
THEOS Cybernova
THEOS CyberNova is a cutting-edge podcast that explores the dynamic world of cybersecurity, hosted by THEOS Cyber CEO Paul Jackson.
Each episode delves into the latest trends, challenges, and innovations shaping the cybersecurity landscape, featuring insights from industry experts, thought leaders, and technologists. Paul brings his expertise and passion for cyber security to engaging discussions on topics ranging from emerging threats and data privacy to the future of AI in cyber defense.
Whether you're a professional in the field or simply curious about staying safe in the digital age, THEOS CyberNova offers an invaluable insight into the world of cybersecurity.
Tim McNulty – The Anatomy of Crisis Management: Preparation, Communication, and People
For Group Chief Security Officer Tim McNulty, crisis management is not firefighting; it is foresight. Preparation, horizon scanning, and above all, communication are what turn chaos into resilience. His rule is simple: communicate up, communicate internally, communicate externally.
Tim also reflects on the human side of crisis leadership. He explains how the Asia Crisis and Security Group, formed in response to the 2003 tsunami, demonstrates the power of networks rooted in real-world events, proving that resilience is ultimately about people helping people. Along the way, he shares lessons from his journey through law enforcement and global finance, from breaking down silos to showing boards that security is a business enabler.
Essential listening for senior leaders who want to see how preparation, communication, and people shape true resilience.
Production Credits:
Presented by: Paul Jackson
Studio Engineer & Editor: Roy D'Monte
Executive Producers: Paul Jackson and Ian Carless
Co-produced by: Theos Cyber and W4 Podcast Studio
This week on the THEOS Cybernova podcast. Banking was when I joined. The bank was a bank. Now it's a technology company that does finance. Physical security, which is the backbone of cybersecurity. You have to protect your servers physically as well as protect them logically. How can you say that cybersecurity starts at firewalls and not say that it's actually the perimeter of the data center? I love crisis. That's when I'm alive, because I think it's the essence of the job that we do. Three most important things you have to understand in crisis. Number one is communication, number two is communication and number three is communication. The THEOS Cybernova Podcast, hosted by Paul Jackson.
Speaker 2:Welcome to THEOS Cybernova, season 2, episode 6. Today I'm joined by a legend of the security industry, a chief security officer that everyone looks up to, well known throughout the world, worked on three continents, and he's here with me today in Manila. Thanks for joining us today, Tim McNulty. Thanks, Paul, that's a very nice intro. Well, it's one that's well earned. You know you are extremely well known. You've worked with major banks, well, some of the biggest banks in the world, and you know you're moving on to a new journey which will be disclosed at a later date, and we're all looking forward to seeing how that goes for you.
Speaker 1:Yeah, yeah, I can't talk about that for obvious reasons, but happy to talk about anything else, Absolutely Well, let's start off with a cracker.
Speaker 2:Let's ask you how does one become a great security leader?
Speaker 1:That's always one of those million-dollar questions, isn't it? It's very personal to everybody. I think it starts off with training, experience and then practice. So if I go back to training, when I was at university in Newcastle, I was made the club captain of the rugby organization and that wasn't just the team captain, that was running six teams at Newcastle University. So it meant choosing the right teams on a Wednesday and on a Saturday, so you let people down and you were trying to get the best people or the best teams together, choosing the right leaders for those teams, also dragging people out of bed who slept in and you had to throw them in.
Speaker 1:I had a mini and I ended up with about six or seven rugby players in a mini, dropping them off at the various places to get them into the right place and then obviously going to have to play yourself. And so there's that administration or organization picking the right people in the right place at the right time and be able to cajole people and work with people and understand them so you get the best out of them. And it was really interesting because you don't know this is forming you when you're doing that. To me it was just I love rugby, I love playing, I love teams and we just had a great time. But you don't realize that those are the foundational steps.
Speaker 2:You're the third guest I've had on who's attributed rugby to their success in leadership, and I think, for all our listeners, maybe you need to don a pair of boots, right, yeah.
Speaker 1:I mean, you know, and I think you know rugby always was the start of my journey. I guess, and it's always taken me through. It's one of the reasons I joined the Hong Kong police, because they paid you a salary and you were able to play rugby in police time, absolutely, and so that was a real motivator for me. And at the time you don't realize it, but all of that being part of a team is really important. Being able to lead a team is slightly different, because you have to be part of something you're leading. And I think, if you look at global organizations, you have to be part of a large organization but also be able to lead it. And that's about, again, about people having the right people in the right place, doing the right things.
