Originally aired on December 15, 2020 @ 7:00 PM - 7:30 PM EDT
A weekly podcast where Chris Georgellis, on the Customer Development Team, interviews people across the tech industry. From veterans, to hall of famers, day to day tech industry people as well up and comers. Get to know them as individuals, find out what drives them, how they got into tech, and what they see now.
All right and we're live. Welcome to episode 25 of Legends of Tech. I'm joined today by an absolute legend of our industry. He's been 20 years in in the tech industry. He spent the last 10 years in cyber. He's worked across government agencies as well as Coca-Cola. He's got three master's degrees which I'm quite excited to talk about. Originally from Peru, immigrated to Australia about 31 years ago. Please welcome Marco to the table. Thank you. Thank you for joining us today and I really appreciate your time and how are you? Very good. I'm very happy to be able to participate, George. I'm looking forward for a meaningful discussion so we can get to know about myself and also the context of cyber security in the 21st century here in Sydney. Absolutely, that's great. So Marco, how did you get into the technology sector? What made you get into IT? It was an adaptive evolution. So I am an engineer and my thinking has always been around creating things. My speciality is industrial engineering so I had the opportunity to join 25 years ago Coca-Cola Amatil in Sydney. I believe Coca-Cola needs no introduction. It's very well known around the planet and in Australia the franchise of Coca-Cola products is with Coca-Cola Amatil. So I started working as a business analyst in the supply chain area of business enabling ERP solutions with automation of the factories and also warehouse management systems. So there is a lot of technology and I think engineers by default are the biggest users of technology and that was the catalyst for me to transition a new course into this fascinating field of cyber security. So I participated on a number of transformational programs around the globe. One that I will always remember very closely was the implementation of SAP in Asia-Pacific. We worked very closely with the top 10 bottlers around the world to develop a common template and the reason for that was very simple. The Coca -Cola company had successes of great stories about franchises that implemented this in a cost-effective way and other stories that were not that successful. So the aim was to develop a common template and then allow each agency or each franchise to implement this at the wrong place and that's what we did. And then I transitioned into a brand new role created in cyber security in Coca-Cola Amatil before I transitioned into New South Wales government. What was the impact? So being at Coca-Cola for how many years were you there for? Very close to 25. 25 years. So obviously with technology coming into the marketplace it's been around for a while but the maturity of it has accelerated over time. What was the impact of technology to I guess to the business operation of Coca-Cola? What was that like? I think it was an enabler to do things much quicker. So I think the younger generation will not be able to relate on how the world will be without email for example. So email only became a reality in the 90s. So it enabled a number of processes internal and also external processes. The way technicians and also salespeople interacted with the customers. So in the old days they used to have a full paper form, complete the details and then fax it to the contact center for processing. So this is something a bit antiquated, not effective. But we've seen those transformations happening to the point where today we have automated replenishment of services and products. So what it took days to process now it takes seconds or perhaps minutes. But that's the power of technology enabling businesses around the globe. Absolutely and what about the impact on the actual manufacturing side? How was that? How did technology play a part in I guess evolving or enabling the manufacturing side? So it's all about automation. It's all about having the right product at the right time, at the right price. And that is the key fundamental enabler of what technology can do. Beginning with advanced planning and forecasting systems to plan your workforce, to plan your operations around the country with one system. Having all that visibility allowed the organization to be able to move product from many different distribution centers to be able to meet customer demands. Particularly when we had very hot summers around the east coast we were able to shift product in no time. And always with the guarantee that the product will be fresh as close as the day of manufacture. So it has been a transformational change that we have seen in the overall footprint. The implementation of one national ERP solution to enable planning, procurement and replenishment process. And also the web capabilities to interact with our customers or with Coca-Cola customers. So we built that from scratch because we were in a very exciting period of transformation. And we saw technology as the enabler. That's amazing. That's really good to hear. I mean we sort of take it for granted now in terms of how technology impacts our lives. Especially as you mentioned the younger generation you know without email they probably don't even know what it was like. But it's good to I mean it's always interesting to see how I guess technology impacts whether it's manufacturing or anything that we do in the world. Now I guess the question I have is around