Join us for a conversation with Darren Kane, Chief Security Officer at Australia's National Broadband Network, where we explore the difference between the CISO and CSO roles and why it may be time for security leaders to “drop the I.”
In this Security Leaders interview, Clarke Rodgers, Director of AWS Enterprise Strategy, sits down with Darren to get his perspective on more than just the CISO vs CSO question. Watch the video above or read their conversation in detail below to get Darren’s leadership tips for “selling” security to the board, hiring for diversity, supporting sustainability, and planning for the future of security.
Meet Darren Kane, CSO at NBN Co. Australia
Clarke Rodgers (00:08):
Darren, thanks so much for joining me today.
Darren Kane (00:10):
Thanks, Clarke, for the opportunity.
Clarke Rodgers (00:11):
Certainly. So, if you'd be so kind, please tell me a little bit about yourself, your background and your role at NBN.
Darren Kane (00:18):
Okay. Well, so I'm the father of four, I'm the husband of one. I'm currently the Chief Security Officer at Australia's National Broadband Network, which is a wholly owned government business enterprise that provides wholesale broadband services to around 8.6 million premises across Australia, with the ability to connect 11+ million premises.
I've been in that role now for eight and a bit years. Previously, 11 and a half years in security roles, including directing corporate security at Telstra. Prior to that, I had six and a half years with the government, with your SEC equivalent, our Australian Securities and Investments Commission. And before that, about 13 years with the Australian Federal Police. So, my background has largely been in law enforcement and security now for almost 40 years.
Clarke Rodgers (01:05):
Oh wow. So, I meet with a lot of customer CISOs and we've seen the role of the CISO evolve over time. I'd say it's fair to say that in the last 10 or 15 years, there's been a steady progression of the security office from being somebody we have to have. And maybe the joke is they stay in the basement, and you only bring them out when you absolutely have to. To now, we have CISOs regularly reporting to the boards. They're part of the C-suite, they're really part of the business overall. Can you share a little bit about how you've seen that role evolve in your experience, and maybe specifically in Australia?
CISO or CSO, what’s the difference?
Darren Kane (01:44):
So firstly, the CISO role, the Chief Information Security Officer role, incredibly important. As companies have become more efficient and effective, building on technology platforms and building into the digital age, the role of the CISO to manage security risk in that space has grown exponentially. But, so has everything that sits on those technology platforms.
So, the role of the CISO to just focus on information security has actually become almost redundant. They're being asked now to actually concentrate on things like privacy, incident response, business continuity, particularly issues around operational technology. And as we actually have access control systems for building access points, as we have digital forensics investigations requirements and so forth, you're finding that the role of the CISO, as you call it, the CISO, has grown and grown and grown, to actually bring into issues other than information security.
So, I'm definitely the guy that says, "Drop the I." If you need to have a CISO in today's big corporate roles, I believe you really should have a CSO. And all those areas of accountability that I spoke of, incredibly important nowadays. Trusted insider programs, privacy and privacy breach, incident response — that's a huge suite of accountability. And for the CEO, the C-suite and the board to actually have confidence in that being one streamlined effort, it's not unusual to have one person accountable for it. That person now is the CSO.
I'd also like to add that the importance of both the CISO and the CSO in the modern company or modern entity has become very, very significant. The board, the C-suite, government particularly, understand now the risks that security represents. So therefore, that individual who's been tasked with owning that has a more significant role and is expected to be able to articulate and communicate, as well as manage and lead.
Clarke Rodgers (03:57):
So, first of all, I like the guy who drops the “I”, right? So we need that on a T-shirt somewhere. But to sort of poke back at that a little bit, you talked about managing the risk overall for the organization. How does one in that Chief Security Officer role — or the Chief Information Security Officer role for that matter — how do you balance the need for the organization to innovate and succeed from a business perspective with all the things that need to be done from a security risk, compliance, and privacy perspective? How do you "sell" the security aspects of that to the business leaders while still innovating for your customers?
How do you “sell” security to the board without over-emphasizing the risk?
Darren Kane (04:40):
That is a challenge. There is no doubt. And I think in the past we've all been guilty of it, me included. I'm actually continually challenging the business to understand and appreciate the risk that we actually are accountable or responsible for. And by doing that, we would often catastrophize the risk and demand that they actually address the risk by further resourcing support or actual funding support. And by resourcing, I obviously mean workforce.
And it's also recognition of the risk we manage. Now, I think that worked for a while, while we were actually making all sorts of efforts to ensure they understood and appreciated the risk. But of late, to your point, most competent boards and certainly competent C-suites now have an unbelievable understanding of security risk. Their issue is, what are we doing about it to control it, and how do we manage it within appetite?
