Laura Bell Main specializes in securing some of Australia and New Zealand’s fastest-growing organizations. She has over twenty years of experience in software development and information security.
It’s her mission to bring security into organizations of every shape and size.
Laura is the founder and CEO of SafeStack Academy, an online education platform offering flexible, high-quality, people-focused secure development training for fast-moving companies.
SafeStack is a values-driven company on a mission to make cybersecurity accessible for everyone and any organization. “To protect each one of us, we must protect all of us” is the underpinning belief that drives Laura.
Her company is pushing hard into this issue by attempting to train all of our organizations, big and small. Through free plans, student sponsorships, and sponsored communities, she is working towards a future where we no longer spend 99% of our security resources on 1% of our organizations.
She is an experienced conference speaker, trainer, and regular panel member, and has spoken at a range of events such as BlackHat USA, Velocity, and OSCON on the subjects of privacy, covert communications, agile security, and security mindset.
She is also the co-author of Agile Application Security and Security for Everyone.
What you will learn
- What sparked Laura’s passion for software engineering and computer security
- What inspired Laura to launch her own company in this industry
- The top 3 things a growing company can do to get started with security
- Discover the critical importance of software updates in protecting your systems
- Laura shares her best tips for enhancing the security of your WordPress site
- Learn how to reduce and prevent unwanted emails
- Uncover how to secure and grow your company
- Discover the opportunities and challenges for business security in the age of AI
Transcript
Jeff Bullas
00:00:06 - 00:02:16
Hi everyone and welcome to The Jeff Bullas Show. Today I have with me Laura Bell Main. Now, Laura specializes in securing some of Australia's and New Zealand's fastest growing organizations. And we're not talking about locking up the front doors or the back doors. We're talking about the digital doors. She has over 20 years' experience in software development and information security. It's her mission and passion to bring security into organizations of every shape and size. Laura is the founder and CEO of SafeStack Academy and we're gonna find out how she started it and how she's going and what are some of the joys and pain of growing an online company.
So SafeStack Academy is an online education platform offering flexible, high quality and people-focused, secure development and training for fast moving companies. The focus is on building security skills, practices and culture across the entire engineering team. In other words, she makes sure people are developing software for a company that she can weave security into there to protect the company. SafeStack is a values-driven company on a mission to make cyber security accessible for everyone and any organization. And I know that talking about security for software and for my digital platform sort of makes my eyes glaze over because it's something that is hidden and most of us that operate in a physical world don't see, and what we see we don't care about, but Laura's gonna tell us why we should care because we live our lives very much online these days and our businesses very much need to have software security and we're gonna try and make sure this is.
Now, Laura described me as being a nerd. I'm sort of a nerd with a little bit of a futurism lean. And so is she, but we're gonna have a chat today and try and make sense of something that basically we don't have enough conversations about because we just hope it's gonna go away and we're not gonna have security problems with our digital platform. So, Laura, welcome to the show. It's great to have you here and you're dialing in from the northern part of the North Island of New Zealand.
Laura Bell Main
00:02:16 - 00:02:20
I am indeed. And thank you so much for having me. It's really great to be here.
Jeff Bullas
00:02:21 - 00:02:45
So, Laura, I'm intrigued. That is the question I always like to know is what got you into software engineering and security for computers and platforms? Where did this all start from? Was it like you were three years old and said, mum and dad, I wanna be a software engineer. Where did it start?
Laura Bell Main
00:02:45 - 00:04:56
Oh, I'd love to say I had one of those stories, you know, you picked the right schools and you did the right courses and, you know, 30 years later you get what? No, that's absolutely not how it happened at all. I thought I was going to be a lawyer. Specifically I thought I was going to be a lawyer speaking French and German, a bit like Ally McBeal off the TV at the time, and living in Geneva, and I thought it was gonna be glorious. The only bit of that is I got to Geneva for a while. But when I was 16, my mom got sick and one of the results of that was I needed to get a job. Now, I come from a town that's famous for two things, teenage pregnancy and the number of roundabouts we have. That's really not a good, exciting high tech, you know, paradise to grow up in. But I was lucky and I could have gone and worked for, you know, a big known burger chain or something. There's no shame in that if you need to pay the bills. But in my hometown EDS, which no longer exists, I think they were purchased by Hewlett-Packard, ran an apprentice program for software developers. I'd never touched a computer in terms of coding in my life. I'd done word processing and things. But I was like okay, well, I'll give it a shot. Let's see what they want. Their interview was me solving puzzles for two hours. I was in my element. It was so much fun. And at 16 I became the youngest COBOL apprentice that they had. Now, bear in mind, this was the early 2000s and COBOL definitely wasn't cool then. It certainly isn't now. And ever since then I've kind of been on this journey of getting into a space where I started out from a need, but it's grown into a huge curiosity. So I've been studying AI and robotics at university when I finally was able to fund myself through that. I've worked for CERN in Switzerland and the Large Hadron Collider doing radiation monitoring software, and the UK government doing counterterrorism.
