Women In Security Magazine Issue 3

Page 1

03

JULY • AUGUST

TALENT HAS NO GENDER: WHY COMPANIES NEED TO WORK HARDER TO BUILD MORE DIVERSE WORKFORCES P12

CHANGING THE WORLD, ONE ORGANISATION AT A TIME P8

MEET LISA HARVEY-SMITH: FIGHTING FOR WOMEN IN STEM P76

WHY FEMALELED STARTUPS NEED MORE SUPPORT P25

CULTURE & BELONGING W W W. W O M E N I N S E C U R IT Y M A G A Z I N E . C O M


FROM THE PUBLISHER Diversity + Inclusion +Culture = Real Value

I

n issue 2 of Women in Security Magazine we

In Issue 2, Melanie Ninovic discussed how “you must

talked a lot about diversity and inclusion in our

be the change you want to see in this world”, and

workforces. However, this is just the start for

outlined what people within different roles can do to

organisations – unless, of course, you’re only in it

make the workplace safer and more welcoming for

so you can tick a box and include a page on your

women.

website.

shows that it falls on everyone – the student, the

belonging are the next steps in your journey.

recruiter, the analysts, engineers, managers, directors,

As a wise person once said: “Let every voice be heard regardless of title, tenure, and background”. This means not only listening to your people, but creating environments where they will feel free to speak out. It means not only talking about diversity, but engaging with your employees to build a culture that is more inclusive, and creates a sense of belonging for all.

and executives – to be the change that we all want to see.. In that same issue Jinan Budge, who has studied toxic company culture extensively, argues that complacency, lack of diversity, and a focus of technologies over people are threats to any business. Security leaders, she says, must invest in professional development and growth for themselves and their staff to create a positive team culture and

Executed well, cultural improvements will help get the

environment.

best out of your employees – and lead your business

So either remove or acknowledge that there are

on the path to real value.

brilliant jerks in your business who are creating these

Yet the burden to build this journey shouldn’t just

toxic cultures – and stop them in their paths.

fall on the shoulders of individual employees –

Businesses, senior leadership teams should never

particularly those who are already struggling with the challenges created by cultural disenfranchisement.

tolerate bad behaviour. If you have been doing so and have only now come to realise it, now is the time to

For change to happen – and stick – the imperative to

do something about it.

create that truly inclusive and innovative workplace

Constantly check in on your teams to solicit ongoing

needs to come from the company’s senior leadership. This is not done by putting Band-Aids on existing policies; it is only possible by looking at the company from the inside and making that change.

2

There is some great advice within that, as it clearly

Assuming you are in it for the long haul, culture and

WOMEN IN SECURITY MAGAZINE

feedback about inclusivity within teams, on projects, or even with senior leadership. And develop strategies for training programs and for upskilling, to ensure there are no roadblocks to progress.


Abigail Swabey

Employee experience is everything – and, as you’ll read later in this issue, improving it by removing ‘micro-aggressions’ can increase productivity, innovation, and ultimately a sense of belonging that sometimes can be a better motivator than money alone. If your employees have that feeling of belonging, they will feel more comfortable expressing themselves, working more productively with colleagues to make extremely valuable contributions to the business. Becoming a truly inclusive company is a process rather than a goal. There aren’t quick fixes or compliance checklists that can get you there. These and other tips are just steps in a long journey of conversation and strategies; follow them, and you can create long lasting change within your organisation.

Abigail Swabey PUBLISHER, Owner & CEO of Source2Create aby@source2create.com.au


CONTENTS Talent has no gender: why companies need to work harder to build more diverse workforces

12

PUBLISHER’S LETTER

What’s the ART to creating an authentic culture in organisations?

2

CAREER PERSPECTIVES How to make a midcareer move into cybersecurity 58 Could inclusivity expand the

22

cybersecurity talent pool

A Tuesday in the life of

in australia?

a Regional Technical Support Manager

60

62

CHANGING THE WORLD, ONE ORGANISATION AT A TIME

08

FEATURE How to create a culture of belonging — and why it matters

18

Meet Lisa Harvey-Smith: fighting for women in STEM

76

AusCERT plenary panel

96

Back to basics

99

Take me to cuba

111

Whose afraid of Zero Day

114

Surviving a crisis a view from the trenches

120

Lessons learned from a year of security podcasts

WHAT’S HER JOURNEY?

4

WOMEN IN SECURITY MAGAZINE

Daniella Traino

30

Anna Leibel

32

Jo Stewart-Rattray

34

Giulia Traverso

37

Shelly Mills

38

Dr Lesley Seebeck

40

Amy Roberts

42

Gergana Winzer

46

Christina Keing

50

Noushin Shabab

52

Lisa Jiggetts

54

124

WHY FEMALE-LED STARTUPS NEED MORE SUPPORT 25


JULY • AUGUST 2021

INDUSTRY PERSPECTIVES

TECHNOLOGY PERSPECTIVES

Diversity 66 Creating a cybersecurity culture

68

How SiteMinder’s product and technology teams stayed motivated and innovative during the pandemic, while servicing the traditional hotel industry

72

Abigail Swabey

Linking data privacy to security

ADVERTISING

106

Abigail Swabey Charlie-Mae Baker

How to embrace the coming technology revolution

Vasudha Arora

108

Are you doing enough to protect

JOURNALISTS David Braue Stuart Corner SUB-EDITOR

82

COLUMN

90

Beware of ransomware

Factors threatening effective partnerships in crisis situations

102

80

Does privacy even matter? (Spoiler: yes)

transforms cybersecurity

your organisation’s IT security? 118

Building relationships in the security and risk suite and why it matters

FOUNDER & EDITOR

How artificial intelligence

Promoting Diversity vs Supporting

Stuart Corner DESIGNER

16

Jihee Park

Top 5 digital parenting tips for parents with teens

64

Ten top tips to secure your website you think they are

around Australia

84

Celebrating information security excellence in 2021

ABN 25 638 094 863

74

Hackers are not who

AWSN returning to in-person events

Women in Security Magazine is published by Source2Create

www.womeninsecuritymagazine.com

91

contact@source2create.com.au

OFF THE SHELF

136

Source2Create Pty Ltd is the publisher of this magazine and its website (www.womeninsecuritymagazine.com). AWSN is the official partner of Women in Security Magazine

86

TURN IT UP

134

©Copyright 2021 Source2Create. All rights reserved. Reproduction in whole or part in any form or medium without express written permission of Source2Create is prohibited.

03

JULY • AUG UST

CHANGIN G THE WORLD, ON E OR GA NI SA AT A TIM TIO N E P8

WHY FEMA LED STAR LENEED MO TUPS SU PP OR RE T

P25

TA LE NT HA S WHY COMPNO GE ND ER : TO WORK ANIES NEED BUILD MO HARDER TO RE DIVER WORKFO SE RCES P12

ME ET LIS A HA RV EY -S MI FIGHTING TH: FOR WOMEN IN STEM P76


SUBSCRIBE TO OUR MAGAZINE Never miss an edition! Subscribe to the magazine today for exclusive updates on upcoming events and future issues, along with bonus content

SUBSCRIBE NOW

03

JULY • AUGUST

TALENT HAS NO GENDER: WHY COMPANIES NEED TO WORK HARDER TO BUILD MORE DIVERSE WORKFORCES P12

CHANGING THE WORLD, ONE ORGANISATION AT A TIME P8

MEET LISA HARVEY-SMITH: FIGHTING FOR WOMEN IN STEM P76

WHY FEMALELED STARTUPS NEED MORE SUPPORT P25


CONNECTING - SUPPORTING - INSPIRING

AWSN Membership Benefits: Mentoring Community Support

Education Careers Events

Visit awsn.org.au for information about exclusive events, programs, and content. Join Australia's largest community of women in cyber and physical security.


CHANGING THE WORLD, ONE ORGANISATION AT A TIME by David Braue

T

Long-lasting cultural change is hard – but here’s how they did it

oday’s business cultures owe much to a series of organisational and technological movements that changed the way we work and collaborate – for example, automation in the Seventies, competition in the Eighties, organisational development in the Nineties, information-led globalisation in the Naughties, and digital reinvention in the Teens. Just as each of those decades had its transformative trends, the current decade will be defined by how well businesses translate broad ideals of equality into workplaces where diversity is more than just a poster on the staff-room wall – but a workplace

8

WOMEN IN SECURITY MAGAZINE

where employees actively support each other, their differences, and their capabilities. The benefits of diversity-minded organisational development are more than just ideological: teams in enthusiastically diverse workplaces, study after study has found, are more flexible, more welcoming, better at innovation, more resilient, and benefit from a much broader range of perspectives than those of the homogeneous management organisations of yesteryear. These qualities are all consistent with a company culture where employees feel individually valued and collectively empowered – and analyses consistently


F E AT U R E

show that feeling translates into real business benefits. One widely-cited McKinsey & Co study, for example, found that companies with market-leading gender diversity among executives were 21% more likely to enjoy higher-than-average profitability, while those with low diversity were 29% more likely to suffer lower profitability than average. Despite offering so many benefits – cultural and financial – one Harvard Business Review (HBR) study warns that increases in productivity are only observed “in context where gender diversity is viewed as ‘normatively’ accepted… [meaning] a widespread cultural belief that gender diversity is important.” “In other words,” the analysis notes, “beliefs about gender diversity create a self-fulfilling cycle. Countries and industries that view gender diversity as important capture benefits from it. Those that don’t, don’t.” Market indicators suggest that, over the past five years, companies have made slow and steady progress in increasing the representation of women in executive positions – one possible marker of progress in the metrics of equality. Yet despite the positive change over the past five years, a recent McKinsey analysis warned, the wake of COVID’s disruption has left many companies at risk of losing the “only modest signs of progress” made to date around the representation of women in corporate positions. With 1 in 4 women considering downshifting their careers or leaving the workforce completely, McKinsey warns, companies “risk losing women in leadership – and future women leaders – and unwinding years of painstaking progress toward gender diversity.”

EXTENDING A HELPING HAND Needless to say, diversity’s fragile gains to date need anything but to be diluted by the pandemic. This means that while companies many recognise the value of gender equality as a high-level value, it often falls to individuals within those companies to make it an enduring part of the company culture. Executives need to be proactive about seeding change in their organisations, Karen Townsend, a

senior application developer with infrastructure giant Red Hat, noted during a recent panel discussion on diversity strategies. As at many companies, Red Hat employees participate in a broad range of internal shared-interest groups, one of which was created to promote the cause of allyship – engaging the support of mentors or business leaders who can help women overcome vestigial internal blockers. “We started a grassroots effort on the backs of a couple of build leaders, and to create a space to talk about what it is to be an ally,” Townsend explained, “which is that it’s not necessarily who you are, it’s about the work that you do.” “There’s a need that there are people in the places of power who can make decisions that will make a difference,” she said, “especially for the women at Red Hat. There are so many opportunities for you to be intentional about it.” The key is for leaders to take initiative, Townsend said, by not waiting for the culture to improve on its own. “There’s no point saying ‘Well, I hope it happens’ or ‘I hope the diversity on our team can grow’,” she added: “It has to be an intentional effort, and you have to put the work behind your intentions.” That “work” is all about “advocating for equality from what is often the position of power,” noted Elaine Kwok, partner success engagement lead with Intel and a co-founder of diversity advocacy group Women in Big Data (WiBD). “Often times,” she said, “that is typically a male who is advocating as a sponsor for another woman, to open up more opportunities. I’ve been fortunate to have many male and female sponsors and supports and mentors, who have helped open up many career opportunities – and it wouldn’t have been possible without them.” Elevating gender diversity to become a ‘normative’ force for change, as HBR put it, is crucial to building the internal momentum that can turn a company into a force for progress. It doesn’t always have to be a major individual effort, Red Hat chief architect Emily Brand added, noting that “becoming a sponsor of someone doesn’t require that much work besides saying ‘wow, this person is

WOMEN IN SECURITY MAGAZINE

9


so good that I’m going to put her name in the hat for these big opportunities’.” “This sponsorship takes almost no effort from you, except for putting your reputation out there a little bit – and reaching out to ask if there is someone who is up and coming and needs a mentor.”

DIVERSITY AS A KPI For all the value of executives embracing mentorship and allyship programs, many successful organisations have used more conventional, prescriptive approaches to improve the gender balance within their organisations. BHP Billiton, for one, set a corporate target in 2016 that half of its workforce would be women by 2025 – and created an executive performance goal of increasing women’s representation each year. The Victorian Government, for its part, saw significant success from a 2015 mandate that women would comprise half of all new court and government board appointments in the state. Within two years, 49% of public-service executives were women. Engineering firm Aurecon has also been working hard to improve representation of women in recent years, with its global CEO and ANZ managing director kicking off a major effort that was implemented in a range of ways. The initiative included, for example, universal flexibleworking policies and a review of company policies to ensure they use gender neutral language and are explicitly inclusive. Parental leave, domestic and family violence leave were all put in place, although the company also found that their presence alone wasn’t enough. Leaders needed to normalise the use of such leave by using it themselves as well – and they did, with the percentage of family leave completed by men increasing from 7% to 40% in the years after the new policy was introduced. “The way leaders and team members interact day-today, the language the use, and the way leaders make decisions and share their time and attention also affects equal or unequal treatment and access to opportunities,” a Workplace Gender Equality Agency (WGEA) analysis noted.

10

WOMEN IN SECURITY MAGAZINE

Clearly, in the right settings top-down mandates can improve gender diversity by modifying recruitment and hiring practices – yet building a culture of inclusion, recent Diversity Council Australia (DCA) research suggests, is still elusive in many workplaces. Inclusion, in the DCA’s mind, “occurs when a diversity of people are respected, connected, progressing and contributing to organisational success” – a state that is necessary for company culture to actually benefit from the achievement of gender diversity. Yet many industries still suffer a yawning gap between intention and action: while 67% of manufacturing-industry respondents to the DCA survey said they supported the organisation’s action to create a diverse and inclusive workplace, for example, only 36% said their organisation was actually taking action to make it so. This gap suggests many companies’ cultures remain out of step with their employees’ ideological position – yet other figures suggest that a gender gap could be exacerbating the discrepancy. While 49% of women said they strongly support action to improve diversity and inclusion in their workplaces, just 38% of men said the same thing – with 22% of men saying they neither support nor oppose such initiatives, well above the 15% of women that are sitting on the fence. These figures suggest that, while not actively opposing the ideas of diversity and inclusion, many men are still disinterested in embracing them. They don’t really care either way – and that dismissiveness, says Cloudflare community manager Gretchen Scott, is no longer good enough. “There’s so much information now about the business case for good diversity and inclusion programs,” she told a recent Stone & Chalk panel session, “that anyone not on board with that is probably remiss in their duties of running a business.” “One of the biggest changes actually has to come from anyone in any leadership position,” she continued, “whether that means your job title has ‘management’ in it or not. You have a responsibility to make sure that people on your team are heard, and respected, and supported.


F E AT U R E

Despite broad support for diversity and inclusion initiatives, Diversity Council Australia’s latest Inclusion@Work survey showed how much the level of commitment to change varies dramatically between industries.

“I strongly support my organisation taking action to create a diverse and inclusive workplace”

Healthcare & Social Assistance

86%

Accommodation & Food Services

86%

Administrative & Support Services

84%

Financial and insurance

83%

Public Administration & Safety

82%

Education & Training

81%

Retail Trade

80%

Professional, Scientific & Technical Services

77%

Information Media & Telecommunications

76%

Construction 75% Manufacturing 67% Transport, Postal & Warehousing

66%

“My organisation is taking action to create a diverse and inclusive workplace”

Financial and insurance

73%

Public Administration & Safety

71%

Information Media & Telecommunications

62%

Healthcare & Social Assistance

59%

Education & Training

56%

Retail Trade

54%

Transport, Postal & Warehousing

54%

Professional, Scientific & Technical Services 50% Accommodation & Food Services

49%

Construction 48% Administrative & Support Services

48%

Manufacturing 36%

WOMEN IN SECURITY MAGAZINE

11


TALENT HAS NO GENDER: WHY COMPANIES NEED TO WORK HARDER TO BUILD MORE DIVERSE WORKFORCES by Julian Ranger

Julian Ranger, Executive President and Founder of personal data platform digi.me, explains why increasing diversity and inclusion build more rounded teams, better placed to change with the times and with tech advances.

W

e were delighted to see our

Australia lacks legislation—which exists in some

Australian partner Joanne

countries such as the UK—requiring employers to

Cooper, CEO of Australian

discriminate in favour of women. So male dominance

Data Exchange and an all-

in engineering continues, and there is no obvious

round corporate powerhouse,

route to change this.

featured in the May – June

2021 edition of Women in Security magazine.

EVOLVING FOR EXCELLENCE

Not just because it’s entirely deserved—very few

Yet change we must, not least because we know

people work harder or with more passion—but because, as a great female leader at the top of her profession, she is one of a rare breed. It is no secret that the pipeline of talent for jobs in engineering and technology is both male-dominated and insufficient. This leaves firms in a quandary. They all, naturally, want to recruit the best. And they often have urgent requirements to fill specific roles, which means they need to pick from the pool of available talent.

12

WOMEN IN SECURITY MAGAZINE

the most diverse and inclusive teams are those that produce the most rounded products and services. Many heads and many diverse life experiences ensure solutions are fully thought out, applicable and relevant to as many people and circumstances as possible. So, the question becomes: how do we best ensure as many voices as possible are at the table. The answer will get women, from an early age, perceiving technology and engineering as valid and desirable professions.


I have long had a passion for building opportunity, for getting more people into engineering, and future

“There are many young people who would have had a different career or found a new path if someone had assured them it was truly within their reach. We all need to work together to ensure as many young people as possible discover their full potential.”

proofing the profession. Technology is now at the heart of much of what we do, and want to do, as a society. We need a large workforce skilled in all aspects of technology to support today’s technology, and develop tomorrow’s. That workforce must be diverse and inclusive. Role models like Joanne Cooper play a significant role in promoting diversity and inclusiveness. People can see in her someone they want to emulate, and a career to envy. Jo grew up with a fantastically talented and driven tech mentor: her father, Australian IT pioneer Tom Cooper. He was a prominent figure in the 1980s PC era, and inspired and encouraged his daughter to follow in his footsteps.

WOMEN IN SECURITY MAGAZINE

13


THE NEW NORMAL Much hinges on how companies and industry leaders work to inspire and encourage the next generation, regardless of gender, colour, etc. Back in 2008 my educational foundation Ranger Engineering Education Foundation (REEF) was grappling with the challenge of getting more students into engineering, to study subjects and disciplines that would best set them up for success. This is not an issue to be solved overnight, but that does not mean we should do nothing. We must keep inching forward, step by step, towards creating the more diverse and inclusive teams we all want to see. We can seek inspiration from organisations that have achieved diversity, such as the UK’s armed forces, whose compelling and engaging recruitment campaigns normalise women in every role imaginable, and promote the idea that there is a role for everyone. Both these messages are important as we seek to widen what young people see as the range of career pathways available to them. Small firms are limited in what they can achieve, but we all have a part to play in driving change and working towards greater diversity, in individual companies, and in society as a whole. And we need to educate and inspire children before they become teenagers, make science more interesting, and show them role models they can aspire to, people like them in jobs they could do. Many organisations are male dominated, but there is no reason female participation cannot be increased. We all need to take more concrete steps and expand our ambition to achieve greater diversity.

14

WOMEN IN SECURITY MAGAZINE

We need to show rather than tell, to offer up role models and positive reasons to change, even as we accept that, in the short term, progress will be slow. Positively influencing six-year-olds now will not result in change for perhaps twenty years. But every step towards a better, more inclusive future is a worthy one. There are many young people who would have had a different career or found a new path if someone had assured them it was truly within their reach. We all need to work together to ensure as many young people as possible discover their full potential. Julian welcomes discussions around how to increase diversity and inclusion, and can be found on Twitter @rangerj. www.digi.me twitter.com/rangerj


Easy Reliable Resourceful No job is too big or too small. We look after your marketing & content needs so you can get on with what you do best. GET CONNECTED AND TAKE CONTROL OF YOUR BUSINESS SUCCESS TODAY!

charlie@source2create.com.au

aby@source2create.com.au

www.source2create.com.au


AMANDA-JANE TURNER Author of the Demystifying Cybercrime series and Women in Tech books Conference Speaker and Cybercrime specialist

C O L U M N

Beware of ransomware Technical advancement and interconnectivity are creating more opportunities for cybercrime; it’s big business. This regular column will explore various aspects of cybercrime in an easy to understand manner to help everyone become more cyber-safe. Ransomware is a type of cybercrime that often makes the news, and for good reason. A ransomware incident can cripple a business, disrupt healthcare, destroy years of research and, take a lot of time and money to recover from. In 2020 a patient at a hospital in Germany lost their life when ransomware disrupted the emergency care. The investigation found the ransomware did not cause the death, but the fact that ransomware can cripple critical care systems is alarming. A type of ransomware known as Ryuk, which has been around since at least 2018, recently caused the loss of a week’s COVID-19 research data at a European institute, and also disrupted healthcare

WHAT CAN YOU DO TO PROTECT YOURSELF FROM RANSOMWARE? • Ensure you keep up-to-date offline backups of your important files. • Take care not to open attachments in unsolicited emails or those that prompt you to run macros to view them. • Do not click on links in unsolicited emails. • Keep your operating system and software patched. • Use only official legitimate sources to download software. • Use a reputable and up-to-date anti-virus software.

at two US medical facilities. In May 2021 a fuel

If you have been impacted by cybercrime in Australia

pipeline in the US was disrupted by ransomware, in

you can report this via https://www.cyber.gov.au/

an incident attributed to a group called Darkside.

acsc/report. In other countries, report it to your local

Ransomware can impact large and small businesses,

police or through the relevant cybercrime reporting

charities and individuals, directly and indirectly.

mechanism. Ransomware is big business – stay safe.

16

WOMEN IN SECURITY MAGAZINE


Source2Create Spotlight

Events

Finding the right way to reach and approach your audience is key to success, that’s why we’re shining a light on our events. Our event services are readily available and used to deliver seamless experiences for both you and your audience. Our ‘Events-As-A-Service’ module allows you to break your event into modules and hand across the work you simply don’t have time to coordinate, or simply just want off your plate. S2C can do it all. We invest the time and energy into developing this strategy and plan, driven by data-based assumptions, to make your event a success. What are you waiting for?

REACH OUT TODAY

charlie@source2create.com.au

aby@source2create.com.au

www.source2create.com.au


HOW TO CREATE A CULTURE OF BELONGING — AND WHY IT MATTERS by David Braue

Pervasive ‘micro-aggressions’ feed a toxic culture that can stymie equality efforts

A

ustralia’s federal government wasted no time highlighting the positive findings of its second STEM Equity Monitor upon its release in May,

continue, STEM industries won’t reach gender parity until the middle of the 2040s – by which time many of the women in this year’s study will be ready to retire.

suggesting that women were slowly

To compensate for that natural attrition, the skills-

but steadily increasing their presence

development pipeline needs to grow at a much

in STEM-industry jobs and management positions. The proportion of “key management personnel and senior managers who are women”, the report noted,

healthier rate – but there are few encouraging signs that Australia’s pipeline of incoming female talent is anywhere near mature enough to compensate.

has increased steadily from 18% in 2016, to 23% last

The proportion of women in university STEM degrees

year. And, overall, 28% of women in STEM-qualified

increased by just 2% between 2015 and 2019, for

industries are women – up from 24% in 2016.

example, with women comprising just 22% of VET

While the current workforce figures suggest that

18

lies an uncomfortable truth: if current growth trends

and university enrolments.

slow and steady change in workforce culture is

Furthermore, many of those students won’t persist

providing new opportunities for women in STEM

long enough to secure the management positions

industries, behind the numbers’ plodding growth

they would need to keep the STEM Equity Monitor

WOMEN IN SECURITY MAGAZINE


F E AT U R E

graph on its present trajectory. Indeed, the report

messaging – many companies are still riddled with

found, men were 1.8 times more likely than women to

the lingering “micro-aggressions” that, she says, can

still be in a STEM job five years after graduating.

compromise corporate culture by tainting everyday

For cybersecurity – a STEM industry that has an even

office interactions.

more pressing skills gap than most – the realities

“Much of these bad behaviours come down to micro-

painted by the report mean that companies simply

aggressions, or more minor and subtle behaviours

cannot depend on Australia’s schools and universities

and comments around inclusive and exclusive

to supply enough trained female STEM graduates to

behaviour,” Lai explained.

close the gap for them.

“I don’t think it’s malicious,” she said, “but I think there

Consequentially, companies that recognise the value

are just people out there who genuinely have lived

of gender equality are going to have to take matters

experiences that don’t make them aware of these

into their own hands – and as women continue to

types of biases and these types of behaviours.”

shout from the rooftops, fixing hostile or just plain unhelpful company culture is a good place to start.

CULTURE CLUB Building the right culture often makes the difference between wanting to be diverse and actually becoming that way. Although some companies have made tremendous strides in the right direction, many others are still struggling to translate the desire for diversity into action. Just 27% of attendees at a recent Stone & Chalk webinar on gender equality, for example, said a diverse culture was embedded within their organisation – with 18% reporting that their organisation was engaging with stakeholders and 45% saying their companies have yet to get past the ‘awareness’ stage. Asked about the biggest challenges to gender diversity in their workplaces, just one-quarter of the audience said their organisations were “all over it”. More worryingly, 38% said employees aren’t reporting “bad cultural behaviours”, 25% don’t understand the business impact if gender diversity is ignored, and 13% still don’t take the idea of gender diversity seriously. Those figures don’t surprise Linda Lai, a full-stack developer with Zendesk who believes that – behind the veneer of equality messaging and feel-good

Fixing corporate culture is beyond the capacity of any one individual, Lai said, and it’s important not to try to fight battle all on your own. “It’s very difficult to take on the emotional labour and burden of having to monitor these behaviours,” she said, “and to be in a situation where you see or hear these behaviours.” “I don’t believe it’s up to the person who’s part of that minority group to always speak up,” she added. “It really is a shared responsibility to speak up about this – and it’s important to learn to manage your own sanity, and to choose when and where you want to bring those things up.” “It’s totally OK to say ‘I’m not prepared to have this fight today’.”

DRAW THE LINE – OR ERASE IT Michelle Price, CEO of cybersecurity industry development firm AustCyber, has experienced the insidious challenges of exclusive culture first-hand over years working in the Australian public service (APS). “There were times when, being a senior person within national security, where not only are you challenged emotionally,” she said during a recent National Press Club appearance, “but being a woman in those circumstances is held against you.” “There is a cultural dynamic here that doesn’t match

WOMEN IN SECURITY MAGAZINE

19


what we hold true to our values in broader society –

Recalling a situation where she was sitting on an

and it’s a very, very strange thing to put your finger on

expert conference panel – and was approached

because it’s not just one thing.”

afterwards by a man who asked why she felt she was

Yet even an organisation as large and inertial as the APS is slowly pushing in the right direction: “there have been huge amounts of concerted, focused effort put into changing this,” she said, citing the steady climb in representation within the

qualified to be on the panel – Scott said many women fight the same issues in struggling to be taken seriously in environments where corporate culture still has not accepted them. “When those things happen time and time again,

cybersecurity industry. Just five years ago, Price said, just 4% of cybersecurity industry jobs were held by women – and that had increased to 29% now.

“We’re estimating that with the graduates that will come out over the next couple of years, we’re going to get pretty close to 40% within the next five years,” she said. “But whether or not we can retain women within these fields is a completely different thing – and it comes back to culture.” Although many women have become used to shrugging off divisive language and microaggressions, as Cloudflare community manager Gretchen Scott put it, “having to qualify yourself, day in and day out, is just exhausting.”

20

WOMEN IN SECURITY MAGAZINE

what you’re actually hearing is ‘you don’t belong here’,” she says, “and ‘what you’re saying is not worth me hearing’. And you start to internalise that a little because it’s just tiresome.” While changing co-workers’ behaviour can feel overwhelming, technology can play a small part in changing company culture. One regular Slack group that Scott uses, for example, has been set up with a bot that automatically flags exclusive language and raises an alert. “If anyone writes ‘guys’ in it, it pops up with a link that says ‘we don’t use that [word]’,” she explains. “It takes


F E AT U R E

all the emotional labour off the people around you

perfect time to be having this shift in the paradigm

– and you’re just sent off without feeling like you’ve

[and] what it means to truly be an ally – and stand up

been told off by someone. You’re just educated.”

for those that are being oppressed?”

Small wins like that may seem like spitting in the

Women shouldn’t have to feel like they are fighting

winds of cultural inertia, but it’s all part of shifting

the gender diversity war by themselves – and it is

left when it comes to diversity – changing culture by

incumbent on leaders to remove that mantle so those

embedding diversity-positive behaviours right across the organisation.

policies and decisions, to

“When those things happen time and time again, what you’re actually hearing is ‘you dont belong here. And what you’re saying is not worth me hearing’. And you start to internalise that a little because it’s just tiresome.”

proactively soliciting feedback

-Gretchen Scott, Cloudflare community manager

Leader advocacy NationSwell offers suggestions for making this happen – ranging from rotating representation on corporate committees and encouraging the active questioning of corporate

from younger employees and developing a shared terminology that “accurately reflects your organisation’s values and goals

and allows your team to align around language”. Another transformative force is allyship, in which executives proactively engage with affinity groups and employee networks, giving them the resources and support to help them become a natural element of the company culture – rather than an oppositional force that is seen to be challenging it. COVID-era disruption has created the perfect environment for allyship to thrive, Terell Sterling, CEO of entrepreneurship firm Go Paladin, said during a panel session at the recent Databricks Data+AI Summit. “It’s interesting how the conversation has changed,” he said. “We have constantly put it on people of colour, women, and the other group to level the playing field – but we need to figure out a better way, where we’re

talented women can focus on developing their own skills and just doing their jobs as well as they can. Although the measurement of industry inputs encapsulated in the STEM Equity Monitor suggests the situation is slowly getting better, women shouldn’t need to wait over 20 more years before they are represented equally in cybersecurity and other STEM fields. Companies that succeed in creating a welcoming and supportive culture – now – will reap the benefits from decreased employee conflict and more widespread positive engagement. That’s most easily accomplished through proactive executive involvement, which will be crucial to driving the kind of cultural change necessary to realise major changes in attitude.

not putting it on the backs of the people that are

To truly succeed, those changes must not be

feeling oppressed.”

ephemeral: ultimately, the success of companies’

“We’re putting the onus on the executives to come to the table with something that can actually work for their teams, and for their corporation. And it’s the

efforts during this transformative time will determine the speed at which they can move the needle towards gender equality – and whether they can keep it there.

WOMEN IN SECURITY MAGAZINE

21


WHAT’S THE ART TO CREATING AN AUTHENTIC CULTURE IN ORGANISATIONS? by Ian Yip, CEO Priyal Bhosale, Product Manger Sophia Pace, Strategic Partnerships & Marketing Manager

I

n a startup team members often have multiple

high standards each team member will be held to.

responsibilities, despite having a core set of

Values articulate what the organisation stands for

accountabilities. The right organisational culture,

and set expectations that everyone can identify with.

one that creates a sense of belonging, is crucial

If an individual’s values do not align with those of the

for people to thrive and grow in such a dynamic

organisation they will never become a comfortable fit

environment. It provides every member with a

in that organisation.

‘why,’ drives motivation to achieve company goals, and drives commitment to staying around for the journey ahead.

Values form the foundations of the culture that will make an organisation unique and successful. More importantly, these foundations, built on the right

Avertro is nearly two years old. We’ve more than

core values, strengthen an organisation in times of

tripled in size and continue to evolve daily. We

adversity.

wouldn’t have been able to grow at this pace sustainably without the right culture from day one.

ACCOUNTABILITY

As with most meaningful endeavours, we’ve learnt

You will, unfortunately, hear that many people have

some lessons, and it hasn’t always been easy. An organisation’s culture, positive or negative, starts with its leaders, and these are the core areas we focus on to ensure we maintain our culture.

VALUES The authoring of Avertro’s organisational values pre-dates the formation of the company. Before we started, we were very clear about our goals and the culture that would get us there. Those values remain the same to this day.

