THEOS Cybernova - David Gee: The Leadership Playbook for Aspiring CIOs and CISOs

Show Notes

What does it take to transition from a cybersecurity practitioner to a strategic leader? In this episode, Paul Jackson speaks with David Gee— a seasoned CIO, CISO, board advisor, and author of The Aspiring CIO & CISO—to explore what it truly means to lead in cybersecurity.

With over 25 years of experience in global technology and risk leadership roles at Macquarie Group and HSBC Asia Pacific, David shares his journey from CIO to CISO and beyond. He breaks down the skills, mindset, and experiences that define great leaders. David discusses the importance of mentorship, how to elevate teams, and why authentic leadership is about empowering others.

From cyber career growth in cybersecurity to influential roles in the boardroom and the security of critical infrastructure, this episode is packed with real-world wisdom and actionable strategies for the next generation of cybersecurity leaders.

If you’re an aspiring CISO, CIO, or leader looking to make a lasting impact, this episode provides your roadmap to success.

Production Credits:

Presented by: Paul Jackson
Studio Engineer & Editor: Roy D'Monte
Executive Producers: Paul Jackson and Ian Carless
Co-produced by: Theos Cyber and W4 Podcast Studio

Chapters

• 0:00: Intro
• 12:12: Leadership Development and Growth
• 19:57: Recruiting and Interviewing for CISOs
• 26:10: Board Responsibilities and Geopolitics Discussion
• 36:42: Concert Technology and Career Advice

Transcript

Paul Jackson: 0:00

Wherever you are in the world, hello and welcome to Theos Cybernova Podcasts. Before we begin, I've got a quick favour to ask from you. There's one simple way that you could support our show, and that's by hitting the follow or subscribe buttons on the app that you're listening to the show on right now. It makes a huge difference in helping to get the show out there to as many people as possible. So, please, please, give us a hand and click that button now. Thank you very much.

David Gee: 0:35

The Theos.

Paul Jackson: 0:36

Cybernova podcast hosted by Paul Jackson. Welcome to another episode of Theos Cybernova podcast. I'm Paul Jackson and each week I'm digging into the latest trends, challenges and innovations shaping the cybersecurity landscape, as well as talking to a fantastic mix of leading industry experts, thought leaders, technologists and legal eagles, all with a particular focus on the Asia Pacific region. So, whether you're a professional in the field or simply curious about staying safe in the digital age, we hope Theos Cybernova will offer up valuable knowledge and actionable insights for everyone. So today I'm delighted, and in fact I'm honored, to welcome David Gee, who's with us for the first time. And David is based down under in Sydney in Australia, but obviously with very strong connections to the part of the world where I'm based in and David is an absolute cyber legend. Everybody knows him in our region. Every time you know I'm out with friends in the cyber industry in Hong Kong or wherever Singapore, wherever it may be, your name inevitably crops up. So thank you so much for taking up the time to join us on the show today, david.

David Gee: 1:55

Thanks, Paul. I'm not sure what to say, but thank you.

Paul Jackson: 1:59

No, you truly are a legend, you know, and I know you know we'll talk about your book in a moment, but it's so highly regarded and I know you're bringing out another one soon where you're inviting a lot of those other cyber legends from around the region to contribute, and I know that's going to be a fantastic addition to your portfolio of work. All right, so, David, I'm not going to read out your bio, because who better to introduce yourself than you personally? And you know.

David Gee: 2:28

I know it could take up the whole showed into risk management, my last role prior to retirement.

David Gee: 2:47

I retired in 4th of July last year Independence Day but my last role with Macquarie Group was running tech, cyber and data risk and kind of using all that scar tissue I'd accumulated for those years of management to kind of know where the bad things are and how do I help address that. And also you, I guess you you know, when you're being a CIO at CISA you've been haunted by really bad risk people who don't have a clue. So how do I actually not do that? How do I really focus on what really matters and work to protect the organization or the bank versus, you know, protecting my backside? So I've had a lot of fun doing that and so I'm still doing that now as an advisor for Bain and, you know, doing work with Chase Careers, doing cyber recruitment and a whole bunch of other stuff. So I've got eight email addresses, I think.

Paul Jackson: 3:32

So yeah, that's more than enough for now, but we're going to really dig into some of these things. And look, you are the author of the Aspiring CIO and CISO book, which we'll talk about in just a second. But before that, I'm a little bit curious about your personal history, because obviously your origins are from more my part of the world, up not far from Hong Kong, right? So how did you end up in Australia?

