
THEOS Cybernova
THEOS CyberNova is a cutting-edge podcast that explores the dynamic world of cybersecurity, hosted by THEOS Cyber CEO Paul Jackson.
Each episode delves into the latest trends, challenges, and innovations shaping the cybersecurity landscape, featuring insights from industry experts, thought leaders, and technologists. Paul brings his expertise and passion for cyber security to engaging discussions on topics ranging from emerging threats and data privacy to the future of AI in cyber defense.
Whether you're a professional in the field or simply curious about staying safe in the digital age, THEOS CyberNova offers an invaluable insight into the world of cybersecurity.
THEOS Cybernova Ep. 6 - Sam Coco: The Modern CISO’s Balancing Act—Security, Business, and Innovation
Is the traditional CISO role becoming obsolete?
In this episode, Sam Coco, Head of Global Information Security at Fidelity International, joins host Paul Jackson to discuss the evolving responsibilities of cybersecurity leaders. With increasing regulatory pressures, board expectations, and the rise of AI-driven security, today's CISOs must go beyond technical expertise - they must be business enablers, risk strategists, and strong communicators.
Sam shares his insights on how cybersecurity leadership has shifted from a purely defensive role to one that directly influences business outcomes. He also dives into talent development challenges, the need for security to drive innovation rather than hinder it, and how organizations can use cybersecurity as a differentiator in a competitive landscape.
Whether you're a security professional, an aspiring CISO, or just curious about how leadership in cyber is transforming, this episode delivers essential takeaways from an industry veteran.
Production Credits:
Presented by: Paul Jackson
Studio Engineer & Editor: Roy D'Monte
Executive Producers: Paul Jackson and Ian Carless
Co-produced by: Theos Cyber and W4 Podcast Studio
Paul Jackson: 0:00
Wherever you are in the world, hello and welcome to Theos Cybernova Podcasts. Before we begin, I've got a quick favour to ask from you. There's one simple way that you could support our show, and that's by hitting the follow or subscribe buttons on the app that you're listening to the show on right now. It makes a huge difference in helping to get the show out there to as many people as possible. So please, please, give us a hand and click that button now. Thank you very much.
Paul Jackson: 0:35
The Theos Cybernova podcast hosted by Paul Jackson. Welcome to another episode of Theos Cybernova podcast. I'm Paul Jackson and each week I'm digging into the latest trends, challenges and innovations shaping the cybersecurity landscape, as well as talking to a fantastic mix of leading industry experts, thought leaders, technologists and legal eagles, all with a particular focus on the Asia-Pacific region. So, whether you're a professional in the field or simply curious about staying safe in the digital age, we hope Theos Cybernova will offer up valuable knowledge and actionable insights for everyone. Today, I'm delighted to welcome a good friend of mine, Sam Coco. Sam is based here in Hong Kong and we're actually sat together today doing this podcast opposite ends of the room, but actually, Sam, this is the first time we've done one of these things together, but in the past we've been sat together on the stage on many occasions doing panel discussions, haven't we? So we're quite familiar with how to get along with each other. But welcome to the show.
Sam Coco: 1:46
Thanks, Paul. Thanks for having me. An absolute honor.
Paul Jackson: 1:49
Yeah, no, it's our honor to have you here because you are a cyber legend in the Asia-Pacific region. So why don't you tell us how you became a cyber legend, what's your story, what's your background? Tell the audience where you've got to this point.
Sam Coco: 2:03
Yeah, thanks, Paul. So I'd have to say, probably like a lot of cyber people, I started outside of cyber. In fact, I was in tech and I was doing systems admin and all that sort of good stuff and really enjoying solutioning and sort of finding the right path for people who had technical issues. But I kind of got a little bit bored with that, to be honest, and I put my hand up one day and an opportunity came up for an information security officer. This is when I was back in Sydney, Australia. Information security officer, I wonder what that is, is what my first thought was.
Sam Coco: 2:37
And I had to dig into it and look into it and I thought, yeah, this could have legs, this could be a great opportunity. Now this is over 15 years ago, and so I put my hand up, I got involved, got the role and, look, I have had quite a journey since right and I've done a lot of different things and obviously I've made my way here into Hong Kong and that happened not too long after. But certainly my career started in technology space, which is kind of my passion to start with, but it's certainly given me a lot of different opportunities and which I've embraced.