22

worked for large corporations where the culture and its formal values were primarily about virtue signalling and managing perception. Management in these companies never holds itself to the values it has set, yet expects everyone else to follow its directives. Any team member working in an organisation like this will testify that it creates friction. It’s hard to believe in an organisation that may speak its values but does not act according to them. It creates distrust and a facade that no team member will buy into,

The point is not to outline what they are. What

jeopardising loyalty, productivity, and achievement of

matters is that having formal values clarifies the

goals.

WOMEN IN SECURITY MAGAZINE


SAFETY

COMMUNICATION

If leaders want employees to tell them what they

The core of any great relationship is effective

really think, there needs to be trust that there will

communication. The need to communicate effectively

be no negative consequences. Leaders must not be

seems so obvious that leaders often forget to create

afraid of candour and the truth.

an environment that is conducive to it.

Leaders are responsible for setting the tone,

A team that does not communicate cannot be

cultivating a safe space, and listening objectively,

effective. The real connections between people within

empathetically and without judgement. They must

an organisation form the fabric that holds its culture

allow teams to solve problems together. Leaders who

together. An abundance of these connections creates

do not do these things will simply be told what they

a rich, strong tapestry that wraps itself around the

want to hear, and none of the systemic issues in an

organisation and keeps everything together.

organisation will ever be addressed. Creating an environment where everyone feels safe to speak up allows teams to perform effectively and gives them the confidence to fulfil their responsibilities. A leader’s blind spots can only be illuminated by the

DIVERSITY Diversity and inclusion are critical. Unfortunately, some organisations are using the narrative to virtuesignal how they are “great places to work” because of their diversity, without being able to back this up.

trust the team they work with places in them.

WOMEN IN SECURITY MAGAZINE

23


It is often a challenge to figure out if an organisation

context, hierarchies should be secondary to a team

truly embodies the principles that lead to diversity

culture that recognises all are working together for

and inclusion, or is simply saying the right things

mutual benefit to achieve a shared outcome.

because it is trendy to do so. This connects back to safety. Organisations must allow people to be their true selves. We must acknowledge that we grow as individuals by working alongside others who are different from us, who we might sometimes not agree with, but who will make us better by challenging and expanding our

“If leaders want employees to tell them what they really think, there needs to be trust that there will be no negative consequences. Leaders must not be afraid of candour and the truth.”

perspectives on life, on work, and on how we think things should be done. Leaders need to understand that building diverse teams and nurturing a sense of belonging starts at the beginning of any organisation’s journey and must always be front of mind; not when it’s convenient, or “when the organisation is ready”.

EMPOWERMENT Many would be familiar with the advice to always “hire people more intelligent than yourself’. In reality, this is nearly impossible to do. The more realistic way to approach this is for leaders to build teams where everyone can make full use of their individual skills. When employees are better than their leaders at a particular task, the best thing a leader can do is move out of their way. Empowering people to do their jobs and to make the decisions they are best placed to make fosters a better overall culture. Empowered people are valued, confident, and secure.

CULTURE IS ART Fostering a positive culture takes effort and conviction. Sometimes, business decisions seem at odds with what appears to be the right course of action. There are many ineffective leaders. Most are happy to talk the talk. Very few will walk the walk. This is because ineffective leaders are often the last ones to suffer from a hostile culture. They are typically insulated in their “executive bubble” until the organisation is about to crash, at which point they conveniently deploy their golden parachute to safety, unscathed and move on to a new role where they repeat the same mistakes. An organisation can put all the right things in place to create a positive culture. But none of that matters if the leaders do not behave in an Authentic, Respectful and Transparent manner. Therein lies the ART of truly enriching the culture of any organisation.

IDENTITY No one should ever feel they are being treated like a number. Everyone deserves to be treated as a unique individual.

www.linkedin.com/company/avertro/

www.avertro.com

The healthiest organisational cultures acknowledge that people perform functions within hierarchies and chains of command. However, except in a military

24

WOMEN IN SECURITY MAGAZINE

twitter.com/AvertroSecurity


F E AT U R E

WHY FEMALE-LED STARTUPS NEED MORE SUPPORT by David Braue

S

VCs talk diversity but the numbers tell a different story pread as it will be between dozens

female entrepreneurs, who have struggled to achieve

of companies, the $10m allocated in

equitable representation in the startup community.

LaunchVic’s new Alice Anderson Fund won’t breed unicorns overnight. But the money carries one specific condition that makes it significant indeed.

The three-year sidecar investment fund – named after the woman who founded Australia’s first allwomen motor garage in 1919 – will only be available to startups that are either 50 per cent owned by at least one woman, or have at least a 30 per cent ownership stake by women, including one woman in an executive role. The fund – which will provide between $50,000 and $300,000 to each startup – is an explicit effort to tap the innovation in the state’s community of

In 2019, LaunchVic reports, just 19 woman-founded startups received angel or VC investment, out of a total of 104 companies receiving funding. And CrunchBase, for its part, lists 334 Australian startups with female founders. “At all stages of the startup life cycle, women-founded firms are a significant minority,” Victorian Minister for Innovation, Medical Research and the Digital Economy Jaala Pulford said in launching the new fund – applications for which open on 1 July. “This is a pivotal time to support women entrepreneurs to drive economic growth and create new jobs.” With the government taking 85% of its contribution as equity and private-sector investors matching the

WOMEN IN SECURITY MAGAZINE

25


government’s contribution by a minimum of 3:1, the

Accelerator SheStarts has tapped support from the

fund has been designed to encourage investment

likes of MYOB, Microsoft, and Herbert Smith Freehills

funds to help promising women-led startups give

to back 20 women-led tech startups since it was

their ideas a red hot go.

founded in 2016.

OPENING THE TAP The Alice Anderson Fund is the latest in a flood of new grants and investment initiatives designed to help women entrepreneurs overcome the challenges of realising their visions – and an explicit recognition that Australia’s startup community has been languishing in a state of gender inequality for far too long. Recent initiatives like the government’s $26.5m Cyber Security Skills Partnership Innovation Fund (CSSPIF) are gender-blind, but programs such as the federal government’s $52.2m Boosting Female Founders (BFF) initiative have specifically targeted women – with the $11.6m round 2 of the program recently closing after a raft of submissions from companies vying for awards of between $25,000 and $480,000.

fund for ventures such as Code Like a Girl, a womenin-tech startup that tapped the funding to scale up its programs during the COVID-19 pandemic – and, founder Ally Watson said, support the firm’s socialchange objectives. “We’ve got a mission for social change, and whilst many of the programs we’ve participated in definitely set you up for commercialisation or fundraising, they don’t combine it with social impact,” she explained. “There’s a real combination of business savviness, freedom and a social focus which is rare and ultimately what it came down to for us.”

TAKING WOMEN’S VC INTO THE MAINSTREAM Supporting women-led startups isn’t purely a

BFF is explicitly designed to support startup

choice for social good, however, with relatively new

businesses wanting to expand into new domestic and

accelerator Working Theory Angels founder Rachael

international markets, providing funding for up to 50%

Neumann noting that women-led firms tend to deliver

of “eligible project costs” as well as expert mentoring

better returns than those where women are under-

and advice for recipients.

represented.

Round 1 saw funds awarded to 51 women-led

“One of the things we don’t talk about is that

businesses working in areas such as digital

sometimes small businesses can have a better

skills startup Indigital, social-demographics firm

financial outcome for the founder than a large

Neighbourlytics, ICT consultancy STLP Consulting,

business, where that founder has been diluted by

and employee-giving firm Catalyser.

selling off equity in the company.”

“The road from business idea to global product is

When evaluating a startup for potential investment,

already a tough one,” former Minister for Industry,

Neumann says, she looks for principals that can

Science and Technology Karen Andrews said in

“deeply and clearly articulate” the customer problem

announcing the recipients of the first-round funding

they are trying to solve; have expertise or personal

last December, “but we know female-founded

experience of the space they’re operating in; are

startups face even greater challenges in getting the

playing in a large and growing market; can be a

finance needed to reach their full potential.”

“magnet for talent... [who can] convince anyone

“If we don’t capitalise on great business ideas from half of the population,” she added, “Australia’s startup

to work on this problem with you”; and wants to constantly invest in customers.

and innovation ecosystems will only be half as good

Yet the balance of these and other factors varies

as they could be.”

significantly depending on the company and the

Private-sector entities have also gotten in on the

leaders running it.

game, with mature firms like SBE Australia having

“In the same way that not every company is VC

raised over $600m in capital for 72 women-led

backable,” she writes, “not every founder has those

companies over the past decade.

26

And SheEO, for its part, provides a perpetual loan

WOMEN IN SECURITY MAGAZINE


F E AT U R E

types of aspirations and wants to grow in that way, at that speed, and use money as an accelerant for growth.”

Chalk panel session. “I’m finding that now that I’m in startup land, that there are a lot more discussions and they are all

Those that do, however, are finding the going to be a

making subconscious decisions about recruitment,

mixed bag.

and embedding that from day one, when they’re

Reports of strong returns to overseas funds have

actually building their startup,” she said.

fuelled a swell of attention on women-led startups

Cynch has a 50/50 gender ratio and has also been

– which, one BCG report found, deliver twice as

building “for different backgrounds,” Lostau explained,

much revenue per dollar invested as their male-run

noting that the engagement of young people has

counterparts.

helped drive that commitment to equality.

Yet getting funding dollars into their companies

“That’s the kind of company that they wanted to build

– which requires the broader support of similar-

and they’ve done it from the start,” she said, “which is

minded people – remains a universal struggle: female

great.”

received just 2.8% of all startup funding in the US during 2019, with Crunchbase last year reporting that adding in funding for companies with both men and women only bumps this up to 9% of all funding. Another study of Nordic companies found that all-female startup founding teams got just 1.3% of available capital in 2019.

Such attitudes help shape diverse startups from Day 1 but they also, pointed out Go Paladin CEO Terrel Sterling, are crucial in reversing the persistent gap between VCs’ stated goals and the ultimate composition of the companies they support. “When you look at the majority of venture funds that have gotten returns, they’re sourcing in the same

Last year actually saw this trend slide backwards,

areas that they’ve always sourced,” says Sterling,

with total funding to whole or partially women-led

whose firm is focused on improving access to VC

companies declining from $41b ($US32b) to $32b

funds by women and minorities. “They say they want

($US25b) – pushing the available pool of funds back

to increase or invest more in women or people of

to 2017 levels.

colour, but when you actually look at their cap tables, it doesn’t match up.”

CLAWING BACK THE PROGRESS “While we have come a long way in making the startup world more open than ever,” writes Rachel Sheppard, director of global marketing at the Founder Institute and co-founder of the Female Founder Initiative, “its makeup and culture often represent hurdles for women to overcome. And bias and outright discrimination continue to hamper our progress.” These ongoing frustrations increasingly clash with a startup culture that is, itself, well apprised of the promise of women-led ventures – and increasingly wants to work with like-minded investors. That’s an increasingly common understanding, says Jacqui Lostau, whose experiences founding cybersecurity startup Cynch Security and building the Australian Women in Security Network (AWSN) have given her firsthand experience with the improving gender balance in the startup community. “We’re past that point of people understanding what

“This is significant because these founders are internalising and saying ‘I don’t feel like I’m worthy enough to raise capital; I don’t think anyone’s going to invest in my idea, and I see that this other person can raise all the funds because they happen to know the right people.’” Go Paladin has already helped around 220 startups raise around $65m from VCs who walk the walk as well as talking the talk. By using money as a lever to reward companies that are actually delivering on their diversity goals, Sterling says, the investment sector can drive real change to harness the enthusiasm of many startups to create a more diverse, equitable ecosystem. “We need to put more funding into the ecosystem players who are trying to really change, and go further upstream to really change the conversations that are taking place,” he said. “It is so important in our current times that we have to be intentional.”

the benefits are of diversity,” she told a recent Stone & WOMEN IN SECURITY MAGAZINE

27


It’s almost that time of the year! The Australian Women in Security Awards are back for 2021! If you’d like to join us in person, grab your ticket today! We’ll even throw in a discount for magazine subscribers, click the button to reveal your exclusive code. Valid until 16th August 2021, single use code.

Interested in booking a table? Reach out to charlie@source2create.com.au for more information and availability. Tickets are priced at $200.00 AUD Date: 13th October, 5pm-10pm AEDT Venue: Crown Sydney, Barangaroo, Sydney DISCOUNT CODE

BOOK YOUR TICKET TODAY!

MAGSUB15


WHAT’S HER JOURNEY?


these are material or impact more than one business. Working with each business’ cyber teams is fun. They are talented and passionate about their business and about ‘defending production’. It’s a challenging role, so I am energised working with them, helping them succeed, and supporting their teams. I got into cybersecurity by chance based on my

Daniella Traino CISO for Wesfarmers vCISO

I

had no idea there was a career behind it, what that path looked like, or what the economic value of those skills and experiences would be. I studied computer science and accounting (commerce) at the University of Sydney. I loved mathematics, business and technology, and wasn’t

am a virtual chief information security officer with an ASX listed company, and the group chief information security officer (GCISO) at Wesfarmers. A virtual CISO is essentially a cybersecurity

sure where my interests would take me, job-wise. My career progress has not been the result of good or solid planning. I just wanted to be in environments where people were mission-focussed, continuously improving and not seeing tech/cybersecurity

executive who is engaged with client(s) on a part-

only as a ‘keep the lights on’ benefit. I looked for

time/project basis rather than full-time. A group

opportunities to work across many complex and

CISO is accountable for CISO-level functions and

growing businesses and industry types where I could

capabilities, but typically for more than one business

develop management skills to help me navigate the

area or company within a group. The role exists

complexity, and influence strategy.

in large enterprises/conglomerates where there are several businesses owned by the same parent organisation. It is less common in Australia than in many other countries.

My first employer was a management consulting/ big four accountancy firm. That job gave me opportunities in financial and IT audit and general IT and risk consulting. It was there I was introduced to

As Wesfarmers GCISO I work closely with the

a small team being paid to test the security of client

cyber teams across the corporate office and our

systems and recommend how to design/harden

retail, chemical, industrial and safety divisions. I’m

them. I was hooked! It was a great team, and we

accountable for group-level strategy and architecture,

worked on a good range of IT and cyber engagements

cyber risk management and assurance, and cyber

in different industries. I invested in my own learning in

defence.

parallel (Hacking Exposed was a great handbook) and

My GCISO role at Wesfarmers is that of a change

my cybersecurity interest grew from there.

agent, building a sense of community and

I think, to be successful in cybersecurity, you need

collaboration across all cybersecurity teams, and

to have a passion for the domain and for learning.

particular practitioner groups such as Cyber Defence

The threats and the technology innovation to counter

and Architects. I identify strategic opportunities

them are evolving rapidly in parallel. Being curious is

to uplift/innovate and have executive and board

a must.

responsibilities to measure and monitor cyber risk and opportunity across all businesses. This includes coordinating incident response and cyber defence efforts across all businesses where

30

interest in it, and the challenges and fun it offered. I

WOMEN IN SECURITY MAGAZINE

I’ve had several memorable experiences in my career, mostly centred around the incredible people I’ve been fortunate to work alongside. I’ve tried to learn from their successes as much


W H AT ’ S

H E R

J O U R N E Y ?

as from my own, and also from things that did not

but it was fun to talk to many of Australia’s incredible

work well. The best advice I was given was: don’t

research, engineering and science professionals.

expect someone else to know your worth/brand/

Countless reports show Australia to be a creative

achievement. Speak up, and whatever opportunity

country, but if we could collaborate meaningfully, and

to stretch yourself comes along, say yes and figure

work through the commercialisation hurdles, Australia

it out along the way. Sometimes we females are

would punch above its weight, and contribute to the

conditioned to think we cannot be assertive or

cyber ecosystem more than it does today.

confident. That’s utter rubbish.

We’ve been able to come together as a fintech

Being female in cybersecurity can be challenging.

ecosystem (Fintech Australia and others have made

When I started there were few mentors or successes

amazing inroads). Together with existing industry

to point to. It’s quite the opposite now. I found I was

participants, Australia has contributed significant

constantly being challenged to show I “knew my

economic opportunities and revenue growth in a

stuff” or was sufficiently “technical” compared to

very short time. Imagine if we replicated that with

colleagues. Thankfully, I had a thick skin.

cybersecurity.

Since my early days in cybersecurity, it’s been

We have many cyber security pioneers here. Jo

fantastic to see many female trailblazers emerge,

Cooper @ IDExchange, Vaughan Shanks @ Cydarm,

creating opportunities for more women in the

Mohan Koo @ DTex, Sam Crowther @ Kasada, Pieter

profession. However I’ve had more male colleagues

Danhieux and Fatemah Beydoun @ Secure Code

that were supportive than not, and more should be

Warrior, Casey Ellis @ Bugcrowd, Alan Sharp-Paul

done to raise their profile as champions of change.

and team @ Upguard, Daniel Potts and team @ Cog

I had the opportunity to work with an incredible Australian cybersecurity research team that was pioneering formal methods, software verification

Systems, Vikram Sharma @ Quintessence Labs and Tony Smales @ Forticode. And cybersecurity has received only limited investment and support.

and proof engineering: techniques that would

The role of artificial intelligence (AI) in cybersecurity

fundamentally improve software trust and change

is one area where more investment is needed. AI has

software vulnerability management, or remove the

a significant role in cybersecurity, for good and bad. It

category entirely.

can improve defence and protective mechanisms, and

This was a joint team from the Defence Science and Technology Group and Data61 (a CSIRO business unit). We went on to win two national and three state (SA) iAwards for a cyber product we developed

risk and governance frameworks. On the nefarious side, it presents a growing challenge as threat actors use AI tools to build better evasion techniques against both human and technical defences.

that successfully kicked off a partnership through

The ‘defender’s deficit’ is widening. I think AI

the Defence Innovation Hub. I learnt a lot from this

techniques can help close the gap, but we need to be

combined team.

able to assess trustworthiness: ensure the outcomes

A few years ago my colleague and I developed a

are transparent and provable.

cyber R&D commercialisation strategy, an Australian

Unfortunately AI solutions can be very ‘black box’, so

first. We also codeveloped the design and model

there is also the challenge for cybersecurity teams to

for the Oceania Cyber Security Centre, which went

develop the skills and knowledge to assess AI for its

on to become a regional research and deployment

advantages and determine where it can be misused.

partner of the Global Cyber Security Capacity Centre

Global initiatives for trustworthy AI frameworks and

at the University of Oxford for the Cybersecurity

assurances will help, but will not be sufficient if we

Capacity Maturity Model for Nations. The centre was

do not invest in upskilling cybersecurity talent, and

subsequently operationalised by a different team.

increase the diversity in cybersecurity teams.

It was challenging to ideate and develop these plans,

www.linkedin.com/in/daniellatraino/

WOMEN IN SECURITY MAGAZINE

31


Anna Leibel Director of The Secure Board

lots of loud voices. Questions were often asked, and

I

opinions shared. I wouldn’t speak up for fear of being laughed at. But after a few months of staying silent I think IT chose me for a career rather than me choosing IT. I taught myself how to code when I was only eight years ago, and started my own IT consulting business when I was still in high school, in Year 12.

I have now relished working in IT for nearly 30 years across a variety of technology domains and in management consulting roles where I have worked alongside the security department. After school I did not take the usual career path to university, but I’ve focussed on continuous learning throughout my career, including taking two courses at the Massachusetts Institute of Technology in the USA, and becoming a graduate of the Australian Institute of Company Directors. My focus on continuous learning means I always try to develop the skills required for the next one to two steps in my career. If I am not familiar with something I set about learning more about it. I can then talk about it authentically, which builds my confidence.

similar to my own. That increased my confidence to share my ideas and opinions, which had a big impact on my corporate career. I have worked in many IT departments, established new enterprise global sales streams, worked in management consulting, and most recently as a CIO and board member. I’ve always said yes to every opportunity, taking myself out of my comfort zone, which has driven my continuous learning. But there’s good and bad in always saying yes. On the good side, it has been instrumental in my career success. On the downside, it has sometimes landed me in situations where I lacked the skills and experience to perform effectively. One example was when I offered to speak at a conference in 2012 to a room of 800 people. I was so nervous I learnt my presentation by heart. After my presentation I asked a sponsor/advocate for feedback. He said I had done well, but much better in the Q&A because I was more comfortable and

Continuous learning does not necessarily mean

confident. His feedback spurred me to develop my

formal learning. I am a huge fan of learning by

public speaking skills. That’s something I continue to

observing others, and by reading and listening to

do today, and will always do, because I think there is

podcasts. It’s important to be open, to enrich your

always more to learn.

understanding and perspective.

32

realised other people were sharing perspectives very

Another example was accepting a six-month

My early years in IT were with Telstra, where there

secondment into an enterprise sales role. I didn’t

was always a large number of people in the room, and

know anyone in the team and was not familiar with

WOMEN IN SECURITY MAGAZINE


W H AT ’ S

H E R

J O U R N E Y ?

the lingo. I acknowledged this quickly and started

I love the diversity and unpredictability of my current

working with a coach, the former CEO of a global food

role. Most weeks are spent attending board meetings.

retailer who had significant sales experience.

Claire and I also spend a lot of time meeting with

Over the past few years, I have been transitioning to a portfolio career, focusing on a range of consulting and advisory work. I find it very rewarding to be

boards and chief executives, providing advice and sharing best practice. I also undertake interim CIO work and coach other CIOs and CEOs.

contributing more broadly across different sectors

In my most recent role, with UniSuper, the information

and businesses.

and cybersecurity team reported into me as chief delivery and information officer. As security has shifted from being

“I have worked in many IT departments, established new enterprise global sales streams, worked in management consulting, and most recently as a CIO and board member. I’ve always said yes to every opportunity, taking myself out of my comfort zone, which has driven my continuous learning.”

perceived to be an IT function to an enterprisewide risk, I am motivated by how the business and third-party vendors work with IT collectively to keep organisations safe. And I would advise anyone, whether they are working in security or in IT, to take a customer and business perspective to their work if they want to progress their career. It’s a great way

I also had the wonderful opportunity to co-author a

for IT to be valued by stakeholders and gives IT the

book, The Secure Board with Claire Pales. It provides

opportunity to make a difference.

important advice for boards and senior leadership teams on why cybersecurity is a business risk, not just an IT problem.

And for IT to be most effective in making a difference, you need diversity across gender and age. In security it contributes to critical thinking on strategy,

The Secure Board is also the name of an advisory

prevention, preparedness and culture. In business it

service of which I am a director. I am also the

supports critical thinking in customer retention and

founder and director of another advisory service,

attraction strategies.

110% Consulting, and a non-executive director of Ambulance Victoria. 110% Consulting advises on strategies to grow

www.linkedin.com/in/annaleibel/

businesses, transform the experience for customers and deliver operational efficiencies to free-up funds

www.thesecureboard.com

for strategic investment.

WOMEN IN SECURITY MAGAZINE

33


tech workforce generally, and in security, in particular. According to a Petersen Institute research initiative this amount could be as much as $US12 trillion per annum. So, inequality is costing everyone. Lack of gender diversity, and of diversity of thinking, will have an impact on capability, without question. However, simply employing more women is not the

Jo Stewart-Rattray Director of Technology & Security Assurance for BRM Advisory

answer. They must be given the same opportunities at the same rate of pay as their male peers. Inclusion is exceptionally important as part of this journey toward equality. In circumstances where I need to keep the permanent full- time headcount low I like to use appropriately credentialled and experienced external resources. As I have been in the game long enough I have developed a strong, but small network of trusted advisers who I

I

work with. I have developed a strong collaboration with my head a South Australia based advisory practice,

colleagues in Facilities, Risk and Privacy across

BRM Advisory, focussed on technology

security and infrastructure, and we work closely on a

and security, but since 2019 I have been on

number of fronts.

secondment as chief security officer to Silver Chain Group, a provider of in-home health and

aged care services with over 100,000 clients across Western Australia, South Australia, New South Wales, Victoria and Queensland. and I’m responsible for all things security across the organisation. I report regularly to the board’s audit & risk committee and I work very closely with the head of risk and assurance to make sure that cyber is captured as part of operational risk, given that it can easily be material in nature. Silver Chain is big, complex and national. We have nursing stations in some very remote locations in rural, regional and remote Australia. One such nursing station is three hours by boat from the mainland. Connectivity is an issue, to say the very least. Filling roles in cybersecurity is always a challenge, as is finding the right person for each role, particularly because I want a good cultural fit as well as a strong skill set.

34

We have approximately 2000 staff members permanently on the road using nothing but mobile devices. So the pandemic did not really affect that part of the operation, but we did have a challenge to move our two 24x7x365 call centres off site and into people’s homes! Technology is essential to what those 2000 mobile staff members do, but it’s not a core part of what they do. So the human factor and education is very important for cybersecurity. We also need to remember that in organisations where technology is not the core of the business special attention must be given to the human factor and education must be appropriate and delivered using multiple modalities to ensure that we reach everyone. But it’s not only those field workers who need to be security-conscious. We need to ensure that, from the top of the org chart all the way down, appropriate education and awareness raising activities are in

Also, we know that organisations are leaving $$$s on

place. This is particularly important given the evolving

the table by not employing more women across the

nature of the threats we face in the cyber world.

WOMEN IN SECURITY MAGAZINE


W H AT ’ S

H E R

It is always the wetware – the human factor that is a continuous component that needs to be addressed. We’re turning those weak links into human firewalls and we’re seeing the organisation slowly move to a security-first approach. It’s one of most satisfying aspects of my role.

J O U R N E Y ?

I have gained a number of security qualifications in the course of my career. I am a Certified Information Security Auditor, Certified Information Security Manager, certified in the Governance of Enterprise IT, certified in Risk in Information Systems and a Certified Professional (Cyber Security). Those qualifications were all challenging to obtain, in different ways and for

“Lack of gender diversity, and of diversity of thinking, will have an impact on capability, without question. However, simply employing more women is not the answer. They must be given the same opportunities at the same rate of pay as their male peers. Inclusion is exceptionally important as part of this journey toward equality.”

different reasons. A couple of the certifications I was ‘grandfathered’ into, which is a recognition of prior learning in this part of the world. But as it turned out, with the amount of work required to prove compliance it would have been just as easy to do the exam! I don’t see any of those qualifications as being a waste of time, and I believe they have enhanced my effectiveness as a security professional. However, I believe career

I work closely with colleagues from HR, Privacy/ Legal and Risk to build up a holistic approach using a multimodal methodology to deliver cybersecurity

progression is a combination of factors: credentials/ qualifications, experience and your own will to achieve.

training. And of course, let’s not forget the need to

Having a natural curiosity, willingness to research

include friendly phishing campaigns that have an

new methods, and psychology — which I have studied

educational component too.

— have also been extremely helpful in informing my

I started my career in infrastructure, became a CIO and then took a decision to move into security. I’d advise anyone embarking on a career in cybersecurity to join a professional body, network, take advantage of professional development opportunities afforded by professional bodies, and get involved with advisory groups and the like to give back

practice. Also, I don’t believe you can do this job without continual learning, reading and researching, and keeping abreast of trends locally and across the globe. I spend a lot of time reading white papers, the tech press, talking with compatriots, and keeping abreast of legislative changes.

to the profession. It has led me to a seat on the board of directors of an international not-for-profit organisation with annual revenues of $US100million, to being involved with a number of publications, to setting standards, developing frameworks and being the volunteer founder of a global women in technology initiative.

www.linkedin.com/in/jo-stewart-rattray-cism-cgeitcisa-crisc-cp-4991a12/ twitter.com/jo_sr01

www.youtube.com/results?search_query=Jo+stewart-rattray

WOMEN IN SECURITY MAGAZINE

35


A PROGRAM THAT CONNECTS, SUPPORTS AND INSPIRES FEMALEIDENTIFYING TERTIARY STUDENTS AND EARLY CAREER PROFESSIONALS.

"When women work together, they become a force to be reckoned with. Be part of a force for good in the security industry, by joining the AWSN Cadets program today!" - Liz B, Co-Founder

Studying or an Early Career Professional in information security? Learn more at awsn.org.au/initiatives/awsn-cadets/


W H AT ’ S

H E R

J O U R N E Y ?

part!) of cybersecurity, the technology that protects our secrets and communications in our daily life.

Giulia Traverso PhD- Senior Consultant Cybersecurity, EY

By becoming a cryptographer I (finally) officially became part of the cybersecurity workforce. However, this took a few more years. After my master’s degree, I did not feel ready for a job in the industry. I wanted to explore cryptography more deeply, and contribute to it. So I decided to do a PhD in cryptography.

H

Armed with a PhD I had two main options to become part of the cybersecurity workforce: pursue a career ow do you become a “cybersecurity

in academia and become a professor or move into

expert”? The journey that would lead me

the industry. Those who decide to stay in academia

into working in this field started more

are at the forefront of innovation. They are the folks

than fifteen years ago, when nobody

inventing new primitives, proving the security of these,

was taking about cybersecurity. I wasn’t

and equipping them with more and more desirable

aware of it either. I stumbled upon cybersecurity by

and sophisticated features. Those who move into the

chance.

industry implement cryptography in to protect real

My journey began fifteen years ago when, after middle

data and processes.

school, I had to choose what type of high school to

I belong to the latter group. After my PhD, I joined a

attend. A school with a strong scientific or technical

cybersecurity startup to manage its R&D projects,

background, you might think. Well, no. Unbelievable

adding security to embedded technologies, such

as it may sound, I opted for the so-called “Classic

as IoT and AI. At the time of writing, I am about

Lyceum”. In Italy, where I was raised, a Classic Lyceum

to join a Big Four consulting firm where I will be

is a high school with a strong focus on literature,

dealing with compliance to cybersecurity standards

ancient Greek, Latin, philosophy and history, and

and regulations for major banks and insurance

only five hours per week of mathematics, physics

companies.

and science. After completing my five year stint at the school I knew that “cryptography” came from the Greek root “crypt-”, which means to hide, and that “cybersecurity” came from the Greek root “cyber-“, which means to govern, to pilot. At age nineteen, that was all I knew about cybersecurity. My journey towards my current field of expertise started slowly and unconsciously when I decided to enrol for a bachelor’s degree in mathematics at the university. At least I was in the STEM field and one of the (supposedly) few women in STEM. In fact, half the students in the mathematics faculty were women. My interest started to shift to cybersecurity when I decided to study for a master’s degree in

My career path shows there are many ways to becoming a cybersecurity expert. So I hope I’ve shown you there is much more to working in cybersecurity than hacking and programming all day long. There are theoretical and strategic roles. Cybersecurity is a discipline where knowledge and competence count for more than degrees and certificates, and where career progression is not closely tied to specific study paths. Therefore, if you’re passionate about cybersecurity or simply interested in it, please just go for it! Study on your own, take online classes, read books, ask people on LinkedIn. A career in cybersecurity is closer than you can imagine.

mathematics for cryptography. Studying for my bachelor’s degree I had found subjects like number theory, finite fields, and algebra very interesting. Those are the mathematical foundations of cryptography, the core (and the best

www.linkedin.com/in/giulia-traverso-phd-13a749150/

www.breakingthirty.com

WOMEN IN SECURITY MAGAZINE

37


I work with the most brilliant team and a supportive manger. My boss, Sasenka Abeysooriya, has written a great article explaining how data governance is essential to cybersecurity. I am supported and encouraged to take every opportunity I can to build new skills and grow professionally. Since taking this role: I have started presenting to staff at UQ on cybersecurity awareness along with our cybersecurity manager; managed our data and cybersecurity awareness campaign;

Shelly Mills Program Coordinator & Business Analyst The University of Queensland

assisted in conducting a comprehensive threat analysis on UQ’s data and information, which in turn informed UQ’s data handling procedure. All these activities have been enabled by the work I am leading in the information security classifications space. At the time I started at UQ, Mandy Turner also joined as CSOC manager. She is a true champion of diversity, and a brilliant, talented mind. She always encourages you to think creatively, approaches

I

scenarios from different angles, and empowers people to use their strengths in their roles. I have ’m a business analyst and program coordinator

seen our CSOC really strengthen under her leadership,

in the data strategy and governance team at

and she provides an environment where our amazing

the University of Queensland. That at least is

analysts are supported to make full use of their

my title. In reality, my role is much wider. I do a

abilities.

bit of everything: project management, change

management, communications and business analysis activities to develop practices and processes concerning the formal governance and management of UQ’s data assets, and maturing UQ’s information management capabilities. This includes: privacy and consent management, data accessibility, metadata management, data ethics, data security, data literacy, and providing operational advice and support as a data governance subject matter expert as the field of data governance continues to mature. I also run our data security and cybersecurity awareness campaign, manage a project to roll out Office 365 Sensitivity Labels, and have recently begun assisting our information architect with data modelling. We work with the Cybersecurity Operations Centre (CSOC) to complement our respective areas of work and goals.

