Secured by Galah Cyber with Cole Cornford


Author: Galah Cyber


Description

Secured is the podcast for software security enthusiasts. Host Cole Cornford sits down with Australia's top software security experts to uncover their unconventional career paths and the challenges they faced along the way.

Listen in as they share their insights on the diverse approaches to AppSec, company by company, and how each organisation's security needs are distinct and require personalised solutions.

Gain insider access to the masterminds behind some of Australia's most successful software security teams on Secured by Galah Cyber.

This podcast uses the following third-party services for analysis:

Podtrac - https://analytics.podtrac.com/privacy-policy-gdrp
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/
53 Episodes
Episode Summary

CTFs are fun, but do they actually make developers write more secure code? In this episode of Secured, Cole Cornford is joined by Pedram Hayati (Founder of SecDim & SecTalks) to explore why most developer security training fails, and how SecDim’s “Fix the Flag” approach is changing the game.

From contrived WebGoat-style examples to frameworks that quietly eradicate entire bug classes, Cole and Pedram dive deep into the intersection of AppSec and software engineering. They unpack why developer experience is non-negotiable, why security needs to borrow design patterns from engineering, and how real-world incidents (like GitHub’s mass assignment bug or the Optus breach) make concepts stick far better than acronyms like “XSS” or “SSTI.”

This is a technical, opinionated episode for anyone who’s ever struggled to get developers engaged with security.

Timestamps

01:10 - Why Pedram built SecDim, the problem with pen test reports, and why CTFs don’t train developers
04:42 - From “Capture the Flag” to “Fix the Flag”: making training realistic and Git-first
06:30 - Training inside developer workflows and why contrived examples fail
10:28 - Using modern stacks, AI-tailored labs, and real-world incidents to make concepts stick
12:35 - Why security names suck (XSS vs. “content injection”) and the Optus hack as a teaching moment
17:37 - Secure design patterns vs. vague slogans, and why secure defaults beat secure by design
21:15 - Frameworks like React, Rails, and Angular that kill entire bug classes
23:23 - Engineering by-products: reproducibility, immutability, and orthogonality in secure coding
30:36 - PHP’s bad reputation, language quirks, and what’s actually most popular in security training today
33:41 - Why AppSec pros need to build and deploy apps (not just know vulnerability classes)
37:44 - Getting started with SecDim and hands-on secure coding
Episode Summary

The Australian Information Security Manual (ISM) just got a major update, and not everyone’s thrilled. In this special episode of Secured, Cole Cornford is joined by Toby Amodio (Head of Professional Services, Fujitsu Cyber) to break down what’s changed, what’s missing, and what it all means for CISOs, AppSec teams and public sector security leads.

From the new cybersecurity principles (and why they feel like yak shaving) to the long-overdue expansion of software security controls, Cole and Toby navigate the mess of frameworks, missing maturity models, and babushka-doll-style mappings that have left many teams overwhelmed. They also reflect on what “secure-by-default” really means in a world of legacy codebases, overstretched resources, and one-person AppSec teams.

Timestamps

01:02 - Why ISM Updates Matter (Even If They’re Late)
02:32 - New Principles: Nice Idea, Hard to Implement
04:08 - Yak Shaving and the Complexity Cascade
07:48 - Mapping Mayhem: PSPF, E8 and Governance Overload
10:25 - Losing the Maturity Model: Who Does That Help?
13:46 - Secure-by-Default and the Problem with OWASP-as-a-Proxy
18:13 - Integration, Incentives, and Cyber vs. Business Silos
20:34 - The Talent Gap and Why Code Reviews Still Matter
22:58 - Galah Cyber, Capability Building & Doing AppSec Right
23:57 - Why Buying Tools Isn’t the Same as Building Capability
25:21 - What Red, Amber, Green Tools Really Miss
26:01 - One ISM to Rule Them All… If You Can Implement It
26:52 - Final Thoughts (and a Funding Stick for CISOs)
Episode Summary

With a career that spans mainframes, integration platforms, and developer experience, M Brennan brings a unique lens to the world of application security. In this episode, M joins Cole Cornford to unpack why integration is often the riskiest layer in software systems, how context is everything when choosing security controls, and what it really takes to build security into developer workflows without adding friction.

