Women in Security Celebration Special Edition by MySecurity Marketplace

Print Post Approved PP100003227

THE COUNTRYâ&#x20AC;&#x2122;S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.australiansecuritymagazine.com.au Aug/Sep 2017

Women IN

SECURITY SPECIAL FEATURE

C YBER S E C U RI T Y F O R W O ME N EXECUTIVE LUNCHEON INVITATION EXCLUSIVE TO COLLEAGUES

CIO, CISO & CSO FRIDAY 27 OCTOBER 2017 12:00 PM - 2:30 PM

SAKÉ RESTAURANT & BAR BONSAI ROOM

12 ARGYLE STREET, THE ROCKS, SYDNEY

Diversity, Opportunity, Scale Mihoko Matsubara

Vice President & Public Sector CSO for Asia-Pacific Palo Alto Networks We would like to invite you to join an exclusive executive discussion featuring Mihoko Matsubara, Vice President and Public Sector Chief Security Officer (CSO) for Asia-Pacific, Palo Alto Networks. Mihoko, based in Singapore, is responsible for developing thought leadership, threat intelligence and security best practices for the cybersecurity community within the governments and academia in the region. Mihoko was formerly CSO for Palo Alto Networks in Japan and she also worked at the Japanese Ministry of Defense. Mihoko received a Fulbright Scholarship to pursue her MA in International Relations and Economics at the Johns Hopkins School of Advanced International Studies in Washington DC and was a research fellow at Pacific Forum CSIS, a Japan-US cybersecurity cooperation think-tank. In Tokyo, she worked for Hitachi Systems as a cybersecurity analyst researching cyberthreat environments and policy issues and worked at Intel K.K., Tokyo, in the role of cybersecurity policy director. She is the first Japanese speaker (2015) at the NATO International Conference on Cyber Conflict in Estonia and was most recently appointed as an Executive Committee Member of The Armed Forces Communications and Electronics Association (AFCEA) in 2017.

Discussion Focus: This will be an interactive event so we ask that you come prepared to engage with your peers as we discuss the key issues for women across the cyber environment. Opportunities abound in cybersecurity and roles for women are actively being encouraged to enter and engage in the industry. However, alongside the challenges of digital disruption and a global cybercrime industry, women themselves continue to be challenged with achieving equal diversity and inclusion, role opportunities and pay scales. Adeline Teoh On behalf of Palo Alto Networks and the Australian Cyber Security Magazine, you are invited to join Mihoko Matsubara for an intimate round-table discussion around the challenges facing women in cybersecurity, including young women, mentoring programs, women’s advocacy, cross-career training and maintaining a diverse workforce. Your participation in this discussion will hopefully enable you to identify ways and exchange ideas to address these challenges and apply them at your workplace. This is a very limited seating engagement so please register ASAP to reserve your seat.

Kindly RSVP by 20 October 2017 to rsvp@mysecuritymedia.com or 0432 743 261

PROUDLY ORGANISED BY

2 | Australian Security Magazine

Contents EDITOR'S NOTE Executive Editor / Director Chris Cubbage Director / Co-founder David Matrai Art Director Stefan Babij

MARKETING AND ADVERTISING T | +61 8 6465 4732 promoteme@australiansecuritymagazine.com.au

ince taking on the role as Director &

group think or ego driven direction. Diversity

Executive Editor of the Australian Security

provides the balance to risk related decision

Magazine and introducing other publications, I

making, be it frontline services or across

have always wanted to acknowledge the many

the cyber and technology domains. Having

women who grace the industry but often do

worked alongside talented and skilled women

not get the recognition they deserve. Diversity

throughout my career, I've been proud to profile

and inclusion are critical for any industry, but

these many women across our channels. I'm

more so in the domain of public safety, security

pleased to provide this special edition which

and risk management. Not only because of the

celebrates

meritorious value diversity brings, but also to

Security series. Enjoy the read!

circumvent the domination of males subject to

PLEASE NOTE: Articles published between

Copyright © 2017 - My Security Media Pty Ltd 286 Alexander Drive, Dianella, WA 6059, Australia T | +61 8 6465 4732 E: editor@australiansecuritymagazine.com.au All Material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

long

running

Women

2011 - 2017 so work titles, positions

SUBSCRIPTIONS

www.australiansecuritymagazine.com.au/subscribe/

our

and

personal circumstances may have changed.

Fighting Complexity - Bonnie Butlin

Conversation & Communication the Key - Kristine Leo

Is there a Doctor in the house - Dr Anne Aly

Keeping Justice Alice - Barbara Etter

Relationships: Make or break businesses - Marnie Tisot

Out of the box - Bluann Williams

Flash forward - Kate Fitzgerald

Protecting Intellectual Property - Heidi Ng

Learning to shine - Lyndall Milenkovic

The key to success: Just fall - Diane Smith, Jeannette Jackson, Chantelle Miruzzi, Marie-Antoinette Houssard

Women : Top Agenda - Liz Alford

www.facebook.com/apsmagazine

A six-pack of cyber security awareness - Connie McIntosh

www.twitter.com/apsmagazine

Committed to the truth - Sheila Ponnosamy

www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about

Thinking before we click: the unseen face of online security - Karen Stones

But you are a woman - Michelle Weatherhead

Think like a criminal - Melissa Wilkey

CONNECT WITH US

www.youtube.com/user/MySecurityAustralia

The modern ‘Sherlock Holmes’ of the cyber world…in Silicon Valley - Prima Virani 36 www.australiancybersecuritymagazine.com.au

www.asiapacificsecuritymagazine.com

www.malaysiasecuritymagazine.com

www.drasticnews.com

www.chiefit.me

www.youtube.com/user/ MySecurityAustralia

www.cctvbuyersguide.com

Championing for open source collaboration - Prima Virani

From law to cyber security - Rachael Falk

Uniquely placed to lead mission critical information systems - Christine Zeitz

First in reverse for Australia - Noushin Shabab

Catwalk to tech-talk - Kan Tang

Journey to customers - Tammy Schuring

OUR NETWORK Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions. Australian Security Magazine | 3

Women in Security

Fighting Complexity By Kema Rajandran APSM Correspondent

aving just wrapped up the second annual Women in Security Lecture Series, the Canadian Security Partners’ Forum (CSPF) is busy preparing for next year’s event after being inundated with requests for information. Attended by over 270 professionals on the 7th February in Canada, CSPF Executive Director, Ms Bonnie Butlin explains that the CSPF wanted to create a common platform to bridge and bring together the unique segments of security. The CSPF represents an agile network of security associations operating across Canada with the purpose of enabling enhanced communication and collaborative opportunities. “A function of the CSPF is being able to examine security issues more broadly than any of its associations by themselves or in combination, yet being able to go deep into the issues by bringing together the key experts in the areas in question,” Ms Butlin said. Butlin believes that building security capacity and resilience is essential and while she says that it may be difficult to think long-range beyond shortterm pain in these times of fiscal restraint and cuts, she sees it as a need in the Canadian security landscape. “In our field it is essential to keep the strategic goal in sight, particularly when threat networks are working on time horizons counted in centuries not years. We need to close that gap.” “The Women in Security Lecture Series is filling a need in the Canadian security landscape in terms of bringing disparate elements of

4 | Australian Security Magazine

Bonnie Butlin - Canadian Security Partners’ Forum (CSPF) Executive Director

“In our field it is essential to keep the strategic goal in sight,”... the Canadian security capacity together and highlighting convergences among them.” This year’s event was highly anticipated with a panel of speakers covering a range of disciplines and domains, including: cyber, national security, physical security and risk management, academia and law enforcement, portfolio management, critical infrastructure and more. “Women are integral to the Canadian security effort and the Women in Security theme, which is both positive and neutral, is supported by the Canadian security community, particularly among the Canadian military.” Butlin’s passion in Political Science and International Affairs developed at a young age, growing up in a family where the key value was character, with an expectation that this was to be demonstrated through the military or law enforcement. “There was also an expectation that character would be demonstrated through personal choices and conduct that was reflective of patriotic service, individual contribution to the greater good, and a commitment to making hard decisions and acting on what one believes is true and right.” Butlin explains that these expectations were

informed by a combination of strong British and Irish military tradition; German Christian influence in terms of charitable service, emphasis on truth, and family pride; and Métis culture, with its emphasis on personal autonomy in decisionmaking and action, and personal responsibility to the community through giving of self. “I have heard the name ‘Butlin’ traces back to a French aristocratic line, and means ‘kick the villain’. In my line of work I would like to think that that element has carried through as well.” As a child, Butlin lived with the tensions associated with her mother being German and her father’s family who had every male member in two generations fight in WWI and WWII. “We moved frequently within Canada due to my family’s law enforcement postings and I became increasingly aware of the conflicts among ethnic and class groups within Canada, and over time my interest in security and national issues grew.” “The family imperative for service and high expectations for managing the complexities of one’s choices and loyalties made a lasting impression on me and continue to shape the way that I approach complex relationships today.” Focussing her bachelor’s studies on terrorism, military strategy, nuclear containment theory, power politics and advanced Machiavellian theory, Butlin went on a slightly different direction during her graduate studies after the 9/11 attacks towards counterinsurgency and counterterrorism and complex threat networks. While Butlin acknowledges that problems

Women in Security

“Women are integral to the Canadian security effort and the Women in Security theme, which is both positive and neutral, is supported by the Canadian security community, particularly among the Canadian military.”

Ottawa Ottawa

are becoming more complex, she believes that by working harder, being more creative and communicating more effectively – a place where the CSPF will be critical - are all key to fighting complexity. “People and communication are key in fighting complexity. We are seeing real results with the Forum network so I am more convinced of the need for networking than ever.” “Building networks is critical, we hear this all the time but in security, defence and intelligence, and in going up against complex threat networks, friendly networks are essential.” In addition to working with security-related associations that represent all the domains of security the CSPF works across a variety of vectors including government, professionals, educators, and is also drawing the attention and participation of international partner states in a collaborative and comprehensive security approach. “The CSPF network is a catalyst for bringing previously siloed elements of the security, defence and intelligence communities together, toward building Canadian capacity and promoting seamless interactions amongst disciplines and personnel.” “As I see it, we are all playing on the same team.” Editor’s Note: APSM was proud to be a media partner to CSPF Women in Security Lecture Series and welcomes information on any similar initiatives in the Asia Pacific region.

From Left to right: Silvia Fraser - CPP, PMP, CRM, CSPM, Corporate Security Supervisor, City of Toronto Janet Thorsteinson - Vice President Government Relations, Canadian Association of Defence and Security Industries (CADSI) Commodore Elizabeth M. Steele - OMM, CD, Deputy Chief of Staff (Materiel) Natalie Runyon - MBA, CPP, Director, Global Security, Thomson Reuters Djenana Campara - President and CEO of KDM Analytics Dr. Alison Wakefield - Senior Professor in Security & Risk Management at the Institute of Criminal Justice Studies, University of Portsmouth Christina Duffey - CPP, Vice President, Operations, Paragon Security Lisa Gordon-Hagerty - MPH, Founder, CEO, LEG Inc.

Australian Security Magazine | 5

Women in Security

Kristine Leo Security Advisor, Woodside Energy

By Kema Rajandran APSM

he security professional today is part of a diverse workforce and represents a variety of backgrounds, but despite diversity in race, age or gender, many people still believe that the average security employee is a male with military or law enforcement experience. While men represent the majority of employees in the security sector, more and more women, like Woodside Energy’s Security Advisor, Kristine Leo, are gravitating to the field. Woodside, an independent Australian oil and gas company, is one of the world’s leading producers of liquefied natural gas helping meet the demands for cleaner energy from Japan, China, Korea and other countries in the Asia Pacific region. With a team of 20 in the company’s Security and Emergency Management Department, staff have varying roles including fraud and corruption control, crisis and emergency management, and intelligence and research. “The training provided at Woodside is comprehensive but the focus is on improving the skills within each specific role, such as intelligence training, cyber security, maritime security, risk management, crisis management, audit and assurance,” said Kristine. “There is a strong focus on experiential learning and building relationships along with the academic value gained with partnerships with tertiary institutions.”

6 | Australian Security Magazine

Conversation & Communication the Key for Kristine

Women in Security

“Policing teaches you very good people skills and it’s necessary to communicate at a number of levels along with managing internal and external expectations.” Her focus is on corporate security at a strategic level. This includes the protection of people and company assets in a number of different parts of the world during development, exploration, commercial negotiations, drilling campaigns and production. While Kristine recognises that in certain situations and environments there may be benefits of physical size and strength in the industry, she believes the value of conversation and communication outweigh all other attributes. “People and communication skills are essential in the role. Mitigating threats in any environment will always involve liaison with a number of stakeholders with varying perspectives.” With experience dealing with flexible and dynamic situations and continually evolving threats in all parts of the world, she affirms that business risk owners need to be fully appraised of the environment, their vulnerabilities and provided the necessary security advice and assurance. “You also need strong engagement with government, regulators and law enforcement. You have to be able to sell the return on investment which isn’t always easy when you’re talking intangible benefits.” Showcasing an impressive academic background, with a Masters in Leadership and Management, Graduate Certificates in Emergency Management, Applied Management and Management, a Bachelor in Investigations, and a Certificate IV in Workplace Assessment and Training, Kristine spent the majority of her career in the police force. During 23 years of Policing, with the last seven as a Police Superintendent in two jurisdictions (NT & WA), she was in charge of areas ranging from remote bush stations in Arnhem Land to running counter terrorism capabilities and intelligence. The opportunity and the possibilities provided in a larger state within a larger organisation appealed to Kristine and with the support of her family the move from Darwin to Perth was positive. “Policing teaches you very good people skills

and it’s necessary to communicate at a number of levels along with managing internal and external expectations.” After 23 years in Law Enforcement, Kristine’s move to Corporate Security was a complete change in direction. “Corporate security had never been on my radar as a possibility, even though I had exposure to the industry through Policing roles in Counter Terrorism and Critical Infrastructure Protection, it’s an exciting time to be involved in the industry as Western Australia is currently the focus for the resources sector in Australia.” While there are similarities with the level of liaison required with government and industry; Kristine says it wasn’t an easy shift dealing with issues from the other side of the table. “There are obvious synergies with the two roles; however perspectives differ dramatically in the two environments which doesn’t always mean a smooth transition.” However she used this to her advantage as an opportunity to learn, not necessarily through academic pathways, but through exposure and experiential learning. “The best way to learn is to do the job itself.” Highlighting the importance of having a solid network of friends and colleagues, she attributes her profile and success to the people she has met and opportunities she has been fortunate to have along the way. “While there are many I could mention, I’d say the most I’ve learnt from anyone recently has been through my current manager, Bill Forbes. Good mentors are rare and I still maintain very good linkages with those I have mentored and my own mentors from the past.” “I am also lucky enough to have two mentors within Woodside outside the Security function who are invaluable.”

December 2012 | Asia Pacific Australian SecuritySecurity Magazine Magazine APSM | 7

Women in Security

Is there a Doctor in the house? Dr Anne Aly One of the most respected counter terrorism and counter radicalisation experts in Australasia.

by Kema Rajandran APSM

espite a view that security and counter terrorism is male dominated; Dr Anne Aly has established quite a high profile within the industry. A senior lecturer, researcher, author, Councillor for Australian-Arab Relations and mother of two who also made an appearance as a model at the Perth Fashion Festival last year, Dr Aly believes that being passionate about what you do is absolutely essential so it does not feel like work. With a Bachelor of Arts from the American University in Cairo, a Post Graduate Diploma in Linguistics, a Master of Education and a PhD in Cultural Studies, Dr Aly is one of the most respected counter terrorism and counter radicalisation experts in Australasia. Her knowledge stems around working and researching in terrorism studies, where she developed an interest in how people respond to terrorism and how those responses are part of the broader effort to counter terrorism through both hard (military, defence and security) measures and soft measures that involve social change. Previously holding a position as Senior Policy Officer within the Office of Multicultural Interests in Western Australia, Dr Aly started to focus on the issues that Muslims were facing in response to the September 11 attacks in the United States. “I really enjoy policy and have an interest in how policy can be influenced and shaped. After the terrorist attacks in 2001, I had a lot more to do with the government’s policy responses to terrorism and initiatives such as the National Action Plan.” It comes as no surprise that her advice is sought

“I think Australia is a very multicultural country. We can’t allow events like September 11 to divide us – that’s what terrorists want...” after worldwide. She has published papers on the fear of terrorism, the media discourse on terrorism, the media construction of Muslim women and Australian Muslim identity, presented papers at national and international conferences on the history of terrorism, the media and Australian Muslims and the policy response to the threat of terrorism and Australian Muslim identity. She had been working on policies and projects with Muslim communities that were under the banner of countering terrorism and after the attacks in London in 2005 when the opportunity arose for a PhD schoIslarship in the area, which she quickly snapped up. Her thesis was on Australian responses to terrorism and delved into the fear of terrorism in Australia among Muslims and the broader community. Much of the media and literature represented Australian Muslims as the victims of negative media stereotyping post the September 11 attacks and Dr Aly’s research explored the implications of the phenomenon of what it means to be an >>

