journey to this position is strange. I started off as an academic; my doctorate has nothing to do with risk or with technology. It's in politics. Well, arguably you could say it's to do with risk in that it's to do with politics and international relations.

But after leaving academia, I ended up working in strategic planning for a large law firm and an insurance company, and then sort of got involved in the early days of the internet, e-commerce, those sorts of things. And met Anthony at that law firm. And we've been friends ever since. And I joined RecordPoint, it would be 12 years ago, I'd say, Anthony, when we were a small company.

So I think just in terms of my background within RecordPoint itself, I've done a lot of diverse roles. I've been involved in consulting, sort of general management type tasks, sales, pre-sales, support. So I suppose I've got a fairly good sense of the breadth of the organization. And when we were looking to set up a risk function in the company as we became large enough to warrant that, it sort of made sense that I was sort of involved in that process and ended up becoming the head of risk because of that breadth of knowledge of the business. Because I think, and this is one of the things I'd love to explore with you guys, is that risk and compliance have to be set within a context of the reality of the business.

It's not just about ticking off some check boxes in a sheet to say that you meet a standard or a particular compliance or regulatory requirement. In terms of my day to day and what does the head of risk do at RecordPoint? It's quite diverse at the moment in that I'm looking at corporate risks in the broadest sense.

There's mainly a focus on risks to the platform. So cybersecurity is a big part of my role. I'm effectively the business owner for cybersecurity in the business, working closely with our engineering team and yourself, Kris, and the product team to ensure that the service we provide to customers is secure.

It meets appropriate standards from a compliance perspective, but also more than that. And again, something more for us to explore, I think, as part of this chat is what's risk and what's compliance and how do they align with each other? Where does one start and the other finish?

Anthony Woodward 

Why don't we pick that point up, Miles, on risk and compliance?

And I've had the pleasure of working with you for many years, so I know that you bring a very full set of thinking to that kind of problem. It'd be interesting, I think, for the listener, and I'd like to understand anyway, how you separate those things and what is the delineation and the value of each, and also the drawbacks of each, when we talk about risk and compliance, because they're not always in symmetry.

Miles Ashcroft

No, I think that's true. The way I tend to think about risk and compliance is almost as a continuum. And there is an intersection between them and they sort of overlap. But one is not the same as the other. And I think it's often a mistake that practitioners make, and also companies make, when they start to think about compliance as their means of ensuring that their business is, for want of a better word, safe or risk free. You can tick all the compliance standards that you like. So compliance for me is more around adherence to standards, adherence to regulatory requirements, adherence to particular internal policies that you may have. But it sits within this much broader, I suppose, superset of risk.

And risk is really taking a different approach, whereas compliance is more bottom up, like I've got a set of things that I need to comply with, and they're at a quite micro level, risk is more at the macro level where you're sort of looking at the business holistically and going, well, what are the threats to my business?

What are the risks to my business in a broad sense? And then how do I address those? So ideally, they should sort of meet in the middle. Oftentimes, though, and I think this is an interesting thing to explore further, they don't. And what I mean by that is, you'll see people who say, well, let's take cybersecurity because that's an area of particular focus for me.

I've got ISO 27001. I've got SOC 2 Type 2. I've got IRAP. I've got FedRAMP. I've got Cyber Essentials in the UK. Therefore, I'm good, aren't I? I've ticked all those boxes. And the answer is, possibly. But the real answer is probably not, because you're not thinking, if you take that approach, about what is the broader threat landscape that you face, and thinking about what you are as a company.

And what I mean by that is, what's the environment you're delivering into? Are you cloud-based? Are you on-premises? So, extending the cybersecurity motif a little further, you know, what kind of customers do I have? If you're in the business like us, and let's take RecordPoint as an example, we tend to deal with a lot of public sector and financial services companies.