So I've had a really exciting adventure and now I'm in this position where I'm using all of the things I've learned on that wobbly path to hopefully change the way that we build software and young companies so that security isn't just this thing on the side that we'll get to later. That is actually part of growing and part of surviving and not necessarily the really irritating person at the party you don't want to talk to.
Jeff Bullas
00:04:57 - 00:05:16
Well, I'm glad you grew up in a city with roundabouts. It's a town. We have one of those in Australia. It's the center of government and they have a lot of roundabouts. It's called Canberra in Australia. So, but, yeah, I think roundabouts were invented by an Australian or New Zealander? Or we could have that argument for a long time.
Laura Bell Main
00:05:16 - 00:05:27
I think we would probably end up not friends. We're not allowed to talk about those kind of things. It's like Lamingtons and Pav, we're not allowed to have that conversation either. So we'll step backwards and then we can remain friends.
Jeff Bullas
00:05:27 - 00:05:43
Yeah, we won't talk about religion or politics either. So, the industry you're working in didn't really exist 20-30 years ago.
Laura Bell Main
00:05:43 - 00:06:38
No, absolutely, you know, security has been around for as long as there's been people, you know, as long as there are people around, we will be jerks to each other to get hold of something we want. We don't need to confuse it with it being a digital problem or cyber or anything like that. This is very much a human problem. But what has changed in the last 20 years is the dominance of technologies in how we operate our lives. So, the motivation for attacking the systems is higher than it's ever been. You know, this is how we control our finances, this is how we send goods between each other, this is how we form trust and communicate. So it started off being a minor thing. And for those who, you know, were around any of the early tech and networking spaces, it kind of came out of there. And now, as we've got more into the software led organizations where we're more focused on the systems we're building at that software level, it's kind of migrated there and it's growing fast.
Jeff Bullas
00:06:39 - 00:07:07
So it is like, and part of it is, not only is digital technology woven into pretty well everything we do in business today. I suppose the real challenge became when we connected the personal computers to a company network and then the internet showed up and then we connected it to a global network.
Laura Bell Main
00:07:07 - 00:07:09
Yeah, it’s a funny space.
Jeff Bullas
00:07:10 - 00:07:12
So the bad actors could come from anywhere in the world now.
Laura Bell Main
00:07:12 - 00:08:08
Yeah. And if you think about how we, as people think about risk, right? We evolved from the idea that, you know, say a bear wanted to come and eat us, we could see and we could hear and we could smell this bear before it came anywhere near us and we could respond and we only had to protect the bit that we could see our physical environment around us. And as we've become more interconnected, the risks have increased. But they're ephemeral, they're not something you can interact with on a physical level and that becomes very difficult. We're used to and we're evolved to protect what we can interact with. And so we've got this space that's very high risk with lots of opportunities for organizations or individuals to cause harm to us or our systems. But at the same time, we don't see that or experience it directly. And so we have no natural instinct to go and find and protect those areas.
Jeff Bullas
00:08:09 - 00:08:37
So you've got to create tools to make it visible. And, so let's wind back a little bit. So before we get too much into how we can, basically as a small, you know, small growing companies can get started with security. I think that's a good question that I'd like to get into. But before that, tell me a little bit about how you went from being an employee of EDS. Is that right, EDS?
Laura Bell Main
00:08:37 - 00:08:38
Originally. Long time ago.
Jeff Bullas
00:08:38 - 00:08:49
Yeah, which got bought by another competitor, a big competitor, gobbled it up. And EDS is Electronic Data Systems, which I think came out of a spinoff out of General Motors.
Laura Bell Main
00:08:49 - 00:08:54
Probably. Absolutely. If you look back into the family tree of all these companies, it's basically the same five people.
Jeff Bullas
00:08:54 - 00:09:20
That's right. It's, and the fact the first person that started was really Adam and the partner was Eve, so really, that's where, how far back it goes. Right. So, anyway, I wasn't going to talk about religion, but we did. So, before we get to that, so you go and get all these experiences right across, including British government, all sorts of things. So, what happened along the way for you to go, well, I'd really like to start my own company. Where did that come from?
Laura Bell Main
00:09:20 - 00:10:47
In all honesty. I had a terrible boss. I had my first child. She was 10 months old. She's now 10 years old. So it kind of shows you the timeline of things. And I think my tolerance for having a bad job was just zero at that point. And I was also a bit frustrated and I was like, I love going fast in software development. I love building amazing technology. I love helping people do that. And I wanted it to be secure, but the ways we were doing security were really slow and really painful and mostly focused on somebody coming to your team and saying, hey, your software baby is ugly and you should feel bad, you should change what you're doing and that doesn't work. Nothing works when you do that. And so I literally put my money where my mouth was. I had about $330 in savings and a small child and I quit my job and I said, well, I will go and do some consulting and see if I can find some software companies and prove that we can do this differently. And off I went so, that led to becoming the virtual security officer for a number of high growth software based companies, writing a couple of books and it's been a crazy adventure until 2020 when myself and my co-founder decided we would try and turn what we could do as consultants into something that everybody could use to bring those skills into their team.
