Mohan Koo: 0:00

When people post on social media when they take photos that go to the cloud, right? Anything that is connected to the internet is accessible at any time. People need to start thinking that way. Right? So when people tell me, well, it's okay that I post things on Facebook, because only my friends can see it. Or it's okay, I've got a I've got controls on my Instagram account, right? That is just the most misguided information that has been planted in people's head by the social media organization, that is not true.

Daniel Franco: 0:30

boards aren't talking about this at every board meeting, then there's an absolute threat, they will not be around in five years time. Do you support that?

Mohan Koo: 0:40

That's unquestionable. And unfortunately, the cybersecurity industry has left people part of it to last, they've left that to last. But if you're focused on the technology problem, you are only solving for symptoms, you're playing whack a mole, there's always going to be symptoms that you're trying to whack down and more are appearing. But if you go back to the root cause, which is always human behavior, which is the most difficult thing to solve, and that's what our business has been really, really focused on is understanding the human engaging the human in a positive way in a positively impacted way that they then become that human firewall, for the business for the government for the country, for the planet, then that's the best possible position the best possible outcome.

Daniel Franco: 1:25

A shout out to CEOs who are listening in and leaders of companies listening in. When it comes to cybersecurity, you're saying culture is number one,

Mohan Koo: 1:35

number one, absolutely, unquestionably number one.

Daniel Franco: 1:40

Hey there, my name is Daniel Franco. And this is the creating synergy podcast, your business and leadership podcast where we speak to high profile leaders and thinkers about their careers and dig deep by asking the questions we all want the answers to uncovering their stories, strategies, leadership lessons, and their secrets to success. Today on the show, we have global cybersecurity thought leader, Mr. Mohan Koo as DTEX systems co founder and CTO, Mohan is recently been named by cyberscoop as Australia's only top 50, global cyber security thought leader, Mo with his 20 plus years of cyber experience has a specific passion for the intersection between security and privacy, and for helping organizations to find a balanced approach. I'm not gonna lie to you guys, this chat with Mo today was pretty hard hitting and it left me feel uneasy about how I've been using social media, Google and anything digitally, really, the cybers threat is real folks, as we've just seen in the news with the recent Optus bridge. And in this show, Mo and I go into not only what we should be doing, and thinking about as leaders of businesses, but what we should be teaching our families and friends on how to protect our data and privacy online. We talked about the importance of the company's culture, in mitigating the cyber threats to the potential of cyber warfare that Australian businesses and governments face in the near future. So without further ado, there is my chat with Mohan. Welcome back to the creating synergy podcast. My name is Daniel Franco. Today, we've got a guy who goes under the radar a little bit but his name is Moe, he is a top 50 global influencer in cybersecurity. As of we found out yesterday, didn't we most so we don't want to share his details too much because he wants to stick true to his word. So welcome to the show. Thank you mate. It's a bit a bit of an oddball for me, like social media is such a huge part. And obviously promotion and sales and marketing is a big part. Not being able to share all your details is is a strange one. But thank you for coming on the show. Wouldn't mind just learning a little bit about your story and how you became one of these one of the top 50 global influencers in fact, the only one in Australia to be a global influencer on the cyberscoop magazine magazine is that where they are Yeah,

Mohan Koo: 4:25

yeah, I mean it's it's an interesting story. Right? So you know, when when I first started our company here in Adelaide in 2000, which is a long time ago is like well, before cybersecurity was a thing right so back in those days, it was called information security or IT security. And you know, Australia being Australia, like we have a very conservative way of operating most Australian companies and you know, back in those days, as a as a startup company in Australia, it was very hard to get you know, the big the Big Government departments or the big four banks or the large telcos to really take us seriously, because you know how the perception of how things were back then was, well, if, if it's not a US technology, and it hasn't been tried and tested in either the US or Europe, then it can't be worth its weight and salt. And you know, there really wasn't any reputable Australian technology startups back then that were actually doing good on the global scale. So, you know, we had to move and uproot ourselves and go to London to really kind of get taken seriously. So that was an interesting, interesting time in our lives. And, you know, when we, when we landed in London, it was, it was easier to be taken seriously, because people said, Well, these guys have come all the way from Australia, they must, they must mean what they say they're, you know, they've landed here, they're set up, they're not, you know, flying in and flying out, you know, they've set themselves up here and move their families here. So they're taking it seriously, we better give them the time of day. And that's where we really kind of built the business and for the topic of this podcast, you know, security is important. But privacy is just as important and and the fact that we grew our business as our cybersecurity business. In Europe, having that very privacy centric view of things was really, really important. And in Europe, you know, if you're familiar with GDPR, GDPR, is a privacy requirement, which, which means that, you know, as an employer, you have a responsibility to uphold your employees privacy. And so, you know, a lot of a lot of American organizations and, you know, organizations that have come from different parts of the world, don't take that view, you know, it's you work for my company, I will do what it takes to, you know, know what you're doing, and therefore, and therefore, the perception is, the more we know about what's going on, the more secure we are, which is actually not, not the correct assumption.

Daniel Franco: 7:02

So I want to just pass back to you know, moving over, obviously, taking picking up and taking the families is obviously a big thing. What was it about London, and not America that was in your decision?

Mohan Koo: 7:15

Yeah, that's a really interesting question. So I guess one of the big influences was, like I had, I had never been to America at that point in time. And, you know, I guess the perception, rightly or wrongly, was that the culture, the business culture, between the UK and Australia was much more similar than it was with the US. Second. Secondly, our competitors were coming out of the US. And so I felt like to give you an example, when we first started the company, the first professional funding, we raised way back when was 450,000, Aussie dollars. And it was such big news in those days that made the third page of the advertiser. Right. And, you know, our About six months later, our closest competitor in the US raised their first round of professional funding of 20 million US dollars. Yes, it's a it's a big difference, right? So you can imagine that, for them being at the doorstep of the biggest market of the world with $20 million in the bank US compared to us that is far removed from the the markets, the big growth markets in the world, you know, we were at a massive disadvantage. And so I think the cultural assimilation with the UK and, and a sense of being able to understand better the way they do business, and the fact that our biggest competitors were in the US, we opted to go to the UK and also, I think the UK Government were really kind of reaching out for trying to get other organizations to come and set up in the UK and so UK Trade and Investment really kind of helped us with funding and relationship building and stuff like that. So we've got a bit of a leg up from the UK Government as well.

Daniel Franco: 9:08

Yeah, brilliant. So where did where did you grow the business to today? Like you're obviously you're winning plenty of awards and getting noticed in in many areas as much as you want to keep that on a low on the low down. You know, recently, the Percy foundation Entrepreneur of the year of in Australia. It's not only South Australia, but Australia. You've you've obviously built this business and had some really great success. Can you tell us where you're where the business is at today?

Mohan Koo: 9:40

Yeah. So we were I guess from from a customer perspective is the easiest way to kind of understand where we're at today. So we have hundreds of customers we've been focused on the most difficult, largest organized causations on the planet. So for example, the top three banks in the world, you know, running our platform, you know, we're tracking and tracing what their people are doing with our data. Large telcos, government organizations, the biggest government agencies in Australia are running this, for example, we work with defense agencies. And so we have to be, we have to be able to do this at massive scale. And that takes time, right. And, you know, this is not by any stretch of the imagination, an overnight success story. And it's because you know, to do this, right, you have, it takes time, right, there is no way that you can shortcut the process of, you know, understanding cybersecurity, to the level that you can, you know, deliver at scale for the size of organizations, and deliver on what those employers need to have from a security perspective to protect their shareholders and to protect their customers. But also looking after the rights and the security of the employees. That's and that's, that's our passion, is finding that balance between employee privacy, and security of of the data that they deal with every day.

Daniel Franco: 11:22

Just a quick note, this episode is brought to you by Synergy. IQ leaders in enabling change, synergy IQ are the ones you call when the change or challenge seems so complex, and you don't know where to start. But more importantly, were the ones you call when you want to make a change that will actually last, if you want to check them out. It's at Synergy. iq.com. Today, you brilliant. So the businesses global though, as you set up in still you're in, you're now in the US in Silicon Valley, and you're still in London, is that correct? Any other locations across the world.

Mohan Koo: 11:52

So our focus is five eyes. So five eyes, for those that aren't aware, is the US, Australia, Canada, the UK and New Zealand. So that's a very strong intelligence alliance between those five countries and, and primarily, it has been that relationship, that allied relationship has been focused on the intelligence world. But now it's expanding, right. And so, you know, we've seen a lot of different initiatives, you've seen orcas, which is, you know, the, the alliance between Australia, the US and the UK being being strengthened. So, because of the of the the types of customers we deal with, we only deal with organizations that are headquartered in those five countries, they may operate in many parts of the world. And in fact, we have a number of customers that have operations in Russia, that are trying to disentangle themselves from that. And you can imagine all the different security concerns that are happening for those organizations. So, you know, once you start to understand the kind of level of operation that we have, and the types of organizations that we touch, you can start to understand why, you know, I take the, the seriousness of what we do, to a whole different level.