38

WOMEN IN SECURITY MAGAZINE

I would describe the culture of my team as supportive, hard-working with balance, innovative, friendly. In a word: great. I would say my team is an exemplar of gender equality and my boss certainly drives and champions this. I think diversity in every form will always bring benefits in terms of new ideas, perspectives and approaches. So, in that sense I certainly believe closing the gender gap will bring positive improvements. I’d love to see all areas embodying true gender equality and diversity. I think we face the same cybersecurity challenges as many workplaces, primarily; culture and awareness, and budget for cybersecurity staff and tools. A key concern for me is security around IoT devices. I took my current role after leaving my previous job in cybersecurity projects, which included a focus on cybersecurity awareness. When I started in that


W H AT ’ S

H E R

earlier role, I saw it as my “dream job”. Unfortunately— and I think this is often the experience of women—as a female I faced some particular challenges with the culture. I have a Bachelor of Science in Ecology and Conservation Biology, Honours in Aquatic Ecology, and a Grad Dip in Business (Public Relations), but no security qualifications. It would have been beneficial to have studied IT at university. I’m not super technical, but I know I have the potential to be, and would love to have spent time developing those skills earlier rather than undertaking study in a separate field. Studying PR has definitely helped with the communications and awareness aspect of my role, and studying in general has helped me develop my analytical and report writing skills. These are so important in security, but severely underrated, as are soft skills. During my career in cybersecurity, I have found Twitter and LinkedIn have also contributed greatly to my career in cybersecurity. They are great places to network. I’ve met so many people in cybersecurity through these platforms. Now, I am lucky to be in an environment where I am supported and encouraged to grow my skills. Most

J O U R N E Y ?

more information you store, the greater the risk of a data breach. It’s a tough balancing act. It’s generally believed that COVID-19 created significant challenges for IT, and for IT security, but for me it has had some positive outcomes. My role is program-funded, and we lost a significant amount of our program funding as a result of COVID. We were in the final stages of procurement for a data governance tool which was halted, and our team was reduced to two: my manager and myself. I approached this challenge from the angle of “what can we do, with just the funding we have, that will still enable us to make a positive impact?” I put forward proposals to create a data.uq.edu.au website and rollout Office 365 Sensitivity Labels, both of which were approved, and I am now managing a small project team to implement those. I easily build rapport and positive working relationships with colleagues, and I have found those skills to be extremely valuable. For example, being able to chat directly with a contact rather than having to submit a service ticket, when I need information or something done. As I progress in my career and my time becomes scarcer, I still try to make time to engage with colleagues and take genuine interest in how they are going, in order to maintain these

recently I’ve started doing data modelling, learning to

relationships.

use Oxygen XML and loving it. To keep up with current

However, I do find office politics to be challenging. I

and emerging issues, I subscribe to a plethora of security newsletters and try and attend webinars and conferences.

tend to assume the best motives off the bat, so can be naive to underlying agendas. I need to balance being able to remain positive and trusting with being

At the moment I’m working to increase my leadership

aware of business motives.

skills. I have undertaken courses, said “yes” to

UQ has also adopted a hybrid work environment,

opportunities to present and speak publicly, and am now responsible for managing a staff member who has joined our team. I’ve also joined the Australian Information Security Association as a member of its Brisbane executive committee.

which means our team was able to hire an amazing information architect based in Melbourne. They would not have been able to work with us otherwise, and they have brought us much value.

One of the biggest challenges of my role is legislation and balancing the collection of information with its retention and protection, and with the right to be

www.linkedin.com/in/shelly-mills/

forgotten. Organisations, and especially marketing departments, love to store information. However, the

WOMEN IN SECURITY MAGAZINE

39


Defence before the end of the Cold War, and I recall looking at reports of Soviet fishing vessels and their activities in the waters around Australia. Somewhat later in my career—after working in intelligence, central policy, a couple of universities and the private sector—I joined the Department of Finance heading the area responsible for the defence and national security budgets. I wasn’t an expert—I knew Defence, for example, but had no idea about

Dr Lesley Seebeck

how the Budget worked—and so I learnt to trust and

Honorary Professor at The Australian National University

a culture of trust and candour, and you can’t do that

Founder and CEO of Cyber21

without integrity and empathy.

work through the team. Further, it’s important to build

I joined the Bureau of Meteorology in 2014, where

T

as Chief Information Officer I lead the response to their security issues. That experience reinforced here’s a story about former British prime minister, Harold MacMillan: when

systems, and demonstrated how technology systems

asked what his biggest challenge was,

left to their own devices will evolve organically.

he is said to have responded, “Events,

One of the most important things I’ve learnt in my

dear boy, events.” That rings true in

cybersecurity. It is full of constant movement, noise and magic, or on a dark day, fear, uncertainty and doubt. And it’s easy to get lost in that noise. The biggest challenge is finding the space to think and act more strategically rather than responding continuously to events. That space is to be found at intersection of the social, the business and the technology. We—as a community, society, and those of us on the hook—are slowly building the conceptual tools to think about the problems at hand, help people understand the challenges and resolve the organising principles that help them shape effective responses. I think this will mean that cybersecurity—and security more generally—slowly become much more integrated with the general business and work of organisations, not seen as ‘that techie problem’ over on the side. I’m the founder and CEO of Cyber21, and Honorary Professor of Cybersecurity at the Australian National University, where until late 2020 I headed the Cyber Institute. When MacMillan was Britain’s PM one of his biggest challenges would have been the Cold War, and one my most memorable security experiences dates from those days. I joined the Department of

40

the importance of people, culture and organisation

WOMEN IN SECURITY MAGAZINE

career is to find good people to work for and with, and build a team that challenges you, in all the good ways. I don’t have any specific security credentials. My job has been to set parameters, understand and translate the big picture, set priorities, build capability and enable others to do the jobs they need to do, and to both challenge and support them. My first degree was in physics and my PhD in IT. So I have enough knowledge to understand concepts, ask good questions and learn, continuously learn. I have a masters in defence studies and an MBA. Those, and my work experience, round out my capabilities from an organisational and strategic/threat environment perspective. I think I did reasonably well, given the environment at the time. I probably could have paid more attention, and become more practiced and confident in coding, and kept up-to-date, for example. If offered the choice, I’d like to go back to maths. I don’t think maths is positioned, or taught, as well as it should be. It took me a long time before I realised how creative it could be. But the humanities are important, as well. I do worry that the drive to value STEM above and at the cost of the humanities is bad policy, and bad for good policy-making and security.


W H AT ’ S

H E R

J O U R N E Y ?

STEM will generally tell you what and how, while the

Both these point to having diversity as a means

humanities will tell you what and why. So we need a

of building trust with users and with others in the

mix of both: in policy, in security and for how we think

organisation. It’s always useful to have people on your

about and manage all our technologies.

team who talk the language of business, of users,

Should I have some gained some security qualifications? There’s no doubt they would add to what I know and give me some specific cred I may

of finance, of leadership. That sort of rapport and understanding goes a long to building trust in the organisation.

lack. But there is a constant calculation: where do

My career journey has been more the cumulative

I best add value; where is my time best spent; and

result of small steps, coincidences and opportunities.

where are my own strengths best placed?

I’ve always been interested in strategy and systems,

There are others who are better placed and with more knowledge than I have. I would prefer to build a great team rather than attempt everything myself. And being in a team that works really well together, that gets things done, that gets the best out of everyone: that’s a feeling that once you’ve experienced it, you are always looking to replicate. Working with great people is hard to beat: working with and talking to people who challenge you, in good ways, and who have a sense of fun, and watching them grow and develop. And I like ideas, insights, different ways of looking at and solving problems. Also, diversity of thinking is important to understanding threats and to assess responses. The literature shows better decisions emerge from a diverse group. However, a diverse group may make an outcome more difficult to achieve. People may feel uncomfortable having their views tested. But ease, speed and comfort are not guarantors of a good decision, regardless of how good we may feel about it. There are many things in life and in policy where ease and convenience work against good outcomes, particularly at a societal level. The second reason why diversity is important is that we are all users of technology. Increasingly, cybersecurity issues are shaping how technology is accessed, how it is used, and what it is used for. Just as we have security by design, and privacy by design,

in the intersection between technology and organisations, in defence and national security. But because I take opportunities where I see them and am not afraid to try new things, I’ve built a career that lets me bridge policy, technology, finance, systems, strategy, management, etc. I’m interested in all the things that can make prioritisation difficult. I read widely. In particular, I look for things that help me think about how problems are structured, and for threads that, if pulled, can yield useful insights. I have a few sources I visit on a reasonably regular basis, often because they will point me in interesting directions rather than necessarily give me immediate answers. Writing helps me process issues and refine arguments. I believe the personal attributes/skills that have been most important in my various roles have been my ability to think strategically, to set a direction and motivate people to that end. It’s not enough to identify a problem, respond to issues, and make sure things are working. The question is always going to be—or should be—what do we want to look like in five, ten, even 50 years, why, and how are we going to get there? And secondly, communication. People will not hear you unless you say things in ways they will listen to, and even then, only after the first 100 or 200 times. And they are more likely to listen to people they trust.

we need to have users at the centre of that design. If

I learnt and developed my skills slowly, by asking

we don’t, and we ignore them, users will look to break

questions, through bitter experience and by having

systems, and in so doing undermine organisational

a few trusted advisers who will tell me what works,

security settings.

what doesn’t and what I can do better.

One of the best ways to understand users is to have diversity: diversity of experiences, of knowledge and

www.linkedin.com/in/lesley-seebeck-346542a/

of power balances represented on teams, especially those setting policy and shaping systems.

WOMEN IN SECURITY MAGAZINE

41


the industry was only 11% and my boss and creator of the program, had a vision to showcase role models and let girls and women ‘see what they could be’. Cyber has long had a reputation for being a heavily

Amy Roberts

male dominated industry and often unwelcoming

Assistant Director Induction, Diversity and Inclusion at Australian Signals Directorate (ASD)

knew this had to change. That first mentor-matching

AWSN Canberra Chapter Lead

first year, to over a hundred women being matched

for women and other diverse communities, and we program was a hit and grew from 14 women in the with industry mentors in following years. In 2019,

I

our team moved across to the Australian Cyber Security Centre, where I continued to work with can’t remember a time when I wasn’t fighting for women’s voices to be heard, or for social equity and equality generally, so it makes complete sense I’ve ended up where I am today. In my role within the Corporate and Capability

Group of the Australian Signals Directorate (ASD), I am responsible for the Women in Cyber program aimed at increasing the presence of women in the cyber workforce through mentoring and coaching initiatives. I’ve been in the cyber security industry for over a decade now and specifically focussing on women and diversity for seven years. And even though many of us have been talking about the barriers to women entering and staying in the cyber workforce

and workplace practices were representative and considerate of the diversity we have in our society. Like many people that have been in cyber for over a decade, and having come from a mix of tourism, business, motorcycle franchisee, graphic design, and project management backgrounds, I didn’t have any formal security qualifications – I was just passionate about helping people protect themselves online and had plenty of experience running businesses, managing community projects, collaborating with industry organisations and wasn’t shy talking in front of a crowd! I am however a certified organisational coach and have a Cert IV in Training and Assessment, on top of bucket loads of life experience, which are all invaluable skills for working with girls and women in a

for some time, we are just beginning to see the

coaching and mentoring capacity.

recognition for significant investment by government

Some of my most memorable experiences over

and industry, in creating a diverse workforce. It’s now time for organisations and leaders to have the tough conversations about attraction and retention of women, and I’m proud to be a part of this movement. After working on the Federal Government’s Stay Smart Online campaign for a few years, I joined the Department of Prime Minister and Cabinet in 2016 to run a brand-new women in cyber mentoring program. It was a small but successful initiative to match female STEM university students with senior women in the industry for a 12-month mentoring connection. The aim of the program was to encourage women to stick with their technical studies, and to help them see the wide range of exciting career opportunities in cyber. At that time, the participation rate of women in

42

industry partners to ensure messaging, recruitment

WOMEN IN SECURITY MAGAZINE

the last few years have been witnessing the ‘ahhah’ moments when women I’ve been working with realise all the possible security careers their studies could lead them to, and that they’re not alone. When someone sees a successful person, who started out just like them, it’s like a shot in the arm to keep striving to reach their goals. This is why role models are key! I know that as a leader when I step up and be visible, it’s not about me – it’s about what I represent to those women watching; the possibilities of a satisfying future in the cyber workforce. If not everyone is equally visible, how can we possibly expect women to be attracted to the workforce let alone be inspired to stay? With close to 50 per cent of the global population being female, that means nearly half of consumers of


W H AT ’ S

H E R

J O U R N E Y ?

technology are female - yet the majority of technology

worlds. This feeds unconscious bias, which leads

is developed by a predominantly male workforce.

to bias hiring practices and unfair reward and

Therefore, it stands to reason that bias is being

recognition of the contributions of women to the

applied unconsciously to design, development, testing

technology sector.

and delivery of technology.

Now, as the Women in Cyber lead within the

If we address the gender gap, we address diversity

Australian Signals Directorate, I take great satisfaction

of thought. Without diversity of thinking, we miss

in knowing the programs that ASD sponsors are

the mark on strategic policy development, diverse

supporting more women to find their voices and

problem solving and innovative product delivery. It

succeed in their chosen security careers. We are

simply makes good economic and social sense!

helping them to have meaningful mentor relationships

My favourite quote, that drives me every day, is by former Verizon CIO, Judith Spitz. At an innovation

and trying to break down barriers to women succeeding in the industry.

conference in 2016, she commented on futurist Ray Kurzweil’s observation, that ‘technology is the evolution of human biology’: “We are hurtling towards a time when our biology will be equal parts technology and physiology,” Spitz said. “Think about the implications for the human race if technology is destined to be the essence of who we are as a species, and it’s being developed largely under the leadership and guidance of a

“We are hurtling towards a time when our biology will be equal parts technology and physiology,” Spitz said. “Think about the implications for the human race if technology is destined to be the essence of who we are as a species, and it’s being developed largely under the leadership and guidance of a single gender.”

single gender.” This captures it perfectly for me. Another important reason for diversity in the design of technology is the development of Artificial Intelligence, and the teams providing the basis of its learning: again predominantly one gender. For example, why are Siri, Alexa and Cortana femalesounding digital assistants? Other than HAL 9000 in Kubrick’s 2001: A Space Odyssey, most of the voices we associate with faceless AI are female. Arguably (according to the developers) female voices give

Compassion, empathy and deep listening are key to working with people who don’t have the confidence and self-belief to make brave and bold career moves, and my training to coach others has really helped me to develop this. My career has been built on relationships, along with a thirst for learning on the job and from those around me. But most of all, life experiences have provided me with a wonderful education, and I encourage employers to not discount

the impression these digital assistants are ‘helpful,

this over a university qualification where possible.

supportive and trustworthy’: like a good assistant

I love what I do. But most of all, I love human

should be. This is supported by research. However, the research does not acknowledge that inferring implied simplicity

connection. I would also love to change the culture of our industry overnight, but that may take some time, so I’m here for the long haul.

or compliance may reinforce people’s belief that women are passive players in the AI and security

www.linkedin.com/in/amy-roberts2600/

twitter.com/amy12amy

WOMEN IN SECURITY MAGAZINE

43


WOMEN IN SECURITY NOMINATIONS & JUDGES NOMINATIONS NOW OPEN. The Annual Australian Women in Security Awards showcases the everyday heroes who are demonstrating real leadership and ambition in their ideas, passion and drive to combat some of the issues we face in the current cyber landscape. Our mission is to continue to inspire future generations to work in the IT security/cyber/protective security fields. And to elevate technical skills, impactful solutions, and commitment to giving back to the community. Honourees will be recognised in October 2021 at the Annual Australian Women in Security Awards.

2021 CATEGORIES • Best Program for Young Women in Security • Best Place to Work for Women in Security • Unsung Hero • The One to Watch in IT Security • IT Security Champion • Australia's Most Outstanding Woman in IT Security • Best Security Student

WHY NOMINATE •

To identify rockstars

To celebrate ‘hidden’ security superstars

To lift and empower the entire company

To express admiration for fellow co-workers

To pause and express your gratitude

To pay it forward - and give back to the community

NOMINATIONS CLOSE ON THE 31ST OF JULY

THE NOMINATION PROCESS IS 4 EASY STEPS AWAY

• Best Volunteer • Male Champion of Change • The One to Watch in Protective Security • Protective Security Champion • Most Outstanding Career Contributor in Protective Security • Australia's Most Outstanding Woman in Protective Security • Best Female Secure Coder

1

2

3

4

Your details

Details of the nominated individual, team, or company

Choose award category

Submit personal nomination & answer relevant questions

(if not your own)

(Multiple award nominations need to be done individually)

NOMINATE TODAY


INTRODUCTION TO OUR 2021 JUDGING PANEL MICHELLE PRICE

ANGIE MURRAY Transition Manager, Managed Security Services CyberCX

CATHERINE DOLLE-SAMUEL

CEO AustCyber

Business Continuity & Resilience Specialist UNSW

DUSHYANT SATTIRAJU

JACQUI LOUSTAU

Cyber SecOps Team Lead Deakin University

Founder AWSN

JANE FRANKLAND

TAMARA MARTIN

Owner & CEO Knewstart (UK)

Security Resilience AGL

RACHELL DE LUCA

NIGEL PHAIR

Global Security Leader Aurecon

Director UNSW Canberra Cyber

RACHAEL LEIGHTON

REBECCA WINFIELD

Principle Advisor Cyber Strategy & Awareness Department of Premier and Cabinet (Vic)

Protective Security Operations & Delivery IAG

JAMES NG

DR MARIE BODEN

GM- Security Operations AARNet

Outreach Officer Research Interaction Design University of Queensland

CATHERINE BUHLER

GAI BRODTMANN

CISO Energy Australia

Futures Council Member National Security College

SAMM MACLEOD

LIDIA GIULIANO

Information Security Consultant

Information Security Advisor ANZ

ANDREW DELL

MICK DUNNE

CISO QBE Insurance

CISO-CSO AustralianSuper

DR MARIA MILOSAVLJEVIC CISO Services Australia

IAN YIP CEO Avertro


Gergana Winzer Industry Director CyberSecurity APAC for Unisys responsibility: because some of the most

I

important problems you will face will not be technology related, they will be interpersonal. The more real we get about who we are, the ’m the Industry Director CyberSecurity APAC at

more we learn how to communicate with

Unisys,and I I report to the global Vice president

others and really understand them. Take into

of Security who is based out of California in the

consideration who your team is and their

US.

commitment!

Unisys is a systems integrator and a technology and services company, so cyber risk has a very

high priority. However, I am not responsible for the security of my organisation but for providing meaningful cybersecurity solutions to our clients. I really enjoy my role, and I would love to have more decision making power in order to deliver the outcomes I know the business wants me to. I however realise that this is a process and I am willing to work hard in order to get there. In my role I get to see the many issues our clients have to deal with on an ongoing basis and be able to keep up with it all in order to be cyber resilient and compliant. Based on my experience, this is how I advise them to deal with those challenges.

Eventually: Every organisation needs to adopt a mindset that acknowledges the growing risk from cyber threats and factors these into its risk assessment. Threat x Vulnerability = Risk. In my role as a cyber professional I see, more than ever, the need to proactively and precisely evaluate threats and vulnerabilities and make appropriate decisions. Being able to calculate the risks in actual dollar value will have a massive impact on the way organisations make decisions on cybersecurity budgets. Unisys has an analytics tool that allows me to predict the impact in dollars of a data breach on my customers and I can see how this type of thinking will elevate us above cyber threats and allow for proactive defence and informed risk mitigation and data based

• Get the basics nonnegotiable: For example, if you can’t always patch find a way to implement other measures and apply them, negotiate internally and make it happen! • Think strategically: Will your strategy be relevant in the next 18 months? If not include a long-term addendum and think long-term impacts. • Communicate, be authentic and take

46

WOMEN IN SECURITY MAGAZINE

decisions. My role is becoming increasingly relevant. I am eager to assist my clients in co-creating solutions that enable them to constantly improve their cybersecurity posture and build further confidence in the measures they are taking. This industry is amazing because it offers so much novelty. I am excited about the new solutions my


W H AT ’ S

H E R

team and I have come up with that enable us to be relevant, and to really make a difference.

J O U R N E Y ?

surprise in their voices. I would see them becoming uncomfortable in meetings simply because it was

Understanding my clients’ problems and being able

not top of mind, but was seen as something IT had

to provide solutions that work and make their lives

to do. It’s become much more important today and

easier is one of the most satisfying aspects of my job.

is getting much more attention, although still not

Another is fostering a high performance supportive

sufficient in my opinion.

culture in my team.

One of the early pieces of advice I received was

Like every organisation, we faced challenges when

in how to motivate people to pay attention to

COVID-19 hit. My role is client and partner facing so

cybersecurity: become a good storyteller while telling

was impacted when I was unable to meet people

the truth. Another important lesson I learnt was: play

face to face. However, I found it easy to transition to

a team game. I will never be primarily a technologist,

remote working because the technology was there to

but I always surrounded myself with bright colleagues

support me. Our CISO is a trained psychologist who

who have exceptional technical skills I can learn from

has always put culture first. That approach enabled us

and complement.

to ensure our team, in region and around the world, to

Cybersecurity is a team game. The teams I have

remain effective.

worked with in every company throughout my career

Some of our clients had major issues with scaling

have been amazing. I had the privilege of working

and securing remote working and I saw the impact

with some memorable people, and I cherish those

on their organisations. I was able to help in some

experiences.

instances but found it hard in others because

Other memorable experiences have been: getting

people at the beginning were very much afraid of the economic consequences and did not want to purchase the solutions that would have made thing easier and more cost-effective in the long run.

my first PCI DSS training; becoming an ISACA board member; being a panel moderator to some of the most accomplished C-level executives and professionals in the region; MCing for Victor

I think getting into cybersecurity was one of the

Dominello in 2015—then NSW Minister for Innovation

best decisions I ever made. It shifted my whole

and Better Regulation—in my role as ICT chapter

life, allowing me to learn and become passionate

chair for the Australian Indian Business Council;

about something very important but, at the time

and of course being nominated at the awards of the

underestimated and little understood.

Australian Women in Security Awards in 2020.

My first employer in cybersecurity was Australian

The Payment Card Industry Data Security Standard

cybersecurity consultancy Stickman. I would make

(PCI DSS) training I undertook covered the security

calls to executives of T1 and T2 organisations,

controls and the structure behind them for the

speak with them about cybersecurity and hear the

standard, which aims to enhance security for

WOMEN IN SECURITY MAGAZINE

47


consumers by setting guidelines for any company

creating that experience has been my own lack in

that accepts, stores, processes, or transmits credit

being able to communicate and be firm and direct.

card information. I thoroughly enjoyed it.

Only when I learnt (and I am still learning!) how to do

I also recently completed the Cyber Leadership

that was I able to negotiate with and contribute to my

Institute’s Cyber Leadership program, an executive

team while allowing them to contribute to my agenda.

level program for cyber leaders who want to develop

I’ve also found it important to be clear about my intentions, and to speak up. These things do not always come naturally. There can be

“Cybersecurity is a team game. The teams I have worked with in every company throughout my career have been amazing. I had the privilege of working with some memorable people, and I cherish those experiences.”

many barriers: culture, family education, etiquette. But unless we make the effort nothing will change. An organisation’s cybersecurity posture can depend on how women in cybersecurity communicate. If we have to be assertive to make a point or if we have to be straight to raise awareness, it is our responsibility to do so, and to

their executive skills, c-suite stakeholder and board

be accountable for our actions.

engagement, and become a leading CISO.

Unless there is a clash of egos or toxic culture,

It teaches you how to communicate in the language

but most organisations today will enable us to

of your executive team to ensure they understand

step up and express ourselves while fulfilling our

cybersecurity risk and can make appropriate

cybersecurity roles for the good of the organisation.

decisions. Guess whose responsibility it is if your

I have seen more and more organisations becoming

board is not giving you the money needed to protect your organisation or elevate its resilience? Yours! Both these courses were important to help me assist my clients with their decisions and their responsibilities, and helped my career progress. Anything you learn will be useful if you know how to apply it. I made sure I applied what I learnt.

gender diverse. At Unisys we have a great support from that standpoint and I feel my previous employers also gave me more than fair chances. So, as long as we can maintain this momentum, we should be able to grow, and for that to happen, we need to exercise our power and be responsible for our own contributions. Responsibility equals power.

Other women who have told me their cybersecurity career journeys have spoken of being undervalued because of their gender. For me, the only thing

48

WOMEN IN SECURITY MAGAZINE

www.linkedin.com/in/gergana-kiryakova-winzer-0939937/


EXPRESSION OF INTEREST SPONSORSHIP Source2Create is thrilled to announce the 2021 Australian Women in Security Awards. This hybrid event will be a glamorous Gala Awards evening based in Sydney. We will be welcoming our guests in person as well as via live stream. To be a part of this energetic initiative register your interest today for sponsorship opportunities.

Deadline for sponsorships: 20th July

I’M INTERESTED!

JOIN OUR SPONSORS


Christina Keing

I am really passionate about technology and the

National Lead Director Cloud Security for Deloitte

context, and I think the best advice I was given was to

threats and opportunities it presents in a security stay curious and enjoy learning. I obtained a Certified Information Systems Security Professional (CISSP) qualification. It established a solid foundation for my whole security journey and enabled me to become a trusted security architect. The exam to achieve the qualification was six hours long! So long that we had to pack our lunch to eat while we were taking it. I wish I had also gained the

I

AWS (Amazon Web Services) Solution Architect qualification so that I could have started my cyber am a director in Deloitte Australia’s Cyber team, a

cloud journey earlier.

strategic cyber leader enabling rapid and secure

One of my most memorable experiences was

delivery of digital innovations under a cloud-first and agile strategy. I work with clients as their trusted cybersecurity

partner to solve complex security problems, drive progress in a dynamic and digital world, and build more confident futures. I started my career in cybersecurity 15 years ago when it was still a new thing. I decided to take up a role as the first head of security for the organisation I worked for at that time. Today, the most challenging aspect of my role is staying at least a few steps ahead of cyberattacks. It requires a comprehensive, proactive, risk-based approach to preventing, detecting and responding to cyber threats. I help my clients to become secure, vigilant and resilient organisations with solid defences, expansive threat awareness, and strong response and recovery capabilities that enable them to operate safely in today’s hyperconnected business environment.

50

WOMEN IN SECURITY MAGAZINE

providing advice to a client company on how to respond to a ransom request. If you want to know more, take a look at “subdomain takeover on S3”. Traditional security training is an important component of a cybersecurity program, but on its own is not enough. A policy manual alone will not prepare people to take the right action. Active learning scenarios that deepen understanding of the impact of day-to-day activities on the organisation’s cyber risk posture are required, along with reinforcing the right behaviour through programs that reward speaking up and raising questions. These activities are absolutely critical to achieving cybersecurity program objectives. The rapid adoption of emerging technologies is greatly increasing efficiency, and creating dynamic cybersecurity challenges for organisations. Cyberattacks have moved beyond identity theft and online account hacks. They threaten our codeenabled physical world—our homes, our cities, our infrastructure, and even the medical devices in our bodies.


W H AT ’ S

H E R

J O U R N E Y ?

A host of digital technologies, such as AI, automated

According to a Forbes report, Microsoft detected

botnets, Internet of Things (IoT), and cloud computing

nearly one million COVID-19 themed attacks per day

facilitate attacks at a scale, speed and level of

during the first week of March 2020. And government

sophistication never seen before. New types of

and other organisations have been processing

malware, such as automated phishing tools and

tremendous amounts of health data this year, putting

crypto mining software, combined with emerging

a spotlight on privacy, making it mission-critical to

technologies, are expanding the cyber risk landscape. Organisations must continuously revisit their cybersecurity measures to defend against the onslaught. Cybersecurity has to be a mission-critical priority for organisations, but the cybersecurity profession continues to face a major challenge: a substantial talent

“Today, the most challenging aspect of my role is staying at least a few steps ahead of cyberattacks. It requires a comprehensive, proactive, risk-based approach to preventing, detecting and responding to cyber threats.”

gap. There are not enough qualified individuals to fill the millions of open positions globally. A 2019 (ISC)2 study estimated the cybersecurity skills gap to be almost four million job openings. That same study reported the population of cyber workers would have to grow 145 per cent to meet global demand. These are staggering numbers, and there is no immediate solution. Closing the cyber talent gap is important, but will take time. By taking proactive steps to create an attractive, inclusive and sustainable cyber culture, organisations can be magnets for attracting top talent. The cybersecurity industry has experienced a spike in attack activity since COVID-19 hit, with threat actors taking advantage of the pandemic and companies transforming overnight into “work from home”

business operations and creating new challenges for privacy professionals in particular. At Deloitte, we view diversity and inclusion as central to our ability to execute on strategy and solve problems. Cybersecurity is a complex, multidisciplinary and ecosystem challenge globally. Through extensive research conducted by Deloitte’s Human Capital Consulting business, we know that, at the intersection of diversity and inclusion, lies an area rich with fresh, innovative ideas and creativity, which drives a better employee experience and, ultimately, better outcomes for our clients. www.linkedin.com/in/keing/

enterprises.

WOMEN IN SECURITY MAGAZINE

51


And I think the most important advice that’s steered

Noushin Shabab

my career was to keep learning. I believe it’s never too

Senior Security Researcher (GReAT)

learn. I believe it’s the only way to be successful in

Kaspersky

cybersecurity.

late to learn something new, so I constantly strive to

At university I took courses that helped me build a deep understanding of computer system fundamentals. I believe those have also helped me

I

greatly in my career. ’m a Senior Security Researcher at Kaspersky ANZ, which means I have to keep across the latest advances in malware and attack techniques, solve the puzzle of a new cyber threat and share the knowledge gained from my investigation with

In general, I don’t believe having certificates has a direct impact on career progress. However, if a qualification or certificate is chosen wisely, what you learn from it can be quite useful in your journey, rather than the certificate itself.

others. It’s challenging, but it’s what I love the most

I prefer to read books, learn from the extensive

about my job.

resources available on various platforms and gain

Being able to communicate technical topics in a language appropriate to the audience is, I believe, just as important as technical skills. That audience could be other security experts, media representatives, or even a general audience with

hands-on experience in the topics that interest me rather than gaining new qualifications and certificates. I constantly improve my skills through these avenues, and through communication with others.

no cybersecurity knowledge. In each case a different approach and a different language is needed. As I have gained more experience in cybersecurity I have had opportunities to move into management roles, but decided to stay in a technical role and improve and expand my technical skills. I think that was my most important career decision.

52

WOMEN IN SECURITY MAGAZINE

“There is plenty of scope for getting more women into cybersecurity, and everyone has a role: academia, government and the industry. One my most memorable career experiences was discovering I had played a part.”


W H AT ’ S

H E R

The culture of my workplace accepts and encourages innovation, new ideas, thinking outside the box. It welcomes new perspectives and gives equal opportunities to people despite their background and their differences. For a long time, I was the only women in our team, but was never made to feel I did not belong. I think collaboration and knowledge sharing are essential to help us all as a community to move forward in this fast-paced industry. I would like to see more social events (virtual or in-person) as well as public blog posts and webinars to help build this collaboration. I’ve attended many security conferences and events in the past few years. The quality varied greatly, across the topics, the peripheral activities and the overall organisation. When I looked at the organising team, I was not surprised to see the better ones had a better gender balance. We’re a long way from achieving a gender balance across the cybersecurity industry, but we’re moving in the right direction, as some research undertaken by Kaspersky shows. Earlier this year we released a Women in tech report: Where are we now? Understanding the evolution of women in technology. It followed similar research undertaken two years earlier, and between those two studies we’ve had COVID-enforced remote working. Forty six per cent of women surveyed, globally, believed gender equality had been improved by teams working remotely. In the

J O U R N E Y ?

can also be used against gender equality. Stalkerware is software that can be installed on a mobile phone or a tablet to spy on the user’s activities without their consent. In 2019, Kaspersky came together with a group of partners and founded the Coalition against Stalkerware. I’m playing a small role in this initiative and help wherever my technical skills are needed. Earlier in the year I gave a presentation and joined a panel discussion at PauseFest with the CEO of the Women’s Services Network, WESNET, Australia’s peak body for specialist women’s domestic and family violence services, about the issues related to the abuse of technology to facilitate domestic violence. There is plenty of scope for getting more women into cybersecurity, and everyone has a role: academia, government and the industry. One my most memorable career experiences was discovering I had played a part. In 2016, I delivered a malware analysis workshop to a group of university students from the Australian Women in Security Network’s cadets program A few months later, when I was presenting at the Ruxcon Conference, I saw some of the girls from that workshop sitting in the front row and taking notes. At the same event a year earlier I had struggled to find many women among the conference attendees. It was wonderful to realise I had encouraged those girls to be more active in the community.

