In conversation with Tenable Chief Security Strategist Nathan Wenzler (Part 3) | Sekuro

In conversation with Nathan Wenzler, Chief Security Strategist at Tenable (Part 3)

Listen to this article

This audio has been generated with an AI tool.

As part of a new blog series, Sekuro CTO, Jason Trampevski chats with Nathan Wenzler, Chief Security Strategist at Tenable to get his take on exposure management and the broader cyber security landscape. From the human-centricity of cyber security to the role of a CISO, this is your chance to be a fly on the wall for an insightful conversation (and sometimes deep philosophising) between two cyber security leaders. 

The third in the series, this blog will focus on how Tenable stays ahead of threats. 

Staying ahead of threats

Jason: How does Tenable stay ahead of threats?

Nathan: First of all, we have a dedicated research team of around 110-120 people dedicated to zero-day research. Their whole world is essentially looking at what’s going on in the real world. Do we see trends changing? Do we see new exploit kits coming out? Are there new criminal groups on the move? Are there old criminal groups doing something new? We build a lot of threat intelligence within our own team but also ingest a lot from other sources. So it’s a combination of having a dedicated team and automation. 

We do a pretty good job of staying on top of what goes on in the public space or on the dark web (in the scary lane) ourselves. But we also have a lot of partnerships with the major manufacturers – with the likes of Microsoft and Apple, to make sure that when they’re aware of vulnerabilities, we’re aware of them too so that we can build detection capabilities and help our customers find them as quickly as possible. 

Generally speaking, we try to do this within 24 hours of a new vulnerability being detected, but we’re usually delivering something within the single digits.

A clear example is Log4j. It was such an evolving vulnerability that we kept finding it on new OSs, new pieces of firmware, new web servers – it was everywhere. I think in the initial release we had up to six detections but we ended up with over a hundred, and when you break down each of those, we were getting detections out in sometimes one or two hours.

Predicting risk with Artificial Intelligence (AI) and machine Learning (ML)

Jason:  What are you doing to drive forward and innovate?

Nathan: This is where we are looking at AI and ML. We’ve always had some amount of machine learning behind some of our threat algorithms. If we see a new vulnerability come out, firstly, our research team will look at what the exploit is capable of doing, what kind of technology the exploit attacks and what it is taking advantage of. And then we would look at the machine learning aspect of it to find what other vulnerabilities we have seen in the past that have similar characteristics. Then we can leverage that information to make predictive decisions about how fast this vulnerability would typically go from the discovery to a proof of concept of an actual exploit kit.

We can then say, “Okay, this is not as serious because these types of vulnerabilities that we’ve seen over time don’t usually get exploited for months.” Or, “No, this is a really hot thing and we typically see these kinds of vulnerabilities getting exploited within days” and prioritise accordingly. 

However, with some of the new large language model tools and their ability to provide an easily- searchable interface, we’re starting to explore ways we can take that to a customer so they can better understand what problems in their environment could be exploited in the next 14 days, for example. That’s a tough hypothetical question to ask, but that kind of data analysis is where we can start to try and answer that question, so we’re pretty excited about a lot of what we’re bringing into our products.

Trends come and go, fundamentals are forever

When we think about new technologies, the trends follow very similar patterns. Criminals try out new technology just like we would. They see what it's capable of, just like we would, and then frankly, they settle back into tried and true methods. Everyone is worrying about cyber criminals jumping on new technology, but when the annual threat reports come out, they will still find that it’s the same old patches on Windows and Linux boxes that are being attacked.

Jason: Are there any trends in relation to threats and vulnerabilities that we will see in the next 5-10 years?

Nathan: If you take a step back and think about it, criminals are basically just security people like us. You can go back to the original definition of what a hacker is. Hacker didn’t mean criminal. I’m not trying to defend criminal behaviour by any stretch, but a hacker was just someone who wanted to break things apart so they could see how it worked and understand it. It came from a place of creativity and curiosity. 

You look at the news cycles over the last few months around OpenAI and ChatGPT. Yes sure, we’ve seen instances of AI helping hackers write writing code and better phishing emails. But are we seeing it become the norm? I don’t think so, but they are trying it out and seeing what they can do with it creatively. 