David Gee: 3:55

Look, I think my great grandfather somehow wandered into Australia he was, which believes he's a tailor by training and he had. That was his training and he, you know, the chinese surname is ju, as in ju wrong g, the two. But you know they write, they write something down which is g, so I became g and so um, you know, my grandfather, fred g, was up in the northern territory in western australia running businesses, you know, where there's towns where there's no chinese people and aboriginal people. I think so it's, I guess, a hard life. You know where there's towns where there's no Chinese people and Aboriginal people. I think so it's, I guess, a hard life. You know, because you're in the outback.

David Gee: 4:30

So yeah, I was kind of privileged to grow up in Darwin, which was a very multicultural society where you know, there's an Aboriginal, then an Asian, then an Italian, then a white person. It was very much that way and so a lot of what I am, I think, is formed from, you know, that sort of living in a very safe place. We didn't lock the door at night. You kind of felt, you know, secure. No one stole from each other, people knew each other and I never encountered racism until I left and went to Sydney. So I grew up in this little cocoon in a way.

Paul Jackson: 5:03

Yeah, Wow, but you say it's safe, but all I ever hear about Darwin is crocodile snakes and things that want to kill you, right?

David Gee: 5:09

Yeah, no, don't worry about that, that's an Australian thing. So so many times, you know, as a kid we'd been, you know my parents would be playing mahjong in a stream of water. I'm holding, you know, sorry, two inches, so the old imperial scale. We'd be sitting at a table playing mahjong and the kids would be out in the billabong, you know, swimming. The following week there'd be a crocodile that took somebody and the water's dark and murky and cold. So I don't know how we survived, but we somehow survived all those nasty crocodiles and sharks and stingrays and everything else. Yeah, no, it was all fun.

Paul Jackson: 5:44

That's a great story. Yeah, should we switch to cantonese then, to do the rest?

David Gee: 5:49

yeah, my cantonese is okay, not great, mandarin, sort of a little better living in shanghai, and then, uh, also a little bit of the man, japanese as well, but all all badly, unfortunately yeah, all right, all right.

Paul Jackson: 6:06

Okay, let's uh move on to your book, the aspiring cio, and see so what a fantastic book. It's got so much great feedback. Look at all those five star reviews you're getting. I'm sure they're not your friends or anything like that, but no, these are. These are great reviews. So tell us a little bit about the book and what prompted you to write it, because you know you didn't decide to disappear and sit on a beach after retirement. You're giving back to the community and sharing your experience, which I absolutely love, and so tell us a bit more about the book.

David Gee: 6:33

It looks a humbling experience to write a book because and I've, you know, always been a writer in the sense of writing for magazines. So I now write for Foundry and the CIO of CISO magazine and they have a 1.2 million readership each month. So it's a huge. But eight, nine years ago I was really also writing for the Australian version and they were syndicating my articles to other parts of the world. But I've always loved writing. So but for me the motivation is not money, because you don't get much money from book. You know you get a coffee every time you sell a book. I've always enjoyed helping others and I put it down to this, you know, when I was a kid, growing up in Darwin, and I was kind of a fat, lazy kid, right Spoiled and chubby, and I went to boarding school in Sydney and then I got sort of more sporty. But at some point in my life, you know, the coach said to me David, we're going to put you into the first team, we're going to make you the and I was in the first team for two years we're going to make you the captain. But actually we're going to ask you one thing Can you stop shooting? Because you're the best shooter, but we want you to actually pass the ball. And I was like wait, wait, wait, wait. Why should I pass the ball? I'm the best shooter. And so, of 16, 17, I started to learn about how do I make others better. And it was really uncomfortable because I just liked shooting the ball right, I was good at that and I felt the infamy of being the best shooter of the team. I'm the star player of the team. Suddenly, no, no, your job is to make others better, pass the ball and be the point guard. And so I've kind of carried that advice with me almost through my life. Is how do I make others better? Because if I do that, I've kind of carried that advice with me almost through my life. Is how do I make others better? Because if I do that, I can actually help myself right Versus being selfish and trying to just do what's about me, how to be a team player and make others better. And so the book was part of me trying to say how do I help others grow? Because I've enjoyed that in my career and I think, paul, you know I just had a different experience in my career, but one of the things I got into.