Daniel Franco: 13:14

It sounds like, through your just through your language that, you know, some shit that we don't know. And is that is how do you how do you handle manage that in your own self every single day?

Mohan Koo: 13:31

Well, you'd be surprised that I mean, certainly on a customer by customer bases are things that we see in the things that we, that we touch, and that we are privy to, is not stuff that we share. But in general, the things that we're seeing, everyone should know about. And, you know, one of the things that, you know, I've been advocating for for the past 10 years, at least, is, you know, organizations think that they can train their staff on cybersecurity by giving them you know, computer based training programs to run once a year and they tick the box and nobody pays any attention to that crap. It does. It's not it's not effective. Everybody knows that yet. They still do it. Yeah. Right. And what we've found is that, actually, if you want to engage people, and there is no, regardless that I'm a security software vendor, right? There is no silver bullet from a technology perspective. You know, anybody that thinks they can buy any software solution or any security application and deploy it and they are safe is completely misguided. Right? It's not about that. It's about changing the way people think and act that is truly going to protect all of us, right and truly going to be you know, we're in this era where our I relate to it by saying the human firewall, right, we need to engage every human being to think and act differently. I about the way they carry themselves, right? So I'm not expecting everybody to not have a social media profile like I do, right? That's an extreme. But when people post on social media, when they take photos that go to the cloud, right? Anything that is connected to the internet is accessible at any time, people need to start thinking that way, right? So when people tell me, well, it's okay that I post things on Facebook, because only my friends can see it. Or it's okay, I've got I've got controls on my Instagram account, right? That is just the most misguided information that has been planted in people's head by the social media organizations, that is not true. For example, Facebook, or matter, whatever it's called nowadays, which owns a whole bunch of other social media platforms, they have 1000s of employees, right? Yeah. Those 1000s of employees? Do we know what they're doing with that data? We don't, they can access it, where there's been, they can share it, they can leak it

Daniel Franco: 16:01

there's been examples of

Mohan Koo: 16:02

1000s of examples, right? And, and it's not examples of just people doing something with somebody's data. It's, like hundreds of 1000s of people's private information, right, getting into the wrong hands. Right and influencing our political system. Right, this is, it's pervasive. Right. And the problem is, it's not a it's, it's, the problem is that we're not educating individual human beings well enough about the importance of their own data, their personal information, right. And so what we're doing for companies and organizations that are trying to educate their people would cancelling out that whole computer based training thing, you have to protect the data of the company, and you have to protect the systems of the company, it's your duty to the company and to its shareholders and its customers. That's not effective. What is effective is when we train people to protect themselves, to protect their families, to teach their kids write, to teach their parents, right? That's effective. Because guess what, when I train you to think twice before you make that post to think twice before you take that photo and put it in the cloud, right? I'm also inherently teaching you to look after your family. But inherently that comes into the office. So when you when you go back to work that's ingrained in you because you're doing it by nature, not because you're told you have to do it. Does that make sense? Yeah. And then the more that we can do that, for the next generation coming up, especially for the next generation, that's coming up that's born with a device in their hand that's born with all these social media platforms. And I, I have to tell you, like, even though I don't operate in a social media world, personally, I operate within a social media world all the time. My three kids of varying ages, right, I have a, I have an 11 year old, I have a 17 year old and I have an 18 year old, right, and all the trials and tribulations that it brings to the table. Not once have I told them don't have social media platform, right? I ask them to think thoughtfully about what social media platforms they have, and use and why Yeah, I'll let them make their own decisions about that. But I'm very, very careful to teach them about what they post, who they share it with, and where they share it. And when they share it. Do you know what the consequences are? Because you might think that today, it feels okay for me to take this photo and keep it in iCloud or Google Cloud or whatever cloud but in 10 years time, when you're not 18 anymore, and you're 28 Is that photo going to come back and haunt you is that post that you made gonna come back and haunt you for these different reasons. People just don't think like that. No one's teaching him to think like that. Especially young people are in the mode of now, my life today, what makes me feel good right now. Right? But those things that they do can impact them in so many different ways if they're not aware. And so we take that principle that we when we work with large government customers or large banks or large pharmaceutical companies or whatever. We're always telling them that the journey is not about stopping people doing things or stopping data leaking out. It's about risk appetite. Do you understand as a business, what your real risk appetite is? Because everyone has to have risk, there is no business without risk. So once you understand what that risk appetite is and it's different for every organization, no two organizations are exactly the same no matter if they're from the same field or not. So once you understand where your risk appetite is, you say, Okay, I'm drawing a line here, this is a risk I am prepared to take to do business, this is a risk I am not prepared to take to do business. Once you understand what that line is, then you can start to understand, okay, these are the types of providers I will engage with not engaged with. These are the types of customers I can support, not support, does that kind of make sense? Those, these are the kinds of suppliers that aren't working for me, because they understand where my risk appetite is, and they're not going to tip me over that line. Now, if we teach human beings to behave the same way, understand what your risk appetite is, right? If you're, if you're not risk averse at all, then post whatever you want. And there are some people that are just like that, right? Like, they don't care. What people think

Daniel Franco: 21:01

it feels like a it's a tidal wave, right? The amount of stuff that is getting posted, do you ever feel like what you're what you're saying, You're fighting a losing battle, like, this just seems like a runaway train where people are just posting whatever they want, right now,

Mohan Koo: 21:15

look, I mean, our business is not the business of, of looking after Pete, the individual human beings, what they do online, but it's a personal passion, where the education comes from, it's where the education comes from. And if you do that piece, right, then it automatically transfers into, you know, employees in the workplace, which is, which is our bread and butter is serving large businesses and government agencies, the ones that actually store all our personal data. Yeah. And the intellectual property of the country, right. And so now, you know, a lot of eyes are on Australia, particularly because of our close proximity to China and our trade relationship with China. And everybody's kind of watching to see what we do, and how we manage that relationship. It's a very delicate balance. Right? So we're really kind of at this pivotal moment where we can actually influence like, I don't think there's anybody out there that that doesn't agree that cybersecurity is an important thing. You know, maybe three years ago, we had a big job educating people, no, this is serious people know, it's serious today, what they're not what they need help with, and guidance with his what to do about it. And it has to be really simple, easy to understand language that we use to communicate and teach people, right. Because, you know, for from the beginning of cyber, the cyber growth of the cybersecurity industry, we've created all this really strange language that people don't understand. Maybe it's because, you know, my predecessors wanted to appear to be the smartest people in the room. And actually, they were just creating a few words that people didn't understand. And we're now having to reverse engineer that and turn it back into easy language to understand, which is why I use the term risk. Yeah, right. Because everybody can understand risk executives at the highest level, understand what risk means to them. Right. And people understand inherently what risk is. So find that risk appetite, understand, where you are prepared to go not prepared to go. And then, you know, revolve your life around that.

Daniel Franco: 23:19

Who, there's a lot, there's so much in that. And thankfully, we've got some time today to explore it, I want to I want to just jump into the risk appetite element, where we know that cyber security and you said three years ago might have been a different story. But we know cyber now is all about risk management, right? And we know that it's not a matter of if we're going to get here or if we're going to get attacked, it's now a matter of when is that? If it's not, if it's a matter of when then is there a reason to be fearful? Is there a reason to be concerned? Like we can spend as much money as we want in security and cybersecurity. But if it's if it doesn't matter if we're still gonna get hit, what do we do in that instance?

Mohan Koo: 24:10

So fearful is the wrong response. Concerned is the right response. It concerned in a way that forces us to take some action right now what that action is, can mean different things to different people. But I will back you up because you said people realize that it's not a matter of if but when it's actually gone beyond that. The chance of you already being owned, is extremely high.