They tend to be larger organizations rather than smaller organizations. The types of data that we keep: we keep sensitive data. So therefore, our profile from a risk perspective is quite different from a company that might be a corner shop or might be a B2C web service that's, I don't know, doing movie reviews or something, because the data they're keeping is different.

The types of risks they face are different. Now we could both tick off our compliance checklists, say ISO 27001 or SOC, but really the outcome is quite different in terms of have we managed to cover all of our risks. So I think that's sort of how I see that nexus, if that makes sense.

Anthony Woodward 

Thanks. Absolutely. Kris and I often talk about this a bit in various forms, you know, compliance.

And if you start to talk about how this applies to data and records, compliance is really about meeting rules and regulations, and really very rarely translates into value creation. Right now, I'm not saying that meeting rules and regulations is bad, but the end proposition really doesn't become valuable.

The interesting thing I think about risk, in inverted commas, is there is a whole swathe of opportunities that come out of risk management that are potentially very value creating. And I think that's how I like to separate it in my head: risk allows you to think about value creation beyond just the compliance with rules and regulations.

Miles Ashcroft

Yeah, I think that's right. I mean, I take a similar approach in some ways. Compliance is hygiene. We have to do these things because we've either said that we'll do them or because the government says you've got to do them. But that's your baseline. Above and beyond that is how do you add value to your customers or in the business that you're in?

Or if you're a government department, how do you provide value to citizens, et cetera? And that needs to be managed within that risk framework, which adds that additional value, I think, Anthony, because what you're doing is you're providing that service safely and in a way that minimizes risk, not only to you, it's not a selfish thing, but also to the customer or the consumer of the service that you're providing.

Anthony Woodward 

Well, potentially all the stakeholders there, right? It's not just customers, it's employees and staff. And I think, you know, when we come back and our focus here at RecordPoint being on data, the opportunity to manage those risks as opposed to the compliance element is where you can create value, you know, within those processes and within your governance risk profile around how, what governance you want to apply there.

Kris Brown

Yeah. To put another lens on it, and obviously, you know, Miles, you and I have been involved practically in a lot of this stuff, especially as it relates to compliance elements. But I know even in our own projects around IRAP, for example, that while we were walking through 1700 items that, you know, you need to check off, in your words.

Miles Ashcroft

700, but pretty close Kris.

Kris Brown

There you go. Close. There you go. I've washed that from my memory. It was fun. But a lot of the conversation we had in the end was, well, what should we be doing here? So we were actually asking ourselves the risk question off the back of the compliance. And I think that's where that tie, for me, practically comes from.

As you said, you can just go through and tick the boxes, but if, as you're looking at the intent of the compliance, you can start to think, well, where does that drag that risk element and other things out? Because at that point it becomes an asset. The compliance in and of its own right may not provide a lot of value, but it does become an asset because you're starting to actually talk about the way in which you've met those compliances.

It has that tenuous slash overlapping, intersecting pull, as you mentioned earlier, around those pieces?

Miles Ashcroft

No, I think that's exactly right, Kris. And IRAP's interesting. For listeners who don't know what IRAP is, it's the Australian Federal Government standard for security controls that are applied to government agencies, but also to companies such as ourselves who provide services into federal government.

Anthony Woodward 

Miles, what does IRAP stand for as an acronym?

Miles Ashcroft

It's the Infosec Registered Assessors Program.

Anthony Woodward 

And I think it's worth detailing what that means, because you're absolutely right, it is one of the federal government standards we see here in Australia. It's analogous in many areas to FedRAMP for our American customers.

There are other standards around the globe that look very similar. And, you know, as a Five Eyes country, there is real symmetry between these things and the rest of the Five Eyes as well. It's probably worth just breaking down what that is, I think, for the listener, because it's been a focus of ours to meet those kinds of standards that are referred to, and IRAP was certainly one that probably pushed our boundaries a little bit as we went through it.