Speaker 2:I entirely agree with you and when I'm interviewed on podcasts, I always attribute the learnings I got from the Hong Kong police in those early days, because we were both young when we joined. Yeah, and you're thrown into a leadership position right from an early age and so alongside the sport and you know you've got the actual work. Yeah, and you're leading teams, often with officers in there who are older than your dad, right? Yeah?
Speaker 1:I don't know if you remember, but we used to have leadership training, yes, and I always thought that was great fun. It was like playing cowboys and Indians, Because you know you're out there with a map and you had to take a group of people to a point and then you had to do an ambush, you know all that good stuff. But that's kind of more about the formality of training, because that was teaching us how to brief, how to lead and how to make decisions, and I think decision making, again, is a really important part of leadership. I do see around me a lot of the time people who like to manage, but when it comes to making a formal decision that's going to either make or break a situation, there's not many people who will take that.
Speaker 1:And I think one of the things about my journey is I've always felt that if you take all of that information you have on hand and a decision needs to be made, it's your responsibility as a leader to make that decision and take the responsibility. And you're taking that responsibility on top of the people you're leading so that they don't feel responsible for it. So the responsibility is all on you, and that's really important as well, because I think if people respect you when you take the good with the bad, if something doesn't go so well, you take it on the chin, even though it may be one of your people who've caused that particular problem or issue, but you've led them into that. So it's so important that you take that responsibility and that's success and failure 100%.
Speaker 2:So you know well, as you know very well, because you were the one who brought me across from the police to a certain large US bank. Well, we can name them, can't we?
Speaker 1:Yeah, sure, yeah, yeah, I mean, I took you out for a steak, I think sort of biannually, yes, and asked you the same question: are you ready to leave? And it cost me quite a lot of steaks, to be honest.
Speaker 2:Well, I do like meat.
Speaker 1:And again, that was. You know, I could see the way that when I started working at JPMorgan Chase an Asia sort of regional remit I had at the time but it was so obvious that the world was moving into technology Banking was when I joined. The bank was a bank, now it's a technology company that does finance. And that journey started then. And it was people with your experience in forensics, certainly around the investigation side.
Speaker 1:What we were trying to do was obviously get the right evidence if we had an issue within the organization. We hadn't got the skills to do that because we were all less formally trained in that technical aspect. So your hiring, or me trying to grab you into that organization, was because I saw the development of that area and I think it has obviously proven to develop that way. But that's another reason. You know we've known each other for a long time but I always knew I was going to hire you before anyone else, and that's the other thing. Is that just because somebody doesn't apply for a job doesn't mean to say that they don't want to work for you.
Speaker 2:Yeah. So this is a really good point, Tim, because you know I love police work. I absolutely loved it. It was, you know, we were pioneers in the Hong Kong police developing new technologies for investigation, for high-tech investigations, because we had the budgets, we had good manpower there and it was very advanced and law enforcement came from all around the world to come to our training. It was a fabulous time and I absolutely loved it, loved it.
Speaker 2:But, you know, cometh the day, cometh the time and yeah, we both knew that there would be the right time to move. Yeah, I did move, but I've got to be honest, I'd done 20 years in the police by then and I was thinking you know, I'm going to JP Morgan Chase right, it's the world's biggest bank by assets, or whatever and I'm going to be the dumb guy in the room, you know. But what I quickly learned is exactly what you said earlier is you make decisions, you take charge of things, you, you know, you design strategy, you know, you come forward and you are actually well respected in places like that.
Speaker 1:So it proved to be, because both of us obviously did very well there yeah, and I think you know, with the, when I joined JP Morgan Chase, it was very much a a traditional security role. Yes, we were doing, obviously, physical security, which is the backbone it's actually the backbone of cybersecurity. We see that today. I mean, you know you have to protect your servers physically as well as protect them logically. But we were doing investigations, we're doing pre-employment screening and we weren't really doing, we weren't really using intelligence, we weren't looking at what was happening in our region, we weren't looking at crisis management, we weren't looking at some of the issues where you can do pre-preparation to try and keep you as business as usual as possible.