And this is to your point, that if you continue to just sell risk as a catastrophe, that's a tired message. So, the way I approach it is to actually work with the C-suite who are supportive, and the board who are understanding, and help them understand the importance of good security maturity, strong posture, and hygiene. And what are the advantages and opportunities that come from that. The fact is that if they've got comfort that we’re managing the risk within appetite, can they then take funding away from me and place it somewhere else in the business, maybe around resilience?
Clarke Rodgers (06:21):
Darren Kane (06:21):
Can they actually sleep a little bit more comfortably at night and concentrate on other issues like workforce? So, my approach to it is that security should be seen as an enabler rather than something that says “no” or as a blocker. The best analogy I can possibly use is if you think of an entity as a high-performance motor vehicle, and the CEO is the driver, one would think the brakes in the motor vehicle, which are the security group, are there to stop the motor vehicle. And that's the most common appreciation and understanding of us.
I don't agree with that. My belief is that the brakes are there so that the CEO, the driver of the vehicle, can take that car to the edge of its limits.
Clarke Rodgers (07:06):
And go faster, so to speak.
Darren Kane (07:07):
Right to the edge of its performance, on the basis that they have confidence and knowledge that they can tap the brakes and stop if they have to. So that the actual security group enables the business to ride at the edge of its performance capabilities.
Clarke Rodgers (07:22):
Love it. Love it. So, do you report to the board yourself?
Darren Kane (07:25):
I do, quite often, through the ordinance committee, and to board on occasions ad hoc, but certainly twice a year as a requirement. And obviously through to the C-suite, I'm a direct report of the C-suite, and I do that as often as required.
Clarke Rodgers (07:40):
What kind of, and not going into specific details, but what kind of information are boards interested in these days, or the C-suite interested in these days? Because for years, it was, "I've patched this many machines. We had this many vulnerabilities. I put in this new security piece of software to hopefully squash those vulnerabilities." Are they still interested in the sort of bits and the bytes, or are you communicating risk in a different way to them?
Darren Kane (08:10):
I think I'm communicating risk in a different way. What you've just described is quite granular, and more of a management report through to EXCO than board. But I'm a CSO, the Chief Security Officer, so I have enterprise accountability for all things security risk across the NBN, which includes wholesale access to 8.6 million premises. 85% to 86% of all data in Australia goes across our network.
Clarke Rodgers (08:39):
What metrics and language should CSOs use when reporting to the board?
Darren Kane (08:40):
So, when I brief the boards and the C-suite, I take a very holistic approach. If I'm asked to target something, I will provide more granular data. But in today's current environment, geopolitical issues, the threat environment, issues in Ukraine, issues in the Indo-Pacific, issues with supply chain, for example, are very, very significant. Obviously cyber risk, nation state, and cybercrime is a significant issue, like everywhere else in the world.
So, there's a really broad range of issues I can report on. If targeted and asked about cyber security specifically, certainly I'll give some details around that and how we're managing it and the controls in place to manage it. But at times, I try to keep a broader, wholesale view of what I report.
Clarke Rodgers (09:36):
And do you typically quantify the risk in terms of P&L and money? I guess, what I'm really looking for is, if I'm a board member, what language do I want to speak, and then how are you adapting your conversation to them?
Darren Kane (09:52):
No, look, great question. Traditionally, it's hard metrics, to your point before. But I think the future lies in quantitative analysis and an ability to actually identify risk in the language of the business. So the entity actually works on dollars and sense, and sense spelled S-E-N-S-E. So I don't think it's appropriate when I'm briefing boards, EXCO, or anybody, to use language like “attack surface,” to use language like “insider threat,” to use language like “bad actor.” Even the most recent example and trend in our industry, “Zero Trust.”
Clarke Rodgers (10:32):
Darren Kane (10:33):
And my efforts are to get the board and anybody that works with me to trust me. To then try and use a word that's almost an antichrist to me is really a bad attempt at informing them on what I'm trying to do. So I think quantitative analysis and using money to actually identify risk as an overall versus the control cost, and then the residual risk after that is, probably the best approach. I haven't perfected that, but it's certainly something I'm looking at doing.
Clarke Rodgers (11:02):
That's awesome. So, switching gears a little bit — staffing, right? So, I've yet to meet a CISO or a CSO for that matter, who is satisfied with the amount of security personnel that work for them, in the sense that, "I have enough.” We could always do with more. And I've spoken to several who have different ideas on how to sort of scale the security team throughout their organization without actually hiring additional security badge folks. What are you doing at NBN to really sort of get security out in front of everyone and out and across the business when you may have a limited security staff?
How do you hire and retain the right talent for your security program?
Darren Kane (11:46):
I look at renewal as much as retention. So, and in fact, in some ways, my focus is on renewal. There's only a limited amount of money I can offer to retain. There's only a limited amount of progression, development, and other opportunities I can offer to retain.
