Season 2 Episode 1: Andrew Penn – Preparing for cyber attacks, effective Chair-CEO relationships and governance issues at the National Gallery of Victoria
Andrew Penn AO is a director with Coles Group and a council member at the National Gallery of Victoria. He’s also a former CEO of Telstra and served as the Chair of the federal government’s Expert Advisory Panel on cyber security strategy. We talk about: lessons for boards on cyber security, advice on effective Chair-CEO relationships, and governance issues at the National Gallery of Victoria.
Transcript
Hello and welcome to Boardroom Conversations, a podcast from the Australian Institute of Company Directors. My name is Bennett Mason and thanks so much for joining us. In each episode, we'll have candid conversations with some of Australia's top directors, leaders, and experts. And when you do that, backgrounds, but also discussing many of the key issues that boards are grappling with. Our guest this time is Andrew Penn. He spent seven years as the CEO of Telstra, before leaving that role in 2022. Andy is now a director with Coles and a trustee of the National Gallery of Victoria. He was also the chair of the federal government's Cyber Security Strategy Expert Advisory Board. Andrew, thanks so much for joining us on Boardroom Conversations.
ANDREW PENN
Thanks so much, Bennett. It's a pleasure to be here.
BENNETT MASON
So, as we just mentioned, you've somewhat recently finished your role with Telstra. That was obviously a very big job, and a very large company. Why did you want to be a company director after leaving that role?
ANDREW PENN
Well, I think probably the first thing to say is that it was important to me as I thought about my professional career, that I was thinking about the next stage if I can put it that way. And I was just turning 60, and I wanted there to be another stage to my professional career where I could make an impact. And I wanted to start that when I was young enough, to do so with energy. And so, I always say that it's important that you need to leave when you're not quite ready and when people still want you to stay. Not the other way around. And so, I felt I navigated that process well. But one of the things of working at the big end of town in an executive role is you get access to contemporary thinking around corporate governance, contemporary issues, technology. And it doesn't really matter whether it's Telstra or another very large organisation. That's what I knew I was going to miss. So being a non-executive director of a very organisation, such as Coles, gives me firstly, I think it's a situation where I can make an impact, to make a difference because I've had that experience. But secondly, I knew I would miss the opportunity to be working on those complex organisation, economy-wide issues. And so that's hence the decision to join Coles.
BENNETT MASON
You had a quiet retirement after Telstra. You could have played golf or sailing or anything else you like. But you chose to take on board roles instead. Your first listed board role after Telstra has been with Coles Group. What was it about Coles that was appealing to you? What seemed interesting or worthwhile?
ANDREW PENN
Well, in many ways, Coles is very analogous with Telstra. It's obviously in a different sector but it's a nationally important business. It's part of critical infrastructure. It services communities right the way across Australia. So, all of the issues that I'm used to dealing with and thinking about in my previous role at Telstra were very relevant to Coles, whether it's thinking about the role of ESG, whether it's thinking about being an operator in logistics and supply chain. It’s a company that's clearly being impacted by technology disruption and evolution. And obviously, I couldn't stay within the telco sector. So, I was very keen to join an organisation that would have the same level of presence and impact and importance to the broader community and broader society, broader economy that Telstra did. And Coles really offers me that.
BENNETT MASON
You were obviously the CEO of Telstra for a long time. You were the CFO before that and even previously you were a senior executive at AXA. The role of CEO and board member is obviously very active. Have you found it challenging at all making that transition from CEO to non-executive director?
ANDREW PENN
I wouldn't say I found it challenging. But you're right, it is different. But what I would also say is that when you move into a portfolio career, it's important to try and find the right mix of things to be working on. And so, to some extent, obviously, I miss being more hands on. I miss being the CEO, which is not the same as saying I want to go back, by the way, and change my mind. But in thinking about that, I know that I get certain opportunities and certain things that stimulate me by being a director of Coles. But being hands on is obviously not one of them. But there are other things that I'm doing which obviously give me the opportunity to be more directly involved, as well. But what being a director of Coles does give me is, as I say, that opportunity to be part of the discussion around really contemporary issues which affect all organisations, particularly large organisations. And large organisations tend to be at the forefront of them. So, whether it's thinking about how do we address the cyber security threat? Or how do we think about artificial intelligence and the ethics around that? How are we dealing with disclosure and the changing landscape around sustainability and ESG? Those issues are relevant to all large corporates. And being a non-executive director, I find that both intellectually interesting and stimulating. And also, I think it's an area where I can make a contribution.
