In this engaging On Location episode from AISA Cyber Conference 2024, Sean Martin and Sian John MBE explore crucial topics such as the carbon impact of AI, the importance of OT security, and the intersection of cost, regulation, and sustainability in today’s business strategies. Their insightful discussion offers a forward-thinking perspective on how organizations can navigate emerging trends and regulatory landscapes effectively.
Guest: Sian John, Chief Technology Officer, NCC Group
On LinkedIn | https://www.linkedin.com/in/sian-john/
Hosts:
Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/sean-martin
Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast & Audio Signals Podcast
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli
____________________________
Episode Notes
During the recent AISA Cyber Conference 2024 in Melbourne, notable figures Sean Martin and Sian John engaged in a compelling conversation about emerging trends and significant topics within the cyber industry. The discussion covered a range of subjects from the importance of availability in operational technology (OT) security to the environmental implications of artificial intelligence (AI) and analytics. Sean Martin noted the communal focus of the conference, highlighting how initiatives driven by members of the industry, like those led by the AISA Perth chapter (as noted by Sian John), contribute significantly to the cybersecurity community.
Sian John MBE provided an in-depth perspective on the global regulatory landscape, pointing out how digital disruption is driving an increase in regulations. She emphasized that privacy regulations now affect more people worldwide than ever before. John observes that while some regions might roll back regulations, the overall trend is increasing around regulatory scrutiny.
Another key topic was the carbon impact of AI and analytics. Sian John pointed out the substantial environmental cost associated with training large language models, referencing research by PwC and Microsoft showcasing the significant carbon footprint involved. She argued for the need to integrate sustainability into technological advancements, coining it 'green by design.'
The conversation also touched on the vital importance of OT security in the context of achieving net-zero carbon emissions and advancing renewable technology. John pointed out that while OT security has been a topic of discussion for some time, the urgency is now heightened as regulatory focus intensifies and renewable energy projects increase. When it comes to triggers that drive action, finance could win out over regulation in this case.
The dialogue also explored the broader implications of security, extending beyond the traditional realms to incorporate business resilience. Martin stressed the necessity for organizations to adopt a risk-aware approach that encompasses both cyber and business risks. He posits that mature organizations, which effectively integrate resilience into their operations, are more adept at navigating regulatory changes and emerging threats.
Finally, the cost of security and operational efficiency was discussed. Both speakers agreed that in a world with rising power costs, the drive towards efficient, sustainable practices is also economically motivated. This underscores the intersection of cost, regulation, and sustainability in today's business strategies. As the conversation drew to a close, the future-oriented outlook shared by both speakers reflected a pragmatic approach to the complexities of modern cybersecurity, emphasizing efficiency, regulatory compliance, and sustainability.
____________________________
This Episode’s Sponsors
Threatlocker: https://itspm.ag/threatlocker-r974
____________________________
Resources
Learn more and catch more stories from Australian Cyber Conference 2024 coverage: https://www.itspmagazine.com/australian-cyber-conference-melbourne-2024-cybersecurity-event-coverage-in-australia
Be sure to share and subscribe!
____________________________
Catch all of our event coverage: https://www.itspmagazine.com/technology-cybersecurity-society-humanity-conference-and-event-coverage
To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcast
To see and hear more Redefining Society stories on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-society-podcast
Want to tell your Brand Story Briefing as part of our event coverage?
Learn More 👉 https://itspm.ag/evtcovbrf
Building Resilience in a Disruptive Digital Landscape while Being Green by Design: Addressing the Carbon Footprint in Cybersecurity | An Australian Cyber Conference 2024 in Melbourne Conversation with Sian John | On Location Coverage
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.
_________________________________________
Sean Martin: [00:00:00] It's good to see you. Different part of the world this time. It is, first time we've seen each other. I don't know how long it's been. RSA I guess. RSA, I think it was the last time we saw.
Decent distance back.
Sian John MBE: Yeah, a few months ago.
Sean Martin: Next one's coming up, but we're not talking about RSA. No. They did have an RSA CESA bootcamp. I don't know if you were able to attend that or not.
Sian John MBE: No, I wasn't able to attend that.
Sean Martin: Evidently a bunch of CISOs got together and uh, had CISO talk. Alright, great. I'm not allowed in those.
No. They don't let me in. But uh, here we are, Australia Cyber Conference in Melbourne, hosted by ASA. Uh, your first time in Australia, your first time at the conference. Yes. What do you make of it?
Sian John MBE: First time at the conference, yeah. So, I really uh, It's quite good to see the real spread of different interesting talks that are happening here.