At the end of the day, the industry needs talent. If I've got talent and it's their time to move, I say good luck to them. My job is to ensure that what's left through succession and talent management, and then who we actually attract to the organization, are going to be capable of filling the hole. So, my focus really is through graduate programs and a recent internship, which I'm incredibly proud of. And if you've got five seconds, I'll quickly brief you on it.
Clarke Rodgers (12:35):
Darren Kane (12:37):
What we recognized was we needed more diversity in our graduate and intern take. So senior members of the SLT and the Security Group targeted Box Hill TAFE, so your community college. So it was a Box Hill TAFE in Melbourne, Victoria, and we offered internships to people who were trying to build a career into cybersecurity. Trying to target those looking at a secondary career or a return to work, and it just so happened that we got five wonderful women — either returning to work because of other issues or mothers and so forth — who had traditionally not had any experience in cybersecurity.
Clarke Rodgers (13:18):
Darren Kane (13:19):
We offered them an internship initially for six months, which we were hoping to extend, even in these times. And our goal was to make sure if an opportunity came up to employ them, we would. But if we couldn't, we would actually give them 12 months experience in the industry so that when they applied for roles external to us or across the business, they actually had that on their CV. And I'm very pleased to say that one was recently picked up by a top four consulting firm.
Clarke Rodgers (13:46):
Oh, that's fantastic.
Darren Kane (13:47):
And we're doing as much as we can to place the others. And when you speak to these interns or these women, incredibly capable people who were really looking for an opportunity and a chance to excel. And I think that that's the example that our industry overall, globally, should pick up on, which is that most of the folk that you will need to employ in the business need to have a curious mind with a great attitude. They don't necessarily need to have the hard skills because we all know you actually employ for attitude, you train for skills.
So, to answer your question in short, my focus is on renewal rather than retention. And I'm incredibly proud of the Security Group alumni. We've got about eight or nine CISOs out there in Melbourne now coming through the NBN.
Clarke Rodgers (14:37):
Oh, that's great.
Darren Kane (14:38):
Yeah. So from my perspective, it's as much of what we do to harden the industry as to build out the NBN.
What benefits does diversity bring to a security team?
Clarke Rodgers (14:47):
So, your story about the intern program is fantastic. As you know, I talk to a lot of CISOs, and they talk about diversity in their teams, diversity of opinion, diversity of background, diversity of experience. Can you share a little bit about that type of diversity in your team? That not everybody came from a computer science background, not everybody is a hardcore security researcher. Maybe you had somebody from HR, maybe you had somebody with a financial background that ended up being a great security practitioner.
Darren Kane (15:19):
Again, I smile because your question’s right on my hitting zone. I'm a huge believer in the fact that if you’re going to protect a village, you need villagers from all walks of life to do it. I've got a great story. I had a fellow hit me up. He was, during the pandemic, during lockdown, he was working for one of our national airlines. A very senior member of staff, a captain that trained other captains on Airbus. He was let go. He ended up going to a community college being Box Hill TAFE, and he hit me up on LinkedIn. Interesting story.
So I obviously responded and said, "I'm interested." And said, "Well, where did you get to?" Unbeknownst to me, he had applied for a role at NBN sometime later, and we employed him on a contract.
Clarke Rodgers (16:08):
Darren Kane (16:09):
And he arrived having had a love for flying, but previously was in law enforcement in Western Australia. So there was a little bit of actual crossover.
Clarke Rodgers (16:19):
You had that connection.
Darren Kane (16:20):
Yeah, connection. So we gave him a 12-month contract, and all he had was his training at Box Hill TAFE over 12 months, the certificate course. And obviously, great competence, both as a leader and a manager of people, and obviously hard skills in flying Airbus and Boeings.
Incredibly successful. Just fitted in like a hand in a glove. Was very much looking to bring him on full-time. The pandemic finishes, we go back to our normal way — well, try to go back to our normal way of life. Just as we're about, well, he was about to accept the role we would offer him, he was offered the permanent senior captain's role back in the airline. And there was a great article on him returning to the air, having had that experience.
Clarke Rodgers (17:14):
Darren Kane (17:15):
Yeah. Great example of exactly what you said. It had nothing to do with experience nor capability. It had everything to do with communication skills and ability to actually engage, and a willingness to learn. And I'm finding that if you can find folk with that sort of, or all of those attributes, you will have success, because all they're looking for is an opportunity and that'll grow with them.
Clarke Rodgers (17:41):
And then the different perspectives are just so helpful throughout every part of your security department.
Darren Kane (17:46):
Absolutely. And one of the things that's not as important in Australia, because we're not as diverse as far as language skills, but we're finding that more and more down there that a diversity of origin, a diversity of religion, certainly a diversity of gender is becoming very, very important. If you’re a competent leader and manager, you understand the importance of diversity and what they bring to a team.
