04
SEPTEMBER • OCTOBER
ATTRACT - DEVELOP - RETAIN
SOLVING THE PIPELINE PROBLEM
FINDING CYBER TALENT - WHAT’S IN THE SECRET SAUCE?
THRIVING IN A POST-PANDEMIC FLEXIBLE WORKING ENVIRONMENT
MAKE YOUR COMPANY A TALENT MAGNET TO ATTRACT THE RIGHT METTLE
STUDENT IN SECURITY SPOTLIGHT
WWW.WOMENINSECURITYMAGAZINE.COM
WOMEN IN SECURITY MAGAZINE

FROM THE PUBLISHER
Past is prologue. Building a more equal future is up to us.

Well yes it needs to be addressed, and where better to do so than my regular magazine intro – a place where I can poke the bear and will always be forgiven!

So the question I pose to you is: Can we leave the inequality of the pre-COVID world behind us for good?

Pick up just about any piece of research discussing the impact of Covid-19 on gender equality, and you’ll hear that we appear to be going backwards again – just when we had started making headway.

There are many reasons for this: even with the whole family working from home, women are still taking on the largest share of care and unpaid household work. Social-distancing measures have had a large impact on industries with high female employment, in industries skewed heavily towards women at risk of job losses or reductions in working hours. If we’re not able to get gender equality right in lockdown, then, is there hope for getting gender equality in the new – and hopefully better – normal? This new normal must offer men and women equal opportunities to remote work; find new ways to overcome work/family tensions; and address issues such as occupational health and safety, domestic violence, and health and wellbeing – all of which have suffered during the pandemic. Teleworking is at least partly to blame, since cramped living situations have forced many people to deal with anxiety about remote working, financial pressure, increasing responsibilities such as home learning, and general anxiety about the future – all while physically contained within the confines of a home.

Even the seeming distance of remote working hasn’t been enough to extract many people from the stresses of the workplace – with many workers reporting cyber bullying continues to extend from the workplace to the home.

You don’t have to see your coworkers face-to-face, after all, to bully and harass them – and many people may find it easier because the physical distance often makes abusers more disinhibited.

This issue, we are looking at issues such as OH&S – which has, thanks to the pandemic, been extended to workers’ own homes. This puts new expectations on employers to ensure that they build and maintain diverse, equal and harassment-free workplaces – even though so much everyday collaboration is taking place online, in private Zoom and Teams meetings where supervisors often aren’t present. It doesn’t matter what city, state, or country you are reading this from. COVID-19 has shown us all that strong resilient leadership, and a continued dialogue with all parties concerned, are crucial to ensure that decisions made are inclusive – and effective. Ensuring diversity within that leadership is equally important – although the statistics suggest that we still have a way to go on that count. The COVID-19 task force, for example, is comprised of just 25% women and their absence from top-level decision-making positions was obvious.
Sadly, this is in line with overall trends – with women still comprising just 28% of managers and leaders. A recent review found just 20% of healthcare organisations had achieved gender parity on their boards, with men still outnumbering women in positions of influence in most organisations. Things are even worse in high-level roles, with women accounting for just 25% of Parliamentarians and 10% of heads of state.

Those decision-makers are shaping the post-COVID response in Australia and around the world – so after the pandemic, it is incumbent that they avoid falling into the old traps that perpetuated such glaring gender inequality before the pandemic.

Some businesses have already managed to break free of the shackles of inequality, while others are trying hard to do so. Yet others are, sadly, still all talk and no action. Previous issues of Women in Security Magazine have explored the reasons for this – and possible solutions for it – from many angles. As we have seen time and time again, the solutions are there for the taking, but cultural change is hard and takes time. Thankfully, the disruption of our current situation means we all have time to consider how we can contribute to making our workplaces more welcoming, and more equal. Think about how you can better support the women you work with or live with; to watch out for signs of domestic violence or other tragic repercussions of challenging new living situations; demand equal pay for equal work; and how you can support female-led initiatives delivering on the mission of gender equality.

Employers should consider these and other factors when revisiting workforce recruitment and retention strategies that have been dramatically altered by the pandemic. Many employees, shut out of careers they have dedicated their whole lives to, may be ripe for luring into cybersecurity – but we need to make sure we are constantly offering job retraining or “upskilling” to prepare them for applying their talents in the digitized and automated post-pandemic future.

There is little about our daily lives that the pandemic has not changed – but it is up to us to change our lives, and the lives of those around us, for the better. Let’s stand up and choose to challenge inequality, and make it a thing of the past – if not for you, then for the future generations that are itching to escape from lockdown and look forward to a better, brighter future.

I’m going to do everything I can to support this mission. Will you join me? #choosetochallenge

Abigail Swabey
PUBLISHER, Owner & CEO of Source2Create
aby@source2create.com.au
CONTENTS

PUBLISHER’S LETTER
HOW TO MAKE RECRUITMENT MORE EQUAL
MAKE YOUR COMPANY A TALENT MAGNET TO ATTRACT THE RIGHT METTLE

FEATURE
Towards a more respectful cybersecurity community

WHAT’S HER JOURNEY?
Narelle Devine
Helen Sultana
Megan Haas
Carol Chris
Christie Wilson

CAREER PERSPECTIVES
Why I plan to get more women into the industry — by leaving it
How to get an entry-level cybersecurity job in 2021
Finding cyber talent: what’s in the secret sauce?
Owning the unknown: studying and working in the field of cybersecurity and software engineering

INDUSTRY PERSPECTIVES
Five steps to accelerating consumer security and data use trust during a pandemic
Thriving in a post-pandemic flexible working environment
PwC Australia gets four new female cyber partners
Pipelines
Taking fearless secure development education to the world
I got 99 problems but a vuln ain’t one
Why technical proficiency won’t take you to the top in today’s world
Addressing workplace culture in the cybersecurity sector
Startup or large corporation?
How companies can keep women in cyber engaged and motivated in 2021

TECHNOLOGY PERSPECTIVES
In an orchestra the whole is greater than the sum of the parts
Ransomware is rife how will we win?

COLUMN
SEO poisoning
Setting boundaries on teen’s device use
Surviving a breach: step one - be prepared
The Big Bad Wolf

STUDENT IN SECURITY SPOTLIGHT
Kathy Nguyen
Pooja Shankar
Victoria Cheng
Jacynta Grigson
Aarati Pradhananga
Kavika Singhal
Karen Hobson
Shahnaz Ali
Jocasta Norman
Maeesha Lohani
Abby Zhang
Emma Seaman
Tiana Inman
Caitlin Sauza

Olivia & Jack get a Gamestation
OFF THE SHELF
TURN IT UP
SURFING THE NET

SEPTEMBER • OCTOBER 2021
SOLVING THE PIPELINE PROBLEM

FOUNDER & EDITOR: Abigail Swabey
ADVERTISING: Abigail Swabey, Charlie-Mae Baker, Vasudha Arora
JOURNALISTS: David Braue, Stuart Corner
SUB-EDITOR: Stuart Corner
DESIGNER: Jihee Park

Women in Security Magazine is published by Source2Create
ABN 25 638 094 863
www.womeninsecuritymagazine.com
contact@source2create.com.au

AWSN is the official partner of Women in Security Magazine

Source2Create Pty Ltd is the publisher of this magazine and its website (www.womeninsecuritymagazine.com).

©Copyright 2021 Source2Create. All rights reserved. Reproduction in whole or part in any form or medium without express written permission of Source2Create is prohibited.
FEATURE

HOW TO MAKE RECRUITMENT MORE EQUAL
by David Braue

DOES MORE DATA MAKE RECRUITMENT MORE EQUAL?
With AI stumbling and HR tech currently CIOs’ lowest priority, progress is slow

Amazon’s early failures testing artificial intelligence (AI) to automatically rank job applicants have become a cautionary tale about blindly entrusting AI with shaping our workforce. Yet as CIOs all but ignore HR tech and diversity leaders worry that AI amplifies gender inequality rather than fixing it, will we ever be able to tap data to help build more diverse companies?

There was early hope, of course, that increasingly automated HR administrative systems would provide a goldmine of employee-related data for AI engines such as Amazon’s experiment – which trained an AI engine to automatically evaluate and rank dozens of job applicants’ CVs.

By training the AI on the CVs of existing workers, the theory went, the AI would be able to identify the characteristics that made for a good Amazon employee. The problem: the underlying gender imbalance in Amazon’s workforce meant most of the CVs fed into the AI were males – causing the algorithm to conclude that being male was highly correlated with being a better worker.

‘Black box’ AI solutions have proven problematic in situations where probity and gender equality are important, since they tend to amplify gender bias in the data they’ve been trained on. Companies with existing gender imbalances must therefore avoid relying on their existing HR data – or intentionally compensate for it – to create real change.

While CVs can be scraped to have gender-specific names removed, other attributes – such as hobbies, sports, previous roles and the like – often have implicit gender affiliations that skew the AI model’s results in ways that aren’t always obvious.

“There’s a real risk with relying on technology that just scrapes in anything it can to figure out whether you’re a fit,” Barb Hyman, CEO of interview automation firm PredictiveHire, said during a Melbourne Business School webinar.

“It’s very easy to amplify an existing gender bias using those attributes, even if it’s blind,” she said, calling CV data “pretty gameable” and video interviews showing “a big risk of being biased.”

The importance of explainability – the ability to better monitor and control how AI algorithms are reaching their results – has become critical for the technology to be used in recruitment, where algorithms can have life-changing consequences for everyday people, and for the cultural composition of the company.

“Explainability is critical in a world where a lot of AI is governed by deep learning modules,” Hyman said. “As a candidate, you don’t really know what [AI is] drawing on to make a decision about you.... and we’ve consciously chosen not to use those because you can’t explain the outcome.”

Five years after Amazon’s experiments, a recent Melbourne University study highlighted the persistence of this issue, with a recruitment panel blinded to the gender of particular applicants for data analyst, finance officer, and recruitment officer
positions – jobs that are male-skewed, gender-equal, and female-skewed, respectively.

The panel still picked males as being most qualified for all three roles, admitting that they are largely looking for signs of relevant experience, education, and keywords that testify to their skills – but did not factor in statements about explanatory factors such as maternity leave.

When an AI algorithm was coded to the same process, it came to the same conclusion – with men evaluated as having more relevant experience but women better at matching particular keywords.

The results “mean there is something distinct about men’s resumes that made our panel rank them higher, beyond experience, qualification and education,” said study author Associate Professor Leah Ruppanner, co-director of The Policy Lab at the University of Melbourne, warning that the AI algorithm “reinforces and amplifies unconscious gender bias in recruiting.”

“This forms the most alarming dimension of gender bias, as we are not capturing what gives men the edge in these positions.”

“The algorithm isn’t thinking about experience, it’s just finding associations [and] you have to say to it ‘don’t penalise women for parental leave’. It has to be coded in.”

PURPOSE IN A TIME OF DISRUPTION

AI experts are working across every business and technology discipline to improve explainability, figuring out how to teach AI to skew itself towards policy-driven outcomes that may not necessarily be reflected in existing data. Yet HR organisations continue to struggle to find a clear, effective and explainable way to apply AI in a way that matches corporate gender-equality objectives.