Miles Ashcroft

No, I think so. I mean, I think there are constant changes and improvements to the IRAP program. I think when we first did it, it was very aimed at agencies, government agencies, rather than service providers such as ourselves, but I think it's really matured now. And the problem with compliance standards, and all of them, this is not having a crack at IRAP or any of them.

It's just a fact of life that they always lag what technology is doing out there in the cybersecurity space. So when we first did IRAP, there was almost like an on-premises assumption in terms of how you were managing your business. Now we're obviously a cloud-based company. We provide cloud services.

A lot of the controls were actually not particularly relevant, but you still had a reason why you complied with that or why it wasn't applicable to you. So I think it does help you focus the mind, in that you're going through this process of going, is that relevant to me? Yes. No. How do I meet it?

Or how do I meet the desired outcome? Even if I don't meet the specifics of how the control is articulated, I think it's a really useful process to go through with any of these standards. 'Cause again, it goes back to giving you a baseline of understanding where you're at as an organization. It also, from our customers' perspective, gives them confidence that we adhere to that baseline.

I still think there are, and I'm probably creating a rod for my own back here, there are questions customers should ask us above and beyond those standards. I think for anybody looking at solutions out there who is concerned about security standards, as they rightly should be, it's always dangerous in my view to just say, oh, I can tick these boxes against these particular standards.

They're important, but also you need to look at your own particular risk profile and the data that you're capturing, and also don't repeat the stuff that's in the standard; that's sort of pointless as well. So a lot of security questionnaires we get really repeat the same controls that we get in those standards.

We have the standard; what's above and beyond that is what the customer is concerned about. So I think it's again going back to the theme that we talked about earlier. As a customer, when you're assessing these particular services, it's taking a risk lens rather than purely a compliance lens to them. Yeah, cool.

Anthony Woodward 

I think it's super interesting to focus in on that, because it results in a lot of tactical considerations around risk and risk behaviors and how you manage yourself and the organization, which I think is one of the things we haven't really touched on, or the industry often sort of forgets: it's not necessarily how many firewalls you have and the rest of it.

It's what are those organizational processes and what are those behaviors that you want to enshrine?

Miles Ashcroft

That's a critical part of it because let's face it, the major risk from a cybersecurity perspective is not the technical controls. Usually it's the people and the way you operate and the processes that you bring to bear.

And I think the technology, you know, I take RecordPoint as a really good example. Technology should support those processes and try and help you get to better practice in terms of how you, in our case, manage your own information, so you reduce the risk around that. It's a combination of the two. And I think what's really interesting is we're seeing in the market, and RecordPoint is an example of this as a platform, the emergence of tooling that enshrines process just as much as giving you a set of technical controls. You know, you're not just protecting your data by, as you say, Anthony, putting it behind a firewall or putting a password over it; you're actually enshrining it in the day-to-day business processes that you follow, because that makes it far more secure and reduces risk even further.

Kris Brown

So let me sort of dive in on that for you, Miles. We've obviously spoken a little bit about IRAP, and we're sort of talking about regulated organizations, and we're touching on compliance and, you know, as you're saying, making sure that they're not just taking the compliance aspects. But for all the organizations out there that aren't heavily regulated, for all those organizations out there that don't necessarily have to comply with a set of these rules, are there other benefits that they should be seeing from, you know, the Essential Eight or the ISO or SOC standards?

Miles Ashcroft

Well, I think you mentioned one there. Essential 8 is a really good one. And for our UK customers, Cyber Essentials is really good too. If you're looking at a way of just at least baselining and going, well, where am I at here? What is my risk from a cyber perspective? Essential 8 is basically a subset of the stuff that we've been through with IRAP, but it focuses on the key things that everybody should do.

So, you know, things like appropriate password length, MFA, controlling the applications that you put on your desktop, doing all of these sort of basic hygiene things. Cyber Essentials, I think, actually takes that a step further, but is still fairly lightweight. I think it's a good exercise, if you happen to be based in the UK, to go through Cyber Essentials, just because that will give you some peace of mind that you are at least at a base level managing your risk around cyber.

