The Security Circle

EP 099 Jason Brown: International Speaker for Risk, Intelligence, Security, Innovation, Export and Arms Control, Scenario and Strategic Planning

Jason Brown Season 1 Episode 99

Share episode

Send us a text

BIO -Jason Brown is an internationally recognized expert in risk management, cybersecurity, crisis management, and business resilience, with over 40 years of experience across government and industry. He currently serves as Principal Advisor on Risk and Security for Thales Australia and New Zealand, as well as CEO of Cinnteacht, a consultancy specializing in risk and security. Known for his strategic leadership, Jason works at the executive level with government and industry to drive robust security frameworks, risk controls, and crisis responses.

Key Expertise

  • Risk Management & Security: Extensive knowledge in enterprise, physical, cyber, and personnel security.
  • Crisis & Continuity Management: Experienced in crisis planning and simulations for critical infrastructure, notably leading Exercise GridEx VI.
  • Strategic Defense & Compliance: Advises on defense trade control, security compliance, and government partnerships for Thales.
  • Standards & Committees Leadership: Chaired ISO TC262 for risk management, steering the ISO 31000 guidelines. Actively engaged in ISO committees on cybersecurity and supply chain security.

Career Highlights

  • Thales Australia & New Zealand (2004 - Present): Former National Security Director; now advises on high-level risk, security, and compliance, with a focus on mitigating strategic risks.
  • Commonwealth Government (1977 - 2004): Held SES-level roles in Defense and the Attorney General’s Department, leading initiatives in security, safety, and intelligence.
    • Pioneered the Australian Risk Standard AS4360 and ISO 31000.
    • Chaired Defence Security Committee; negotiated international defense security agreements.

Board & Committee Memberships

  • Chair, International Standards Committee for Risk Management (ISO TC262): Managed international efforts for ISO 31000 and related standards.
  • Governance Advisory Committee Member, Institute of Strategic Risk Management.
  • Senior Vice President Asia Pacific, ASIS International (2010 - 2016).
  • Convenor, ISO 28000 Supply Chain Security Standard Revision.
  • Deputy Chair, Forum of Australian Security Executives (2020 - 2024).

Recognitions

  • Australian Security Medal (2011) for outstanding service.
  • Top 20 Global Influencers in Security and Fire Management by IFSEC International (2019).

Education & Certifications

  • BA (Hons) in Educational Psychology, Dip Ed (Hons) - University of Sydney.
  • Postgraduate Diploma in Security Risk Management - CIT.
  • Leadership and Development Programs through Mt. Eliza, Australian Public Service, and Defence.

Fellowships

  • Institute of Strategic Risk Management
  • The Security Institute
  • Australian Security Leaders Climate Change Group
  • Australian Risk Policy Institute

Jason’s contributions to risk management and security have made him a sought-after speaker and trainer, presenting across continents on the latest in security convergence, risk governance, and crisis management strategies.

Security Circle ⭕️ is an IFPOD production for IFPO the International Foundation of Protection Officers

If you enjoy the security circle podcast, please like share and comment or even better. Leave us a Fabry view. We can be found on all podcast platforms. Be sure to subscribe. The security circle every Thursday. We love Thursdays.

Yoyo:

Hi. This is Yolanda. Welcome. Welcome to the Security Circle podcast. Here we are again. IFPO is the International Foundation for Protection Officers and we are dedicated to providing meaningful education and certification for all levels of security personnel and make a positive difference where we can. to our members mental health and well being. Our listeners are global. They are the decision makers of today and tomorrow, and we want to thank you wherever you are for being part of the Security Circle. If you love the podcast, we are on all podcast platforms. Subscribe, like, comment, and share, and we thank you for your company. Today I have a very special person with me. We are in two different time zones, although that's not unusual, but it's his night time and my morning time. That might give you a good idea where he is. Well, he's currently the chair of Australian Standards Committee for Security and Resilience. He's the chair of the International Standards Committee for Risk Management. Member of the advisory committee of the institute of strategic risk management? No, they are and the member of the cyber security standards task force deputy chair of the forum of australian security executives I mean, look, wow. Jason Brown, welcome to the Security Circle Podcast. What a list. How are you doing?

Michael:

Well, all of those things are things I've been doing. It doesn't matter because I've done all those things and they're all hilariously amazing.

Yooy:

Hilariously amazing. You've been on a heck of a security journey. And you've held some wonderfully important and prestigious positions, but what is it that excites you, having had such an amazing career? What excites you now about working in the security community?

