CxO Interviews
March 30, 2024

Andrew Morgan: From drug cop to CISO

La Trobe's chief information security officer has had a fascinating career journey from capturing and locking up international drug traffickers to helping Australia's higher education sector deal with the never-ending cyber threat.

During the early part of his career, Andrew Morgan spent a lot of time chasing some nasty critters. As a detective at Victoria Police, his primary focus was catching criminals involved in international drug, gun and people trafficking.

“It was totally consuming and the most fun you can ever have at the same time,” the current chief information security officer at La Trobe University tells Sit-Down.

Morgan, 57, recalls one operation in 1999 when he was working at the National Crime Authority (which was wound up in 2002) where he led a team that was targeting a Singapore-based triad group of criminals who were trafficking heroin into Australia. His team identified bosses in Singapore with links to China, and criminals in Australia who were selling the drug in bulk as wholesalers, as well as retail dealers, “everything from the street runners right up to the head of the triad,” says Morgan.

“It was bloody awesome; normally you only get one layer, you kick it out and they replace it with another layer. But this [investigation involved] all of the tentacles, which was just magnificent,” he says.

Morgan and the team identified the lead player in this criminal organisation who would regularly stay at Melbourne’s Crown Casino. The team was able to install covert cameras and listening devices across two adjacent rooms that he would book on trips to Australia. Around 100 police were working together to gain intelligence on the drug trafficking operation.

“We started to pick up chatter around the place that the big motherload [heroin shipment] was about to come in. I was home one Sunday afternoon and the guys that were manning the listening device post – we had guys doing that 24x7 – picked up some chatter that said, everybody is being called into a meeting tonight, the gear [heroin] is here … somewhere close to Crown.”

The team discovered that a heroin shipment had arrived and was sitting in the boot of a car parked across the road from the hotel in full view of the gang member’s room window. They waited for a few days armed with guns, bulletproof vests and forensic kits and gathered intelligence that they hoped would result in the downfall of the entire network across Australia.

“You’re living off coffee and burgers, you smell, you haven’t slept, it was nuts,” he says.

Eventually, raids were conducted with Morgan and other detectives crashing through doors and making arrests. Main players were taken to police headquarters and interviewed and, because they had Asian backgrounds, interpreters were required. It was an arduous process for Morgan, who could be seen drifting off to sleep at his desk during these interviews due to the intense workload and lack of rest.

After four days of being awake, gathering evidence, conducting interviews, remanding villains, locking away guns and heroin, and almost 13 years at Victoria Police working on these cases, Morgan decided to call time.

A catalyst to get out

Morgan says he quickly realised that there was life outside the police force. He was coming to the end of his time at the National Crime Authority (now the Australian Crime Commission) and baulked at the possibility of going back to Victoria Police as a detective in his local area.

“After what I had been exposed to in the force and the work that I had done, it didn’t fill me with love anymore. I think I lost my empathy for the victims; somebody who has had their house burgled, that’s a really significant thing for them. It wasn’t something I was getting charged up for. If you’re not going to do that, it’s probably time to move on.”

Morgan was hearing about how professional services firms were setting up forensic practices with the possibility of becoming a partner, which would involve flying up the pointy end of an aircraft, doing amazing work and getting well paid while taking clients to the football, concerts and lunches.

After stints as an investigation manager at Westpac and National Australia Bank, Morgan became director at Deloitte Digital and Deloitte Forensic in 2004, followed by other forensic roles at PPB Advisory; whistleblower program provider, Stopline; and business advisory giant, BDO.

“I got there [to these organisations] and found out that they had lied to me. But the people that hire you to do work [want] you to look after their biggest and worst problems so you are always getting involved in something meaty. I loved that part, the exposure I got to big problems was good. It was not how it was sold to me, but it’s good stuff to have on your CV,” he says.

Morgan says these roles were not just about using his investigative skills to put together a brief of evidence and write reports, but they were an opportunity to build interpersonal and soft skills, solve problems, think on the fly, soak up pressure and make decisions when “everything around you is on fire.”

“That’s what you get out of the police force if you hang around long enough,” he says.

Soft hands for a diverse community

These days, Morgan has what he describes as ‘soft hands’ as chief information security officer at Victoria’s La Trobe University, a role he undertook in November 2021 after almost six years at NBN Co. His last role at NBN was as general manager at the organisation’s National Cyber Operations Centre.

“The NBN is the single and most precious piece of infrastructure Australia has ever had; it connects our entire country to the rest of the world. It was complex and I had to use all of my consulting and relationship management skills,” he says.

La Trobe, he says, is at a basic level of cyber maturity and he wants to beef it up. His days involve putting out fires, and importantly, building a strong cyber culture at La Trobe where the cyber group and staff across the university are aware of each other’s priorities.