Yet AI isn’t the culprit here, so much as a canary highlighting the ongoing cultural problems that created gender imbalances in the first place.

“The promise of HR transformation has not played out,” Dave Weisbeck, chief strategy officer with workforce-analytics firm Visier, recently wrote. “Instead, we’ve seen organisations spending multiple millions of dollars pursuing HR efficiency without fulfilling the promises made to the business.... Progress has not been made where it counts.”

This issue has been exacerbated during the COVID-19 pandemic, where the rapid and dramatic workforce changes of the past 18 months pushed HR into a period of rapid change.

Gartner last year advised HR leaders to embrace a focused pandemic management plan to compensate, but recently reported that even the best planning hasn’t avoided significant workforce challenges.

In the context of disruption so dramatic that three-quarters of HR leaders say their employees are hesitant to come back to the office, once-ennobled goals like gender equality can easily take a back seat to fighting for operational continuity.

Yet now is the time to double down on core values, Deloitte noted in its latest report advising the prioritisation of the worker-employer relationship during the pandemic: “to survive when this relationship is founded on purpose, an organisation needs to live and breathe purpose,” the firm’s analysts note.

Yet while two-thirds of the executives Deloitte surveyed said they would evolve their organisational metrics in coming years to address issues like societal goals and diversity and inclusion (D&I), fully 80% said their leadership still wasn’t ready for this change.

That was a problem for every type of company – which, Deloitte advised, must “integrate purpose into all that it is and everything it does... make sure purpose is reflected in the organisation’s core talent programs to make sure its values come clearly through in the way workers are treated.”

CHANGE BY THE NUMBERS

Yet even if business leaders do push HR staffers to improve workforce diversity using data-driven analytics, those efforts are likely to be hamstrung by competing priorities.

HR was ranked dead last in a recent survey of 500 CIOs’ investment priorities by digital-transformation firm Genpact, which found that 76% of Australian
CIOs believe their company is unprepared for another major business disruption.

Just 22% of CIOs were ranked as ‘pilots’ driving transformation strategically across core business functions, Genpact found – suggesting that no matter how much they recognise data to be important to HR reinvention, CIOs ultimately defer to line-of-business leaders who have more immediate priorities than teaching AI to be less discriminatory.

“Organisations have often been guilty of looking in the wrong place for the wrong people with the wrong skills,” David Gregory, senior director and analyst with Gartner, said during a recent webinar on the outlook for security staff.

“Patchy” success rates in traditional recruitment processes, exacerbated by “the demand for instant results” as leaders react rather than plan long term, had mired HR tech in organisational inertia exacerbated by a disconnect with other siloed business functions.

“All of our data suggests that this is a trend that will continue,” Gregory added. “There are underlying problems that are holding organisations back from getting the right people. We rely on the same recruitment process, even though this is never a guarantee that we end up with the right candidate.”

With AI far from the panacea some had hoped, the right solution will seemingly come from a combination of new technologies and an overhaul of old policies, hopefully breaking the cycle of sameness and allowing companies to tap new sources of skilled staff that have become more accessible in today’s remote-work environment.

The pandemic “had a disproportionate impact on underrepresented groups in the workplace,” said Tom Dyson, head of product at recruitment-software developer JobAdder, “and you have a situation that has forced companies to re-evaluate their D&I agenda.”

“Companies need to double down to ensure they have authentic substance and measurable impact, not just signalling on social media.... Critical to this is helping them structure the way they hire so that they are hitting the numbers that matter in recruitment.”

As a disruptive platform for workforce recruitment, Dyson said, JobAdder has built-in features such as a D&I dashboard to help companies establish hiring processes that “match the desired goals they have as a business of which the leading companies have D&I metrics baked into their DNA.”

Ultimately, the evolution of innovative recruitment tools will help companies build and maintain momentum for change. PredictiveHire, for one, has targeted the issue of AI bias by ensuring it does not collect information about candidates that could create bias – then using the third-party Namsor platform, which uses candidate names to determine gender and ethnicity, to ensure the AI’s results are appropriately gender-diverse.

By building continual checking into the process, says Hyman, AI can be used to support human-driven recruitment rather than replacing it – potentially identifying the human bias that has allowed D&I imbalances to fester in the past.

“It’s very hard to sit around a table with your colleagues and debate whether a person should be hired in the absence of any data,” she said. “And if AI is saying that a person is a really strong match and no one in the team is recognising that, it invokes a conversation about whether we are missing something – or we are biased in our own decisions.”
TOWARDS A MORE RESPECTFUL CYBERSECURITY COMMUNITY
by Stuart Corner

A new initiative has been formed in the UK to combat all forms of harassment in the industry

Have you, as a cybersecurity professional, suffered harassment either online or in person, through your work? If so, you are not alone. It’s surprisingly common. A recent survey by research firm Sapio, which polled 302 cybersecurity professionals found 32 percent had been harassed online, 35 percent in person. And there was little difference in percentages between those identifying as male, female or non-binary.

Cybersecurity professionals aren’t unique in this respect, but now, they do have a new initiative dedicated to addressing the issue: Respect in Security. It’s been set up by a handful of cybersecurity specialists in the UK to fight harassment of all kinds, in person and online.

Respect in Security is not a counselling service or a legal channel through which to file complaints against an individual or organisation. The founders say it will be a resource guiding individuals to organisations that provide such services.

INDUSTRY PLEDGES SOUGHT

Its main aim, says cofounder Marc Avery, is to elicit commitments from organisations in the industry that they will counter harassment and be transparent about their processes for reporting and dealing with incidents.

“That pledge compels organisations to publicly commit that they will, in the event of any report to them about one of their employees being involved in this kind of unacceptable behaviour, take action and support that individual.”

Avery is also cofounder of Cyber House Party, a UK based not-for-profit set up in 2020 to create a community for cybersecurity professionals and raise money for charity.

He adds: “Organisations should be doing this as a de facto standard. We all know that companies have internal policies for harassment, and good behaviour and ethics. But actually, are these transparent and published? Do they make it known that anybody can
whistle-blow or report one of their employees for misbehaviour?”

He says more than 50 organisations have already signed the pledge, and there are more in the pipeline. The current list also includes global players in cybersecurity, such as Trend Micro and BT and Avery expects other larger companies to respond over the coming months.

“We have some really big organisations, and some really small organisations across different geographic locations, including Canada, the US and Australia. The power of social media and online activity has really enabled us to get a big reach.”

ONLINE COMMUNITIES ENCOURAGING HARASSMENT

While there’s no hard evidence that cyber has a poorer track record on harassment than any other industry, Respect in Security cofounder Lisa Forte — also cofounder of cybersecurity training and consultancy Red Goat Cyber — suggests the industry’s environment is conducive to harassment.

“We are an industry that has a very heavy online presence: we communicate extensively remotely. Often people have never met in person and they are talking and befriending each other. I don’t think a lot of other industries have that same sort of global online community.”

Avery says the genesis of Respect in Security was a Cyber House Party event in April 2021 that included a panel session on online harassment, at which Forte revealed her own experience of harassment.

Describing this in a blog post, cofounder Rik Ferguson — Vice President of Security Research at Trend Micro — said: “It wasn’t until I listened to Lisa Forte speaking on a panel at a Cyber House Party event about just some of the abuse to which she has been subjected that the penny really dropped. … Afterwards, I chatted with Marc Avery. … We had both been equally taken aback and decided that we had to do something.”

Following that realisation the trio got together to talk about the issues and develop a suitable approach to raise awareness. “As we started we heard more and more stories affecting both females and males across various different platforms, which was quite surprising to us,” Avery says. “It’s something we feel isn’t talked about enough in the industry. And we’re hoping to change that.”

CURBING THE TWITTER STORMS

Forte says one of the group’s first objectives is to mitigate the flood of postings that are often precipitated on social media by online harassment.

“We want to provide a way for victims to hold people accountable, or to take action against bad behaviour, without causing a mass pile-on on Twitter,
or on another platform. Often when someone does something they shouldn’t they are called out on Twitter, and then loads of people come to the victim’s aid, pile in with abuse towards the abuser, and it spirals.

“We were very clear from the start that we wanted to provide a way for people to do this the right way. That might be through lawyers, it might be through the police, it might be through the employer. It isn’t through Twitter.”

With COVID-19 limiting face-to-face communications, things are getting worse. “In the last year, both the amount and the severity has increased exponentially,” says Forte. “I think there’s a sentiment in the industry that it’s become almost intolerable on certain platforms. I have taken a break from Twitter as a result of observing some of the stuff that’s going on. I know a lot of other people have felt the need to do the same.”

She adds: “I’ve had many people message me, mainly women, but not exclusively, who have said, ‘Thank you for starting this because I was genuinely considering leaving the industry’.”

While sexual harassment of women might have the highest profile, Forte says Respect in Security will guide anyone who has been the victim of any kind of harassment to get the right support.

“We don’t want this to be specifically about sexual harassment. And we also don’t want it to be a sort of women’s protection group. It’s for everybody: harassment from anybody towards anybody is completely unacceptable.”

However, Respect in Security has no plans to be an action group, trying to engineer some kind of retribution for offenders.

“We know from experience, doing that is troublesome, and not very easy,” says Avery. “What we can do as an organisation is to talk about it, highlight some of the issues we’ve heard about anonymously and then encourage organisations to step up to the pledge.”

A HARASSMENT SUPPORT RESOURCE

Forte says: “The website will have a wealth of resources to signpost people to the correct place to go and seek some help and advice. We’re not looking to reinvent the wheel. There are many charities that have done a lot of this legwork, and with some fabulous psychologists and others involved.”

One of Respect in Security’s partners and organisations it guides victims of harassment to, is The Cyber Helpline, a UK charity that helps victims of online harassment, stalking and other kinds of online criminal activity.

Forte says: “We plan to have guidance on signposting people to the correct way of doing things, including information that has been put together by partner organisations on things like collecting evidence and making sure that you can prove what has happened.

“If a company has signed the pledge, then this will be published on their website, including information on where you go to report a member of staff for something you think they shouldn’t have done.”

She says victims of harassment are not the only ones needing support. “The perpetrator may have been going through something horrific, and this could have been why their behaviour manifested the way it did. We’ve seen people who are going through horrible divorces and other things who have lashed out very nastily on social media.”

A WORK IN PROGRESS

Respect in Security is presently relying on the voluntary contributions of its founders and others, and is still taking shape. “For the first few months, we are planning to facilitate some sessions to listen and learn,” says Avery. “We may not get everything right the first time. There are some conflicting views that we’re seeing already about different ways to tackle these things. And there may never be a right or wrong answer.”

The future direction of the initiative is still fluid, says Avery. “In the future we may change our approach and start to provide some services. We’re not pre-empting, whether or not that’s going to happen.”

The initiative is not limiting its ambitions to the UK. “Our aim is to have representatives in other countries who can replicate what we have done in the UK and apply it to their jurisdiction,” says Forte. “But there’s a sticking point that’s a little bit difficult. Law enforcement is different, so we need a local perspective.”