Jeff Bullas
00:10:48 - 00:10:54
Right. So, and that's a, sounds to me like a really good move because as a consultant, you're always trading time for money.
Laura Bell Main
00:10:55 - 00:10:57
Exactly. You can't scale a person.
Jeff Bullas
00:10:57 - 00:11:04
No, you can hire people, train them up and teach them what you do and then they run off and do it themselves.
Laura Bell Main
00:11:04 - 00:11:08
And then Google poaches them is what we learned. Yeah.
Jeff Bullas
00:11:09 - 00:11:17
So you realize that this, what you're doing was not sustainable and maybe not fun as well because you're always on the clock.
Laura Bell Main
00:11:17 - 00:12:25
Part of it. To be honest, we're a bit of a COVID baby as a product company. So, it was April of 2020. We'd gone into the big lockdowns for the first time in New Zealand. And we had one of those little kind of sit downs you have with the team and, you know, revenue dried up because everyone's on lockdown and everyone's kind of a little bit freaked out. We were like, well, we could just wait for it to blow over or wouldn't it be cool if we tried to build a product and, well, none of us were in the space that you're supposed to be when you build a product. We, you know, we had kids and home loans and responsibilities and things and like zero savings. And so in April we kicked off building and in October it was in the market and I think there's an element of stubbornness in our mission. We don't want it to be a world where you have to be rich to buy a consultant to get to do security. There's no need. Security can be taught, it can be something that everyone in your team can do a bit of. We've just spent a very long time telling people that they will get it wrong and teaching them to be scared and hide from that vulnerability rather than teaching them the skills they need to change their world around them.
Jeff Bullas
00:12:26 - 00:12:30
So it sounds to me like you're trying to democratize security for the masses.
Laura Bell Main
00:12:30 - 00:12:36
Pretty much. I think I'm saying in fancy terms, I want to retire one day and not have to do what I do.
Jeff Bullas
00:12:37 - 00:12:52
Exactly. So, alright. So you built the platform and so you basically run training courses in building security into software for software developers that are building software for companies.
Laura Bell Main
00:12:52 - 00:13:17
Yeah. So we have a range of courses. And it's a catalog, you can come and take them whenever you like. And some of those courses are for software testers and some are for those who write code and some are for the people who do analysis and architecture. And so you can learn the skills for every stage of that software, from having an idea and no code all the way through its life. There's actions we can be taking and decisions we can be making that make us more secure.
Jeff Bullas
00:13:17 - 00:13:57
So let's leap into a burning question, which comes from the fact, well, it comes from a small company going, I don't understand software security. It's all a black box. What I can't see can't hurt me. In fact, it can hurt us. As we've discovered, we've had a lot of data stolen by big companies that supposedly have some of the best security in the world. Government files have been hacked. So the list goes on and on. So, let's leap into this question. What are the top things a small growing company can do to get started with security?
Laura Bell Main
00:13:58 - 00:16:29
Well, I think there's a number of things and I'll walk you through them and everything I'm sharing are things that you can go and find online. So I'm, you know, reach out to the audience if you want afterwards. I love talking about this stuff. So let's start at the beginning. Firstly, security isn't something you get to later. Security is just there all the time. You do security in your day to day life. All the time. You know, you keep your keys close to you, you put your wallet in your bag instead of leaving it on the table in a restaurant. You already do this. All we're doing is we're adapting security to a different space. Now, the number one thing you want your team to do is to know what to do when it goes wrong, which sounds really, really negative, but bear with me. And that's because there are an infinite number of things that can go wrong in the world, whether it's security or other things, and having a plan in place to know what you would do in case of a bad thing is super important because it's going to be the most important document in a crisis. And that tells you where can I find information like my log files? Where can I find details of my insurance company? Who do I call? So having that all together is a great starting point. From there we get into what we call the brilliant basics or, you know, unsexy basics if you like, it really doesn't matter how you think of them. But every government, Australia, New Zealand, UK, US, every single one of them publishes a set of guidelines of the basic steps that you can put in place that will get rid of 83-ish% of common attacks, because most attacks are not sophisticated. So nobody in Hollywood is planning a heist against your organization, it's opportunistic. They're taking advantage of common vulnerabilities or flaws and they're using automated tools or simple techniques to exploit those. It's not about you as a company, they may not know what your company does.
It's just that you happen to use that technology and they can exploit it. So they'll have a go. So find those lists and those lists include things like choosing good passwords, having multi factor authentication. So that's where you get sent a code or you have a code from an application that is on top of your password as an extra layer of security, updating your software. None of this is very glamorous, right? I wish I could come here and say cyber needs magic like cyber handles or something. It doesn't, it needs just basic steps consistently applied by everyone on your team. And that's the foundation of where we begin and from there, you get to the fun stuff about understanding why your organization would be interesting to anyone that has malicious intentions and that's almost like planning a bank robbery against your own company.