David Gee: 8:26

I got into management really early in my life, you know. I just, you know, was managing a team of three, four when I was 25, 26 at some point that the cio was probably called something back different. Back then, mis director just fired the number two in charge and said dave, we're going to promote you. You're 27, we're going to promote you to run this team of 40 people. And I was, oh gosh, okay, how do I do this? Oh, I don't. These guys know more than I do. They're smarter than I, they've got PhDs and master's degrees and they're much smarter in developing code than I am and supporting these mid-range computers. And so I had to learn and grow up really fast to become a leader and try to find people. How do I get people to follow me, given that they know more than I do, and how do I then try to inspire them? Inspire myself. So I've always found that a big challenge and even to this day, I try to inspire myself to what's going to be the things I want to do to make a difference.

Paul Jackson: 9:20

Yeah, that's fantastic. And do you know what? We a an episode earlier with a guy called dickie wong, and dickie said exactly the same or almost the same thing as you said, which was sport played a huge role in in developing you know how he managed teams. He spoke at rugby he's a great rugby player, right and how it taught him. You know about teamwork, how it taught him to absolutely to be a leader on the field, and he took a lot of that back into his working life.

David Gee: 9:46

And Paul, this is where you, you know, I told people actually, you know you can practice leadership through that. And for me it's the same story as Dickie. I know Dickie, by the way.

David Gee: 9:55

I was in the Dragon Boat team for Australia and we had big ambitions to, you know, to be in the Australian team. We tried to create an Australian-Chinese team and the big white boys who were, you know, triathletes and Ironmen and stuff, so it was a real challenge because they're professional athletes who train seven days a week and we're professional accountants and management and whatever right and so. But for me, I learned my management, like Dickie, by running and creating a drag and brown team club with one, two, four teams and then organizing. Gosh, we did trips to Malaysia, singapore, hong Kong, and then suddenly you're in charge and you're young and you've got all these passports and all this cash and you're organizing the breakfast and the dinners and telling the people older than you to go to bed tonight, don't go out, don't play out, and so yeah, like Dickie says, you learn a lot about yourself and around how to get people to achieve something through other mechanisms, and then you take it back to work and you say, actually this is easy. That's right, because these people are being paid.

Paul Jackson: 11:06

There's other stuff that's pro bono 100%, and I've got a great Dragon Boat story, by the way. I'll save it for another time, but it involved my time when I was in charge of Tai O Police Station on Lantau Island. It's actually a really embarrassing story, but it is quite amusing amusing, but I'll save that for another time. But, uh, let's talk more about uh, you know some of the key components of your book because I was out to dinner with, uh, well, with a group who call themselves legends of cyber in hong kong, which is, um, quite amusing. But uh, they're you know a lot of them, of course they're.

Paul Jackson: 11:36

They're all senior executives in in the, in these positions, and we had a dinner and, uh, they were talking about yourself, actually and because I've mentioned that you'd be on the show a bit of a teaser, you know, ahead of this episode, and they said one of the things they loved about you is you were a fantastic mentor, right, and that resonates with me because I think you know we're both obviously of an age and it's important to be that mentor and help young professionals to develop in their career. What's the secret? You know, because you touch on this in your book, so people don't have to read your book. What's the? I'm joking. What's the secret to good mentorship? You?

David Gee: 12:11

know it is interesting. I landed my first CIO job in Australia with Eli Liddy and then they promised and I'll talk about this in some keynotes I do I was sort of torn up in my world. You know, I had these job offers to be a partner with EY Consulting or be a partner with AD Carney or go off in the CIO career and I said, actually if I do a partner, I'll get this nice office, I'll make all this money. You know, people think it's prestigious but actually it's kind of like short-term, not very strategic, not really doing things for the world. Why don't I do something important? So I, I made that choice, paul. So when I get to I get to my first assignment, second assignment, so as a ceo in shanghai, and this is 1999, so china's like an idea, right, and there's a 10-year strategy put together with bcg consulting.

David Gee: 12:59

And my first meetings with hr and hr said david, we're coming here, we're trying to build. You know what's going to be number one, number two, you know, for this company globally, can you leave deep footprints? Yeah, and I thought, okay, that's interesting. You know I've been building data centers, I've been building applications, you know doing all this other stuff. Deep footprints what does she mean by that? She said, well, I mean, we do people. You know how do you do that. And I said, well, I'll be doing that in Australia. I've created, you know now, a regional team. And then I realized that, you know, it was really the calling I had as a leader is how do you then great, you know, hire people, make them the best versions of themselves? And I take a, I take a snippet out of my, my learnings, in which I put in the book you take a very simple equation, paul, and you said okay, you walk into a team anywhere in the world, right, a bank and insurance company. You can't file everybody. You have you got to usually work with them, right, and you might make some changes over time. So, as a leader, how do you make this team supercharged? And so they can't always be superstars, unfortunately, that's just the way it is right.