So there's different levels here. You don't have to go for the full-level IRAP or the full FedRAMP or the full ISO 27001, for example, because that costs money. You can do some of these things yourself as a self-assessment and then use these tools to manage risk, as opposed to necessarily being too worried about, hey, I'm compliant with these things. Because if you're that type of business you're referring to, Kris, compliance with those standards doesn't really matter in the scheme of things, but it's a useful measuring stick for you to go, yeah, I'm actually doing this in a way that I feel comfortable with and my customers' data won't get stolen.

Anthony Woodward 

I think that's an interesting point. I want to step off to something a little more controversial.

I'd love your opinion on, Miles. One of the things I think is a real failure in those standards, and I think where it comes to this intersection that we talk about here a lot on the FILED podcast, is that they don't deal enough with data. They're very much about processes, and they have discussions in them about types of technologies and how they should be deployed, but they don't actually think about how the data can be protected in an isotopic nature.

Where do you see that evolving to? We've seen some hints of it. I think in some of the revisions that are coming to SOC 2, I believe the ISO committee are considering how to extend those processes, but I'd love your thoughts on how we actually become more data centric in these standards, because it's data.

That's the lifeblood in the problem, right? You know, the hackers and the bad people that you're trying to keep out are after that data, and the processes you want for hygiene and control are about that data.

Miles Ashcroft

Look, just a comment. I think you're absolutely right, Anthony. The problem with most of these standards is they're written by cybersecurity professionals who come from an IT background that tends to be operational.

So there's an element of, I'm a hammer, everything's a nail. I'll interpret this in a way that makes sense to me, which is to put a firewall around it, put technical controls around it, rather than thinking about the life cycle of the data. You're absolutely right with SOC. SOC 2 is interesting because it's a little bit more open ended and it's more outcomes focused than a lot of these other compliance standards, which are much more prescriptive.

And it sort of gives you the space to, I suppose, think a little bit about some of those data management practices. Because I think, you know, a theme that's been going through the FILED podcast for a while, you know, I should say first up, long-term listener, first-time caller here, but the theme that you guys have been working through is really about, well, it's all well and good to protect the data, but if you haven't got it because you've got rid of it, because you've managed it appropriately through its life cycle, then that massively reduces your risk.

And that's what we're bringing it back to. So, I've heard similar sorts of inklings that there will be changes to some of these standards, but I think the reason why it's not happened up until now is because there really wasn't the tooling available to actually achieve those goals. With tools like ours and others in the market now, that is possible.

So I'm hoping, and again, I talked earlier about the fact that compliance standards always lag what's out there. I hope that we start to see more consideration of data management and life cycle management and disposal of data and management of redaction and control of PII and those sorts of themes in these standards.

Kris Brown

I'll defend all of the other regulations for a moment. You know, I've got my team of regulations around me and, you know, CPS 234 is, you know, sort of one of the early ones to sort of say, you know, thou shalt classify information. Obviously you do privacy regulations and these things are starting to lean in that way, but I have to agree, right?

Like a lot of the regulations are focused more on the technology, the implementation, and maybe the potential stopping of the breach as opposed to, as you've said, Miles, if it's not there, it can't be breached.

Miles Ashcroft

I think it's good. It's coming from the lawyers and from government where you're starting to see these changes, Kris. The standards bodies are the people who probably haven't caught up yet.

Anthony Woodward 

And now we've just jumped, for people out there, to CPS 234. I think we should explain a little bit of what that is. We have talked about it before on the podcast, but CPS 234 is an APRA requirement for the financial system in Australia. I was looking at you, Kris, you bought it.