Paul Jackson: 3:14
Yeah, and you've stayed with the same company for many years, right? It's really unusual. When I get CVs from prospective hires, you normally see them move every couple of years these days, but you've stuck with the same company for how many years now?
Sam Coco: 3:29
Well, I think 19 on LinkedIn, 19 years.
Paul Jackson: 3:33
Wow, wow. That's pretty impressive, and is this something you recommend to future cybersecurity leaders? Stay with the same company. Build your career through that.
Sam Coco: 3:42
Interesting question because I always challenge myself and I always sort of think about what should I be doing differently? Or perhaps what does the grass look like on the other side? And my answer to your question would I recommend it to other CISOs? I think it really depends on the situation, right? They say you don't leave a job, you leave your boss, and I have, touch wood, had a number of really great managers in my time at Fidelity International.
Sam Coco: 4:13
I have not sat still. I've had lots of opportunities, I've had lots of areas to sort of grow into and work in different teams and, like I said, I've changed different, moved to a different country and I've had, you know, put my hand up for everything that's come my way. So I haven't done the same role. I keep adding more capabilities and responsibilities. So in that, it feels like it's been different jobs I've managed different people. So, for a CISO today, look, perhaps if their role wasn't right, perhaps you do want to look around. Of course you need to keep vibrant. You keep on your toes, find things that excite you, um, but I am grateful for, I've got to say, the company I work for.
Paul Jackson: 4:56
So, uh, yeah, I'm good with Fidelity. All right, and Sam, whoever your boss is now, if he's listening in, he or she's listening in. Yeah, give him a pay rise for that. Come on, that definitely deserves one. So you spoke about your move to Hong Kong and obviously you're a native of New Zealand, is that right?
Sam Coco: 5:16
Oh, I'm getting glad he's a native of Australia.
Paul Jackson: 5:19
I'm kidding, I'm kidding. Moving from Australia to Hong Kong. I mean, wow, quite a big step. What prompted that move? And any regrets? We get a lot of negative press here, don't we? Mainly because of geopolitics. And yeah, how do you find life here?
Sam Coco: 5:38
Well, let me answer that question. First, how do I find life in Hong Kong? It is fantastic, and you know, I was just having a couple of conversations today with my fellow Australians and they were saying well, Sam, what are you doing over Chinese New Year? Well, I'm going to go to Japan, for example. Actually, I am going to Japan, you know, it's five hours away.
Sam Coco: 5:57
And when I actually thought about it, this year, my wife and I have planned like five or six different trips over Asia Pac over long weekends, and that's one of the great, I think one of the great benefits of being here. But there's a variety of people you're dealing with, the proximity to being, you know, working in a global organization, which I do, the time zones, and there's lots of great things about being in Asia, number one. But Hong Kong specifically, I love the fact that there is a bit of excitement. There's lots of variety of things to do here, not to say Hong Kong is perfect. In fact, I'll go out and say no place is perfect, correct, but Hong Kong there's a lot of great things about it and if you can manage the challenges that you have and we are people who can manage a little bit of risk and adversity. I'm not saying it's risky, but you can find the beauty and the opportunities. And that's what I think I've done and I'm proud to call Hong Kong home.
Paul Jackson: 6:52
Fantastic. I think we're on the same page as you know each other. In fact, I actually bumped into the head of the tourism authority, or whatever they call it here, and I said you should get people like me and Sam on your show or to promote Hong Kong for you, because we truly love this place. I've been here many years.
Sam Coco: 7:08
That's a slam dunk for sure.
Paul Jackson: 7:09
Absolutely yeah. So look, and the other thing you do right and you do fantastically, Sam, is you give up your time to be part of the community, right? You're not just staying in your office complaining about the long hours, you get out there. I've seen you on the conference circuit so many times, right, it's how we've become friends, really. You know, we've participated in so many conferences together and I believe this is hugely important, right, sharing of information with the community, helping to, you know, develop talent, nurture, you know, potential among, you know, people who want to be in this industry, especially here where we live in Hong Kong. But how do you balance, you know, because you're in quite a sensitive role, you've got to protect, you know, your organization's systems, resources, etc. And yet, you know, to go public as you often do, how do you balance, you know, the demands, firstly on your time and secondly, on making sure you're not revealing any sensitivities for your organization?