David Gee: 14:07

So you know, I walk in, I've got Paul, paul's really good. Paul, on a good day can be a 7 out of 10. And a better day can be eight out of ten, right, but when he's got a bad day, he's six. How do I, how do I encourage paul to understand and paul's thinking, paul's mindset to say how do I help paul be an eight? What makes him an eight? Is he gonna? Is he needs some encouragement? Is it actually that he's a bit afraid to take chances? How do I stretch him? And david? He's rubbish and he's three out of 10. How do I get him to be a six? Maybe six is a stretch, but if I encourage him to figure out how he thinks, I can get David and Paul to be the best version of themselves. And how do I get them to be a good team so they're actually working together.

David Gee: 14:52

So it's not a negative conflict situation, it's a minus, it's's a multiplication, which means as a leader, I'm getting fantastic results. Now, to me that's just a simple equation. You know, a number versus another person, versus another person, coaching them to be the best version themselves, giving them and actually I've said this to my team members I said today, bob, I know you can be a seven. Today you're five. And the reason why you're five can be a seven. Today you're a five. And the reason why you're five is you're not doing this or you're not engaging stakeholders, you're not actually stretching yourself and you stay in the comfort zone. And when you're in comfort zone, you're a five and I want you to be a seven. When you're a seven, I can reward you, I can do more things for you and you can get more opportunities as a leader, because you're being comfortable, being uncomfortable that's fantastic.

Paul Jackson: 15:40

It's great insights, because as soon as we finish this, I'm gonna I'm in the office right now and I'm gonna walk out the door and go to one of my team. You're a five and no, but, in all seriousness, you know, this is actually a great way of looking at it really great.

David Gee: 15:53

Being straight's important. But also then, how do you be specific? Right, telling Paul that his communication skills are poor doesn't help. What does that mean? Is it the listening? Yes, is it when he's in a group of 10 people that he goes quiet? You know what is it specifically? Yes, if you can figure that out. So I always tell people this story and say, when I was 25, 26, 27, getting promoted at these big jobs and I had to run a team meeting, I was scared. I mean, I didn't want to speak in public like that. I liked one-on-ones, 10 people, oh gosh. And so I said, okay, how do I volunteer to do this? How do I volunteer to run workshops? 50 people, 100 people, 200 people, people, 500 people, thousand people, different countries, 5 000. You know how do I do that, right, and so I focus on that as being a weak point to make it into a strength. So you have to understand where are you and what scares you. And then, therefore, how do I then try to practice that, if that makes sense?

Paul Jackson: 16:55

yeah, look, I think we've both been leaders for a long, long time and I'm with you on this, because it's no point just picking holes or pointing out failings without showing a path to the improvement, what, what steps they can take to get from that five to six to seven to eight and up and and and the structure I put my book made is the skills, knowledge, experience, behavior.

David Gee: 17:15

Right, yes, all quadrants. You pick one of those and say, okay for me to be two jobs ahead of where I am. Okay, I need to be thinking about this. Look at a good example. So I was HSBC CISO in Hong Kong for three years. I can go and get another CISO job. I go back to be a CIO.

David Gee: 17:31

Why don't I go and do risk management? Why would I do that? And why would I do that? Because I wanted to be better at asking questions. I've been really good at doing things. If I want to be a board member and board members get a chance to ask one to two questions each quarter, maybe right how do I make sure that I ask the right question, not the question number 20 or 19,? By really thinking through what's going to make a difference from the risk at enterprise level versus me being the person who gets all the stuff done, the transformations, shit, right, I'm good at that. But if I want to be progressing in that field, I need to be thinking about myself two jobs ahead, which is boards, and then making sure that I spend the next three years just asking really hard questions.

Paul Jackson: 18:13

Yes, you're absolutely right and again you've resonated with me, because a lot of people ask me why have you moved away from being client-focused, client-facing in my previous roles as leaders of delivery teams in Asia to being a CEO of a company, the people that are in this company, and helping them to be better, to go on, to reach greater heights and and to show that this company, an asia-based company, can compete with the best of the international companies and be, you know, something to be proud of in asia? So, yeah, it's.