They dive into stories from government and enterprise environments, the overlap between security and resilience, and how thinking in terms of energy and empathy, not just tools, can lead to better outcomes for everyone. Plus, a surprisingly effective stereo-selling strategy, some well-earned AI scepticism, and a jam-jar analogy you’ll never forget.

Timestamps

03:45 - From COBOL to Developer Experience in Security
06:37 - Choosing the Right Security Control for the Right Risk
10:00 - Reducing Developer Friction with Secure Defaults
14:10 - How Threat Modelling Creates Real Value
17:57 - Fixing Access and Provisioning for Devs and Security
20:09 - Virtual Dev Environments and Automating the Boring Stuff
24:04 - Smarter Security Adoption and the Jam Jar Effect
28:48 - AI, Developer Toil and the Problem with Overpromising
31:03 - Using AI to Kickstart Threat Modelling and Resilience
33:56 - Why Some Tech Trends Aren’t Worth the Hype
36:09 - The Risk of Letting Chatbots Handle Security Promises
37:16 - Final Takeaways on Empathy, Context and Collaboration
Episode Summary

Scott Contini has a PhD in cryptography with more than a dozen research publications, and has spent the last 15 years focused on solving real-world security problems. After switching from academia to industry in 2008, Scott has identified hundreds of cryptographic implementation flaws across the world, written widely read blogs on common coding mistakes, and contributed significantly to the 2021 OWASP Top 10 topic of Cryptographic Failures. He joins Cole Cornford to discuss how cryptography often goes wrong in practice, why secure-by-default APIs are reshaping security today, and the importance of clear communication and community-building in advancing the field. Scott also shares stories from working alongside legendary figures in cryptography, and offers advice for anyone looking to build a sustainable and impactful security career.

Timestamps

00:20 - Scott’s background in cryptography and transition to AppSec
02:00 - Moving from theory to real-world security challenges
05:00 - Common cryptography mistakes in the industry
07:50 - Why using the wrong encryption modes leads to vulnerabilities
10:10 - How Java’s cryptography design led to widespread issues
14:40 - The rise of secure-by-default APIs in cryptography
17:00 - Stories from working with cryptographic legends
22:00 - Improving advice in the OWASP community
27:50 - The value of writing and public speaking in AppSec careers
33:00 - Advice for newcomers in security: think like an attacker and keep learning
Episode Summary

Jon-Anthoney de Boer is the Product Security Lead at Transmax, overseeing security for critical infrastructure that manages traffic flow across Australia. Coming from a strong software engineering background, Jon-Anthoney shares his experience transitioning from traditional engineering into product and application security. He highlights the importance of aligning software engineering and security teams, building trust into the software development lifecycle, and fostering a security culture based on practical strategy rather than superficial metrics. Jon-Anthoney also discusses how behavioural change, organisational alignment, and operational excellence are key to achieving effective, sustainable security outcomes.

Timestamps

00:32 - Jon-Anthoney’s journey from electrical engineering to product security
05:08 - Transitioning from software craftsmanship to cybersecurity
09:30 - Why aligned incentives between engineering and security teams matter
12:22 - Goodhart's Law: pitfalls of security metrics
18:21 - Rethinking cybersecurity strategies beyond tools and compliance
25:12 - Building observability into the secure software development lifecycle
32:35 - Why executive support is crucial for security initiatives
38:34 - Operational excellence: removing waste from security processes
Episode Summary

In this episode of Secured, host Cole Cornford chats with Laura O'Neill from Fujitsu Cyber. Laura shares her journey from a pure maths and cryptography background through management consulting into the world of cybersecurity. She explains how she helped grow MF&A from a small team into a 70-person company before its acquisition by Fujitsu. Cole and Laura discuss the challenges of scaling a cyber practice, the importance of professionalising sales and board-level communications, and how embracing diverse, non-traditional talent can transform the industry. Their conversation offers valuable insights into shifting from a compliance-based mindset to a risk-based strategy that truly supports business objectives.