Speaker 1:And I started seeing all these opportunities due diligence, you know, looking at potential clients, and I didn't look at it as know your client, KYC, regulatory compliance. I saw it as how do we get the bank in a position, with the right information, to make the best deal? Yes, because there were a lot of people at the time turning away from Indonesian clients because of the Suharto regime and anybody who'd play golf with Suharto, you know, couldn't, we couldn't do business with them and that was de facto. Well, I changed all that by getting more information and talking about the statute of limitations on people and where compliance in companies was starting to get better. So I started to see opportunities.
Speaker 1:Weirdly, because, you know, from a police background, you kind of don't expect that, but I think what drove me was that, as a policeman, you are the point of the organization. When you go into a corporate, you help manage some of the risk in an organization and I didn't like being in the back room. I wanted to be helping the business do what the business do. I wanted to be the point and that's always driven me with crisis management, due diligence and all of the other things that I've done and set up.
Speaker 2:It's always driven, probably by the fact that I know what we know and what we learned can really help a business be successful as opposed to just protecting it and I think a couple of the key points you touched on there are that security shouldn't just be seen as a cost center right, it should be a business enabler, business driver, and I think we've both seen it that way.
Speaker 2:Cyber can be a business driver because you look after your clients, you help them on that cybersecurity journey that they may not understand these high wealth individuals from a banking perspective anyway, and, sure enough, it facilitates the business right From your point of view, things like that making sure that you've got the right clients and using the investigative mindset to you know, sort out who is a valid client versus who, well, frankly, shouldn't be a client yeah, is of huge value. So, yeah, I think that mindset has obviously set you well and, you know, led to you obviously expanding your career and going on to another CSO role where you actually led the cyber teams as well, a very unusual position where the CSO well, the CISO actually reported to you, right, yeah, I mean, yeah, at JP Morgan I kind of ran everything but the CISO organization.
Speaker 1:But it became very clear and this was sort of late, sort of, I don't know, 2018, 2050, 18 I was at JP Morgan. It became so obvious that those pieces were so in, so siloed, but the collaboration was needed. And collaboration, at the time when I was there, was seen as eating someone else's lunch, comments like stay in your lane, et cetera, et cetera, and I just thought you know what this is actually going to weaken the organizational strength. And when you talk about you know, if a CISO doesn't understand their physical security sort of objectives within the organization, how can you say that cybersecurity starts at the logical end, at firewalls? How can you say that starts at firewalls and not say that it's actually the perimeter of the data center or it's how are Amazon managing their data centers? That's actually the cloud, right? That's the first place to start. And then we can start talking about zero trust and all this other good stuff. But unless you get your basics right and unless it talks to the whole organization, I don't think it's a holistic risk program and that's always been my belief.
Speaker 1:So an example when I joined my current company, we had a lot of attacks on our ATMs. There was a very distinct sort of round hole being drilled in the top right-hand corner of the ATM and our physical security team couldn't understand why we were being vandalized that's kind of how it was being described and I started putting together a team meeting every morning to discuss cyber issues, physical issues, investigative issues, fraud issues, and we started talking about what happened in the last 24, 48 hours. So they came on and started talking about all these ATMs that had this hole drilled in them and how they were going to put a plate on it. And somebody from the cyber side said well, obviously they're trying to jackpot the machine, because that hole is to enable them to pull the wires up to jackpot the machine and pull the money out. Oh, said the physical security team, and it was just that first one, the first win. And then people started to understand within the organization that actually they needed to be talking about holistic risk and not about siloed risk.
Speaker 2:Yeah, they got the rationale for it and that's so important to get that first win, isn't it Because there's so much resistance? I've seen it time and again. Now I work on the consulting side. We go into, I've seen inside a lot of companies and there's still that siloed, stay in your lane mentality that you alluded to. So when we do go into clients now we try to get them in the same room.
Speaker 2:We try to get, you know, security and physical security I mean, and cybersecurity and risk and all the other components talking together and, you know, trying to come up with solutions and thinking of the human nature of the problem rather than just from IT thinking in ones and zeros and from physical thinking of cards and guards. So it's slowly happening. I think we're seeing more and more companies embracing it and what is good is that I get a lot of physical security leaders actually coming to me and saying hey, Paul, what courses should I be doing to improve my understanding of cybersecurity? I don't want to be a hands-on, you know technical, I just want to understand it. And that's a good sign.