Daniel Franco: 24:44

When you mean when you mean when you say owned,

Mohan Koo: 24:47

meaning somebody has access to one of your devices, somebody has access to your email system, somebody has access to something digitally, that you use on your in your everyday life. Um, so criminals have gone from what we call opportunistic attacks to like kind of spray and pray we call it right where they just blast out a whole bunch of stuff to see what comes back, see who clicks on something, see who responds to an SMS, see who, you know, engages positively or negatively, because it's that engagement that triggers them to be able to put malware on your device, or something, I'm just using one, one simple example. And whether it's a business, whether it's a government agency, whether it's somebody's personal acts access. It's so pervasive these days, that the criminals have gone from being opportunistic to being very clever and targeted about how they do things. And so many of many people that are just not familiar with how to kind of that risk appetite, and not to do certain things they already have have been infected. You know, many of our devices, let's say there's 10 people in this room, you know, at least two of them, will have some malware sitting on their device somewhere, whether it's a laptop, whether it's a personal mobile device, whether it's something else, right. And, and the criminals are getting more patient, right, because they know that we're getting smarter about how we, how we detect and how we respond to things. So they're trying to stay in the background. And they're trying to wait for the opportune time to turn to we call it weaponize to weaponize that bit of malware that's sitting there doing nothing that you don't even notice is there until they do something,

Daniel Franco: 26:41

how do they get it? They're like, what's this

Mohan Koo: 26:44

there's tons of ways to get it there. So, you know, in the, in the industry, in the kind of enterprise security space, many, many people are familiar with the term phishing with a pH and underneath, right, which is, you know, and again, we caught like, the early days of fishing was spray and prey, where they would send out these phishing emails to millions of people randomly, and just see who clicked clicks on the link. And you only need 0.1%, to click on that link for you to infect them. Right and in. And this is happening all the time now, not just for businesses, and governments, but also for individuals where, where they turn that into a ransomware attack, where they can lock your device or lock the entire company's hardware systems. And say, you will pay me a ransom if you want it to be unlocked, and organize lots of organizations that didn't have their basic fundamental backups, processes in place that they were locked down. There's examples. There's local examples here in Adelaide of companies, you know, big companies, doing billions of dollars worth of transactions, that got their systems locked up and had no idea how to back out from that situation, no idea how to continue serving their customers on a daily basis. And we're in disaster mode, like emergency businesses going under mode after having been around and very comfortable and very profitable for decades. So it happens. And it's now happening to individuals.

Daniel Franco: 28:24

So what in that scenario, what happened? How did they get out of it, just out of curiosity

Mohan Koo: 28:29

So without mentioning any name, this one organization and and the the CEO is, you know, a real advocate now for cybersecurity, because she didn't really understand it that well, until this happened to her. And now she's out there talking behind closed doors to other organizations say, this is what happened to us, it can happen to you, you know, here's how we recovered from it. And for for her, she was quite lucky. Because what she had to do was she had to, she had to go and speak to she literally get on the phone to ex employees who had, you know, overtime, left the business, but that built her technology stack. And she had to go back to them and say, I don't know how to undo this, I don't, I'm gonna have to either pay the ransom, which we can't afford to do. And I don't want to, you know, give the criminals a win because that means they'll do it more often because they got a win out of it. So I don't want to go down that track. So therefore, the only way I can get out of this is to rebuild my IT from scratch. And I don't have people in my business today that know how to build those systems because they were built by other people who are now working for other employers. She had to personally call each one of them and say, Would you come and help us for the next seven days? I'm asking you for a massive favor. Right? And I'll sort it out with your employer, like can you talk and literally all of those people Paul came back. And they slept in the office seven days, they rebuilt the IT infrastructure from scratch. Yeah, imagine that. That I mean, that is

Daniel Franco: 30:11

sickening. That is sickening. I've actually like feel you,

Mohan Koo: 30:15

right? Yeah. And that's not an insignificantly sized business. Right? That's hundreds of employees serving 1000s of customers across Australia. So you can you can imagine what goes through the minds of the board of directors, shareholders and the CEO.

Daniel Franco: 30:32

Well, that's, it's a very good point when we talk about boards, right? Like, a very good friend of mine. Connor O'Rourke, his name is he's been on this podcast a few times once. And we've been brought up a few times. But he, he runs a IT firm that specializes I do a lot of work in the cybersecurity space. And I said to him, I've got my camera on tomorrow, throw it like, you know, what are you? What are your thoughts because he knows the subject better than most. And he said, I'm just quoting him, he goes, I'm the ISP certified. I've got ISO 2000 27,001 certified and ASD essential eight mature yet I still worry about getting cyber attack every single day. And he said, If boards aren't talking about this at every board meeting, then there's an absolute real threat, they will not be around in five years time. Do you support that is unquestionable. And so? How? So if I'm, if we're saying they might not be around in five years time with this scenario that you've just given? They will manage to get out of it. Right? Is that not just the option that they just have to go through a lot of shit to get out of it? Or what does it mean, when I say someone won't be around? How does that work?

Mohan Koo: 31:51

Look? So so? It's, there's this false misconception. And look, I will say boards in Australia, have matured in their thinking towards this a lot. Yeah. Right. So I would, I would say, definitely, from an ASX 100. perspective, my guess would be at least 50% of those boards will be across this to a certain degree. Now. They understand the extent of the problem, they understand how much it can impact their business. Yes. ticking the box. The question is how much they understand about what to do about it. And there's still a misconception that you can buy tools and hire people. And you will have ticked the box to solve that problem and protect the business. That's not true. And that's coming from a vendor that sells these products. Yeah. Right. It's, it's about having a preparedness plan. That's what this is about. Right? So when I say a preparedness plan, it's it's not? Am I gonna get attacked? Yes, you are gonna get attacked? It's how quickly I can respond. And, and how prepared I am to make the right response. Right. So what we're talking about is a communication strategy. So when we get hit, of course, we've got the technical means to recover from the hit. Right? That's, that's for sure. You've got to have that. But that's just a very small part of the challenge. Communication is probably the biggest challenge, right? It's, do we have the right people in our business that know how to respond to a our employees to give them the comfort? And, and and know that we are on top of this? And we need your help to do this, that and the other? Because it's everyone's responsibility at that point in time? Does our CEO know how to interact with our shareholders, our customers, how quickly do we react, to be able to notify our shareholders and our customers, you know, the regulators? The Australian Government, the ACSC, the earlier you can involve them in the most seemingly smallest of incidents is to your benefit. The later you involve them? It is to your detriment. Right, like, because if it's something that you think is pretty simple, but it turns out to be pretty significant. Yeah, then you're in deep shit. Right? But if it's, if it's, if it's, if it's simple, they can just tell you, you don't have to be as concerned about this as

Daniel Franco: 34:42

the constant reader, right? Yeah. Yeah, front in front of mind front of mind. So, like in all that, I mean, you've given some really good examples and ideas that boards can be talking about. But what what about smaller companies in this like I I run a businesses go 20 odd people compared to an ASX business? I don't have the security Yep, it people sitting in my business I use another company. But what what can what can the smaller businesses do in these scenarios?

Mohan Koo: 35:16

Yeah. So I go back to the point that we were discussing earlier, which is, it's about the human firewall, right? It's about making sure that each and every one of the people that touches your business, not just your employees, but your supply chain, too, because, you know, you're only as strong as your weakest link. And so anybody that's touching your business, are they as individual human beings, as protected for themselves as they can be? Are they? Are they aware of the things that they do? On a day to day basis? Are they aware of the consequences of not getting it right of not thinking twice, before you click on something of not thinking twice, before you send something of not thinking twice before you send something up to Dropbox, and share it with a third party without protecting that link? Right, these are all ways that criminals are looking at, to try and take advantage of an individual to then take advantage of, of other of an organization, and then to use that organization to take advantage of other organizations that they do business with, because that's how it works, right? The supply chain, you know, today, you know, criminals are smarter than they used to be where they would if they're targeting company, a for whatever reason, whether it's to steal intellectual property, or get access to some customer record, or whatever the case may be, if they're targeting company a five years ago, they would just go straight off to Company A, and they might do some socially engineered social engineering around some of your employees to get into your systems. Today, they know that's too hard, because Company A knows they're a target. And they've put up all these defenses. And they've trained their people, I'm going to go off to Company B, which is a tiny little supplier that serves Company A because I can get onto their systems and then navigate sideways to get into that. And that's that's where this gets more difficult. So

Daniel Franco: 37:11

the government recently, as I know, there's been some recent issues that we've got within government

Mohan Koo: 37:16

Constant, constantly. Yeah, there's ones that we hear about in the news, and there's lots that we don't hear about, right. And that's, that's not just our government, that's every government. Right? And, you know, we spoke about phishing before, right? Like the spray and prey type attacks? Well, not many people are aware that those opportunistic spray and prey attacks have become much more targeted. And we call that spear phishing, right? It's exactly what it sounds like, right? It's now a much more targeted approach, where a spray and prey phishing attack before was just a randomly worded email that you can tell straight away that this is not. For me, this is a random kind of a thing, even though some people click through to. Today, it's an email to Daniel Franco from Mo. That looks exactly like the way I normally type using exactly the same abbreviations that I normally use with my exact email signature about a topic that you and I are conversing about. But it's not from me. That's scary. Yeah.

Daniel Franco: 38:22

It's just always check the aim at email address, don't Yeah, yep.

Mohan Koo: 38:25

But today, they're pretty clever. They can ask that too. Right. So it's, you know, there's certain situations that even the most adept like, you know, I've been doing this for 20 -23 years now. Right. I can be fooled by that. I have been fooled before, but it's, it's not just complacently complacency, because now some of them are getting so good, right, that you just can't tell you like it's the chance of them succeeding is so high that we're like sitting ducks. So that's where the systems and processes that follow and the response plan, the preparedness strategy have to be very good because we are going to get, we are going to get that situation.