Jeff Bullas
00:16:29 - 00:16:32
Right. Okay. And you'd just think like a robber within your own company.
Laura Bell Main
00:16:32 - 00:16:34
Oh, absolutely.
Jeff Bullas
00:16:34 - 00:16:59
So you do all this. And so you've done it, is the project finished or is it just ongoing? I know you mentioned you need to update your software all the time. So WordPress, for example, the older it is the more vulnerable it is, because the more loopholes, the wormholes, have been discovered.
Laura Bell Main
00:16:59 - 00:17:59
Well, yeah. So WordPress is a good example, right? Very few sites get targeted because they sell widgets or because they're this brand or whatever. If you happen to use a platform that is used by many, many other people in the world, whether it's WordPress or any other system, then think of it as almost kind of cost efficient for an attacker. They're not going to attack a custom piece of software that was built just for you, that does the job, necessarily, if they can attack one piece of software and get access to 50,000 businesses. That's a really good use of their time. So WordPress is a really common target, and attackers, or even vulnerability researchers who may not be actually looking for personal gain themselves, will try and find these vulnerabilities and publish them, and they do this on a fairly recurring basis. Once they publish them, more people read those results and will try those exploits or those techniques. And so patching, when you're using a system that's used by many, many other businesses around the world, is really key.
Jeff Bullas
00:17:59 - 00:18:15
Okay. So let's continue with the WordPress conversation. Because basically, I think it's the biggest platform for companies as in websites in the world, I believe, I think it's in the hundreds of millions.
Laura Bell Main
00:18:15 - 00:18:17
It’s huge, absolutely massive.
Jeff Bullas
00:18:18 - 00:19:01
So, okay, so let's do a little bit of WordPress 101 security, what to do. So I've got a WordPress site. I do get targeted by basically bad actors that are just trying to, send me lots of spam emails, for example. That is a very simple layer and I constantly have to update my email platform and tell them and remove the bad actors. So, just WordPress 101 security. How can I protect my WordPress site? Tell us, give us a few tips.
Laura Bell Main
00:19:01 - 00:23:10
Sure. Okay, cool. I'll assume as an audience, you know, you might have a WordPress site too. So I'll give you a few variations on the kind of ways you can do this. So firstly, your first thing to look at is your foundation: where is WordPress hosted. So there's many options. You can download it and put it on your own computer equipment and you can host it that way, you can use it on wordpress.com and they will host it for you, or you can use specialist hosting providers who will provide the underlying computer equipment that it is operating on. Now, each of those has different risks. If you're doing the wordpress.com option, that's cool. This is what they do day in and day out. That is literally their only job, is keep WordPress safe. So, yeah, great. Fantastic. Less to worry about. If you're on a specialist provider, check on their experience for looking after and monitoring WordPress sites. So you want to be asking, okay, cool. What do you look for? What does your monitoring look for? What do you look for in the logs, how would I know if you see something suspicious? So, work with your hosting provider on that one. If you're hosting it yourself, now, if you're super confident, you go for it. Absolutely. But in 99% of the circumstances, don't. Just save that, save the energy, don't host it yourself. Put it on wordpress.com, put it on a managed service, because the money you spend on that service is money well spent. Okay. So moving up, next stage, biggest target for your WordPress account is somebody getting access to your administration account. So your WordPress site is very powerful because it's able to do so many things and you can have plugins that do this, that and the other. It's a huge beast of a piece of code with a lot of power, and whether you just want it for, you know, an online brochure or something more complicated, it doesn't mean an attacker can't then use the same code to set up something more sophisticated.
But with your, you know, hosting provider doing all of the nice looking after them for that.
So lock down your account. So make sure you've got strong account names. So don't name all your admin accounts admin, give them sensible names. Don't share those accounts, set up different accounts for different people. So that if somebody leaves your team you can get rid of that account and you're not sharing a password between them. Shared passwords and poor quality passwords are really, really nightmarish when it comes to compromising sites like WordPress, because we all do it. We're bad at choosing passwords. We don't spend a lot of time on it. We're not wired to remember long complex phrases. So I'll give you a bit of a tip. We're not, we're really not. The closest I get is remembering my credit card number so I can occasionally order pizza. That's about as far as I get with long numbers. So if you want a tip, if it's for an account that, you know, is super sensitive and you don't want to have to stress about this and you reuse passwords, and maybe a password manager is a step further than you are willing to go right now, we'll come back to that, then don't try and remember your password. Set your password to you mashing the keyboard, just type random junk. And when you come back to it, use the forgotten password to get in, because that mechanism, that loop, is actually more secure for you than choosing a poor quality password. So that's your first set of tips. Next step, plugins. Not all plugins are equal, there is no vetting process on plugins. They're fantastic. They let you do extra things on your site with very little effort, but it pays to read the reviews and have a look and just look for the quality of those plugins. So if it looks too good to be true, it probably is. So read the reviews, check the status on them and check, just have a little Google online. Are there any known vulnerabilities with name of my plugin? You will find results for many of them and you can kind of make a decision.
