Hear former Prime Minister Sir John Key (Director – Palo Alto Networks) and Misti Landtroop (Managing Director NZ- Palo Alto Networks), as they join Paul Spain to explore the evolving landscape of cybersecurity.
Sir John Key shares unique perspective drawn from his current and past experiences, including:
- Prime Minister of New Zealand
- Minister responsible of Special Intelligence Service (SIS) and Government Communications Security Bureau (GCSB)
- Director at Palo Alto Networks
- Director at ANZ Bank
- Director at Air New Zealand
The episode is focussed on cybersecurity viewpoints – including predictions for 2025 from Unit 42, and reflects on the importance of continuous adaptation, education, and integration in the fight against cyber threats from various sources including powerful nation state actors. A range of other topics were discussed including weighing up the importance of privacy vs security.
Special thanks to our show partners: One NZ, 2degrees, Spark NZ, HP, and Gorilla Technology.
Episode Transcript (computer-generated)
Paul Spain:
Greetings and welcome along to the New Zealand Tech Podcast. I’m your host, Paul Spain. And today, real privilege to have Misti Landtroop, the managing director of Palo Alto Network’s joining us. How are you, Misti?
Misti Landtroop:
I’m doing great, thank you.
Paul Spain:
Great to have you back in the podcast NZ studio.
Misti Landtroop:
Very happy to be here.
Paul Spain:
And Sir John Key.
Sir John Key:
Hey, Paul, how are you?
Paul Spain:
Yeah, good, good, likewise. And well, you’re wearing your hat today. As the director of Palo Alto Networks.
Sir John Key:
I am very proudly. Company’s doing extremely well. That’s not a offer to buy shares or anything, but. No, look, it’s been an amazing company. I’ve been on that board six years and it just goes from strength to strength. So it’s been doing incredibly well.
Paul Spain:
It has been, yeah. It was interesting, you know, looking at the share price and to see how it’s, you know, continuing to do. To do strongly. The company’s had a lot of acquisitions even, you know, just in the last few years, right?
Sir John Key:
Yeah, well, I mean when I joined it was about an 18 billion market cap company in US dollars. Today it’s around about 125, 130 billion. So, you know, exp. To your point, we’ve probably acquired about 30 companies that maybe even more, but many of them are within the delegation of the CEO, so they don’t always come to the board combination. Really quite a lot out of Israel and a big number obviously out of Silicon Valley. And they’ve really been part of. If you think about the company, Sad Life is a firewall business. Very good firewalls.
Sir John Key:
But as of course our customers morph towards the cloud and to the services that come off that. Everything from sort of unit 42 to better sock management. We’ve joined that evolution with them and the real aim has been do two things, either build or buy best in breed. And the second thing is to offer a holistic solution to our customers. So, you know, the big sort of internal buzzword is platformisation. I don’t even know there is such a word, but we’ll tell you that there is. And that really just means end to end, from sort of entry point through to, you know, the back end of it. A solution that means that you deal with Palo Alto and a selfishly, that’s great for us, but actually far more importantly for you, it’s actually as a customer, a lot better way to operate because it’s those intersections between various vendors that create one of the stress points and one of the vulnerabilities.
Sir John Key:
So that’s really the aim around it. And yeah, it’s been working very well.
Paul Spain:
Yeah. Oh, that’s good. Now, before we jump in, we should thank our show partners. So a big thank you to HP, One NZ, Gorilla Technology, Spark and 2degrees now. Misti, how long have you been heading up Palo Alto in New Zealand now?
Misti Landtroop:
So just over five years. And I just want to say something quickly about the platformisation. This is so interesting. Our competition has now started to adopt that as well. So I just was on a call this morning with one of my team going through her quarterly business review and she had an example from a customer of one of our competitors and they almost identically adopted all of our messaging, all every single thing around platformisation, but then put it into their vernacular. And so not all of their stuff was exactly like ours, obviously, but they didn’t let the truth get in the way of a good story. But I think that just reaffirms that what we’re doing is we’re heading in the right direction. So a year ago if we said platformisation, then people are like, what is that? And so now I feel like it’s starting to become something and I feel like we’re in the best position to be able to move forward on that.
Misti Landtroop:
So anyway, so I found that quite funny. My sales rep was really angry and I was like, no, no, it’s okay.
Sir John Key:
Flatteries, you know.
Paul Spain:
Yes, well, it’s the way that, I mean, not just the technology and cybersecurity industries go, as somebody finds something, figures out a new way of doing things and, or a particular approach and, you know, others tend to follow.
Sir John Key:
Right, Yeah, I mean, it’s very rapid moving, I think for a number of reasons. One, it’s in response to bad actors, of which there are many, and they are very sophisticated and they’re everything from nation states to people who just want to build a profile and, you know, better get into, I don’t know, some high profile place like NASA and leave their, their fingerprints there. So that’s one thing that’s driving it. I think. The second thing is technology is just evolving rapidly, but I also think that move towards the cloud. I mean, we talk quite a bit about it at work and we think, you know, at one level you kind of think Ivorin’s in the cloud, but I mean, but they’re not, you know, I mean, there’s still more people on premise than they are in the cloud or a hybrid of those. So as people have morphed towards that and public cloud just gets bigger and bigger, then more you’re having to See new solutions. So.
Sir John Key:
And technology, you know, rust never sleeps, goes to Silicon Valley. There’s always a new toy coming along very quickly. So, yeah, we’ve been lucky enough to adopt or build or do all those sorts of things.
Paul Spain:
Now, you mentioned around nation states, and I’ve been in a few sessions recently, taken content from hearing some stuff from sis who have been giving guidance to New Zealand entities, and particularly those on the cutting edge of tech and aerospace and so on. And I guess the feedback from them and five Eyes, they call out particular countries, some of those are countries that you do business in. How does that work for you in terms of when, you know, let’s say China or another country is well known as a state actor to kind of do some things that we might not necessarily like as a country, and you’ve got to do business in these countries as well. How complicated does that make things?
Sir John Key:
Yeah, I mean, look, I think it’s sort of. If you talk to our people internally about cybersecurity and protecting your enterprise, their buzzword for that is zero trust. Everything’s on zero trust. You don’t get access to a part of the network or the data or whatever unless you actually need to have that. Right. So that’s quite a different approach to what maybe occurred a long time ago. And so I don’t want to say that you got to have zero trust when it comes to every country you deal with. But the truth.
Sir John Key:
But the truth is probably all countries are involved in one form or another trying to get better information and maybe access to a few secrets. So I think the first thing is just assume that you’re vulnerable, I think, is the first point. Secondly, you know, my experience of being Prime Minister and being the minister of SIS and gcsb, what I’d say is there are often many motivations. So you sometimes sort of think, and I’ve kind of came at cybersecurity a bit from the point of view of thinking, well, gosh, it’s really about ransomware and people making money and all that sort of stuff. But actually, you know, that is true. I mean, there’s obviously a very big industry and sadly, a lot of people fall prone to that. But I don’t think it’s quite as simple as saying it’s solely that. It could be that a nation wants to understand, for instance, its nationals traveling to your country, or it could want to understand your negotiating position, something.
Sir John Key:
Or it could want to say, well, you know, understand your technology because they’re developing their own, their own vaccine or their own Whatever it might be. And they, you know, they want to. They want to borrow your secret. So all I can say is that there are many examples and also I think wrapped up in nation state, funnily enough, and I might be wrong, it’s a bit of a personal view, but I think that there are some people that live in a country and, for instance, they want to ingratiate themselves with the leadership of that country. And so what they do is they do go and gather information. They look a bit like a nation state, but they weren’t necessarily sanctioned by the ruling party to do it. They were probably very happy to accept the information when they get it. So my point is they kind of end up being nation state.