Timestamps

00:10 - Introduction to Laura O'Neill and her role at Fujitsu Cyber
02:27 - Laura recounts her journey from pure maths and cryptography to cybersecurity
05:31 - Discussing the rapid growth of MF&A from a small team to 70 staff
07:30 - Overcoming scaling challenges through improved processes and support
11:23 - Professionalising sales and board-level communications in cyber
15:30 - Moving from a compliance-driven approach to a risk-based strategy
26:16 - Embracing diversity and non-traditional hiring in cybersecurity
31:20 - The value of diverse backgrounds and soft skills in solving security challenges
40:43 - The importance of empathy and listening in leadership
42:16 - Closing thoughts on security as an enabling function for business success
Episode Summary

Cole Cornford speaks with Kat McCrabb, founder of Flame Tree Cyber, about navigating cybersecurity compliance and risk, particularly within education, government, and mission-driven organisations. Kat shares insights from her experience in federal government and as CISO at Brisbane Catholic Education, highlighting the strengths and weaknesses of compliance frameworks like Australia's Essential Eight and MITRE ATT&CK. The conversation covers how to effectively communicate cyber risks to stakeholders, align security with organisational priorities, and why prevention beats incident response every time. Kat also discusses strategies for meaningful conversations around funding and shares her perspective on the evolving landscape of security in the age of SaaS and cloud technologies.

Timestamps

00:59 - Kat’s background and founding Flame Tree Cyber
03:10 - Defining mission-driven organisations
04:29 - Challenges of prescriptive compliance frameworks (ISM, Essential Eight, DISP)
05:41 - Compliance vs meaningful security improvement
06:51 - How threat modelling with MITRE ATT&CK helps allocate resources
07:35 - Balancing foundational cybersecurity and advanced threat intelligence
08:52 - Incident response and the value of understanding threat actors
11:46 - Allocating budget and demonstrating security value to executives
16:31 - How to effectively request security funding from the board
20:00 - Relevance of Essential Eight in modern SaaS environments
29:21 - Kat’s role with AISA and building the cybersecurity community in Queensland
Episode Summary

Kiera Farrell, Cyber Analyst at David Jones, shares her journey from studying a Bachelor of Cybersecurity to landing a role in cybersecurity operations. She reflects on the challenges of breaking into the industry, the lessons learned from risk management, and the importance of networking in career growth. Kiera and Cole discuss the value of stepping outside your comfort zone, the evolving landscape of cybersecurity degrees, and what hiring managers can do to attract and retain young talent. If you're an aspiring cybersecurity professional or a leader looking to support early-career hires, this episode is packed with insights.

Timestamps

2:00 - Kiera’s journey: From Bachelor of Cybersecurity to David Jones
5:00 - What studying cybersecurity is really like
8:10 - The surprising importance of risk management
12:00 - Ethical hacking & the role of security education
16:30 - The grad job hunt: what works, what doesn’t
19:45 - The power of stepping out of your comfort zone
21:30 - Building a strong professional network
23:50 - What makes an employer attractive for graduates?
26:40 - How mentorship accelerates career growth
30:35 - Advice for students and early-career professionals
Episode Summary

In this special solo episode, host Cole Cornford reflects on the journey of the Secured podcast over the past two years. He shares behind-the-scenes insights, from the unexpected challenges of cicada season disrupting recordings to the podcast’s growth, hitting 45 episodes and over 7,000 downloads. Cole discusses listener feedback, format changes, and his plans to expand the show, including moving to weekly episodes, introducing video content, and diversifying guest profiles. He also highlights listener engagement stats, the importance of audience reviews, and the future direction of Secured with a focus on delivering more valuable and dynamic cybersecurity content.