Is this worth the risk? And keep your plugins to a minimum. If you decide you're not using one anymore because it's not cool, it's not doing the job you want, just get rid of it, delete it out. You don't need to keep it for a rainy day. That old code causes risk by being there. So that's three steps we can take just to start with, and that's looking at your hosting, looking at your account controls and making sure you've got good quality passwords and different accounts per person, and then looking at your plugins and making sure they're up to date, that you've only got the ones you need and that you've done a bit of a review process.
Jeff Bullas
00:23:10 - 00:23:26
Right. Okay. So let's move on to another one where typically a lot of sites get hit too, which is email marketing platforms, which I think end up being plugins on your WordPress site. Is that right?
Laura Bell Main
00:23:26 - 00:23:27
Sometimes.
Jeff Bullas
00:23:27 - 00:24:02
Sometimes they do. So how can I stop just getting spammed all the time? Because that's the bane of almost everyone. That's like, and you don't even have to give anyone permission. I got a request via email from Donald Trump's email platform to donate money to Donald Trump and I certainly did not agree to that. So, obviously they've used a scraping tool and put me on their list.
Laura Bell Main
00:24:02 - 00:25:42
We're all on many lists. I think all of us are on a list somewhere now. I think it used to be a rare thing but now I think it's really unusual if you're not. I think particularly in our part of the world. So in New Zealand, we do have telcos and we have email providers that have been around a very, very long time and they still do the job. You still get email, but they don't necessarily have as many of the modern technologies involved in them that would help filter and stop that spam from reaching you. It's, I think, you know, we're definitely reaching a time now where I'm not particularly pro Google or pro Microsoft. But if you spend a little bit of money and get yourself, you know, a Google for business account or a Microsoft 365 subscription to get your email through there, the filtering that they have there now is substantial and you can set up all of those groups and aliases. So you can have your hello at email address and all of those kind of things. I help a number of people from, you know, folks, you know, very elderly folks who just want to get stuff done right the way through to young folks, and a lot of the issues come from the email providers just not being able to keep up. And so sometimes it's better to choose one of these big ones where they've just got a lot more strength behind them and they're dealing with a scale that means that they're able to spot these things. For example, I see probably less than two actual spam emails a month now. Whereas if I look through and look at the filtered emails and what has been pulled out, there's hundreds every day. So you really got to be discerning. It's completely okay to move your email to a provider that is going to do a bit more work on your behalf.
Jeff Bullas
00:25:42 - 00:26:34
So we basically use Google as a sort of email provider. So in other words that allows you to use your domain name on that as well as Gmail. What really, you talked about, these people should know what they're doing, but this is what blows me a little bit away with Google, for example, in that they will send you a reminder, for example, to update your GA for Google Analytics or some other reminder that, you know, update your Drive. Guess where one of those emails turns up? In spam. They don't even know how to contact me via their own platform. In other words, their own technology, it gets sent to their trained spam box or trash box. It's like, so anyway, I think it's still early days, isn't it, everyone's trying to work out how to control this beast.
Laura Bell Main
00:26:34 - 00:26:57
Yeah. And, and I think we'll always be learning. I don't think there's a done with security and that's the thing that can frustrate people. We like to be done with something we like to go, oh, I've done that now, tick, off I go to do something else. Security is less about doing a lot of work for a month and being done than it is about doing a small amount of work frequently. Just as part of what you do every day.
Jeff Bullas
00:26:58 - 00:27:49
Okay. So before we move on to the next question, which is how can you secure and grow your company rather than getting in the way. Which is the next question I want to ask is, what was, completely lost. Anyway, let's just go to that question. I've just completely lost the thought on that while I said, so, alright, just how can, so how can security be implemented? No, I was gonna actually, I just remembered it. So before we get on to that question. Sorry, everyone. Essentially, what's a simple checklist to make sure that you're keeping on top of things from a security viewpoint? What is the ongoing checklist? Is it a simple, is it a seven-point checklist? Is it 55 points? What, to make sure that you continue to be secure.
Laura Bell Main
00:27:50 - 00:31:30
So, let's look at this as an individual and as a business, we'll do the two because you kind of need both. As an individual the basic things. If I was just going to arbitrarily pick four things, choose good passwords. Now, we have lots of sites that you need a password for. I'm not saying every single site needs, you know, a huge ridiculous password but care about those sites that are going to have the most impact on you. So for me, it's for example, my email account as well as my bank account, I've got two or three that are absolute stand out if they were compromised, this is going to really hurt me. And so figure out which ones those are for you and make sure they have good passwords that they have two factor authentication turned on. So your bank might send you text messages when you do a transfer, for example. Those kind of controls where you know that it's unlikely somebody is going to be able to log in and act on your behalf or see the information you have inside. Secondly, your browser, the web browser, you connect to the internet every day is probably nagging you right now. It might be saying in the right hand corner update, hi, update me, do this. You need to get into the habit of doing that once a week. Just let it do its thing. It will open your tabs up again, just update it whenever we hold on to software and we prevent it from updating because we don't want to restart our computer or don't want to restart our browser. We get a backlog of security flaws that build up in the background. So by allowing it to update and allowing it to refresh, you're getting the latest version of the tool, which is cool, but also you're solving a lot of security issues in the background. And my final personal tip would be to be really vigilant, scams and malicious actors. They're not using anything that's magic.