Jason:

Passing on knowledge. It's an easy one. It's having had, I won't say how many years experience, but Methuselah would be envious. passing on the things I've learned to people and the international standards work that you sort of referred to, where I was head of the risk management committee and, and the Australian representative on, security resilience, etc. And now in cyber stuff where I'm doing a lot. It's about what have I learned? And how do I pass that back in? There's two ways of doing, three ways of doing it actually. You can write, you can train, or you can work with other people to develop best practice. And, um, and the, so the, so I do write some things, um, and I'm working with someone who you've interviewed before, um, uh, Julian Talbot, he and I have been working on the security risk management body of knowledge and the new risk management body of knowledge, which I've got the draft of and I've got to work on the weekend. So, so things like that. Um, but I love training people. So, uh, the opportunity to talk to lecture to give presentations that gives me a great deal of joy and, um. And it helps, I guess it helps me, um, crystallize my thoughts. There is nothing better than when you've got to think about how to communicate something to people at maybe very different levels of experience. Whether it's at a Risk Management Institute conference, or a security conference, or even some high school kids thinking about what their careers might be. So all those things I think are terrific. But um, security itself is a good thing to do. We live in a complex, dangerous world and it's a good thing to be doing.

Yooy:

Unfortunately, we do live in a complex and dangerous world and a very unpredictable world as well. Do you ever get asked by the people in your circle, either client side or colleagues, you know, what do you think is going to happen next? I get asked this and I just, I focus very much on the things people can control, do you know what I mean? I focus on staying current with geopolitical issues, keeping good information around global world events, not just what you read on Twitter. Stay away from social media, you know, enabling people to have good clarity of thought. When it comes down to that sort of question, what do you do? Advise people,

Michael:

I'll start with what you a way of being careful there's so much information out there. The first question you've gotta ask is, who's telling me this? Then the next question you ask is, why are they telling me this? The next question is, what do they want me to do? And then you lay, the classical intelligence processes about credibility, reliability, recency, primacy to determine. Not only what they're trying to get you to do by telling you things, but how much you can rely on it. So, for me, the issue, and why risk management is so interesting, is the issue is about how you understand uncertainty. And uncertainty can be a dearth of knowledge. Uncertainty can be driven by conflicting information. And so, applying at least a minimal level of analysis is really important. And I enjoy it. I hear people telling me these wonderful things. seen on Snapchat or whatever it might be. And I think that there's no resemblance to any reality that I share. Um, so in order to get some sense of reality, it's about having multiple sources of information and asking the sort of questions I just asked. Then you can say, well, If you think about it, it does make sense. But look, there are reliable sources. I mean, but even really reliable sources that have been collated, analyzed, et cetera, let's take the World Economic Forum risk reports every year. I've read them over many, many years. And as a consequence, I watch where they've got it really wrong as well as when they've got it really right. Their risk management processes have improved greatly the last four or five years. But if I go back. To the time of, the Middle East Respiratory Syndrome and SARS and bird flu, etc. It was way up there. Now, the actual likelihood of a major pandemic event occurring had not changed, but because it didn't have primacy in the minds of the analysts, the one that was done the year before the pandemic, it may be. had dropped it right down. But from someone who's looked at this longitudinally, the likelihood of pandemic was actually probably higher than it had been, but they missed it because there's a tendency to look at the shorter term the experts who were talking about it then are now relegated because, oh, it hasn't happened. Well, there's reasons for that. The Middle East Respiratory Syndrome. It was coming through travelers, but you had to get pretty close to a camel to get it

Yooy:

Let's look at shorter term, longer term, because you've triggered something there. I read an article, uh, very recently about how China's got a bit of a dilemma coming along because they're going to have, they're going to have a population of 300 million people who have retired. And that's the population of America. They're all thereabouts. And we know because of the. areas we operate in, and so do many listeners, that China plays a very long game in its strategic and tactical, moves. they didn't see this coming, did they? And they also have a compounded problem with the lack of, one gender due to the one baby rule. When we look at our own nations, I know that China Our looking at the shorter term is absolutely crucifying us. And I think it's down to the period of elections, election periods. I definitely think there's a huge difference to how we approach risk in that sense. What do you think?

Michael:

You're absolutely right. Let's start from the democratic positions of the world. Short election cycles breed short term thinking and a combination of the perception of what people want in the short term in order to deliver a Because they're not trying to deliver large votes. They're trying to deliver that four and 5 percent of the margin. You're either rusted on social Democrat or rusted on conservative. And so therefore the tendency to be responsive to short term things, housing, housing shortages. Or, um, an event, uh, taxation, things that get people personally tend to dominate over things that are essential for long term national development, for example. There's measures that need to be taken by politicians that could be unpopular electorally, but are actually good strategically. You know, there's a whole lot of those, and I won't go through them. Now, China's an interesting one, because The, they did abandon the one child policy, but the Chinese behavior didn't change because people got used to not having lots of children. And there was, they, and even with an incentive to have more children, it hasn't happened. So, you're getting this big demographic bump. Now China's probably more unique, you know, being able to cover that because, That population, their voting might make no difference. Whereas in Australia, for example, or the UK or Germany or France, that ageing population has a serious impact on government. I suspect we'll see the rise of political action for folk. I happen to live to 100, so I expect to be politically active for another 30 years.