Kris Brown

You were looking at me to finish? You started, I thought, I guess it'd be fun. But yeah, the idea behind CPS 234, and APRA being the Australian Prudential Regulatory Authority, they look after our backs at the end of the day here in Australia. They make sure; they're a government agency that ensures that they're doing the right things. You know, they talk about all of the elements of the prudential system, but yes, specifically, more recently, they've introduced things like CPS 234 and the upcoming CPG 235, in which they're very much talking about the data management element, ensuring that you classify your data. Again, the goal of having that "thou shalt classify your data" statement in those regulations is about: well, if you know what it is, you've got a much better chance of doing the right thing with it.

And so if you think about the statements that you've just said, Miles, you know, again, knowing that it's a particular type of information, knowing that it should only be kept for four or five years or two years or 10 years or whatever it might be, means that you have a much better chance of acting on that.

And I think, as you say, it's a trailing indicator that the industry has caught up in terms of technology, that some of these standards authorities are able to now go, well, you should be able to do this at scale, en masse, across the entirety of the organization, regardless of system and all of these other things.

Because again, a lot of the listeners will be coming from, like all of us, a place where information management was a tool on everybody's desktop, where when you finished that Word document, that's when you said we'd better check that in. And that's not scalable. So doing that at a transactional level at a bank, doing that at a transactional level at, say, something like the stock exchange, be it the US, UK, or, you know, the FTSE, the NASDAQ, et cetera, being able to do that level of transactions on any given day and classify that data does give them more value. Yes, meaning that compliance is still ticking that box and they have to do the actions, but you would hope that now, armed with that information, you know, those financial institutions are able to make those next steps.

Anthony Woodward 

Yeah, and I think there's an interesting discussion there, right? We've seen the SEC in the US release the 17 CFR parts 229 through to, Miles is going to test me, I think it's 249, around the new reporting for cybersecurity incidents. But what I found super interesting in the commentary, and what we're seeing in the forms that are being lodged into the SEC.

And yes, I do spend time looking, crawling through them at night when they're lodged, but there is a real discussion about data in them. So whilst I think the initial implication of it was really to think about cyber and the risk management and governance strategies and then having a disclosure process.

So investors understood what was occurring at those listed companies in the U.S. And we see, you know, some of the same elements in the APRA requirements and in 234, we see some of the same requirements in other regulations and other markets, but it really is extending out into this data domain.

Miles Ashcroft

Yeah, I think just to add on to that, Anthony, you see that in Australia as well with APRA, obviously, but I, and people can go and check it out on the RecordPoint website, did a blog post a little while ago about the ASIC survey. So that's the equivalent of the SEC in Australia. And they did a survey on cybersecurity just to understand, from the entities that they manage and are responsible for, what controls people had in place around cybersecurity.

And there was a big emphasis in one of the sections on data management and lifecycle management. The slightly scary thing is people weren't very good at it. So that's the concern. Everybody was ticking boxes around, yeah, I do MFA and I've got firewalls and my network's all hardened and all that stuff, but they weren't really managing that data particularly effectively in terms of that life cycle.

Anthony Woodward 

No, absolutely not. I suppose, you know, to switch gears again slightly. Where do you see, you know, again, I think what we're hopefully painting here is there is again a convergence, where we're starting to see the intersection of data security and data privacy and data governance come together. And, you know, there are terms that Gartner is rolling around, like data security posture.

There are other terms out there that are trying to describe this intersection, because I don't think anyone's created the vocabulary of this transition that's occurring. But whilst, you know, putting your crystal ball in front of you, where do you see this all going? Where do you see the key themes lining up, and where are we going to be five years from now, 10 years from now?

Miles Ashcroft

From a cybersecurity perspective, I think what we'll see, and again, this is clearly just my opinion, is that the old traditional approaches to cybersecurity around perimeter security or protective security that we see, you know, concerns about firewalls and how networks are configured and passwords, et cetera, to access networks, they'll start to become less relevant and they'll sort of wither, and the controls around data management, and admittedly still a protection of that data, the encryption of that data, the ensuring that only, you know, certain individuals can see that data, but it's more a product of how the data is managed through a lifecycle rather than this attempt to ring fence that information.