BENNETT MASON
We’ll get to some of those issues that you mentioned a little bit later in the discussion, especially cyber security. But just going back to what you're doing now and that transition you've made, we know from many organisations that the relationship between the chair and the CEO can be so crucial to success. You obviously worked with a lot of chairs, and board members when you were at Telstra and as a board member with Coles, you're working with the CEO. What's your advice on building an effective relationship between the chair and the CEO?
ANDREW PENN
I'm a big fan of what I describe as making the implicit, explicit. And by that what I mean is being very open and engaged on how you both see the relationship playing out and then setting up effectively a process where you can work on the relationship. So, one of the things that I've done with my chair previously is effectively have a scorecard where we identify with each other what are the four or five things that we are expecting from each other and would appreciate from each other? And obviously delivering results is one of them. It's always going to be that way. But it's more behavioural. So, things about “no surprises” or having an open conversation. And in many respects, they're quite obvious points. But the fact of writing them down and discussing them, I think is quite powerful. And so that's what I've done. And then what we would do is check-in every so often and say, and I would score myself, how well did I think I went on delivering to the things that were important to my chairman. And how well did I think that the chairman did in relation to those things as well? We just score each other. And then we’d sit down and just have a discussion about it. And I think the point is about relationships is just confronting that stuff upfront, being very explicit, being very open because I found that problems in relationships, problems in business, they're not like fine wine. They do not improve with age. And so therefore teasing those things out early and regularly, I think is, conducive to what then cultivates a strong working relationship.
BENNETT MASON
Do you have any tips on how to begin those challenging conversations in the boardroom? And those business relationships?
ANDREW PENN
Well, for me, I've always thought about it as trying to separate the facts, if you like, the quantitative from the qualitative. Often in a situation, whatever it may be, there's a set of factual dynamics to it – or results from it. Obviously, it may be challenging but spending the time to get really clear and aligned on those without getting emotional about them, is super important. This is a good example, performance appraisals are a really good example. It's a different context, but it's relevant. I would make sure that with my executives, we would go through and get aligned and agreed on the actual outcomes quantitatively first, without an emotional discussion, without cause and effect otherwise. And then we would go through and say: “Okay, what went well and why did it go well? And what were the interventions that we took that went well?” The really positive. And then, what didn't go as planned. And what do we learn from that and what might we have done differently with the benefit of hindsight? So, try to change the conversation basically, to try and mitigate the dynamic where people become defensive. Because as soon as people become defensive, then it just really gets in the way of tackling the issue. So, if you can actually try and find mechanisms and ways of approaching things where you can tease the problem out in a very unemotional and almost abstract way and deal with it factually. And then rather than say, “Well, why did you do this and why did you do that?” And that to me has been ultimately what’s delivered to my success.
BENNETT MASON
Now, you would have spent a lot of time in boardrooms throughout your executive career. But you’re still relatively new to life as NED. What have you learned about the role since you joined the Coles board?