So if any of you have a background in marketing or in psychology, a lot of the triggers they use to get you to change your behavior are ones we would use in marketing and in psychology, things like scarcity, making you feel like something is going to run out, you need to act now with urgency, or authority, telling you that it's the police or, oh, it's NZTA over here, our Transport Authority. We get a lot of scams looking like the Transport Authority: you're going to get a ticket if you don't do this now, or your ticket is overdue. Every time you receive something, take a step back and, if you weren't expecting it, go, alright, what emotion is this email or this message trying to trigger in me? And have a look at the context and see, is that actually a rational thing to be happening to me right now? That extra breath, that extra 10 seconds is normally enough for you to go, hang on, no, this isn't right. It's not the case anymore that we can just look for spelling mistakes and, you know, the wrong logo, because our scammers are using very convincing copies. So they're the three things I do as an individual. As a business, you set the tone as the leader. So if you are not following your guidance, you know, you've never updated your phone, your passcode is always 11111, then that's going to echo down into your company. So model the behaviors you would like to see in your team, make it okay for people to say, hey, I've seen this strange thing, can someone else take a look, and for them to talk about security openly. And then make sure that you invest in security in your technology in the same way you would its health and resilience. So I consider security to be part of a well-built, resilient system. So it doesn't mean you're spending money on consultants or anything fancy. It just means you're spending an extra hour saying, okay, have I just looked at this from a security point of view? Have I taken the steps I need to? So, just building in that extra little bit of time to allow people to consider it as they make technology decisions.
Jeff Bullas
00:31:30 - 00:31:41
Right. Okay. Alright. So some really good advice there. Alright. So let's get on to how you secure and grow your company rather than get in the way? So how do you secure and grow your company?
Laura Bell Main
00:31:42 - 00:34:06
Well, it all depends on your business obviously. But let's talk about a few examples. Now, historically, security was the big stick. We were here to tell you you were wrong. You're gonna fail an audit. You know, let's be more serious. But actually increasingly, one of the biggest barriers to us growing as companies is the due diligence process that happens during procurement type affairs. So if you're going to sell to a big company or another company, and they're gonna ask some questions, you're in that process saying, hey, cool, like what you're doing, but is there any risk I'm going to inherit by making this relationship with you. Now, security is often now frequently part of that list and it can be as small as a few little questions or it could be a huge checklist of audit requirements depending on who you're trying to sell to and if you're growing, I'm assuming you're probably going to be selling to either lots of people or a small number of much larger organizations. Now, if you know this in advance, then you know that security and getting through those questions is going to make your life a lot, lot easier.
It also helps you make decisions. So if you know that someone in your customer base is going to care a lot about your risk decisions or they're going to ask about security, then when you're deciding, should I do path A or path B you can go, alright, well, does this impact our security? And if the security is being changed, if the risk is greater or you know, your customers may lose confidence as a result, then that's a filter you can apply to make better business decisions and that's not about not doing innovation, not at all. It's about you've got many options at any time as a business owner, one of the hardest things we have to do is choose which one we follow. And this is an additional criteria to really help you focus and know that those decisions are well articulated and well executed, then translate to a smoother sales process when people are asking you about this later. So you can actually bring security into every growth conversation you have about how it enables sales, how it enables fast decision making or gives you an extra set of criteria to follow and eventually when you finally get to, you know, whatever success looks like for you, if you were going to sell your organization, if you're going to get investment, if you're looking to IPO if you're going that way, each of those stages has warranties and has controls in it that look for the quality and health of your business. And a poorly secured company is going to have a much lower valuation than one that is taking care of those things because the risk is higher.
Jeff Bullas
00:34:06 - 00:34:19
So essentially what we're saying is that you're building trust with your clients along the way by saying we value your privacy and our security highly. So this is what we do as part of the process.
Laura Bell Main
00:34:19 - 00:35:16
Exactly. Now, if you look at an example, right, you're making a decision as to whether to capture some information from your customers for a bit of your application. Now that application might do something cool, you know, new feature, new widget, but at the same time, you're now storing more of your customer's information, which makes it higher risk. So if you bring security into that discussion, you can have the debate of whether the benefit of that new functionality is worth the additional cost of us having extra regulation or extra risk. If something goes wrong, now, it could be the answer of that is not do nothing or do something. It could be I'm going to do it but I know that this data gives me an extra burden. I don't want to do that. So what if we only keep the data for three weeks and then we flush it out because we don't need it. There are middle grounds in all of this that security can help you make these decisions that otherwise you may not have anything that's going to encourage you to make that middle ground between the two.