Sir John Key:
But did they really start as that? I’m not sure. But look, the simple facts of life are, is that there is a lot of different threat actors. Some of them are just people who live in Russia or whatever and running very sophisticated schemes. And sadly, a lot of our, you know, you know, of clients that we see come to our unit 42, which are the people that come and help you when you’ve got a big problem, end up paying ransom to them because that’s the only way to get your systems back up and running again if you haven’t, you know, if you’ve left something open or haven’t protected them properly on the way through.
Paul Spain:
Yeah. Is that something we’re still seeing a lot of, is the payment of ransoms? Do you have any stats on that? I’m always curious because I’ll hear different bits and pieces from differing directions. And obviously there are some scenarios where it’s very hard to pay a ransom. Right. So governments don’t seem to be. New Zealand government wasn’t that keen to pay up a rents and when Waikato District Health Board got hit. But you could also see the flip side. There’s a whole lot of patients whose data was gonna go out there.
Paul Spain:
And so, you know, there’s no winners in that one other than the bad guys. Right. So, you know, even if money was sort of paid out, you know, that was, you know, wasn’t gonna be good. And of course, every time money gets paid out, that just encourages them to keep. To keep coming.
Misti Landtroop:
Yeah. It’s interesting. Every time I hear someone say, absolutely never would I pay a ransom, then I always think, okay, well, be careful with that absolute descriptor. We have some folks within our organisation that have a lot of skills in negotiations and things like that. I think if you can avoid pain. And obviously that’s the Best thing to do from the example that you just mentioned. But absolutely, it’s still, I mean it’s a big business out there, just depends on what the situation is. So I don’t know what the numbers are for how many, how many millions, billions of dollars, what have you are being spent on ransomware.
Misti Landtroop:
But yeah, I think it’s definitely still, there’s a reason why it’s still happening. It’s because people are still paying and I’m not advocating that they should be paying, but it’s just, it just depends on the circumstances and how dire the situation is. One of the things with unit 42, our threat intelligence team, then we have a few of the experts that are here in this part of the world, but then also that come over from the US and Israel and things like that and we do some one on one closed door briefings, whether that’s with government or with some of our customers. And that is a way as well for them to show what’s actually happening from a global perspective that can help them to make their decisions. So as John mentioned, you might have someone, he didn’t say this, but kind of got lucky like, oh, here’s a nation state, but then I’m going to tag onto that, go do something else. And so being able to have that visibility on what’s going on from a global perspective, that’s something that we try to do to bring back to New Zealand on a constant basis so that we know that just because we live on this small island on the other side of the world that we’re not immune to all of these different things that are happening in today’s world. And so that’s something that I did have one CISO around this time last year as we left the session, she said, I’m slightly terrified now that you showed me all these things, but I think knowledge is power and that’s what we’ve got to keep doing.
Paul Spain:
So yeah, it’s really important. I still remember the first time I heard and came across, I guess the very earliest kind of ransomware. And I shared about it on a breakfast TV interview because I thought, well, this is something that New Zealand needs to know about, we need to be aware of. And it was mostly targeting individuals probably more than anything. And I think the ransoms were, well, it might have been half a bitcoin at the time, but it was in New Zealand dollars. It was about 500. Yeah, it was a few hundred dollars, right, of course, yeah, that had to be paid using crypto, little bit more now a Little bit more. Now, I’ve seen from some of the reports and fortunately haven’t had any firsthand examples to deal with.
Paul Spain:
But the numbers are continuing to track up in many cases into the millions of dollars. Do you have any sort of knowledge or viewpoints on what the numbers are in terms of what people are paying in terms of ransoms? And I know it does vary according to sort of size and scale of organisations.
Misti Landtroop:
Is that what you’re looking at? I don’t have the actual numbers. I just know that it continuously goes up and so year on year. I don’t know if you know, look.
Sir John Key:
I think far more people pay ransom than one will admit for the reasons that Misti said that in the end they can start at that position, but they end up in a different place. You know, as Prime Minister, I can tell you that we didn’t pay ransom, forget about cyber for a second, but we didn’t pay ransom. For instance, if your daughter got kidnapped in some far flung part of the world, we didn’t pay ransom. The US had a thing where not only did they not pay ransom, but the family couldn’t pay ransom. And Obama actually changed that law, said, well, ok, the family can pay if they want to. And the reason for that is that what we were terrified of is the very point you made, which is, okay, we say, yeah, we do pay, and some countries do pay ransom, and then their citizens are their youngsters, usually young people backpacking through very weird places. They get targeted because they know they’re gonna get. There’s a payout right on the other side of the coin, if you get to a point where, okay, your system’s just completely debilitated, there’s a whole lot of information, data, you just are critical and you haven’t backed up properly, there might come a point where that’s far cheaper.
Sir John Key:
And weirdly, I think, I don’t want to say bad actors have good morals because they don’t. But it’s not a good business to do that and then target you the next day. So, yes, so people do pay. First thing is they pay. And the moral of the story is protect yourself so you don’t need to pay. But in one of the organisations I was on the board of, we had a cyber attack. Now, in the end, we kind of rebuffed them, but it was going work it out, I’m sure. Very large denial of service attack.
Sir John Key:
And they were bouncing around other institutions as well. When they saw us trying to backfill that because we use combination of different providers, there actually that organisation did. Then the ransom demands went through the roof. Far greater than the numbers you were talking about. Far, far greater than the numbers you’re talking about. So my point would be, look, you know, you never say, you know, can never say never. But to Misti’s point, there’s a reason why these people spend a lot of time. One, they can leverage it, you know, AI lets them do, you know, remarkable things like, look, it’s like no different from Nigeria, these scams and, you know, love scams and investment scams.
Sir John Key:
You know, you send enough of them out on the Internet, which has no cost, and if you get 0.0001%, that adds up to a lot of money. But the truth is there’s a hell of a lot of money that’s been paid and those kinds of things. This is different because it’s not a scam. You’re actually getting robbed effectively. But if you need your systems and data, sometimes you pay and they’ll tell you they won’t, but they do. So I think the moral of the story is you really, really have to do everything you can, I think, to work out how secure are your systems. Now, maybe no system’s secure enough for the incredible feats these people are capable of. But we have lots of products.
Sir John Key:
So we have a product, for instance, called Expense, which looks outside in the way a bad actor would look at your place. You can obviously run lots of things here, unit 42 and other people can guide diagnostically within your organisation. There are other providers as well that do that. It’s not just us, but when you look at a lot of the different cyber attacks, usually, usually someone’s left an API open or they haven’t had the proper security around their identity access, or maybe the person’s even bad lived on that system for a very long time, working out what you’re doing. Like these things are. In fact, I watched a thing actually on. It might have been a podcast actually on a flight recently. And the guy was saying he was a cyber ex.
Sir John Key:
He said, look, it’s not rocket science. It’s very. Sounds like it is, but he said it’s very logical. They just work through the coders and they know how everything works. Way beyond my pay grade, but apparently they just go line by line and they can work it out and they have the technology and the tools and eventually it’s like if you. It’s like a burglar walking around your house. If you happen to leave one of the windows unlocked, that’s the entry point and they eventually try every window, sometimes front door and they walk in.
Paul Spain:
Yeah, well, I guess there’s so many possibilities, aren’t there? Just in the same way with offline crime, there’s kind of an unlimited number of possibilities for people to do untoward things.
Misti Landtroop:
Yeah, I think in being vigilant, that’s what. And being able to be plan and be resilient if something does like that happen. We were talking before the show around still the number one way that people get in are from people doing something that they shouldn’t be doing or with social engineering and with the sophistication of technology. But then really it’s someone at the end of a keyboard. We’re getting into the holiday period. We’re going to have to see the same things happen again. With cybercrime and, you know, targeting vulnerable people, what’s the easiest path if it’s a business to them, so they’re trying to make money. Unfortunately, it’s not very.