The founders plan to set up an advisory board to help it develop its future direction, to undertake research into harassment issues and produce an annual report on its findings.

“We have had an overwhelmingly positive response since launch and it seems that people were almost waiting for an initiative like this to come along”, said Avery. “It’s something that everybody jumped on, because they feel it’s something that’s really pertinent. Maybe it wasn’t being talked about enough. Now is a good opportunity to raise awareness.”

www.linkedin.com/company/respect-in-security
twitter.com/respectinsec
www.respectinsecurity.org
COLUMN

AMANDA-JANE TURNER
Author of the Demystifying Cybercrime series and Women in Tech books
Conference Speaker and Cybercrime specialist

SEO poisoning

Cybercrime is big business, thanks to technical advancement and interconnectivity creating more opportunities for cybercriminals. This regular column will explore various aspects of cybercrime in an easy to understand manner, to help everyone become more cyber safe.

Criminals do their research, know how to optimise search engine results, and will use any trending topic available to ensure people fall victim to their campaigns. One of their baits exploits people’s interest in employee pay and conditions and enterprise bargaining. Criminals will either compromise a legitimate site or create their own, and use search engine optimisation (SEO) poisoning techniques to ensure their pages are at the top of search engine results for queries on these topics.

SEO poisoning is where the compromised or malicious sites use keywords associated with trending topics so their pages are seen first in searches for information on those topics.

One current trending topic is enterprise bargaining. Criminals are infecting unpatched WordPress sites related to enterprise bargaining with malware droppers, and then ensuring the infected pages reach the top of search results. Anyone using ‘enterprise bargaining’ in a search will be shown a link to the infected page. As soon as they click on that link the infected page will drop malware onto their system in what is known as a drive-by download.

WHAT CAN WE DO TO PROTECT OURSELVES?
• Before you click a link in a search result, make sure it will take you to the site you were intending to access.
• Keep your browser up to date.
• Take care when downloading files from websites.
• Keep your operating system and software patched.
• Use only official legitimate sources to download software.
• Use reputable and up-to-date anti-virus software.

If you have been impacted by cybercrime, in Australia you can report this via www.cyber.gov.au/acsc/report. In other countries, report it to your local police or through the relevant cybercrime reporting mechanism.

SEO poisoning is big business – stay safe.

www.demystifycyber.com.au/
MAKE YOUR COMPANY A TALENT MAGNET TO ATTRACT THE RIGHT METTLE

by David Braue

It’s all about culture – but will yours make them want to stay?

Every company tries to paint itself as a paragon of equality but few would be ready to handle the firestorm created at video-game giant Activision Blizzard – whose executives recently faced a mass staff walkout after longstanding accusations of a ‘frat boy’ culture where harassment and discrimination against women were all in a day’s work.

The day-long strike, which saw hundreds of the company’s 9500 employees walk off the job and led to a lawsuit by California state authorities, echoed a similar walkout at rival Riot Games two years earlier that was also intended to shine a light on endemic discrimination across an industry where, as at Call of Duty studio Activision Blizzard, just 1 in 5 employees is female.

For corporate officers, the public airing of the company’s dirty laundry – including allegations that women are discriminated against, blocked from promotions, paid less and fired faster – is a nightmare scenario that not only threatens immediate consequences, but can taint the company’s ability to attract the best and brightest in its industry.

With cybersecurity expertise in high demand and skilled staff able to basically name their terms, management in all kinds of industries face similar issues as they work to close longstanding cybersecurity skills gaps by building a corporate culture that can serve as a magnet to attract top cybersecurity expertise of all genders.

COME FOR THE TECH, STAY FOR THE CULTURE

A recent survey by recruitment firm Contino, entitled The Voice of Talent 2021, offered some guidance as to what such a corporate culture should include – and much of it will come as no surprise.

The traits that make a company the most appealing to work for, the 178 Australian respondents said, include the opportunity to work with modern technology and practices, a competitive salary package, great work flexibility, a great manager or leadership team, and a great company culture.

“For me personally, a good company culture is a culture where people can innovate, where the norm can be challenged and leaders are not afraid of taking the path less travelled,” said Dr Denis Bauer, head of cloud computing in bioinformatics with CSIRO.

“In a competitive talent market where technologists get offered new roles on a weekly basis,” she said, “it’s important that your employees are happy and you are not giving them a reason to look elsewhere.”

Interestingly, the presence of a progressive diversity and inclusion (D&I) program was ranked as the tenth highest priority for workers, out of ten. In the context of Activision Blizzard’s employee-relations disaster, this finding suggests that workers don’t come into a job looking for a diverse and inclusive environment – but if it’s not there, they simply won’t stand for it.

That can create real problems for employers counting on their company culture to attract skilled cybersecurity staff – particularly from underrepresented groups, and even more particularly given the exacerbation of the talent drought by the COVID-19 pandemic.

“With the Australian borders locked down minimising inbound tech talent, there is a finite talent pool,” Contino APAC managing director Craig Howe said as the figures were released.

“Compounding the situation, we have seen a significant increase in large enterprises embarking on digital transformation projects to increase velocity, agility and cost reduction… [which has] made recruiting the right tech talent all the more difficult.”

As with every magnet, however, for every positive aspect of company culture there is an equal and opposite repelling force that will, if present, push them away – and they have nothing to do with the tech.

Having a bad manager or leadership team was the number-one reason for leaving a company, with others citing company politics, a lack of work flexibility, and a lack of career progression as key issues.

Interestingly, men were more likely to leave due to a lack of work flexibility than women, who were more likely to cite a lack of career development opportunities as a key issue.

Significantly, the survey also broke out the priorities of non-binary respondents – who ranked the presence of a D&I program as their top attracting factor and were far more likely to leave a job if the company lacked diversity.

“Diverse teams tend to have diverse opinions and this makes for a culture where people can challenge each other respectfully,” said Dawn Collett, a DevOps engineer with Dubber Corporation. “People do their best work at companies when they are supported and they feel that they can be themselves. The lack of psychological safety that comes from being a marginalised person in a monoculture is a powerful reason to look for a more supportive work environment.”

BUT WHAT GOES INTO GOOD CULTURE?

So, employees value a good company culture and will recoil from management that makes it bad. This will surprise few, and offers little guidance about what specific things companies can do to make their cultures more appealing to women, in particular, and everyone in general.

“People are more and more valuing the culture and the level of care that employers provide their teams,” Rachael Mayne, senior associate for cybersecurity and GRC with recruitment firm u&u, told WiS Magazine. “It’s not even that there’s one right or wrong way of doing things; people appreciate anything. As long as you are trying to do something, it goes quite a long way.”

One recent client, for example, had seen productivity “go through the roof” after giving all employees Friday afternoons off – an initiative he implemented during the COVID-19 pandemic to ensure that staff were taking time for themselves.

He’s likely to continue the policy after lockdowns are a thing of the past, Mayne said, because it has pushed staff to organise the rest of their weeks far more efficiently: meetings get done on Mondays through Thursdays, leaving Friday mornings for mopping up any additional administration time.

That sort of positive attitude is not only beneficial for employees, but can help a company stand out in the minds of specialised cybersecurity recruiters who often serve as front-line filters – and may choose to not work with companies that don’t have cultures where they would feel comfortable placing new recruits.

“There are definitely companies that I know have a bad culture,” said Mayne, who flagged two key areas where companies should focus to make sure they end up on the right end of the cultural lens. Diversity and inclusion, she explained, is a major element of a good corporate culture, as is a focus on mental health – especially within cyber, where chronically high-stress jobs are well-known for exacting a significant toll on many workers.

High stress also contributes to high attrition – meaning that proactively reducing stress can help an employer hold onto the staff for a longer while, at the same time, saving themselves the headache of having to keep finding and hiring new cybersecurity experts as often.

Determining what aspects of company culture will increase employee stickiness is also an individual matter: some “really see the value in certifications,” Mayne explained, “while for others it’s being able to go from extremes” such as building pen-testing skills one month, then moving into GRC or being a cloud-security architect.

“That’s just the nature of the people in cybersecurity,” she said. “They are very curious people who like the challenge, and they want to further their knowledge and experience – and I think that’s a huge selling point for them.”
Rank | Why employees join a company… | And why they leave
1 | Work with modern technology and practices (public cloud, DevOps, agile, ML/AI) | Bad manager or leadership team
2 | Competitive salary package | Company politics (bad company culture)
3 | Great work flexibility | No work flexibility
4 | Great manager or leadership team | Lack of career progression
5 | Great company culture | Outdated tech stacks and delivery models
6 | Great career progression opportunities | The salary package
7 | Passionate about the direction of the company and the projects you are working on | Disagree with the direction of the company and the projects that you are working on
8 | Talented team – the company is known for hiring great people | Not passionate about the team members you work with
9 | Dedicated time and budget for learning and development | Lack of diversity in the company
10 | A progressive diversity and inclusion program | Lack of learning and development time and budget

Source: Contino Voice of Work 2021
PWC AUSTRALIA GETS FOUR NEW FEMALE CYBER PARTNERS

by Stuart Corner

For Australian women aspiring to a career in cybersecurity, role models are important, and there are four new ones in the upper echelons of PwC Australia’s Cybersecurity and Digital Trust practice.

In July PwC appointed six new partners in its mid-year partner intake. Four of the six are women; two, Mary Attard and Philippa Cogswell, are promotions. Pip Wyrdeman and Richa Arora are external hires.

Their appointments reflect PwC Australia’s policy on gender diversity. Head of People and Culture, Catherine Walsh says the firm has already achieved overall gender parity, and has a goal to achieve this at partner level.

“We have 32 percent women at the partner level, which we’re really proud of. It compares well to many other professional services firms, as well as many corporates,” she says. “But there’s always more to do. We want to get to 40 percent of each over the coming years, and then 20 percent of the right mix across diverse groups.”

More women at senior levels of the Cybersecurity and Digital Trust practice, Walsh says, creates role models for women in the lower ranks. “There’s a lot of stereotypes that go with this work. Having diversity paints a picture that there is a wide range of skills that make you suitable for the cyber environment. And greater gender diversity, particularly at the partner level, says this is a career women should be thinking about.

“Having those leaders is vital. Women need to see they can come with passion and an interest, and learn when they get here, and have an opportunity to work with a broad range of people. If there is a challenge or an experience they’re having, they can go and talk to another woman about it.”

BUSINESS SKILLS NEEDED IN CYBER

For the Cybersecurity and Digital Trust practice, Walsh says business skills are needed as much as cyber skills.

“Deep technical skill is important for some roles, but people who bring critical thinking and great commercial experience across a broad range of areas can be really useful in cyber. Great leadership is important: good, clear and critical thinking, critical stakeholder management, and being able to bring the right team together to resolve and respond to issues.”

COUNTERING GENDER BIAS

PwC also has a program that aims to counter bias or discrimination against women in the workplace: its Inclusive Leadership program, being rolled out across the firm.