When we think about new technologies, the trends follow very similar patterns. Criminals try out new technology just like we would. They see what it’s capable of, just like we would, and then frankly, they settle back into tried and true methods. Everyone is worrying about cyber criminals jumping on new technology, but when the annual threat reports come out, they will still find that it’s the same old patches on Windows and Linux boxes that are being attacked.

Jason: That’s right, and weak passwords. 

Nathan: Exactly. So, I get that people are worried about the new phishing emails that are more grammatically correct and harder to spot, but the criminal groups are still breaking in because you don’t patch your systems. And the vast majority of attacks are still going after the low-hanging fruit, the vulnerabilities that have been around for 10 years. 

To put it frankly, why should I, as a criminal hacker, do the hard creative stuff when I can just automate it and walk in the front door? 

History has shown us that this is unlikely to change, even with generative AI. But I am always keeping an eye out for the breaking point where the criminals just give up on the old methods that we’ve been worried about and actually do move on to some really advanced data-crunching ML/AI kind of polymorphic attack structure that becomes so hard to defend. In saying that, I think over the next several years we’re going to see more of the same.

The instant gratification conundrum

Jason: Yes, I feel like that’s because organisations don’t look at the fundamentals of just doing security hygiene 101. 

Nathan: In the past, I’ve spoken about the instant gratification conundrum. It was a model for CISOs about how security programs get stuck in this cycle of always buying the newest thing. And the problem is, if you’re a CISO you’ll often come into an organisation and the board and C-suite will often tell you that everything is terrible and you’ve got to fix it. 

That CISO will take a look and realise none of the basics have been done right and with good intentions will start going down the road of fixing the fundamentals. However, the pressure from the board will start to mount, because they want an instant fix that they can tick off their list. Often the CISO will finally succumb to the pressure and find the latest acronym tool to buy so they can show the board they’ve done something. Now the CISO has bought themselves some time to roll out the technology, but by then they’re onto the next job because the average tenure of a CISO is only 18 months, and the cycle repeats itself again and again. 

Jason: I agree, I talk about this a lot 

Nathan Wenzler: It’s the whole buzzword bingo thing, right? SOAR, SIEM, Syslog! Instead, We need to stay focused on the fundamentals. It’s not sexy, it’s not fun, it’s a lot of hard work. It doesn’t let you go to the board and say, “Look at this cool thing I did. I built an asset database.” New tooling can help you do the fundamentals better and automate a lot more of the work. Better processes can help make things easier too. But at the end of the day, fundamentals are the key, period.

Jason: Yeah, one hundred per cent. I think it’s always the equal balance of people, process and technology and not swinging too hard one way or the other. 

Nathan: Yes, and getting the fundamentals of all three right. I don’t mean fundamentals in terms of buying the basic tools. It’s the fundamentals of your whole security program. 

Some people will tell me they are going to fire their team because they are going to automate everything. That’s not going to work, because fundamentally, you need humans involved to do the analysis work and to be able to make the decisions. 

I’ve talked to CISOs who try to change their best practice frameworks every two years because they think they need to jump on every new thing. They’re caught in a cycle of wanting to look like they’re doing something. So, even from a process standpoint, we have organisations that don’t build fundamentally strong processes that can support what they need to do to maintain long-term success. It has to be about getting the fundamentals right across the board. 

Often the CISO will finally succumb to the pressure and find the latest acronym tool to buy so they can show the board they’ve done something. Now the CISO has bought themselves some time to roll out the technology, but by then they’re onto the next job because the average tenure of a CISO is only 18 months, and the cycle repeats itself again and again.

Nathan Wenzler

Chief Security Strategist, Tenable

Nathan has over 25 years of experience in the trenches as CISO of Information Security programs, helping organisations to optimise, mature and accelerate their information security and risk management programs. Nathan’s focus areas include vulnerability and exposure management, PAM, incident response, process and workflow improvements, executive-level program management, and the human-focused aspects of InfoSec.


Jason Trampevski

Chief Technology Officer (CTO), Sekuro

Jason is a strategic technology leader dedicated to helping organisations achieve their goals through the effective use of technology. His expertise lies in building resilience and driving business success. As a specialist in transforming complex business requirements into streamlined technology solutions, his focus lies in harmonising the essential components of people, processes, and technology to empower organisations to maintain agility and competitiveness in today's rapidly evolving digital world.