Misti Landtroop:
From a moral perspective, it’s not very good. But yeah, so that kind of stuff hasn’t changed and I think it’s just going to continue to accelerate with the advancements of what’s happening with AI.
Paul Spain:
So, yeah, I was noting the last report was probably earlier on in the year from unit 40, which of course is part of Palo Al Networks. They highlighted there’d been this change where phishing used to be sort of the number one way of compromising an organisation to where software vulnerabilities actually had certainly during 2023 had taken that sort of top spot. Any idea on why that changed? Is that because it’s got much harder to. To do phishing? Because people have had a lot of training. I guess multi factor authentication makes it harder to a degree. Although I understand phishing itself has got more sophisticated in terms of how they do these things.
Misti Landtroop:
Well, I think it also goes back to there’s just such an enormous amount of data out in the world today and when you look at it from a software developer perspective, then you’ve got their developing code, so code to cloud, but then you’ve got all the cloud service providers that there’s opportunities there from a tech surface management and then the linkage back to the security operating center. So one of the things that we’ve done is there’s so much of a tighter linkage now between what’s happening with our, we call it our Prisma cloud or code to Cloud solution and our soc. And so because that’s one of the things that’s probably exploding and I was reading we do nine petabytes. We process nine petabytes of data every single day from about 80,000 customers. So they’re think about all that data and ingestion that’s coming through and whenever you’re trying to develop a new software program, solution, what have you, then there’s a lot of opportunities and vulnerabilities within that process that bad actors can get into. And so being able to keep all that secure is super important. And then having that pathway all the way to the SOC is also quite important for us. And so, and for anyone that’s, that’s out there doing that.
Misti Landtroop:
So it’s, I think that’s probably why that there’s been such a shift with. And also you’re right, people are getting more trained around phishing and multifactor authentication and we still get on a regular basis of various types of tests and things like that. I was actually just talking to somebody recently and they got a report from their company, they happened to be the CEO of a smaller company and they were embarrassed and then they sold their name next to it as well. And so going back to our other point that you still do have just the human factor of that, but then also the sophistication as we’re moving more towards that with developers and then going into the SoC as well.
Paul Spain:
Yeah, nine petabytes. That’s an eye watering amount of time.
Misti Landtroop:
Yeah, I know. I can’t even get my head around it, to be honest.
Paul Spain:
Every day. I guess one of the challenges is that these new vulnerabilities are found all the time. Every week or every day we’re hearing about another zero day vulnerability. And I guess, you know, Palo Alto’s not immune to that sort of stuff either. So you know, how do you kind of look at that sort of challenge? Because one of the things, you know, I guess Palo Alto comes from that firewall background. But often the firewalls are kind of the entry point and then, you know, we get these zero day vulnerabilities, I think across, you know, every vendor. But there’s that challenge, I guess, in the way that each organisation has to take a lot of responsibility for themselves and maintaining them. And I think one of the stats we heard earlier on in the year, I think it was to do with Fortinet and their firewalls and they’d had a particular zero day and some months later the percentage of firewalls, I guess someone had done some sort of online scan, weren’t patched.
Paul Spain:
There had been a zero day and that had been, you know, a Patch had been made available, but basically a really, really high, you know, percentage of organisations just actually hadn’t done anything with it. So it was like leaving the window open, right, or leaving the front door open. And I, you know, I think we, you know, we have this challenge. There’s so much work for IT organisations, be it internal or external to do, and so many things to know. That becomes a real challenge. And I guess even more so within probably the smaller organisations who might have zero awareness that they’re even supposed to look after these sorts of issues.
Sir John Key:
I mean, one of the. Yeah, I mean, I think that’s right. I mean, there’s so many changes and so much technology and all that sort of stuff. But one of the things is that the more that we can automate and use AI and digitize solutions for customers, the better we can help them actually identify what the real problems are. So if you look at Xiam, for instance, as a digital dashboard, basically for your SoC, the big advantage of that is it does drill down on what is tens and tens of thousands of alerts you might get every day. And in the income down, say, these are the three, four things you need to look at. Right. And I think if you can get to a point where you can use technology to drive that, then you can free your people up.
Sir John Key:
Because I think one of the big problems that you have is we’re overloading them with absolutely a gazillion things and they either get to the point where they get a bit immune to it and so they might miss it, or alternatively, they just say snow and they actually have the time for it. So I think we do a lot of that’s what we’re trying to do is to say how can we either patch a problem for you or automate a solution for you? Because to your point, I mean, we do our own upgrades for our firewalls. And yeah, we looked at some data at the board the other day about the number of people that adopted those patches, and they were pretty good, to be fair. But it taken a massive outreach for our people to push them to do it, and there were still quite a few that weren’t that they hadn’t done it. And you know, that. And that can, you know, there’s a reason we have a patch, and that’s because, you know, it might not have been a vulnerability back then, but it’s a vulnerability now.
Misti Landtroop:
Yeah, absolutely. And I think us helping them to make sure that they stay up to date. Because staying up to date on the patches is absolutely critical things. Change so quickly. So getting a critical vulnerability, even if it’s with one of our competitors, I would never wish that on anyone, obviously. And so it’s amount of how much time does it take to kind of make sure that that can happen? And then also we rely heavily on our channel partners and so making sure that our channel is up to date and then they also understand how to keep their customers, which are collective, joint customers, then that’s super important as well. So it’s a massive partnership to make sure that that all happens.
Paul Spain:
Yeah, big job now, I guess a bit of a pivot sort of looking at things from a governance perspective. You must have seen some interesting things there from Prime Minister level through to, you know, sitting on varying boards. How have you seen things evolve from a cyber perspective at that level? I mean, I’m picking that, you know, the importance of cyber security over your history has, you know, just completely evolved. And as it continues to do so.
Sir John Key:
Yeah, I mean it’s developed very rapidly as the industry has. I mean, when I first became Prime Minister and became the Minister of gcsb, I actually thought we were quite sophisticated because, you know, we developed some really good technology. And it was technology that we were kind of filling the place of a private sector provider, really, because Cortex was a system that we rolled out on top of what we saw as critical infrastructure. Obviously we had it around treasury or the Reserve bank or whatever, but we also gave that technology to some core players that we thought were critical to New Zealand’s secure operation. So at the time we thought that was, you know, we thought that was quite sophisticated. And to be frank, it probably was. But it’s changed. It’s really, really changed rapidly.
Sir John Key:
I think there’s a few different things in there. I mean, one is, firstly, government has actually been quite slow to adopt technology. So there are lots of reasons for this. You know, Misti’s sick of me talking about this, but when INSTAS came along, which you’ll probably remember back in the 90s, and the police invested in that IBM system and it failed, it scarred the public service beyond belief. And so the public service who really lets beyond this are paid to say no, not paid to say yes because you say no, there’s not a problem. But as we say yes and you know, we hit it with NovaPay when I was Prime Minister, you can sort of name them, obviously all of a sudden it becomes a massive problem. So the government’s been quite slow, but of course the reality is saying no is doing something is often doing very much the Wrong thing. So the government and the way we provide services, the way we engage with our citizens is going to have to change rapidly.
Sir John Key:
Estonia is the country they kind of roll out as the poster child and there’s no reason that New Zealand can’t do that as well. And there’d be a lot of great outcomes from that. But we are going to have to get better both at developing that technology and also the cyber protection. I think from a company point of view, what I’d say is for directors, this is a really hard challenge because I think no director wants to sit around, have their company hacked or their core systems compromised or have to pay ransom or whatever, have their customers embarrassed or their private emails out there in the domain for people to read. So we’re not all stupid, I mean, and we’re quite well educated at different events. So therefore the question is, well, why doesn’t it work out like that? And the answer in part is I think boards really struggle to know what’s the right question to ask. I mean, just before we had the denial of service attack in the organisation I was at, I actually asked that question at a board meeting about a month earlier, said, tell us a bit about this. We’re using a different provider from a parent.