Sam Coco: 8:04
Yeah, it can be a bit of a balancing act and obviously we need to be very mindful about not giving away key secrets or talking about anything you know, specific brands or anything like that. But fundamentally, the practices that we're talking about is definitely something that's approachable, something that you can give in the right level of detail without sort of you know, raising the alarm bells. But, importantly, we're giving back and it gives Fidelity some visibility right, which I think is very important. It gives us showing, hey look, this is the capability that we have within our organization, something we should be proud of, and it's a good way for us to also, I find, measure ourselves against my peers in the industry.
Sam Coco: 8:46
Part of why I go to conferences is to learn something, perhaps, and every now and then you get a little nugget of gold, but how do I compare against A other asset managers or B against FSIs, banks and so forth? But giving back and I think that's really what I've enjoyed. I've got to say just to add this one piece. You might find this surprising, but I consider myself an introvert.
Paul Jackson: 9:10
No.
Sam Coco: 9:13
I consider myself an introvert and I really always struggle with public speaking and getting in front of people, and this really took me outside of my comfort zone. And now I feel I can get on stage, particularly when I've got people like you moderating, paul, and we can have a great conversation that hopefully engages the audience and ask us good questions, but gives back and hopefully instigates some people to really think possibly differently of what they want to be doing. So I enjoy that and I really encourage my team, my team of information security officers, to do the same in their countries and regions as well. It's a great way to engage, learn and also challenge yourself.
Paul Jackson: 9:54
I think you just made one of the best points we've had on these podcasts, which is get yourself out of the comfort zone, Because time and again, you know cybersecurity experts will hide behind the fact that, oh, we've got such a busy job I can't afford the time to go and speak at a conference, or you know, my management won't like me talking at a conference and the reality is they're just not in their comfort zone when they're on a stage. And I did it many years ago, got out of my comfort zone. I was a cop but I ended up doing being on television police report and being the spokesperson for cyber as it became more prominent with the Y2K bug. I'm showing my age, I know, but you know it got me out of my comfort zone and made me feel much more comfortable about doing things like I'm doing now. And obviously the panel discussions think we've had on these shows that get yourself out of that comfort zone because communication skills are priceless as a cyber security expert. Spot on.
Paul Jackson: 10:51
Yeah. So, um, I had a guest on, um, previously called Nigel, Nigel Fair, and another Australian, um, and we spoke about the differences a little bit in the approaches to cybersecurity between Southeast Asia, if you like, and Australasia, Australia specifically. I know we're all grouped together as APAC, but I think very often Australia doesn't view itself as part of Asia in many ways. But what are the key differences? You've worked in both places. Have you noticed any differences in the approaches towards cybersecurity between working here in Southeast Asia and your work in Australia?
Sam Coco: 11:28
Yeah, that can be. It depends on the locations. I tend to see that some countries and I'm just talking about Asia as a whole I think there's a little bit of island mentality in some places. They think, oh, cybersecurity issues don't happen here. Or they like to compare themselves to local industry practices and that isn't good enough. Right, if you're a global organization, that's oh well, this is what our peers are doing in our country. That is often below what you're looking at globally, so maybe that's a bit different in Australia.
Sam Coco: 12:03
I'd say perhaps they are measuring themselves against global organisation, global standards, multinationals. Maybe they've also. No, maybe just they don't have that island approach, I guess, and I think maybe one thing to also consider is maybe Australia in my experience was about how do we support the business and clients to get the visibility. I think there's a bit more proactivity there. I think I might be generalising here. Perhaps In some areas people really pigeonhole themselves a little bit and perhaps they don't quite get the approach the same way as Australia does. This is our process, this is the way we go about things, so maybe that's holding people back a little bit.
Paul Jackson: 12:50
Interesting. Yeah, so Nigel commented that he believes that cybersecurity as an industry is better promoted in Australia. So you tend to get more people who are interested in being in that profession. Where there's a perception, perhaps in Southeast Asia, that it's, you know you're better off being a doctor or a lawyer or whatever. You drive the kids to be in the smart kids to be in those kind of professions. Do you get that sense or do you think that's just a myth?
Sam Coco: 13:16
I don't think cybersecurity is as sexy in Asia Pacific as it is in other locations. That's a good way of putting it. I will say that. And obviously one thing that we struggle with, I think, in Asia is the females in the role right.
Paul Jackson: 13:35
Yes, very much so.