David Gee: 18:47

it's all about not only pushing yourself, but also putting yourself in a position where you can help others to be better than they are, and I think you know we're both on the same page yeah, and make this this pride, this pride in in going back and see you know, people you've built, developed, and you know, I sometimes speak to people who are now ceos, coos, cios, and then I'll contact them or the you know, or someone contacted me after reading my book and and they say, david, I've read the book and I actually can hear your voice as I read the book.

David Gee: 19:15

And then then I actually said, actually you told me I should be doing this all those years ago, 12 years ago, and that's still in my head. I'm still thinking about am I doing this? Am I delegating enough? Because if I don't delegate, I'm not growing my team and their capability, but I'm holding it on being a really good leader and getting stuff done. That's great, but actually I need done. That's great, but actually I need to also build these guys below me and guys and girls below me. And that was a woman, by the way, who said that to me and said, david, that advice I'll carry for 12 years now, and now she's a ceo for a large organization in australia.

Paul Jackson: 19:46

So that makes me really proud so if, at this point in the podcast, if any of our listeners aren't already on amazoncom looking for the aspiring cio and cso, well you really should be. But let's pick another aspect of this book, which is how you get in that front door in the first place, because I know in the book you talk about preparing for interviews, interview questions. What's your top tips for somebody who is an aspiring CIO or CISO? Let's focus on CISO, as we're a cybersecurity podcast. What is the most important tips you can give to somebody who wants to open that door?

David Gee: 20:20

Yeah, now look, I go back to the experience of behavior. Right, it's in the day. If you got these certifications, these accreditations, these degrees, it's kind of so what you know. I mean, it's all that's all foundational. You've got to have it right, you've got to have these things and have some knowledge. But what you're looking for is, you're looking for the experience. People have got experience doing hard things, solving problems. You know, okay, you've been hacked, actually, great, you actually understand how to recover from being hacked.

David Gee: 20:46

I see it as being a positive, right, paul, it's no different to, you know, interviewing a person in China one time, and then I was saying, oh, you've got a five-years gap in your CV. Oh yeah, I hacked the US government, so I got put in jail by the Chinese. Love it because he's honest, love it because he can do it, okay, right. And so HR was like, oh gosh, you can't hide this. Oh, no, no, no, this is tick, tick, tick for me. And so for me, trying to figure out, you know, what are the pointy things around experience that make a huge difference. Yes, show leadership, show you can do things Now. The behavior side right. The B side Now.

David Gee: 21:21

So can you work with difficult stakeholders. Can you say no to them? Can you say no to the board? Can you say no to the chief risk officer when they're pushing you to do things you shouldn't be doing? Now, let's take a great example and I've had this, not myself, but others I've seen done and you're the new CISO.

David Gee: 21:39

Okay, they ask me for advice and I say, well, actually you don't have enough budget, you don't have enough resources, and this is your first board meeting. What are you going to say? Are you going to say what the boss tells you to say, the CIO? Or are you going to say I need to look into some concerns, don't throw them under the bus, or under the bus but actually say I'm not sure we're there yet. I'm not, you know. How do you then show the right leadership behaviors so you're not becoming a victim? So when they get a hack and say well, you know, you asked and you didn't ask for anything, david, right, that's, it's a bad, bad lose win situation, right, how do you make sure you stand up for yourself and what you need? And that's behavior. That's having the backbone, that's having kahunas. Right, they say right. So how do you? How do you show me that? Show me that and if you got that, I will always back those people every time fantastic advice and I'm 100 with you on that.

Paul Jackson: 22:26

And I also agree with you on the qualifications. Yes, they're. They're a way to get you know through the hr paper mill, but at the end of the day, it's that passion, it's the you know, the aptitude, the, the willingness to push the boundaries and to show yourself as a leader that are really truly important.

David Gee: 22:43

So, 100% agree no, so I'm not advertising the jay's career stuff because that's in australia, but as a recruiter now advising a recruitment firm around tech, cyber and data, you know I, I do people screening every day. Okay, yep, and I, and I'll call you Paul, I've seen your CV or LinkedIn account and I'll call you and I can figure out in five minutes whether you've got the right thing. Provided you're not in a work environment where you can't speak. Well, I can figure out. Does he have the right stuff? Is he curious? Is he, you know? Is she one-size-fits-all? You know what's the word I used the other day. I'd said, okay, are you a vitamin or are you a painkiller? I want to hire the painkillers. Right, painkillers help me. Vitamin or a painkiller? I love that. Vitamins make you feel better. Yeah, right, they don't fix anything, but painkillers really fix the problem and they make it. They make a big difference we?