Sir John Key:
And it wasn’t that the answer was wrong, actually, as it turned out was believed to be the right solution. It kind of. Well, it held, so I guess it was. But so where that leads you quite often is eventually. Eventually. I mean, yeah, there’s complete knowledge imbalance. I mean, you know, if your SISO comes in, they’ve got way better technical capability than you’ve got and don’t even know really 100% what questions to ask. I mean, you know, like, how do you know how you know, Palo Alto Networks fits in with Splunk or Zscaler or any number of providers, or whether a third party provider like Salesforce is doing their job properly or whether we’re properly protected in cloud.
Sir John Key:
There’s a million different questions. They might have better knowledge than you. Well, they will have better knowledge than you. And so where it ends up in my experience is boards eventually morph to how much did we spend last year? How much are we spending this year? And then what happens is on one level they want to spend more, even though the company might be struggling or the company might be trying to cut costs every, everywhere because they’re terrified not to, but even then, is that the right level of expenditure and are they doing the right thing? And so I think what I’ve tried To do as a director is to say, yep, look, expenditure is one thing, that’s like one data point of how you’re going. I think, I think what I’d encourage boards to do is get better knowledge of how, you know, potentially vulnerable your systems are. So get a Palo Alto or someone to come in and be an external tester and we do that internally. I mean, you would be amazed what we do at Palo Alto Networks to try and rip ourselves apart.
Paul Spain:
I guess you need to because your reputation is 100%.
Sir John Key:
And I tell you, the world’s changed. They’ve gone from a view that could never happen if it didn’t be the end of the company too. You better get used to it could happen and work out how you’re going to deal with it because the world’s moved on. Hopefully it won’t. But my point, sort of more being for boards and directors, I think, ask those kind of questions, what sort of external probing have you done? What sort of internal probing have you done? You know, I know the sort of, you know, the continuum of the products that you’ve got. I don’t know. There aren’t easy answers for this because as I say, I reckon on average most directors are well meaning and they want to spend the money and do the right thing. They just don’t know what the right question to ask is.
Paul Spain:
How much of a challenge is.
Sir John Key:
The.
Paul Spain:
Legislation that exists in New Zealand versus other parts of the world? We look at Australia and they’ve really doubled down cybersecurity wise. Data privacy issues. Companies and directors get a pretty big slap if things go wrong here in New Zealand. It’s sort of like a wet bus ticket. And yeah, I was delving into some things in the banking sector with some folks recently and the feedback I was getting was actually that the investment into cybersecurity within some of our banks in New Zealand has actually gone down. Whereas in Australia, you know, there’s a very strong push that you’ve got to be, you know, really increasing that level of investment.
Misti Landtroop:
Yeah.
Paul Spain:
And also even looking at it per capita wise, the investment on cybersecurity into our New Zealand banks. Yeah. Doesn’t seem to line up at all with Australia. We’re just, we’re so, so light. I mean, that’s just one sector. Obviously you’ve been worked in that area, but I guess, you know, this is probably across the board for New Zealand. Right. We are pretty light when it comes to sort of cybersecurity investment from what I can see on an international scale.
Sir John Key:
Yeah. I Mean, I think firstly there’s no question in Australia, if you take Anz, where I was chairman in New Zealand, just recently retired and on the group board, as a group director you’re subject to penalties either by ASIC or apra. I think it might apra, but and so, and they changed that law and they basically said as, you know, as a director you’re, you know, there’s all these different penalties and sanctions that could fall upon you. So there’s no question there’s a big stick, let’s put it in those terms. And I don’t think that’s quite true in New Zealand that the stick is there at the same level. Although there’s no question that the RBNZ when they do their governance reviews and things of you which you know, all banks, all the big banks have, and certainly Anz had, that was one of the areas they did probe in quite a bit I think. So that’s one thing I think, you know, so the question is, do you need the really, really big stick? I mean like for instance I put a seatbelt on in the car and I know under the Land Transport act there’s a fine if you don’t wear one. And also my car would drive me nuts cause the little bell would go off for so long and most cars would these days.
Sir John Key:
Right. But I don’t wear it so much because I’m terrified of the hundred dollar fine. I’m probably good for that. Or that the BEL would drive me nuts. Although it would. I do it because I bright enough to know that the two things that kill you on the road are speed and alcohol and coupled with not wearing a seat belt. Right. So it’s not always a matter of having a massive stick to belt someone over the head with I think, I don’t think there’d be too many companies that want to go through the embarrassment that you know, you know that’s gone through.
Sir John Key:
So. So I think, but it’s an interesting thing. I think the second thing is sometimes the organisation is just a lot bigger. I mean if you take Anz, Australia Group is about, we’re a quarter of all group earnings and we’re the overweight bank. So like we had 25% of group earnings like ASB I think is about 11% of CBA’s earnings for instance and BNZ a similar sort of number I think of NAB’s earnings. So the question is, we used to, there was a lot of interoperability between the SOC and Australia and what we did in New Zealand. So I’M not sure. I’m just not sure whether we’ll put it this way.
Sir John Key:
We would definitely, definitely, definitely take it as seriously on both sides of the Tasman. But there’s no question that their operation looked bigger and more sophisticated.
Paul Spain:
Right?
Sir John Key:
It just did. Yeah. You went into the SOC in Melbourne or in Sydney and that, you know, Melbourne, it’s a big operation, it looks really impressive, but it did have some responsibility for what we were doing.
Misti Landtroop:
So, yeah, just the sheer size. I was thinking of another bank at the moment that’s a customer and in talking about what they have in New Zealand, that might be one person or a couple of people, then they may have hundreds and doing those same functions in Australia. So just the order of magnitude is so much larger. But I am finding with the banks that specifically within this, since we’re talking about the sector, there’s a lot more collaboration now than what I saw even probably five years ago amongst the banks themselves. Amongst the banks themselves as well as across the Tasman, within their own. But then also, yeah, more collaboration amongst the banks. The other thing that just was thinking about, just given the last year that we’ve had from an economic perspective, I’ve had some interesting conversations with customers around in the past when money was free flowing. I won’t mention who these customers are that I was talking about.
Misti Landtroop:
Then the CISO and some of the other folks in security kind of had a blank check. And so they come in and be able to kind of go and do whatever they wanted to do, partially because the leadership team or the board was scared. They don’t want something like that to happen. So it’s been interesting over the past year because everyone’s had to tighten their belt, they’ve been forced to. So then they’ve also had to make very strategic decisions around where they place their bets and where they spend their money. And how do they obviously keep their security posture as high as possible, not sacrifice that. Which is why I will put a. I mean, we’ve already talked about platformisation, but that is something that we feel like we’re very well positioned in the market because across all of our platforms, from a security perspective, whether that’s cloud, whether that’s society, whether that’s network security, then we’re in the top right of all the quadrants.
Misti Landtroop:
So when you’re looking at a total cost of ownership across that, then those are the types of conversations that we’re having now, more so than what we had in the past, where everyone’s like, no, I want that bright, shiny Thing that only does that. They are looking at things across the board. So that’s been an interesting revelation, I guess, for some of the customers as well as we’re looking at that across the board.