Because as we know, Anthony, and, you know, you guys obviously have seen this more than anybody, data ends up in all sorts of places. So the attempt to sort of lock it in a box and keep it in your network, that doesn't work anymore, and arguably it hasn't for the last two or three years. So looking at methods and controls that allow you to use a tool like RecordPoint to make sure you're only managing the data that you need, and secondly, that you're securing that data wherever it resides, because it will reside beyond your traditional firewall boundaries. I sort of see where that's going. I'd be really curious to understand your and Kris' views on that.

Kris Brown

Yeah, look, I think to sort of dive in here, maybe steal into that question, mate. So one of the themes, you know, we've been exploring here on FILED for a little while, and obviously it's a bit of a theme for this year, which is around shift left.

So sort of describing what you're saying there is that as we look at all of these ongoing regulations, as we look at the way in which the world is changing, you're adding in flexible working, it makes it more difficult for cybersecurity. You've got that landscape of that hacker element, the bad, you know, the influence that's out there trying to steal data.

And we're watching trailing indicators of regulations and standards and things catch up with that. You know, I think the interesting thing here is as a podcast about that intersection and as it sort of happening in front of us, if you will, I'm interested to sort of take you on a little bit of a journey there and say, well, what happens to that risk profile?

Now that you start to think about, well, in this instance, you're shifting left. You want to embed security and privacy into everything that you do. You want to deal with that data governance and everything that you do. What happens there in terms of that risk profile, you know, like being a risk practitioner, is this where we should be going?

And do you see value in that?

Miles Ashcroft

Yeah, I think what it means is I get a decent night's sleep, to be blunt, Kris. And I think this has always been a problem of the shift left analogy. Obviously, I'm familiar with it from a more pure cybersecurity perspective in particular. But I think it's really interesting that we've moved away from the, we do stuff, we build it, we create data and then we secure it, as opposed to we secure it as part of that process of either developing that data, and it goes to us as software vendors as well.

I mean, one of the other big themes that's coming out, which is analogous to the shift left or is. Feeds into the shift left story is the requirement by scissor and the A.C.S.C. In Australia and C.S.C. In the U. K. for software to be secure by design and secure by default from a configuration perspective.

So again, feeding into that whole story of: the data's secure, the application's secure, the code's secure, we're doing all of this stuff up front. So in some ways, the securing of the perimeter, because the perimeter doesn't really exist anymore, because it's a cloud world, becomes almost irrelevant.

Kris Brown

I'm not sure what I would have done if IE 6 back in the day didn't allow me just to copy files onto any web server anywhere by default, unless someone had changed the settings. I have a whole childhood of dumping stuff in other people's servers, just because of those sorts of things. So again, I'm glad we didn't shift left too early.

Miles Ashcroft

You're ahead of your time, Kris.

Anthony Woodward

For those out there, Kris isn't allowed near our web servers, just for clarity anymore. It's not a thing.

Miles Ashcroft

We have a different team. I maintain the corporate risk register and there's a special entry for Kris.

Anthony Woodward

I always struggle a little bit with the notion of shift left. I do think it's worth probably just breaking it down a little bit and explaining what this means.

You know, I understand you've just talked about the implications of it, but shifting left in this world of compliance and risk, you know, how do you shift left on filling out a compliance form and what does it mean to be shifting left?

Miles Ashcroft

Look, I don't think it's so much shifting left for the person filling in the form.

It's the form shifting left. And I think, again, it's interesting because I think I see government regulators, because they sort of have had to because of the breaches and the concerns that have occurred over the last little while, they're moving faster than the standards bodies around this kind of thing.

I mean, I think what you'll end up seeing is compliance standards that will require things like secure by design, secure by configuration from a software company perspective. And from a data management perspective, enshrining controls a bit like in the APRA requirements that Kris alluded to earlier, or talked about earlier, where data management and data lifecycle is enshrined in those controls and is an outcome that you're expected to comply with.