Timestamps

00:20 - The impact of cicada season on recording and production
01:10 - Hitting 45 episodes: reflections on the podcast’s growth
01:54 - Asking for listener feedback and reviews to support the show
02:51 - Plans to move to weekly episodes and potential sponsorships
03:51 - The possibility of introducing video content and its challenges
04:35 - Listener engagement stats: unique listeners, downloads, and demographics
08:05 - Most downloaded and highest engagement episodes revealed
10:55 - Diversity in guests and topics: striving for representation
13:48 - Changes in podcast format: cutting certain segments for better engagement
17:03 - The shift towards professional development-focused content
19:50 - Future goals: more international guests and sharper conversations
Episode Summary

Madhuri Nandi is the Head of Security at Till Payments and a trailblazer in the Australian cybersecurity industry. As co-chair of the Australian Women’s Security Network, she brings decades of experience to the table, breaking barriers for women in tech and redefining what leadership looks like in cybersecurity. Madhuri shares how a love for gaming and cheat codes sparked her journey into application security and the cultural challenges she overcame to thrive in a male-dominated industry. She and Cole explore the realities of leading security functions in scaling FinTechs, why compliance doesn’t equate to security, and the critical role of aligning cybersecurity strategies with business objectives.

Timestamps

01:13 - Cheat Codes Ignite a Cybersecurity Path
02:26 - From Database Admin to Security Professional
05:09 - Lessons from Gaming & Early Misperceptions
07:29 - The Jump into Executive Leadership
10:53 - Compliance vs. True Risk Management
18:45 - Overcoming Cultural & Workplace Hurdles
31:55 - Diversity, Women in Tech & Final Reflection
Episode Summary

In this episode of Secured, host Cole Cornford chats with Neha Malik, Head of Product Security at REA Group, about building and scaling effective application security (AppSec) programs. They delve into the importance of empathy, communication, and relationship-building between security teams and developers. Neha shares her journey from a Microsoft graduate program, through external consulting at KPMG, and into her current leadership role. They discuss making security easy for engineers, managing security champions programs with realistic expectations, and learning from other disciplines, like psychology and marketing, to better influence and engage stakeholders. Neha and Cole also highlight how tailoring approach and tooling can differ for startups and large enterprises, and emphasise that collaboration, not confrontation, leads to long-term AppSec success.

Timestamps

00:20 - Neha’s Role at REA Group and Positive AppSec Outcomes
01:30 - Starting a Career in Security at Microsoft’s Grad Program
05:45 - Building an AppSec Program from Scratch at REA
10:00 - Startups: Embedding Security in Tools Over Heavy Process
14:40 - Security Champions Programs: Value, Expectations, and Incentives
20:25 - Learning from Other Disciplines (e.g., Psychology) to Influence Teams
Episode Summary

In this special Christmas episode of Secured, Cole Cornford does something a little different to usual and answers listener questions. Lots of topics are covered, including New Year's resolutions, cybersecurity trends of 2024, career and life advice, and plenty more. A huge thank you to everyone who sent in questions! We had so many responses that we weren't able to get to all of them. Let us know if you enjoy this format and we may do it again in the future.

Timestamps

1:00 - Cole's thoughts on New Year's resolutions
3:00 - Cole's experiences working in large organisations
13:30 - Critical cybersecurity steps for organisations in 2025
20:30 - Using security tools to protect APIs
26:20 - Protecting against supply chain attacks
36:20 - Cole's perspective on DevSecOps
40:50 - Trends of 2024
50:40 - Diversity in the cybersecurity industry
1:01:02 - ASPM tools
1:13:20 - Why Cole enjoys making the podcast
1:21:00 - Life advice that has stayed with Cole
Episode Summary

Elizabeth Stephens is CEO of DBS Cyber, where her team deliver IT solutions for clients in various industries. A retired Marine Corps Major and author of the book Building a Resilient Digital Future: A Comprehensive Guide to Cyber Risk Monitoring, Elizabeth draws from her diverse experience in her work. In her conversation with Cole Cornford, they discuss leveraging AI to be helpful and not harmful, the politics and nuance of cybersecurity, lessons from Elizabeth's military experience that she applies to her current role, and plenty more.