Sir John Key:
I mean, one of the things that is hard is that it’s an area where there’s been a proliferation of different providers. It doesn’t matter whether it’s CrowdStrike or Zscaler or Vortnet or whatever. I mean, you can name list them all off. There’s a long list of them. And so one of the things that happens is you go to a customer and you say, well, we want to give you this integrated platform solution. And they go, they actually want to do that. They go, yeah, but I got three years of my contract to run or I’ve got this thing and it’s sort of working. And it’s a bit like, you know, I don’t know anything in your household and saying, well, I want to sell you a new fridge, by the way.
Sir John Key:
At the same time, I’ll throw your toaster and your microwave and three other things away and you’ll go, but, yeah, but they work really well or they work good enough. You know, they’re not perfect, but they’re good enough. Go, yeah, we’re going to convince you to do that. So it’s all I’m sort of saying is it’s. I think you are going to see greater consolidation and I think there’ll be less and less players that will be able to keep up because the technology investment is so great. And that’s one of the reasons, like when we look at the companies that we bought when I’ve been there, you know, we bought a hell of a lot of companies that have been amazing businesses. I always say to our guys, why are they going to sell? Why do they sell? And they go, well, two reasons. Healthy paranoia.
Sir John Key:
They’re always convinced there’s another better mousetrap coming along. But the second reason is, you know, if you take Palo Alto and a gigantic global sales force, our capacity to leverage a new product is just way different from their capacity. So usually when we buy these businesses, honestly, I am amazed what we’re buying. We’re literally buying some really good technology. Three founders, maybe two, and about 10 customers. But we can turn them into something amazing. But you’re buying less than you think. Half time, paying more than we want to for as well, by the way.
Sir John Key:
But yeah, I don’t know, it’s a.
Paul Spain:
Yeah, I guess it’s an interesting challenge for customers as well, right? Do they pick what maybe their tech team, you know, believe is the very best pinnacle kind of product in a particular space? Or do you buy a sort of suite of tools that work together, which, you know, hopefully most of the time are gonna, you know, are gonna be reasonably, you know, competitive, but there probably is in some of those fields, you know, you can’t be the best at everything all the time. Right. So. But I think there’s a lot to be said for that simplicity, you know, from a platform perspective.
Sir John Key:
Well, it’s like if you take Apple, we’re not here to plug Apple, but, okay, our house is an Apple.
Paul Spain:
What’s your phone, John?
Sir John Key:
Yeah, it’s an Apple phone. Yeah. Okay. Yeah, it’s broken down. So if Apple are listening, they want to send me a new one. I feel very affronted because I can’t charge through my port and I gotta go and buy myself a new one. But my point was gonna be, notwithstanding that the brilliance of the late Steve Jobs, part of the reason why Apple’s such a great product is just everything works with it. You know, you turn on your.
Sir John Key:
You put on your AirPods or your. Just everything, you know, like everything is interwoven in it, and it makes solutions so easy for me as a customer. And that’s the brilliance of what they’ve done, you know, and you can see I was. There was little story in the US Last week about how they’re going to integrate the Apple airtag into the. Into Delta and United. And so that won’t just be on your phone, it’ll be in their systems. And everything kind of everything works for you. And that’s.
Sir John Key:
That’s where we’re trying to get to with Palo Alto. I mean, of course we want to sell you more stuff because it’s good for us. Just be honest. But equally, we do it because everything works better when it’s all one thing. And that’s where I think the world ends up a lot more. I think there’ll be less providers, but there’ll be two or three big behemoths and hopefully we’ll be one of them, you know.
Paul Spain:
Yeah, yeah. Well, that consolidation seems natural. Now, you mentioned Estonia before and. Yeah, I’m kind of curious. They’ve got this thing called E. Estonia, which is their, you know, Digital Society of Estonia. Oh, yeah.
Sir John Key:
And they’re all on.
Paul Spain:
And it is really interesting to me, and, you know, I’m a big advocate for, you know, leveraging technology for, you know, New Zealand, you know, really leaning in more to technology. But I Think there’s also. There’s risks associated with this stuff. Right? Cause there’s private data that gets sort of swept up along the way. I think you might have had a controversy around private data and stuff some years back. John, how do you think we, you know, we get these things, right and governments sort of don’t, you know, overreach in our digitisation and our collection of data. Because whether it’s Palo Alto or anyone else you’re leaning on, no one can absolutely guarantee that the data that a government, you know, amasses is going to be, you know, kept completely safe and that, you know, we’re not going to end up with it sort of getting used and in weird and wonderful ways. Right?
Sir John Key:
Yeah. I suppose what I’d say, which will be definitely not universally supported, it may not even be supported by the majority, is I reckon that horse is kind of bolted. I mean, honestly, she. I reckon Buddy Google understand way more about me than GCSB ever will. And I was their minister, you know, like, I just think in the end you’re right. I mean, you know, a lot of people, a lot of people feel uncomfortable that the, you know, the nanny state understands things about them and they believe it should be on a kind of right to know. And I remember when we were passing the law about. It was all to do with, I think, with mobile phones and whether a customs officer could look at your mobile phone and all hell broke loose.
Sir John Key:
Like some ministers were just outraged. They were like, no, no, no, Hell or Freezo before I’ll ever support that. And I was going, oh my goodness, I don’t care if someone looks at my mobile phone. I mean, I leave it unlocked on thing. I’ve got no secrets. So you knock your socks off.
Paul Spain:
You lock it now though, don’t you?
Sir John Key:
Well, I lock it, but my point is, I don’t care who locks at it because it’s sort of, you know, this is what it is. But the point sort of being everything’s a trade off. So the trade off is like, for instance, if we all had a National Security number, we all had retina id, we wouldn’t need a passport, we’d have a hell of a lot less fraud. I wouldn’t have to ring up all the time and go, hi, I’m John Key, I’m born on 9th of August 1961 and bark out my passport number and all that sort of Karen. Because they’d know all that, right? And the question is, am I prepared to trade off some privacy for that? And in my world I guess I’ve lived my life an open book for 20 years, so therefore I’ve got over it. But I am happy with that. And I mean take to the extreme. You go to China and crime rates are really low.
Sir John Key:
Why? Because there’s a CCTV camera on every post everywhere. And actually it’s quite a good deterrent for people committing crime. So I don’t know. I can assure you lots of people won’t agree with me. But I do think that we’re in a world where nowadays big tech companies understand what we do incredibly well. And are we really giving up that much? I guess is my point. I’m not sure.
Misti Landtroop:
We are kind of like do we have our head in the sand or not? So if you look at TikTok as another, I mean, and I’m not a Tiktoker, but my daughter has been on it and Snapchat and all the horrible. I think they’re both horrible. Just the algorithms and the targeting and knowing and the data and knowledge and it’s unbelievable. And so yeah, I agree the algorithm is amazing.
Sir John Key:
You know, you look like it’s an incredible algorithm. Right, but. And I’m don’t frequent that stuff these days, don’t have to worry about those things. Leave that for Chris Lux and he can get water thrown all over and promote his tax cuts on TikTok or whatever. But, but although I’m a hole in one in golf goal and you know, got millions of views on TikTok, that was pretty cool. But yeah, outside that, no, don’t worry. But I don’t know, I mean we did a thing for Google when I was Prime Minister, they wanted to test something in New Zealand and so we let them do it. Cause it really suited well, didn’t worry.
Paul Spain:
Did Google learn things?
Sir John Key:
Yeah, we did learn, yeah, exactly, yeah.
Paul Spain:
So.
Sir John Key:
And Eric Schmidt rang me actually afterwards just to thank me and I was sort of having quite long talk to him and I said, tell me about the countries you think are doing really well. And that was when I first realised, well, Estonia wasn’t really the one I was going to pick to be the digital sort of warrior of the world. And he said yeah. And I said well okay, what happens to the 84 year old Estonian grandmother who doesn’t have a laptop or an iPad or a mobile phone by the way, doesn’t want one either. How do you get them on board? And he said well, eventually every little town that she’s going to live in and it might be a one horse town with a dairy that will actually have a place and someone to assist them. Right. And what I found when I was chairman of Anz, you know, we went from people literally going to branches to no one going to a branch. People just do not want to go.