Lots of, lots of talks on the same theme. Well, there's lots of themes, but they've got quite a few talks on each theme, which is really interesting. Some, some interesting talks. I went to a [00:01:00] really good one this morning. And then we go. I'm pronouncing that wrong. All about building inclusion into cyber, which is really diversity inclusion.
It was really about outreach to different communities to get them to engage with cyber as a topic. I thought that was really fascinating, so. Yeah, no, it seems like a really exciting conference, so.
Sean Martin: Yeah, and the one thing that I like about, well, lots of things that I like about being here, but, um, ISA is a member driven organization.
And so, it seems they invest a lot into the community around Australia, um, and bringing more folks in, enabling them. And supporting people that are in the industry, giving them the opportunity to participate in a conference like this. And in Canberra, I think it's a little more government focused, but, uh, just very member, very human
driven
for many, many years.
Which is really cool.
Sian John MBE: And I happen to be, uh, in my hotel with somebody I know who happens to [00:02:00] run the ISA Perth, uh, chair of the ISA Perth chapter. And, yeah, it's the same, it's like the same thing. And you could see the community there of a lot of people chatting to each other. That's always when we do really well in this industry, isn't it?
When we really get together as a community and it's, it's great to see that. And in terms of the way they're really thinking about, you know, topics and environment and, and avoiding people doing too much selling, unless it's on the exhibition floor, you know, making sure that they're actually sharing insights, but I think making sure that in the talks is about sharing insights and things that are going to help and, and communities talking to each other.
It's really good.
Sean Martin: Yeah. So what, um, I don't know. So you said you got a session this morning. Are there any topics or themes that you've been following the last number of months that you see kind of transfer here and being discussed here?
Sian John MBE: There's one talk I just gave actually which is, there's about four different sessions on it, which is really good, which is really, and mine was next year on [00:03:00] cyber, but it's really about that impact, carbon impact of AI and analytics.
But then also about the need to, the need to secure all the stuff we're going to do to do renewable technology and OT security and all those environments. And that's it. Yeah, OT security has been around for a long time and people have been talking about it. But it really feels this year that people are beginning to realize how important it is, particularly with that.
Yeah, we've done the easy stuff in net zero. Now we now got to do the hard stuff. And with that drive to renewables really does mean more OT. Also, you've got more regulation, like in Europe, than this two directive in the UK bringing in their new version of the Critical Asset Infrastructure, uh, Security.
Just seeing that realization from a regulatory perspective of the impact of something going wrong in that OT environment. So, although we've been talking about it for a long time, it does feel like we're at that, that tipping point at the moment where, you know, [00:04:00] actually thinking about industrial control system security is essential.
Sean Martin: You raise an interesting point. I don't think you're saying this specifically, but it's in my head now. Um, and I'll connect it to kind of the ESG. So, for years, decades now, we talk about, or have talked about security as the CIA triad. Yeah. Confidentiality, integrity, availability. A lot of focus in recent years on confidentiality with privacy and GDPR and those types of things.
Um, some integrity when we start talking about Health records and financial records and things like that. Availability seems to have kind of, yeah. Fallen off the the, and maybe it's just transferred to it and security doesn't think about it too much, or I don't hear the stories.
Sian John MBE: I mean, I mean, in the OT world, it's all about availability, isn't it?
Right. And I think if you think about as we go through digital transformation and we rely completely on technology to run our businesses, then actually [00:05:00] availability is much more important in our world than we think about it. All you have to do is think about any of the high profile outages you've had this year and I'm not going to name any names.
Uh, but if you think, if you think about them, you know, whatever the cause, whether it was, you know, an update or, uh, uh, uh, uh, it's an infrastructure issue. The impact that had on actual the real world, because there is almost no business now that doesn't rely on technology. That's the side effect of digital transformation.
And so literally, yes, we think about availability being an OT thing, but actually it's an infrastructure issue. And I'd actually go in the integrity world. Yeah, there's a data integrity in a world of AI and large language models. That integrity has got to include provenance. So not only is it the right data, but do I know where it came from?
So that's the that's probably might be the C. I. A. P. Triangle in a few
Sean Martin: right provenance as well. Yeah, because in so then for me, the connection to E. S. G. Is not just binary. Is it available or is it offline? [00:06:00] Did we mess up? It's a scale of performance. How much resources are we using to get the value out of it?
Um, I mean, we look at blockchain, right? How much, how much money are we spending to mine coins and all that kind of stuff? And when we start looking at AI and OT.