Timestamps

1:00 - Elizabeth's background
7:30 - How we can leverage AI to be useful, not harmful
14:30 - Using AI to help with parenting
20:30 - The politics & nuance of cybersecurity
23:30 - Roblox & cybersecurity for kids
27:00 - Lessons from the military Elizabeth applies to cybersecurity
30:30 - Elizabeth's journey as an author
36:30 - Cybersecurity for small business
Episode Summary

In this episode, Cole Cornford is joined by cybersecurity experts and IRAP assessors, Kat McCrabb and Toby Amodio, to unpack the latest updates to the Protective Security Policy Framework (PSPF) for 2024. They explore the significant changes introduced in the PSPF, such as the heightened emphasis on IRAP assessments, the potential strain on resources due to increased demand for assessors, and the impact on government agencies' compliance efforts. The discussion delves into the restructuring of the PSPF domains, including the separation of information and technology, and the challenges this presents for reporting and governance. They also address issues with self-attestation in agencies, insights from ANAO reports, and the critical importance of managing legacy IT systems. Kat and Toby offer valuable perspectives and practical advice for organisations navigating these new requirements, highlighting the need for proactive planning and adaptation in the evolving cybersecurity landscape.

Timestamps

01:27 - What is the PSPF? Toby explains the framework
03:07 - Kat discusses the biggest changes in the PSPF 2024 updates
04:20 - Challenges with IRAP assessments: time, cost, and limited assessors
06:18 - When are IRAP assessments required? Clarifications
08:13 - Changes in PSPF domains: splitting information and technology
10:08 - Implications of the changes for reporting and governance
12:15 - Comparison with NIST framework and governance considerations
13:38 - Issues with self-attestation and insights from ANAO reports
15:09 - Strategies for improving reporting and assessments in agencies
17:36 - Managing legacy IT systems under the new PSPF requirements
18:52 - Key takeaways and final thoughts from Kat and Toby
Episode Summary

In this episode, Cole Cornford speaks with Anand, an API security expert at Traceable AI with over 18 years of experience in crafting innovative IT solutions. Anand's expertise spans API design, microservices architecture, cloud technologies like Kubernetes and AWS, and security architecture including IAM and OAuth. Together, they delve into the critical importance of API security in today's digital landscape, discussing why traditional web security measures are insufficient, lessons learned from incidents like the Optus breach, the challenges of managing API inventories, and how AI and machine learning can enhance security practices. Anand also shares his experience writing a book during the pandemic and the value of continuous learning. This episode is packed with insights on modern application development, cybersecurity, and plenty more.

Timestamps

4:20 - Understanding API security challenges
9:30 - The role of AI in API security
16:55 - The importance of API inventory management
24:00 - The business impact of API security
28:00 - Cole & Anand discuss books & writing
34:00 - Current state of API security in Australia
Episode Summary

In this episode, Cole Cornford speaks to two guests on the topic of robotics: Damith Herath, a Professor at the University of Canberra, and Adam Haskard, co-founder and Director of Bluerydge, a Canberra-based cybersecurity and technology firm. Together, Damith and Adam are conducting research into Secure Robotics, an emerging field of study that addresses the intersection of robotic safety, trust, and cybersecurity. In their conversation with Cole, they discuss the growth opportunities for robotics, how someone interested in the field could pursue a career in robotics, potential risks of the common household vacuum robots, and plenty more.