Sir John Key:
People go occasionally for business banking. We don’t even sell foreign exchange anymore. Like, I think people go on Anz go money once or twice a day and they go into a branch belt once a year, maybe once every two years. So the world’s moved on. So unfortunately, unfortunately, you’re going to have to give that group that aren’t that digitally engaged a shop. And that is the big moral dilemma that you’re creating. Because when they get scammed, they then go, but hold on a minute. You, the big bank, you told me to go online and then I fell for whatever happened and now you’re telling me it’s my fault.
Sir John Key:
And you can see that dilemma actually for the regulator, the banks, the individual. I get it, actually.
Paul Spain:
Yeah. I was in Waiheke over the weekend and I saw one of the banks had basically changed to a lobby with an ATM machine in it or something along those lines. Right. Clearly nobody there. On the other corner was Anz, who probably decided, well, actually we can sweep up all the business by actually keeping a branch.
Sir John Key:
We didn’t want the politics opening it, probably. I think I remember it being on the list of make sure you keep it open. No, but your point is, right? I mean, it’s look kind of as what it is, but I guess what I’d sort of say is, you know, you’re going to get to a world, aren’t you, where, and particularly with AI, where it has the capacity to do amazing things over time. Then I think, you know, that the digital convenience of that world will win over the digital privacy. Not for everyone, but for a lot of people, I reckon.
Paul Spain:
On the banking front, it seems as though, yeah, we’ve gone through this transition. There was a period there where anyone gets scammed and the banks would sort of front up and they would cover it. But of course, that can’t go on forever. Right. Because you start, you know, people take advantage of the banks. Yeah. Willingness to front up when it’s not necessarily their fault. Most of those doors closed now.
Paul Spain:
I mean, I remember a situation, I got a call from a small business, a small accounting firm. Bank accounts wiped out. We’re picking somebody was able to get into their email, then was able to port their mobile number out. So they were able to do multifactor and basically the funds disappeared. Now, in that case, the bank stood up and said, look under a non disclosure, so I won’t tell you which bank it was, but they fronted up and refunded all the money even though it had disappeared offshore. But that sort of thing, it’s pretty much a thing of the past now, isn’t it? Unless it’s really on the back.
Sir John Key:
So it’s sort of yes and no. So, ok, if you have a look at bank scams, they fall into two big categories, investment scams and love scams. You know, dollar bride and investment scams. Right. Doesn’t mean you can’t get scammed in other ways, but they are the big kahunas, those two. And the ones reported on love scams are a lot less because the customers are embarrassed to say, yeah, I was on a site looking for a girlfriend and you know, Russia or wherever it is, you know what I mean? But nevertheless, they fall into those categories. So when you actually take those out because you sort of sit around thinking, well, we are all vulnerable, but we’re all going to get scammed, but we don’t actually, and that’s because we’re probably not investing our money on some marketplace or some dodgy scheme or we’re not on those love sites. Right.
Sir John Key:
Romance schemes. So then, having said all that, what’s happened is banks have been, I think, to be blunt, quite schizophrenic in the way that they’ve dealt with it. So to your point, they started in one place and maybe they’re ending in another. It isn’t as simple as that either. I think they’ve gone away and said, okay, not only what vulnerability do we have and our people have, but the second question they’ve asked is, well, you know, if you were old and look a bit vulnerable and the story wouldn’t play well, they’re likely to be more sympathetic, I guess. You know, it just. So that’s a problem. And I’ve been saying to the regulators for a long time that can’t carry, that can’t be the test, you know, whether you think you’ll be in trouble.
Sir John Key:
So the problem is taken to the other extreme in the uk, they partially, just like that, basically said the banks are on the hook. And that’s made it worse because there is no, you know, you don’t have that, you know, create the moral hazard that people don’t have to be as vigilant with their cheques. So there’s, honestly, when I tell you, there’s no easy answer, that’s why you’re seeing the banks Hammer these things. I mean, at Anz, I think maybe with the others, but certainly at Anz we paid for the Nigel Latta, you know, docos that were done on tv. I saw Anz just a bit, sorry Westpac the other day of a board that they had when I was out walking yesterday and it was someone using their mobile phone, their Apple wallet to pay or whatever, saying, this is good because you’re not giving the credentials of your card. You know, all of the banks are out there trying to hammer into that scam message. One of the, I’ll tell you what, one of the worries, and this shows you how tough the space is. When I was in the US a couple of weeks ago, they were telling me that the big scam in the US is they ring you on some fake call, you answer go, hi, it’s John here.
Sir John Key:
And they, and they go something and go, and you know, bugger off because I don’t want your, you know, dodgy whatever it is. They’ve then got your voice and then they clone your voice. So when you’re at Anz going, my voice is my identity. And by the way, that’s why I’m saying to the password, they’ve now got my voice. So that’s. Yeah, these things are incredibly sophisticated. I mean you can’t rely on voice anymore. No.
Paul Spain:
And I think that, you know, that’s an important thing that, that everyone needs to be aware of. Right. Someone could call up, but it sounds like it’s you and it’s completely not you at all.
Sir John Key:
No. And you were saying like with the emails that, I mean the trouble is here in the old days when they had spelling mistakes and all fine, but now they look so sophisticated. I think in the end what we were trying to get to when I was at Anz was very much saying, look, if we communicate with you, it will be via our website in our portal and that’s the only way we’ll never ring you, we’ll never do this, we’ll never do that, we’ll send you a message through that and then you contact us. But it’s really hard. It’s really. Because, you know, the group that’s the most vulnerable to scams, sort of, I think they’re 35 to 55 year old, basically working people because they’re really busy and someone rings up and goes, oh, you know, blah, blah, and you’re like, oh yeah, yeah. And then next month as they say, yeah, it’s not good, it’s really hard. I really feel for people because there’s no easy answer.
Misti Landtroop:
Yeah. And, you know, it’s crazy how easy it is to replicate the voice as well during Scary. It is scary. Somebody from my team did that. She asked if she could use my voice. That’s fine. So I think it may have been a podcast I did in here somewhere, and it was scarily, the shorter it is, the better. So the longer it is.
Misti Landtroop:
And evidently it’s easier with some of the free technology with American accents. I don’t know why, but, yeah, she had a whole presentation during Cyber Security Awareness Month for one of our customers and just showed it was free software that did it, did a live demo and basically used my voice to say, hey, can you go and use your credit card and pay this for this event that we were doing? And, yeah, so it’s so prevalent out there today. I think we’re gonna see way more people falling for that as we keep going.
Sir John Key:
It’s out of control. I was really grizzly with Facebook, but they did. These guys, some dodgy people, put together a montage of basically me promoting crypto. And they’d taken a whole series. They hadn’t even done it through AI. It wasn’t even that sophisticated. They literally got a whole bunch of different. Different things I’d said and then put them together, mash them together, and it looked like me.
Sir John Key:
And I went to Facebook and said, well, it looks fake, so I can take it down because people are investing on that. I used to get thousands of emails from people thanking me for the advice because Bitcoin went through the roof and it was all good when it was going up. And we went to them and we said, look, it’s fake. We’re telling you it’s fake. And Mike Hosking’s been going on about the same thing. That’s where I reckon, you know, I think we’ve had scams occurring over mobile phones. I think the telecommunication providers have got a real. They know those calls are fake, they know those numbers are fake.