My view is get ahead of the curve, because the shift left is occurring, or is going to occur, in those standards' controls. It has to; otherwise we end up with this inconsistent picture of government regulators saying you need to comply with these particular standards, you need to be secure by design, all these other things, and the standards bodies haven't really caught up with that yet, in my view.

And again, I'm not privy to the development of those standards and that may be occurring.

Anthony Woodward

Yeah, no, I think it's about those standards also don't enshrine the shift left mentality of proactivity. So, and it's that, that I think is going to be interesting because we are seeing that conversation, if not in the standards bodies.

And I think there actually is some going on to be fair to them, but in the industry as a whole, really thinking about, well, what can we predict the kind of issues are, how do we think more holistically around your cyber risk at one level, your data management at another level. The privacy element of that, which is, you know, this cross cutting concern almost between the two of them.

And how do we really begin that process? And, you know, we're seeing a lot of conversation in the privacy space around pixels at the moment and how to deal with pixels, which is one of those shift left behaviors that's occurring. Right. Our prediction certainly is, and what I think Kris and I have talked about a lot of time, I think we'll talk about more this year in the podcast, is that is just going to keep going further and further downstream.

The pixels are the beginning, not the end of the conversation.

Miles Ashcroft

Yeah. I mean, think about building in privacy, cyber, all of these things. At the design stage, and that's not just in the context of software, that's in the context of everything that you do around the management of risk within the business, design it in early because it'll be a hell of a lot easier later.

Anthony Woodward

Cool. Thinking about that landscape and the elements like shift left and where we started this conversation talking about different types of risks and the definition, what do you think organizations need to be thinking about to be more effective and to quantify and manage their risks more effectively?

Miles Ashcroft

Yeah, look, I think we spent a lot of time talking about detail and controls and compliance frameworks and changes potentially to those control frameworks. I think it's and again, I'm a simple person in this regard is let's lift it up and let's look at this from a macro perspective. Go back to looking at your organization and assess those risks.

What kind of organization are you? What do you do? Who do you deal with? Who are the stakeholders? What is the data that you manage? And once you've built that picture, because the trouble with these control standards is they're so overwhelming. But if you boil it back up to that high level, you start to, I think, in my view anyway, establish some clarity around where are the places you should place your bets in terms of the cyber bets that you make and the controls that you need to apply, etc.

I'm forgetting about any kind of legislative, statutory or standards-based requirement. It takes it back to a risk discussion around, well, what is the existential threat to my business? And how do I manage that?

Anthony Woodward

For the organizations out there, can you tell them the entire level of the existential threats and what they'll all be over the next four to five years?

I'm kidding Miles. Sorry.

Miles Ashcroft

"Big" is all I can say.

Anthony Woodward

And constant, right? I think that's the element. Everything we did today is going to be defunct tomorrow, unfortunately. The speed of change in the cyber world and what's occurring in terms of those threats, both internally and externally, is evolving at a very fast pace.

And I think it's just really being able to be in front of that and manage that. And it's both the fun and the disaster of what's occurring, I think, in the broader community is that the speed of change is quite quick here.

Miles Ashcroft

And I suppose the last thing there is the trouble with cyber in particular is attackers only have to be lucky once.

You've got to be lucky all the time.

Anthony Woodward

Love that statement. And look, Miles, we really thank you for making some time to jump on the podcast. I suspect you'll be back as a guest again. There's a lot of very interesting topics there. We didn't even get into your thesis and the discussion of whether or not the removal of the Whitlam government was correct or incorrect, and we're not going to bring that up in this podcast today.

We'll leave it for another podcast, but thanks for being on.

Miles Ashcroft

That's been my pleasure, guys. Thanks for the chat. Thank you all for listening.

Anthony Woodward

I'm Anthony Woodward.

Kris Brown

And I'm Kris Brown. We'll see you next time on FILED.