8 | Australian Security Magazine

Women in Security

Australian Muslim. As part of her PhD project, Dr Aly and her supervisor - Professor Mark Balnaves, developed Australia’s first Metric of the Fear of Terrorism. As a self professed “progressive Muslim”, Dr Aly is proud of her culture as a mix of Australian, Egyptian and Muslim, while she observes Muslim traditions such as Ramadan however she chooses not to wear the head scarf or traditional dress. Dr Aly grew up in Sydney, a place she feels is very multicultural however she admitted having faced some racism and discrimination which contributed to her identity and personal strengths. “I attended an Anglican school for girls and had to learn how to navigate two very different worlds. It was a real advantage although a challenge at times.” “I think religion is a personal matter and it is about cultivating a relationship between yourself and whatever higher being you believe in.” While her beliefs and practices did not change, she observed some people become more religious after the terrorist attacks and believes the trend is about identity and the cultivation of a Muslim identity. “I think Australia is a very multicultural country. We can’t allow events like September 11 to divide us – that’s what terrorists want. Above all terrorists aim to influence populations. We cannot let them influence us by dividing us along cultural, racial or religious lines.” In 2011 Dr Aly was inducted into the West

“...religion is a personal matter and it is about cultivating a relationship between yourself and whatever higher being you believe in....” Australian Women’s Hall of Fame in recognition of her work in counter terrorism and her contributions to the field of security studies. “It was such a humbling experience and an honour to be recognised in that way. I come from a very working class background and I never imagined that I would be recognised in any capacity. My mother was in the audience. She was very proud.” She also received the Minister for Multicultural Interests individual community services award for her work in combating racism and discrimination and is the first female Australian Muslim of Arabic background to write the first book in the area of terrorism studies with a uniquely Australian outlook. The one-of-a-kind terrorism book, Terrorism and Global Security: Historical and Contemporary Perspective, was officially launched by the Hon Kevin Rudd MP, Minister for Foreign Affairs at Curtin University earlier this year. The book takes a multidisciplinary approach to terrorism drawing from psychology, political science, criminology and sociology. “I wrote the book because I was frustrated with having to refer to US books that were very US centric and did not really apply to the Australian or Asian context so I decided to write my own book instead.” She plans to have her next book based on more case studies and focus on counter terrorism and the different approaches that governments have taken in addressing the threat of terrorism. However, at the present time Dr Aly’s major research interests are radicalisation in the Maldives as a Muslim state in transition to democracy and in the responses to the Bali 2002 and 2005 terrorist attacks. She explains the term ‘radicalisation’ as “a process of engagement with a violent or extremist ideology that can lead to acts of terrorism.” “Some scholars see it as a precursor to terrorism. There is general agreement however that radicalisation does not necessarily lead to terrorism and that individuals who have disengaged from terrorism can indeed continue to have radicalised views.” For Dr Aly, the interest is in the social,

political, environmental and economical drivers of radicalisation in the country. She holds a strong focus on the group and social factors that are influencing broad populations to adopt a more extremist interpretation. Through her research, Dr Aly found that the internet had an enormous impact on how people thought about terrorism. People are now turning away from traditional media and go to the internet as their primary source of information and it has empowered a lot of people to learn more and understand about terrorism. With her strong publication and research record, she highlights the importance of finding ways to translate research for government so it can influence policy and also to communicate to the general public. Dr Aly spends a great deal of her time giving public lectures on terrorism and responses to terrorism simply because people are genuinely concerned and want to know more. She also engages with government and law enforcement agencies and manages an international network of researchers and practitioners in the field. “Since September 11, there is such an increased awareness of terrorism now and a lot of public interest too. Governments and the public are much more aware and open to the fact that fighting terrorism is not just about military action but can involve a range of approaches and strategies. This is a really important trend and one that we need to keep going so that we can achieve long term change.” “Unfortunately terrorism is not new and it is not likely to end any time soon. It’s important to view the terrorist threat not just in terms of a terrorist attack on persons or property but also in terms of the ways in which terrorism (and its response, counterterrorism) affect our society and our lives.” “I believe that we can stop terrorism through a diverse approach that builds resilience to terrorist ideologies as well as security and defence.”

Australian Security Magazine | 9

Women in Security

Keeping Justice Alive

ll that is necessary for evil to triumph is for good men to do nothing.” - Edmund Burke.

Barbara Etter APM

‘Be Your Best – Integrity, Justice and Humanity’

10 | Australian Security Magazine

This is one of the many quotes that appear on Integrity and Justice Consultant, Barbara Etter’s business website, BEtter Consulting. A business she developed after identifying the need following her early departure as the CEO of the new Tasmanian Integrity Commission. The company’s vision is ‘Be Your Best – Integrity, Justice and Humanity’. This call to action that Etter upholds applies to individuals, organisations and society in general. It should come of no surprise that Etter has a passion for integrity, with 30 years of distinguished police service with the NSW, NT and WA Police, as well as roles at the national level; Etter was also awarded the Australian Police Medal (APM) in 2008. “I believe that it is important that we know what we stand for and what our values are and that we live consistently with those values, in both our personal and professional lives,” Etter said. “One particularly important role for the Integrity and Justice Consultant, in relation to complex criminal cases or possible miscarriage of justice issues, is to fill any gap or void between clients and lawyers. Such matters may include forensic evidence spanning many fields of forensic science.” Her journey at BEtter Consulting started with reviewing the case against convicted murderer Susan Blyth Neill-Fraser. Neill-Fraser is currently serving a 26-year jail term for the murder of her partner, Bob Chappell. Hobart Supreme Court judge Alan Blow said he was convinced Neill-Fraser attacked Mr Chappell on board their yacht and dumped his body in the river. Found guilty by a jury in late 2010, she has sustained her innocence. Etter says that as Mr Chappell’s body had never been found and there had been no confessions or direct forensic evidence it was an unusual case. “I am working closely with Sue Neill-Fraser’s legal team with a view to also presenting a petition for mercy to the Tasmanian Attorney-General in the near future on new and fresh evidence,” she said. Tight lipped on the evidence, Etter did divulge that she has uncovered new information which, subject to legal advice, she will reveal in her

By Kema Rajandran APSM

book Murderers Amongst Us, due to be launched in August this year. “The plan is to launch it at a public forum designed to ‘kick off ’ an Innocence Project here in Tasmania, drawing on models within Australia and overseas. I found the International Justice Conference held in Perth in March 2012 particularly inspiring and an invaluable networking forum.” “Innocence Projects are springing up all around the world. In fact, experts in this area talk about the growth of the “Innocence Movement”, a basic Human Rights issue. It would be unwise to think that Tasmania is immune from the diverse causal factors that have led to many proven wrongful convictions of the innocent around the world.” Having recently finished her first true crime book manuscript based on my review of Neill Fraser’s murder conviction, she has found that the role is evolving into an important public advocacy role. Having presented at over 60 conferences, majority in relation to leadership, integrity, ethics and many times interlinking those topics to women, Etter believes better gender equity and diversity are key strategies that should be employed by any organisation to ensure a diversity of skills, thinking and experience. “I am always keen to encourage more women to pursue their personal goals, whatever they may be. There should not be unfair restrictions prohibiting women from entering any profession or industry, if they are capable of performing the relevant tasks.” A lady of uprightness with many passions, she has been happily married for 20 years and supports AIDS orphans in Zimbabwe, a young boy in Africa through World Vision and sponsors three children in Bali. She also enjoys painting in water colours and acrylics. She was a President of the WA Police Sports Federation for four years and nabbed a gold medal in the Toughest Competitor Alive event at the Australian and New Zealand Police Games in 2004, showing that she is strong not only in the mind and with her values but also physically. “I believe that work is just one small but important part of our existence and that in the end it is about family, friendships and the relationships in our lives that really count. My aim in life is to live, love, learn and leave a legacy!”

Relationships: Make or break businesses ‘many people with brilliant technical abilities work twice as hard to get things done because they struggle to understand other people’

By Kema Rajandran APSM

ccording to Marnie Tisot, Transport Security Inspector at the Department of Infrastructure and Transport, relationships make or break ideas, projects and even businesses. With an academic background in behavioural analysis, psycholinguistic analysis, micro expressions and human skills, she attributes success to understanding people and building and maintaining effective relationships. Her interest and professional development in human skills has helped in many situations over the course of her career such as getting to the heart of stakeholder issues. “The key things I’ve learned from human skills training are that firstly there is a hard science behind it that everyone can use to improve, secondly that if you practice you really will see a difference, and thirdly that you need to be ethical in your motivations,” she said. She alludes that people will eventually see through manipulation and recommends that people should understand human interaction to help achieve the end goal. “I’ve seen so many people with brilliant technical abilities work twice as hard to get things done because they struggle to understand other people, and I’ve seen people with more limited technical skills have enormous influence because of their people skills.” Tisot’s career took a turning point in 2006 when she was faced with the challenge of influencing a diverse industry, spanning road, rail, sea and air. She realised that as a government

Marnie Tisot Transport Security Inspector, Department of Infrastructure & Transport

representative she would not achieve much by trying to tell industry what to do. So she developed an initiative called Industry Leading Industry that empowered businesses to be best practice leaders in workforce management. “This piece of work will always stand out for me as it taught me the value of positioning my work and demonstrating its value within the broader business context. It also taught me that if you simply tell people what to do you will only ever achieve the minimum; lead and motivate them and you will see the exceptional.” In 2010, Tisot received the award for the Young Professional of the Year CILTA (Chartered Institute of Logistics and Transport) Queensland in recognition of her work with the Queensland Government to build workforce capability in the transport, logistics and supply chain industry in Queensland. Given the opportunity to partner with industry to develop innovative and sustainable solutions to the skills and labour shortages that it was facing, the initiative she was involved in was so successful that in 2008 the model for industry engagement was adopted nationally by the Council of Australian Governments (COAG). “This role taught me the value of partnerships and the difference that true collaboration can make, and I received the award in recognition of my enthusiasm and willingness to go above and beyond to achieve results for both government and industry.” Speaking against the stereotype of being ‘big and strong’ to be in the security industry, Tisot puts value on good judgement and interpersonal

skills and encourages more women to join the security industry. “Research shows that organisations with good gender diversity are actually more productive and profitable. I always remember Maureen Frank, one of Australia’s pre-eminent experts in gender diversity describing it as ‘the magic of the mix’.” A fairly new entrant to the security industry, Tisot views her background in human resource management as positive, giving her a unique perspective on her current pathway. “Understanding people and organisations is a very transferrable skill, for instance you can have the best systems and processes in place but if you are experiencing things like high turnover and poor workplace culture then you will find it very difficult to achieve robust security outcomes.” However she does not take this for granted and is a big believer in life long education. With the security industry interfacing with so many other industries that are sensitive to change Tisot believes that we can never afford to stop educating ourselves. “For me this can take on many forms such as coaching, mentoring, job rotation and project work. I’m never satisfied with just one type of learning!” “As women we can sometimes suffer from a lack of confidence and hold ourselves back from pursuing what it is we really want. In my experience you have everything to gain and nothing to lose by trying - the times I’ve been successful have far overshadowed the times I haven’t been, and in every case I’ve been glad that I went for it.”

Australian Security Magazine | 11

Women in Security

Out of the box From shop floor to drive-through liquor stores, Bluann Williams has seen retail from almost every angle. Find out why after more than two decades in security she’s found her match in the pharmaceuticals industry.

D By Adeline Teoh Correspondent

12 | Australian Security Magazine

rugs and money. Each on their own are already targets for theft, but put them together and you have an exponentially higher profile target. With such a large threat, you’d be forgiven for thinking South Australian retail chain National Pharmacies, which operates in South Australia, Victoria and New South Wales, has a platoon to defend it. But when you meet the team, you’ll meet National Security and Loss Prevention Manager, Bluann Williams, and that’ll be the end of introductions: Williams is the team. Williams understandably has a large part to play in the wellbeing of the business. In addition to physical security – locks, keys, codes and CCTV – she is also responsible for loss prevention, training, profit protection, compliance and governance. And let’s not forget she’s on-call 24/7 for emergency incidents, which can range from a late night break-and-enter to a customer taking the wrong medication. You could say she has been in training for this for some time. Starting in retail as a checkout operator, Williams rose to store manager and soon discovered an interest in preventing retail theft. “I found a world of theft and security and prevention and ended up in supermarket retail doing investigations,” she recalls. “When the supermarket branched

out and became a group I started doing department stores.” Despite achieving a Diploma of Risk Management and undertaking numerous other forms of training in investigative services, security operations, training, governance and even accounting, Williams says it was her on-the-job experiences that taught her the most. After department stores she worked in the fuel business, and took other opportunities like liquor drive-throughs. “I pretty much wanted to get experience from every possible angle I could, so supermarkets, department stores, fuel, hotels and pharmaceuticals – which I haven’t left because it has been the most challenging.” Hooked on pharmaceuticals After six years in pharmaceutical retail, Williams has seen a lot, including some well thought out thefts. “There was a group that came in and caused a disturbance within a store in order to take the emphasis off what they were doing. They were setting up stock to come back at a later time [to steal]. The continuation of evidence there was so hard to prove because it was two different days with two different people,” Williams recounts.

Women in Security

But sometimes, she says, it’s the simplest acts that are the most surprising. “You do not expect a customer to walk in, take a handful of stuff and walk out. The simple ones are the biggest challenge.” Despite this, she knows she’ll never see it all. “When I came on board there were processes in place but security is ever evolving and the risks are always changing. Sometimes you just become a target for organised retail crime and suddenly nothing you have in place is effective enough. Just when you think nothing can go wrong, something happens and you need to think outside the box again.” It’s this evolving landscape that keeps her in the security industry, she admits. “No two days are the same. No matter how well you plan your time or how organised you think you are, you can bet something will happen and it will all change. You’re always on your toes and that’s what’s great and challenging about the industry. If you’re bored and you’re experiencing the same problems again and again it means you didn’t fix it the first time.” The side effect of this is that there’s never a sense of closure, never a 100 percent success rate. “You can reduce it, you can change it, but you’ll never stop it,” Williams states. “That can be frustrating, especially when you have a particular offender. They go to the courts, they come out and within an hour of leaving jail they’re offending again. And it drives me bananas.” She’s adamant that society is not hard enough on theft, the missing step being treatment of the cause rather than the symptom. “Offenders are continually offending. We need to get back to the original cause, whether it’s a drug habit or mental illness. They need help, they need an extra step and we just don’t provide that.” Treating risk Because she’s a one-woman team, Williams uses training to help her do her job. A big part of loss prevention is just good old-fashioned customer service, she says. “We don’t like to have our employees do anything in relation to apprehending shoplifters or anything like that, it’s all based around providing exceptional customer service. When you have interaction with people it fixes everything else.” She uses the retailers as her eyes and ears. When there’s an incident, she needs to know as many details as they can summon. “A lot of my role is explaining to the stores what we need them to tell me. I can only work on the information I’m given so once I’m given that information I then risk-analyse it,” she says. Retail presents an interesting environment for risk management. Making things convenient for customers exposes stock to potential thieves, but Williams is wary of being overprotective. “There’s no point locking everything up in cupboards. Although that’s going to stop it from being stolen, a lot of the time if they want it badly enough they’ll break in after hours and cause damage, which is probably more than the product is worth. You need to figure out whether you are willing to accept that as a loss to the business rather than implement something that’s going to cost more than the risk itself. “It’s that tightrope of what you are willing to lose in respect

“Sometimes you hear something and think ‘I don’t know how that could be related to me’ and then because it’s in the front of your mind you notice things,” she says of using techniques in other industries to help her in retail. to what it will cost you. We have budgets in relation to theft and we just have to make sure we sit within those budgets.” Collective intelligence While Williams doesn’t have security colleagues in her department at National Pharmacies, she does share knowledge and war stories with other retailers who meet with a police intelligence group once a month. “Because of the rules of privacy we have to be careful of what we say and how we say it and what we identify, but in general it’s a good monthly meeting on ‘we’re getting hit this way, how are you guys going?’” she explains. “That is a really important thing I do being a one-person department. It gives me an idea of how to move forward.” She also notes that because the security sector in South Australia is small, everyone tends to know everyone else and there’s a lot of networking across the industry. The effect of this is a broad understanding of different issues, some of which are unexpectedly helpful. “Sometimes you hear something and think ‘I don’t know how that could be related to me’ and then because it’s in the front of your mind you notice things,” she says of using techniques in other industries to help her in retail. Being human In addition to looking at retail with her security eye, Williams says she’s also partial to recreational shopping, though spends just as much time examining the behaviour of other shoppers as she does examining products. “A lot of the time I get distracted seeing what customers are doing instead of actually shopping. I am a people-watcher.” The behaviour piece has become something of a hobby, she admits. “I look at Big Brother – a show everyone loves or hates – completely differently to everyone else. I watch the behaviour when they’re faced with a situation rather than listening to them sitting there chatting.” Other hobbies include reading and cooking, with travel wistfully included on the list. “I love to travel but I don’t get that much of an opportunity because I need to be available 24/7 at the moment. It’s really just staying at home and waiting for that phone to ring.” If it sounds like work takes up too much of Williams’ life, don’t be fooled. Her advice to anyone starting out in the industry is to remember that it’s not all about living to work. “I’ve been doing this for 20 plus years now only because I’m passionate about retail theft and the billions of dollars we lose every year globally, but you can’t solve everyone’s problems overnight. Sometimes you need to sleep. Find the happy medium, have a life.”

Australian Security Magazine | 13

Women Women in in Security Security

Flash forward A flash flood changed Kate Fitzgerald’s career direction and now the emergency management professional is looking at how we can mitigate future risks.