Sir John Key:
Right. I think the social media platforms have got a real job to play. So I don’t think it’s just the bank or just the healthcare provider. We’re one part of it, but we’re not the only part of it. And government’s going to have to get a lot better if it wants to get tougher. No issues with them getting tougher, but get tougher on everybody, you know, and your sponsors might not quite like that, but it’s true. You know, they can tell off their systems that that text message is a phishing Text message.
Paul Spain:
Yeah. And I think they certainly, they’ve got mechanisms in place that’ll block when they, you know, when they do know. I mean, for me, it tends to be the social media companies I sort of lean into as the, the most culpable in a lot of these things. And you know, we’ve had meta around the table here for a private conversation and you know, they just wanted to promote their latest stuff. It’s their PR team. But when I threw a few questions at them around some of the things that they were doing really, really poorly, which, you know, like the example you give that they should just be able to cater to. Right. I mean, well, it was making insane amounts of money.
Paul Spain:
They should be able to, you know, block these things. I mean, I had my Instagram account duplicated I don’t know how many times and it was, you know, so obvious. Any, you know, company could create the technology that looks out for something that’s got your name or a slight variation on it, your photo off your profile. They lock it in a particular way. Yeah, just so, so obvious. Yeah, it would just keep happening and happening and happening. And it took them, I don’t know, maybe a year or two before that stopped happening. And you know, that all of these issues and they just seem to sit there and happy to rake in the money and cause all sorts of dramas and people’s families and people taking their own lives and so on because of some of what happens on their platforms.
Sir John Key:
And I think could be a real worry. I mean, what happens if they go out there and these platforms aren’t prepared to play ball? And to give you an example, someone goes along, let’s say I was still chairman of Anz, and then they put together a little thing using AI or whatever and it’s me saying, oh, there’s a yes, there is a liquidity problem. And then they get the reserve bank governor and they’ve copied his voice and he’s saying, yes, I’m very worried about xyz. That’s a run on the bank. I mean, that’s really serious stuff. So the point is we are all in this together and we are all going to make a march towards a digital world where it’s totally digital and where, I mean, it’s not going to change. If we fell asleep today and woke up in five years time, we’d be a little bit hungry. But the second thing would be we’re way more digital world.
Sir John Key:
And you talk to someone like Nikesh, who’s our CEO at Pallet, who’s Stunning CEO. He always says to me, look, if you look, it doesn’t matter whether it was the mobile phone or the Internet or whatever, or AI. He says, we always overestimate in the short term how good things are. We always underestimate how powerful they are in the long term. And he just says, you give it time and eventually its capacity will be incredible and there’ll be a lot of good from that. Its capacity to analyze health data and predict, you know, whether you’ve got a problem or what you might need to do or what the cure might be. I mean, when you think about it, looking at a, you know, a sort of CT scan visually, that’s a pretty old fashioned way of looking at, you know, theoretically 20,000 photos or whatever of the MRI scan.
Paul Spain:
Yeah, 100%. And I guess this is sort of the challenge we have as society is how do we move forward and get as much of the uplift and the leverage of technology whilst we minimize those downsides. Right. Because, yeah, social media causes harm. Bad actors in the cybersecurity world cause a lot of harm. There’s a good side and a bad side to every part of technology. And I guess, I wonder, how do we find that balance? Should we, you know, should we allow and encourage more surveillance like some countries do? Should we say, actually, you know, the upside on that surveillance isn’t enough to, you know, to justify the level of surveillance that goes on. But I don’t know how you kind of get that stuff right, because it just seems like it’s all moving forward.
Paul Spain:
There isn’t, you know, there are very few breaks that are kind of, you know, put on to the use of, of technology. And legislation always seems to sit years and years kind of behind where the technology goes. Right. So we’re just starting as a country to look at, oh, do we create some legislation that stops Google or Facebook from taking advantage, I guess, of the news media’s content? Right. But of course that’s been going on for a really, really long time and now they’re maybe trying figure it out. But a lot of these things, we maybe leave them way too late.
Sir John Key:
Yeah, I mean, I think in the end, yeah, I still believe on balance there’s more good that stem from technology and harm. Way more good. And so, you know, I think eventually where you have to get to is companies have to say, look, I need to have a social licence to operate. And that doesn’t really matter whether you’re a bank or it doesn’t matter whether you’re the police force. I mean, we’re lucky in New Zealand, in my personal opinion. We have a world class police force of honest men and women who do the right thing. You know, 99.999% of the time. I’m not sure that’s true in every other country.
Sir John Key:
Actually some countries aren’t like that, but in New Zealand we are very low corruption, very low corruption, good behaviour, you know, they don’t come do crazy kind of things. But it’s very vulnerable that social license to operate. So if you take something like a social media platform then, I mean, when Jacinda was arguing about the Christchurch call and whether, you know, again, social platforms like Emetta should be displaying a live feed of the massacre. I mean, yeah, I accept that no one wants to have that displayed and they would be trying to stop it. But the point is, her point was right, you know, that ultimately that whether we like it or not, people like, people like watching social media. So if you’re gonna have bad stuff up there that none of us want, they are gonna have to be to a certain degree the gatekeeper. And they don’t wanna be the gatekeeper because to your point, they want every piece of revenue and every eyeball they can get. And that stuff’s obviously wrong, but there’s other stuff that, where it’s more marginal.
Sir John Key:
But I think at some point they are going to have to say, well, okay, we don’t live in a world that just is completely unfettered. You know, we live in a world that there are some things you have to accept and they’re going to have to step up to that more than they have, in my view. And that’s why I think they’re under pressure in the United States. I think that’s why they’re in congressional hearings all the time. And, and you had a whole lot of people during the last election campaign saying they’re going to break up some of these platforms if they’re not careful.
Misti Landtroop:
It’s going to be interesting to see what the new, what they actually do. Yeah, yeah. What it actually happens, maybe.
Paul Spain:
Yeah. It sounds like Google are under some.
Misti Landtroop:
Pressure, which I’m really proud of all of us by the way, for not talking about the US election. That’s all anyone’s wanted to talk to me about for the past few weeks.
Sir John Key:
So.
Paul Spain:
Yeah, yeah. And look, there’s probably a lot more that we could go into here. But look, I have to say I agree. The uplift that we get from technology, you know, to date has been really, really good. I think there’s a Lot more opportunity ahead of us. Yeah, well, if I hadn’t used Google.
Sir John Key:
Maps, I wouldn’t have made it here today. So there’s a godsend for a startup.
Paul Spain:
Yeah, yeah, yeah. So, but yeah, I think there is that need that we have to kind of keep evaluating and looking at those, looking at those downsides and yeah, cybersecurity and what Palo Alto does obviously, you know, as a part of that picture. But I think there’s the legislation side and a lot of other areas we have to kind of keep working on and you know, hopefully as a country we get that right. I guess just sort of, you know, wrapping up. How do you both feel how as a country New Zealand does from a cybersecurity perspective? I guess my sort of long standing, you know, concern is that because we lean to, so we have so many sort of smaller businesses that are very stretched in terms of resources and finances and so on that it’s actually quite hard for us to be successful in terms of protecting ourselves from a cyber perspective because not every organisation has the budget to throw at a high end, end to end solution or be able to have a chief information security officer to be living and breathing this stuff every day.
Misti Landtroop:
Well, that’s something obviously Gorilla technology helps as well from a SMB perspective. And you know, I think we talked about a little bit earlier, I believe, and I agree with some of the things that John was saying, we can do better as a country, we as New Zealand Inc. I do think over the past few years I have seen improvements. And so even having cybersecurity on the agenda for a board meeting, which used to not be, I’m not as an experienced board director is what John is, but it used to be not something that you would see. One of the things that I’m really proud of because I feel like at Palo Alto Networks we have a huge sense of responsibility. And so we just recently launched into New Zealand’s cyber fit nation. And that’s something from when we look at education and enablement from we say from Kendi to the boardroom and then we’ve also started extending that onto out to retirement. And so that kind of looks at everything across the board.