“It seeks to make people aware of those unconscious biases, which we all talk about,” Walsh says. “But more importantly, it’s in the art of the conversation: how people work, their background and the skills they bring, their ways of working, the things that are important to them, and how they will all work together in a team. It seems simple, but it is very powerful.”

The program brings teams together for two sessions, with support from the Diversity and Inclusion team, for structured discussions around what is important to them and what they bring to the table, and how they are going to work together as a team. “Sometimes you can have a whole range of assumptions about someone’s background or their experience or what they do,” Walsh says.

SUPPORTING WOMEN IN CYBER

In addition to its company-wide diversity initiatives, PwC’s Cybersecurity and Digital Trust practice also has a Women in Cyber program that inspires women to pursue a career in cybersecurity. One of the new women partners, Mary Attard, heads this program.

“It started out being for our internal cybersecurity team and we’ve extended it across all of our technology and cyber teams,” she says. “Its purpose is to create opportunities for all our women to connect and network and talk about things that are important from a female leadership perspective: unconscious bias, negotiating pay, connecting with other women who have gone through similar career paths and sharing their career stories.”

PwC is now looking to expand the program beyond its own staff. “We’re focussing on how we can partner with universities to share career stories with other girls that might be considering a career in cyber and technology,” Attard says.

“And we’re also looking at how to network with our clients: sharing career stories and creating a community of women to connect, find new jobs, the next career opportunity, like-minded individuals and someone to mentor.”

The program presently holds bimonthly internal meetings but the plan is to include clients and to move to quarterly meetings. PwC also plans to extend activities to the wider community. “We are looking to launch a number of additional programs, include a careers fair later in the year, and we’ll connect with partners to launch that program,” Attard says.

There are similar programs across the PwC global network and plans for a platform and website to support communication and collaboration between them.

NEW PARTNERS: MANY ROADS LED TO CYBER

The four new female partners in PwC Australia’s Cybersecurity and Digital Trust practice have very different career trajectories, none of which started in cyber. They demonstrate the range of skills needed today to help businesses operate securely in a digital world.

Pip Wyrdeman has a broad remit at PwC covering “all things cyber in the government and public sector space, with a particular focus around the defence industry, and some of the home affairs areas as well,” she says.

She has more than 15 years’ experience in ICT security policy and cyber security. She was formerly a senior cybersecurity policy adviser at the Department of Prime Minister and Cabinet, and has held positions in the Department of Defence covering roles in ICT policy, architecture and business relationship management. Her most recent role prior to joining PwC Australia was with Providence Consulting.

It’s a long way from her early career: a biotechnologist who spent a decade as a patent examiner. “My transition into cybersecurity started because one of the talents for a patent examiner is the ability to translate very technical, complex information into language that is simple to understand,” she says.

“I was able to use that to do a change management for the patent office back in the early 2000s, bringing a new patent solution into being. That allowed me to understand a key requirement of digital transformation: a good human connection. I wrote a lot of policy and procedure around the safety and security of humans. That translated into the development of security policy later on.

“My career since then has really been about the development of policy, and defining the rules, compliance regulations, and the strategic vulnerabilities around ICT systems, and how they impact on the human systems. That’s how I got into cybersecurity.”

Richa Arora leads PwC’s cyber practice for the healthcare sector and works with leaders in other areas to bring cyber into all of the firm’s healthcare opportunities.

She has more than 14 years of experience in technology consulting, leading digital transformations and cybersecurity programs supporting organisations in federal and state government, financial, healthcare and education sectors. Prior to joining PwC Australia she led the cybersecurity practice at Deloitte in Perth.

She also works to grow PwC’s digital identity business in New South Wales. She says the two disciplines are closely linked. “We want to make sure all services that are digitally provided are secure for both the provider and the receiver. With remote work, and patient-centric healthcare services on the rise, there’s a huge role for cyber to make sure these services are safe and secure.”

She has a degree in electronics and communications engineering but after a short stint as a network engineer took on the job of developing an ERP solution to enable an American company to offer healthcare plans to its employees. She then took on more consulting roles in business analysis, program management and technology strategy.

Delivering a digital transformation project for a university sparked her interest in digital technology and cyber. “I thought digital was a cool space: everything’s digital, and we’re moving into digital transformation. But as I was looking for what to do next, an opportunity came up to work on delivering a cyber program.

“I really enjoyed all the challenges that came with it, and I learnt what cyber means for providing a safe and secure digital service. That’s where my journey into cyber started. I feel like my job became the translator between the technical fork and the business.”

She does not have any formal cyber qualifications, but has recently acquired an executive MBA. “The technical side of cyber never worried me, because I had the technical background,” she says, “But the executive MBA is a very essential qualification to delivering cyber. You get to understand that business is multifaceted, to know how to protect it, how to provide service, how to communicate with stakeholders, how to get funding for your cyber problems.”

Philippa Cogswell is PwC’s national lead for defensive security and perhaps the only one of the four that fits the popular image of a cybersecurity expert. She is responsible for incident response, threat intelligence, digital forensics, security operations, and also cyber crisis management.

She is a CISSP and holds numerous cybersecurity qualifications, including a Masters in Information Systems Security, an ethical hacker certification and others in industrial and network security. She has been in the industry for 20 years.

However, she started out in a very different field: studying environmental science at university. After building her first computer she decided she had a passion for technology.

“I started as a systems administrator, moved on to become an operations manager then into government. I worked for security agencies in Australia and the UK. During that time, I helped around network security undertaking cyber investigations and leading teams,” she says.

“From there I moved into industry and worked as a consultant, which took me globally performing things like threat hunting and incident response in all manner of organisations. I then went to work for a vendor, a machine learning and cybersecurity defence company. It was fairly early days for them. I was running the tech arm across Europe, the Middle East and Africa working with a lot of companies to put defensive security in place.”

Since joining PwC she has worked extensively on cyber risk management with clients across New South Wales and nationally, and taken on PwC’s defensive security practice.

“My key account focus is on New South Wales Government clients, but given some of the work I’ve done formerly in the UK and globally, I also work with some of our clients who are linked to critical national infrastructure,” she says.

Mary Attard has been a member of PwC’s Cybersecurity and Digital Trust practice for almost four years and leads the Digital Identity team, focussing on the financial services market. She has an accounting background and before joining PwC she spent 12 years in the financial services industry, where she developed the passion for working with technology and for bridging the gap between technology and business that led to her current role.

“Working in financial services, I loved solving customer problems. So I spent time in process improvement and technology implementations, and that’s where I developed a passion for being able to work with technology and to bridge the gap between tech and the business,” she says.

“I did a number of Salesforce implementations and really found my home in that space. When I left financial services, there was an opportunity to join PwC to lead the implementation of a digital identity platform, and having a technology implementation background rather than knowledge of cyber was critical. That’s how I made the transition into the cyberspace.

“What’s really important in this space is experience from broader exposure. I’ve done tech implementations for over 10 years, worked in transformation and run a first line risk function. All that enabled me to talk to our clients from a business lens about what’s really critical in security, how to manage risk and how to implement technology and then bring in my technical colleagues to help build that for them.”

Catherine Walsh www.linkedin.com/in/catherine-walsh-24068441/
Mary Attard www.linkedin.com/in/maryattard/
Philippa Cogswell www.linkedin.com/in/philippa-cogswell-374b59214/
Pip Wyrdeman www.linkedin.com/in/pip-wyrdeman/
Richa Arora www.linkedin.com/in/richaarora1/
WHAT’S HER JOURNEY?

Narelle Devine
Chief Information Security Officer Asia Pacific, Telstra

I’m the CISO Asia Pacific for Telstra, leading Telstra’s cyber security capability. I’m also a member of the RSA Conference Advisory Board and the Executive Advisory Board for the Australian Information Security Association, a Fellow of the Australian Information Security Association, and an Adjunct Professor at Deakin University.

I love our mission at Telstra: to enable a safer connected experience for everyone. I love that we are able to make a difference, and I love that every day is different: I never quite know what will happen each day, no matter how well I plan it.

Everything we do impacts the lives of every Australian in some way, whether we’re tackling scam calls and SMS messages, reducing the delivery of malware via email, or making sure the Telstra network is secure so we can keep Australians connected.

My big vision is to transform the way my team embeds security into everything we do at Telstra, and share what we do more broadly, so we can help uplift the broader security posture of the Australian community.

I have a wide-ranging role, from setting the vision of where we want to be in the future, to fronting the board and audit and risk committee, responding to media queries, deep diving into an incident, formulating our strategy, reviewing budgets, talking technology solutions, signing off on a culture program or talking to customers. The ability to switch between hats is really important, and so is having a great team of people who can support the many different demands placed upon me.

I ended up in cyber security by luck rather than good judgement. I think it chose me. It was something I found interest in through different postings in the military.

I jumped into the field relatively early. I would have loved to have embraced cybersecurity even earlier, but that career path did not exist when I left school. It has really become mainstream only in recent years.

I realised how interesting the area was when I started my first master’s degree, in computer science, but there were limited opportunities as a uniformed military officer.

Since obtaining my master’s I’ve progressed my career by embracing the education opportunities that abounded in the military, by finding great mentors, taking calculated risks and being open to opportunities.

I was awarded a Conspicuous Service Medal in the Australia Day Honours List 2016 for “meritorious achievement through… contribution to the development of the emerging area of cyberspace operations in the Australian Defence Force”.

I genuinely think the key to building confidence is continually pushing yourself out of your comfort zone and making yourself do things that are not particularly easy. Over time, you get better and more confident – time is key. It’s not a special skill. It’s really just about seizing the opportunities presented and being willing to take a risk, so you make a step forward when it’s not always comfortable to do so.

To anyone contemplating a career in cybersecurity, I say do it. Cybersecurity will continue to grow and evolve. So we’ll always need a broad range of skills, knowledge and experience.

You don’t need to be highly technical to achieve in cyber: some of my cleverest people aren’t deeply technical, but they bring a way of thinking that adds immense value to solving a problem.

You also need to keep an open mind. The roles and progression paths will change as the threat landscape shifts. If you remain flexible and are willing to have a go, you’ll be really successful.

And we need diversity, of gender and more. Our industry and teams need people of different backgrounds, ages, ethnicity, gender, culture… you name it. Our adversaries are diverse, and if we build the right mix of diverse teams, we’ll be able to think differently, anticipate the movements of our adversaries better and move more quickly as a team.

Cybersecurity is not something you can do alone. It has many facets. It is a genuine team sport, both within an organisation and in the wider industry.

Finding good people and surrounding myself with them has been an important part of my career. I truly value my team, the input of my peers in the industry, and my mentors. They are all critical to my success.

I’ve had some excellent mentors along the way, and not necessarily all of them have been from a cyber background. That variety has grounded me and given me a better view of the impact my decisions have: whether from a technical perspective or from a people perspective. I’ve especially valued my mentors from outside the sector because they have given me a different perspective on the art of the possible.

I’ve also had the privilege of working for some incredible leaders. Their support, trust and belief — and sometimes the odd push — makes a huge difference.

If you’d asked me 10 years ago, I would never have thought I’d be in this role. I probably didn’t realise the potential I had. I needed a few people to push me to realise that potential.