Yooy:

I don't believe it for a second. I think you're going to be one of these people, like, I aspire to being able to reduce my hours of a certain age and still have clients and still produce work and, you know, have a little money coming in so I can still do fun time and, sit back on my pension. I should imagine you've got your fingers in lots of pies, Jason,

Michael:

and

Yooy:

you're a writer as well.

Michael:

I'm going to be finishing up with TALIS fairly soon because I've done 19 years there. That's long enough for you to pass over to the next generation. But I am looking at my own company in those areas of critical infrastructure protection, crisis management, business continuity, etc. And that'll kick off mid year. And why I wanted to do that is, too, it's exciting and interesting. I've got a lot of friends who have businesses, and I'd love to work with them solving problems, you know, solving issues like how do you plan for critical infrastructure in the transition from, a carbon based system to a solar based system and the potential impacts on national capability. And how do you analyze that? How do you explain to a small or medium company that's got to build a critical infrastructure? Capability because it's part of a much bigger infrastructure. So the last thing you want is a small, electrical grid in a country town, bringing down the interconnected system. And these things are possible as people understand that, but they need to be helped. You know, to their own risk management plans and understand how they relate to big ones. So that's a really interesting thing to do. The issue I think is that, you change the way you work, in terms of what outcome you're looking for. Young, you're looking for a promotion. recognition and all those other things. And when you have a lot of experience, you tend to say, what, what is the value of the experience in terms of, as I said, sharing?

Yooy:

We are also an amazing community and we're a community that just loves to work with each other. I find as well, I should think you'll probably be in very high demand. You've had some great positions. You have, for those that don't know, the equivalent of the Assistant Attorney General in Australia is like the head of MI5, right? That's the kind of height in the career that you've gone to. When you look back at your career now, What was the

Michael:

job? An assistant director general is two down from the head. Oh, is it? So I have been in very senior positions. There's no doubt about it. As someone who said, I'm the only person I know that's been in three intelligence and security agencies. How did

Yooy:

you do that? How did that happen?

Michael:

Absolutely by accident. It was not an aspiration.

Yooy:

Really?

Michael:

My ambition was to be a university academic in the area of, um, social psychology etc, or anyone that would allow me to sit in the, Hello, gothic halls of Sydney University, which is like a mirror image of a baby Oxford. And sit in a knock and sit in this building in a tower with gothic bookcases and wax lyrical about whatever it was I felt like waxing lyrical about. And then I was actually on my way. I got my honours degree out of the way, I had started my master's degrees, I was a postgraduate student representative for the University Senate, I had a lovely job at the Institute of Technology as a counsellor, I was recruited into the public service to work in, in the intelligence area. Because I was being interviewed about somebody else and they said, oh, we're looking for guys like you or gals like you, as the case may be. And I said, how much do you pay? And they offered a good pay, so I joined. Something like that. It's a short version.

Yooy:

Look, it takes a certain type of person to be in security, let alone have the kind of career you've had. When you look back at all the jobs you've had, is there a particular job that made you the happiest or the most content or gave you the most purpose? And why was that?

Michael:

that's really hard because every of them, every one of them had some positive fulfillment around them. And, and as a younger person, the adventures in operational work and investigations and things like that. And until that was something that, that I enjoyed and I was good at, but being good at it, I actually looked at how careers work and I felt you at least needed more than one or two strings to your bow. So I made a particular effort. to understand planning strategy and a particular effort to understand training and development. So it didn't matter where I was. And the big things for people working in the security space is, um, they don't link out to where security fits in more broadly. So if you want to be a really good security leader, You've got to be a good trainer. You've got to be a good planner. They're not disciplines just of security. They're, they're life disciplines. Um, and so I was lucky enough, um, to be accessing the public service executive scheme, which gave me a year off. And I worked at the National Gallery, um, and helped develop their strategic plan. I worked with the tax office to develop a client service strategy to reduce the number of, problems we were having. I also then did,, the Australian position on the UN anti drug control plan. So I did three very different things that weren't traditional security, but the skill sets absolutely benefited when I went into a more senior management leadership role. so I think, A security professional who seeks diversity, and that diversity could be volunteering to be on the board of the school. It could be,, it could be running, some sort of charity. And that more whole person approach becomes very important. The problem with security work, it can put on a particular narrow set of glasses on how the world operates. and therefore, by, uh, Deliberately ensuring diversity, whether it's in lifestyle or in change of profession. It can still be in the security world, but it won't be a change of activity from operations to training to management with a team to whatever it might be.

Yooy:

There are some significant events in our history that have had an impact on our nations. I know that 9 11 had a big impact on the UK. Did 9 11 have a big impact at all on Australia?

Michael:

Yes, it did, partly because because it was so graphically in your face, at every point. I think probably Australia was more affected by some of the incidents in Britain, some of the bombings and things like that, because while the United States is one of our closest allies, obviously we have a really close association, but in terms of our cultural field, There's more resonance with Britain still, despite, some of these alignments. So when someone blows up a concert in Britain,,Ariana Grande, for example, it's more of a shock than when they blow up a concert in the U. S. Because they do things like that over there. A school shooting in the UK is somehow more personal and horrid because,, it's just a different thing. And, yes, but 9 11 itself was shocking. I did write a piece on 9 11 how,, ages ago, it still gets quoted, I get it back, people come in through the academic literature thing. Tell us about

Yooy:

it, Jason.

