Demystifying cyber security – Rachael Falk
As CEO of the Cyber Security Cooperative Research Centre, Sydney alum Rachael Falk (Lawyer until 1999) leads an organisation whose aim is to develop effective collaborations between industry, researchers and governments to deliver outstanding cyber security research.
Since leaving the law, Rachael has forged a career as one of Australia's leading cyber security experts, is a regular commentator on cyber security issues and was recently appointed to the Federal Government’s Cyber Security Industry Advisory Panel.
Tell us about your role as CEO of the Cyber Security Cooperative Research Centre (CSCRC).
The CSCRC is an organisation that is all about industry-led cyber security research. Our aim is to build capacity and capability and to play a key public role in cyber security advocacy, providing evidence-based commentary around relevant policy issues. The CSCRC has 25 Participants, comprising Commonwealth and state government departments, large multinationals and smaller organisations. Fostering collaboration and innovation is at the heart of what we do. The CSCRC has a seven-year lifespan (we are in year three) and is facilitated by $50 million of funding through the Federal Government's CRC Program (operated through the Department of Industry, Science, Energy and Resources) and the significant contributions of participants. Aside from having a great team that do a lot of the heavy lifting, being a CEO comes with all the usual governance and corporate obligations.
What does a typical day look like for you?
There isn't a "typical" day at the CSCRC. It depends on what is going on with our research, in government and in the media. If there has been a cyber-related announcement or incident, I might be asked to do a media interview and like all good former litigators, I have a jacket handy in my room for that occasion. It could be having meetings with my team, talking about research opportunities or preparing to meet a prospective member of the CSCRC.
What do you enjoy most about your work and what has been your most rewarding achievement?
I enjoy seeing the team I have built running with ideas and really making them greater than I could have imagined. My most rewarding achievement is going from being employee number one – literally flicking on the lights – to having a great team, a wonderful office environment and watching it all grow and prosper. For me professionally, it has been growing into the role and working with my Board and Chair. No one teaches you about the nuances of working with a Board but I have to say that I have been incredibly fortunate to have a generous Chair, David Irvine AO, as well as a very strong Board.
You were previously Telstra's first General Manager of Cyber Influence. What is "Cyber Influence"?
Cyber influence is an odd name but it means to influence an organisation about key cyber security risks, be it to a Board about enterprise risk or to the workforce. A lot of my role was turning what most people believe is an intangible risk into a tangible risk with consequences. And "influence" is all about shaping behaviour. People don't like to be told what to do but if you can shape behaviour and warn about consequences, people will try to do the right thing.
2020 was a crazy year – how did lockdown affect you personally and professionally?
We very much had lockdown "lite" here in Canberra, so I feel that we have not suffered as much distress and inconvenience as others. For me, while I was working full time from home, both my teenage kids were home too. We had two birthdays and while they might have felt "trapped" with me every day, I liked the time together, simple pleasures like sitting down for lunch and talking. Professionally, given my team is spread from Perth to Canberra, everyone just banded together and got on with things. But it was totally okay to work at a different pace. I have to say, I don't miss active wear!
Where do you see your industry heading – what are the key issues or changes you see on the horizon over the next three to five years?
The Federal Government recently released a draft of the proposed changes to the Security of Critical Infrastructure Act 2018. The proposed changes, if passed in their current form, will be significant and will potentially impact up to 80% of ASX companies as well as other companies in the relevant supply chains. There are both operational security changes that will become necessary but all boards will need to identify and understand their cyber risks and how they effectively manage them. Boards don't need to be technical experts but they will need to know the right questions to ask, understand the answers and satisfy their obligations with respect to the cyber risks unique to their sector. I spend a lot of time demystifying legal issues and talking publicly about the need for certainty around cyber-related risks. This is not dissimilar to the days when other physical risks were being assessed by the courts (we all remember our early days of law school and endless cases about terrible golf ball injuries). Due to the interconnectedness of how we live and how much of our lives are dependent on digitally connected systems, we do not have time for common law to shape an accepted position on these sorts of risks. I expect we will see legislation attempting to set some sort of acceptable duty of care and benchmark, which will be shaped by common law in years to come. While I no longer practice law, it very much informs how I approach my advice and how I explain this legislation to stakeholders and in the media.
What new skills do you think lawyers need to develop for the future?
It will be vital for lawyers to understand their clients, the business they are in and the risks unique to that industry (see my answer above if your clients fall into the categories above). Lawyers also need to understand they are keepers of secrets and it is important they protect their valuable data in a digital world just as well as they do in the physical world. Large law firms like Ashurst are great targets for nation states and cyber-criminal syndicates because they often have a great deal of strategic information about a deal or their clients.
What are you passionate about outside of work?
Spending time with my family and travelling – I can't wait to get overseas again! I'm also a geek at heart and I'm always hungry to learn new things, so I've just started a short course in Artificial Intelligence.
What were the most valuable lessons you learnt while at Ashurst?
I was relatively junior when I was at Blake Dawson Waldron (now Ashurst) so for me a valuable lesson was around teamwork and respect. I spent way too many hours in rooms doing discovery or preparing for a large court matter but attention to detail and working with a supportive team was something I valued and still do.
And learning that attention to detail is critical when you are a lawyer and a great life skill!
What is your favourite Ashurst memory?
There are many but Robert Todd moving my admission clearly was a highlight of my time at Ashurst. I have many other memories but they are in the vault.
I am sure I am supposed to talk about winning some case and having a client ship over crates of vintage champagne but alas, no. I do seem to recall abseiling down the side of a large hotel in Terrigal as part of a "team building" exercise. I recall thinking this was either a really bad idea and would go badly wrong or I was going to be okay and live to tell the story. I also recall my colleague Ben Houston being way too chipper about the whole experience.