Misti Landtroop:
So it’s a lot of our education and enablement and awareness and all kinds of stuff for every single demographic that we can have. It’s small. I have been asked a few times what is Palo Alto Networks going to do to give back to New Zealand Inc. And that’s one small thing. And we also are looking at being able to get that One of the things that we recently went into partnership with the Network for Learning and so two and a half thousand schools across New Zealand. So we’re also using the Cyberfit Nation curriculum and some Cyber Aces and the Cyber Academy and those types of things to be able to do that. So it’s, that wasn’t an opportunity necessarily for me to try to just put some plugs in for that. But we’re constantly trying to figure out how do we give back, how do we do more for that.
Misti Landtroop:
Because you’re absolutely right, there’s a lot of companies that absolutely do not have the means to be able to do what they need to do to be able to combat some of the sophisticated threats that we have out there. The other thing I’d say is from an AI perspective, generative AI and then you’ll hear Gentec AI that is getting even smarter and more autonomous. Then everyone needs to stay vigilant and everyone needs to stay educated. So be curious and make sure that you’re staying on top of that because it’s something that is not going away. And I can’t imagine if we went to sleep for five years and woke up in what world that we would live in. I think it’s going to be drastically different. So yeah, so I think New Zealand’s gotten better, but I think we have an opportunity presented in front of us right now specifically with what’s going on from an AI perspective that we can leapfrog from education, from healthcare, from critical infrastructure, just everything if we play our cards right and then also try to make sure that that is obviously secure across the board.
Sir John Key:
So yeah, I think at one level I have always thought New Zealand does pretty well on technology. Like if you look at the banking space sometimes when I’m in the US actually I think oh, they’re not very sophisticated. I mean, you know, like still writing checks. Oh yes, writing checks. It’s a very cash driven society. You know to be fair, I’m a customer of Banker for Y and they’ve been recently improving quite a lot actually their technology. But I’ve thought for a long time we do pretty well, you know, and, but I think we are a victim of being small to your point. So where we part of a multinational world or you know, you’re a branch or whatever, I think those sort of organisations that’s you know, a lot easier.
Sir John Key:
But to your point, when you get to the small and medium size it’s really tough. Now they can kind of accommodate that by buying services from external providers and you know there are lots of things they can do and it’s sort of weird like sometimes in technology it’s not all straightforward. Like I remember we used to get so much correspondence and even my wife would say to me, can you explain to me why we have to pay a surcharge when I go tap and go to get my coffee but if I use my EFT boss, it’s all fine and in Australia I go and use tap and go and it’s free. I go, well, because the way they negotiate the deal but it looks really bad, you know. So the point is we’ve got to fix that one. Actually that’s not the bank, it’s actually a third party provider. But it is what it is. So I guess my point would be a lot of it’s good, we need to be a bit realistic that we can’t develop it at the same rate that other countries can.
Sir John Key:
I think one of the things that’s actually happening in the New Zealand space, I suspect I don’t know firsthand but I bet you it’s true. The capacity to do development out of, of India for instance in countries that are quite low cost providers. Going to a tech Mahindra or something and getting stuff written now, you know, like my son, he’s a little property developer and he’s got a couple of other little businesses and he’s been using a guy out of India who’s been developing it’s just amazing stuff at incredibly low prices.
Paul Spain:
Has he got someone to have a look at the cyber security?
Sir John Key:
Well, just his father’s contract with it. Yeah, little assistance. Yeah, he’s advising her.
Paul Spain:
He’s got to look at the whole security posture assessment.
Sir John Key:
Yeah, well we kind of think the family’s got it covered. But yeah, so look, I don’t know, I mean I don’t think we have to sit there and be ashamed if we’re not walking around with, you know, you know, third world technology. But I mean that was one of the reasons why when I was prime minister I pushed so hard to roll out ultra fast broadband. If we hadn’t had that, we wouldn’t even survive during COVID And I remember at the time the OECD and others came out and wrote reports saying it was terrible investment. Well actually guess what? They later on came out and said it was great investment. So sometimes you just have to lead. And it just comes back to that point of saying okay, I’m not asking to be Nostradamus, you know, you don’t have to be a visionary of A thousand years. But let’s just sort of sit there and say, what do we think the world will look like in five years? And here’s a clue.
Sir John Key:
More of you will be doing more online, you know, doing very little, you know, in person. It won’t take away every job. It’ll take away some jobs and it’ll replace them with other jobs. But, but why do people do all the things they do online today? Here’s a clue. It’s convenient.
Paul Spain:
Yeah.
Sir John Key:
And people morph to convenience, you know, and so that’s what you do. And I think, you know, it’s, it’s, it’s not going to go away. So you got to invest in technology and you got to understand it.
Paul Spain:
100. Yeah, I like that. That thought of looking forward and, you know, always encourage that futurist mindset. We all need to put on our futurist hats and think, where are things going to be going? We might sometimes disagree on where they’re going and what the results are, but I think if we’re not doing that, then we’re definitely setting ourselves up for failure. Right.
Sir John Key:
Well, and also if you think about New Zealand, what’s been its biggest challenge and possibly biggest strength? The answer is geographical isolation. We’re at the bottom of the world. Last bus stop before Antarctica. So of thing. Well, the reality is that digital solutions open up a global marketplace for us and, you know, there will be thousands, like customers. I mean, even if you take simple things like teleconferencing, zoom or teams or whatever, I basically don’t work for a New Zealand company. You know, like everything I do is offshore. And yet I don’t always have to travel offshore because I can use that technology.
Sir John Key:
I mean, there’ll be tons of people listening to this where they’re major clients, you know, all around the world, accessing through a website and whatever, you know, so it’s opened up the opportunities for people to say, my passion is to make brooches. And I’m going to do that and sell that to people in Nebraska and, you know, Estonia. That’s a good thing, I reckon.
Paul Spain:
Yeah. We should be selling right around the world. Misti. Maybe just sort of finish up in terms of, you know, where are things heading for 2025 for the year ahead? From a cybersecurity perspective, anything that we should be, we should be especially aware.
Misti Landtroop:
Of one thing I think that would resonate with everyone. And if you look at just recently, we came out with our 2025 cybersecurity predictions from unit 42 and the enterprise browser or the secure browser. So about a year ago, around this time, it’s been huge, so we bought a company out of Israel, Talon, and now the solution has been completely integrated into our SASE solution and it’s called Prisma Access Browser. So we’re all using it internally as well. So when you think about all the SaaS applications and everything, and the power that happens in your browser, we’re in our browsers constantly and making sure that that’s secured end to end. So I thought. I think that was another one that was very interesting that Nikesh and other executives within our organisation had the foresight to. And I think that’s probably one too, where people are like, what are they? What’s this? What’s going on? And then now everyone’s like, oh, wow, we should have done that as well.
Misti Landtroop:
So that’s just one thing that I think is universal to everyone, is. And when you think about organisations who have a lot of contractors, we think about schools and byod and what does. Does the security stop and start at the school gate or does it need to kind of continue on, whether that’s with family and so on and so forth. So I think that is a huge responsibility and some barriers that we’ve been putting on to be able to help pretty much anybody that’s out there.
Sir John Key:
So great.
Paul Spain:
All right, well, thank you very much.
Sir John Key:
Thanks a lot, Paul.
Paul Spain:
Thank you, John. Thank you, Misti.
Misti Landtroop:
Thank you, Paul.
Paul Spain:
Really appreciate it. And of course, a big thank you to our show partners, 2degrees Spark, HP, One NZ and Gorilla Technology. And thanks everyone for listening in.