Scroll to Top

Aidan Tudehope

Co-Founder of Macquarie Technology

Aidan Tudehope, Co-Founder of Macquarie Technology

Aidan is co-founder of Macquarie Telecom and has been a director since 1992. He is the Managing Director of Macquarie Government & Hosting Group with a focus on business growth, cyber security and customer satisfaction. 

Aidan has been responsible for the strategy and execution of the investment in Intellicentre 4 & 5 Bunkers, Macquarie Government’s own purpose-built Canberra data centre campus. This facility is leveraged to deliver Secure Cloud Services and Secure Internet Gateway.

With a unique pan-government view on the cyber security landscape, we are invested in leading the contribution from the Australian industry on all matters Cyber policy related.

Aidan holds a Bachelor of Commerce Degree.

James Ng

CISO, Insignia Financial

James Ng, CISO, Insignia Financial

James is a leader with a range of experience across various cyber security, technology risk and audit domains, bringing a global lens across a diverse background in financial services, telecommunications, entertainment, consulting and FMCG (Fast Moving Consumer Goods). He is currently the General Manager – Cyber Security at Insignia Financial and most recently was at AARNet (Australia’s Academic and Research Network) where he oversaw a managed Security Operations Centre (SOC) capability for Australian universities. Prior to this James was the acting Chief Information Security Officer for Belong and led the cyber governance and risk team at Telstra.

Noel Allnutt

CEO, Sekuro

Noel Allnutt CEO | Sekuro

Noel is a driven and award-winning IT leader. He has a passion for developing great teams and accelerating client innovation, and in enabling organisations to create a secure and sustainable competitive advantage in the digital economy. Noel also hosts the ‘Building Resilience Podcast,’ which explores the world of sport and deconstructs the tools and ethos of world-class athletes that can help create growth and optimise business and life.

Audrey Jacquemart

Bid Manager, Sekuro

Audrey Jacquemart, Bid Manager, Sekuro

Audrey is an innovative cybersecurity professional with a versatile profile spanning across Product Management, Presales and Delivery. She has worked within organisations from start-ups to large international organisations in Europe and APAC before joining Sekuro.

Nicolas Brahim

Principal Consultant, CRP and OT

Nicolas Brahim, Principal Consultant, CRP and OT

Nico leads Sekuro’s Cyber Resilience Program and OT Cybersecurity, ensuring continuous support and effective program execution for our clients. With over a decade in the security industry, including the creation and leadership of several Security Programs for IT and OT across Australia, New Zealand, Argentina, Chile and the US, his core philosophy emphasises an equal balance of people, process, and technology in delivering actionable and simple solutions.

Trent Jerome

Chief Financial Officer, Sekuro

Trent Jerome

Trent is a seasoned CFO with over 30 years’ experience in Finance. Trent has broad experiences across Capital raises, debt financing, M&A and business transformation. He is a CPA and member of AICD. Trent works with Boards around risk and risk mitigation plans and assists Boards in navigating the risk mitigation versus cost conversation.

Ada Guan

CEO and Board Director, Rich Data Co

Ada Guan, CEO and Board Director, Rich Data Co

Ada is the CEO and Co-founder of Rich Data Co (RDC). RDC AI Decisioning platform provides banks the ability to make high-quality business and commercial lending decisions efficiently and safely. With over 20 years of global experience in financial services, software, and retail industries, Ada is passionate about driving financial inclusion at a global scale.

Before launching RDC in 2016, Ada led a Global Client Advisor team at Oracle Corporation, where she advised Board and C-level executives in some of the largest banks globally on digital disruption and fintech strategy. She also drove Oracle’s thought leadership in banking digital transformation for Global Key Accounts. Previously, Ada implemented a multi-million dollar program to deliver a mission-critical services layer for Westpac Bank in Australia and formulated the IT strategy that was the basis of an $800m investment program to transform Westpac’s Product and Operation division and complete the merger with St. George Bank. Ada is an INSEAD certified international director and holds an EMBA from the Australia Graduate School of Management, and a Master of Computer Engineering from the University of New South Wales, Australia. She also graduated from the Executive Insight Program at Michigan University Ross Business School and IESE Business School.