W By Adeline Teoh Correspondent

hen Kate Fitzgerald left school she enrolled in veterinary science. It was a flash flood— not quite a sea change—in her Wollongong neighbourhood that took her on a completely different career path. “I remember walking around the area seeing houses destroyed. That event made me really interested in natural disasters and emergency management, even though I didn’t know it was called that.” The spark of interest turned into a volunteer stint at the NSW State Emergency Service (SES) where she met a commander who was completing a degree in emergency management at Charles Sturt University. Fascinated, Fitzgerald inquired about enrolling, then changed her degree. Now she works in Relief and Recovery Operations at Emergency Management Australia (EMA), a division of the Attorney-General’s Department, looking after the Natural Disaster Relief and Recovery Arrangements program, which assists with recovery efforts. Summer is understandably the organisation’s busiest time with a range of possible disasters on the radar: from bushfires to cyclones and floods. The team needs to be ready to activate response and recovery support as well as deal with the political aspects that accompany a major incident. The organisation’s scope also covers terrorist events. In winter it’s about ensuring recovery efforts stay on track and reflecting on the effectiveness of the previous season’s work practices. “We work primarily in the recovery space. Some of the work we do within the recovery space may then flow into a community becoming more resilient or more prepared for the season ahead,” says Fitzgerald. A global calling But Fitzgerald’s career was not always Canberra-based. In her early 20s she lived and travelled around Europe for four years while undertaking her degree by distance education. After the traditional rite of passage working in bars, she landed

14 | Australian Security Magazine

Kate Fitzgerald

an administration role in the emergency department at Dublin’s St Vincent’s Hospital, which evolved into Fitzgerald contributing to its evacuation and crisis planning, bringing her education to life. When she returned to Australia in 2008 she took on a three-month contract role with EMA to deliver a conference. In 2009, the Victorian bushfires turned that conference producer role into a substantive longer-term position helping to coordinate the offers of international assistance. Meanwhile, she had begun studying her Master of Emergency Management by distance, again through Charles Sturt University. For two years, Fitzgerald worked in the EMA office before the department was restructured, then moved into the National Security Capability Development Division. “I worked in a range of roles there. I was still in the emergency management sector, but managing mitigation, funding programs, and things like that.” That led to a yearlong stint in Prime Minister and Cabinet (PM&C) as an emergency management adviser within the National Security Division. “We had a number of significant disasters while I was at PM&C, the Queensland floods and so on. I was involved in providing advice to the Prime Minister and to the government on the emergency management implications of those disasters,” says Fitzgerald. She returned to EMA as an executive officer to a Division Head for a period of time before being offered a scholarship through the US Congress-funded Asia-Pacific Leadership Program at the University of Hawaii. “It was a 12-month program and I lived in Hawaii for six or seven months. While I was there I focused on emergency management and worked with people from around the AsiaPacific area. There were about 30 of us from 20 countries. It was pretty diverse both participant-wise and also what we focused on, which was part of the attraction for me.” Fitzgerald chose risk management, sifting through research conducted by the World Economic Forum on the impacts of

Frontline

the interconnectedness of global risks. During the program, Hurricane Sandy hit the east coast of the USA and Fitzgerald was deployed with the American Red Cross to assist. Practical in an emergency It wasn’t the first time Fitzgerald had lent a hand to a recovery effort. Her volunteer work with the SES in Wollongong involved repairing roofs and heading out in a boat to provide assistance. Since then, she’s been doing practical training alongside study. “I got that ethos from my family, just going out and helping my community. I got a lot of great training experiences, learnt a lot about team management and leadership.” It served her well, too. After her undergraduate degree she realised the qualification wasn’t enough on its own. “What I underestimated was the importance of both experience and practical application,” says Fitzgerald. “I wouldn’t have got to where I am today without having volunteered, and I also feel that I wouldn’t be as effective at my job without my volunteering experience, without keeping a finger on the pulse about the real concerns and issues of people that are impacted by disasters.” Even in Ireland she volunteered with Civil Defence, an organisation like the SES, then when she settled in Canberra she joined the ACT Rural Fire Service and the Australian Red Cross Emergency Service, which she’s served for more than five years. “I was a bit nervous about joining the Rural Fire Service because I thought it was a macho environment, but it has been one of the most welcoming environments I’ve ever volunteered or worked in,” she describes. “It has been nothing but supportive about more women coming in.” The operational sector is male-dominated, she admits, but the emergency management industry as a whole, including research, mitigation and planning, policy and administration governance, has a roughly 50/50 gender split. “AIIMS [Australasian Inter-Service Incident Management System] has a military command-and-control structure, so that tends to be a masculine leadership style,” Fitzgerald explains. “When you move into the recovery space you’re dealing with complex, long-term problems which are centred primarily around providing social support to the community. You tend to find women working in those community service roles, traditionally.” The macho stigma simply comes from the media attention, which is usually focused on the more newsworthy ‘response’ part of an incident. Fitzgerald says emergency management is actually quite an equitable environment. “My very early experience was my SES unit, which was about 50% women, 50% men. The fact that I was a woman was never really an issue. I think that’s just something I’ve been particularly blind to for most of my career.” Modern risks Volunteering has also informed her studies. Her researchbased master’s focused on volunteering within the emergency management sector, which helped her develop a national risk framework for Australia based on comparable frameworks

I was a bit nervous about joining the Rural Fire Service because I thought it was a macho environment, but it has been one of the most welcoming environments I’ve ever volunteered or worked in,” from the USA, New Zealand and the UK. Fitzgerald says it was a catalyst for the leadership positions she then secured. “It really made me think strategically about how issues within emergency management are connected and addressed and moved my career direction away from that operational focus to a broader strategic focus across the PPRR [prevention, preparedness, response and recovery] spectrum of emergency management.” This all funnelled into the Asia-Pacific Leadership Program where the threefold benefits were building her leadership skills, reaffirming her passion and direction within the emergency management sector and networking across different countries and cultures. “I got fantastic exposure to some of the work that’s going on, in both a regional and international sense, on risk management,” she says. “I was lucky to do the work with the World Economic Forum looking at global risks and developing methodologies for workshops within the region on future thinking: identifying and mapping those futures and then identifying the risks within those environments and how countries and governments can prepare for those future risks.” One future risk she’s particularly interested in is the risk of modernity, which she covered in a presentation at the Australia and New Zealand Disaster and Emergency Management Conference earlier this year. Using Ulrich Beck’s World at Risk as a starting point, Fitzgerald spoke about how society’s over-reliance on technology—such as electricity and telecommunications—can exacerbate the effects of an incident. Hurricane Sandy showed Fitzgerald what the risks of modernity looked like. Response issues quickly transitioned from providing basic needs, such as food and accommodation, to the consequences of modern society, she reports. “The American Red Cross personnel weren’t able to communicate with each other. They had no radio infrastructure, as they were entirely dependent on being able to communicate by mobile phone. They hadn’t prepared for or anticipated the complete failure of the telecommunications system.” It’s not all disaster and firefighting for Fitzgerald, however. In between her day job, volunteering and other roles, including lecturing on decision-making as part of the CSU course, she keeps active with sport, playing tennis and netball, and travels to see family members who live on the coast, as well as those in Ireland. But even she admits she can’t get enough of emergency management, with plenty of passion left in the tank. “I can’t ever imagine working in another sector, so I don’t have a lot of spare time. I’m either volunteering or reading something about it. You really do get to see on a very tangible level your ability to be able to assist following a disaster.”

Australian Security Magazine | 15

Women in Security

Protecting Intellectual Property

“...Creating a good system for my company has always been my

By Kema Rajandran APSM

hether its perfumes, lotions or shampoos; cosmetic products are being copied on a large scale. Now more than ever, corporations and individuals are experiencing the significant cost of global trademark and IP infringements, so how does a company keep its brand safe? Under the umbrella of security responsibilities many companies now include brand protection. Heidi Ng is the Regional Security Manager, Global Security and Trademark (TM) Protection in Hong Kong for Estée Lauder, a manufacturer and marketer of prestige skincare, makeup, fragrance and hair care products. Don’t be fooled by Ng’s delicate appearance, an active Martial Arts enthusiast, mainly in Taekwondo and Kick-Boxing, Ng was also a Physical Trainer and Taekwondo coach and still enjoys pistol shooting in her spare time. With a lifelong interest in the area of law enforcement and security, Ng keeps up to date with new trends through various research, training, media and external channels such as online discussion groups and “security gossip”. A brand isn’t just a logo or name; it is about caring about the business at every level and in every detail, from the mission and vision, to the employees and customers. “We cover all aspects of corporate security, for example, physical security personnel security, executive protection, crisis management, etc,” Ng said. Being the Regional Security Manager, Ng is expected to have enhanced investigation skills and experience and ability to work with various business units. Previously working at Bose with electronics and audio devices, Ng explained that her experience was easily transferable as “they are all luxury goods.” “Some of my previous experiences have taught me that a good system is more reliable and

16 | Australian Security Magazine

priority.” Heidi Ng InnovaRegional Security Manager, Global Security and Trademark (TM) Protection in Hong Kong for Estée Lauder

effective than a good employee, therefore creating a good system for my company has always been my priority.” While you may be under the assumption that working for a cosmetics brand would put you in an environment surrounded by women, this simply is not the case, “From the conferences and meetings, I can say there are approximately 90 per cent males in attendance.” And while Ng says there are currently more females in this industry than in past years, “males still dominate.” Ng says women should not be discouraged by this, she believes males currently in the industry would welcome more females to join as women have their advantages and special talents in security industry and she also thinks it’s a general view that “it’s boring to just have men in the industry.” This industry has been dominated by men for decades; however, the world has changed, and will keep changing as well. The involvement of women’s new point of views in security enables the industry to accept different angles of changes. It has been suggested that women are natural opportunity seekers and networking experts and I believe these abilities are really critical.” As the internet continues to become a more dynamic and vital part of every company, it is inevitable that today’s enterprises need to be more proactive at anticipating exploits and abuses that can tarnish their reputation and negatively impact their business operations. One measure Ng has put in place as the Regional Security Manager to monitor total online presence and strategically protect the brand, trademark, and domains is the online enforcement program. “The Online Enforcement Program involves our legal department and some other service providers. We aim at auction websites as well as domain name abuse issue and send out warning

letters, we also aim at working with all those webhosted companies.” Ng is tight lipped on the details but she did share that the company is currently processing a number of law suits for this reason, “You may have heard of Chanel shutting down thousands of TM infringing websites. We are pursuing this similar approach but that is all I can say about that now.” Big brand names take years to establish so it should come as no surprise that other companies or individuals would want to ‘piggy-back’ on another brand. A case that received a lot of media attention in 2009 was when Gucci America won a trademark case against the former wife of Paolo Gucci, grandson of Guccio Gucci, who founded the luxury-goods empire in 1921. The wife, Jennifer Gucci, was accused of licensing her name for coffee shops, bedding and other items. The trial ended in a permanent injunction and a finding that Gucci was entitled to compensatory and punitive damages as well as a permanent injunction. Since she stepped into the role, the Global Security Team has seen its largest expansion in the Asia Pacific Region, EMEA (Europe, Middle East and Africa) and Canada. The company has more than a dozen network hubs worldwide that includes divisions acquired from other companies and Ng, with her team of one, has the task of managing this in the Asia Pacific Region through “communication, security awareness, training, planning - crisis management and Business Contingency Plan - and a common sense approach to security.” Estée Lauder was founded in 1946 with four products and an unshakeable belief: that every woman can be beautiful. Today, more than 60 years later, that simple notion has changed the face of the beauty business and its people such as Ng that have helped ensure the success of this brand stays strong.

W O N

G A M EE

T U O

N I L N O

THE

OR ND C

NT A

NME

OVER

ING G

EAD Y’S L UNTR

urity

maga

zine.c

om.a

u 17

p 20 Aug/Se

the IT ating Navig the future of cape lands

ITY M

ECUR

TE S PORA

str w.au | ww

INE AGAZ

sec alian

227

100003

ved PP

st Appro

Print Po

ocus urity f Australian c e s ’s COAG onwealth & ecurity’ ‘s Comm single out s e t a t s

ity secur Cyber s in the et of ass cted era THE e n REG n o c ION ter in’S L EAD

ING

e ing th 1: Tak on 6 A T A D ’s lead Nation esearch r r cybe

ERN

MEN

T AN

POR ATE COAG urity: SEC in sec URIT YM Com ’s securiWomen ab, Senior AGA mon t ZINE b y , a r focSuh e h wealushin state c | w r a ww.a s sin No th & Aritsy -Rese Lab siap acif gle o Secu ustr ersky icse curit ut ‘se Kaaslpian yma curit gaz ine.c y’ om DATA d e ifi n 6 u 1 r u o Natio : Takin y hree ring cybe n’s lead g the Secu nications: T ions land Navigat on t r res u a r m e scap i earc com y consid e of ng the IT h e k the f uture

READ NOW

and A safe Australia? e secur

Aug/Se

p 2017

A sa f secu e and re Au stral ia

ology Psych viving a r u s k for t attac violen

Cybe of as r securit s y inter conn ets in the ected era

? US

Psyc h for s ology u viole rviving a nt at tack $8.95

GOV

INC. GS

Cyber

$8.95

INC.

GST

week

W 2017 N World oush omen in terpol ber security se in In | Secu Shabab, curity: views nd Cy ent re Connect a r v i e t l y a n Re Senior Regio Philippines Kasp searche | e r o r, ersk ingap y Lab Secu r comm ing yo ur un unic key c ations: T ified onsid h erati ree ons

in S

CYB ER FRA UD THR EAT S TO Cybe

r we

CON SUM ERS

READ NOW

ek in Sing

Re apor gional ev e | P e hilip nt review PLUS pines s Conn | Interp ol Wo ect a nd C yber rld 2017 secu rity

www.australiansecuritymagazine.com.au

Women in Security

Learning to shine When Lyndall Milenkovic trained as a teacher at the start of her career, little did she know it would include several Olympic ceremonies, the occasional music festival and the prospect of stabbing inflatable beavers. Lyndall Milenkovic

I By Adeline Teoh Correspondent

18 | Australian Security Magazine

t’s a bright Sydney afternoon in Autumn and I’m trying to find out why self-confessed sun lover Lyndall Milenkovic decided to live in Vancouver for three months during a Canadian winter. The year was 2010, and the director of The Riskworks Network had taken a job working on emergency management for the Winter Olympics. Her role? To oversee the opening and closing ceremonies, as well as the nightly medal ceremonies and concerts, from an emergency and safety perspective. “Often the creative people want to make those events as challenging as they can,” she explains. “In Vancouver they had giant inflatable beavers that filled the roadway underneath the stadium which, in their requirements, had to be left clear at all times for emergency access. My plan was that the person in charge of each team had to have a sharp implement in their belt that they could stab it with if necessary.” Stabbing inflatable beavers is just one part of the Milenkovic risk treatment and it’s challenges like these that keep her engaged in her work. That, and the people. “It’s the integration between safety, emergency and security. I’m not a security consultant but a lot of what I do sits on the edge of that so it’s important for me to have a working understanding of what the challenges are. I like that, and I like working with them,” she says. Over her 22-year emergency management career, Milenkovic has become an event specialist. With four Olympics under her belt, starting with the Sydney 2000 Olympic Games, she has also been a part of two Commonwealth Games, the Shanghai World Expo, music festivals, Australia Day celebrations and more. A casual

observer would never guess this dynamic career began in the classroom; Milenkovic studied to be a teacher but slid into emergency management unexpectedly. “I had trained as a teacher and then I left after about six months. I did sales and three years in recruitment. Every time I took on a role, I’d get promoted to a national role – national sales manager, national recruitment training manager,” she recalls. “After I had bubs I didn’t know what I wanted to do so I went back to a recruitment company I had worked with. I had worked with the general manager previously and she said ‘why don’t you join our training department?’” Milenkovic then found herself training people in emergency procedures, including a stint doing warden training with Optus that ranged from building evacuation to handling bomb threat calls. “I’d do warden training in clubs, shopping centres and high rise buildings for other people and it grew. In 1998, I got a call from a gentleman who wanted warden training for a new building. It turned out he was the operations manager at the new Olympic Stadium and we won the contract to do the training.” Making it big With her business partner at the time, Milenkovic started to build a reputation for large-scale work; not just high rise buildings and stadiums but big events as well. “The Olympic authorities saw our work and we ended up working for SOCOG [the Sydney Organising Committee for the Olympic Games] looking at different venues and safety for

International

“Making a difference in Australia, making something that people think is hard simple, helping venues establish their control rooms and giving them solutions is also very rewarding.” venues. The day after the Paralympics [in 2000] finished we hopped on a plane and went to Salt Lake City where the next Winter Olympics were going to be.” The secret to managing large-scale events like Olympic ceremonies is to look at environment and activities as the two key points, she says. “Environment can be the social environment, the political environment – what sort of risks, incidents or threats are there? You then also look at the legal requirements of the country as to what you need to measure up to, and then look at the activities; what are they going to be doing?” In 2002, she left the business and struck out on her own carving a niche for herself doing emergency work for opening and closing ceremonies, including two more Olympics. But while she says there’s nothing like being part of the ceremony (“I’d ask if we could open the window so I could smell the pyrotechnics from the control room”), since her stint in Vancouver she has largely stayed in Australia, deriving just as much satisfaction from smaller jobs. “Making a difference in Australia, making something that people think is hard simple, helping venues establish their control rooms and giving them solutions is also very rewarding.” Part of this was burnout, she admits. “After travelling so much I made a decision to stay in Australia. When I lived in Vancouver for three months I found it a very lonely existence. I had two days off in three months; my shortest week was 70 hours and my longest week was 119 hours. So you’re exhausted, and when you go back to your hotel room there’s nobody there. It’s not a great life.” Now she runs The Riskworks Network and is the deputy chair of the NSW Chapter of ASIS International, an association designed to bring together security practitioners for networking and professional development. “I’m the first female to be on the executive in New South Wales,” she states, adding that part of her mission is to look at diversity in the security industry, not just better inclusivity of women but also people of different ethnicities as well as Indigenous participation. “Basically I want to show there’s a spectrum of people who work in security, beyond AngloSaxon males.”