Paul Jackson: 23:35

we just heard a soundbite for this episode, haven't we? You're a vitamin or a painkiller. I love that. But you're right, because when you talk about five minutes in, when I was at JP Morgan building out the team there based out of New York, running the big team there, I was doing hundreds of interviews literally, and you're right, probably within five minutes I'd made my mind up and the rest of it was all just fellow which is unfortunate because you didn't spend the next 55 minutes thinking okay, how do I justify my decision?

Paul Jackson: 24:02

yes and uh, you're 100 right on that. And look you know, I always showed people respect, of course, by going through the entire interview, even if I decided within those five minutes. But still, those first five minutes are crucial and if you can't get your talent across, your potential across, then….

David Gee: 24:19

And you know I've seen interview. You know people come to interviews and there's no eye contact. I was once interviewing an architect and say, okay, so here's the pen, can we just go and draw? Can we just go and…. I want to understand what you think. And a person wouldn't draw, he wouldn't give me. I said I don't care if it's a data model or a system diagram or a rich picture. I just want to understand how you think through a problem. And because he wouldn't and he's an architect he wouldn't grab the pen. I was like wait, wait, wait. You're an architect, you should love drawing.

Paul Jackson: 24:51

No, absolutely, and I actually really love the fact that you're working in the recruitment space now, because it's been a big bugbear of mine down the years how poor cyber recruiting is, and you'd probably be aware a couple of episodes ago we had Craig Johnson on, who's an absolute leader in the cyber recruitment space, somebody who takes it seriously. You know, lives and breathes this sort of stuff, and he's brought in people like yourself, right, who are experts, to be advisors and I think that's a great model where you know you've got people who've been there done that, who can actually help with interview processes or assessments. Because you know, sometimes it's the blind leading the blind when in recruiting you know you get, say, I don't know, a CEO of a company who's trying to hire a CISO, but obviously their skill sets are in the business, not in cyber, and how are they supposed to determine which cso is better than the other, right? Yeah?

David Gee: 25:38

now look, you've seen it so many times when we're doing these recruiting roles for cso's and and the team below which is, uh, you're trying to do a, a tindall match, okay, so how do they match up that the cultures fit, that they're looking for the right, you know, interface to board, interface with team, interface with peers, level of you, level of competency, because the level of depth requirements may vary depending on the size of the organization. Whether it's a large organization, they maybe can get by without having everything on their CV.

Paul Jackson: 26:09

Yes, absolutely Okay. I want to switch gears a little bit, because you mentioned earlier about boards, your aspirations to be on big boards, etc. You'll remember a year half ago whatever it was, the SEC were, you know put out the discussion around what the roles and responsibilities should be for boards of listed companies, and there was a lot of debate as to whether there should be a cyber expert on the board. I'd like to hear your views on that.

David Gee: 26:33

Now, this shouldn't be. Now, it's interesting. I got a biased position here, of course. You know being sort of a digital CIO, a risk professional and a CISO. Right, I'm covering triple threat. I'm doing all kinds of different things.

David Gee: 26:45

When you understand what boards do, if you're a member of a board, you need to be more than the cyber expert. You need to actually be a board member first. That helps the organization grow, help them with their strategy, help them with their people, association planning and the whole those dimensions around you know the environmental, all those issues you got to weigh in on. Okay, you can't just be the person who can solely talk about that. Now, that being said, you know, because I've I know too much about cyber, I'm kind of cautious which ones I would join anyway, because because you, suddenly, if you're the cyber person, you're hacked, then it's my fault, right, and you you're the cyber person, then it's my fault, right, and you're not even operational. So it is interesting. Same token I did prior to retiring. I did meet a lot of technology board members around town and figured out a lot of them are ex-CIOs or project people and they don't necessarily understand cyber. They might understand some of it. So it is an interesting one.

David Gee: 27:38

People will get there, but you do need to be rounded. You need to have all the other dimensions in that sort of board portfolio prioritization with skills metrics. They do. You got to tick a few boxes. You can't just tick one box and think that's enough, because I think they're going to be saying I want this person to help drive digital change, I want this person to help be digital change, I want this person to help, you know, be on the risk committee and look at risks broadly, and cyber risk is one of those risks very important. Of course, I don't know to state that, but actually, yeah, you can't just be one one dimensional, expect to get the job because sec says so and that's fair 100.