A great leader can also be a huge advocate and clear the way for you to get on with your mission and achieve results, and I’ve been lucky to work for some great leaders.

I also think having a strategic goal and vision, and the ability to clearly articulate it is critical to success. This means the members of your team are all working in the same direction, and united in a common purpose.

twitter.com/narelle_devine
Helen Sultana
Manager, Cyber Security Education and Awareness

Helen Sultana is Manager, Cyber Security Education & Influence at Australia Post, responsible for raising the awareness of cybersecurity in staff and customers and driving behavioural changes that boost security. She is part of the Cyber Defence team at Australia Post.

“Part of what I do is lead targeted campaigns and training across the organisation. I look for ways in which we can engage our people in security more broadly,” she says. “We also partner with government organisations to run cybersecurity campaigns across the year.”

Her role in cyber is one Sultana has come to from a non-IT trained background. She considers her career in education a valuable foundation. Her career began as a primary, and then later a secondary school teacher in Victoria when, in 2015, she contacted the Alannah and Madeline Foundation—a charity focussed on keeping children safe from violence— offering her services.

“I decided I wanted to transition out of a traditional school setting and hoped I could begin a career that would include technology,” she says. “I sent AMF an email offering my time and thought a way to transition could be as a volunteer at the children’s not-for-profit organisation.”

“In a stroke of luck, I soon realised that they were implementing a Cyber Safety behaviour change government-funded initiative in Victorian schools. I moved from being a volunteer to a paid role as an adviser working with whole school communities on best practice cyber safety approaches which would in turn upskill educators in cybersecurity practices and decrease cyberbullying. The approach looked like anything from encouraging cyber safety lessons in the classroom to including cybersecurity in school values and policies. At the time this was almost unheard of. Cybersafety was almost a taboo subject in schools and I am so proud to have been a pioneering professional in that space.”

In taking this step Sultana was realising a long-held ambition. “I knew that a career in technology and in cyber is what I wanted and that this was the perfect step to transition out of a traditional school setting.”

She says her time with the Alannah and Madeline Foundation shaped her subsequent career path because it involved building relationships and securing cooperation from many people in diverse roles: with the wellbeing teacher, the technology teacher, and the principal and the leadership team. “I quickly developed my own set of what would be now known as principles of influence.”

“I now recognise those experiences as the building blocks of my cybersecurity awareness and influencing career. Teaching was something I had in common but I had to adapt. Sometimes I’d visit six schools in a day, and I’d very quickly have to build relationships to drive outcomes putting my principles of influence quickly into practice. I would sometimes have thirty minutes to influence the hearts and minds of the school leaders I was meeting.”

Her involvement in the Alannah and Madeline Foundation led, through a contact, to her next role as National Project Manager – Education with the Girl Geek Academy, a global organisation founded in Australia in 2014 that aims to teach one million women technology skills by 2025.

“[Girl Geek CEO] Sarah Moran wanted to introduce a coding curriculum to primary school teachers. She enlisted my skills and knowledge to build the online curriculum, and then help the teachers train in this program,” Sultana says.

“That was quite a scary thing for teachers, particularly at the preparatory to year two-level because it was a new requirement in schools. Again, quickly building positive relationships and developing a learner-centric program. I found myself leveraging my relationships and offering our curriculum to almost every teacher I knew.”

An obvious next step for Sultana was to move to impact the number of women in STEM (Science, Technology, Engineering and Mathematics) in leadership roles. She took up an opportunity at National Australia Bank as Girl Geek in Residence in its Women in Technology Program.

“It was an internal program to increase the number of women in senior leadership roles. We built a community of like-minded people. My role was to take that program from good to great.”

“When I was working at my local primary school, the principal one day took me over to a window to look at the kids playing outside and said, ‘See every child out there? They’ve already developed their adult skills. They are all living and breathing adults. So treat them as individuals.’”

“So I did. I treated them as individuals, all with complex personalities. I think my journey has been about putting the individual first and making sure anything I do drives the outcome for that individual.”

From NAB Sultana moved to the eSafety Commissioner as an eSafety Education Advisor. “Part of my role was to develop and host webinars for schoolchildren and present them to parents. I also develop cyber safety education material and resources,” she says.