I’m struggling with because you don’t want to be seen as someone who is difficult to work with.” For many women it is the industry that is difficult to work in considering its long, sometimes unsociable hours, and exposure to risk. While all security practitioners have such qualms, Milenkovic says there are fewer women in security management because they still tend to be the primary carers of children. Her own experience in bringing up three of her own is the exception that proves the rule; her then-husband was obligated to become the primary carer while her career took off. Although she loves spending time with her (now adult) children, she concedes the arrangement may have cost her marriage. “I got a bit pig-headed after a couple of lofty jobs,” she recounts. “My husband was still a teacher at the same school he’d been teaching at for over 20 years. He never coped with the fact that I wasn’t also teaching and the fact I kept getting promoted and I kept travelling. He felt he was left at home with small children to look after.” But giving him the role of primary carer was not the clincher. Milenkovic then changed the way she dealt with her absence. “I used to run around and prep everything; here’s the schedule, meals were cooked and everything was done. Then one day at the school gate I heard all these other mums talking about their husbands travelling and [the husbands] didn’t do anything to prep their family for their absence. So I stopped,” she says. “That was probably the downfall.” Today, she wraps that anecdote into a cautionary tale about work/life balance and the effect of an accelerating career on significant others. “Identify what goals you want to achieve and then find a way to achieve them but don’t forget to bring your partner along for that ride,” she advises. “Communicate those goals and how you want to achieve them to those who are sharing your life.” Only then will you enjoy your time in the sun.

The untamed shrew Over two decades, Milenkovic has learnt a lot about being a woman in a male-dominated industry. “Guys don’t like to be told. Asset managers in particular, guys who deal with buildings, feel threatened.” And these days she has less and less time for unnecessary jibes. “As I’ve aged I’ve become less tolerant. The older I get, the shorter my temper is,” she acknowledges. “Before I was able to laugh off the fact that guys would go ‘what does she know?’ but now I do not suffer fools easily and that makes for some quite uncomfortable arrangements. That’s something

Australian Security Magazine | 19

Women in Security

The key to success: Just fall Ever wondered what it would be like to work for a large organisation that is leading the way in aerospace, defence, transport and security? Or what path you should take to get there? With world-class technologies and the combined expertise of 67,000 employees in 56 locally based country operations, it is no doubt that Thales is a key player in assuring the security of citizens, infrastructure and nations. Kema Rajandran talked to four women from Thales Australia to find out more about how they came to work in this incredible empire.

Diane Smith

Jeannette Jackson

H By Kema Rajandran Correspondent

20 | Australian Security Magazine

Chantelle Miruzzi

aving previously worked for defence engineering companies in numerous roles, many would think that it was natural that Jeanette Jackson followed a path to security, but she says it was completely by chance that she fell into a security role. “In my previous role at Thales as Commercial Manager, I volunteered to take on the duties of Assistant Security Officer [ASO] for my business unit. As the ASO, I was exposed to a side of the business that I had not been involved in before.” As time went on, Jeannette learned more in her role, her interest in security started to build and she began seeking more challenges. As one of the largest defence companies in Australia, Jeannette says the diverse range of projects Thales offers was very appealing to her. “A permanent corporate security role became available and I was lucky enough to get it.” Jeannette wasn’t the only one that fell into security. Marie-Antoinette Houssard, Thales Maritime and Aerospace Security Officer says she too fell into security purely by chance.

Marie-Antoinette Houssard

“I was raised in New Caledonia as the fourth generation of hotel owners, so my training was in hotel and restaurant management,” says Marie-Antoinette. “All changed when I moved to Australia. I owned the Adelaide Wine Cellar in George Street, Sydney, for four years, which I then sold. I worked for American Express for ten years, and when I left did catering from home and temp work for Drake before applying to ADI. “The rest is history!” Chantelle Miruzzi, based at the Department of Defence establishment in New South Wales, liaising between Thales Defence units and base security says her move, like Jeannette’s and Marie-Antoinette’s was purely by chance too. “I have always enjoyed roles that let me interact with people, especially focusing on customer service and problem solving,” says Chantelle. “When I was looking at changing jobs, I wanted something that was in my local area, but also a bit different to my previous roles. “I was looking for a new and challenging role. Thales is a large company, which had room for my growth, development

Women in Security

and career movement. I was also aware that Thales is very encouraging in supporting the training and development of its staff.” So far, three out for four women have simply just fallen into security. So how do you think final interviewee Diane Smith, in Business Operations at Thales, came into her role? A career planned out from high school to university and so on? No, she too, fell into it. “I didn’t leave my previous role with any intention of working in the security field. I definitely fell into security, but I’m very glad I did,” says Diane. “I previously worked for Thales in a different field and enjoyed the experience. The new position here sounded really interesting and ticked all the boxes for me, so I thought I’d give it a try.” By now you might be thinking that it’s easy to weave your way into a large organisation and into a great role by simply waiting around to ‘fall into it’ like these four women. But you should note that while these women say they ‘fell into it’ they also brought with them experience and skills that were valuable to their current positions. Diane previously worked as a project manager for Boeing on defence contracts. “That gave me a good grounding with security both at the corporate and defence levels.” And it wasn’t all luck for Jeannette as she had said earlier. She brought with her experience in contract management and negotiation and strong organisational and communication skills that have proved invaluable to her current position as Security Operation Manager. Marie-Antoinette gives credit to her experience in the hotel industry saying meeting a cross-section of people was helpful to her in changing her career along with continuous study. “My development in human skills and management has been of great assistance, and obtaining my Diploma in Security and Risk Management was also an asset to my position.” Being a person who has been quite strategic with my career opportunities, I usually pursue roles according to the skills I will learn and the path it would potentially lay out for me as well as the enjoyment of the duties listed so I was curious to know what happens when you simply do leave it to chance and fall into something you hadn’t planned or considered before. The response I got was a resounding, I love what I do. “I love working in a corporate role as it gives me the chance to work across all business units within the company – I get to meet people who work in all aspects of our business across all our sites,” says Jeannette. Apart from enjoying working with a fun, highly skilled team, Jeannette thoroughly enjoys the enormous variety and challenges that her work offers. “We cover everything from armaments and protected vehicles to air traffic management and communication systems, plus many other aspects of defence contracting such as sonar and ship maintenance. “I have the opportunity to work on projects that are of major importance to the security and wellbeing of our country, and in particular for our armed forces. It is very

“I get to work with people all the time and know that I am helping to keep them safe, as well as the company. And I’m part of a project that is directly responsible for keeping our soldiers alive on operations – it doesn’t get much more satisfying than that.” rewarding knowing the work we do saves lives. “Employee development and training has come a long way since I first started working, and this is one area that Thales excels at.” She explains that Thales has an extensive in-house training organisation that offers employees numerous courses to up-skill, develop, and grow in their role. “Thales also has a set cycle of personal development activity discussions throughout the year, which encourages managers and employees to evaluate, reflect on and set an employee’s objectives and goals. “This gives employees the opportunity to develop their career path. In fact, I actively used this process to inform management about my growing interest in the security space, which ultimately led to my current role.” Career in security rewarding? Tick. “It’s definitely a feel-good job,” comments Diane. “I’ve only been in this job with Thales since March 2013, so I don’t have a lot of memories to share yet from my security role. The one thing I will remember about my role here is that I feel like I’ve been part of something important. “I get to work with people all the time and know that I am helping to keep them safe, as well as the company. And I’m part of a project that is directly responsible for keeping our soldiers alive on operations – it doesn’t get much more satisfying than that.” Career in security gives a sense of value? Tick. “In all honesty, I love my job,” adds Chantelle. “I get to meet different people each day, and there is generally always something happening on base. “I enjoy working closely with Defence, building relationships and being able to assist the individual units on site with security and access control issues. “I also get to travel to our depots throughout Australia, being able to meet the people and see the different facilities that are a part of Thales. “I have been involved in the security of a number of projects on base. There are always funny moments, such as listening to the project manager telling the team [Kangaroo Musters] saying they are not cows and don’t respond well to people clapping at them.” Career in security gives enjoyment? Tick. “The industry has evolved over the years, which makes the work much more interesting and challenging,” says

Australian Security Magazine | 21

Women in Security

“Women bring a different perspective and energy to the industry, and personally I’ve always found this industry keen and supportive of hiring and promoting women.” Marie-Antoinette. “No day is alike. I also love dealing with the variety of people and cultures, which is rewarding. ““Defence has improved the Security Officer training and developed better trainers, and overall Defence requirements are nowadays more stringent. “We now have to work on cyber security, which did not really exist when I first started 16 years ago. “Working for Thales has been a positive and enriching experience. I am happy to see through ASIS that more women are joining the security industry.” Career in security has variety? Tick. So what are you thinking at this point? Were these four women in the same room feeding off each other for responses or do Thales employ people who will be great advocates for the organisation? No, they were not in the same room copying each other’s answers. And while they have come out of the interviews being great advocates for Thales, the enjoyment these women have gotten from their roles have made them great advocates for the organisation, but I don’t think Thales was able to scope that out during the hiring process. The passion they have built in their roles are what brought out the advocacy for the organisation. If you aren’t passionate and enjoy what you do, I don’t think you could speak so highly about where you work. These were the very raw and honest responses from each woman – who are based in different offices in different areas of Thales and in very different roles. It is apparent that not only is this organisation a great place to be but falling into a role can be just as good or perhaps even better than going down a direct paved out career path. But that’s not to say we should leave it all up to chance. Having a mentor is something these women pay credit to as well. “I worked with a really good mentor for a number of years,” says Chantelle. “She was the kind of person that wasn’t afraid to tell you where you needed to improve and how to go about it. “I definitely responded well to that kind of honesty and guidance. We became good friends, and I still use her as a sounding board every now and then.” Jeannette says she has been lucky enough to have mentors through all stages of her career. “When I first joined Thales, the senior Commercial Manager was always on hand to provide guidance and advice. “At the moment, Jason Brown, our National Security Director, is providing me with a wealth of information. I feel very privileged to be able to tap into his experience and learn

22 | Australian Security Magazine

more about the industry.” Jeannette recommends that everyone has a mentor to gain more experience from and for a strong way to grow in a job. “My first mentor earlier in my career was a great support,” says Marie-Antoinette. “I also have another valuable mentor now, who goes the extra step to ensure you have understood all issues.” Diane gives special mention to the Senior Security Officer in the Protected Vehicles business. “He has been very supportive and is always there to help me when I need him.” So ladies, (and men too), are you taking notes for your next career move? This is what you should have so far: Going for opportunities that you hadn’t considered or were slightly off the course you planned; bringing skills and experience that you can adapt to the new role and continuing to up skill through study; and gaining more experience and having a mentor to offer support and guidance through the endless opportunities that are available. While these women and many others are breaking down the stereotype of security being a male dominated industry, some women may still find it intimidating to pursue opportunities. So what advice do these women have for the challenging roles in security? Diane believes that for any security role you need to care about what you do. “I do not see Thales as a company that leans towards men over women. I think it is, as it should be, a case of the right person for the job,” she says. “This is not a job that you can do well if you don’t believe in it. “Being a good communicator, developing strong relationships, demonstrating honesty and building trust are all important elements,” says Chantelle. “You need to have the confidence to ask questions and, more importantly, listen to the answers. “It is a male dominated industry, but I believe that is changing with more females moving into management roles within Thales. “I would encourage females into the industry if they find this kind of work interesting and want a challenge.” Jeannette says while the defence/engineering industry is male dominated; there are still fabulous opportunities for women. “Women bring a different perspective and energy to the industry, and personally I’ve always found this industry keen and supportive of hiring and promoting women.” Marie-Antoinette says it’s all changing and that people need to be prepared for the unexpected. “It is male dominated, but changing. I certainly would encourage women to have a go as it’s a different but rewarding field. “In this role you need to be a people person. You need to be prepared for the multitude of changes in the industry, have an open mind, and get your Diploma in Security and Risk Management.” I believe that last one may have been an order!

Women in Security

“I do not see Thales as a company that leans towards men over women. I think it is, as it should be, a case of the right person for the job,” Now to the age-old question, what about work-life balance? Because of course, the world of security is 24/7 and with the surge of social media during the last few years the online world is changing the way security is shaped. More people have more responsibility and those in security must continue to improve and stay ahead of the game. Do these women spend all their time working and studying and monitoring social media sites? Chantelle is married and a mother of two children. She says her family are very supportive of her and her job and she couldn’t do parts without them. By the sounds of it, it works both ways; she also manages her son’s soccer team. Her son does Tae Kwon Do (perhaps a defence career in the making) and her daughter dances, so she spends a great deal of time with her family and sharing in their interests. Diane is also married and a mother of two. Her husband is in engineering and previously worked for Thales and ADI. Her youngest daughter lives in Jillaroo and works on a cattle farm and her oldest daughter recently joined Thales having left the military – perhaps the model family for Thales. Jeannette is also married, has three kids and says that Thales promotes a work-life balance for families. Marie-Antoinette says she spends all her spare time with family and friends. A lover of the outdoors she is a keen traveller and with a daughter and grandson living in the south of France, whom she regularly visits, I would imagine that it wouldn’t be hard to duck across to other countries. So after all that, if you have wanted to work for a large organisation, or you are a woman who is interested in getting into the security industry, or you simply like to read and know more about the people in this industry, then I hope the stories these women have shared have been useful to you. I always like to know the journey people have taken to get to where they are. It’s the people that work hard and always strive to be better – not those that are handed everything on a silver platter – that are the backbone of this country and have contributed to the flourishing and wellestablished society we live in today. As a way of learning and sharing information, I usually explore the journey from school to tertiary education, to further training and climbing the ladder – the path a majority of people take – and find out all the avenues people have taken to reach success in this industry. I was pleasantly surprised to hear not one, but four stories of successful and educated women in security all under one organisation, having ‘fallen’ into their current roles. I for one, am considering a career switch with all the exciting things these women have highlighted in their days at Thales.

Australian Security Magazine | 23

Women in Security

Women Top Agenda Liz Alford knew she wanted to be in the police force since she was a young girl. As soon as she turned 19 years of age – whilst many others her age would have been enjoying the partying stages of young adulthood – she went and signed up to the police force and has stayed within the security and risk management industry ever since.

I By Kema Rajandran Correspondent

24 | Australian Security Magazine

n Liz Aldford’s current role as Physical Security Manager at the Bank of Queensland (BOQ), Liz is responsible for the security risk management strategy for BOQ’s network of more than 270 branches around Australia as well as managing all security incidents that occur within the branch network. It was not an easy or even a carefully planned path that lead her to this position. A former member of the NSW Police, Liz served in the inner city areas of Sydney where she spent time as an investigator in the anti-theft squad and the National Crime Authority (now known as the Australian Crime Commission). Investigating organised crime syndicates, she specialised in surveillance and undercover work and also had experience in New York with the Drug Enforcement Agency and New York Police Department in the area of organised crime; coveted experience many police cadets would yearn for. Liz talks about the challenge of the National Crime Authority in targeting high level organised crime figures using surveillance and other technologies as one of the highlights of her long-standing career but it is clear from the depth of her skills, work experience and stories that she has remained very passionate about investigation, training and CCTV advisory work.

“I am excited about the advancement in security technology systems such as CCTV and the positive feedback to the development of the online training products to assist in educating people and taking a proactive approach to addressing and preventing security issues,” says Liz. “The development and integration of technology into all aspects of security and risk management has transformed this industry over the past 20 years.” Comparing the equipment used to conduct complex surveillance operations at the National Crime Authority in the 1980s, Liz says nowadays it’s all done with resources that are available at a fraction of the cost. “For example, the handbag cameras we used back then were state-of-the-art, however, they were large and the quality of the images captured varied enormously. In 2013, cameras loaded into pens that consistently produce high quality pictures are readily available,” says Liz. With the safety and welfare of BOQ’s large network of front line staff at the forefront of Liz’s mind, she says it’s important that she always remains focussed. “Like most people who work in the sector, I have to juggle the many challenges that are presented on a daily basis and ensure we stay ahead of the security technologies and trends in the financial retail sector worldwide.”

Women in Security

Licensed Private Investigator in Queensland and NSW, it is apparent that Liz holds strong value in education and training. “We are seeing more and more courses being offered online which offers the flexibility to participants to undertake courses at a time and place that works around their busy schedules. This means learning and updating skills is easier and more relevant in today’s busy world.” And having a multitude of skills is becoming more important in the field as Liz explains that security and risk management is much more than physical resources being deployed at service delivery points. “Security and risk management are directly linked to brand protection for organisations to ensure customer and stakeholder confidence. For this reason, progressive companies need to be working proactively in the areas of investigation, holistic and integrated risk management across the business, cyber crime trends, security technologies and business continuity processes.” Along with a well-rounded approach Liz believes that welcoming more women into the industry will help businesses in this industry become stronger. “I certainly believe that more women in the industry, at all levels, would add diversity and offer a valuable dimension to security and risk management.” “It is a tough industry and I feel it can be seen as more of a challenge for females who want to enter the industry.