Sam Coco: 13:36
I will say, though, there is one caveat I do have a team in China, and I'm fortunate we have quite a few in the infosec space who are female, which is great, but outside of that, I think it's a real challenge. You go to, obviously, our conferences, Paul. Yep. How many, you know, how many males and females? What's the ratio?
Paul Jackson: 13:57
It's not high. 100% agree and shameful on me, but every single guest we've had on the Cybernova podcast to date has been male and I'm trying my best to rectify that and you will see in future episodes we are trying to balance things out better, but it's hard because the vast majority of, unfortunately, of leading professionals in this region tend to be male and diversity is not great and I think it's something we need to change. Certainly, at Theos, I'm trying to hire more females and to help them to achieve those leadership positions, help with the career development, etc. Because it is a big bugbear of mine why we are not able to strike that balance in our industry. Okay, let's move on.
Paul Jackson: 14:41
So, um, when, also when I just talked to Nigel, there was definitely a perception, I think, that there's more cyber incidents in Australia than the rest of the region. Maybe it's because the news is bigger, you know, but you know you spoke about the perception that it's an island and she'll be right, kind of mentality and be OK, but yet we see lots of stories about breaches in Australia, big ones. What do you think about this? I mean, do you have any thoughts on why this might be? Or, again, is it just because the media are overblown?
Sam Coco: 15:12
Everybody wants a piece of Australia, Paul. I think that's probably mostly it. Look, maybe it's a few things perhaps. Maybe because Australia's got such a great economic situation, maybe it's greater visibility, maybe it's the geopolitical situations it finds itself in from time to time maybe just gets a because of those factors, gets a larger target on its back as well. You know, maybe you know, depending on who the attackers are, maybe if it is a nation state, obviously geopolitical perhaps. But perhaps you know, if there's a financial gain from it. Maybe people think, or maybe attackers seem to think, opportunity exists for greater monetary gain in Australia.
Sam Coco: 15:59
Yeah, it is odd because you do see large, large breaches in Australia, right, the ones we had a couple of years ago all over the news, pretty much every Australian impacted. I'm not sure we've seen to that scale anything else in Asia. Now that could be also because I think Australia is more mature in the way that hey, we had a breach, let's put a hand up and notify. And obviously there's new cybersecurity laws being discussed and drafted around ransomware payments you pay a ransom, you have to notify the authorities, which is an interesting and quite a forward-thinking approach. But I don't think. In Hong Kong, for example, I'm not sure we are anywhere near how many actual incidents occur versus what's reported.
Paul Jackson: 16:47
I'm sure the discrepancy is very large. I think you just, uh, you know, hit the nail on the head with your last comment there. Yeah, I do think there is an underreporting of incidents out here because, yeah, maybe they're not obliged to, but that's changing. I mean, the new laws coming in are going to require changes in notification and I'm sure we will see more incidents coming out of this part of the world. So let's see, let's see how it progresses, but it is an interesting dynamic. Certainly, let's switch gears a little bit and talk about talent and the perceived shortage of talent. So do you agree with this? I mean, I spoke to again another previous guest was in the recruiting business, cyber recruiting business, Craig Johnson, and you know we spoke a little bit there about the perceived talent shortage. Is this something you see in your role? Because obviously you're hiring people, you're trying to hire people, so are we, obviously? And do you find issues in hiring good quality people?
Sam Coco: 17:51
Yeah, look, hiring at the moment is a little bit is pretty much slow at the moment because we are not increasing our head count with focuses on cost and so forth. But if I cast my mind back not too long ago, um, the challenges definitely exist because what you're looking for it often is well, you know, you want five, ten years experience and I want all these great skills and all these great capabilities and I need you to be facing off with management and doing these reports and handling all these kinds of incidents. You know you're looking for the unicorns, which isn't realistic, but I think the challenges do exist, depending on the location. Some locations, I think their skills are probably more surplus or more available than others, and also there's perhaps a drift in people's expectations on salary. Yeah, I think that's also happening. They know there's perhaps a shortage and people are a little bit inflated in what they're looking for and budgets aren't quite accounting for that, particularly in large organizations. That could be a challenge. So, yeah, we know it takes lead time.