Timestamps

2:00 - Robotics: definitions & applications
8:45 - The intersection of robotics & cybersecurity
10:00 - Trust & safety in robotics & cyber
15:00 - Emerging risks in robotics
18:40 - The role of cybersecurity in robotics
20:30 - Regulation and innovation in robotics
40:00 - Growth opportunities for robotics
29:00 - Future of robotics & AI
32:00 - Career pathways into robotics
39:00 - Rapid fire questions
Episode Summary

Ilkka Turunen is the CTO at Sonatype, a company that helps millions of software developers use open-source software while minimising security risk. In this conversation, Ilkka chats with Cole Cornford about the benefits and risks of using open-source software, how Maven helped standardise software development processes, the different approaches to AppSec regulation in Australia and Europe, and plenty more.

Timestamps

1:33 - Ilkka's career background
4:00 - Varying quality of open-source software
6:10 - How Maven helped standardise software development processes
13:00 - The balance between speed of delivery & quality
17:00 - Importance of environment parity in software dev
21:40 - Risk of using 3rd party code in software
25:10 - Regulation of AppSec in Australia vs Europe
32:10 - How new European software security regulations will be enforced
35:00 - Recommendations for compliance with European regulations
39:00 - Rapid fire questions
Episode Summary

Daisy Wong is the Head of Security Awareness at Medibank, as well as a disability advocate. Originally from a marketing background, Daisy gained experience in the cybersecurity industry working as part of penetration testing teams, before making her way into the security culture and awareness space. In her conversation with Cole Cornford, Daisy discusses using the tools of marketing to educate people on cybersecurity, the hallmarks of a good security culture and awareness program, and the importance of diversity in cybersecurity.

Timestamps

4:00 - Daisy's transition from marketing to cybersecurity
8:10 - The importance of security culture and awareness
11:00 - Building effective security awareness programs
14:15 - The role of diversity in cybersecurity
17:00 - Strategies for inclusive hiring practices
19:40 - The power of communication in security awareness
23:20 - Creative approaches to security awareness campaigns
31:45 - Daisy's personal perspective on the importance of diversity
43:40 - Rapid fire questions
Episode Summary

Antonio Deliseo has been in the information security industry for decades. Currently working at Telstra, Antonio has enjoyed a long and winding career path and has plenty of stories and insights to share as a result. In this conversation with Cole Cornford, Antonio discusses how he got started in his career studying physics, overseeing cybersecurity at a goldmine, how to advocate for cybersecurity within a large organisation, and plenty more.

Timestamps

1:40 - Antonio's career background
3:30 - Advantages of coming from a non-technical background
8:30 - Stories from Antonio's early career working at a goldmine
14:00 - How Antonio moved into the GRC space
17:30 - The role a board of directors plays in cybersecurity
20:00 - Cybersecurity is less like IT, more like gambling or insurance
25:30 - Calculating the cost of a breach in dollar terms
30:30 - How to advocate for cybersecurity as a CISO
40:00 - Cybersecurity often seen as unaffordable by small businesses
42:30 - Pros & cons of networked technology
Episode Summary

Ben Gittins is the Principal Security Engineer at Bugcrowd, one of the world's best bug bounty platforms. Ben has previously worked as a Senior DevSecOps Engineer at Canva, as well as DevSecOps Lead at SecureStack. In this conversation with Cole Cornford, Ben shares his belief that cybersecurity needs more generalists, how coding and AppSec have changed over time, whether cybersecurity qualifications are overrated, and plenty more.

Timestamps

3:50 - Why is Aus cybersecurity lagging behind?
9:50 - Over-reliance on purchasing cybersecurity products
14:40 - We ask too much of our AppSec professionals
19:00 - How app development & cybersecurity have changed over time
24:00 - "Greenfield projects" are often not realistic
28:20 - How to bring new people into the AppSec industry
32:00 - Importance of communication skills
38:20 - Cybersecurity qualifications are overrated
43:00 - Rapid fire questions