cyber security. So you started off as a I guess as a business analyst and then you finished up as a cyber security person. How did the cyber security piece come into Coca-Cola and then how did you actually go from I guess one part to the next part? It's purely by opportunities, by observation and by identifying value for the organization. Building automation in the warehouses, building automation in the manufacturing processes. Security came up very early in that development process. And if you go to any organization that is assembling Internet of things equipment and particularly referring to SCADA systems. These are the controls that operate a number of processes that are fully automated. We will find that there are a number of weaknesses on the traditional layout of those equipments because security was never built with those systems. The fundamental assumption was that those systems were operating in a trusted zone. So in the days where the perimeter doesn't exist, it's a flawed assumption. So that understanding came to the surface fairly quickly and when an opportunity became in Coca-Cola Hamilton, I was very fortunate to be given the role to take a lead for Asia-Pacific in that context. It was about enabling processes. Security has always been traditionally built as the Mr. No person. No, you cannot do that. No, you cannot do that. Well, let's understand the business value. Let's understand the context and then I will work with you to make that secure connection reliable and robust. So that was the thinking and I found that most of the time I was spending meaningful time with business people rather than the technical people, analysts, etc. Which I think is time very well spent understanding the business purpose, understanding the motivations, etc. Okay. Did the business have to be convinced that security was important for their operation in the business or did they understand that from the get-go? No, it's not an easy experience. I think this is where the CISO, the Chief Information Security Officer, can add a lot of value. So these people or the audiences that we are trying to reach are non-technical. So therefore, they don't know much about technical terms but they do understand one thing better than anyone else in the whole organization, risk. And that is the reason as to why these individuals are the decision makers. If organizations are running a private enterprise, they have two missions to generate profits and to be able to maintain the business. If you are in government, the purpose will be different. It will be more around making sure that services are delivered to the community. So this is how the decision makers are educated by talking their language, which is the risk language. It's only then when decisions can be made to say we're going to accept risk or the other option is to say no, in these areas we're not going to accept risk and we are going to increase our investments. So it works both ways. The reality is there is no organization in the planet that can afford full protection for all information assets. Decisions have to be made based on a risk-based analysis. And I think that is the role of the CISO. If you ask me how I describe the purpose of the CISO, it's only one way to describe that and that is to reduce risk for the organization. And when I say reduce risk, it's about bringing that risk in accordance with the risk appetite of the entity. Yeah, absolutely. No, you're spot on there. It's definitely, you know, I think as technologists, we forget sometimes the reasons why we do things. And if you look at security, I guess as a company, it's reducing your risk profile because if your organization gets taken out, therefore you're not going to deliver services to your customers and then you're not going to make money. Now, just on the security side, when that came up, where was the security posture? Was it around the data? Was it around the manufacturing side? Was it around internal users? Or was it everything as encompassing? I'd love to understand where did the actual conversation start and how did it evolve throughout the business? It started in the corporate environment first. But as soon as these risk discussions occurred, it became apparent that there were risks in many different areas outside the corporate environment. Now, people handling very sensitive information using mobile devices, salespeople, etc. etc. How do we protect those connections? How do we protect that information at a time when the perimeter was disappearing? So, CISOs today need to think about risk-based controls, where the controls follow the data all the way through to the point of consumption. So, the perimeter doesn't exist or perhaps an alternate view is to say that the perimeter has been extended to the Internet. And that's probably the way to see it. The traditional security approach for protection will not work. So, it's all about conditional-based risk assessments. So, if you consider, for example, how people do things in the physical world, then these things will become more real. If you go to take an international flight, you go, you check in, you go through customs, you present your passport, they check, yes, this is George, I can see him, his photo is a perfect match, and they will ask a few questions and you are good to go. Now, if we translate that physical model into cyber, what's happening? All right, so we have the connection, you have the correct passwords, and you have passed the MFA challenge. So, you're in, George, you have whatever access you need to do. And you see, we don't do any further checks. So, if