Sultana says the most satisfying aspect of her role is seeing the impact of her work.
She believes the number of women embarking on careers in cybersecurity will snowball. “You can’t be
Sultana says there are some common themes
what you can’t see. If we continue to raise the profiles
running through her career. “I like to do things that
of women in security, we will have more girls and
are challenging, that involve people and cybersecurity
young women choosing careers in technology.”
education, and that makes a difference.”
However, she says teaching a belief in women that
And the variety of roles she has held have contributed
they can have careers in technology starts much
to her professional development. “Across all my roles I
earlier. “As the parent of a 6-month-old daughter, I’m
got to meet and learn from a lot of really great leaders
very conscious of the simple things I do in front of her
and was able to cherry-pick what kind of leader I am.”
in terms of technology and how I give it a go. I won’t
In an effort to raise the profile of women in security and to assist in engaging with the broader cybersecurity community she is an active member
pass my computer to my husband and say, ‘fix it’. I’ll sit with my daughter and offer her a broad range of experiences.”
of the Security, Influence and Trust Group. “I play an
“As a teacher who transitioned to a career in
active role as a member of the Security Influence
cybersecurity, I treat each individual learner as unique.
and Trust (SIT) leadership committee- leading a
I aim to create learning experiences that people
community of industry professionals working together
remember ensuring that the skills and knowledge
to build security-aware cultures. This is how I can
are retained over time. I aim to influence people so
engage with like-minded people across industries and
that they treat cyber just as they would their physical
knowledge share to further make a difference”.
security”.
She also attributes her success to having a growth mindset. And when asked to name the most
www.linkedin.com/in/helen-s-b22151b3
important piece of advice that guided her on her security journey, her answer is surprising: a primary school teacher, very early in her career.
WOMEN IN SECURITY MAGAZINE
31
Megan Haas
Non Executive Director, Tesserent
I’m a non-executive director (NED) of a portfolio of organisations. My board roles range across higher education (RMIT University), public sector (Development Victoria), ASX listed (Tesserent Ltd), startup (handdii), and advisory (Suburban Rail Loop Authority and the Academic Centre of Cyber Security Excellence at the University of Melbourne). With so many different roles, each day brings a different experience. It’s a working style I’ve grown up with, and one I love.
My various roles enable me to engage with people across all facets of an organisation and draw upon my experience to help guide and influence the design and operation of governance processes. It’s a plus when I can apply my security knowledge to advance cyber risk management. I have a dual role in my most recent appointment with Australia’s largest listed cybersecurity company, Tesserent. As a director at the board table I’m driving strategy and governance whilst being deeply knowledgeable about the cyber ecosystem.
At university, I took a major in Information Systems to complement my Bachelor of Business. This was in the mid-80s when mainframes were the order of the day, and I decided it would be beneficial to understand the electronic data processing environment. I thought being awarded “Best Female in Info Systems 1” was pretty special, given I was the only female undertaking the module!
My degree was in applied information systems, so I had the opportunity to do a year in the industry. This introduced me to PriceWaterhouse, and I spent the next 32 years there in various roles. After completing my degree I joined their ‘computer audit’ team and undertook an eight month secondment in the United Kingdom. I arrived in London in August 1989, knowing no-one but with a job, and a bed for two nights.
One year in London wasn’t enough, so I stayed for a couple more, followed by a total of nine years in Brussels and Paris before returning to Melbourne to rejoin PriceWaterhouse, which had become PricewaterhouseCoopers (PwC) following a merger with Coopers & Lybrand.
Working across Europe was a fantastic learning experience. I continued working in the information systems risk management team at PwC, but also blended audit and advisory services across industries, cultures, and often languages. Moving from business to business, understanding their challenges and opportunities, working to implement systems and designing security controls all contributed to building an inventory of use cases to draw from when providing advice.
Back in Australia with young children I rebuilt my brand and network one project at a time and started leading teams to deliver services. Over the years I’ve developed, and relish, the ability to engage with multiple and varied stakeholders.
After joining the PwC Partnership and creating a solid client base, I focused on the next challenge. I’d worked in the West and in 2011 it was time to head East. So I joined PwC China, based in Hong Kong. For six years I worked with organisations doing business in Asia, assisting them to deliver ‘trust’ in their operations, people, systems, financial reporting, culture and ethics.
After returning to Australia in 2017 I started to consider what the next chapter in my career could look like. I quickly determined that what I was seeking was the ability to leverage my career experience to date, by adding value whilst being valued. Company director is not a role to be taken lightly, so I invested time in researching the role of boards and thinking through my unique value proposition. I questioned my suitability for the role and consulted with my network.
I experienced the imposter syndrome: believing that you are not as competent as others perceive you to be. I recall having lunch with a very experienced NED who responded very directly to me when I questioned whether I had the requisite skills and experience to be a director: plain words, delivered directly but which I needed to really hear. I was told to immediately reject such beliefs, that I demonstrably had more than sufficient experience to succeed in company director roles.
I’m now established in this next chapter of my career and loving the variety and engagement it affords me. In parallel I have a number of individuals, female and male, who I mentor from early in their careers to senior executive roles. They benefit from my experience working in Europe and the Asia Pacific.
It will come as no surprise to readers that I am accustomed to being the only female in the room. In France (1992) you are expected to speak French or stay silent. The upside of working in such an environment was that I honed my ability to listen and to read the subtle cues of body language. Rising to these challenges made me more resilient. And working across different business environments and teams has allowed me to develop capabilities in problem-solving and leadership.
Over the years I’ve observed that leadership skills held in high regard when demonstrated by men are not always similarly perceived when displayed by women. I’ve been described more than once as ‘intimidating’ or ‘aggressive’. I prefer to hear those descriptions as ‘candid’ and ‘direct’. When coaching I’ve often heard similar feedback being given to other women. My advice to them is to be open to constructive feedback, but to seek less emotional adjectives in order to understand any underlying messages. I will not apologise for having a view and expressing it in a professional manner.
I would encourage women to consider a board career when the time is right for them to move away from executive roles. There is a clear shortage of women with security and broader technology backgrounds in non-executive directorships. However, they must overcome the challenges of fulfilling directorial duties, and must be comfortable engaging with senior executives and other directors as equals.
My message for female leaders is to take advantage of any opportunity to network, be curious, engage with as many different stakeholders as you can, develop your presentation skills, and think about how you can demonstrate your ‘human’ skills in addition to your technical capabilities.
www.linkedin.com/in/megan-haas-a70b284/
Carol Chris
General Manager for Australia and New Zealand, GBG
I’m the Regional General Manager for Australia and New Zealand for GBG, a global company specialising in digital identity. I’m responsible for running our team of 120 in the region to build and deliver products that help businesses prevent fraud and meet complex compliance requirements.
It’s been a 20+ year journey to this point and, hard as it may be to imagine, my career kicked off when Optus launched into the Australian market as a challenger to the merged former monopoly telcos, Telecom Australia and the Overseas Telecommunications Corporation (OTC), that became Telstra.
Those early days of my career at Optus, when it was effectively a startup, were pivotal to my professional development. I learned how to work in lean teams and fast-moving environments, delivering complex end-to-end programs and creating go to market strategies. The biggest challenge was differentiating Optus’ products and brand from those already in market, and trusted by most Australians.
It was a unique time to be exposed to new cutting edge technologies, new product development processes, and market testing in an organisation that completely disrupted the telco industry. I quickly learned the importance of having the right hiring processes to attract the best talent, having the right people in positions where they could thrive, taking a proactive approach to supporting staff, and generating a culture everyone could be proud of.
After more than a decade at Optus, I held a range of senior leadership roles across the technology industry, and the focus on people and culture these required has stayed with me. In each role, my approach to leadership and building businesses was centred on having a diverse team.
Like most in the tech and security industries, I have seen first-hand the importance of attracting women into these fields, and then supporting and empowering them throughout their careers. Consequently, I have regularly mentored young women I work with. A common question I get asked by these women early in their careers is about managing situations when they are the sole woman in the room, or one of only a few.
My advice has been consistent throughout my career, and still stands: be confident, be yourself.
It is easy to be overwhelmed by manifestations of the gender gap, whether those be the lack of women in a meeting room, or the lack of female representation at the leadership level. But it’s important we in the industry never feel the need to change who we are or change our own leadership style to suit others. As women, one of the biggest assets we bring to our employers is our perspective. This includes our different approaches to leading teams, developing services, designing products, and asking questions. We need to maintain confidence in our competencies, our skills, and our ability to get the job done.
Since the pandemic we’ve all been forced to take a step back and re-assess what work looks like, and how our careers and businesses are being impacted by the ‘new normal’ of constant change. In my current position, there are two areas most impacted: my team and my clients.
The pandemic has changed my team’s interactions and ways of working in many ways. These changes go beyond working remotely, switching to video calls, and needing to turn homes into office spaces. Meeting the evolving challenges to our team’s mental wellbeing has required constant focus and has reinforced the importance of communication, collaboration and support. More than ever, I’ve found myself talking regularly with staff about their mental wellbeing and the importance of not feeling guilty about finding a balance that works for them, including carving out time for themselves. Years ago, this may not have been considered part of a security leader’s typical working day, but I believe this will be an ongoing feature of all leaders’ roles, and particularly crucial to the success of businesses moving forward.
Many impacts of the pandemic on our clients are without precedent, but there are learnings from past major industry disruptions that we can adopt and re-apply. The biggest learning for the security space is that attacks can come from anywhere and at any time; not just because of the ever-evolving nature of the security landscape, but also because it is impossible for businesses to always be one step ahead of hackers and bad actors. Unfortunately, it’s the fraudsters and cybercriminals who are working relentlessly to be one step ahead of enterprises, leaving them with little choice but to take proactive steps to counter the steady onslaught of attacks.
This is particularly the case for organisations in the banking and financial services sector. The pandemic has produced many challenges over the past 18 months. Disruption and change have been a constant for security and tech leaders. I’m looking forward to whatever change and challenges the future brings up.
www.linkedin.com/in/carol-chris-80a4772/
www.gbgplc.com/apac/
WOMEN IN SECURITY NOMINATIONS & JUDGES
The Annual Australian Women in Security Awards showcases the everyday heroes who are demonstrating real leadership and ambition in their ideas, passion and drive to combat some of the issues we face in the current security landscape. Our mission is to continue to inspire future generations to work in the IT security/cyber/protective security fields, and to elevate technical skills, impactful solutions, and commitment to giving back to the community. Honourees will be recognised on December 8th 2021 at the Annual Australian Women in Security Awards.
2021 CATEGORIES
• Best Program for Young Women in Security
• Best Place to Work for Women in Security
• Unsung Hero
• The One to Watch in IT Security
• IT Security Champion
• Australia's Most Outstanding Woman in IT Security
• Best Security Student
• Best Volunteer
• Male Champion of Change
• The One to Watch in Protective Security
• Protective Security Champion
• Most Outstanding Career Contributor in Protective Security
• Australia's Most Outstanding Woman in Protective Security
• Best Female Secure Coder
THE PROCESS
1. This year we received 643 Nominations across 16 categories.
2. All nominations within each category have been submitted to the esteemed judging panel.
3. Finalists announced September 22nd 2021.
4. Winners announced Live and streamed virtually from the Crown Sydney, December 8th 5:30-10:30pm.
INTRODUCTION TO OUR 2021 JUDGING PANEL
• MICHELLE PRICE: CEO, AustCyber
• ANGIE MURRAY: Transition Manager, Managed Security Services, CyberCX
• CATHERINE DOLLE-SAMUEL: Business Continuity & Resilience Specialist, UNSW
• DUSHYANT SATTIRAJU: Cyber SecOps Team Lead, Deakin University
• JACQUI LOUSTAU: Founder, AWSN
• JANE FRANKLAND: Owner & CEO, Knewstart (UK)
• TAMARA MARTIN: Security Resilience, AGL
• RACHELL DE LUCA: Chief Security Officer, Department of Parliamentary Services
• NIGEL PHAIR: Director, UNSW Canberra Cyber
• RACHAEL LEIGHTON: Cyber Strategy & Influence, Telstra
• JAMES NG: GM - Security Operations, AARNet
• REBECCA WINFIELD: Protective Security Operations & Delivery, IAG
• DR MARIE BODEN: Outreach Officer Research Interaction Design, University of Queensland
• CATHERINE BUHLER: CISO, Energy Australia
• GAI BRODTMANN: Futures Council Member, National Security College
• SAMM MACLEOD: Information Security Consultant
• LIDIA GIULIANO: Information Security Advisor, ANZ
• ANDREW DELL: CISO, QBE Insurance
• MICK DUNNE: CISO-CSO, AustralianSuper
• DR MARIA MILOSAVLJEVIC: CISO, Services Australia
• IAN YIP: CEO, Avertro
Christie Wilson
Cyber Resilience Manager, UniSuper
I’m a cyber resilience manager. I studied sociology at university. And I think I began to use my university qualifications only after I moved into security.
Sociology is the study of social life, social change, and the social causes and consequences of human behaviour. Many of the research techniques used in sociology are very applicable to cybersecurity.
For me, getting into cybersecurity was a leap of faith. I was managing a governance, risk and compliance team when my new manager asked if I could help the network security team with an audit report. Shortly afterwards, two amazingly talented and very experienced security professionals joined our team and we commenced an uplift program. I’ve now been enjoying the best role of my career for four years.
As a cyber resilience manager, my job is all about reinforcing and strengthening my organisation’s cybersecurity culture so our people understand and respond to cybersecurity risks. I provide cybersecurity awareness, education and training to our employees, and reporting to our board and management.