Daniel Franco: 39:13

So thinking about going back to the training of the individual people, there's this the Hayward's like zero trust approach gains thrown around, can you can you elaborate on that for us if you can,

Mohan Koo: 39:24

yeah, so the zero trust approach is, is literally I really don't like the term because, you know, the, the whole thing that we're trying to influence is trust, right? Like the the more trust you can build inside an organization and with people that you do business with, inherently you're going to get better engagement and therefore they are going to have a sense of responsibility to the organization. And so we try to build trust. However, zero trust has been is a is another new term that the cybersecurity industry has put out there and what it effectively means is, you know, don't trust anybody unless you have to. And then you start to work out from there and you start to open up systems from there. It also it refers to the fact that we know that we've been owned. So now respond from that mindset. So you know how you said, it's not a matter of if it's when zero trust is all about. Take it from the perspective that we are owned right now. Now, what do we do? Yeah, they're inside. They're there. They're within our organization. They have infiltrated, they are here. So now, what does that kind of makes it does?

Daniel Franco: 40:41

It? It seems a lot though, right? It seems. I mean, it it's, like, it's a really good option for businesses to think that way. Because it means they're thinking front and center, they're thinking a few steps ahead. They're playing the game of chess, right. But for those who don't have the knowledge, and who are have smaller business that

Mohan Koo: 41:03

don't have that risk, I'd have a completely different risk profile and risk appetite,

Daniel Franco: 41:07

it becomes becomes quite difficult. So I see here as a leader of a business going, Wow, there's so much I need to do, but I just don't have the time, the money, the power, the influence, or whatever it is. Yeah, to do that. Yeah. what can what are the most basic essentials that you from a health point of view from a business? What that especially small business? Or medium? non for profits that listen in that sort of space? Yep. What, uh, what can we do at that level? To just ensure the basics are covered?

Mohan Koo: 41:43

Sure. So you mentioned before a mate of yours that that has an IT company, that's, that's doing some cybersecurity stuff. And he mentioned to you essentially, yeah. So essentially, it is a great spot to start. And it is about the basics. It's about hygiene, right. So everyone should know and understand what the essential aid is, and start to build that as their foundation is by no means you do the essential aid, and then you're done. Yeah, right. That's just the basic,

Daniel Franco: 42:13

is it? Is that something you can quickly just sort of jump through? Well look,

Mohan Koo: 42:17

for an aid, for example, basic patching, right? So making sure that you're, you're in a small organization of 20 people, you're probably not going to have centralized IT systems today. Everyone's just you buy him a laptop. Yeah, you give them Wi Fi access, and they're off to the races, right. Yeah. And that's pretty much you know, that's the SAS world that we live in, right. We're all running SAS application, so on and so forth. But there's, you know, in those sorts of scenarios, right? It's important that, again, your staff are that human firewall, and they're thinking through these things, they understand the basics that need to be done like patching, right? Keep our applications and the software that we're using, keep it up to date, because the older, the longer a piece of software code has been sitting there, the more vulnerable it is, because it's given the bad guys a chance to reverse engineer some of that and get some code in there. Right. So so the, that's just one example. So the hygiene of basic patching is something that lots of organizations, especially small medium, businesses just don't do. Because unlike, say, in my company, we have a centralized security team, and they push patches out to us. So we don't even have a chance to not patch because it has to be patched. In small, medium organizations, you don't have that so that I go back again, to the most important thing, is getting people to think for themselves and practice their own basic hygiene from a digital perspective, because then it's automatic that they do that, for everything they touch in the business. Does that make

Daniel Franco: 43:49

sense? It does. You know, one thing that's

Mohan Koo: 43:49

Of courses it is, course it is always really interests me is the it's the companies like yours, which are cybersecurity experts, the people within them who understand and our integrity comes into this right, this question where I'm about to ask, but the people who are in them understand all the loopholes for some of these biggest

Daniel Franco: 44:12

And so how do you go about mitigating that? How do businesses. So you talk about Facebook, and that giving people's data away? Is that not something that is of concern to security we know that security companies are doing the right thing by the big companies that they

Mohan Koo: 44:32

Yeah, and look, it's a difficult one, right? But you know, this is where reputation becomes everything. Yeah, right. Which is, which is why for me, I'm personally extremely risk averse in the digital world. Like, I take a lot of risks in my personal life. I like to have fun and it's fun. Yeah. But when it comes to the way we operate our business, I'm extremely mainly risk averse in the security industry, you know, you would assume that they eat their own dog food or drink their own Kool Aid or whatever term you want to use. But not all of them do. Right? So, you know, for us, because of the types of, of, of organizations we partner with, we have to be whiter than white. And we have to be very clear about who we do and don't do business with. So there's many, many organizations that come to us for help, that we actually we'll turn away, because they don't fit the profile of our risk appetite. Does that make sense? Yeah. So which is why for us, we only deal with five eyes headquartered organizations or, on occasion, organizations that operate within Friends of the five eyes. Okay. Right. And, and that's by design. And now, that doesn't mean to say that, you know, if you're, we're only employing people from those organizations, that they're all going to be good people, and they're not going to do anything wrong. No, by no means at all. Right? You, it is one way of de risking the organization, because within the five eyes, we can we have a better idea of an understanding of who these people are, what their backgrounds are. But we do drink our own Kool Aid. Right. So at my company, we use our own technology internally, we everything that our customers use us for we do that internally. And we are our own. Yeah, test case.

Daniel Franco: 46:39

I'm not questioning the integrity of your company and whatnot. It's more about there's the individual, I always think about the individual, the person who's creating these hacks and phishing schemes. Absolutely no, the cybersecurity world better than anyone says typically might be someone who's actually on the inside, you know, but we could go down a rabbit hole in that space. I am really interested in just more so the the common mistakes that companies might make, like, is there a sort of, really two or three that might come to mind? I mean, you could we could talk common, there'd be hundreds, right? But is there two or three that come to mind every single time when we talk about the common mistakes that we see?

Mohan Koo: 47:22

Yes. So the number one thing that pops up when you asked me that question is compliance. Right. So I'll just call it for what it is right? In our country. Energy companies are grossly behind the curve. And sometimes, the regulation, which is meant to kind of drive these organizations to a certain standard, have completely failed in the approach. Because what they've done is they've created a checkbox exercise to say, if you check these boxes, then you are good. But those check boxes are so outdated. And all of those all those regulators have done for the industry is teach those industries that I don't care about anything else, if I've checked those boxes, we're good, we go forward, and I'm going to take the minimum steps that's required to check those boxes and not spend a cent more than I have to check those boxes. And guess what, it's those organizations that are our utilities that serve us our electricity, they serve us our water service, our water, that handle our sewerage systems that, you know, these are organizations, that one thing goes wrong, right, we're all in trouble. And it disrupts the entire safety and security of the entire citizen population give you one example. Florida Water Treatment Plant. Some people have heard of this, others haven't. But it's a publicly available story. Someone was able to hack into the Florida Water Treatment Plant. And they were attempting to change the concentration of some type of I don't know that the exact details but some type of mixture, like they treat the water with different chemicals and certain things to, you know, make sure that there's no bacteria and so on and so forth. But they change the pH levels to a level that it would be toxic for human consumption. And the only way that this was stopped, was someone happened to be walking past a computer screen. And at the point that they were walking past that computer screen, they saw the mouse moving without someone sitting at the desktop. Wow. And they went well. That's weird. How's that? How's that mouse moving around, and then called it it checked it out? They found out they'd been hacked. Now that individual if would have got away with it. Yeah. Now the only thing that's stopping that from happening anywhere else, any other utility power can be shut down overnight. I'll tell you a story about that. Right? Power water. Two basic things that humans nowadays can't live without. Right? We are so vulnerable. And the only thing that stopping an attack like that happening is motivation. It's the only thing. There are criminal groups out there. Terrorist groups out there, nation, state actors out there that already know how to compromise those systems, and could do it right now, if they so have the motivation to do so. And yet, our utilities and energy companies are so far behind the eight ball, and it's not their fault. It's the regulator, who is so outdated and not up to speed with the requirements of modern day.

Daniel Franco: 51:01

It seems like the regulator's sends out those constant patches that you're talking about, in updating their their information, we did a I used to work in a utility, and we didn't we hear that synergy IQ did a big program with with a certain utility. And one thing that I remember, was part of the dialogue when we when we worked with him was, let's like it's SA water here in South Australia. And we, we we talked about the purpose of the business as a health regulator, right, like because at any point the water, the water system can get infiltrated. And not only that the sewer, right? Stops disease. So it's about keeping people on keeping the community healthy. And yeah, at any point, you can infect 1000s and 1000s, if not 10s of 1000s of people from one push of a button potentially. Right. So let's hear it. You talked about an example from a utility perspective. Could you share that with us as well? You mentioned the power example.

