How to exude values and ethics in the cybersecurity sector

We speak to Shannon Sedgwick about the Cyber Security Strategy 2020 and the importance of ethics and values in business.  

In the dog-eat-dog world of business, it’s easy to forget your company’s purpose and values when it’s time to negotiate contracts. But Shannon Sedgwick, Senior Managing Director at Ankura, says an ethical approach is essential for greater productivity and profitability – particularly for those in the cybersecurity sector. We speak to Shannon about the recently released Cyber Security Strategy 2020, and how ethics and values should be a key driver for all companies in the sector. 

Recently the Australian Government released its Cyber Security Strategy 2020. What are your thoughts on the position that puts local cybersecurity companies in?

It hasn’t been getting the best feedback, as it’s been summarily smashed by industry leaders. I don’t think it’s all bad. I think it’s a good first step; it’s better than nothing. A lot of funding has been thrown towards it and it shows the government is taking it seriously. I do wish that any funding at all had been allocated to helping the Australian cybersecurity industry grow both products and services, and helping us export our services globally. 

Our economy is far too reliant on just a few industries – mining and tertiary education and tourism. And we’ve seen two of those fall over with the coronavirus pandemic and the closing of our borders. Those two industries are struggling and I feel that innovation, technology and cybersecurity should go hand-in-hand. It could be a useful arrow in the quiver of the government to diversify our GDP and our economy. And I feel that that Cyber Security Strategy fails to take advantage of that opportunity and to support local businesses, particularly SMBs in Australia.   

What do you think the disconnect is?

I don’t think they have enough representation of those who develop such strategies. The government’s strategy doesn’t encompass all of the requirements, culture, belief and needs of the industry as a whole. It’s taken from a fairly small subset of where cybersecurity touches all industries. 

It has a very heavy focus on telecommunications, defence, critical infrastructure and law enforcement. You could see that even when Peter Dutton announced the Cyber Security Strategy, his entire focus and his verbiage was around law enforcement and how this strategy would help benefit the government and its intelligence agencies to catch cybercriminals. 

But that’s an extremely small portion of what we should be focused on as an overarching cybersecurity strategy for all of Australia. They missed the mark by quite a bit.  

Sometimes an industry will have a fantastic piece of technology and they’ll use a group of technologists to represent it. But what’s often missing is that representation from a commercial standpoint. What’s the functional benefit of an amazing piece of kit? 

You’re exactly right. You get these amazing companies who have vast technical expertise, but they lack the ability to translate their offering into a lingua franca that is understandable to the client and to the market. You need to get your message out there and do it in a way that isn’t salesy – nobody wants to be sold to. You also have to look at this for the long term – you have to build relationships and chase collaborative projects that can add value to both your team and your client. It can’t be transactional.  

I’ve long been a proponent of having a purpose that goes beyond profits. I think that’s necessary not only for your business to be trusted and to have transparency about what you’re doing in the market, but it also helps to harness the energy of your team, especially when they feel that they’re acting towards a greater good or making a real impact. If you can make them love coming into work and feeling like they’re making a real difference, the output that your business generates and the effectiveness and the work that they do is just so much higher.

You’re a big advocate around this concept of values-based contracts, particularly speaking to the intent of a relationship over and above the functional outcome that you get from purchasing and exchanging. So what is a values-based contract?

It’s something I’ve been researching for quite some time now, and it’s one of my pet projects. It taps into my enthusiasm around a purpose beyond profits, living by your values and running a values-based business. 

Now, think about most companies. They usually start with a purpose statement, and then they have guiding values or principles by which they make company decisions and carry themselves in the market. And most companies try to follow along with those. But as soon as it gets to contractual agreements and bringing in internal or external lawyers, that all goes out the window. You never hear anybody talking about how this contractual process is tied to their overall business or their purpose or their values. It becomes adversarial. It becomes a process all about protecting themselves – how can they prevent being taken advantage of, how can they limit their liability, and how can they limit their risk to a degree that’s acceptable?  

But this is a completely adversarial approach. It’s combative, and it leaves a bad taste in everyone’s mouths. To me, for a company that purports to stand by its values and live to this higher purpose, it’s completely counterintuitive. Why would you not embed your values and a collaborative nature throughout the entire lifecycle of your client dealings? It makes no sense.  

So you have these values-based contracts – they are often called ‘relational contracts’ – and they carry much of the same content as a standard legal contract. Except at the start, before you get into the nuts and bolts of the legal contract, you sit down with your client, you sit down with your supplier, and you speak about what you want to get out of the project. You ask the question: what is our joint mission? Complete transparency is needed here. You put all your cards on the table and then you establish a governance structure around the joint mission together. It really enforces collaboration.  

Typically, it’s mostly healthcare and religious organisations that have been using these types of contracts with any regularity. But the stats and the research that I’ve done and the benefits that I’ve experienced are just staggering. We’re seeing up to a 70% reduction in costs and wastage – not just legal costs, but the costs of running the project. Think about the amount of time you waste on a large-scale project where you’re holding each other up and it becomes a tit-for-tat where one party feels like they’re not getting what they need. Instead of committing their team, they’ll commit to saving on costs. Quality goes down and it becomes this death spiral. 

Having a values-based contract instead actually sets up a collaborative ecosystem. It allows you to live by these joint established values and be guided by the agreed-upon principles throughout the entire lifecycle of the project.  

You’re an expert in your field. You’re also very focused and passionate about driving cybersecurity capability locally, and doing business ethically and morally. So if you could give one piece of advice to organisations operating within the Australian cybersecurity market, given the current environment, what would it be?  

Two things. Be kind to one another, no matter who you’re talking to, whether it be the CEO or one of your graduates. It takes courage to be kind constantly, and it’s free. And second, specify – find out what you could be the best at and concentrate solely on that. Don’t try to do everything. Find out what you can be the best at and chase it as hard as you can.  