ANDREW PENN
Well, it's interesting. I would say I'm absolutely still learning. But I think directors obviously do have an important governance role. There's a reason why lots of different pieces of legislation ultimately hold responsible officers accountable. And so, they do play that important role. And so, I think I've had a better appreciation of that. Because obviously, when you have been an executive, the chief executive of the company, you have that responsibility as well. But you obviously have your hand on many of the levers. And so, trying to really tease out the differences in the roles between management and the board is super important. I think learning to not necessarily have to have an opinion on every single issue, is important. Obviously, there's a group of people around the boardroom table. You have a finite amount of time to discuss issues. I try to be very thoughtful about where I can make a contribution, add value, as opposed to just wanting to say something for the sake of it. And then I think also, for me, I reflect on my own experiences, and I've always tried to draw out the patterns, that I can then help to use in relation to confronting future issues, which may not be exactly the same, but they have the same pattern. So, I've found trying to provide that, rather than necessarily trying to come up with answers because inevitably, on pretty much every topic management are going to be far more across the detail, than I am. And I also think another really important dynamic is asking questions. There’s a great acronym or a model for this – it’s called “TELL”. Which is: can you tell me something or explain something to me or describe something to me? And so, I think asking pertinent questions is actually a really powerful way of actually elevating issues or exposing issues or bringing issues out without doing it in more of a telling, confrontational way.
BENNETT MASON
Let's shift now to another one of your roles. You were the chair of the Expert Advisory Board, which guided the government to the government's cyber security strategy. Many people will have read about the strategy and the board or might have seen you in the media talking about it. And can you just describe what the advisory board’s role was?
ANDREW PENN
Essentially, we worked alongside the Department of Home Affairs and the Minister for Home Affairs, Clare O'Neil, and then other relevant agencies to essentially assist in the development of the 2023-2030 Cyber Security Strategy. What we didn't do is, we didn't write an independent expert’s report and then pass it over, if you like. We were actively involved in the evolution of and the contemplation of all the very different aspects of that process, which started with a lot of deep consultation, a lot of deep analysis. And then ultimately, the development of strategies. We also had, by the way, for our benefit, an international advisory board as well, which was part of the process, which was chaired by Ciaran Martin. Ciaran is the former head of the National Cyber Security Centre in the UK. It was also Mike Rogers who used to be head of Cyber Command at the NSA in the US. So, we had some pretty heavy hitting input, and the job was really to help direct that into the development of the various different initiatives which formed part of the strategy. So, it was quite hands on. When I was doing that work, which was really all through 2023, about 50% of my time was on that.
BENNETT MASON
The strategy has now been released, and there's a lot of important information in there. But what do you think are some of the key elements of that strategy for boards and directors?
ANDREW PENN
Let me answer the question slightly differently. In the sense of what would I do? Or how do I advise boards and directors in terms of dealing with cybersecurity? And then, I can come back to the strategy piece in a second. Because I think the point is, if we don't do this thing, there are some legislative and regulatory things which have both already been promulgated, and are to come, that will impose greater responsibility on directors. But essentially, I think from a cybersecurity perspective, there's really four things that I think are super important for a company. And I would be asking as a director:
The first is: you can't protect what you don't know that you have. And so, what you must do is develop an inventory of all of your digital assets and all of your critical assets. And that sounds simple, but it's actually quite hard. And not many companies actually really have that comprehensively developed. But the process of even doing it is in itself very, very instructive because you start to think, well, what's a digital asset? Is it applications, the software, there's hardware, there's encryption keys, there's data sets. There's instances of AI. How do I even categorise them? So that's point one.
Point two is, you need to then identify which of the appropriate frameworks, control frameworks for which to measure we've got the adequate controls of each of those assets. And I say in boardrooms and in other conversations, lots of debate about should we use the Essential Eight? Should we use this? Should we use something else? I think that's the wrong conversation, actually, because they're all slightly different, but they're slightly different for a reason, because they're doing slightly different things. And what's the relevant point is: what's the category of asset and therefore, what's the right control front of it? The third thing I would say is that the worst possible time to develop a crisis plan is in the middle of a crisis. So, make sure you've got an incident response plan. The AICD, you guys, and the Cyber Security Research Centre have done a great paper on that, very recently.