Mohan Koo: 52:03

So here in South Australia, we have the highest penetration of rooftop solar of anywhere in the world per capita. A lot of people don't know that. Right? So the South Australian big, big mission, and we've and we've gotten there. But cybersecurity is often an afterthought. And it's the responsibility of the manufacturers and the energy providers to make sure that we're protected. Ollie. So I'm, I have a Tesla battery. I'm connected to the smart grid. I'm feeding into the smart grid all the time, every day. And has anybody come to check the security of my home internet? That's connecting my Tesla battery to the smart grid? Nope. Does anybody know how easy it is? To get into my home Wi Fi? Even though I'm pretty good at what I do. It's easy. There's like hundreds of people in South Australia that know how to hack my Wi Fi today. Guaranteed.

Daniel Franco: 53:14

Right from outside the front of the house. Yep, yeah.

Mohan Koo: 53:18

And so And there's other ways they can do it as well without being in front of my house. But so the point is, the only thing that's stopping that is motivation now to shut down the grid is not that difficult to do if you can get access to the to people's homes like that because all you need to do is to take all of the battery that's the all of the power that's stored in all of those batteries in our houses and dump it to the grid all at the same time. So we have to do what it would bring the grid crashing down

Daniel Franco: 53:51

feel like you're giving ideas to the people out there.

Mohan Koo: 53:54

You have no idea why they already know but wouldn't they

Daniel Franco: 53:57

get caught? Is that what is that with a moment lack of motivation comes from this simple fact that they could do it but they just gonna get caught

Mohan Koo: 54:05

that's the perception there's some pretty clever smart folks out there that know how to cover their tracks as well

Daniel Franco: 54:13

and would would it be the motivation be just to damage it wouldn't be a financial motivation thing would it?

Mohan Koo: 54:20

Well, who knows who who actually knows could be politically motivated could be financially motivated could be disgruntlement could be you know, humans are strange cats. Right? If you look at if you look at the, you know, terrible example, but if you look at the single shooter incidents that happened in the US and the volume of these that are happening today, one incident the individual, we should have detected it over weeks and months from the things that they've been posting online. Yeah. And yet they still go and do it. And another individual you would never have guessed Right. So there's there's humans a different like we they do strange things is sometimes not the patterns of behavior. You just can't You can't see it that way, right and so. So again, preparedness is important, right how you respond. So, of course, how you detect how you defend, how you respond. Those are the things that we need to be cognizant about.

Daniel Franco: 55:25

We were touching on the power. And I remember last time we spoke that really caught my interest was an external country owning our power utility,

Mohan Koo: 55:42

not just our power you like a lot of our most sensitive critical infrastructure, entities are foreign owned.

Daniel Franco: 55:51

Is that a concern? What do you think? Why is it such a concern? Do you believe and is there a way that we can wrangle it back?

Mohan Koo: 56:03

Well, look, that's probably more of a question for ASIO and an ASD. But look, it does make me personally extremely uncomfortable, that we have ports that are owned by foreign entities. We have power shipping ports, you're saying shipping ports, we have power companies. We have other types of utilities, that in times of geopolitical harmony doesn't make a difference. In times of discord. That's a bad situation

Daniel Franco: 56:49

feels like we're the pawns on a chessboard, right?

Mohan Koo: 56:53

Yeah, we are. If we choose to be. And previous governments have allowed that to happen, for whatever reason, and I'm sure they had good reasons at the time. But it certainly seems absurd to me, that we would ever allow that to happen again.

Daniel Franco: 57:13

Are you suggesting that some of these countries that do own these specific businesses and organizations and ports and utilities? Are you suggesting that they're playing the long game here? Is its

Mohan Koo: 57:29

basic geopolitical strategy? I mean, it's just look at history. It is.

Daniel Franco: 57:35

So what can we do to not be put into checkmate?

Mohan Koo: 57:43

Well, I think we, again, we need to uplift everybody's awareness, we need to uplift everyone's understanding of what matters. And you know, there's the forest principle, see something, say something. Right? If we can teach all Australians to do that, then we as a country, are as safe as we could ever be. Right? Because that's the best thing you're ever going to get. Right? Doesn't matter about speaking what technology you've got, and how many security engineers we've got and how many security companies we've got protecting us. What really matters is the citizens. That's what matters, right? And the more people that will see something and say something, the more alert, we're going to be to these things, right. And so, you know, that's why even though we're focused on enterprise, and protecting businesses, and governments and things like that, it always comes back to the people, people are at the center of everything. And if you and unfortunately, the cybersecurity industry has left the people part of it to last, right, they've, they've left that to last. But if you're, if you're focused on the technology problem, you are only solving for symptoms, and you're to use the US terminology, you're playing whack a mole, you know, there's always going to be symptoms that you're trying to whack down and more are appearing. But if you go back to the root cause, and you solve the root cause, which is always human behavior, which is the most difficult thing to solve, and that's what our business has been really, really focused on is understanding the human engaging the human in a positive way, in a positively impacted way that they then become that human firewall, for the business, for the government, for the country, for the planet, then that's the best possible position, the best possible outcome.

Daniel Franco: 59:40

I love. I love the slogan of your business, which is, you know, the difference is human and you talk a lot about the human behavior is there. And we have spoken about it and it seems like we just always end up back here and it all starts with the individual. We touched on the social media Your aspects we touched on every individual just being curious, right? And obviously the forest principle. What about those who are looking to build and promote themselves through a marketing point of view, the social influences that we're in, it's a legitimate business for them to constantly grow. We, as a business, use our social media channels to help promote Yeah. What's the what's your idea from a marketing perspective of how businesses could be a little bit more conscious with some of the stuff that they're putting out there?

Mohan Koo: 1:00:37

I think it's, I think it's less about the business aspect of social media, and much more about the personal aspect, right, like, because people are pretty thoughtful, when they're running a business on social media, they're pretty thoughtful about what they put out there. But they have this perceived thing is my, the reputation of the business is important. So I'm going to be, I'm going to think twice, but thinking posts that thing, but when they're just doing it, like snapping things on their day to day basis of what they're doing with the kids on the weekend, or, you know, what they think about a political statement or whatever, right? Like they, they just tend to shoot from the hip when it comes to personal posts, and

Daniel Franco: 1:01:17

they could make an error of judgment, is that what you're concerned? Yeah,

Mohan Koo: 1:01:21

or could put something out there that makes them a target, right? Or put something out there that can be used against them. Right, like, like, never underestimate the nefariousness of the bad guys, they do not care about how what they do affects your life. You've seen like NDIS scams, and like people ripping like blatantly ripping off disabled people that need the NDIS to survive, they scan their money, they don't they don't care, right. And if you put something out there, that exposes you in a way that they can take advantage of that and, and use it to coerce you into doing something for their personal benefit. They will. And so people don't think of that

Daniel Franco: 1:02:13

one of those scenarios, though, like that, you would I mean, you're not on social media. You would obviously

Mohan Koo: 1:02:20

not, there's lots, right. So think about it from a social engineering perspective, right, like, so people that are really easy to socially engineer are those that have instability in their lives, whether that be I had no financial instability, whether that be a gambling problem, or some kind of an addiction, or, you know, if they're having extra marital situations, you get the picture, right, like anything that I can use against you, that's going to embarrass you, or, you know, make you uncomfortable, and you don't want to go through that. So you'd rather just pay these guys and shut them up, or go and steal this bit of information from your company and give it to them as a one soft, so they go away and leave you alone, or, you know, if you're in a financially difficult situation, right? Super easy for them, rather than for me to hack your company. If you work for this big telco or this big bank, right suit much easier for me to be able to pay you a grand a month, just slip me a bit of information or stick this USB in a drive or whatever the case may be, then for me to have a whole team of hackers trying to break through firewalls, and etc, etc. And, in fact, the company Yeah, well,

Daniel Franco: 1:03:39

right. So that's actually just another whole interesting point that people's businesses and their employees could have been infiltrated through another means

Mohan Koo: 1:03:50

happens all the time happens all the time. So we, we have seen situations where we're working for, let's call it a big telco in the UK. And we actually caught an individual inside that company, a trusted insider in that organization. That was that was taking sensitive data about so they were a sell station engineer, right. And how we caught them was, every time their line manager would send them a task to do, they would actually Google how to do that task. So they didn't actually know how to do their job. And yet they were in this very serious position where they had access to very sensitive data. And when we reported that back to the company, so this is unusual, right? unusual number of Google searches around this specific engineering topic has led us to what is this person doing? Okay. When we reported that to the CIO, went to the CIO. He checked out who is this individual? Oh, he's not an employee. He's a contractor. But it's okay. He's contracted by this big contracting organization that we use for all our contractors. So should be fine. goes and talks to the CIO of that contractor firm. Oh, he's not our employee. He's a contractor. So contractor of another contractor, yeah, right. And then the third hop, we look into it. It's a retail store that doesn't exist that he's actually employed by. That's very strange. When did he start working for the contractor, a contract B, and then contract the C 18 months, was the period at which he had worked to be planted inside our customer organization to get access to the data he now has access to? So that's, that's what I'm talking about. That's the long game. Now. We consider that to be the long game and getting paid for it and getting paid for it the whole way. Right? Yeah. And we consider that to be a long game 18 months, and and navigating your way through those hoops to get to there. But the longer game is being played by nation states, where they're thinking 20 30 years from now, where they can have advantages over Australia and our allies in terms of intellectual property that they can harvest right now, that will put them way ahead of the game, you know, 10 years from now, right? When you're talking about AI and machine learning algorithms, when you're talking about all kinds of these future technologies, space, nuclear. Now, you kind of see what we're talking about, about the long game and the seriousness of the situation.