I detect on your passport, oh, this is not George, or the photo is not a big match, then I will put you aside and we'll do further analysis. And this is all about conditional access. It's all about making sure that you are the person who claim to be. So, that's a new thinking. That's something that my colleagues in the industry are looking at very carefully, because there are tremendous opportunities to do things better and in a more cost -effective way. Yeah, absolutely. It's a great analogy, and I've always thought of it in that context, but the way you explain it, it's exactly the same, right? Just picture yourself taking an international flight and going through the checks and balances, security has the same measure. You did mention a couple of things around IoT, and as we know, IoT has been something that's been around for many, many years, but the explosion of it, especially over the last 10 years, has been quite phenomenal. I guess, what was the IoT security, I guess, not requirements, I guess, thought process around protecting the business from those sorts of vulnerabilities? The only protection control in those days was, well, we have a firewall, the network is segmented, therefore, that's our protection. Now, when in fact, it's far more powerful, when we look at the, in the last 20 years, the most recent attacks on critical infrastructure, we see how those basic controls have been bypassed quite easily. 10 years ago, there was this Iranian nuclear development, and there was a joint effort between the US government and Israel to stop it. And we've seen that how they were able to infiltrate the systems, the scala systems, and to stop that program from occurring. So, it tells us the fragility of those environments without the protection that they deserve. They can be bypassed, and let me tell you, cyber thieves, or cyber offenders, are very quick to learn and to innovate, and to find ways to get a back door and to infiltrate. Yeah, spot on. And I think we've become more aware, but we've heard of all the cases where, you know, someone's walked into a showroom, they plug the laptop into a port next to a printer, next thing you know, they're siphoning out data, or they've sat outside an office building doing a bit of wire sharking, and they've been able to connect to the systems as well as that. So, yeah, I guess it's good to see the, I guess, the evolution and the awareness become quite, I guess, good. And to your point, you know, the perimeter, especially now during this year, has now completely dissolved. You've got users at home, you've got people here, people there, data's everywhere now. So, I think as an organization, or even as individuals, I guess our risk profile's a lot different. So, you spend a fair bit of time at Coca -Cola. So, I guess a very fast-paced organization, you know, delivering all sorts of products out to the marketplace, and then you moved into government. What was that like moving from, I guess, a corporate delivering, you know, that type of service, then moving into a government type area? What was that transition like? And I guess, how was all the things that you learned transferable to a different industry? I think is the, there are two things with government. So, in government, you are working and reaching large audiences. So, the decision-making process on itself, it's much slower. So, anyone considering a career in government must be aware of that. It's the large amount of stakeholders that you need to socialize ideas and so forth. Joining in was always a challenge in the sense that government is refreshing systems coming into the 21st century. We have a great minister here in New South Wales government, Mr. Dominello, who is a businessman on itself, a politician, but with a great understanding of how technology can deliver value for the citizens of this great state of ours. And it's that type of minds that we need to see replicated across the whole of Australia to be able to transition into the digital era. Now, the digital transformation is not a fast word, it's not a trend, it's an economic reality. And we do this simply because there is absolutely value for communities and also for service providers. So, having said that, transitioning into government was facilitated by the exposure that I had in many different environments in what we call Amatil, and also in many different geographies. What worked here was probably not the same way as it used to work somewhere else, like Papua New Guinea or Indonesia, because of cultural differences or different ways to go to market, etc. So, that helped me a large context to be able to relate and to facilitate a transition into government. Fantastic. And once you got into government, what was it like going from, I guess, a Coca-Cola into a government agency? Was the maturity level the same? Was government further ahead? Were they further behind? What was your observation as you first entered into government? So, the first observation was the fact that there was still a perimeter operating, and therefore, that was the first main difference. Okay, we are operating in a perimeter environment, how do we scale up to move out of the perimeter in a secure way to facilitate a number of processes. That in itself is a major change in the way you think, in the way you interact with your shareholders. And I think that was one of the first challenges that I faced very early. The other thing that I faced very early was the amount of phishing activity around government. So, spoofing of emails is today a very common occurrence. And I have to say, NSW government has