“People know what they care about, they know what I care about and the two coalesce reasonably well. I’ve got willing participation in what I am trying to do, I understand what they are trying to do, and we work together.”

This enables Morgan to identify and manage risk, build the right processes, make sure people are appropriately trained across the cyber group and finally, select the appropriate cyber tools. The technology part, he says, is the last consideration. If the culture battle is not won, the technology doesn’t matter.

Morgan shows university staff that there is value in having cyber guardrails. He sets boundaries and makes it clear to staff that if they go outside those boundaries, he can’t offer protection. It’s a diverse role in an eclectic community of domestic and international students who come from different cultures, administration and IT staff, as well as researchers who want their research published.

“Researchers and academics generally have an incredibly deep level of knowledge in whatever their specific area of expertise is, and they are pretty set in their ways as to how they like to do things. So, to come in and try and push change through, you’ve got to engage with the academic community in a very different way to how you engage with the corporate services and students.”

Morgan’s consulting skills and resilience are certainly of use when dealing with this community.

“Everything is about consultation and agreement. It’s tricky and it takes a lot of focus and energy but it’s satisfying because if you can get a critical part of the university saying, ‘yeah, we get that, we’re happy about that’, it validates my personal philosophy, which is different from a lot of the CISOs I know. Many have come from technical or maybe a network engineering background, they’re incredibly smart and that’s their focus.

“I don’t know how to do network engineering, so I am not going to focus on it. I’m going to focus on the bit where I can make a difference.”

A never-ending cyber threat

Australia has fast become a key target for cybercriminals, with high-profile attacks on Optus, Medibank and Latitude Financial Services increasing awareness so that cyber security is a top priority for corporations and government departments of all sizes. Morgan expects attacks to ramp up as illegitimate businesses create commoditised pieces of nastiness using technologies that are getting smarter and ‘making this stuff more accessible.’

“Some goon went and invented ChatGPT and all this other AI stuff which, again, is just making life easier for [criminals]. It’s going to have an impact on me on the white [ethical] side but also on the black side as well. ChatGPT is better than a YouTube video because you don’t have to know what you are asking for.”

When asked about the preparedness of Australian organisations and governments to deal with the cyber threat, Morgan says it’s a case of the ‘haves and have-nots.’ Companies in heavily regulated industries such as financial services, telecommunications and utilities are investing very heavily in cyber security.

The Australian government’s Security of Critical Infrastructure Act has made their requirements crystal clear, he says.

“The security agencies and government as a whole are taking a very active interest in what their security, maturity and postures look like. After those ones, it [cyber readiness] starts to drop away very quickly because I think that historically, there hasn’t been a focus on security.”

He says the next tier down of critical infrastructure organisations, healthcare providers, for instance, have a lot of personally identifiable information, making them a significant target. But healthcare companies haven’t historically been as cyber mature or capable as the top end of town.

Higher education organisations, which are also on the critical infrastructure list, are still lagging on the cyber front, he says.

“In higher ed, it [cyber] has never really been a thing; people did stuff on a ‘best endeavor basis.’ We still don’t have CISOs in every university in the country. So, we are desperately trying to ramp up the capability of cyber security across the sector.”

Morgan is the chair of the Cybersecurity Community of Practice, which aims to take learnings from universities that are doing well with cyber security and increase the maturity and capabilities of some of the lesser-known and smaller universities that don’t have the funding or resources to improve their posture.

“It’s a very collegiate sector and this is a good way to bring them up [to the right level],” he says.

Small to medium enterprises, K-12 schools, and organisations in the not-for-profit (NFP) sector also need assistance, he says.

“I’ve been a company director for an NFP, so I’ve got direct exposure to [their challenges] and I get really concerned about what sort of information these places are holding and how open they are [to attack], and how basic security hygiene stuff, which would lift their capabilities massively, isn’t done,” he says.

Author:
Byron Connolly
Byron Connolly is the Director of Research & Production CIO CDO CISO at Sit-Down in Sydney. He has 25 years’ experience as a technology and business publication editor, and roundtable and conference facilitator for senior technology executives in Australia and New Zealand.
Author:
Anand Tiwari
Experienced research professional with over 14 years of expertise in technology, industry, and business research, specialising in data analysis and strategic insights. Currently, Market Analyst at Sit-Down, steering the organisation's research and insights agenda.
Author:
Ankit Singh Rajput
Accomplished market researcher with over 10 years of experience, leveraging expertise in industry research, analysis, and strategic consulting to deliver impactful results. Currently, growing the research and advisory function at Sit-Down as the Market Analyst.