Michael:

I mean, even before the The event, um, when I saw this, this is an event that never could have happened. It was quite clear three years before that certain groups associated with violent terrorism were planning to have a capability to do this. I actually wrote a scenario. for a major exercise where a plane was hijacked and the threat to fly it into the city without the release of these people, would not happen. Three months later, there was a TWA airline that was going to be crashed into a Riyadh if these Palestinians weren't released. The, the boss said, Jason, did you sell your plan? but the evidence was there because there was already training going on in parts of the Middle East about how to take over an aircraft. And so two things happened. One, the intelligence puzzle wasn't being put together because of rivalries and differences of opinion about who did what. But secondly, if you're going to work in security at that level, You have to think outside the probable because the probable will happen. It's the improbable that you have to prepare for. And therefore, risk management and scenario planning take on a very different perspective. They have to be prospective, not retrospective. And I see so much. security planning that's retrospective. the thing that I've tried to explain to people about security related risk management is the adversary is adaptive. See, safety, the, machine doesn't say, oh, I didn't get in this time, I'll do something different next time. An adversary does. the adversaries of a civil society who may want to make some changes for their own good reasons, and they don't think they're good reasons. Um, they will say, okay, well, this is what's happened. We're going to change our strategy, um, or change our target or whatever. And, and the IRA said it, you know, you've got to be right every time. We've only got to be right once. That's what I said to Margaret Thatcher.

Yooy:

Not a lot of people get to say that.

Michael:

No, no, um, but so, so, so these issues around, um, around terrorism are really interesting. I mean, it's, it's. If you're trying to deal with terrorism, you have to understand the relationship between intentions and capability, and intentions can vary. Um, the Justice Commandos of the Armenian Genocide are one of the best terrorist groups in the world in terms of efficiency and effectiveness, etc. But once Armenia got a state, the intention went away.

Yooy:

when I read this figure about 300 million people being of pensionable age in China, and I started thinking back to COVID and Wuhan, and I started to draw a parallel, a connection here, I started to think,, I know it sounds awfully far fetched, but we don't think that. in a far fetched way, we think, could there be a causality? Could there be a reason behind, you know, something happening? And sometimes we're called harbingers of doom, aren't we? We'll say to a business, look, the worst case scenario is that,, that this could be catastrophic for your reputation. Oh, Yeah, but that's not going to happen and how do we, when our brains are so finely tuned into thinking, was there a reason why this was invented in Wuhan? And is there a reason? And now that we know that there's 300 million surplus people to governmental requirement that are going to be very,

Michael:

very expensive.

Yooy:

And do you know what? I'm not a conspiracy theorist and there's a huge line that came to me. I read the article. I thought,, wouldn't that be convenient if you lost half your population?

Michael:

I could go really berserk and talk about the multiverse.

Yooy:

Go on, you've got 10

Michael:

minutes to go berserk. I'll say what's really interesting, when you, and I'll go back to the world you came from, they look at the connections between things, all things are connected, right? And, um, if you apply a chaos theory model to things, you can start to see that if I didn't understand that relationship. I don't think there's a relationship between new hand and population. It doesn't make sense. and often anything that linkages come often through happenstance, the linkage was there, but a turn left or a turn right makes a difference. And no one's put a plan into that. So when you're doing with security and you want to talk about the what can happen, You might not try to make it on worst case scenario. Worst case scenario is not always a good way for planning. A good way for planning is to say, what will make you more adaptive in a changing complex world?, let me tell you about, some work that I was involved in where we did. a bunch of scenarios about what the future of security threats would look like. And some of them were quite extreme. One was, um, uh, a situation where, and this is a long time ago, so it's probably close to being true now. Um, a major, a major Southeast Asian power became much more warlike and much more aggressive, et cetera, et cetera. And what would that mean in, for our security? Well, the question wasn't, What that would look like. Um, the question was, what would you be looking for to see that that was coming forward so that therefore you could identify that emergent trend in the first place. So it was all about saying, um, what are the pathways to that problem area we're talking about. So let's take global warming for a moment. So, so when you start to think about global warming, people often think about, oh, it's going to be hot here. When I think about global warming, I think, okay, what already happens when there's an aberrant weather activity? And then you say, okay, um, How would that play out if that was happening more often? How would that play out? So then you do a scenario and say, okay, um, global warming, let's look at it through the lens of population movement, and then you do the what if. If we had a half metre sea level rise, what does it look like? And then when you get to a metre or so, you realise 400 million people will be on the move because the Erawati Delta's flooded, the Niger Delta's flooded. A Western country or an advanced Third World country can probably deal with it. I mean, in Britain, you've already got flooding that's controlled by the Thames dams. A lot of London would flood when there's a king tide or a surge tide, etc. Now, that's now. Um, that probably wasn't the case at one point because the water could spread out into the fens and things. So the landscape has changed. Now, let's take it like this. Already the Irrawadda delta gets flooded. So if you're a security planner. You need to plan for that. But, um, I'd say in Australia, what does it mean if the islands of the international in the Indonesian archipelago flooded. So people are already worried about Pacific, but that's a million or two people manageable. What happens when you're talking about 2 billion people, and then you can say, let's look at it from the food lens. Well, the world fisheries are no longer producing what they didn't produce. Now, I'm not saying this is going to happen, but you say, if this did happen, what's it going to look like as it emerges? And what do I need to be able to do to manage that? So what we, what we looked at, and I'll give you a really classic example. Before all the stuff that's been happening, the web, web with encryption and things like that, we said, what would happen if you had a capability to have highly encrypted communication that couldn't be broken by GCHQ, for example, what would that mean? in terms of our capacity. So what have been building up in agencies around the world like NSA, GCHQ, was an increasing dependence on electronic surveillance of communications. But then you have high level cryptography in the hands of small activist groups of one description or another. it becomes important again, human source actors. And if you go back to,, say the, second Iraq war, that there was very few sources of human intelligence and the SIGINT in England was misinterpreted for a range of reasons. So you have to think about that sort of stuff. So scenario planning is the way to go, but the scenario matters less. Then an understanding of what could happen to lead us to that and see if those things are already there in the environment or emergency. Have your itinerary for emergent sources of risk, and then you manage them through a process of risk analytics.