Speaker 1:I think more and more security leaders are now embracing the fact that they need to be you know crossover, and I think there's some fear amongst security managers who haven't sort of been formally trained in cybersecurity. I think, if you boil it down to its basis, security hasn't changed since they built the castle and they still have visibility by mowing the fields down. They still operate intelligence by having horseback riders running around the forest to see if there's anybody watching. They still have thick walls. They still have defensive depth and the concept of looking after all of the gold at the center of the castle in the strong room well, that's your data center. And so you know, fundamentally, security hasn't changed. How we actually employ the controls has changed enormously and continues to change because we're moving now into cloud environments etc. But I think physical security managers should embrace their own knowledge and certainly when I was managing Insider Threat when I was at JP Morgan and when I moved into my next organization, as you say, I was managing the whole function and I did do.
Speaker 1:I'm a great believer in getting a basis of an understanding, so I did do some reading and I kind of understood where I needed to go, what I needed to do from a leadership perspective.
Speaker 1:There's a humility aspect that you don't know everything and what you should be doing is working out what you don't know. And when I first went there, we had some quite interesting DDoS attacks. So it was layer seven DDoS attacks, et cetera, et cetera, and I didn't understand what that was. So we had an office near Manchester and I went up there and I spent a day with one of our engineers who took me through what all this meant, how it worked, how it fitted together, and that's really stood me in good stead. And so what I've done, what I did over the seven years managing this function, is, with every incident and every issue, you've got to be able to deep dive, accept you don't know something, but be able to deep dive enough into it so that you can actually then explain it to other people. And I think that's really important. So you have to work really hard at doing that and that's a constant education and I educate myself all the time.
Speaker 2:So this is you know you again. You touched on a really important point, because to be a leader of these functions, you don't need to be an expert, right, you need to know how to lead and how to identify and manage the right people. So people often ask me where should the CISO function, the cybersecurity function, sit in terms of the org chart, and I highlighted already that yours was of quite a unique situation where it was reported to the CSO, and that doesn't happen very often.
Speaker 2:So what are your views? I know you're going to say it's about the person, but really, if you didn't know the organiser or the person in charge of the organisation, where would you sit the cyber security team, if you think about operational risk.
Speaker 1:If you look at most organisations who have a chief operating officer, their responsibility is managing the risk for the organization, and they normally, again, have, are trained in a certain way. They could be a technologist, they could be a finance person, they could be from the business, but what they actually hold is that ability to look at holistic risk across the firm. So you have to understand what the firm's strategic objectives are, how that translates into what requirements are needed in technology and operations, what risks are involved in that, and that could be regulatory, it could be resilience, it could be cyber, it could be anything and then ensure that the programs that you have in place are meeting those objectives. And so me, as the CSO, I took a lot of that responsibility from the COO because I reported to them, but I was looking after resilience, cyber investigations, physical security, crisis management. That's huge.
Speaker 1:How many people did you have? I had about 2000 people to run all that, and it's a big organization. It was almost like a mini COO. So I would say that that was what my role was and when I started thinking about it in terms of risk and strategic decisioning, then it helped me a lot. I had a really good CISO, I had a really good head of investigations, had a really good head of physical security. These were all very mature, experienced people. But to bring all that together into a holistic program, that was what my responsibility was, and I think that's really about understanding the risk the firm need to take in order to be successful and managing that risk accordingly.
Speaker 2:So what advice would you give to an aspiring CSO somebody who's looking at you who went from being a police constable well, first of all, obviously, Hong Kong police, but then a police constable in the UK to being, well, one of the leaders, the strongest CSOs in the world. It was all an accident, I don't believe that for one minute.
Speaker 1:To be honest, it was because I just said yes. So the reason I ended up at JP Morgan was I was asked by. It was an ex-Royal Hong Kong police colleague who I met at a barbecue in Sussex because they were currently working for JP Morgan in Asia and somebody had just left them who was looking at due diligence and investigations. He just asked me if I was interested and I wasn't massively interested. I mean, I was running a surveillance team. I was driving up and down the country at 300 miles an hour. I was calling in helicopter.
Speaker 2:You can't be police work, can you?
Speaker 1:no, and it was really exciting. But then in my 30s it was like how long can you play cowboys and Indians? How long can you chase the bad guy? How long can you, you know, call in the gunships? And, and there was part of me again that hankered back for Asia. I love Asia. We're in the Philippines today, yes, and I'm here, you know, on my own volition, but I love Asia, and to get back to Asia was something that I sort of hankered for.