APAC region the figure was 58 per cent. Flexible working fosters gender equality, and

twitter.com/NoushinShbb

technology supports flexible working but technology

WOMEN IN SECURITY MAGAZINE

53


WSC is a non-profit whose mission is to advance women and girls in cybersecurity. We have affordable membership for women (those that identify as women or nonbinary), veteran/military and men. We

Lisa Jiggetts Founder, Women’s Society of Cyberjutsu

are an inclusive organisation that aims to level the playing field and increase diversity in cybersecurity. We do that by hosting a variety of mostly hands-on workshops, webinars, conferences, hacking events, study groups, and—my favourite—happy hour/ networking events. Many of us have become family and close friends

I

and I like to believe that’s what differentiates and drives WSC. We just want be a support platform—one ’m a pentester, aka an ethical hacker. I assess an

I did not have when getting started—to help women

organisation’s system/network to find and exploit

get into cybersecurity and advance their careers in

vulnerabilities for the purpose of identifying any

cybersecurity.

weak spots that malicious attackers could take advantage of.

valued equally with men’s. We’re getting there, but I

I enjoy the hunt, and the challenge of finding

think it’s a mindset that will take years to change. And

misconfigurations and vulnerabilities: knowing I am

diversity is more than simply having equal numbers

directly helping a customer secure their environment

of men and women, it’s about having diverse people.

gives me great satisfaction.

At the end of the day it boosts the bottom line. You’re

The great thing about pentesting is that it can be

going to get a variety of inputs when developing

done remotely full-time. If anything positive can be

solutions.

said about the pandemic, it is that it opened people’s

And I think there will be even greater demand for

eyes and presented opportunities to implement

pentesters. As we’ve seen very recently with the

change in how we communicate securely, as well

attacks on infrastructure and government systems,

as how to co-ordinate recovery from a serious

companies are changing their tune to become more

compromise when staff are in multiple locations.

proactive rather than reactive, which should include

I’m also the founder of the Women’s Society of

regular pentesting. Having pentesters on deck

Cyberjutsu (WSC). I started it in 2012 because, at the

ensures they keep up with the latest attacks and

time, there wasn’t a space where I felt comfortable

countermeasures.

and safe learning, in an area typically seen as a “guys

The most challenging aspect of being a pentester

thing”. I wanted to be able to geek out and do some

is keeping up with all the things you need to know.

hacking, or build a new lab, but such a space just

You have to know a little bit of many things, but

wasn’t there, so I created one. I also wanted to share

alot of a few things.. With new technologies being

my knowledge of pentesting with other women with

implemented, on top of the breaches, trying to keep

the hope of getting more qualified women into the

up with everything and have a decent work life

pentesting workforce. I believe seeing more women in

balance is, for me, the most challenging aspect of my

atypical roles encourages upcomers, especially young

role.

women and girls, to aspire to those roles.

54

I don’t think, in general, women’s contributions are

WOMEN IN SECURITY MAGAZINE


W H AT ’ S

H E R

J O U R N E Y ?

Staying involved in the security community helps. You

because we’re doing a lot of Kubernetes pentesting

may have all the skills in the world and have no issues

in cloud environments. I’ve also been able to leverage

finding a new job, for example, but there are times

some great research and talks available online to

when you’ll need to inquire with someone, whether

identify some serious findings. Showing those to the

it’s a technical thing or personal/job related thing.

customer and helping them has been really fulfilling.

Networking and building relationships is priceless.

I think, as the cloud space grows, there’ll be a lot more

However, for me, being able to mingle and

usage of container orchestration tools. So it’s a no-

communicate with my peers at events or building my

brainer to have these skills in my toolbox, which will in

relationships for networking is always a work in progress. I’d rather stay in the background and just be a fly on the wall but that’s not realistic, so I put myself in situations to “practice”. I’m competitive by nature in many aspects of my life, so I’m constantly challenging myself to do and be better. Many times I have put myself

“The most challenging aspect of being a pentester is keeping up with all the things you need to know. You have to know a little bit of many things, but alot of a few things.”

in positions to take on security work that, at the time, wasn’t my primary duty. Fear can make us turn down new opportunities. I believe I have got to where I am today by overcoming my fear and throwing myself into new opportunities. I’ve recently become a Certified Kubernetes Administrator (CKA). It was really challenging, because Kubernetes was brand new to me. I decided to buckle down and spend some time studying and learning it. The exam is practical, so you have to know the concepts as well as the commands to get through it. I ended up passing the second time, and

turn help with progressing my career as a pentester. However, I feel I still need to acquire some coding skills to be a well-rounded pentester. I wish I had stayed the course and gained a good foundation in coding when I was enrolled in a computer science degree program back in the day, but I was terrified of all the math and programming courses, so I took the easy way out and did an IT degree.

this certification has been for me the most fulfilling to date: I went from knowing nothing to becoming really comfortable in the space. I’m planning on taking the Certified Kubernetes Security Specialist (CKS) program next. For me, it’s the natural progression to getting the skills and credibility for pentesting Kubernetes.

www.linkedin.com/in/wsccyberjin

womenscyberjutsu.org cyberjutsugirls.org

Kubernetes knowledge has been extremely useful,

WOMEN IN SECURITY MAGAZINE

55


Mentoring Pilot AWSN is pleased to launch the 2021 Australian Women in Security Network Mentoring Pilot.

Looking for ways to give back? We need you Learn more at awsn.org.au/initiatives/mentoring/ Sponsored by

Powered by


CAREER PERSPECTIVES


SOFIA MERIDA

HOW TO MAKE A MIDCAREER MOVE INTO CYBERSECURITY by Sofia Merida, Zscaler’s ANZ Sales Engineer

Is it possible to switch from telecommunications engineering to cybersecurity on the fly? Yes, if you’re prepared to step out of your comfort zone, says Zscaler’s ANZ Sales Engineer, Sofia Merida.

Once the ugly duckling of the ICT sector,

sustained shortage of personnel. Here in Australia

cybersecurity has risen to prominence in recent

we’ll need an additional 17,000 cybersecurity workers

times. Highly publicised phishing and ransomware

by 2026, according to AustCyber. With the COVID

attacks have raised public awareness about the

pandemic keeping the borders effectively sealed

importance of securing systems and data. Business

to skilled migrants in all but a handful of areas for

leaders have collectively come to the realisation tools

the foreseeable future, plugging the skills gap with

and technologies that improve their organisations’

imported talent is not an option. Higher education

cybersecurity posture aren’t just a ‘nice to have’, and

institutions are doing their bit to create a talent

shouldn’t be seen as a grudge purchase.

pipeline—recent years have seen the launch of a

As a result, cybersecurity is finally enjoying some long overdue time in the sun. The market is buoyant and, perhaps not surprisingly, it’s suffering from a

58

WOMEN IN SECURITY MAGAZINE

string of certificates, diplomas and qualifications—but job openings look set to outnumber applicants, for the next few years, at least.


C A R E E R

P E R S P E C T I V E S

MAKING THE SWITCH All of which means there’s never been a better time for women with interest and aptitude to enter the cybersecurity sector. That’s what I did last year and I couldn’t be happier. Prior to taking the plunge, I’d clocked up a decade of experience in ICT proper. I’d worked in customer support, pre-sales and technical sales for major vendors and service providers, in my native Venezuela and in Spain, before segueing into business and project analyst roles. Then I moved to Australia, where I was surprised and delighted by the range of high-tech opportunities on offer for individuals—women and men—who were prepared to take a deep dive into the technical nitty gritty. A pre-sales engineer role with well-regarded telecommunications managed services provider, Enablis, exposed me to Zscaler’s cloud security technology, and when a sales engineering role came up with that vendor, I decided I was up for the challenge. Has it been an easy transition? Let’s just say there’s been quite a lot to learn, starting with the ubiquitous acronyms. They’re an enduring feature of the ICT industry but in the cybersecurity space, they have a

to minimise their vulnerability and mitigate risk, in

full suite of their own!

an increasingly hostile world, and one in which the

Then there are technical standards and frameworks,

cost of remediating and recovering from a significant

like the Australian Privacy Principles, to get your

cyber-attack or data breach continues to soar.

head around, along with the troubleshooting and

Going to work each day knowing that’s my remit, and

integration challenges that are part and parcel of

the remit of our entire organisation, has inspired me

working with any suite of complex products.

to learn and grow professionally in my new role. So

Formal training, by way of a cybersecurity diploma

has the thriving community of women working in the

or postgraduate qualification, would no doubt have provided some of the answers to my many questions in the early days. In its absence, unfailingly supportive and helpful colleagues, and plenty of reading and research after hours, helped me fill in the blanks and upskill quickly, so I could begin adding value for our partners and resellers in Australia and New Zealand.

SUPPORTING CUSTOMERS, AND ONE ANOTHER

cyber sector. Networking events, online and in real life, and groups like the Australian Women in Security Network allow newbies like me to connect with peers, share experiences and seek advice and support from other women forging meaningful and successful careers for themselves in this exciting and dynamic sector. If you’re a woman with some ICT skills under your belt and you’re looking for a new challenge, I’d encourage you to join the club!

At the end of the day, that’s what working in cyber is all about: helping customers of all stripes and sizes www.linkedin.com/in/sofia-merida-pellicer-2530b496/

WOMEN IN SECURITY MAGAZINE

59


ANGELINA LIU

COULD INCLUSIVITY EXPAND THE CYBERSECURITY TALENT POOL IN AUSTRALIA? by Angelina Liu

Making individuals from all backgrounds feel welcome will encourage more women to pursue a career in cybersecurity, argues Barracuda Territory Account Executive, Angelina Liu. That large organisations have begun casting the

doing their bit to funnel fresh blood into the sector

cybersecurity recruitment net wider comes as little

via a range of certificate, diploma and postgraduate

surprise to those of us who have the privilege of

qualifications, but whether supply will meet demand

working in the sector. Australia has been short on

is open to question.

qualified personnel for years, even before COVID slammed the gate shut on skilled migrants who, historically, were able to plug some of the gaps. Exactly when those migrants will be able to return en masse remains unknown, although recent announcements from the federal government seem to suggest it’s unlikely to be before mid-2022.

60

Meanwhile, the past year has seen the threat level rise, in Australia and globally. Household name organisations, including beverage giant Lion Nathan and transport and logistics behemoth Toll Group, have seen systems crippled and operations disrupted by ransomware. Across the country, businesses of all sizes and stripes are looking over their shoulders

According to AustCyber, Australia will need an

and opening the coffers to invest in technology to

additional 17,000 cybersecurity workers by 2026

boost their capacity to prevent, detect, neutralise

to meet the demands of government and industry.

and remediate attacks. And they are hiring skilled

Universities and vocational education providers are

personnel to help them implement and manage it.

WOMEN IN SECURITY MAGAZINE


C A R E E R

P E R S P E C T I V E S

HIRING DIFFERENTLY

diversity and inclusion, and in promoting our sector as

Hence, we’re seeing a growing number of large

a welcoming and inclusive one in which to work.

organisations getting proactive and creative in

One of the ways I’ve found to do this is to list my

their cyber hiring policies. A recent Australian

personal pronouns, she and her, in my LinkedIn profile.

Financial Review article highlighted the fact that

This has prompted questions from connections in

large employers, including Commonwealth Bank

my network, including contacts with whom I deal

and Macquarie Telecom Group, are now prepared to

regularly in my role as a territory account executive.

consider individuals who don’t have qualifications or experience in ICT or cybersecurity, if they can demonstrate aptitude in other areas, such as problem-solving and communication.

While the tone of the enquiries has frequently been jocular, they’ve been conversation starters nonetheless, and have allowed me to share my rationale for making a public show of solidarity with

That’s sensible and smart and will do much for

people who don’t identify as cisgender. Feeling and

diversity of thinking within our sector. So too would

identifying as different from the norm takes courage,

the adoption of holistic diversity and inclusion

particularly for those who are new to an industry,

programs to make the cybersecurity sphere more

or to the workplace. The presence of allies can

attractive to individuals—men and women—from a

provide these individuals with the courage to bring

wider range of backgrounds.

their authentic selves to work, and do so with the

For example, my employer, Barracuda, has created

confidence that they will be supported rather than

the Belong at Barracuda Council. It comprises a panel of employees who are charged with finding ways

judged.

proposing programs that help all of our colleagues

TOWARDS A STRONGER, SAFER FUTURE

feel heard, respected and valued. It’s opened the

Ours is an industry in growth mode. As the

door to some valuable discussions and helped us

economy continues to automate and digitise, strong

implement initiatives to celebrate our differences and

cybersecurity will be essential for the wellbeing

bring us closer together as a team.

and prosperity of Australian businesses and for

to improve diversity across the organisation and

each and every one of us who calls Australia home.

PLAYING YOUR PART

Encouraging more people from all backgrounds and

But organisations should not bear sole responsibility

walks of life to make a career in the sector will see

for increasing diversity. As individuals working in cybersecurity, we can all play a part: in educating customers and partners about the importance of

us better placed to address the challenges the future holds in store www.linkedin.com/in/angelinaxl/

WOMEN IN SECURITY MAGAZINE

61


A Tuesday in the life of a Regional Technical Support Manager Our team supports around 1500 customers across various industry verticals including banking,

Harini Sudarshan

healthcare, retail, auto and insurance. We assist

APAC Technical Support Manager for Ping Identity

sign-on, directory, cloud-based authentication and

W

authorisation solutions as well as multi-factor hat exactly does a regional

authentication products.

technical support manager’s

Our support team plays a major role in addressing

role entail? For me, it’s always been about customer advocacy, ensuring the ongoing success

of the business the team serves, whilst striving to provide it with a delightful support experience. Without an expert product support team, it’s impossible for a software vendor to deliver effective solutions to customers, no matter how cutting edge their products may be. The software vendor I work for, Ping Identity, has support centres strategically located in Denver, Melbourne and London; a configuration that allows us to deliver follow-the-sun (24x7) support. What I love most about my job is leading a team of talented engineers and assisting our customers with their identity and access management (IAM) challenges. As a technical support manager, I have to be always abreast of all new product releases and the

integration with third party products such as Google, Facebook and AWS using our out-of-the-box integration kits. The majority of our customers are large enterprises, and maintaining 100 per cent uptime and minimising security breaches of their applications is crucial to their business. Also, enabling them to roll out applications rapidly and securely in turn improves their agility and productivity. It’s challenging to describe a typical day in support because there just isn’t one! Every day is unique and interesting. Every support case we receive is different and presents an opportunity for learning and skills development. My day starts at 5.30am, when I get ready to attend a (virtual) meeting where I connect with the other regional managers.

enhancements they contain. My role encompasses

During the day, I manage all aspects of day-to-

staying on top of global support operations, being

day operations for my team of 10 engineers. That

across low to high severity issues reported by

includes identifying trends, and analysing and

customers, and collaborating and communicating

reporting on our approaches to support cases. This

with cross-functional teams including product,

data influences the continuous development of our

engineering and account management to ensure

processes, ensures we provide the highest standards

alignment.

62

our customers with the implementation of single

WOMEN IN SECURITY MAGAZINE


A

D A Y

I N

T H E

L I F E

of customer support, and exceed our service

Regular exercise and healthy eating help me to stay

level agreement and target metrics. In my team

consistent with my routine. I’m fortunate to live in

management role I facilitate customer meetings, set

a suburb surrounded by beautiful walking trails,

priorities for the team, convene a daily huddle, hold

and I love to use them. It is important to me not to

1:1 meetings with team members, coach engineers,

compromise on spending quality time with family. I

and plan professional development.

talk with my parents and sister almost every day and

I follow Steven’s Covey’s Third Principle, ‘First things first’, to plan my days and weeks and that’s worked

unwind by watching sitcoms with my husband for at least 30 minutes a day.

well for me over the past few years. Planning

Effective self-development doesn’t occur by accident.

helps me stay focused and allows me to tackle

Every Tuesday I attend a review meeting with my life

unpredictable situations. I rarely miss preparing for

coach and members of her professional community.

the next day’s management meeting, which assists

Like me, are all eager to learn and grow. We share our

me immensely in those early morning meetings.

successes from the previous week and talk about a gamut of engaging topics.

fee ation. I’m not a tea or cof with a 10-minute medit day the rt sta I d an off goes I take a few minutes  5:30am: The alarm me stay focused. Then ps hel t tha d an , ng rni m of water in the mo pending action items fro person, but I drink a lot planner and checking on ily da my gh ou thr ing Go ad. to think about the day ahe omplished that day. important tasks to be acc the lise ua vis me ps the previous day hel ial updates from my ching up with the essent cat , ails em my on g stage. desk and startin my daily planner at this  6:00am: I’m at my al tasks gets added to ion dit ad of ck sta A a. eric UK. colleagues in North Am gues in the US and the first meeting with collea my join I Then, at 6.30am, out the day, which help eral mini-breaks through sev of t firs the It’s . ast quick breakf  8:00am: Time for a se. me restart and re-energi the rk. To begin, I go through rt on the day-to-day wo sta we d an , line on es an other regions, d assign  8:30am: My team com and handovers from the es cas rt po sup ty ori ess the pri s. support case queue, ass on process improvement el, I am always working rall pa In . ers ine eng to work technology, trends and practices in lf abreast of the latest rse you p g, kee to nt rta meetings. It’s motivatin  12:00pm: It’s impo ining video between my tra rt sho a in e eez squ nt on lls. I try to leadership and soft ski f of my day is usually spe improve. The second hal to m roo ays alw re’s and a reminder that the and customers. meetings with my team meetings. huddle and a few other  1:00pm: Daily team then go tching the latest news, fresh juice and eat it wa h wit ch lun t ligh a ke e. I ma  2:00pm: Break tim . the for a walk or a run to write a summary of t means it’s time for me tha d an e tim off cktowards kno work we’ve  3:30pm: It’s getting a final overview of the the next one. I conduct for n pla d an rnt lea I’ve day, to reflect on what leagues in London. sive handover for our col hen pre com a te ple finalised and com mbers. We share our and other community me ch coa my h wit l cal a ay I attend set by the coach  5:00pm: Every Tuesd me for the discussion, the a ally usu ’s ere Th als for the next week. wins and discuss our go each month. cuisines and I love My family loves different e! tim ef Ch r ste Ma it’s ron and tching light  6:00pm: I don my ap life. We end the day wa tion from work to home nsi tra to y wa at gre a cooking for them. It’s pm. heading to bed at 10:00 comedy on Netflix before


NICOLLE EMBRA Cyber Safety Expert, The Cyber Safety Tech Mum

C O L U M N

Top 5 digital parenting tips for parents with teens When we become parents, we tend to gravitate towards following the parenting methods our own parents used. This means we are not embarking on our new adventure in the dark. But today, digital parenting has become a necessary tool in our parenting toolkit, and most of us are starting from scratch.

Tip #3 - Talk to your teens A LOT about being kind online, safe online, and about their online privacy. Keep the conversations going. You can’t just sit a teen down and announce you are going to have a discussion about online safety. I can guarantee the only input they’ll have is an eye roll. Instead, keep an ear/eye out for articles in the media about online

Here are my top five digital parenting tips for parents

safety. For example, if you see an ad for a news

with teenagers.

show that will be talking to a parent whose child was groomed online, then use that to open up a

Tip #1 - Create a family technology contract

conversation with your teen about communicating

Children (especially teens) need boundaries,

with strangers online. Chances are your teen can

and those boundaries should cover their use of technology. Together with your partner, decide what you would like your family technology contract to look like, and what limits it should impose. As a minimum it should include where, when and how devices can be used. Then grab your teen/teens, a whiteboard

tell you a story about a ‘friend of a friend’ who was groomed online. Use that story to ask what your teen would do if approached online by a stranger. Tip #4 - Use parental controls to filter content and manage your teen’s screen time.

and bring your best negotiating skills. You want your

Teens are still learning how to manage their time.

teen’s input so they are onboard, but you shouldn’t

Having unlimited access to the internet can lead to all

relax the limits you’ve already decided on. Get

sorts of issues. If your teen is using social media then

everyone to sign the whiteboard, take a picture and

make sure you sit with them and set the available

send it to family members.

privacy settings.

Tip #2 - Educate yourself about the apps on your teen’s device.

Tip #5 - Find a trusted resource for yourself, because you’ll have questions, lots of them, during your digital parenting journey!

There is no way you can be across every single available app, but you can pick up your teen’s devices and see what has been downloaded. This is not an invasion of privacy, it is a matter of safety. Find out

I recommend eSafety.gov.au and commonsensemedia.org. And I recommend downloading the Beacon app.

whether the apps allow the teen to connect with strangers, share images, see nudity, share their location or read bad language.

www.linkedin.com/in/nicolle-embra-804259122/ www.thetechmum.com www.facebook.com/TheTechMum

www.pinterest.com.au/thetechmum

64

WOMEN IN SECURITY MAGAZINE


INDUSTRY PERSPECTIVES


SAI K. HONIG

PROMOTING DIVERSITY VS SUPPORTING DIVERSITY (Yes, there is a difference!) by Sai K. Honig, CISSP, CCSP Co-founder - New Zealand Network for Women in Security Board Member – Black Cybersecurity Association There has been a lot of press about promoting

evaluated in terms of an employee’s longevity with a

diversity in cybersecurity, but not much about

company But even this is problematic. Circumstances

supporting diversity in cybersecurity. Promoting

can force individuals (including women and those

diversity and supporting diversity are the same thing

from minorities) to stay with a company even if the

– right? Not really.

environment is not good for them. They simply “put

One definition of promote is “to advance in station, rank, or honour”. One definition of support is “to

Companies can play the diversity game by specifically

promote the interests or causes”.

hiring women and minorities. But once hired, there

‘Promotion’ is often identified with increase in numbers or value – such as the number of women or minorities in a particular job function, or in an industry. Companies are often reluctant to share these numbers publicly because low numbers can reflect badly on their public image. (ISC)2 publishes cybersecurity workforce details through its annual workforce studies, based on surveys of its membership. According to its 2019 “Women in Cybersecurity” report, women account for 24 percent of the cybersecurity workforce. ‘Support’ is a little more difficult to quantify. How do you capture the “promotion of interests or causes” of individuals in a work setting? Sometimes, support is

66

up and shut up”.

WOMEN IN SECURITY MAGAZINE

may be an expectation that these employees “fall into line” with the company’s ways of working. Cohesion is expected and dissent is not tolerated. This suppresses diversity of thought. An outsider may not “fit in” with the company’s expressed and unexpressed culture. I have heard many stories of toxic environments where employees (men and women, minorities and non-minorities) were forced out because they spoke up or spoke out. The initial tolerance of someone new and different can wear off after a short while. This is where support often fails. Without diversity of thought, there can be little diversity of action. In a field that is changing daily or even hourly), can we afford to lose that diversity of thought?


I N D U S T R Y

P E R S P E C T I V E S

Even hiring systems and processes can fail to

reaches an intolerable level, the victimised employee

support diversity of thought. We have seen entry level

reports to a senior manager who then speaks to the

positions advertised that required years of experience,

workers responsible. Is that meaningful resolution?

certifications, knowledge of tools or languages, and

Does it actually solve the problem? After the

degrees. While all of this may be useful for senior

discussion with the senior manager, those employees

positions, it is hardly necessary for an entry level position, and discourages someone just starting out. I still question why a degree in computer science or information technology is required for a job in cybersecurity. These degrees are worthwhile and useful to those who can obtain them.But rejecting applicants with other useful qualifications, limits the

“Supporting diversity of thought goes beyond diversity in hiring. It means creating a culture and atmosphere where all people feel safe and supported. It requires work at all levels of the organisation.”

diversity of thought. There are articles and blogs identifying non-technical degrees that are useful for cybersecurity. Which brings me back to how to support diversity. There are several ways to consider this question, but it does require work. In meetings everyone should be given a chance to speak. It pays to take time to go around the table (or video) and ask each individual to give their thoughts, even if they say only “I have nothing to offer.” The team should evaluate each idea, so no one feels left out.

would continue to victimise their co-worker, creating an even more toxic environment. In some companies there are individuals who are given additional training to act as intermediaries. These individuals, generally not in the line of management, can support individual employees when they feel there is no one they can turn to. These intermediaries can go to management and express concerns without naming the individual concerned. Thus they can provide support without

When working on a project, presentations are often

further shaming the victim, or making those involved

very important, especially to stakeholders. Get

defensive.

input from the entire team and discuss, as a team, each idea on its merits. Instead of having one or two people give presentations, rotate who gives the presentations. It also helps if someone who is not comfortable presenting works with someone who is. Conflict is inevitable and requires meaningful

Supporting diversity of thought goes beyond diversity in hiring. It means creating a culture and atmosphere where all people feel safe and supported. It requires work at all levels of the organisation. It requires work individually, and also collectively. And collectively, we can make the world safer online and off.

resolution. This does not mean conflict should be avoided at all costs, or that the one person who cries foul is called out. It also does not mean simply paying lip service to resolution by “following the process”. An example would be when an employee is singled out for expressing an opinion contrary to the rest of the team. Co-workers begin harassing this employee as a way to make the employee “fall in line” with the

www.linkedin.com/in/saihonig/ NZNWS www.newzealandnetworkforwomeninsecurity.wordpress.com BCA www.blackcybersecurityassociation.org

current ways of doing things. After the harassment

WOMEN IN SECURITY MAGAZINE

67


MELISSA CROZIER

CREATING A CYBERSECURITY CULTURE The human element and building resilience in the threat landscape

by Melissa Crozier, Information Security Advocate, Business Development Manager for Cybersecurity at BSI New Zealand WHAT IS A CYBERSECURITY CULTURE? Cybersecurity culture is the shared attitudes and subsequent actions towards information security policies to increase security in an organization. Creating and embedding a good cybersecurity culture is essential, because every person in an organization plays a role in managing data. The active engagement and ongoing vigilance of an organization’s entire team, top-down and bottom-up, will contribute to the fight against cybercrime. If you solely rely on technology and security software to protect your organization, you may have a false sense of security.

WHY IS CREATING A CYBERSECURITY CULTURE IMPORTANT? More than 99 percent of the cyber-attacks we observe require human interaction to succeed, according to Proofpoint’s 2019 Human Factor report. Too often, we hear that cybersecurity is the information technology (IT) department’s problem. Of course, this is not true. Ensuring information resilience is an enterprise-wide concern. In today’s

68

WOMEN IN SECURITY MAGAZINE

digital world, most business functions are online, and customer data or intellectual property is likely to be accessed by employees remotely. Even with the best technology, all employees should think of themselves as “human firewalls” if organizations are to combat cybercrime. In any system, humans are often the weakest leak. Hackers routinely seek to exploit individuals, rather than systems. They understand how effective social engineering techniques are on people who might not have cybersecurity front of mind. Wombat Security’s Beyond the Phish 2017 report revealed that almost a quarter (24 percent) of respondents answered questions relating to identifying phishing threats incorrectly. This statistic highlights the significant opportunity for those looking to steal data and identities by manipulating a lack of awareness. Employees are the first line of defence and that line needs to be strengthened to play an essential part in building resilience in the face of cybersecurity threats.


I N D U S T R Y

P E R S P E C T I V E S

A lack of security awareness can take a significant toll on organizations. For example, as a global estimate, banks lost more than US$31bn in 2018. The FBI estimated that business email compromise — in which fraudsters pose as company executives or suppliers to trick employees into transferring payments to attacker-controlled bank accounts — cost USD$12.5bn+ between 2013 and 2018. (Treasurers.org). Encouragingly, business leaders are slowly recognize that cybersecurity is no longer a cost centre but a business enabler. Forty percent of organizations claim that cybersecurity is, and will remain in the next 12 months, the top priority driving their technology spending. A recent Information Systems Audit and Control Association (ISACA) Cybersecurity Culture Report found organizations that have established an influential cybersecurity culture have employees who: • Recognize their role in cybersecurity • Participate in regular training programs • Actively engage with the behaviours and habits outlined by their cybersecurity program As a result, these organizations experience benefits such as:

security, privacy and business continuity at BSI, says ISO/IEC 27001 Information Security Management addresses the need for an organization to ensure individuals have the necessary competency and awareness. Therefore, achieving certification to ISO 27001 will provide a governance structure for an organization’s information security management system, and cybersecurity culture is an integral part of this. BSI regularly convenes meetings, committees and working groups that bring together governments and stakeholders responsible for critical infrastructure to develop and maintain international best practices harmoniously. The ISO/IEC 27000 family of standards was created for this purpose. Having such processes and controls in place and using these frameworks means that, when cyber-attacks occur, an organization can respond resiliently, either by thwarting the attack or speeding up the organization’s response and recovery cycle. In order to effectively and sustainably change security culture an organization must look beyond technology and blend its approaches by leveraging people, process and technology. Training should be provided so employees can understand the benefits.

• Increased visibility into potential threats

A parallel is the traditional ten rules of safety in oil

• Reduced cyber incidents

and gas organizations globally. Safety is so important

• Post-attack resilience to resume operations

that every meeting traditionally starts with a safety

• Increased capacity to engage in new business

moment. We should be looking at cybersecurity in the

• Consumer trust in their brand offerings

same light: short but frequent training and targeting

HOW DO ORGANIZATIONS EMBED A CYBERSECURITY CULTURE? How can we embed security awareness and behaviours t into everyone’s daily operations seamlessly? Culture, whether cybersecurity culture or any other, is not something that grows positively organically. Organizations must invest in it. A sustainable security culture transforms security from a one-time event into a lifecycle that generates security returns forever. (Chris Romeo, Security Journey)

employees with consistent content. (Mark Brown, Global MD, Cybersecurity & Information Resilience, BSI) A fundamental behaviour change is also vital to create a culture of involvement. Giving people the chance to provide feedback and make suggestions increases their engagement and creates the motivation to do the right thing. Should an individual click on a suspicious link and then recognize the mistake, the organization should encourage the employee to report it, rather than punish them for the mistake. The earlier the incident is noted and addressed, the

A standards-based approach is one of the most

better, because the situation can then be contained.

effective ways of mitigating internal and external

Organizations should ensure they create a safe space

threats. Willibert Fabritius, global head for information

for honest feedback and transparency.

WOMEN IN SECURITY MAGAZINE

69


Additionally, Kristin Demoranville, head cyber, risk and

every function. Legal and privacy departments can

advisory, Americas at BSI, suggests, “Give people a

help an organization keep abreast of international,

reason to care about cybersecurity. Make it personal

and national regulations and align behaviour

to them because enterprise security awareness

monitoring with workplace privacy laws.

training can also be used at home. Password management, Wi-Fi security, and IoT devices are all things we deal with in our daily lives, and not just at work.”

The marketing team can help educate employees and promote policies through in-house channels, emails, tip sheets, posters, webinars and the organization’s intranet. A cross-functional cybersecurity team can

Establishing a cybersecurity culture team is another

facilitate information sharing and analysis, and

way to embed a good security culture. Leadership

ensure sound security processes are embedded

needs to be engaged and should actively promote

throughout the organization.

cybersecurity as a standing agenda item at board meetings, assign adequate resources, and address

FINAL THOUGHTS

conflicts when security concerns and business

A well-designed security awareness program will

objectives are not aligned. Appointing ‘security champions’ in various teams can ensure behaviours are embedded. The IT department plays a vital role in providing adequate technology infrastructure. Also, up-to-date technical measures are needed to collect data for cybersecurity analysis and reporting. The human resources department can leverage its capacity for training, workshops

promote a healthy culture of cybersecurity and will help to improve organizational resilience and business continuity within your organization. The human factor may be the weakest link in security practices, but you can increase your chances of countering cyber threats by investing in your employees and making that weakest link your strongest asset.

or games, along with its insight on employee roles, processes and behaviour. It may even consider adding cybersecurity elements to job descriptions for

70

WOMEN IN SECURITY MAGAZINE

www.linkedin.com/in/melissa-crozier-782bba23/


It’s almost that time of the year! The Australian Women in Security Awards are back for 2021! If you’d like to join us in person, grab your ticket today! We’ll even throw in a discount for magazine subscribers, click the button to reveal your exclusive code. Valid until 16th August 2021, single use code.