Sam Coco: 18:57
We one of the things we are think we are looking at is how can we build skills on the inside, right, how can we perhaps build up right training platforms and sort of pathways for staff to perhaps in the wide tech. Think about me in my early days I was in tech, I wanted to get into security. There's a pathway for me to build up some skill, build up some knowledge, so perhaps I can step into that role if and when it comes available. That's the opportunities we are looking at, and also graduate programs. So it isn't always about skills, um, skilled professionals. Is a challenge again, depending on location, um. But finding ways you can supplement that with internal people is sort of what we are looking at. Yeah, yeah.
Paul Jackson: 19:43
No, this is, uh, some very valid points that you raised there. So when you're interviewing and I've done a ton of interviews down the years, as you might expect, in my previous roles for potential candidates, it's always interesting to try and throw in a bit of a curveball, isn't it? And I kind of like to ask security leaders, you know when are you interviewing, do you throw in curveballs? Do you ask a question that you know that just really challenges the lateral thinking of candidates. Are there any good questions you want to share?
Sam Coco: 20:17
Yeah, I think I've got to ask this one question one time and now I throw it back to people. So what role does information security play in innovation? So it really makes people think about, well, innovation, security, and you know when you think about it. Of course they go hand in hand, but for people to be thinking about, there's no right or wrong answer. I want to see how people approach it right. Are they thinking about well, you know, security has a role to do this, this and this? Or perhaps they're thinking about well, you know, innovation as a whole and perhaps thinking about business requirements and regulations and so forth? So it's a curveball and I want to see how people respond quickly to these kinds of questions.
Paul Jackson: 21:01
Interesting. Yeah, no, that is a great question. And yeah, anything that challenges their lateral thinking and communication skills. Perhaps more importantly, that is the key. And, yeah, I always throw in questions that challenge them in a way that there's no right or wrong answer. It's how you express yourself and how you communicate. So any aspiring future leaders be aware that the expectation is not on a right or wrong answer, just how you articulate things and how you can reason and how you logic, how you use logic in your answers. So good one, good one. I like that. Without getting into specifics, you're, you know, head of cybersecurity, etc. With your current organization. What are your main priorities at the moment? What are you? What are you really focused on right now?
Sam Coco: 21:47
Just to clarify, it's a head of global information security, so my role is very much a GRC side. You know a big part of what we do on my team. I've got information security officers across the globe. We've got the cyber risk team under my group and we look at vendor risk and so forth. Priorities, you know, priorities is definitely around understanding regulations and how we can work better with the business, not just making sure applications are safe or make sure their projects are going through the right checks and balances, but also with our client engagement. How do we utilise security as perhaps a differentiator to say, hey, this is how great our organization does with information security or cybersecurity and how we protect your information? Because there is a growing focus from clients on due diligence, right, just like we do due diligence on our vendors. They want to know all the ins and outs, not just security but all the ins and outs. But we really want to sell how much we invest and focus on security. So there's that part and how can we use it as a differentiator? The regulation piece that is not a small piece of work and that's complex. Then harmonising it all and then bringing together global requirements and inter-reporting requirements and, of course, your operational resilience. There's quite a lot happening in that space.
Sam Coco: 23:10
I think, finally a big part for us in the next 12, 24 months. How do we get a better understanding on A, how we measure cyber risk and bring that to the boards and bring it in a way that means something to the organization, right? Not just, oh, ransomware is such a big threat. This is what it means to us, this is our controls and actually this is our risk appetite, and what should we be doing differently, if anything, in order to reduce our risk appetite? But, on the flip side also, how do we measure our compliance? Kind of fundamental, but how do we measure our controls, measure our compliance and so forth?
Sam Coco: 23:48
Also, one more thing is a real big focus for us, and Gen AI is all over the headlines, but we really want to utilize that in a way that will help us to achieve that compliance. Fundamentally, we create all these policies and standards and we make it so damn complex, right, we make it so hard for people. How can we utilize these tools to perhaps simplify the wording, help people to consume that or distill it into something meaningful to them so they can comply, because sometimes we bamboozle people, right, we don't do ourselves favors. Oh, just look at that library of 20 documents over there. I mean, let's help people and I really, I really hope that we can utilize these great capabilities to simplify what people need to do and then hopefully get us to a better position of compliance.