Speaker 1:So this role was in Singapore and I didn't really know what it was. I just said yes and then when I arrived, I sort of thought, oh, what do I have to do? So I said yes because I like the overall opportunity. And then from there I started off at sort of running investigations crisis. I developed a crisis management program, I developed an intelligence program, sort of underneath, and then he, my boss, then left and at the time Chase were buying JP Morgan and the head of the region for Chase in Asia was sitting in New York, which was probably my advantage, because they suddenly thought well, we've got somebody sitting in the region, why don't we use them? So I don't think I necessarily I interviewed for the job, but I don't think I necessarily won it on merit, because I just think I've won it on location.
Speaker 1:But from there that then it got really interesting because then I could start playing with what I had. I built the first command center in a virtually a broom cupboard in Capital Tower in Singapore. That was taking an. All I was trying to network at our technical security and so you know so I've not always been involved in just sort of physical security. I was getting involved in technical security and in order to do that I went on a week's course learning how to wire access control systems. So actually I'm a qualified fitter of access control systems, wow.
Speaker 2:Have you ever fitted one?
Speaker 1:No, but I built one in the lab but I've never fitted one, but it allowed me when I went to test, to commission them, to actually catch out some of the installers who weren't necessarily as diligent as they should have been, but that allowed me that knowledge, allowed me then to be a bit more powerful in that area because I needed to understand it. I've always done that. I've always pieced pieces of information, grabbed a course here, done some education there, because that's really important to develop yourself as you move forward. And I do the same today.
Speaker 2:Now, like myself, you're a great believer in governance and you recently, again like myself, attended a non-executive director program. Yeah, yours in the UK. I did the Financial Times and you were at the, which one? Institute of Directors in London. Got it. Yeah, what did you get out of that and what was your reasons for?
Speaker 1:So I spend a lot of time with boards and we spend a lot of time talking to boards about risk, cyber crisis management, ransomware was the big thing I was doing and I was trying to get more involvement from the board. But you really then have to understand what the board's responsibilities are and try and hit the key points to allow them. So they're looking at managing the strategic risk of the organization as opposed to the operational risk of the organization the credit risk, the market risk. They have a view on that, but it's not their job to do that. It's their job to set a kind of a strategic direction.
Speaker 1:So doing that course understanding how companies run, how balance sheets work, how boards are comprised, what the fundamental sort of elements of board duties are I think it really helps you, and it did actually the first time I spoke to the board. After that it was obviously a completely different conversation, just naturally because I kind of knew what they wanted to hear and that was why I did it. But also I think that's given me a much broader understanding of how businesses are run and therefore how the banks run, and also allows me to do my job better. So, again, education is important and I did a master's in security and risk management soon after I joined JP Morgan in order to try and be able to translate my experience in law enforcement into what a corporate organization would understand. The language is different, the outcomes and the elements are probably not.
Speaker 2:No, I think, yeah, we joined. Well, we attended those courses for pretty much the same reasons then, yeah, because obviously, in my job, I speak to a lot of boards as well, and it's absolutely the right thing to do to understand what their focus is, what their interests are, what their responsibilities are, and it's no use to me just talking about cyber without making it relevant to them. So I found it extremely helpful, I have to say so, yeah, it's very much a good thing. So another thing I want to touch on with you is crisis. Now, you mentioned it a few times already in this podcast, but crisis is a big word, isn't it? And crisis can take many forms. I love crisis.
Speaker 1:That's when I'm alive, because I think it's the essence of the job that we do. People in our organizations haven't had the training we've had. We've had to be able to make quick decisions in a dynamically changing situation, and I think that skill is really important to bring to an organization. But there's so much you can do with crisis. It's not about the crisis. The work is before. And if you don't do the work before, if you don't see how a crisis might start, if you don't understand how issues occur and start to try and minimize those far out, then you'll have lots of practice at crisis.
Speaker 1:The idea is, with crisis management is not to have a crisis, albeit when you do have a crisis, you have to have a really good way of managing that and informing people and making the right decisions. So, okay, my view on crisis so long-term intelligence, horizon scanning so important understanding what is going to impact your business in lots of different ways. And that that requires working with the business to understand what makes them tick, what makes them float, what worries them on a day-to-day basis, taking that and saying right, if we knew a day before that they got impacted, how would that help them? And then that starts to help you understand resiliency planning, and so I think it's about giving the business time to respond. So all of the work you do at horizon scanning level, intelligence management, talking to the business, early, mitigating and mitigating you're providing time for people to understand it and what we try and do with horizon scanning if this is the best outcome. So horizon scanning identifies a potential impact that you know the business is going to have a big problem with. You manage to get them two weeks notice.