How security is enabling sustainability and bridging the digital divide in Australia
Clarke Rodgers (18:13):
So, with NBN's 8.6 million customers or so, plus all of the data centers you have and just the fact that technology continues to expand into everyone's life, what role does sustainability play in the way NBN governs its resources and thinks about it, how it affects customers?
Darren Kane (18:34):
Well, if you think about what we are offering as a product at NBN, it enables people to work from anywhere, to work from home. So you've got carbon footprint issues, you've got paperless office issues. You've got places where we don't leave a carbon footprint because of the fact we're using technology to actually improve it.
We have 8.6 million premises connected, and that may have multiple people at home. But where I look at this is it is an opportunity for us to bridge the digital divide in Australia, to give everybody that needs the access the access, but also to ensure that where we can utilize technology to perhaps even reduce the carbon footprint.
If you think of the ability to work from home, I certainly believe it wasn't road and rail that saved the Australian economy from an infrastructure perspective during the recent COVID lockdowns — it was connectivity.
Clarke Rodgers (19:33):
Darren Kane (19:34):
And the opportunity for people to learn new ways of working has come through that technology. With that obviously comes an ability going forward for hybrid or remote work, for more folk living in remote and rural Australia, reducing the carbon footprint by not traveling to work back and forth.
So, from my perspective, I can see technology and the way we actually utilize it going forward, particularly through connectivity, will actually certainly offer carbon reductions and greater sustainability.
Clarke Rodgers (20:09):
Certainly. So, I realize you don't have a crystal ball in front of you, but you've been in the security industry, I believe you said, for close to or just over 40 years. What do you think we'll be talking about five years from now?
Preparing for the future of security in Australia and around the world
Darren Kane (20:26):
In 2025, I'll be in my 40th year. I don't think I've ever experienced a threat landscape like the one that we are facing into currently. I don't think we in this industry can appreciate what I believe generative AI and machine learning will bring to the industry in way of opportunity and technological advances. I think, if anything, it'll also ramp up that threat landscape, so I think that's really exciting.
I think data and data volume will see exponential growth, and so will the need for an ability to actually manage that. I've got all sorts of concerns, I suppose, on making sure that the community don't leave the security risk up to those they pay to do security. Does that make sense? My mantra is that security is now going to become everyone's responsibility.
Clarke Rodgers (21:34):
Darren Kane (21:35):
You can't say you’re the Chief Security Officer and the team now own the risk, because that risk is one that can only be managed within appetite by ensuring everybody that engages in that space. Be it the cleaner that ensures they lock the door behind them. Be it the busy PA with the lazy forefinger that doesn't understand that they've clicked on a link. Be it, obviously, the cybersecurity professionals in our defense or CISOs. All of those people now have a responsibility as we go into these next three to five years, to ensure that they appreciate and understand how to put controls in place to manage the risk.
And I think one of the things that we have to encourage them to do is to speak up when they think they may have seen something or done something so that we can manage that. And phishing drills and other things are examples where it's a learning experience. It shouldn't be one that is a disciplinary experience.
Clarke Rodgers (22:37):
So, if that's going to be the future state, what are you doing now from sort of a security culture perspective to help build that mental muscle into the roles outside of security so that they're thinking about security all the time?
Darren Kane (22:54):
I think most importantly, we're not catastrophizing the risk. So, what I like to try and do is sell the upside, sell the opportunity, not always constantly say, "Don't do this because of the risk." Goes back to that motor car analogy. The brakes are there to tap if you need them but go out and enjoy your life.
Clarke Rodgers (23:13):
Love it. Darren, thank you so much for joining me today.
Darren Kane (23:15):
Great, and great opportunity. Fantastic. Thank you.
About the leaders
Chief Security Officer, NBN Co. Australia
Darren Kane has been the Chief Security Officer at nbn™ since 2015. Under his leadership, the nbn Security Group has become a converged center of physical and cyber security, enabling Australia’s biggest critical infrastructure owner to better protect its people and assets against evolving threats. Prior to nbn, Darren served in Federal Government law enforcement agencies for over 19 years, in the Australian Federal Police and the Australian Securities and Investments Commission. Darren was appointed as an Adjunct Professor in the School of Information Technology, Faculty of Science, at Deakin University in 2020. Darren has a Master of Business Administration, a Diploma of Financial Markets and is a graduate of the Australian Institute of Company Directors.
AWS Enterprise Strategist
As an AWS Enterprise Security Strategist, Clarke is passionate about helping executives explore how the cloud can transform security and working with them to find the right enterprise solutions. Clarke joined AWS in 2016, but his experience with the advantages of AWS security started well before he became part of the team. In his role as CISO for a multinational life reinsurance provider, he oversaw a strategic division’s all-in migration to AWS.