“It is a tough industry and I feel it can be seen as more of a challenge for females who want to enter the industry as some may feel they have to align with male traits to be accepted and promoted.” With three teenage girls in tow, she credits her supportive partner and the good fortune of having worked with many experienced and talented people throughout her career. “At various points, different people have acted as mentors. These have included people who I worked closely with in the Police to friends, family and colleagues who share and impart their wisdom on various topics. All of them have had a major impact on my career.” With Diplomas of Security and Risk Management and Loss Adjusting and various certificates in the areas of Investigations, Government Investigations, Training and Assessment, Security (Operations), Loss Adjusting and a

Australian Security Magazine | 25

Women Security Women in in Cyber Security

A six-pack of cyber security awareness

C By Kema Rajandran Correspondent

26 | Australian Security Magazine

onnie McIntosh, the woman who took out the Miss World Fitness and Miss Fitness Australia Championships 2000 and 2001 is more than just a model and fitness fanatic, she is also the Senior Adviser at CERT Australia – the national computer emergency response team. With a Bachelor of Communication (Honours) in Information Technology, a Diploma of Management and a Diploma of Government (Contract Management), it’s a wonder how McIntosh has fit in becoming a wife, mother of two children and a qualified personal trainer and fitness instructor; all within her early thirties. “I have been married for 12 years to my partner Graeme, we have two amazing, talented and beautiful children, one boy and one girl who keep me busy with Academic competitions, Soccer, Tennis, Acting and Modelling. I am an animal lover; I have two horses, a dog and cat.” “My hobbies are Fitness, I am a qualified personal trainer and group fitness instructor and I won the Miss World Fitness and Miss Fitness Australia Championships 2000 and 2001 - hobby taken to the extreme I know.” A self confessed lover of Ultimate Fighting Championship (UFC), Mixed Martial Arts (MMA), stand up paddle boarding, bushwalking, the beach and outdoors and above all having fun some may think the cyber world is a strange fit for McIntosh. “I have always been interested in computing and saw it as an exciting area which had many different opportunities. I knew it was a career that would never be boring and one which would allow me to continually learn which is something I love to do and it’s constantly evolving and always busy.” McIntosh said. “Security has been paramount throughout my career and it is one of the most exciting career choices you can make, the work is exciting, interesting and ever evolving.”

Connie McIntosh

CERT is part of the Federal Attorney-General’s Department and is the point of contact in Government for cyber security issues affecting major Australian businesses. “We also work in the Cyber Security Operations Centre, sharing information and working closely with the Australian Security Intelligence Organisation (ASIO), the Australian Federal Police (AFP) and the Australian Signals Directorate (ASD).” In her first two years at CERT Australia, McIntosh’s’ role was Senior Technical Adviser. She assisted partners during incidents, liaised with partners on technical issues, analysed malware, actively identified vulnerabilities, provided technical guidance on mitigating threats and vulnerabilities, provided advice and assistance during an incident as well as worked with international partners to seek remediation of attacks originating overseas. McIntosh says that awareness of Cyber Security is on the rise amongst Australians however in general the number of incidents increases each year. “There are a number of factors that contribute to the rise of incidents, such as; increased use of internet and digital products, increase in the abilities and number of hackers, the sophistication of malware and targeted campaigns, software or hardware vulnerabilities, antivirus, antispyware, firewalls, lack of personal security around passwords (i.e. having different passwords for all your accounts online or sharing your password), computer sharing and non hardening of systems.” “Hackers are successfully using events such as G20 and MH370 to send phishing emails that attract attention and entice users to click on links which unbeknown to the user then installs malware onto their device, allowing hackers to gain access to the device.” As technology is ever changing and mobile devices are increasing in the workplace, McIntosh keeps up to date with topics of interest around the world through webinars.

Women Women in Cyber in Security

“I really enjoy collaborating with International and National Partners on improving Cyber Security. The Cyber Security Community is a very positive one and are highly collaborative in an effort to achieve good outcomes.” “There is certainly more focus on security since September 11 and that is for the benefit of society.” “I am now a Senior Adviser focusing on engaging international and national partners, hosting information exchange events, signing up new partners, business analysis, liaising with government, industry and international networks.” “I really enjoy collaborating with International and National Partners on improving Cyber Security. The Cyber Security Community is a very positive one and are highly collaborative in an effort to achieve good outcomes.” But it’s not all desk-bound for this multitalented pocket rocket, last year McIntosh ran the 2013 Asia Pacific CERT (APCERT) Conference and Annual General Meeting. Hosting 19 countries for four days with over 100 delegates; something she truly enjoyed. “I am really lucky to have the ability to work in the technical and non technical areas being able to keep across issues affecting our Partners and being able to see the work we do making a difference.” Being treated as one of the boys from early on in her career, McIntosh admits security is very much man’s world

however loved it having grown up with brothers and being comfortable in a male environment. “A very memorable time was at the Department of Finance when I started my career in the Australian Public Service will always be a treasured time. The guys Barry, Andrew1, Andrew2, Owen, Wayne, Siggy and Pete all taught me so much and watched me grow up, get married have children, we were like family.” “Since then much has changed in gender diversity, in CERT Australia we have approximately 40 per cent females. Security is a real option for women as a wonderful career choice.” Having worked across three key Federal Government Department’s in her career thus far; McIntosh was not afraid to get her hands dirty and began at the Department of Finance in an operational role. “I was splicing fibre by hand, making pin cables, building and monitoring systems and networks. I worked in Parliament House which was great, I was in and out of the Prime Minister’s and other Minister’s offices frequently.” Four years later she moved across to Defence undertaking an IT role for two years before moving to the Attorney General’s Department where she worked in their Technical Operations environment. “I returned to the Department of Finance in the Government Fibre Network team, building fibre networks for the government, project managing installations and business relations.” It was only five years ago that McIntosh returned back to Attorney General’s Department working as Operations Manager in Networks and Systems before she joined CERT Australia in 2011. “CERT Australia is at the forefront of Cyber Security and we constantly work on actively identifying vulnerabilities and notifying our partners. We assist Critical Infrastructure in protecting their networks; we assist in incident investigation and information sharing.” “Our capabilities are growing rapidly and I highly encourage women and girls to seriously consider a career in security, IT and in particularly Cyber as it’s exciting, challenging, interesting and evolving.” “I have always worked in Security focussed roles and I have found throughout my career I’ve been fortunate to work with great managers who embody professionalism and I’ve strived to learn from them all.”

Australian Security Magazine | 27

Women Women in in Security Security

Committed to the truth Sheila Ponnosamy

S By Kema Rajandran Correspondent

28 | Australian Security Magazine

heila Ponnosamy made history last September by being the first Asian woman to be elected president of the Council of International Investigators (CII), a US-based association that brings together more than 300 members from over 50 countries that network, share resources and refer work to each other all with an emphasis on quality. As Operations Director at Mainguard International, this 43-year-old Peranakan Indian woman may have had her destiny set out for her long before she was born. Daughter of Mr Ponnosamy Kalastree, a well known Singaporean investigator and security expert and Mrs Dora Kalastree, also a private investigator, both of whom have been in the field for over 40 years, it would be safe to say that it was only a matter of time before Ms Ponnosamy gravitated towards private investigations. With a Double Major in Management and Marketing and a Masters Degree in Business Administration, Ponnosamy worked as a conference producer in Perth for 10 years before returning to Singapore and becoming part of the investigations business. “This happened by chance as I was helping dad prepare an investigations report. He realised then that I had an interest and aptitude for the work so he gave me an opportunity to move to the investigations side of the business,” Ms Ponnosamy said. “Fortunately, I think we share the same passion for investigations so I don’t feel like I was being forced to be in the investigations industry.” Passion isn’t all they share, Ms Ponnosamy and her father clearly possess the right skills to pursue and solve cases as well as network and lead in their field. Mr Kalastree, who won CII’s International Investigator of the Year in 1998, became the Council’s President in 2001. Nine year’s later he would witness his daughter win the same award for her investigation

into an international human trafficking case. “I was very surprised to win the award. I do hope it was my father’s proudest moment.” “It was a 10 year investigation and the case was referred to me as the Subject of investigations was last spotted in Malaysia.” The subject was a woman with dual US and French citizenship who had disappeared from a healthcare facility in France with an Egyptian man. Her American mother had been trying to track her down for 10 years. Ms Ponnosmay was contacted in 2009 when the subject was traced to Malaysia. The woman was seemingly in good health but emotionally unstable and thought to be aggressive when approached. But it wasn’t just Ms Ponnosamy’s extensive investigative skills that helped her solve this case; her determination and passion also played a crucial part. “The case went pro bono as the client ran out of money so I worked on it in my own time for a year until the case was closed. I do attribute it to a lucky break though.” “Finally we located the subject and due to my efforts at persuading her “kidnapper” – she already had Stockholm syndrome – he put her on a flight back to the USA. I did not expect him to, but for me, anything is worth a shot, if you never try, you never know!” And it’s this ‘trying’ attitude that has seen Ms Ponnosamy’s career flourish in a male dominated industry. “Honestly, I do not really think too much about being a woman and being Asian, though of course, most investigators especially in Asia are men.” As my work is focussed in the Asia-Pacific region, I do tend to be able to provide more input from an Asian perspective.” Living and working between her two homes in Perth

Women in Security

“A lot of information is public in the USA and for them a due diligence is database checks. In Asia, I always encourage them to do ground work too as our databases are not always accurate, updated and accessible.” and Singapore, she says while it is a bit of a ‘Boy’s Club’ she doesn’t worry too much about building a profile or climbing the ranks, instead she just does her work. “It is more important to me to serve my clients’ needs as they are paying for our service.” Mainguard International’s clientele are mainly from USA and Europe resulting in plenty of challenges for the team based in Asia where most of the work is done. “A lot of information is public in the USA and for them a due diligence is database checks. In Asia, I always encourage them to do ground work too as our databases are not always accurate, updated and accessible.” As Operations Director, Ms Ponnosamy is involved from beginning to end of each case. She manages everything from the tasks that need to be undertaken, how to retrieve the information, she reviews all the information and then presents it to the client. “What I enjoy most is being involved in the case from A to Z. I secure the business as I serve as the client liaison.” Ms Ponnosamy’s involvement is exhaustive. For those wanting to move into private investigation be prepared for very long hours and sacrificing weekends with your family and friends. And don’t dream of becoming rich, it isn’t an industry that will rake in the dollars quickly. “I am blessed to have a supportive husband that knows my passion for the business. We have a similar work ethic so, we motivate each other with our time management schedules and he helps me with the domestic chores.” But don’t let all the hard work and limitations of being a millionaire put you off; private investigations really is as interesting and varied as it looks on TV, albeit without the glamour. “Every case that you get is different. Hence is it never boring. Every case has different requirements and you are constantly stimulated in your work,” she says. “There are so many cases in the past 15 years that do stand out. Too many to mention but some of them briefly: • Locating US singer-actress, Leandra Ramm’s cyberstalker • Working undercover as a fashion buyer in Indonesia to get legal evidence in a breach of contract case • Researching counterfeit cigarettes and locating the factory in Indonesia • Getting thrown out of an offshore bank in Singapore (I needed to proved that the bank was defrauding its customers and being unco-operative) • A missing persons case where a wife from Thailand turns out to be married to another man in Singapore and using a different identity • Finding people alive after they have been certified dead in several countries in Asia in insurance investigations cases.”

So what’s next for this hard working, ambitious, selfconfessed lover of crime thriller novels? “Hopefully I can do a PhD in my later years and if I do, I’d like to focus on the role of private investigations in combating hideous crimes such as human trafficking.” For now she is happy thriving in her role at Mainguard International and loves working with her parents. The combination of qualities they each bring to the table is evidently successful for the company that was established 30 years ago in Singapore. “We definitely need new and young blood in the investigations industry. To survive, you need to have an interest in the type of work – a desire to unearth the truth. “

Australian Security Magazine | 29

Women Women in in Security Security

Thinking before we click: the unseen face of online security

W By Kema Rajandran Correspondent

30 | Australian Security Magazine

hen - left school at the young age of fifteen, she never imagined she would be receiving the award for Information Security Professional of the Year from the Australian Information Security Association (AISA). Last October, Ms Stones became the first female AISA member to win the award. Voted by her peers, the award reflects Ms Stones’ significant contributions, achievements and initiatives to the security sector. “I was very surprised [to win] to be honest, especially given the quality of all the nominees. However I do feel honoured to be considered worthy of the award and particularly in light of the actual fact that I’m a strong advocate of workplace diversity, including gender equality,” she said. Upon completing her GCSE’s in the United Kingdom, Ms Stones left school without advanced qualifications for economic reasons; the appeal of working in a bank was originally for the benefit of job security for her. “I started life as a teller in a mutual society in the UK and progressed from there. Once I became involved in information security there were significant opportunities to progress within the banking area – the work being diverse and a constant challenge.” Tasked with managing a talented high performance team at Bankwest in her most recent role, her team supported the delivery of security in all business change, including projects of all sizes.

Ms Stones was responsible for managing a large portfolio of up to 70 concurrent projects at Bankwest and then went on secondment to Commonwealth Bank with a mandate to review, revise and implement the Group information security policies and framework. With a stellar 27-year career and still going strong, Ms Stones is as passionate about Information Security as she was from those early days. “Information security is a passion for me. When I first started out in my career in banking, a large proportion of my role was investigating staff fraud.” “I played a huge role in reporting on, and disciplining many of my colleagues until one day I realised that there was actually more I could do to help my colleagues do the right thing through policy and compliance and basic security awareness.” It was undergoing research at this stage in her life about information security - combined with a great manager that lead Ms Stones into her self-confessed addiction for information security. “I like that information security is a subject that effects everyone, of all ages, and that every change, advancement or initiative has to consider information security implications.” Effect everyone it certainly does, with our reliance on technology growing exponentially as companies find ways to be more efficient, respond quicker, work harder and save costs by moving more services online. But with the rise of technology comes a lack of face-

Women in Security

to-face communication leaving many open to cyber security issues such as identity fraud or bullying. As a mother and step-mother to five children, Ms Stones says we need improvements to cyber security. “The reliance on social media and its implications on our privacy is a topic that is close to me and I regularly present on this.” “Speaking as a parent, I regularly talk with other parents and schools about why this is the case, and I believe it’s because of the 24/7 nature of the internet.”

“All children want is to belong in some way and the different social media sites provides a perfect outlet for this, unfortunately it’s not always a positive experience. Coupled with the fact that we no longer equip our children and young adults with resiliency tools, we, I think, have a bullying epidemic on our hands.” Ms Stones thinks terrorism is a fact of life and it’s unlikely to change. “Unfortunately, when hysteria is brought into play, there are no hard rules around what the reaction might be.” “Social media provides a platform for societal ‘sheep’ to huddle together knowing that life will never be the same, that normal activities, must be cut short or ceased.” Ms Stones says that it’s in this way that social media is spreading messages far better than any one terrorist can. “I think there is a level of activity and media hype around terrorism that I find distasteful at best and at worst damaging to international relations.” With that said, perhaps there is a need for binding international laws that govern how countries behave online. “No. Independence in thought is what makes up our world and I don’t believe that what works for one country would necessarily work for all. Of course there always some exceptions.”

“The reliance on social media and its implications on our privacy is a topic that is close to me and I regularly present on this.”

Australian Security Magazine | 31

Women Women in in Security Security

‘But you are a woman’

T By Kema (Johnson) Rajandran Correspondent

32 | Australian Security Magazine

o some, being in financial crime may seem like an area where you’re deskbound, staring at a computer screen and crunching numbers, but to Michelle Weatherhead, the variety couldn’t be more interesting. As BAE Systems Applied Intelligence head of financial crime ANZ, Michelle manages eight consultants and works primarily with financial institutions across the Asia Pacific. Her role takes her from Australia to Singapore, Malaysia, Indonesia, Thailand or the Philippines at any given time. She says the appeal of working with BAE Systems Applied Intelligence is the ability to work with military grade technology; cutting edge and sophisticated solutions to combat a variety of problems in security – from cyber and fraud to terrorist financing. “We help our clients detect fraud, comply with AML legislation and combat cyber crime through data, software solutions and professional services,” Michelle says. “I really enjoy the variety of the work. One week, I am doing a presentation in Manila for one-hundred employees and the next week I am working with a client in Singapore helping them to solve a complex and high profile financial crime problem,” she says. With an abundance of highlights to date, Michelle says she’s been very fortunate in her career so far and shares some memorable and noteworthy parts with us. “In July, BAE Systems Applied Intelligence hosted a women in cyber security and financial crime networking

event. Twenty women from a variety of roles across the industry attended and it generated a lot of positive conversations.” “As a networking evening, we placed an emphasis not on technical learning but on essential career and development skills and shared discussion. It demonstrated what the impact is of a positive mindset and the importance of networking.” Michelle shared a very personal story at this event about working as a woman in this industry and the difficulties she encountered. “Over the past ten years, I have worked in many countries and it hasn’t always been easy being a woman in this industry.” “Prior to working at BAE Systems Applied Intelligence, I was sent to on a financial crime consulting engagement in the Middle East. When I turned up, the head of IT looked at me and said: “I thought you were Michael, but you are a woman!” “Being a little naïve, my innocent response was: “Yes I am Michelle and I am a woman, but I am the best consultant to write your detection rules. Do you want the best consultant to solve your fraud problem or would you like to wait for Michael?” “He waited for Michael, his loss of course…” Ouch. “That was ten years ago and many things are different

Women in Security

“Criminals collaborate; share what they are doing and what works on the dark web. They work together to conduct the crime, so we must do the same thing to combat it.”

now, but it’s still an indication of the struggles we sometimes have in a male-dominated environment.” She never let these moments deter her from what she enjoyed and ultimately to an incredible career. Working with the best and brightest in their field has been very rewarding for her, saying it’s the people that make the job. “I love meeting new people, getting to know them, helping them with issues and becoming lifelong friends. People in this industry are very practical. They get the job done and I appreciate that. It’s also very close knit – the people I met in my first job are still in this industry.” This is one of the reasons why she says collaboration and relationships are so important. “Criminals collaborate; share what they are doing and what works on the dark web. They work together to conduct the crime, so we must do the same thing to combat it.” She also points out that she has two mentors that she uses as a sound board. “A mentor must have your best interests at heart. As a mentee, you must feel safe to share your heart and soul, tell them how you feel and ask for advice. If you can’t be yourself and are scared to ask questions because you’re afraid of being judged, I don’t think it’s the right fit.” “Both of my mentors have seen me at my worst, but they believe in me and guide me. They know my strengths and weaknesses, when to push me, which is important to me.” “It is so important to have a mentor that has your back,

but also knows when to push your boundaries. My mentors encourage me to do things that I would otherwise not do and it always turns out well and feels good afterwards.” But mentorship isn’t everything, and Michelle nominates two other key things in a company that help women climb the ranks: flexible and supportive working conditions and female role models. “Everyone needs someone to look up to, so if you can’t relate to someone in a leadership position it can be hard to encourage yourself and aspire to be one of them. Having a female role model also subconsciously affects others, as it influences their perception of women in power.” With hopes of being a mentor herself, Michelle definitely has a wealth of work and life experience to be a good role model for others and fuel the fire of change in the industry. A wife and mother, who wanted to be a clinical psychologist when she left school and ended up in IT without regret, offers the advice to women starting out to think about what you’re good at and reach out to people in the industry. “Join an association and decide where your strengths lie. If you love being surrounded by people then perhaps a front line fraud investigator may be a good option. If you’re inquisitive and like delving into data then perhaps Cyber Crime Analytics is right for you.” “Those who succeed in this industry are willing to take risks, give things a go and also know when to reach out and collaborate. Big networks rule.”

