Daniella Traino
Group CISO, Wesfarmers; vCISO
I am a virtual chief information security officer with an ASX-listed company, and the group chief information security officer (GCISO) at Wesfarmers. A virtual CISO is essentially a cybersecurity executive who is engaged with client(s) on a part-time/project basis rather than full-time. A group CISO is accountable for CISO-level functions and capabilities, but typically for more than one business area or company within a group. The role exists in large enterprises/conglomerates where there are several businesses owned by the same parent organisation. It is less common in Australia than in many other countries.
As Wesfarmers GCISO I work closely with the cyber teams across the corporate office and our retail, chemical, industrial and safety divisions. I’m accountable for group-level strategy and architecture, cyber risk management and assurance, and cyber defence.
My GCISO role at Wesfarmers is that of a change agent, building a sense of community and collaboration across all cybersecurity teams, and particular practitioner groups such as Cyber Defence and Architects. I identify strategic opportunities to uplift/innovate and have executive and board responsibilities to measure and monitor cyber risk and opportunity across all businesses.
This includes coordinating incident response and cyber defence efforts across all businesses where these are material or impact more than one business. Working with each business’ cyber teams is fun. They are talented and passionate about their business and about ‘defending production’. It’s a challenging role, so I am energised working with them, helping them succeed, and supporting their teams.
I got into cybersecurity by chance based on my interest in it, and the challenges and fun it offered. I had no idea there was a career behind it, what that path looked like, or what the economic value of those skills and experiences would be.
I studied computer science and accounting (commerce) at the University of Sydney. I loved mathematics, business and technology, and wasn’t sure where my interests would take me, job-wise.
My career progress has not been the result of good or solid planning. I just wanted to be in environments where people were mission-focussed, continuously improving and not seeing tech/cybersecurity only as a ‘keep the lights on’ benefit. I looked for opportunities to work across many complex and growing businesses and industry types where I could develop management skills to help me navigate the complexity, and influence strategy.
My first employer was a management consulting/big four accountancy firm. That job gave me opportunities in financial and IT audit and general IT and risk consulting. It was there I was introduced to a small team being paid to test the security of client systems and recommend how to design/harden them. I was hooked! It was a great team, and we worked on a good range of IT and cyber engagements in different industries. I invested in my own learning in parallel (Hacking Exposed was a great handbook) and my cybersecurity interest grew from there.
I think, to be successful in cybersecurity, you need to have a passion for the domain and for learning. The threats and the technology innovation to counter them are evolving rapidly in parallel. Being curious is a must.
I’ve had several memorable experiences in my career, mostly centred around the incredible people I’ve been fortunate to work alongside.
I’ve tried to learn from their successes as much as from my own, and also from things that did not work well. The best advice I was given was: don’t expect someone else to know your worth/brand/achievement. Speak up, and whatever opportunity to stretch yourself comes along, say yes and figure it out along the way. Sometimes we females are conditioned to think we cannot be assertive or confident. That’s utter rubbish.
Being female in cybersecurity can be challenging. When I started there were few mentors or successes to point to. It’s quite the opposite now. I found I was constantly being challenged to show I “knew my stuff” or was sufficiently “technical” compared to colleagues. Thankfully, I had a thick skin.
Since my early days in cybersecurity, it’s been fantastic to see many female trailblazers emerge, creating opportunities for more women in the profession. However, I’ve had more male colleagues that were supportive than not, and more should be done to raise their profile as champions of change.
I had the opportunity to work with an incredible Australian cybersecurity research team that was pioneering formal methods, software verification and proof engineering: techniques that would fundamentally improve software trust and change software vulnerability management, or remove the category entirely.
This was a joint team from the Defence Science and Technology Group and Data61 (a CSIRO business unit). We went on to win two national and three state (SA) iAwards for a cyber product we developed that successfully kicked off a partnership through the Defence Innovation Hub. I learnt a lot from this combined team.
A few years ago my colleague and I developed a cyber R&D commercialisation strategy, an Australian first. We also co-developed the design and model for the Oceania Cyber Security Centre, which went on to become a regional research and deployment partner of the Global Cyber Security Capacity Centre at the University of Oxford for the Cybersecurity Capacity Maturity Model for Nations. The centre was subsequently operationalised by a different team.
It was challenging to ideate and develop these plans, but it was fun to talk to many of Australia’s incredible research, engineering and science professionals. Countless reports show Australia to be a creative country, but if we could collaborate meaningfully, and work through the commercialisation hurdles, Australia would punch above its weight, and contribute to the cyber ecosystem more than it does today.
We’ve been able to come together as a fintech ecosystem (Fintech Australia and others have made amazing inroads). Together with existing industry participants, Australia has contributed significant economic opportunities and revenue growth in a very short time. Imagine if we replicated that with cybersecurity.
We have many cybersecurity pioneers here. Jo Cooper @ IDExchange, Vaughan Shanks @ Cydarm, Mohan Koo @ DTex, Sam Crowther @ Kasada, Pieter Danhieux and Fatemah Beydoun @ Secure Code Warrior, Casey Ellis @ Bugcrowd, Alan Sharp-Paul and team @ Upguard, Daniel Potts and team @ Cog Systems, Vikram Sharma @ Quintessence Labs and Tony Smales @ Forticode. And cybersecurity has received only limited investment and support.
The role of artificial intelligence (AI) in cybersecurity is one area where more investment is needed. AI has a significant role in cybersecurity, for good and bad. It can improve defence and protective mechanisms, and risk and governance frameworks. On the nefarious side, it presents a growing challenge as threat actors use AI tools to build better evasion techniques against both human and technical defences.
The ‘defender’s deficit’ is widening. I think AI techniques can help close the gap, but we need to be able to assess trustworthiness: ensure the outcomes are transparent and provable.
Unfortunately AI solutions can be very ‘black box’, so there is also the challenge for cybersecurity teams to develop the skills and knowledge to assess AI for its advantages and determine where it can be misused. Global initiatives for trustworthy AI frameworks and assurances will help, but will not be sufficient if we do not invest in upskilling cybersecurity talent, and increase the diversity in cybersecurity teams.
www.linkedin.com/in/daniellatraino/