Daniel Franco: 1:06:48

What is, so there's so much Oh, my God, there's so much in that one thing alone. And you want to go back to the person who infiltrated the company, right? So I think the take the key takeaway from that would clearly be the checks and balances, right? Like, make sure you're checking out your contract as a sub 100%. That's the supply chain. And

Mohan Koo: 1:07:09

he's so this is a project that we're doing at the moment, which is really, really exciting. Actually, it's called continuous vetting. Right. So you must be familiar with for anyone who works for defense, they have to be cleared. Alright, so you know, the clearance process is difficult, right? So if you go want to go and work for a big defense contractor or for the Australian Department of Defense, you have to get a clearance, different levels of clearance, obviously. But even the basic level of clearance, there's a lot of scrutiny that happens. They do all these massive background checks. Sometimes it takes 12 months, 18 months to go through that clearance process. But then what happens once they're cleared, and they're employed.

Daniel Franco: 1:07:52

Bau isn't a good Bau here, right,

Mohan Koo: 1:07:55

we trust them. They're good to go. Yeah, right. And maybe every couple of years, there's a check in point where there's a circle of employees. Exactly. Now, here's the thing about bad insiders. They weren't always bad, right? Even if a bad insider, or an what we call as an insider threat. They, most of those were good people that have just made bad choices. And that bad choice doesn't come before they were employed, it comes off that by and large, you know, and people make bad choices for all kinds of reasons. They're inherently good. Of course, there's some people that are inherently bad, but they are so few and far between. By and large, people are good, they just make bad choices. So what we're all about, is trying to minimize the environment where people make bad choices, right? By influencing good behavior, based on the fact that our employees feel trusted, respected, protected, and valued. Because when you got those four things inherently as a human being, you feel happy. You feel good about what you do. And if that's the case, you're emanating positive energy around you, right? It's very hard for that negativity to take hold. Does that kind of talking aspirate?

Daniel Franco: 1:09:25

Oh, well, I think what I'm hearing so what were those four again, that was protected,

Mohan Koo: 1:09:29

trusted, trust, respected, protected, and valued and value? Those are the four things

Daniel Franco: 1:09:34

and so effectively, what I'm hearing is that is the the genetic makeup of an extremely good culture. Exactly. The business culture is everything. So that was going to be my next question is, how important is the culture of a business in protecting itself?

Mohan Koo: 1:09:51

It's the number one most important thing you can do away with every other every security tool that you've got, you can do away with all of that crap. If you have a culture that feels trusted, respected, protected and valued, you are going to be the most secure you could ever be.

Daniel Franco: 1:10:07

Okay, can you elaborate on? How do companies I mean, this is what we help companies get to right. Can you elaborate on the level of thinking from a leadership point of view? Around your your comment right then?

Mohan Koo: 1:10:23

Well, I mean, look, there's particularly after the start of the pandemic, there. There was this, thought that now that all my workers have gone home, and they're working from home, I've lost control of lost visibility. And I feel nervous about that. What are they doing? Are they actually working? Are they have they become a risk? Have they become an insider threat to me? Right. And the knee jerk reaction by a lot of employers was surveillance, completely the wrong approach? Because if your people weren't feeling alienated, before, once you take that surveillance approach, they will definitely feel alienated, then. Yeah. And guess what you're doing, you're creating that feeling of discontent, and discord, and that the exact thing that you don't want to happen is going to happen, because you've now put people in a nice coat on,

Daniel Franco: 1:11:31

and now they're thinking, why don't really care what happens, because I don't want to work here anyway. Exactly. This is none of my concern, or Yep. You know, stuff head office, you know, yeah, it's common. It's so common.

Mohan Koo: 1:11:45

And guess what, when you're thinking that at that point in time, and you get approached by someone externally, that says, I know exactly how you feel, right, here's an opportunity for you to fight back. Right, and make some money at the same time. At that point in time. Aren't you more inclined to go? Hell yeah. Why not?

Daniel Franco: 1:12:06

Yeah. Right. Well, it's, you'd hope not right. Hope not.

Mohan Koo: 1:12:11

But unfortunately, that's the situation.

Daniel Franco: 1:12:12

We're dealing with the masses here, aren't we? And I think that's the reason why I asked the culture question is that, because you're right, like if you're, we often talk about being inspired and being fulfilled and feeling safe. Is is critical to to the success of a company. If you're not feeling those things, then then you're more likely to do things that are done against the grain go against the values of the company, that go against the vision and the mission of the company, for your own benefit. Yep. So a shout out to CEOs who are listening in and leaders of companies listening in, when it comes to cybersecurity, you're saying culture is number one,

Mohan Koo: 1:12:58

number one, absolutely, unquestionably, number one. And I will say, I'm extremely proud of Australia's ability to take that concept, all the way to the bank. Right? Because interestingly, and this is a bit of a gross generalization. But interestingly, from a technology perspective, put aside cybersecurity for a minute. From a technology perspective, Australia has always been a little bit behind the curve, right, because by and large, again, gross generalization by by and large, it's true, though, new technologies get invented on the West Coast of the US, Silicon Valley has been the hub globally of where that stuff gets invented. And then over time, those technologies get adopted across the US. And about a year later, New York and DC comes online with those technologies. And then about a year later, it makes its way around to London, and then across Europe. And then by the time it drops down to Asia Pacific and Australia. We're three years behind. Right? That is in cybersecurity. Three is behind a lifetime, like you, you're not even up to speed. So what I'm really

Daniel Franco: 1:14:10

still proud of on the Atari.

Mohan Koo: 1:14:13

Exactly. And so what I'm really proud about is over the last sort of six years or so, Australia has leapfrog everyone else because we recognized early on, and this is, this is a big shout out to, you know, our government and, you know, industry organizations that we've grasped that we've gone, we are behind, and we can no longer afford to be behind. We're going to get behind this mission of cybersecurity, and we're going to make Australia. You know, this is a national security initiative that we must get right. And over the last six years, which is a relatively short time to change that trend of always being behind the curve. We've actually been able to jump through education, engagement collaboration, we've actually been able to move that needle forward to the point now that I would say Australian organizations get that cultural thing much better than a lot of US companies and a lot of European companies that are still struggling and go down that surveillance route and kind of take that intrusive approach of deploying something that's really spooky, where they're even kind of looking at videos of people and logging all their keystrokes. And what a terrible, terrible approach to try and drive efficiency, you are going to completely destroy your business over the medium to long term. And Australian organizations have really kind of taken that on board and said, Okay, let's do this the right way.

Daniel Franco: 1:15:36

And I want I want everyone listening to know that they're not just going to destroy their business, from the point of view of cybersecurity, right? It is just, you cannot command and control is not the way in which we work anymore. There. People are more connected to purpose. They're connected to coming in to work every day and feeling like a valued member of a community or business or whatever it might be.

Mohan Koo: 1:16:01

And we've actually already seen that in the US with the great resignation. Yeah, correct, right. People don't want to work for companies that don't have that principle that are inherently doing terrible things and managing their people in a terrible way. And the thing is, person A is not the same as Person B, and will never be the same as person A and B, and you don't want to develop robots. That's not what we want. You know, the best way to drive people as an asset, not a liability is to respect that you're an individual. And as an individual, you have your own personality, you have your own ways of working. Let's encourage that.

Daniel Franco: 1:16:39

Yeah. Yeah. There's, there's when when the culture is in check, then there is less things that can go wrong. Yeah. In regards to cybersecurity, yep, for example. Yep. I am conscious of your time, I know that you've got to shoot off shortly. I do want to, I do want to ask you, because you've you've got a few sort of really strong opinions around, you know, current state, then for Nation Security, all the above. I want to just pick your brain. Do you fear for the position of Australia moving forward?

Mohan Koo: 1:17:24

No, I don't actually I'm really encouraged by the last couple of years. And you know, I moved back to Australia, just pre the pandemic, and what a good move. I'm so glad I did. But I'm really, really encouraged by the way that we are taking a bit of a leadership position or thought leadership position and being able to mobilize quickly as a country. And I think the difference is that Australia, well, it's a big geography, right? Like it's a big landmass. It's actually quite small in terms of the number of people when you compare it to the likes of Europe in the US, right, or even just UK and the US, for example. And so what it means is, we can actually put our arms around the problem. And we can actually get people in a room pretty easily, and actually have the conversation and say, Okay, what are we going to do to shift the dial, and we're doing that, like, you know, industry organizations, academic organizations, government organizations, we're all getting together. And we're sharing ideas, we're sharing thoughts, and we're saying, let's not just have a talk fest here, let's actually deliver projects and programs of work that are going to shift the needle forward. And let's come together and pull our resources and our knowledge and our and our, our technologies and our thinking, to further the mission together, because we are all on the same mission. And that's starting to really resonate. And it's that collaboration piece that is really moving the dial and other other countries like the US while they have that mindset to want to do that. It's such a bigger ship to steer. And even just in government, you've got all these different agencies that have their own ways of thinking their own kind of initiatives that they're working to, to get them together to collaborate like we do here is very difficult to know.

