Women in Security: Cyber trail blazer Kendra Ross
Kendra Ross has spent decades at the forefront of the New Zealand cybersecurity industry, writes Joanna Mathers, and the sector is all the better – and more diverse – for it.
Kendra Ross is General Manager at Duo, a division of Sektor. She is cofounder of the 1st Tuesday security professionals’ network and its offshoot, Project Wednesday.
When the Reserve Bank of New Zealand (RBNZ) suffered a data breach in January this year, the media had a field day. The news that a third-party provider, “secure” file sharing provider Accellion, had been hacked was met with consternation from many, as commercial and personal data was accessed by cyber criminals.
While RBNZ wasn’t the target itself, the fact that such a seemingly locked-down organisation could be so readily compromised was a wake-up call: none of us are safe from online criminal activity.
Kendra Ross, general manager of online security distributor Duo and cofounder of cyber security professional support group 1st Tuesday Security Network, is well versed in this type of breach. She’s been in the cybersecurity game for decades and understands the huge amount of damage that can be caused when cyber criminals get through the walls of digital security.
“Cybercrime can have a devastating effect on business and individuals,” she says.
“As an example, we’ve recently seen people affected by crimes involving fake invoices, with losses ranging from several hundred to half a million dollars. And due to the privacy law requirements, we are hearing more about this than ever before.”
In dollar terms, the global cybercrime figure runs into the trillions. And it’s becoming the crime of choice for organised crime rings – it’s safer than drugs and often far more profitable.
For Ross, cybersecurity is as much a passion as a career. A university drop-out (she didn’t enjoy the theory and wanted something practical to sink her teeth into), her first job was a sales support role at Epson.
But she’s always been a “geek at heart” and started wholesale technology distributor Duo with a business partner in 1996. They soon saw opportunities for expansion to Australia, but this wasn’t to be a success.
“We made loads of mistakes. We were trying to work remotely, but we didn’t understand the Australian market, the different rules of each state, and this was all happening around the time of the GFC. It almost sent us bankrupt. We had to shrink our business from 18 to three.”
But the self-proclaimed “dyslexic thinker” wasn’t to be defeated that easily. Looking around for new opportunities, talking to customers, partners and end users, she discovered that cyber-crime was emerging as a major threat.
So, Ross set about investigating ways in which her business could pivot to create opportunities in the underserviced sector.
The answer came in the form of IronKey, an encrypted USB flash drive funded by Homeland Security and the FBI. Duo gained the rights to distribute the product, and soon garnered an excellent reputation in the field.
Concurrently, Ross started to look for ways in which to broaden the company’s portfolio in the space, seeking a group that may offer ideas and support. Sadly, there wasn’t one.
In 2008, when Duo released IronKey, cyber-security was still in its infancy in New Zealand. Technology was developing apace, and cybercrime alongside it, but there wasn’t an official (or any) industry body or group where people could share their knowledge. Ross decided to remedy this. 1st Tuesday Security Network offered a space for IT security professionals to share knowledge and learn from experts in the field. Now in its 12th year, the growth of 1st Tuesday mirrors the growth of the cybersecurity industry as a whole.
“When we started, we would get about 20-30 people attending each month,” she explains. “Now we get over 100 people every month.”
Just as the size of 1st Tuesday reflects the industry nationwide, so does the gender makeup. The group (and its offshoot Project Wednesday, started for those who are new to the industry and to cater for the overflow from 1st Tuesday) is approximately 20 percent female.
This percentage is possibly higher than the industry-wide numbers, which Ross claims sit at around the 10 percent mark: “Diversity is something the industry lacks.”
This is significant, both for gender equality and cyber security as a whole. Ross refers to cyber-security executive Jane Frankland’s book InSecurity, which she views as an astute analysis of the current male-dominated paradigm.
“InSecurity puts forward the argument that lack of diversity makes us all less safe,” says Ross.