Interested in booking a table? Reach out to charlie@source2create.com.au for more information and availability. Tickets are priced at $200.00 AUD Date: 13th October, 5pm-10pm AEDT Venue: Crown Sydney, Barangaroo, Sydney DISCOUNT CODE

BOOK YOUR TICKET TODAY!

MAGSUB15


INGA LATHAM

HOW SITEMINDER’S PRODUCT AND TECHNOLOGY TEAMS STAYED MOTIVATED AND INNOVATIVE DURING THE PANDEMIC, WHILE SERVICING THE TRADITIONAL HOTEL INDUSTRY by Inga Latham, Chief Product Officer at SiteMinder Leading a growing team of product and technology

environments that suited their needs. We also

professionals comes with the excitement of

introduced Social SiteMinder, whereby all managers

collaborating with the best talent to build industry-

were given their own budget to organise team events,

leading services. However, keeping everyone aligned

rather than being dictated to by executive or global

on both the long-term strategy and the immediate

mandates.

requirements is a daily challenge. Throughout the pandemic, these aspects of my job at SiteMinder were heightened, as we doubled down on the drive to develop products that would help our hotel customers succeed when the impacts of limited travel abated. At the same time an almost overnight shift to company-wide remote working forced us to redefine what successful collaboration (a process that usually involved a lot of face-to-face interaction and whiteboards) should look like.

Post-it notes were digitised overnight. We explored new tools allowing us to mimic our typical physical whiteboarding sessions, and we found we needed many more alignment meetings than usual to ensure everyone was on the same page. When you don’t have everyone in the same room, it’s harder to gauge how actively people are listening and you can’t see the body language to understand how well something has landed.

While there were many potential distractions and

At the same time, we took the opportunity to step

temptations during the pandemic to pivot our

up our customer research capability and testing

business towards, what was critical for motivation

efforts to ensure we had the evolving needs of

and confidence was maintaining our focus on the

our customers at the forefront of our product

strategic programs of work we knew would surprise

development. Team members now have much more

and delight our customers; alongside delivering a

empathy for our customers’ context and needs, and

couple of tactical initiatives to alleviate COVID-driven

it helps us all to focus on real people and real needs

customer needs. We then turned our focus to our

versus “highfalutin” ideas.

ways of working.

REALIGNING OUR WORK HABITS New initiatives like Open Working @ SiteMinder, which allow staff to choose how and when they work remotely or from the office, provided everyone with the autonomy to consciously choose working

72

Collaboration sessions that had involved lots of

WOMEN IN SECURITY MAGAZINE

Once we were allowed to return to the office, it was a good time to run regular small group events to keep the spirit and culture of SiteMinder alive and integrate new team members. People need to feel a sense of team, start forming the relationships required to get their jobs done, and create a connection with the organisation. Communication has always been


important, but working remotely puts additional

industry has a history of being highly susceptible to

emphasis on this and it takes much more effort and

cybersecurity attacks, and the pandemic introduced

energy to be engaging on Zoom or Hangouts than it

new levels of vulnerability and threats among hotels

does in person.

for scammers to take advantage of.

In more personal settings, whether in one-on-one

Keeping our customers’ ambitions top of mind,

meetings or small groups, I make sure I check in at

balanced with what they could realistically manage

the start to see where people are at. I always ask,

amid the pandemic, we quickly introduced features,

“What’s your number out of 10?” and then something

capabilities and technologies behind the scenes to

more personal like, “What’s the best thing that

set them up for success when facing their guests

happened to you today?” or “What’s challenging you

in the real world. This included enforcing two-factor

this week?” This helps to understand where people’s

authentication to reduce the risk of successful

energy is at and how much effort I need to put in, as

phishing attacks, introducing a new security

well as giving me and the rest of the group an insight

monitoring platform that identifies more advanced

into what’s going on for everyone.

threats, and enhancing our anti-fraud controls and

Even so, keeping spirits high and maintaining

processes.

innovative mindsets during a pandemic is easier

During the pandemic hotels were also under severe

said than done. Boston Consulting Group (BCG)

pressure to upgrade their online presence and

recently found that three-quarters of companies are

capabilities to meet the changing needs of travellers.

prioritising innovation in 2021, though only 20 percent

There was a sudden shift from corporate to leisure

of businesses are ready and equipped to innovate.

travel, from international to domestic holidays, and

Meanwhile, healthtech and medtech companies were

from long-term planning around seasons to short-

standout innovators in 2020, accelerating the pace of

term opportunistic trips. We saw many rural hotels

capabilities like vaccine readiness to unprecedented

thrive with a change in customer base, hotels on state

levels. Australia also experienced a spike in new

borders rapidly transition to catering for interstate

science and medtech startups to reflect the boost

travellers by car, and many city-based hotels pivot to

in consumer interest in tech-led health and science

being quarantine stations.

innovations.

Once we understood our customers’ challenges

These seemingly contrasting findings could be

and needs during the pandemic, which was and

explained by organisational psychologist Dr Amantha

continues to be an ongoing exercise in customer

Imber’s theory: that creativity thrives on constraint

communications, data analysis, and feedback loops,

and that “constraints can be a catalyst for activating

we could then direct where our motivation, creativity,

and harnessing new and better ideas”. Consequently,

and innovation should go.

when industries such as healthcare and medicine were under enormous pressure to deliver specific outcomes within tight timeframes, they were actually better positioned to thrive than companies or industries working from a blank canvas.

DRAWING INNOVATION FROM OUR CUSTOMERS ‘CONSTRAINTS’

It is through this lens that we are planning for the future across our product, security, and technology teams. Our new ways of working are designed for the long-term, but remain flexible with the expectation that there will be ongoing changes to our economy throughout and following the rollout of the vaccine. Most importantly, our focus on hoteliers and their changing needs continues to be at the forefront of

Hotels have been trying for years to catch up with

our business and technology strategies – the more

the tech-driven appetite of their guests, who are

focused our efforts, the greater the innovations that

increasingly expecting everything from booking,

can be delivered to them.

checking in, entering their room, ordering service, checking out, and leaving a review to be a seamless

www.linkedin.com/in/inga-latham-7651171/

and intuitive digital experience. Furthermore, the www.siteminder.com/

WOMEN IN SECURITY MAGAZINE

73


KAREN STEPHENS Karen is CEO and co-founder of BCyber, an agile innovative group who works with SMEs to protect and grow their business by addressing their cybersecurity and governance risk gaps by demystifying the technical.

Ten top tips to secure your website In May this year Domain.com.au advised that a cyber-

3. Implement least-privilege access. Limit people’s

attack had resulted in an unauthorised third party

access to the lowest level they need to do their

gaining access to users’ personal information and

job. Not everyone needs full admin access. And

deposit details. Yet, when you mention cybersecurity

limit external parties’ access and timeframes.

most people automatically think of antivirus, the

There is no need to have umpteen administrators.

Deep and Dark Web, Ransomware as a Service, and

People with unnecessary access can result in

possibly the need for a cyber awareness program or

unwanted website security incidents and when

endpoint protection. Few people, if any, have website

a staff member leaves, check that their website

security top of mind.

accesses are removed.

Website attack is very popular with the

4. Deploy a secure sockets layer (SSL) certificate.

cybercriminals. Some estimates put attack

Buy an SSL certificate. With that little lock

numbers as high as 50,000 websites per day. The

showing in the top left corner of your website

cybercriminals tend to adopt a “spray and pray”

you boost your SEO rankings and ensure any

approach, using programs that detect websites with

data your visitors send to your site is using an

accessible vulnerabilities, only a small minority target

encrypted channel, so cybercriminals cannot

specific sites. Cybercriminals do not necessarily

see it while it’s in transit. You may even wish

want your data. They may want to use your server as

to consider upgrading to TLS (Transport Layer

an email relay for spam or set up a temporary web

Security) a more recent version of SSL.

server for nefarious purposes, plant malware, redirect traffic to another site to name but a few objectives.

5. Update early, update often, update everything. Websites use tools to run effectively: content

You can implement a few small, but powerful

management systems, plugins, WordPress, Java

measures to protect your website.

scripts and the like. Updates not only fix “bugs

1. Review your site security. Have a formalised scanning and review program covering access levels, patching, updating protocols and the like. 2. Take ownership of security. Do not leave the security of the site in the hands of the wrong people, for example marketing or web designers. They may be great at what they do, but would you let your interior decorator recommend, implement, and monitor your back-to-base alarm?

and glitches”, but they also often provide security enhancements. Updating immediately means you are closing a vulnerability and remaining one step ahead of the cybercriminals. 6. Have a website backup strategy. A regular backup program will help you recover more quickly from a site hack (or human error or an update problem). Ideally you should have the backup stored on a server other than the one hosting your website. You do not want to lose your website only to find your backup has been infected as well, because that would mean a full site rebuild.

74

WOMEN IN SECURITY MAGAZINE


C O L U M N

7. Practice good password hygiene. Keep your admin passwords safe and choose complex passwords with at least 12 (some say 16) random characters, including upper and lower case letters, numbers, and symbols. Never reuse

Remember BCyber. Be cyber safe.

passwords. Never share passwords, and never use any personal details in your passwords (social media is a fount of information for the cybercriminal). 8. Change default settings. This includes even those without an obvious security focus. Do not allow the cybercriminal into your settings so they

If anyone would like a little website security help they can book a meeting with us (Book a meeting with BCyber) and we can run a security and marketing review report for them and discuss how they can harden their websites..

can leave the gift of malware. Some settings you may wish to consider changing include user controls, file permissions, comments settings.

www.linkedin.com/in/karen-stephens-bcyber/

And please customise the WordPress admin login URL. 9. Do not make it easy for the cybercriminal. Never use admin, or test, or backup, or your site’s name as the username for your administrator

www.bcyber.com.au karen@bcyber.com.au twitter.com/bcyber2

account. 10. Invest in and install web security tools. Plugins

youtube.bcyber.com.au/2mux

and Web Application Firewalls (WAFs) are easy to source and not that expensive. They harden your site security posture and can monitor for malware and viruses.

WOMEN IN SECURITY MAGAZINE

75


Meet Lisa Harvey-Smith:

FIGHTING FOR WOMEN IN STEM by Stuart Corner

O

released the STEM Equity Monitor

TEN YEAR ROADMAP TO GENDER EQUALITY

2021, its second national data report

Office of the Women in STEM Ambassador is hosted

on girls’ and women’s participation in

by the University of NSW where Harvey-Smith is also

science, technology, engineering and

a Professor of Practice. The work of her office is

mathematics (STEM).

underpinned by the Women in STEM Decadal Plan

n Monday 3 May the Government

It showed signs of progress. The proportion of women enrolled in undergraduate and postgraduate STEM courses at universities increased from 34 percent in 2015 to 36 percent in 2019. The proportion of women working across all STEM-qualified industries increased from 24 percent in 2016 to 28 percent in 2020. However, much more must be done, the Government said. “Significantly more change is needed to achieve our joint vision for gender equity in STEM in Australia by 2030.” One woman plays a key role in efforts to achieve that change: Professor Lisa Harvey-Smith. She is Australia’s inaugural Women in STEM Ambassador, appointed for two years in 2018, re-appointed in 2020 and charged with “advocating for girls and women in

76

and the Government’s Advancing Women in STEM strategy, announced in April 2019. The Decadal Plan was developed by the Australian Academy of Science in partnership with the Australian Academy of Technology and Engineering, and launched in April 2019. Harvey-Smith told Women in Security that, useful as the STEM Equity Monitor is, she is trying to gather more data to evaluate Australia’s progress on getting more women into STEM. “There are more than 300 women in STEM programs trying to get girls engaged in STEM across Australia, but only two of those more than 300 programs are actually being evaluated, tested and with evaluation results publicly posted somewhere. So we are scrambling to find out what’s working.”

STEM education and careers, raising awareness and

To remedy this her team has developed an evaluation

driving cultural and social change for gender equity.”

guide for women in STEM programs designed to

WOMEN IN SECURITY MAGAZINE


F E AT U R E

determine how these initiatives are progressing and whether they are meeting their targets and their goals. “Then we will be able to share best practice,” she says. “We’re driving that very strongly.” She is also working to tackle the lack of women in STEM at its source: genderbased attitudes, beliefs and role models that are inculcated in children from their earliest years. “I’ve spoken to more than

They are just specialties that people can learn. They

11,000 teachers across Australia in the last two years

are not associated with fear or dread.”

about gender equity in the classroom, and how to break down social stereotypes because young people are so affected by our social stereotypes,” she says. “Kids are given different signals, depending on gender. It’s no wonder they go down different paths. So we’re trying to get young people, the parents and teachers engaged as well.”

TACKLING GENDER BIAS AT ITS SOURCE To this end she’s been given $1.5m by the government for the Future You initiative: a web-based awareness raising campaign, featuring cartoons and animated characters in STEM roles. “These are STEM professions that kids can aspire to be and they are diverse. We’ve tried to represent some really exciting future careers so that young people can understand that careers like cybersecurity, robotics engineer, Moon to Mars Mission director are real jobs they can actually get in Australia.

While getting women into STEM might well be a challenge that starts in kindergarten, there’s another challenge in the workplace, says Harvey-Smith: keeping them there and advancing them. She says more educational programs are needed, and while progress has been made in the public sector and large organisations, much remains to be done in the SME space.

CHANGING WORKPLACE ATTITUDES “Attitudinal change has to come through education. There needs to be a lot more educational programs in workplaces. When I joined CSIRO 12 years ago, there was very little discussion and acknowledgement of these issues in the workplace. “When I left people were discussing these things in their team meetings: how to create inclusive environments, how rules had changed to be more flexible, making parental leave equal between the genders. We need to make those conversations

There is not yet a Future You character with a

part of our corporate environment, even in small

cybersecurity role, but she says one is on the cards,

businesses. That’s really important.”

and the program is aimed not just at children but at their parents and teachers.

She acknowledges small business cannot have resources dedicated to gender equality, but is

“A lot of people would be scared by words like

encouraged that the Workplace Gender Equality

cybersecurity, programming, supercomputing. But,

Agency — an agency created by the Workplace

once you get into them, they’re not that complicated.

Gender Equality Act 2012 charged with promoting

WOMEN IN SECURITY MAGAZINE

77


and improving gender equality in Australian workplaces — has opened up to allow businesses with fewer than 100 employees to report their gender equality data (reporting is mandatory for businesses with more than 100 people). She is also working with employers and with government “to try and pull policy levers and change systems that are failing, women’s progression into

“I’ve spoken to more than 11,000 teachers across Australia in the last two years about gender equity in the classroom, and how to break down social stereotypes because young people are so affected by our social stereotypes, kids are given different signals, depending on gender. It’s no wonder they go down different paths.”

leadership.”

EVALUATING GENDER EQUITY INITIATIVES One of the Office of Women Stem’s main initiatives

78

$250,000 for projects that increase women’s and girls’ participation in STEM and entrepreneurship.

is its National Evaluation Guide for STEM Gender

“Organisations that apply for those grants, and

Equity Programs. Harvey-Smith says it is now being

are successful, use the evaluation guide to plan

used to evaluate applications for government funding

and evaluate their programs. Then will take those

under Women in STEM and entrepreneurship grant

evaluations and share them with the community and

program that provides grants between $5,000 and

figure out what works. So in the next round of the

WOMEN IN SECURITY MAGAZINE


F E AT U R E

same funding program, we can support the ones that

“We’re working with CSIRO, ANSTO and some of

have proved to be most effective.”

the major scientific organisations across Australia

Harvey-Smith is no stranger to the challenges facing women in a male-dominated workplace. She’s achieved her career goals in a majority male environment. She’s a leading astronomer and astrophysicist, a realisation of her childhood goal, and the culmination of a career path that started with her joining her local astronomical society as a teenager. “I was the only young woman in my local astronomical society. I was almost the only woman doing my degree,” she says. “There were young men sitting there in my maths classes and my physics classes, and just a handful of women. In physics and astrophysics I was often the only woman in the room. “I did encounter overt sexism, and people commenting about women’s capabilities, ‘joking’, of course, in quotes. I was selected for my University Challenge team at my PhD Institute. One colleague, a young man who failed to get on the team, told me in no uncertain terms, I only got on the team because I was a woman, even though we just sat a test together

who have scientific facilities like telescopes, the synchrotron, supercomputers. We’ve asked them to remove the names from applications for funding to use their facilities. “We’re doing a two-year study to compare the results before and after that change was made to see if there is any unconscious bias.”

WHAT INDIVIDUAL WOMEN CAN DO No matter how successful these programs are, it will be a long time, if ever, before women in the workplace cease to face sexism and gender-based discrimination, and Harvey-Smith offers some advice for women working in STEM. “It’s important to look after yourself emotionally and realise that it’s not a deficiency in you, it’s a deficiency in the system,” she says. “Once you are senior enough you can you have enough privilege in a position like mine to be finally able to actually tackle the system. But if you are very junior, early in their career, and try to do that, it’s very

to get on the team and I clearly had outranked him.”

debilitating.

When studying for her PhD, Harvey-Smith had a

“So I would say fighting for what you see as justice,

picture behind her desk of women astronomers at Harvard University. “One of my cohort when I was away from my desk, wrote ‘get back in the kitchen’ across it.”

UNCOVERING UNCONSCIOUS BIAS

fighting for a better system is great, but don’t let it take everything away from you emotionally. That’s a very common thing that happens. And people drop out because they get very alienated from the system. “We can take steps as individuals to improve our workplaces, our sphere of influence, and to fight

Probably most women in STEM have similar stories

against some of those systems. You’ve just got to

of overt sexism, but the Office of Women in Stem is

read the Women in STEM Decadal Plan and see what

working to understand if there are more subtle, and

needs changing and pick one thing. Taking action is

potentially career-limiting biases against women: in

really empowering.”

the assessment of applications for funding for STEM projects, or applications to use facilities. HarveySmith says overseas research suggests this could

womeninstem.org.au/

result in a bias of 10-15 percent against female applicants. “There’s a lot of research about this. We can definitely see from international data the bias is there, but we’re

www.womeninstem.org.au/futureyou/

womeninstem.org.au/national-evaluation-guide/

going to do an Australian study so we can prove exactly what’s happening. And then make changes so that everyone gets a fair go.

WOMEN IN SECURITY MAGAZINE

79


MEL MIGRINO

BUILDING RELATIONSHIPS IN THE SECURITY AND RISK SUITE AND WHY IT MATTERS by Mel Migrino, VP and Group CISO, MERALCO Group Chairperson and President of Women in Security Alliance Philippines

Looking back on my first leadership role in security and risk, I was young and lacked experience in managing a complex workplace. I simply focused on what I do best and ensured that my team was equipped to identify and treat security risks. I thought that would be sufficient to enable me to thrive as a leader. At the end of the day I thought I was running an independent team where callouts are made regardless of whether or not teams follow. In this challenging time where we juggle the demands of IT and risk management, there are teams that view risk through a different lens, perhaps deprioritising security initiatives by adopting a ‘wait and see’ mindset, leading to potential significant risk exposure. Change is unavoidable. The network we are

80

WOMEN IN SECURITY MAGAZINE

accustomed to protecting is no longer fixed, it has extended outside the perimeter defences bringing more valuable services and better experience to end users. Many organisations will need to adopt agile and continuous delivery business models to bring value in this era of innovation and transformation. This bring significant new challenges as well as opportunities for security and risk leaders. Security and risk teams need to adapt to the rapidly evolving digital organisation, which means they need to develop a partnership approach to the development of policies and standards. They need to show technology teams they are part of a collaborative group that is ready to listen and provide workable solutions to ensure the protection of assets. The security and risk leader needs to be working in a hyper-collaborative mode with other business leaders


I N D U S T R Y

P E R S P E C T I V E S

to ensure the security and reliability of products and services. Hence it is paramount to understand the desired outcomes of an effective security and risk leader.

1. A C-suite influencer. Security and risk leaders regularly interact not only with the IT leaders but with the other business leaders and executives in the organisation to ensure they are aware of how security can help support business objectives. Among these leaders are the chief finance officer, chief data officer, heads of marketing and sales, product, and even executives of third parties providing products and services to the organisation. Such interaction is essential to enable security and risk leaders to keep up with rapidly changing demands.

in these areas for training and guidance and developing a succession plan for security and risk leaders at all levels and in all domains. 4. A leader who can balance a stressful work environment and personal endeavours. Fatigue is real, but security and risk leaders should be able to define boundaries between working and nonworking hours. They should be able to identify their responsibilities from the onset of their work and regularly evaluate whether the initiatives they are involved in are within the scope of their role. Demonstrating effectiveness is crucial, but there

“Security and risk teams need to adapt to the rapidly evolving digital organisation, which means they need to develop a partnership approach to the development of policies and standards.”

2. A risk manager with a futuristic view. Security leaders position risk management at the heart of business processes and technology implementation. Information risk management is treated as an accelerator to drive better digital changes in business operations. Security leaders look at AI and threat intelligence as tools to identify, correlate and mitigate risks that affect core assets.

3. A leader who focuses on talent strategy and development. One of the key challenges for security and risk leaders is recruiting and retaining the right talent. With the huge demand on security and risk across the globe, it is difficult to keep high performers for a long time. A reward and recognition plan developed with the compensation and benefits team should be rolled out and effectively communicated. In addition, a well-documented succession plan for the executive leader should be in place to ensure the overall security and risk strategy remains intact despite unforeseen challenges. Talent strategy should focus on upskilling security and risk resources, considering resources with an interest

is also no exact formula for this. Leaders need understanding and the ability to balance priorities to influence others and get the job done.

Security and risk leaders must leverage their personal strengths if they are to be effective in their roles, which continue to expand as organisations become increasingly digital. Their roles are moving into unchartered territory; thus they must focus on the things they can control and employ the right set of resources to plan for uncertainties. Security and risk leaders who can blend these behaviours over time will be highly effective.

www.linkedin.com/in/mel-migriño-b5464151/

WOMEN IN SECURITY MAGAZINE

81


NICOLA O’BRIEN

DOES PRIVACY EVEN MATTER? (SPOILER: YES)

by Nicola O’Brien, Author of Ready Set Code | CS and Coding Education Outreach | Founder of Code Rangers | Cybersecurity Outreach BRINGING CYBERSECURITY TO SCHOOLS

minutes and face palms later they sat down and

Last week as I worked from home, a conversation on

message that had just originated from their account.

my local radio station made me stop and listen. There was a discussion about passwords. It’s a hassle signing into online accounts, and listeners questioned why they need credentials to access a free online streaming service. One caller mentioned they use the same password everywhere, and I quietly rejoiced as the presenter pointed out that this was problematic. But just as quickly, the caller said “Mate, if those hackers want to steal my identity, they’re welcome to it. I’m so boring

I could tell there was a real sense of embarrassment from this event. Speak to anyone who has been hacked or fallen for a scam, and they will tell you it’s a very emotional experience. It’s not just about the inconvenience of changing passwords or deleting accounts. The personal impact of a security breach, and the general apathy amongst people who haven’t been hacked, has been on my mind at work. My team has been developing a new set of resources to introduce

they’d probably give it back to me in a few weeks

cybersecurity to high schoolers.

anyway.” Everyone laughed. It became the soundbite

In late May, Grok Academy launched a 45-minute

of that segment, and I was left pondering again: why

online activity for students, Grok Cyber Comp,

are people so unconcerned about protecting their

to increase their cyber security awareness and

digital identity?

challenge them to think about choosing secure

In the same week, a work colleague, whose identity

passwords, password reuse, oversharing, scams

I’ll keep to myself, confided they’d logged onto Steam for the first time in a while. There was a message from someone they hadn’t heard from in a few years, asking them to vote for something. Friendly person that they are, they said: “Cool, happy to help.” A few

82

messaged all their contacts apologising for the spam

WOMEN IN SECURITY MAGAZINE

and phishing, along with other important aspects of cybersecurity. The competition was available for two weeks only, and thousands of students took part. It was one of several new cyber competitions being staged by Grok Academy in 2021 to encourage students to engage with cybersecurity.


I N D U S T R Y

P E R S P E C T I V E S

We really wanted students to see cybersecurity in an environment that’s realistic. So we developed a fake mobile phone loaded with our fictitious apps Fistbump, Flashtag, and WhatEvs (our messaging app), and filled them with real conversations and images from teenagers. Students explored the phone and messages to see how a photo of a birthday cake, pictures with a favourite pet, and snaps with their sports team might leave them exposed. Browserbased activities on the phone explored cookies. Our scam annotator let students highlight parts of emails which indicated that the message and its sender could not be trusted. The Grok Cyber Comp competition may be over, but all of the features described above are part of Grok Academy’s larger set of resources available free of charge year round for school students: the Schools Cyber Security Challenges. These challenges have

Reminding them that their future twenty-something

been recognised for their impact on girls, and are the

self might not thank them for online photos sounds

recipient of the AWSN Best Higher Education Program

good, but is too hypothetical to resonate with most

for Young Ladies in Security in both 2019 and 2020.

students. Try something closer to home: “Do you

We’re proud to have these challenges well-used by

want grandma seeing those pictures?” or “What will

girls and boys alike, with girls accounting for between

you think about those pictures 12 months from now?”

40 per cent and 50 percent of participants.

Fashions, friends and fads change fast in the teenage

We think it’s important to make cybersecurity accessible to everyone. This has two benefits. Firstly, we know the human factor is a huge part of building cyber-secure organisations, so we want students

years. The teenagers in my life think whatever they did a year ago is highly embarrassing now. It’s a great way to get them thinking before sharing their daily life with the world!

to be aware of cybersecurity from a young age.

Grok Academy is an education not-for-profit, based

Secondly, awareness about cybersecurity as a career

in Sydney, whose mission is to educate all learners

is very limited in schools. Our resources include some

in transformative computing skills, knowledge

cryptography, and snooping through cookie files

and dispositions, empowering them to meet the

and HTML to discover information. We’re hopeful

challenges and seize the opportunities of the future.

these will spark an interest in some of the thousands

Nicola O’Brien is a senior educator. The Schools

of students who took part in Grok Cyber Comp.

Cyber Security Challenges and Grok Cyber Comp have

Opportunities in the cybersecurity industry need to

been developed with the support of partners Amazon

be made more visible to the thousands of students

Web Services, ANZ Bank, the Australian Signals

we know have the skills to thrive, but don’t yet know

Directorate, British Telecom (BT), Commonwealth

what’s out there for them.

Bank, National Australia Bank (NAB) and Westpac.

The next event for the year is Grok Cyber Pursuit: a

Details of all of Grok Academy’s cyber security

capture the flag series of challenges that will be rolled

activities can be found at aca.edu.au/cyber

out from July until September. Follow Grok Academy for updates and encourage the high school students

www.linkedin.com/in/nicolaaobrien/

in your life to get involved. And if you are talking to students about why privacy

twitter.com/NicolaO_B

matters, you need to take the right approach.

WOMEN IN SECURITY MAGAZINE

83


AWSN RETURNING TO IN-PERSON EVENTS AROUND AUSTRALIA by Laura Jiew, AWSN National Social Media & Marketing Lead

May 2021 saw members of the Australian Women in Security Network (AWSN) doing a “happy dance” around several parts of the country as we returned to hosting chapter events in-person. Below is a snapshot of the many activities conducted around Australia. 

QUEENSLAND

AWSN was proudly represented at the AusCERT2021

opportunity to chat with the many conference delegates who attended, and promote AWSN as a

conference held at The Star Gold Coast from 11 to 14

membership organisation.

May.

Last but not least, congratulations to Stefanie

First and foremost, kudos and massive

Luhrs, Jess Dodson, Virginia Matos Calegare and

congratulations for our network’s founder and executive manager, Jacqui Loustau, on winning

Daisy Wong for their workshops, presentations and speed debate involvement.

the prestigious AusCERT Individual Excellence in Information Security Award for 2021 (past winners have included Michelle Price, Mandy Turner and Troy Hunt). Jacqui was deservingly recognised for her tireless work in building the AWSN community to be where it is today. Thank you also to our wonderful members Adeline Martin, Chelsey Costello, Sarah Gurry, Kelsy Luengen, Stefanie Luhrs and Daisy Wong for helping at the AWSN trade booth, kindly donated by the AusCERT team, for which special thanks to Bek Cheb. The booth was consistently busy and gave us an amazing

84

rry and AusCERT, Sarah Gu WOMEN IN SECURITY MAGAZINE

Daisy Wong


P E R S P E C T I V E S

Romina

Carfi

I N D U S T R Y

CANBERRA

On 25 May our Canberra chapter leads hosted the highly-anticipated return of their ever-popular Canberra networking breakfast event. Those who braved the morning chill and fog (classic Heather Cardew

Canberra) were treated to an excellent welcome from Jill Slay, our newly-elected AWSN board president, and from Stephanie Males, PwC Australia managing partner, Canberra. The breakfast was certainly an awesome way for our Canberra community to catch up with fellow network members, old and new.

SYDNEY

The Sydney chapter, in conjunction with the folks from Secure Code Warrior, hosted a session on the topic of “Secure DevOps: Why is it still important in 2021?” at their brand-new HQ premises in Chippendale, Sydney

MELBOURNE

On the same date, but over in Melbourne, our chapter leads hosted a lunchtime career panel and networking session on the topic of “Security Education and

on 19 May.

Security Influence”.

A note from Heather Cardew, a Sydney chapter lead

The event featured panellists Jasmin Krapft from

below: “Thank you to Stefania Chaplin, a solutions architect at Secure Code Warrior, for your very entertaining presentation on how security needs to become part of

Bupa, Catherine Wise from Afterpay, Erica Hardinge and Fiona An from ANZ, and Daisy Wong from the Department of Premier and Cabinet, Victoria. Sharing a lovely quote from one of our attendees

the DevOps cycle and not an afterthought.

below:

“Thank you also to panellists Kasvi Luthra, Svitlana

“Hearing from some absolute champions in the industry

Vyshnivetska, Nelly Sattari and George Abuzo. It was

that succeeding without a technical background is

fantastic to hear how we can tackle this issue from

achievable gave me a little pep in my step!”

a diverse range of perspectives. It was encouraging

- Camille Kennedy, currently pursuing cybersecurity studies at Victoria University.

to hear we are moving in the right direction. And we greatly appreciated your insights on how we can better collaborate and integrate security within DevOps.” Many thanks to Laura Lees, a fellow Sydney chapter lead for moderating the above panel and of course, a BIG thank you to Secure Code Warrior for hosting us and for sharing your beautiful

Nimish

a a Bhatt

new headquarters.

WOMEN IN SECURITY MAGAZINE

85


CELEBRATING INFORMATION SECURITY EXCELLENCE IN 2021 by Laura Jiew, AWSN National Social Media & Marketing Lead

Congratulations to AWSN founder and executive manager, Jacqui Loustau, on her AusCERT2021 “Information Security Excellence” award. The AusCERT team recently had a chat with her to learn more about her role as executive manager at AWSN, her vision for the network, and for the cybersecurity industry in general. Tell us a little about your professional career

was pretty much how my security career journey

My interest in technology started when I worked on a

I then worked as a security consultant on multiple

help desk at Australia Post, and in PC support at an

large scale projects in a variety of roles, including

insolvency company while studying at university for a

implementing antivirus, delivering public key

Bachelor of Information Systems.

infrastructure solutions, performing risk assessments

I then graduated and became a Unix administrator for a few years before deciding I wanted to travel and see the world. When I was backpacking in Europe I ran out of money (as you do) and got a job working on the helpdesk

86

began.

and technical assessments, writing policy, and basically anything that was thrown at me. I ended up spending seven years in London and seven years in Paris as a consultant working on many interesting projects, which I loved.

at Schlumberger, where I was given the opportunity

When I came back to Australia, I continued to consult

to retrain to be a technical consultant. They put me

on different projects before moving to the in-house

through some intensive technical networking and

security team at ANZ. I started in their Identity and

security training, and at the end asked me what I

Access Management (IAM) team, then moved on

wanted to do. I thought security interesting, and that

to designing the cybercrime controls for ANZ’s

WOMEN IN SECURITY MAGAZINE


institutional banking arm, and finally moved to head

hand-on workshops, training, mentoring and speaking

the Security Education and Influence team in a job

engagements with community groups, universities

share role.

and high schools.