Sian John MBE: Yeah, that, I mean, that's the key thing I was talking about. If you look at AI, particularly large language models, analytics, the environmental cost of that, the carbon footprint, environmental costs of this.
Slide I've got for some research done by PwC and Microsoft, which like, if you look at like the average human life is like 11, 000 pounds of CO2 a year to run, um, the average American about 36, 000 because you're a little bit more carbon heavy than the rest of us. Um, like our hummus. Yeah, yeah, yeah, exactly.
Yeah. And then, and then it's something like 166, 000 to train a model. So it's like you just think about that even higher, higher expansion. And I'm remembering that stuff off the top of my head. So I might have been wrong. I think might even be higher than that. And that's the reality is everyone's going, [00:07:00] let's use, use, and they're talking about, you know, large language models are going to kill search, but it's, it's probably what, I think it's up to a thousand times more carbon intensive to do an AI generated search than a, than a straight up traditional search.
So it's all that whole about, think about green by design.
Sean Martin: Who cares about that? Who's going to?
Sian John MBE: No one's cared so far. Well, actually, I'll tell you, I was taught a lot from the Microsoft. The, the hyperscalers care because that costs the money
Sean Martin: to do
Sian John MBE: the training. So A and GPU,
yeah.
Or if you actually look at what they're trying to do, cause they were trying to keep the cost down and actually hit their sustainability targets, they're trying to do things like demand shifting and time shifting and moving it to where they've got more green energy available.
And, and that's, that's what hyperscaler can do. But if you're doing it locally, it's all that thing about, you know, Yeah, we're talking about secure by design. We almost need to be secure by design and green by design at the same time.
Sean Martin: Right.
Sian John MBE: [00:08:00] And, yeah. And all of this is going to rely on OT. Because it's all about renewable energy, which relies on OT.
Sean Martin: And we were talking to, uh, of course you know Abbas. Yeah. We were speaking with him earlier. We were talking about, uh, sovereignty.
Sian John MBE: Yes.
Sean Martin: So, you might be ham, hamstrung in terms of where you can put some of these things. Yeah. Where maybe some will be. Some countries might have some carbon to give. But if your sovereignty laws say no, then you may not be able to.
Sian John MBE: So maybe what you do is you have the whole international smart grid to pull the energy off them. Or, but within, even within a country, so say within Australia, you might say, It's really sunny in Perth. Let's move things to the Perth data center. And then it's like, it's not, it's, It's windy and rainy in Melbourne, which it's actually not now, but it was yesterday.
Yeah, but you know, let's use the, the, I don't know if they've got wind farms here, but you know, that whole idea of even within a country, you can move it to whichever data center has got the best mix of power at any point. [00:09:00] If we can harness the fog,
Sean Martin: we would have done great.
Sian John MBE: Exactly, yeah, exactly.
Sean Martin: Yeah, so clearly you get to work with a lot of large organizations who are forward thinking and mature.
Um, ESG is still a thing? Exactly. It was a big thing I heard at least a year or so back. It hasn't been much on the radar, for myself anyway, in the last year.
Sian John MBE: It's still required in people's annual reports, where we are. I suspect it's going to become less of a thing in certain parts of the world, without saying too much.
But having said that, in a world where power is getting more expensive, you don't have to be about ESG to be thinking about how can I do things in the most efficient way possible. And as much as we might politically decide not to do it, the reality is what there's been more climate, um, emergencies this year than in any year.
Yeah, I've got to look at the floods in Spain, um, the [00:10:00] floods here in Australia. And they're becoming these, these once in a lifetime events are now becoming once every two or three year events. And that's the reality. So whether ESG is on the current political, uh, listing or not. Thinking about how do we do things most sustainably is about actually how do I run my, my business and what I'm trying to do in the most cost effective manner, the most efficient manner, but also in a way that maybe allows us to, to carry on for a little bit longer.
Sean Martin: It's a security story all again. Yeah. It's exactly the same thing. Do we, do we protect for the, the value of being secure? Do we protect because we have a regulation we have to, you know,
Sian John MBE: That's the challenge, obviously regulations driving it. I do think with where power costs are in the world, doing things as efficient as you are, it's not even an ESG decision, it's a, it's a, it's a save money decision.
Sean Martin: Always comes back to the pound and the dollar. Exactly, exactly. What else are, uh, [00:11:00] what else is top of mind for you? I'm sure AI, you talked about OT, are there other things? Um,
Sian John MBE: I mean, obviously, I mean, I think about in the world at the moment, it's probably what three major trends. So there's like the idea of disruption as usual being the norm.