Assist security group. ASG. Gee. Is a private security company specializing in tailored security. The solutions to meet the distinct needs and challenges. Of each client. Their team of highly experienced security professional. provide a risk and intelligence led security solution. That ensures the protection of their client's assets, buildings. Brand people. And profit. Bye. Understanding the environment that their clients operate in, they can. Forecast emerging threats control risk. And offer managed. Managed solutions. ASG. ensure your security. And peace of mind through a fully inclusive professional security service. That includes physical security, intelligence and investigate. specialized training. And comprehensive. Risk management. Assist security group.

Yooy:

There's a lot to learn, isn't there, about. People getting it wrong. We say in crisis management, there are so many things that we can learn and adjust from just by watching what happened with Manchester Arena. That is still giving, right? It's giving change. It's giving better training. It's giving, giving, giving all the time. I don't know about you, Jason, I've always been fascinated by any movie that has time travel in it, but if someone said to me, Yo Yo, you've got the opportunity to go back in time, I'm like, hell to the no, because there were too many risks around flying, because plane crashes changed and made plane traveling safer. There were safety changes made to cars, due to the way cars behaved on roads. It's like we've gone through life being crash test dummies on absolutely everything to get safety, implemented. So now I don't wanna go back in time and go on a ferry.

Michael:

I'll advertise a YouTuber. There's a guy called Simon Whistler. Who often does historical analysis and he ends up by saying the past was shit. Because it was, it, it compared to now other than the existential doom of climate change and nuclear war, which has been around since a while. for the individual in a society, even in, as long as it's not in a war zone, life is so much safer than it's ever been before. And opportunities are greater than it's ever been before. so one can remain. Mystic in a personal sense, um, and pessimistic in a global sense. And I agree with those two. I think we

Yooy:

all feel safer because we can

Michael:

ironically people are more fearful and fear is driving a lot of things at the moment, fear is driving elections, fear is driving, splitting up in society, Who's

Yooy:

driving the fear, Jason?

Michael:

I wouldn't want to mention Rupert Murdoch. I mean, he might. I think once it actually was only the media and politicians that could really drive fear, because fear was, but now fear is driven by the net of communications you drop into governed by the algorithms you've accidentally triggered or deliberately sought out. So. it is easier to motivate people through fear than it is through joy, and love, unfortunately. They can overcome the fear, but, no, people are fearful, and it adds up. It doesn't add up in a way that you can measure it. How fearful am I of increased interest rates for my mortgage? How fearful am I of youth crime, whatever that is? How, I mean, you see people, you'll see a person in a supermarket, there'll be a gang of kids hanging around just like kids have always hung around, having their ice creams and being noisy, and you'll see someone who's frightened because for three weeks in the newspapers, it's been talking about youth gangs in the suburbs. There may be a few youth gangs in the suburb, but it's never been us actually.

Yooy:

Question for you. When we talk about fear, Mike Corll talks a lot about the rise of security through fear from the Victorian ages, and there's this wonderful part in his book, which I would recommend and can't recommend it stronger really, where back in the day, they discovered that they could sell insurance to people's homes, but if they also purchased these locks for example, they were less likely to get burgled. But that fear of being burgled had already been implemented. The partner was the lock firm. And then of course they weren't going to get burgled because they already had locks on their doors. All they had to do is put locks on the doors. They didn't need the insurance. And so there was a commercial drive, of increasing fear. But then I realized, let's just be pragmatic. Don't people listen more? When they are driven through fear.