Australian Security Magazine | 33

Women Women in in Security Security

Think like a criminal She works for one of the ‘Top 50’ global banks with operations where there is almost always a state of emergency somewhere in the world; but Melissa Wilkey says this isn’t her most challenging role.

T By Kema Johnson Correspondent

34 | Australian Security Magazine

he Manager of Group Security at ANZ says being a parent has been the most challenging, perplexing, intense but also the most rewarding role she’s had. “My greatest achievement is remaining happily married for the last 20 years - and during that time, David and I have produced two bright and precocious children, Emma, aged seven and Max, aged five,” said Melissa. With a penchant for dissecting mechanical and electrical household items as a child, and after a ‘foundation stone’ conversation her grandad, at the age of 14 Melissa researched and identified the Mechanical Engineering degree at Canterbury University in Christchurch and set her mind on completing that. Fast forward a few years and she indeed graduated with an honours degree in Mechanical Engineering and went on to work in a large engineering consultancy firm in Auckland where she was introduced to the world of construction. “I spent a couple of years designing and overseeing construction of air conditioning, ventilation, heating, escalators, lifts, plumbing and drainage, and other building services systems, and then began project managing contractors, engineers, and leading business discussions with

clients,” she said. “My consulting work covered a number of industry sectors including government, education, banking and finance and corrections. I have the dubious privilege of having worked on 14 of New Zealand’s 18 prisons!” Through her years of construction, contract and project management she casually but professionally slid her way into security risk consulting, where she met Jeremy Eggleton, Principal -Security for Opus International Consultants Limited. “Jeremy became my teacher, my mentor and my friend. Amongst other things, he taught me to think like a criminal,” she said. “Effective security design incorporates a significant amount of behavioural analysis – this was never as clearly demonstrated than when we were designing prison complexes.” “Inmates have 24 hours a day to figure out ways to escape, hurt other inmates or correctional officers, or even hurt themselves. As a designer you have to anticipate how the building can be used, and how emergency response plans will unfold within them.”

Women in Security

“Effective security design incorporates a significant amount of behavioural analysis – this was never as clearly demonstrated than when we were designing prison complexes.” In 2002 Melissa was Runner Up in the Institute of Professional Engineers New Zealand Young Engineer of the Year Award and it was at this stage of her career she decided she was going to swap her steel capped boots for high heels and jumped across into corporate risk management world. Being part of ANZ since late 2002, Melissa says her job gives her a sense of making a difference every day. “I am at heart a ‘protector’ and ‘builder’, so the role of providing or improving safety and minimising risks to people is very satisfying.” “I love that every day working in security is different – every incident, event, and issue is unique.” As my curiosity gets the better of me, an example of a unique issue, Melissa explains, is a blended attack. What’s that you may ask? To put it simply, a blended attack is a threat scenario, which can play out in the both the physical world, and in the digital world or cyber space as one may call it, either consecutively or simultaneously. “Blended threats require an enterprise-wide response for prevention, detection, recovery, and business resilience. Blended threats may be global or domestic in both source of origin and sphere of influence,” she said. “An example of a blended attack is an event that occurred in October 2014 – a number of affiliated issue motivated protest groups planned in the digital space a co-ordinated physical occupation of ANZ Centre, the global headquarters in Melbourne.” “Unlike previous events, this protest action was not advertised in social media which would have enabled proactive security preparations to be made.” “More than 50 protestors entered the public foyer of the building in pairs, or individually – some wearing casual clothing, others dressed in corporate attire, others as tradesmen – and gathered in a ‘flash mob’ style in the centre of the building foyer.” “The protestors remained there all day, and were ‘live streaming’ to a local radio station; various Twitter feeds, and Facebook posts. Digital and physical protest; simultaneously.” “It was a very stressful day at the office, but delivered successful management of the security risks to our staff.” Giving credit to her mechanical engineering background, Melissa says her engineering consulting experience gives her strong problem-solving skills, structured and methodical approaches to getting things done. “My corporate experience has given me the ability to make an omelette without breaking all of the eggs in the carton.”

“Whilst technology can be incredibly liberating, it can also open up another field of vulnerabilities. There is now an even stronger drive to integrate the various speciality risk management areas to more effectively treat the new and emerging threats.” A stellar career path riddled with achievements, learning’s, hurdles and successes, Melissa is set for a fresh challenge, transferring to a new role at ANZ in the Global Payments and Cash Operations team in the near future. “The role has a mixture of business continuity management, crisis management and process improvement responsibilities and is a great opportunity to flex my risk management skills in another direction.” While she does believe it’s harder to climb the ranks as a woman, mostly because of the pressure women place on themselves to have it all, she says, “you can have it all - just not all at the same time.” Her advice is to be tenacious, and be yourself – clearly speaking from experience.

Australian Security Magazine | 35

Women Women in in Security Security

The modern ‘Sherlock Holmes’ of the cyber world…in Silicon Valley

I By Kema (Johnson) Rajandran Correspondent

36 | Australian Security Magazine

t’s no secret that information is power and it’s this notion that has sustained the initial interest in cyber forensics for young Security Engineer, Prima Virani. With an interest in information security and forensics from an early age, Ms Virani was drawn to the cyber security domain, much like Sherlock Holmes to a difficult case. Originally from India, she left her parents and moved to Perth to chase her dreams and complete a Bachelor of Science in Information Technology. For those who aren’t too tech focussed, the world of cyber forensics may not seem so self-explanatory. Virani explains that after a crime occurs, a computer or network forensics analyst would be responsible for gathering evidence from a suspect’s workstation or mobile device of the network their workstation was on – in simple terms, playing Sherlock Holmes but on a computer or a network. While she says it’s an ever-changing field with big challenges, it’s exactly these facets that make her love her work. Virani has worked in a couple of different roles, including Information Security Coordinator at INPEX before country hopping again, this time to the USA. “My role at INPEX entailed a variety of infrastructure security-related tasks such as daily monitoring and analysis of security logs, reviewing infrastructure changes from security point of view, vulnerability management, building and deploying firewall clusters etc,” she explains. “In the short career of mine, so far the biggest highlight

has been to be able to crack through the job-market in the USA and land my job at Pandora Media Inc just a couple of months ago.” While only being in the USA since April, Virani says the opportunities are better, especially in the Silicon Valley, San Francisco Bay Area, where she’s based with Pandora. “There is so much innovation and so many emerging companies right now. I hear that the area is going through another tech-boom at the moment and this one being much better and much more stable than the one in the early 2000s.” A hard-working, intelligent individual, Virani never stops learning but doesn’t forget the help of others in her achievements so far. “My supervisor at INPEX, Eric Appelboom, I reported to him directly for the last couple of years. I have learnt 75 – 80 per cent of what I know today in my job from him – mostly technical things and a lot of non-technical things like organisational, and political as well.” “My only previous role to INPEX was in Incident Management support at a University and the experience gained from my degree. It definitely helped to know the basics well but I have learnt the most on the job.” Cyber forensics has become a popular topic in security and aside from the knowledge of IT technology, Virani says it is important to be adaptable and learn things quickly, particularly as it is becoming one of the fastest growing and in-demand areas of security.

Women in Security

“I think of the biggest benefits of social media is that the youth are a lot more aware not to generalize and stereotype racially which in turn eliminates a lot of hatred against certain communities and races, which means there will be a lot less people left out or sidelined.” “The word ‘hacker’ only started becoming popular about 4-5 years before I completed high school. Statistics dictate that identity theft is on the rise. It’s been steadily increasing for the last 4 years now. With the amount of information about people out there on the internet, it’s easier now than ever to steal someone’s identity.” “It’s very hard being specific about laws regarding IT since it moves so fast, I think we have enough laws to cover most of the basics.” “If we did have binding international laws, it would more likely mean that a few countries would benefit out of it and the rest would fall victim to it.” “I believe in the larger scheme of things, the internet is the last place right now that should become just another politically controlled environment.” With the rise, popularity and dependence society has on social media today, some would say that it’s made it easier for law to be broken, identities stolen and terror to spread however Virani says its affecting us in great ways. “I think of the biggest benefits of social media is that the youth are a lot more aware not to generalize and stereotype racially which in turn eliminates a lot of hatred against certain communities and races, which means there will be a lot less people left out or sidelined.” “With the availability of so much information out there it’s increasingly harder for the political leaders to misguide people about what they’re doing and the impacts of it. Collectively it’s definitely helping stop feed the beast of terror and hatred in the long run.” With the support of her parents, Virani is striving ahead ready to take any opportunities as they arise and says she hasn’t yet experienced any difficulty or roadblocks due to her gender. “Technically no, but culturally sometimes it seems like it is harder, however I don’t think I have enough experience yet. If you ask me in five years time, I would have an answer.” A statement which could be down to the fact she is early in her career or it could be a sign of changing times – a fast growing area that could just as quickly be leaving behind the stereotype that it’s a male dominated field. Let’s hope in five years time, Virani’s answer remains the same but progressed; that technical skills are more important and valued than ones gender and that it no longer “seems” hard to be a woman in the field.

Prima Virani - Security Engineer.

Australian Security Magazine | 37

Women in Security

Championing for open source collaboration

H By Chris Cubbage Executive Editor

38 | Australian Security Magazine

aving been fortunate to be in California’s Silicon Valley courtesy of NetEvents Global IoT and Cloud Innovation Global Summit, I took the added opportunity to stay on for a few extra days and catch up with our June/July 2015 ‘Women in Security’ series participant, Prima Virani who was scheduled to speak at the Structure Security Conference in San Francisco. When we first me this 25 year old Security Engineer graduate at an Australian Information Security Association meeting in Perth, Western Australia, in 2014, she was just 23 years old and starting out her cybersecurity career having graduated from Murdoch University and with the aspiration to head off to San Francisco. Within just two years, Prima has not only found herself on a small security team for a major American brand in Pandora Media, a music analysis application that personalises music according to the listener’s taste, but alas we find her speaking on stage being interviewed Bob McMillan, computer technology reporter with the Wall Street Journal and fellow security engineers Nick Anderson of Facebook, Hudson Thrift of Uber and Leigh Honeywell, security lead with the collaboration tool, Slack. Open source software and security collaborations are being increasingly advocated for small to medium sized

companies that are essentially growing so fast and at such a speed that their focus is on developing their product and they primarily also have to be working on product security. As Prima elaborated, “they have to protect their infrastructure but with a small team that don’t have expertise or resources in all areas, and so there is a need for more support and this is where open source can contribute a great deal for fast developing commercial products.” This thinking is supported by the likes of Facebook’s Nick Anderson who has also seen the advantages of open source, highlighting that “with the build up of open source communities, there are bonds being built, with problems being solved and often with the common intent of improving a product so it works better for them, just as much as for you.” As Prima also asserted, “one of the biggest advantages of open source communities is giving the capability of scaling. It doesn’t come with a hefty price tag and it makes the company better prepared if the product takes off quickly.” One of the key outcomes of the Structure Security event was to highlight that there has never been a greater liberation of information and a greater variety of choice for infosec workers and this is in contrast to the traditional ‘lock it down’ and ‘restrict access’ approach. Some of the favourite open source tools being touted included OSQuery, touted as

Women in Security

'Whereas Perth and Australia may be tending to just follow the template. Perth was also very focused on just a few key industries, such as Oil and Gas, where in Silicon Valley there is a multitude of industries but a majority of them here are in the technology domain. If you threw a stone in San Francisco, 70% of people you hit would be a techie'

having a Swiss army knife capability, while others included Box and BlastAlert. Aside from the championing for open source adoption, the panel also showed that Women in Security is a little more balanced in the US than possibly Australia – we still see industry panels made up on only men. Having spent a couple of years in the USA now, Prima has found there is really a different attitude to security engineering in the US than in Australia. She points out that a lot of the companies in the US are ‘huge’ brands and super resourceful in terms of the kind of people they hire and the creativity they are prepared to try. “There is a younger workforce and the transition out of college and university into the industry is quite straight forward. Whereas Perth and Australia may be tending to just follow the template. Perth was also very focused on just a few key industries, such as Oil and Gas, where in Silicon Valley there is a multitude of industries but a majority of them here are in the technology domain. If you threw a stone in San Francisco, 70% of people you hit would be a techie.” The approach taken in the USA is likely to be different to that to the company next door and there is greater diversity in thinking and openness to different forms of thinking. Despite that, being in America you do need to be careful of group think and ‘over’ Americanisation. With Prima’s current role on a five member security team, her tasks include infrastructure security, incident management, endpoint and network security and information security program management. For a young adventurist and an average Aussie who wanted to head out and see the world, it hasn’t been that much of a challenge. “My move to the USA wasn’t so much about the job, it was more about the lifestyle and the experience as a whole. I travelled to San Francisco about six months before moving here and stayed for a week, which was enough time to fall in love with the place. When I got here I stayed in a hostel for a week and then a friend’s place before I set myself up in a studio apartment.” “After I had made up my mind that this is where I wanted to come to, it took about four months before I got a positive interview. Most of the companies weren’t even considering my resume because they didn’t understand the

visa requirements and the ‘Valley’ has enough engineers being developed that they don’t really have to be looking outside of the country, unless the company is being very particular about who they’re looking for. Despite a lot of talk about the cybersecurity skills gap, there is still limited risk being taken to employ from outside the country and how immigration and work visas can be in America. I was fortunate to get an E3 Visa for Australians living and working in the US.” Prima highlights the importance of developing a local network, having had a friend in San Francisco through whom she was able to connect with more friends and by keeping in touch, this network continued to grow and become a support and friend based network. One channel that proved most useful was ‘Meet-up.com’ which connects industry professionals and special interest groups. Prima took a focused approach, “I like to attend events that are of interest and meet people that way, rather than randomly showing up and meeting people at random.” Importantly, Prima confirms her education in Australia grounded her very well and established her with the required skills to at least 70 per cent in some areas but like any graduate, achieved only 50/50 in some other areas. “I was fortunate to have had some experience first in Perth where I laid my foundation. Had I been thrown into this pool at the outset then I may have not had the perspective as I do now, as I now have a wider perspective and it helps to a degree with a global brand like Pandora. But the relevance is subtler than a direct skill base.” Parts of San Francisco can be intimidating and took a while to get acclimatised. “The gun situation in the US still frightens me to a degree and in that sense Australia is so much better. But that aside there is so many more opportunities here outside of work in technology.” Prima has an active and expanding interest in Art, poetry and performance dancing and she is multi lingual in English, Hindi and Gujarati. Despite being young, she has taken on coordination roles, including for an industry group called ‘Ladies who Linux’. “There is a great sisterhood building here and a key mentor for me as been a fellow Aussie, Tammy, and I find my interests and work feed off each other and supports each other.” With this type of dedication, participation and skills development, we’re proud to have an opportunity to follow up on Prima’s progress and success. We hope this inspires other Australian women and cyber security professionals to get active and seek out their aspirations, be they local or overseas. The opportunities abound!

Australian Security Magazine | 39

Women in Security

From law to cyber security With Rachael Falk Director of Technology, Security & Strategy at .au Domain Administration Ltd Rachael practiced as a lawyer in Australian and overseas law firms before commencing with Telstra. Moving from legal to cyber security, Rachael had several roles in Telstra Security Operations, including National Security Advisor. Now in a new executive position, Rachael has a clear remit to shape auDA's role in the cyber security ecosystem both with Australia and internationally. ASM: How did you get into the security Industry? I have always liked solving problems and challenges and when I was at Telstra, I became more involved in data breach issues and it became clear to me that cyber security was regarded everywhere as more of an IT problem. I saw an opportunity to change this and help the business understand that cyber security was a risk that everyone from the board down should understand and manage. So, I was offered a one year secondment from Telstra Legal to Telstra Security Operations and it was a great move. Telstra hired a new CISO in 2013 who had a very strategic approach to cyber security and approached it as a business risk. Since then, I have never looked back. ASM: How did your current position come about? The .au Domain Authority (known as auDA) is both the regulator of and manages the .au domain zone and it has gone through a period of transition over the last 12 months. They wanted an innovative approach to security and to play their role in Australia’s cyber security eco system. I had left Telstra and was enjoying a long break but the opportunity to help shape a different cyber security narrative was too hard to refuse. ASM: What are some of the key challenges you think the industry is faced with and what difference do woman in leadership roles make to meeting these challenges? The key challenge is for leaders to understand that cyber security is a risk that can be effectively managed but the tone is set from the top. Leaders who demonstrate that they care about customer data, they invest in effective security outcomes and that they have thought about how they can recover from an incident is critical. I still think there is far too much reliance on a magical technology solution or for compliance frameworks to solve this issue. Compliance does not equal security and putting a whole bunch of tech toys in your SOC (Security Operations Centre) does not equal effective security. It has to be a combination of leadership, culture, good tech and awareness. I think women, no matter which industry they are in, bring diversity of thought. I see my key strength as not necessarily being female but being a former lawyer, who can think critically and can write in accessible English. So, I think we bring our backgrounds and a different perspective.