Speaker 1:As a result of getting that two weeks notice, you're able to look at that impact, see exactly where it's going to impact and run a test on that. So you do a crisis management test on that particular scenario. Out of that scenario, you get lots of different controls that you need to mitigate and work out and enhance. You then look at that, you do an after action report on that and you're still before the crisis has hit, and by the time the crisis hits you, you're almost BAU. Yes. So an example of that is actually, as we're sitting in the Philippines. When I was at JP Morgan, every year we had a typhoon and every year we know that the typhoon tracks around through the Philippines and up towards Hong Kong, China, and we know that it happens between a certain amount of months and every year the office used to get flooded and knocked out and people wouldn't be able to get to work.
Speaker 1:And so I was thinking about this and I said, look, if we were able to get some sandbags because we know where areas flood, because we've seen it every year if we were able to understand who was keyed, needed to be in the office, and we got some supplies and some cots for them to sleep in, and what have you, we could do a preparation session before the typhoon season and then, when typhoon season comes, we can actually then ride through it because we know exactly what we're doing and that's a really good example of horizon scanning right, and that's seasonal, it's not just something that blows up like SARS or coronavirus or whatever.
Speaker 1:So that's a really good example. But you take that example and you apply it to everything a business does, and so that's a really simple concept. A lot of hard work, but crisis is about planning and intelligence and then having a really good process for managing the aftermath of when you do actually get hit by things, because cyber attacks and happen like that and we have to respond and jump to that Having a really good communication system and being, I think, as the crisis leader, being in charge, making decisions really important.
Speaker 2:Well, I try, because we obviously do a lot of these crisis exercises, cyber crisis drills, and each one is different because, you know, as you rightly say, you have to find out what would hurt the organization most. You know, what's the biggest point of failure. What I find is one of the weak links of many companies is that key role of communication, right, somebody who manages the crisis. And for the longest time, I'm normally brought in by a CISO or somebody in cyber IT or whatever to run the exercise and I say, well, have you told your chief security officer? And the answer 90% of the time is no. Why would I? It's kind of frustrating because I always find, or not always, but mostly find that if the CSO is involved, that person knows crisis, they could take charge and even if they don't understand the ins and outs, they can manage. Make sure the playbooks are being adhered to, the communication channels are there, it's managing the structure of the crisis.
Speaker 1:So whatever the crisis is never matters. Yes, so it's interesting because when I do crisis training, I always start off, which really annoys people, by saying the three most important things you have to understand in crisis, and everybody gets their pens out. Think, here he goes, he's going to sort it all out, and I say, number one is communication, number two is communication and number three is communication.
Speaker 1:And then I break that down into number one is communication up, number two is communication internally and number three is communication externally. And if you get all those things right, you pretty much win. If you forget one of those, you pretty much lose. Even if you manage to get back into some kind of BAU activity and you solve your tech problem, whatever it may be, what you have to avoid is things like a run on the bank. Customers need to have confidence in the fact that you can supply them with money. Interestingly enough, the most used, if you look at any banking app, the most used part of that banking app is people looking at their balance. They do it multiple times a day. If they can't look at their balance, then that confidence starts to go. So if you were able to design your technology system and your mobile app so that actually checking your balance is kind of separate from everything else, if you've got a big problem with your payment system and you can still see your monies in the bank, that's massive.
Speaker 2:That's massive. That's interesting, very interesting. Yeah, I wouldn't have thought of it that way, but I guess you've put a lot of, um, yeah, study into that and, uh, looked at a lot of metrics. That's quite fascinating. But, yeah, crisis, so, uh, you know, because I know we're running out of time on this one, but, um, I also, by extension from the crisis, you got involved with the Asia Crisis and Security Group. Would you like to tell listeners a little bit about that, because I think that plays a very important role?
Speaker 1:I mean, look, the other part of a good crisis manager is also having help from other people in the organization and their network. And network is something you really have to build, but it takes time. The right people in the right places. So Asia Crisis and Security Group was formed after the tsunami, I think in 2003?