And the last thing I would say is that what's safe today may not be safe tomorrow. And by that, what I mean is that it's super important to keep an eye on emerging and changing technology. So, things like AI, quantum development, encryption, they're all going to have an impact, in the future. So, switching that back to the strategy. One of the things I think is important in the strategy, one of the philosophies was to shift responsibility for cyber security to those that are better able to, if you like, play a role there. Because at the moment there's a disproportionate, if you like, burden on those that are least well equipped to deal with it, which is effectively individuals in the community, which means that companies are going to need to take more action and be held more accountable. And we're seeing that through some of the legislation in the Security of Critical Infrastructure Act. And then also in some of the standards and guidelines, which again, you guys have been involved in, in terms of what constitutes best practice at a board level. And we will see more of that coming through.
BENNETT MASON
We talked about the importance of always asking questions. What questions should a director ask management on cyber security?
ANDREW PENN
Well, it would go back to my point. Do we have an inventory of all of our digital assets? Can we see it? Or at least a summary of it? Have we had that effectively independently verified? And can somebody come in and have a look and see if we've missed anything? It's a harder thing to do than you think. But there are some interesting tools that are becoming available now digitally to actually help you discover all of your digital instances, if I can put it like that. And then I'd be asking questions. Well, what is the right control framework? Where do we sit in relation to that control framework? What do we need to do to close the gap and to, if it's the Essential Eight, to bring ourselves up to the appropriate maturity level? The other thing I would say on cyber security, and I've developed from experience a perspective and a view on this, is that I think we're deluding ourselves if we think that we can retrofit robust, or if you like guaranteed, digital protections into old legacy systems. We're deluding ourselves. I think one of the biggest issues that companies face today is the complexity of the technology environment, the legacy technology environment. And of course, that's where a lot of vulnerabilities sit. And so, they're all desperately trying to go through and patch and do all the work necessary to try and protect it. But it's always going to be vulnerable. So actually, I think one of the key initiatives that companies can do is to update the technology environment. But I also think that what's related to that is where companies make a mistake is that they don't simplify the business environment first. Because if you think about why technology and legacy systems exist, they exist to record all of the stuff that we've done in the past and are going to do in the future. And so, all of the products we've sold, all of the employee terms and conditions that we have, all of the supply arrangements we have, and everything else that goes with it.
And if all of those things are complex and there are multiple generations of them, your systems are going to be complex. And if you try and write that all into a new digital environment, you're probably going to fail. Whereas if you can actually simplify, that’s one of the things that we did in Telstra. We radically reduced the number of SKUs in our consumer business from 1800 to 20, and then we built those in a new technology stack, and then we migrated everything to the new technology. That then becomes a much easier place to then deploy cyber security controls than trying to retrofit it to legacy systems. So, I think your whole digital strategy is actually going to determine how well you protect yourself from the cyber security perspective.
BENNETT MASON
Cyber security is obviously enormously complex. Do you think boards and directors know enough about this topic? Going beyond that, do senior leaders in management know enough about it? Or do we need more upskilling here?
ANDREW PENN
Well, yes, I think we do need more upskilling. But I've always been of the view that of course we need more deep cyber security experts. But we actually also need to build more cyber security skills into just general management. And in the context of IT, into just the general IT curriculum. So, for example, more basic cyber security skills in software development, in robotics. So, pretty much everybody's working in a digital environment today. So, everybody needs some basic cyber security capabilities and expertise. Not everybody is going to be a deep cyber security expert and be able to understand every single aspect of the technology. But I do think that more base level, so that ultimately people can ask the right questions. And I think why boards struggle with this, and not just boards. Because candidly, I think many, many senior leaders struggle with this, is that they find the digital landscape so intangible to get your head around, that when people come and talk to them about cyber security, they find it really difficult to even conceptualise. And that's why I had my simple basic framework around: know what your digital assets are. Because ultimately that's what you're trying to protect. So, if you don't have a good handle on that and actually once you've got a good handle on that, it starts to make a lot more sense. I mean, you don't necessarily understand how people do, maybe develop a phishing email or you couldn't necessarily write the code of the malware, but you understand the concepts.
BENNETT MASON
Some organisations have tried to upskill by appointing cyber security experts or specialists on the board. Do you think that's something worth considering?