I then decided I really wanted to help small

the folks at Cynch, a cybersecurity company focussed

Congratulations on winning the Information Security Excellence award! What does this award mean to you?

on small businesses.

It was an absolute honour to receive this award.

businesses, which I saw being affected by cybercrime, and I ended up spending a year in start-up land with

You’re the founder of AWSN. Can you tell us more about how AWSN was born and what your mission is? The idea for AWSN came to me when I returned from my 14-year stint overseas and returned to Melbourne. I walked into a security event and was overwhelmed by being the only female in the room. It was something I had gotten used to in Europe, but seeing and experiencing it really hit me, especially when I didn’t know anyone in the room. I met one other female participant and she took me under her wing and introduced me to some people. We then brought together a number of female colleagues for casual breakfasts and started meeting up before security conferences. We spoke about how much we enjoyed working in security, and some talked about the challenges they faced being the only females in their teams. After a while, I started thinking there might be other women out there feeling alone, so I started a LinkedIn group. This grew organically, and soon local state-based

This means so very much to me, and I sometimes still pinch myself with disbelief. I believe that this is a community recognition award, as the AWSN couldn’t have got to where it is today without all the volunteers, sponsors, donors, mentors, coaches, speakers, writers and all the people supporting us over the years. Receiving this award means the information security industry in Australia recognises that what AWSN is doing is important and meaningful work, And that we are on the right track with what we are trying to achieve. It means all the hard work and hours I and all our volunteers put in to make AWSN what it is today are worthwhile. Thank you to everyone who has contributed to our cause, you know who you are.

What do you see as some of the main cyber threats in today’s society, and what are their accompanying risks? Are you seeing any particular threats becoming more common?

chapters started to pop up across Australia. These

Good question!

then grew into more formal bodies, and now our

There are many, and I could probably talk for hours

community consists of around 2500 people. The AWSN is an open network of people aiming to grow the number of women in the security

on this topic. But if I were to choose two that we as a society/community need to work together on a lot more, they would be application vulnerabilities and

community. We support, inspire and act as role

supply chain risks.

models. We connect women in the industry, and those

As we continue to use technology and build systems,

looking to enter the field, with the tools, knowledge, network and platforms needed to build confidence and interest. As a network, we know the diverse nature of online threats requires diversity of thought if those threats are to be effectively addressed, and this is where our network thrives. We operate mainly through events,

apps and software faster than ever, security is often something considered at the last minute, or sometimes never. We shouldn’t expect the users of our systems or apps to know what to look out for when it comes to a security breach. Hence, it is my personal belief that technology should adopt a “secure-by-design” philosophy and make it easy

WOMEN IN SECURITY MAGAZINE

87


for users to apply security updates when they are

budgets. Therefore we need everyone on our side and

required.

we need to show that we are open to listen and help.

When it comes to supply chain risk, some of

As a community, I think we need to communicate

the cyber threat issues stem from the fact that

better, prioritise (based on known risks) and provide

small businesses (which ) often cannot afford

easy and accessible information, solutions and

expensive security services and products, or

advice, so as not to confuse the general public

security consultants, to help them implement secure

further.

processes and protect their company assets.

impacts on large corporations, critical infrastructure

What’s one common challenge you find women and female-identifying professionals facing in the cybersecurity industry, and how can organisations continue to support them?

and government agencies, because it is very likely

A common challenge I’ve personally found with

These businesses are particularly vulnerable to threats such as business email compromise (BEC), ransomware or data breaches that are becoming increasingly common. These can have downstream

these smaller businesses are part of their supply chains. It’s a cliché, but cybersecurity really IS in everyone’s interest—no matter the size of your workplace.

If you could give one piece of advice for organisations and IT/cybersecurity professionals, what would that be? To stay humble and keep an open mind. Remember that most in our society don’t know what we know, so no question should be considered a silly question. I don’t think there is anyone in our sector who knows absolutely everything about security, so we shouldn’t treat/blame users for not having known better in the wake of a breach or an incident. There are many people out there (they could be your grandparents, friends, family members and colleagues) who are confused and overwhelmed by the topic of cybersecurity. It is the belief that cybersecurity is difficult and tricky that often makes security departments feared or perceived as unapproachable. Therefore, we as a community, have a responsibility to show others we

dominated teams is that they feel they are not heard or not given the same opportunities as their male counterparts. They are often questioned as to why they are there, and instead of being consulted as subject matter experts, they are asked to refer a query to a male counterpart, because the questioner assumes they don’t know the answer, or don’t have anything to contribute on a particular security topic. Everyone should be given an equal opportunity to contribute. By this I don’t mean only females, but also young/elderly males, people of different ethnicities, people of different backgrounds, all of whom need a voice. Organisations must address this better; it needs to be a fundamental part of all teams, or we will continue to lose good talent. And when good talent is lost, it makes it hard for upcoming new talent to see people like themselves in a career path in security, and we absolutely need this new talent in order to fight the new security and technology challenges ahead.

are keen to help them learn and have them join us on

The following excerpt was read out at the

this journey.

AusCERT2021 Gala Dinner awards ceremony on the

We cannot fight this battle with just technology

13th of May:

and largely rely on humans to report things that are suspicious, to consult with us before they are about to go live with a system and to sign off on our

88

women and female-identifying professionals in male-

WOMEN IN SECURITY MAGAZINE

Jacqui is Founder and Executive Manager of the Australian Women in Security Network (AWSN) which aims to connect, support and inspire more


people, in particular, women and female-identifying

Today, AWSN is a national group of close to 2500

professionals to pursue a career in security. She is

members across Australia with linkages to a number

also co-author of the international book ‘Women in

of prominent sponsors. It is an open network of

the security profession’.

people aiming to grow the number of women and

Having studied Information Systems at University, Jacqui Loustau thought she would pursue a career in

female-identifying professionals in the cyber security community.

computing. That career saw Jacqui leave Australia in

AWSN’s mission is to support, inspire, and connect

the early 2000s to pursue an exciting opportunity in

women and female-identifying professionals in the

London. The next 14 years would see Jacqui working

industry and those looking to enter the field with the

across London and Paris, working on various high-

tools, knowledge, a connected network and platforms

profile projects within the European Commission, UK

they’ll need in order to build their confidence and

government, NHS and the financial sectors - before

cultivate their interest.

returning to Australia in 2014 to take on a senior role with the ANZ bank.

Kudos to Jacqui for her tireless work in building the AWSN to where it is today, and with that - it is with

It was through her role at ANZ, which involved

great honour that we invite her up to the stage to

attending and speaking at numerous industry events,

receive the award for Information Security Excellence

that Jacqui first noticed the distinct lack of women

in 2021.

working in the cybersecurity industry.

Jacqui will also appear on the AusCERT “Share

In April 2021, Jacqui decided to take a leap of faith

today, save tomorrow” podcast in an episode titled

and is now devoting 100 per cent of her time to

“Passion led us here” in July 2021. Please look out

building the AWSN as a not-for-profit organisation. In

for this via Spotify, Google and Apple podcasts.

short, AWSN has been Jacqui’s “passion project” for close to seven years.

WOMEN IN SECURITY MAGAZINE

89


CHIOMA CHIGOZIE-OKWUM

FACTORS THREATENING EFFECTIVE PARTNERSHIPS IN CRISIS SITUATIONS by Chioma Chigozie-Okwum, Spiritan University Nneochi, Abia State, Nigeria. Crises can impact individuals, families, communities,

to crisis management. In the face of a crisis, a

countries, or the whole world. The recent COVID-19

partnership allows big players to partner with

pandemic is an example of a global crisis: its waves

medium and small players to ensure the cushioning

created widespread fear, panic and uncertainty

resulting from crisis management trickles down to

for people regardless of nationality, race, class

the most vulnerable members of the population.

or religion. For individuals, crises can create fear, depression, and other mental health problems, and produce suicidal thoughts. Crisis management includes frameworks, decisions, and actions taken to respond to crisis situations. It is imperative to develop a strategy and action plan on how to respond to a crisis situation. Crisis management may not completely eliminate the crisis, but seeks to cushion its impact and provide support to those impacted. Crisis situations can range from

players to be combined with the local structures of the medium and small scale players to achieve effective crisis management. However, partnerships in crisis management only achieve their aim when there is proper monitoring to identify and counter aspects of the partnership that can compromise its effectiveness. These factors include, but are not limited to:

violence orchestrated by terrorists and militia to

• Poor communication between partners.

drought, flooding, fire, tribal wars, civil unrest, and

• Lack of integrity in any of the partners.

even police brutality.

• Lack of transparency in dealings.

Crises can be micro or macro managed. Macro management approaches crisis management from a broad perspective. Micro management pays attention to every single detail. In managing a crisis, it is imperative to consider the size of the crisis to determine the most appropriate management approach. Whether a crisis is micro or macro managed, a partnership can be helpful. Partnering in crisis management promotes a shared responsibility. Partnership adopts a top-down cascading approach

90

Partnering enables the large resources of the major

WOMEN IN SECURITY MAGAZINE

• Trust issues. • Corrupt intents and purposes. Hence partners in crisis management should seek ways to build trust, create effective communication channels, be transparent and prevent corruption, to ensure all work towards the goal of ameliorating the impacts of the crisis in the short and long term. www.linkedin.com/in/chioma-chigozie-okwum-376793122 www.facebook.com/chioma.chinakachigookwum


CRAIG FORD Cyber Enthusiast, Ethical Hacker, Author of A hacker I am vol1 & vol2

C O L U M N

Hackers are not who you think they are We all know what hackers are, right? Those hooded mysterious creatures of the night who hang out in dark rooms doing ungodly things to poor unsuspecting victims, with what looks like matrix code running down their screens. They are all bad people who should be hunted down and rounded up, shouldn’t they? That whole picture is completely wrong, and it has been my aim for many years to try and remove that stigma. Hackers are not the bad guys, they are not

I know I am making fun of this whole situation, but I

criminals. Many of them are the good guys trying

want to make a real point here. Hackers are not the

to stop the cyberwar from spilling over into the

bad guys. In fact, they are more likely to be the good

mainstream for all to see. Your neighbour could be

guys and girls trying to save your bacon. So if you can

a hacker. Someone in your family could be a hacker.

help change their image in your organisation, do it.

You could be a hacker.

Change the narrative, help me get the idea of hacker

I am a hacker. I am also called a cybersecurity professional, pentester, or sometimes just Craig. I don’t wear a hoodie, but on many occasions you will

as criminal eradicated, and call out the real criminals. Whether on the internet or in the real world, crime is still a crime. Go dispel the mystique surrounding hackers, and reveal them for what they really are.

see me in a business suit, or some form of business attire. I work for Baidam (an indigenous cybersecurity solutions provider), so you might even see me getting around in some cool company-branded polos with

www.linkedin.com/in/craig-ford-cybersecurity www.amazon.com/Craig-Ford/e/B07XNMMV8R

amazing indigenous artwork on them, but never a hoodie.

www.facebook.com/pg/AHackerIam/

I, like many hackers, never hang out in those dingy

twitter.com/CraigFord_Cyber

rooms, honestly. I wear glasses while working on the computer most of the time these days. My eyes certainly aren’t as good as they used to be and I don’t think working in the dark with the damaging blue light from the screens would do anything good for them. WOMEN IN SECURITY MAGAZINE

91


NOMINAT


TE TODAY

NOMINATIONS CLOSE 31ST OF JULY


Committed to creating, promoting and growing cyber security careers for all women.

cybercx.com.au/careers


TECHNOLOGY PERSPECTIVES


AUSCERT PLENARY PANEL by Stuart Corner

What does a security transformation strategy look like and how can SOAR help AUSCERT2021 SOARS ON THE GOLD COAST

program kicked off with a panel session: What does

SOAR (security orchestration automation and

can SOAR help, comprising: Jess Dodson, customer

a security transformation strategy look like and how

response) refers to technologies that enable organisations to collect inputs normally monitored by the security operations team and then leverage a combination of human and machine power to help define, prioritise and drive standardised incident response activities. According to Gartner, SOAR tools allow an organisation to define incident analysis and response procedures in a digital workflow format.

engineer at Microsoft; Casey Ellis, founder and CTO of Bugcrowd; Tony Kitzelmann, CIO of AirServices Australia; and James Young, global security specialist at Splunk.

AUTOMATION NOT A JOB KILLER Dodson was quick to dispel any notion that automation enabled by SOAR might replace cybersecurity specialists. “You want to be doing cool stuff and focusing on things that are actually

Gartner says SOAR tools are steadily gaining traction

important rather than boring day-to-day work, … doing

in real-world use to improve security operations,

proactive work rather than purely reactive.”

and: “Security and risk management leaders should evaluate how these solutions can support and optimise their broader security operations capabilities.”

Kitzelmann took this further, suggesting that, without technologies to automate the routine tasks of cybersecurity, skilled people were likely to leave the industry.

So, SOAR was a timely theme for this year’s AusCERT annual conference, Aust2021 its 20th, held at the Star Hotel on the Gold Coast and online.. “Security Orchestration, Automation, and Response will see us SOARing with cyber … as we focus on improving efficiencies and making security a more self-operating function within our organisations,” AusCert said. In line with the theme the conference

96

WOMEN IN SECURITY MAGAZINE

“So doing something and getting started is going to put you in a better position straightaway rather than just going ‘it’s too hard. I can’t deal with it. I can’t get it perfect straightaway. So I’m not going to bother’.”


F E AT U R E

A FILLIP FOR THE MSP INDUSTRY However many smaller organisations cannot afford the luxury of staff dedicated to cybersecurity tasks, boring or otherwise. So SOAR holds the potential of enabling them to significantly boost their cybersecurity posture without the cost of human resources. Not surprisingly one of the first questions put to the panel was “How could SOAR help a small to medium business?” Kitzelmann said SOAR definitely offered the potential for cost effective cybersecurity for SMEs, but they should draw on the expertise of a security service provider to implement and support it. “With an MSP using something like the SOAR framework, this becomes a commodity product.” He said this would mean a more competitive market for MSP services. “I know a lot of people are thinking

AusCERT plenary panel

‘oh, we’re just going to push people towards an MSP’. But so what? MSPs are there to “If we don’t bring an orchestration automation process into our thinking around managing SOCs and security intelligence centres, we run the bigger risk of losing our good people because they’re going to be

provide a service and the more people that consume those services drives competitiveness in the market. This will become a cost effective solution.”

dealing with rubbish day-in and day-out. And smart

DIVE IN IF YOU WANT TO SOAR

people do not stay in organisations where they cannot

In response to another question from the audience —

grow and evolve.”

“Is there a base level of maturity that an organisation

He said simply trying to recruit and train more cybersecurity specialists was no solution. “We

needs to be able to effectively implement SOAR?” Dodson said she did not believe so.

need to teach our technologists to deliver better

“You’re better off doing something than nothing.

technology. We need to take advantage of tooling and

You’re not going to get it perfect straightaway. SOAR

orchestration, bring all of the technologies together.

or any of the automation pieces are not going to be

“The average console operator is probably sitting in front of six or seven interfaces, jumping from one environment to another to work out what’s going on.

set-and-forget. You are going to be constantly tuning them and constantly monitoring them, and making tweaks.

SOAR brings all that together and give them the ability

“So doing something and getting started is going to

to take a systematic approach to that data. That’s

put you in a better position straightaway rather than

where they get to grow and evolve.”

WOMEN IN SECURITY MAGAZINE

97


counter with SOAR: the nature of the threat and its countermeasures are the same regardless of the size of the target business. “emails are all traditionally the same type of thing. You can feed those into the automation engine and run through a standard process to investigate and make a determination if it is likely to be a phishing exercise or not, and then determine what to do after that, maybe pass it to a human. That’s a really fantastic place to start.” just going ‘it’s too hard. I can’t deal with it. I can’t get it perfect straightaway. So I’m not going to bother’.”

However introducing automation begs the questions, asked of the panel, “What is the creativity? What are

Young agreed. “Customers I speak to commonly say,

the ‘wicked problems’? “What’s the sweet spot that

‘I’m not mature enough to look at technologies like

humans do so much better than automation, and how

that’. I think it’s, the opposite. SOAR could be a tool

do we make sure that creativity and the human side

that can help you to build maturity faster. One of

remains active in the system?”

the first things when you’re looking at building out a SOAR capability is understanding the process. “And quite often we don’t understand the process. We

Kitzelmann said: “with automation, you get the volume crime off the table, leaving the analysts to deal with the wicked problems.

haven’t defined what that process needs to be. And is building a mind map of what that process looks

“WICKED PROBLEMS” FOR THE ANALYSTS

like and understanding how it works, looking for the

“Orchestration tools will enable them to move quickly

the first step, if you’re looking to automate something

opportunities to build that automation. “Part of many of the SOAR tools out there is what could be called a case template: what are the steps I should follow for a particular type of incident that I might need to investigate or respond to? All the SOAR tools I’ve seen offer that capability. Defining

to look at the lessons learned from previous ways that orchestration was brought to bear. For example, who is the person who solved this particular type of challenge out of the SOC team? And how can I go and leverage from them? And what unique skills did that

that as the first step and then looking for avenues or

person have?

areas that you can automate once you understand

“AI is just around the corner, and machine learning

what that process is offers the opportunity to build maturity.”

PHISHING A GOOD PLACE TO START WITH SOAR

98

and more agilely, and will also give them the ability

will be there every day. But it’s never going to take out of the equation the need for a smart analyst who can look at the problem and the tradecraft that the individual brings to bear. … We can deal with today’s problem, but it’s the next attack and the next

He suggested phishing emails represented an

tradecraft evolution that we need to be working

ideal threat that businesses of all sizes could

towards.”

WOMEN IN SECURITY MAGAZINE


F E AT U R E

BACK TO BASICS by Stuart Corner

Why can’t we get this stuff right?

A LITANY OF CYBERSECURITY FAILURES The title of Jess Dodson’s presentation at AusCERT2021, held in the Star Hotel on Queensland’s Gold Coast and online, was framed as a question: “Back to Basics - why can’t we get this stuff right?” She didn’t answer it. What she did was deliver an impassioned speech detailing the multiple failures in basic security practice and policy — yes even keeping

Dodson then presented a comprehensive list of failures in security practice and policy, broken down according to the categories in the NIST Cybersecurity Framework: identify, protect, detect, respond, recover. A summary of the basic security measures she described can be found on her blog. Here’s some of what she had to say.

username and password as ‘admin’ and ‘admin’ (more

IDENTIFY

of that later) — she has seen time and time again in

You can’t protect what you don’t know you have. “I

her 15 years as a Windows system administrator.

am yet to go into an organisation that has an asset

“I’m pretty miffed about some of the stuff I keep seeing when I’m going into organisations and businesses and companies,” Dodson said. “I feel like a lot of this is very much common sense. But if it is

system and an audit system that is up to date, and they know all of their inventory. Without having that inventory, without knowing what you’ve got, it’s incredibly difficult for you to protect your systems.”

common sense, and why isn’t it being done.” Good

Beware the single source of truth. “One person who

question.

knows everything and is the single point and source

Suspecting that many in her audience were likely guilty of the sins she was about to reveal, she warned them: “There are going to be things in here that will make you squirm. And I’m very sorry about that. But that is my intention. Think of this more as teaching you to reaffirm those beliefs that you have about

of truth for everything is not a good place to be. … But on the flip side, if everyone is responsible, then no one is responsible. So you need to make sure that your business owners and your system owners are actually owning their own risk and owning the risk of their systems.”

the things that you should be doing properly in your

Have a risk register. “Business owners will take risks

organisation.”

and they will accept those risks until things go wrong.

WOMEN IN SECURITY MAGAZINE

99


Back to Basics by Jess Dodson

So make sure that you have written down the risks to those systems. You need to understand why those risks are in place. A risk register is your friend. You then have evidence as to ‘this is the risk’, and ‘this is who I told’, and they’re the ones who said, ‘absolutely go ahead’.”

Allow password managers. “Please don’t block the use of password managers. The number of organisations that I see who block these. All you’re doing is forcing users to create insecure passwords.” Enforce role-based access permissions. “Make sure that you are fine-tuning access rights based on what

PROTECT

your users need. Have identity audits performed.

Avoid default and non-expiring passwords. “Stop

Make sure that you are doing some form of privileged

setting ‘’password does not expire on your C level accounts. I don’t want to see CIOs and CEOs and CISOs with ‘password never expires’. They are in my eyes VIP sensitive users. They should have just as

make sure that when a user changes roles you review all of their permissions.”

much restriction on their accounts as administrative

DETECT

accounts have.”

Look to your logs. “Please make sure that you are

Avoid simple passwords. “I really didn’t think this needed to be said, but it is public knowledge. Back in 2018, an Australian government agency had a penetration test done. They were popped within 10 minutes, because all of their appliances had the

100

access management, so you can go through and

grabbing all the right logs. You don’t know what you can’t see. So you can’t track it back if you don’t have access to it. … Make sure you are putting them somewhere that you can look at them, and you can understand what’s going on in your systems.”

default username and password of admin and admin

Beware of insider threats. “You need to have

set.”

monitoring over your SIEM and SOAR tools. You

WOMEN IN SECURITY MAGAZINE


F E AT U R E

need to make sure that any changes being made in

to make sure that you understand who you need to

those systems are logged so that you can actually

speak to, what systems are critical, remembering you

determine what has happened. We do have very

identified everything. You have an asset system that’s

smart attackers that will know the easiest way to

up to date, and make sure that you’re following that

avoid detection is to disrupt your security systems. So

plan and also make improvements and updates to

make sure you are monitoring them in a way that you

that plan as needed and necessary. Because a plan

can actually see when they are tampered with.”

that was functional five years ago is likely not going to

Fine tune your monitoring systems. “This is one of my big bugbears. There is no use alerting for everything. You will drown in noise. You will not see anything of value if you are not actually tuning your systems. You need to make sure that what is being sent and what is being seen is legitimate, is actionable, is something that’s actually important, and that you’re seeing as few false and benign positives as possible. And you understand the difference between a false and a

be functional now. For starters, there’s a good chance most of the people that you need to contact may not still be there. Perform tabletop exercises.”

AND WHEN THINGS FALL APART… “It is okay to screw up. Everyone does. It is inevitable. You will screw up at some point. So own your own mistakes. Don’t hide them. Don’t minimise them. Own up to them. Help fix them. It’s going to make you more

benign positive.”

trustworthy, and prove that you are part of a team

RESPOND & RECOVER

“The big one for that though is organisations that

Backup basics. “You need to test your backups.

play the blame game. So you want to make sure that

Your backup is useless unless we can successfully

managers aren’t playing the blame game when things

restore it. So please make sure that you’re testing

go wrong. You need to foster a level of accountability

your restores. We are seeing ransomware and crypto

in your staff so they know they are not going to have

still out there. So we need to make sure that we are

their head roll if something goes wrong.”

more than if you were to try and hide it.

checking our backups.” You need a plan. “Have a plan, any kind of plan. And just like backups, please test that plan. You need

WOMEN IN SECURITY MAGAZINE

101


LINA YAO

HOW ARTIFICIAL INTELLIGENCE TRANSFORMS CYBERSECURITY by Lina Yao, Scientia Associate Professor at UNSW

As cyberattacks grow in volume and complexity,

Governments and businesses are making every

artificial intelligence (AI) is helping under-resourced

effort to protect themselves, but the volume of

security operations analysts stay ahead of threats.

attacks can be overwhelming for security analysts

By curating threat intelligence from millions of research papers, blogs and news stories, AI can provide instant insights to help cut through the noise of thousands of daily alerts, drastically reducing response times and mis/dis information on the

and unforeseen attacks and threats, such as the notorious ransomware attacks of the past two years that paralysed countless computers and even IoT devices.

internet, etc. The latest advancements in AI can

A security paradigm that is purely responsive will fail

take cybersecurity to a new level, and boost relevant

to provide adequate protection. It can resolve issues

research and application development.

only after they have been discovered, by which time,

According to the Australian Cyber Security Centre’s (ACSC) Annual Cyber Threat Report July 2019 to June 2020, in Australia alone there are, on average, more than six cyberattack incidents every single day, and most of them have moderate or substantial impacts. ACSC says it received 59,806 cybercrime reports in the 12 months to June 2020, almost one every 10 minutes. It says the true figure is probably much larger, because cybercrime in Australia is underreported. Notably, the attacks were mostly targeted at large organisations.

102

and professionals. And there will always be new

WOMEN IN SECURITY MAGAZINE

damage is likely to have already been done.[1] Without long-term vision, only identified and confirmed threats can be dealt with. New ones will not be addressed.

MACHINE LEARNING IS HOT Machine learning is a hot topic in artificial intelligence, and is capable of extracting valuable insights from existing knowledge, such as recordings of experiences, and identified threats or attacks. Machine learning has proved to be very effective in detecting variants of existing malware, attacks and


T E C H N O L O G Y

P E R S P E C T I V E S

threats, no matter how deep the malicious code or

only collected externally. Furthermore, there are

attack patterns are hidden.

also applications to make fine-grain predictions that

Data-driven machine learning powered by deep neural networks can learn the activity patterns or tendencies of individuals in an organisation. Given sufficient time or sufficient data it can develop an understanding of

identify the risk associated with specific business information. This would enable a business to adjust resource allocation and prioritise protection so as to minimise the impact of an attack.

patterns and tendencies that may be too complicated

However, many solutions assume the input data

or subtle for human cognition.

fed into their algorithms are clean with no noise

This enables machine learning to respond rapidly to threats, such as a link in a phishing email, a malware payload, or attacking network traffic. A system powered by machine learning is able to continuously monitor an entire system and provide a real-time threat response. Some of the most successful applications of AI to cybersecurity have been to provide predictive protection. For example, modern malware

“A security paradigm that is purely responsive will fail to provide adequate protection. It can resolve issues only after they have been discovered, by which time, damage is likely to have already been done. [1] Without long-term vision, only identified and confirmed threats can be dealt with. New ones will not be addressed.”

may be hard to detect solely by examining its code and its behaviour. [2] In recent years, few shot and lifelong machine learnings are attracting increasing attention, which equips AI with human-like ability of Learning to Learn and enables the AI systems to quickly learn

or errors. Such assumptions can be exploited by attackers, who may poison the input by providing counterfeit malicious incident reports, or creating a

and generalize to new tasks from very limited data.

fake honeypot network for the algorithm, which can

ANTICIPATING ATTACKS WITH AI

is referred to as adversarial machine learning. It is

An AI-based malware detection system [3] has been

mislead its predictors and sabotage its learning. This critical that it be addressed.

able to detect malware while it is downloading, and so

Work is also underway to develop adversarial machine

prevent it from being installed and executing on the

learning that will provide security to the machine

target system.

learning itself.[5][8][9] This is key to successfully applying

Another example is data breach prediction with AI. Liu et al [3] modelled this as a binary prediction problem, based on historical data and observations, to determine whether a system is likely to face such

machine learning to cybersecurity.

MACHINE LEARNING UNDER ATTACK In general, there are two common types of attacks

an attack in the near future.

on machine learning: poisoning attacks which attack

What’s fascinating is that this was done with no

which attack the inferencing stage of the machine

access to the client’s internal networks: data were

the learning during the training, and evasion attacks learning process.

WOMEN IN SECURITY MAGAZINE

103


There is another kind of attack called model stealing.

and this could be the subject of future research.

This either tries to figure out the internal structure of

This may also lead to another research topic. A

the machine learning model or to extract the sensitive

standalone security recommendation powered by

data the model has been trained on.

comprehensive recommender systems, especially on

Another major research project we are conducting aims to develop robust predictive machine learning models that will detect and defend against false/ misinformation spread over the Web via social media. Such techniques are initially being developed against disinformation like fake news, fake reviews and clickbait, which can be used for cyberattacks, nefarious business operations and political subversion, creating social tension.[4] [5] [10] Also, AI-powered false information can be even harder to distinguish from legitimate information than false information created by humans. Researchers need to develop methods to alleviate and address such misuse of AI technologies.

critical services, can sometimes be hard to trust.[8] [12] An explainable system that differs from explainable AI, is preferable. It should provide explanations and visualised reasoning processes for intermediate risks and explain why the actions it suggests can minimise such risks, and at what costs. Also, some reports suggest that, just as developments in AI technology can be applied for security, they can also be weaponised for malware and attacks, making these harder or even impossible to detect. It may not be possible to prevent AI being used for nefarious activities, but it should be possible to prevent its impacts.

Much of the current work on proactive AI for cybersecurity is providing results that are too ambiguous, so few developments are finding practical application.

www.linayao.com/ insdata.org/beta/

More detailed security recommendations with specific actions are needed for practical applications,

References [1] B. Morel, “ Artificial intelligence and the future of cybersecurity,” in The 4th ACM workshop on Security and artificial intelligence (AISec ‘11), Chicago, Illinois, USA, 2011. [2] Sun, Nan, Jun Zhang, Paul Rimba, Shang Gao, Leo Yu Zhang, and Yang Xiang, “Data-driven cybersecurity incident prediction: A survey.,” IEEE communications surveys & tutorials, vol. 2, no. 21, pp. 1744-1772, 2018. [3] B. J. Kwon, J. Mondal, J. Jang, L. Bilge, and T. Dumitras, “The Dropper Effect: Insights into Malware Distribution with Downloader Graph Analytics,” in The 22nd ACM Conference on Computer and Communications Security (CCS’15), Denver, Colorado, USA., 2015. [4] Yang Liu, Armin Sarabi, Jing Zhang, and Parinaz Naghizadeh, Manish Karir, Michael Bailey, Mingyan Liu, “Cloudy with a Chance of Breach: Forecasting Cyber Security Incidents,” in The 24th USENIX Security Symposium (USENIX Security ‘15), Washington, D.C., USA, 2015. [5] Abraham, Tamas, Olivier de Vel, and Paul Montague, “Adversarial Machine Learning for Cyber-Security: NGTF Project Scoping Study,” Defence Science and Technology Group, Australia, 2018. [6] Xianzhi Wang, Quan Z. Sheng, Lina Yao, Xue Li, Xiu Susie Fang, Xiaofei Xu and Boualem Benatallah, “Truth Discovery via Exploiting Implications from Multi-Source Data,” in The 25th ACM Conference on Information and Knowledge Management ( CIKM 2016), Indianapolis, USA, 2016. [7] Dong, Manqing, Lina Yao, Xianzhi Wang, Boualem Benatallah, Chaoran Huang, and Xiaodong Ning, “Opinion fraud detection via neural autoencoder decision forest,” Pattern Recognition Letters, no. 132 , pp. 21-29, 2020. [8] Yuanjiang Cao, Xiaocong Chen, Lina Yao, Xianzhi Wang and Wei Emma Zhang. Adversarial Attack and Detection on Reinforcement Learning based Recommendation System. The 43rd Annual ACM SIGIR Conference on Research and Development in Information Retrieval (SIGIR 2020). Xi’an, China, July 25-30, 2020. [9] Zhe Liu, Lina Yao, Lei Bai, Xianzhi Wang and Can Wang. Spectrum-Guided Adversarial Disparity Learning. The 26th ACM SIGKDD Conference on Knowledge Discovery and Data Mining (KDD 2020). Research Track. (KDD 2020), San Diego, CA, USA, August 23 - 27, 2020. [10] Zhe Liu, Lina Yao, Xianzhi Wang, Lei Bai and Jake An. Are You a Risk Taker? Adversarial Learning of Asymmetric Cross-Domain Alignment for Risk Tolerance Prediction. International Joint Conference on Neural Networks (IJCNN 2020), Glasgow, UK, July 19 - 24, 2020 [11] Bin Guo, Yasan Ding, Lina Yao, Yunji Liang and Zhiwen Yu, The Future of Misinformation Detection: New Perspectives and Trends ACM Computing Surveys (CUSR) , 2020 [12] Shuai Zhang, Lina Yao, Aixin Sun, and Yi Tay. . Deep Learning based Recommender System: A Survey and New Perspectives ACM Computing Surveys (CUSR) , 2019

104

WOMEN IN SECURITY MAGAZINE


“If you want to go fast, go alone. If you want to go far, go together.”