40 | Australian Security Magazine

ASM: Where do you see the industry heading and are women sufficiently or increasingly being recognised and respected? I see it heading towards hopefully a greater understanding that cyber security is a business risk. I think recent events have shown us that Australians are becoming more cyber aware and that they in turn should demand that anyone wanting to use and store their valuable data need to be accountable should it be lost or stolen. All of us (me included!) want to know that our valuable data is being protected at all times. And I want to know that the boards and Leadership Teams of all organisations that handle valuable data care about that data and build security into all that they do. I still see far too many conference flyers with all men in the photos and the fact that this seems to not be noticed by those conference organisers astounds me. But thankfully there are great men in the industry who share these views and go out of their way to promote women into leadership roles, recognize their talent and not attend those conferences. I think women to need to be confident and put themselves forward for events. ASM: Are you an active mentor or being mentored and how important has a mentoring framework been to you? I am a strong believer in mentoring both for me and for what I can give to others. There is nothing better than being able to bounce an issue or problem around with someone else. It is great therapy but also broadens your perspective. There are a range of very talented women I talk to within the industry. Some are still students right through to working in cyber security. I see my role as bringing others through with me and where I can connect them with other people in the industry or help create opportunities for them. I also like sharing information or ideas with them. As for me being mentored, I have a panel of advisors (not sure they all know they are on my panel!) because I do often ask for advice on a particular issue or situation but I am a strong believer in being open to different perspectives. I am very fortunate to have a wide range of people I can call on should I have an issue or question. ASM: Do you have a particular agenda or focus that you would like to highlight? I see great opportunity and challenges in cyber security. It is a great area to work in although when I was admitted to practice law 20 years ago, this role didn't even exist. The importance of cyber security is a leadership issue that needs to be addressed at a board level but also filter down an organisation. I also don't mean that boards should be bombarded with what I call ‘packs & stats’ which traditionally involve lots of ‘attack’ and ‘threats’ numbers in large packs. Do that with a board or leadership team and you are in eye glazing over territory. Engage all leaders with stories about the impact of losing valuable data both at a customer level and at a reputational level. You need to engage the hearts and minds so that the organisation understands that cyber security is a business essential and not an optional extra. My second point would be that diversity within the industry is key and we need to involve key men in the industry because those with strong voices pave the way for others as well. ASM: What do you do when you're not working? I work full time so far too much cleaning!! I enjoy cooking, reading, being with my kids (when I can get them off devices) and planning our next holiday (where no one seems to agree on any destination). I am afraid I'm not a good example of work life balance but having a good long break last year really made me appreciate the little things.

Women in Security International

Uniquely placed to lead mission critical information systems With Christine Zeitz Managing Director of Leidos Australia

ASM: How did you get into the security Industry? I’ve been working in the defence and security arena for most of my career, spanning 25+ years. I landed a graduate role at BAE Systems, and while I didn’t target the defence and security sector, I have become committed to the mission of defence and security and couldn’t imagine leaving the sector. ASM: How did your current position come about? I joined Lockheed Martin (LM) in August 2015, where I managed LM's Information Systems and Global Solutions (IS&GS) business in Australia and Asia Pacific, then the business merged with Leidos in August 2016 and I was appointed the Australian Managing Director. ASM: What are some of the key challenges you think the industry is faced with and what difference do woman in leadership roles make to meeting these challenges? There are daily reports and accounts around the security threat our country and our allies face. Security is the priority of the new US president and our Prime Minister has launched his new cyber policy. The current and most immediate threat we face is the security of our businesses and government. The security business is people driven. Without the right skilled people who have experience in areas like analytics and computer sciences we can’t operate. Resourcing this skill base is the key challenge. To counter the threat, we need to build the right skills and knowledge in the security sector. To this end, we need to access the whole talent pipeline, which includes both men and women. We are missing a large talent pool by not attracting women into this industry, we can't afford to do this. At Leidos, we have equal representation of women and men on my executive team. Through this leadership I look forward to improving the representation through the rest of our company. I am very supportive of the many focussed initiatives across our sector to improve the representation of women in our industry including women in security forums, STEM training activities and mentoring programs. ASM: Where do you see the industry heading and are women sufficiently or increasingly being recognised and respected? There is a greater need to collaborate with our allied countries. We also

need comprehensive tools to collaborate within the many agencies that exist in Australia to really make a difference. Regarding women in our industry the statistics are slightly better for government than industry. Frankly, the defence and security industry needs to do better. Defence industry employs around 15% - 20% of females. In leadership roles, there is even less women – sadly of the top twenty defence companies in Australia, I don’t believe I share a female peer in an MD/ CEO role. ASM: Is there anything else of importance to note about your current position/company? It is a really exciting time to be working in the Leidos Australia business. We have nearly 1,000 highly skilled people based in Australia, primarily in Canberra and Melbourne. This number continues to grow, as does our footprint across the country. We work on a wide variety of projects for Defence and the Australian Taxation Office (ATO) and have a culture of working hard and delivering critical outcomes on complex projects for our customers. Leidos Australia is uniquely placed to support clients' mission critical information and data analysis systems, as our heritage gives us a deep understanding of the outcomes required. We understand the role of major platforms in the collection of data, how to securely transmit large volumes of data, how to analysis the data and most importantly how to represent the data in a meaningful way to multiple audiences. This enables clients to make better decisions and improve processes based upon large volumes of data. The security of the data is critical to Government and commercial organisations alike. At the moment, we have over 100 vacancies based in Melbourne and Canberra so our business is in serious growth mode. What excites me is that we are building an enduring capability in Australia to deliver a long-term profitable business to our shareholders, while meeting the current — and future — challenges of our customers. ASM: What is your previously notable positions? Prior to joining Lockheed Martin, I was President of BAE System’s North East Asia region in Japan where I carried responsibility for government, customer and industry relationships for the region with annual orders of $US600M per annum. Before that, I was part of BAE System’s management board and held senior positions in logistics, strategy, business development, commercial, procurement, government relations and communications. I also held the role of Director of Defence Logistics in Australia (20102013) at BAE Systems was responsible for P&L of $A200m per annum, 1,500 staff, and 1 million hours of maintenance per annum across 26 sites. Earlier in my career with BAE Systems I held a number of senior procurement and commercial positions responsible for the negotiation, execution and administration of commercial agreements in a number of countries, including Israel, USA, Canada, Kuwait, UK and Indonesia. ASM: Are you an active mentor or being mentored and how important has a mentoring framework been to you? I strongly believe in the value of mentoring and actively do so. What is equally important is to become more of a ‘sponsor’ than a mentor. This means that you don’t just provide counsel, but you take an active part in supporting people by providing real career opportunities (where possible) and actively promoting them through your own networks. What do you do when you're not working? I am a bit of a football tragic so you can find me watching my favourite team - Port Adelaide. I also love the outdoors and sport. Spending quality time with my husband and two children is also very important to me.

Australian Security Magazine | 41

Women in Security

First in reverse for Australia

Noushin Shabab, Senior Security Researcher, Kaspersky Lab

oushin is Kaspersky Labâ&#x20AC;&#x2122;s first security researcher from the Australian and New Zealand (ANZ) region as a Global Research & Analysis Team (GReAT) member and is the first woman in ANZ that specialises in reverse engineering. With more than 5 years in the security industry, Noushin has been with Kaspersky Lab since July, 2016. How did you get into the Security Industry? I started my career in cyber security as a junior malware analyst a Windows antivirus team for a cyber security company called AmnPardaz. After a few years when I became more proficient in malware analysis and reverse engineering I moved to the companyâ&#x20AC;&#x2122;s newly setup antirootkit team as a senior malware analyst and software developer. The last role I had in AmnPardaz was leading a small malware analysis team of the Android antivirus product which was again a new project. I have always been fascinated by solving problems, especially with puzzles and board games. I learned computer programming relatively early when I was in middle school and in high school I competed in a number of national programming contests. By high school I definitely knew that I wanted to pursue a career in computing, so I naturally did a degree in computing in university. After finishing university, I was not specifically thinking of getting into cyber security but then my first professional role happened to be with a cyber security company as a malware analyst. As I started to work in this field I realised

42 | Australian Security Magazine

itâ&#x20AC;&#x2122;s something I really liked to do and I continued in this field since that time. How did your current position come about? I was looking for a job in cybersecurity specialising in my field of reverse engineering. There was a slim margin of jobs in that field. However, after a few months, Kaspersky Lab placed an ad offering a researcher role in cybersecurity. Unlike the other interviews I attended, Kaspersky Lab was the only company to actually examine my technical skills, especially with my niche in reverse engineering. A tough piece of homework was given to me to solve after my first interview. Although it was a malware written in a programming language I was not familiar with, I jumped at the chance. Vitaly Kamluk, my direct manager who previously worked for INTERPOL, said my results exceeded his expectations and that was how I landed my dream job! What are some of the key challenges you think the industry is faced with and what difference do women in leadership roles make to meet these challenges? We in cyber security industry are all fighting with cybercrime and a very important challenge in my perspective, is how to join our forces to win this battle against bad guys. Countless cases showed that cyber criminals are very skilled today and for the industry to be able to overcome their skillset, broad and diverse vision in this field is essential. This is where I believe women bring the solution by addressing this diversity in the point of views.

Women in Security

Where do you see the industry heading? Being in GReAT we often have to predict what will happen in the future to protect our clients and consumers. With our colleagues and company efforts, Kaspersky Lab launched Earth 2050 recently. We have brought together men and women of art and science, dreamers and innovators, to predict the world, technology and cyber threats of 2050. One of my favourites is the example in Shanghai. Once the experiments with spray-on fashion had proved to be successful, designers begin to consider the possibility of creation of similar clothes. Here are a few predictions - In Canberra, Australia, Kaspersky Lab predicted what we can expect in 2030: • Intellectual advertising is spreading everywhere: With Big Data, there is an opportunity for marketers and advertisers to change the content of the advertising message depending on the preferences of people who are closely matched. There is concern about the massive use of these technologies as personal information being involved in global project, threatens the privacy and protection of personal data. But business interests seem to override for now. • Cyber insurance becomes habitual: Accelerated transition to digital business makes cyber threats one of the major global problems of commercial companies. Big data enables real-time monitoring and evaluation of the level of danger and partial management of IT-risks of traders. All major insurance companies are now advertising cyber insurance. • Students are now going to the virtual space: Today, 80% of higher education takes place online, making physical space of universities and colleges a very questionable concept. However, the remaining 20% are adherents of traditional higher education system based on direct interaction with a professor, but it is becoming more elitist and expensive.

Noushin Shabab Senior Security Researcher, Kaspersky Lab

Are you an active mentor or being mentored and how important has a mentoring framework been to you?

in cybersecurity, I believe that women are getting more

When I start working on a research, I try my best to complete it in the most efficient manner. However, as we see new challenges every day in this field, we are constantly learning and seeking assistance from colleagues especially from those who are more experienced. A 100 per cent of my cases are worked on by myself. However, being in a junior role compared to my peers who have had extensive experience, the occasional assistance is needed from them. Are women sufficiently or increasingly being recognised and respected? Although at the time this field is almost dominated by men and in cyber security events you can barely see women, but with increasing number of events which intend to engage more women in cybersecurity, I believe that women are getting more recognition and respect in this industry. A very good example is that we in Kaspersky Lab hold these sort of events from time to time. There are lots of experienced women or at least interested in this area and it’s important to encourage them to show up and be more active.

"... this field is almost dominated by men and in cyber security events you can barely see women, but with increasing number of events which intend to engage more women

recognition and respect in this industry." What has been some of your recent highlights? This July, my latest report on a resurgent threat actor targeting South China Sea going by the name Spring Dragon was presented at my biggest event to date at INTERPOL World, Singapore. It was also shared at the upcoming Cyber in Business Conference 2017 held in Sydney at the end of July 2017. I’ve also been invited to present my research at the ARN Edge Conference 2017 to target the channel which I’m quite excited about. For more information, SECURELIST is our go-to for all published reports the public can read and anything further can be found on the Kaspersky Lab website. What do you do when you're not working? I actually quite like going to the theatre. I was also raised in a family with a great passion for literature. Every piece of work from Persian literature has had a great impact on my world view. For those poetry lovers out there, I highly recommend The Shahnameh Ferdowsi.

Australian Security Magazine | 43

Women in Security

Catwalk to tech-talk Insights with Kan Tang, Distinguished Technologist and Worldwide Chief Technologist for DevOps, HPE Software Services

Kan Tang CTO, HPE Software Services WW DevOps

By Kan Tang CTO HPE Software Services, WW DevOps & Chris Cubbage Executive Editor

44 | Australian Security Magazine

am the kind of person who loves to learn, but when I have learned something I want to move on to the next challenge. I commenced my technology career in coding, as an Application Developer and moved on to become an Application Architect, then Solution Architect. This allowed me to be increasingly exposed to IT operations. With a desire to balance my knowledge between Dev and Ops, I moved to a project with Sabre Airline Solutions, one of the world’s largest Airline suppliers and worked on their operational side of the business. This involved configuring Network Interfaces, IP address, Network security, firewall, load balancer, Disaster Recovery, proxy server and so on, which provided a greater sense of what operations are about. It has been a benefit to start out as a Coder and Application Developer. In DevOps, if you want to maintain some credibility, you still need to be somewhat hands on. You have to get your hands dirty, otherwise you’re just talk. I worked on a lot of heavy duty Java applications early on, including with American Airlines, General Motors, Adobe, Disney, FedEx Office, Delta Dental, Shell, US National Veterans Healthcare and each in different industries. In my early career, I spent most of time in technology, but I realised that a lot of inefficiencies are actually in the processes. When I was at FedEx Office, I was involved with Agile software development and took a role of Master of Scrum Master for their Agile transformation. I learnt a lot of the ‘good and bad’ of software development, testing and operations, as well as people and team dynamics. It is a challenge to keep the team focused, innovative and working together, with different personalities and hierarchy of the organisation, including working with the senior level executives. I then worked for Disney, as a Lead Chief Technologist and assisted in the build of a $1 billion system, called Disney NextGen Experience (NGE) using Magic Band, with a focus on designing for the Media group. The system was

architecturally challenging, with multiple programs and we used the HPE Fortify for the code scanning. The Magic Band is effectively the key to the kingdom and can be used for all transactions, be it to access your hotel room, make purchases, as well as set up the allowance for your kids. For the Media Group, we were designing how to use the band to link to guests’ media which include photos, videos and eBooks. As you tour Disney and have a photograph/video taken, you can access it immediately from your mobile apps or within the minute can walk into a view station, see your media, as well as allow you to do editing including rotations, black and white, cropping and add Disney Characters to your photos. When we evaluated these use cases, we asked; what are the security risks surrounding this? At the beginning, being the Media group, some asked; what has this got to do with security? However, the architecture leadership team determined that these media are the company’s most important Intellectual Property that can be stolen or manipulated. Or by an attack, such as SQL injection attack, you can manipulate the resolution. The images were able to be displayed in low, medium and high resolutions, with the highresolution images requiring to be purchased. We would only allow the low-resolution for guests to choose their preferred images. But by SQL injection or with privacy violation, with this level of access you could allow free downloads or downloads of other guest images. This type of unauthorised access could be used for all kinds of nefarious things. So, the DevOps team ensured they were conducting code scans and checking the code for these types of vulnerabilities. Identifying and accepting these types of ‘user’ behaviour risks was a cultural change for the team to appreciate the wider risks involved. This is where the HPE Fortify allows architectural teams to build, test and verify the code, often multiples of times to truly force the team to meet security requirements,

Women in Security

"I then worked for Disney, as a Lead Chief Technologist and assisted in the build of a $1 billion system, called Disney NextGen Experience (NGE) using Magic Band, with a focus on designing for the Media group. The system was architecturally challenging, with multiple programs and we used the HPE Fortify for the code scanning. " as part of the build process and throughout the pipeline. The automation captures code vulnerabilities earlier and makes sure the fixes are made before verification. We have successfully launched Disney NGE with an enormous impact on the guest experience. When the NGE launched, millions of Disney guests enjoyed their online editing on their photos and keep their precious memories with Disney characters that they customized to their own photos. Industry has not put enough focus on Application security. Gartner Maverick Research, found that 84 per cent of breaches exploit vulnerabilities in the application layer, yet the ratio of spending between perimeter security and application security is 23-to-1. This is confirmed by Forrester’s recent research, which also determined that Security pros should be alarmed at the growth in breaches

through web apps which rose from 7 percent in 2015 to 40 percent in 2016. Another area that is often lacking is identifying the security non-functional requirements of new applications. In a security context, culturally people are often not attuned. They may be a developer who is in a different mindset - they have enough to do and focus on, so can’t be thinking about the broader security context that the application relates to. Security is also often seen as ‘the police’ who are there to stop innovation or creativity and so don’t get invited early in the DevOps process, as they are viewed as not being needed, yet. It is a cultural aspect of the industry to exclude security. From a skill set, there are a lot of developers who understand functionality requirements, they understand nonfunctional requirements from performance and scalability aspects, but a lot of them ‘don’t know what they don’t know’ and that is they don’t understand the Application security part. I see it is very weak in the industry and it is a huge opportunity to really understand the non-functional security requirements that need to be captured at the beginning of DevOps projects. Diversity and Mentoring I’ve now been with HPE for 17 years and have worked mainly in the services role, often with a client for two years and working on their projects from beginning to end, and then moving on to the next account. Now I’m in a worldwide role in DevOps space and find I’m not as project focused, travelling extensively for the face-face contacts. Still nothing can replace the face-face relationships. I’ve found that the higher you go, the less females there are, so I’m one of very few females in the CTO role. I’m very blessed to have a leadership group which supports my development, including the opportunity to attend the