ANDREW PENN
Well, I definitely think that, like in any board, you want a mixture of skills around the boardroom table. We don't want everybody to have the same level of general knowledge on every single topic. And so, I think it's certainly helpful to have somebody who's got more experience at a practical level on cyber. We've got to be careful at the same time that we don't delegate responsibility for cyber security discussions to that particular director. And so, again it comes back to the same point. I think every director needs to have a basic level of understanding. Because once you know how to ask the right questions and once you know what the right framework is, then it's much easier to actually get expert advice because you know how to brief experts. It's making sure you've got your arms around the whole problem. As opposed to going deep on any aspect of the problem because at a board level, that's really what you need to do. I mean, there wouldn't be enough time in the day to go deep on every single aspect of the problem.
BENNETT MASON
Let's say the worst happens and your company or your organisation does fall victim to a cyber-attack. What should the board do? How do directors respond?
ANDREW PENN
Well, I think firstly, there's a good chance that every company will experience a successful, malicious attack against it. I think the question is how big is it and how significant is it? But my point of saying that is that I think everybody needs to be prepared for it. Secondly, as I mentioned before, that's not the time when you want to be developing your crisis plan. So, make sure you have a crisis plan in place. And it's actually very clear in terms of who's accountable, who's doing what. Particularly around communication and engagement with stakeholders. And make sure that you've done plenty of really high-quality scenario simulations. Because you could write down a response plan, but there's nothing like actually really trying to experience it as real as you can probably make it. That's super powerful because you always end up learning some things out of that. I think one of the things also that boards have got to be careful of, and I think even CEOs have got to be careful of is, in my old world at Telstra, we had a very robust crisis management approach, not necessarily just cyber, but just generally. So, there were lots of crises of network outages or cyclones or whatever it may be. And there's a lot of people that are part of that process, including the chair of the crisis management team. And the board’s just got to be careful that it doesn’t, if you like, suddenly see itself as needing to take over the crisis management. Because the reality is they're probably not well equipped to do so. And so, the issue will be, is to make sure that the board's playing an appropriate role and fulfilling its responsibilities and supporting the team. And also, particularly around engagement and communication, but not seeking to step in and try and take control of the process. Leave that to the experts, leave that to the people that are closer to the issue. And I think getting that balance right is important. 
So, I think when you do scenario planning, it's important that boards are involved in it.
BENNETT MASON
Sticking with, cyber-attacks for a moment. Ransomware is an issue that many organisations struggle with. A lot of boards are still undecided on whether they would pay a ransom or not. What's your view on that question around ransomware?
ANDREW PENN
Well, it's obviously a particularly pernicious type of malware and malicious cyber activity. And it's obviously covered very extensively through the Strategy. Our view was we should not ban ransomware payments. That would be too much of a blunt instrument and too difficult to determine what the unintended consequences may be. But we strongly discourage them. And we recommended that it becomes compulsory to report them for most organisations, maybe not very small businesses, but for most organisations. So that’s philosophically, from a policy point of view. Again, a simulation or a scenario process should absolutely confront this, and you should get presented with lots of different situations and examples of what the ransomware claim may be, so that directors actually fully prosecute all those issues. The other thing the directors are going to be thoughtful about is, if in the event they did determine that it was the right thing to do to pay a ransomware payment. And I could think of, well, I won't say I can think of situations where it is the right thing to do. But I can think of situations where, particularly with health and safety and human life at risk, it's something we would need to consider very thoughtfully. But you also need to take responsibility for where is that ransomware payment going to? Who are you financing? You may have ESG policies within the company that you're actually now going to conflict with by paying a ransomware payment. So, I think that ransomware payments should be avoided at all costs. But as I say, we stopped short of recommending that they're banned just because we think it's too much of a blunt instrument.
BENNETT MASON
One final question on cyber security. A number of our listeners might be from SMEs or NFPs and they may not have the resources of large companies like Coles or Telstra. Do you have any advice for those sorts of organisations on cyber security?