Paul Jackson: 24:37
Absolutely, and I think we were both at a conference recently where the focus was on using AI for security, for the benefit of security and compliance, and there were some brilliant ideas that were brought out of that conference. So, again it's, there's a lot of value, isn't there, in getting out into the community and hearing different, different points of view and different thoughts. So, yeah, great point. Um, I was reading and I shared this with you a LinkedIn post just recently. Uh, that uh proposed that a CISO is no longer needed, and I'll quote from it. It said that cybersecurity is a shared responsibility, not owned by a single executive, and that boards now expect other executives, CIOs, CTOs and CEOs, et cetera to demonstrate cybersecurity literacy. Reducing reliance on a single point of expertise, and quote the end of the traditional CISO does not mean the end of cybersecurity leadership. It means evolving beyond a single point of accountability to a model that is integrated, dynamic and resilient. It's an interesting way of thinking, isn't it? And what do you think about that?
Sam Coco: 25:51
I think we're somewhere away from there. I agree with the first part of that statement the accountability, the broad, the literacy, 100%, and that's not new. But again, let's be clear here we're talking about organizations that have cyber maturity. Right, they're in the conversations. Oh well, we're this, we're that level of maturity, not the, you know the bare bones, and we don't have an IT security function. We're talking about mature organizations. And how much of that is the whole population? It's not a great deal, I don't think.
Sam Coco: 26:20
But in terms of the CISO role, look, there is, has to be, accountability across the senior leadership. But when a push comes to shove, people need someone to make decisions, right, somebody to make a decision on how we're going to. You know what's going to be our baseline on doing this level of control, or what's going to be our choice in terms of this solution? Or, hey, are we going to set up a function in this part of the world or that part of the world? Or, hey, what geopolitical risks do we have to manage at? You need somebody at the forefront to make those calls, because it's all well and good to say well, it's greater accountability. But, um, cyber, look, if I talk about cyber security, sometimes people don't want to make the decisions right and they always look up, and you can't go to the board for every single decision. That's not feasible, right? So I think there is a role, definitely a role. There's a figurehead, someone who's visible, someone who's engaging externally as well. But it will evolve in time, for sure.
Paul Jackson: 27:18
Yeah, I guarantee you. Yeah, that's a good answer to that, you know. I think it's important, though, that we put these points out for discussion, because, you know, the role of the CISO is ever-evolving, right. It's ever changing. It's a dynamic role for sure, isn't it?
Sam Coco: 27:32
Every I'd say every role in cybersecurity is evolving, right Like back to when I my early career. Maybe I didn't mention, but when I picked up this role I was the only person in information security cybersecurity, I should say, in Asia Pacific. Now I grew the team and you know today we're about 50 or 60 people, but I was only person and you know the thought of having. You know the granularity of functions we have today didn't exist. So it is a fast evolving space. We all have to, of course, learn, keep up to date, understand the regs, certifications. There's so much to do, but importantly, we have to adapt with our business. And to the point about the evolving role of the CISO, I'd say a big step forward, I should say an important step will be that greater collaboration. Right, that they are a business partner, that they are. You know, how do we enable the business, not just the oh well, this team says no or this team is going to push the button to stop things or whatever else. No, it's more than that. How do we add greater impact in a positive way to the business.
Sam Coco: 28:39
Understanding, I think the CISO need to be obviously understanding the tech, but the business, the regulations, the privacy aspects, bringing all of that together, I think there's a lot of gray area. Certainly, I find in my role as an ISO there's a lot of gray area. But I kind of enjoy that gray area because I get to engage with so many different people and that's what I love about my job, right, working with different teams up and down. I mean yesterday at a board meeting doing some cyber awareness, right, really enjoyed it. You know, obviously, board members there really really, you know, enjoyable conversation. We engaged well and hopefully took something away from it. But being able to converse, being able to engage and have those different conversations, I think is an important role and I see that happening. I see so, but across different teams.
Paul Jackson: 29:32
Yeah, that's fantastic and I love your energy, by the way, and your passion for this is coming across loud and clear here. But one of the questions I'd listed down here is actually related to boards and ExCos, and I know you've been with the same organization for a long time, so you're probably only seeing one perspective. But, you know, obviously you're part of the community, the Cyber Legends community, and how do you see, you know, others discussing this? Do you feel that boards and ExCos are now taking cyber much more seriously than they were, say, five years ago?