Michael:

you can drive them by painting out the positive consequence of doing things. So take your example. The positive incentive was put on the lock and your insurance premium is reduced. So you can sell a lot of locks by helping people reduce their insurance permit. That's a positive incentive driven from a fear-based initiative. so look, the fear is interesting because it's not always logical. I mean, we should be afraid sometimes. Fear, fear is what's kept the human species going in the face of the depredations of the natural world. Irrational fear becomes a problem. And when fear becomes divisive. Particularly fear of another religion, fear of another ethnicity, fear that drives people to take actions that are actually counterproductive for their own protection, but they believe, for whatever reason, they will be useful. so security doesn't have to build on fear, to the extent that, This sounds weird. Security can enable people to operate without fear. the link between providing security and fear is a complex one that, I'll tell a quick story about a security guard and this really sums it up and it goes back. 40 years ago for me. On that subcommitment to the Australian National Gallery, I used to like getting there early so I could have the works of art to myself, you know, stand in front of Modigliani's sculpture and say, how did he do that? And look around the back and do that sort of, well, when I went down early one morning, um, there was a guard in one of the gallery areas that I'd never seen there before. And I said, Oh, We haven't met, who are you? And, uh, and I said, you enjoy being a guard here at the National Gallery. He said, oh, I love it. I love it. And and he'd been down in the Asian area. He is now up in the international art, said, I'll do this fairly quickly. But I said, look, I'm doing the helping the director of the gallery write the strategic plan for the gallery. And um, and one of the things I think is really important that people who work at the gallery have to. Understand what the strategic plan might mean for them. So tell me what you do here. Obviously you make sure no one steals the works. And he said No. on a day when I come to the new gallery, I learn about the works of art that are here and people ask me questions about all time. I keep an eye on them to make sure that there's no deterioration or damage by accident or design. And also often telling people what else they can see in the gallery.'cause they know where I'm, you know what the objectives of the National Gallery were. Educate people about the art, maintain the national collection, and make it available to Australian people. That guard did everything directly to the main objectives of the legislation for the National Gallery. He didn't realise it, but he was, and the point I said to the director was, if you can make a link between objectives, And the behaviors at all levels of an organization. So when it comes to security, to bring it back, security can be that guard. It can enable people to do the things they need to do. So, that doesn't mean their security isn't their primary job, say, particularly in a shopping center. But if they become an integral component of the culture of the shopping center, and seen in a way that's not just about responding to trouble, it changes the narrative. And then, when a security guard might be getting into a bit of trouble, the whole of the shopping centre is there to back them up.

Yooy:

Everyone has a role to play. Look, cyber, I remember when cyber security was starting to emerge as a thing. And I just remember thinking, oh, goll, that's going to be a nasty big threat landscape. And now that I work in cyber security, I'm like, oh, goll, this is a big threat landscape. It's a whole new piece of work, isn't it? Cyber. How did you get involved with cyber and what is it that excites you about it?

Michael:

Cyber is just another potential vector for attack. we, we've had a new, we've had a new attack surface in a way. the problem with cyber is, the opportunities it provides for people to do more things, the engagement it has, the use of it to manage stuff has created vulnerabilities. I'm always interested in the human factor vulnerabilities that, that, um, people We'll be using this stuff and not understanding it. Cyber is in a place, for the automotive, people didn't, we still don't have the protective capabilities for individuals in the cyber that may be necessary. But again, cyber is interesting because of the adaptive capacity of cyber criminals. You, you plug a vulnerability and they find another vulnerability. And of course, the human factor stuff is I think the most critical part. you can't, Protect people from doing dumb things and cyber provides lots of opportunities to do dumb things. Oh, he or she looks handsome or beautiful. I'm going to click on that.

Yooy:

I'm, I'm, I'm laughing here. I am on mute. I'm laughing.

Michael:

The critical infrastructure protection focus, cyber focus, I mean, and in Australia about cyber hygiene. Do, you wash your hands if you've been out in the garden. Of course you do, but if you don't, you're likely to catch something nasty. So, so cyber hygiene is a, is a way of communicating. cyber has provided plenty of opportunity. For playing up and causing problems on a global scale. And the other thing is for the criminal or the cyber activists, you can't, they can't be held accountable for their behavior.