The training I provide covers compliance, phishing and security incident response training, and I also manage a cybersecurity champions group.
I have one security qualification, the SANS Security Awareness Professional. Gaining that was quite challenging, but the training was incredibly useful to help frame my thinking about my company’s cyber resilience program — which I created from scratch — and how to communicate progress with stakeholders. It validated my approach to that program. Aside from gaining that qualification, I think my sense of curiosity and desire to continually learn have been really important in enabling me to fulfil not just this role, but all the roles I’ve held across my career.
Every day’s a school day. It’s impossible to keep up with everything security related, but it’s important to maintain a broad understanding of what’s happening that could impact the industry sector I work in. I spend a lot of time engaging with industry peers and colleagues to both share intelligence, and to keep across emerging threats and emerging trends.
Security is often a game of cat and mouse. Risk management is our day-to-day work. Issues are going to arise, and our role is to be constantly alert to emerging threats, and to respond accordingly.
I also try and read widely to keep across the way cybersecurity is presented in the media, and to gather ideas about how to present cybersecurity content to our people in ways that are engaging and meaningful.
The most challenging aspect of my role is winning the hearts and minds of our people to build their cyber resilience. Cybersecurity might be the most exciting and important thing in the world to security people, but to others it’s not. So, it’s a constant balancing act to deliver cyber safety content and messaging that strikes a chord with our people.
I’m incredibly lucky to have a very progressive manager, and a quarter of our security team are women. Their diversity of thinking is critical for addressing security challenges. I work with a team of incredibly experienced and talented security professionals, and I bring a completely different skill set to the team. I can honestly say that I’ve always felt my contributions are valued and respected. I know I’m very privileged to work with such a team.
Finding new ways to keep people interested and engaged, to maintain momentum and keep the cyber safety conversation alive is a never ending challenge.
A big part of our cyber resilience program is giving our people constant nudges in the form of ongoing messaging, awareness and training. Sometimes, something happens that creates a real sense of achievement. One day I ran into a work colleague at my local shopping centre. He mentioned he’d reported the phishing drill I’d sent out a few days prior, based on a genuine phishing email. I was thrilled to learn that he was on high alert for unusual or suspicious emails. It told me that our training was working.
This training became an even bigger challenge when, like most corporates, my company moved to a remote working model almost overnight in the early days of the pandemic. As a team, we spent a lot of time raising awareness and educating our people about the new security risks and threats that came with the pandemic. This included everything from raising awareness about COVID-themed phishing attacks to guidance on how to work from home securely, and advice about the national COVID-Safe app.
In addition, we had to continue the cyber resilience program for our people when the methods of engagement I’d previously used (like face-to-face training, and lunch-and-learn meetups) were no longer possible. One of my proudest achievements over the last 12 months has been launching and embedding our security champions program while we were all working remotely.
And my most memorable security experience was creating a cybersecurity mascot, because I wanted the team to have a visual identity across the organisation. He now has a life of his own and features in our training modules, presentation packs, cyber safety videos and email signatures. We’ve recently had challenge coins made featuring him as well, which is really exciting. I had not realised how much of an achievement this was until new people joining the team from other organisations commented on how hard it could be to get traction on ideas like mascots.
www.linkedin.com/in/christie-wilson-9135317/
Mentoring Pilot
AWSN is pleased to launch the 2021 Australian Women in Security Network Mentoring Pilot.
Looking for ways to give back? We need you. Learn more at awsn.org.au/initiatives/mentoring/
CAREER PERSPECTIVES
BRIANNE HADLEY
RISKY, FEARLESS AND FIERCE:
WHY I PLAN TO GET MORE WOMEN INTO THE INDUSTRY— BY LEAVING IT by Brianne Hadley, Creative, connector and Knowledge vacuum
42
I have spent nearly 15 years working in the group
perspectives are important to the intelligence and
insurance industry. I spent most of those years
investigation cycles. We talk about how change in the
in investigative roles, focused on finding and
industry is essential to its health and effectiveness.
investigating fraud, identifying potential criminal
We talk about recruiting specialists from other
activity, and experimenting with intelligence-led
sectors, improving recruitment and graduation
policing models in the private sector. I love my job. I
rates in STEM fields. We talk about mentorship and
love the people I work with. I am proud to be in such
sponsorship, incorporating skills from the arts, and
a dynamic field with supremely talented women (and
breaking down both real and perceived barriers for
men).
women in security and related fields.
PASSION, ON ITS OWN, IS NOT ENOUGH. WE NEED PURPOSE.
TALK, ON ITS OWN, IS NOT ENOUGH. WE NEED ACTION.
In the past year, I have been actively involved in
When the world stopped in 2020, I was in
conversations about women and our roles in both
Mozambique on sabbatical. I had arranged to spend
private and public security. We talk about women
several weeks with a program called Project Purpose.
working in the security industry. We talk about how
This program works to fight all forms of sexual
WOMEN IN SECURITY MAGAZINE
C A R E E R
P E R S P E C T I V E S
injustice through, among other things, education and vocational training through its day centre programs. My first week was more or less business as usual, but it was not long before institutions (including the day centre) started to close due to the community spread of COVID-19. Fear started to spread in the community. The following week, the local hospital reached out to local non-profits, requesting
“While my social skills have improved, I am still often oblivious to basic social cues, especially from strangers. I usually rely on those I know around me to nudge me into propriety. I can (and will) turn small talk into a 30-minute lesson on the origin of olives in martinis, a discourse on an article I read about neural networks or a debate on species-appropriate diets for pets and livestock.”
non-medical face coverings for patients coming into the hospital. Medical protective
Passion and purpose, talk and action, space-making
equipment is difficult to obtain in these regions,
and skill-building. Each concept needs to be included
and the hospital wanted to reserve medical masks
and held in balance with its counterpart.
for health care workers and still provide protection for patients and their families. The hospital paid hobbyists to sew these masks and then distributed them at little or no cost to patients. I watched these women, who western society would call “rag-tag” (if they noticed them at all), go from sad and afraid to
I have come to realise that my approach was not in balance. I need to leverage my passion into a purpose, convert my talk into action, and focus my energies on helping others prepare for opportunities, rather than just creating them.
determined and empowered. Because they had the
For me, it means leaving security and intelligence for
skills and because others provided access to the
high school teaching.
equipment, they could take advantage of a lucrative
I wanted to be a teacher when I was in primary
business opportunity to create an independent stream of (potentially permanent) income for themselves and their families in an otherwise barren employment landscape.
CREATING OPPORTUNITIES (SPACE-MAKING), ON ITS OWN, IS NOT ENOUGH. WE NEED PEOPLE POSITIONED TO LEVERAGE THE OPPORTUNITIES WE CREATE (SKILLBUILDING).
school, and I have resisted becoming a teacher since high school. My experience in school was difficult. I excelled academically but failed socially. I graduated vowing never to enter a public school again. However, you cannot resist what is in you to do and to be. In every job I have had, training eventually became a key part of my day-to-day activities. In fact, the aspects of my life and personality that made high school hard are among the reasons I have done well in my investigative career and the reasons why I am making the switch.
WOMEN IN SECURITY MAGAZINE
43
I am a learner and a knowledge-sharer—a “nerd” if you
people who have the interest and are willing to pursue
will. My idea of “vacation reading” is one part Jane
the skillsets. However, for me, and I think for some
Austen, one part Miss Marple, and one part academic
others, it is time for a change.
journal. I binge-watch nearly as many documentaries as I do comedies and Korean dramas. I seek out opposite opinions and healthy debate. I learn (and share) about anything and everything. The curiosity and “jack-of-all-trades” pursuit of knowledge that has informed my investigative and intelligence practices have taught me how to consider problems from multiple perspectives, and find creative solutions. While my social skills have improved, I am still often oblivious to basic social cues, especially from strangers. I usually rely on those I know around me to nudge me into propriety. I can (and will) turn small talk into a 30-minute lesson on the origin of olives in martinis, a discourse on an article I read about neural networks or a debate on species-appropriate diets for pets and livestock. My former roommates, and many of my friends, will all attest to my tendency to “lecture” (I prefer to call it “information-sharing”) when some interesting topic comes up in our conversations. For a long time, I let those high school experiences and lack of social finesse dictate my choices. I let a fear of being “weird”, “different” and “awkward” shape my decisions, my plans, and my goals. I got out of
The women we are trying to recruit, the young women we are trying to nudge into post-secondary STEM degrees, and even the men trying to keep us away from the table, they all need to see examples of us as women being who we are. They need to see us pursuing what is important to us, individually, within our respective industries. They need to see us as risktakers. They need to see us as fearless. They need to see us as fierce. As you consider next steps in your career, consider my story. Most of you probably do not need to turn your life upside down and shake it up as I did. That said, small decisions and minor changes create big shifts over time. Maybe you just need to find that one idea “someone” should do, and do it. Maybe you need to take an art class, join Toastmasters, or learn to sail. Maybe you need to find a few “rules” to rethink. Maybe you need a long vacation. Whatever it is, find it; and if you are a people leader, encourage those you lead to do the same. Take risks. Be fearless. Be fierce. Above all, be you. More info on Project Purpose for those interested: https://www.projectpurposemz.org/
balance. I have had a fulfilling, rich and fun career. I would not change it, and I happily recommend it to
WOMEN IN SECURITY MAGAZINE
www.linkedin.com/in/brihadley
FINDING CYBER TALENT: WHAT’S IN THE SECRET SAUCE? by David Braue
Cyber recruitment is a seller’s market – so how can you lure the best recruits?
‘You never get a second chance to make a first impression’, the saying goes, and when it comes to cybersecurity recruitment it couldn’t be more apt.
Yet after years of seismic change in the way companies find and recruit employees, the window to impress potential recruits is smaller than ever: once they click away from your website or job ad, they may never come back again – and they’ll tell their friends.
Open job postings and targeted recruiter drives have been complemented with the sometimes-overwhelming process of sourcing staff via social media – where many companies still struggle to brand themselves and their jobs in ways that will attract female, non-binary, minority and other traditionally-marginalised candidates.
The needed changes can be overt – most companies are, for example, running away from the stereotype of the hoodie-wearing hacker as they promote the professionalisation of cybersecurity work – or covert, such as failing to check their published job descriptions for gender-specific language with free tools like the Gender Bias Decoder.
Actively advertising lifestyle-related qualities, such as support for flexible work in every job description, can also add to a company’s appeal to potential recruits. So, too, is taking care to speak in abstractions about required technical skills rather than specifying specific tools.
Studies suggest this last point is crucial for engaging women – who are, according to anecdotal evidence that was confirmed by Talent International’s recent Women in Tech study, often far too ready to judge themselves unworthy of an advertised job if they don’t meet its laundry list of esoteric specifications.
Technical skills can be learned on the job, of course, and most employers are willing to train the right person if they have the other qualities to suit the role. But with 38% of the 400 survey respondents admitting they ‘de-select’ themselves because they
don’t meet 100% of a listed job’s criteria – the biggest single obstacle among respondents – it’s clear that many women aren’t even giving themselves the chance to make their case. And that, Hudson senior talent specialist for cybersecurity Anuj Sabharwal told Women in Security Magazine, is doubly a shame because many women have the soft skills that have become even more valuable than having a laundry list of technical certifications. “Soft skills are the secret sauce to being successful,” he explained. “Stakeholder management skills are the biggest one that we see as a massive gap: you have the most switched-on technical architects who can’t really articulate to a business why they’re spending $5m on security.” “Soft skills have always been important – but in the recent past, it’s much more so,” he said,
noting that many companies were facing a steep learning and recruitment curve around cyber to meet governance, risk and compliance (GRC) requirements. “With the added regulations that we’re seeing from ASIC and APRA, you’re seeing all these ASX-listed businesses who have never really had a security person before, having to get an understanding of this,” he said.
Recruiters work extensively with candidates to identify their strengths and potential fit for clients – and the goal, Sabharwal said, is to use a broader lens to identify the “cream of the crop” who have a bigger vision for their careers than just earning more money and gaining more responsibility.
“The secret sauce is there,” he said, “when we find people who have that balance of being technically dangerous enough to have a conversation with technical stakeholders, but also being technically dangerous enough to speak to project managers, legal teams, HR teams, COOs. Those are literally like gold dust.”
EMPLOYERS NEED THE RIGHT SAUCE, TOO
Challenges finding the right security staff are nothing new, Gartner managing vice president for security and risk management Beth Schumaecker said during a Gartner Security & Risk Management Summit session earlier this year.
“For years, we’ve been talking about how really good security talent is hard to keep and find,” she said, noting recent research that found just one-third of companies report that hiring security professionals is easy. “I don’t know that I believe them,” she said, “but for everyone else it is a constant refrain to get the right people for certain security roles.”
Growing awareness of cybersecurity as a profession had delivered a growing number of entry-level workers but advanced skills remain chronically difficult: “we need to recognise that when we look across our portfolio or out in the hiring market, what we need is unlikely to exist in one person,” Schumaecker explained, reiterating the importance of sourcing talent internally as well as looking for it in the market.
Yet however well a company portrays itself to recruiters or on LinkedIn position descriptions, people already working within the organisation aren’t going to be so easily won over.