Daniel Franco: 1:19:20

You must want to pick up America, turn it upside down, shake it out and start all over again, in some ways, because it'll get successful they've been it just seems so

Mohan Koo: 1:19:30

just because it's because of the the sheer population, right? Like it's, you know, we we have that advantage here that we don't have that that that that behemoth to manage, right. It's still there's still work to be done. It's still you know, there's still politics to navigate and all that stuff, but it's, it's, it's, it's feasible to put your arms around it and move it forward and we are doing that.

Daniel Franco: 1:19:56

So looking forward it's your, in your opinion with the current approach and the current desire to improve, and put our arms around the problem and work together, that we're going to be in a pretty good position here in Australia.

Mohan Koo: 1:20:13

Yeah, we look, we are in a good position here in Australia. And I guess the takeaway for any of the business leaders out there is stop thinking about what you're going to do from a tooling perspective, per se, to protect your business and start thinking about a programmatic approach to it. And most importantly, think about your preparedness plan, right? Like, you know, when the incident happens, whatever the incident is, have your preparedness plan ready to kick into gear because we have seen incident instances where an organization gets breached. But because of the way they responded, quickly, promptly gave their customers a feeling of strength and control gave their employees a sense of empowerment through the process, and were able to communicate with the media in a way that resonated, their share price actually went up. Right. So security can be an enabler. And can be a differentiator, if you get it right

Daniel Franco: 1:21:13

without doubt, without that. And I think, from a key takeaway point of view. And this is not a plug at both of our businesses here. But from a security point of view, obviously, looking at hiring in the right companies to help with you, like look at the checks and balances on them as well, and help and work with them in helping you design your company in a safe way, then, but also, to another point that we've made a few times already now is the culture of the business. Think about steering that ship, as well, this is an area that constantly needs to be improved on. And you don't just get a good culture overnight. It's something that you start working on. Yep. And you iterate it, and you iterate it, and you're gonna make some mistakes. And it's tough, but as long as everyone is aware of where you're going, yep. And you talked about communication being critical as well, we follow that path. And we're all we're all going to be in a much better position moving forward. And for the future, which is really exciting. What is what is the future for for your you personally look like? I mean, you've built this amazing business, you've, you know, got top honors here, and global top 50, and entrepreneur of the year, and all these amazing things that you've done personally, what where do you see yourself in the next five and 10 years?

Mohan Koo: 1:22:38

It's, it's an interesting question, look, I have I have a real passion for giving back to the community that's like, and, you know, my, my background in cybersecurity is valuable in that sense. So, you know, one of the things that I really want to do is to try and create the ecosystem here in Australia to enable startup companies to flourish, not just cybersecurity companies that can help cybersecurity companies more probably more than others, but, but to help the Australian ecosystem, get behind those entrepreneurs in a way that they don't have to leave the country and take this massive, long journey across the planet to make success. Right. And, and that, that, for me is a pretty big, big one like so, you know, I've started to invest in some local companies here, and they're doing really well and trying to trying to bring Silicon Valley investors down here to see what's going on. So we don't have to go see you, you want to invest in our companies, because they're great, you make the effort and come down here, that kind of principle and building an ecosystem around them. So we've started to see a shift in you know, some of the major banks and some of the major telcos getting behind these, these startup companies and, and, and investing in them early and being a partner to them in such that we will test your technologies, we will provide you with feedback that helps you to develop the world's best capability in these areas, because that's investing in the future of our country. Right. And we have to have that long game plan now, like stop thinking about what's happening today and how we can benefit ourselves today think about the future, and generations to come and look at what's happened down lot. 14, right. Like, that's game changing for South Australia. That's game changing for Adelaide. It's been years worth of work, but it's an investment in all of the future generations, right? Like I was interviewing a chap today. And he was going from our company and the interview in our at our company to an interview with a space company to an interview with a leading IT provider to an interview with a venture capital firm. I mean 10 years ago, five years ago, that's never possible. You're gonna have to fly them Melbourne, Sydney, you know, Los Angeles to have those conversations, right. And today, you can have them right here in Adelaide. So that's, that's the kind of thing that I'm passionate about, you know, completely aside from that, you know, environment environment is a big, big thing for me. So, you know, I'd like to see an opportunity for me to kind of have enough time on my hands to spend thinking about new ways that we can, you know, advance conservation, you know, starting with conservation in this country, and making sure that we're doing the very best that we can to protect the environment that we live in for the future generations to come, which is not a foregone conclusion right

Daniel Franco: 1:25:40

now. Yeah. No, I love it. I want to ask one quick question. Sorry, I am I want to jump this in, because what you were saying then about lot, 14 really sort of threw something at me. Previous guests on this show, Adrian timber, we had him on last week, who is chair of the SA Productivity Commission, we've had Bruce Judo whose committee of Adelaide, Bruce's article in the paper recently talking about, you know, wake up Adelaide, you're not doing enough sort of thing. And I'm paraphrasing that, that the podcast that we did last week with Adrian timbul, was about, again, the policies that South Australia has had, and I'm specifically talking about South Australia here is has been very much geared towards the lat fourteens and the tons leads and putting time and effort and money into those precincts. To which he's saying that we actually don't know and can't see the return on investment. Can or arguing that? Have you seen it to be an amazing precinct? 100% Yeah. And that scenario that you're talking about? Or have you seen? Can we see the next unicorns come out of there? Is that Is that what we're seeing?

Mohan Koo: 1:26:48

We are seeing the the next unicorns come out of that there's a reason. There's a reason why I moved back to Adelaide. Right? It's to be a part of that ecosystem. Right? And, you know, you just have to look at, it's, it's obvious when you come down there, right, like, we have the four top space startups in the country are based in Adelaide, Adelaide. Yeah, that's

Daniel Franco: 1:27:10

like wheat space.

Mohan Koo: 1:27:11

There's heaps of them. There's Mariota. There's, there's there's heaps, right? Like, there's, there's a lot. And that's just the space industry, cybersecurity, you've got DTEX down there, and you've got five costs down there to have the best companies ever to come out of Australia. From a cybersecurity perspective. You've got defense companies, like you've got all the big defense primes that are down in Adelaide now. Right? And with them, they bring their whole supply chain. Right? These are this this is transformational. Right. Five years ago, you couldn't get interesting jobs in this high tech space, like they didn't exist. Tonsley. Have you seen some of the companies that are operating down at Tonsley? Its advanced manufacturing at the bleeding edge. These are the world's best in the game. Right? So So anybody that says that there's not enough going on, and they can't see the change that's happening hasn't been down there and hasn't interacted with the

Daniel Franco: 1:28:06

I love it. I love a bit of a debate. Gabs has got ecosystem. a smile on her face. Because we last week, we were hearing different things, but that I think this is really important. And Adrian is the first to say that I want someone to challenge me on my thinking on this, because that's what we need. From the state's point of view, we need to see this grow. Because if we are investing the time and money, then we want to see it flourish.

Mohan Koo: 1:28:29

Exactly. And I will say though, that we haven't done a good job as South Australia in promoting what happens. Yeah. And that's that's a huge mistake. Right? And this is, this is not just South Australia, this is Australian cultural mentality, right? It's like, you know, and one of the reasons why we have our startup companies previously haven't been as successful as they could have been in Australia. By and large, again, gross generalization. But majority of startup technology companies are founded by engineers. And they come up with brilliant ideas. They are brilliant engineering minds to come up with new concepts and building new concepts. What they don't have is the commercial marketing, sales, business development, nows that the US guys. So the US guys come up with complete bullshit vaporware a lot of the time, a lot of the time, not all of the time. But they come up with this stuff. But they're so good at the front end sales marketing business development piece, that they managed to get the investment, they managed to get the customers even before they fully baked the product here in Australia was so concerned with fully baking the product and then trying to sell it whereas we should have engaged earlier in the piece. So we make sure it's fit for purpose. And that we've been so that's, that's a big that's a big thing. So what I will say is, we need to get better as Australians at the marketing at the communications at the business development piece. If we can do that, then the Adrian's of the world won't be saying what they're saying. Because the message will have reached out to them. And they would have engaged earlier because they'd be like, I want to be a part of that. Yeah. How do I get involved? Right? So there is this there is this part of me that saying, you know, we need to get better at communication. So if you think about all of our publications, our biggest publication here that everyone locally reads is the advertising. So when a nice good story coming out a lot, 14 goes into the advertiser. No one outside of South Australia can read and read it because it's behind a goddamn paywall. Yeah, right. It's painful. How can we promote South Australia if everything is behind a paywall? How can we promote the goodness of what's going down here, if we only have one media channel, one print media channel, we need to have several, we need to have better social media promotion of what's going on, we need to be able to reach out to America and Europe with everything that we're doing constantly. So that is definitely a mind shift. That will