Megan Motto

Chief Executive Officer, Governance Institute of Australia

Megan Motto, CEO, Governance Institute of Australia

Megan Motto is Chief Executive Officer of Governance Institute of Australia, a national education provider, professional association and leading authority on governance and risk management. The Institute advocates on behalf of professionals from the listed, unlisted, public and not-for profit sectors.

Megan has over 25 years of experience with large associations, as a former CEO of Consult Australia, as well as holding significant positions in Australia’s built environment sector and business chambers.

She is currently a director of Standards Australia, a member of the ASIC Corporate Governance Consultative Panel and a councillor of the Australian Chamber of Commerce and Industry (ACCI) where she chairs the Data, Digital and Cyber Security Forum.

Megan’s expertise spans governance, risk management, public policy and education. She holds a Bachelor of Arts/Bachelor of Education, a Masters of Communication Management and a Graduate Diploma of Corporate Governance and Risk Management. She is a Fellow of the Governance Institute of Australia, the Chartered Governance Institute and the Australian Institute of Company Directors and is also a member of Chief Executive Women. Megan is also an Honorary Life Trustee of the Committee for Economic Development of Australia (CEDA) and was a 2014 recipient of the AFR/Westpac 100 Women of Influence.

Shamane Tan

Chief Growth Officer, Sekuro

Shamane Tan, Chief Growth Officer, Sekuro

Sekuro’s Chief Growth Officer, Shamane Tan, is passionate about uniting minds and experiences, excelling in aligning C-Suite and Board members with cyber security imperatives. As the author of “Cyber Risk Leaders,” she unravels executive communication nuances and distils C-Suite expectations. 

Her work extends to “Cyber Mayday and the Day After,” a roadmap for navigating crises by mining the wisdom of C-level executives from around the globe. It’s filled with interviews with managers and leaders who’ve braved the crucible and lived to tell the tale. Her most recent book, “Building a Cyber Resilience: A Cyber Handbook for Executives and Boards,” was featured on Forbes Australia’s top list of books for CEOs. 

Shamane has also founded a transcontinental cyber risk and executive meetup spanning Sydney, Melbourne, Adelaide, Perth, Singapore, the Philippines, and Tokyo, fostering mentorship, women’s empowerment and thought leadership. As a strong advocate for the importance of having a voice and helping others use theirs, Shamane Tan has spoken at TEDx and global conferences, including FS-ISAC, RSA, Silicon Valley, Fortune 500 and ASX companies. 

Recipient of the IFSEC Global Top 20 Cybersecurity Influencer award and named among the 40 under 40 Most Influential Asian-Australians, Shamane leverages her unique fusion of technical prowess and business acumen to help organisations progress on their security maturity journey.

David Gee

David Gee, CIO, CISO, NED, Board Advisor & Author

 

David Gee, CIO, CISO, NED, Board Advisor & Author

David has just retired in July 2024 and is building out his portfolio. He is an Advisor with Bain Advisory Network and also an Advisor to JS Careers (Cyber Recruitment) and Emertel (Software Commercialisation).

He is a seasoned technology executive with significant experience and has over 25 years’ experience in CIO and CISO roles across different industries and countries. At Macquarie Group David served as Global Head Technology, Cyber and Data Risk. Previously was CISO for HSBC Asia Pacific. His career as a CIO spans across multiple industries and geographies including – Metlife, Eli Lilly and Credit Union Australia. He was winner CIO of the Year 2014, at CUA where he successfully completed a significant Transformation of Core Banking, Online and Mobile Banking systems.

David is past Chairman for the FS-ISAC Strategy Committee and awarded Global Leaders Award in 2023 for his contributions to the cyber security industry. A regular conference keynote speaker and 150+ published articles for CIO Australia, Computerworld, iTnews and CSO (Cyber Security), David now writes for Foundry CIO.com and AICD.

His most recent book – the Aspiring CIO & CISO was published in June 2024 and David is writing his second – A Day in the Life of a CISO with a number of CISOs from around the world for 2025.

Naomi Simson

Co-founder, Big Red Group and Former Shark Tank Judge

Naomi Simson, Co-founder, Big Red Group

INTRODUCTION

For 25 years as an entrepreneur, Naomi Simson has been bringing people together whether it’s with her business experience, her speaking or writing. Passionate about small business and local community, Naomi is considered a home grown success story.