So I was in a meeting with the Bank of England and I said, like the next 10 years, it's not, we're not going to get back to business as usual. It's going to continue being disruption as usual. I think about that in the digital world, that's digital disruption as usual, which, you know, is good in the way that that's lots of technique, new tech, new digital stuff going on.
And then it's chaos. Bad in the way that, you know, it's not a very stable geopolitical, socio technical environment. across the world at the moment, so economic environment. So from a point of view of what we've got to do, it's like, how do I harness new technology in the best way possible, most securely I can, but in a world where long term investment is all very difficult and, and funding and things like that.
You know, the next one is that, that global regulatory landscape just [00:12:00] exploding because all that digital disruption, people being worried about it. And whatever's going to happen in certain parts of the world about whether they're going to have regulation or not, obviously your part of the world, whether they might roll back regulation.
The reality is that everywhere in the world is regulating. I think, you know, Sir Gartner said something a couple of years ago that really struck home to me that there's more people in the world that are now subject to privacy regulation than actually have access to clean water. And that's, you know, whether they actually appeal a plea with it, but that's the reality we've got.
And then obviously the cyber threat's not going away. And obviously that expanding and growing cyber threat. So it's My threat intelligence team are here with me this week talking about that. And then we think, Oh, great. The cyber threats driver, that's going to drive investment, but it's almost like it's becoming endemic now.
And when anything becomes endemic, it becomes more BAU. So it's like, it's less fear, uncertainty and doubt. So if you think about, you know, even going through like COVID and the pandemic, it was all big, you know, when it was a pandemic, it was. Lots of big [00:13:00] reactions, depending on where in the world. And now it's endemic and, you know, people are still catching it.
People are still getting sick, but it's just part of life. And there's a different level of investment that goes at those levels. And I think we're probably at that point now where, yes, the cyber threat is rapidly rising, increasing, but actually is endemic, which is why cyber resilience is such an important topic.
At the moment, it's talked about from a regulatory perspective, but actually just think about it in a world where, There's digital disruption, everything's changing, there's a growing regulation and a cyber threat's growing. That's why resilience is so important because you've just got to be able to build your business to carry on and operate.
And there's business resilience and then cyber being a key part of that. Not, let me have a big, massive investment and program right now. It's almost part of the maturing of our industry, isn't it really, as we invest.
Sean Martin: I'm glad you went there because I was going to ask you, back at RSA, and even For a few months following, there was a lot of conversation around resilience.
And with a focus [00:14:00] on cyber resilience, but then an expansion to business resilience. And so for me, I'm a risk guy. I like to look at things from a risk perspective. And it's not just cyber risk, it's business risk. And how do we mitigate that? How do we respond when, when something bad happens? Um, do you see, um, Obviously we're going to see shifts in policy, shifts in global positions on different things.
Um, my sense is if you're a mature organization and think about risk in the right way and resilience in the right way, you can maneuver your operations and the way you manage your organization to where those things flow. If you're not looking at it, if you're too myopic, you might be off the mark and not be able to handle it.
To ride that wave.
Sian John MBE: And it's always the challenges, like, even with any cyber incident, if you're large enough, you'll probably survive it, [00:15:00] and if you're small enough, you maybe haven't got the cash flow to get through the incident, so, uh, it's the same principle, and I think that's why resilience is important, and even from a small organization, it's like, you're not going to be able to spend, you know, 90 percent of the money you make on, on cyber, but you don't need to.
It's about making sure you're thinking about the risk and investing in the right place to be most resilient. And if that's following a government standard or something like that that helps you, that's great as long as you don't just tick the checkbox without thinking about is this actually helping me reduce my exposure.
Sean Martin: Yeah. It's fascinating. It's going to be interesting times ahead. It is. Very interesting. Interesting times. And then of course there's all the, what your team looks at, all the threat.
Sian John MBE: Yeah.
Sean Martin: Which is a whole other game. Maybe we can chat about that at another time. But, um, yeah. I mean. We're just trying to survive and then we have the bad actor
having fun with us too.
So, um, good times ahead. Well, it's always a pleasure, Sean, to see you. [00:16:00] And, uh, this time down under, maybe back in San Francisco.
Sian John MBE: Yeah.
Sean Martin: After the new year anyway.
Sian John MBE: Yes, hopefully. Yes, definitely.
Sean Martin: And, uh, fabulous chatting with you. Always good to see you. Great, good to see you. Thank you.
Sian John MBE: Thanks very much.
Sean Martin: Thanks everybody for listening.
Thanks. And, uh, please connect with Sean John. Super smart, obviously, and stay tuned for more episodes here coming to you from AU CyberCon in Melbourne.