Speaker 1:I think so, I think 2003. So I was in Singapore, tsunami occurred and unfortunately, there were lots of people who were holidaying at that time in that area, Thailand and Sri Lanka and all these other areas that were affected, and so it wasn't necessarily a business crisis, so the business were not impacted, but their people were, and we weren't really that well set up to manage a big sort of disjointed people operation. And so there were many of us got together, all of the different banks got together and wider organizations beyond banks. I mean, we had JCB, we had all sorts of different people and we all got together and said, look, you know, we all have resources, we all have some bigger operations in some of these countries than others. How do we use the resources we've got if we pool them? And so, you know, if I was looking for 20 people in Thailand, we already had people on the ground in Thailand working for another company, so I would give them the names and the identification of those people, in order for them to help find them. And so we really were just a coordinated sort of UN-type approach to managing crisis, and it was really successful.
Speaker 1:As a result of that, the ACSG was born and then it became a shared information sharing situation. So then it really looked at what's happening in the region and that's the pre-planning, pre-crisis. If we see a situation happening in Indonesia that may affect business, then we start talking about it. And there's somebody on the ground in Indonesia, might not work for JP Morgan, but they work for the Bank of America or whoever, and so that pooling of information was really, really important. And then, you know, the Mark Hargraves, who sadly is not with us anymore, who was really the lifeblood of that, and almost, you know, singly kept that going for many, many years and it's still going today, and I'm now an advisor to that organization.
Speaker 1:We just had the 20-year anniversary, I think this year or few, and I came over for that in Singapore. But the element of coordinating and helping each other in crisis really does help protect organizations, really does, and it's so important. I tried to build a similar kind of thing in Europe and it didn't quite go the same way. But there are, you know, there are various small organizations, but I think there's so many competing organizations that are focusing on so many different things that it's a little difficult to create something that everybody buys into without having that thing that people can touch. We formed it out of a crisis so everybody realized it was working.
Speaker 2:I agree, it was timing, but the reality is it's now attracted some superb professionals. Of course, I'm not allowed to be a member anymore because I'm on the dark side as a consultant. It's only for in-house chief security or security folks. But I feel honoured whenever I get invited to attend these meetings and speak at these meetings as the cyber contributor or whatever. But yeah, it's just a fascinating bunch of folks who I love talking to, and we're about to meet a couple of them in a few minutes' time from that organization and, you know, it's recognized by the International Security Managers Association, ISMA.
Speaker 1:It's also recognized by OSAC. So you know it works and it works closely with governments as well and certainly when we were looking at the tsunami in Thailand, we were working very closely with the British government as well, with their emergency teams.
Speaker 2:Right, so the likelihood our listeners are probably from a cyber background rather than a physical security background, but anybody who is, if your physical security leads aren't members or aren't involved, they should be, shouldn't they, Tim, really?
Speaker 1:They should. They should, and it doesn't just sort of come together in crisis that we do a lot of mentoring, trying to bring on sort of our more junior members of the security organizations in Asia specifically because I think you know Europe and the US. There's lots of courses and lots of hands-on issues. I think in Asia sometimes people need a bit more guidance because the industry is a little younger here, but that's really developing, yeah, and it's just a good place to share information.
Speaker 2:Well, that's a good point to end on, a good high note there. But I always ask my guests one last question every time, because, well, as you know me well, Tim, you know I'm a music lover, of vinyl music predominantly, and it's my way of decompressing, because we all operate in a stressful world, right? So I love listening to music. How about yourself? What do you listen to these days?
Speaker 1:So AC/DC when I'm driving. Fantastic. So that's my go-to. And my daughters always say if they put AC/DC on when I'm in the car, I get there quicker. I'm not sure that's breaking speed limits. And then I, you know, I like a bit of soul. Teddy Swims is a kind of YouTube now moving into the kind of more mainstream. And then there's a guy that I've been following in Brighton called Ren, R-E-N, who's doing some interesting things, but that's a bit rap oriented and quite out there. So I've got quite an eclectic mix, but I do hark back to, kind of, you know, the 80s anthems. That's kind of where my general music sort of taste sits. Right. Well, well, very interesting.
Speaker 2:And, Tim McNulty, thank you so much for joining me today, taking up a bit of your time on your vacation to talk to us. Some of the stuff you talked about is absolutely fantastic information. I really appreciate your giving me a time to be with me today. No problem, it's been great. Thanks, Paul. Theos Cybernova was presented by myself, Paul Jackson, the studio engineer and editor was Roy D'Monte, the executive producer was myself and Ian Carless, and this podcast is a co-production between Theos Cyber and W4 Podcast Studio in Dubai.
Speaker 1:The Theos Cybernova Podcast.