Naomi had a corporate career with Apple, KPMG, IBM and Ansett Australia prior to becoming an entrepreneur. She is a prolific blogger, podcaster and business commentator, and appeared as the #RedShark in four seasons of Shark Tank Australia and she appears regularly on ABC The Drum. She is a non-executive director at Big Red Group, Australian Payments Plus, Colonial First State and Weebit Nano, as well as the Cerebral Palsy Research Foundation and the University of Melbourne Business and Economics Faculty.

A true business leader and influencer, with more than 2.7 million LinkedIn followers, Naomi is Australia’s most followed person on the business networking platform. She has four seasons of her podcast ‘Handpicked’, and she has authored two best-selling books Live What You Love, and Ready to Soar, and is sought after speaker.

FULL BIO

For 25 years Naomi has been bringing people together whether it’s with her business experience, her speaking or writing. She is a strong advocate of business owners.

Known as an entrepreneur and business leader; following the growth of RedBalloon which she founded in 2001, Naomi co-founded the Big Red Group (BRG) in 2017.

Naomi had a corporate career with Apple, KPMG, IBM and Ansett Australia prior to becoming an entrepreneur. She is a prolific blogger, podcaster and business commentator, and appeared as the #RedShark in four seasons of Shark Tank Australia. She is a non-executive director at Big Red Group, Australian Payments Plus, Colonial First State and Weebit Nano. As well as the Cerebral Palsy Research Foundation and the University of Melbourne Business and Economics Faculty.

A true business leader and influencer, with more than 2.7 million LinkedIn followers, Naomi is Australia’s most followed person on the business networking platform. She has authored two best-selling books Live What You Love, and Ready to Soar, and is an engaging, humorous and insightful speaker. She has four seasons of her Podcast – Handpicked.

Naomi is relatable across a broad variety of audiences and topics, often drawing on her personal experiences to provide thoughtful and valuable views into topics; including the customer obsession, intentional leadership, growth mindset, personal development. She is a regular panellist on ABC The Drum.

Peter Ngo

Product Line Manager, Global Certifications, Palo Alto Networks

Peter Ngo

Peter leads the Commercial Cloud, Global Certifications organisation at Palo Alto Networks which oversees global cloud security compliance efforts to various frameworks and standards including IRAP, SOC 2, ISO, PCI, C5, ISMAP, and IRAP and more for 25+ cloud products.

He has held many roles over the years covering areas of IT Operations, and Governance, Risk, & Compliance (GRC) for a wide range of industries including technology, insurance, and manufacturing.

Peter holds various security and professional certifications, including the CCSP, CISSP, PCI ISA, CISA, CISM, CDPSE & ISO Lead Auditor, in addition to a Master of Science degree in Information Assurance. 

Jack Cross

CISO, QUT

Jack Cross

Jack Cross is an experienced business leader with expertise in digital technologies and risk management. Through a steadfast commitment to integrating people, processes, and technology, he champions the fight against cyber threats while mitigating organisational risks. 

Over the past 15 years, Jack has navigated diverse leadership roles within the Defence and Education sectors, honing his skills in steering multidisciplinary teams through intricate and sensitive technical landscapes. In addition to this experience, he holds numerous formal qualifications such as: a Master of Systems Engineering (Electronic Warfare); CISSP; and CISM certifications.

Nadene Serman

Global CTO, Infotrack

Nadene Serman

Nadene Serman is a leading IT executive with a proven track record spearheading first-of-its-kind technology and business transformation for some of the most prominent organisations globally and in Australia. As the Global Chief Technology Officer of InfoTrack, she is a key protagonist of innovation as an enabler of InfoTrack’s next stage growth. Her energy, commercial acuity and strategic capability have fueled her success.

Nadene leads with clarity, transparency and urgency, uniting people in complex, multi-layered technology and business execution, and go-to-market transformation and innovation. She tackles and resolves complex and seemingly intractable challenges while building support and collaboration – even in times of crisis. Her people-first, ‘think straight, talk straight’ approach makes her a formidable force.

John Doe

President Great Technology

Cyber Resilience Program | Sekuro

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.