Women In Security Magazine Issue 1

MARCH • APRIL

THE FUTURE FOR WOMEN IN SECURITY IS NOW

ARE WE DOING ENOUGH?

AUSTRALIA’S FEMALE SECURITY PIONEERS

THE BEST COMPANIES FOR WOMEN TO WORK IN SECURITY

www.womeninsecuritymagazine.com


FROM THE PUBLISHER

Raising the profile of women in security may be my passion, but it’s everyone’s job

There’s a difference between reading about the lack of women in security, and doing something about it.

I’ve worked both sides of that argument – first during 10 years as publisher of CSO Australia, and more recently in partnership with the Australian Women in Security Network (AWSN) – and I assure you that doing something about the situation is much harder, but also much more rewarding.

As publisher, I read articles about how women in security were sparse; blog posts advising CSOs about how to retain the few women already working in security; requests for female mentors or career advice; and social-media posts from successful security women sharing advice about how to not be the only female in the room.

It was a great job, although I didn’t understand all the security parts – but I managed to work through that part with the help of a very supportive, patient network.

At the same time, the debate became more than academic when I was faced with teenage girls growing up in a school system where tech subjects were just not cool. Out in the real world of education, cybersecurity and STEM still don’t get much of a mention – and IT was always advocated for by the nerdy, uncool teacher. Can we really be surprised that teenage girls wouldn’t go for this?

In recent years I have been working to explore my growing passion to make a difference – to help Australia’s cybersecurity industry overcome the built-in biases that are limiting businesses and keeping our best and brightest young women from an industry that is already primed to give them satisfying, flexible, rewarding careers.

Empowering women to join the security community is a core goal of AWSN, and in the seven years since I met founder Jacqui Lostau we have been working hard to build a community capable of driving change.

Yet for all its successes, I quickly realised that AWSN could only do so much as an association. Staff were all volunteers and most had full-time jobs. Some had families and some did not, but all were working every hour of their days – as colleagues, mentors, advisors, advocates, and more – to make a difference.

Watching their commendable and ongoing efforts, I realised that it is not AWSN’s burden alone to change the way females are seen within security, or to increase their numbers in the industry. It’s not the responsibility of any one committed group to show females the many exciting career paths in security, or to identify standout achievers and highlight them as paragons to inspire others. It is all of our responsibility – and this publication is one small step in the ongoing effort to provide a solid platform for women in the security industry.

Looking back, the ingredients were all there: the industry knowledge. The wonderful relationships I have gained and nurtured with like-minded individuals over the years. The amazing women who are leading IT security, cybersecurity, physical security, security resilience and privacy teams. They’re out there, doing great work every day – and their stories need to be told.

We have taken some concrete steps to do this in recent years, not only by growing the membership of AWSN into the many thousands but through steps such as establishing the annual AWSN Women in Security Awards in 2019 and running the second (albeit virtual) awards last year.

This publication gives the industry a platform to recognise the work of all those amazing women – not only to recognise their achievements, but to motivate the next generation of students to ignore their school’s bias, and give cybersecurity a try.

I hope you’ll continue to join us on this journey to hear these stories, share your thoughts, and help make that little bit of difference in your own way. It’s only together that we can balance the playing field – and help the security industry benefit from the amazing talents of some of Australia’s most capable, inspiring women.

Abigail Swabey
PUBLISHER, Co-founder at Source2Create
aby@source2create.com.au


CONTENTS

MARCH • APRIL 2021

PUBLISHER’S LETTER
AUSTRALIA’S FEMALE SECURITY PIONEERS
Building cyber culture into the business from day one
Cybercrime is big business
The future for women in security is now

WHAT’S HER JOURNEY?
Kate Monckton
Toni James
Joss Howard
Skye Wu
Rachel Okoji
Nicole Neil
Mary Attard
Jodie Vlassis
Bri Hadley

A Day in the Life
Diversity in security: Not just about men and women

CAREER PERSPECTIVES
What you need to know about cybersecurity careers
Three career tips to thrive as a woman in cybersecurity
Are we doing enough?
A cybersecurity career perspective from a multipotentialite
Advice on joining the infosec industry
Things to remember for women in tech
Introduce yourself to leadership the power of a strong network
Security is not just about hacking
Why cybersecurity as a career

INDUSTRY PERSPECTIVES
TECHNOLOGY PERSPECTIVES
How parents can keep up with apps and online games
Behind the scenes of an ICT woman during and post COVID
Tales from the trenches
Mitigating against online Social Engineering
(CYBER) SECURITY CULTURE EATS (CYBER) SECURITY STRATEGY FOR BREAKFAST
Diversity, like security, should be built in from the ground up
The heroes of AusCERT2020 the women in security who made it happen
2021 and Beyond the future of cybersecurity is promising
Security as basic hygiene
Running a digital cyber security treasure hunt
Infosec and RM working together for safer sharing
Social Media Security
Driving a slow car fast and driving a fast car slow
Cybersecurity in companies and the protection of fundamental rights
Helping businesses safely embrace digital
The Privacy Paradox

THE BEST COMPANIES FOR WOMEN TO WORK IN SECURITY
WOMEN IN SECURITY MAGAZINE CONTRIBUTORS
TURN IT UP
OFF THE SHELF

FOUNDER & EDITOR: Abigail Swabey
ADVERTISING: Abigail Swabey, Charlie-Mae Baker
JOURNALISTS: David Braue, Stuart Corner
SUB-EDITOR: Stuart Corner
DESIGNER: Jihee Park

Women in Security magazine is published by Source2Create ABN 25 638 094 863

www.womeninsecuritymagazine.com contact@source2create.com.au

Source2Create Pty Ltd is the publisher of this magazine and its website (www.womeninsecuritymagazine.com). AWSN is the official partner of Women in Security Magazine

©Copyright 2021 Source2Create. All rights reserved. Reproduction in whole or part in any form or medium without express written permission of Source2Create is prohibited.




FEATURE

AUSTRALIA’S FEMALE SECURITY PIONEERS
by David Braue

For Australia’s female security pioneers, cyber is all in a day’s work

Different career paths, different responsibilities – and a shared love of cyber’s challenges

Culture change, that time-worn bon mot goes, starts at the top – and Australia’s cybersecurity industry is no exception.

As recent years saw the world waking to the increasing prevalence of cybersecurity threats and their real-world impact, the industry has been led by – and inspired by – a slew of talented women whose mighty efforts might have gone unnoticed but for concerted efforts to bring them into the spotlight.

Through awards programs, media coverage and networking through bodies like the Australian Women in Security Network (AWSN), cybersecurity practitioners have rapidly come to learn about the significant work of women like Rania Bilal, a former officer in CERT now working in the Australian Cyber Security Centre (ACSC) cybersecurity team to enhance the nation’s threat sharing.

“While amazing women have always been working in cybersecurity,” Bilal says, “it’s only recently that many of them are being publicly recognised.”

Bilal, who actively participates in the Defence internship program and enjoys mentoring interns every year, noted the preponderance of “really supportive and high profile female leadership figures” at organisations such as the Australian Signals Directorate (ASD), Australian Cyber Security Centre (ACSC) and industry-development body AustCyber.

Ongoing support from both men and women across the sector has helped Bilal advance her “exciting and rewarding” career, which has seen her working in research and development, C# software development, firmware coding, and now as a cyber threat intelligence technologist.

She hopes ongoing recognition of female industry pioneers will inspire even more women to join the industry: “It’s great to see women increasingly recognised through awards and greater leadership,” she says.

“I hope this becomes normal practice so that more women are inspired to join the cybersecurity profession and discover everything this exciting career path has to offer.”

MANY ROADS TO CYBER

Indeed, for many women in cybersecurity that career path has taken all manner of twists and turns – and continues to do so as they progress through the broad and deep range of options that it offers.

Mandy Turner, for one, wasn’t expecting to end up in cybersecurity: her first degree was a Bachelor of Music, for example, and she recently completed a Bachelor of Dementia Care before entering a 20-year career with a government agency before moving laterally into cybersecurity.

Now, Turner works as manager of the University of Queensland Cyber Security Operations Centre (CSOC) – the latest step in a career arc that continues to challenge and engage her.

“My formal qualifications have nothing to do with computing,” she says, “but I worked in a cybercrime intelligence role. I’ve written a few books now, and when I speak at conferences I’m trying to make people understand that cybercrime is not something weird and elusive; it’s just like any other crime type, and anyone can be a victim.”

Her goal in working in cybersecurity likely resonates with many other women who have found the industry’s allure irresistible: “I want to help harden our community, harden our nation, and harden the world against becoming victims of cyber crime,” she explains.

“That is something I really do care about – because it’s never going away.”

As well as advocating for better cybersecurity understanding, Turner has watched in dismay as popular media representations of shadowy hackers pollute the discussion – making everyday users believe “there’s this shadowy supervillain behind all of this, so there’s no hope for them and they no longer help themselves.”

“We need to stop that narrative of the supervillain,” she says, “because it isn’t a super villain. It’s just a criminal.”

STEPPING UP DURING A PANDEMIC

Many of cybersecurity’s most high-profile women share a passion for cybersecurity that keeps them actively engaged on myriad fronts at the same time.

For cybersecurity consultant Jo Stewart-Rattray, her deep fascination with the industry, and engagement with the sector, have kept her engaging with a broad range of roles – whether as director of information security and IT assurance with BRM Advisory, vice president of communities with the Australian Computer Society, recent president of the Association for Intelligent Information Management (AIIM), member of ISACA’s information-security advisory board, and even part of the Australian government’s official delegation to the United Nations’ 62nd Session of the Commission of the Status of Women.

Never one to gather moss, when the COVID-19 pandemic hit last year Stewart-Rattray began thinking about how she could help – and ended up seconded to health and in-home care organisation Silver Chain Group as chief security officer.

Given the challenges that had descended on the entire health and aged-care industry almost overnight, she says, it became clear “the bad guys aren’t going to wait so we can’t wait.”

Working with Silver Chain four days a week, Stewart-Rattray found herself at the front line, helping secure the deployment of two national call centres staffed by home workers, as well as managing a widely distributed security team that was facing similar challenges from home working.

It wasn’t her first secondment – and it was, she recalls, an eye-opener to the many ways that cybersecurity impacts everyday business and the operations of essential services.

“I found that when I did that, it really made me recognise the needs of my clients and what they face,” she explains, “and what CIOs face on an everyday basis. It puts you back in touch with the real world of security – and it’s good for the soul to not just be dropping the report and leaving.”

Managing security during a pandemic meant addressing both technological and business issues, she pointed out, as well as the additional people-management skills involved in keeping people communicating across the distance.

“It’s about the people aspect, and looking at how I can keep the team feeling connected,” Stewart-Rattray explains. “The face of work has changed, I think permanently, and we’ve seen that many organisations that I work with will continue to encourage people to work from home.”

“And while I hear some people having a bit of a whine about how you can’t collaborate, I think you can. It just requires a different mindset.”




DIVERSITY & INCLUSION

BUILDING CYBER CULTURE INTO THE BUSINESS FROM DAY ONE
by Snezana Jankulovski, Chief People Officer at CyberCX

CyberCX’s Snezana Jankulovski is helping combine 15 companies into one – so what could possibly go wrong?

Late in 2019, the founding of CyberCX created a major player in Australia’s cybersecurity industry overnight. Twelve different cybersecurity consultancies coalesced into one firm with more than 500 cybersecurity professionals spread across more than 20 offices in Australia, New Zealand, Europe and the United States.

Since then, CyberCX has gone from strength to strength – adding three more companies and drawing on its consultants’ collective decades of expertise to support clients in areas such as strategy and consulting; security testing and assurance; governance, risk and compliance; identity and access management; digital forensics; and more.

Snezana Jankulovski has been with CyberCX from the beginning – and, as the company’s chief people officer, she has taken on the challenge of integrating 15 different company cultures into a single, unified whole.

“I’ve been literally starting from ground zero,” she says, “in building a scalable people and culture function – and an amazing workplace experience – for an organisation that didn’t even exist 12 months ago.”

Given the range of businesses and sizes – the member organisations had between 3 and 90 staff each – it was a challenging task but one, she says, that was facilitated as she and the transition team discovered broad commonality in the companies’ workplace philosophies.

“We were very selective and brought together organisations that are the best at what they do,” she explains, “and they were very similar in terms of their cultural characteristics.”

“Through that process I saw that so many of these organisations had so much in common,” she continues. “They were all obsessed about customers and delivering great solutions, and worked so well together – which just made our job so much easier in terms of bringing them together.”

EQUIPPED FOR CHANGE

The novelty of CyberCX as a merged organisation gave Jankulovski scope to build a culture that embodies workplace ideals around gender equality and equal representation.

“We made a commitment very early on in our journey that diversity was a key part of who we are,” Jankulovski says, “and committed to create an inclusive workplace irrespective of gender or other attributes.”

As someone with extensive expertise in change management – she is a Prosci Certified Change Practitioner who has previously worked in people and culture roles with organisations like Cox Automotive, Dimension Data and Telstra – Jankulovski was well equipped to guide CyberCX through a period of rapid change.

Yet just as employment contracts were formalised, policies harmonised, payroll in place and the new corporate culture emerging, the COVID-19 pandemic hit – and the executive team’s priorities shifted towards a singular focus on supporting staff safety and efficiency at home.

“We had to work very quickly to put those things in place,” Jankulovski recalls, “and we had to produce policies that might normally take months to refine, overnight.”

This also included introducing additional leave days, supporting locked-down staff with care packages, and refining the way that project teams worked together – addressing tasks such as regular communication, ensuring regular stand-ups via videoconferencing, and engaging with staff through regular virtual ‘town hall’ meetings attended by the senior executive team.

“We were determined that everybody would work through the pandemic and that we would survive,” she says, “and we did that by managing the transition virtually. My prior roles very much equipped me to manage massive, large scale change – but at the end of the day, it’s all about communication.”

Yet for all its organisational challenges, the pandemic also saw a surge in demand from customers seeking to secure their own remote-working transitions – and this not only helped CyberCX grow quickly, but helped Jankulovski bed down the organisation’s cultural dynamics based on what was proving effective and valuable.

BUILDING AN INCLUSIVE CULTURE

Managing the shift to virtual working was an unexpected challenge, but it did help lay the foundations for the flexible work models that are tied to ideals around workplace gender equality.

“It really helped us reinforce our commitment to flexible working,” Jankulovski says, “and this is something I and the executive are very committed to – because if we’re going to be able to attract the best people and most diverse workforce, we’ve got to embrace it.”

CyberCX launched a formal diversity strategy on International Women’s Day this year, committing to promoting the engagement of women in cyber and sponsoring organisations such as AWSN.

The company has sponsored cyber scholarships for women studying cybersecurity, and the board tracks gender diversity as a key performance metric of the business. In February, the company will also welcome a cohort of 15 cybersecurity graduates – with an even split of men and women – participating in its first cybersecurity graduate program.

Through these and other initiatives, Jankulovski believes CyberCX has been able to embrace diversity as a core business issue that will serve it well as it continues to grow from strength to strength.

“We’ve got a lot more to do,” she says, “and we are nowhere near where we want to be. We want to see more women in leadership roles, and to see our numbers increase – but there is no silver bullet.”

“The key is to understand that gender diversity is a business issue, not a gender issue. It’s something that we’re absolutely committed to – and it’s a no-brainer because diversity brings huge benefits.”


COLUMN

AMANDA-JANE TURNER
Author of the Demystifying Cybercrime series and Women in Tech books
Conference Speaker and Cybercrime specialist

Cybercrime is big business

Cybercrime is big business, thanks to technical advancement and interconnectivity creating more opportunity for cybercrime. This regular column will explore various aspects of cybercrime in an easy to understand manner to help everyone become more cyber safe.

TECH SUPPORT SCAMS

Tech Support scammers are very active, and highly organised. They operate from rented office spaces, just like a traditional call centre. They lure their victims in several ways: website popups, cold calling, fake virus alert popups, or with websites that spoof well-known tech or telecommunications vendors.

The cold call version starts with the scammer telling a target there is an issue with the target’s Windows computer that must be fixed immediately. If this ploy is successful, the victim is directed to install legitimate remote viewing software that gives the scammer full access to the victim’s computer. The scammer might then open the computer’s event log or use commands in the Windows Command Prompt screen to present information to the victim as evidence of malware on the computer.

If the victim is now convinced the computer has a serious problem the scammer persuades the victim to pay to have the computer ‘repaired’. While in the system, the scammer may also configure back doors so they can surreptitiously return to the computer later and steal account credentials. Sometimes the scammer will also install malware into the victim’s computer disguised as essential repair software.

It doesn’t end there. The scammer may make a follow up call offering the victim a refund for the ‘services’ provided earlier. Their aim is to gain financial account details and steal more money from the target.

What to do if you are the victim of a tech support scam

If you paid a tech support scammer with your credit or debit card, contact your bank immediately as you may be able to stop the transaction. If the payment was made using a gift card or voucher, immediately contact the organisation that issued the card and explain the situation.

If the scammer gained access to your computer, scan it with up-to-date and reputable anti-virus software and change passwords to any accounts you accessed from that computer.

In Australia report the crime via https://www.cyber.gov.au/acsc/report. In another country, report it to your local police or through the relevant cybercrime reporting mechanism.

Tech support scams are big business – stay safe.




FEATURE

THE FUTURE FOR WOMEN IN SECURITY IS NOW
by David Braue

Surging cybersecurity investment in 2021 could turn COVID-19’s ‘pink recession’ into a force for equality

The COVID-19 pandemic changed all the rules, pushing remote working into the mainstream and driving cybersecurity into the boardroom as companies scrambled to protect their rapidly-changing security postures.

Yet while women were losing jobs or working hours faster than men early in the pandemic – leading many to refer to its economic fallout as a ‘pink recession’ – as companies pivot away from its first year many women are finding that it has also created a broad range of new opportunities.

Fully 53% of respondents to the recent Arlington Research-Kaspersky Women in Tech 2021 Report – a survey of 13,000 technology workers in 19 countries – reported that the number of women in senior IT or technology roles had increased over the past two years, when the company first ran the report.

With 95% of female technology workers working from home at least part-time since March 2020, many women in the survey said the lockdown had made them feel more autonomous, with companies forced to accommodate staff working from home in ways that they simply had not done in the past.

Interestingly, women living in the Asia-Pacific region have taken to remote working even better than their counterparts elsewhere in the world: 58% of APAC respondents agree that remote working facilitates gender equality, well above the 46% global figure.

Yet there is still a long way to go before the cybersecurity industry reaches the levels of gender equality that it could – and 47% of respondents said that the pandemic had delayed career progression, reinforcing an underlying understanding that industry has been more positively impacted by the pandemic’s change than the evolution of socially-imposed gender restrictions.

A CHANCE TO TWEAK TEAM DYNAMICS

Indeed, despite years of talk about equality just 24% of cybersecurity workers are female, according to widely-cited (ISC)² figures derived using a less-restrictive methodology than an earlier one that pegged the levels at just 11%.

This imbalance continues to shape the makeup of project teams, with just 10% of the survey respondents reporting that they work in a female-majority team – compared to 48% that report working in a male-majority team.

Despite the gender imbalance, however, there are encouraging signs that company culture is moving in the right direction to support women in cybersecurity better than in the past.

Around 7 in 10 respondents believe their skills and experience were more important than their gender when applying for their first IT role, and a similar proportion believe their opinion would be respected from the beginning, regardless of their gender.

“Given that the idea of gender balance is steeped in perceptions and attitudes,” the report notes, “this is a critical sign of progress.”

“Beyond tangible percentage rises in employment or boardroom positions, how women feel in the tech space and how they experience daily life in the IT sector is pivotal to understanding real evolution.”

Coming into 2021, then, the cause of gender diversity faces both a reiteration of an ongoing problem – that women are still underrepresented in cybersecurity – and a potential source of optimism, in that women working in cybersecurity are feeling more included than ever.

This duality, the report notes, means the interruption of the COVID-19 pandemic could turn 2021 into a great leveller for women working in cybersecurity.

“The events of 2020 could be a catalyst for more accelerated progress as long as social biases don’t block the way,” the report notes, “and if tech as an industry is proactive in changing its traditional processes and mindsets.”

TRANSFORMATION IS ABOUT MORE THAN SYSTEMS

Much of that proactivity is already being seen, AustCyber CEO Michelle Price noted during a recent National Press Club address in which she welcomed the increase in representation of women in Australian cybersecurity roles.

From just 4% five years ago, she said, “we’re now at 29% – and we’re estimating that, with the graduates that will come out over the next couple of years, that will get pretty close to 40% within the next five years. But whether or not we can retain women within these fields is a completely different thing.”

Supporting and reinforcing this surge in female workforce participation will be crucial – but with the pandemic pushing face-to-face networking online for the foreseeable future, both companies and women in cybersecurity will need to get creative to keep this momentum.

Yet Jacqui Lostau, a long-term cybersecurity consultant and founder of the more than 2000-strong Australian Women in Security Network (AWSN), believes the cause of gender diversity was already headed in the right direction before COVID-19 pushed the network’s activities online.

“A lot of companies now come to me asking whether I know of some great candidates for their roles,” she explains. “They want to increase the diversity in their teams – which I think is a great conversation to have, as opposed to years ago when we were still having those conversations about why diversity is important.”

“That conversation has shifted now: most people understand that diversity is important, and they want to do something about it.”

This year, those same organisations will have a very real chance to do something about diversity as they invest in staff to secure the fruits of a year-long splurge – which saw many organisations compressing complex years-long digital transformation plans into just a few months.

Fully 81% of Australian businesses accelerated their digital transformation during the pandemic, according to one recent Trend Micro survey, while IDC recently noted that 60% of Australian small businesses are now in “survival mode” – with 51% planning to increase their IT spending this year and cybersecurity crucial in every instance.

This change in spending habits has positioned cybersecurity at the heart of the global transformation, with recruitment firm Hays noting that early investment in cloud-based remote work support systems “quickly shifted to cyber security candidates” as organisations began pivoting towards their longer-term digital and technology talent strategies.

With the old rules gone and companies committed to change in 2021 by hook or by crook, this year marks what the Arlington Research report’s authors call “an unforeseen and (hopefully) one-time opportunity to accelerate change.”

“Last year, the decision was made on behalf of businesses to level the playing field in which men and women can operate… To ignore that opportunity when all statistics point towards this being an enabler of gender equality, would be an opportunity missed.”


2021 AND BEYOND

What to expect from the Australian Women in Security Network (AWSN)

AWSN was founded in 2014 as an open network of people aiming to grow the number of women in the security community in Australia.

Since its formulation, the network has come a long way and has continued to inspire, support and connect women in the industry to those looking to enter the field with the tools, knowledge, network and platforms needed to build each member’s confidence and interest. As we look towards embracing a new phase of the network, here are some key focus areas on the AWSN agenda in 2021 and beyond:

UPLIFTING CURRENT PROGRAMS

• The network is committed to the quality delivery of its core capabilities which span across networking events, its AWSN Cadets Program and the annual AWSN Awards programs.
• The network aims to optimise and uplift the National AWSN Cadet Program, increasing the number of participants, workshops and study groups.

2021 FOCUS: SUPPORTING WOMEN IN SECURITY

The network recognises that we must focus on initiatives to help retain and support the current women working in this industry.

• The network is committed to the goal of retention and advancing women in security across Australia by understanding the current state-of-the-union of women working across the sector.
• The network is implementing various programs to support and help the cohort of women in security grow; these include: a Mentoring Pilot program (sponsored by ASD and powered by OK RDY), a series of Women in Leadership programs, a Women in Security Study survey, and a Small Business Mentoring Pilot program.
• The network sees itself as the conduit between other great initiatives and partners within industry aiming to achieve the same mission. For example partnering with companies such as Source2Create who have produced this incredible magazine.

2022 AND BEYOND: INCREASING FUTURE PIPELINE OF WOMEN IN SECURITY

• Future plans of the network are to establish new programs focusing on high school students and a return-to-work offering for women in security who wish to re-enter the workforce after a career break or hiatus.

HOW TO CONNECT, SUPPORT AND INSPIRE WOMEN IN SECURITY

As the network continues to mature, AWSN is absolutely in need of supportive colleagues, champions, women and men, to be part of our cause and vision. Let’s support women in every step of their career journey, inspire them to pursue a career in security and help build the Australian pipeline of talented security professionals.

YOU CAN DO THIS BY:

• Becoming an AWSN member or encouraging someone to be a member
• Signing up to be a mentor
• Nominating someone for an award
• Speaking, or encouraging someone to speak at one of our events
• Writing, or encouraging someone to write for the magazine
• Hosting or attending one of our AWSN events
• Post internship or jobs with us
• Volunteering, Sponsoring, Supporting the organisation

Come and join our AWSN community. To find out more about the network’s initiatives, please visit: awsn.org.au

The AWSN would like to thank their sponsors, volunteers, members and supporters who have helped shape the community into what it is today.


WHAT’S HER JOURNEY?


Kate Monckton

General Manager Security and Privacy Assurance, Risk and Consulting at nbn

“When I was younger I felt I had to know everything to be credible professionally, especially in the consulting role. Over the years I’ve learned that is just not true. Pretending to know more than you do is incredibly detrimental.”

My journey into cybersecurity started very far away: with a degree in German and philosophy from the University of Leeds in the North of England.

My first job after graduating was in the European arm of an American boutique management consulting company that specialised in helping IT and CE vendors with their retail and SMB sales and marketing strategies. One of the company’s major clients was McAfee, and working with McAfee sparked my interest in cybersecurity. That was back in the mid 2000s when people were becoming more connected and threats were becoming more mainstream. After four years with that consultancy I fancied a stint client side and went to work in Symantec’s marketing team. Much of my work at Symantec was on the consumer side and that was when I became really interested in cybersecurity, cyber safety and privacy. Looking back I bored a lot of people in my personal life with stories about protecting themselves online!

On a Symantec trip to Hawaii I met my future husband, who lived in Sydney. Three months later I quit my job and being just shy of 30 was still eligible for a backpacker visa so I came to Australia to have some time off and see what happened. Within two months I had landed a role as the Security and Privacy Initiatives Lead for Australia at Microsoft. Around 2010 my then boss at Microsoft became the first permanent CISO hired by nbn. When he was building out the team a role came up that looked like a great new challenge in an exciting young company doing something great for the country. So I made the move, along with a few of my Microsoft colleagues.

I started at nbn in July 2011 when the company was planning a full FTTP rollout. Over the next nearly 10 years, because of the speed at which the company grew, I had a huge array of amazing professional experiences and challenges. I doubt there are many companies where I would have had similar opportunities.

I’ve always been in the security group at nbn in various leadership roles, generally in privacy and security and cyber safety influence/culture programs. My current, recently created, role is a fantastic professional opportunity. It encompasses privacy, information security consulting, risk and assurance. I am presently on parental leave but normally I share the role with Sarah Hosey with each of us working four days a week. I’m unaware of any other GM level job share arrangements in the industry. Sarah and I are really proud to role model how effective it can be and I hope that these kinds of things become more the norm for everyone. Our portfolio comprises everything to do with managing the privacy program at nbn, from helping the operational front end of the business understand and manage its privacy risks to developing the long term strategy and policy for handling personal information. We also lead the teams that provide hands-on security consulting support to the business, and the teams that manage security risk and provide internal and third party security assurance.

My typical day has a lot of meetings (most of them remote at present). Most mornings we have a senior leadership team (SLT) stand-up and once a week we have a longer SLT half day meeting with Darren Kane, nbn’s Chief Security Officer. On the days Sarah and I both work we have a 1:1 meeting first thing to make sure we’re clear on our plan of attack for the day and the week ahead.

When you work in security what you think your week is going to look like is often not the way your week goes. So clear and open communication with Sarah, with the wider leadership team and with our direct team is critical.

The rest of the day is generally a mix of formal and informal meetings that includes meetings with individual teams and leaders who report into our function, meetings with the cross-company Steering Committees and project meetings. I am a natural early riser so I tend to spend an hour or two before my toddler wakes up clearing email and reading through reports etc. before having breakfast with her and doing the day care run. From 8:30 onwards it’s pretty much go go go in meetings.

We all work incredibly hard but have a lot of fun every day. We challenge each other constantly so there is no scope to stagnate or stop learning. I also feel strongly about the mission of the company and the need for a trusted and secure network that’s reliable and readily available to all Australians. We have an amazing culture within the Security Group that cuts across all levels of the organisation. Last year we came second and highly commended in the Australian Women in Security Network awards for the Best Place for Women to Work. I try to be offline by 5:30 so I can have some family time before my daughter goes to bed and only log on after 7pm if it’s absolutely needed. I spent the first 10 or so years of my career smashing out 80 hour weeks but since I got a handle on my work/life balance by prioritising much better I have had more success professionally and personally.

When I was younger I felt I had to know everything to be credible professionally, especially in my first role with the consultancy. Over the years I’ve learned that is just not true. Pretending to know more than you do is incredibly detrimental.

But you do need people around you whose knowledge and judgement you trust and can draw upon when you need some help. I am lucky to have a great professional support network, many of whom are also good friends. I run things by them and sanity check when I doubt myself.

I also got really lucky with some amazing mentors who challenged me and helped build my confidence by throwing me in the deep end and letting me figure out that I can swim pretty well when given the chance. It’s also a great relief when you realise that it’s OK to make the wrong call sometimes.

If a decision you make is what you think is the best at the time based on the information at hand, it’s not the end of the world when things change. How you respond to and acknowledge those changes is far more important.

I have had some great advice from past and current colleagues and mentors. When this was critical of how I had handled things it was really hard to swallow. But, without fail, with hindsight I have totally agreed with the feedback.

Darren Kane, my current boss, always talks about the key to success being to get the right people working with you. It can be easy to hire people because you have a need and they have the skills, but if their attitude and approach does not complement the culture you want to promote they will cause you more pain in the long run. I’ve definitely learned this the hard way over the past 15 years.

In the early days I often felt like my lack of technical or vocational training was a huge negative and felt out of my depth in many a product discussion. Over time I started to see how my background and strengths in communication and strategy were very complementary to those of the technical people I worked alongside.

I have really seen a shift over the past ten years towards the industry being much more welcoming of people who don’t have tech backgrounds, which has been a huge benefit by promoting diversity of thought and approach. Early on I definitely felt judged for not having a computer science degree and not being able to make jokes about TCP/IP.

I’ve often been the only woman and the only non-technical person in leadership teams within security groups (although thankfully that has changed a great deal over the past five or so years). At times it’s made things harder, but more often than not there have been benefits to being able to provide a different take on things.

It is important to have diversity, with representation of different genders, cultures, nationalities, abilities and socio-economic backgrounds in all walks of life. Without this we are limiting ourselves to an incredibly narrow way of thinking and acting. By harnessing the power of a wider variety of experiences we open the door to some really exciting opportunities to do things better, which in security and privacy can only be positive.

I really love the human side of my role, helping grow and develop the team. I’d say I have a reasonably high level of emotional intelligence that helps me build genuine trust with the people I work with. I gave up trying to have a work ‘persona’ many years ago when it became too tiring trying to be who I thought I should be professionally versus allowing my ‘at home’ self to come with me to work. I don’t shy away from hard conversations with people, because I think if you’re honest and straightforward people will respect you and want to keep working with you.

I really encourage people into careers in security and privacy. The need is growing and there are some amazing roles out there, and you never stop learning or being challenged. Get involved in as many professional groups as you can, such as the Australian Women in Security Network (AWSN), the Security Influence and Trust Group, the Australian Information Security Association (AISA), etc. Join the virtual meet-ups, or even better, offer to help with the organisation behind the scenes. This is where you will meet people in the industry and figure out what you enjoy.

If anyone reading this wants to chat to me about how to move into the industry I’m always very happy to do so (via LinkedIn message is probably best), but maybe give me a couple of months to get this new baby into some kind of routine!


Mentoring Pilot

AWSN is pleased to launch the 2021 Australian Women in Security Network Mentoring Pilot.

Looking for ways to give back? We need you. Learn more at awsn.org.au/initiatives/mentoring/


IT’S NEVER TOO LATE TO CHANGE YOUR STARS

Toni James

Product Owner | Security Advisor | ChCon.nz Organiser | Diversity Advocate | Speaker

SafeStack Limited

“What I do regret is getting stuck, doubting I could take a new path or pursue a different career when I had no guarantee of success. It was the absolute fear of failure that held me back”

I started my security journey long before I knew the security industry to be an option. My daughter was three years old and I was working a job I absolutely loved in the snowboard industry, but the pay was low and jobs were seasonal. Life was stressful because money was tight and I wanted more options: more freedom for my family, more opportunities for my daughter. I knew there was so much more I could do with my life. I grew up with computers, playing video games and learning programming in school, so I knew tech was an option. I even started down that path straight out of high school, before being quickly derailed by the lure of the snowboard industry.

Don’t get me wrong, getting into that industry was the right decision at the time. It brought me around the world to New Zealand from my home in the USA, and led me to meet my husband (in the lift line while snowboarding). I regret nothing about choosing that path in life.

What I do regret is getting stuck, doubting I could take a new path or pursue a different career when I had no guarantee of success. It was the absolute fear of failure that held me back. It was far easier to just apply for another job, settle for the best pay you could get, and make ends meet. Believe me, it took me nearly five years and a bout of depression to realise this and work up the courage to change my stars.

When I finally worked up the courage to change my stars and do something different, I didn’t know what I wanted to be. I really envy people who can answer the question “What do you want to be when you grow up?” They seem so driven and confident, so clear on what they want in life, and so focused on achieving it. I’m not one of those people. I want to be happy. I want to be financially stable and have time to enjoy life with my friends and family. I want to contribute to society in a positive way. I want to help others through the tough times in life. I want to share my story, to help others find their place in the world, and support them along the way.

One thing I did know was that a job in the tech industry could give me opportunities to be all those things. So I chose to study for a degree in computer science. It’s an extremely versatile degree, the study regime was flexible enough to accommodate my childcare options, and I was able to choose classes that interested me.

One notable benefit it gave me was being able to take opportunities as they presented themselves. I’m still limited by where I live, and by my education and training, but when someone says “Hey you’d be great at X! Have you ever thought of working in Y?”, it opens options I never knew existed. During my first month at university Google visited my campus on a recruiting mission and hosted a Women in Tech event. I met several Googlers who were interested in my story and encouraged me to apply for scholarships, internships and programs.

I didn’t win the first scholarship I applied for, but I was a finalist, which got me a trip to Sydney and training in diversity and inclusion initiatives. This opened up further pathways into research and leadership opportunities. I applied for a software engineering internship at a local software company, and got one for two years. Many things I applied for I did not get, but the key here is: I applied, and when the opportunity was right, I said yes. The opportunities I’ve followed have taken me to Australia, India, Singapore, Argentina, and the United States, and I’ve learned so much along the way.

Eventually, those opportunities led me to the security industry. When I was working as a software engineer in a healthcare software company, I found security to be a high priority. This sparked my interest, and the more I learned about security, the more I wanted to know.

I applied for diversity funds so I could go to security conferences. I spoke at security conferences and meetups, and I studied security “for fun”. And when someone said “Hey, you’d be great at this! Ever thought about working in security?” I took that opportunity, and I changed my stars again. I still don’t know what I want to be when I grow up, but right now, I love where I am.

www.linkedin.com/company/safestack/

academy.safestack.io/about-safestack/

twitter.com/safestack


Joss Howard

Cyber Security Senior Advisor, NCC Group APAC

“The inclusion of different cultures and backgrounds in cybersecurity is important. Diversity breeds collaboration and innovation. Hackers don’t discriminate, so why should we?”

My journey into cyber security started in the early 1990s with a recalcitrant computer. I was in the Royal Air Force and helped my commanding officer prepare PowerPoint presentations for his meetings. The computer I used kept breaking down, so I took it upon myself to learn how computers worked and fix it. Then a friend who worked in a new area in the RAF called ‘computer security’ told me she was leaving and suggested I apply for her position. I did. I got it, and I’ve never looked back.

At that time information and systems security was a very new area. Few of us understood what was needed. But we worked together as a team (all male, except for me) and we evolved with the industry. Our managers encouraged us to research, to learn, and to try and resolve issues as best we could. Support and guidance from them were available in abundance. A mistake wasn’t a mistake, but an opportunity to learn and try again. Today there seems to be too much pressure to get things right first time, and too much emphasis on blame, which is such a shame.

In those early days computer security conferences were male dominated. I found them tiresome: it was hard to find anyone who looked or thought like I did. There were men who would champion the cause of equality, but they were few and far between. Things are much better today. There are opportunities to discuss security and share opinions with a wider audience, and long may that continue.

The inclusion of different cultures and backgrounds in cybersecurity is important. Diversity breeds collaboration and innovation. Hackers don’t discriminate, so why should we? In security, to be effective we need to stop discrimination and take on the challenge of diversity.

I have led and managed teams from diverse backgrounds and each member brings a different perspective based on their experience. These different experiences lead to pragmatic, flexible solutions that fit with an organisation, making that organisation an easier and, frankly, a more pleasant place to work. I’ve learnt much from team members that has helped me serve the team better. It’s been enjoyable to hear (and sometimes experience) other cultures.

Today I consult to boards, senior management and department heads on how to reduce cyber risk and increase cyber resilience in their organisations. My consultancy can take the form of strategising, operational transformation, assessing an organisation’s current security posture, or providing security awareness. My role is diverse and continually changing. One day I might get to speak to the most senior people in the business and help solve their cyber security challenges. Next day I could be helping my client improve their cyber resilience.

As an executive principal consultant my role covers marketing, sales and delivery. My day could include:

• Leading the client in defining their cyber security strategy;

• Providing thought leadership through conducting webinars, delivery of blogs, articles and interviews with journalists;

• Conducting control assessments of a client’s security posture and creating security roadmaps;

• Recommending boards and C-level clients on options to reduce cyber risks in their organisation;

• Conducting an incident response scenario exercise to improve a client’s cyber resiliency;

• Writing and delivering policy;

• Acting as the point of contact between sales, the client and our business;

• Assisting sales in qualifying, proposing and designing solutions to bids and other responses.

No two days are the same. Regulatory changes, new cyber security standards, changes in technology, new cyber-attacks, sales and research, keep me very busy and out of trouble!

I’ve been in information security – in one way or another – for 30 years. I have had the great privilege of working in more than 10 countries in the EU, North America and APAC. I have had the honour of helping more than 60 clients ‘change the security dial’ for the better. I never expected this when I started out!

I am an avid reader and apply what I learn. In the early days, I built my own computers and networks at home and tried to hack them. I would then build on that experience. I also set personal goals to see what I can achieve in a given time. Then I reflect on what I had achieved. I am also willing to take a risk and follow an opportunity. I have found there is usually a small drop when you take that initial step, but it’s followed by a rise.

I have taken many courses over my career, generally around leadership and management, operating systems and networking, information and cyber risk management, and privacy. These have also included: Certified Information Systems Security Professional (CISSP); Information Security System Management Professional (ISSMP); Certified Information Systems Auditor (CISA); Certificate in Information Security Management Principles (CISMP); Certified Data Privacy Solutions Engineer (CDPSE).

So, if you are considering a career in cybersecurity my advice would be: go for it! Take risks and grab opportunities as they come along. Accept that there will be challenges along the way, but know you can overcome them. Be open to learning and put in the hard work needed to be successful. Get yourself a mentor or coach to help you along the journey, for either professional or personal development. They act as a great ‘sounding board’ and provide independent insight and guidance to help you along the way.

www.linkedin.com/in/joss-h-5571981/


Skye Wu

Cyber Security Investigator, Speaker, Mentor & Champion for Diversity

I fell into a career in security after I became interested in digital forensics at university for my bachelor’s in information systems degree. I enjoyed problem solving and working out how/why something happened. I realised that by doing digital forensics for law enforcement I would also be able to do some good for society. So it became a no-brainer for me to start my career there.

I was recruited into the computer crime squad with no practical experience, only knowledge gained from books (before YouTube!). The senior sergeant who hired me told me on my first day I would have a steep technical learning curve, but he hired me because I was able to show I had the aptitude and thinking of a digital forensic analyst.

I spent years working in law enforcement, followed by several stints in consulting. I was fortunate to have worked with some of the best minds in the industry very early on, and I learnt much from my colleagues in law enforcement, and later those in consulting.

However, my job was always to investigate something after the fact; get involved after a litigation had already begun, and I became weary of being always on the responding side of the equation. I began to wonder if it were possible to move into an area where the work would be more preventative than reactive.

I joined Telstra in 2014 as an open source security analyst and a few years later my boss, Chris, dropped me into the discovery team to help on a temporary secondment. I became really interested in the proactive nature of the role, so I decided I wanted to stay. Luckily the feeling was mutual!

Since September 2019 I have been acting Discovery manager at Telstra. The Telstra discovery team uses data the company is already collecting to proactively identify business risks that are unknown to the organisation.

I see the most important part of my job being to take mundane work, such as administrative tasks, away from the team so its members can focus on the important tasks, like working with data to distil interesting findings that can be turned into actionable intelligence internally.

No two days are the same. Generally I like to start my day doing a bit of reflection and thinking, be it looking over the project we are working on, or the team’s annual plan and the goals we are hoping to achieve in the current financial year.

Most of my time is taken up with data analysis work, asking questions of the data to distil interesting insights, and playing with visualisations so the insights can be presented to and consumed by a range of audiences (technical and business). I also look for potential opportunities for continuous improvement, and document our findings and learnings in our growing knowledge base.

I also work in the Australian Women in Security Network (AWSN) where I lead the AWSN cadet program. I became involved with AWSN after meeting founder Jacqui Loustau several times at networking events. I initially became an industry advisor to AWSN’s Melbourne chapter and ran a workshop for the Melbourne cadet members. I really believe in what the cadet program hopes to achieve. So when the opportunity came to expand my role and lead the program nationally, I jumped at it.

I work with AWSN leads, including other cadet leads, and with AWSN committee members to provide a safe environment in which our cadet members can learn, collaborate and interact with their peers and industry professionals. I dedicate a few hours each week to cadet work. This includes looking after the Slack channel where our members collaborate. Since COVID the security workshops for our cadet members have run virtually nationwide, and I also work with committee members to ensure our planned workshops go ahead.

What I love most about both my roles is the opportunity to be proactive. In my day job, I can help the business get on top of potential problems. As AWSN cadet lead I help new talent prepare for careers in cybersecurity. It’s an opportunity for me to reciprocate the support I had on my journey.

The industry is an ecosystem; it’s important to help develop others at the same time as you develop yourself. I have learnt a lot about myself through mentoring and supporting others.

In the early days of my career my self-doubt and lack of mentorship from leaders who were able to recognise my personality traits and how I worked limited my personal development.

My main personal challenge stems from traits I was, unfortunately, born with: self-doubt, self-defeat and self-sabotage. For a very long time I would turn down opportunities unless I knew I could do 100 percent of the job. I would sometimes put myself down believing it to be a sign of modesty. I experienced my most personal development and growth only when I took a leap into the unknown.

Understanding what motivates you and why you do it will guide you on your career journey. And don’t be afraid to fail: sometimes our biggest setbacks are opportunities to propel ourselves further.

Over time I got comfortable with the idea of putting myself into situations that terrified me, like public speaking. I also started to get comfortable with making mistakes and failing. A very wise industry influencer once told me “if you are feeling challenged, it means you are growing!” Having that kind of support and advice really helped me on my journey.

It took a great manager who recognised my abilities and prodded me in the right way to get me to move out of my comfort zone. That came after several years in different workplaces with different managers.

I also faced many challenges simply by being female. At university I was discouraged from pursuing a career in digital forensics because the industry is very male-dominated. From the moment I decided I wanted to work for law enforcement doing digital forensics without any hands-on experience, I knew I had to grow a thick skin. I had to swim or drown, and drowning wasn’t an option.

Working in digital forensics, I was not taken seriously and accepted as an equal by my male counterparts who performed the same role. And I was sought after for roles and opportunities because of my gender rather than for my experience or qualifications.

I was then made to feel unworthy and undeserving of recognition for my skills and expertise, with discouraging comments from male colleagues in senior positions, such as “You only got recognised as a diversity stunt.”

Being female and also a first-generation migrant from China led to advice such as “you should not apply for federal government roles as you are Chinese and people won’t trust you.”

I’ve also been accused of not behaving as a member of the team, because I outed a “team-bonding” competition that involved weight-lifting and other weight-related gym exercises in which the whole team could not participate equally.

I believe companies need to not only close the gender gap, but also consider broader diversity, including diversity of skill, thinking, experiences, etc. Teams and organisations that do not take an interest in broad diversity run the risk of applying tunnel vision to the work they do, the products and services they provide, and of missing opportunities to recruit and maintain talent that could help drive their organisation forward.

So, build yourself a solid support network, attend / seek out industry events, join industry groups such as AWSN, and the AWSN Cadets. There are many experienced men and women in the industry who are supportive of new talent entering the industry. Networking will help you connect.

Be open to new opportunities, even if people and your own inner voice are telling you ‘no’. Be open to failure, own your mistakes; people aren’t likely to remember how you failed, but they will remember how you picked yourself up. Know who you are, know your values as an individual. Write them down on Post-it notes and put them somewhere you can see them whenever you need to.

www.linkedin.com/in/skye-wu-ba390919/

www.skyewu.com


A PROGRAM THAT CONNECTS, SUPPORTS AND INSPIRES FEMALE-IDENTIFYING TERTIARY STUDENTS AND EARLY CAREER PROFESSIONALS.

"When women work together, they become a force to be reckoned with. Be part of a force for good in the security industry, by joining the AWSN Cadets program today!" - Liz B, Co-Founder

Studying or an Early Career Professional in information security? Learn more at awsn.org.au/initiatives/awsn-cadets/


W H AT ’ S

H E R

J O U R N E Y ?

Rachel Okoji
Virtual Intern, Mossé Cyber Security Institute

Most female success stories tell of battles won against gender discrimination, as they should. I have encountered such battles, but my journey so far has been driven by sheer stubbornness. I was the kid who played soccer in a boys’ only team and then went home to play with my dolls. I insisted on being in the science class even when my teachers suggested arts would be a better fit. I was also the kid who went and did things simply because nobody thought I could.

For the average female child from a traditional Nigerian home there is a pretty clear-cut life path – go to school (if your parents are open to that), maybe get a small job until a rich prince shows up to ask for your hand, and then have children. Basically, the life of a typical Disney princess complete with the ‘happy ever after’. Unlike the male children, you are expected to aspire only to becoming a good wife and mother. My family is both traditional and modern, so I could very easily have settled for that life. Maybe I would have been happy, but I wanted more, and I went in search of it.

With my transferable skills, I was able to jump from one job to another but I did not. I was not satisfied. So, I decided to take a daring step away from nine-to-five jobs and into freelance writing, mostly because I needed time to figure out what I really wanted to do. Of course, there were days when I questioned this decision and on one such day, I stumbled upon a training opportunity for women in cybersecurity. Because my IT proficiency did not extend beyond basic PC operation, I did not expect to be selected, but I was.

I rated my technical experience as being almost the lowest in my cohort. To get up to speed, I did some research into cybersecurity and ended up doing a deep dive into the history of computing. There I encountered the amazing contributions of Charles Babbage and a number of remarkable men. Much deeper into the dive, I stumbled upon the less talked about contributions of women like Grace Hopper, Shakuntala Devi and Ada Lovelace, to name a few. It was rather disturbing to find I had never heard of the first two women in any of my computer science classes, despite their huge contributions. I was no stranger to the fact that, over the years, women’s achievements have been mostly downplayed or completely ignored. My discovery fuelled my desire to follow this track even further.

I went through my cybersecurity training like a wide-eyed child, filled with wonder as we explored the fundamentals of security in the cyber world. Despite the less than ideal circumstances brought about by the pandemic, I was able to complete the training with the steady support of a community of determined and intelligent women who were breaking the glass ceiling and clearing the path for others. While my career journey is still at the very beginning, I am determined to play my part. I may not emulate the locked-up-in-a-castle princess or the sleeping princess, but my hard-headedness can certainly be likened to Mulan’s.

www.linkedin.com/in/rachel-okoji-714a14138



THINGS TO KNOW IF YOU ARE CONSIDERING A JOB IN CYBER SECURITY

Nicole Neil Senior Manager Information Security - APAC at Newell Brands. She is passionate about security training and awareness, by making it personal the hope is to change behavior at home and at work. She is keen to see more women in Information Security and enjoys encouraging and educating others to learn. She is currently studying a Masters in Cyber Security at Charles Sturt.

My journey into the world of cybersecurity was probably different from most. A cybersecurity role came up in the company I worked for. I applied and was successful.

At the time, I was told I did not have the necessary certifications, experience, or knowledge. Looking back, that was a fair statement. This article describes what I learnt from my journey into this exciting and fascinating field. I hope it will help others considering work in cybersecurity.

1. UNDERSTAND WHAT INFORMATION SECURITY/CYBERSECURITY IS

There are many disciplines and technologies in cybersecurity, such as Identity and Access Management (IAM), or Security Operations (SecOps), and Governance Risk and Compliance (GRC). Decide which area interests you the most. For example, I see GRC as the domain of the police, those enforcing policy and educating people. SecOps is about finding vulnerabilities and reducing threats. SecOps specialists work in parallel with the GRC team because the R in GRC is about risk, identifying it, and conducting assessments. Finally, the IAM team looks after access controls, again working with the SecOps team to control who can log in, making sure they are logging in securely, and that they have been identified, authenticated, and authorised on a network.

2. ACRONYMS

I can laugh about it now, but when I first joined the Information Security team, I spent the first few months living in Google. I had no idea what an ISMS was. For those that don’t know, it’s an Information Security Management System, or even what a SOC was. No, it’s not what you put on your foot. A SOC is a security operations center. There are 100s of acronyms to learn, and some acronyms cover three or four different things. Take MAC, for example. It can be the media access control address of a computer or mandatory access control. And in cryptography, a MAC is a message authentication code. I mean really, it’s crazy. Get ready to learn a lot of acronyms.

3. CERTIFICATIONS, STUDY, CONTINUAL LEARNING

I would encourage anyone looking to get into cybersecurity to study. There are many free learnings available, but there are also many industry body certifications you will need to pay for. I started with the Security + by CompTIA and found this to be a very good basis for learning. From there, I went into the CISSP and then onto a number of ISACA certifications. My favorite course at the moment is my master’s in cybersecurity. I am thoroughly enjoying the content and have learned a lot about networking and cryptography, the dark web, forensic investigations, ethical hacking, risk, and the foundation of information security. It’s a great experience if you have the time and the money.

4. PRIVACY

As much as you need to know about information security and all the threats, acronyms, and lingo, you need to also understand privacy, how data is used, stored, and retained. In particular, you need to know the General Data Protection Regulation (GDPR), the Australia Privacy Principles, the Australia Privacy Act, and the Australia Signals Directorate’s role.

5. WATCH WEBINARS

Whenever I was in a meeting, and a particular product was being looked at, I googled it and then joined webinars on it and read a lot about the vendor and the product. I have found this to be another way to get access to free learning. These webinars will give you information on how vendors use products to mitigate risk and counter threats.

6. JOIN GROUPS

There are many. I would highly recommend the Australian Women in Security Network (AWSN). This is an organisation of women who are passionate about cybersecurity, connecting, supporting and inspiring each other. There are also other groups such as ISACA, CompTIA and ISC2 that are industry bodies for cybersecurity education, and the International Association of Privacy Professionals (IAPP). I have subscribed to the Social-Engineer Newsletter, and I can recommend Mike Chapple’s website, who provides great free training and resources on the CISSP and Security + certifications. There are many online groups focused on cybersecurity. Some require a fee, but the long term benefits can more than justify the cost.

7. FIND A MENTOR

I have a mentor in my manager, and I would highly recommend finding someone who sees your value and your passion, working with them, and learning from them. There is much to learn in this industry. You can never know everything, but you can learn from others and grow and find new ways to do things.

If you find cybersecurity exciting and you look forward to learning, I encourage you to get involved, learn as much as you can, and don’t believe you can’t do it because you lack the right certification. You can learn and you can grow. I am proof of that. It’s about passion. It’s about seeing the need to educate users and people in general and helping them learn how to stay safe and be more cyber-aware.

www.linkedin.com/in/nicole-neil-2ab56422



Mary Attard
Partner, Cyber Security & Digital Trust - Identity & Access Management at PwC Australia

Like many people I was never really sure what I wanted to be when I grew up and I definitely never planned for a career in cybersecurity. I have a background in risk management and experience in technology implementation projects. I ventured into the world of cybersecurity when I was offered an opportunity to manage an Identity and Access Management project at PwC.

This opportunity came up during a conversation over coffee with a PwC Partner - I had no idea such a role existed and wasn’t even sure that I had the right experience for it. The lesson there - don’t underestimate the value of your network; you never know when your next coffee could turn into a career-changing opportunity!

I quickly learned the value that my business knowledge and experience brings to the table. I’m able to bridge the gap between ‘the business’ and security, and in today’s digital world this couldn’t be more important. I chose to pursue a career in security because of the impact I can have in helping organisations understand how good security practices are fundamental to enabling their businesses.

I’m now a Partner at PwC in Cybersecurity and Digital Trust and lead our Identity and Access Management (IAM) practice, helping my clients manage customer or enterprise identities through the design and implementation of identity management solutions. I love my role - it gives me the opportunity to work with some amazing clients from organisations of all sizes and industries. I help them solve their cybersecurity and IAM problems, working with a brilliantly talented team whilst mentoring and supporting the careers of my team.

I really enjoy the variety of my work. No two days are the same. My days are often full of meetings: client meetings to talk about the status of an inflight project or a new challenge they’re facing; team meetings focussed on delivery of our projects; career coaching conversations; working with the other partners on the day-to-day operations of our business.

Many things have contributed to my success, but I think the most important is confidence and an open mind to the possibilities on every level, from how I approach a problem on a project to how I go about finding my next role.

Confidence is like any other muscle: you have to continually exercise it. I build confidence (and continue to, everyday) by putting myself out there and just giving whatever it is a go. Confidence comes from backing yourself in. Sure you’ll make mistakes and things won’t be perfect, but it’s not the end of the world, you learn the most from those experiences.

And success doesn’t come without hard work. That doesn’t have to mean long nights and weekends. It sometimes means taking on the challenges others shy away from. Don’t be afraid to take risks, step outside your comfort zone and learn from your experiences. Finally, make sure to find sponsors and advocates in your organisation and in your network. Everyone needs a cheer squad. Make sure to surround yourself with people who can remind you of how awesome you are when you need to hear it.

Many amazingly talented individuals have taken the time to coach and mentor me throughout my career. I’m sure I haven’t made it easy for some of them, but I can’t stress enough how important it is to surround yourself with people who you respect, are the kind of leader you aspire to be, and can provide you with advice, counsel and the hard truth when you need to hear it. They might work in your organisation, or be someone in your network. It doesn’t really matter. What matters is that you find the right people to give you the guidance you need to continue to grow and learn.

I believe my biggest obstacles have led to my greatest achievements. When starting a new role I try to prove myself and build my credibility rather than starting from a place of acceptance that if I’ve been appointed to the role I must be the right person for the job. My unconscious bias means I’ve had to work twice as hard to make sure there is no doubt about what I’m capable of, more so to prove this to myself than to anyone else. So I’ve pushed myself beyond what I ever thought I could achieve in my career, and I’m nowhere near done yet.

So far I’ve followed a diverse career path. I have a bachelor’s degree in business majoring in accounting. I’ve completed courses in project & operations management, Agile delivery, risk management and Lean Six Sigma. I have a Green Belt (is that still cool?) and executive coaching qualifications. I’m very much an experiential learner. I love learning by just diving in and trying new things.

I’m sure there’s a straighter career path than the one I’ve taken, but I think it’s also what I’ve loved most about getting to where I am today, and a big part of my success. I would encourage others to be open to opportunities that may not be on their direct path.

Always be inquisitive and open to learning new things, even when you think they aren’t relevant to your current role. Having a broad understanding or perspective of the world means you can bring more to your current role and open your mind to what else is out there. Put your hand up, have a voice and don’t be afraid to ask for opportunities. Try not to let fear stop you from doing something. I’d rather look back and say I gave it my best shot than look back with regret for not taking an opportunity, or not giving something a go.

The gender gap still exists, and we women continue to limit ourselves by looking at the world through the same lens of how things have always been. But, as we close the gender — and the diversity — gap we bring new perspectives and thought leadership to an industry that is rapidly changing. This can only be a good thing.

www.linkedin.com/in/maryattard/



REMOVING BARRIERS, AT WORK AND OUTSIDE OF IT

Atlassian’s Jodie Vlassis warmed to cybersecurity at an early age, and never looked back

Jodie Vlassis
Cyber Security SME in Trust and Security at Atlassian

Jodie Vlassis traces her interest in technology back at least to the age of 12, when she would watch her brother “do some pretty cool things” developing software and decided she wanted to learn to do the same thing.

She learned Java programming at a young age and steadily moved towards cybersecurity, which she eventually realised she savoured “for the pureness of it”.

Cybersecurity is “constantly evolving,” she says. “It’s a fast-paced environment where there’s always something new to learn – and that’s something that really excited me, and that I really wanted to be a part of.”

Yet even at a young age, Vlassis says, she recalls that she “really knew cyber security to be very male oriented”.

While doing consultancy work with Deloitte, Vlassis ran into Atlassian representatives at an industry function – and, although she wasn’t looking for a job at the time, the new job opportunity arose – and she grabbed it with both hands.

“I was fortunate to have joined an organisation like Deloitte where there were other females around,” she says, “but when opportunities arise and you know they’re too good to refuse, you have to put yourself out there.”

Now working as Security Trust within the Trust and Security team in Atlassian’s Cyber Security SME, Vlassis explains that her responsibility “is to remove barriers, such as security blockers or any issues that may prevent customers or potential customers from growing with Atlassian.”

As someone supporting customers from the vendor side rather than the consulting side, Vlassis admits the new role has been a change – but in the end, she says, cybersecurity is cybersecurity.

“The foundation of cybersecurity doesn’t change” from role to role, she explains. “What changes is your end audience. But at the end of the day, we’re all here to achieve the same goal – to ensure that cyber security is at the forefront of every business, and we do that by building trust through security.”

THE JOY OF MENTORING

A nominee in several categories in 2019’s inaugural AWSN Women in Security awards, Vlassis was a finalist in this year’s Best Champion for Women in Protective Security/Resilience category.

It’s a badge she wears with pride, although she points out that she grew into the role rather than seeking it out.

“I’m not a traditional women’s rights activist by choice,” she says, “but because I have a role in the cybersecurity industry, it makes me one automatically – and I guess this is due to the lack of strong female leadership. As a result, I’ve become a de facto mentor.”

Mentorship has proven to be in her blood, Vlassis says: “it brings me a lot of joy knowing that if I can be present and help at least one person, then at least I know I’m doing what I’m meant to do.”

Her own career has been supported by mentors both in and out of her working environment, which she says has been invaluable by providing an unbiased opinion or point of view.

“But don’t have a mentor just for the sake of having a mentor or because everyone else has one,” Vlassis says. “You need to make sure that a mentor is going to help guide you, and help you become the best version of yourself – so you can provide that to the next generation.”

She was given an opportunity, she says, “and if I can give back and pay it forward to someone, then I know I’m doing my job.”

REACHING OUT IN A TIME OF PANDEMIC

The challenges of this year’s COVID-19 pandemic brought the role into finer focus, as the shift to isolated remote working fostered a greater emphasis on networking and one-to-one support.

“Since COVID happened, I feel like I’ve been given the opportunity to network more than ever,” she says, “and it has provided me opportunities to connect and mentor and support. It has opened up a new online world where we can now connect with anyone at any time – and I have enjoyed advising young women on how to make it in an industry where, unfortunately, women are still largely marginalised.”

That situation has changed in recent years, she adds, through greater advocacy for women in cybersecurity roles and the greater attention that many executives are paying to issues around gender equality and representation.

Longer-term institutional change, however, will take time – and broad buy-in.

“In my years in boardrooms I can attest to the underrepresentation of women – and it’s a systemic problem that definitely needs to be changed,” she says.

“Boosting economic and job opportunities for women, and marginalised groups, needs to be part of the solution,” she says.

“But it’s not just a one-person solution, it’s an everybody solution – and by increasing awareness within our workforce, expanding and creating mentoring opportunities, and forging women-oriented communities, we can really ramp up female representation.”

www.linkedin.com/in/jodie-vlassis-285074104/

Follow Atlassian on LinkedIn, Facebook, Instagram and more; www.atlassian.com
Want to know more about the security of our products? Head over to the Atlassian Trust Center www.atlassian.com/trust



WHERE ARE MY LADIES AT?

Bri Hadley
Creative, connector, and knowledge vacuum

BREAKING ASSUMPTIONS, CHANGING OUR PERSPECTIVES, AND OWNING OUR PLACE

For most of their existence public policing and private security have been a ‘boys club’. Social expectations, ideas of ‘propriety’, and fear all played a role in the assumption that women and security do not mix. Under these assumptions, men designed the security industry, from its aims to its ideal candidates. Arguably, these were smart, rational men. In most circumstances, though, they would not (or could not) challenge their underlying assumptions—including their assumptions about the role of women. Our post-modern culture, even with its focus on diversity and inclusion, still suffers from this assumption blindness. If we want to move forward as an industry, we need to find and challenge these assumptions, keeping what is useful and replacing what is not.

I like to use my career as an example of the impact of assumptions. I have always been an investigator—always curious, always wanting to know why, and always making connections. I come from a long line of security workers and first responders—police, military, private security, firefighters, nurses. I initially resisted a career in both traditional public policing and in the private sector. Growing up, I could not see myself thriving in the regimented culture of public police services. Also, I did not want to spend my time serving legal paperwork and chasing down cheating spouses. I assumed that, if I wanted to be in security, I had to choose one or the other.


After many twists, turns and false starts, I landed in investigations in my late 20s—all thanks to a few months of rather dramatic mistakes. Fortunately, I had a brilliant manager with a plan. While both embarrassing and frustrating, this plan gave me the time and connections I needed to redefine what a career in security (in this case, investigations) could look like. I met women who would become mentors who showed me where my career could go. Just over a year after being hired into the unit I went from being bored and disengaged to finding fulfillment in my work, every day. Over the years my role has included investigations, data analysis, business intelligence, and consulting functions. I love it! I think most people still assume that security workers have uniforms and badges, carry guns, put themselves in harm’s way to protect (or control) people. This, at best, is an incomplete picture. In the years since I joined the security industry, I have developed a very different picture of what policing and security look like. I have learned that physical security and information analysis are interdependent parts of the same whole. We ask questions, assess risks, and identify threats. Some of us collect, compile and analyse large amounts of information from an increasingly complex array of sources. Some of us find connections across seemingly unrelated groups of information and create risk-mitigation plans. Some provide advice and write policy. Others protect physical assets. If we want to do our jobs well (and I believe we do), then we need to paint this picture of the security industry, in all its diverse roles and functions. We need to be willing to challenge even our most basic assumptions. We need to take on new perspectives, and find ways to incorporate those perspectives into our daily work and our organisational structures. This is how we own our place in security. Then perceptions and assumptions can shift, opening a window into the world of security. 
When more women see what a career in security has to offer, they will come.




A DAY IN THE LIFE

A Day in the Life of a Threat Intelligence Analyst

Sara Moore
Cyber Threat Intelligence Analyst

One of the most important aspects of my day as an analyst is my routine. Many people in cyber threat intelligence will tell you the job can be overwhelming, and a routine can help you navigate all sorts of confusing and difficult circumstances. I deliberately keep a close watch on how I spend my time so I can focus on my own wellbeing and my family’s wellbeing as well as my profession. I’ve done this consistently since becoming a mum, which any parent will tell you changes your life! It changed mine in many ways, one of which was I developed a rigorous daily routine.

The first part of my day is most important. I get up at 5:00am so I can be a more present mum to my nearly two-year-old when she is awake, and fit in some important steps before I start parenting and working. This routine works for me, but I appreciate it might not suit other people with different pressures, especially those brought on by lockdown and homeschooling.

Being a cyber threat intelligence analyst requires curiosity, awareness (of self as well as current affairs and threats), technical skills and communication skills. I try to think of these aspects of my profession in my daily routine. It’s a dynamic industry so it is important not to let yourself stagnate!

DAILY ROUTINE

5:00am: I have a ‘silent alarm’ on my watch which vibrates to wake me up. This is because I really do not want to wake up the baby! I get up, put on my dressing gown and sneak downstairs to make a coffee. Then I read until 6:00am, because I am constantly being recommended fantastic books but cannot find the time to get through them. Fitting in reading has an immediate positive impact on my self-development.

6:00am: I do Yoga and meditate, to wake up my body. And I use meditation to help strengthen my focus for the day ahead. Focus (whether on data analysis or on a conversation) is key to being detail-oriented.

6:15am: I update my journal. This is one of the most valuable parts of my routine. One of the important characteristics of a good intelligence analyst is self-awareness and emotional intelligence. By writing down and understanding my fears and stresses before the day has begun, I can move more easily through whatever difficult circumstances might arise later, including those resulting from my own biases.

6:30am: Self-development time. This is when I work on something important for me. It could be a blog or an idea I have. It could be a course I am trying to get through. Self-development time gives me the chance to grow as a professional.

7:00am: I wake my baby! I have lots of sleepy cuddles with her before making her breakfast and getting her to nursery.

9:00am: I am at my desk. This is the ‘morning rushes’ part of my day. I spend a good half an hour reviewing my sources for information and reading news articles. This is to keep me abreast of what’s going on. If there is anything pertinent to the organisation, I will save the article. I will keep a note of any questions I have for potential reports or investigations. After this I look at my inbox and send any emails required. This means I have spent time being focused before getting distracted by emails and phone messages.

The rest of my working day can be unpredictable. The day might be quiet or there might be an incident, but whatever transpires I have made the effort to be ready. On a quiet day my working morning consists of collections and hunting for malicious activity. On a busy day, anytime is incident time! Meetings can be spun up and a lot of activity can develop very quickly.

12:00pm: I make space to exercise at lunch time: I walk, cycle or run. This is made easier because, like many people, I am presently working remotely. If the afternoon is quiet I carve out time for analysis and report writing, for example, assessment and analysis of a particular topic or a ‘business as usual’ distribution for situational awareness.

4:45pm: Wrap up tasks and meetings. Before picking up the baby from nursery I will try to write down at least one priority work task for the following morning. This leaves me feeling prepared to be productive.

5:00pm: I pick up my daughter from nursery, we play and have some fun before dinner, bath and bedtime.

8:00pm: Baby is in bed, I go over my day, any lessons learnt, any wins and positives. If there are any other ideas, I will write them down. I might do some puzzles or catch up with family and friends.

9:30pm: Bed. I leave my phone outside the bedroom.

This routine has helped me find a way to multitask and meet my own needs, those of my family and my work. It has helped me think creatively and develop self-awareness, two very important personal attributes that help me join dots and generate good assessments. Many aspects of my routine have been inspired by authors such as James Clear in “Atomic Habits” and Robin Sharma in “5 am Club”. If you want to know more about cognitive aspects of intelligence analysis (biases) I would recommend the well-known classic “psychology of intelligence analysis” by Richards J. Heuer.

www.linkedin.com/in/sara-moore-698594168/



COLUMN

CRAIG FORD
Cyber Enthusiast, Ethical Hacker, Author of A hacker I am vol1 & vol2

Diversity in security: Not just about men and women

That heading in this magazine, in an article written by a MAN. Yeah, I know it’s probably a little risky but I’m not afraid of a little heat and if you are reading this you either work in security or would like to. Security is a risky job, we are all used to jumping in front of a train that is careening out of control, while on fire and we have no real way of stopping it. We just have to stare out at our pending doom, knowing we may fail. With that in mind stick with me for a minute, there is a point to this piece. Diversity is regularly seen as just bridging the gap between men and women but that is not enough.

We need to look at diversity with a wider lens, see a broader diversity opportunity and capitalise on what we could achieve through that focus. Each person will look at things in their own way, depending on many things like personal experiences, education, personality, culture and just how their brain works or solves problems. Everyone is different and we need to embrace that, use it. If we focus on just one area of diversity, let’s say age. If you build a team of both men and women of all different ages from 18 through to 65, you will quickly see that the different generations will approach problems in completely different ways. For security, this is a great thing. The mounting problems we face are complicated, the opponents we face are well funded and are incredibly skilled but if you look at problems from a different angle you just might find a simple yet eloquent way to solve a defence problem.

Age is just one part, just like gender. Try adding any of the others listed and really mix things up. I am certain that if we all start to look at diversity in this light we will make big things happen in 2021. Let’s broaden the scope and work together. See it wasn’t all that bad, I am glad you stuck with me. Now go do your part and I will do mine to achieve true diversity. Until next time…

www.linkedin.com/in/craig-ford-cybersecurity
www.amazon.com/Craig-Ford/e/B07XNMMV8R
www.facebook.com/pg/AHackerIam/
twitter.com/CraigFord_Cyber


CAREER PERSPECTIVES

WHAT YOU NEED TO KNOW ABOUT CYBERSECURITY CAREERS
by Marie-Eve Laplante, Cybersecurity Strategic Advisor

Starting a new career in cybersecurity can be a little intimidating. Media coverage of data breaches and cybersecurity incidents is becoming more common. Movies and TV series tend to focus more on hackers than on all the other professionals essential for the protection of information in an organisation. So, if you are not a hacker spending your evenings and weekends on the dark web and developing scripts, should you consider a career in cybersecurity? The answer is a resounding YES!

NOT EVERYBODY IN CYBERSECURITY STARTS WITH A HACKER PROFILE

Ethical hackers and people with the skills to penetrate systems are important for cybersecurity defence, but there are many jobs in cybersecurity that do not require these skills. For instance, an organisation needs people specialised in governance, risk and compliance to help manage priorities, investments and regulatory requirements.

Operational security teams are needed to implement access controls, network security, data protection solutions, antivirus, vulnerability management and more. Incident response teams are needed to manage crises, coordinating all stakeholders and working under pressure. Audit teams are also essential to give an organisation and its shareholders reasonable assurance that the security measures deployed are adequate. Your skills may fit many of these profiles and could lead to an interesting and fulfilling career in cybersecurity.

YOU WILL NOT BE DOING THE SAME THING ALL YOUR LIFE

Cybersecurity is constantly and rapidly evolving. A couple of years ago few organisations were talking about cloud security, about user behaviour analysis, or discussing how artificial intelligence would impact defence and offence capabilities. New threats, trends and technologies are emerging all the time. This means, as a cybersecurity professional, you must stay informed and adapt and evolve to meet the new risks and priorities facing your organisation. No time to get bored!


WOMEN IN CYBERSECURITY

Cybersecurity professionals are typically cast as nerdy, hoodie-wearing males, but a wide spectrum of skills is needed, and people of any gender can find a place. Furthermore, cybersecurity is constantly being reinvented in response to new threats, trends and technologies. The idea that only men can be interested or thrive in cybersecurity is completely outdated.

FIND A NICHE OR BECOME A GENERALIST

There are many domains in cybersecurity. So take the time to familiarise yourself with the most used frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, or the Center for Internet Security (CIS) Controls Framework. From there you can decide to become a generalist, by getting basic knowledge and skills in all domains and controls, or you can develop your expertise in a specific niche. Generalists are needed for roles such as audit, governance, risk, compliance and information security management that call for a good understanding of roles played by niche experts who focus on a particular aspect of cybersecurity. Their specific skills will be sought after to maintain and improve an organisation’s defences against current and new threats.

“If you are not a hacker spending your evenings and weekends on the dark web and developing scripts, should you consider a career in cybersecurity?”

DEVELOP A RISK MINDSET

In an ideal world, organisations would be able to finance any initiative to enhance their security posture. In reality cybersecurity budgets are limited, and organisations must therefore prioritise their investments in resources (people, money and time) in line with their perceived risks. Hence, it is important to develop a risk mindset early in your career.

Cybersecurity professionals can be frustrated by their difficulty securing budget to fix what they see as an important security issue. This frustration may arise because they have been unable to communicate the level of risk to higher management, or because they have inflated the level of risk.

Ask yourself not only if the vulnerability or weakness you identified could lead to a security incident, but also how it could hurt your organisation. A critical vulnerability that could give any malicious actor access to a system will represent a high risk only if the system itself contains sensitive information, is critical for the company’s operations, or can be used to gain access to another more important system. Being mindful of the actual risks faced by your organisation will help boost your credibility.

In conclusion, there is no single profile of a cybersecurity professional. More than ever, organisations need your skills to help them enhance their security posture. They need analytical minds. They need coordinators. They need technology-oriented people. They need managers. They need auditors. They need business-focused people. They need hackers. They need security developers. They need testers. They need you.

www.linkedin.com/in/marieevelaplante/

Marie-Eve Laplante is a strategic advisor in cybersecurity for Desjardins. With 20 years of experience in information technology, including 15 specifically in information security, she now specialises in governance, risk, strategy and compliance. Her expertise includes cybersecurity management and risk management, strategic security planning, cybersecurity governance, risk and performance measurement, maturity assessment, business continuity, privacy, IT risks and operational risks. She has also undertaken several engagements in finance, energy, media, aviation and retail, among others. She has also frequently given training sessions, conferences and presentations to management and has been a lecturer at the Polytechnique de Montréal.


GIULIA TRAVERSO

THREE CAREER TIPS TO THRIVE AS A WOMAN IN CYBERSECURITY by Giulia Traverso, PhD- Senior Consultant Cybersecurity, EY

Back in November I was invited to join an online panel organised by the European Space Agency (ESA) to talk about my journey to becoming a cybersecurity expert, and my experience in the role. The panel was organised primarily for students of the prestigious École polytechnique fédérale de Lausanne (EPFL), in Lausanne (Switzerland) to promote working at ESA. In particular, the goal was to show students the many different types of expertise, including cybersecurity, needed in the space industry.

During the Q&A session I was asked (probably by a girl) whether I had encountered resistance in my career because I was a woman, and if I had some tips to offer. I greatly appreciated this question and my answer received some positive feedback. So, I would like to share with you three career tips to help women thrive in male-dominated environments such as cybersecurity.

TIP #1: PAY ATTENTION TO THE COMMUNICATION CULTURE OF THE COUNTRY YOU’RE IN

I am Italian and I did my PhD in cryptography in Germany. Even though Italy and Germany are both Western European countries there were many adjustments I had to make to integrate into the German community. The most evident difference between Italy and Germany is the way people communicate. Italians tend to use long sentences and to provide a lot of background before saying the thing they really want to say. This, I suppose, is to better justify their request or opinion. This type of communication, which I later discovered is known as ‘high-context culture’, is very different to Germany’s ‘low-context’ culture. In Germany, you just go straight to the point and say what you want to say, period.

In a discussion, Germans value clarity and brevity. As a result, unprepared Italians like me see them as being rude and aggressive. Because I was working in a male-dominated field, it was easy for me to blame the males for my not being at ease during discussions. After a more careful analysis, I realised that, although males tend to be more aggressive than women, my perception of them as being aggressive was the result of me being ignorant of the local culture. This realisation was liberating. Also, I knew I could train myself to communicate in a more low-context manner, which is also the way scientists are supposed to communicate. As a result it became easier for me to join discussions at work and my discomfort disappeared.

“Communication is key, so use it wisely. You cannot thrive unless you own your value and make it visible to other people”

TIP #2: ASK QUESTIONS WITHOUT UNDERMINING YOURSELF

I have noticed over and over again that, during the Q&A sessions of seminars and presentations, we women tend to begin our questions by saying things like: “I’m not sure I understood the key concepts of Slide 12”, or “Correct me if I am wrong”, or “I might have misunderstood, but it seems to me that”, etc.

No way! Undermining yourself before asking the actual question is not the right way. Just go straight to the point and say instead: “Can you clarify again Slide 12?”, or “This is what I got from what you just said, is that correct?”, or “Can you articulate again your last argument?”

This tip is somewhat related to tip #1 above, because it cautions against adding words additional to those related to the question itself. And by the way, the implicit tip here is: do ask questions! Do not be afraid of looking stupid just because you want more information or clarification. It is likely that other people in the room also need additional information and clarification.

TIP #3: KEEP IN MIND THAT NETWORKING IS STILL WORKING, ESPECIALLY DURING LOCKDOWN

There is a very interesting book called “Nice Girls Don’t Get the Corner Office” by Lois P. Frankel, PhD that I highly recommend. One of its suggestions that caught my attention was to consciously and actively dedicate at least five percent of your working time to networking. According to Frankel, many women tend to undervalue those breaks and chit-chat moments in front of the coffee machine, seeing them as time wasted. In the short-term that is certainly true, especially under tight deadlines, but in the long-term such behaviour is likely to harm their careers. It turns out that the people who get promoted the most are those who are more visible and to whom other people can relate. If you never join social breaks, you never give yourself a chance to stand out.

The move to working remotely established during the COVID-19 pandemic is likely to make things worse. People are less visible when they do not come to the office. So please, set aside at least one hour each week to expand your network and make yourself visible through LinkedIn, remote coffee breaks in Zoom with your co-workers etc. The only way to get noticed is to make an effort to get noticed.

The bottom-line tip of this article is: communication is key, so use it wisely. You cannot thrive unless you own your value and make it visible to other people.

www.linkedin.com/in/giulia-traverso-phd-13a749150/

www.breakingthirty.com


ABIGAIL SWABEY Co-founder Source2Create

Are we doing enough?

For years now, I’ve been working on finding as many ways to elevate women within the Australian security market. In that time, I’ve been asked for all kinds of things – some stranger than others – but several requests have really hit a nerve with me. Those are the ones that made me wonder: despite everything that I try to do – and groups like AWSN and others do – is it really going to make a difference?

Job specifications are a good example. I get job specs sent to me more often than I can say, along with requests to help figure out how to find more female applicants.

“I have had this job spec out in market and also pushed through a recruiter for several weeks,” one cover letter said, “and we had one female applicant for this position out of 32. How can I increase the diversity within our company, if I can’t even get females to apply for positions in my team?”

But is the real issue the job spec – or are we women doing ourselves a disservice because we don’t think we are good enough?

To try to get an answer, I put this job spec to the test. I sent it to several individuals within the security community who are well versed in job hunting. These are people that I highly respect, and trust to tell me how I could advise this company without the BS. The instant feedback said it all:

• I see many issues with these job descriptions, and why they just aren’t appealing for women
• I would never apply for this job.
• The language used sounds like this role is for a man.
• The list of certifications and education required would put anyone off and is not necessary.

Some of these esteemed individuals took valuable time to rewrite the job description and advise on the roles – and the company finally started to see a difference in the diversity of the applicants.

So, what was different?

To answer this question, let me direct your attention to the Gender Decoder – a text parser that analyses job ads (or other text) for hidden biases that many people often use, quite unconsciously, in their writing. Paste your text into the Gender Decoder and it will highlight the “linguistic gender-coding” that, research has shown, “puts many women off applying for jobs advertised with masculine-coded language”. Words like ‘active’, ‘adventurous’, ‘confident’, ‘dominant’, ‘impulsive’, ‘superior’, ‘self-confident’, ‘independent’ and dozens of others, it turns out, are often used in writing job descriptions and create an overall sense that a role has been intended for men.

A landmark 2011 research paper explored the strength of these associations and their effect on perceptions of written communications – and found that women interpreted jobs written with masculine-coded language as being less appealing, and that they didn’t belong in those occupations.

There are feminine-coded words, too – words like ‘compassion’, ‘emotional’, ‘inter-personal’, ‘pleasant’, ‘quiet’, ‘submissive’, ‘flatterable’, and ‘tender’.

By now, your blood is probably boiling as much as mine was. No wonder employers are having so much trouble attracting women to cybersecurity jobs that would, if they weren’t put off by the job description, suit them to a T. This is just one scenario, and I could share many others. I recall an answer one woman gave while sitting, a while back, in a mixed panel session about increasing representation of women in security.

“If I can’t tick 9 out of 10 requirements on a job spec I won’t even apply,” she said – compared to the male on the panel, who said “If I get to 3 I’m good”.

Are we women our own worst enemies – setting our expectations too high and avoiding applying to jobs when we should just apply and see how we go? Have we simply stepped back and allowed the market to skew towards men in roles that we want, on the stage that we should be on? Or is it, despite all the hope, truly a man’s world and we are just along for the ride?

Throw in a very real disconnect with the recruitment community – who often contact me completely unaware about who they can reach out to within our community to talk about their roles – and it’s completely understandable why Australia’s cybersecurity community has struggled to access a pipeline of qualified candidates.

And that’s just the people entering the company – say nothing of the need to promote women vertically to add the invaluable voices of diversity to the way the company is positioned with stakeholders and customers.

Big change starts with small changes – and if your company is reaching out to fill up cybersecurity positions, I urge you to take the time to get the job specifications correct. Make sure that you focus on what the job involves, rather than using exclusive language that may prevent many otherwise talented applicants from even updating their CVs. I don’t know all the answers, but I do know that if we start by being more self-aware – all of us, both recruiters and job-seekers – then we can make a great start towards a more inclusive world. What do you think we can do to fix this situation?


DO YOU WANT YOUR VOICE TO BE HEARD?

Contact us today to find out how you can become an industry contributor, no matter the level of experience.



SAI K. HONIG

A CYBERSECURITY CAREER PERSPECTIVE FROM A MULTIPOTENTIALITE by Sai K. Honig, CISSP, CCSP

I came into cybersecurity through indirect means. Many people who come into cybersecurity have a computer science degree, are familiar with several coding languages, have built systems or run tools. They may even have participated in several hacking events such as “Capture the Flag” or attended conferences devoted to hacking.

I don’t have a degree in computer science. I do know some coding languages. I like to teach others about security practices, and to teach technical and non-technical people about technology architectures or software design. I even like to speak to members of the public about keeping safe online. Everything I learned about cybersecurity, I learned through my own study. Lots of reading. Lots of diving into systems and looking around. My journey to cybersecurity may not have been a conventional one, but I have abilities that many in our field do not possess. That’s because I’m a multipotentialite.

Before I go any further, here is the definition of a multipotentiality:

“An educational and psychological term referring to a pattern found among intellectually gifted individuals. Multipotentialites generally have diverse interests across numerous domains and may be capable of success in many endeavours or professions. As a result of their diverse interests they are confronted with unique decisions.”

Cybersecurity is my third career. I had studied and worked as an aerospace engineer, then studied and worked in finance and accounting. I enjoy learning, so cybersecurity is a great profession. I am constantly learning to stay current with new challenges. To be fair, I was introduced to aspects of cybersecurity as a young person. I learned to devise cryptographic ciphers so I could hide messages I sent to my friends. I was introduced to coding in high school.



“Getting recognition as a cybersecurity professional is not easy – especially if you came into cybersecurity through indirect means”

When working as an aerospace engineer, I had to send complex drawings securely. That’s when I learned about encryption and networks. I came into cybersecurity by accident. I was working as a financial auditor. As it turns out, financial systems are IT systems, so many of the things I had to review were technical controls. My engineering background helped me to understand systems. My financial background helped me to understand controls.

Eventually, I transitioned to an IT auditor role. This required me to understand how systems are built, to understand access control, data lifecycle management, network and software security, web and mobile security. Every time I looked at a new system, I had to learn about that system, its purpose, its design and how it was being used. I became interested in cloud technology because it is very much a democratised technology that enables anyone to build systems and services, but security is sometimes an afterthought. So, I became interested in the security aspects of cloud technology.

I also believe my work experience outside of cybersecurity helps me to understand the need for practical approaches. Too often, policies or standards are quoted without an understanding of how to apply them practically. Also, since I started out as a non-technical person (finance and accounting), I can talk about technology (and the need for controls) in a manner that can be understood.

Getting recognition as a cybersecurity professional is not easy – especially if you came into cybersecurity through indirect means. Despite all the study and hard work, I had people tell me to my face that I was not a cybersecurity professional. There was even a time when I wanted to quit the profession.

It took a bit of time for me to realise that I do have much to offer as a cybersecurity professional. After a term as a board member of (ISC)2, I cofounded the New Zealand Network for Women in Security which seeks to encourage the advancement and capacity of women involved in all aspects of the New Zealand security industry and community, through the exchange of information and the cultivation of productive relationships.

I also volunteer with the Black Cybersecurity Association, a non-profit organisation focused on building community, mentorship and job opportunities in cybersecurity for under-represented minorities.

I am also on Cloud Security Alliance’s Asia Pacific Research Advisory Council whose purpose is to provide high level advisory, guidance, directions, ideas to CSA APAC-driven research initiatives (e.g. Working Groups, projects, events, outreach) with a collective APAC voice.

www.linkedin.com/in/saihonig/ NZNWS www.newzealandnetworkforwomeninsecurity.wordpress.com BCA www.blackcybersecurityassociation.org


MISSED OUT? IF YOU MISSED THE 2020 AWSN WOMEN IN SECURITY AWARDS YOU CAN WATCH IT NOW ON OUR YOUTUBE CHANNEL!



MELANIE NINOVIC

ADVICE ON JOINING THE INFOSEC INDUSTRY by Melanie Ninovic, DFIR Consultant, ParaFlare.

Credit: consultancy-me


The past few years in cybersecurity have been everything from eye opening and rewarding to downright challenging. There have been challenges you cannot begin to prepare for, even though you’re ingesting copious amounts of new information every day. I’m fairly new to the world of cybersecurity and I’d like to offer some advice I wish I had been given at the start of my career. Hopefully it will provide some tips to anyone looking to join this industry.

YOU WON’T KNOW EVERYTHING.

Take a look at the graphic below. Each time I come across it, I am overwhelmed by the range of disciplines in this industry. It’s quite common for people to become experts in one field, for example, digital forensics, and have knowledge in another field, such as penetration testing. Some of these disciplines go hand in hand. It’s useful for a forensic practitioner to think like a hacker, by learning how to exploit vulnerabilities. However, this is not a requirement for a career in forensics. It is easy to fall into the trap of striving for accomplishment in multiple domains. Trying to learn all there is to know about cybersecurity would be almost impossible. My first piece of advice is to understand, within your first year or two, where your interests lie, and how you want your career to progress.

Once you set these objectives, you can start focusing on the skills you need to achieve them. When you focus on one or two related areas at a time, you are likely to grasp them more efficiently and effectively.

Henry Jiang: https://www.linkedin.com/pulse/map-cybersecurity-domains-version-20-henry-jiang-ciso-cissp/

TECHNICAL ABILITIES VERSUS SOFT SKILLS.

Technical abilities will give you opportunities in the cybersecurity industry, but are by no means the only skills you should focus on. Each security domain requires the following soft-skills, and I would argue that you would not last very long without them.

Communication: how to speak and present professionally and effectively to your colleagues, manager and, most importantly, your clients.

Collaboration: you will almost always be working in a team, assisting with reviewing your colleagues’ reports, and collaborating towards a common goal.

Writing: writing reports and status updates is the pinnacle of a digital forensics and incident response, red-team/pentest, or governance, risk and compliance engagement with a client. Your findings must be communicated in a way that can be understood by both technical and executive level stakeholders.

Business Acumen: knowing the drivers of a business, being able to present a case for new security tools or training, or advise clients on how to improve their security team and posture are all useful attributes you can bring to an organisation.

There is a place in cybersecurity for everyone, whether you have formal security training or not. This industry spans numerous, distinctive domains. It needs professionals with diverse educational and career backgrounds.

BURNOUT IS REAL.

According to healthguide.org, burnout can be defined as: a state of emotional, physical, and mental exhaustion caused by excessive and prolonged stress. It occurs when you feel overwhelmed, emotionally drained, and unable to meet constant demands.

It is a common problem in the cybersecurity industry, because we often feel the need to push ourselves to learn as much as we can. Even if you take the sensible approach of focusing on one skill at a time, you can still suffer the effects of burnout. Studying on top of everything else in life — work, family, hobbies — can be overwhelming.

It is important to recognise the signs early on and take preventative measures as soon as possible. The signs are different for everyone, and the site I’ve linked to above does a good job at detailing them. It’s important to be transparent with your employer too, to ensure you are given time to recuperate and rest.

GET INVOLVED.

Before landing my first full-time security-related role as a security operations centre analyst, I had spent the previous year studying to my heart’s content. I knew, without at least some knowledge of important security concepts, I would be unable to land an interview. There is an abundance of online resources that can help develop and fine-tune your skills, and an online and physical community where you can meet like-minded individuals.

Of course, this isn’t a necessary part of your job, we all have lives. However, I have found watching presentations and speaking with people who have more experience than I has assisted my professional development in ways that would not have been possible during work hours. These activities were directly responsible for me landing a new job.

Community: There is a curated list of Asia-Pacific information/cyber security meetups here. I also recommend the Australian Women in Security Network (AWSN), and there’s a list of Asia-Pacific infosec conferences here.

Online Learning Resources: As part of my InfoSec 101 series, I’ve provided a small inventory of places to start learning online. Most of these resources are free. For more practical challenges such as capture the flag events and running your own virtual machine, have a read of this post.

We all have our different paths, challenges, hurdles and timelines. There is no point in comparing yourself to others. More important, is that we are all working towards the same goal: improving the security of those around us. Whether you decide to join the industry tomorrow, or next year, I hope this article helps you to manage your expectations, and I’m happy to answer any questions you may have.

www.linkedin.com/in/melanie-cybers/

www.darkdefender.medium.com/

twitter.com/_darkdefender_


Easy Reliable Resourceful No job is too big or too small. We look after your marketing & content needs so you can get on with what you do best. GET CONNECTED AND TAKE CONTROL OF YOUR BUSINESS SUCCESS TODAY!

charlie@source2create.com.au | aby@source2create.com.au

www.source2create.com.au


Aspiring Women in Security CISO Masterclass The Australian Women in Security Network (AWSN) in partnership with The Security Collective are excited to offer an exclusive short masterclass aimed at women who are aspiring to be Chief Information Security Officers. The CISO masterclass will provide both group and 1:1 coaching sessions for participants to understand potential career paths to CISO roles and to set goals for their own career progression. Starting 23rd March, 2021

Visit awsn.org.au for information about exclusive events, programs, and content. Join Australia's largest community of women in cyber and physical security.


MIN KYRIANNIS

ELISA MULA

THINGS TO REMEMBER FOR WOMAN IN TECH by Min Kyriannis, Diversity in Security & Technology Champion & Elisa Mula, Inclusion Advocate in Security

Being a woman working in technology or security has its challenges. And if you started when the workforce was predominantly male, it was an uphill battle to be viewed as an equal. We have spoken to many women, from the feedback we’ve received we’ve compiled some useful advice.

So, if you are feeling stuck, underappreciated or angry, here are some recommendations from women in our industry to help boost your self-esteem and garner the recognition you deserve.

1. Never lose confidence in your ability and yourself. How many times have you felt intimidated by your male colleagues? Have you felt you could not compete with a male colleague, or you were not smart enough, or did not have the right viewpoint? There are so many beliefs ingrained into every individual that influence our behaviour, often unconsciously. They take away our self-esteem and confidence. Only recently have we started seeing more diversity in technology industries, which fosters a different mindset. So never lose confidence in your ability and your belief in what you are capable of.

2. You do not have to justify your expertise. Women are continually fighting for their voices to be heard, or for seats at the table. Many women claim to constantly feel the need to trumpet their accomplishments in order to be respected by their leaders and their peers. One effective way you can deal with this is by finding a supportive advocate for diversity in your organisation. They will reduce the pressure on you to justify your existence and prove your worth. Simply having that person in the room can change the dynamics and make you less defensive.

3. Feel proud of your accomplishments and do not shy away from promoting yourself. You have accomplished something amazing! Be proud of it and announce it. Why hide it? You should embrace the accomplishment and let people know what you have done. Often we see men talking about their accomplishments and getting high fives. Women do not always get the same level of acknowledgement from contemporaries and shy away from making such announcements. But they are important for building your ‘brand’ and demonstrating your credentials. Make sure you broadcast your achievements and gain recognition for them.

4. Never Stop Learning. Avoid stagnation, and move with the times. Continue learning, listen to new ideas, read, and brainstorm your future. When you stop dreaming, you stop evolving.

5. Create a network of people you can speak to. For some women one of the hardest things in male-dominated industries is finding people to connect with. Communicating with your community helps build your network and is extremely important for your professional development. It’s most important to reach out to people, to collaborate, to learn new things, and gain supporters and advocates.

6. Give credit where it is due. We all hear horror stories about people having their ideas stolen by their peers. When you give credit to your colleagues, it builds your own integrity and reputation as an ethical team player. Falsely claiming credit is all too frequent in a world where everyone is striving for advancement.

7. Be empathetic. Women are much better than men at reading people. Use that emotional intelligence, it will serve you well. When you see someone in need in the workplace, offer your assistance.

8. Be kind, have integrity and have fun. It has been scientifically proven that your brain functions better when you are in a good mood. When you are kind to others, you are being kind to yourself. Practicing a positive attitude can be one of the best ways to further your career and improve your quality of life. But most importantly, enjoy your work and have fun. This will further your self-development and creativity.

These are not skills solely for women in security or women in technology. They are for every professional, for anyone looking to stay on the right track. But women need to keep reminding other women of these points. So send this today to a woman you know who might need to read it!

www.linkedin.com/in/mkyri/

twitter.com/mkyri3


Committed to creating, promoting and growing cyber security careers for all women.

cybercx.com.au/careers


MARIANE C LOUVET

INTRODUCE YOURSELF TO LEADERSHIP, THE POWER OF A STRONG NETWORK AND CONNECTIONS by Mariane C Louvet, Channel leader - Cyber Security

Over the past 20 years I have come to a realisation: a title is just that, a title. It refers to a human being with a function in their industry. We get hung up about hierarchy and about who we are supposed to engage with, or not.

I was 23 and my career goal was to become a fashion buyer; I had taken college courses in fashion merchandising and had plans to travel the world in search of the latest and greatest in apparel trends, until a market crash changed my destiny. Instead I took a job as a sales assistant at a technology distributor. Technology was an industry I knew nothing about, and had no interest in, but it paid well. So I jumped on it.

My first manager should have been a stand-up comic, which made my job not only fun, but interesting. He made certain to take the time to help in my training and to give me confidence in this new role. He introduced me to all of our partners and one thing I realised quickly was that relationships were key to success. I found ways to connect with our partners and our vendors by engaging with them on topics other than technology, and I presented myself to senior leadership at events and during meetings.

Within my first year in the role, I had won an award for top sales assistant, and as a team we won the top sales award. Seven years later I had become a sales rep with a sales assistant of my own.

I took a break from IT to raise my daughters. I kept in touch over the years with my partners and with vendors and stayed on top of technology trends and industry developments. The president of one of my old partners reached out to ask if I would be interested in a role supporting a


C A R E E R

P E R S P E C T I V E S

vendor from overseas, part time. He thought I would

ladder, to let them know I was available. I had four

be a great fit. Within a few weeks I had connected

offers. The hard part was deciding which one to take.

with their leadership team and introduced myself to

I opted for a director role at Forcepoint

them. I spent four years rebuilding and expanding my network and reconnecting with the industry.

Networking is not hard, however, you have to know how to approach people. I had the pleasure of

An opportunity came up as an executive account

attending an incredible charity event in New York

manager at Symantec, and during my new hire

in November of 2019. Dress for Success (a global

training at our corporate HQ, I made sure to listen

not-for-profit organisation that empowers women

carefully when leaders were speaking and reached

to achieve economic independence) had a fireside

out to many upon my return with questions on their

chat and their fearless, classy CEO, Joi Gordon made

presentations. This created visibility for me. Over

time to speak with me because I had sent her an

my six-year tenure I made sure to approach C-level

introductory email prior to attending. I also had the

executives at our sales kick-offs and at various

opportunity to chat with renowned US television and

industry events, in the hope they would offer me

online journalist, presenter, producer, and author, Katie

opportunities to grow my career.

Couric. These amazing women are now part of my network. All it took was a simple “hello” and some conversations.

“A title is just that, a title. It refers to a human being with a function in their industry. We get hung up about hierarchy and about who we are supposed to engage with, or not.volupicte cus aut ad”

Over the years I have created numerous connections, and many have become mentors, friends and part of my daily life. It does not matter if someone is C-level, SVP, senior- something or other. Those are just titles.. Doing your homework on who they are and what they do, and finding common interests are all great ways to start a conversation. I have no issue

I then decided I wanted to leave sales and move to

picking up the phone, texting or emailing anyone in

the channel. We were launching a new division and

my network to say hi, to recommend someone, to ask

they were looking for a leader to support the Canadian

a question, or to congratulate them on their success.

market, so I approached our SVP of global sales and told him I wanted the role. I then connected with the VP for EMEA who would be running my team. It took some time, but I was persistent, took a leap of faith and moved to our brand-new cloud channel team. I spoke with our CIO at an executive briefing in California and mentioned what I was doing. She was very supportive. Once again, had I not taken the time to get to know these people, I might have missed a

My nicknames over the years have been “fast talker”, “411”, or the “networker”. I embrace them all. They have opened doors for myself, my family, and friends; as much in my personal life as in my professional life. A final reminder that a title is simply a title. At the end of the day, effective communication and knowing who you are approaching are all it takes to make strong connections and create a solid network.

tremendous opportunity. When I was looking for a new position a little over a

www.linkedin.com/in/mariane-louvet-94340a6/

year ago following the sale of Symantec’s enterprise security assets to Broadcom, I reached out to my network, including some at the top of the leadership

WOMEN IN SECURITY MAGAZINE

65


HARPREET KAUR NAHAR

SECURITY IS NOT JUST ABOUT HACKING

by Harpreet Kaur Nahar, student at Edith Cowan University

There are several misconceptions held by individuals seeking a career in security. Most, especially women, abandon their aspirations to be a security professional because they believe a security professional must be an expert in coding. However, this is not the case.

When I entered cybersecurity, I chose to study for a master’s degree in cybersecurity because I aspired to becoming an ethical hacker, not because I found penetration testing interesting, but because I believed ethical hacker to be the only career option for a graduate in cybersecurity. When I explored the available study units in my master’s course, I discovered my degree course could give me other options for a career in cybersecurity.

SECURITY - A BROADER PERSPECTIVE

Many people see the terms ‘hacking’ and ‘cybersecurity’ as synonymous, but that’s not the case. Although hacking and cybersecurity are related, they are quite different disciplines with different career options. However, the skills required for each, and for most technical cybersecurity jobs, are similar.

Let’s talk first about hacking. Hacking refers to gaining unauthorised access to a system. Hacking is illegal when undertaken by a cyber criminal, and ethical when undertaken by cyber professionals with written permission from the organisation being hacked. Ethical hackers look for vulnerabilities that could be exploited by cyber criminals in order to prevent such exploitation. Ethical hacking is what most non-cyber people see as being the role of the cybersecurity professional. However, the role is much wider, and there are many career paths in cybersecurity. Here are some of them.

IT SECURITY SPECIALIST

The responsibility of an IT security specialist is to provide support to the security features of IT systems, and immediately respond when a security incident occurs. The essential skills required to be an IT security specialist are in-depth knowledge of computer networking concepts, and an understanding of operating systems such as Windows and Linux. IT security specialists may hold one of several different job titles, including:
• Information Security Specialist
• Cyber Security Specialist
• Network Security Specialist
• Computer Security Technician

IT SECURITY ANALYST

IT security analysts need great experience and strong analytical skills in order to understand systems in depth. A common job title for an IT security analyst is penetration tester. Others might be:
• Compliance Analyst
• Incident Response Analyst
• Intrusion Detection Analyst
• Vulnerability Analyst
• Audit Analyst

IT SECURITY AUDITOR

IT security auditors play a vital role in IT security. Their job is to review the status of all security controls in a system and prepare a detailed report on their findings. They must have in-depth security knowledge so they can understand what constitutes a highly secure system. Again, the role has multiple job titles, including:
• Information Security Auditor
• Security Compliance Auditor
• Information Systems Auditor
• Information Assurance Auditor
• IT Auditor

IT SECURITY CONSULTANT

IT security consultants are security professionals with in-depth knowledge of security technologies and great experience in security functions. They provide expert security advice and specify the technical measures an organisation should implement to secure its IT systems. Common job titles for IT security consultant include:
• Information Security Consultant
• Computer Security Consultant
• Database Security Consultant
• Network Security Consultant
• Cyber Security Consultant

IT SECURITY ENGINEER

IT security engineers are the technical experts who build security systems and solve complex technical security problems. Their job is to install, configure and troubleshoot security infrastructure. Common job titles for IT security engineer are:
• Network Security Engineer
• Information Assurance Engineer
• Information Security Engineer
• Information Systems Security Engineer

IT SECURITY ADMINISTRATOR

IT security administrators are responsible for supporting security systems such as firewalls, and for anti-malware software configuration. Their job is to manually administer user access rights so only legitimate individuals can access the system. Some of the job titles for security administrator are:
• Systems Security Administrator
• Network Security Administrator
• Information Security Administrator

IT SECURITY ARCHITECT

Security architects research and design security architectures. They need the skills of security engineer and security analyst. They require many years of experience to enable them to develop complex security solutions, making them the most highly skilled professionals in IT security.

Apart from the above roles, there are managerial cybersecurity roles. These require experience in security and network technologies. So, if you are looking for a career in cybersecurity, you will find a plethora of options in addition to hacking and penetration testing.

www.linkedin.com/in/harpreet-kaur-nahar/


ANOORADHA GOEL

WHY CYBERSECURITY AS A CAREER?

by Anooradha Goel, Security is everyone’s responsibility

As technology grows so do the risks associated with it: each new wave of technology brings new risks. Cybersecurity professionals must identify, understand and address these risks.

The role of cybersecurity professional covers a wide range of responsibilities, but it can be summarised as being to protect online data from compromise. With ever more personal information being stored online, cybersecurity professionals play an increasingly important role.

EXCITING CAREER PROGRESSION OPPORTUNITIES

Cybersecurity offers a broad range of opportunities for professionals from different backgrounds. Entry-level IT jobs that can lead to a cybersecurity career include systems administrator, web developer, IT technician and computer software engineer. Common career paths from these roles lead to those of security architect, security manager, penetration tester or chief information security officer (CISO).

GREAT JOB SATISFACTION

The world of cybersecurity is evolving, hence the great demand for solutions to new and upcoming problems. Companies are willing to invest in people who can provide those solutions. As a cybersecurity professional you will be constantly learning, working with companies that would further help in your career growth and development.

THE WORLD IS YOUR OYSTER

Because you’ll possess highly transferable skills that companies need, a variety of opportunities will be available to you in many different industries around the world. As digital technology evolves and as more companies become dependent on it, the need for cybersecurity will increase. As a cybersecurity professional you could work for technology giants such as Google and Facebook, in retail, banking and finance, or in the media.

A MENTALLY AND FINANCIALLY SATISFYING CAREER

For students and professionals who are naturally curious and inclined towards pursuing a career in software and technology, cybersecurity offers an unmatched opportunity to work in a dynamic environment, and be paid handsomely. Cybersecurity has been one of the hottest professions for many years. Companies across the globe are targeted continuously by cyber attackers. Demand for cybersecurity professionals to protect them is massive, and unmatched in any other technology domain.

Data is the main entity organisations in every industry strive to protect. Compliance requirements and security approaches vary from company to company and from industry to industry, but for all the ultimate goal is to ensure confidentiality, integrity and availability of data.

Organisations deploy people, processes and technology to achieve this goal. Cybersecurity professionals develop, configure and troubleshoot a variety of technologies such as encryption, firewalls, intrusion protection, advanced malware protection, network analytics, and processes like identity and access management and authentication. Many organisations are required to implement specific data protection measures to ensure they comply with regulations. Organisations’ cybersecurity requirements create many opportunities. They require process managers and auditors of security controls. They need governance, risk management and compliance (GRC) professionals and legal experts, incident response people, forensic investigators, threat analysts, developers, IT operations staff and security architects.

ELIGIBILITY FOR A CYBERSECURITY CAREER

A relevant technology degree and knowledge about basic and/or advanced cybersecurity concepts would make a good starting point for a career in cybersecurity. However, the rise in cyberattacks is increasing the opportunities for professionals from all backgrounds who want to make a career in cybersecurity. So you can start a cybersecurity career regardless of your background. More important than background is your approach to cybersecurity, and how you do the job of protecting data, analysing threats and preventing attacks.

Your first step should be to acquire basic cybersecurity skills. Then choose a specific domain based on your personal interest and market demand. You’ll need to undertake in-depth training, develop skills, and acquire specific certifications in security. You can then build your expertise in niche areas through targeted certifications.

You will never be bored in cybersecurity. You will always have scope for growth, and for continuous learning. New challenges will pop up and you will encounter new people, situations, and opportunities. What more could you ask for in a career? Dive in now. Get inspired and keep learning.


NICOLLE EMBRA
Cyber Safety Expert, The Cyber Safety Tech Mum

COLUMN

How parents can keep up with apps and online games

Have you ever clicked into Apple’s App Store or Google Play Store and been thoroughly amazed at the number of apps there? At the touch of a button your tween/teen could download any app their heart desires. It’s nerve-wracking, knowing some of these apps and online games have hidden dangers. You’ve heard other parents talk about situations you never want your child to find themselves in, and you’ve read dozens of media reports on dangerous apps.

The good news is you don’t have to be across ALL those apps and games, just the ones already installed on your child’s device and the ones they ask to download. Here are 10 tips to help you decide which apps are OK for your tween/teen.

1. Know what apps and online games your kids are currently using/playing/have downloaded.
2. Make sure the settings on your child’s devices block them from downloading apps without your permission.
3. Check the game ratings in the App Store/Play Store.
4. Understand the basic functionality of apps and online games. For example, does the app allow anonymous chats, private/public groups? Does it contain frequent swearing, nudity or encourage gambling?
5. Download the app/game yourself to get a better idea of what it does. Use it yourself. Then sit with your child and play.
6. It’s OK to tell your child that, although an app looks safe for their age, you just aren’t sure about it. Explain why. Suggest downloading a game they want and playing it with them so you can make a final decision.
7. Consider your child’s maturity. Have you educated them about online safety? Do you already have rules around the use of apps and social media platforms?
8. Make sure you have turned on the setting that prevents your child from re-installing deleted apps. (Settings > iTunes & App Store purchases > tap to turn off)
9. Have a list of reliable sources you can consult. Great websites to bookmark are https://www.esafety.gov.au/ and https://www.commonsensemedia.org/.
10. Google can be your friend. A few searches on Google can confirm whether or not an app is one you want your tween/teen to be using.

Remember – you are the parent guiding your child’s online activities. There will be times when you will need to loosen the reins and times when you will have to give a flat out ‘No’. You know your tween/teen best. So follow your feelings.

www.linkedin.com/in/nicolle-embra-804259122/
www.thetechmum.com
www.facebook.com/TheTechMum
www.pinterest.com.au/thetechmum


INDUSTRY PERSPECTIVES


NANCY BENJUMEA

BEHIND THE SCENES WITH AN ICT WOMAN UNDER COVID CONSTRAINTS

by Nancy Benjumea, Data security analyst and amateur writer

It is not easy to dredge up your unpleasant memories, and harder still to then share them with many people. So, imagine you are sharing them only with yourself. Today I want to share the work-from-home experience of a migrant woman living alone, and relate how the pandemic tested my strength in ways I have never previously experienced.

2020 wasn’t an easy year for anyone. Our lives changed dramatically. We were forced to re-invent our daily routines and accept that we could no longer go outside whenever we wanted. I know families with children for whom working from home was very challenging, because they were trying to juggle their jobs and help children with schoolwork. Parents working from home or in an online meeting need to be very creative to keep children occupied.

Working from home myself, I thought there was something wrong, but could not put my finger on it: loneliness, uncertainty, fear, confusion, mixed emotions, and being unable to share with a loved one. But, as an ICT security woman, part of my job is to investigate, to find root causes when security incidents happen. So, I applied the same methodology to understanding why I felt as I did. I was not prepared for a pandemic, for having restrictions imposed on my life, for having a constant invisible threat increasing my anxiety.

I read many articles about how to deal day-to-day with the new normal by exercising, sticking to a routine, etc. But what helped me most was being able to acknowledge that I was fully entitled to have all those feelings, especially sadness after losing my job last August! I searched my soul. I accepted I was mourning because I had lost my freedom and my job. By acknowledging my circumstances I started my healing process. This awareness was gold.

I am still struggling, facing daily challenges and moving slowly forward. But hey, I am part of this big group called ICT Women, brave girls that even in their darkest moments can find hope. Sometimes our vulnerabilities make us forget we are women who aspired to work in technology. We were empowered to advance our careers and personal lives, and we succeeded. We are brave and strong, but if one day we are not very strong or very brave it is OK to stop, breathe, maybe cry, and start again.

In security, we recommend having at least three backups to protect organisational data; one on-site, another off-site and the third in the cloud. Do the same. Have backups for your own life, look for help, talk with friends, nourish your soul. Then you will be ready for every new day.

www.linkedin.com/in/nancybenjumea/


KAREN STEPHENS
Karen is CEO and co-founder of BCyber, an agile innovative group who works with SMEs to protect and grow their business by addressing their cybersecurity and governance risk gaps by demystifying the technical.

COLUMN

Tales from the trenches

In 2020 COVID-19 paid us a visit and wrought changes at a speed few expected. The cyber community will remember 2020 as the year when “cyber” became a business issue rather than an “IT problem”. With an increased focus on all things cyber, many cyber professionals can expect to find themselves fronting a board or senior management whose idea of cybersecurity starts and stops with “user support”. It will take time for cyber professionals to be considered trusted, essential advisors and not merely a cost centre, but here are some things to remember.

• Understand your audience. What is the level of their technical knowledge? What is important to them and/or the company? Then tailor your message. For example, don’t use technical terms nobody but a security analyst understands. To some, a bad actor is a NIDA dropout, not a cybercriminal.

• Demystify the connection between IT investment and the advancement of your corporate strategy. The board needs to understand both your relevance and your ability to support the overall business strategy.

• Provide live examples that show how breaches can affect a business in your industry. This helps contextualise the importance of cybersecurity. Learn from the mistakes of others rather than waiting until you have your own breach to learn from.

• Zero trust is not a reflection of a bad corporate culture; it can be a smart business decision. Insider threats are real, just ask Landmark White.

• Empower all levels of the business to be a strong first line of defence. For example, running a cyber safety education program that never changes helps the cybercriminal. It needs to be fresh and relevant, so its lessons become second nature. It’s when people are preoccupied, stressed or generally “under the pump” that they fall for a seemingly basic phishing, vishing or smishing (respectively a voice or text message-based ploy to gain personal information) attack.

www.linkedin.com/in/karen-stephens-bcyber/
www.bcyber.com.au
karen@bcyber.com.au
twitter.com/bcyber2
youtube.bcyber.com.au/2mux


QUEEN A AIGBEFO

DRIVING A SLOW CAR FAST AND DRIVING A FAST CAR SLOW

by Queen A Aigbefo, Research student, Macquarie University

In the world of motorsports every racetrack is different, but race car drivers can increase their chances of winning if they have a great team, finance, talent and ‘luck’. In cybersecurity, the same attributes can ensure the security of organisational information assets. But, like a racetrack, the security environment incorporates many challenges. Navigating the cybersecurity threat and attack circuit may require more skill than we possess, because we will encounter many unexpected twists, turns and obstacles.

Top speed does not always guarantee a win; the ability of a talented race car driver to skilfully handle a fast car or a slow car will often determine victory. As security practitioners, we possess different skillsets and use a diverse range of security tools, tactics, techniques and procedures to mitigate risk and respond to cybersecurity threats and attacks. A security arsenal — robust like a fast car, or limited like a slow car — may not guarantee the security of organisational information assets.

Security professionals need to skilfully navigate the security tracks with their never-ending twists, turns and obstacles, and rely on some of the same attributes that make for a successful motorsports team.

SPEED

The global pandemic in 2020 increased our dependence on technology as well as our susceptibility to security threats and attacks. Irrespective of the size or quality of your security arsenal, you will need rapid response to keep a threat or attack under control. Speed is also necessary for learning about and implementing new technologies in the face of rapidly evolving threats. Your ability to respond to an event, or to implement necessary security measures, will depend on your knowledge and on the ability of your security specialists to work as a team.

KNOWLEDGE

Speed without knowledge may not produce the appropriate outcome, and vice versa. Attacks may occur in rapid succession. Without the know-how to respond, mitigate, or contain a security event, speed becomes a disadvantage. Because the security terrain is always evolving, learning is essential. Additionally, a thorough knowledge of the security resources and tools at your disposal improves your chances of responding rapidly and appropriately to any security event.

TEAM INTERACTION

Security is everybody’s business. Sometimes a race car driver driving at over 200km/h may not be able to analyse the cause of a problem. Team interaction helps to enlighten the security practitioner on the cause of a security problem. Top management interaction is vital to get security buy-in. However, the various business units and non-technical users who interact within the organisation should not be left out. Every node within the organisation from physical security to cyberspace can contribute the security data needed to create a reliable security program.

I love the world of motorsport and can relate to the adrenaline rush on race day. As security practitioners, we live with a somewhat similar adrenaline rush. Every day is unique; speed is always present, knowledge acquisition should be continuous, and team interaction forms the glue that helps the security practitioner drive a fast car slow or drive a slow car fast.

www.linkedin.com/in/queenaigbefo/
twitter.com/queenaigbefo


(CYBER) SECURITY CULTURE EATS (CYBER) SECURITY STRATEGY FOR BREAKFAST

Jacqueline Jayne
Security Awareness Advocate, KnowBe4

THE MISSING LINK IS THE HUMAN ELEMENT.

IT professionals around the world have some thorough and detailed frameworks and guidelines to use when it comes to developing a robust information security strategy, but there is one thing missing – the human element. The cyber threat landscape is out of control across the globe and organisations can’t seem to get ahead of the curve. Cyber attacks are increasing as cybercriminals are becoming more and more sophisticated and their methods are quite frankly abhorrent. They continue to target our human vulnerabilities and leave a trail of destruction in their wake without a care in the world.

Most organisations have a well-documented cybersecurity strategy. The Australian Cybersecurity Strategy 2020 was released in August with a focus on government, business and the community. The recommendations made are all great; however, achieving the desired outcomes will be challenging if there is no clear way forward as to how we as a nation go about creating a (cyber)security culture to support the strategy.

Protecting systems and information is the core purpose of anyone working in the information security world, which includes cybersecurity. Yes, some people see these as one and the same and others see them as separate disciplines, but that’s a discussion for another day. Today, we are looking at the human operating system and what you can do to attract its attention, raise curiosity, get buy-in and have yourself a powerful culture of (cyber)security in your organisation.

Context and understanding are important in this process, so let’s start with some definitions.

Strategy is tangible and visible with clear guidelines. It’s the road map, the plan, the goals, the logical process of taking us from where we are to where we want to be. A place where outcomes are defined and results are measured and managed.

Culture is tacit and elusive in its very nature. It’s often unspoken, based on behaviours, hidden in the thoughts and minds of people. We have all heard things like ‘the behaviour you ignore is the behaviour you accept’ or ‘the fish rots from the head’ or ‘monkey see monkey do’. These sayings can all describe culture. We often see the framework of culture in an organisation’s vision, mission and values which can describe the attitudes they have towards various elements. For example, do they value innovation over tradition? Observable culture is the way an organisation welcomes new employees, comes together (or not) at a time of crisis, manages performance, celebrates birthdays, responds to change and ideas or treats its customers and vendors. It is also the way you go about your day-to-day work when no one is watching which has been highlighted as we moved to a remote working situation in this year of COVID-19.

Strategy is usually an annual event -- ‘here is our 2020 strategy’. The road map for the year is clear and hopefully, we all know what our role is in it. Culture, if not defined, is formed by the people, their attitudes, values, unconscious bias and overall approach to the world. Unchecked, group thinking emerges, silos form and if you are not careful, you may find yourself amid a toxic culture.

For organisations that are about to go through a lot of change, it is going to be important for them to understand what the culture-related change is for their people. Do they embrace change, or will they fight it every step of the way? This is the very reason many strategic plans fail because the culture was ignored or dismissed as being irrelevant. Big mistake! We can have the most brilliant (cyber)security strategy the world has ever seen, and it will never be completely realised if we fail to engage the hearts and minds of the people.

Before we look at how to go about creating a (cyber) security culture, let’s look at the benefits of having one versus not having one. The following examples are situational and are from the point of view of the human, your users and represent what’s going on in their minds.

Situation One – Phishing (malicious emails)

Without a (cyber)security culture

With a (cyber)security culture

OMG, an email from my bank – looks like someone has tried to illegally use my credit card. I better click on this link and update my password.

Hold on a minute, I know what red flags to look for that could indicate a phishing email and I know that I must not engage with it. I will call my bank to confirm.

This email looks suspicious, I don’t even bank with them. I’ll ignore it and delete it later.

I need to report this suspicious email to the cyber team. I better not delete it because I know they will want to look into it further.

Oh no. I don’t think I should have clicked on that. Nothing bad happened – phew.

Oh no. I don’t think I should have clicked on that. I better let the cyber team know straight away.

IT wants me to change my password again – this is getting ridiculous. I did this last week too.

Hmmm – IT wants me to change my password again and I only just changed it. This could be one of their tricky phishing tests. I think it’s bogus and I will report it using the phish alert button.

WOMEN IN SECURITY MAGAZINE

77


Situation Two – USB devices

| Scenario | Without a (cyber)security culture | With a (cyber)security culture |
| --- | --- | --- |
| **USB found in carpark with ‘payroll’ written on it** | LOL – this is going to be good. I’ll take this back to my desk, plug it in and show the guys. | As much as I want to look at this, I am going to take it to the cyber team. |
| **Vendor comes in for a meeting and wants to plug in their USB** | Yep, I will plug it in and set that up for you. | Sure thing, I will just get the cyber team to scan it first. OR Unfortunately, our cyber policy is very clear with USBs – we can’t use them. |

Situation Three – Working from Home or Remotely

| Without a (cyber)security culture | With a (cyber)security culture |
| --- | --- |
| This is cool! Now my kids can use the work computer at home! | I wish the kids could use the work computer at home. However, I know that there are too many risks associated with that. |
| I can use free Wi-Fi on my work mobile – this is awesome! | I better make sure the VPN is on before I connect to free Wi-Fi. |
| I don’t need to lock my computer at home. | Even though I am working from home, I really need to lock my computer just to be safe. |

Whilst these situations seem second nature to those of us who live and breathe information security and cybersecurity, they are not second nature to everyone else. I can promise you that this is exactly what your people are thinking and doing every single day.

A (cyber)security culture is not just completing training or reporting phishing emails. It’s the unseen and sometimes unmeasurable situations that occur and the subsequent response. A non-cyber example is driving a car. You don’t get handed the keys and told to drive safely. There is documentation to read and absorb, rules to remember. Then there’s a process of familiarisation with the car itself. Preparing to drive away from the curb involves multiple steps that are hard to remember at the beginning. Your first drive is terrifying. Other cars on the road, pedestrians, street signs, weather changes, the rear-view mirror, side mirrors, accelerate, brake, indicate, clutch, slow down, speed up, windscreen wipers and so much more. It is only after time and practice and testing that it all comes together. Even then, there are constant reminders of the dangers and our role in keeping the roads safe for everyone. The same can be said for cybersecurity.

You want a culture where your people are aware of their responsibility to keep things safe, the cyber threat landscape and the tricks cybercriminals use. You also want them aware of your policies when it comes to keeping everything secure, to understand what is acceptable online behaviour, how to spot the red flags and report any potential phishing emails.

HOW DO YOU DO IT?

By taking the time to define your (cyber)security expectations when it comes to the human o/s with these seven (7) questions:

1. What attitudes do you expect your people to have towards security?
2. What behaviours are you wanting to change or see?
3. Do your people have an understanding, knowledge and sense of awareness?
4. How do you go about communicating with your people? Do they feel like part of the solution?
5. Have you considered and included your people in your policies, and do they know what to do?
6. When it comes to the unwritten rules of conduct at your organisation, have you thought to include (cyber)security?
7. Lastly and perhaps most importantly as without it you are doomed to fail – do your people understand why cybersecurity is everyone’s responsibility and that they have a critical role to play?

Once you have the answers to these questions, you are on your way to developing your (cyber)security culture. Enjoy your breakfast!

This article was first published in Issue 3 of the Cyber Risk Leaders Magazine 2020.

www.linkedin.com/in/jacquelinejayne/ www.knowbe4.com/ jacquelinej@knowbe4.com twitter.com/JakkiJayne



RIMONDA OHLSSON

DIVERSITY, LIKE SECURITY, SHOULD BE BUILT IN FROM THE GROUND UP by Rimonda Ohlsson, VP, People & Culture at Secure Code Warrior

Rimonda Ohlsson knows diversity is key to the success of fast-growing Secure Code Warrior

Secure Code Warrior (SCW) has grown rapidly in recent years, evolving from an ambitious startup into a global Australian success story by producing secure developer learning tools that have tapped into the global awareness of the importance of building cybersecurity into products from the ground up.

In a similar way, Rimonda Ohlsson, the company’s director for people and culture, recognised early on that building the right culture – of inclusion and diversity, among other things – required building from the ground up, and support from the top down.

That support was already present under the guise of founder and CEO Peter Danhieux, who hired Ohlsson 18 months ago to lay out a long-term people strategy after short-term contractors helped the fast-growing startup find its footing.

Danhieux “was always about creating a new kind of people culture agenda that is modern and evolutionary and creates a place where people can be successful,” Ohlsson says, noting Danhieux’s long engagement with gender-equality efforts such as the Australian Women in Security Network (AWSN).

The overall goal, she adds, is to “create a place where people can be successful, feel supported, and feel like they want to come to work every day – supporting them to be successful and not bound by rules or bureaucracy.”

That culture has resonated with workers and helped drive SCW’s growth: During 2020 through the pandemic Secure Code Warrior has seen continued growth with 63 additional hires across UK, US, Sydney, Iceland, India and Belgium, bringing the total to 165 employees globally.

“It has been really exciting but also very challenging,” she says, noting that after years in large institutions she had become “passionate about culture” and was attracted to the potential of “more niche businesses where I felt I could make a difference”.

COMPANY CULTURE AS A GUIDING LIGHT

Her work to help make that difference has driven development of a range of initiatives specifically designed as a “north star to people” – a ‘Warrior Code’ that includes five guiding principles “that talk to the way we like to treat each other, what we stand for, and how we work together.”

Ongoing awareness and engagement campaigns ensure the Warrior Code’s messaging remains prominent in the office and on the minds of employees, with whom a dedicated employee experience team engages continuously, as well as with the new recruits that the company actively courts and hires.

“I’m quite creative and I like thinking in new ways,” says Ohlsson, “and I like thinking of ways that we can engage our people… I think everybody has some great ideas, and we want to involve everybody in that journey.”

That sense of universal engagement pervades the everyday working environment, where employees are invited to provide feedback and policies are adapted based on that feedback.


“The culture comes from the top, and then it becomes a place where everybody contributes to it,” she says. “You need to have some kind of focus in your people and culture strategy to give clarity to people – and that doesn’t mean more rules or policies. It just means having a place where they can feel and navigate their way through the business, feel supported and where they can go to talk to someone if they need to raise a problem.”

SCW’s workforce is around 41 per cent female at the moment – well ahead of industry averages – and the company this year introduced initiatives such as in-office school-holiday programs for employees’ children, and a gender-neutral global parental leave policy available to all workers around the world.

Yet that achievement is just a stepping stone towards an overall diversity strategy that has, Ohlsson says, been aligned “from a cultural perspective”.

“We look at these life experiences that influence the way we work, how that impacts how we build our product, and the way we grow our teams.”

This focus has driven engagement with organisations such as Australia’s Indigenous Literacy Foundation, as well as internal staff-development opportunities and an ongoing roster of partnerships to support workplace diversity.

“We’ve gotten to where we are through diversity,” Ohlsson says, flagging the coming launch of a careers page showcasing just how diverse the workforce is. “It’s really about taking people on a journey and telling their unique stories.”



LAURA JIEW

THE HEROES OF AUSCERT2020: THE WOMEN IN SECURITY WHO MADE IT HAPPEN!
by Laura Jiew, Events, Marketing and Communications coordinator for AusCERT, Australia’s pioneer Cyber Emergency Response Team

The story is all too familiar; for millions of working women the COVID-19 pandemic delivered the tough challenge of keeping up with the tasks of home life as well as shouldering various responsibilities at the office. For the women of AusCERT and its supporting networks, things were no different.

In late April 2020 a decision was taken to pivot the annual AusCERT conference into a virtual-only event. The decision created a major challenge for the team. This is the story of how women in security made AusCERT2020 — whose theme, coincidentally, was “We Can be Heroes” — happen.

For the first time in its 19-year history, AusCERT featured two female keynotes, Kana Shinoda and Julie Inman-Grant, heroes in their own right.

Kana Shinoda, known as the “mother of hackers” in her home country of Japan, told how she successfully established Code Blue, widely known as a pioneering hacker conference in Japan. Code Blue has established itself as a well-respected information security conference in the APAC region; one that connects friends and colleagues across borders.

Julie Inman-Grant, Australia’s eSafety Commissioner, spoke on the topic of “Online Safety during & after Covid-19”. The work she does within the eSafety portfolio helps keep Australians safe in today’s online world.

Not only did the conference feature two female keynotes, two of the three winners of its annual Information Security Awards were female.

Folks in the Australian cyber and information security community will be very familiar with Michelle Price, CEO of AustCyber. Michelle has been a tireless champion for the sector since her appointment in 2017. At AusCERT2020, Michelle’s contribution was recognised with her winning the Information Security Excellence award.

The other deserving female award recipient was Rachael Leighton. Her work as Principal Advisor, Cyber Strategy & Awareness in the Victorian Government’s Department of Premier and Cabinet was recognised by her being named AusCERT Member Individual of the Year.

Both women continue to make significant contributions to their workplaces despite the challenges brought by COVID-19, and they emphasised the importance of collaboration in the cyber and information security sector, saying the community needs to work together to make things happen.

The AusCERT2020 program also featured several female speakers. Topics covered ranged from combating cybercrime and analysis, and reverse engineering of exploits, to the application of machine learning in cyber awareness training programs. Each presenter brought a unique perspective and shared this with the conference’s 1000+ delegates.

Last but not least, the AusCERT2020 conference team was led by two women who rose to the occasion and put in months of hard work corralling more than 30 sponsor exhibitors, close to 80 remote presenters, and a myriad of delivery partners.

Bek Cheb, the AusCERT Business Manager, was able to bring her business acumen and decade-long conference management experience to the table alongside Laura Jiew, AusCERT’s Events and Marketing Communications coordinator, who drew on her communications and project management skills to ensure the conference was able to go ahead as planned.

In the end, the conference was delivered as more than 80 hours of viewing material across four days and five streams from two production studios. In a year filled with challenges and uncertainties delegates were impressed with the conference experience, and very happy.

Women have been especially affected by the COVID-19 pandemic through employment cutbacks in service-related sectors, their caregiving role and the constant demand from society to “juggle-it-all”. However, AusCERT2020 amply demonstrated that, in cybersecurity, women are a force to be reckoned with.

In the words of the famous sociologist and historian W.E.B. Du Bois: “There is no force equal to a woman determined to rise.”

www.linkedin.com/company/auscert/
twitter.com/AusCERT





TECHNOLOGY PERSPECTIVES


DEIKA ELMI

2021 AND BEYOND THE FUTURE OF CYBERSECURITY IS PROMISING by Deika Elmi, Security Risk Manager

2020 is finished but distributed, cloud-based operations are here to stay. As every financial investor and lottery winner can tell you, past performance is no guarantee of future results. That said, looking back on 2020, there are some things we can reasonably expect in 2021.

Change is inevitable, but the pandemic has accelerated changes already in progress in 2020, in particular increased use of remote working and cloud services. Their growth has created fragmented environments where there are many owners, and has brought new security challenges. Gone are the days of security operation centres (SOCs) cramming teams into cosy, windowless rooms. SOCs are now dispersed but not dispensable. In fact, their work is now extremely critical. For example, preventing just one breach can, typically, save $682,000.

So, how should SOCs go about adapting to this brave new world? John Velisaris of IBM argued in a recent keynote speech that future SOCs will show four key characteristics:

1. DISTRIBUTED OPERATIONS

Whether you hate working next to your cat or love it, you probably have no choice but to work from home at present. That’s a good thing; the “nuclear model” of an SOC comprising a few specialists in a room was already on its way out. There are advantages with distributed operations, and they are the way of the future.

A distributed team can cover operational gaps. Most people dislike having to work the “graveyard shift,” and with a team spread across time zones night shifts are unnecessary: the sun never sets on a distributed operations empire. Also, remote workers can provide skills that might be hard to find locally.

Skills aside, with cloud services security teams no longer have unilateral control over the tech stack that runs their SOC. The good news is that cloud tools like AWS Inspector can do forensics better than almost any in-house tool. When possible, you should use open standards like DXL and STIX/TAXII to make sure your tools can talk to each other.

2. AI POWERED ANALYSIS

“Alarm fatigue” is a widely discussed problem in many industries. Too many alerts overwhelm people. Ignoring alerts becomes a habit, then a disaster. When Facebook starts to notify you each time your great aunt posts a picture of her cat, you may start to disregard Facebook notifications and miss something important: like being tagged in a super flattering photo. The same problem happens in security. You can tune your settings, but you can’t totally eliminate noise.

AI-powered analysis can greatly mitigate this problem. Some tools can automatically enforce policies without involving humans. In other cases, machine learning can compare incoming alerts to past alerts, and decide which to escalate for human attention. The kind of comparative analysis required to set up these rules manually would not be feasible for most teams. Even the best AI technologies cannot yet replace humans, but their algorithms can compare ~60 parameters across two years of alerts.

3. NEXT GENERATION EXPERTISE

The missions of SOCs continue to be redefined and their roles expanded to meet changing demands: the next generation of security experts must get closer to their businesses and closer to the cloud. To get closer to business operations, security experts must learn the language of business, and pick up domain knowledge of the business they serve.

Today, no matter what business they support, everyone in security needs to know cloud platforms. Security in the cloud is far from standardised, but there are some serious developments underway. “AWS re:Invent” is a virtual conference happening now that will launch many new cloud-native security controls, and Microsoft already has over 1,000 cloud-native security controls for Azure. You should use open standards wherever you can, such as the DXL data exchange format. Open standards tend to become general standards.

4. AUTOMATED PROCESSES

Airplanes are heavily automated, capable of flying themselves between take-off and landing. Modern pilots don’t constantly adjust the controls, they monitor the plane and intervene when necessary. Security is becoming automated in a similar way. The latest security tools are born with the kind of automation that can easily enforce policies without human involvement, such as automatically deleting a hazardous file in a container. Fully automated SOCs won’t come in 2021, but they’re on the horizon.

Best Practices for Adopting the Four Characteristics:

To avoid the costs of moving and reformatting a lot of data:

• If you’re generating data in the cloud, leave it in the cloud! Don’t pay to move it into your data centre.
• Use tools that have federated data search capabilities, so that you can search multiple data sources simultaneously.
• Use tools that are grounded in open standards and can interact with each other, so you don’t have to move data between formats.

When pioneering new processes:

• Buy tools that allow you to use your own in-house AI or machine learning. By acquiring other people’s AI or ML you often end up with tools that don’t fit your exact needs.
• Try piloting just-in-time expertise with one function, one process. Don’t try to implement it everywhere at once.

So, in summary, there are many lessons from 2020 to put into practice in 2021. If you’re a human reading this, make sure to take full advantage of automation and skip repetitive tasks. Where you are automating, consider machine learning to monitor the automation and filter out excessive notifications. Cloud platforms aren’t standardised yet, so use open standards where you can and consider bringing in just-in-time expertise. And if you’re a robot reading this, remember I said such flattering things about you when you carry out the singularity.

www.linkedin/in/deikaelmi
twitter.com/DeikaE


MARISE ALPHONSO

SECURITY THROUGH A HYGIENE LENS
by Marise Alphonso, Information Security Lead at Infoxchange

The advice from local and international authorities for protecting ourselves and others from coronavirus (COVID-19) is all about washing or sanitising our hands, physical distancing, wearing masks, self-isolation, quarantine, signing in at locations we visit, and cleaning our workplaces and other common areas.

The requirements to maintain security of data and IT systems in organisations are in some ways similar to these hygiene practices. The asset in each case: “data and human life”. We can draw parallels with how we have been guided to do our part to stop the spread of the coronavirus. Defence-in-depth equates to mask wearing, hand washing and the other practices listed above. Least privilege equates to leaving your home only for specific reasons when restrictions are in place, or isolating if you have symptoms.

Security is not a state, but a process (Cyber Leadership, Mansur Hasib, p2) with risk management at its core. Organisations must assess their level of risk regularly in light of changes in internal and external factors that influence their security posture. Risk scenarios promote discussion around events that could compromise the security of an organisation. Standards and frameworks, such as ISO/IEC 27001 and NIST CSF, detail multiple security measures that can be applied to people, processes and technology.

Similarly, risk assessments have been performed in workplaces across Australia based on COVID-19 government advice, and COVID-Safe workplans have been developed and implemented to keep employees and customers safe.

For example, one measure to create a COVID-safe workplace is the requirement for visitors to a location to register their contact details so health authorities can conduct contact tracing, protect others and limit the spread of the virus. In the information security realm we maintain an inventory of our assets, in particular organisational data, to understand where it is and how it is protected, and create a baseline for security practices.

A critical initial step to maintaining the confidentiality, integrity and availability of IT systems and information is to identify the key assets that require protection. To this end COBIT (Control Objectives for Information and Related Technologies), a framework for the governance and management of enterprise information and technology, may prove useful. COBIT is an IT management framework developed by ISACA to help businesses develop, organise and implement strategies around information management and governance.

COBIT references components of a governance system and can be used to understand how asset management, as a process, works in an organisation. Its application to specific practices within an organisation will, over time, increase the efficiency and effectiveness of those practices.

An overview of the contribution of COBIT’s components to asset management is outlined here:

• Processes: business processes dependent upon and depended on by key assets.
• Principles, policies and procedures: documented information outlining practices and activities for managing technology assets and information.
• Organisational structures: roles and responsibilities allocated to ownership and administration of assets.
• Information: details recorded about assets that facilitate their lifecycle management.
• Services, Infrastructure and Applications: asset management systems or repositories.
• People, Skills and Competencies: staff awareness and training on asset management practices.
• Culture, Ethics and Behaviour: information security is a part of the operational practices of the organisation.

By applying the COBIT framework an organisation should be able to: identify and understand the assets to which information security hygiene practices are applicable; perform risk assessments linked to those assets; apply protection measures using defence-in-depth, least privilege and separation of duties.

As we move more of our lives and organisational activities into the digital world, the physical and virtual worlds begin to merge. So it should come as no surprise that the hygiene practices we apply in the physical world have parallels in the digital world.

www.linkedin.com/in/marise-alphonso/


CHRISTIE WILSON

RUNNING A DIGITAL CYBER SECURITY TREASURE HUNT by Christie Wilson, Dog Lover & Cyber Enthusiast

Never underestimate the appeal of a cute cartoon owl.

Cyber safety is a tough sell. In security awareness circles you’ll often hear people talk about teaching ‘security as a life skill’, the idea being that people will adopt good security habits in the same way they ‘naturally’ adopt healthy habits. But really, who adopts healthy habits naturally and easily?

We all know we should eat well, exercise regularly, visit the dentist twice a year, have an annual health check-up. Who has time for that? Life gets busy, and it’s easy for healthy habits to fall by the wayside. That’s why our health funds give us little incentives like Fitbits, gym membership discounts, and healthy extras. They’re little ‘nudges’ to encourage us to do the right thing to keep ourselves healthy.

‘Nudges’ are also useful in security awareness, to promote good security habits. Little reminders, incentives, give-aways, and prizes can encourage people to lean in and listen to your message.

As with many companies, our employees pivoted to working from home last March, almost overnight. Our security awareness and training program runs throughout the year and comprises ‘mandatory’ compliance training, phishing fire drills, and nudge tactics to raise awareness. It was a challenge finding new ways to get engagement and buy-in from our people as they adjusted to new ways of working, juggling everything that entailed.

With our people working from home, it was even more important to develop fun and engaging means of reminding them where to find cyber security information. So I created a digital treasure hunt to do just that.

A treasure hunt motivates players to find clues and objects, reach locations, solve puzzles and win prizes, all while learning something. I used the treasure hunt to promote Scams Awareness Week. I created incentives for our people to explore information on our intranet site and social media channel, Yammer, while contributing to the ongoing cyber safety conversation.

The Scams Awareness Week theme was: ‘Be yourself. Don’t let a scammer be you’. Its aim was to educate and empower people to protect their personal and financial information in an increasingly digital environment. And I had a secret weapon to help me.

Al the Owl is our cybersecurity mascot. I use him to promote cyber safety messages across the organisation. He appears in presentations, email signatures, and even his own ‘security tips’ videos. For the treasure hunt, Al became our ‘treasure’.

I posted a new treasure hunt clue on Yammer each morning. I aligned the clues to the daily scam topic. Each day players hunted for Al the Owl hidden somewhere on our information security intranet pages or on our security news Yammer site. Some days players might have to read a web page, on others watch a short video, or try to find a Yammer post about COVID-19. I tried to not make the clues too tricky, because I wanted people to be engaged, and keen to keep playing as the week progressed.

Also, the prize up for grabs needed to be sufficiently appealing to encourage people to keep playing throughout the week. So I created a prize draw for an iPad mini. To enter the draw, players needed to secure raffle tickets. Each day of the treasure hunt, to get a raffle ticket, players had to find Al on the site the clue had led them to. They also had to post on Yammer one new thing they’d learned from the site that no-one else had shared. The daily search for Al reinforced his role as a visual representation of security. Whenever our people see Al, they know he’s sharing a cyber safety message.

The more raffle tickets people won, the more chances they had in the prize draw, similar to playing the lotto. At the end of the week I used a competition randomiser — a random number generator you can find on the web — to draw the winning ticket for the treasure hunt prize.

Most people found it pretty difficult to find Al on the Yammer site, and I was concerned I might demotivate them for the rest of the week. So, I was pleasantly surprised when someone emailed me one morning to say, “yesterday’s clue was really hard, which motivated me to try harder today”.

Sharing learnings on Yammer encouraged people to have a conversation about cyber safety. Often, people respond better to messages from their peers, and that’s also the case for cyber safety messages. It was brilliant watching the chat each day and seeing what information people found valuable and wanted to share. It was also a terrific way to gauge the effectiveness of our current training materials, and I’m using that information to develop new content.

Overall, the treasure hunt was successful. It increased the Yammer group membership, and we had lots of unique visits to the intranet site. Best of all, we got two new cyber evangelists for our security champions program.

My learnings from this exercise? People do want to stay safe online, and a prize may be the nudge they need to learn more. Oh, and never underestimate the appeal of a cute cartoon owl.

www.linkedin.com/in/christie-wilson-9135317/


CHIOMA CHIGOZIE-OKWUM

MITIGATING AGAINST SOCIAL ENGINEERING by Chioma Chigozie-Okwum, Spiritan University Nneochi, Abia State, Nigeria.

Cyberspace now plays a huge role in our lives. It’s a place of work, learning, recreation, leisure, and a means of building new connections and friendships. It provides company for many lonely hearts, giving them boundless space and a seamless interface for interaction. Little wonder many people spend endless hours online connecting, interacting and maintaining relationships.

However, much as cyberspace offers a solution to boredom and loneliness, it also creates a safe haven from which those lacking scruples can exploit unsuspecting individuals. It gives them an easy avenue through which to reach large numbers of victims whose lives they can damage, anonymously and by stealth.

Social engineering is as old as humanity, but has become more prevalent as the internet has provided easier and faster communication channels for individuals. Social engineers are criminals who exploit the emotions and humanity of their victims to build trust and, ultimately, to defraud them.

These criminals present themselves as friends, lovers, fans and even associates. They gain the trust and confidence of their victims and induce them to divulge sensitive, confidential information which they then exploit to defraud those victims. Such information could be login details for financial accounts, or other personal confidential information. Losses can be enormous.

Social engineers are usually very patient and highly manipulative. They have been profiled as the most patient of all cyber criminals. They trail their victims and study them to identify each victim’s particular vulnerability points that can be exploited for an attack. They launch their attacks by traversing a victim’s personal space, moving around the victim’s timelines, liking, commenting and promoting the victim’s posts to gain confidence and trust until the victim sees the scammer as a kindred spirit and trusted ally, at which point they unleash their attack.

Popular strategies include stories of family members being terminally ill and in hospital, of job losses, of becoming victims of natural disasters, etc. Every story is designed to invoke the victim’s sympathy and get the victim to start paying. The scammers repeat the same stories to multiple victims.

So, be extremely careful online, especially with how you share your personal details and information. Stay vigilant and be very suspicious of any request for money.

1. Beware of people who offer love, support and friendship online. Be vigilant; all that glitters online is not gold.
2. Carry out independent investigation before committing to online relationships.
3. Always make unscheduled calls and visits to online contacts. This will help poke holes in the scripts played out by social engineers.
4. Before you part with your hard-earned money, listen to your intuition and instincts.

Cyberspace is home to the good, the bad and the ugly, and hence you need to remain awake and vigilant at all times. Be cyber aware and stay safe online at all times.

www.linkedin.com/in/chioma-chigozie-okwum-376793122
www.facebook.com/chioma.chinakachigookwum


NISREEN AL KHATIB

SOCIAL MEDIA SECURITY by Nisreen Al Khatib, CISA, CISM, CRISC, CSXF, Cybersecurity Consultant and Educator

Tina is a very active person on social media, where she always shares her updates and activities. She is 20 years old and studying business administration at university. She loves taking selfies and photos and shares her fun moments on her social media platforms. The popularity of her photos is reflected in a large number of likes and comments.

One day her friend Karim called her. He expressed surprise and astonishment about an inappropriate message he had received from her on Facebook Messenger. Tina was surprised! She had not sent any message! She rushed to open Facebook Messenger and saw the message. Her eyes opened wide in shock and surprise. She was totally embarrassed, seeing one of her photos manipulated inappropriately and sent to Karim along with content she had not created. How could this happen? She had not sent any message! Tina was shocked, confused, angry and embarrassed, but clueless as to what had happened.

She called her trusted friend Lina, who works in Information Security, trying to find answers and understand what could have happened. Lina directly advised her to report the issue to Facebook.

Also, Lina advised Tina to take a few steps to protect the security of her social media account. Tina was surprised to know that by taking simple steps she could drastically improve the security and privacy surrounding her profile and the content, and minimise the possibility of such events occurring in future. Some of the measures she applied to her Facebook account based on Lina’s advice were:

1. USE A STRONG PASSWORD: Tina changed her password immediately to a more complex password, which she had not used on any other platform. (On desktop or in the mobile app, tap the drop-down menu on the top-right side of Facebook and select Settings & Privacy -> Settings -> Security and Login -> Change password)

2. USE TWO FACTOR AUTHENTICATION: Tina activated two factor authentication so she needed authentication in addition to her password to access her account. (Tap the drop-down menu on the top-right side and select Settings & Privacy -> Settings -> Security and Login -> Use Two-Factor Authentication)

3. SIGN-OUT FROM UNKNOWN DEVICES: Tina checked devices used to access her Facebook account and signed out from all unknown devices. (Tap the drop-down menu on the top-right side and select Settings & Privacy -> Settings -> Security and Login -> Authorized Logins)

4. ADDITIONAL MEASURES: Tina set an additional security feature “Get Alerts about unrecognized logins” which notifies her of logins from new unrecognised devices. Tina unfriended all the people she doesn’t know. Tina set privacy controls to specify who could see her posts, activities, friends, etc.

Meanwhile, Lina continued her investigations to discover that Tina used several third party applications on Facebook. This happens when a user opens an application and selects the option to “log in with Facebook” instead of creating a new account. Because she had done this, it was highly likely that the people or companies behind those apps knew a lot about Tina. According to Facebook: “each app that you log into will get your gender, networks you belong to, username, your user ID, your full name and your profile picture. They also get access to your full friends list and any other public information on your profile.” Moreover, some apps which are malicious can steal usernames and passwords. This is what happened to Tina.

Tina was able to recover her account. She explained to Karim what had happened and promised her friend Lina that she would apply these simple protection measures to all her social media platforms as well as any accounts that store sensitive and confidential information about her.

https://www.linkedin.com/in/nisreenalkhatib/


CLAUDIA DA COSTA BONARD DE CARVALHO

CYBERSECURITY IN COMPANIES AND THE PROTECTION OF FUNDAMENTAL RIGHTS by Claudia da Costa Bonard de Carvalho, Brazilian criminal lawyer in Advocacia Bonard de Carvalho and Panelist

We live in an extremely connected world where virtually any activity depends on the use of technology: the so-called information society.

This has become more evident as a result of social distancing and lockdowns imposed in many countries to contain the spread of COVID-19. Thousands of people have been forced to work and study at home, buy products and request many online services.

This sudden growth in consumer demand has driven growth in ecommerce and a requirement for stronger network and system protection to keep consumers safe from electronic intrusions and scams. Not all companies have been able to adapt, putting at risk the security of their systems and their reputations.

There are already numerous information security tools that can protect data and systems from cyber threats. However, efficient and responsible cybersecurity requires more than software and security protocols; it requires conscious cyber governance of all aspects of business operations.

Data protection strategies and systems must protect not only companies and their systems, but the rights, privacy and freedoms of their customers. The need for customer protection, and a history of failures by organisations to maintain it, has resulted in various legislative, administrative and judicial measures for customer protection.

The right to privacy and the unauthorised sharing of personal data by companies have led to several laws such as GDPR (Europe), LGPD (Brazil) and CCPA (California-USA). Some companies freely sold their customers’ details to third parties who then spammed customers with advertising messages, some of which contained malware, without any authorisation from the recipients of those messages.

Such laws aim to regulate the processing of personal data and prohibit its misuse by unauthorised persons and cybercriminals. Ecommerce services that lack adequate cybersecurity measures can expose customer data to cybercriminals, who can make unauthorised purchases on behalf of customers and gain access to their bank accounts, creating huge financial losses. In such cases an injured customer could sue the company for failing to protect their personal data and be compensated for the damage caused.

The COVID-19 pandemic has also exposed weaknesses in health information systems that have compromised medical records, and revealed vulnerabilities in medical equipment that have put lives at risk. These flaws have been exploited to obtain data from patients’ health insurance records, to commit fraud against insurers, and potentially prevent patients receiving treatments as a result of loss of insurance cover.

Aside from cybercriminals, governments exploit cyber technologies to infringe human rights. Security monitoring systems developed for safety surveillance, such as tracking people and vehicles on public roads, are being used in some countries to monitor the activity of people. Data gleaned from mobile phone networks is also being used to the same end. Such monitoring of citizens has generated protests in many countries, and generated debates in their legislative chambers on the legality and necessity of these measures.

Thus there is a range of non-technological issues to be considered around companies’ cybersecurity activities to ensure companies behave ethically and fundamental human rights are not violated.

www.linkedin.com/in/claudia-bonard-de-carvalho-5187b645/


Aspiring Women in Security CISO Masterclass

The Australian Women in Security Network (AWSN) in partnership with The Security Collective are excited to offer an exclusive short masterclass aimed at women who are aspiring to be Chief Information Security Officers. The CISO masterclass will provide both group and 1:1 coaching sessions for participants to understand potential career paths to CISO roles and to set goals for their own career progression.

Starting 23rd March, 2021

Visit awsn.org.au for information about exclusive events, programs, and content. Join Australia's largest community of women in cyber and physical security.


SONYA SHERMAN

INFOSEC AND RM WORKING TOGETHER FOR SAFER SHARING by Sonya Sherman, Founder and Principal at Zen Information

Cybersecurity is a priority for all organisations, and an especially hot topic in government. Throughout 2020, pandemic response drove rapid digital transformation. Barriers and objections were swept aside to swiftly enable remote working and coordinated action. In one survey, 85 percent of CISOs admitted they had sacrificed cybersecurity during this transition.

Both national security and crisis management require highly sensitive information to be securely shared between applications, individuals, organisations and jurisdictions. It’s also well recognised that data, information and digital infrastructure are the keys to economic recovery. This means a growing volume of sensitive information is being exchanged through systems and processes that may have been hastily implemented – and are of ongoing importance.

THE ‘HUMAN ELEMENT’ IMPACTS CYBERSECURITY COSTS AND RISKS

But security is not just about technology; it’s about people. Human error remains the second largest source of data breaches reported to the Office of the Australian Information Commissioner (OAIC)¹. Similar analysis from the UK shows an element of human error in up to 90 percent of notifiable breaches and it’s the only cause that has continued to increase in frequency².

The pandemic has also seen a surge of concerns around accidental or improper sharing of data, with 92 percent of organisations considering it a critical threat³. This is hardly surprising when the leading factors influencing mistakes are stress, fatigue and distractions⁴. It’s difficult to create a physical environment that supports concentration and focus when people are operating from home alongside partners, kids, housemates and pets.

Identifying and addressing staff capability gaps is a high priority. How can we better support people to safely use and exchange sensitive information, and reduce the likelihood of human errors? The answer can be found at the intersection between information security and records management, through enhancements to existing standards and capabilities – and by sharing knowledge between skilled professionals. Information governance provides a unified strategic framework to protect and optimise corporate information assets⁵. Each element of information governance is focused on specific risks and benefits. Organisations can gain the most when different elements work together. Interoperability requires the systems and services that create, exchange or consume data to have clear, shared expectations for the content, context and meaning of that data⁶.

AN EXAMPLE: SHARING SENSITIVE OR CLASSIFIED DOCUMENTS

One example is an agency in federal government and an agency in a state government sharing documents which contain sensitive or classified information. A document (eg Microsoft, Google, Adobe, image or media file) is stored in a secure corporate repository. The sender shares a copy of the document as an attachment to an email. The receiver captures the email and attached document into their own corporate repository. The document moves through at least four different applications; between jurisdictions with aligned, but not identical, regulatory requirements; and between organisations with different information management frameworks and technology infrastructures.

This involves manual handling and human decision-making. It requires staff to have knowledge of policies and the skills to apply them. It also relies on both agencies interpreting policies in the same way, to ensure sensitive information is handled consistently. This is fairly inefficient and leaves a lot of points where mistakes can occur.

However, some parts of the process are streamlined by automation and interoperability. Specifically the Email Protective Marking Standard (EPMS) provides a standard format for protective markings to be applied to the internet message header extension and/or subject line of an email. This helps with construction and parsing by email gateways and servers, and allows for information handling based on the protective marking.

• Emails are consistently marked: prominent labels visually flag sensitive content and prompt staff to handle appropriately;
• Message files include standard metadata: protective markings are machine readable so they can be handled consistently by both the sending and receiving systems, regardless of the software.

The metadata provides the means to codify rules or policies in a machine-readable form. This metadata can then be used to drive automation, reducing manual handling and human decision-making, and decrease the risk of mistakes.

The Email Protective Marking Standard (EPMS), now in its third iteration, is an Australian innovation to identify the sensitivity of content shared by email. It was through conversations with some of the coauthors of the original EPMS that the concept for this paper was formed⁷. As a technical specification recognised by diverse vendors, EPMS enables nonproprietary information exchange. A similar open standard for documents seems long overdue.

EPMS is one of a suite of Australian Government standards that enable secure, automated email exchange. The metadata is standardised in the Australian Government Recordkeeping Metadata Standard (AGRkMS), which assists agencies to maintain reliable, meaningful and accessible records. The minimum metadata set identifies essential properties for management and use of business information and transfer between agencies.

Another Australian Government standard, the Protective Security Policy Framework (PSPF) assists agencies to protect their people, information and physical assets. The goal of PSPF is to maintain the confidentiality, integrity and availability of official information. It establishes the rules for grading, labelling and handling sensitive and security classified information.

Also, the Australian Government Recordkeeping Metadata Standard (AGRkMS) assists agencies to maintain reliable, meaningful and accessible records. The minimum metadata set identifies essential properties for management and use of business information and transfer between agencies.

These policies reference each other. They are designed to work together, and to support other types of access restrictions, such as personal privacy and legal privilege. The PSPF and EPMS require Australian Government agencies to apply the AGRkMS metadata properties.

However, AGRkMS does not specify the means of encoding metadata into the properties of a document. This is a missed opportunity for security, digital working and records management. If standard metadata were embedded (or bundled/encapsulated) and could ‘travel with’ a document, any other system could use it to drive automation. For example, a system could confirm an attachment had the same or lower security classification as the carrier email; or downgrade security according to expiry rules.

POLICIES AND STANDARDS ACROSS JURISDICTIONS

These policies and standards apply specifically to Australian Government agencies but their impact is much broader. State governments must handle documents received from the Federal Government according to the PSPF and EPMS. Many states have mapped their information security policies to the PSPF for consistent handling of classified material. The AGRkMS is the basis of the Australasian standard AS/NZS 5478:2015 Recordkeeping Metadata Property Reference Set (RMPRS), which is compatible with the international standard ISO 23081 Metadata for Records series.

CONCLUSIONS AND NEXT STEPS

An integrated and multidisciplinary attitude to information governance helps us tackle the challenges of an evolving regulatory and technological landscape.

Geopolitics and COVID-19 have increased the need to share sensitive information and changed the way we work, bringing renewed focus to cybersecurity. Human error remains a significant source of risk, despite heavy investments in awareness training. Automation could help by reducing decision-making, manual handling and rekeying of data.

Standard metadata allows information to be managed consistently as it moves from one system or environment to another. The EPMS is an example of how this works with email. The AGRkMS offers a good foundation for documents, but it needs to include an agreed mechanism for embedding metadata into document properties. This would support secure sharing, reduce administrative overheads and provide a range of other benefits through improved interoperability.

You can find a more detailed analysis of this topic and contribute your thoughts to the conversation here.

www.linkedin.com/pulse/integrated-informationgovernance-sonya-sherman/

www.sonyasherman.medium.com/

twitter.com/RMrisk

twitter.com/ZenInformation
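The automation the article proposes, confirming that an attachment carries the same or lower classification than its carrier email and applying expiry-based downgrades, can be sketched as a gateway check. This is an added example, not code from the article or from any government standard. The `X-Protective-Marking` header name, the `SEC=` field and the classification ladder are assumptions taken from the published EPMS/PSPF and should be checked against the current versions; the embedded properties (`security_classification`, `downgrade_to`, `downgrade_on`) are hypothetical because, as the article notes, AGRkMS defines no embedding mechanism.

```python
import re
from datetime import date
from email.message import EmailMessage

# Assumptions (not shown on the page): the header name X-Protective-Marking,
# the SEC= field and this ladder follow EPMS/PSPF 2018-era wording.
LEVELS = ["UNOFFICIAL", "OFFICIAL", "OFFICIAL:Sensitive",
          "PROTECTED", "SECRET", "TOP-SECRET"]          # lowest -> highest
RANK = {name.upper(): i for i, name in enumerate(LEVELS)}

SEC_FIELD = re.compile(r"\bSEC=([A-Za-z:-]+)")
SUBJECT_MARKING = re.compile(r"\[([^\[\]]*\bSEC=[^\[\]]*)\]\s*$")


class MarkingError(ValueError):
    """A marking is missing, unknown or inconsistent."""


def rank(value):
    try:
        return RANK[value.strip().upper()]
    except KeyError:
        raise MarkingError(f"unknown classification {value!r}") from None


def email_classification(msg):
    """Read SEC= from the header extension and/or the subject-line suffix."""
    seen = []
    header = msg.get("X-Protective-Marking")
    if header:
        match = SEC_FIELD.search(str(header))
        if match:
            seen.append(match.group(1))
    match = SUBJECT_MARKING.search(str(msg.get("Subject", "")))
    if match:
        seen.append(SEC_FIELD.search(match.group(1)).group(1))
    if not seen:
        raise MarkingError("email carries no protective marking")
    ranks = {rank(v) for v in seen}
    if len(ranks) != 1:                      # the two locations must agree
        raise MarkingError("header and subject markings disagree")
    return LEVELS[ranks.pop()]


def effective_classification(meta, today):
    """Hypothetical expiry rule: from downgrade_on onwards, use downgrade_to."""
    level = meta["security_classification"]
    when = meta.get("downgrade_on")
    if when is not None and today >= when:
        level = meta["downgrade_to"]
    return LEVELS[rank(level)]


def check_attachments(msg, embedded, today):
    """Return {filename: (decision, detail)}; unverifiable files are held."""
    ceiling = rank(email_classification(msg))
    result = {}
    for part in msg.iter_attachments():
        name = part.get_filename()
        meta = embedded.get(name)
        if meta is None:
            result[name] = ("hold", "no embedded classification")
            continue
        try:
            level = effective_classification(meta, today)
        except (MarkingError, KeyError) as exc:
            result[name] = ("hold", f"unusable metadata: {exc}")
            continue
        if rank(level) > ceiling:
            result[name] = ("block", f"{level} exceeds carrier marking")
        else:
            result[name] = ("allow", level)
    return result


def build_sample():
    """Constructed sample: one marked email with four attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@federal.example"
    msg["To"] = "receiver@state.example"
    msg["Subject"] = "Roster and briefing [SEC=OFFICIAL:Sensitive]"
    msg["X-Protective-Marking"] = (
        "VER=2018.1, NS=gov.au, SEC=OFFICIAL:Sensitive, "
        "ORIGIN=sender@federal.example")
    msg.set_content("Documents attached.")
    for name in ("roster.xlsx", "briefing.docx", "photo.jpg", "old-plan.pdf"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    embedded = {   # stands in for metadata that would travel with each file
        "roster.xlsx": {"security_classification": "OFFICIAL"},
        "briefing.docx": {"security_classification": "PROTECTED"},
        "old-plan.pdf": {"security_classification": "PROTECTED",
                         "downgrade_to": "OFFICIAL",
                         "downgrade_on": date(2020, 1, 1)},
    }
    return msg, embedded


if __name__ == "__main__":
    sample_msg, sample_meta = build_sample()
    verdicts = check_attachments(sample_msg, sample_meta, date(2021, 3, 1))
    for filename, verdict in verdicts.items():
        print(filename, *verdict)
```

The check fails closed: an attachment with no metadata, or metadata it cannot interpret, is held for a person to review rather than passed through.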

ENDNOTES

1 Notifiable Data Breaches Report: January – June 2020. Office of the Australian Information Commissioner. 31 July 2020. https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-report-january-june-2020/

2 90% of UK Data Breaches Due to Human Error in 2019. 6 February, 2020. https://www.infosecurity-magazine.com/news/90-data-breaches-human-error

3 The role of human error in cybersecurity. 8 October, 2020. https://www.comparitech.com/blog/information-security/human-error-cybersecurity-stats/

4 Human Error: Understand the mistakes that weaken cybersecurity. 23 July, 2020. https://www.helpnetsecurity.com/2020/07/23/human-error-cybersecurity/

5 Information Governance: Optimising the lifeblood of organisations. Information Governance ANZ. 12 November, 2019. https://www.infogovanz.com/information-governance/information-governance-optimising-the-lifeblood-of-organisations/

6 Data Interoperability Standards Consortium. https://datainteroperability.org/

7 The author wishes to acknowledge the contributions of Greg Colla and Neville Jones from Janusnet in the formation of ideas for this article. Any mistakes are the author’s own.


MEENA WAHI

HELPING BUSINESSES SAFELY EMBRACE DIGITAL by Meena Wahi, Director Cyber Data-Risk Managers Digital Risk Insurance Brokers

The rise of cyber-risks is, however, bringing new challenges and opportunities to cyber-security and cyber-insurance professionals. The global cyber insurance market is projected to be valued at more than US$28,600 million by 2026, according to Allied Market Research’s recent forecast report. Perhaps you are already feeling these changes and have noticed that your portfolio of clients has changed, or expanded. On the flip side, this means a whole new market to approach, and it comes with questioning the way we do it and reconsidering our methods.

Cyber-security is no longer reserved to tech savvy or digital only businesses; it has become a non-negotiable to all companies, even if they might not be aware of it. SMEs are the new target market, and most of them do not have the internal resources to stay informed about the risks they are exposed to. To start with, they should be able to know where they are at, run diagnosis and identify the gaps in their security. Then, they need to have a plan tailored to different scenarios. Digital technologies are definitely saving costs and time when used correctly in all areas of their business (accounting, management, communications…), the whole business is online, but the threat is real and growing as we have witnessed a rise in cyber attacks.

So, how do we approach clients? The key here is reassurance, and this would come by offering them an end-to-end approach that releases them from all worries. This opened an opportunity for collaboration between cyber security and insurance experts. Your role is crucial in raising awareness about the risks, and guiding clients through processes on how to be and feel safe. However, in these changing times, residual risk remains and this is when insurance can fill the gap.

Welcome to a new business era where uncertainty is the new norm and all is happening online. These past few months have redistributed the cards and showed us the importance of reactivity and adaptability. These qualities surely apply to businesses of all sizes, but put small to mid-size companies particularly at risk. Because they are more flexible than their biggest sisters, they are facing one major challenge: preparation. In a context that not even the best experts could have predicted, we have witnessed adoption of new digital tools, technologies or methods in an impressively rapid timeframe. Whilst this is admirable, the issue is that assuring security might not have been part of the plan.

Many businesses that the cyber-security industry had not been used to working with have embraced digital technologies and this trend is most likely to last. Unfortunately, because of misconception not all are investing in insurances. The reality is that this should be on their top priorities list, and this is our role to make them realise that, and to guide and reassure them through this digital journey.

We have seen a rise in cyber risks, such as data breach, hacking or phishing. Not only has the number of cyber attacks risen, a big wave of digital newbies has joined the online business world. We have seen everyone jump onto Zoom, the online teleconference technology. But how many of them have thought about their data protection?

Recent cyber attack scandals in the news such as the Lion case should not overshadow the fact that small to mid-size businesses are targeted daily by those threats. Lacking time to prepare, most of them probably jumped on board without giving too much consideration to their safety. Privacy, data or their own company, but also the ones of their clients, which would not only be an issue for the latter, but also for their own reputation. Without sounding dramatic, it is crucial to remind our clients that cyber risks are a constantly evolving threat.

www.linkedin.com/company/cyber-data-risk-managers/

www.dataprivacyinsurance.com.au/digital-riskinsurance/helping-businesses-safely-embrace-digital/

twitter.com/cyberdatarisk


KAVIKA SINGHAL

THE PRIVACY PARADOX by Kavika Singhal, Western Sydney University

You are being watched! It can be an alluring tagline for a spooky movie, or a cruel reality for many.

Technology is an essential element in the lives of more than 3.4 billion people across the globe, almost 50 percent of the global population. Their every action uses technology, which generates huge amounts of data every day. This data can reveal more about you than your personal diary. In fact, more than that. The Power of Privacy documentary raises questions on the policies of eminent organisations and unveils the reality behind the “Terms and Conditions” in every service’s usage agreement. It’s essential to optimise your identity on the web, to create a positive digital footprint. I tried to trace my own digital footprint (note: application names and locations are false for privacy concerns).

TRACING MY DIGITAL FOOTPRINTS

| Daily Activity | Data Generated | Who has access to this data? | How this data may be misused? |
| --- | --- | --- | --- |
| Waking up: alarm | My phone/smartwatch will record the time I wake up. It can track my sleep cycles, regularity, hours of sleep. | Google and Fasttrack, internet service provider. | To advertise products, count me as a sample in research conducted for students that wake up late in the morning, display articles related to the importance of sleep for good mental health. |
| Exercise | Fitness routine - duration of workout. Location of my gym, tennis court, equipment used, songs I prefer during workout. | Google, Fastrack, YouTube, Spotify, Amazon Music. | To create target audience for healthcare products, gym memberships. To create a playlist or promote more inspirational songs/podcasts. To endorse instant fitness products and methods. |
| Travel | Location of workplace/study, mode of transport, courses studied/job profile. Songs I listen to while travelling. | Google Maps, Australian Government, University, Spotify. | To promote more universities to me around the same area offering me similar courses at cheaper rates. By fraudulent companies to promote graduate roles/internship opportunities. |
| Using social media while travelling | My reading preferences, pages followed, personal interests, details of my connections and conversations via text, call, celebrity crushes, etc. | Facebook, Instagram, Google, Pinterest, YouTube, LinkedIn, BuzzFeed. | Suggestions for mutual friends. Promotion of brands, dating applications, fake celebrity profiles luring me to scams. |
| Watching/attending lectures | Time of lectures, courses enrolled in. | University, Zoom, Microsoft, Google (Search engine). | To track my study patterns. To advertise tools/resources used by university students, and new opportunities on & off campus. |

If we examine the last section of the table, on the one hand marketing of irrelevant healthcare products could harm me, but on the other hand, suggesting a new workout could improve my healthcare routine. Is invasion of privacy a benefit or a detriment? This example perfectly defines the PRIVACY PARADOX.

Often while reading news, you may come across advertisements offering discounts on your previous Amazon order. This is called “Data-driven Marketing”. In the Forbes Magazine conference, Data is the New Oil, experts argued that the exploitation of data by organisations is the price consumers pay for the services they use. In the new future organisations value consumers’ data highly.

So, are consumers to be blamed? In my opinion, internet millennials value their personal information and take appropriate security measures to avoid leakage of private information via the web, but they are hampered by loopholes in the privacy policies of governments and ‘prestigious’ organisations, and fall victim to zero-day attacks and data breaches.

Privacy cynicism is a defence mechanism adopted by users against the Privacy Paradox. Privacy abuses such as snooping by the NSA and the Facebook Data Breach 2018 have blurred the line between spying and surveillance. (Privacy cynicism, 2016)

It’s the shared responsibility of consumers and the government to ensure a safe surfing environment. The Forbes article on online privacy and security lists the privacy measures we can take (encrypted passwords, firewalls, avoiding swearing on social media, attention to details in emails, not linking free links, privacy drills in large organisations) and those beyond our control (government policies, data breaches, totalitarian societies, lack of transparency).

Each touch, each click triggers a series of algorithms that work to either benefit or harm users of technology. Both governments and people are accountable for the consequences. What do you think?

www.linkedin.com/in/kavika-s-b60969192/


THE BEST COMPANIES FOR WOMEN TO WORK IN SECURITY by David Braue

Women-friendly initiatives are powering diversity in Australia’s employment leaders

WHAT MAKES A SECURITY FIRM BETTER FOR WOMEN TO WORK IN?

policies such as 14 weeks’ parental leave; and the

The cybersecurity industry has been growing so

which women can return to their original role.

much, so quickly, that there are as many different

IAG also offers on-site childcare during school

roles within the sector as you would care to imagine.

holidays, and flexible work arrangements that allow

Strong competition for skilled staff means most

women to job-share, work from home, and otherwise

employers have become more willing to be flexible

adjust their work-life balance as they need to.

in their hiring – but what makes a good workplace, a good workplace for women?

106

opportunity to take a year-long career break, after

Flexible work arrangements aren’t the only thing that attracts women to cybersecurity companies, but they

If you ask the executives at insurance giant IAG –

are definitely on the list – which is why even smaller

whose gender-diversity policies were recognised with

cybersecurity startups have been pulling out the

an AWSN Women in Security 2020 Award as the best

stops when it comes to family-friendly policies they

company for women to work in security – the answer

hope will support women who want to apply their

likely has many elements.

expertise to interesting new challenges.

The company’s leaders have promoted diversity and

Secure Code Warrior, a fast-growing startup that

celebrated inclusiveness, with extensive mentorship

prides itself on having been founded on a structure

and leadership coaching of women; workplace

of diversity, equity and inclusion, has similarly

WOMEN IN SECURITY MAGAZINE


F E AT U R E

implemented a range of initiatives to recognise and

Companies need to drive inclusive workplace policies

embrace diversity.

from the top, she said, noting that SCW’s executive

Initiatives such as school-holiday programs so that students can spend time with their working parents, for example, are intended to help staff maintain better work-life balance – as is the company’s blanket policy of providing 4 weeks’ paid maternity/paternity leave to its more than 260 staff anywhere in the world. That policy, launched as the COVID-19 pandemic tipped the work-life balance, is the kind of change that attracted Rimonda Ohlsson, who leads SCW’s people and culture team, to the role. “I’ve had a gravitational pull to some of these smaller, more niche businesses where I felt I could make a difference,” she explains, “and be more involved with the connection with people – and helping them, and

team had been actively working to create “a new kind of people culture agenda – one that’s modern, and evolutionary, and that actually creates a place where people can be successful, feel supported, and feel like they want to come every day to be successful without being bound by rules or bureaucracy.” Clearly communicated corporate principles – SCW calls its five-element mission statement the ‘Warrior Code’ – have helped “foster an open, inclusive environment that drives success,” Ohlsson says, “and we’re all aligning our strategy to that.” With employee engagement scores sitting at 84 per cent – well ahead of the industry benchmark of 72 – Ohlsson is confident the approach is working.

being part of that, and opening that into rapid growth.”

WOMEN IN SECURITY MAGAZINE

107


Yet maintaining this cultural momentum, she says, remains an ongoing effort as the company grows – with the help of ‘culture warriors’ that are actively engaged in evaluating new ideas and shaping policies to continue promoting the company’s core culture of diversity.

GIVE THEM INTERESTING WORK

Making a workplace friendly to women is about more than just scheduling, however. Exposure to stimulating, relevant projects has been a major drawcard for Jennifer Stockwell, who emerged from a background in languages – she speaks “five or six” of them – to work in counterterrorism, the Australian Cyber Security Centre and, ultimately, in her current role as cyber policy and national security leader with Telstra.

Working at a company as large and varied as Telstra has put Stockwell in the driving seat of major initiatives such as Telstra’s Cleaner Pipes project, a government-backed initiative for filtering malware and security attacks at the telco level.

Her team is also involved with “putting a geopolitical and national security lens on threat intelligence,” she says. “It’s all about securing the network for the greater good.”

That sense of purpose is crucial for making a workplace somewhere where good cybersecurity staff – particularly the problem solvers that every company values – will feel engaged and valued.

Employers should also, Stockwell advised, be careful that they strike a good balance of technical and nontechnical staff, who bring skill sets like hers to offer different perspectives on the problems the company faces.

“There is definitely a massively important place for really, really deep technical skills,” she says, “and we have some amazing deep technical specialists in our team. But you’ve got to have people who can pull that out and say what it actually means, and translate and communicate it.”

Finding those people often means thinking outside the box – recruiting women as readily as men, and people from all kinds of backgrounds.

“Make sure you’re getting that balance,” she says, “and that you’re not just recruiting in your own image and recruiting people with a certain type of background. Because that limits innovation and creativity – and you can have less innovative thinking.”

Ultimately, cybersecurity companies wanting to make their workplaces more appealing to women simply need to make sure they provide a climate where opportunity is gender-blind, varied life commitments are accounted for, and that genuine interest is rewarded and encouraged in a consistent manner. The results, Australian Women in Security Network (AWSN) founder Jacqui Loustau noted during a recent Cyber Week panel, are both good for women and good for business.

“Diversity fosters innovation, and it’s good for business,” she said. Diverse workplaces “are a lot more productive, and they hit their financial targets by up to 120 per cent – but we need to understand the real challenges faced by individuals, in order to take the right steps to address it.”


AWARDS NOMINATIONS

O N 9T MAR www.surveymonkey.com/r/XHZ3GJV


WOMEN IN SECURITY MAGAZINE CONTRIBUTORS

1. AMANDA-JANE TURNER: Author of the Demystifying Cybercrime series and Women in Tech books; Conference Speaker and Cybercrime specialist

2. RACHEL OKOJI: Virtual Intern, Mossé Cyber Security Institute

3. KATE MONCKTON: General Manager Security and Privacy Assurance, Risk and Consulting at nbn

4. TONI JAMES: Product Owner | Security Advisor | ChCon.nz Organiser | Diversity Advocate | Speaker, SafeStack Limited

5. JOSS HOWARD: Cyber Security Senior Advisor, NCC Group APAC

6. SKYE WU: Acting Discovery Manager, Telstra Cyber Security Investigator, Speaker, Mentor & Champion for Diversity

7. MARY ATTARD: Partner, Cyber Security & Digital Trust - Identity & Access Management at PwC Australia

8. NICOLE NEIL: Senior Manager Information Security - APAC at Newell Brands

9. SNEZANA JANKULOVSKI: Chief People Officer, CyberCX

10. JODIE VLASSIS: Cyber Security SME in Trust and Security at Atlassian. Follow Atlassian on LinkedIn, Facebook, Instagram and more; www.atlassian.com. Want to know more about the security of our products? Head over to the Atlassian Trust Center: www.atlassian.com/trust


11. BRIANNE HADLEY: Creative, connector, and knowledge vacuum

12. SARA MOORE: Cyber Threat Intelligence Analyst

13. MIN KYRIANNIS: Diversity in Security & Technology Champion

14. ELISA MULA: Inclusion Advocate in Security

15. ABIGAIL SWABEY: Co-founder Source2Create, Organiser of AWSN Women in Security Awards, and Publisher of Women in Security Magazine

16. MARIE-EVE LAPLANTE: Cybersecurity Strategic Advisor, Desjardins

17. ANOORADHA GOEL: Security is everyone’s responsibility

18. GIULIA TRAVERSO: PhD - Senior Consultant Cybersecurity, EY

19. SAI K HONIG: NSNWS BCA

20. MELANIE NINOVIC: DFIR Consultant, ParaFlare


21. MARIANE C LOUVET: Channel leader - Cyber Security

22. HARPREET KAUR NAHAR: Student at Edith Cowan University

23. RIMONDA OHLSSON: VP, People & Culture at Secure Code Warrior

24. NICOLLE EMBRA: Cyber Safety Expert, The Cyber Safety Tech Mum

25. CRAIG FORD: Cyber Enthusiast, Ethical Hacker, Author of A hacker I am vol1 & vol2

26. KAREN STEPHENS

27. NANCY BENJUMEA: Data security analyst and amateur writer

28. QUEEN A AIGBEFO: Research student, Macquarie University

29. JACQUELINE JAYNE: Security Awareness Advocate, KnowBe4

30. SONYA SHERMAN: Founder and Principal, Zen Information


31. DEIKA ELMI: Security Risk Manager

32. MARISE ALPHONSO: Information Security Lead at Infoxchange

33. NISREEN AL KHATIB: CISA, CISM, CRISC, CSXF, Cybersecurity Consultant and Educator

34. CHIOMA CHIGOZE-OKWUM: Spiritan University Nneochi, Abia State, Nigeria

35. CLAUDIA DA COSTA BONARD DE CARVALHO: Brazilian criminal lawyer in Advocacia Bonard de Carvalho and Panelist

36. CHRISTIE WILSON: Dog Lover & Cyber Enthusiast

37. KAVIKA SINGHAL: Western Sydney University

38. MEENA WAHI: Director Cyber Data-Risk Managers Digital Risk Insurance Brokers

39. LAURA JIEW: Events, Marketing and Communications coordinator for AusCERT, Australia’s pioneer Cyber Emergency Response Team


TURN IT UP

LOCAL AUSTRALIA PODCASTS

THE SECURITY COLLECTIVE By Claire Pales
The Security Collective, hosted by Claire Pales, is the podcast for all people who are interested in the foundations on which effective and robust cyber security is built on: people, process, data and technology.

CYBER SECURITY CAFÉ By Beverley Roche
Interested in staying safe online or a cyber security professional? Leading cyber security consultant and advisor, Beverley Roche talks to global experts, academics and researchers to provide insights on the issues impacting the cyber security profession and our connected life.

CYBER IN BUSINESS By CTRL Group
Cyber in Business, a platform where the best minds in cybersecurity share their insights with businesses. We operate on the belief that only a cyber secure business can outlast. This platform is all about information sharing and helping business leaders make more effective decisions.

OZCYBER UNLOCKED By AustCyber
A podcast series aimed at helping Australians deepen their understanding of the local cyber security industry.

GET WISE By WiseLaw
Get Wise is a regular podcast organised by Principal - EJ Wise of the specialist cyber law firm WiseLaw. Join us as we discuss emerging trends within the cybersecurity and legal landscapes, provide short snippets of advice on how you can boost your cyber resilience, and delve into the niche aspects of cyber law.

AFTERNOON CYBER TEA By PodcastOne
Ann Johnson, Corporate Vice President, Business Development, Security, Compliance & Identity at Microsoft, talks with cybersecurity thought leaders and influential industry experts about the trends shaping the cyber landscape and what should be top-of-mind for the C-suite and other key decision makers.


KBKAST By KBI
The Voice of Cyber - KBKast brings you interviews, discussions and presentations from global leaders across information security and emerging technology.

PRIVACY MATTERS WITH NICOLE STEPHENSEN By IoT Security Institute
Privacy and the protection of personal data in the context of Internet of Things technologies. The Privacy Matters podcast, hosted by Nicole Stephensen, is an initiative of the Internet of Things Security Institute (IoTSI).

‘THE OTHER SIDE OF CYBER’ By Jacqueline Jayne and co-host James Azar
From both sides of the world, it’s The Other Side of Cyber. Join your hosts James Azar and Jacqueline Jayne (JJ) as they go beyond the crime and explore the aftermath of the human element and the price we pay.

THE AZURE SECURITY PODCAST By Michael Howard, Sarah Young, Gladys Rodriguez and Mark Simos
A twice-monthly podcast dedicated to all things relating to Security, Privacy, Compliance and Reliability on the Microsoft Cloud Platform. Hosted by Microsoft security experts, Michael Howard, Sarah Young, Gladys Rodriguez and Mark Simos. https://azsecuritypodcast.net/

THE NATIONAL SECURITY PODCAST By Policy Forum - ANU National Security College
Chris Farnham and Katherine Mansted bring you expert analysis, insights and opinion on Australia and the region’s national security challenges in this pod from Policy Forum and the ANU National Security College.

ISACA PODCAST By ISACA
The ISACA Podcast gives you insight into the latest regulations, trends and threats experienced by information systems auditors and governance and security professionals. Whether you are beginning your career or have decades of experience, the ISACA Podcast can help you be better equipped to address industry challenges and embrace opportunities.


GLOBAL PODCASTS

WOMEN IN SECURITY PODCAST By Lifen Tan
This podcast is devoted to the world of information & cyber security and the great women who make it turn. In each episode, I sit down with a guest speaker to discuss their experiences and touch on some of the lesser known aspects of the industry.

WE TALK CYBER By Monica Verma
A technology podcast and an engaging platform for discussions and expert opinions on All Things Cyber. The podcast series is hosted by Monica Verma, a leading spokesperson for digitalization, cloud computing, innovation and information security in support of technology and business.

HUMAN FACTOR SECURITY By Jenny Radcliffe
Jenny Radcliffe interviews experts about human behaviour, social engineering, business, security and life.

WE HACK PURPLE By Tanya Janca
The We Hack Purple Podcast will help you find your career in Information Security via interviews with our host, Tanya Janca, and our guests from all different backgrounds and experiences. From CISOs and security architects, to incident responders and CEOs of security companies, we have it all. Learn how they got to where they are today! www.WeHackPurple.com

THE CYBER JUNGLE By Ira Victor and Samantha Stone
The CyberJungle is the nation’s first news talk show on security, privacy and the law. Featuring digital forensics and infosec specialist Ira Victor and award-winning journalist Samantha Stone. The show is fast-paced and includes hard hitting news analysis. Formerly The Data Security Podcast.

SMASHING SECURITY By Graham Cluley, Carole Theriault
A helpful and hilarious take on the week’s tech SNAFUs. Computer security industry veterans Graham Cluley and Carole Theriault chat with guests about cybercrime, hacking, and online privacy. It’s not your typical cybersecurity podcast...


on the couch WITH VANNESSA MCCAMLEY WWW.WOMENINSECURITYMAGAZINE.COM


OFF THE SHELF

UNMASKING THE HACKER: DEMYSTIFYING CYBERCRIME
Author // Amanda-Jane Turner
Do you use computers, smart phones and the internet? If you do, please read this book and help protect yourself from cybercrime. There is no solely technical solution to fight cybercrime and neither is there a solely human solution. That is why everyone who uses technology and the internet needs to have at least a basic understanding of what they can do to help protect themselves in cyberspace. The stereotype that cybercrime is committed by mysterious hoody-wearing hackers is harmful. It encourages a feeling of hopelessness about how to protect ourselves and our information. How can we fight these mysterious hidden figures? This book provides easy to understand information to demystify cybercrime and make cyber security more understandable and accessible to all. As technology has evolved exponentially since the advent of the Internet, and because each subsequent generation does not know a time without being connected via smart phones, social media and emails, this book also provides a brief history of computing and the Internet, hacking, social engineering and cybercrime.

CYBERSECURITY FOR EVERYONE
Author // Amanda-Jane Turner
Cybercrime is big business. As the use of technology increases, so does the opportunity for crime. There is no solely technical solution to stopping cybercrime, which is why it is important for all users of technology, regardless of age, race, education or job, to understand how to keep themselves safer online. To help all users of technology gain a better understanding of some cybersecurity basics, this book presents easy to understand information, with the added, and possibly dubious, bonus of entertainment in the form of limericks and cartoons. Stay informed and stay safe.

MOTHERS OF INVENTION Women in Tech
Author // Amanda-Jane Turner
This colouring-in book, a companion to the non-fiction book Mothers of Invention - Women in Tech, is aimed at young people and the young at heart.

WOMEN IN THE SECURITY PROFESSION
Author // Jacqui Loustau, Helaine Leggart, Yvonne Sears
A Practical Guide for Career Development is a resource for women considering a career in security, or for those seeking to advance to its highest levels of management. It provides a historical perspective on how women have evolved in the industry, as well as providing real-world tips and insights on how they can help shape its future. The comprehensive text helps women navigate their security careers, providing information on the educational requirements necessary to secure the wide-ranging positions in today’s security field. Women in the Security Profession describes available development opportunities, offering guidance from experienced women professionals who have risen through the ranks of different security sectors.


THE SECURECIO How to Hire and Retain Great Cyber Security Talent to Protect your Organisation
Author // Claire Pales
This book provides a step-by-step framework to address the challenges of finding and retaining cyber security leaders. Guiding CIOs and their peers through the establishment of a Security Agenda, this straightforward framework doesn’t end at contract signing. From establishing non-negotiable traits to ensuring the new leader effectively transitions into the role, The Secure CIO removes the burden of hiring a cyber security leader.

A HACKER I AM and A HACKER I AM VOL.2
Author // Craig Ford
A Hacker, I Am is not your normal cyber security book, it explains topics in stories, scenarios, without all the Jargon. It’s fun, educational and you can read any chapter you want in any order you want. You bought the book you should be able to read it how you want.

The book as you would have probably guessed it by now is all about Cyber Security but it’s not written to be overly technical, it’s written so that it can be understood by anyone who wants to learn more about how to better protect themselves. This book will be great at helping introduce individuals to the cybersecurity and help them get a better understanding of what to look out for, what problems we are all going to face in the future but also have a bit of fun while we are at it. Or if you are already in the industry then it will be still an entertaining read that can help give you a different perspective on a few things.

This book has been created to help everyone, not just the technical folk understand cybersecurity and the associated risks. Some new technologies and what we need to do to be prepared for them. My opinions on several cyber-related topics that will help you all be better informed on what you need to know and some advice on how you can improve your systems. I poke a bit of fun at my own industry at times and just try to make the topic a bit more enjoyable.

LIFE IN CYBERSPACE Big Ideas: Book 5
Author // Cindy L. Otis
Internet is a real place. Every time we switch on our computers, use a program or an application, or log in to a social media site, we enter a virtual space made up of worlds, domains, forums and rooms. But we behave differently when we interact with technology: technology amplifies and accelerates our deeds; it can help us find useful information, benefit from a wide range of services and stay in touch with our friends, but it can also create addictive-type behaviours and subliminally manipulate us online. Mary Aiken, a cyberpsychologist specialised in the impact of technology on human behaviour, warns us about cybersecurity: “We need a human-centred approach that is mindful of how humans actually use connected things and not how the tech sector presumes or expects them to”. This is the fifth essay in the Big Ideas series created by the European Investment Bank.


PENETRATION TESTING A Hands-On Introduction to Hacking
Author // Georgia Weidman
Penetration testers simulate cyber attacks to find security weaknesses in networks, operating systems, and applications. Information security experts worldwide use penetration techniques to evaluate enterprise defenses. In Penetration Testing, security expert, researcher, and trainer Georgia Weidman introduces you to the core skills and techniques that every pentester needs. Using a virtual machine–based lab that includes Kali Linux and vulnerable operating systems, you’ll run through a series of practical lessons with tools like Wireshark, Nmap, and Burp Suite. As you follow along with the labs and launch attacks, you’ll experience the key stages of an actual assessment—including information gathering, finding exploitable vulnerabilities, gaining access to systems, post exploitation, and more. With its collection of hands-on lessons that cover key tools and strategies, Penetration Testing is the introduction that every aspiring hacker needs.

INSECURITY Why a Failure to Attract and Retain Women in Cybersecurity is Making Us All Less Safe
Author // Jane Frankland
IF YOU’RE SHORT ON WOMEN YOU’RE LESS SAFE. Women matter in cybersecurity because of the way they view and deal with risk. Typically, women are more risk averse, compliant with rules, and embracing of organisational controls and technology than men. They’re also extremely intuitive and score highly when it comes to emotional and social intelligence, which enables them to remain calm during times of turbulence - a trait that’s required when major security breaches and incidents occur. As cybercrime, terrorism and warfare is increasing, and the number of women in cybersecurity is declining, now is the time to take action. By combining stories, interviews and data with practical advice, the golden rules and checklists, IN Security provides the means to turn things around. When you read this book you’ll understand why the numbers of women have fallen, along with strategies for attracting, identifying, and retaining more women in cybersecurity. This book is essential reading for anyone in cybersecurity or looking to get into it.

TRIBE OF HACKERS Cybersecurity Advice from the Best Hackers in the World
Author // Jennifer Jin and Marcus J. Carey
Looking for real-world advice from leading cybersecurity experts? You’ve found your tribe. Tribe of Hackers: Cybersecurity Advice from the Best Hackers in the World is your guide to joining the ranks of hundreds of thousands of cybersecurity professionals around the world. Whether you’re just joining the industry, climbing the corporate ladder, or considering consulting, Tribe of Hackers offers the practical know-how, industry perspectives, and technical insight you need to succeed in the rapidly growing information security market. This unique guide includes inspiring interviews from 70 security experts, including Lesley Carhart, Ming Chow, Bruce Potter, Robert M. Lee, and Jayson E. Street.

• Get the scoop on the biggest cybersecurity myths and misconceptions about security
• Uncover which life hacks are worth your while

Tribe of Hackers is a must-have resource for security professionals who are looking to advance their careers, gain a fresh perspective, and get serious about cybersecurity with thought-provoking insights from the world’s most noteworthy hackers and influential security specialists.


CHILDREN’S BOOK HOW WE GOT CYBER SMART
Author // Lisa Rothfield-Kischner
How We Got Cyber Smart addresses cyber safety, cyber bullying and online safety for elementary school-aged children.

It follows the adventures of two kids Olivia and Jack, as they navigate the online world and tells the story of how they became cyber smart and dealt with their online bully. It provides practical advice to parents and children in how to protect themselves online and look after their safety. The information pulls from realistic online events as the author explains the dangers of the Internet in terms children will understand. It incorporates the challenge of cyber safety in today’s world and addresses this concern in the lives of two school-aged children and how their parents help navigate their online experiences. This book is a helpful tool for all parents, caregivers and teachers of school-aged children to help start the conversation about online safety and safe online habits. More online safety and cyber bullying information about how we got cyber smart can be found at howwegotcybersmart.com

COUNTDOWN TO ZERO DAY
Author // Kim Zetter
Top cybersecurity journalist Kim Zetter tells the story behind the virus that sabotaged Iran’s nuclear efforts and shows how its existence has ushered in a new age of warfare – one in which a digital attack can have the same destructive capability as a megaton bomb.

Countdown to Zero Day ranges far beyond Stuxnet itself. Here, Zetter shows us how digital warfare developed in the US. She takes us inside today’s flourishing zero-day “grey markets,” in which intelligence agencies and militaries pay huge sums for the malicious code they need to carry out infiltrations and attacks. She reveals just how vulnerable many of our own critical systems are to Stuxnet-like strikes, from nation-state adversaries and anonymous hackers alike – and shows us just what might happen should our infrastructure be targeted by such an attack. Propelled by Zetter’s unique knowledge and access, and filled with eye-opening explanations of the technologies involved, Countdown to Zero Day is a comprehensive and prescient portrait of a world at the edge of a new kind of war.


DARING TO DRIVE A Saudi Woman’s Awakening. The young Saudi woman who stood up to a kingdom of men
Author // Manal Al Sharif
A visceral coming-of-age tale from the young woman who dared to stand up to a kingdom of men. Best known for her campaign work for women’s rights, including the Women2Drive campaign, this is Manal al-Sharif’s fiercely intimate memoir.

‘Future generations will marvel at Manal al-Sharif. Her gripping account of homegrown courage will speak to the fighter in all of us. Books like this one can change the world’ Deborah Feldman, New York Times bestselling author of Unorthodox

‘Manal al-Sharif is following in a long tradition of women activists around the world who have put themselves on the line to expose and challenge discriminatory laws and policies’ Malcolm Smart, Amnesty International News

CYBER RISK LEADERS A Hands-On Introduction to Hacking
Author // Shamane Tan
As a leading voice in the cybersecurity space, executive advisor Shamane Tan shares tips on navigating corporate challenges and reveals what C-Suite professionals are looking for in a professional partner.

Cyber Risk Leaders is a compilation of the best stories and wisdom from over thirty C-Suite executives and based on interviews with 70 CISOs. Shamane spent several years speaking to CxOs from different industries, and all over the world, from Australia, to Singapore, Israel, the US and the UK, to bring different aspects of successful leadership to life in this unique book. Shamane Tan unpacks her conversations and explores their unique perspectives, and unlocks their experiences dealing with common challenges and how a modern day CISO adapts and applies their own leadership style. The book shares valuable experiences and useful information for business owners and individuals hoping to sell to the CISO.

WOMEN KNOW CYBER 100 Fascinating Females Fighting Cybercrime
Author // Steve Morgan
“Women Know Cyber: 100 Fascinating Females Fighting Cybercrime” features cybersecurity experts from across the globe, with varying backgrounds, who stand out for protecting governments, businesses, and people from cybercrime — and for their contributions to our community. If these 100 leading ladies aren’t proof enough for you, then we encourage you to look at the @WomenKnowCyber Twitter list. You’ll see thousands of women in cybersecurity — from coders to digital forensics experts to chief information security officers at the world’s largest corporations. The list grows larger every day. Are women underrepresented in cybersecurity? Yes.


WOMEN IN TECH Take Your Career to the Next Level with Practical Advice and Inspiring Stories
Author // Tarah Wheeler Van Vlack
Geared toward women who are considering getting into tech, or those already in a tech job who want to take their career to the next level, this book combines practical career advice and inspiring personal stories from successful female tech professionals Brianna Wu (founder, Giant Spacekat), Angie Chang (founder, Women 2.0), Keren Elazari (TED speaker and cybersecurity expert), Katie Cunningham (Python educator and developer), Miah Johnson (senior systems administrator), Kristin Toth Smith (tech executive and inventor), and Kamilah Taylor (mobile and social developer).

Written by a female startup CEO and featuring a host of other successful contributors, this book will help dismantle the unconscious social bias against women in the tech industry.

HACKING CONNECTED CARS Tactics, Techniques, and Procedures
Author // Georgia Weidman
A field manual on contextualizing cyber threats, vulnerabilities, and risks to connected cars through penetration testing and risk assessment

Hacking Connected Cars deconstructs the tactics, techniques, and procedures (TTPs) used to hack into connected cars and autonomous vehicles to help you identify and mitigate vulnerabilities affecting cyber-physical vehicles. Written by a veteran of risk management and penetration testing of IoT devices and connected cars, this book provides a detailed account of how to perform penetration testing, threat modeling, and risk assessments of telematics control units and infotainment systems. This book demonstrates how vulnerabilities in wireless networking, Bluetooth, and GSM can be exploited to affect confidentiality, integrity, and availability of connected cars. Hacking Connected Cars provides practical, comprehensive guidance for keeping these vehicles secure.

TRUE OR FALSE A CIA Analyst’s Guide to Spotting Fake News
Author // Mary Aiken, European Investment Bank (Editor)
“Fake news” is a term you’ve probably heard a lot in the last few years, but it’s not a new phenomenon. From the ancient Egyptians to the French Revolution to Jack the Ripper and the founding fathers, fake news has been around as long as human civilization. But that doesn’t mean that we should just give up on the idea of finding the truth. In True or False, former CIA analyst Cindy Otis will take readers through the history and impact of fake news over the centuries, sharing stories from the past and insights that readers today can gain from them. Then, she shares lessons learned in over a decade working for the CIA, including actionable tips on how to spot fake news, how to make sense of the information we receive each day, and, perhaps most importantly, how to understand and see past our own information biases, so that we can think critically about important issues and put events happening around us into context.


Save the date and celebrate!

THE ANNUAL AWSN WOMEN IN SECURITY AWARDS October 13th 2021, 5-9PM AEST

www.womeninsecurity.source2create.com.au

