WOMEN IN SECURITY MAGAZINE, ISSUE 02, MAY • JUNE

BEWARE THE BRILLIANT CYBERSECURITY JERK (P16-18)
GENDER EQUALITY WON'T WORK WITHOUT THE SUPPORT OF MEN, TOO (P76-79)
DIVERSITY: WITHOUT A DIVERSE CYBER WORKFORCE, YOUR SECURITY TRANSFORMATION HASN'T GOT A CHANCE (P08-11)
www.womeninsecuritymagazine.com
FROM THE PUBLISHER

The reality of unconscious bias and what we can do about it

I have always wanted to work for a cause that would bring real change to supporting and providing women in security a voice in the industry, and launching this magazine in March was a big step towards just that.

I was ecstatic to see the strong welcome that the first issue got, with many applauding the way we were empowering women with stories of people creating real change. Many welcomed our efforts to inspire and empower women and young girls, and to help break down the industry's stereotypes and smash its glass ceilings.

After the launch, some questioned the decision to make the front cover pink and if it was due to our predominantly female audience. That's what really got me thinking.

The choice was made unintentionally and based purely on aesthetics – yet when questions were asked, I began questioning whether it did indeed reflect an unconscious bias on my part. Worse still: if I had missed this, then what else have I missed? And if I can stumble into a trap like this despite being a passionate advocate for breaking stereotypes, then how many other people suffer from similar bias without even realising it?

Whether intentional or unintentional, unconscious bias is still common in our world – and everyone has some degree of it. This can be as simple as choosing to work with someone familiar or hiring someone you like – which might seem harmless until you consider that it can hinder opportunities available for others competing only on their merits.

Unconscious bias also causes the association of genders with certain personality traits, colours, imagery, behaviour, societal expectations, and so on – defying our best efforts to be 'open-minded'. For example, many people still associate men with being assertive or a better leader, while women are deemed emotional, sophisticated and caring.

Within masculine domains, people often judge female targets and work products as less competent than identically described male targets and work products. Women need to display agency to overcome their perceived 'lack of fit' with leadership roles, and if they fail to do so their competency is rated low.

Women are also likely to experience prejudice in the workplace, the McKinsey & Company and LeanIn.Org report revealed, while the problem of affinity bias persists as preconceived notions of people lead them to hire and promote people similar to them. It's little wonder that the proportion of women in the corporate sector declines dramatically from 47% in entry-level positions to 21% in the C-Suite level. The numbers become astonishingly low for women of colour, whereby 18% are in entry-level positions and only 3% in the C-Suite level. If implicit biases are leading us to wrong conclusions, over and over again, it becomes crucial to ask ourselves: how can we slow down, recognise our biases, and improve them?

We can start by looking at things like the language we use: using language full of male connotations shows implicit bias, and is one of the biggest reasons for the presence of this huge gender gap in the industry. So, too, are media stereotypes, such as male hackers in a hoodie or male scientists with glasses.

Over time, even the smallest societal signals reinforce intrinsic bias – which is why we must work to break down typical societal expectations of what specific genders need to do from an early age. This can be as simple as ensuring that teachers use gender-neutral language, give both genders an equal opportunity to participate in class, and avoid favouring one gender over another. You can also apply the same dynamics in workplace environments, where we need to build and reinforce structures that break down these norms and reduce implicit biases. Think about how your company operates: does it employ unbiased hiring techniques, use gender-neutral language in job descriptions, provide equal opportunities to employees, ensure the firm has adequate work-life balance, and promote proper representation and championing of women in the field?

Bias emerges in many ways, and it perpetuates itself unless we commit ourselves to change. And that change is not the sole job of women; it's a responsibility that everyone carries. So: take some time to look within, and commit to action as well. After all, if you understand your own unconscious bias, you've taken the first step to reducing it.

Abigail Swabey
Publisher, Co-founder at Source2Create
aby@source2create.com.au
CONTENTS (MAY • JUNE 2021)

02 Publisher's letter
08 Without a diverse cyber workforce, your security transformation hasn't got a chance
12 Call to Action: We Must Change
16 Beware the brilliant cybersecurity jerk!
20 COVID-19 themed cybercrime
22 What's her journey? Dr Michelle Ellis
24 Catherine Dolle-Samuel
26 Sarah Young
29 Manal al-Sharif
32 Nicole Murdoch
34 Daisy Wong
36 Nicole Stephensen
38 Amber Umair
42 Lauren Zink
44 Gabrielle Botbol
46 Winifred Obinna
48 Ankita Dhakar
50 APRA CPS 234: What you need to know
52 Attracting women into cyber takes more than equal pay

CAREER PERSPECTIVES
57 How parents can keep up with apps and online games
58 Grab the mike, it's your turn
60 Why more women in cybersecurity will ultimately make us safer
64 Camaraderie
67 Recruiters pick the cyber skills hotspots
70 Refining my foundation: career transition to cybersecurity

INDUSTRY PERSPECTIVES
72 The year that was 2020: an AusCERT perspective on cyber threat intelligence
74 The 10 Commandments of Human Error
76 Gender equality won't work without the support of men, too
80 A more secure future: the case for encouraging female participation in Australia's cyber sector
82 How to get more girls into STEM
84 Risk-takers and challengers: Women in cybersecurity startups
89 AWSN International Women's Day (IWD) 2021 celebrations
92 From re-writing job ads to championing women's achievements
95 Building the foundations of a new data economy
98 How Secureworks champions females in senior roles
102 Start-ups, why you need to get security right from the start

TECHNOLOGY PERSPECTIVES
104 "Share today, save tomorrow"
106 Managing data risks in industrial control systems
109 Why did the Titanic sink?
112 Why the trends in cryptography are trends?
114 Lifecycles within security
116 Swimming above CEO frauds
118 The future prospects and challenges of AI and ML for cybersecurity
120 How to be digitally secure when working from home
122 Beware the cybercriminal state in 2021

132 Turn it up
136 Off the shelf

FOUNDER & EDITOR: Abigail Swabey
ADVERTISING: Abigail Swabey, Charlie-Mae Baker
JOURNALISTS: David Braue, Stuart Corner
SUB-EDITOR: Stuart Corner
DESIGNER: Jihee Park

Women in Security magazine is published by Source2Create, ABN 25 638 094 863. www.womeninsecuritymagazine.com contact@source2create.com.au

Source2Create Pty Ltd is the publisher of this magazine and its website (www.womeninsecuritymagazine.com). AWSN is the official partner of Women in Security Magazine.

©Copyright 2021 Source2Create. All rights reserved. Reproduction in whole or part in any form or medium without express written permission of Source2Create is prohibited.
WITHOUT A DIVERSE CYBER WORKFORCE, YOUR SECURITY TRANSFORMATION HASN'T GOT A CHANCE
by David Braue

Attackers are already benefiting from a diverse set of skills – so why aren't you?

The discussion about diversity in cybersecurity teams has taken on a new urgency in 2021, fuelled by the vaccine-led pivot away from the COVID-19 pandemic and stoked by growing national outrage over the unequal treatment of women in the workplace.

Yet as Australians head back to workplaces that have been indelibly reshaped by a year of home working – and the attendant surge in flexible work – diversity experts are banging the drum to argue that there is no better time for reconstituting businesses to put diversity at the heart of their workforce strategy.

A recent survey, by Brisbane-based network-services marketplace Cloudscene, highlighted just how much room for improvement still remains. Just seven of the top 100 service providers in its index have female CEOs, the company's review found, while just 41 of the Fortune 500 global companies were headed by women.

"This is representative of a wider conversation on diversity and inclusivity across our industry," Cloudscene CEO Belle Lajoie said in response to the findings. "We're making valuable progress but we're not quite there yet."

Increasing diversity has become a particularly crucial priority for business leaders who have been given the opportunity to reboot change initiatives within their companies: "giving individuals from underrepresented groups a seat at the table means we can truly begin to shape our businesses based on informed and balanced perspectives," Lajoie said. "Diversity creates the opportunity for innovation and ingenuity, and works to remove bias and improve balance across global organisations in our sector."

With 71% of Australian CEOs optimistic about increasing their organisational headcounts in the next three years, according to PwC Australia's latest CEO Survey, growing executive confidence will give companies the chance to breathe new life into diversity initiatives as companies embark on widespread hiring sprees.

Fully 95% of respondents said they see cyber as a key threat to business growth moving forward – suggesting that area could see an overall uptick as executives push to contain their cybersecurity exposure as they accelerate digital transformation programs.

And with 68% of respondents concerned over availability of key skills – down from 78% last year – widespread fears about cybersecurity exposure mean many companies may be willing to redouble efforts to find or train employees in business-critical areas, particularly where interruption of skilled migration has, PwC noted, "amplified the need for local upskilling".

DIVERSITY = INNOVATION

As they seek to maintain the cybersecurity of increasingly digital organisations, executives have a significant opportunity to invest in measures to improve the diversity of cybersecurity recruitment.

"Diverse teams bring diverse perspectives, whether it's gender, ethnicity, background, or life experience," Google information security and privacy director Heather Adkins recently told CyberCrime Magazine. "When I look at our teams today, and I look at the variety of folks we have on the team, I can see how differently they solve problems from each other."

"I've got folks on the team who are from India, and China, and Germany and Romania – just all over the world – and they've all had different life experiences growing up, and how they're solving problems is really remarkable. And when we're stuck, we've always got somebody who's got a crazy idea on the team that we can try out. And sometimes they work out better than you expect."

Indeed, surveys have shown that qualified job-seekers are more attracted to workplaces with demonstrated commitments to diversity and inclusion.

"Two-thirds of job seekers consider workplace diversity when they're considering a job," noted Australian Women in Security Network (AWSN) founder Jacqui Lostau, adding that 72% of those respondents consider it to be "extremely important". "Diversity is a lot more than gender," she added, citing statistics showing that companies with a greater focus on diversity and innovation exceed financial targets by up to 120%.

"Diversity fosters innovation," she said, "and it's good for business."

The promise of better financial returns has been a consistent finding in a series of McKinsey & Company research studies, with the 2020 instalment finding that the greater the gender diversity in a company, the greater the chance that company would outperform its rivals with lower diversity. Companies in the top quartile for gender diversity on executive teams, the firm found, are 25% more likely to have above-average profitability than those in the fourth quartile – and this gap had expanded, from 21% in 2017 and 15% in 2014.

Despite this competitive advantage, however, representation of women on US and UK executive teams has progressed slowly – from 21% in 2014 to just 28% in 2019; at this growth rate, companies won't achieve gender equity until the year 2036.

For a global industry where agility and proactivity have become key to survival, that timeframe may be too long for many companies – which is why McKinsey & Company recommends companies take five key steps to expand diversity in their workplaces as quickly as possible. These steps are based around two core elements: a systematic, business-led approach to diversity and inclusion, and taking bold steps to strengthen inclusion – which in some analyses is explained as being the 'how' to diversity's 'what'.

"More than ever, flexibility and versatility are becoming the key to success for individuals, companies and countries alike, and a culturally diverse environment is the best way to acquire these qualities," a recent World Economic Forum analysis noted. A slew of statistics, that analysis notes, confirm that high-diversity organisations deliver substantially more innovation revenue than those with below-average diversity scores: "Assumptions need to be challenged, conversations need to be had and corporate culture needs to be updated so that the modern workplace can accurately reflect and support the population of the region."

FIGHTING FIRE WITH FIRE

As a relative cybersecurity industry newcomer, expanding consultancy CyberCX was able to integrate proactive diversity initiatives into its fundamental policies early on – not only out of a moral obligation to equality but also, chief people officer Snezana Jankulovski said, because diversity "is a business issue".

"There are massive skill shortages in cybersecurity," she explained, "and it's about being able to attract the best talent. We want to broaden our talent pool – and for us, what made the most sense was to start off with gender."

Yet despite the potential benefits of increased diversity, many Australian CEOs have yet to prioritise such measures – and this could have a direct impact on the effectiveness of their cybersecurity teams, just when they are needed the most.

Some 53% of Australian respondents to the PwC survey said workplace culture and behaviour were the most important aspects of their workforce strategies – well above the 32% global average – and 34% said they would focus on building skills and adaptability.

Yet just 16% explicitly said that they were prioritising diversity and inclusion – suggesting that many Australian CEOs are so focused on resuming business as usual that they risk perpetuating the same-old same-old despite the magnitude of post-COVID opportunities.

This is particularly problematic in cybersecurity, where diversity of thought and experience is important not only for its business benefits, but because adversaries are already leaning on highly diverse teams – often recruiting cybercriminals from around the world for different tasks, whose success in collaborative problem-solving might be admirable if it weren't so malicious and problematic.

For many cybercriminals, after all, attacking businesses is a game of wits – and to have any chance of matching their advantage, corporate cybersecurity teams need to be equally diverse.

"Attackers in a cyber context are a very diverse group," said PwC cybersecurity partner Nicola Nichol, "and we need to increase the diversity of our security teams in response to that."

"Women in our population have been disproportionately impacted by the pandemic," she adds, "and this is a really great opportunity for us to upskill women in particular – but also diverse groups, and indigenous and other communities."

Ultimately, the growing recognition of diversity's business value – and its importance to maintaining a strong defence in areas like cybersecurity – seems set to normalise gender equality in ways that have been elusive for many years. By prioritising diversity and inclusion initiatives as rational targets with tangible results, executives will be able to position diversity alongside other key business indicators – ensuring that women are increasingly seen as essential to companies pivoting towards the 'new normal'.

"Our differences are our greatest strengths," said Shelley Zalis, CEO of diversity research firm The Female Quotient.

"Diversity is not just a nice to have," she continued. "Diversity is very important for advancing equality, improving equity and making sure we're all seen, all heard, and why not only do we need better data going in, better choices of the data – but also diversity at the table so that we are making smarter, more accurate decisions."
MELANIE NINOVIC

CALL TO ACTION: WE MUST CHANGE
by Melanie Ninovic

Time and time again, at security conferences, International Women's Day events, in the workplace, women have come forward to share their stories of abuse, harassment, and discrimination.

All too often nothing changes. Colleagues don't believe those who've come forward, management quietly fires the woman to save a man's reputation, or, as we have all seen in recent weeks, the victim is blamed to absolve the accused of any wrongdoing.

Everyone in the cybersecurity industry, no matter their gender, can do more: university students, consultants, analysts, engineers, managers, executives, event organisers, recruiters.

These issues are very real for women every day of their careers. They cannot be resolved by speaking about them only on March 8th each year. There are good reasons we in the industry continue to insist there are not enough women in the workforce, not enough women replying to job vacancies, or too many leaving cybersecurity altogether. To make the workplace and industry more welcoming, accepting, and safe for women, there are steps we can all take.

Firstly, and most importantly, be an ally. If you see a woman being discriminated against in a meeting, call it out. If she is being verbally, psychologically, or sexually harassed in the workplace, call it out. Using the power of your voice will help those who do not have the strength to stand up for themselves.

Let's go through what people in various roles can do to help make workplaces welcoming and safe for women.

STUDENTS

There are groups you can join that work to support women in cybersecurity: AWSN, WiT, WiTWA, STEM Women, and WiCyS. Here you'll be able to speak to other women in the industry and find a mentor. Your call to action is to spread the word that these groups exist, and that, although a minority, there are women in cybersecurity.

CONSULTANTS, ANALYSTS, ENGINEERS

Even with one or two years of experience, you can start sharing what you have learnt and how you joined the industry.

• Be a mentor to a female colleague or student. This goes a long way. She will know where to learn more about a specific field in cybersecurity, what skills she needs to join the industry, or how to progress in her role. These are all important stepping stones in anyone's career.
• Encourage women to share their thoughts in meetings. Have them peer review your reports before you send them out to clients, or ask for their opinion on how to do something. Be inclusive.
• Be a role model. Seeing women present, sharing their ideas, showing their expertise, will motivate other women to do the same. Seeing is believing. If you are a female in one of these roles, don't be afraid to present at a local meetup or within your organisation. Writing blog posts and sharing them with your network is also important.
• Call out discrimination or abuse towards a female employee and, depending on the situation, raise it with the perpetrator if it is safe to do so.

MANAGERS/DIRECTORS

Show your support and sponsor groups that facilitate the growth of women within cybersecurity.

• Introduce new junior female employees to a woman in leadership.
• Provide technical and non-technical training for your female juniors, and all graduate students who've joined your team. Send them to conferences to learn from experts and network with those in the industry.
• Showcase female talent and provide them with opportunities, whether those be speaking slots, promotions or new projects, to grow and work outside their comfort zone.
• Remove gendered terms, position titles, and desirable skills (only include must-have skills) from job descriptions if you're hiring for a position within your team.
• Ensure at least 25 percent of applicants are female when hiring, especially if using a recruitment agency. And give them the opportunity to interview with you. If you are hiring for a junior position, take a chance on a female student who has just completed her university studies.
• Ensure there is a process and formal training for handling these types of incidents.

EXECUTIVES

It is not sufficient for your organisation to post photos of the women in your company on International Women's Day. It is not enough to say you are inclusive of women, when those same women are resigning because they feel discriminated against.

Take a look at the incredible leadership of CyberCX. The company has sponsored 12 female university students with a grant of $10,000 each for their studies and provided them with a paid internship with CyberCX. Smaller organisations may not be able to sponsor twelve women, but even one or two scholarships/internships will help the industry grow and mature.

CONFERENCE/MEETUP ORGANISERS

• If you are organising meetups or conferences, be sure to strive to include women in your speakers, organisers and volunteers. It is crucial for upcoming talent, and for those progressing in their careers, to see females contributing, sharing and being leaders in their fields. It is also a pathway for women to be involved, meet people, and grow their career.
• If you haven't heard of the term 'manel', it's a conference panel that consists only of male speakers. This sends a negative signal to the women in the industry that only men have the skills and expertise to present on a certain topic. When organising your panel, it is important for visibility and diversity of opinion to include women.
• If you are having difficulty finding women to present, either on a panel or as general conference speakers, reach out to the people who run, or are part of, AWSN, WiT and other groups. Use social media outlets such as Twitter and LinkedIn to reach members of these communities.

RECRUITERS

• If you are presented with an application that falls short of the requirements, provide feedback as to why. This is the only way women can learn and progress.
• If you are presented with a resumé that does not meet the standards that organisations look for in an applicant, give advice on how it can be improved. Additionally, if you have spare time, offer to review the resumés and cover letters of females in your network, especially students.
• Make an effort to consciously remove any gender or familiarity biases in the recruitment process—initial screenings or interview questions—to ensure they are fair and equal to all applicants. This also pertains to hiring managers.
• Ask candidates for anonymous feedback on the recruitment process.

If you are a woman in security experiencing some kind of abuse, unwanted attention or harassment, please seek help. Reach out to a friend, an ally, a support group, counsellor, or more formal channels that can provide you with the support you need. You are not alone. If you can, stand up and speak out; if not for yourself, then at least for others who may have gone through a similar ordeal.

Progress has been made, but we cannot be complacent. We need more people to challenge themselves and the status quo and be part of the solution. By doing your bit, you are helping to make the workplace a safer place for us all.

www.linkedin.com/in/melanie-cybers/
twitter.com/_darkdefender_
BEWARE THE BRILLIANT CYBERSECURITY JERK!
by Stuart Corner

There's usually at least one in every organisation. They may be brilliant at the core competencies of their role, but as a co-worker or manager they're a disaster, because of their personality and the ways in which they interact with others.

Jinan Budge, principal analyst serving security & risk professionals at Forrester Research, leads Forrester's security and risk research. She says such people have a 'hero complex' and can create a toxic workplace culture. She describes them as 'brilliant jerks'.

Budge has studied toxic cultures and brilliant jerks extensively and has published her findings as co-author of a Forrester Research paper, Maintain Your Security Edge: Develop And Retain Cybersecurity Talent. The paper argues that complacency, lack of diversity, and a focus on technologies over people are threats to any business, and says security leaders must invest in professional development and growth for themselves and their staff and create a positive team culture and environment.

Budge talked about her research at #ChooseToChallenge, an online conference organised jointly by ISACA's Sydney and Melbourne Chapters and the Australian Women in Security Network (AWSN), held for International Women's Day, March 9.

GREATER DIVERSITY NEEDED

She said her research had identified lack of organisational support as the main reason for a toxic culture, followed by: "What I decided to diplomatically call, in our formal research, the 'hero complex', but I'm calling here the 'brilliant jerk'.

"The brilliant jerk came to me with many different names. People talked about the messiahs, the rock stars, the invincibles, 'the bros'… Effectively, these were people who were not team players. They feel like they and only they can solve the problem, regardless of the impact they have on everybody else around them."

She said the impact of a brilliant jerk on an organisation's cybersecurity could be significant: it can compromise staff effectiveness and lead to loss of skilled people. And she has made a prediction — in Forrester's 2021 annual cybersecurity predictions — that within the next five years a CISO from a global 500 firm is going to be publicly ousted and fired for instilling a toxic security culture.

COMPROMISED SECURITY

"In my 23 years [in cybersecurity], there's about 100 reasons why some of my friends and colleagues have left their jobs, and in some extreme cases, left the industry," Budge said.

"None of those reasons had to do with not being offered enough skills or enough training. It was almost always related to culture, to having bad bosses, bad organisations.

"Eight out of the top eight reasons that I analysed related to bad leadership… Low leadership maturity was huge. People started telling me about the many instances where their manager didn't know how to provide constructive feedback. There was no way to do 360 degree feedback. The inability of the CISO to get their team's buy-in, the very basics of leadership were just not happening."

Budge has been researching toxic work cultures by reaching out on social media. "Every single time I posted about toxicity, I got thousands of views and hundreds of comments… People talked about the imposter syndrome, and the need to be right, about low self-esteem and the many reasons that sometimes ego… can manifest into becoming toxic."

HIGH COST OF TOXIC CULTURE

Budge said there was no Australian data on the impact of toxic cultures but US research suggested it would be considerable. In one survey, over five years 58 percent of US employees resigned because of toxic managers, costing the economy $US220 billion.

She said a toxic culture would have a significant impact on an organisation's cybersecurity. "I know from experience, and I know from talking to people that, when you have really bad toxicity you are not going to be getting the budget that you need and the security team's reputation will be really low. So forget about security awareness and training, forget about engaging with stakeholders. No one will want to talk to you."

Budge asked, via LinkedIn, if people would raise the problem of the brilliant jerk in their workplace, and found the majority of respondents, 65 percent, would not do so. "The leading reason for saying no is fear of the personal impact, and fear of the impact on their mental health." However 34 percent said it was imperative to speak out: "the main reason they gave was that you need to speak out in order to create change."

She said one of the main causes of toxic culture to emerge from her informal surveys was lack of diversity.

BYE BYE BRILLIANT JERK

However, the days of the brilliant jerk may well be numbered as cybersecurity is now critical for most organisations, and front of mind with boards and management. In a panel session following Budge's presentation, Jacqui Kernot, financial services cybersecurity partner at EY, said: "As a sector, we are too focused on having people with this cybersecurity background managing a large capability when what we actually need is someone who can understand risk, and lead people.

"We need to stop rewarding and enabling these tech gods who can barely even talk to anyone, but give them a computer and they're at home. There's still a place for them in our industry, but they can't be at the top of the stack."

James Turner, industry analyst and founder of CISO Lens, summed it up by saying: "I had a roundtable with some CISOs last week, and one of the comments was, 'I've never found someone who was so good at their job that they were worth the poison to the organisation'."
Source2Create Spotlight
Podcasts Here at S2C, we believe content is key. Finding the right way to reach your audience is crucial for success, that's why we're shining a light on our podcasts. Podcasts help build relationships with customers and listeners while being surprisingly cost-effective. We have readily available pre-built packages we like to call S2C ROAR to help take the stress out of planning. We're custom to the core and can mould the perfect podcast package that suits your unique needs. What are you waiting for? Jump in on the hype & get your message out there with S2C ROAR.
REACH OUT TODAY
charlie@source2create.com.au
aby@source2create.com.au
www.source2create.com.au
AMANDA-JANE TURNER
Author of the Demystifying Cybercrime series and Women in Tech books; conference speaker and cybercrime specialist

COLUMN

COVID-19 themed cybercrime

Cybercrime is big business, thanks to the opportunities created by technical advancement and interconnectivity. This regular column will explore various aspects of cybercrime in an easy to understand manner to help everyone become more cybersafe. Anyone can become a victim of cybercrime, and therefore it is important we all stay aware and remain vigilant to maintain our individual cybersecurity.

Email remains one of the main vectors criminals use to obtain account credentials, steal credit card numbers, and to trick people into installing malware on their devices. The approaches used in emails vary. However, the more successful ones exploit situations or events that are known to get a response. With the advent of the global COVID-19 pandemic, criminals now have a worldwide situation sure to garner a huge emotional response, making it an excellent avenue to be exploited for illicit gain.

Criminals are using our fear and unease about COVID-19 to defraud people, steal credentials or compromise systems with malware. As we all await a successful vaccine rollout, and a return to pre-pandemic days, criminals are sending out emails that spoof health authorities and request potential victims to make payment to secure a vaccine appointment. They are also sending text messages or making robocalls telling people they have been contact-traced and are at risk, so need to log in or access a link for more information.

HOW WE CAN ALL STAY SAFE FROM PANDEMIC-THEMED ATTACKS

• Avoid responding immediately to emails or texts. Stop and think about the legitimacy of the communication first.
• If a message says you have been part of a COVID-19 contact-tracing activity, verify this separately with the appropriate authority for your location.
• Do not click links in messages or emails; locate the official website yourself and find the relevant page to access.
• Research how your own location is doing contact-tracing and vaccine rollout so you will be more alert to fraud attempts using these topics.

If you have been defrauded by cybercrime in Australia you can report this via https://www.cyber.gov.au/acsc/report. Elsewhere, report it to your local police or through the relevant cybercrime reporting mechanism.

COVID-19 themed cybercrime is big business – stay safe.
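The advice above to avoid clicking links and to find the official site yourself exists because the text you see in a message and the address the link actually opens need not agree. As an added illustration for this column (example code written for this page, not the author’s own), the Python script below pulls every link out of a constructed sample message, compares the domain shown in the link text with the real destination, flags hosts that imitate an official domain without being under it, and notes plain-http links. The OFFICIAL_DOMAINS list and the sample email are assumptions made for the example.

```python
"""Check where the links in an email actually point instead of trusting the
displayed text. Added example for this column, not the author's own code.
The official-domain list and the sample message are constructed assumptions."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the reader would treat as the genuine authority.
OFFICIAL_DOMAINS = ("cyber.gov.au", "health.gov.au")

# Constructed sample in the style the column describes; not a real email.
SAMPLE_EMAIL_HTML = """
<p>Your COVID-19 vaccine appointment has not been confirmed.</p>
<p>Secure your place at
   <a href="http://cyber-gov-au.example.net/pay">https://www.cyber.gov.au/vaccine</a></p>
<p>Contact tracing information is on the
   <a href="https://health.gov.au/tracing">official site</a>.</p>
<p>Questions? Visit <a href="https://example.org/help">example.org</a>.</p>
"""

# Something that looks like a domain (optionally with a scheme) inside link text.
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; a scheme is added if the text lacks one."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def under(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def suspicious_reasons(href, text):
    """Reasons a link deserves a second look; an empty list means none found."""
    reasons = []
    href_host = host_of(href)

    # 1. The displayed text names a domain but the link goes somewhere else.
    m = _DOMAIN_IN_TEXT.search(text.lower())
    if m:
        shown = m.group(1)
        if not (under(href_host, shown) or under(shown, href_host)):
            reasons.append(f"display text says {shown} but link goes to {href_host}")

    # 2. The host imitates an official domain (e.g. cyber-gov-au.example.net)
    #    without actually being under it; compare with punctuation stripped.
    flat_host = re.sub(r"[^a-z0-9]", "", href_host)
    for official in OFFICIAL_DOMAINS:
        flat_official = re.sub(r"[^a-z0-9]", "", official)
        if flat_official in flat_host and not under(href_host, official):
            reasons.append(f"{href_host} imitates {official}")

    # 3. Plain http: a genuine authority's site will be served over https.
    if urlparse(href).scheme.lower() != "https":
        reasons.append("not https")
    return reasons


def scan_email(html):
    """Return one dict per link: href, displayed text and the reasons found."""
    collector = _LinkCollector()
    collector.feed(html)
    return [{"href": h, "text": t, "reasons": suspicious_reasons(h, t)}
            for h, t in collector.links]


if __name__ == "__main__":
    for link in scan_email(SAMPLE_EMAIL_HTML):
        verdict = "; ".join(link["reasons"]) or "nothing unusual"
        print(f"{link['text']!r} -> {link['href']}: {verdict}")
```

Run against the sample, the first link is reported three times over (mismatched display text, imitation of cyber.gov.au, plain http) while the genuine health.gov.au link and the honest example.org link pass. The checks are deliberately simple string comparisons; they will not catch a lookalike that uses a visually similar character, which is one more reason to type the official address yourself rather than rely on any automated judgement.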
WHAT’S HER JOURNEY?

Dr Michelle Ellis
Outreach and Engagement Coordinator, Computing and Security at Edith Cowan University

I’m the Outreach and Engagement Coordinator: Computing and Security in the School of Science at Edith Cowan University in Western Australia. I get to work with the university’s aspiring female computing and security students, talented industry women, and a supportive Perth community. As far as I know the position did not exist before I was appointed, which means I got to make it my own. And I do everything: director, project manager, event coordinator, teacher, mentor, marketing person, finance officer, grant writer, HR, photocopier person and community liaison officer. It is the best job ever!

To keep abreast of the different industries I work with I am a member of the Australian Women in Security Network (AWSN), the Australian Computer Society (ACS) and WiTWA, a Perth-based not-for-profit that provides a framework for women in tech to extend their networks and expand their knowledge. I also sit on a local school council and am a member of two teacher groups relating to the Digital Technologies curriculum. To keep up with industry developments I read LinkedIn, Twitter and Facebook groups alongside journals and industry articles.

However, with freedom comes responsibility, and there was no way I could do this job on my own. So, I had to find some talented university students who could see the problem the way I did and who wanted to be part of something new: challenging the status quo.

I initially joined the School of Science at the university as a research assistant, investigating female attitudes towards computing and security. The results showed me that most high school girls knew very little about either, had misconceptions about the people in these industries, and were very much influenced by their parents’ perceptions of suitable careers. I realised it would be difficult to increase female participation in security if girls were ill-informed about the discipline. I could see girls had little knowledge about computing and security and no idea of the opportunities they presented. They had no understanding that various security jobs needed individuals who were not only technically capable but also people smart.

So, with fire in my belly and a passion for making positive changes, off I marched. We set out to challenge people’s perception of a cybersecurity professional as a lonely hooded male figure in a dark room, and to showcase the importance of being creative, collaborative and clever. I created the hashtag #ChampionsCreatingChampions to get young university women spruiking computing and security, sharing their stories, pathways and aspirations, to high school students and at the same time develop their own soft skills. I also got industry women working with and supporting our university students, so it became a chain with each link supporting and helping the other: champions creating champions.

And I wanted to change the attitudes of young female high school students to afford them opportunities to see and experience the computing and security environment. So I applied for, and gained, an Athena SWAN Award from Science in Australia Gender Equality (SAGE). This enabled me to fund travel to regional areas of Western Australia with students to deliver workshops, set up computing and security workshops, pay students for their work, and to send university students to Sydney to learn about the Girls Programming Network (GPN). GPN is a wonderful nationwide program developed out of Sydney with a mission to help high school girls gain experience of programming and, hopefully, become keen to learn more. Through interacting with university students and professionals who work in the industry, students also gain an idea of what it’s like to study and work in computer science. Here in Perth, we have around 80 to 100 girls sign up each term. Each workshop is different and focusses on developing something creative or interactive, with and without hardware.

We have a number of initiatives at ECU to raise awareness of cybersecurity among school students: DigiTech, CyberSec and Cyber Challenges. We run workshops for high school students, teachers, career counsellors and parents in Perth and regional WA. University students develop these workshops and teach basic programming principles, cybersecurity essentials, how to complete cyber challenges and capture-the-flags through hands-on interactive workshops. We run after school coding clubs, host schools each week and run holiday workshops for all. Little by little we are breaking through.

As part of International Women’s Day, I invited girls in years 10, 11 or 12 to join us for a Women Using Technology – careers, courses and connections conference. Local Perth companies hosted the day, and leading women from AWSN, ACS, Women in Tech and the Data Sciences delivered two-hour workshops on their respective fields. Amongst other things, the girls listened to, interacted with, and experienced stories, activities, and challenges that women face in their current positions. Comments on the day included “I enjoyed learning about the different ways women came into the industry.”

Only when women branch out on their own do they realise there is a gender gap, and it will exist so long as women have to make sacrifices: family over work (therefore financial security); contract and part-time work over full-time permanent positions (and all the trimmings); short courses over paid training and professional development.

Trying to find that work-life balance is hard. I am a wife, mum, daughter, aunt and sister. All those roles are important to me, so I had to sit down one day and over a coffee prioritise my life. I wanted to be there for my family, but I also loved being with my work colleagues and the many students I work with. This is a constant struggle, but it seems to be working.

I would like to see women and male champions who have made it to the top ‘pay it forward’ and bring others up with them, and also to shout out if they see inequity.

www.linkedin.com/in/dr-michelle-ellis-4bb72493/
GPN - www.sites.google.com/site/girlsprogrammingnetwork/home
ECU Outreach and Engagement activities - www.ecu.edu.au/schools/science/events-and-activities/computing-and-security-discipline
WHAT’S HER JOURNEY?

Catherine Dolle-Samuel
Business Continuity and Resilience Specialist at UNSW

I’m a business continuity and resilience (BC&R) specialist at the University of NSW (UNSW), which means I’m responsible for managing the university’s business continuity and resilience program. This involves managing a full continuity and resilience lifecycle program: understanding critical functions, developing recovery plans, identifying improvements in the resilience of processes and at enterprise level for the organisation as a whole.

Like many people in cybersecurity, I came to it with a very different background: a bachelor’s degree in history.

Part of my current role requires that I manage training, coaching and awareness programs for the organisation. This involves managing and reporting on exercises designed to test the ability to recover designated processes and the systems and people on which they depend. With 8 faculties and 6 divisions, across 3 major sites, this can be a challenge. At times I also have to undertake incident response and crisis management. On such days I have to drop everything else.

The complexity and diversity of my role continues to excite me. Every day is different. Because I need to understand the critical functions of the organisation, and how its people can and do respond to incidents, I have pretty good insights into the entire organisation, executive decision-making and strategy. This is one of the privileges of working in business continuity and resilience. I work with incredibly intelligent and diverse groups. I can be supporting continuation of research – which can include complex and expensive equipment, cold storage or clinical environments to waste management, architecture and creative practices, supporting continuation of teaching at field sites all over Australia and students and staff overseas, and ensuring continuity of more mundane (but critically important) processes such as payroll.

Recently, I worked with the academic and student life leadership team, the student union and numerous faculty and student societies to deliver a COVID safe student orientation week (with upwards of 10,000 students engaged in on site activities at any given hour).

Since COVID-19 hit there has been rather less of the normal programming because my colleagues are experiencing what is, hopefully, the longest period of disruption and recovery in their lifetimes. This year my focus is on analysing the data created in the past year to gain good insight and understanding for future disruptions and developing training, awareness and exercising programs for deployment in 2022.

I got into business continuity via various corporate services roles in Australia and overseas. Working with boards and CEOs as an executive assistant and managing human resources, I developed a broad knowledge of organisations, good communication skills and an awareness of how to facilitate. The executives I worked for in earlier roles were engaged in continuity and crisis management so I became familiar with business continuity planning and decided to apply for a BCP position. Like my previous roles it required working with central/corporate services and with boards or their equivalent in an admin role, so I knew how executive decision-making worked, and I had a broad understanding of organisations, both of which were key to a business continuity role. Also, my training as an historian enabled me to understand the interconnectedness of critical functions.

I’d identify the key factors for success in a BC&R role as being relationship building and stakeholder management skills, an understanding of executive decision-making at the highest levels of the organisation and the ability to see things from multiple perspectives.

However, probably the most challenging aspect of a BC&R career is the lack of flexible or part time work. Most roles are not offered as job shares and have some on-call requirements (without good back up in smaller organisations). My first role in business continuity was at Allianz Australia but I left BC&R temporarily when I had a young family. However, I kept active in the BC profession by volunteering for the NSW Business Continuity Institute as a forum leader, for conference committees, and as a member of the 20/20 Think Tank on Organisation Resilience.

I was working casually at UNSW as an academic when my current BC&R role was mentioned in my network. At that time, I was lecturing in remuneration, performance management and tutoring in organisation management, international human resources management, professional skills and ethics at undergraduate and post graduate levels. The BC&R role at UNSW offered the ability to work flexibly and there was no requirement to be on call 24/7, so I applied.

The NSW Business Continuity Institute is actively encouraging people to join the sector and it is training leaders, when recruiting, to understand that business continuity requires the right skill sets, not formal training. So, if a role in business continuity appeals, go to industry events, get a sense of the key issues and solutions, be ready to listen, and find yourself a good mentor.

My first BC manager, Graham Nisbet, was an incredible guide and mentor, and remains so to this day. The All Finance Forum group — an industry business continuity and disaster recovery knowledge sharing group made up of people from banking, financial services and insurance — provided excellent knowledge sharing and problem-solving opportunities to me as a new starter in the field, and involvement in broader organisational resilience work across sectors provided incredible insights.

As with other areas of cyber security BC&R needs more women. Gender diversity means diversity of thinking, and of approaches, which increase organisational resilience. Academic research demonstrates that diversity of perspective enables organisations to make more effective decisions for all stakeholders.

I still teach professional skills and ethics in the Master of Commerce program at UNSW. This is a case-based course and every case I use is drawn from actual public company experiences, often stemming from a crisis instigated by poor values and corporate governance. In many instances, failure to consider alternative perspectives or ways of doing things was a huge contributor to the problem.

www.linkedin.com/in/catherine-dolle-samuel-7832669/
WHAT’S HER JOURNEY?

MY CYBERSECURITY JOURNEY
Sarah Young
Senior Program Manager, C+AI Security Customer Experience Engineering (CxE) at Microsoft

My university qualification, a Bachelor of Arts in history, was about as far from cybersecurity as you can get. I don’t think it has held me back in my career but I did have to do quite a bit of self-study that might have been unnecessary had I studied a technical degree.

Over the years I’ve gained a number of industry certifications: Cisco – CCNA and CCNP; CompTIA A+; CISSP; CCSP; CISM and various Microsoft certifications.

Today I’m with Microsoft as a Senior Program Manager for Azure Sentinel in the Customer Experience Engineering team. It’s a cloud-native security information and event management (SIEM) platform that uses built-in AI to help analyse large volumes of data across an enterprise.

I work with customers to remove technical blockers to Azure Sentinel deployments, create collateral that unblocks certain scenarios and that can be used by all our customers. And I report back to the Azure Sentinel product group on feature requests from customers.

I’d been working in a different role within Microsoft on several projects. When my current position came up I applied and was accepted. I haven’t looked back. The work is really interesting and there are so many opportunities to grow.

I get to help people; internal Microsoft teams, our customers, and our partners. And there’s great variety in what I do. No two days are the same.

Generally my day will consist of meetings with customers to discuss and solve their technical blockers, meetings with Microsoft teams to discuss new feature requests, researching and working on technical solutions for Azure Sentinel, creating content for webinars, blog posts, and more.

Getting to where I am has not been without its challenges. Having a strong support network both professionally and personally has helped me enormously, as has finding good mentors to support me in different aspects of my career and provide different perspectives.

I have several mentors, some within Microsoft and some external. It doesn’t have to just fall to one person to mentor you. Ideally you want a mixture of mentors who can support you in different aspects of your career and provide different perspectives. Equally, a mentoring relationship doesn’t need to be forever: you may need mentoring through a specific challenge or problem that your mentor specialises in.

I’ve been fortunate to have been given some good guidance over the years. These particularly stand out.

• Never surround yourself with people who just tell you you’re great: everyone can improve. Make sure you seek feedback from people who will challenge you.
• Be kind: you don’t know what others are going through (especially relevant now).
• In professional situations try and take the emotion out of things. Getting emotional can prevent you from moving past challenges in a constructive way.

And my most important advice to anyone considering moving into a career in cybersecurity: network, network, network! This has become a little trickier over the past 12 months, but attend meetups, conferences, etc. and meet as many people as you can, even if those meetings are online. It’s a good way to learn what’s out there in the security space and the kinds of roles you might be interested in. One day the person you’re chatting to, face-to-face or online, might be looking at your CV and thinking “Oh, wait, I’ve met that person before”. I am quite an introverted person and networking doesn’t come naturally to me, but it really does do wonders for establishing yourself within an industry and moving forward in your career.

And I’d particularly encourage more women to pursue a cyber security career. We need as much diversity as possible in cybersecurity to counter the many and diverse threats we face.

Azure Security podcast https://aka.ms/azsecpod
twitter.com/_sarahyo
EXPRESSION OF INTEREST SPONSORSHIP Source2Create is thrilled to announce the 2021 Australian Women in Security Awards. This hybrid event will be a glamorous Gala Awards evening based in Sydney. We will be welcoming our guests in person as well as via live stream. To be a part of this energetic initiative register your interest today for sponsorship opportunities.
Deadline for sponsorships: 20th May
I’M INTERESTED!
WHAT’S HER JOURNEY?

Manal al-Sharif
Author of Daring to Drive

I am a Cyber Security Strategist and enthusiast. As a cyber security strategist, I lead the development of the organisation’s cyber security strategy and roadmap that aligns with the business objectives and focuses on mitigating the cyber risks with minimum investments. Inputs to take into consideration in developing an effective cyber strategy are the overarching business strategy, laws and regulations, previous audits, cyber policies, threat intelligence, recent cyber incidents, and calculated cyber risks, just to name a few.

My strategy leverages international cyber security frameworks such as NIST CSF, to foster cyber security communications amongst both internal and external organizational stakeholders. Frameworks allow us to measure the cyber maturity regularly and set the desired maturity target at organization and IT levels. They also provide a clear roadmap for each part of the business and a way to monitor the progress of their short- and long-term cyber security initiatives.

My recent role was the acting head of cyber security and the CISO at one of the Group of Eight Australian universities. I filled this role for about seven months. I had to wear multiple hats to fulfil all my responsibilities.

The Chief Information Security Officer makes sure cybersecurity remains an agenda item for the University’s Council, for the risk committee and for internal audits. The CISO works to get buy-in for cybersecurity from management and from the faculties, and to get them to understand their roles in managing the cyber risks the university faces.

As head of the cybersecurity directorate, I oversaw cybersecurity day-to-day activities. This included: new projects to uplift the cybersecurity capabilities of the university; the day-to-day work of identity and access management; advising on new projects; managing risks and incidents.

For a CISO, seeking support and buy-in is the most challenging part of their role. You can’t protect an organisation the size of a small city on your own. The CISO’s priority should always be: “To identify and protect mission-critical assets (Information, Technology and Users) from threats that can impact the cyber security triad: Confidentiality, Integrity and Availability (CIA).”

Nothing I did would have been achievable without my team and mentors. In total there were 22 positions in our team, but many were unfilled. Team members are passionate, creative, outgoing, and very driven. When I sat down with them, I learnt a lot from their different points of view and their different experiences. We said the C in Cyber stands for challenging, collaboration, communication, creativity, and critical thinking, and those were our values. We had a list of 10 team cyber aspirations:

1. We have one common purpose: to enable and support the university by protecting it from cyber threats.
2. We have clear goals and high values.
3. We celebrate our diversity because it reflects the university that we protect.
4. We work in a non-hierarchical structure because we are trusted and empowered.
5. We have got each other’s back in ups and downs and we know how to lift each other.
6. We speak our mind, we challenge, and we question because this is how we grow.
7. We maintain a healthy and safe environment for ideas and opinions to be exchanged freely and effortlessly.
8. We show appreciation and lend a hand when needed.
9. We believe mistakes are opportunities to learn.
10. We value when our contributions are acknowledged and when our time and space are respected.

Separately, and voluntarily, I champion the role of women in cybersecurity and advocate for greater diversity. Globally, women make up only 10% of the cyber profession.

I believe the working environment in Australia is still not ready for women in leadership positions. We endure it. We put a lot of emotional labour into creating an environment that respects us and sees us for who we are, to calling out the BS, trying to build confidence and to get more diversity in the workplace. There are so many unconscious biases men in leadership need to destroy, otherwise they will destroy women as they come into those positions.

I enjoy the exciting challenges this role throws at me. As the world invests more in digital transformation in response to COVID-19, we come to make sure that people can rest assured their information is safe, wherever they lay. Achieving cyber security is a moving target; what makes it exhausting is also what makes it rewarding.

As a student, I was so interested in math and physics. I wanted to be a scientist. I ended up being a computer scientist. The introduction of the Internet back in Saudi Arabia faced a waging war from the political and religious establishment that controlled what we read or watched. I was so curious to explore all the blocked political and religious content. You see, in Saudi Arabia we grow up with answers that couldn’t be questioned; I had questions that I wasn’t allowed to find answers for. So, I spent my free time trying to bypass all those restrictions. And yes, I found my answers. I didn’t know that was called “hacking”. Education and the Internet were my window to the world.

My first job as a summer student was in a Help Desk: building machines, troubleshooting, and training end-users. My first job as a professional was in a proper cyber security division. In 2002, I graduated with first-class honours and went to join the newly established cyber security division at the Arabian Oil Company. My first professional role was a pen tester.

Throughout my career I have built my confidence simply by being myself, following my passion and not trying to prove myself to other people, but that was a difficult lesson to learn. You can control your own intentions and follow your own passions and purposes, but you can’t control how others perceive you. So, it’s OK to speak your mind, to make mistakes, ask stupid questions. However, you do need to be in the right environment. In an unhealthy environment it can backfire badly and cause you a lot of harm.

I also rely heavily on what I call my ‘tribe of mentors’: people I trust, people I admire, people who I know will help me. I also owe a lot to woman sponsors in my life. Women who have been there for me, who have advocated for me, pushed me up, helped me. I think every woman who wants to make it should have a sponsor, someone who is influential, who can help you negotiate for a better salary, a better position, and speak up for you when you are not there. Mentors are fantastic to help build self-esteem, confidence, and knowledge, but sponsors are more important than mentors. It is they that help you get to where you want to be.

A career in cybersecurity is rewarding, but it is challenging. You will lose sleep sometimes, you will always be ahead of the hackers, you will always have new technology that you need to learn how to protect. So, unless the schools and tech makers start embedding security while teaching and building tech, the world will need cyber. So, if you are a woman thinking of a career in cybersecurity, do it. We need more of you. Teams with a balanced number of men and women are better at meeting deadlines. They have more creative solutions to problems. And I think collaboration and communication are healthier, because women take the time to build relationships, to build communication. Women take the time to understand, to build relationships and build structure. So yes, the world with “more women, is a more secure world”.

www.linkedin.com/in/manal-alsharif/
www.manal-alsharif.com/
WHAT’S HER JOURNEY?

Nicole Murdoch
Founding Director at EAGLEGATE Lawyers

I’m an intellectual property and technology lawyer with my own practice, EAGLEGATE Lawyers, a firm I founded in 2018. I assist clients to protect and commercialise their businesses and ideas. I love technology and very much enjoy helping people turn their ideas into viable and saleable businesses.

I came to the law by making a huge leap from a career in IT. My first degree was a Bachelor of Engineering in computer systems engineering and I worked for 10 years in various IT roles, including encryption. I loved the area of technology I worked in, but was more interested in the business development and legal side of things. So I took a huge leap, quit my well-paid job and enrolled as a mature age student in a full-time law degree course, Juris Doctor.

After graduating I worked for a number of law firms before starting EAGLEGATE Lawyers. Jumping into the law as a mature age student and then starting my own firm meant I had to have confidence in my own abilities.

However, I could have achieved none of this without my husband. He has supported me all the way, despite neither of us knowing what I was taking on when I embarked on my law degree. And his support of me starting and running my own firm has been invaluable.

Once I got into law I discovered my skills in encryption and IT were very useful for handling cases that involved confidential information and data theft and any case that required forensic services. I’ve also applied my skills and knowledge of IT in a number of roles outside my law practice. I have been a director of the Australian Information Security Association and I lecture often on information security and privacy.

My confidence gets a boost when clients thank me for my assistance, and realise how much value I have added to their matter, a value which a lawyer without my IT background could likely not have provided.

The main part of my work involves drafting commercialisation and litigation/court documents, responding to emails and talking with clients. As EAGLEGATE is my own firm I am also responsible for all aspects of its operation, including marketing, client care, and a lot of administration, particularly in terms of trust fund compliance. I also attend networking events to further the business and try not to neglect my family or friends too much.

I have been fortunate to have had some wonderful mentors, and some wonderful bosses who have nurtured my development and demonstrated to me the type of person a lawyer can and should be. I have also had some horrid bosses, and some horrid colleagues: people who demonstrate what not to become.

I’ve also suffered from stereotypical attitudes to women that are still very much present in law. I’ve had my suggestions ignored, only to have a male (sometimes even someone junior to me) state the same thing and be told it was a great idea. And unfortunately the view persists that an older-looking woman is “over the hill” and a younger looking woman does not have sufficient experience for the job, whereas a man with grey hair is seen as knowledgeable and experienced and a younger man is not questioned over his experience. This attitude needs to be overcome before women will receive fair treatment in the workplace.

No career is without challenges. A career is built over time. It is a marathon, not a sprint. So, my advice to women is to plan a long term career strategy that is well planned out but also agile enough to change when opportunities present themselves.

Surround yourself with those who support you, but not those who only ever agree with you – those people won’t challenge you or help you grow. The worst mistake I see made in careers is that the person fails to grow. There is a difference between having 10 years’ experience and having 1 year of experience, 10 years in a row. Sometimes we learn through our own bitter experience, sometimes we learn through watching the experience of others. If there is anything you do, make sure you learn and grow. You will have setbacks, but how you overcome those setbacks and grow from them defines you.

www.linkedin.com/in/nicolemurdoch/
www.linkedin.com/company/eagle-gate/
www.eaglegate.com.au/
Daisy Wong
Cyber Culture and Engagement Lead at Department of Premier and Cabinet (Vic)

I’m the cyber culture and engagement lead in the Victorian Government’s Department of Premier and Cabinet. I get to help non-technical staff understand complex cybersecurity concepts so they are able to protect themselves from cybersecurity risks and threats.

This role might seem a far cry from my first degree, a Bachelor of Business with a major in marketing, but it gives me an opportunity to use some of my marketing skills and knowledge. I joke that I am marketing and selling cybersecurity, hopefully to get people interested, to get them to heed advice, and to protect themselves and those around them.

In fact my marketing skills are very transferable to my current role. A large proportion of it is about engagement, bringing people on the journey to greater awareness of cybersecurity and influencing them so they acknowledge security as a serious risk, no longer just an IT problem but a business problem, and so they realise we can all become victims of cybercrime. I have some of my mentors to thank for helping me understand that my marketing skills and experience could be applied to my security roles. These mentors believed in me and, when I was looking to change roles, gave me some great advice that proved to be critical to my career success.

In a previous role I was told constantly that, as a female, I was not technical, that cybersecurity might not be the industry for me, and there was no opportunity to progress my career. Those opinions really impacted my confidence, but were completely untrue. I undertook further study and found mentors who believed in me and who provided guidance on the transferability of my skills and where I could make improvements. They were invaluable.

There are definitely non-technical roles within the security industry and, if anything, we need more people, especially women with interpersonal skills who are able to translate technical information and talk to non-technical people about security issues.

Women are just as capable as men in both technical and non-technical roles and should be given the same opportunities to progress their careers in the security industry. I also believe closing the gender gap and creating a more diverse workforce will lead to greater diversity of thought, more thinking outside the box, and new and innovative ways to solve problems.

I have now completed my Graduate Certificate in Cyber Security and would like to believe I have a little more technical knowledge. I’m also undertaking the SANS Institute course MGT433 – SSAP: Managing Human Risk: Mature Security Awareness Programs, which I will complete in April.

I did not plan to have a career in cybersecurity. I started my career as a graduate at IBM and worked in the data centre as a change coordinator. I then joined NAB in their security assurance team and managed the pentesting team’s day-to-day operations. During this time, I realised few people understood cybersecurity and I took it upon myself to explain it in layman’s terms, and the more I did that, the more I enjoyed it.

I then moved to the Victorian Department of Environment, Land, Water and Planning (DELWP) as a project manager for the cybersecurity program. One of my projects was to develop a cybersecurity awareness campaign. It made me realise how much I enjoyed training. So when my current role in the Department of Premier and Cabinet came up offering the chance to increase my remit from one department to the whole Victorian Government, I immediately applied.

There’s plenty of variety in my role. Some days I will be facilitating face-to-face training sessions, or I will be in back-to-back meetings discussing the cybersecurity strategy and how cyber culture, training and awareness fit into that overall strategy. On other days I will be creating content such as newsletters or infographics that reflect current cybersecurity threats. No two days are the same. It can be quite busy at times, but I thoroughly enjoy it.

My advice to anyone interested in cybersecurity is see it not as a role requiring technical knowledge but as one that calls for communication skills and the ability to influence others. Of course it is important to understand cybersecurity concepts such as phishing, vishing and even cybersecurity frameworks such as NIST, but the soft skills are equally important. You may understand something very well technically, but if you are not able to explain it in simple language, you are going to find it difficult to influence others and change behaviours. For example, if you are able to explain to staff the impact of clicking on links in phishing emails in simple language, hopefully you will change their attitudes, raise their awareness of the dangers of such links, deter such behaviour, and ultimately reduce the incidence of cyber incidents caused by phishing emails.

“My advice to anyone interested in cybersecurity is see it not as a role requiring technical knowledge but as one that calls for communication skills and the ability to influence others.”

www.linkedin.com/in/daisywong127/
Nicole Stephensen
Principal Consultant at Ground Up Consulting

I’m the director and principal consultant of Ground Up Consulting, a privacy consultancy focused on privacy by design and corporate privacy fitness that I founded in 2011.

As principal consultant I lead the firm’s services that help organisations build privacy capacity. I focus on privacy acculturation and on helping organisations to manage personal information in compliance with the law and with community expectations; things like privacy impact assessments, developing policies and processes, and delivering training.

I love my education role: getting out and sharing what I know about privacy and its interface with information security, ethics, trust and good decision-making. I really enjoy speaking at conferences and at industry or public sector forums. Most of all, I enjoy speaking to students. I always hope at least one student will leave a lecture with more than a passing interest in privacy, develop a passion for the subject, and take this into their chosen career.

My interest in privacy was sparked when I was an undergraduate, by a university professor who was a passionate privacy advocate. After graduating I looked for public policy work that included privacy, and was offered an internship with a privacy regulator. My first task was to develop a method for conducting privacy impact assessments, in that case a way for government organisations to identify and address privacy risks associated with their proposed programs or initiatives. After a very rewarding time in public sector privacy and regulatory oversight roles, I decided to hang out my own shingle, and Ground Up was born.

By choosing privacy I opted for a career aligned with my values, and that’s been really important. It gets me out of bed! Privacy celebrates and protects the notion of human agency – the idea that a person is best served by their government, their service provider or whomever, when they have visibility and can exercise choice and control over what happens to their personal information.

At a practical level, I do my research and keep my knowledge current. I welcome criticism, because if someone offers a critical point of view on my work, they have engaged with it, and that is so very valuable. I volunteer in areas of my passion, such as children’s privacy. Most importantly, I offer my perspective fearlessly, but with the utmost respect for my audience.

So, my career has been in privacy, not information security, but they are complementary disciplines, and as my career has progressed, the line between the two has tended to blur. There is a saying amongst privacy professionals that you can have security without privacy, for example for public safety surveillance in a tightly-controlled police state, but you cannot have privacy without security. I believe this to be true.

Also, privacy is constantly evolving, especially in the digital era where innovation and deployment of new technologies, including those that rely on personal information, are outpacing government regulation. Privacy offers many career opportunities because it intersects with so many disciplines. The intersection between privacy and information security, for example, offers opportunities in privacy engineering, technology design, contracts administration, risk management, information governance, community engagement and training. This means you can specialise and carve a niche for yourself. A great way to learn more about privacy as a profession, and to connect with others who are also dipping their toe into this exciting field, is to join the International Association of Privacy Professionals (IAPP).

And I would encourage more women to pursue privacy as a career. Any profession that is dominated by one point of view or one group of people is missing a critical opportunity to learn, innovate, excel, and attract new membership.

However, its rapid evolution makes privacy a challenging field to work in if you want to take a break, as I did to start a family. In such a fast-paced industry, where it is vital to stay on top of technological, legislative and other changes, this break caused some self-doubt, and a feeling of isolation from my professional community, simply by me not being physically present at meetings, or speaking at conferences and other events. Of all the obstacles I’ve faced in my career these stand out. Interestingly, they are echoed by many of my colleagues who also took a professional pause when starting their families.

My biggest confidence builder has been involvement with the peak professional bodies most closely aligned with my work. This has allowed me to meet others on the same career path and learn from them. There is nothing like geeking out with other privacy pros on the topics that interest us most. I think it’s affirming to hear both like-minded and critical points of view. I’ve also made a point of reading a lot. I’ve always felt the need to learn and stay on top of what’s happening in my field.

I have also enjoyed, at various points in my career and life, guidance — which I have always believed to be an act of generosity, not of ego — through mentoring and a warm collegial connection or a ‘nudge’ down, or out of, a particular rabbit hole. My cyber spirit guide, Amanda-Jane Turner, reminded me recently that I can make 180-degree turns away from pursuits and people that no longer align with my values. And my heavenly guide, my Mom, taught me powerful lessons about grace under pressure and “catching flies with honey”.

I’m also deeply grateful to my mentors and now lifelong friends: Malcolm Crompton, former Australian Privacy Commissioner and founder of Information Integrity Solutions; Parry Aftab, globally-renowned cyber lawyer and advocate for children’s online safety; and Dr Katina Michael, Professor, Arizona State University and researcher on the socio-ethical implications of emerging technologies.

www.linkedin.com/in/nicole-stephensen-privacymaven/
www.groundupprivacy.com.au
Amber Umair
Security Operations Officer at Transport for NSW

I knew even in my early school days, that I had a passion for computers and digital technologies. I became familiar with network communications while studying computer science at the university. Soon after my graduation, I acquired my first CCNA certification. My interest in network communications led me to my first internship, followed by my first job as a Network Engineer for Habib Bank in Pakistan. At that time, a female in network operations was a “shock” to many. There were always questions about my decision of choosing this male-dominated industry. However, it is a fascinating world, where the possibilities are endless, so I never looked back.

Soon after, I had the opportunity to move into a network project-based role with IBM Pakistan, where I understood the true importance of technical and soft skills in an organisation. I also had the opportunity to learn about the multifaceted network architecture and the security domain. My interest in network and security architecture led me to join a flourishing information security team at United Bank Limited Pakistan. I took on multiple security projects, including vulnerability management solutions, SIEM and security awareness. I am always looking for opportunities to acquire more certifications and credentials because I believe it is a great way to enhance knowledge. For example, CISSP certification allowed me to dive deep into information security domains while also giving me a sense of belongingness with the security community. Since then I’ve built up my expertise with several certifications: ITIL Version 3 Foundation; Juniper Certified Internet Associate and Internet Specialist; and Six Sigma White Belt Certification.

My fascination with security allowed me to start my research career with the University of Technology Sydney. My research was focused on information forensics using machine learning. During my research tenure, I published research articles, participated in conferences and taught cybersecurity and information warfare units at UTS and ECU. I kept myself involved in the cybersecurity industry by actively volunteering and participating in (ISC)2 Sydney chapter events and working on short term forensics-related projects. After completing my doctorate, I felt the urge to get back into the industry and contribute my knowledge and experience to the cybersecurity community.

Today I am a Security Operations Officer at Transport NSW responsible for providing operational security activities across the agency and ensuring secure operational practices are in place. I undertake proactive monitoring and use a variety of tools and processes to ensure prompt coordination of responses to security alerts and incidents. My day starts with a “Stand up security operations centre meeting”. It gives me an insight into the overall state of the environment. Apart from this, every day is different because I never know what priorities will arise. On most days, I have a couple of reviews planned to ensure security practices and procedures are in place to safeguard the organisation’s assets. New threats or vulnerabilities are communicated, escalated and remediated according to the priority of the affected assets. My work also requires a lot of coordination with relevant stakeholders, information gathering, and artefacts analysis.

There’s no chance of stagnating in my role; staying on top of security trends, incidents and attacks is a constant challenge. But this challenge is also an opportunity for professional development. This dynamic nature of cybersecurity suits my “ever learning” nature. I’ve always been ready to learn new things, to ask questions, to move out of my comfort zone. I believe these attributes have been key to my career success, along with being willing to listen to everyone’s point of view and to take a chance, never knowing where it might take me.

I’ve faced challenges like gender discrimination leading to self-doubt, at various stages of my career. The presumption that, as a woman, I’m unsuitable for a male-dominated technical role has often exacerbated my doubts about my capabilities. I’ve tried to counter these issues by surrounding myself with people who are uplifting, motivating and empowering. I have learned that trying to be a perfectionist can lead to procrastination. I have tried to overcome this challenge by sharing tasks and getting early feedback from seniors or colleagues.

Throughout my career, I have been lucky to get guidance from many talented people: my seniors, colleagues, teachers and, above all, my life partner who is an IT project manager by profession. I have realised that listening to and discussing other individuals’ perspectives and their experiences has helped me greatly to evaluate and plan my path. Obviously, there is risk involved, but that’s the exciting part!

Meeting other people working in cybersecurity has helped me immensely to boost my confidence. I was fortunate to be one of the founding members of the (ISC)2 Sydney chapter, and networking with industry experts at chapter events helped me greatly. These events provided an insight into Australia’s security community and its challenges.

I would advise anyone in cybersecurity or considering a cybersecurity career to focus on building their network and to continue learning. The Australian Women in Security Network, (ISC)2 chapters, ISACA and AISA present amazing opportunities to meet people and learn from their experiences. As a cybersecurity professional, always be ready to adopt change and learn new technology.

I firmly believe there should be balance in every aspect of life, which is why I am a strong advocate for gender balance in cybersecurity. The proliferation of more women in cybersecurity will allow them to feel more empowered. There will be more opportunities for empathetic relationships and for a culture of mutual support. Above all, cybersecurity will benefit from the analytical skills of women technologists.

“The presumption that, as a woman, I’m unsuitable for a male-dominated technical role has often exacerbated my doubts about my capabilities. I’ve tried to counter these issues by surrounding myself with people who are uplifting, motivating and empowering.”

www.linkedin.com/in/amberumair/
www.amberumair.com
WOMEN IN SECURITY NOMINATIONS & JUDGES

NOMINATIONS NOW OPEN. The Annual Australian Women in Security Awards showcases the everyday heroes who are demonstrating real leadership and ambition in their ideas, passion and drive to combat some of the issues we face in the current cyber landscape. Our mission is to continue to inspire future generations to work in the IT security/cyber/protective security fields. And to elevate technical skills, impactful solutions, and commitment to giving back to the community. Honourees will be recognised in October 2021 at the Annual Australian Women in Security Awards.

2021 CATEGORIES
• Best Program for Young Ladies in Security
• Unsung Hero
• The One to Watch
• IT Security Champion
• Best Place to Work for Women in Security
• Australia's Most Outstanding Woman in IT Security
• Best Security Student
• Best Volunteer
• Male Champion of Change
• The One to Watch in Protective Security
• Protective Security Champion
• Most Outstanding Career Contributor in Protective Security
• Australia's Most Outstanding Woman in Protective Security
• Best Female Secure Coder

WHY NOMINATE
• To identify rockstars
• To celebrate ‘hidden’ security superstars
• To lift and empower the entire company
• To express admiration for fellow co-workers
• To pause and express your gratitude
• To pay it forward - and give back to the community

THE NOMINATION PROCESS IS 4 EASY STEPS AWAY
1. Your details
2. Details of the nominated individual, team, or company (if not your own)
3. Choose award category (multiple award nominations need to be done individually)
4. Submit personal nomination & answer relevant questions

NOMINATE TODAY

INTRODUCTION TO OUR 2021 JUDGING PANEL
• Michelle Price – CEO, AustCyber
• Catherine Dolle-Samuel – Business Continuity & Resilience Specialist, UNSW
• Dushyant Sattiraju – Cyber SecOps Team Lead, Deakin University
• Jacqui Loustau – Founder, AWSN
• Jane Frankland – Owner & CEO, Knewstart (UK)
• Tamara Martin – Security Resilience, AGL
• Rachell De Luca – Global Security Leader, Aurecon
• Nigel Phair – Director, UNSW Canberra Cyber
• Rachael Leighton – Principal Advisor Cyber Strategy & Awareness, Department of Premier and Cabinet (Vic)
• Rebecca Winfield – Protective Security Operations & Delivery, IAG
• James Ng – GM Security Operations, AARNet
• Dr Marie Boden – Outreach Officer, Research Interaction Design, University of Queensland
• Catherine Buhler – CISO, Energy Australia
• Gai Brodtmann – Futures Council Member, National Security College
• Samantha Macleod – Security Executive, nbn Australia
• Lidia Giuliano – Information Security
• Andrew Dell – CISO, QBE Insurance
• Mick Dunne – CISO-CSO, AustralianSuper
• Dr Maria Milosavljevic – CISO, Services Australia
• Ian Yip – CEO, Avertro
Lauren Zink
Security Training and Awareness Program Manager at Oportun

I reckon I have one of the best jobs in cybersecurity: security awareness and engagement manager. I have the privilege of developing, expanding and maintaining security awareness programs that are fun, engaging and designed to educate employees in various security practices, policies and controls. The most rewarding aspect of managing a security awareness program is seeing the impact different awareness initiatives have on people’s personal lives. The training I provide is meant to be carried over into our employees’ home lives to help protect them, their friends and their families. It’s very rewarding to hear real stories from people I have worked with regarding how they took what they learned from our security awareness program and implemented practices to prevent someone from becoming a victim of a real-life scam.

Another great feature of my job is that no two days are ever the same. Each day is a mix of training, education and communications that take place all while working cross-functionally with a wide array of people across my organisation. I’m kept on my toes because there is always something new to create awareness around, or a different approach to delivering content. The best way to truly understand the day-to-day nature of a job like mine would be to job shadow someone for a week. I can’t recommend this approach enough for any career path, if you ever get the opportunity.

So how did I end up doing what I do in cybersecurity? I always had an interest in technology, more specifically security, but I started out after college in teaching. Then, an entry level security analyst opportunity turned up at a large corporation in my hometown. The position embraced both my passions, so I took a punt and was lucky enough that someone saw something in me and gave me a chance. Since then I have continued to learn, grow and develop my skills, which has helped me advance my career.

I’m now in a completely different field from the one I started in, partly by chance and partly from choice. However, I wouldn’t have it any other way. The path I took has taught me many lessons that I am incredibly thankful for. Security is a really exciting field to be in. That’s the way it’s been from day one, and I don’t expect things to change.

I got into security awareness when the role barely existed, when you couldn’t find what the job entailed just by doing an internet search, and when few people understood just how important security awareness was to the overall success of a security program. Sometimes it was difficult to get my ideas taken as seriously as some bright and shiny new technology, but that simply incentivised me to get better at selling what I did and articulating its significance. However, I do believe there has been a shift to people and companies understanding the importance of security awareness and to organisations having at least one individual, if not a team, fully dedicated to security awareness programs for the betterment of the business.

However, my progress was not achieved without tears and even bouts of uncertainty, which still occur from time to time. But I learned that my confidence should not come solely from the validation and praise of others. I finally realised that the more I could do to learn and advance regardless of who was watching, the better I would be, for others and for myself. Once I understood that I started to find my voice and realised what I had to share was valuable, people wanted to hear me and my ideas.

One thing I wish I had done earlier in my career is to have sought out a one-on-one mentor, and that is something I probably still need to do. I have always been a mentor to others, but never had one I could learn and seek guidance from, and I do think that is very instrumental to success in any career. I’ve always been hungry to learn more and I’ve always put myself out there to participate, to speak and to share my knowledge. Saying yes when I was scared was difficult at first, but it has given me some amazing opportunities that have helped me grow in my career and made me a better person. Along the way I’ve learnt a lot from others. They, and a good network I work constantly to expand, have been critical to my career. I’ve met a few great leaders along the way who gave me brutally honest and constructive feedback, which some people may have found hard to hear. It was the best thing they could have done for me, because what they said was what I needed to hear to improve my programs and take them to the next level, and to better myself.

While I’ve come a long way and so has acceptance of this role in the field, we still need more people in security awareness positions. I’ve talked to many K-12 students, college students and even those new to the security field who were unaware that a position creating awareness for employees and providing training in logical and physical security even existed. We, as an industry, need to continue to lift and promote awareness and develop a strong pipeline that will fill open positions in the field. So, if security awareness training appeals but you don’t understand it, reach out to people, build your network and ask questions. Most people in the field are ready and willing to help, because they are excited about what they do and eager to see the field grow.

Also, we need more women in the security awareness business and in security in general because there is an acknowledged gender disparity. I think many who might consider a role may find the prospect intimidating because of the lack of women, but if they see and hear the voices of women similar to themselves who are thriving and ecstatic about their work, more and more will join.

“I reckon I have one of the best jobs in cybersecurity: security awareness and engagement manager. I have the privilege of developing, expanding and maintaining security awareness programs that are fun, engaging and designed to educate employees in various security practices, policies and controls.”

www.linkedin.com/in/laurenazink/
www.linkedin.com/learning/instructors/laurenzink?u=2125562
twitter.com/LaurenZinOH
Gabrielle Botbol
Offensive Security Consultant at Desjardins

As a girl I thought my career choices were limited. At school, despite being very attracted to science, I pursued a literary education because various barriers prevented me from gaining a scientific education.

Before getting into cybersecurity, I was a receptionist in a luxury hotel in Paris, and an actress. My receptionist role taught me how to anticipate the needs of customers, and I still use my acting skills for physical intrusion mandates (sometimes customers hire pentest companies to test if their building is safe and if someone could break in easily and access sensitive locations). Even then, in my spare time I programmed websites about the theatre and about art in general.

With my interest in web development growing, I enrolled for a bachelor’s degree in computer science and after graduating worked for a large international company as a software developer. For four years I developed applications, websites and chatbots, and participated in the development of several product prototypes. It was then I became interested in cybersecurity, and I created an open learning program to approach cybersecurity in a holistic way, based on technical subjects and subjects related to digital humanities. The experience inspired me to become a pentester.

Pentesting is the process of attempting to break into a system to check its safety. It aims to find vulnerabilities so they can be patched. There are different phases in a pentest: planning, discovery, attack, and reporting. When we test, we do not go straight to the attack phase. We plan the test program with the customer, define the scope — the items the customer wishes to test — and take care of the legal matters. Then, it is necessary to gather information about the target; how it works, what technologies are used, etc. This is the discovery phase. The next step is the attack phase, where we test different attacks and take note of the technique and the results. Finally, in the reporting phase, we produce a report describing the vulnerability and how it can be removed. The National Initiative for Cybersecurity Education (NICE) Workforce Framework provides a taxonomy and common lexicon that describes cybersecurity work and workers irrespective of where or for whom the work is performed. It provides a good description of pentesting and other cybersecurity roles.

However, pentesting is still an immature discipline and in job postings employers ask for a wide range of skills. This can be confusing for applicants. To help people wanting to break into the field, a few months ago I looked at many pentesting job advertisements from several countries to identify the skills and knowledge required. I checked more than 100 postings from The Netherlands, Germany, Canada, France, Australia, USA and Switzerland. Here are what I determined to be the most common requirements for a pentester position.
• Security testing tools: scanners, proxies, fuzzers.
• Certifications: OSCP, OSWP, GPEN, GWAPT, OSCE, OSEE, GXPEN.
• Soft skills: sense of commitment, self-reliance, teamwork, perseverance, curiosity, lifelong learning, ability to explain and simplify technical concepts, critical thinking, communication, writing.
• Technique: threat hunting, mobile testing, incident response, threat intelligence, reverse engineering, malware, ciphers, data obfuscation, social engineering, code review, IoT, architecture review, application threat modelling, forensics, vulnerability assessment, cloud security, scripting, crypto, Python, NIST, MITRE ATT&CK, AWS, SAP, Azure, Windows OS, Linux OS, pentesting standards.
• Plus: bounty hunting, CTF, writing articles.

In my opinion, job advertisers expect you to know everything and be multiskilled. But to get started you have to focus on one specialty. This is why I always advise newcomers to pentesting to apply for many jobs, whatever the level of experience required, to better understand what employers are looking for, and to view any interview as a training exercise for the next one.

People often ask me about certifications. In my opinion, certifications are not mandatory. Skills can be sharpened by working on capture-the-flag (CTF) platforms or participating in bug bounty programs. I understand certifications are an asset to any individual, and well-known certifications give job candidates credit with prospective employers, but they can be costly. They disadvantage both beginners and skilled people who do not deal well with the pressure of exams. I usually recommend those who can afford the fee and feel comfortable with doing so to obtain certifications, and suggest others demonstrate their expertise through blogs, articles, podcasts, CTF writeups, bug bounty reports or anything that shows their knowledge and skills. My first employer hired me because they liked my blog and because I was able to show my skills through a CTF exercise during the interview.

Apart from the technical challenges of pentesting I enjoy the role because it helps to protect cyberspace and enables people to surf the net safely and securely. It’s a complex and never-ending task because cybercriminals are becoming more numerous every day, endangering individual liberties, democracy, economic stability and sovereignty. Such challenges make me proud to participate in helping society achieve cyberpeace.

“My first employer hired me because they liked my blog and because I was able to show my skills through a CTF exercise during the interview.”

www.linkedin.com/in/gabriellebotbol/
twitter.com/Gabrielle_BGB
gabrielleb.fr/blog/
gabrielleb.fr/blog/category/podcasts/
WHAT’S HER JOURNEY?

Winifred Obinna, Scrum Master at Blue Cross and Blue Shield

I’m a scrum master at Blue Cross and Blue Shield of Illinois, Montana, New Mexico, Oklahoma and Texas, part of a federation of 36 US health insurance companies that provides health insurance to more than 106 million people. I also freelance as an executive consultant identifying and mitigating cybersecurity risks and vulnerabilities.

As a scrum master I manage the implementation of the scrum framework, an agile framework to develop, deliver and sustain complex software products. I’m also responsible for coaching others and for managing and maximising the productivity of the scrum team, keeping them focussed on the end result. We undertake high visibility projects, taking them from ideation to implementation on time and within the allotted budget. My daily responsibilities include:

• Creating an environment where my teams can thrive and be effective;
• Ensuring good communications and relations between teams and product owners;
• Tackling and improving team dynamics;
• Protecting teams from disruptions and distractions;
• Clearing obstacles that impede productivity.

I work very hard to improve my team’s performance by instilling scrum values and principles and ensuring they follow the fundamentals of openness, honesty, and respect in their work. I’ve led and coached eight scrum teams developing software products and automated tools for long-term care pharmacy services. I deliver course-correction with respect, straightforwardness and encouragement, and offer a trusting and productive medium to grow confident and exceptional workgroups who provide high-quality products, services, and processes. Through change management and continuous improvement initiatives, I have been able to increase scrum team productivity by 15 percent and deliverables quality by 30 percent. This resulted in us delivering a $US2 million plus software rollout with zero defects, on-time and under budget, which immediately doubled RoI.

Scrum helps generate great value through adaptive solutions, and organisations incorporate the scrum framework in specialty areas, like cybersecurity, to solve complex problems. So, scrum master skills are transferable into other, specialty, areas of IT, including cybersecurity management. When I realised my scrum master skills were transferable I pivoted into cybersecurity, brought my experience and skillset to a new landscape, and took on complex cybersecurity challenges. Cybersecurity is a growing field; there is high demand for skilled people and my skill set was, and still is, in high demand.

Understanding the foundation of scrum was essential to me when I was studying to become a scrum master and I wanted to challenge myself, see what I could pursue after I gained my scrum master certification from SCRUMstudy, the accreditation body for scrum and agile. This built on my earlier Project Management Professional (PMP) certification from the Project Management Institute.

As a scrum master, it is my job to clear obstacles for my teams, but I’ve also faced a few of my own roadblocks on my journey to get where I am today. I have had to keep abreast of the latest and most relevant skills, technologies and practices in my discipline. I have had to strive for excellence, practice immense patience, and learn from my mistakes. This has not always been easy.

I started out with a degree in psychology and followed that with an MBA in management. Then I had an earlier stint with Blue Cross and Blue Shield where I progressed from project coordinator to project manager, honing my skills and building a reputation as an exceptional communicator, relationship builder and strategic leader of high-performing teams.

I’ve been helped along my journey by some great mentors and coaches. Most recently, as I pivoted into cybersecurity, I found guidance through completing an eight week Gateway to Cybersecurity accelerator program, run by cybersecurity maven and success strategist Courtney H Jackson. It helped me gain relevant, hands-on real-world experience.

Another major source of guidance has been my acceptance into the Empower(H)er Cybersecurity Institute—a non-profit organization focused on providing a safe space for women of colour interested in or working in cybersecurity—for a program called Elevate U. It is run in partnership with Cybrary, a community of people and companies providing open source cybersecurity education. The Elevate U program offers one-on-one mentorship, a clearly defined career path and a program structure tailored to participants’ desired career outcomes. It has helped guide me through much of my cybersecurity career.

And it is a career I would urge more women to choose. We need more people to address the skills shortage, but especially we need more women, to be heard and to discredit toxic masculinity in this male-dominated industry.

Women can bring new perspectives and new solutions to replace the tired old perspectives that have been around for decades, and not only in cybersecurity. All businesses need more skilled women who have business knowledge, management skills and technical knowledge.

There is a serious lack of women in STEM fields, and this is not due to any lack of interest, rather it is due to a lack of validation. Girls today need to be validated. They need to see women thrive in business and industry so they can be inspired to carve out similar futures for themselves.

To anyone considering a career in cybersecurity, or becoming a scrum master, my advice is to be strong, straightforward and hopeful. Be open to challenges and face them head-on. Show honesty, integrity and respect in your work, whatever it may be.

www.linkedin.com/in/winifred-obinna
CHAMPIONING A CYBER-SAFE WORLD

Ankita Dhakar, Managing Director, Security Lit Ltd.

A fearless young leader determined to help make the digital world a safer place. That is Ankita Dhakar, founder and heart and soul of New Zealand-based cybersecurity company, Security Lit.

She has neither a formal background nor a degree in digital security. She learnt about cybersecurity incidents and the very real threats businesses and individuals face in the digital era while working for an information security company, and knew she had to help.

In the short time since founding Security Lit in February 2020, Ankita has built a strong team and acquired noteworthy key clients. But she’s not resting on her laurels.

Her vision is to take Security Lit global — she already has offices in India and Hungary — and to keep educating businesses and individuals about cybersecurity threats and ways to protect themselves. Ankita came into the industry with a genuine wish to protect people against cybercrime. It is this passion that makes her such an inspirational leader.

She puts her team first and involves them in decisions. Her kind-hearted and friendly nature also inspired Jozsef Gacsal, former managing director of Fujitsu Hungary, to join her team as CTO. He has previously held senior roles in Europe with Intel, Microsoft and IBM.

Ankita believes in herself and in her team, which is how she achieves her goals for Security Lit. Ankita is an honest and genuinely caring person. She inspires everyone she works with, but especially women. She shows other women they can achieve their goals by believing in their vision, trusting their team, and giving back to the community.

She founded Security Lit on the values of commitment, integrity and collaboration, and she lives those values every day. Her energy and commitment motivate the team when things get a bit messy. Ankita has exceptional leadership qualities and decision-making skills. She values her clients’ time and respects the trust they put in her.

For example, one client was not entirely happy with its experience of Security Lit so Ankita stepped in and listened to understand where the problem was. She made changes based on the client’s experience because she is determined to continually evolve and improve.

Ankita sees no sense in dwelling on the past and instead is always looking ahead. She is a real optimist and moves quickly once she has made a decision. Her primary focus is solving problems and empowering the people involved in a problem and its solution. She leads by positive example but also creates opportunities for others to rise. And because she is a people person, she always considers the impact of significant decisions on people and their situations.

With the right publicity, Ankita’s story can inspire young women to get into cybersecurity. It is a rapidly growing field that many do not see as presenting a career opportunity, but they could be inspired to do so through people like Ankita. There is a real shortage of professionals in this field in New Zealand and women are still underrepresented.

She has built a cybersecurity company without having a technical background or formal cybersecurity education. She has lived in New Zealand for only five years and has a plan and vision to create an environment where businesses and individuals have no need to worry about their digital assets.

She moved to Hamilton soon after incorporating Security Lit because she wanted to help the graduates of the University of Waikato by training them, giving them real-world experience that would enable them to find employment quickly, and inspiring them to help protect New Zealanders and SMEs from continuously evolving and increasing cyber threats.

www.linkedin.com/company/securitylit www.securitylit.com
KAREN STEPHENS

Karen is CEO and co-founder of BCyber, an agile innovative group who works with SMEs to protect and grow their business by addressing their cybersecurity and governance risk gaps by demystifying the technical.

COLUMN

APRA CPS 234: What you need to know

Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234 Information Security (CPS 234) is a mandatory regulation outlining cybersecurity requirements imposed on all APRA-regulated entities. It came into force in July 2019, but here is the kicker: from 1 July 2020, third parties handling APRA-regulated entities’ information assets must follow CPS 234 requirements and, when requested, attest to the security controls they have established. This means vendors and channel partners of APRA-regulated entities will have to comply with CPS 234. Here is some food for thought:

WHAT ARE APRA-REGULATED ENTITIES?
Banks, credit unions, authorised deposit-taking institutions, super funds, life insurance companies, friendly societies, general insurers, and private health insurers, etc.

WHAT IS THE AIM OF CPS 234?
To make APRA-regulated entities identify and harden their information security measures. It puts strong cybersecurity measures front and centre. Think of it as a refocus on better cybersecurity, which is no bad thing considering the Sensitive and/or Personally Identifiable Information these entities hold.

WHY HAVE CPS 234?
It’s trying to minimise the likelihood and impact of information security incidents on the confidentiality, integrity or availability of APRA-regulated entities’ information, and on information assets managed by related parties or third parties.

HOW DO I COMPLY?
The actions you undertake depend on your interpretation. There is no checklist!

FUN FACT
Starting this year, it is expected that APRA will be requesting one-off tripartite independent cybersecurity reviews. External audit firms will be reviewing CPS 234 compliance and reporting back to APRA. You may find yourself answering audit questions and having to provide evidence. So be ready.

BOTTOM LINE
The responsibility for maintaining information security sits with each APRA-regulated entity’s board, but cybersecurity staff will need to be ready to act so boards can meet their obligations when APRA’s auditors request information and evidence. The process will be very similar to providing a SOC2 report.

www.linkedin.com/in/karen-stephens-bcyber/ www.bcyber.com.au
karen@bcyber.com.au
twitter.com/bcyber2 youtube.bcyber.com.au/2mux
CAREER PERSPECTIVES

ATTRACTING WOMEN INTO CYBER TAKES MORE THAN EQUAL PAY
by David Braue

It’s a good start, but there are other things that make cyber appealing

Talk to a woman working in security, and you’re likely to hear a story of enthusiasm and engagement for a career more varied and interesting than she may have originally expected. So: with companies desperate for more security staff, why are they still struggling to find and attract more women into these roles? As usual, the answer is both simple and complex – and it depends on whom you ask.

By the numbers, women are more engaged in cybersecurity careers than ever: the latest (ISC)2 Cybersecurity Workforce Study of 3237 global security professionals, for one, found that women in cybersecurity “view cybersecurity as a viable, rewarding career and a solid majority [68%] of them plan to stay in the profession until retirement”. Interestingly, fully 53% of the women responding to that study said they started their careers in cybersecurity – compared with 38% of men.

Women were also more likely to say they “have a good idea” of their career path, compared to 48% of men. And 32% said they were “exactly where I was expecting to be with my career” – compared to 20% of men.

Such figures suggest that – when they can be brought into the industry – women are both more likely to stay as productive members of the team, and more likely to stay for longer in a job where they feel they are getting what they expected from the position. Yet just because women in security are more positive about their roles than their male counterparts, doesn’t mean there aren’t still glaring problems:

22% of women told (ISC)2 that they had experienced discrimination in their career – compared with 13% of men.

Women were also less likely to report that they had enjoyed career milestones such as becoming a go-to specialist, becoming a go-to source of information for colleagues, building a strong professional network, and being assigned a leadership position.

Yet the survey also unearthed a significant discrepancy in salaries, with women in cybersecurity being paid an average of $21,500 ($US16,500) less than their male counterparts – who are earning an average of $125,000 ($US96,500) in North America, and $87,500 ($US67,000) in Europe.

[Figure: Fewer women than men reported a range of career achievements. Source: (ISC)2]

MORE THAN JUST MONEY

(ISC)2 offers an obvious conclusion from this data: “while the overall trend is positive, some issues still need to be addressed,” the report’s authors note. “Women in the field face more discrimination and receive lower compensation than men. If these inequities are corrected, the cybersecurity profession may attract more women.”

A simple fix, right? Of course not.

After Secure Code Warrior recently hired male and female candidates for roles that were basically the same – but paid the male employee 10% more – senior vice president of customer success and operations Fatemah Beydoun started asking questions.

The issue was not some conspiracy to pay the female candidate less; rather, the male candidate had negotiated his salary package upwards while the female candidate was happy with what she was offered.

“I know from the research I have done on diversity that males tend to negotiate a lot more and it’s harder for a female to have those negotiation conversations,” Beydoun told a recent AustCyber panel session, “so I decided to raise it with the leadership team and we had a long discussion about the best thing to do.”

“The decision was made that if they’re both the same role, and have the same background, then the right thing was to go back and rectify that,” she said. “The salaries should really align – and we’re making sure that we set the standard going forward with that.”

While this is a win for pay equity, findings that women are happier overall with their cybersecurity careers despite being paid less than men suggest that money alone won’t bring women into the industry. Indeed, Christie Struckman – a vice president within Gartner’s Leadership, Culture and People team – offers nine strategies for building the pipeline of women candidates other than ensuring gender-neutral payment. Creating better job descriptions is one way of making sure women aren’t put off a role before they even come through the door (pro tip: feed copy through the Gender Decoder to identify potentially dissuasive gendered language).

Noting that less than half of women in her audiences tend to have technical degrees, Struckman told Gartner’s recent APAC Security & Risk Management Summit 2021, companies should expand their criteria to include other roles, degrees, and professionals: “we all just need to take a reset,” she said, “on what degrees we really think people need in order to be successful in your particular organisation.”

Yet, pressured by the need to tick governance boxes or meet customers’ specific requirements, Struckman said, many companies are still filling job descriptions with esoteric technical requirements that make them come across “like a contract – which is not a very attractive way to represent your company.”

Use a “marketing lens” to make job descriptions more appealing, she added, advising hiring managers to consider “what are we doing to talk about the great work that we do and how it really makes a difference to our organisation? Think about selling the job to your prospective clients, versus making them feel like this is going to be the beginning of a contract.”

Other recommended strategies include offering options for work flexibility – particularly relevant as workplaces rebalance in the wake of the pandemic’s disruption – as well as recruiting internally across the enterprise; targeting women’s universities and colleges for direct recruitment efforts; promoting an employee referral plan; gender-blind hiring practices; and enhancing corporate branding to reinforce perception of being a female-friendly workplace.

STRATEGIES TO BUILD THE PIPELINE
1. Create better job descriptions
2. Ensure gender-neutral payment
3. Offer work flexibility options
4. Expand your criteria – other roles, degrees, professionals
5. Recruit internally across the enterprise
6. Recruit from women’s universities and colleges
7. Reach students during college via internships
8. Promote employee referral plan
9. Gender-blind hiring practices
10. Enhance corporate branding as a female-friendly workplace
Source: Gartner

THE MISSING LINK

Yet actively building the pipeline is only part of the challenge: many of the things that may attract women to cyber, or to a particular company, are less intentional factors that can’t be rapidly pushed out with a strategy.

“For me personally, it’s about role modelling,” Nichols says, noting the high-level participation of female cybersecurity executives like PwC trust and risk business leader Corrine Best, who is one of three women sitting on the federal government’s cybersecurity Industry Advisory Committee.

“Being able to show that pathway is really important,” Nichols adds, “and it’s wonderful to get that visibility to showcase women in these really senior cyber roles.”

Companies may need to improve their representation of role models but the industry has its own challenge, Dr Taniya Mishra, founder and CEO of AI startup SureStart, pointed out during a CES 2021 panel session examining similar issues in the fast-moving AI industry.

After 12 years in the industry and years as a graduate student before that, Mishra said, “it has been disheartening” to watch the persistent under-representation of women, for example through the composition of industry panels.

“The lack of representational role models is a huge problem,” she said, “because you cannot be what you cannot see. And so the next generation of AI builders, technologists, and change makers – are they seeing themselves represented? Unfortunately, right now, they’re not.”

Mentorship programs may be explicit, or mentorship may evolve as part of the everyday function of working in cyber.

This was the experience of Atlassian senior security trust analyst Jodie Vlassis, a “de facto mentor” who, thanks to the easier connectivity afforded by COVID-era remote working, has been increasingly advising young women around the world “on how to make it in an industry where, unfortunately, women are still largely marginalised.”

“I wouldn’t say I’m a traditional women’s rights activist by choice,” she adds, “but as I have a cyber security role in the industry, it kind of makes me one automatically – and this is due to the lack of strong female leadership.”

Things are getting better, she says, noting that she has “definitely seen a shift” in recent years, with more engagement stemming from “increasing awareness within our workforce and expanding and creating mentoring opportunities – and forging women-oriented communities.”

Ultimately, that sense of belonging to a community can make all the difference in flagging cybersecurity career opportunities for the next generation of women in security.

Sometimes, the difference between attracting a woman to cyber and losing her can be a fine line.

After participating in a girls-in-STEM workshop at a major bank, 16-year-old student Tamara Baker – a Code Like a Girl Ambassador and AWSN Women in Security award recipient – recalls the thing that made her realise she could have a future in security.

One of the workshop leaders “saw how much passion I had,” she told a Cyber Week 2020 panel after attending the previous year’s “enormous” event, “and she pulled me aside out of 50 girls in the workshop to say ‘we would like to specifically offer you work experience’.”

“I just remember literally crying on my way home,” she said. “I almost got run over by a tram – because I’m this tiny, to them, girl and someone saw how much I cared, and how much I wanted to go far.”

“It was a really humbling experience – but it also showed me that the work you put into it can really pay off.”
MEGHAN JACQUOT

REFINING MY FOUNDATION: CAREER TRANSITION TO CYBERSECURITY
by Meghan Jacquot, Cybersecurity Specialist | Google IT Support Professional

Curiosity is a murderous word...it kills cats (note that I am not advocating killing cats). It is an adventurous word. It is a word of beginnings, and it is a word that describes me and my childhood. My nickname growing up was Curious George, the main character in a series of popular children’s books with the same name, because I was always asking questions and starting experiments. I tinkered, built, and wanted to understand how things worked. But I did not go on to study computer science. Which is why, after teaching for 12 years, I found myself pivoting to a second career in security. I want to be tinkering and working on novel experiments as well as solving the problems of the future.

Security is awash with jargon and acronyms. RMF is one of many. Traditionally RMF stands for risk management framework, and with any pivot there exists risk. So I took a risk when I decided to refine my foundation and embark on a career transition to security. Refining is an iterative process. In the case of a career transition it manifests as constant modification and adjustment of goals.

I embrace a growth mindset. I believe we can learn anything. As the poet Cleo Wade said: “I think we’re always becoming the woman we want to be.”

But we all have limited time, so to become the human you want to be it is imperative to ask yourself these questions:

1. What do you like to do? What do you spend your time learning?
2. What are your skills now? What are you highly skilled at? These can be soft skills with a high emotional or intelligence quotient, and technical skills.
3. Are there any intersections between number one and number two above?
4. What are your professional end goals?
5. What steps are you currently taking to refine your foundation to get to your end goals?
6. What are some gaps between where you are now and where you want to be?
7. How will you fill in those gaps? Try to be strategic and realistic with this planning - think SMART goals.
8. Celebrate - you are one step closer to getting to your end goals! You are refining your foundation!

I’m glad that you’re on your path and refining your foundation. I’m happy to connect, cheer you on, and start a conversation.

www.linkedin.com/in/meghan-jacquot-carpe-diem
EMILY EDGELEY

GRAB THE MIKE, IT’S YOUR TURN
by Emily Edgeley, Public Speaking Coach for the Tech industry

An email arrives in your inbox. It’s a request to speak at an upcoming security conference. What’s your immediate reaction? Is it one of butterflies in the stomach and of dread? Or is it one of excitement? Do you shy away from the invitation, or do you accept it without question?

I know for me, it was one of dread. During my whole career in cybersecurity I had never spoken at an event or conference. I had a pure maths degree and a master’s degree in information security, along with more than ten years’ experience under my belt. However, I still did not consider myself an expert, nor did I think I had anything worth sharing with others. I loved going to conferences, but I did not see a place for me on the podium. Looking back, that seems to have been crazy. I now know I had a unique background and a unique perspective. I had experienced failures and gained learnings that had informed my own take on things. I had interesting observations, realisations and aha moments that I could have shared, that other people would have learnt something from. I just did not realise this at the time. I was also terrified of public speaking, so much so I even struggled to ask a question from the audience. So, for me, becoming a speaker and having everybody’s eyes on me was out of the question.

This meant I stayed in the shadows. I let other people (mostly men) take the limelight. I let that voice in my head take over, and I stayed silent.

Did I limit my career? Absolutely! Did it impact my personal brand? You betcha. Did it keep me playing small? Of course it did!

You see, if you ask 10 men to speak at a conference, it’s likely nine of them will accept. However, if you ask 10 women to speak at a conference, you’re lucky if one will accept. There are many factors at play here, one being that women may have less time to commit to such a request. However, based on my own experience and that of my clients, one of the main factors is a lack of self-belief. It seems a lot of us don’t believe we have something worth sharing, or we simply don’t feel sufficiently confident to get up on stage and deliver our message. On my journey to becoming a public speaking coach, I learnt two really important lessons:

YOUR UNIQUE PERSPECTIVE IS WHAT MATTERS
You don’t have to be the most experienced person in the room to tell others something they don’t already know and will gain value from. You just need to solve a problem for them, or see a big issue from a different perspective.

LESS IS MORE WHEN IT COMES TO YOUR MESSAGE
The more you pack into a talk, the less people will get out of it. So don’t worry if you don’t have a massive project or complex approach to share. A great talk is often about one very simple idea that is meaningful and that solves a problem for the audience. I wish I could go back, knowing what I know now, because I’d grab that mike and take on the challenge.

But I don’t want to stop here. I want to help shift the gender balance of public speakers dramatically in our favour. Having given birth to a daughter just over a year ago, I’m even more determined to help improve the number of women gracing our stages, because I don’t want my daughter to grow up doubting herself, or what she has to say.

We need more women on stage. We need the diversity of thought. We need to be represented. If you’re with me, let’s make this happen. We all have interesting stories. You can help people overcome obstacles you’ve already surmounted, and prevent them from making the same mistakes. You can use your learnings, or your failures, to shape a great talk that people will thank you for. If you’ve never spoken at an event or conference and find the prospect daunting, I want you to set aside 15 minutes to answer these three questions.

1. What makes you unique? E.g. what’s your background? What diverse experience do you have? What perspectives do you have that others don’t?
2. What could you talk about? E.g. What are you really passionate about, what aha moments have you had, or experiences / big learnings / failures / insights that others might find really interesting and useful?
3. Who would be interested? E.g. What type of people would you like to help, or what organisations or events would you really like to speak at? What type of support would you want for this?

Now, I implore you to commit to one bold action that will get you closer to sharing your knowledge. Maybe it’s identifying the right event to speak at. Maybe it’s figuring out in detail what you’d talk about. Maybe it’s honing your storytelling skills. Whatever it is, note down the action, the date and why it’s important to you.

If you’re already speaking on stage, reach out to someone who isn’t and offer them your guidance and support to do the same. So, when the next generation grows up and starts entering the workforce, what they’ll see when they go to events and conferences will be very different, because of you. Wouldn’t that be an awesome story to tell?

www.linkedin.com/in/emily-edgeley/ www.instagram.com/emily_edgeley/
www.emilyedgeley.com/ twitter.com/Emily_Edgeley
CAREER PERSPECTIVES

JESSICA TIEU
BREARNA LEOPOLD

WHY MORE WOMEN IN CYBERSECURITY WILL ULTIMATELY MAKE US SAFER

Interview with CrowdStrike’s Jessica Tieu, Senior Director of Legal, Asia Pacific & Japan, and Brearna Leopold, Inside Channel Account Manager, Australia & New Zealand

WHAT IS YOUR ROLE AT CROWDSTRIKE AND DESCRIBE YOUR CAREER JOURNEY SO FAR?

Jessica: I am the Senior Director of Legal for CrowdStrike Asia Pacific and Japan and have worked in the IT industry for over 23 years. After completing a double degree in law and business, I joined Accenture as an IT analyst and then moved to their legal department. I really enjoyed being an in-house lawyer because it enabled me to both learn about the business and apply the law. From there I built my legal career in the IT industry starting at Siebel, then Symantec, McAfee and now CrowdStrike. At both McAfee and CrowdStrike I was the first legal person hired in the APJ region and helped to build and lead the APJ legal teams. As nerdy as it sounds, I find it interesting to learn about how we are helping to keep the world safe from cyber attackers. When you combine this with laws that are constantly in catch-up mode, it makes for a very dynamic work environment in which I am constantly learning.

Brearna: I started at CrowdStrike during my third year of university as a sales development intern. I was then offered an opportunity to take on a unique, permanent part-time position as a sales development representative while I completed my final year of studies. After graduating I moved into a full-time role and became the sales development team lead. This role exposed me to larger enterprises and their requirements for cybersecurity, and it was also where I started developing my leadership skills. I have recently been promoted to inside channel account manager, which involves working with our partners to strategise and drive new business initiatives.

CYBERSECURITY PROFESSIONALS ARE MOST LIKELY TO BE MALE, ACCORDING TO ISC’S WOMEN IN CYBERSECURITY REPORT, WITH GLOBAL FEMALE REPRESENTATION SITTING BETWEEN 23 AND 30 PERCENT. FROM YOUR EXPERIENCE, WHY DO YOU THINK THIS IS?

Jessica: There is a lack of female interest in STEM-based courses which, from the outset, means women are underrepresented in the sector. Too often this is attributed to a lack of female applicants for cyber positions. However, research has found that women tend to apply for roles only when they believe they meet close to 100 percent of the requirements listed, whereas men are more willing to apply regardless. I’ve also heard from women working in the industry that job ads can sometimes use “aggressive” language which can deter people from applying. If companies truly want to hire more women they need to look at their recruiting practices to ensure they are not inadvertently discouraging female applicants, and women need to be more confident in applying for positions even when they don’t meet all the requirements.

Brearna: Although positive changes are being made, there still seems to be a sense of a “Boys’ Club” in the industry. Young women may associate working in technology with beers, hackathons and office table tennis, activities typically skewed towards male preferences. As a result, there are significantly fewer female role models from which younger women can seek guidance and advice. I would encourage experienced women in the industry to speak openly about their journeys, and ensure that other women entering the industry have access to continued support.

WHAT DO YOU SEE AS THE KEY BENEFITS TO HAVING MORE WOMEN WORKING IN THIS INDUSTRY?

Jessica: Women bring different skills and experiences to the positions they hold, which often means a variety of new ideas and solutions. This is invaluable at every level of a business because it generates greater collaboration, creativity and innovation. Diversity is becoming an important focus for companies because it’s been proven to foster higher employee engagement and increase profits, amongst other things.

Brearna: Diverse individuals are needed to ensure success in any business, and cyber safety is no different. Women can bring unique points of view into conversations around cybersecurity. Businesses must take advantage of the variety of backgrounds and experiences that each staff member can bring to the table.

CAN YOU OFFER INSIGHT INTO HOW FEMALE CYBER PROFESSIONALS CAN SUCCEED IN A TRADITIONALLY MALE-DOMINATED FIELD?

Jessica: Don’t try to be “one of the boys”, instead leverage your strengths as a woman. In a male-dominated environment, women can sometimes try to blend in by mirroring what their male colleagues are doing, without realising that one of their many strengths lies in the unique perspectives they can offer as women. Voice your opinions and ideas rather than simply taking the lead from others.

Brearna: When you are the only female in the room it can be easy to fall into the mindset that you don’t belong or that you don’t have the experience to contribute real value. Be aware of imposter syndrome and try not to fall victim to it. This can be easier said than done. However, having the guts to speak up and volunteer for opportunities can only improve your confidence and learning. It will become easier each time you put your hand up!

WHAT’S YOUR ADVICE FOR WOMEN SEARCHING FOR A JOB IN CYBERSECURITY OR LOOKING TO ADVANCE THEIR CAREER?

Jessica: Apply for any role that appeals to you, and don’t underestimate your skillset. There is a broad range of roles in cybersecurity and not all roles require advanced technical knowledge or skills. Don’t let the fact that it’s a male-dominated industry deter you. Instead, see that as an opportunity to challenge the norm and to bring a different set of skills to your chosen role.

Brearna: Take advantage of the interesting opportunities presented to you and never underestimate the power of networking. When applying for promotions and new roles, do your research and, if you are interested in a company, look them up on LinkedIn. Reach out to individuals who currently work in the role you aspire to and invite them to coffee. Don’t be afraid to put yourself out there and ask for help. We all started somewhere. Above all, always make your goals and ambitions clear. Set your intentions for your career path and communicate these regularly to your mentors and managers.

HAS THE PANDEMIC CREATED MORE OPPORTUNITIES FOR WOMEN IN CYBERSECURITY?

Jessica: The pandemic has certainly challenged the idea that workers need to be physically in the office to be productive. Working from home has also offered the men in the industry the opportunity to gain greater appreciation of the challenges their female colleagues face. This could go a long way towards getting men to better advocate for and support their female colleagues’ careers in the future.

Brearna: COVID-19 has seen the workforce embrace a flexible way of working. In the past, women may have felt pressure to choose between time spent supporting their families and time spent developing their careers. Knowing I am likely to have access to flexible working arrangements when I choose to start a family gives me the freedom to set both long and short term career goals.

FINALLY, WHAT ARE YOUR STRATEGIES FOR OTHERS TO SUCCEED IN A CYBERSECURITY CAREER?

JESSICA

Be adaptable. It is a fast-paced and dynamic industry that is constantly evolving, so being able to adapt to change is important.

Embrace being in the minority. The fact that there are few women in the industry can work to your advantage if you focus on the positives and the value you bring to the table.

Be courageous. Try something different, stand up for something you believe in, challenge the norm, voice your ideas and opinions, and self-advocate.

BREARNA

Don’t underestimate the power of a strong network. Your network is valuable. Invest time in developing and maintaining relationships, because these will give you access to new perspectives, ideas and opportunities. Remember to give back. At some stage in your career, someone will have given their time to help you. Acting as a mentor yourself will encourage self-reflection, help you see new perspectives, and give you an opportunity to practice leadership skills.

Be an effective listener. Listening not only demonstrates respect for your peers, it also gives you clarity and access to better information. In a world where knowledge is power, listening is an effective, yet simple, way to gain information.

BREARNA LEOPOLD www.linkedin.com/in/brearna-leopold-21419a134/
JESSICA TIEU www.linkedin.com/in/jessica-tieu-4386a43/
CROWDSTRIKE www.linkedin.com/company/crowdstrike/ @crowdstrike www.facebook.com/CrowdStrike/ twitter.com/CrowdStrike www.youtube.com/channel/UCsRdY9CtEVWTNO4ulwfzqVA
A PROGRAM THAT CONNECTS, SUPPORTS AND INSPIRES FEMALE-IDENTIFYING TERTIARY STUDENTS AND EARLY CAREER PROFESSIONALS.
"When women work together, they become a force to be reckoned with. Be part of a force for good in the security industry, by joining the AWSN Cadets program today!" - Liz B, Co-Founder
Studying or an Early Career Professional in information security? Learn more at awsn.org.au/initiatives/awsn-cadets/
SAI K. HONIG

CAMARADERIE by Sai K. Honig, CISSP, CCSP, Co-founder, New Zealand Network for Women in Security; Board Member, Black Cybersecurity Association

There have been many studies, articles and talks about including women and minorities in cybersecurity. Some have canvassed introducing policies to promote inclusivity, such as flexible work hours, parental leave, remote working, unspoken bias training, etc. Others have called for changes to the hiring process to make it more open to people with diverse backgrounds and talents. A majority of these proposals are well thought out. Businesses that espouse them may see greater diversity in their workforces.

Being a woman and from an ethnic minority, I feel that there is one thing that well-meaning policies cannot implement – camaraderie. The Oxford English dictionary defines camaraderie as “mutual trust and friendship among people who spend a lot of time together”, but it’s a term perhaps more often associated with men, “the old boys club” or “mates”. Camaraderie is also necessary for women. They too need to be part of something outside of work, school, childcare, dependent care and housework. (Yes, the majority of housework is still done by women.)

Women need a space to “belong” and share their thoughts. During this pandemic, with its various lockdowns and other social gathering restrictions, this need to “belong” has been even greater.

Those of us in fulltime employment spend the majority of our week working, and a great deal of time with our coworkers. Even though we may be working remotely, we are still online with work colleagues. There is an expectation of “mutual trust”. We expect everyone to do their jobs to the best of their abilities. After all, that is why they were hired. Friendship is another thing. It is defined as “the emotions or conduct of friends; the state of being friends”. This state can be based on a number of things, such as a common interest or background. It is organic and can develop over time. It is not something that organisations can foster or manage.

That is why organisations like the Australian Women in Security Network (AWSN) are so important. AWSN is “an open network of people aiming to grow the number of women in the security community”. There is a sister organisation across the Tasman, New Zealand Network for Women in Security (NZNWS) which is “about bringing women in security together”. These organisations foster friendships among women. Through them I have had the privilege of getting to know a number of women who are doing amazing things in cybersecurity, and giving back to their profession.

For the past six months I have also been part of a new organisation, Black Cybersecurity Association (BCA). This is an organisation of volunteers whose mission is to inspire, engage and empower African Americans to reach their full potential, to become leaders, and to positively impact their communities. In less than one year it has grown to more than 2,000 members from around the world. Programs to learn new skills and gain real world experience are in place. We have mentorships for students and those transitioning into cybersecurity from other professions. We partner on a number of projects with other like-minded organisations and with allies. Through BCA I have been able to develop meaningful relationships. These colleagues from around the world learn of my challenges, and I of theirs. We offer mutual advice, support and mentorship. In the short time I have been with BCA, I have developed the camaraderie I was missing.

This camaraderie extends beyond cybersecurity. One member reached out after learning that New Zealand was back in limited lockdown. Shortly after it was reported that there had been large earthquakes off the coast of New Zealand, members reached out to see if I was alright. I have checked in with members to see how their families are doing. (We even refer to each other as “fam”.) And it’s good to wake up each morning to “Good Morning” messages and uplifting words.

So, how can businesses support this type of camaraderie? By making space for these organisations. They could offer space to enable staff to meet in person, or provide them time during the day to attend virtual sessions. Support could simply be allowing a member to use internal communications channels to announce any achievements made through these organisations.

Camaraderie is developed by individuals with other individuals. It is not something that can be created by an organisation. Businesses should accept this and allow camaraderie to develop during the normal course of work, not just at the office party or after work drinks.

www.linkedin.com/in/saihonig/
NZNWS www.newzealandnetworkforwomeninsecurity.wordpress.com
BCA www.blackcybersecurityassociation.org
Cyber Security
#TOPWOMENINSECURITYASEAN WOMENINSECURITYASEANREGION.COM

NOMINATIONS CLOSE 30 MAY 2021

This initiative has been established to recognize women who have advanced the security industry within the ten countries of the Association of Southeast Asia Nations (ASEAN). Nominations were scheduled to open on Monday March 8, 2021, coordinating with International Women’s Day. The Top Women in Security ASEAN awards follow similar initiatives in India, as well as Africa, Europe and Canada and form part of a global campaign by the Women in Security & Resilience Alliance (WISECRA). This initiative is open to all ASEAN countries following very successful Top Women in Security Awards held during 2020 in Singapore, Malaysia and Philippines.

ORGANISERS

MEDIA PARTNERS

We have gathered unique industry partnership arrangements, bringing together key chapters of premier, global security industry associations and professional women in security groups in Singapore, Malaysia, Indonesia, Philippines, Thailand and including the ASEAN Region Women in Security Network. We thank them for their support. Nominations close 30 May, 2021. The awards will take place in July 2021. Please nominate at your earliest opportunity.

SUPPORTING PARTNERS & ASSOCIATIONS

ASEAN REGION WOMEN IN SECURITY NETWORK
FEATURE

RECRUITERS PICK THE CYBER SKILLS HOTSPOTS by Stuart Corner

There was plenty of good advice for aspiring and current cybersecurity professionals from a panel of four Cyber Security specialist recruiters at #Choose to Challenge, an online conference organised jointly by ISACA’s Sydney and Melbourne Chapters and the Australian Women in Security Network (AWSN), held on March 9, for International Women’s Day.

The theme of the session was In-Demand Skills & Career Pathways. And from panellists’ comments it was clear that the in-demand skills extend well beyond the technical aspects of cybersecurity and/or IT skills.

In part, this is due to the substantial shortage of experienced cybersecurity professionals. Employers now realise they need to identify key soft skills in candidates, for example critical thinking, communication and a passion for security. These are as important as the technical skills, yet can be harder to develop.

Ben Sawyer, Senior Associate, Cyber Security and Risk at u&u Recruitment Partners summed up the situation, saying: “I’ve got one customer who is a director for cyber in the public sector. She’s struggling so much to find the right resources that she’s decided to identify people who have got really good soft skills, show some technical aptitude and some passion for cybersecurity and information security, and move them, if they’re willing and enthusiastic, into more cyber and risk roles. I think [that] is going to be a strategy we will see more and more of in the future to try and combat what is just simply a skill shortage.”

CYBER NEEDS LAWYERS

He also identified opportunities in cybersecurity for people with a legal background. “I think anyone with a law degree will do well for some of the roles we’re seeing now. It’s not enough to be good in the governance risk and compliance space. A legal background is going to be really helpful.”

“Privacy is going to be a key area. So for any lawyers that want to move into cybersecurity, that area is primed for the taking.”

Kate Broughton, Head of Delivery at the Decipher Bureau agreed, stating she has seen an increase in requirements for people with a legal background. “We have had a significant rise in Privacy roles across our business and our clients are looking for hires that can bring their legal expertise to privacy engagements”.

“There is a genuine need for security awareness professionals to bridge the gap between Business and Technology and tell the story right from both sides. Security Awareness could be a great area for non-technical professionals to break into Cybersecurity.”

COMMUNICATION SKILLS & PASSION

Riki Blok, Principal Consultant, Cyber Security at Talenza, said: “It doesn’t matter what your job is, even if you’re a penetration tester, everybody needs to write a report at some point. Everybody needs to be business-facing. So you can’t just fall back on [technical competencies] anymore.”

Palak Trivedi, Sr Principal Consultant-Technology with Capstone Recruitment, stressed the importance of cybersecurity professionals having industry knowledge and good communication skills. “Security is about protecting the business and its people. So if you understand the business needs you can add value and upskill yourself on the technical side of security. You can talk the language that business stakeholders understand and influence early adoption.”

Broughton mentioned a significant increase since the beginning of COVID in the number of security operations roles. “Of course there needs to be a technical aptitude, but [the interviews] were definitely more around the passion and the communication skills. At a senior level you need to clearly articulate the how and why of your role. At the entry level, you need to demonstrate what you have done through your university training, or other courses, to show that you’ve got critical thinking and analysis skills.”

Blok reflected on the need to make sure that you also articulate the extra steps that you have taken to increase your knowledge and to demonstrate your “passion”. Make sure to talk about “the extra bits and pieces you’ve been involved with – they are the bits that make sure you stand out from the crowd” in your CV.

While all were in agreement there is a shortage of experienced cybersecurity people across the board, other identified areas included: cybersecurity awareness, and governance risk and compliance (GRC).

Sawyer tipped GRC to be one of the most in-demand skills over the next few years. “There are not going to be enough people in a few years’ time with the way the banking regulations are going.

“Now you’ve got separate cyber boards in financial services firms. What I’m hearing from CISOs is that they don’t know what they are going to do when more and more regulations come. There will not be enough people. We need tools and processes that are automated within GRC. That would be my number one thing in four or five years.”

Trivedi said: “There will be a huge demand for data and cloud security professionals, because everything is on cloud these days, whether it’s on the vendor side, or in house. We are also seeing a surge in demand for application security professionals who will help secure codes at the fundamental level.”

RAISING CYBER AWARENESS

Panel moderator, Laura Lees, Vice President of ISACA’s Sydney Chapter, said the security awareness role presented opportunities for non-technical people to break into cybersecurity.

“I know one organisation that has a graphic designer on their cyber team, because that’s a great way to get the message across in the security education and awareness space.”

Palak said “there is a genuine need for security awareness professionals to bridge the gap between Business and Technology and tell the story right from both sides.” She also added that security awareness could be a great area for non-technical professionals to break into cybersecurity.

Additionally, Broughton suggested another pathway for both organisations and those wanting to make a career transition: use the skills you have today to get into an organisation that has a team and role you want to move towards in the future.

TECHNICAL ASPECTS STILL MATTER

Blok touched on the more technical aspects of the industry with skills and automation. “There is a shortage of all technical skills within cyber” due to the lack of skilled overseas resources entering the market, so employees are more likely to be willing to “upskill”. Then there is the “shift towards security automation” and “automation is going to become more a part of what people are asking for”.
NICOLLE EMBRA Cyber Safety Expert, The Cyber Safety Tech Mum

COLUMN

How parents can keep up with apps and online games

Have you ever clicked into Apple’s App Store or Google Play Store and been thoroughly amazed at the number of apps there? At the touch of a button your tween/teen could download any app their heart desires. It’s nerve-wracking, knowing some of these apps and online games have hidden dangers. You’ve heard other parents talk about situations you never want your child to find themselves in, and you’ve read dozens of media reports on dangerous apps. The good news is you don’t have to be across ALL those apps and games, just the ones already installed on your child’s device and the ones they ask to download. Here are 10 tips to help you decide which apps are OK for your tween/teen.

1. Know what apps and online games your kids are currently using/playing/have downloaded.
2. Make sure the settings on your child’s devices block them from downloading apps without your permission.
3. Check the game ratings in the App Store/Play Store.
4. Understand the basic functionality of apps and online games. For example, does the app allow anonymous chats, private/public groups? Does it contain frequent swearing, nudity or encourage gambling?
5. Download the app/game yourself to get a better idea of what it does. Use it yourself. Then sit with your child and play.
6. It’s OK to tell your child that, although an app looks safe for their age, you just aren’t sure about it. Explain why. Suggest downloading a game they want and playing it with them so you can make a final decision.
7. Consider your child’s maturity. Have you educated them about online safety? Do you already have rules around the use of apps and social media platforms?
8. Make sure you have turned on the setting that prevents your child from re-installing deleted apps. (Settings > iTunes & App Store purchases > tap to turn off)
9. Have a list of reliable sources you can consult. Great websites to bookmark are https://www.esafety.gov.au/ and https://www.commonsensemedia.org/.
10. Google can be your friend. A few searches on Google can confirm whether or not an app is one you want your tween/teen to be using.

Remember – you are the parent guiding your child’s online activities. There will be times when you will need to loosen the reins and times when you will have to give a flat out ‘No’. You know your tween/teen best. So follow your feelings.

www.linkedin.com/in/nicolle-embra-804259122/
www.thetechmum.com
www.facebook.com/TheTechMum
www.pinterest.com.au/thetechmum
INDUSTRY PERSPECTIVES
DR DAVID STOCKDALE

THE YEAR THAT WAS 2020: AN AUSCERT PERSPECTIVE ON CYBER THREAT INTELLIGENCE by Dr David Stockdale, Director AusCERT, Australia’s Pioneer Cyber Emergency Response Team

Much has occurred over the past twelve months, in all aspects of life, cybersecurity included. Daily life has changed, and we have been required to adapt in both our social environments and our workplaces. Many people have pivoted to working from home using a variety of IT equipment, both old and new; patched and unpatched, supported and unsupported. Additionally, our perception of what is “safe” versus “unsafe” is very different when we’re sitting with a laptop at the kitchen bench with no one to remind us of the ever-present cyber threats. The risk profile has changed, sadly creating an opportunity for the cybercriminal, and one that has been exploited significantly.

Criminals took advantage of the rapid (and often chaotic) transitions that many organisations went through in early 2020, which correlated with AusCERT experiencing a peak of reported member incidents for quarter one, 2020 in March.

In addition to the volume of activity, we also know organisations that had not implemented a strategy for secure remote working were significantly more likely to be impacted by some form of cyber disruption than those that were prepared. In 2020 AusCERT assisted with over 3,800 reported member incidents, on average fourteen incidents (“tickets”) per day. The three most commonly reported incidents were phishing email response, incident response advice and malware analysis. AusCERT also issued more than 4,700 security bulletins, more than 200 of which originated from the AusCERT team. Security bulletins are a fundamental tool to streamline security patching.

ADAPTATION IS KEY TO WINNING THE BATTLE: 2020 CYBER SECURITY SURVEY RESULTS

For the fifth year in a row, with our partner BDO Australia, we surveyed organisations across Australia and New Zealand. We were able to clearly assess the COVID-19 pandemic’s impacts on cyber, and detail significant shifts in the way organisations are impacted by, and responding to, evolving cyber threats.

Our survey results showed a definite shift in attitudes by organisational leaders when it came to cybersecurity preparedness. COVID-19 was a ‘cyber reality check’.

Respondents indicated a significant increase in data breaches caused by malicious hacking and accidental disclosures by staff. This increase is indicative of the support challenges presented by remote working, and of a lack of preparedness for increased cyber-attacks. Organisations that already had secure remote working capabilities, approximately sixty percent of the respondents, experienced 40 percent fewer incidents in 2020. Those unprepared experienced (and reported) four times the number of data breaches and payment directions, and three times the number of business email compromises and malware infections.

PREPARATION IS THE KEY WORD

We prepare through knowledge and planning - with our knowledge informed by information, in this case, cyber threat intelligence. Cyber threat intelligence comes in many forms, from the operational through to the strategic; even via public agencies. During 2021, AusCERT will develop its capabilities to deliver more of this information, at all levels, to make organisations safer.

“CYBER THREAT SIGNAL”, KEY 2021 PREDICTIONS BY THE CERT COMMUNITY

In late 2020, AusCERT, alongside CERT partners from Korea, India and Sri Lanka, released a joint prediction of the most pertinent cyber threats that 2021 might deliver. Perhaps to no one’s surprise, ransomware attacks were expected to dominate the sector in 2021 in both volume and impact. We also predicted the emergence of “masspearing” – the combination of spamming and spear phishing based on intelligence gained from the dark web – along with an expansion of the dark web markets for sensitive information, in particular a surge in authorisation information. The remote workforce will continue to be targeted leading to greater corporate data leakage. And increasingly sophisticated business email compromises will result in a further rise of spoofed or compromised payments.

INSIGHTS FROM THE FBI INTERNET CRIME COMPLAINT CENTER (IC3)

In 2020, the IC3 agency saw a 69 percent increase from 2019 in the number of complaints. Reported losses from Internet crimes exceeded $US4 billion with Australia ranking fifth as a nation in terms of the number of victims reported.

2020 also saw a large increase in elderly victims of Internet crime. Statistics provided by IC3 showed that approximately thirteen percent of complainants were aged over sixty, with total losses in excess of $US960 million. Tech support scams were identified as the top ranking Internet crime category affecting these elderly victims.

WHAT’S NEXT?

While there are doubtless many unknowns awaiting us in 2021, here are some key issues on the AusCERT agenda this year:

• Expand and enhance our delivery of threat intelligence.
• Remain a trusted incident response partner, both locally and globally.
• Consistently and usefully engage with our members.

The cybersecurity landscape is ever-changing, and AusCERT continues to be passionate about engaging our members to empower their people, capabilities and capacities.

www.linkedin.com/in/dr-david-stockdale
QUEEN A AIGBEFO

WHY DID THE TITANIC SINK? by Queen A Aigbefo, Research student, Macquarie University

The date: May 31, 1911; the location: Belfast, Ireland. Thousands of people gathered to watch the Titanic launch, at the time the world’s largest ship. The Titanic was a beauty to behold and boasted numerous luxurious features, especially for first-class ticket holders. The Titanic was also fitted with state-of-the-art technology: elevators and wireless communication systems that could transmit and receive Morse code.

Yet just over a year later, on the night of April 14, 1912, four days into its maiden voyage from Southampton to New York City, the Titanic struck an iceberg and sank, taking the lives of many on board, including the Captain.

Multiple errors of judgement, process and procedure contributed to the ship’s demise, and they provide salutary lessons today for those charged with securing organisations against cyber-attack.

YOU GET WHAT YOU PAY FOR

Research into the loss of the Titanic discovered that, to save cost and speed up construction, low-quality steel had been used for the rivets that held the ship together. Cost-cutting, despite being a popular strategy to secure the financial position of a business or government department, can have dire consequences.

An organisation’s board and C-suite are often concerned about the return on security investments, and, as the saying goes, if it’s not broken, it does not need fixing. The global pandemic in 2020 led to budget cuts and a decrease in security spending. Boards may not always fully comprehend that consistent security investments are necessary to prevent cyber-attacks. Rather than cutting security budgets, management should reassess their risk landscape and refocus on areas where the business is most vulnerable as employees adapt to the new normal, post-Covid. They should reassess the organisation’s business and security risks, vulnerabilities and threats before making cuts to the security budget that may result in future costs far in excess of any savings achieved.

A BIRD OR A PLANE

The lookout crew stationed in the Titanic’s crow’s nest had no access to binoculars. Before departure the ship’s second officer was transferred off the Titanic. He had the key to the binoculars store in his pocket and forgot to hand it over. Communication is essential to effective and efficient cybersecurity of organisational information assets and resources. The security terrain is always evolving, and changes should be communicated properly down the security line as they occur.
Lapses in communication prevent information flow from top to bottom and from bottom to top. Management needs to plan and duly inform employees when changes occur so employees know where they can get access to security resources, and how to avoid getting stymied when dealing with cybersecurity complexities. Additionally, the Titanic’s radio operator had received several iceberg warnings that night. Most of these he passed along to the bridge, some he dismissed. A judgement call not to relay a particular iceberg warning to the ship’s captain became a costly mistake a few hours later. Employees are often not aware of the consequences of their actions when dealing with security processes or procedures. They may not be interested in staying abreast of the evolving security threat landscape and may not understand how a simple action, such as downloading a piece of software, could initiate a cybersecurity attack. As the security landscape evolves, organisational managements need to keep employees updated on security risks and threats peculiar to their business sector. When employees are aware of likely threats, the organisation stands to benefit by getting feedback on vulnerable business processes where a malicious actor might gain access to the security management system. Cybersecurity is everybody’s responsibility, not just an IT function.
SOUND THE ALARM

After the Titanic struck the iceberg the captain failed to sound a general alarm. Some passengers on board did not fully comprehend the direness of the situation until it was too late.

Employees are usually called out (or sent to training) when they mistakenly click on malicious emails and links. In most cases their work colleagues remain ignorant of the fact that cybercriminals have attempted to gain a foothold in the organisation's network. It is best to sound the alarm and inform employees about every intrusion attempt, for example by circulating a sanitised copy of the phishing lure, so they can recognise when they are being socially engineered.

DON'T SKIP THE DRILL

Lifeboat drills were scheduled to be held on the Titanic every Sunday, but on Sunday April 14, the drill was cancelled. Later that night, the poorly-trained crew were ill-equipped to carry out the evacuation procedure.

As mentioned previously, employees who are less aware of security threats and not properly trained are more susceptible to being exploited as attack vectors by cybercriminals. Periodic security training exercises, drills and awareness campaigns will keep employees alert for security incidents. Humans are the weakest link in the security chain. However, they are also the best last line of defence if equipped with appropriate security training, knowledge and resources.

It has been more than a hundred years since the Titanic's sinking in the North Atlantic Ocean, but we can still learn from the mistakes that contributed to the disaster and resulting loss of life. Security investments to ensure the protection of organisational information assets are vital. However, it is also essential to equip employees with the appropriate security skills and resources to enable them to recognise and resist social engineering tactics. As a captain steers a large vessel through treacherous waters to successfully arrive at harbour, organisations also need to navigate the treacherous security sea, avoiding "icebergs" in order to stay afloat.

www.linkedin.com/in/queenaigbefo/
twitter.com/queenaigbefo
FEATURE

GENDER EQUALITY WON'T WORK WITHOUT THE SUPPORT OF MEN, TOO
by David Braue

As the prime minister's woes have laid bare, male leaders must set the standard for gender equality

Technology companies around the world celebrated International Women's Day in different ways, but their common goal – to raise the profile and promote the equality of women – resonated so strongly with the senior executives of Progress Software that they gave all of the company's 1500 staff, in 16 countries, the day off. It was just one day but, Sara Faatz says, it represented "a huge step" in support of the company's efforts to promote diversity among its workforce.

"A lot of companies talk about diversity, and this was a really powerful way of showing that this is something that we as an organisation believe," she explains, noting the ongoing efforts of an internal group of like-minded diversity champions known as Progress for Her.

"The goal is to support women, empower women, provide leadership and networking opportunities, create the tools they need to create influence, and to create a supportive space to amplify women's ideas and concepts in an inclusive environment."

Importantly, she notes, the group has also welcomed numerous men from across the company: "We believe strongly in allyship," she explains. "Seeing men participate gives [other men] permission to say that this is OK – and maybe it's something that I should think about."

By engaging men in the group's diversity initiatives, adds Faatz – a senior manager on the firm's Telerik and Kendo UI developer relations team – men come to understand that gender inequality is about much more than simply "men not being good to women".

"It's good for men to see that what we're talking about is an empowerment, and needing to change perspective. When they don't understand intent, it's easy for people to be antagonists – but if you can provide a safe environment for allies to participate, that's when barriers are broken down."

ORGANISING FOR CHANGE

Over the past decade, that shared goal of breaking down barriers has driven a global subset of the women in tech movement by which men are being explicitly engaged to bring new perspectives to something that many have been quick to dismiss – often because they believe their company simply doesn't have a gender inequality problem.

One of the key voices in this targeted engagement of men has been the Champions of Change Coalition, which was founded in 2010 by then Australian Sex Discrimination Commissioner Elizabeth Broderick and has since expanded to include sixteen groups and 250 industry leaders across 10 industries.

Broad and deep support for its mission – of having men stand beside women in the push for gender diversity – is producing concrete results, with the group's Impact Report 2020 confirming "an improvement in organisational gender equality actions and a sustained increase in women's representation in most employment categories."

Those improvements are coming thanks to "members stepping up and leading innovative and disruptive initiatives designed to challenge the status quo and shift (disrupt) the systems of inequality beyond their organisations and industries," the report notes.

Driving that disruption through the IT industry in general – and cybersecurity in particular – has been particularly successful under the leadership of executives like NBN Co's Darren Kane, whose efforts towards gender equality were recognised at the 2020 Women in Security Awards as a Male Champion of Change.

"Without a strong leader championing and prioritising that change," his supporters noted in nominating him for the award, "none of what we have achieved would have been possible."

Similar stories recognise the superlative efforts of the other category finalists – including Victorian Department of Premier and Cabinet CISO Shane Moffitt, CyberCX CEO John Paitaridis, WA Police CISO Hai Tran and highly commended winner Matthew Wilson, CEO of Penten. Working with his management team towards a 50/50 gender split within the company, Wilson credited "innovative initiatives" around sick, reservist, domestic violence, carer's and paid parental leave, paid super on a further 26 weeks' unpaid leave, and the availability of multicultural and paid training and study leave.

Over the course of his more than five years with the company, co-workers commended his "decisive and compassionate leadership" that is "real and compassionate, no BS, no games, and underpinned with integrity and a commitment to making the way we work better for everyone."

Kane's support for female-friendly initiatives such as job sharing has helped entrench gender equality for employees of Kane's cybersecurity team – and set an example for other parts of the business as well.
CHANGE COMES FROM THE TOP – BUT GROWS EVERYWHERE

Much of the dialogue about engaging men in gender-equality initiatives revolves around engaging with male CEOs and senior executives – a necessity in an industry where men still hold the majority of executive roles.

Normalising pro-equality viewpoints at the top of the leadership pyramid is about much more than token wins and media sound bites: cultural change trickles down, and engaging with vocal policy-setters helps establish and maintain the right tone for like-minded men to follow – reprogramming the organisation to normalise gender equality.

"We should all be not only striving to achieve diversity requirements," says Bevan Slattery, founder of industry networking venture Cloudscene, "but also be fundamentally improving our approach and attitude to inclusivity in our workplaces and taking tangible action to make a difference. Whether it's related to gender, race, age, or any other minority group, change comes from the top down."

There's no better way to measure the success of those initiatives than through the feedback of direct reports, whose perceptions of successes around gender diversity – and lingering shortcomings – can be crucial in understanding the cultural roadblocks that keep problematic issues in place.

"My managers are all very supportive and my colleagues and I look after each other," says Mandy Turner, manager of the University of Queensland Cyber Security Operations Centre (CSOC). "That's extremely important because we are all just trying to protect the university from cybercrime."

"It's an ever-changing landscape, and we don't need to be worried about whether we will be supported in what we do. If businesses want cybersecurity teams to work really, really well, then managers need to be very supportive of their teams and their people."

Given men's ongoing prevalence in senior executive roles, one way to steadily push towards gender equality is to find ways to represent the current situation in ways that make sense to them.

Cybersecurity firm CyberCX, for one, has added the current gender split as a core KPI, reported monthly to the board along with other key business metrics – ensuring that gender diversity remains at the forefront of the board's priorities.

"We've got a lot more to do," says chief people officer Snezana Jankulovski, "but it's not easy. It's something we're absolutely committed to, and we'll continue to focus on."

Finding ways to insert the cause of diversity into everyday conversations – keeping it top of mind across the company – can be the difference between backing gender equality with headline workforce policies, and building a durable, top-to-bottom business culture where the contributions and capabilities of women are intrinsically valued as much as those of men.

Christie Struckman – a vice president within Gartner's Leadership, Culture and People team – advises managers to use five key strategies to drive the cause of equality through every part of the organisation, and to keep it alive as part of everyday operation. These include creating internal networks and encouraging both men and women to participate in external networks; improving the visibility of women by rotating staff through roles, appointing them to high-visibility projects, and facilitating broad career experiences; reviewing criteria for promotions, ratings, pay, and bonuses to ensure equitable representation; "normalising life needs" by embracing diverse types of leave and flexible work policies; and proactively confronting behaviours that marginalise women.
A JOURNEY OF 1000 MILES BEGINS WITH A SINGLE STEP

The consequences of failing to stamp out discriminatory behaviour and language have been writ large in the media this year, with the toxic Parliament House culture – and the reverberations once such a culture is exposed – a cautionary tale for men at every level, in every organisation.

Gartner advises leaders to watch out for telltale behaviours that indicate a less-than-ideal commitment to gender equality – things like overexplaining, gender-biased language, assumptions about a woman's lack of confidence, ignoring women, idea theft, profiling, tokenism, use of pet names, and more.

Executive coach Katherine Lazaruk, of LZRK Consulting, knows better than most what male executives think and what they need to do to improve their participation in the push towards gender equality. "I've been working with some strong alpha male leaders in… male dominated industries on their leadership presence," she writes, "and have been encouraging them to broaden their perspective on what leadership looks like."

She believes that "it's time for male leaders to step up and become champions so we can advance the pace when it comes to achieving gender parity" – and offers 10 tips for male executives to be proactive about building female-friendly cultures (see sidebar).

Based on progress to date, the engagement of men has been a powerful ally in promoting the cause of women in security – whether in levelling the playing field when choosing a career, building a culture that abolishes intimidation and subtle gendered exclusion, or any of the myriad other ways that men can help the cause of equality.

Jacqui Loustau, founder of the Australian Women in Security Network (AWSN), believes the conversation has passed the tipping point – and that companies now approach her to ask if she can nominate some good candidates for their roles, rather than asking her to explain why diversity is important.

"That conversation has shifted now, and people understand," she says. "Most people understand that diversity is important, and they want to do something about it."

10 WAYS MALE EXECUTIVES CAN STEP UP

Executive consultant Katherine Lazaruk offers 10 tips for men who want to improve their engagement and support for women colleagues and employees. These include:

1. Explicitly tell women they can succeed, that they are capable, and that they belong in the field.
2. Actively engage and sponsor women into different roles and activities.
3. Talk about their capabilities to others and give them explicit credit for their roles/experience.
4. Suggest possibilities to them for further work/study/engagement opportunities.
5. Realise that women don't always step up, speak up, or put up their hand – so call on them.
6. Participate in women's diversity programs to recruit young women for your field, and create them if they don't exist.
7. If you hear gendered messaging or jokes, or notice the work culture isn't welcoming to women – call it out and work to change it.
8. Be aware of the study results on negative effects of bias. Educate yourself on unconscious bias and how people engage.
9. The negative talk/challenging/competitive nature/macho style of interaction in STEM (and elsewhere) is bad for both men and women, but particularly for decreasing engagement with women. Watch yourself and be intentional with your communication.
10. Stop treating pregnancy like an illness. Challenge policies where maternity leave/return to work isn't flexible, and where men don't get to participate in paternity leave/early involvement with their children.
JOANNE WONG

A MORE SECURE FUTURE: THE CASE FOR ENCOURAGING FEMALE PARTICIPATION IN AUSTRALIA'S CYBER SECTOR

The cybersecurity workforce is skewed towards young males, but there are tremendous opportunities for young women who enter this fast-growing profession. Let's encourage them to do so, writes Joanne Wong, Vice President International Marketing APAC and EMEA, LogRhythm.

Hands up who remembers when ICT was almost a female-free zone; the exclusive province of geeks in polo shirts?

As an industry, we've come a long way in the last couple of decades. Recent research from Access Economics suggests women now comprise around 28 per cent of the local ICT workforce, up from just 16 per cent in the late nineties and early noughties.

As I see it, further increasing the percentage of women would be good for the industry and good for women, particularly today when there's much talk of a 'pink collar recession', a reference to the fact that women have suffered disproportionately more than men as a result of the COVID crisis.

Women lost jobs and hours of work at a greater rate than men after shutdowns were implemented last year. They bore the brunt of additional responsibilities at home, such as childcare and home schooling, and it looks likely they'll find it harder to obtain stable, reasonably-paid work going forward.

JOBS FOR THE FUTURE

Government efforts to stimulate the economy out of the COVID downturn have focused on construction, infrastructure and the rapid launch of 'shovel-ready projects' to create economic activity and jobs. It's not a bad approach, but there's no getting around the fact that most of those jobs are for men. There's been less effort expended on coming up with initiatives to get women back 'on the tools' in hard-hit service industries like retail, hospitality and childcare.

One place where women's talents could be put to good use is the sphere in which I've earned my living for the past seven years: cybersecurity.

Even before COVID, the industry was severely shorthanded, and the rapid digital transformation triggered by the pandemic has only exacerbated that shortage. According to AustCyber, we'll need an additional 18,000 cybersecurity professionals by 2026 to ensure the country's digital security needs are met.

BUILDING A HIGH-TECH ARMY

If we fail to reach those numbers Australian businesses and organisations will be increasingly vulnerable to cyber-compromise and attack, from sophisticated state-based actors, criminal syndicates and opportunistic hackers.

The federal government has committed $1.67 billion over the next decade to programs aimed at helping businesses, organisations and individuals better protect themselves. Skilled personnel will be a big part of the solution, with the government expected to employ its own cyber officers to provide an outreach and advice service for small and medium sized businesses.

Large businesses won't be relying on the state to secure their systems and data. Rather, we're seeing them redouble their efforts to ensure they have solutions and skilled staff in place to lessen the likelihood of them becoming the next hack attack victim to hit the headlines.

STEERING GIRLS INTO STEM

All this adds up to attractive career opportunities for women who are willing to enter the cybersecurity sector, and now is the time we should be encouraging them to do so. This means engaging with girls in their high school years, building their interest in STEM and educating them about the plethora of possibilities the ICT industry in general, and the cybersecurity sector in particular, have to offer.

In short, we need to get girls excited about the possibility of a future in technology – and we need to ensure the pathway to that future is well signposted and well lit.

As female cybersecurity professionals we can all do our bit by sharing our stories and offering mentorship and support to students and women who are new to the industry. Those of us in senior roles may also be able to advocate for more 'gender fairness' in our own organisations, via the introduction of hiring, retention and performance appraisal policies that ensure women are given every opportunity to excel and advance.

That's what I'll continue to do, this year and beyond. As someone who's enjoyed a wonderfully satisfying and rewarding career in the sector, I believe it's my time to pay it forward. If enough of us do the same, we can make a real difference to female representation. Helping more women secure interesting, well-paid work in cybersecurity means a safer future for them, and for our country.

www.linkedin.com/in/joannepeileewong/
www.linkedin.com/company/logrhythm/
logrhythm.com/
HOW TO GET MORE GIRLS INTO STEM
by Stuart Corner

In a bid to get more women, especially girls, pursuing careers that require science, technology, engineering and mathematics (STEM), the Australian Government created the Office of the Women in STEM Ambassador in 2018 and appointed professor Lisa Harvey-Smith as the inaugural Women in STEM Ambassador, the first position of its kind in the world. She was re-appointed for another two year term in September 2020.

The office is one of several initiatives in Australia designed to increase the percentage of Australians pursuing STEM related careers. Isabelle Kingsley, research associate for the Office of the Women in STEM Ambassador, detailed some of these and, in particular, her organisation's aims and achievements, in a presentation at #ChooseToChallenge, an online conference organised jointly by ISACA's Sydney and Melbourne Chapters and the Australian Women in Security Network (AWSN), held for International Women's Day, March 9.

10 YEAR MASTERPLAN FOR WOMEN IN STEM

Kingsley said one of the most important initiatives to get more women into STEM was a 10 year plan called the Women in STEM Decadal Plan, developed by the Australian Academy of Science in collaboration with the Australian Academy of Technology and Engineering. It offers a vision and opportunities to guide stakeholders as they identify and implement specific actions they must take to build the strongest STEM workforce possible to support Australia's prosperity.

"It's our roadmap. We follow this plan, with the goal in 10 years of really shifting the dial to get more girls studying STEM and more women in STEM roles, but also in senior leadership positions," Kingsley said. "Most of the work of the government and many organisations [to get more women into STEM] is driven and guided by this plan.

"We've identified some of the barriers we want to tackle. Then we look at what has worked before, and we base what we're going to do on evidence. Then we look at what we did, what was the outcome. So we measure, we evaluate to find out what works and how to improve what doesn't."

TARGETING TEACHERS AND PARENTS

She said teachers and parents were the main influences on children, so the Office of the Ambassador had launched a project to educate these people on STEM opportunities for girls.

"We have a big awareness raising initiative called Future You. There are video games and characters that have really cool STEM jobs that challenge the stereotypes. We are trying to engage young people into thinking differently."

She said the campaign, in October and November, had been very successful. "We were able to see that we had increased kids' interest in STEM from 36 percent to 63 percent, and threefold for the girls."

There were many similar programs run by other organisations. "One of the best places to find all of those programs, especially for school kids, is the STARportal run by the Office of the Chief Scientist," Kingsley said.

EVALUATING STEM INITIATIVES

Her organisation has developed a national evaluation framework for girls into STEM initiatives. "We put together a resource called the Evaluating STEM Gender Equity Programs Guide. It's a really useful, very simple, step-by-step tool to measure your initiatives and your programs in your workplace, to see if they're actually doing what you want them to do," she said.

"The guide breaks evaluation down into five steps: defining what you're trying to achieve, planning your activity or your program and your evaluation, designing it, executing it, and then how to share it publicly and openly and transparently.

"We published this in December and our plan is to get this broadly used across the country for equity programs, and make evaluation a condition for funding a lot of the programs that do get funded by the government, and then have a repository of evaluation so people can look at what's been done before, see all the evaluation findings, see what worked, what didn't."
RISK-TAKERS AND CHALLENGERS - WOMEN IN CYBERSECURITY STARTUPS
by Kirstin McIntosh, Head of Partnerships, CyRise

Where are the women in Australian cybersecurity startups? That's a question I am often asked. And I'm probably one of the few people who can answer that question. As head of partnerships at CyRise, I work with some of the most talented and ambitious people in the cybersecurity community.

CyRise is a venture accelerator funded by Deakin University and NTT that champions early stage cybersecurity startups in the APAC region. We invest in founders who are building innovative and globally scalable products, and we help accelerate their growth.

Since 2017 CyRise has invested in 27 startups, and five of those are led by women founders. They account for 18 percent of our portfolio. However, that's not a complete picture. Alongside these women founders there are women who work inside startups and women who support startup founders. They have something in common: they are all risk-takers.

STARTUPS IN THE AUSTRALIAN CYBERSECURITY INDUSTRY

AustCyber estimated there were about 26,500 people working in cybersecurity in Australia in 2020, but few in cybersecurity startups. It is not a career path many people are aware of, or decide to take. Corporate cybersecurity roles offer good money, interesting work, structured career progression and job security.

Faced with this attractive alternative, people who choose to work in cybersecurity startups have to really love what they do. It's not for everyone. Those who make the choice face job uncertainty, low pay compared to mainstream cybersecurity roles, and crazy hours. Startup roles are all-consuming, but come with the adrenaline rush of constant learning, the lure of future success, and the opportunity to take charge and create. Most of all, those in these roles see the potential for their ambition, energy and ideas to make an impact on the world.

Interestingly, when CyRise and the Australian Information Security Association (AISA) ran an online survey in 2018 asking about five-year career goals, 26 percent of respondents saw themselves working in a cybersecurity startup. There was no difference between men's and women's responses.

In 2020, under the shadow of COVID-19, CyRise had many conversations with people from different backgrounds contemplating a career change, wanting to develop a big idea or solve a problem. So, perhaps there will be a surge of new startups over the next 12 months, and more women seeking a career in the startup world.
WOMEN IN CYBERSECURITY STARTUPS

1. THE FOUNDER

At CyRise, we track cybersecurity startup founders, often from the very early stages of a product idea. We talk to as many as we can to help them progress. Some people may never go further, but others pop up and surprise us. We never know where a brilliant new startup founder will emerge.

We have identified 13 women founders out of 202 active early-stage startups, six percent of the Australian cybersecurity startups we track. Seven of these companies have the woman founder in the role of CEO. There are only three companies where the woman founder leads alone, without the support of a co-founder.

The most recent (and only) Australia-wide startup report, Startup Muster 2018, reported that 22.3 percent of respondents who had founded startups and 37.1 percent of those planning a startup were women.

More recently, the State of Australian Tech Report 2020, released in March 2021 by PauseFest, said: "The data we received regarding the founders' backgrounds is a representation of the Australian startup sector as a whole in that it is still very much male-dominated, with women underrepresented across STEM and leadership positions."

The Australian government recently set up a $52 million Boosting Female Founders grant funding initiative with the aim of increasing the number of female founders who scale their businesses successfully.

The ex-consultant who seeks a challenge
TRACIE THOMPSON, CEO and Co-founder, HackHunter

We have started two businesses, the first was a consulting practice, and our second a startup. It was a natural progression for me. Consulting is really hard - you have to find work for every staff member all the time. We sold this business, and decided to challenge ourselves to do hardware. It's exhilarating when it starts working. You own everything. You are creating everything. The good is you, the bad is you. It fuels itself. It's so motivating to know you are doing something you are in charge of, something people want.

I never have Monday-itis. I am excited to get up every day to start work.

I'm always driving things forward to meet our goal, being challenged with a roadblock, thinking on my feet. It's exciting and invigorating knowing we can do it. I know that we, as a team, can solve anything that comes up.

The corporate escapee
SUSIE JONES, CEO and Co-founder, Cynch Security

I love "getting shit done". I don't think that far ahead. I'm a medium term planner. In startup life, there is no need to plan too far ahead. Being able to adapt quickly and get shit done is very appealing after 15 years in corporate life where change happened through templates and plans that were pushed up through the ranks before anything could happen. Freedom to do what needs to be done is amazing. Culture is important to me. I thrive in fast-paced, supportive cultures.

I love sharing and creating the culture I work in, rather than having to adapt to somebody else's. We talk about "People for Susie", and it's been an interesting challenge to create that from nothing.
2.THE BUILDER In startups, often only the founders get noticed. Yet there are key team members who contribute their talent to a startup’s growth. There are currently no statistics available for the number of women working in cybersecurity startups in Australia. Here’s the voice of one woman builder who chose this path.
I am knowledge-greedy. I want to know it all. Technically, I’m an electrical engineer who retrained. My background is completely different from cyber, but the principles are the same. If a company is willing to allow me to grow, I will join it. However, it was really hard to find a job as a woman and an immigrant. People see you as your role, and don’t want you to expand it. Even though I was capable, I was stuck and bored and not valued. A mentor pointed me towards startups. “You can learn on the job. They will allow you to achieve what you want, and you will help them. You won’t get The voracious learner
paid a lot, but you will enjoy it.”
YAEL STEINBURGER
It was the best decision I ever made. I achieve my goals, and I am doing
full stack software engineer, badook.ai
almost everything. I now have a wider view, which helps me make better decisions and create better solutions. So I am pleased and satisfied. You don’t get paid much. It’s a small place, like a family, and you aren’t a number.
3. THE PARTNER

These awesome women play key roles in the cybersecurity startup ecosystem, yet are the unseen champions of our small community. Simply put, without them quite a few Aussie startups would not exist today.

The Gold Coast snowboarder
ELLE MCCARTY, SecureStack

I was a snowboarding instructor working in Australia, Canada, Austria and the States, when I first met Paul, and he followed me to Australia. Paul McCarty founded SecureStack in November 2018. I didn’t really know what we were in for with SecureStack. Was I brave, or ignorant? I put a lot of trust, both in Paul and in his confidence in his idea. I knew he could do it. It’s exciting, and even though it is taking a lot longer than we thought, I’m still ok with it. It was more of a challenge and a shock than I expected. Paul was able to do one or two days consulting a week while starting SecureStack. It was important to have that buffer, along with a good nest egg of savings. He keeps me involved. I feel SecureStack is part of me. He gets excited, so I get excited! We enjoy the wins together.
INDUSTRY PERSPECTIVES
Thoughts on why there aren’t more women in the cyber startup scene:

This is a complex question. It is certainly bound up in the wider debate of diverse participation in the technology sector as a whole. On top of that, there is the unhelpful stereotype ‘hoodie/hacker’ reputation of cybersecurity. But startups? Don’t they offer an alternative? Here are some searingly honest views that are important to acknowledge if we are to effect change.

• Startups as a career choice: “People still don’t know that startups are a thing. Most equate working for a startup with working for a small business. People like working in large corporates, and want to solve big problems right now.”

• Financial stability impacts choices: In the 2018 Startup Muster report, 37.5 percent of founders agreed that life circumstances requiring a stable income were the main hindrance when founding a startup. “The money does matter - you are paid less, you have less financial stability, and it’s all-consuming.”

• Motherhood: “Being a startup founder and a mother, it’s hard to balance.” “Women manage families. If you are a mother, it’s harder to take the risks. It takes time to develop or invest in yourself. This can prevent women from even starting.”

• Discrimination: “There are still a lot of double standards. I worked in an electronics startup and I had a female colleague from the most prestigious university in the country, but the founders gave her a low role, not in R&D where she would have fitted best. I am not going to fight this - I will go elsewhere. Your loss.”

What would help make a real difference? There are many ways to bring about change. Some are systemic, some are attitudinal, and some are things we can do now, today. Improvements in the gender pay gap, and changes in women’s financial stability and domestic responsibilities will all have a huge impact on the participation of women in the economy, and will result in more women being visible in startups.

Yael Steinburger of badook.ai is forthright about the cultural changes required around gender roles: “Management must be feminists - they should measure you on your concrete attributes, not your organs or where you come from! More equal attitudes will make a difference. It is changing, and it’s slow. But I am optimistic.”

“I love ‘getting shit done’. I don’t think that far ahead. I’m a medium term planner.”
- Susie Jones, CEO and Co-founder, Cynch Security

Susie Jones of Cynch Security believes there to be a great story about what startups offer - “We can talk about all the good stuff and the opportunities available that will attract women. Startups solve amazing problems. We have the ability to have a real impact on the lives of our customers. We actually help people - cyber is more than tech, it’s about people. What’s more, I could never have imagined I would have had access to such amazing people, who I would otherwise never have had cause to meet. And while it can be daunting to work with only five or six people, we have many interested people in the wider community always trying to support us.”

People join startups for many different reasons. Personally, I am continually humbled by the courage and audacity of the cybersecurity founders I see. It’s an amazing journey, and I absolutely want to encourage more women to take that first step.

www.linkedin.com/in/kirstin-mcintosh/
www.cyrise.co/
SPONSORSHIP OPPORTUNITIES
AWSN is now accepting new sponsors for 2021. Make a difference and help us create and maintain a supportive and inspiring security community for women. Please reach out to sponsorship@awsn.org.au to discuss in more detail.
Welcome to our 2021 sponsors so far: CyberCX, CISOLens, Afterpay, IAG
AWSN INTERNATIONAL WOMEN’S DAY (IWD) 2021 CELEBRATIONS
by Laura Jiew, AWSN National Social Media & Marketing Lead

March 8th is recognised as International Women’s Day (IWD) – a global celebration of the social, economic, cultural, and political achievements of women. This year’s theme was “Choose to Challenge”. Australian Women in Security Network (AWSN) members around Australia chose to mark the occasion by hosting several events during the week:

CANBERRA
High tea & panel discussion, sponsored and hosted by Penten

This Canberra event celebrated contributions made by women in the cyber, technology and security sectors in our nation’s capital. The event was moderated by the Hon Kate Lundy, and featured a number of panellists, all with career paths that are challenging, fulfilling and important.

• Katherine Ziesing, Managing Editor of The Australian Defence Magazine
• Nina Terrey, Chief for Gender Equality and Global Partner of ThinkPlace
• Eloise Robertson, ICT cadet in the Department of Home Affairs, Founder of the University of Canberra’s Supporting Women in STEM (UCSWIS), and AWSN Canberra Chapter Lead

The event was very well received and left the audience looking forward to the next IWD event in 2022!

Image: Penten
PERTH
Inaugural ‘Women Using Technology’ day, hosted by Edith Cowan University

As part of International Women’s Day Edith Cowan University invited girls in Years 10, 11 and 12 to a day of ‘courses, careers and connections’.

Women from AWSN, the Australian Computer Society (ACS) Women in Tech and Women in Technology WA (WiTWA) provided two-hour workshops in which each presenter shared a video of their workspace, outlined their career journey, including accreditation processes, and staged a hands-on workshop that simulated their job. Alice White, an AWSN Perth Chapter Lead, represented her company, Atlassian, and spoke on the topic of cyber risks. Other topics covered included:

• Ethical Hacking – Laura Davis, Raman Gill and Catriona Forde
• Destructive Testing – Joanne Church
• Scrum Master – Sonia Knox
• Software Development – Zainab Meleki
• Mathematics in 3D – Dr Julia Collins
• Chatbots & NLP – Michelle Sandford and Jiaranai Keatnuxsuo
• Machine Learning and AI – Elizabeth Antoine
• Data Science – Anne Backhaus

Source: ECU, School of Science | Image credit: Dr Michelle Ellis

BRISBANE
What makes a successful security program – panel discussion

Our first IWD2021 event was organised by the AWSN Brisbane chapter. Panel members included Isabella Manning, Jane Hogan, Teagan Cliff and Marie Bylina. Each gave their views on “What makes a successful security program?”, focussing on their individual areas of expertise:

• Strategy, support and program management
• Delivery
• Business transition
• Change management

We hope everyone who attended and tuned in via Zoom benefited from the key points shared at this session. A copy of the recording from the event will be shared via the AWSN website in due course (member access only). We would like to thank our sponsors RiskLogic and Flex by ISPT for making this event in Brisbane happen.

Image credit: Marie Bylina

SYDNEY AND MELBOURNE
AWSN-ISACA joint event – IWD2021 Choose to Challenge

March 9th was a flurry of activity across our two largest network cities: Sydney and Melbourne. The program consisted of several outstanding speakers and topics:

• Challenging with Confidence – Kate Boorer
• In-Demand Skills and Career Pathways – Ben Sawyer, Kate Broughton, Palak Trivedi and Riki Blok
• Don’t Reward the Brilliant Jerk: Fix Toxic Security Culture – Jinan Budge, Jacqui Kernot and James Turner
• Women Forging Innovation Through Technology – Raisa Hashem, Jayne Leighton, Martha Mckeen and Evangeline Endacott
• Mentoring Matters – Sara Gray, Olivia Carline, Cindy Schwartz and Lilian Dean
• Breaking Down the Barriers to Girls and Women’s Participation in STEM – Isabelle Kingsley
• Why Cybersecurity and Resilience Matter, Especially to Women and Those who Love Them – Lisa Young
• How to Challenge for Change masterclass – Markus Ottomar Winzer

And finally, the day also saw the announcement of the annual AWSN-ISACA scholarship recipients by the team from Cyber Leadership Institute. Congratulations to Charlotte Wood, Yvonne Sears and Annette Peploe! Colleagues from ISACA Sydney Chapter and ISACA Melbourne Chapter put in a terrific effort. We would like to thank our sponsors and supporters: SheLeadsTech, EY, Cyber Leadership Institute, Amazon Web Services (AWS) and Privasec for making these sessions in Sydney and Melbourne happen.

Image credits: ISACA Sydney Chapter and Privasec

Over the week many topics were discussed and many minds fuelled with new ideas and the theme: “Choose to Challenge”. From challenge comes change, so let’s all choose to challenge. This year for IWD, Jacqui Loustau, AWSN Founder, challenged anyone and everyone to do something to help change the gender balance in the security industry. It’s not something we can achieve in all male dominated fields, but we can all help make the change in our own field. Every small thing can help make change. Everyone can do something. Everyone can choose to do something.

THREE ACTIONS ANYONE CAN TAKE TO HELP ENABLE GENDER BALANCE:
1. Take a chance on someone you see with potential
2. Be a mentor
3. Call out inappropriate behaviour or gender bias (discreetly or otherwise)
JEFF JACOBS

FROM RE-WRITING JOB ADS TO CHAMPIONING WOMEN’S ACHIEVEMENTS
Here’s how IAG won the 2020 AWSN award for Best Place for Women to Work in Security
by Jeff Jacobs, Executive General Manager, Corporate Security Group, IAG

Jeff Jacobs, Executive General Manager, Corporate Security Group, IAG, reflects on the importance of diversity, challenging workplace culture and what winning the award means to the company.

Q: WHY IS DIVERSITY, PARTICULARLY IN RESPECT OF WOMEN, IMPORTANT TO THE CORPORATE SECURITY GROUP (CSG) AT IAG?

A: IAG has been taking diversity seriously for a very long time. I could see this for myself when I was first consulting here and then after I joined as a permanent employee.

In the Corporate Security Group we believe, first, that building a diverse team is just the right thing to do. Second, from my experience, you get better discussion, decisions and overall outcomes.

Third, our industry is one of the worst in terms of the number of women working in cybersecurity, and that can’t be a good thing. When people talk and think about cybersecurity, the stereotypical image is still of a guy in a hoodie. That’s so 1990s. It’s time for us to change this image and move forward. Only when we have more women in the industry will we truly see the benefits they can bring.

Q: WHAT ARE CSG’S MAIN STRATEGIES FOR ENCOURAGING DIVERSITY?

A: When recruiting, we make sure that the short list has enough women on it. Often you will hear recruitment firms say it is too hard—there aren’t enough women in the pool. When you hear that, don’t accept it. Ask talent teams to be creative, to focus on skills, and perhaps look in neighbouring fields. If they can’t do that, find others who can.

We have also started to make sure that job ads aren’t worded to alienate women by taking out gender-specific stuff, such as terms associated with typical male stereotypes. We encourage the women already in CSG to build industry profiles, and engage with other women and mentoring programs. We also celebrate the success of senior women in CSG—to both acknowledge their achievements and to attract more women into the industry.

Q: WHAT DOES WINNING THE 2020 AWSN AWARD FOR BEST PLACE FOR WOMEN TO WORK IN SECURITY MEAN TO CSG?

A: We are so proud to have won this award. It was a great acknowledgement that we are on the right track at IAG. It was also an opportunity to draw attention to the women who work in security at IAG. Five won AWSN awards in their own right: Elaine Muir, who won Security Champion; Chen Yu, who won Best Secure Coder; Rebecca Winfield, who won Best Champion of Women in Protective Security/Resilience; Amanda Pitrans, who won Best Newcomer in Protective Security/Resilience; and Natasha Passley, who was highly commended for Australia’s Most Outstanding Woman in Protective Security/Resilience. Every day these women not only perform their roles to the highest standard, bringing a diverse array of skills and talents to IAG, they also encourage the women in their teams—and across the industry—and work hard to bring more women into security.

Q: HOW WILL CSG CONTINUE TO ENCOURAGE DIVERSITY?

A: Our team will continue to develop and implement the strategies outlined above, especially in recruitment and position descriptions, and encourage more of our women to play leadership and mentoring roles at an industry level.

We will continue to make sure women in CSG have profiles within the organisation and their talents and work are showcased. Women need to see other women succeeding to know they too can succeed.

Continuing to change our behaviour and culture is a big part of our plans. We need to make sure that women get the chance to speak. I have been in far too many meetings where some voices overshadow those of others. As leaders we need to be more aware when this happens and enable our women, and any others who don’t get a chance, to speak up.

I am determined to encourage our women to try new roles in our new fused cyber and protective services function, even if they don’t feel they are perfectly qualified for those roles. Lastly, we will keep talking about this important issue. By keeping it on the agenda we have a chance to encourage and build more diversity, not only in IAG, but in all industries.

ABOUT JEFF JACOBS

I am currently Executive General Manager of the Corporate Security Group at IAG. I started as the Chief Information Security Officer in November 2015 and my remit covered cyber strategy, governance, defence, response, assessments and education and awareness.

A few years into the role I started to implement what we call internally our Security Fusion strategy. It is about merging security, safety and trust-like functions to reduce duplication, better share data and insights, and improve the way we keep our people, places and data safe.

Initially this started with bringing into my team all aspects of physical security (which we call protective security) and co-locating our staff in a new joint security operations centre. Just recently we extended this fusion to include operational resilience, crisis management and internal fraud. Once again, we will look to co-locate our people to the new Security Fusion Centre, which, of course, will be both a physical location and a virtual one, because many people will be working remotely at various times.

Before joining IAG I spent 12 years in banking in various roles, including as Chief Technology Officer for Westpac Group, General Manager of Strategy and Architecture for CBA, and in delivery roles at Colonial First State. Prior to banking I was at both AMP and Zurich Financial Services in various IT and business roles.

In my career I have had the pleasure to have been almost always in roles where I worked on new and emerging technologies and trends, where the organisation was trying to build or uplift its capabilities, such as in digital, analytics, workspace of the future, cloud and cyber.

www.linkedin.com/in/jmjacobs/
www.iag.com.au
JOANNE COOPER

BUILDING THE FOUNDATIONS OF A NEW DATA ECONOMY
by Joanne Cooper, CEO of ID Exchange Pty Ltd

For Joanne Cooper, CEO of ID Exchange Pty Ltd, which in December 2020 launched the Australian Data Exchange brand, a secure data sharing service, the opportunity offered by secure sharing of personal data was obvious. Data shared with consent, she says, offers enormous potential for innovation and personalised services for consumers, businesses, healthcare and governments alike.

Today the market is nascent, but growing fast as the enormous win-win potential of data sharing leads to a surge of data-enabling technologies, most obviously in the fintech and regtech arenas. Two key developments are set to speed this up. The first is a critical phase of the government’s consumer data right (CDR) regulation coming into force on July 1. It will give consumers greater control over the consented use of their own data, including the ability to share it securely. This will see all banks obliged to respond to data requests from consumers, not just the Big Four as at present.

FINTECH A KEY ATTRACTION

The second development is a talented and fast-growing fintech sector being touted as a key attraction by the new Global Australia programme designed to lure high-flying businesses and individuals to the country.

Cooper is excited about what the next year will bring as education, innovation and opportunity collide. Data, she says, can be the fuel for a whole host of new services in both the private and public arenas, and is the bedrock of the growing sharing economy. However, there will be compliance and cost bottlenecks for access to this data unless it is held by the individuals who create it and shared with their consent, and on demand. Achieving this would open the door to unlimited innovation and progress. It is this model that Cooper, through a partnership with award-winning personal data sharing platform digi.me, is bringing to the Australian market.

Cooper is a leading enthusiast and innovator in this space and is excited at the opportunity to educate and make waves in the traditional banking services world. She recently spoke at the Microsoft-sponsored #ACCELERATERegTech2021 event on why good data is the cornerstone of this new economy.

CONSENTED DATA SHARING A WIN-WIN

She says consented data sharing is a win-win for both parties. “Businesses gain access to vastly richer, wider and more accurate sources directly from consumers, which in turn opens the door to a new wave of hyper-personalised and consumer-centric financial services that can be developed rapidly, free of the need, or cost, to establish and maintain costly backend infrastructure.

“This is especially true in the financial services arena, where plug-and-play models are disrupting traditional banking services and opening up a wealth of new options and services for consumers.”

Australian Data Exchange sees itself as underpinning and accelerating the CDR regime. Cooper says the creation of a data-enabling environment will supercharge the CDR’s intermediary potential, enabling app developers to create tailored services that leverage ethical data services with direct-to-consumer access, harnessing the innovative possibilities of wider, multi-source and consented data.

She firmly believes that this gives early-stage businesses, in particular, the ability to jump to the next level, confident that all consent and privacy considerations have been taken care of, leaving them free to focus on developing their service and unique selling proposition.

MAGIC CAN HAPPEN

“Now the magic can happen through the ability to forge countless tailored value exchanges across every sector as the CDR cascades into other sectors of the economy including energy and telecommunications,” she says.

“As it does so, it will fast-track market disruptions by turning on the tap to the most effective resource, data.” She is clear that collaboration – both within Australia and across borders – is key to maximising the market opportunity for consumers and businesses alike. Examples of this collaboration include the imminent UK / Australia Free Trade Agreement (FTA), which has a specific focus on fintech, and the well-regarded Fintech Bridge between the UK and Australian governments, for which both ID Exchange and digi.me are ambassadors.

While Europe has traditionally been seen as the leader of fintech progress, the eyes of the world are turning rapidly to Australia’s enlightened open banking and data rights movements, and high rates of fintech adoption. Cooper says this positioning, in combination with being a gateway to the important APAC market, is helping push the country steadily along the path to economy-wide data sharing.

RIGHT PRODUCT, AT THE RIGHT TIME

She likes to call digi.me ‘a little black dress’: a borderless and sustainable platform solution that complies with all privacy laws around the globe, making it always the right product at the right time, whatever the sector and whatever the use case. The need for a universal solution for smooth, secure, consented access to consumer data becomes even greater as governments worldwide seek to build back better after the COVID-19 pandemic. As the benefits of better direct-to-consumer reach become ever more obvious in multiple arenas, including health, it is also increasingly clear that an economy built on data is better for consumers, and better for businesses, healthcare services, and for governments. Cooper has made it her mission to fulfil the potential of a global data economy: to lead, direct, accelerate and pull the various strands together. Collaboration and partnerships, she says, are the secret to success, and she is determined to leverage these to the hilt to bring about a personal data revolution, for the good of us all.

www.linkedin.com/in/joanne-cooper-50369734/
www.idexchange.me
www.digi.me
www.facebook.com/australiandataexchange.com.au
twitter.com/idexchange_me
WENDY THOMAS

HOW SECUREWORKS CHAMPIONS FEMALES IN SENIOR ROLES
by Wendy Thomas, President, Secureworks

In 2020 the proportion of women in senior management roles globally was just 29 percent.¹ This would be a remarkable statistic in any year, but in the midst of a global pandemic, when one in four women were considering leaving the workforce to focus on caregiving, this was a wake-up call. The impact of the pandemic on women’s career trajectories remains to be seen, but as I consider the future of work and the opportunities for women to advance within it, I’m optimistic about what’s ahead.

In the last 25 years I’ve held a series of leadership roles including chief financial officer, chief product officer and, currently, president at a global cybersecurity company. In these roles I’ve had the opportunity to pay it forward and share with others the lessons I’ve learned throughout my career journey and create a culture that is both inclusive and rewarding. At Secureworks we strive to create a new narrative for women working in technology, a narrative of growth and opportunity equal to that of their male counterparts. We are not perfect, and how to best foster equity is an intentional and ongoing conversation across the company. But I believe all organisations, including Secureworks, can make a significant difference for female employees by adopting a few simple, impactful practices, including:

1. Pay consistency regardless of race or gender. Despite the years of discussion and global attention on the gender pay gap, this is still a prominent issue for most organisations. Often, it starts at the beginning of a woman’s career and is perpetuated by organisations that base compensation on what candidates have historically earned rather than the position’s grade level and market value.

As noted by the Center for American Progress, in the article Quick Facts About the Gender Wage Gap, “For context, a woman working full-time, year-round earned $10,194 [AU$13,404] less than her male counterpart, on average, in 2018. If this wage gap were to remain unchanged, she would earn about $407,760 [AU$536,150] less than a man over the course of a 40-year career.”

One practice all companies can adopt to decrease the gender pay gap is to stop asking for a candidate’s current compensation and using that as the basis for their offer. Instead, the talent acquisition and hiring team can develop what they consider to be fair compensation for the role.

2. Recruiting practices. At Secureworks we’ve been scrubbing our job descriptions around pre-qualifying requirements that are nice-to-have versus must-have to ensure they encompass a broader talent pool. For example, some of our best and brightest employees don’t have a traditional education, but their drive to self-educate and pursue certifications is an impressive trait that makes them tremendous assets to the organisation.

It’s also important to stay flexible and open to candidates with what were traditionally considered “gaps” in their resumé, particularly in the wake of the COVID-19 pandemic. For example, a female candidate who took a year or two off to home-school her children or care for an ailing parent shouldn’t be eliminated on that basis alone.

3. Flexibility. With broader adoption of the cloud and advances in collaboration tools and secure remote access, a growing percentage of the worldwide workforce can – either by choice or necessity – work from home. By eliminating the requirement that employees complete all work in a physical office during prescribed work hours, and by focusing on outcomes and impact rather than time spent, companies can reduce barriers to recruiting great talent. A flexible approach can benefit everyone, but statistically, women carry the majority of household and family responsibilities even when both parents work full-time. According to a McKinsey report, “Women...do an average of 75 percent of the world’s total unpaid care work, including childcare, caring for the elderly, cooking, and cleaning.” Flexible working policies help those individuals create balance and manage priorities. Without this flexibility, organisations risk losing out on great talent.

FEEDBACK, MENTORS AND SPONSORS

In my experience, members of underrepresented groups, who don’t see someone like themselves in a leadership role, tend to be more hesitant to ask for mentorship, feedback, or support. This is why I encourage my leadership team to adopt three specific practices: feedback, mentorship and sponsorship. For women looking to grow into senior roles in their careers, I recommend they proactively seek out these opportunities.

• Feedback: Seek feedback proactively, regularly, and with an open mind – and not just from your managers. Colleagues, friends and family members will also provide observations and feedback that can help you understand how you’re perceived, and enable you to grow.

• Mentors: Though it is often mistakenly perceived as a one-way relationship, mentorship should be mutually beneficial. A great mentor also seeks knowledge, so it’s important to be equally thoughtful about what you bring to the relationship.

• Sponsors: Identify your sponsors. Mentors are important, but careers rarely progress without strong sponsorship inside your organisation. Sponsors are the senior level people within the organisation who advocate for you, promote your work, champion your projects, and ultimately influence your career success.

The cybersecurity industry is ripe with opportunities to build a rewarding career and to make a positive impact on the world. Our mission at Secureworks is securing human progress by outpacing and outmanoeuvring the adversary, and we have a unique opportunity in the current climate of growing social awareness and dialogue to drive fundamental change. I am honoured to pay forward all the helping hands I have had over my career, and to champion women’s success for the benefit of the security community.

www.linkedin.com/in/wendy-thomas-7133283/
www.secureworks.com/

¹ Grant Thornton, Women in Business 2020: Putting the Blueprint into Action (2020): p. 3.
20th Annual AusCERT Cyber Security Conference
11th - 14th May 2021 // The Star Hotel, Gold Coast, Australia
4 days | 50+ speakers | in person & virtual
Keynote speakers: Ciaran Martin (University of Oxford), Maddie Stone (Google Project Zero)
Register now: conference.auscert.org.au
TECHNOLOGY PERSPECTIVES
COLUMN

CRAIG FORD
Cyber Enthusiast, Ethical Hacker, Author of A hacker I am vol1 & vol2

Start-ups, why you need to get security right from the start

Security is important in any business, right? What about start-ups? Are they any different? Do they need to have a focus on security? They are fast-moving and innovative businesses that do not always have a free-flowing budget to spend on cybersecurity. They want to focus on the core function of their business and push forward at lightning speed towards whatever goal they have set. Right? A “she’ll be right” attitude comes to mind.

Picture this: you have a beautiful red sports car (I am a Mustang guy so let’s say it’s a Mustang). It’s shiny, it’s new and it looks like a million dollars. You get in behind the wheel and the fresh new car smell hits you. The soft but hugging leather seats seem to mould around you as though they were made just for you. You reach over to grab the seat belt but there isn’t one. Strange, but if you needed it they would have put one in for sure.

You hit the ignition button and you hear the engine roar to life. The sound of that V8 almost makes your heart jump out of your chest, but you calm yourself, grip the steering wheel. You’ve got this. You look around quickly to check your surroundings. Everything looks good so you punch the accelerator to the floor. The acceleration throws you back in your seat and you feel the rear end of the car slide out a little, so you let up on the throttle. You are screaming down the road so fast objects on each side are going by in a blur. Shouldn’t you slow down? No, let’s push it. You punch the throttle back to the floor and your pulse increases with the Mustang’s speed.

You continue with devilish speed for what feels like minutes but suddenly the power steering fails and it becomes harder to control the car. You lift your foot but then a tyre blows and the car starts to pull wildly left and right. You are losing control. You hit the brakes but the car doesn’t have antilock braking (it was built for speed not comfort and safety after all). You panic and pull on the handbrake. The car jerks sideways and flips, rolling over and over, throwing you around the vehicle. There are bits of glass and cheap plastic flying around the car, hitting you at every turn. There are no airbags. They didn’t think people cared about those. People just wanted to look good and go fast.

You don’t know how many times the car rolled. You are badly wounded, the car is lying on its roof and you can feel injuries everywhere in your body. I bet you wish they hadn’t cut some of those safety corners.

That seat belt could have kept you secure in your seat, the antilock brakes might have helped you keep control, and airbags might have protected you from further injuries. Yes, they probably wouldn’t have saved you from yourself, ignoring the dangers. And they wouldn’t have stopped the steering malfunction or even the tyre blowout. Those just happened. What about your decision to yank on the handbrake when all hell broke loose and you had already lost control? Too late, and not something that could have saved you from the ensuing catastrophe.

Do you see the picture now? Or are you sitting there reading this going “what is he ranting on about?” What do a sports car and an idiot driving like crazy have to do with cybersecurity? Glad you asked (well you didn’t really, but let’s pretend you did). Cybersecurity is very important for every business. It can help protect you and your business from oncoming threats. The seat belt could be your EDR (endpoint detection and response) platform. It could help protect you from viruses, system breaches (or at least tell you about these so you can deal with them), malicious apps being run by unsuspecting staff, and so much more.

The airbags could be your email protection and filtering. They could stop a scam email getting into your systems and to your users. They could stop users from clicking on a malicious link in an email, or opening an attachment.

Maybe some user awareness training could have taught your team members how to protect themselves from threats and maybe they would not have pulled the handbrake and panicked. Maybe they would have seen the scam or threat coming, stopped and thought about the situation. They might have sought a second opinion, or called the person who said they wanted their bank details changed. They just might have. Maybe the people behind this awesome start-up that shines like a glimmering sports car and moves at lightning speed will slow down for just a few moments. Maybe they will see the value for both them and their customers in getting things right first time. Maybe they will spend just that little bit more getting worst-case scenarios so they can cope with them when they happen. (Trust me, they will happen, just make sure you have a plan). Chaos does not end well for anyone. Yes you can survive, but at what cost?

Could a major breach cost your company its reputation and destroy it when you’ve barely got started? Could you end up in the rubble of a collapsing office or a rolling car with no hope for recovery? This could be the fate of many start-ups.

So, don’t treat security as an afterthought. Bake it into your systems and processes. Make it an ingrained part of your business and culture. Don’t be that glimmering light that is shrouded in misery because you didn’t think security was important. It is.

Stop for a moment, think about this and make a plan to bring security to the top of your priority list. Then you can get back to launching rockets into space, or curing cancer. You can’t do any of those things if you don’t exist.

www.linkedin.com/in/craig-ford-cybersecurity
www.amazon.com/Craig-Ford/e/B07XNMMV8R
www.facebook.com/pg/AHackerIam/
twitter.com/CraigFord_Cyber
those safety protections in place and planning for the
WOMEN IN SECURITY MAGAZINE
103
LAURA JIEW

“SHARE TODAY, SAVE TOMORROW”

How AusCERT helped its members tackle the recent Microsoft Exchange server ProxyLogon critical vulnerabilities and exploits

by Laura Jiew, Events and Marketing Communications Coordinator, AusCERT, Australia’s pioneer Cyber Emergency Response Team

On the 2nd of March, news broke revealing that multiple zero-day Microsoft Exchange vulnerabilities had been exploited. AusCERT quickly communicated this news to its members by retweeting the active exploitation advisory from Volexity, a security firm based in Reston, Virginia, USA. This was quickly followed by a security bulletin alert the same day and the sharing of multiple articles through ADIR, the AusCERT Daily Intelligence Report, a summary of curated infosec news we email to subscribers by close of business, Monday to Thursday. We also monitored and facilitated a number of discussions on our member Slack channel and relayed all relevant information to our members.

Following the release of our security bulletin alert, our team of analysts quickly conducted a Shodan scan to determine the effects of this exploit on the AusCERT member constituency as part of our Member Security Incident Notifications (MSINs) service. MSINs are relevant security reports containing notifications customised for each of our member organisations, based on their supplied IPs and domains and drawn from AusCERT’s large overseas and local threat intelligence feeds of information on incidents that have been detected by other parties.

Details from the Shodan scan were shared with affected members, and they were offered assistance with interpreting the results, patching their systems and checking for compromise.

As time passed, the vulnerability became known as the ProxyLogon exploit and the party responsible was identified by the Microsoft Threat Intelligence Center (MSTIC) as a state-sponsored threat actor named HAFNIUM.

It became clear to AusCERT that ProxyLogon was evolving. The associated AusCERT security bulletin is now in its fifth iteration and the team has also produced a blog titled “Patching for HAFNIUM is just half of the story.”

On the 12th of March, the Australian Cyber Security Centre (ACSC), the Australian Government’s lead agency for cybersecurity, issued a high level alert advisory to members of the Australian public which did much to raise public awareness of the severity of this exploit.

AusCERT would like to acknowledge and thank our colleagues from the Shadowserver Foundation team for releasing nine special reports on ProxyLogon as part of its Shadowserver Special Reports – Exchange Scanning series.

On the same day that ACSC issued its high alert advisory on ProxyLogon, Shadowserver distributed to 120 National CSIRTs and more than 5900 network owners across 148 countries (a group that AusCERT is proud to be a part of) the first instalment of its special report series containing information on what were believed to be victims of the HAFNIUM Microsoft Exchange Server exploits.

Our team of analysts conducted further analyses and reached out to all affected members each time a detailed report came through from Shadowserver. These emails contained remediation advice additional to standard patching and mitigation steps.

At the time of writing, Microsoft has claimed that around 30,000 of a total of 400,000 Exchange email servers deployed on-premises across the world are still vulnerable to attacks associated with the ProxyLogon exploits.

Until there are no more indicators being published and shared by the various cyber threat intelligence agencies within our sector, it is important to remain vigilant.

We hope that by sharing our experience in dealing with this wide-scale, highly-publicised cybersecurity exploit, we can encourage organisations to be proactive with their cybersecurity posture: “share today, save tomorrow.”

As a not-for-profit organisation, AusCERT is passionate about engaging with members to empower their people, enhance their capabilities and capacities, and help them prevent, detect, respond to and mitigate cyber-based attacks.

www.linkedin.com/in/laurajiew/
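The per-member notification step described above (scan or third-party report findings mapped onto each member's supplied IPs and domains), as an added example that is not AusCERT's code; the member list, the report rows, the tag names and the notification wording are constructed for illustration:

```python
"""Matching an exposure/compromise report against member asset lists.

Added example, not AusCERT's code. Findings from a scan or a third-party
report are mapped onto each member's supplied IP ranges and domains, and
every affected member gets its own notification. The member constituency,
the report rows and the tag names are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed member constituency: each member supplies CIDRs and domains.
MEMBERS = {
    "member-a": {"cidrs": ["198.51.100.0/24"], "domains": ["example-a.test"]},
    "member-b": {"cidrs": ["203.0.113.0/25"], "domains": ["mail.example-b.test"]},
}

# Constructed rows in the shape of a scan/report feed: ip, hostname, tag.
REPORT_ROWS = [
    {"ip": "198.51.100.23", "hostname": "owa.example-a.test", "tag": "exchange-vulnerable"},
    {"ip": "203.0.113.200", "hostname": "", "tag": "exchange-vulnerable"},  # outside member-b's /25
    {"ip": "192.0.2.7", "hostname": "mail.example-b.test", "tag": "exchange-compromised"},
    {"ip": "192.0.2.99", "hostname": "unrelated.test", "tag": "exchange-vulnerable"},
]


def _build_index(members):
    nets = [(ipaddress.ip_network(c), m) for m, d in members.items() for c in d["cidrs"]]
    doms = {dom.lower(): m for m, d in members.items() for dom in d["domains"]}
    return nets, doms


def _domain_owner(hostname: str, doms: Dict[str, str]) -> Optional[str]:
    """Owner of a hostname: exact match or any subdomain of a supplied domain."""
    host = hostname.lower().rstrip(".")
    for dom, member in doms.items():
        if host == dom or host.endswith("." + dom):
            return member
    return None


def match_rows(rows: List[dict], members=MEMBERS) -> Dict[str, List[dict]]:
    """Group report rows by the member whose IP range or domain they fall in.
    Rows that match no member are dropped (they are not our constituency)."""
    nets, doms = _build_index(members)
    hits: Dict[str, List[dict]] = defaultdict(list)
    for row in rows:
        owner = None
        try:
            addr = ipaddress.ip_address(row["ip"])
            owner = next((m for net, m in nets if addr in net), None)
        except ValueError:
            pass  # malformed IP: fall back to the hostname
        if owner is None and row.get("hostname"):
            owner = _domain_owner(row["hostname"], doms)
        if owner is not None:
            hits[owner].append(row)
    return dict(hits)


def notification(member: str, rows: List[dict]) -> str:
    """Render the member's notification; compromise findings come first,
    because patching alone does not evict an attacker who is already inside."""
    compromised = [r for r in rows if r["tag"] == "exchange-compromised"]
    vulnerable = [r for r in rows if r["tag"] == "exchange-vulnerable"]
    lines = [f"MSIN for {member}: {len(rows)} finding(s)"]
    if compromised:
        lines.append("Reported as compromised; investigate and contain, do not only patch:")
        lines += [f"  - {r['ip']} {r['hostname']}".rstrip() for r in compromised]
    if vulnerable:
        lines.append("Reported as unpatched; patch, then check for compromise:")
        lines += [f"  - {r['ip']} {r['hostname']}".rstrip() for r in vulnerable]
    return "\n".join(lines)


if __name__ == "__main__":
    for member, rows in match_rows(REPORT_ROWS).items():
        print(notification(member, rows), end="\n\n")
```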
MEL MIGRIÑO

MANAGING DATA RISKS IN INDUSTRIAL CONTROL SYSTEMS

by Mel Migriño, group CISO of Meralco, co-founder, Women in Security Alliance, Philippines

Industrial control systems (ICS) are critical for the delivery of power, water, transport and other essential products and services. This makes them a favoured target for cyber criminals motivated by financial gain or ideology. Attacks can also come from market competitors or employees with malicious intent.

Compromise of an ICS network could produce a massive outage of a service such as transport or power, impact a great number of customers, and possibly plunge a nation into crisis.

For many years ICS were isolated from the Internet by an air gap, but today it is a different story. All the different components of these systems—smart meters, controllers, sensors, etc—connect to the internet to send data to the Big Data platform that resides with the IT environment for correlation and insights, and communicate with various IoT devices within the Enterprise of Things. This also makes them, potentially, accessible to anyone from anywhere. Hence it is imperative to implement a robust security framework for ICS, one that is commensurate with the level of risk associated with these networks.

Here are some recommendations to safeguard the ICS environment:

1. Define a security zone. Segment the operational technology (OT) architecture into at least five security zones, namely external third party connections, enterprise DMZ, enterprise, OT DMZ, and process and operations.

2. Implement an external DMZ to provide access to external facing assets. No transit traffic is allowed across servers located in the DMZ.

3. Provision a next generation firewall between each security zone to control the traffic and detect any malicious traffic between network zones. Strengthen the security of the network by implementing a unidirectional gateway to control the flow of information, and implement an intrusion detection system for traffic visibility.

4. Use strong encryption to ensure the integrity of data on critical communications links, and data associated with important processes.

5. Implement access control at all zone entry points.

6. Put in place a mechanism for visibility, detection and response with next generation anti-virus software integrated with a cyber incident response platform. Correlate traffic, user activities and information flows with a next generation Security Information and Event Management (SIEM) system for OT.

These measures represent significant investment and require a lot of work, but they are essential to ensure the security of the rapidly growing number of integrated IT and OT systems.

https://www.linkedin.com/in/mel-migri%C3%B1o-b5464151/
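A way to turn recommendations 1 to 5 above into a checkable policy, as an added example that is not the author's code: the five zone names come from the article, while the allowed zone adjacencies, the placement of the unidirectional gateway on the process zone and the sample flows are constructed assumptions.

```python
"""Zone-boundary policy check for the ICS segmentation recommended above.

Added example, not code from the article. Zone names are the five the
article lists; the allowed adjacencies, the unidirectional gateway placement
and the sample flows are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

EXTERNAL = "external_third_party"
ENT_DMZ = "enterprise_dmz"
ENTERPRISE = "enterprise"
OT_DMZ = "ot_dmz"
PROCESS = "process_and_operations"

ZONES = frozenset({EXTERNAL, ENT_DMZ, ENTERPRISE, OT_DMZ, PROCESS})
DMZ_ZONES = frozenset({ENT_DMZ, OT_DMZ})

# Assumed firewall adjacency (recommendation 3): each pair is a boundary a
# next generation firewall may pass. The process zone has a single outbound
# edge only, modelling a unidirectional gateway: process data may leave,
# nothing may enter.
ALLOWED_EDGES: FrozenSet[Tuple[str, str]] = frozenset({
    (EXTERNAL, ENT_DMZ), (ENT_DMZ, EXTERNAL),
    (ENT_DMZ, ENTERPRISE), (ENTERPRISE, ENT_DMZ),
    (ENTERPRISE, OT_DMZ), (OT_DMZ, ENTERPRISE),
    (PROCESS, OT_DMZ),
})


@dataclass(frozen=True)
class Flow:
    """A proposed connection; `via` lists zones the flow would pass through."""
    src_zone: str
    dst_zone: str
    via: Tuple[str, ...] = ()
    encrypted: bool = True      # recommendation 4
    authenticated: bool = True  # recommendation 5


def path_of(flow: Flow) -> Tuple[str, ...]:
    return (flow.src_zone,) + flow.via + (flow.dst_zone,)


def evaluate(flow: Flow) -> List[str]:
    """Return policy violations for the flow; an empty list means permitted."""
    findings: List[str] = []
    path = path_of(flow)
    for zone in path:
        if zone not in ZONES:
            return [f"unknown zone {zone!r}"]
    # Recommendation 3: every boundary crossed must be an allowed firewall edge.
    for a, b in zip(path, path[1:]):
        if (a, b) not in ALLOWED_EDGES:
            findings.append(f"no firewall rule permits {a} -> {b}")
    # Recommendation 2: a DMZ terminates traffic; it never forwards it onward.
    for zone in flow.via:
        if zone in DMZ_ZONES:
            findings.append(f"transit traffic through {zone} is not allowed")
    # Recommendations 4 and 5.
    if not flow.encrypted:
        findings.append("critical link must be encrypted")
    if not flow.authenticated:
        findings.append("zone entry point requires access control")
    return findings


def audit(flows: Dict[str, Flow]) -> Dict[str, List[str]]:
    """Evaluate a named set of flows; returns only the ones with findings."""
    results = {name: evaluate(flow) for name, flow in flows.items()}
    return {name: f for name, f in results.items() if f}


# Constructed sample flows a reviewer might be asked to approve.
SAMPLE_FLOWS = {
    "historian_export": Flow(PROCESS, OT_DMZ),                            # permitted
    "vendor_remote_control": Flow(OT_DMZ, PROCESS),                       # blocked by gateway
    "partner_to_erp_direct": Flow(EXTERNAL, ENTERPRISE),                  # skips the DMZ
    "partner_to_erp_via_dmz": Flow(EXTERNAL, ENTERPRISE, via=(ENT_DMZ,)), # transit through DMZ
    "plaintext_scada_link": Flow(ENTERPRISE, OT_DMZ, encrypted=False),
}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_FLOWS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```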
Aspiring Women in Security CISO Masterclass The Australian Women in Security Network (AWSN) in partnership with The Security Collective are excited to offer an exclusive short masterclass aimed at women who are aspiring to be Chief Information Security Officers. The CISO masterclass will provide both group and 1:1 coaching sessions for participants to understand potential career paths to CISO roles and to set goals for their own career progression. Starting 23rd March, 2021
Visit awsn.org.au for information about exclusive events, programs, and content. Join Australia's largest community of women in cyber and physical security.
EXPRESSION OF INTEREST SPONSORSHIP Source2Create is thrilled to announce the 2021 Australian Women in Security Awards. This hybrid event will be a glamorous Gala Awards evening based in Sydney. We will be welcoming our guests in person as well as via live stream. To be a part of this energetic initiative register your interest today for sponsorship opportunities.
Deadline for sponsorships: 20th May
JACQUELINE JAYNE

THE 10 COMMANDMENTS OF HUMAN ERROR

by Jacqueline Jayne, Security Awareness Advocate, KnowBe4

1. Thou shalt understand that you have a role to play in staying safe online
2. Thou shalt complete all training and education
3. Thou shalt pay attention to the red flags of social engineering
4. Thou shalt ensure good password hygiene
5. Thou shalt not walk away from one’s device and leave it unlocked
6. Thou shalt pay attention to your surroundings
7. Thou shalt dispose of all data and information in a thoughtful manner
8. Thou shalt report all suspicious activities
9. Honour thy company IT policies
10. Above all else, accept that cybersecurity is everyone’s responsibility

THOU SHALT UNDERSTAND YOUR ROLE IN CYBERSECURITY

Let us start with the stats and nothing but the stats. In a recent report from Stanford University, 88% of data breaches are caused by human error. In the same report, “One third of respondents (33%) told us they rarely or never think about cybersecurity when at work”. When you stop to think about it, this concept makes sense. We are working in a super fast-paced world where our attention is spread thin. For example, people in HR are focused on HR, marketing people are focused on marketing and, you guessed it, finance people are focused on finance. It does not matter what your role is, you need to protect the data in your business unit and keep cyber criminals out of your systems. HR are protecting all the Personally Identifiable Information (PII) for all employees and a lot of confidential information, marketing are the guardians of the brand, communications and sometimes Intellectual Property, and I am sure you all know what finance are protecting. Your IT staff are working around the clock to protect everything all the time and they need your help.

THOU SHALT COMPLETE ALL SECURITY AWARENESS TRAINING

Oh no – please, not death by PowerPoint. Do not worry; there is no death by PowerPoint here. When the training you are asked to do is engaging, entertaining, educational, relevant and you learn something, it is not a chore. Especially when everything you are learning can help you stay safe online outside of work too. Annual security training is a thing of the past as the threat landscape is literally changing every single day and there is no way we can bundle that all up in one session and expect you to remember it. That is not fair to you. When training content changes from a one-minute video to a ten-minute eLearning module or even a highly addictive Netflix-style series, your ability to retain information is increased. As humans, we need to see or hear information at least three times before we start to remember it. Therefore, an ongoing program of training is the way to go.

THOU SHALT PAY ATTENTION TO THE RED FLAGS OF SOCIAL ENGINEERING

Social engineering is a remarkable beast, as it is the act of manipulating people into performing an action or divulging confidential information. In most cases, the attacker never comes face to face with the victim. We see it in malicious emails (aka phishing) where the intent is to trick you into clicking on a malicious link or attachment, and even a link that takes you to a fake login page where you can hand over your login credentials. The level of sophistication we see is high and the ability to spot all the red flags is getting harder. There are two other members of the ‘ishing family’ I would like to introduce to you: smishing (the SMS version of phishing) and vishing (the voice version of phishing). Both of these attack vectors are as clever as their big brother phishing and we are seeing an increase in these attacks globally. It is unfair to expect a non-IT person to know all of the social engineering red flags without any form of awareness and education.

NB: Check out our Social Engineering Red Flags resource here (safe link – copy and paste it into your browser if you prefer not to click on links): https://www.knowbe4.com/hubfs/Social-Engineering-RedFlags.pdf

THOU SHALT ENSURE GOOD PASSWORD HYGIENE

The five most popular passwords across the globe are:

1. 123456
2. Password
3. 12345678
4. Qwerty
5. 123456789

When you think about it, remembering more than twenty unique passwords is not an easy task. Especially if each one needs to use a combination of uppercase, lowercase, symbols and numbers while being more than twelve characters long.

In Ponemon Institute’s The 2020 State of Password and Authentication Security Behaviors Report, 42% of organisations rely on sticky notes for password management and, surprisingly, IT professionals reuse passwords more than average users. Google have reported that 59% of people use their name or birthdate in their password and 43% have shared their password with someone. To round off the stats, Microsoft reported that 44,000,000 – yes, 44 million – of its users were found to have reused passwords. Therefore, consider the best practice for good password hygiene and use a password manager tool, use multifactor authentication wherever you can, change your passwords often and never reuse or share your passwords.

THOU SHALT NOT WALK AWAY FROM ONE’S DEVICE AND LEAVE IT UNLOCKED

If I had a dollar for every time I walked past an unattended and unlocked laptop or desktop, I would have at least $3,402 by now. This is such a simple task to do, so why don’t people do it? It is because it is not a habit (yet). Get yourself a sticky note and write ‘Lock this device’ on it, then stick it on your keyboard or screen. This will help prompt you to remember. Good news! There is a shortcut for locking Windows machines by pressing the Windows + L keys. For Macs, Opt + Cmd + Eject puts your computer to sleep, and Ctrl + Shift + Eject turns off your monitor without going to sleep.

THOU SHALT PAY ATTENTION TO YOUR SURROUNDINGS

2020 saw the big shift to remote working, which added an extra layer of complexity for everyone. Cyber criminals stepped up their attacks because our guards are down when we are at home. Many people were using personal devices for work or using work devices for personal things. Additional distractions at home saw an increase in security issues, with more sensitive information being sent over email and personal online storage such as DropBox or Google Drive being used for business purposes. While the intent is not to cause a security breach or do the wrong thing, we must pay attention to the new surroundings and modify our behaviour to suit.

THOU SHALT DISPOSE OF ALL DATA AND INFORMATION IN A THOUGHTFUL MANNER

Hopefully, this is a self-explanatory commandment. If you are in possession of confidential information, you are also responsible for disposing of it correctly. Especially with remote working, one just cannot simply throw out this information in your home recycle bin. The best option is to store it in a secure place until it can be shredded, or you can dispose of it properly back in the office.

THOU SHALT REPORT ALL SUSPICIOUS ACTIVITIES

If you see something, say something. This includes, and is not limited to, suspicious emails, SMS, phone calls, random USBs found lying around, someone who is trying to follow you into your place of work without a security pass, or odd behaviour from a colleague. Take the time to stop and pay attention. Nothing is that urgent. Even if you are completely wrong, it is better to err on the side of caution. Gone are the days of ignoring suspicious activities. Please ensure that your IT team are made aware of everything so they can investigate further.

HONOUR THY COMPANY IT POLICIES

I know that there is a collective sigh when we talk about policies. However, they are important and require acknowledgement and adherence. Sometimes we forget (or have never thought) that IT are there to support us all to get our work done in a safe and efficient manner. Make sure you read every policy and understand what your role is for each of them and if you are unsure, ask!

ABOVE ALL ELSE, ACCEPT THAT CYBERSECURITY IS EVERYONE’S RESPONSIBILITY

If you have a licence and drive a car, you have a responsibility to keep the car roadworthy and follow the road rules to stay safe. If you do not, you risk a fine and, at the extreme, you could injure yourself or others. At your work desk, you have a responsibility to set it up as per the Work Health Safety regulations. Your chair needs to be at a certain height, as does your screen, and if you should need to move a box of papers, you have a responsibility to pick it up correctly. If you ignore these guidelines, you risk injury or pain.

The same goes with cybersecurity. As humans, we are the last line of defence and perhaps the biggest asset when it comes to keeping the cyber criminals out of our networks. The human firewall is a real thing. It is your responsibility as a parent to keep your kids safe online, to keep yourself safe online and to keep your place of work safe. If we accept this, keep up to date with the cyberthreat landscape and take the time to stop and think before we act, the online world will be a much safer place for everyone.

www.linkedin.com/in/jacquelinejayne/
www.knowbe4.com/
jacquelinej@knowbe4.com
twitter.com/JakkiJayne

Sources

https://www.tessian.com/research/the-psychology-of-humanerror/
https://www.comparitech.com/blog/information-security/password-statistics/
https://mms.businesswire.com/media/20200219005336/en/773763/5/191522-Ponemon-Infographic-2020-final-1.jpg?download=1
GIULIA TRAVERSO

WHY THE TRENDS IN CRYPTOGRAPHY ARE TRENDS?

by Giulia Traverso, PhD, Senior Consultant Cybersecurity, EY

Cryptography is the aspect of cybersecurity about which I am most knowledgeable. And (I may be biased) it’s the core of cybersecurity. Sharing is caring, so I would like to give you some information about cryptography, especially about recent trends, and where they are heading.

Cryptography uses mathematics to make data secure. Essentially this means attaining three goals: confidentiality, integrity and authenticity. Confidentiality is achieved through encryption that makes data unavailable in clear except to the sender and the designated receiver of the data. Integrity and authenticity are achieved through signature schemes that ensure data cannot be tampered with and that create digital signatures to verify the data.

Encryption and signature schemes rely on mathematical problems that are, in principle, solvable but that would, in practice, take even the most powerful supercomputer hundreds of thousands of years to solve. However, the protection afforded by today’s cryptography enabled by these mathematical problems is under threat from the emerging technology of quantum computing. Quantum computers (of large size) will enable these very intractable problems to be easily solvable.

Quantum computers able to crack today’s cryptography are not expected to become reality until after 2030, but there are a couple of reasons why we need to worry today about the threat they pose.

Firstly, hackers could intercept and store internet traffic today that has long term value and wait until quantum computing is able to solve the mathematical problems used to encrypt that data. There are certain datasets such as health records that retain value and remain sensitive for decades.

Needless to say, the threat posed by quantum computing is spurring research to design and develop quantum-resistant cryptographic primitives (the well-established, low-level cryptographic algorithms used to build cryptographic protocols for computer security systems). Research to develop quantum-resistant cryptography is following two main avenues: post-quantum cryptography and long-term cryptography.

Post-quantum cryptography is the “computational” response to the quantum threat. Basically it means developing cryptographic primitives based on mathematical problems that are extremely difficult for even a large-scale quantum computer to solve. Plenty of research has been done in post-quantum cryptography and many good candidates for standardisation have been proposed. The US National Institute of Standards and Technology (NIST) announced in 2016 a call for proposals for post-quantum cryptographic primitives to be included in a new standard for quantum-resistant security.

The standardisation process has several rounds of evaluation. At each round some submitted candidates are rejected and the others go on to the next round of evaluation. The latest round, the third, concluded in July 2020 (see NIST’s website for more information).

Long-term cryptography is the information theory response to the quantum threat. It involves creating cryptographic primitives that are simply impossible to solve. The security of these primitives relies on an attacker not having information sufficient to solve the mathematical problems on which they are based. They are referred to as being ‘information theoretically secure’. These primitives can be used today because they are uncrackable by either today’s large supercomputers or tomorrow’s large quantum computer.

Such cryptographic primitives are already available to protect the confidentiality of long-lived data at rest (secret sharing) or to enable compute operations to be performed without revealing the input data (multi-party computing).

There you go. Trends in cryptography explained. I hope I convinced you that cryptography is the core, and the most interesting part, of cybersecurity!

www.linkedin.com/in/giulia-traverso-phd-13a749150/
www.breakingthirty.com
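Secret sharing, the information-theoretically secure primitive the article names for long-lived data at rest, worked through as an added example that is not the author's code; it uses Shamir's scheme over a prime field, and the field prime, the sample secret and the function names are constructed choices:

```python
"""Shamir secret sharing, an information-theoretically secure primitive.

Added example, not code from the article. It illustrates the long-term
cryptography idea above: a secret is split into n shares so that any t of
them reconstruct it, while any t-1 shares are consistent with every possible
secret, whatever computing power (classical or quantum) an attacker has.
The field prime and the sample values are constructed choices.
"""
import secrets
from typing import List, Tuple

Share = Tuple[int, int]  # (x index, y value)

# Constructed field prime, 2**127 - 1; secrets must be smaller than this.
PRIME = (1 << 127) - 1


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of a polynomial over GF(PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def _interpolate(points: List[Share], x: int) -> int:
    """Value at x of the unique polynomial of degree < len(points) through points
    (Lagrange interpolation over GF(PRIME))."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def split_secret(secret: int, t: int, n: int) -> List[Share]:
    """Split secret into n shares; any t of them reconstruct it."""
    if not 1 <= t <= n < PRIME:
        raise ValueError("need 1 <= t <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must lie in [0, PRIME)")
    # Random polynomial of degree t-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares: List[Share]) -> int:
    """Recover the secret (the polynomial's value at 0) from t distinct shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs) or 0 in xs:
        raise ValueError("share indices must be distinct and non-zero")
    return _interpolate(shares, 0)


def share_consistent_with(shares: List[Share], candidate: int, x_new: int) -> int:
    """Why t-1 shares leak nothing: for ANY candidate secret there is a valid
    share at index x_new that, combined with the t-1 known shares, reconstructs
    exactly that candidate. The known shares cannot rule any secret out."""
    if x_new == 0 or any(x in (0, x_new) for x, _ in shares):
        raise ValueError("indices must be distinct and non-zero")
    return _interpolate([(0, candidate)] + list(shares), x_new)


if __name__ == "__main__":
    secret = int.from_bytes(b"health-record", "big")  # constructed sample
    shares = split_secret(secret, t=3, n=5)
    assert recover_secret(shares[1:4]) == secret
    # Two shares plus a forged third explain any candidate equally well.
    for candidate in (0, 1, secret):
        forged = share_consistent_with(shares[:2], candidate, 9)
        assert recover_secret(shares[:2] + [(9, forged)]) == candidate
    print("recovered from 3 of 5 shares; 2 shares are consistent with every secret")
```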
MARISE ALPHONSO

LIFECYCLES WITHIN SECURITY

by Marise Alphonso, Information Security Lead at Infoxchange

Do you remember learning about the lifecycle of a butterfly? A tiny egg turns into a caterpillar that encases itself in a cocoon of silk from which, after a time, a beautiful butterfly emerges.

Security processes can be thought of as cycles of continuous improvement that must occur within an organisation: essentially Deming’s cycle of Plan-Do-Check-Act (PDCA). Think of each of these stages as phases of a capability maturity model. In a security program there is the overarching PDCA theme, where security governance supports and enables business objectives by defining policies and controls to manage risk.

When this works well, one could almost see a beautiful butterfly fluttering around!

Embedding security within the management of the following processes will serve an organisation well by addressing a baseline of information security-related risk.

Policies. Policies are statements of intent set out and approved by management, and communicated to stakeholders. Policies and related documents such as standards and procedures require review and revision based upon changes in an organisation’s operating environment. It is important they are properly managed across their lifecycle.

Human Resources. To raise and maintain awareness of cybersecurity it should be part of the induction procedure for new employees and part of ongoing training and messaging. It is also important that individuals be given secure access to the IT systems and other resources they require to fulfil their roles.

Assets. Maintaining an inventory of information, IT systems and IT equipment assets that captures attributes such as classification levels and system owners provides the basis for risk assessments, business impact analysis, license management, support arrangements and maintenance requirements.

Information. Information must be managed. This means incorporating security measures commensurate with its classification level and maintaining these across the lifecycle of creation, storage, use, sharing and deletion or retention of that information.

Suppliers and third parties. The management of supplier relationships to ensure value for money for an organisation includes risk assessments when engaging a supplier, monitoring suppliers to validate achievement of expected service levels, adherence to contract requirements, and termination of engagements in accordance with the requirements of supplier contracts.

Incidents. Security incidents provide a rich source of information for understanding where an organisation is vulnerable. Incident detection or notification, containment, eradication and recovery are the steps that should be taken across an incident lifecycle. Ensuring feedback on the effectiveness of the measures taken in each of these steps will enable them to be progressively refined, leading to improved security.

Software development lifecycle (SDLC) and DevSecOps. Security can no longer be an afterthought. It should be built-in across all phases of software development: requirements gathering, coding, testing and, thereafter, deployment, operation and maintenance.

Compliance. To maintain corporate and security governance and enable an organisation to meet stakeholder needs there must be a check on applicable legal, regulatory and contractual requirements including any changes that occur, and operational process changes made in response.

It is necessary to balance the risks faced by an organisation against the rewards to determine the extent to which these processes must be implemented. Having the necessary checks and balances ensures that security governance supports the achievement of business objectives.

A well-functioning lifecycle is a thing of beauty. After all, who doesn’t love a beautiful butterfly?

www.linkedin.com/in/marise-alphonso/
CHIOMA CHIGOZIE-OKWUM

SWIMMING ABOVE CEO FRAUDS

by Chioma Chigozie-Okwum, Spiritan University Nneochi, Abia State, Nigeria

CEO frauds, in which cyber criminals impersonate chief executive officers of organisations and lure unsuspecting victims into authorising fraudulent transactions, are not new, but they have become more prevalent and more sophisticated. With more women taking up CEO roles in organisations, we need to be conscious of how we can be exploited by cybercriminals through CEO frauds.

During the COVID-19 pandemic lockdown several enterprises suffered huge losses as a result of falling prey to CEO frauds. These can usually be spotted with careful observation, but executives pressed for time and with busy schedules often ignore the signs.

CEO frauds are usually preceded by man (or woman)-in-the-middle attacks, where the criminals install bots to listen in on the communications of the parties involved in a transaction. With this technique they gather information about legitimate business transactions being undertaken between these parties. When they have sufficient details they impersonate the party receiving payment in the transaction, completely shutting out the legitimate party, and instruct the payer to make payment to an account they control. This happens without the parties being aware that there has been a breach.

Red flags that indicate cyberattacks of this nature include:

• The criminals will tell victims who they should be communicating with to complete a transaction;
• There is often a sense of urgency in their communications;
• They present new links, phone numbers or email addresses.

The watchword to beat CEO fraud is alertness. Stay vigilant and doubt the authenticity of everything until it passes integrity tests.

1. If you are an executive in an enterprise, ensure your enterprise runs a standard cybersecurity protocol. It is necessary to adopt both proactive and reactive approaches to security to ensure that channels are scanned for eavesdroppers and person-in-the-middle attacks. Ensuring that communication channels used to discuss business transactions are clear and devoid of compromise is a first step towards curbing this menace.

2. Always trust your gut feeling. If you have doubts about a discussion, or an email or even a link, follow your instincts.

3. Carry out independent research about company proxies and representatives before interacting with them to confirm they are in the roles they claim to be.

4. Verify proxies, clients and contacts by looking out for them on social media platforms. Every notable CEO has at least one verifiable presence on social media.

5. Visit websites of the enterprises you are transacting business with. Do not rely on links provided by the proxy you are working with. Type websites into browsers and don’t click on links provided.

6. If you can, make an in-person visit, or send somebody to the location of the person you are dealing with. This helps to verify claims. Some scammers go to extraordinary lengths to make everything look normal online. An unscheduled site visit can uncover their plans.

In a fast moving world and with more transactions moving online, there is need for us to be cyber aware and stay safe online always.

www.linkedin.com/in/chioma-chigozie-okwum-376793122
www.facebook.com/chioma.chinakachigookwum
FARWA SAJJAD

THE FUTURE PROSPECTS AND CHALLENGES OF AI AND ML FOR CYBERSECURITY

by Farwa Sajjad, Journalist & Cybersecurity Blogger

The emerging technologies of artificial intelligence (AI) and machine learning (ML) are putting cybersecurity at significant risk, increasing the volume and sophistication of cyberattacks and fuelling an unending cycle of offensive and defensive innovations.

Every year is proving to be worse than the one before for threats and vulnerabilities. Along with the steady increase in the number of cyber-attacks, security threats are becoming more complicated and multifaceted. In recent times, an increasing number of connected IoT devices add to the complexity of cyber threats, making the work of cybersecurity specialists more difficult. However, AI and ML can also aid cybersecurity and give experts additional resources to secure vulnerable data and networks from cyber attackers.

FUTURE PROSPECTS OF AI AND ML FOR CYBERSECURITY

In cybersecurity, time is vital. Security measures need to work quickly to keep pace with hackers, and ideally, they need to be proactive and stay ahead of the challenges and threats. This is where AI and ML-based tools excel.

The most exciting thing about AI is that it can learn users’ normal behaviour patterns, pick up anomalous behaviours and provide timely alerts to enable an attack to be thwarted.

A well-trained AI system can also recognise malware and ransomware attacks and quarantine them from the system. AI systems can scan multiple online sources for information about cyberthreats and, by combining various articles and studies, give great insight into cyberattacks, abnormalities, and prevention strategies far more rapidly and efficiently than any human reader. This enables cybersecurity companies to keep up to date on the latest risks and develop strategies and tools to combat them. Moreover, AI systems can supplement and strengthen multi-factor authentication access controls, altering users’ access requirements and access privileges in real time according to the network they are accessing from and their location.
HOW AI CAN HELP ENTERPRISES DEFEAT CYBER CROOKS Intelligent systems powered by data-centric algorithms and innovative technologies such as machine learning can boost cybersecurity by detecting, responding to, and neutralising real-time threats. AI and ML technologies can learn about user behaviour patterns, specific signals, deviations, and vulnerabilities to detect and counter a threat early and protect the system from potential data breaches and intrusions. However, AI-powered systems are a double-edged sword: an integral part of both cybersecurity threats and solutions. Criminals use AI to create automated attacks and advanced threats. Cybersecurity specialists use AI to counter cyber-attacks and automate routine tasks, freeing them up to devote more resources to countering sophisticated
and interactions. Researchers working on different ML projects believe the cyber community and ML professionals can both play more active roles to better ML. Massive amounts of data can now be put under advanced analytics tools
challenges.
to gather valuable data-driven insights.
KEY CHALLENGES FOR MACHINE LEARNING AND CYBERSECURITY
cybersecurity experts who possess the
Machine learning has considerable promise to play a prominent role in cybersecurity by detecting potential threats and malware early, enabling security to be proactive. However, the technology is still immature, and challenges remain. By accessing appropriate datasets AI and ML can be used to investigate cybersecurity issues. Lack of such can pose a significant challenge to security practices seeking to exploit AI and ML for this purpose.
Still, there is a significant shortage of awareness and skills needed to work with AI and MLbased security algorithms.
FINAL THOUGHTS Despite all the challenges and problems, AI and ML have the potential to be competent technologies for dealing with cybersecurity threats and issues of all types. AI and ML will reach their full cybersecurity potential only if cybersecurity specialists enhance their expertise and understanding of these new technologies.
GREATER AWARENESS OF AI AND ML NEEDED
www.linkedin.com/in/farwa-sajjad-7b406a180/
At present, the use of ML in information security is
twitter.com/farwa_sajjad96
limited to understanding user behaviours, inputs,
WOMEN IN SECURITY MAGAZINE
119
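The behaviour-learning idea in the FUTURE PROSPECTS section above (learn a user’s normal pattern, then alert on deviations from it) can be shown without a trained model. The Python below is an added example, not code from the article or from any product it mentions: a simple per-user frequency baseline built from constructed login log lines stands in for the ML system, and the hour-of-day slack, the scoring weights and the failed-login threshold are assumptions chosen for illustration.

```python
"""Baseline each user's normal login behaviour from history, then score new
events for deviations (unusual hour, new country, bursts of failures).
Constructed example; the log format and every log line are invented."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime

# Constructed training log: ISO timestamp, user, source country, outcome.
HISTORY = """\
2021-04-05T08:58:12 alice AU success
2021-04-05T09:02:44 alice AU success
2021-04-06T09:10:03 alice AU success
2021-04-06T17:45:51 alice AU success
2021-04-07T08:49:27 alice AU success
2021-04-07T13:20:09 alice AU success
2021-04-05T22:03:11 bob NZ success
2021-04-06T21:58:40 bob NZ success
2021-04-07T22:11:05 bob NZ success
"""

# Constructed events to score: one normal alice login, one at 03:12 from a
# new country, one normal bob login, then four failed attempts on bob.
NEW_EVENTS = """\
2021-04-08T09:05:30 alice AU success
2021-04-08T03:12:07 alice RO success
2021-04-08T22:00:15 bob NZ success
2021-04-08T22:01:02 bob NZ failure
2021-04-08T22:01:30 bob NZ failure
2021-04-08T22:02:05 bob NZ failure
2021-04-08T22:02:40 bob NZ failure
"""


@dataclass
class Profile:
    hours: Counter = field(default_factory=Counter)      # successful logins per hour of day
    countries: Counter = field(default_factory=Counter)  # successful logins per country
    total: int = 0


@dataclass
class Alert:
    user: str
    when: str
    score: float
    reasons: list[str]


def parse(log: str):
    """Yield (timestamp, user, country, outcome) from the constructed format."""
    for line in log.splitlines():
        if line.strip():
            ts, user, country, outcome = line.split()
            yield datetime.fromisoformat(ts), user, country, outcome


def build_profiles(log: str) -> dict[str, Profile]:
    """Learn 'normal' from successful logins only, so failures never train the baseline."""
    profiles: dict[str, Profile] = {}
    for ts, user, country, outcome in parse(log):
        if outcome != "success":
            continue
        p = profiles.setdefault(user, Profile())
        p.hours[ts.hour] += 1
        p.countries[country] += 1
        p.total += 1
    return profiles


def score_event(p: Profile, ts: datetime, country: str) -> tuple[float, list[str]]:
    score, reasons = 0.0, []
    # Assumed rule: an hour is 'usual' if it or a neighbouring hour has been seen.
    if not any(p.hours[(ts.hour + d) % 24] for d in (-1, 0, 1)):
        score += 1.0
        reasons.append(f"login at {ts.hour:02d}:00 is outside the user's usual hours")
    if p.countries[country] == 0:
        score += 2.0
        reasons.append(f"first login from {country}")
    return score, reasons


def detect(profiles: dict[str, Profile], events: str,
           fail_threshold: int = 3, alert_threshold: float = 1.0) -> list[Alert]:
    alerts: list[Alert] = []
    failures: Counter = Counter()
    for ts, user, country, outcome in parse(events):
        if outcome == "failure":
            failures[user] += 1
            if failures[user] == fail_threshold:   # one alert per burst, not per attempt
                alerts.append(Alert(user, ts.isoformat(), 1.0, ["repeated failed logins"]))
            continue
        failures[user] = 0
        prof = profiles.get(user)
        if prof is None:
            alerts.append(Alert(user, ts.isoformat(), 2.0, ["no baseline for this user"]))
            continue
        score, reasons = score_event(prof, ts, country)
        if score >= alert_threshold:
            alerts.append(Alert(user, ts.isoformat(), score, reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_profiles(HISTORY), NEW_EVENTS):
        print(alert)
```

Even this crude baseline illustrates the two things the article credits AI with: it is per user (bob’s 22:00 logins are normal for bob and would be abnormal for alice), and it produces the alert at the moment the deviation happens rather than after a human reads the log. It also shows the data dependency raised in the KEY CHALLENGES section: with only a few days of history the baseline is thin, and a model trained on logs that already contain attacker activity would learn that activity as normal.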
HARPREET KAUR NAHAR
HOW TO BE DIGITALLY SECURE WHEN WORKING FROM HOME by Harpreet Kaur Nahar, Student at Edith Cowan University
The ‘new normal’ of working from home has created many new opportunities for cybercriminals: home computers with unpatched vulnerabilities, insecure WiFi networks and bad password practices. And the surge in collaboration tools like Zoom has created an avenue of attack that hardly existed before the pandemic.
Fortunately there are a few simple measures that can greatly increase cybersecurity and make life more difficult for the criminals.
SECURE YOUR INTERNET CONNECTION
A hard-wired internet connection is much more secure than wireless, but impractical for most homes. So the WiFi link must be as secure as possible. This means having a long and complex password that is used only for that WiFi service and, ideally, using separate WiFi networks for work and home-related internet activity.
USE A VIRTUAL PRIVATE NETWORK
A virtual private network (VPN) encrypts your Internet traffic and disguises your IP address. Anyone able to intercept your internet traffic cannot see which websites you visit or read the data travelling across that link. Many organisations will mandate use of their corporate VPN for staff working from home, but there are also many services available that anyone can sign up for and use.
TWO-STEP VERIFICATION
This requires anyone trying to access an online service with a password to confirm they are the password holder. A common two-step verification process is to send a text message with a random number to the password holder’s mobile phone after they enter their password. This number must be entered to gain access. Users cannot implement two-step verification if it is not offered, but where it is available as an option, it should always be activated.
KEEP YOUR SOFTWARE UP TO DATE
One of the avenues of attack most used by cybercriminals is vulnerabilities in operating system software and applications. New vulnerabilities are being discovered all the time, and then countered by software developers issuing updates to their software. However, it is usually incumbent upon users to install these updates, and many fail to do so.
COLLABORATE SECURELY
Collaboration tools like Zoom and Microsoft Teams require new practices and procedures that meeting hosts need to implement to ensure security.
• Every meeting should have a unique password so only those invited can participate.
• Enable the waiting room facility so that every person wanting to join a meeting must be manually approved (although this would be impractical for meetings with many participants).
• Disable the features that participants will not require, such as screen sharing and file transfer.
All these technical measures are robust and reliable. Most cybersecurity breaches are achieved, directly or indirectly, because of the weakest link: people. If people follow these measures consistently, the number of successful cyber attacks will be greatly reduced.
www.linkedin.com/in/harpreet-kaur-nahar/
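The TWO-STEP VERIFICATION section above describes the flow from the user’s side. The Python below is an added example, not code from the article, showing what a service has to do on its side for that flow to be worth anything: issue a random code after the password check, deliver it out of band, accept it only once and only for a short window, and cap guessing. The in-memory store, the fake SMS gateway, the controllable clock, the user name and phone number are all constructed stand-ins for a real database, messaging provider and clock.

```python
"""Server-side half of SMS-style two-step verification: a random code is issued
after a successful password check, sent out of band, and must be presented
within a short window.  Constructed example with an in-memory store."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumed: a code is only good for five minutes
MAX_ATTEMPTS = 5         # assumed: 10**6 possible codes, so cap online guessing


@dataclass
class PendingCode:
    digest: bytes        # keyed hash of the code; the code itself is never stored
    expires_at: float
    attempts_left: int


class SecondFactor:
    """Issues and checks one-time codes for users who have already entered a password."""

    def __init__(self, send_sms: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time):
        self._send = send_sms
        self._clock = clock
        self._pending: dict[str, PendingCode] = {}
        self._key = secrets.token_bytes(32)   # per-process key for hashing codes at rest

    def _digest(self, user: str, code: str) -> bytes:
        return hmac.new(self._key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user: str, phone: str) -> None:
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = PendingCode(
            digest=self._digest(user, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
            attempts_left=MAX_ATTEMPTS,
        )
        self._send(phone, f"Your verification code is {code}")

    def verify(self, user: str, presented: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[user]
            return False
        entry.attempts_left -= 1
        ok = hmac.compare_digest(entry.digest, self._digest(user, presented.strip()))
        if ok or entry.attempts_left == 0:
            del self._pending[user]   # single use, and locked out after too many guesses
        return ok


def demo() -> dict[str, bool]:
    """Exercise the flow with a fake SMS gateway and a clock we control."""
    outbox: list[tuple[str, str]] = []
    now = [1_000.0]
    sf = SecondFactor(lambda phone, text: outbox.append((phone, text)), clock=lambda: now[0])
    phone = "+61 400 000 000"   # constructed number
    results: dict[str, bool] = {}

    sf.issue("olivia", phone)
    code = outbox[-1][1].split()[-1]
    wrong = "000000" if code != "000000" else "111111"
    results["wrong_code_rejected"] = sf.verify("olivia", wrong) is False
    results["right_code_accepted"] = sf.verify("olivia", code) is True
    results["code_single_use"] = sf.verify("olivia", code) is False

    sf.issue("olivia", phone)
    code = outbox[-1][1].split()[-1]
    now[0] += CODE_TTL_SECONDS + 1
    results["expired_code_rejected"] = sf.verify("olivia", code) is False

    sf.issue("olivia", phone)
    code = outbox[-1][1].split()[-1]
    wrong = "000000" if code != "000000" else "111111"
    for _ in range(MAX_ATTEMPTS):
        sf.verify("olivia", wrong)
    results["locked_out_after_guessing"] = sf.verify("olivia", code) is False
    return results


if __name__ == "__main__":
    print(demo())
```

Two details carry most of the security value: the code is generated with `secrets`, not `random`, and it is compared with `hmac.compare_digest` against a keyed hash, so a leaked store of pending codes does not hand an attacker usable codes and a timing side channel does not leak them digit by digit. The attempt cap matters because a six-digit code without one is brute-forceable in minutes.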
DEIKA ELMI
BEWARE THE CYBERCRIMINAL STATE IN 2021 by Deika Elmi, Security Risk Manager
To top off an already dismal year, there was one final parting shot from 2020. In December of 2020, the US Government acknowledged a massive data breach. US Secretary of State Mike Pompeo identified […] on America’s digital infrastructure.
The attack began in March when the attackers exploited vulnerabilities at Microsoft, VMware and SolarWinds to breach three federal agencies. Affected agencies included the Departments of Defense, Homeland Security and Treasury, along with hundreds of private companies, bringing the total to 250 targeted entities.
It’s not as if government employees were giving out their social security numbers to win a free trip to Aruba. These were cybersecurity-savvy agencies. Yet the hackers were still able to access the email inboxes of high-ranking officials at the US Treasury and Commerce Departments.
A CONCERNING PATTERN
Cyberattacks from state actors are a growing trend. Remember the 2014 Seth Rogen comedy movie The Interview about stoners trying to assassinate North Korean leader Kim Jong Un? Probably not, because it was never widely released. North Korean state-affiliated actors hacked Sony Pictures, leaked personal information about Sony executives, and demanded Sony withdraw the film.
In a considerably less whimsical example, Russian state actors in 2014 staged a series of cyberattacks against American and European water and electrical systems. They gained access to power plant control systems and, even though they never actually shut down or sabotaged the plants, they may still retain access. In June of 2019 the US retaliated against Russia with a similar attack on Russian water and power infrastructure.
These are only two examples of state-sponsored cyber warfare. On some estimates since 2006, […] each with at least $US1 million in damages. So what can we learn from this latest breach?
LESSONS
The newest front in espionage and warfare is online, right behind the screen you’re reading this on now. So, this is everybody’s problem. Here are some tips.
1. This could happen to you.
This isn’t just a problem for governments. Private companies like […] were targeted for hacking, along with government agencies. It’s not as if the treasury secretary used “Password1234” as his password. These were sophisticated hackers and this breach could have affected you too. So no more mental compartmentalisation. This is a problem for all of us.
2. Government and industry must share cybersecurity intelligence.
Cybersecurity is one of the most siloed and piecemeal national security concerns in the United States. As 9/11 taught us, the only way to avoid future attacks is to continually pool and unify our intelligence about the threat.
3. Cyberwarfare is an equaliser.
In traditional warfare, one country’s soldiers fight another country’s soldiers. In cyberwarfare, there are no civilians. Any company with valuable information can be targeted by anybody else. Private companies must become accustomed to assessing their vulnerability to state-sponsored hackers. All is fair in love and cyberwarfare.
4. Know your cybersecurity vendors.
With the rise of “smart” devices, any connected thing can become a Trojan Horse. In 2014, department store chain Target was breached by exploiting the systems of an HVAC vendor: the epitome of “not cool”. In 2017 attackers stole millions of credit card numbers and related data from Mandalay Bay, a casino, via a […]. So vet all your connected equipment vendors; there are other fish in the sea. Also, try not to be paranoid, but your smart fridge might be spying on you.
SolarWinds is now famous for being a vector for cyberattacks, but before that it was a popular network monitoring company based in Austin, Texas. It was probably compromised some time in October 2019. In March 2020 the hackers hid malicious code in a standard SolarWinds software update. About 18,000 companies downloaded the tainted update. The cyberattack was highly successful and wide-ranging because the hackers attacked the supply chain. So know your vendors. A company that doesn’t make cybersecurity a priority should not have high-level access to your networks.
5. Red flags today mean white flags tomorrow.
There were so many warning signs that SolarWinds should not have been trusted with this sort of access. Executives at the company ignored security warnings three years prior to the attack. According to one employee, the company was using outdated web browsers and operating systems. And even worse, in 2019 the password for one of its servers leaked online. What was that password? solarwinds123. Yep, really. Finally, the company didn’t even remove the tainted software update from its website for several days after the Russian attack was announced publicly.
6. We’re all in uncharted waters.
Most people don’t expect to deal with any sort of warfare (cyber or otherwise) when they start businesses. Hacks on the scale of the 2020 SolarWinds attack are truly unprecedented. Governments and private companies at every level are still calibrating how to respond. But here’s some positive news. While these hacks are insanely dangerous, they also haven’t [yet] caused any physical damage. So… hooray?
7. Be open-minded.
Remember the optimist says things can’t get any worse, but the pessimist says, yes they can.
The discovery in 2020 of the SolarWinds attack is the latest and loudest alarm bell. Other sophisticated, state-sponsored cyberattacks are coming. But, since we’ve all received a crash course in immunology this past year, we know that, in response to a breach, the body produces antibodies. Similarly, our cybersecurity efforts will have to rise to the level of the antagonists trying to infect our systems.
So, if you’re a cybersecurity professional, or if you’re interested in improving your firm’s cybersecurity, keep these lessons in mind.
www.linkedin.com/in/deikaelmi/
twitter.com/DeikaE
LISA ROTHFIELD-KIRSCHNER Author of How We Got Cyber Smart | Amazon Bestseller
Hello Friends,
My name is Olivia, I love to learn maths and science at school and I am very interested in technology! My teachers say I have a curious personality and are always encouraging me to learn more about the world. I also have a twin brother, Jack.
Last year for my birthday I got my first device, a tablet from my grandparents! I was so excited and couldn’t wait to use it, so one night when my parents were asleep Jack and I snuck into the kitchen to take the tablet. We downloaded a game onto it and after we started playing on it another player wanted to play a game against us and we thought we would - but we shouldn’t have!
The other player turned out to be a cyberbully and it was really scary.
My cyber safety tips to you are:
• Ask your parents and teachers to teach you how to stay safe online.
• Use your devices with a trusted adult’s permission, and it is better if you are being supervised.
• Keep and use your device in a shared area like the kitchen bench.
• Sometimes parents use special controls and filters to help keep you safe from bad people and cyberbullies.
• Try not to spend too much time on your device because you can damage your eyes. It’s also good to get outside and run around.
• Never ever give out your personal information to anyone online and only chat to people you know, like grandparents.
• Don’t ever share any photos.
• Never respond to any emails, app messages, or text messages sent by cyberbullies.
• If you receive a nasty message you should save, screenshot, and print out the message as evidence of cyberbullying and never forward it to other kids.
• Always show or tell a parent or teacher immediately if you are unsure about something that happened online or if you receive a nasty message.
• Never download a game or app without permission!
• Always be polite and respectful to others online and try to stay calm if something bad happens.
The internet is a wonderful tool to help you learn about the world but it’s very important to be safe. Stay safe online my friends, Olivia xo
Recommended by Family Zone
How We Got Cyber Smart addresses cyber safety, cyber bullying and online safety for elementary school-aged children.
WOMEN IN SECURITY MAGAZINE CONTRIBUTORS
1. MELANIE NINOVIC DFIR Consultant, ParaFlare
2. AMANDA-JANE TURNER Author of the Demystifying Cybercrime series and Women in Tech books, Conference Speaker and Cybercrime specialist
3. MICHELLE ELLIS Outreach and Engagement Coordinator Computing and Security, Edith Cowan University, Security Risk Manager
4. CATHERINE DOLLE-SAMUEL Business Continuity and Resilience Specialist at UNSW
5. SARAH YOUNG Senior Program Manager, C+AI Security Customer Experience Engineering (CxE) at Microsoft
6. MANAL AL-SHARIF Author of Daring to Drive
7. NICOLE MURDOCH Founding Director at EAGLEGATE Lawyers
8. DAISY WONG Cyber Culture and Engagement Lead at Department of Premier and Cabinet (Vic)
9. NICOLE STEPHENSEN Principal Consultant at Ground Up Consulting
10. AMBER UMAIR Security Operations Officer at Transport for NSW
11. LAUREN ZINK Security Training and Awareness Program Manager at Oportun
12. GABRIELLE BOTBOL Offensive Security Consultant at Desjardins
13. ANKITA DHAKAR Managing Director, Security Lit Ltd.
14. WINIFRED OBINNA Scrum Master at Blue Cross and Blue Shield
15. KAREN STEPHENS CEO and co-founder BCyber
16. MEGHAN JACQUOT Cybersecurity Specialist | Google IT Support Professional
17. EMILY EDGELEY Public Speaking Coach for the Tech industry
18. BREARNA LEOPOLD Inside Channel Account Manager Australia & New Zealand
19. JESSICA TIEU Senior Director of Legal Asia Pacific & Japan
20. SAI K HONIG NSNWS BCA
21. NICOLLE EMBRA Cyber Safety Expert, The Cyber Safety Tech Mum
22. DR. DAVID STOCKDALE Director AusCERT, Australia’s Pioneer Cyber Emergency Response Team
23. QUEEN A AIGBEFO Research student, Macquarie University
24. JOANNE WONG Vice president international marketing APAC and EMEA, LogRhythm
25. KIRSTIN MCINTOSH Head of Partnerships, CyRise
26. LAURA JIEW AWSN National Social Media & Marketing Lead; Events, Marketing and Communications coordinator for AusCERT
27. JEFF JACOBS Executive General Manager, Corporate Security Group IAG
28. JOANNE COOPER CEO of ID Exchange Pty Ltd
29. WENDY THOMAS President, Secureworks
30. CRAIG FORD Cyber Enthusiast, Ethical Hacker, Author of A Hacker I Am vol1 & vol2
31. MEL MIGRIÑO Group CISO of Meralco, co-founder, Women in Security Alliance, Philippines
32. JACQUELINE JAYNE Security Awareness Advocate, KnowBe4
33. GIULIA TRAVERSO PhD, Senior Consultant Cybersecurity, EY
34. MARISE ALPHONSO Information Security Lead at Infoxchange
35. CHIOMA CHIGOZE-OKWUM Spiritan University Nneochi, Abia State, Nigeria
36. FARWA SAJJAD Journalist & Cybersecurity Blogger
37. HARPREET KAUR NAHAR Student at Edith Cowan University
38. LISA ROTHFIELD-KIRSCHNER Author of How We Got Cyber Smart, Amazon Bestseller
39. DEIKA ELMI Security Risk Manager
NEW from No#1 Best Selling Author of the "A Hacker I Am" Series, Craig Ford
HAVE YOU EVER DREAMED OF BEING A HACKER? Seemingly normal teenager Sam lives an exhilarating double life. Jump on board this twisting journey, take a swim through the deep dark corners of the hacker world and find out what this girl is made of. Does she have what it takes to survive or is she in over her head? Only time will tell, but one thing we can be certain of is that the journey is going to be more challenging than she had ever imagined.
OTHER BOOKS BY THE AUTHOR
TURN IT UP
LOCAL AUSTRALIA PODCASTS
THE SECURITY COLLECTIVE By Claire Pales
The Security Collective, hosted by Claire Pales, is the podcast for all people who are interested in the foundations on which effective and robust cyber security is built: people, process, data and technology.
By Beverley Roche
Interested in staying safe online, or a cyber security professional? Leading cyber security consultant and advisor Beverley Roche talks to global experts, academics and researchers to provide insights on the issues impacting the cyber security profession and our connected life.
CYBER IN BUSINESS By CTRL Group
Cyber in Business is a platform where the best minds in cybersecurity share their insights with businesses. We operate on the belief that only a cyber secure business can outlast. This platform is all about information sharing and helping business leaders make more effective decisions.
OZCYBER UNLOCKED By AustCyber
A podcast series aimed at helping Australians deepen their understanding of the local cyber security industry.
GET WISE By WiseLaw
Get Wise is a regular podcast organised by Principal EJ Wise of the specialist cyberlaw firm WiseLaw. Join us as we discuss emerging trends within the cybersecurity and legal landscapes, provide short snippets of advice on how you can boost your cyber resilience, and delve into the niche aspects of cyber law.
CYBER SECURITY CAFÉ By PodcastOne
AFTERNOON CYBER TEA
Ann Johnson, Corporate Vice President, Business Development, Security, Compliance & Identity at Microsoft, talks with cybersecurity thought leaders and influential industry experts about the trends shaping the cyber landscape and what should be top-of-mind for the C-suite and other key decision makers.
KBKAST By KBI
The Voice of Cyber: KBKast brings you interviews, discussions and presentations from global leaders across information security and emerging technology.
PRIVACY MATTERS WITH NICOLE STEPHENSEN By IoT Security Institute
Privacy and the protection of personal data in the context of Internet of Things technologies. The Privacy Matters podcast, hosted by Nicole Stephensen, is an initiative of the Internet of Things Security Institute (IoTSI).
THE OTHER SIDE OF CYBER By Jacqueline Jayne and co-host James Azar
From both sides of the world, it’s The Other Side of Cyber. Join your hosts James Azar and Jacqueline Jayne (JJ) as they go beyond the crime and explore the aftermath of the human element and the price we pay.
THE AZURE SECURITY PODCAST By Michael Howard, Sarah Young, Gladys Rodriguez and Mark Simos
A twice-monthly podcast dedicated to all things relating to Security, Privacy, Compliance and Reliability on the Microsoft Cloud Platform. Hosted by Microsoft security experts Michael Howard, Sarah Young, Gladys Rodriguez and Mark Simos. https://azsecuritypodcast.net/
THE NATIONAL SECURITY PODCAST By Policy Forum - ANU National Security College
Chris Farnham and Katherine Mansted bring you expert analysis, insights and opinion on Australia and the region’s national security challenges in this pod from Policy Forum and the ANU National Security College.
ISACA PODCAST By ISACA
The ISACA Podcast gives you insight into the latest regulations, trends and threats experienced by information systems auditors and governance and security professionals. Whether you are beginning your career or have decades of experience, the ISACA Podcast can help you be better equipped to address industry challenges and embrace opportunities.
GLOBAL PODCASTS
WOMEN IN SECURITY PODCAST By Lifen Tan
This podcast is devoted to the world of information & cyber security and the great women who make it turn. In each episode, I sit down with a guest speaker to discuss their experiences and touch on some of the lesser known aspects of the industry.
WE TALK CYBER By Monica Verma
A technology podcast and an engaging platform for discussions and expert opinions on All Things Cyber. The podcast series is hosted by Monica Verma, a leading spokesperson for digitalization, cloud computing, innovation and information security in support of technology and business.
HUMAN FACTOR SECURITY By Jenny Radcliffe
Jenny Radcliffe interviews experts about human behaviour, social engineering, business, security and life.
WE HACK PURPLE By Tanya Janca
The We Hack Purple Podcast will help you find your career in Information Security via interviews with our host, Tanya Janca, and our guests from all different backgrounds and experiences. From CISOs and security architects to incident responders and CEOs of security companies, we have it all. Learn how they got to where they are today! www.WeHackPurple.com
THE CYBER JUNGLE By Ira Victor and Samantha Stone
The CyberJungle is the nation’s first news talk show on security, privacy and the law, featuring digital forensics and infosec specialist Ira Victor and award-winning journalist Samantha Stone. The show is fast-paced and includes hard-hitting news analysis. Formerly The Data Security Podcast.
SMASHING SECURITY By Graham Cluley, Carole Theriault
A helpful and hilarious take on the week’s tech SNAFUs. Computer security industry veterans Graham Cluley and Carole Theriault chat with guests about cybercrime, hacking, and online privacy. It’s not your typical cybersecurity podcast...
on the couch WITH VANNESSA MCCAMLEY WWW.WOMENINSECURITYMAGAZINE.COM
OFF THE SHELF
FORESIGHT: HAVE YOU EVER DREAMED OF BEING A HACKER? Author // Craig Ford Dive into the life of a spunky, charismatic girl next door with Sam (Samantha), she is an only child of a broken family and has a truly devoted father who has raised her from a very young age. She is smart, kind, pretty and has that spark that you just can’t pin down. To anyone who meets her, she is just a good-hearted teenager who just wants to finish school and go to college. She does well at school, has a couple of close friends and is far from what you would call the popular girls. She truly fits the average girl next door stereotype. If you are looking at the fake life she lets the world see you would be right in thinking that was the case. However, she has a secret life. She has spent years living two lives, one as Sam for the world to see and one as Foresight, to Sam this is her true life where she is a truly gifted hacker. She has never found a system she could not bend to her will if she put her mind to it. She is the essence of a true hacker, a true magician of sorts in these dark recesses of the web not many dares to enter. Jump on board this twisting journey, take a swim through the deep dark corners of the hacker world and find out what this girl is made of. Foresight is book one of the hacker fantasy series. Book two will follow in 2021-22.
BUY THE BOOK HERE
A HACKER I AM
THE SECURE BOARD
Author // Craig Ford
How To Be Confident That Your Organisation Is Cyber Safe
A Hacker, I Am is not your normal cyber security book, it explains topics in stories, scenarios, without all the Jargon. Its fun, educational and you can read any chapter you want in any order you want. This book has been created to help everyone, not just the technical folk understand cybersecurity and the associated risks.
BUY THE BOOK HERE
A HACKER I AM VOL.2 Author // Craig Ford The book as you would have probably guessed it by now is all about Cyber Security but it’s not written to be overly technical, it’s written so that it can be understood by anyone who wants to learn more about how to better protect themselves. This book will be great at helping introduce individuals to the cybersecurity and help them get a better understanding of what to look out for, what problems we are all going to face in the future but also have a bit of fun while we are at it. .
136
WOMEN IN SECURITY MAGAZINE
BUY THE BOOK HERE
Author // Claire Pales, Anna Leibel With the collective global spend on cyber security projected to reach $433bn by 2030, the impact of cyber risk - be it reputational, financial or regulatory - must now be front of mind for all Directors. Written for current and aspiring Board members, The Secure Board provides the insights you need to ask the right questions, to give you the confidence your organisation is cyber-safe. Designed to be read either in its entirety or as a reference for a specific cyber security topic on your upcoming board agenda, The Secure Board sets aside the jargon in a practical, informative guide for Directors. “I recommend The Secure Board as essential reading for all leaders. It will equip you with the knowledge and foresight to protect your information and your people.” - David Thodey AO, Chair of CSIRO “[This book] will challenge you to stop, to reflect and then re-set some of your governance thinking. Anna and Claire, you have made a great contribution to the development of all Directors who choose to pick up this book.” - Ken Lay AO APM FAICD, Lieutenant-Governor of Victoria
BUY THE BOOK HERE
SECURITY FOR EVERYONE
SOCIAL ENGINEERING
Author // Authors Laura Bell and Erica Anderson
Author // Chris Hadnagy
Do you keep personal information and sensitive business documents on your laptop? Do you and your team use passwords, security keys, or credentials to protect your software and data in the cloud? Have you imagined the damage to your life and your business if these were revealed, exploited, or lost? No matter the size of your organisation, security affects us all. Large companies know the importance — and pay trained security specialists to work on security full time. But what about the rest of us? It’s time there was a comprehensive resource that helps any of us, no matter our role or the size of our business, keep our people, systems, and data secure. Securing your business can be daunting, especially when you’re small. That’s why Security for Everyone focuses on practical, flexible, step-by-step, affordable approaches that can scale to suit your situation and needs, in language non-technical folks can understand.
BUY THE BOOK HERE
The Art of Human Hacking
The first book to reveal and dissect the technical aspect of many social engineering maneuvers From elicitation, pretexting, influence and manipulation all aspects of social engineering are picked apart, discussed and explained by using real world examples, personal experience and the science behind them to unraveled the mystery in social engineering. Kevin Mitnick, one of the most famous social engineers in the world-popularized the term social engineering.He explained that it is much easier to trick someone into revealing a password for a system than to exert the effort of hacking into the system. Mitnick claims that this social engineering tactic was the single-most effective method in his arsenal. This indispensable book examines a variety of maneuvers that are aimed at deceiving unsuspecting victims, while it also addresses ways to prevent social engineering threats.
CYBERSECURITY FOR EVERYONE Author // Amanda-Jane Turner Cybercrime is big business. As the use of technology increases, so does the opportunity for crime. There is no solely technical solution to stopping cybercrime, which is why it is important for all users of technology, regardless of age, race, education or job, to understand how to keep themselves safer online. To help all users of technology gain a better understanding of some cybersecurity basics, this book presents easy to understand information, with the added, and possibly dubious, bonus of entertainment in the form of limericks and cartoons. Stay informed and stay safe.
BUY THE BOOK HERE
Social Engineering: The Art of Human Hacking does its part to prepare you against nefarious hackers.
BUY THE BOOK HERE
WOMEN IN SECURITY MAGAZINE
137
OFF THE SHELF
HACKABLE How to Do Application Security Right Author // Ted Harrington If you don’t fix your security vulnerabilities, attackers will exploit them. It’s simply a matter of who finds them first. If you fail to prove that your software is secure, your sales are at risk too. Whether you’re a technology executive, developer, or security professional, you are responsible for securing your application. However, you may be uncertain about what works, what doesn’t, how hackers exploit applications, or how much to spend. Or maybe you think you do know, but don’t realize what you’re doing wrong. To defend against attackers, you must think like them. As a leader of ethical hackers, Ted Harrington helps the world’s foremost companies secure their technology. Hackable teaches you exactly how. You’ll learn how to eradicate security vulnerabilities, establish a threat model, and build security into the development process. You’ll build better, more secure products. You’ll gain a competitive edge, earn trust, and win sales.
BUY THE BOOK HERE
SECURITY RISK MANAGEMENT BODY OF KNOWLEDGE Wiley Series in Systems Engineering and Management Author // Julian Talbot, Miles Jakeman A framework for formalising risk management thinking in today’s complex business environment. Security Risk Management Body of Knowledge details the security risk management process in a format that can easily be applied by executive managers and security risk management practitioners. Integrating knowledge, competencies, methodologies, and applications, it demonstrates how to document and incorporate best-practice concepts from a range of complementary disciplines. This is an indispensable resource for risk and security professionals, students, executive management, and line managers with security responsibilities.
BUY THE BOOK HERE
INFOSEC ROCK STAR How to Accelerate Your Career Because Geek Will Only Get You So Far Author // Ted Demopoulos Have you noticed that some people in infosec simply have more success than others, however they may define success? Some people are simply more listened to, more prominent, make more of a difference, have more flexibility with work, more freedom, choices of the best projects, and yes, make more money. They are not just lucky. They make their luck. The most successful are not necessarily the most technical, although technical or “geek” skills are essential. They are an absolute must, and we naturally build technical skills through experience. They are essential, but not for Rock Star level success. The most successful, the Infosec Rock Stars, have a slew of other equally valuable skills, ones most people never develop nor even understand. They include skills such as self-direction, communication, business understanding, leadership, time management, project management, influence, negotiation, results orientation, and lots more . . . Infosec Rock Star will start you on your journey of mastering these skills and the journey of moving toward Rock Star status and all its benefits.
BUY THE BOOK HERE
CYBERSECURITY ABCS Delivering awareness, behaviours and culture change Author // Jessica Barker, Adrian Davis, Bruce Hallas, Ciarán Mc Mahon Cybersecurity issues, problems and incidents don’t always relate to technological faults. Many can be avoided or mitigated through improved (A) cybersecurity awareness, (B) behaviour and (C) culture change. These ABCs are key components of the overall security status of an organisation. This book guides organisations looking to create an enhanced security culture through improved understanding and practice of cybersecurity at an individual level. Crucial awareness, behaviour and culture concepts are covered from the ground up alongside practical tips and examples, providing a key resource for those looking to create lasting cybersecurity awareness, behavioural and culture change initiatives.
BUY THE BOOK HERE
GUIDE TO COMPUTER FORENSICS AND INVESTIGATIONS Author // Bill Nelson Updated with the latest advances from the field, GUIDE TO COMPUTER FORENSICS AND INVESTIGATIONS, Fifth Edition combines all-encompassing topic coverage, authoritative information from seasoned experts, and real-world applications to deliver the most comprehensive forensics resource available. This proven author team’s wide-ranging areas of expertise mirror the breadth of coverage provided in the book, which focuses on techniques and practices for gathering and analyzing evidence used to solve crimes involving computers. While other books offer more of an overview of the field, this hands-on learning text provides clear instruction on the tools and techniques of the trade, introducing readers to every step of the computer forensics investigation, from lab setup to testifying in court. It also details step-by-step guidance on how to use current forensics software and provides free demo downloads. Appropriate for learners new to the field, it is also an excellent refresher and technology update for professionals in law enforcement, investigations, or computer security.
BUY THE BOOK HERE
HOW CYBERSECURITY REALLY WORKS A Hands-On Guide for Total Beginners Author // Sam Grubb You don’t need a technical background to understand core cybersecurity concepts and their practical applications – all you need is this book. Each chapter tackles a new topic from the ground up, such as malware or social engineering, with easy-to-grasp explanations of the technology at play and relatable, real-world examples. Hands-on exercises then turn the conceptual knowledge you’ve gained into cyber-savvy skills that will make you safer at work and at home. You’ll explore various types of authentication (and how they can be broken), ways to prevent infections from different types of malware, like worms and viruses, and methods for protecting your cloud accounts from adversaries who target web apps. In addition, you’ll get an inside look at the roles and responsibilities of security professionals, see how an attack works from a cybercriminal’s viewpoint, and get first-hand experience implementing sophisticated cybersecurity measures on your own devices.
BUY THE BOOK HERE
MALWARE DATA SCIENCE Attack Detection and Attribution Author // Joshua Saxe with Hillary Sanders “For those looking to become a security data scientist, or just wanting to get a comprehensive understanding of how to use data science to deal with malicious software, Malware Data Science: Attack Detection and Attribution is a superb reference to help you get there.” —Ben Rothke, RSA Conference Security has become a “big data” problem. The growth rate of malware has accelerated to tens of millions of new files per year while our networks generate an ever-larger flood of security-relevant data each day. In order to defend against these advanced attacks, you’ll need to know how to think like a data scientist. In Malware Data Science, security data scientist Joshua Saxe introduces machine learning, statistics, social network analysis, and data visualization, and shows you how to apply these methods to malware detection and analysis. Whether you’re a malware analyst looking to add skills to your existing arsenal, or a data scientist interested in attack detection and threat intelligence, Malware Data Science will help you stay ahead of the curve.
BUY THE BOOK HERE
SMART GIRL’S GUIDE TO PRIVACY Practical Tips for Staying Safe Online Author // Violet Blue “The Smart Girl’s Guide to Privacy is a straightforward how-to for protecting your privacy and undermining the social media settings that want you to share potentially intimate details with the world... I found the book alarmingly handy.” —Bitch Magazine “For girls and women in the technological age, this guide to Internet safety is a must-read. It’s a young woman’s invaluable guide to empowerment, addressing not only the why of keeping strong boundaries but the how.” —Foreword Reviews The whirlwind of social media, online dating, and mobile apps can make life a dream—or a nightmare. For every trustworthy website, there are countless jerks, bullies, and scam artists who want to harvest your personal information for their own purposes. But you can fight back, right now. In The Smart Girl’s Guide to Privacy, Violet Blue shows you how women are targeted online and how to keep yourself safe. Even if your privacy has already been compromised, don’t panic. It’s not too late to take control. Let The Smart Girl’s Guide to Privacy help you cut through the confusion and start protecting your online life.
BUY THE BOOK HERE
CYBERSECURITY LEADERSHIP: Powering the Modern Organization 3rd Edition Author // Mansur Hasib Widely acclaimed and cited by practitioners and scholars alike as the definitive book on cybersecurity leadership and governance. Listed among the best-selling cybersecurity books of all time and authored by Multiple Global Award Winner: 2017 People’s Choice Award in Cybersecurity; 2017 Information Governance Expert of the Year; 2017 (ISC)2 Americas ISLA Award for Graduate Cybersecurity Technology Program at UMUC. “The book defines cybersecurity ... It also continues to expand on the three key tenets of people, policy and technology. Hasib does well at describing such complex topics as the seven essential functions of a CIO, the challenges that occur when organizations place the CIO as a direct report to the CFO, and why the CIO and CISO must have a mutually supportive relationship. ...” – excerpt from review by DaMon Ross.
BUY THE BOOK HERE
UNMASKING THE HACKER: Demystifying Cybercrime Author // Amanda-Jane Turner Do you use computers, smart phones and the internet? If you do, please read this book and help protect yourself from cybercrime. There is no solely technical solution to fight cybercrime and neither is there a solely human solution. That is why everyone who uses technology and the internet needs to have at least a basic understanding of what they can do to help protect themselves in cyberspace. The stereotype that cybercrime is committed by mysterious hoody-wearing hackers is harmful. It encourages a feeling of hopelessness about how to protect ourselves and our information. How can we fight these mysterious hidden figures? This book provides easy-to-understand information to demystify cybercrime and make cyber security more understandable and accessible to all. As technology has evolved exponentially since the advent of the Internet, and because each subsequent generation does not know a time without being connected via smart phones, social media and emails, this book also provides a brief history of computing and the Internet, hacking, social engineering and cybercrime.
BUY THE BOOK HERE
THE RISE OF THE CYBER WOMEN: Volume One: Inspirational stories from women who are taking the cyber security industry by storm Author // Lisa Ventura, Lauren Zink, Goonjeta Malhotra, Liz Banbury, Cheryl Torano, Celine Rowan Pypaert, Annie Jamshed, Lucy McGrother, Dr Semire Yekta, Stephanie Luangraj “The Rise of the Cyber Women” is a compilation of inspiring stories from women in the cyber security industry from all over the world who are pioneers and leading the way in helping to protect the world from the growing cyber threat. Those who are included and featured in this book shared not only their stories but also their hints, tips and advice to women who are looking to pursue a career in cyber security or change their career path into cyber security. Their tenacity and commitment to their careers in the cyber security industry is very impressive indeed. If you are a woman who is looking to make the move into the cyber security industry, you need to read this book. If you feel that you are not good enough for a career in cyber security, you need to read this book. If you suffer from “impostor syndrome” which is holding you back from a career in cyber security, you need to read this book.
BUY THE BOOK HERE
THE RISE OF THE CYBER WOMEN: Volume 2: Inspirational stories from the women who are taking the cyber security industry by storm Kindle Edition Author // Compiled by Lisa Ventura, Lianne Potter, Andrea Manning, Pooja Agrawalla, Caroline Ndege, Sai Honig, Yatia Hopkins, Vina Ta, Federica Vitale, Gyle dela Cruz Staying safe online has never been more important, with cyber-attacks happening to organisations large and small all over the world daily. Yet there is a huge cyber skills gap, with those who do enter the profession tending to be men. Few women pursue careers in cyber security, but those who do are shattering the glass ceiling and contributing to the safety and security of the internet, our critical national infrastructure (CNI) and our day-to-day lives. Shockingly, the most recent Global Information Security Workforce study by (ISC)2 found that women in the cyber security profession represent only 10% of the workforce. It is clear that much more needs to be done to attract women to enter the cyber security industry and take up STEM careers in general. “The Rise of the Cyber Women: Volume 2” is a compilation of inspiring stories and interviews with women in the cyber security industry who are pioneers and leading the way in helping to protect the world from the growing cyber threat.
BUY THE BOOK HERE
Save the date
The Australian Women in Security Awards are back for 2021. Join us in-person or via live stream to celebrate our community of Women in Security.
October 13th 5:30-10:30pm MORE INFO