ANDREW PENN
Well, look, I think there's plenty of help out there. The ACSC, the Australian Cyber Security Centre, in particular produces some really good materials on basic cyber security, good hygiene if you like, and best practices. A lot of that is provided for free. And also, companies like Telstra, I know, provide support for small-medium businesses. But there's also an element where, if you're going to do business online, there's a lot of benefits from doing business online. There's a lot of efficiencies for small, medium businesses. It's a great way to actually get access to global markets that you wouldn't have otherwise got access to. But it is going to come with the responsibility that you need to, ultimately, you can't discharge that responsibility to a third party. You're going to have to get your hands dirty a little bit. But I know it's tougher for small businesses because they don't necessarily have the resources. But the more stuff they're going to do online, they're going to need to effectively skill up and get those. And I think the good news is that there's plenty of assistance out there, if you just do a bit of research on it. You just Google: “What's the small-medium business framework for best practice cyber security?” You’d get 30 different options for that. But if I was to point you somewhere, I'd point you to the Australian Cyber Security Centre's website.
BENNETT MASON
That's good advice. Before we let you go, I want to ask you about one of your other roles, which is on the council of the National Gallery of Victoria. What is it about the NGV that makes a board position there so rewarding?
ANDREW PENN
I’ve been on the board there for four years. And it's always been important to me to play a role in the not-for-profit space and make a contribution. All of the government policy stuff I do, I decline any remuneration for that. But also, outside of that, I've got other areas of interest. I've always been passionate about the arts. I paint a bit myself, I should say not very well. But Winston Churchill wrote this book called “Why I Paint.” And in the book, he describes basically the main reason why he started painting was he wanted to exercise a part of his brain that wasn't necessarily being exercised as a politician and as an administrator. And I found that finding ways to bring creativity into my life, I find both pleasurable, but also actually makes me a better person, a better leader, makes me reflect on things, bringing more reflection than just pure logic and rationale and analytics and numbers. So that's what interests me in the arts. And so, there isn't a better arts institution in Australia than the NGV. I apologise to the others. But look at the numbers. The NGV is one of the top 20 most visited galleries in the world. They do outstanding work. Just the creativity and the ambition of some of the programs, the Triennial. We're building currently a third art gallery here in Melbourne called the NGV Contemporary. And of course, given the impact of Covid on city centres, I think the opportunity for Melbourne and for other cities is to really lean into their cultural and arts and sports and other reasons why people come to the city. And it's a great privilege to be able to be part of the team at the NGV and play a small role.
BENNETT MASON
Podcasts are obviously an audio medium, but are you able to describe what your paintings are like? Landscapes, portraits, still lives?
ANDREW PENN
So, they're sculptural landscapes. And I paint in large scale, so typically two metres by two metres. And when I say “sculptural”, it's because while I'm using paint, and while they’re paintings, I typically use a more textural material. So, like oil, I might use pumice or concrete or wax. And they’re figurative landscapes.
BENNETT MASON
The NGV is a beloved cultural institution, not just in Victoria but across the country. People visit from all over Australia and around the world. Are there unique governance challenges and also opportunities that come with an organisation like the NGV?
ANDREW PENN
Absolutely. Just thinking about the collection overall, and then the preservation and conservation of the collection and then also thinking about collection strategy, is super important. And then working that in conjunction with the supporters, donors, philanthropic and also the Victorian government. So, you're really anchored in the purpose of the gallery. And then there are contemporary issues in art such as stolen art. And then art galleries are used as areas of protest and then how you respond and deal with that particular dynamic. You've seen people throw cans of paint at very valuable paintings and things like that. And so that's another dimension to it. And then of course, art can be controversial. And so, as a governance body, you need to think about that. Either the subject matter is controversial, not everybody agrees with it. Generally speaking, getting an opinion on something. And sometimes the artists themselves are controversial and say controversial things. And so, they're all tricky things to navigate.
BENNETT MASON
Andrew, we might leave things there. I know you're busy. So, thank you very much for your time. It's kind of you to speak to us on Boardroom Conversations.
ANDREW PENN
Thanks so much. It's been a pleasure and a lot of fun.