Jeff Bullas
00:35:16 - 00:35:40
Right. Okay. So, yeah, because a lot of customers, for example, there's a big, there's a financial company in Australia here that got hacked and I think 15 million contacts were actually stolen. And they actually were keeping the old contact details of non current customers. So yeah.
Laura Bell Main
00:35:41 - 00:36:43
Well, if you look at real estate as an example, right? We've all, you know, been involved, whether we're renting a house or buying one or selling one. That process involves collecting a lot of personally identifiable information. So passports, bank statements, all sorts of these documents that help identify you, that pass the money laundering laws so that you can meet the checks and balances. But our laws can be quite unclear about how long you have to keep those documents for or if you even have to keep them at all. And so we end up in a situation where organizations that aren't necessarily technology businesses, you know, a real estate agent, are making decisions and storing data because they're not sure where the law lies, and that puts things at risk later. So whatever industry you're in, there are moments for us to kind of take stock of what sensitive data we're holding and make the decision not to hold it unless we absolutely have to. And if we have to, then there are ways that we can make sure the risk for that is reduced. But at the moment, I don't think we have the maturity in our approach for that.
Jeff Bullas
00:36:44 - 00:36:54
Right. The challenge with smaller companies is you can be doing this all the time and not getting work done. Bigger companies have maybe got the teams to do this and processes and systems because it's important.
Laura Bell Main
00:36:55 - 00:37:27
I kind of argue on that one a little bit. So if you, you take a smaller business, right? And you know, law requires you to check X,Y and Z document. Cool, you get it done. If the process is as simple as just a checklist that you tape to your desk that says once this is done every Tuesday, go back and delete last week's files. That's not a laborious process. It doesn't take high tech to do that. The tech processes that we see in larger organizations are efficiency players because of the scale they're working at. So I don't think it's in small businesses. We can't do it. I think we just have to do it a little bit more hands on.
Jeff Bullas
00:37:27 - 00:37:58
Okay, cool. Alright. Let's get into the, one of the current topics at the moment with the social, with security such as we've seen the rise of ChatGPT and AI, with ChatGPT being the friendly user face to AI generative AI. So what are some of the opportunities and challenges for security for a company in an age of AI which has exploded in the last six months.
Laura Bell Main
00:37:59 - 00:43:17
Yeah, I love this space because it's chaos. And half of me is very excited about what it can do and half of me is terrified, and I think that's a healthy place to be right now. You should always be, you know, excited but slightly wary when things change rapidly. But I think there's some key things that, like my little company, we're 24 people. So we're not a huge enterprise like, you know, that we see out there, but we've just written our first policy and I think it's actually probably something we can share here that might be something your teams could do themselves if you're listening. Now, our policy, what we wanted to do was, well, how can we use this safely? What circumstances is it okay to use it? And are there circumstances that aren't safe yet? And why are they not safe? And so we articulated this as a very lightweight policy. Now, we're a minimum viable policy organization. So, policy for us is we wrote something down in plain English and we shared it with the team. And for us, we decided that right now, for the moment we're in, ChatGPT and others of the LLMs and generative AIs are really great productivity tools, but they're not something that we would necessarily want to trust with vast amounts of our sensitive information. So there are tasks in your business that they can be great for. Hey, I've got this idea. Can you help me think through a strategy type thing? Fantastic. I need to do some social media posts, and I need to have 15 variations of this thing that largely shares this message. Much quicker to do it in ChatGPT than it ever would be by hand. And those are fine, that's not taking jobs off people. It's just making them way more efficient. The things that we're not comfortable doing yet are things where we're putting very commercially sensitive things into it, because that data is then used to train these open models. So anything that goes into things like ChatGPT is used to train the model behind it.
So as more people use it, the data set grows, the model grows. Same with the generative images in things like Midjourney. The more images it sees, the more it can do. So the last thing you want to do is put your secret sauce into it unless you're happy for that to somehow make its way into the algorithm itself. The other side is you don't want to share anything that's not yours. So there's the documentation and data you have that's about your company and how it operates. And then there's the data you have that's your customers' or your suppliers' or somebody else's in your ecosystem, that's not yours to share in an AI model, and an AI model would be sharing that data. So remember when you sign terms and conditions with customers, when you've put arrangements in place, they haven't consented to you doing that. And so if you were going to be using any AI that was going to include their data, you need to communicate and get some form of acceptance that they understand what you're going to be doing with it and what the implications could be for them from a privacy and security perspective.