The book postulates that women and men are fundamentally different: women are more risk averse, compliant with rules, and embracing of technology changes than men. Frankland also claims that women have more intuition, plus the ability to remain calm in times of crisis.
The upshot of this is, in Frankland’s view, that a lack of women in cybersecurity roles equals greater risk of threats being realised – to the detriment of all.
It’s not just gender diversity that matters in the cybersecurity industry, Ross says. In a world where millions of attacks occur every minute, ethnic diversity and diversity of thought are also vital.
“If you just have one type of person working in cyber-security, they will be missing things that people with different ways of thinking may identify,” says Ross. She says the role, while often seen as tech-heavy, actually requires thinkers of all sorts.
“We have seen people coming into our company with degrees in music, marketing people who are skilled at messaging and storytelling. There are so many different roles in cybersecurity, and there is a huge skills shortage across the world.”
The past year has been uniquely challenging for all of us, and further underlined the need for a robust workforce that tackles cybercrime.
With Covid-19 necessitating remote work, cyber security threats widened significantly.
Digital transformations that may have been in the pipeline were fast-forwarded as work moved from the office to home.
But the speed with which this was expedited opened up organisations to major security threats, with sensitive information being shared to remote devices that didn’t have the appropriate layers of protection.
Ross says that the pandemic highlighted just how underinvested many organisations and individuals have been in cybersecurity. The convergence of the physical and the digital with the development of the internet of things (IoT) has compounded this. For canny cyber criminals, there are opportunities everywhere.
The classic Kiwi “she’ll be right” attitude extends to cybersecurity, she says. “A lot of people make the mistake of thinking they are too small to be a target, but what they don’t realise is that they might be part of the supply chain; that cyber-criminals might be using them to get to a much bigger target.”
“You see people setting up IoT devices with their default user names and passwords, and not changing them. People at all levels, including consumers, need to come to the party and be aware of the importance of protecting their information.”
Covid-19 also highlighted just what data was important for organisations.
“A lot of businesses don’t know what their ‘crown jewels’ are when it comes to data. This is a big part of what Duo does, working out which data is the most important and how to protect it.”
Ross says that New Zealand’s cybersecurity landscape has been greatly enhanced by the development of CERT NZ, established in 2016. The national Computer Emergency Response Team (CERT) is part of an international network that provides information and advice around cyber risks, as well as collating risk reports and presenting them in a quarterly publication.
The most recent CERT report, from the third quarter of 2020, showed no let-up in malicious online activity: in fact, the opposite. In Q3 cyber-attacks rose by 33 percent. There was $6.4m of direct financial loss (up a whopping 255 percent from Q2) reported.
Phishing led the activity, with 1064 reports; followed by malware then scams and frauds. Individuals, organisations, and IT professionals are all able to report to CERT.
The threats are increasing, but the perennial skills shortage means that many of these can slip through the gap. Ross says that this is the biggest issue within the industry, and she is committed to educating people around the possibilities of this as a career.
Ross is involved with Year 13 students, educating them around the opportunities to be found in the cyber security sector.
“There are so many different roles in the sector, including non-techy roles. We get students together in a room with partners across New Zealand (including Ernst and Young, Deloitte, Trade Me, and many others) and get grads to talk about a day in the life of a cybersecurity professional.”
When it comes to women and cybersecurity, Ross is passionate about the opportunities it offers.
“Women have the opportunity to blaze their own trail. We are still pioneers,” she says.
She admits that working in such a male-dominated industry comes with some challenges, but these can be surmounted.
“You do need to have resilience and a good support network. And there are great women in security groups where women in the sector can find help and advice from people in the same industry.”
Duo was bought out by business tech company Sektor in July 2019, but Ross continues to head Duo as general manager. In 2016 she was granted a Massey University-sponsored New Thinking gold award; she was also asked to be a guest speaker at a graduation ceremony for the university.
“I thought it was very good of them, seeing that I didn’t actually complete my degree!” she laughs.