Sam Coco: 30:06
Yeah, I think they have to. I mean, obviously the regulations are sort of pushing in that way. One of the roles that's, you know, personally, my role, my position in region, there's regulated responsibilities. So I have a duty to make sure that, you know, board members and senior management are aware of their accountabilities. They're aware and they are sufficiently aware of, you know, perhaps, processes and how to handle an incident and so forth. So there's definitely an understanding, a level of understanding. So that's changing. I don't think it's changing dramatically recently, though. I think it lifted a lot and I think it's kind of tapered off, right. We had Singapore, Hong Kong put in some regulations, Taiwan's put in new requirements for larger organizations. You know, we've got certain in other locations that you have to provide cybersecurity-specific training to some boards. So it's happening in pockets, but I think it's more that can happen.
Paul Jackson: 31:07
Absolutely. I do a lot of board briefings, ExCo-level briefings, and I think you're right, I am seeing definitely taking this extremely seriously, as they have to in their roles managing risk for organizations, because cyber risk is probably top of the list these days for many organizations. But again, it's tough because their skill sets tend to be in different areas. It's more business-driven and finance-driven, et cetera. So it's a whole new world for a lot of them, and I think one of the skills that leaders in cyber or information security need to have is, again, it comes back to those communication skills and being able to translate what are very complex concepts into business language, right? 100%.
Sam Coco: 31:46
I mean, how do you keep the narrative relevant? Right, it's all good to show stats and all, here's, uh, you know, this, and these are incidents and this is what we're seeing here, but how do we keep it relevant for them? How do we make it meaningful for them to say, hey, this is what I'm doing for you to keep your entity or your organization, uh, safe? So that's, you know, it's not easy, right, because you've got different countries, different requirements, different this, different that. It's not easy.
Sam Coco: 32:12
But making it relevant and, to your point, you said, bringing in language, you know, distilling it in a language that helps them to understand and consume in a way that is meaningful. And the fundamental thing, you know, always think about your audience when you do your update or whatever you're doing. Are they going to say, "So what?" So what, right, you're going to be able to answer into that? So I think, uh, making sure they know what that "so what" is. And, hey, we did this. Well, this happened externally and this is why it's important for you and why we do it better here, or whatever the message is. Changing that narrative is certainly one we need to work on. Fantastic.
Paul Jackson: 32:50
Okay, let me switch things around a little bit because, as you know, I recently joined THEOS as their CEO. A bit of a bold step for me, a step into the unknown, but, uh, you know, a few months in, I'm loving life there. But what I'd like to do is listen, right, understand from the client side what we could do better. And, you know, I've sat on your side of the table as well in big banking world and I always think, you know, what advice would you have for cybersecurity, information security vendors in this day and age? What would you like to see done better? And I know we have a lot of vendors who listen to this podcast, so maybe this advice could be useful for a lot of the listeners.
Sam Coco: 33:30
Let me first of all just say again congratulations on the role, Paul, because I'm super happy and it suits you very well and you've even got a special hat, so good on you. I have the guidance to do vendors. This is a tricky one because probably, like a lot of leaders, inundated with, can I say, crap. Sometimes we get inundated with stuff and noise. What I hate the most is, uh, vendors who are trying to trick you or perhaps being a little bit coy about what their message is. You know, a few emails. "Oh hey, Sam, I understand you do this, this and this."
Sam Coco: 34:09
"Well, we found A, B and C," and sort of suggesting they may have found an issue or a vulnerability, and that's using that as a gateway. And, of course, you engage, right, you got a duty of care. What, you found something? Great, tell me about. Let's have a conversation. "Oh no, we didn't find anything, but we could," and this and that, and that's cheeky and that I don't agree with. Let me tell you what engaged me really positively a little while ago.
Sam Coco: 34:36
So it was about the panel conversation I was doing, I think it was in December, and of course that's on LinkedIn and it talks about AI and cybersec or the topic, and somebody at an organisation saw that and they reached out to me and they said, "Sam, hey, listen, here's some material from us which relates to your panel, which you might find useful." They sent me a few PDFs. It's a consultancy, I won't name any names. They sent me a couple of PDFs saying, hey, this relates to your topic. You might find this useful. Good luck for your panel tomorrow. You know what? I was super impressed. How easy is that? That is good. That is, how is that? I'm probably giving away this person's secrets, but I was super impressed and I said, yep, you want my time. Good on you. Yeah, let's have a catch-up, let's talk about it and we're having a conversation, right. But just that little bit of finding something meaningful and change the narrative to say, hey, this might help you. Yep, you got the foot in the door.