Now, the final thing is I think AI is great for us to use as a tool, but also it's a tool that's going to be used against us a little bit. I'll give you an example. We hire software developers, we hire marketing folks and as part of that process, we ask them to submit written pieces or pieces of code. And we're now in an age where you can ask an AI to help you write that, much like teachers must be having the same problem at the moment. And so you've got to have a chat amongst yourselves of how you approach that when you're recruiting. Is it okay for people to do this? Is it okay but they need to tell you what they use as their prompt and which bits they used and which bits they changed? You need to face that and have a discussion. Now, the most important thing before you get to any of that though is you need to have this chat with yourself. Now, when ChatGPT started getting really loud, a couple of months ago, I had a bit of an existential crisis. I'm gonna be honest because I started playing around with it and I started seeing what it could do and there was this weird part of me that was like, oh, hang on what this can do all of these things and what does this mean for me and my world? And I think each of us approach that slightly differently. You know, is it going to take this part of my job away? Is, can I trust this? Is it better than what I'm doing right now? Is it worse? How do I know what I'm doing here? And that feeling you have as a leader you've got to come to terms with before you then set the tone for your organization. So you need to go play with it. You need to go and have a look and you need to get stuck in and see how it makes you feel. Process that. Then do policy, don't do it first. But I think it's gonna be a really interesting space to watch. I'm married to an artist and in the art community, they have started embracing the old school art techniques like no other at the moment, sales of paints are through the roof in New Zealand. 
And that's because there is something inherently valuable in imperfection in the things that we create ourselves. And we need to remember that in all of this generative AI that sometimes the thing we did ourselves can still be better. We just need to remember the value was in the bit that was unique to us and not necessarily that it looked as glossy as everything else. So watch the art community if you want to see how this plays out because they're about to lose all of their income for Midjourney. So they're all adopting and adapting.
Jeff Bullas
00:43:17 - 00:43:50
It is very interesting, isn't it? I think AI, I think it can help us be more creative because it basically rearranges the deck chairs and everything around it. So you get new recombination. But yes, it's a fascinating space and I, we're experimenting with it. The whole team leaned in and but, you know, essentially, I think it's becoming the conductor rather than, you know, allowing it to do the heavy lifting for you. But then wrapping your own humanity around it as well, I think, which is the fun part.
Laura Bell Main
00:43:51 - 00:44:26
Yeah. And it's the stories, right? As humans, what makes us human, what makes us experience interesting is that each of us tell our stories in different ways and that we have a different view of the world and we're not aiming to all sound like each other. That might be, you know, the convenience factor of these things. So in some ways, it's going to make us a better editor because you're going to receive the output from these things and it's not going to sound like you, it's not gonna be your voice, it's not gonna be your view of the world. And so part of what we have to do is really understand what makes your voice and your business special and make sure that's still there. And I think that's a fun challenge to try and solve.
Jeff Bullas
00:44:26 - 00:45:02
It is, and that's where you may be using stories a lot more because they're basically gonna be yours. No one else's. So, just to wrap it up here in terms of how you can help companies and individuals, you've got some courses. So you really help both these software developers weave security into the code they're writing for corporations and businesses. On the other hand, you've also got courses that teach people the basics of security. So they've got an overall or overarching understanding. Is that correct?
Laura Bell Main
00:45:03 - 00:45:42
Yeah. Absolutely. And most excitingly, and I love being able to share this. We work with 1500 organizations in 76 countries. And a number of those are on our free plan and you can sign up for our free plan. There's no tricks, no gimmicks, no credit card promise absolutely. And you can train 50 engineers and 250 people in your main team on the essentials of secure development and security awareness with no costs, no tricks because we fundamentally believe that this is essential to us building amazing things in the future. So you can get stuck in, go to safestack.io and just get started for free. And so we welcome you and whoever else is in your business community.
Jeff Bullas
00:45:43 - 00:45:54
That's awesome. So any other tips to leave with our audience before and also how people can get in touch with you? What are some top tips and how can people get in touch with you and SafeStack?
Laura Bell Main
00:45:55 - 00:46:37
Well, I share a lot of security related content on my LinkedIn so folks can follow me or connect with me. There's Laura Bell Main. You can also find me on Twitter at Lady_Nerd. And what I recommend is security is vast and we're never done. So you know, do little bits at a time, try and break it off into chunks and just start with the basics you can control. So the next time you have to choose a password, make a good choice. Even if that good choice is to randomly mash your keyboard for as many characters as that box will let you and never try and remember it because you know what that will save you a lot of heartbreak later from preventable breaches.
Jeff Bullas
00:46:37 - 00:46:46
Okay. I think that's a great tip. Thank you very much, Laura. It's been an absolute pleasure to have you. So how can people contact you?
Laura Bell Main
00:46:47 - 00:46:51
So, I think LinkedIn is probably, yeah, LinkedIn would be a good place to start there.
Jeff Bullas
00:46:51 - 00:47:01
Alright. Awesome. Okay. That's the best one. Alright. Thank you very much. And I don't know what the weather's like in North New Zealand at the moment. It's sunny here in Sydney.
Laura Bell Main
00:47:01 - 00:47:07
We're raging tropical storms. So, hopefully we'll inherit some of your sunshine soon.
Jeff Bullas
00:47:07 - 00:47:10
Okay. Great. Fantastic. Thanks, Laura. It's been an absolute pleasure. Thank you.
Laura Bell Main
00:47:10 - 00:47:11
Awesome. Thank you.