done a great job in mitigating the risk for the constituents of New South Wales in that context. So, as I said at the beginning, it's all about engaging with this community of shareholders and being able to influence your views with your stakeholders on value and by delivering benefits to the user community. Absolutely. Now, you mentioned when you were at Coca-Cola or within business, it was all about managing the risk and managing, I guess, the business process. Did government have the same, I guess, thought process or was it a completely different chain of thought in reference to security? The traditional way of thinking is that security, and this is how traditional governments have viewed security. It's a compliance effort. So, we're doing A, B and C because we need to comply with regulation protocols, etc. When in reality, it's not. It has to be a risk-based decision approach. And this will change the thinking because if you do it right, then you will get the same outcome. Yes, by default, you will become compliant with A, B and C. But what you're targeting is to do, you need to prioritise your investments, you need to prioritise your resources, and you need to prioritise your workloads. How do you do that? Using a risk-based approach. And working very closely with my government colleagues, we have for the first time, well after the event, a new cybersecurity policy for the state in which it indicates the need to have the crown jewels identification. So, on itself was a new concept, but very powerful. And all that is, is to prioritise your information assets. There will be information assets that are more important than others. And therefore, the focus should be on protecting those information assets. So, you will be less risk tolerant on disruption to those assets compared to other types of assets that are not priority. And your understanding of tolerance can be extended a bit more. So, this is how you prioritise investments based on the risk-based approach. I think that has been something that I looked at from day one. So, moving away from the traditional way of how security was done, complying with space to a risk-based approach. Fantastic. When you look back over your career, are there any highlights for you that stand out that you're very proud of in terms of achievements? Yes. Look, I have invested over the last 30 plus years on myself. I have been adaptive and resilient. And as such, I collected three degrees from UNSW at a master level. I did my first degree in engineering science, building up on the knowledge of automation, Internet of things, and replenishment systems using technology, etc. And that was my first interaction with artificial intelligence. So, it was early days, but it's something that always was left on my mind. So, I was able to do that in recent times when I completed a master's degree in cybersecurity operations from UNSW Canberra. And before that, I had a master of business in advanced information systems and management, again, from UNSW. So, what that means is I have invested myself. Knowledge has evolved by adaptive learning and by other means to be able to contribute to this body of field. I think one of the most significant elements on this development has been networking with my peers, with industry thought leaders, to be able to share experiences and learn from each other. Fantastic. That's great. And that's really awesome achievement to do three degrees, I guess, in very diverse areas of business, engineering, science, cyber. So, it's quite an amazing thing. What about lessons? If you look back, are there any key lessons that you've learned over the last 30 odd years of being, I guess, in this sector that stand out for you, that sort of build on your way forward? I think over the years, there is one that particularly comes to my mind, and that is to be able to develop meaningful business relations, number one. And number two, to maintain those business relations over a period of time, because this is when value is built, is delivered, and you're able to reuse one of the fundamental engineering principles, which is reuse. If it worked for you, I'll check it out, because it might work for me, and the development time can be reduced substantially. So, it's all about learning, engaging your stakeholders, whether you're in government or in the private sector, it's very important, and always speaking to them in their language, moving away from the technical jargon that no one understands. You're not trying to reach those audiences, you're trying to reach business audiences. Business audiences need to run a business, or run a government agency, and therefore their priorities are different. We have scale resources, we have limited budgets, how do we use all the many different elements in the best possible way? So, maintaining those business relationships, being able to speak to those audiences using their language, will set you on a successful career. Fantastic. Marco, I can talk to you for hours. I just wanted to say thank you so much for your time today. I've learned a lot. Hopefully, in the new year, we'll get to have, I guess, an episode, a second segment to this one. Fascinating stuff. I haven't even gotten into the detail of the things that I wanted to talk to, but I just wanted to say thank you so much for your time today. I just wanted to thank the audience for tuning in this year as well. We're now approaching Christmas, and I think it's time to spend time with our loved ones. So, thanks everyone, and see you in the new year. Thank you, George, and we'll rest you on that conversation. Cheers.