Paul Jackson: 28:13

So you know one of my key roles I I spoke earlier that as a ceo I've stepped backwards, obviously for client delivery, but one of the areas I do still engage with clients is delivering board briefings because of my background, and risk is, of course, the most important function really. I think managing risk and as a former police officer, et cetera, I've seen all sides of risk, obviously, and so I'm able to sort of put this in a perspective that is meaningful for boards. So I do do a lot of board briefings, and I know you do as well. But I'd love to pick your brains a little bit, because nobody's perfect at doing this. What kind of things do you focus on when you're talking to boards? What do you think resonates most with them?

David Gee: 28:51

It's interesting. When I was with HSBC, that was one of the things I did a lot of because that was part of my job globally, and so I think I would do a few hundred board briefings in a year and prepare the board packs that others would use as well. Now, interestingly to me, given that the audience, the board members, actually don't necessarily understand this in depth, how do you provide to them without telling them to suck eggs? How do you provide to them respectfully? Here's the position, here's where we are, here's our risk position. You know, here's our path to goodness I don't want to say green, our path to goodness and let them understand that this is where we are. And, you know, just give them the facts.

David Gee: 29:30

I think I've seen so many. You know, cios and CISOs provide a very tainted version that looks better than it is and that doesn't do you very much good. The whole advice and I got this from Robert Veras, who's one of the CISOs here, which is really good advice which is boards have to challenge the greens, and you know that's not typically what they do. They challenge the reds, but how do you, you know, challenge the greens and say is that really green? You know, and then support the reds. But how do you, you know, challenge the greens and say, is that really green? You know? And then support the reds. Got it? Because the reds mean and I said this to CISO recently, helping a bank in Australia.

David Gee: 30:06

You know, how do you get help? How do I help you get the right help for your risk tech cyber appetite, which means you've got to have this amount of support for the next X number of years. And then they actually understand that every time you do, you know, end-of-life, end-of-service support thing, that's bad, right, that's actually negative to your risk appetite. And so don't assume that metrics are going to be good. They're going to be bad. That's okay. As long as we know those are there and we're going to track them and try to do more to contain that. That's good. But that's a mindset shift, cultural shift, and so how do you get the board to help you with that? And so a lot of dimensions there around board reporting and having boards involved in exercises, all that sort of stuff works.

Paul Jackson: 30:50

Agreed, and if you'll do me the honour of appearing on another episode in the future, I think that's a topic that we can drill into really. That's a topic that we can drill into really. You know governance and board responsibilities, because I think such a hot topic right now. I get asked this all the time, but I'm conscious of time here, and I do want to touch on one more point before I hit the music question, which always appears at the end of these shows. Um, it's that. Um, look, you're australian, you've got a lot of history of working in china, hong kong, and your chinese heritage of of course, I'm predominantly in Hong Kong et cetera. Geopolitics, ouch, without diving into that too deeply and getting in trouble. You, though, have a new role, don't you? Because you're the ambassador for the CIISAC. Could you explain a little bit about what that means and what those responsibilities are?

David Gee: 31:35

Look, I took that role on a few weeks ago and it's interesting. Responsibilities are. Look, I took that role on a few weeks ago and it's interesting. I, I spent three, four years longer as the chairman for fsi, sex asia, pack um of the strategy committee, and I and I, you know, to me it was all around. How do we, how do we work to protect us ourselves and others? And um, I think I remember at the julyISAC meetings in Singapore, the CISO Congresses, and I said look, here's where we are, guys, if I think about this and I wrote a story about this from CSO Magazine which is called the Mussox Strategy, right, and I said here's the story.

David Gee: 32:11

We're all working together and we're kind of saying the wolves are coming, the wolves are coming, the wolves are coming. And then we, as good Mussocks, will put our horns up, go into a semicircle, put the babies in the middle and protect the babies. That's what the mussocks do and it's good because that means so. If I took this a step further right and put this analogy of nature into our world, we're doing this every size. We're saying the wolf's coming, we don't put our horns up, we our horns up, we don't put our babies in the middle. Our babies could be our vendors. They're all subsidiaries. We kind of say, hey, the wolf's coming, and then they're on their own Not good enough. Can we go the step further? Can we think about evolving our defenses more in that fashion that we think about others rather than just ourselves? Now I said as in, and jokingly, which is in the article, when the musk ox is the bear, they run. They just run because they realize that it's every man for himself. So there's always self-preservation in cybersecurity, because that pays your bills, right. So I get that. But what can we do more broadly? So to me the CISAC stuff is exactly that. Financial services is the most advanced because we've spent the most money. We've spent the most money. We've been the most attacked in the past, not longer anymore. Others have been attacked more, but we attacked a lot. So we got good at this, I think, or better at this.