Yooy:

We're talking about a new highway, aren't we? We've had a highway for power, the National Grid. We have a highway for fuel, oil pipe lineage. And what this is this new threat vector is an information highway. And you can't help but think, if everywhere was flooded with that information, there wouldn't be the need to necessarily protect it anymore. But if only we thought differently, and maybe we could validate people's authenticity better, because clearly once everybody's information is available, you're open to fraud. That's what we're trying to protect here. We're trying to protect fraud. So rather than spend trillions of dollars on stopping information getting out, Let the information come out and let's just say we spend more money on making sure we can authenticate people's true identities. Surely that would be more logical. What do you think

Michael:

in an ideal world? I think that simplifies the complexity of what the post conversation does. There was a lot of people who thought the availability of information would be utopian in its outcome. it isn't, because, information can be used, so you have information, then you have misinformation, you have disinformation. And misinformation is produced by people who don't know. Um, who are putting out on the part of the story because they don't understand it. It's misleading for a whole range reasons. It's disinformation where there's deliberate actions to distort that now you will not get rid of that. the information the highway is like the one on the phone cartoon when he's trying to get off a freeway, and keeps driving around and around until he stops and sets up his own taco stand because, there's no easy answer and it is so interrelated. Cyber hygiene for individuals is really important. The capacity to create. Outside the world of the dark web, an ethical framework, but I mean,, we're in really small beer at the moment. We're not even on the edge. We're not on a superhighway. We're on a rutted dirt road with the occasional, problem. On a tractor. On a tractor. The superhighway. Is when we have genuine AI enabled and sustained at the space of quantum computing, quantum computing changes everything when it's able to be used effectively. What we have now is an AI, but it's getting closer all the time and generative AI machine learning is not AI. When you get a situation where the speed of learning, the speed of integration. And you move from symbology to, I guess, nuance enhanced communication, and it's at that speed, and you have the computing power, you will not be able to tell, and you nearly can't tell now, a human being. You could be a simulcra right now. If your support system was sufficiently fast and you had enough data about yourself to create that symbol queue. And I saw a wonderful one, it's been taken off the web because I think people are aware of it. it was Obama dancing down the street singing a song and it was absolutely him. I mean, a lot of people have seen it now because once it got out, it was always going to be out. Without going into details, we did a little experiment, you can, for 10, you can buy some kit that if you have enough sound bites of someone, you can create a speech by them, the AI will produce the speech, it'll link together the languages, and it will sound like, I'm so pleased to be here at the 25th anniversary of the Pond Lovers Club of Wisconsin, and it's that person's voice. They know they weren't there, but you now, when you add that to the other digital capabilities of producing a CRA online, I actually might not be me. You might have actually wronged the wrong person here.

Yooy:

No, I can guarantee you. I know it's you. It's for anybody in any doubt. You mentioned the dirty word, though. You mentioned AI first. I didn't mention it, but I listened to a podcast yesterday, and I'm not going to reveal who was in this podcast because they're going to be a future guest. So we always keep future guests in a vault. but this person who will come on to the podcast basically. Open my eyes into how AI is being used to sell products. People are claiming it's got AI in it. AI is the new buzzword. Everyone's interested in AI. There's this over talk about AI and a lot of us now are quite sick and tired of talking about AI because. if you're selling a great product, the product should be great and stand alone as a great product. You shouldn't have to sell it as a product that's claiming to have AI technology when it really doesn't. It's just a great product that's been engineered really, really well. And I think we have to kind of take away those rose tinted glasses and have people thinking quite rationally about how they are being pitched to around AI. What's your view?

Michael:

Well, back in the 1950s, they used to advertise that there was chlorophyll in your toothpastes. Chlorophyll was a great word, and it was green. If you have some software that learns from its interactions, With you. So let's take a look, there's a web development company. I won't name. They very quickly through the things you ask and the way you structure things, learn to give you things that might be helpful. So AI is active in controlling lots of things we do through the algorithms that feedback to the generative AI to learn about you. but some of it says. We have an AI enabled video camera that we can sell you for half the price of, and the ones I love, you see them on the Webbleton, this new breakthrough, the government's trying to stop it, but it will empower you to do X. It is an AI enabled whipped cream maker, uh, well, but, but, you know, it's a differentiating from AI as the development of an artificial intelligence that has a capacity to learn and respond is very different from, um, the way it's used in the advertising you're talking about. But it's, and it'll change. I'm really fascinated by it. There's incredibly good work going on looking at the ethics. I do a terrible joke, about, when there's someone, a human being or not. And so Stephen Hawking, right? Dead now, wonderful thinker. I just say this and it really upsets people, so I can upset all the listeners. When did Stephen Hawking cease being a human being and become an artificial being?

Yooy:

Yeah. I can't imagine him ever not being a human being, because he still had the human, but he couldn't

Michael:

walk by himself. He couldn't walk by himself. He couldn't do a whole lot of things by himself. He was machine. He was a machine enabled human being.

Yooy:

Yes. Yes. So with

Michael:

ai, when do you get. a human enabled machine that's a person. So think of Blade Runner, think of other things like that. Yeah. So these are, these were science fiction, but they're not beyond science fiction. We're not there yet, but We're there, soon.

Yooy:

potentially

Michael:

has that. I remember my grandmother saying, I have lived through the most marvelous era, despite the wars of humankind. She lived to 100. She said, there were no automobiles and there were no, and I've seen these things come and go but that was at a rate of change that was barely exponential. We are beyond exponential in the rate of change of technology. And as a consequence, it's going to be very difficult to imagine what things are like even five years from now.

