Cyber Spotlight: Cyconsol

October is Cyber Security Awareness Month, and we’ll be profiling some of the industry’s superstars to help bring attention to this very important sector. Canberra’s home to some some of the most innovative leaders in cyber the world over — get to know them here!

This week we spoke to Ken Hendrie, Founder and Director of Cyconsol. Learn about what they do, what they’re proud of and why Canberra is the best place for them (and you!) to do business.

Tell us about your company. When and why was it founded?

Cyconsol was founded almost three years ago with a focus on providing high-quality security consulting advice backed by our ICT Systems design and engineering capability to assist our clients in effectively and efficiently deploying and operating secure systems.

We found that the traditional consulting model of security advice being provided to internal IT teams or service providers for them to then implement and run, had many issues that lead to insecure systems. This is not only when first implemented, but over the lifespan of the system often through a failure to maintain the measures in place to manage risk. With a strong background in security review and audit, our staff had become tired of seeing the security maturity of IT environments fail to improve over time and decided to do something about it.

Our difference is that we strive to achieve real, tangible improvements to the security programs of our clients that will be able to be maintained over the long term, not degraded the minute we leave the building. Forming strong relationships to better understand the problems clients face to implement controls that align with the context and culture of the organisation and then ensuring that the security baseline is maintained over time.

What products and services do you provide?

Cyconsol has three core focus areas of the business: security governance, risk and compliance; ICT systems development and operation; and technical security.

Security governance, risk and compliance focuses on directing the security program of organisations using better practices approaches to identifying and managing risk. Specifically, this includes security advisory, information security audit, threat and risk assessments, policy development, cyber security training and awareness. Cyconsol also have a number of engagements where we operate a ‘CISO as a Service’ or ‘Security Program as a Service’ where we are responsible for entire components of security roles or program of organisations.

Our ICT systems development and operation, which is heavily linked to our other capabilities, focuses on the planning, design, implementation and operation of systems that balance both security and operational requirements.

Our technical security business is focused on the technical design and validation of controls and the operation of security monitoring capability. Specifically, this includes penetration testing, vulnerability assessment, configuration and code reviews and security operations.

Tell us about the skillset and dynamic of the team.

Cyconsol is made up with people from a diverse range of backgrounds and skillsets from all over Australia, working together to develop and implement solutions as a collaborative team. We operate a decentralised team model with staff in Melbourne, Canberra, Brisbane, Cairns and Darwin allowing us to not only source great talent but allow staff to live in areas that match their current personal life requirements and desires. We are always looking to bring on new members of the team that can further enhance the capability we can provide to clients.

Tell us about the current cyber landscape in Australia.

It’s fair to say that there are a lot of challenges facing the Australian business environment in regard to cyber. Significant cyber threats, limited available workforce, fairly immature sets of tools available and limited money to tackle the major issues. This is now more evident at the small business layer of the industry, where businesses don’t have the capability and resources to appropriately secure their businesses. There are, of course, numerous initiatives at the global, federal, state, and local levels, as well as significant industry participation to resolve these issues, but it really is a matter of time before we’re fully prepared for these problems. Time for the education system to deliver capable students at significant capacity, time for technology to automate and innovate to increase effectiveness and reduce cost and time for governments to implement initiatives at all levels to reduce the prevalence of global cyber threats.

It isn’t all bad news. We’re seeing some fantastic Australian companies showing up on the scene with innovative products and services that show real promise in combatting the ongoing issue of cyber threats. We look forward to partnering with a number of these capabilities as they evolve in the hopes that we can create a safer and more secure environment for Australian businesses to operate in.

What advice do you have for startups and businesses around cyber security?

If I was to give advice to businesses attempting to operate in Canberra, primarily targeting the Federal Government, it would be to make sure that they understand some of the barriers to entry that can have a significant impact on obtaining business and maintaining revenue and cash flow. There are three main areas that are often mentioned as constraints to business, including:

  • Panels, panels, panels. While the Digital Marketplace has made some improvements in enabling smaller businesses to obtain work, there are still many government organisations that rely on panels or selective RFQ go-to-market approaches, effectively preventing new businesses from obtaining work. Strengths in understanding the panel system, growing strong networks and forming strategic partnerships with organisations who have panel access, can assist with this.
  • Security clearances. Most government organisations will mandate minimum security clearances for staff who are accessing, processing and transmitting Australian Government data. Having cleared staff or partnering with an organisation that can help with clearances can be helpful here.
  • Government procurement can be slower than in the private sector, especially for larger projects or product sales. This needs to be factored into your pipeline and cash-flow planning.

What are you most proud of so far?

We’ve managed to assemble a team of fantastic people from all over Australia who are delivering incredible results to our clients while juggling the constantly changing conditions of COVID-19.

What quote or philosophy do you stand by?

I have long subscribed to the principles and ideals of a ‘trusted adviser’ that have been documented by practitioners such as David Maister.

Why do you think Canberra is a great place to do business?

Canberra not only provides a significant business opportunity with the Australian Federal Government, but also provides a well-balanced environment for our staff to live. Our relationships with both the ACT and Federal Government have been very rewarding and supported us in the continued growth and advancement of the company. The cyber security community within the ACT is also very co-operative and supportive and it is not unusual to see companies that would normally be considered direct competitors actively engaging and partnering with each other.

Canberra also provides a fantastic base for the hiring of capable junior staff from the numerous tertiary education institutions.

If you’ve attended any Canberra Innovation Network events or participated in our programs, how have they helped you along the way?

Cyconsol was recently involved in the Cyber Security Business Accelerator operated by CBRIN which provided a great opportunity to network with other cyber security start-ups in the Canberra Region.

We are very focused on partnering with other local companies and CBRIN has greatly assisted us in identifying and starting discussions with other organisations in the market.

What does the general public not understand about cyber that just leaves you flabbergasted?

I think the events of COVID-19 and other incidents that have occurred in the world including election interference, high profile security breaches and the spreading of misinformation, has greatly improved the understanding of many in the community to the cyber threats that are present. I would not say there is anything I am flabbergasted about but would say that there appears to be a disconnect between what people think is required to secure systems and information and what actually needs to occur. There is still very much a “set and forget” attitude to security, that once a system or account is setup securely on day one, then everything is going to be fine from then on. I believe that the scale of effort needed to resolve many of the security weaknesses is exponentially larger than what the general public believe to be the case.

Thanks, Ken! We appreciate your insight (and will pass along your details for those looking to work with you!).