David Gee: 33:27

So for me the whole argument is interesting, because you know we said that if you're actually protecting yourself and don't think about other sectors, you're kind of being foolhardy because your resilience is relying on others. So that water, that electricity, that data center, that network, all these have critical infrastructure. If they don't work, you don't work right. So it's great you're being protected here and you're providing intel to each other, but what about sharing that with your buddies? And so, for me, the story was we wrote to all the top CIOs and CISOs as a letter a few weeks ago to invite them to come and join us, to work together, to share information, have a meeting and join this cause. No stick, this is not regulatory right. This is a carrot, which is how do you help yourself? And the words I wrote in the letter and I had the chairman this is not regulatory right. This is a carrot, which is how do you help yourself? And, uh, the words I wrote in the letter and I had the chairman, um of ci ci. Isaac also co-signed this, which was um.

David Gee: 34:26

My dad fought in the army. Uh, in new guinea against the japanese. Um in the jungles. Right. Um, trying not to be shot by his own soldiers because he looked the wrong colour. And similarly, stephen, our chairman. He spent 35 years in the Australian Army and then ended up running cybersecurity for the government Dedicated to protecting Australia. This is the same thing. It's becoming that way in this world that we have these polars happening. So we need to be thinking about this. It's not just the company, it's all about I live in this world that we have these polars happening, so we need to be thinking about this. That's not just the company, it's all about I live in this country. I've got to protect the country. I've got to protect my partners as well, other countries that we're partners. How do we do that? More broadly? That's the cause and I love that because that gets my juices flowing about it's no longer just protecting this organization, but also protecting everybody that sits within that ecosystem.

Paul Jackson: 35:22

Well, with the proliferation, if I can say the word, of new critical infrastructure and, by the way, I should have said sea ice for critical infrastructure, of course, bills coming out across our region. This is indeed a hot topic and do you know what? You've just signed yourself up for yet another episode where we dig into critical infrastructure protection. So, look, this has been fantastic and look, I recognise we're running out of time, unfortunately. So my last question to you music. You know, I always tell the audience this is my way of decompressing putting a vinyl record on, you know, and just listening to some good music. What about you? Do you enjoy listening to some good music? What about you? Do you?

David Gee: 35:58

enjoy listening to music. What do you listen to at the moment? I do. I mean. I was in Vegas in October and then Vegas recently for another event kick-off event recently and I went to two concerts. I went to see Lionel Richie in Vegas three weeks ago, which was fun because Lionel's just entertaining. He's, you know, 70 years old and the girls are still passing him notes on stage. I'm old for this, so that's really fun. And then in October we had the privilege of going to see the Eagles at the Sphere Fantastic, and the Sphere is 20,000 seats with 116,400 speakers.

Paul Jackson: 36:37

I would love to go. I saw the YouTube videos et cetera. It's just nuts.

David Gee: 36:42

We had this we had our friend who knows the sound engineering got a staff price tickets which were street value two and a half thousand dollars for 400 bucks. So we had the best seats in the house and the sound just blew my, my mind. It's just. Quality was just nuts. The visuals was nuts. No, quality was just nuts. The visuals was nuts. Um no it, I think I was. I was at a coldplay concert a month later and going like sounds rubbish. The band's fantastic, the light show is great, but from a visual standpoint, literally you're crying. You are literally crying because it's so beautiful and they have a sorry, they have a 200 piece orchestra that they did live with you two. And my friend's friend said no, no, no. What they decided to do was they recorded that and mixed it in live because they can sell 200 more seats. Wow, that's crazy. So the technology is off the charts.

Paul Jackson: 37:32

Yeah, Crazy, Right, everybody the Aspiring CIO and CISO a career guide to developing leadership skills, knowledge, experience and behavior. Get on Amazon right now and buy it by David J. What does J?

David Gee: 37:46

stand for, by the way, jordan, as in Michael Jordan.

Paul Jackson: 37:50

David J and it's in all good bookshops, but probably best to get it off Amazon. And yeah, it's a great read. David, thank you so much for being on the show today Definitely going to get you back and thank you so much for giving up your valuable time to be with us today. Pleasure, thank you. So Theos Cybernova was presented by myself, paul Jackson, the studio engineer and editor was Roy DeBonte, the executive producer was myself and Ian Carlos, and this podcast is a co-production between Theos Cyber and W4 Podcast Studio.

David Gee: 38:27

The Theos Cybernova Podcast.