Yooy:

Yesterday, when we talk about how fast technology is moving, it's literally, we're not even able to control the speed of the growth of technology and development from, the automobile right through to where we are now. But they're trying to determine. How they can tell the time on the moon. But I was never very strong at physics or maths. it's widely known that I have to use my fingers to add up occasionally. And that's only because I don't trust myself. Adding up. I'm often right, but I don't trust it's always right. And that's the best way to describe it. It's a little handicap., my brain could almost hurt if someone said to me, Yo Yo, how do you think they can, tell the time on the moon, because it's got a lot to do with gravity as well. The moon has a different gravity to earth that determines, you know, how it moves. I'd love to see how they work that out. I don't think it's a straightforward answer. I'm not expecting you to give me the answer

Michael:

a physicist can answer that question. Yeah. Because time is nearly immutable, it changes all the time. The faster you're going, the slower time goes. If you get a train to go fast enough, the person who's back at the station is on a different time than you are when you arrive at your destination. We just don't travel, I always make jokes about this, the closer, the faster you reach the speed of light. I think there is a relationship to gravity, but I think the actual relationship is the relationship to speed. How fast are you traveling? And how quickly you cover distances and things like that. The mid hedron collider, that could tell you more about what time is going to be like than I can. is the time on the moon different? It would certainly be different, but nearly very, very difficult to

Yooy:

measure. Yeah, 100%.

Michael:

I'm not worried about time. I'm just worried about lack of it.

Yooy:

Oh, bless you. before we go, and we've had some amazing highlights, I can't help but notice on your t shirt, I can only see the word former. Don't show me. Whilst we've been talking, I've been thinking, I wonder what's underneath that. Former. So I thought, I'm going with this. I think this is the best bet. I think your t shirt says former boy band member.

Michael:

No, it's a cyber t shirt. My favourite t shirt is a, just a plain black one with tiny white writing that says Art But it was so funny

Yooy:

how that was piquing my curiosity. we work in cyber security, we're sometimes more curious than we really, I actually reached the limit of my curiosity last year. Sometimes you can be curious and you can want to know something. And when you do know it, you wish you didn't know it. You know what I mean?

Michael:

Yep. So now you see my real, you'll see my real background.

Yooy:

Yep. Yep.

Michael:

And, but I won't stand up again, it's a bit of fun. So, so now look, one of the beauties of being involved in the cyber world is they have really good conferences.

Yooy:

Yes.

Michael:

And, I learned early in conferences that there's lots of vendors there, and they don't actually want to take the stuff they brought home. So if you go to a cyber security conference with lots of vendors, they'll have t shirts, books, pins, socks, the big ones, plus the really big ones, socks. so I just, oh, I need to come up with a new t shirt, but I'm very careful with t shirts. I only get the t shirts of the products that I approve.

Yooy:

Yeah, agreed. I think we have to have an efficacy that sits with that, but we do all love a bit of merch. I want to ask you about Julian. I've never met Julian. So when you do see him, give him a hug and kiss from me. What's it like working with someone like Julian who is avidly passionate about writing? And what is it you're planning to create together? Yeah.

Michael:

Oh, look, Julian and I are good friends. Because we're both crazy. When he first started and wanted to get going on the first security risk management quality of knowledge, I was able to get some funding from TALOS to support it. So we got some from Risk Management Institute from the Prime Minister and Cabinet. And from there to do that. I contributed a lot of my intellectual knowledge for, hence in the first edition, there's a reference to myself and my other guy, Don Williams, who gave a lot of, uh, material. I then supported the second edition. and now we're actually working very closely to have, he's fun to work with, but he is, an energizer bunny when it comes to ideas and writing and stuff like that. I can't keep up with him because there's no boundaries to what he's prepared to write about when it comes to doing it. But he and I share ideas and one of the things we talk about does this diagram work and does it illustrate what we're trying to, that. back and forth between us increases the likelihood that diagram will communicate to you or anyone else. I probably talked to him three or four times a week about things.

Yooy:

so far then we've talked about how security can enable people to operate without fear. We've talked about identifying emerging trends early, which is a skill I think we'd all love to have. That's a superpower we'd all love to have. We talked about we should be afraid sometimes, so we should be, not always driven by negative fear, but a little bit of fear is good. We talked about irrational theory becoming a problem. We've talked about the worst case scenario. Is it always the best for planning? No. And we also talked about short election cycles, bringing short term thinking, information. Who is telling you this? Always bear that in mind. And look, what can we say?, you're a mind full of amazing security information. I'm sure there'll be lots of people making notes from all of the great things you've said. Jason, wishing you all the best for your venture, in 2024. Thank you so much for being a guest on the Security Circle Podcast.

Michael:

Very happy to do so. It fits with what I was talking about. What can you give back? That's the measure.

Yooy:

so much.

Michael:

Thank you.