Australian Security Magazine | 45

Women in Security

Our Solution: HPE Enterprise DevOps Operating Model

Harvard Business School Leadership Programme. This is where I learned about strategy. Working with Harvard Professors there was two key things I learned. First, what strategy is, three basic elements: Objective=End goals; Scope=Domain; Competitive Advantage=Means. These three areas you have to get very clear, so you have a full understanding of the state of play. The second thing I learned is to have passion for customers. This involves thinking on behalf of customers or having their long-term goals and perspective in mind and also responding to customers quickly. Though this doesn’t have to be providing an immediate answer, but acknowledging their question and keeping them informed as you undertake to provide it to them. I am involved with mentoring, including mentoring many women in IT. I mentor not just HPE personnel but also external women in IT across the world, and this is both formal and informal. Mentorship is a bi-directional relationship. People often say: find a mentor so you can excel. I always believe when you excel, you will find a mentor because people like to invest in people with future potential. In my early career, I decided to follow people with integrity, competency and energy regardless of their level or title. That was the best decision I have ever made in my career. Those people I called mentors made me who I am today. I had a very unusual career change, many years ago, while I was at College, I did five years professional modelling and so I wrote a paper on Linkedin, ‘My Journey from a Fashion Model to a Chief Technologist’ to provide insight and my personal experience for those who transition into technology from other careers. I am very fortunate to be mentored by many senior leaders and this helps get guidance on my own career aspirations. One valuable lesson I learned from my mentors is the bigger the challenges, the bigger the opportunity, the bigger

46 | Australian Security Magazine

the learning. As long as I’m learning and I will always welcome the next challenge. As it happens, as at September 1, 2017 HPE Software will formally transition to be Micro Focus. I’m looking forward to this business challenge and the opportunities the transition brings. Kan Tang, CTO, HPE Software Services WW DevOps As a DevOps CTO of Software Services, Kan is responsible for the strategy of the DevOps in HPE Software Services through a deep understanding of customers’ challenges and business requirements, the market, the industry trend, competitive landscape, HPE & HPE Software strategy and software services portfolios. She contributes to thought leadership vs. internal and external presentations, webinars, blogs, and social media. She actively participates and represents HPE in HPE-sponsored and industry events. She has won many awards such as “Distinguished SE” Award, GM CIO Supplier Award, Global Diversity Pacesetter Award Nominee, Outstanding Contribution to Disney NGE Award, One PS Award worldwide winner, Debut of the Year worldwide winner, world-wide Leadership Star Award, Innovators at Heart and many Client Service Awards. She also won several innovation awards at HP TechCon. She was invited as a guest speaker at Korean CIO Forum for DevOps in 2016 and Keynote Speaker of Secure DevOps in Australia Government Summit in 2017. She graduated with a Bachelor of Engineering degree in Electrical Engineering, and a Master of Science degree in Computer Science from Rensselaer Polytechnic Institute, NY, US. She recently graduated from Harvard Business Leadership Program. She was a musician and a track & field athlete. She is interested in IoT, 3D printing, Forensic Science, Media & Entertainment and psychology. She enjoys reading, writing, teaching, sports and activities to support women in technology.

Women in Security

Looking to commercialise innovative cyber security or physical security related technologies?

GET IN TOUCH www.securityventures.com.au

Australian Security Magazine | 47

Women in Security

Journey to customers:

HPE SECURE DATA’S INNOVATION, APPLICATION & SOLUTION Insights interview with Tammy Schuring, Vice President of Sales, Hewlett Packard Enterprise

W By Chris Cubbage

48 | Australian Security Magazine

hen discussing the focus for data security at Hewlett Packard Enterprise (‘HPE’), it becomes apparent that the worldwide news and headlines of cyber-attacks over recent years, remains a prime motivator for treating the risk of a data breach. Based in Silicon Valley, Tammy Schuring, Vice President of Sales for HPE Security – Data Security, came into the role in 2015, having dedicated over a decade to growing a loyal customer base. Tammy continues to evangelise a fundamental security approach, protect ‘the data’. Tammy was in Australia meeting with customers to provide her own insights into the capability of monetising data—be it personally identifiable information, healthcare, financial or similar sensitive information. Tammy asserts, “unfortunately, companies the world-over are faced everyday with the daunting realisation that it’s not a matter of ‘if ’ they are breached, it’s a matter, ‘are’ they being breached now, have they ‘already’ been breached or are they ‘about’ to be breached. It’s a change in mindset. Whether it’s an insider threat, or a cybercrime organisation that’s patiently looking for a way to get in or that is already syphoning off data. It’s stepping out and saying at the outset: it’s not a matter of whether we can keep them out, we need to start seeing through the lens of its already happening.”

INOCULATING SENSITIVE DATA HPE is attacking the data protection problem right at the heart of a much-needed solution. Tammy explains, “What we do at Data Security inside HPE is inoculate sensitive data, so when it’s in the wrong hands, it cannot be used against the customer, be it a company or person. The ability to take sensitive data that the cyber criminals can use, to create money, be it a fraudulent tax return, or credit information, and protect it yet have the data retain its format and its logic inside the company, is huge. This way, if the protected data gets stolen, it cannot be monetised. It cannot be used somewhere else – it’s not actually the real data.” Typically, when encryption or tokenisation is applied, it transforms the data into an unusable, very long string—be it a 256-bit or 128-bit string; and applications cannot function with de-identified data. HPE SecureData has enhanced the cryptology in such a way that when the data is de-identified, what comes out the other side retains that expected format. It retains the logic, as a random set of numbers or letters would otherwise not present. For example, HPE’s Secure Data will pass Checksum, in the case of PAN (primary account number) data. “The other key element,” Tammy highlights, “is it can

Women in Security

“There are specific aspects within GDPR that deal with data protection, and I am talking about pseudonymization. If you leverage this, to a great extent, it is almost the 'get out of jail free' card."

also retain data relationships, with what in technology is called, ‘referential integrity’. By preserving the referential integrity—your relationship to your address, phone number, your credit card data, your account number, your health data—all of those relationships are preserved, even when we are encrypting or tokenising those elements. Metadata can also be preserved, and that’s an aspect of its logic. The ability to retain as much of the principals of the data. Companies can start to operate on the de-identified data and you will find companies typically have 50 and up to 120 data types that are viewed to be sensitive data.” “We’re taking the threat surface and drastically reducing it.” As an analogy, Tammy commonly likes to use, “it is gold versus fool’s gold – we are figuratively transforming the gold into fool’s gold. It looks like gold, it acts like gold. The data ‘shimmers’ throughout the system; but when the bad guys steal it, they spend a lot of money and time trying to monetise it and they simply can’t—because it’s not real data, but it absolutely looks like data.”

Tammy Schuring - Vice President of Sales for HPE Security – Data Security

ABILITY TO DECIDE ON SECURITY HPE SecureData has built a loyal customer base across a wide range of industries, with the standards-based technologies of HPE Format-Preserving Encryption (FPE) and HPE Secure Stateless Tokenization (SST). HPE FPE is an encryption technology that preserves the original data format in the encrypted state, as well as context value, relationships and meaning, enabling business process and secure analytics. HPE SST provides advanced data security without token databases. HPE SST improves speed, scalability, security, and manageability over conventional and first-generation tokenization solutions. These technologies protect the data, and the protection is carried with the data itself – wherever it goes – in-motion, at-rest, and while in-use. Tammy described how customers have the ability to decide, from a rules perspective, how they want the de-identified data to appear, either once it’s been encrypted or decrypted, she said, “One of the things customers can do is called ‘obviously protected’. They can choose to transform it, perhaps as an example, add letters and visually see that this is in fact not the real data, so there are ways to decide, for a particular attribute of the use case or bi-product of the system.”

PSEUDONYMIZATION MEETS GDPR There are a number of regulations that companies must comply with, such as PCI DSS (Payment Card Industry Data Security Standard) through to the emerging regulation of GDPR (General Data Protection Regulation), and a wide range beyond that. Tammy notes, “At the end of the day, interestingly, regulations and audit compliance may be only pointers in the right direction. Just ask any compliant company that has still experienced a data security breach.” Tammy assured, saying, “If anybody believes that compliance equals security, just go read the news any day of the week. Customers are able to leverage our solution to greatly reduce their compliance scope and save personnel hours, and that’s not even the best part of the story.” “The best part of the story,” Tammy says, “is where they end up at the other side. It is truly addressing the risk. The

Australian Security Magazine | 49

Women in Security

“When you look at the difference in the innovation, in regards to encrypting and keeping the format the same, versus bloating it into a 256-bit string, that impact is minimal. We’ve been deployed with two of the biggest card brands in the world, with every single card transaction related to them. The ability to be in every single transaction means it has to meet requirements in performance and scale. " itself cannot be monetised. The ability to leverage the format preserving encryption and format preserving tokenisation, that we bring to the market, enables them to protect the data at capture and keep it protected throughout its lifecycle. There’s no longer a need to decrypt it to determine where it goes next. It ends up staying in it's protected state. GDPR will greatly impact how companies will deal with data, going beyond just fines and protecting personal information, but opening avenues to a world of lawsuits and empowering the individual to take action. Up to four percent of a company’s annual turnover (Article 83, GDPR) is potentially at risk, so the stakes are tremendously high. Tammy explained, “There are specific aspects within GDPR that deal with data protection, and I am talking about pseudonymization. If you leverage this, to a great extent, it is almost the “get out of jail free” card.” Tammy said, “If you are taking this personally identifiable information as defined by GDPR, and you’re leveraging a data protection solution such as HPE SecureData, you’re keeping all the benefits of the data but you’re leveraging pseudonymization. Such that, should something happen to the data, and it is lost or stolen, the data is useless to the attackers, and is therefore a nonevent and that is the ideal scenario.” BIG DATA INNOVATIONS One of the big innovations is around data itself. Tammy notes, “If you go back just a few years, the amount of data that we could consume and do real-time analytics on pales in comparison to what we can do today. There is so much value in being able to take not only the data a company has, but bringing in data from other sources. Working with some of the car manufacturers and their belief there should never be a recall on a car again, because these cars are so instrumented and with so much data coming out of them, they should get ahead of any problem that would come up. But it wasn’t until ‘big data’ that they could see the patterns light-up in real time, in order to determine where they needed to make adjustments. Once they figured out with these innovations in technology, there was a major inhibitor standing in their way – and that was security.” “The proposition was there, but how could you take so much sensitive data about just one person? Their personally identifiable information, the vehicles’s identification number

50 | Australian Security Magazine

or VIN, where they’re going, GPS data, how fast they’re driving, you name it. How many times are they are hitting the breaks, and to put that essentially into a huge soup pot that’s based on Hadoop, innately probably the most insecure platform on the planet right now. The risk was too high.” “What we’ve been able to do with the SecureData technology is apply it into the world of big data analytics. For example, with the car manufacturers, that ability to protect the data in a way that the format is preserved, the logic is preserved, and most importantly the relationships. It is not important to know all the individual pieces of information and details. What is important is ability to detect the patterns. There is so much data there, the problem really isn’t an ability to associate with one particular person, but the ability to see those patterns.” WAVES STARTING TO HIT: ACCESS TO THE CLOUD & INTERNET OF THINGS Tammy highlights, “One of the key aspects that is shining a light on this technology’s evolution is access to the cloud. The ability to embrace public cloud can save companies a tremendous amount of money by giving them access to things that they didn’t have access to before.” Referring to a large car brand as a customer, Tammy said, “they discovered they can save 40 per cent, per application, per year, if they moved their .NET applications to Microsoft Azure. This value proposition is potentially tens of millions, if not hundreds of millions of dollars in some cases, over a five-year period. When this was realised in one of the business units, the CEO was naturally very excited with such an innovative, costsaving measure. Before proceeding, Security asked one simple question—is there any sensitive data, including PAN data, involved? The answer was, ‘yes’. Yet before objecting to the project, someone on the CISO’s team had recalled our ability to secure the data and preserve the format. Without creating a bigger processing footprint in putting this data into the cloud, in these .NET applications, the concerns the customer had around the data were addressed. The applications did not have to change their data model. With the data format and data relationship integrity staying intact, there was no need for any rule changes.” “We match the elasticity model in the underlying platform,” Tammy continued, “so most of our customers decide they want this data-centric protection model across their entire organisation. They don’t want to have to decide if it will only be in the Hadoop environment, or only in their mainframe, or .NET, or J2EE ( Java Platform Enterprise Edition) applications, or open system applications. What we do is match to the acuity model of that environment. Such as in Hadoop, that is a node-based environment and we can sell our product based on the node count; for a smaller organisation with 10-20 nodes, through to some of the largest customers in the world, with tens of thousands of nodes, we have a model that can be adapted for all.” IoT is an exciting paradigm and the wave is just starting to hit. However, Tammy asserts, “there is so much data and this can be used very maliciously. Be it a driverless car or a medical device, should someone manipulate that, the impact is no longer how much data can I monetise, the impact is on

Women in Security

people’s lives.” The HPE SecureData technology comes packaged as either an API (Application Programming Interface) or an SDK (software development kit). HPE has a mobile SDK which allows companies to build right into their mobile applications. The capture of data and format preserving encryption paradigm, as we’re all out on the go, entering various information into our devices, right at capture, can be protected. Tammy explained, “It’s not sitting in memory in clear text. The vulnerability aspect of what these mobile devices bring is addressed. We’re seeing with IoT, the power, scale, innovation, is exponentially improving, not in years now but in months. What could be done a year ago, pales in comparison to what will be done a year from now. The ability to build in this encryption, right at capture from inside these IoT devices, is there in many cases, or on the verge of being there.” “When you look at the difference in the innovation, in regards to encrypting and keeping the format the same, versus bloating it into a 256-bit string, that impact is minimal. We’ve been deployed with two of the biggest card brands in the world, with every single card transaction related to them. The ability to be in every single transaction means it has to meet requirements in performance and scale. SecureData has the ability to take any production data, like transaction information, be it per second information, latency information, and then turn it around and apply it in the world’s top financial institutions, healthcare and retailers. We can show that at scale, so the customer’s requirements are often so much lower than we’re already being applied to.” “One of the key elements of what powers a lot of what HPE SecureData does and why this is being adopted so broadly now, is that the technology has format preserving encryption, now a mode of AES (Advanced Encryption Standard). We have received our NIST (National Institute of Standards and Technology) certification as FFX1, and our FPE technology provides accelerated encryption performance up to 170 per cent in conservative scenarios. Building on today’s proven high-speed FPE technology, while aligning to the high-volume needs of next generation Big Data, cloud, and IoT scenarios. With the power of what this algorithm

can do in terms of enhancing the encryption footprint, the US Federal Government fast-tracked it to make it a standard and now, as we’re finalising our FIPS 140-2 and Common Criteria, this opens up many areas. Where it was already being leveraged before that certification, it is now able to be used by government entities and other entities who set the bar and this standard is a requirement.” CAPTIVATING AUSTRALIA “Australia is a very interesting market,” Tammy observes, “we started investing here about seven years ago and have a lot of interest. One of the main discussions back then was PCI (payment card industry) and companies wanting to get to compliance – there wasn’t the view that there was the same kind of risk as there was in other parts of the world.” “Paradigms like big data, cloud, mobility and with data so transient now, the Australian market is much more exposed, and a light has been shone on it. Big data is probably the biggest driver now, and regulations like GDPR are right behind it, as well as the drive to public cloud.” The Australian market has a tremendous need, Tammy notes, “I spent time with the Government and large financial services, telecommunications, retailers, sports betting—and I was shocked. I was last in Australia, literally at the time when the Census breach was happening, and seeing the way that sensitive information is being used in this country. I found having been an evangelist of this approach across the globe, it has really surprised me how often a national ID, or a credit card number or an account number is used as a primary key and mode of identification. There is a lot of ground to cover here.” Tammy concludes, “I think the Census example, of showing how systems can fundamentally break down, showed when the confidence of the citizens in those systems evaporates. So, having returned to Australia this year, there is such a desire now to protect the information and it’s no longer about meeting a particular regulation as the driver, be it PCI or GDPR – it’s really about the overarching sense of confidence and protection of brand.”

Australian Security Magazine | 51

THE MAGAZINE FOR AUSTRALIAN INFORMATION SECURITY PROFESSIONALS | www.australiancybersecuritymagazine.com.au @AustCyberSecMag Issue 2, 2017

Digitisation and Internet of Things

Cyber Insurance: A Buyer’s Guide

Cyber Hygiene: Tips to improve your security organisation

Threat Hunting – Pursue your adversaries

! W O N T U O

A Beginners Guide to Bug Bounty Programmes

Hacking your own company

READ NOW

PAGE 8

M E M B E R FOC U SE D