Daniel Franco: 1:31:04

change. I speak to a lot of CEOs every day, as part of my work, not just the podcast. But and there's one that I've recently spoken to who's moved here from he's been in a CEO role for four years, he moved here from New Zealand to get this role. He said the only thing that he knew about South Australia, he'd never stepped foot in our state before agreeing to take on the job. The only thing he knew about our state was that was a good one. That was that was the only one he has four years ago, like he knew think like we are we're horrible at promoting horrible, what is what is going on,

Mohan Koo: 1:31:42

but inside our circles that don't rely on the media to push this stuff out. Right? I have so many friends in Sydney and Melbourne right now that are saying to me, if you can find me a job in Adelaide, I want to move the family there or even take a pay cut. What you guys have got going on is so exciting. And I just want to be with the lifestyle is awesome. There's no traffic, you've got great wine. Yeah, you've got great beaches, and it's 10 minutes from the city. I want to

Daniel Franco: 1:32:09

And to the point of that CEO, he's like since be there. I've moved here, there is no other place in the world that I will have from the exactly the travel the walk the beaches, all the above and pristine compared to what's happening.

Mohan Koo: 1:32:21

Well, I look I've lived I've lived in Singapore, I've lived in Malaysia, I've lived in London, I've lived in the US. There is nowhere on the planet that I want to be other than Adelaide. Like there's just so much goodness going on here. And it's just such a nice environment for the family. Like there's nowhere else on the planet.

Daniel Franco: 1:32:39

I'd really brilliant. Let's wrap up a couple of minutes to just get through some quickfire questions, and then we'll we'll push you out the door. What are you reading right now?

Mohan Koo: 1:32:52

Well, I'm trying to get through Rich Dad, Poor Dad, I don't have a lot of time. I don't have a lot of time to read at the moment

Daniel Franco: 1:32:57

But it's an interesting story, right investing in?

Mohan Koo: 1:33:01

Well, look, I mean, it's, it's an interesting story about a guy who has, you know, two to two days ones come from a poor background and his mentality and his view of the world and a rich dad. And it's interesting to me because my dad came from a very poor background, but he took the in, like in the book, the mentality of the rich dad he took that mentality from being very, very poor and managed to, to change his outcome. So that's an interesting.

Daniel Franco: 1:33:31

I mean, I love Robert Kiyosaki. But it's just the the it's all about mentality. Right is is if there's one book that you believe that stands out from the crowd, that one that you might gift to others more so often that one that they can improve themselves with, what would that be?

Mohan Koo: 1:33:51

That's a really good question. And I'm trying to think through what I would say let's come back to that. All right.

Daniel Franco: 1:33:58

Do you listen to any other podcasts at all? I don't you don't know. Other than this one? Of course. What's one lesson that's taking the longest to learn?

Mohan Koo: 1:34:07

Well, I think the one that's taken me the longest to learn, I'm still kind of learning it, I guess, is to listen more than you speak. And, as you can tell, like it's easy for me to speak. But my first ever chairman, told me that ripped me out of a board meeting to specifically say stop talking. Listen, because when you listen, you will be able to change things more than when you speak. Yes, profound. If you could have three people over for dinner, who would they be? Well, and I'm gonna assume your family's there. Right? So yeah, look. It's an interesting one. For me, love music is a big part of my life. So I would I would have to choose musicians, right? Like I would have Jimi Hendrix, because, you know, because yeah, I would have Zack de la Rocha, because he really changed changed the way music can be used to spread messages that are important. And I would just probably have Robert Plant just because

Daniel Franco: 1:35:27

because religions of the game yeah, a lot of it. What else? Do you do play music? Or you just

Mohan Koo: 1:35:33

guitar? Yeah, not not? Well, I haven't played a lot in the last 20 years or so. But I do just

Daniel Franco: 1:35:38

heavily invested into it. Yeah, brilliant. What's some of the best advice that you've ever received outside of the listen more?

Mohan Koo: 1:35:45

Well, I it's got to be from my dad, right, like so. And this is this is a very, very topical one right now, right? Because in Silicon Valley, a lot of over the over the many years, companies have been told to grow at all costs, like spend, spend money and throw money at the problem. And you will become, you know, a viable business at the end of it. But today, it's very different. And so what my dad always told me was, you don't have a business if it's not profitable, like it's not actually a business. Right? It is. It is not a going concern. And so today that's ringing true for me more than anything, anything else, because profitability is king. And so, you know, we're in a very comfortable position from that perspective, where a lot of Silicon Valley companies have taken massive amounts of investment and thrown it at the problem and grown their businesses too big to manage. And at a time like this, when we're going into a downturn, it's very hard for them to keep track. Yeah, really scary place to be.

Daniel Franco: 1:36:50

It is. I mean, isn't that the whole reason you go into business? Well, I mean, you would think so it was I mean, they're the the Silicon Valley approach is grow business, like get a value would

Mohan Koo: 1:37:00

think so. Uber, yeah, I mean, right, you know, profitability, insight, massive company, with their own internal struggles that they're going through now, which are only going to get tougher in a downturn.

Daniel Franco: 1:37:11

Absolutely. If you had access to a time machine, where would you go?

Mohan Koo: 1:37:18

I would go back to 1999.

Daniel Franco: 1:37:23

Yeah, yeah, I'll go back a little bit big bug comes along with

Mohan Koo: 1:37:28

before I got into business, pretty much so you know, I was doing very different things. Then I was I was playing music. I had a band. I was a breakdancer are really aiming for a living so yeah, that's where I'd go.

Daniel Franco: 1:37:43

Go. Wow. Is that something that's never been mentioned on a podcast before it is, that's gonna go in the show notes. Breakdance. If you if you say if your house was on fire, we're gonna assume your family and pets and every one is safe. What is the one thing that you would?

Mohan Koo: 1:38:04

That's an easy one, my 1977 Fender Stratocaster?

Daniel Franco: 1:38:09

And that's, that's a good, that's a good sign. I was gonna say, Yeah, brilliant, and there's that is sentimental value to you, or

Mohan Koo: 1:38:16

it has sentimental value to me. But it's also worth a fair bit fair bit.

Daniel Franco: 1:38:23

Not signed by anyone, just not just Alright, what's it worth? What would it be worth?

Mohan Koo: 1:38:28

I don't even know what it's worth today, but it's a fair bit Scrivener

Daniel Franco: 1:38:31

number one, beautiful. If you had one super bit how one superpower here. One was saying one superhero power? What would it be?

Mohan Koo: 1:38:42

Look, I don't think it I don't think it's a superhero power. I think look at the end of the day, I hope that I can be more thoughtful about the environment around me and others around me and not just humans but other beings around me and trying to you know, give more than I take and at the end of the day, that's that's all that's really important to me at the end of the day.

Daniel Franco: 1:39:07

Okay, you That's brilliant. Thank you very much. Now last one. Your father of three you have to have a dead joke surely.

Mohan Koo: 1:39:18

Like my kids would say they're not jokes that don't qualify as jokes and don't ever tell. They do.

Daniel Franco: 1:39:25

And I am a connoisseur of them.

Mohan Koo: 1:39:29

There's only so much room in my brain for

Daniel Franco: 1:39:32

these Yeah, there is I'm putting you on the spot. You don't have one. That's fine. Not a problem. Look, we're going to wrap up there. I know you do have to shoot off. Thank you so much for your time today. Thank you for all that you and the business doing and in prep, prepping Australia and I guess the world from you are a global business in in putting us in a better position moving forward and keeping keeping those bugs away and the bad guys away as such, so thanks for everything you're doing.

Mohan Koo: 1:40:04

Thank you very much. Now,

Daniel Franco: 1:40:06

if someone did want to get in contact with you, how would they go about that?

Mohan Koo: 1:40:11

There's many ways to get in touch with me. But I would say go and go and have a look at our company detect systems. You'll find that online and you'll be able to find a way to get in touch with us.

Daniel Franco: 1:40:21

Excellent. Not a problem. And that's it, guys. Thank you very much. It's been very insightful, some scary moments throughout the way but I think you were consolidated when you said we're going to be okay as long as we keep going on the same track. So thanks again. My Awesome. Thanks, Daniel. Cheers, guys. Thanks for listening to the podcast though. You can check out the show notes if there was anything of interest to you and find out more about us at Synergy iq.com.au I am going to ask though, if you did like the podcast, it would absolutely mean the world to me if you could subscribe, rate and review. And if you didn't like it, that's alright too. There's no need to do anything. Take care guys. All the best