Paul Jackson: 35:43
Great advice, great advice. Thanks for that, Sam. Okay, look now. When we're on panels, you know where I'm going with this, don't you? When we're on panels, you often turn the tables on me and, you know, I'm the moderator and you're one of the panelists and you start asking questions back to me, and there I think I'm in for an easy ride and I just get to sit there asking all the tough questions and now you throw them back at me. So I'm going to give you another chance at this. So if you were hosting this show right now, what key question would you be asking me?
Sam Coco: 36:12
Uh, look, obviously you've had, from where I'm standing, a very varied and exciting and probably, um, exciting career full of stories. Paul, if there's one thing that you would change in your career, what would it be? Oh, wow. And you can't say nothing.
Paul Jackson: 36:32
That's not fair because I think, yeah, there's very little I would change, and I'm not saying that in an arrogant sort of way. I'm a great believer in having no regrets. So, yes, there have been disappointments along the way. You know, my previous company shut down the capability in Asia just as it was growing and becoming the brand to go to right, certainly for DFIR and for many other things, and those were out of my control, beyond my control.
Paul Jackson: 36:58
So how can I ever regret about something that's beyond my control? It's a really great question and I know I'm copping out, but really there's nothing, because I've made mistakes, we all make mistakes, but I've learned from all those mistakes. I don't dwell on them, I don't, you know, sit down and mope about them. I go, I'm not going to let that happen again, and move forward, right, and by taking this step into being the CEO of a company, I could have easily gone back to being, you know, a same old role of being a regional MD in a larger company, but instead of which I'm embracing a new challenge and doing things outside my comfort zone, to your point earlier, and trying to leave a legacy, and I will make mistakes on the way, I know it, but I'll learn from those mistakes and do it better. So it's very hard for me to pick on a specific thing that I regret, because I try not to have regrets in life. So cop out, I know, but that's my answer.
Sam Coco: 37:55
Damn you, Paul. That was a good answer, I think it's, well, you know what? I'm not hugely surprised. It's about resilience, right, I think in our roles you have to be resilient and I've always been a believer that you make your own luck and, you know, you make things happen. So, similarly, right, I'm answering my own question here, I've got no regrets. You know, you learn from things, you develop from things and you take that as opportunities to grow and sort of pivot. But it's life and you've got to be ready for the ups and downs. So, um, you know, I wouldn't be where I was today with, uh, you know, making some wrong choices, um, but, you know, we've got to the right place and I think it's a journey.
Paul Jackson: 38:38
That's, uh, you know, what it's all about. That's a wonderful way to close out the show, but I always have one last question for my guests, and I'm a music lover, right, you know that, and I get fascinated by, because I don't know in advance the answer, right. So I always get fascinated by the music choices of my guests. I think it speaks a lot about the personalities as well, and I've had a few surprises along the way. So tell me, what do you listen to, where, you know, do you have music on in the background when you're working? Do you use it to decompress after work, or do you, you're not a music person at all? Uh, I wouldn't say I'm.
Sam Coco: 39:14
Let me answer your question this way. So you say you try to tell about somebody, about their music choices? You know, you can't look past the 1990s classic by Robert Van Winkle, aka, known as Vanilla Ice, Ice Ice Baby, one of the world's best songs ever written. Now, I'm not sure what you can take from that, Paul, but look, I do like Ice Ice Baby. It was definitely one of the classics.
Sam Coco: 39:39
But, in answer to your question, I do a lot of running. As you know, I try to keep in some sort of shape. So I like music that energises me and keeps me going, and maybe on the 1990s sort of theme there, I do listen to a lot of 1990s, 2000s, 2010s, like top of the hits, right, a bit of everything, um, but I'd probably say I do probably favor towards, this might be a surprise to you, but, uh, EDM or electronic dance music, um, that gives me a bit of energy. So, yeah, it's probably my favourite kind of genre.
Paul Jackson: 40:14
Fantastic, great way to end the show. Sam Coco, you've been a nice, cool guest. Thank you very much for joining me today. So THEOS Cybernova was presented by myself, Paul Jackson, the studio engineer and editor was Roy D'Monte, the executive producer was myself and Ian Carless, and this podcast is a co-production between THEOS Cyber and W4 Podcast Studio.