Partner with us In today’s ever-competitive world, Source2Create understands that sometimes you have to perfect what you can and let others take care of the rest, which we see is the way of the future. No skill is too big or too small. Are you an amateur photographer interested in growing your portfolio? Do you enjoy Graphic Design in your spare time? Are you interested in growing your speaking range? Visit our partner portal to see all the ways you could partner with us and grow your potential or even open a side -hustle.

VISIT OUR PARTNER PORTAL TODAY


MARISE ALPHONSO

LINKING DATA PRIVACY TO SECURITY by Marise Alphonso, Information Security Lead at Infoxchange

Privacy is a fundamental human right1, and security

a privacy impact assessment7 to identify the risk

is essential to the maintenance of that right. Those

of that personal information being compromised,

who work in the fields of data privacy and information

and thereafter determine safeguards that should be

security have a duty of care to protect personal

implemented to address potential privacy impacts. A

information, build trust and ensure transparency “with

key step of this assessment is consideration of how

consumers” of organisational products and services.

personal information flows through the information

By fulfilling this duty, they will facilitate innovation

lifecycle of collection, storage, use, retention and

and societal growth, and operate within the guardrails

disposal.

provided by legal and regulatory frameworks2. In early May, Privacy Awareness Week3 was

government agencies and organisations (entities)

celebrated in Australia with the theme of ‘Make

with turnover greater than $3 million, consists of

privacy a priority’. The Office of the Australian

13 Australian Privacy Principles (APPs). APP No 11,

Information Commissioner (OAIC) facilitated several

security of personal information, refers to “reasonable

events to shine a spotlight on how we can improve

steps to protect personal information an entity

personal information privacy practices within our

holds from misuse, interference and loss, as well as

homes and workplaces5 6.

unauthorised access, modification or disclosure.”

4

When personal information is provided to an organisation by a member of the public to obtain a product or service, the expectation is that it will be used for that and nothing more. Prior to offering a product or service, an organisation must perform

106

The Privacy Act (1988)8, which applies to Australian

WOMEN IN SECURITY MAGAZINE

“Reasonable steps”9 here refers to elements of an information security program including governance, policies and procedures, staff training and awareness, technical security measures, physical security, third party assurance practices and incident response.


T E C H N O L O G Y

P E R S P E C T I V E S

Information security practices play a pivotal role in protecting personal information entrusted to an organisation. Examples where the privacy of individuals has been compromised due to gaps in organisational security practices include: •

Vastaamo, a company that owns a number of psychotherapy clinics in Finland, experienced a data breach that exfiltrated personal information and

“In early May, Privacy Awareness Week3 was celebrated in Australia with the theme of ‘Make privacy a priority’. The Office of the Australian Information Commissioner (OAIC)4 facilitated several events to shine a spotlight on how we can improve personal information privacy practices within our homes and workplaces ”

notes from patient therapy sessions. The company disclosed that this incident occurred in 2018, but it was only in September 202010 that the attackers contacted Vastaamo with ransom demands. The company did not pay. Since then, a stolen database of Vastaamo patient data has been found published on the dark web, and attackers have contacted Vastaamo patients directly, threatening to publish their highly sensitive information unless they make a payment. The impact on those who used services provided by Vastaamo has been highly disturbing, ranging

the result of security failures on a number of fronts14: an unpatched vulnerability on a website framework—Apache struts—used by the company, lack of network segmentation, lax cryptography practices and delayed notification of the breach to affected parties. In early 2020, the US government charged those responsible for this data breach, calling it the largest ever theft of personal information by state-sponsored attackers15.

from discomfort about extremely personal details

Security practices are key to managing information

being publicised to concerns about identity

security risks, protecting organisational data, and

theft.12 It is not clear how the Vastaamo data was

maintaining confidentiality, integrity and availability.

exfiltrated, but indications point to the patient

However, these practices are of paramount

record system being accessible online via simple

importance when required to protect individuals’ right

credentials.

to privacy.

11

people being compromised. The incident was

Equifax, the American credit bureau, experienced a massive data breach in September 201713 that resulted in the personal information—

www.linkedin.com/in/marise-alphonso/

mostly names, addresses, birth dates, Social Security Numbers—of roughly 150 million

WOMEN IN SECURITY MAGAZINE

107


DEIKA ELMI

HOW TO EMBRACE THE COMING TECHNOLOGY REVOLUTION by Deika Elmi, Security communicator and educator. Currently a Cybersecurity Risk Manager and Certified ISO27001 Lead Auditor.

THE “TECH COMPANY” POWDER KEG Every company wants to call itself a tech company.

THE “FOURTH INDUSTRIAL REVOLUTION”

DoorDash delivers food, but it calls itself a tech

The first industrial revolution used water and steam

company. Uber delivers passengers, but it calls itself

power. The second used electricity. The third used

a tech company. Why do companies do this? Because

electronics and information technology. The fourth is

software scales easier than physical infrastructure. A

a fusion of the physical and digital worlds. People are

company that makes and moves software can grow

already talking about the fifth industrial revolution as

faster than a company that relies on making and

being driven by synergy and collaboration between

moving stuff. Electrons move faster than croissants.

humans and intelligent machines.

This will remain true even if you get exceptionally good at delivering croissants.

The term “Fourth Industrial Revolution” (4IR) sounds like it involves hoverboards, lasers, and lots more

When these companies call themselves tech

chrome. But it’s not future technology. We’re in the

companies, they aren’t wrong! They do scale up far

4IR now.

faster than traditional competitors. They use software to coordinate widely dispersed work. The spread of distributed software, tightly tied to distributed work in the physical world, is set to trigger an explosive revolution.

Some definitions of the 4IR amount to shuffling Wikipedia’s List of emerging technologies and throwing these at the reader. But the 4IR isn’t just a list of things people are trying to make, for the same reason the digital revolution wasn’t just a list of chip designs and software paradigms.

108

WOMEN IN SECURITY MAGAZINE


T E C H N O L O G Y

P E R S P E C T I V E S

Other definitions of the 4IR rhapsodise about

toilet paper instead of flying all the way to Quilton’s

connecting people, machines, and their environment.

headquarters. Sometimes, it’s better to be local.

That sounded “futuristic” when people promised the same thing in the 1970s. Retro futurism. Those promises were realised. Showing your location with a map on your phone is the kind of effortless human-machine interaction the “cyberneticists” of the 1950s-1970s dreamed about.

HOW TO EMBRACE THE 4IR The 4IR builds on what the digital revolution gave us. It has many technological components, one of which is edge computing: decentralised nodes

Edge cloud computing is a way to optimise efficiency by distributing the right work locally and the right work on the cloud. This is especially useful in processes that are widely distributed, where the latency of sending data to and from the cloud matters. Many mobile applications and Internet of Things applications can benefit from edge cloud. Plus, it’s gaining traction. Forty three percent of respondents to an Automation World Survey have already implemented edge computing.

that communicate with each other and with central

2. Replace things one at a time

monitoring and control.

Every organisation has tons of obsolete code, legacy

1. Be edgy: use the edge cloud You probably know about cloud computing. For those who don’t, it’s not Heaven’s IT department. Cloud computing is computing and data storage on many distant distributed servers, instead of in-house. Cloud computing has been called a 4IR technology. Edge cloud computing is just that - edgy. Edge cloud architecture consists of some computing and storage closer to where it’s being used. It’s like using the corner store when you need just one roll of

processes and superfluous infrastructure. A lot of it can, and should, be replaced. Adopting new tech is like getting new clothes. It’s usually smart to replace a few things at a time, not your entire wardrobe. And it’s usually most costeffective to buy it, not sew it yourself: Software built in-house, for example, requires constant maintenance. Otherwise, you might end up with machines that haven’t downloaded a patch since flip phones were all the rage. Have you ever fumbled for something in the back of

WOMEN IN SECURITY MAGAZINE

109


your closet, and accidentally ripped a load-bearing column right out of the wall? No, you have not. But when you’re replacing old legacy processes, it’s possible to take out something you can’t replace. Communicate with others to check what does and does not need to stay intact. 3. Labor specialists: my kingdom for an HR manager New technology makes it easier for people to swap in and out of tasks and roles. Sometimes, you urgently need very specific expertise. Just-in-time experts can be appropriate, especially outside your organisation’s core areas of business. Sometimes you just need to quickly parachute in an expert with very specific knowledge. With the right tools, discovering and calling in a specialist from outside or from another sector of your organisation can be the quickest way to solve problems. This is especially true with services your team is unfamiliar with; for example Azure, if your team spends all day looking at AWS.

NEW TECH IS SOMETHING TO LEARN, NOT A TERRIFYING ALIEN MONSTER New technology is an opportunity, not a threat. Okay, sometimes it’s both – especially in the hands of unfamiliar users. But you can make it an opportunity. Integrating unfamiliar tech is often daunting. It’s easy to stick to linearly improving familiar processes. Even if you’re prepared to make changes, everyday crises pull your attention away from plans that could stop those crises before they materialise. But every one of us is shaping the future, with the choices we make each day. You have more control than you think. Carve out time to explore new technologies. Or delegate a few people to explore them for you. You’ll find new technology makes it easier to delegate tasks like researching new technology and implementing lessons from brilliant articles and blog posts. www.linkedin.com/in/deikaelmi/

twitter.com/DeikaE

110

WOMEN IN SECURITY MAGAZINE


F E AT U R E

TAKE ME TO CUBA by Stuart Corner

OF CUBA, CARS … AND CYBERSECURITY

screening of passengers or anyone before you got on

Are you old enough, and fortunate enough, to have

“And you could take whatever you wanted in your

experienced air travel in the 1960s and 1970s? It was,

hand luggage. In 1976 my mother actually packed

Kendra Ross told the AusCERT2021 conference, “The

her vegetable knives because she said those in

golden age of flying … a glorious time, for those who

the motels were too blunt. Security was all about

the flight,” Ross said.

could afford it.” What’s this got to do with cybersecurity? In a presentation titled Take Me To Cuba, Ross and her co-presenter, Mike Seddon, drew parallels between cybersecurity and the history of airline security, along with parallels between cybersecurity and vehicle, building and worker safety.

“In the 1950s the Ford Motor company made available an upgrade called the Lifeguard Package. It included lap belts in the front seat, a padded dashboard and safety glass. It didn’t sell well, customers didn’t demand it.”

Their most important conclusion was that, in many industries, effective regulation is rarely pre-emptive and comes only after a major event or when safety failures reach epidemic levels; and that we are on verge of one, or possibly both, of

protecting you on the ground from pickpockets, and from thieves.”

these in cybersecurity.

Air travel security changed for ever after 9/11 but in

In the halcyon early days of airline travel, security was

up, in the US at least, after hijacking became an

non-existent. “You could just rock on up and grab a ticket before your flight because there was no pre-

the eighties and nineties was progressively ramped almost daily occurrence, perpetrated by people

WOMEN IN SECURITY MAGAZINE

111


wanting to go to Cuba. Hence the title of their

dumping his body onto the tarmac. The world’s press

presentation.

were watching. Under pressure, then US president

“Between 1968 to 1972 there were 326 hijackings around the world. One hundred and thirty of those

Richard Nixon mandated that all airports install X-Ray machines and metal detectors.

were in the US alone, and of those 91 went to Cuba,”

Fast forward to 2001. In the intervening years there

Ross said. “People would actually get on the plane

were few hijackings, and security had become lax,

and say to the hostess ‘Take me to Cuba’.”

Ross said, such that the 9/11 hijackers “actually set off the metal detectors, and subsequent photos

HAVE A HIJACK HOLIDAY IN CUBA

and images showed they were carrying box cutters

Rather than being a terrifying ordeal for passengers,

and small knives. However, those were allowed

Ross said these experiences were rather good fun, for passengers at least. “The airlines were footing the bill. Flight staff were trained to comply with all the

have proper ID, but they were allowed onto the plane.”

hijackers’ wishes. Pilots, no matter where they flew

PUTTING PROFIT BEFORE SAFETY

the US, carried maps of Havana Airport. Once there,

More telling were the systemic failures in airport

passengers and crew were put up in five star hotels.

security. “Perhaps the biggest failing was that aviation

There were endless cocktails, beautiful food and

security had been outsourced to private companies.

exotic entertainment.

It had become an increasingly competitive landscape,

“Castro built quite a little empire off the back of this, because he would charge the airlines and the US government for releasing the planes. Usually within 24 hours the planes were back in the air and returning to US soil. … During that period, over 1000 Americans went to Cuba unexpectedly.” Of course, it didn’t last. By the early 1970s, some US flights carried armed air marshals. One shot and killed a hijacker. The pilot decided to make a statement by

112

domestically at the time. Some of the hijackers didn’t

WOMEN IN SECURITY MAGAZINE

and often the lowest bidders won. It was simple economics. There was little investment and staff training. They paid minimum wages so they didn’t attract the best of the best. Their equipment was old and outdated.” The US Government took control over aviation security “because they could see that private enterprise was about returning a profit to shareholders.”


F E AT U R E

Seddon then took the AusCERT2021 audience—

of the reasons is that boards of directors and CEOs

online and at the Star Hotel on Queensland’s Gold

are personally liable, which has resulted in health

Coast—through the history of buildin, worker health

and safety featuring on the agenda of every board

and safety and motor vehicle standards: the latter not

meeting.”

always welcomed by customers. “In the 1950s the Ford Motor company made available an upgrade called the Lifeguard Package. It included lap belts in the front seat, a padded dashboard and safety glass. It didn’t sell well,

THE HUMAN FACTOR STAYS THE SAME Safety in all these industries might seem to have little in common with cyber safety, but Seddon said there were some things in common. “One of those is

customers didn’t demand it.”

people; why they do what they do, or don’t do what

SENDING THE WRONG SAFETY MESSAGE

generally act the same. Those within that industry

And manufacturers worried that any promotion of safety might backfire. “The car manufacturers were scared. They were fearful that, if they offered a safety

they should. Every industry may be unique, but people may understand the problem and how to fix it, but without understanding the issues, those outside the industry don’t know what controls are for until it affects them personally.

upgrade, their customers might think their cars were

“So people are resistant to change until they

unsafe when compared to competitors’ vehicles when

understand the benefits. Being more transparent

those competitors weren’t offering a safety upgrade.”

about safety controls will allow the consumer of a

That started to change in the 1970s when independent crash testing enabled customers to understand the safety features and flaws of different models. “That safety rating has evolved. We all know it now as the NCAP five star safety rating that consumers can now use to compare apples with apples,” he said. “They are looking at a simple metric, and are able to pick a safer car over on less safe car. Insurance companies have also been able to incentivise customers to buy safer vehicles by reducing the premiums for those that have a five star safety rating.” In the case of building safety, regulatory intervention is centuries old. “The Great Fire of London resulted in building and urban planning standards that didn’t exist before,” Seddon said. “Similar catastrophic events, in those days often fires, in other countries evolved into building standards.” In the case of worker health and safety, regulation has been effective in reducing death and injury. “New Zealand’s Health and Safety at Work Act was introduced in 2015 …. As it came into effect the number of fatalities dropped to about 50 to 70 percent of what they been in previous years. … One

product or service to make a more informed choice. And as people see companies valuing their data and privacy, they are increasingly turning this into a competitive advantage.”

ANTICIPATING A CYBERSECURITY CATASTROPHE A more important lesson from these industries, Ross suggested, was that “We’ve seen that terrible events have been the catalyst for governments and regulatory bodies becoming involved. We believe, on the infosec side, we’re on that pathway now. “A common theme across all of those industries was that they did well when there were global standards that could be deployed at a local level. We can take really good local standards and take them out to a global level. We need to do it at speed. And our legislation and regulation needs to keep up because we’ve done five years of digitisation and transformation in the last nine months. “We’re heading down the track of a pandemic or epidemic level, of cyber incidents. And we’re hoping this conversation has created some new thinking and provoked a conversation around some of the lessons and ideas we can bring in.”

WOMEN IN SECURITY MAGAZINE

113


WHOSE AFRAID OF ZERO DAY by Stuart Corner

WHO’S AFRAID OF ZERO DAY? We fear the unknown. And zero day exploits are scary unknowns. They are vulnerabilities in software and devices that only attackers know about. So there’s no patch you can apply to protect your systems. There’s no antivirus signatures that will alert you about the attack. But there is Google Project Zero, a team of security analysts employed by Google and tasked with finding zero-day vulnerabilities and researching and publicly documenting how they can be exploited.

114

the AusCERT2021 conference, sought to allay fears about zero day attacks, dispel the myth of the zero day attacker as supersmart, to present a realistic assessment of the dangers of zero day attacks, and describe progress being made to counter them. “The mission of my work is to learn from zero days exploited in the wild in order to make zero day hard. I do technical analyses of vulnerabilities and their exploits, perform variant analysis and patch analysis to make sure things are actually fixed,” she told

Maddie Stone, a security researcher from Project

the AusCERT2021 audience in the Star Hotel on

Zero, in a presentation, A World where 0day is Hard, at

Queensland’s Gold Coast, and online.

WOMEN IN SECURITY MAGAZINE


T E C H N O L O G Y

P E R S P E C T I V E S

MAKING ZERO DAY HARD The motto of Project Zero is ‘make zero day hard’,

means you need more exploits in a chain to go from

but Stone said this concept was not well understood.

remote to root … some exploit mitigations introduced

“I think we can break ‘make zero hard’ into two

that require additional and novel exploit techniques to

categories. First, we want to increase the cost per

be developed … [and] a much more mature software

exploit. And second, we want to increase the number

development lifecycle, which often means that fewer

of exploits required for a functional capability.”

bugs make it into production devices, which also

As an example she said, for an attacker to gain root

would increase the cost per exploit.”

equivalent privileges on a cellphone via a website using zero day vulnerabilities, would require them to

PATCHING FAR FROM PERFECT

successfully exploit a chain of three vulnerabilities.

However, Stone said there was a much easier way

Reducing the time taken to detect and mitigate zero day vulnerabilities would greatly increase the number of exploits an attacker would need to have available in order to maintain their capability.

to make zero day hard: good patching practice. “In 2020 25 percent of the zero days known to have been exploited in the wild were closely related to previously publicly-disclosed vulnerabilities. … So one out of every four zero days detected in 2020 could

And Stone was able to demonstrate that the efforts of

potentially have been avoided with better patching

Project Zero and others in recent years have achieved

practices.”

considerable success in making zero day harder, at least for Android attackers.

THE $2.5M ZERO DAY EXPLOIT Zerodium bills itself as “The world’s leading exploit acquisition platform for premium zero-days and advanced cybersecurity capabilities.” It pays substantial bounties to security researchers to acquire their original and previously unreported zero-

She said these exploits were either variants of previously public disclosed vulnerabilities, or the result of inadequate patching. “Maybe the same bug pattern was copied to another place in the code, or the previous vulnerability was not actually fixed, so the attacker could just change a few lines of code and have another functioning zero day capability.” She has posted on the topic, on the Project Zero blog.

day research.

Effective patching, Stone said was not easy,

“In 2016, Zerodium would pay up to $[US]1.5 million

incentivised,” and needed to improve. “Tech really

for a full chain capability for an iPhone, and for Android up to $[US]200,000,” Stone said. “In 2091 Zerodium upped their prices for iPhone full chain capability from $1.5 million to $2 million, and for

“especially with how teams are currently set up and needs to do better, Customers and users deserve to have vendors correctly and comprehensively patch vulnerabilities they know about.”

Android from $200,000 to $2.5 million.”

Greater transparency also offers another opportunity

She attributed the 1000 percent plus increase in the

argument that releasing details of a vulnerability prior

price Zerodium was willing to pay for an Android vulnerability in part to steps taken to make exploiting Android much more difficult, but with the caveat that “Things like demand from attackers, more folks wanting to get into exploitation game can also raise a price without us as defenders ever making it harder.”

to combat zero day attacks, she said, rejecting the to a patch becoming available would only increase the danger.

MAKE ZERO DAY PUBLIC “With information about exploitation, folks can assess their own personal threat models, whether

She listed the steps that have been taken to make

that’s at the individual or the organisational level. And

zero day harder for Android attackers as being

even if there is no technical solution to mitigate the

“regular security updates, which decrease the life of

vulnerability, they still have the power to mitigate the

a vulnerability … and the application sandbox, which

effect.

WOMEN IN SECURITY MAGAZINE

115


“They can stop using the device or software. They can immediately disconnect from all networks, and begin the process of assuming that all their data or info has been compromised and start whatever response that might look like. “When we provide information, even if it’s just that there’s an active exploit in the wild in a product, I think we’re respecting users and their safety and their autonomy to keep themselves or whatever entity they’re responsible for, safe.” She added: “Having the facts, the technical details and the context about exploits in the

“The mission of my work is to learn from zero days exploited in the wild in order to make zero day hard. I do technical analyses of vulnerabilities and their exploits, perform variant analysis and patch analysis to make sure things are actually fixed.”

wild, allows more defenders to work on the problem from the many different perspectives we have in this industry.” Another sign of progress in combating zero day attacks, at least on cellphones, is a change in policy last November by both Apple and Android to start annotating their security advisories on new vulnerabilities to indicate that they may have been exploited. Having this information, Stone said, enabled patching to be prioritised, antivirus developers to work on detecting signatures and

used. Instead, I believe that we’re finally detecting and learning about the exploits that have been used.”

ZERO DAY INFO ON GITHUB Another initiative to increase transparency about zero day exploits Stone is working on is a public repository of technical information maintained by Project Zero on GitHub of zero days exploits in the wild.

software researchers to look more closely at patching

“The goal of this is that, ultimately, there will be RCAs

for specific vulnerabilities.

[resolved component analyses] up and technical

She said this information was leading to a significant increase in zero day detection. Extrapolating the current number for 2021 to year end gives a total of 67, compared to 25 in the whole of 2020. “That might seem ominous and terrifying,” Stone said. “But

116

I don’t believe there are suddenly more exploits being

WOMEN IN SECURITY MAGAZINE

information about every in-the-wild zero day. Not only does it provide technical details on the vulnerability and the exploit method, but hopefully people can use that data to brainstorm ideas for system improvements, and new zero day detections and stuff like that.”


Cyber Security

# TOPWOMENINSE C U R I T YAS E A N WO M E N I NSECURITYASEAN R E G I ON .C OM

# TO PWOM ENI NS ECURITYASE AN WO MENINSECURI TYASEANRE G ION . COM

REGISTER TO ATTEND AWARDS CEREMONY – JULY 2021

TT

NOMINATIONS CLOSE 30 MAY 2021

his initiative has been established to recognize We have gathered unique industry partnership women who have advanced the security industry arrangements, bringing together key chapters We have gathered unique industry partnership his initiative has been established to recognize women within theadvanced ten countries of theindustry Association of ten arrangements, of premier, global associations bringingsecurity togetherindustry key chapters of premier, who have the security within the global security industry associations and professional countriesAsia of the Association of Southeast Asia Nations Southeast Nations (ASEAN). and professional women in security groups in women in security groups in Singapore. Malaysia, (ASEAN). Singapore. Malaysia, Indonesia, Philippines, Indonesia, Philippines, Thailand and including the ASEAN The Top Women Security Thailand andinincluding the ASEAN Region Nominations were in scheduled to ASEAN open on awards Monday follow March Region Women Security Network. We thank themWomen similar initiatives in India, as well as Africa, Europe Security Network. We thank them 8, 2021, coordinating with International Women’s Day. forintheir support. and Canada and form part of a global campaign for their support. The Top Women in Security ASEAN awards follow Nominations close 30 May, 2021. by the Women in Security & Resilience Alliance similar initiatives in India, as well as Africa, Europe and The awards will take place in (WISECRA). This initiative is open to all ASEAN The awards will take place Canada and form part of a global campaign by the July 2021. NOMINATE Women infollowing Security & very Resilience AllianceTop (WISECRA). countries successful WomenThis in in July 2021. REGISTER HERE initiative is open to all ASEAN countries following very Please nominate at your Security Awards held during 2020 in Singapore, HERE successful Top Women in Security Awards held during earliest opportunity. Malaysia and Philippines. Please Register to attend 2020 in Singapore, Malaysia and Philippines. the awards. O RGA N I S ERS

ME D I A PA RT NE R S

SU PPO RT I N G PA RT N E R S & ASSO C I AT I O N S

O R GA N I S E R S

ASEAN REGION

WOMEN IN SECURITY NETWORK

W IS E C R A - WO ME N I N S ECURIT Y & R E S I L IE N C E A L L IA NCE

MY SECURIT Y MA RK E TPLACE


HARPREET KAUR

ARE YOU DOING ENOUGH TO PROTECT YOUR ORGANISATION’S IT SECURITY? by Harpreet Kaur, Student at Edith Cowan University

Checklist to secure your organisation from security breaches We all know people represent the weakest link in an

also have appropriate password guidelines and

organisation’s cybersecurity. They are, unintentionally,

ensure they are followed by all staff members when

responsible for most security breaches. They might

choosing passwords for devices and applications

accidentally click on a link that introduces malware,

used within the organisation.

or fall for a cybercriminal’s deception. These employee-oriented breaches can be minimised with appropriate cybersecurity policies and practices. Here are some suggestions to create a secure

Protecting customers’ confidential information is

environment.

essential: sharing customers’ sensitive information

FOLLOW CLEAR IT SECURITY POLICIES

such as financial loss, or as a result of the

Every organisation has terms and conditions covering the use of services and applications. These policies must also include a security policy and a privacy policy that each employee must be aware of and must adhere to strictly. The organisation should

118

PROTECTING PRIVACY AND CONFIDENTIAL INFORMATION

WOMEN IN SECURITY MAGAZINE

could have serious consequences for customers, information being used for illegal purposes. Privacy protection measures should cover both digital and hard copy customer information. The latter should be kept safe in a locker that can be accessed only by authorised staff.


T E C H N O L O G Y

P E R S P E C T I V E S

NETWORK SECURITY

PERIODIC AUDITING

Internet and other connected networks should be kept

An audit will reveal any shortcomings in security

secure and protected by firewalls. Remote access to

policies and should be undertaken every half year.

the organisation’s website should be over a virtual private network. Intrusion detection systems should

TIMELY DATA BACKUP

be enabled on all the network systems. Wireless

Data security is essential. Daily backups should

access connections and modems used by staff must be secure.

DESKTOP SECURITY All desktop hardware and software on desktop

be taken and stored off-site, and all data should be assessed for its importance, and to determine whether it must be immediately accessible or can be archived.

devices should be checked regularly. All computers

EDUCATING STAFF

should have anti-virus software installed. There

Cybersecurity training should be provided sufficiently

should be security policies covering the use of new software, such that only software approved by the organisation is installed.

frequently to ensure all staff members are up to date with the information they need and the practices they must follow to maintain the security of the

Password controls should be in place to ensure

organisation.

sufficient password strength: minimum length,

Following this checklist will strengthen the IT security

inclusion of non-alphanumeric characters, etc. Password changes should be enforced every 60 or 90 days.

of your organisation and reduce the chances of a security breach.

All computers should be patched promptly when updates are released. Patches remove vulnerabilities

http://www.linkedin.com/in/harpreet-kaur-nahar/

that can be exploited by attackers. Unused open ports should be closed.

WOMEN IN SECURITY MAGAZINE

119


SURVIVING A CRISIS A VIEW FROM THE TRENCHES by Stuart Corner

BIRTH AND DEATH OF A CRISIS—AND THE BITS IN BETWEEN

but not so often that everyone gets fatigued and

If you’re in the throes of a cybersecurity crisis, you’d

Friday night.”

certainly be aware of it. But pinpointing the start of

Nor, he says, is the endpoint of a crisis always clear,

a crisis and, just as important, the end of it, is not so

and failure to recognise this can also have serious

easy, according to Eric Pinkerton, aka ‘Pinky’.

consequences. “I’ve been in crisis situations that have

For his presentation at AusCERT2021, he was

dragged on for weeks and weeks because nobody

jaded by getting constant phone calls at 2am on a

introduced as “Eric Pinkerton from Trustwave.” His

wanted to make the call that it was over.

LinkedIn profile is rather more colourful. “Eric of

“It proved very costly for the organisation to have

House Trustwave, Breaker of blockchain, King of the

people sitting around, not just financially, but in terms

memes, Lord of the Files, Counter of Monte Carlo,

of having very senior people constantly checking in

Raider of the lost Archives, Father of PAE-PAL-PFU,

on meetings. They can’t go and do what they normally

Douser of trash fires, Speaker of unpleasant truths.”

would be doing. They’re very senior executive people.

And there were unpleasant truths aplenty in his

So that has an impact on the organisation.”

presentation. On identifying the start of a crisis, and ”You don’t want to rely on Jerry on the help desk

NK, YK,TK, EK: THE FOUR PHASES OF A CRISIS

having a funny feeling about this. Because if Jerry

Pinkerton identified four phases to a crisis: NK, YK,TK,

isn’t working on that particular day, someone else

EK. “Nobody knows, you know, they know, everybody

might look at it more subjectively. You want to try to

knows. … Number three, ‘they know’, is where you

nail down the point at which the crisis management

have to go and talk to the people affected, or your

team has to be convened. You want that to happen

partners, or a wider circle. Step four, ‘everybody

as soon as it’s possible to say, ‘this is a serious thing,’

knows’, is when you have journalists phoning you for

triggering a crisis management plan, Pinkerton said:

a comment. That is what you’re trying to avoid.”

120

WOMEN IN SECURITY MAGAZINE


F E AT U R E

A key to successful crisis management, is to resolve

confident that the attacker they’re trying to evict from

the crisis, bypassing stage four, but then, he said there

the network is not across their communications.”

are two other, usually inevitable stages: the blame game and the postmortem, and a further important stage, often not implemented. “The blame game typically happens before the postmortem. People will speculate before you have a position on exactly what went wrong,” he said. “And then the final piece, which I think is the most commonly overlooked piece, is what I call

• Have cyber insurance and knowing what it covers. “I was working with an organisation that got hit by ransomware. They were having a dialogue with the attackers, and said, ‘We can’t possibly afford to pay this ransom.’ The attacker said, ‘yes, you can. You can just claim on your insurance.’ And they said, ‘No, our insurance won’t cover this’. So the attacker

‘executing on lessons learned’: making sure the findings and recommendations from the postmortem are followed through. “Otherwise you will find yourself having déjà vu. You will find yourself in a meeting going ‘hang on a minute, this happened before. I’m sure we should have solved this problem’. But nobody followed through or nobody checked that

“It proved very costly for the organisation to have people sitting around, not just financially, but in terms of having very senior people constantly checking in on meetings. They can’t go and do what they normally would be doing. They’re very senior executive people. So that has an impact on the organisation.”

it was done.” This aspect of crisis response and management was one of many pieces of sound advice offered by Pinkerton in his presentation. Many might seem like crisis management 101. But as was

sent a copy of the insurance certificate that they has exfiltrated from this organisation, highlighted, saying ‘yes, you’re covered, don’t worry’.”

demonstrated by the case study he presented, of a

Pinkerton said attackers had been known to take this

very high profile crisis management fail by global IT

strategy even further: hacking the insurer, identifying

company; just because they are basic does not mean

clients that were appropriately insured against

they are followed.

ransomware, working their way through these and,

Here are some aspects of crisis management he presented that are perhaps most likely to be overlooked.

finally, targeting the insurer. • Make sure the crisis response is fully documented “Organisations, unless they’re very disciplined, will

• Set up an ‘out of band’ communications channel

not naturally start scribing what is happening. That is

for those identified as being part of the crisis

absolutely critical, because after every crisis there will

management team, such as a WhatsApp group, or

be questions asked: ‘why did that decision get made?’.

gmail accounts.

In hindsight, it’s very easy to say, ‘well, that was the

“I’ve worked with organisations that have had reason to question the integrity of the communication platforms they’re using, because the hypothesis is that there might be a state-based actor active within their [Microsoft] Exchange, and they cannot be

wrong decision’. But if you document the rationale for that decision: ‘what we knew, what we didn’t know, at that particular time was this, and that’s why we all agreed to do that’. If that is recorded in black and white, then your covered.”

WOMEN IN SECURITY MAGAZINE

121


Surviving a crisis by Kylie Watson

• Line up external crisis response partners “If you need to engage an incident response or

no real incident response process, and they did the whole thing on the fly and ad hoc .

forensic partner, or external legal counsel, get those

“Support mechanisms weren’t linked to the process.

ducks in a row before you need to. Because when you

So they didn’t have the phone numbers they could

phone an incident response company, or a lawyer, at

ring, or a process where they had a team ready and

6pm,on a Friday, which will always be when this stuff

waiting ready to go. Escalation thresholds were not

happens, and start trying to negotiate commercials

clear. So the point at which somebody needed to

and rates and sign NDAs, you will lose hours if not

call a minister or someone needed to give someone

days, and it will cost you a fortune.”

an update were lost in the fog of war. The DDoS

Pinkerton finished his presentation with some case studies of crisis management failures, the bestknown likely being the failure of Australia’s 2016 online census, delivered by IBM.

protections obviously were deemed inadequate. The DDoS attack itself was very, very low volume and should not have caused a problem had they been doing the right thing. “Crisis communications were absolutely shocking.

HEADLESS CHICKENS IN CRISIS

They were very, very after the fact, and were very

“It went live, there was a denial of service attack.

short and terse. IBM had employed a subcontractor

It resulted in IBM running around like headless chickens. There was a 43 hour outage during the

when [prime minister] Malcolm [Turnbull] threw IBM

period you were supposed to do your census. …

under the bus. It was a massive, massive mess.

The lessons learned were that IBM had mountains

“Had they done a tabletop exercise or a crisis

of playbooks, but they were completely untested, and they were completely impractical. The ABS had

122

which they ended up trying to throw under the bus

WOMEN IN SECURITY MAGAZINE

simulation many of those things could have been picked up before they were a problem.”


SPONSORS IP OPPORTUNITIES AWSN is still accepting new sponsors! Make a difference and help us create and maintain a supportive and inspiring security community for women Please reach out to sponsorship@awsn.org.au to discuss in more detail

Welcome to our sponsors so far: CyberCX ASD CISO Lens Afterpay IAG Amazon AGL Westpac Cybermerc


LESSONS LEARNED FROM A YEAR OF SECURITY PODCASTS by Stuart Corner

CYBER WISDOM, DELIVERED BY PODCAST

Lesson number one: It might not be your systems

“Get Cyber Resilient”. It’s an exhortation we would all

big time. Accountant Laura Jeffery and her husband,

be wise to heed. It’s also the title of a podcast, the Get Cyber Resilient Show, “brought to you by Mimecast. … The perfect way to stay up-to-date with the latest cyber developments across Australia and New Zealand.” Over the past year, hosts Garrett O’Hara, Principal Technical Consultant at Mimecast and Amy Holden, Senior Marketing Manager Enterprise at Mimecast, have interviewed CISOs, authors, academics, psychologists, CEOs, change managers and security practitioners seeking insights into key themes and

who will feature in an upcoming podcast, thought they were paying their contractors $65,000 for home renovations, but the contractor’s email had been compromised and the hackers were , and waiting for the appropriate time to send their fake bill, for payment to a bank account they controlled. Lesson number two: you have no recourse: to the contractor, or your bank, and there’s almost no chance law enforcement will help you. “In our case, the money we deposited into the scam artists’ account went to South Australia and then was

lessons for cyber resilience.

transferred to Victoria before it ultimately ended up

They distilled the collective wisdom of their

jurisdictions that it’s crossed. And every time it does,

interviewees into a presentation at AusCERT2021, held at the Star Hotel on Queensland’s Gold Coast, and online.

124

that get hacked, but you could be the one to suffer:

WOMEN IN SECURITY MAGAZINE

in Nigeria,” Jeffery said. “That’s, three different police that it’s basically ‘case closed’.” Here are some more of the insightful lessons O’Hara and Holden presented.


F E AT U R E

CUT-THROUGH IS CRITICAL – DO WHATEVER IT TAKES “The big lesson is that cut-through is the most

NOTICES THE SIGNS OF BURNOUT AND STRESS EARLY (AND CHANGE ACCORDINGLY)

important thing when it comes to cybersecurity

“Burnout probably applies to so many roles within

awareness training and messaging,” O’Hara said.

cybersecurity, because of the pressures people feel

“Move away from boring, technical emails that are information heavy towards this sort of behaviour

every single day. The distinction for me was what burnout actually is,” O’Hara said.

change mentality, learning from things like the

“It isn’t long hours and feeling tired, because you

advertising industry. Use whatever it takes—videos,

can have both of those things and be really into it,

funny posters, engaging in-person training with

living life and engaged in what you’re doing. Burnout

qualified trainers—to get the messaging through and

is where you start to feel cynical, you start to feel

produce actionable behaviour change.”

hopeless. There’s a whole lot of negative emotions that go along with true burnout. You need to spot that

SECURITY NEEDS ADVOCATES

pretty early on so you can make the changes needed

“Many of the guests talked about how they built trust

to protect yourself.”

and relationships. They would go play basketball, go have lunch with people, build relationships and trust over time, doing it authentically, O’Hara said. “Then, when they needed to get buy-in for a program or a change, they got buy-in from people who knew and trusted the security leaders. That was a really big kind of learning.”

BOARD COMMUNICATIONS AND TRUST IN CYBER ARE CRITICAL “What we’re talking about here is not promising the sun, moon and the stars, and then potentially failing to deliver when reality kicks in, but being conservative in terms of security outcomes and programs,” O’Hara said. “Then, when you deliver on those, what you immediately do is build trust within the organisation. Then the next time around, as you increase your maturity, when it comes to security, you’ll get better buy-in and people wil trust that you’ll actually deliver on what you’ve said you will.”

PUT YOUR OWN OXYGEN MASK ON BEFORE YOU HELP OTHERS “On a plane, if you’re the person who’s trying to frantically help other people, and you pass out, you’re now a liability. The same thing applies when it comes to mental health and performance within your role.”

MENTAL HEALTH IMPACTS PERFORMANCE, WHICH IMPACTS CYBERSECURITY. “If you’re not mentally healthy you’re not performing and executing as well as you could, or making decisions as well as you could, or as quickly as you could. There’s a real impact on the organisation.”

AUTOMATION IS VERY CLOSE TO BEING MANDATORY “From the conversations over the year, I’m at a point where I feel like automation is not even a cool thing to do,” O’Hara said. “It’s actually starting to feel mandatory to get good security outcomes, purely because of the volume of stuff we have to deal with. And the speed at which organisations are expecting security practitioners to deal with incidents.”

REALITY VERSUS ASPIRATION “Putting in a SOAR is not going to happen in a week or a day. It’s something you need to look at it in terms of longer term outputs, well documented, well defined processes. I don’t think we’re ever going to get to the point soon where it’s fully automated, because if you get it wrong, you’ve maybe automated an incident response that causes bigger problems and the incident would have. So I think it’s going to be very largely decision support for now and good collaboration through automation.”

WOMEN IN SECURITY MAGAZINE

125


CISOS, VENDORS, GOVERNMENT AND PRIVATE SECTOR ALL WORKING TOGETHER “Throughout the year, we heard time and time again, that we’re all in this together, and that we’re all fighting for the same cause against cybercrime and the baddies. This is in vendor land and across competitors,” Holden said. “It’s become clear that it’s not a competitive race. … It’s amazing to see how CISOs willing to come together and to share the challenges and help one another.”

CYBER HAS REALLY JUMPED INTO THE MAINSTREAM “Organisations are really starting to get this stuff because they see brands they know, respect and

from scratch and were able to build an advanced

trust being popped and the impact that is having to

digital society very, very easily, even more easily

their businesses. So they’re asking questions around

than an established country like Australia or a longer

cybersecurity, which is good,” O’Hara said.

established country. So what you see there is, you can build cyber resilience at a national level, which I

ACTUARIAL DATA ON THE IMPACT OF CYBER-ATTACKS WITH THE INCREASING NEED FOR CYBER ASSURANCE

found absolutely fascinating.”

“We’re seeing the build-up of actuarial data. So

”When I was doing the research for this episode, I

boards are now asking questions around ‘are we

spent time watching the vox pop interviews with

covered? and ‘what’s the role of cyber insurance?’

Estonian citizens, and they absolutely trust digital

What’s apparent from conversations is that it’s now

much more than they trust paper, which makes

table stakes to do business,” O’Hara said.

sense, if you think about it.

LEADERS ARE MATURING AND BUSINESS IS GETTING THE ‘WHY’

CITIZENS CAN TRUST DIGITAL MORE THAN ANALOGUE

“The idea that somebody in a government department could open a filing cabinet and look at paper, there’s no accountability there, and there’s no

“I’ve been in cybersecurity for six years and I know

integrity, there’s no confidentiality. So they have fully

people have been doing this for decades, but I’ve seen

bought into this idea of digital.”

a maturing of the industry in terms of our status, our role as a business function within organisations. That was really apparent through the interviews over the course of the year, and also that businesses are really starting to understand why this stuff is so important.”

CYBER RESILIENCE CAN HAPPEN AT A NATIONAL LEVEL

126

DATA EMBASSIES ARE A THING “If you look at resilience at a national level, what happens if their data centres get popped? They might have data replication and geo separation, but if there’s a land based attack, and the tanks start rolling, they are still in a lot of trouble. So they set up data centres in other countries, gave them embassy or sovereign

“In the early 90s, Estonia went through some stuff,

rights. I thought that was a really elegant approach to

which meant they had to basically almost start

national level cyber resilience.”

WOMEN IN SECURITY MAGAZINE


HAVE YOU EVER DREAMED OF BEING A HACKER? Seemingly normal teenager Sam lives an exhilarating double life. Jump on board this twisting journey, take a swim through the deep dark corners of the hacker world

NEW

and find out what this girl is made of. Does she have what it takes to survive or is she in over her head? Only time will tell but one thing we can be certain of is that the journey is going to be more challenging than she had ever imagined.

READ NOW

OTHER BOOKS BY THE AUTHOR

No#1 Best Selling Author of the "A Hacker I Am" Series, Craig Ford


WOMEN IN SECURITY MAGAZINE CONTRIBUTORS 01

02

1. JULIAN RANGER Executive President and Founder of personal data platform digi.me,

2. AMANDA-JANE TURNER Author of the Demystifying Cybercrime series and Women in Tech books Conference Speaker and Cybercrime specialist

03

04

3. IAN YIP CEO

4. PRIYAL BHOSALE Product Manger

05

06

5. SOPHIA PACE Strategic Partnerships & Marketing Manager

6. DANIELLA TRAINO CISO for Wesfarmers, vCISO

7. ANNA LEIBEL Director of The Secure Board

07

08 8. JO STEWART-RATTRAY Director of Technology & Security Assurance for BRM Advisory

9. GIULIA TRAVERSO PhD- Senior Consultant Cybersecurity, EY

09

10

10. SHELLY MILLS Program Coordinator & Business Analyst The University of Queensland

128

WOMEN IN SECURITY MAGAZINE


11

12

11. DR LESLEY SEEBECK Honorary Professor at The Australian National University, Founder and CEO of Cyber21

12. AMY ROBERTS Assistant Director Induction, Diversity and Inclusion at Australian Signals Directorate (ASD)AWSN Canberra Chapter Lead

13

14

13. GERGANA WINZER Industry Director CyberSecurity APAC for Unisys

14. CHRISTINA KEING National Lead Director Cloud Security for Deloitte

15

16

15. NOUSHIN SHABAB Senior Security Researcher (GReAT) Kaspersky

16. LISA JIGGETTS Founder, Women’s Society of Cyberjutsu

17. SOFIA MERIDA 17

18

Zscaler’s ANZ Sales Engineer

18. ANGELINA LIU Barracuda Territory Account Executive

19. HARINI SUDARSHAN APAC Technical Support Manager for Ping Identity

19

20

20. NICOLLE EMBRA Cyber Safety Expert, The Cyber Safety Tech Mum

WOMEN IN SECURITY MAGAZINE

129


WOMEN IN SECURITY MAGAZINE CONTRIBUTORS 21

22

21. SAI K HONIG CISSP, CCSP, Co-founder - New Zealand Network for Women in Security Board Member – Black Cybersecurity Association NSNWS BCA

23

24

22. MELISSA CROZIER Information Security Advocate, Business Development Manager for Cybersecurity at BSI New Zealand

23. INGA LATHAM Chief Product Officer at SiteMinder

24. KAREN STEPHENS 25

26

CEO and co-founder BCyber

25. MEL MIGRIÑO group CISO of Meralco, co-founder, Women in Security Alliance, Philippines

26. NICOLA O’BRIEN 27

28

Author of Ready Set Code | CS and Coding Education Outreach | Founder of Code Rangers | Cybersecurity Outreach

27. LAURA JIEW AWSN National Social Media & Marketing Lead Events, Marketing and Communications coordinator for AusCERT

28. CHIOMA CHIGOZE-OKWUM 29

30

Spiritan University Nneochi, Abia State, Nigeria.

29. CRAIG FORD Cyber Enthusiast, Ethical Hacker, Author of A hacker I am vol1 & vol2

30. LINA YAO Scientia Associate Professor at UNSW

130

WOMEN IN SECURITY MAGAZINE


31

32

31. MARISE ALPHONSO Information Security Lead at Infoxchange

32. DEIKA ELMI Security Risk Manager

33

34

33. HARPREET KAUR Student at Edith Cowan University

34. LISA ROTHFIELD-KIRSCHNER

Author of How We Got Cyber Smart, Amazon Bestseller

WOMEN IN SECURITY MAGAZINE

131


LISA ROTHFIELD-KIRSCHNER Author of How We Got Cyber Smart | Amazon Bestseller

Jack doesn’t have a smart phone, but some of his friends do. Here’s how he got Cyber Smart. Meet Jack. Jack has a twin sister Olivia and loves learning art and music at school. He is a very keen drawer and likes experimenting with making cool pictures on his tablet. He is a little bit shy and sometime likes to play practical jokes because he loves to make people laugh. He also enjoys being outdoors playing basketball with his friends and teammates and riding his bike at the park. Last year Jack’s grandparents bought him and Oliva their own tablet to share for their birthday and they play games on the tablet at home. Jack knows that being safe online is very important and that his parents want him to wait until he is older before he gets his own device. Some of Jack’s friends have a smart phone, but are only allowed to use it after the school day. Sometimes however, his friends ‘forget’ to hand their phones in to the teacher at the beginning of the day which is against the school rules. Some of the boys in Jack’s year level have set up chat groups on their smart phones and play games against each other. Jack feels left out because he doesn’t have a smart phone. That night at dinner, Jack was upset and told his Mom and Dad “It’s not fair that I’m the only kid without a smart phone, all the other boys have one”. His Dad understood what Jack was feeling and reassured him that “We know you sometimes feel left out when other kids use their phones but you’re not the only kid who doesn’t have a smart phone yet. We’ve spoken with some other parents and we all think kids need to learn and play with each other in person, not on a device. There are things that kids do online that they

132

WOMEN IN SECURITY MAGAZINE

would never do in real life, like being mean or excluding others. Maybe they think it’s a bit of fun at first, but it soon gets out of hand and can really hurt people. Our decision is definitely not forever, and you’ll have a smart phone when we think you’re responsible and resilient enough to manage all the good and not so good things about them.” Jack’s dad went on to suggest “How about we catch up with your friends at the park for a game of basketball and then have everybody over for home-made pizza afterwards? We don’t need smart phones to have fun with our friends – we can do that by playing fun games in real life instead!” That suggestion made Jack feel much better and he was excited to play basketball at the park and then have his friends over for pizza – yummy! Jack felt happy that he spoke to his parents about feeling left out, they helped him feel better and came up with a fun idea. He knew that not having a smart phone was not forever and was happy to spend time with his friends playing outside. Jack’s mum said “When you’re older we’ll talk about buying you your own phone and teaching you about how to use it responsibly and safely. We know devices can be fun, but we think that sharing a tablet with Olivia is enough for now. We want you to only use a device when me, Dad or a trusted adult is supervising you to keep you safe online. We know that it can be upsetting to feel left out of some games and chats but it’s not forever and we will always help you find other fun games and activities to play with your friends.”


Recom mend ed by F amily zone

How We Got Cyber Smart addresses cyber safety, cyber bullying and online safety for elementary school-aged children.

READ NOW


TURN IT UP

IN MACHINES WE TRUST Jennifer Strong

CLICK TO LISTEN A podcast about the automation of everything. Host Jennifer Strong and the team at MIT Technology Review look at what it means to entrust artificial intelligence with our most sensitive decisions.

WOMEN IN TECH By Espree Devora

CLICK TO LISTEN The #womenintech Podcast is hosted by WeAreLATech’s Espree Devora and features inspiring Women in Tech from Engineers, Female Founders, Investors, UX and UI Designers, Journalists all sharing their story how they got to where they are today. The purpose of the show is for every listener to walk away feeling ‘If She Can Do It So Can I’. I call it “actionable empowerment”.

134

WOMEN IN SECURITY MAGAZINE

THE CYBERWIRE DAILY By CyberWire, Inc.

CLICK TO LISTEN The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.

RECORDED FUTURE - INSIDE SECURITY INTELLIGENCE By Recorded Future

CLICK TO LISTEN Recorded Future takes you inside the world of security intelligence. We’re sharing stories from the trenches and the operations floor as well as giving you the skinny on established and emerging adversaries.

THE WOMEN IN TECH SHOW: A TECHNICAL PODCAST

SECURITY INTELLIGENCE PODCAST

By Edaena Salinas

By Pam Cobb and David Moulton

CLICK TO LISTEN A podcast about what we work on, not what it feels like to be a woman in tech. Hosted by Edaena Salinas, Software Engineer at Microsoft. Website: wit.fm

CLICK TO LISTEN Welcome to the Security Intelligence Podcast, where we discuss cyber security industry analysis, tips and success stories. Join co-hosts Pam Cobb and David Moulton, security thought leaders and industry professionals as they discuss their experiences and expertise on the latest trends and developments in enterprise security.


BRAKEING DOWN SECURITY PODCAST

COMMAND LINE HEROES

By Bryan Brake, Amanda Berlin, Brian Boettcher

By Saron Yitbarek

CLICK TO LISTEN A podcast all about the world of Cybersecurity, Privacy, Compliance, and Regulatory issues that arise in today’s workplace. With cohosts Bryan Brake, Brian Boettcher, and Amanda Berlin or refresh the memories of seasoned veterans.

BASE.CS PODCAST By Vaidehi Joshi

CLICK TO LISTEN Beginner-friendly computer science lessons based on Vaidehi Joshi’s base.cs blog series, produced by CodeNewbie.

CLICK TO LISTEN

CODENEWBIE By Policy Forum - ANU National Security College

CLICK TO LISTEN

Hear the epic true tales of how developers, programmers, hackers, geeks, and open source rebels are revolutionizing the technology landscape. Command Line Heroes is an award-winning podcast hosted by Saron Yitbarek and produced by Red Hat.

Stories and interviews from people on their coding journey.

CYBER TALES - STORY BEHIND CYBER SECURITY STORIES

GIRLS IN TECH

By Mansi Kapoor

CLICK TO LISTEN Listen to a weekly round up of interesting cyber security stories from across the globe. Each podcast delves deeper into a particular story revealing insights and the often unheard story to listeners. The show is hosted by Mansi Kapur, business journalist with Fortune and Jose Varghese, cyber security entrepreneur and geek with Paladion.

By Zuzy Martin-Aly

CLICK TO LISTEN Big problems require big thinking — the kind of thinking that tech brings to the table. Tune in to The Girls in Tech Podcast for insightful conversations and stories about the evolution of tech — and how you can be a part of what’s next.

WOMEN IN SECURITY MAGAZINE

135


OFF THE SHELF

BEING: CHOOSING TO BE AT THE TOP BECAUSE THE BOTTOM IS TOO CROWDED Author // Veronica Rose “Are you hidden in the crowd? Are you tired of being at the bottom? Do you have a growth mindset? Do you feel stuck? Do you have a new vision? What is holding you back? This book is to remind you; never to apologize for asking questions, being career smart, voicing your opinion, coming up with new ideas, being a game-changer, trusting your instincts, standing up for the people and great causes you care about, taking an extra mile to outwork the known experts, creating space / run-way for yourself and people around you, being passionate about your profession, empowering others, having positive contagious energy and most importantly for BEING you. In most of your endeavors, aim at being at the TOP because the bottom is too crowded, too ignored, too low, not valued, and non-critical. This book is for you all. I hope you find value in the content so as to bear visions that are worth living for.”

BUY THE BOOK HERE

HACKING: THE ART OF EXPLOITATION Author // Jon Erickson Rather than merely showing how to run existing exploits, author Jon Erickson explains how arcane hacking techniques actually work. To share the art and science of hacking in a way that is accessible to everyone, Hacking- The Art of Exploitation, 2nd Edition introduces the fundamentals of C programming from a hacker’s perspective. This book will teach you how to- Program computers using C, assembly language, and shell scripts - Corrupt system memory to run arbitrary code using buffer overflows and format strings - Inspect processor registers and system memory with a debugger to gain a real understanding of what is happening - Outsmart common security measures like nonexecutable stacks and intrusion detection systems - Gain access to a remote server using port-binding or connect-back shellcode, and alter a server’s logging behavior to hide your presence - Redirect network traffic, conceal open ports, and hijack TCP connections - Crack encrypted wireless traffic using the FMS attack, and speed up brute-force attacks using a password probability matrix.

BUY THE BOOK HERE

JOURNAL THE JOURNEYWOMEN IN TECH Author // Amanda-Jane Turner A part of the Women in Tech series, this book combines an undated diary with a guided work book. It is an ideal gift for any women in tech, students, mentorees, or as a great gift for yourself. It provides pages for career planning, reflection, and goal setting, it has snippets about some women in tech role models and includes illustrations by the author. This book encourages you to think out your interests, passions and goals, plan out your projects, and nurture your wellbeing. Physically writing things down plays an important part in cementing goals and plans, and in recalling information. In the digital age with reliance on virtual documents, the art and benefits of actually writing and doodling is being lost. Why not buy this book and create your path in the tech world? There is a push for greater gender diversity in both technology and cyber security roles where women are underrepresented. There was a time however when women played a large part in the enhancement, invention and development of coding, software, science, and computers. Supporting women to pursue these roles, overcome challenges and find a path for themselves in a tech career of their passion plays an integral part in closing the gender gaps in these roles.

BUY THE BOOK HERE 136

WOMEN IN SECURITY MAGAZINE


THE CYBER EFFECT Author // Dr. Mary Aiken “A must-read for this moment in time.”—Steven D. Levitt, co-author of Freakonomics • One of the best books of the year—Nature Mary Aiken, the world’s leading expert in forensic cyberpsychology, offers a starting point for all future conversations about how the Internet is shaping development and behavior, societal norms and values, children, safety, privacy, and our perception of the world. Drawing on her own research and extensive experience with law enforcement, Aiken covers a wide range of subjects, from the impact of screens on the developing child to the explosion of teen sexting and the acceleration of compulsive and addictive behaviors online. Aiken provides surprising statistics and incredible-but-true case studies of hidden trends that are shaping our culture and raising troubling questions about where the digital revolution is taking us.

BUY THE BOOK HERE

HOODED: A BLACK GIRL’S GUIDE TO THE PH.D. Author // Malaika Grayson Hooded: A Black Girl’s Guide to the Ph.D. explores the unexamined experiences of Black women in higher education. From racism and navigating feelings of self-doubt to confronting microaggressions, Black women face an uphill battle as they earn advanced degrees in majoritywhite institutions and departments. Having a voice means facing retaliation or dismissal while staying silent becomes a heavy burden all its own. In Hooded, Dr. Malika Grayson offers an account of surviving and thriving as a doctoral candidate in STEM. Written for those who have never seen themselves represented in their chosen career, Hooded provides practical survival strategies, mental health tips, and ideas for creating community and leaving a lasting legacy. With this essential resource, you won’t feel quite as alone--and you might even become your own unexpected hero.

BUY THE BOOK HERE

THE COMPLETE GUIDE TO CYBERSECURITY RISKS AND CONTROLS (INTERNAL AUDIT AND IT AUDIT) Author // Anne Kohnke, Dan Shoemaker and Ken E. Sigler The Complete Guide to Cybersecurity Risks and Controls presents the fundamental concepts of information and communication technology (ICT) governance and control. In this book, you will learn how to create a working, practical control structure that will ensure the ongoing, day-today trustworthiness of ICT systems and data. The book explains how to establish systematic control functions and timely reporting procedures within a standard organizational framework and how to build auditable trust into the routine assurance of ICT operations. The book is based on the belief that ICT operation is a strategic governance issue rather than a technical concern. With the exponential growth of security breaches and the increasing dependency on external business partners to achieve organizational success, the effective use of ICT governance and enterprisewide frameworks to guide the implementation of integrated security controls are critical in order to mitigate data theft. Surprisingly, many organizations do not have formal processes or policies to protect their assets from internal or external threats.

BUY THE BOOK HERE WOMEN IN SECURITY MAGAZINE

137


OFF THE SHELF

HAVE YOU EVER DREAMED OF BEING A HACKER? Author // Craig Ford Dive into the life of a spunky, charismatic girl next door with Sam (Samantha), she is an only child of a broken family and has a truly devoted father who has raised her from a very young age. She is smart, kind, pretty and has that spark that you just can’t pin down. To anyone who meets her, she is just a good-hearted teenager who just wants to finish school and go to college. She does well at school, has a couple of close friends and is far from what you would call the popular girls. She truly fits the average girl next door stereotype. If you are looking at the fake life she lets the world see you would be right in thinking that was the case. However, she has a secret life. She has spent years living two lives, one as Sam for the world to see and one as Foresight, to Sam this is her true life where she is a truly gifted hacker. She has never found a system she could not bend to her will if she put her mind to it. She is the essence of a true hacker, a true magician of sorts in these dark recesses of the web not many dares to enter.

THE CYBERSECURITY PLAYBOOK: HOW EVERY LEADER AND EMPLOYEE CAN CONTRIBUTE TO A CULTURE OF SECURITY Author // Allison Cerra Many books discuss the technical underpinnings and complex configurations necessary for cybersecurity—but they fail to address the everyday steps that boards, managers, and employees can take to prevent attacks. The Cybersecurity Playbook is the stepby-step guide to protecting your organization from unknown threats and integrating good security habits into everyday business situations. This book provides clear guidance on how to identify weaknesses, assess possible threats, and implement effective policies. Recognizing that an organization’s security is only as strong as its weakest link, this book offers specific strategies for employees at every level. This book will help you: •

Deploy cybersecurity measures using easy-to-follow methods and proven techniques

Develop a practical security plan tailor-made for your specific needs

Incorporate vital security practices into your everyday workflow quickly and efficiently.

BUY THE BOOK HERE

BUY THE BOOK HERE

138

WOMEN IN SECURITY MAGAZINE

ALICE AND BOB LEARN APPLICATION SECURITY Author // Tanya Janca Alice and Bob Learn Application Security is an accessible and thorough resource for anyone seeking to incorporate, from the beginning of the System Development Life Cycle, best security practices in software development. This book covers all the basic subjects such as threat modeling and security testing, but also dives deep into more complex and advanced topics for securing modern software systems and architectures. Throughout, the book offers analogies, stories of the characters Alice and Bob, real-life examples, technical explanations and diagrams to ensure maximum clarity of the many abstract and complicated subjects. Topics include: •

Secure requirements, design, coding, and deployment

Security Testing (all forms)

Common Pitfalls

Application Security Programs

Securing Modern Applications

Software Developer Security Hygiene.

BUY THE BOOK HERE


CONFIDENT CYBER SECURITY: HOW TO GET STARTED IN CYBER SECURITY AND FUTUREPROOF YOUR CAREER (CONFIDENT SERIES) Author // Jessica Barker Confident Cyber Security is here to help. This jargon-busting guide will give you a clear overview of the world of cyber security. Exploring everything from the human side to the technical and physical implications, this book takes you through the fundamentals: how to keep secrets safe, how to stop people being manipulated and how to protect people, businesses and countries from those who wish to do harm. Featuring real-world case studies from Disney, the NHS, Taylor Swift and Frank Abagnale, as well as social media influencers and the entertainment and other industries, this book is packed with clear explanations, sound advice and practical exercises to help you understand and apply the principles of cyber security. Let Confident Cyber Security give you that cutting-edge career boost you seek. About the Confident series... From coding and web design to data, digital content and cyber security, the Confident books are the perfect beginner’s resource for enhancing your professional life, whatever your career path.

BUY THE BOOK HERE

ECHOES Author // Laura Tisdall “There is truth to be shared. Let us begin...” Mallory Park is living two lives. In one, she is trying to survive senior year, balancing OCD and social anxiety with looking after her troubled family. In the other, she spends her nights glued to her laptop, breaking into some of the world’s most secure systems as the legendary hacker Echo Six. As part of a hacktivist group known as the Forum, Mallory is far more at ease among the codes and hidden identities of her online world than she has ever been in the real one ― but when other hackers suddenly begin to go missing, that online world starts to feel a lot less safe... When anyone can be a name on a screen, how do you know who to trust? “A really unique story. This is a book that I recommend you to read.” - The Guardian “A startlingly original book... cleverly constructed and extremely exciting.” - The International Rubery Book Award “I found myself unable to put this down. I swear to you someone told me, “Seriously, stop reading. You need to eat.”” - YA Books Central

BUY THE BOOK HERE

HOW TO MEASURE ANYTHING IN CYBERSECURITY RISK Author // Douglas W. Hubbard and Richard Seiersen How to Measure Anything in Cybersecurity Risk exposes the shortcomings of current “risk management” practices, and offers a series of improvement techniques that help you fill the holes and ramp up security. In his bestselling book How to Measure Anything, author Douglas W. Hubbard opened the business world’s eyes to the critical need for better measurement. This book expands upon that premise and draws from The Failure of Risk Management to sound the alarm in the cybersecurity realm. Some of the field’s premier risk management approaches actually create more risk than they mitigate, and questionable methods have been duplicated across industries and embedded in the products accepted as gospel. This book sheds light on these blatant risks, and provides alternate techniques that can help improve your current situation. You’ll also learn which approaches are too risky to save, and are actually more damaging than a total lack of any security. Dangerous risk management methods abound; there is no industry more critically in need of solutions than cybersecurity. This book provides solutions where they exist, and advises when to change tracks entirely.

BUY THE BOOK HERE WOMEN IN SECURITY MAGAZINE

139


Save the date

The Australian Women in Security Awards are back for 2021. Join us in-person or via live stream to celebrate our community of Women in Security.

October 13th 5:30-10:30pm MORE INFO


Turn static files into dynamic content formats.

Create a flipbook

Articles inside

Surviving a crisis - a view from the trenches

6min
pages 120-123

Are you doing enough to protect your organisation’s IT security?

2min
pages 118-119

Take me to cuba

6min
pages 111-113

Whose afraid of Zero Day

6min
pages 114-117

How to embrace the coming technology revolution

4min
pages 108-110

Linking data privacy to security

3min
pages 106-107

transforms cybersecurity

8min
pages 102-105

Back to basics

6min
pages 99-101

AusCERT plenary panel

6min
pages 96-98

Hackers are not who you think they are

2min
pages 91-95

Celebrating information security excellence in 2021

9min
pages 86-89

Factors threatening effective partnerships in crisis situations

2min
page 90

AWSN returning to in-person events around Australia

3min
pages 84-85

Building relationships in the security and risk suite and why it matters

4min
pages 80-81

fighting for women in STEM

8min
pages 76-79

Ten top tips to secure your website

3min
pages 74-75

How SiteMinder’s product and technology teams stayed motivated and innovative during the pandemic, while servicing the traditional hotel industry

5min
pages 72-73

Top 5 digital parenting tips for parents with teens

2min
pages 64-65

Lisa Jiggetts

5min
pages 54-57

Could inclusivity expand the cybersecurity talent pool in australia?

3min
pages 60-61

A Tuesday in the life of a Regional Technical Support Manager

5min
pages 62-63

How to make a midcareer move into cybersecurity

3min
pages 58-59

Gergana Winzer

7min
pages 46-49

Noushin Shabab

4min
pages 52-53

Christina Keing

4min
pages 50-51

Dr Lesley Seebeck

6min
pages 40-41

Anna Liebel

4min
pages 32-33

Jo Stewart-Rattray

5min
pages 34-36

Daniella Traino

6min
pages 30-31

Giulia Traverso

3min
page 37

Shelly Mills

5min
pages 38-39

How to create a culture of belonging and why it matters

8min
pages 18-21

Beware of ransomware

2min
pages 16-17

more diverse workforces

4min
pages 12-15
Issuu converts static files into: digital portfolios, online yearbooks, online catalogs, digital photo albums and more. Sign up and create your flipbook.