In this context, conversations about deepening their commitment to the company may quickly turn into diatribes about many of the well-worn obstacles to diversity that continue to plague women in today’s workforce.
Fully 56% of the Talent International survey respondents, for example, believe their career prospects are unclear at their current employer; 45% believe they aren’t paid the same as males; 44% believe they have been overlooked for promotions due to their gender; and 35% say they have been excluded from decision-making conversations.
“As women climb up the corporate ladder,” the report notes, “salary negotiations and cultural fit become increasingly larger hurdles to overcome while across the board, self-deselecting is the most prevalent challenge.”
Even informal processes can taint the experience for qualified women, with Project F CEO and founder Emma Jones noting that failing to fit in with social cliques – “normally centred around drinking, sporting, gaming” – means that women “miss out on informal involvement and introductions to people who can help you in your career.”
“This really does affect women’s ability to progress and creates favouritism.”
Such reports from the coalface provide a to-do list for companies seeking to make themselves more appealing for technical staff – ensuring they have the ‘secret sauce’ that will win over candidates who themselves have what it takes.
[Chart: WHAT HAS BEEN THE BIGGEST HURDLE YOU HAVE FACED IN THE HIRING PROCESS? Response categories: Self-deselecting based on feeling that you don’t meet 100% of the criteria; Negotiating a salary worthy of your experience; Difficulty articulating / selling achievements; Perceived ‘culture fit’ with a predominantly male team; Interviewer bias / discrimination; Biased wording of job ad; Other.]
Ensuring the company has female representation at all levels, for example, will go a long way towards convincing the best candidates that you’re not just another festering boys’ club – and, given the visibility into your management structure that LinkedIn provides, you’re not going to be able to hide it if you are.
“There are companies wanting a diverse workforce because they think it looks good, and they think it’s a selling point, and they have a quota to hit,” said Rachael Mayne, senior associate for cyber security and GRC with u&u Recruitment Partners. “But they are never going to have the right sort of culture.
MONEY CAN’T BUY YOU LOVE
Just as employers value ‘soft skills’ that bridge technical and business domains, savvy recruits are looking for a workplace where they will feel both valued and empowered – but that doesn’t mean they’re willing to work on the cheap.
Particularly in the year since COVID-19 put the world’s entire business community on a fast-track for digital transformation, demand for cybersecurity expertise has grown significantly – as have salary expectations.
A cybersecurity employee with one or two years’ experience will typically be demanding more than $10,000 higher salaries than they would have before the pandemic, said Mayne. That could push entry-level salaries from around $80,000 or $90,000, up to the $100,000 to $120,000 range, she said – and skilled recruits are proving quite happy to walk away if employers don’t come to the table.
“Companies that are refusing to pay it aren’t finding the people that they’re looking for,” she said. “But it’s a hard one because manager and senior-level salaries aren’t going up the same amount. Companies don’t have unlimited funds, so they need to figure out how they manage that – because they obviously need the team.”
While it’s important, however, salary alone isn’t the secret sauce that it used to be.
A recent survey by recruitment firm Contino, entitled The Voice of Talent 2021, found that while salary was the highest priority for women and second highest for men when choosing a job, it was only the sixth highest reason for leaving.
This suggests that a high salary is important to get someone in the door – but that many employees will be willing to put up with a less-than-stellar wage in return for softer benefits such as the intellectual stimulation of modern technology stacks, promises of career progression, work flexibility, and a good company culture.
“The competition for top talent has never been more aggressive,” said Gerhard Schweinitz, Director of Talent, APAC at Contino. “Any organisation who wishes to attract and retain the right people must understand how people view the workplace now. Our research shows that as businesses begin their journey towards recovery, they need strong leadership to chart the way forward to success.”
IAN YIP
HOW TO GET AN ENTRY-LEVEL CYBERSECURITY JOB IN 2021 by Ian Yip, CEO of Avertro
Ian Yip is the CEO of Avertro, a venture-backed cybersecurity software company. There is no shortage of people wanting to break into the industry, so how do you stand out?
THE UNICORN
A few years ago, I hired someone into our team at one of my previous employers. Despite having zero commercial cybersecurity experience yet wanting to break into the industry, they weren’t sure they wanted the job. Today, they are still at that company, but in a different team doing the role they ultimately wanted. At the time, their day job wasn’t fulfilling. But it paid the bills. The most interesting thing, however, was they maintained a blog purely focused on cybersecurity. And they wrote about all the things they’d experimented with, learned, and achieved as part of their hobby.
This person wasn’t actively looking for a job. They didn’t even know I existed. But I’d seen enough: “I have to hire this person.” I sent them a message introducing myself and asked if they were open to speaking with me about a potential role in cybersecurity. They agreed, but could only be available during lunchtime because their workplace at the time kept employees on very short leashes; they were only “allowed out or could speak with people during lunch”. I took this person to lunch, spending the first half finding out about them and what made them tick. I spent the second half pitching them on why they needed to join our team. The stumbling block in their mind despite wanting to break into the industry was that they wanted to be a pentester. The role we were offering wasn’t exactly
what they’d envisioned. My pitch was essentially this: “It’s great that you want to be a pentester. I believe you have the attitude, hunger, and intelligence to get there. And you should take the role we have on offer as a way to get there. It will provide a foundational experience in cybersecurity that you’ll benefit greatly from.” They thought about it and a few weeks later, they joined our team. Today, that person is a pentester, and I am extremely proud of them.
PROVE, DON’T JUST TELL
We’re kidding ourselves if we think the majority of cybersecurity professionals are in the industry because of their passion for it. Many are in the industry because it pays well.
Truth be told, most people aren’t passionate about their line of work in the same way they are about something they truly love. This is not to say there aren’t people who love cybersecurity. When we try to ascertain someone’s “passion” for cybersecurity, we’re really trying to figure out if they have the curiosity, conviction, and persistence to solve problems and get the right outcomes. Everyone trying to get an entry-level role in cybersecurity says they are passionate about the topic. So ask yourself: “How am I proving that I’m truly passionate about cybersecurity?” You’ve probably completed some courses or certifications. You might even have a university degree with the word “cybersecurity” in the title. This does not differentiate you. Studying doesn’t prove to
the world that you are passionate about something. It shows that you found the topic interesting enough for your own personal reasons to spend some time learning about it. Ideally, you will come up with your own unique ways to prove that you want a cybersecurity career for the right reasons. Here are some examples:
• Write blog posts.
• Start your own cybersecurity project to build on your foundational education.
• Share articles (via social media) you’ve read that you find interesting, including what you learned.
• Attend events or webinars and tell people on social media what you learned or found interesting about each.
• Join industry associations or groups and actively participate.
Most importantly, do these things regularly.
I WANT TO BE A PEN TESTER OR SOC ANALYST
That’s great, but so does everyone else trying to get an entry-level role in cybersecurity. The reality of it is, most will not get one of these roles as the “foot in the door”. The industry needs pen testers and SOC analysts. But we usually need them to be experienced and effective. Every now and then, a larger company will want to hire an entry-level pen tester or SOC analyst and be willing to train them. For every one of those roles advertised externally, there are 100+ people who apply for them. It’s a very long queue. Organisations are more likely to train someone internally into one of those roles. They likely already have entry-level people learning on-the-job about other aspects of cybersecurity and it makes more sense for them to find their new trainee pen tester or SOC analyst from the internal pool of junior team members. In addition, a large proportion of these roles aren’t advertised. They are sourced internally, or via one’s own network. I get these calls all the time from people I trust, and who trust me. Nothing ever gets advertised, and the roles still get filled.
Cybersecurity is more than just pen testing and SOC analysis. Other types of roles you can look at include: Awareness and Education; Communications; Identity and Access Management; Security Governance; Risk Management; Regulatory Compliance; Privacy; Application Security; Cloud Security; Vulnerability Management; Third-Party Supply Chain Risk; Data Protection; Business Continuity; Incident Response; Digital Forensics; Policies, Standards, and Guidelines; Business Intelligence and Reporting; Quality Assurance and Testing; Program/Project Management; Business Analysis. This is not an exhaustive list, but I hope this makes it clear how many other avenues you have into an entry-level cybersecurity role.
THE WORLD IS BUILT ON RELATIONSHIPS
You should already know this; it’s especially true in a crowded field of entry-level candidates. Learn to network a little, even if it doesn’t come naturally to you. You don’t need to be a social butterfly. But as someone looking to get into cybersecurity, it does help to get to know some of the folks already in the industry. Given the relevance of cybersecurity today, there will inevitably be a number of industry groups, meetups, events, and conferences in your location. Make it a point to learn what’s available. Of course, in a post-COVID world, there aren’t nearly as many opportunities for industry events. But they haven’t disappeared completely. In-person or virtual, quite a number are free to attend; target these in the first instance. For example, in our region, the Cyber Risk Meetups are excellent. The Australian Women in Security Network (AWSN) is another great initiative to get involved with.
Another way to stand out is to be referred by a mutual connection. For example, a mutual connection reached out last week and told me we would be doing ourselves a disservice by not speaking with a candidate. So I interviewed them and was subsequently glad that I did. The aforementioned person is now on our shortlist of candidates for one of our open roles. I understand that when one is trying to break into an industry, you likely don’t have very many connections. So how do you get them? There’s no easy way to do it. You just have to start. Look for all the people you respect and think you could learn something from. Follow them on social media. Try to figure out if you have a mutual connection. If you do, ask your mutual connection for an introduction. If not, then at least follow them for some time and understand what they care about and are interested in before reaching out to ask for a conversation. If they agree, spend the time learning and asking for advice. Don’t expect anything back. You should definitely not try to sell them anything, or ask for a job. If they are a genuine person, they will likely try to find out what your aspirations are, which is your permission to tell them. Even then, talk about your goals at a high level. Don’t say: “I’d like a job at your company.”
SO YOU GOT AN INTERVIEW
Congratulations! Getting an interview is difficult, particularly if you are trying to get an entry-level position. We’re currently hiring for an entry-level cybersecurity role at Avertro. It’s not a pen-testing or SOC analyst role. There were 80 applicants, and we’ve shortlisted 15. I interviewed all 15 people. 20% of them did not make it past the first 10 minutes of the interview with me because they failed the most important question. Even if you fail the interview early, how you react means a great deal. One of the candidates spent the rest of the interview thanking me for the feedback and explaining how they intended to improve and that they would love to have an opportunity in the future to prove it to me. You know what, I’d likely speak to them again for a future role if they show they’ve learned their lesson. Another hung up on me immediately before I had the chance to thank them for their time. All that did was prove I made the right decision. I will likely never speak with this person again. The other 80% made it all the way through the 30-minute interview, and we’ve shortlisted three. Why did these people make our final shortlist? Because they exhibited the common traits many interviewers are looking for in their top candidates.
KEY TAKEAWAYS
• If you’re truly passionate about cybersecurity, differentiate yourself by proving it.
• There is so much more to cybersecurity than being a pen tester or SOC analyst.
• Relationships and networks matter, even at entry-level.
• Learn how to interview well: there are literally guides on how to do it right.
www.linkedin.com/in/ianyip/
www.avertro.com/
NICOLLE EMBRA Cyber Safety Expert, The Cyber Safety Tech Mum
Setting boundaries on teen’s device use
Teens might think they know everything (just ask them!) but the reality is they need their parents to set boundaries and guidelines: guidelines for schoolwork and homework; guidelines for social outings with their friends; guidelines for helping with chores in the home. Use of technology is no different: it too needs guidelines.
Boundaries and guidelines for tech use are designed to help keep your teen safe when they are online. These will look similar for most families but will not necessarily be exactly the same. They will depend on the children’s ages and on their parents’ beliefs, family values and morals.
In a perfect world, it would be ideal to implement tech boundaries and guidelines for children from a young age, tweaking them when necessary, so by the time they enter their teenage years, these practices are well embedded.
It can be difficult, but not impossible, to introduce tech guidelines for teens.
Some teens are actually grateful to have boundaries around their tech use. They know, left to do their own thing, their device use will likely be excessive. Boundaries can also give teens an ‘out’ when their friends are communicating via social media or group chat and they would prefer to remove themselves. “I’m not allowed to use social media/chat after 9pm” is the perfect way a teen can take themselves out of a situation they don’t want to be in.
To get started, parents should map out their own ideas on how the boundaries for tech use are going to look in their home. Here are the areas to address:
Where can devices be used in the home? The aim is to have devices used in a common area where other family members are constantly walking through and can hear what is on the device. This might be a lounge room or family room. It is advisable to make sure that bedrooms don’t have TVs or gaming consoles in them. This is not going to be an easy sell. Older teens like their privacy, and this is only natural. By setting the boundaries recommended in this article, it is probably OK to allow your teen a little privacy with their phone. However, you will need to be hyper-aware that this opens the door to dangers, and you will have to be constantly on the lookout for any changes in their behaviour that might signal an issue.
Be sure to come up with some Tech Free Zones such as the dinner table and the car. Tech Free Zones create opportunities to engage in conversation with your teen.
When can devices be used? This guideline will look very different in every family. It might be agreed that devices can be used once chores are done or homework is completed. You might decide that your teen can use their device for homework between 4pm-6pm and then 7-7.30pm for personal use. The decisions you make around when your teen can use their device will be based on their age, school and sporting commitments, hobbies, daily routines and your parenting methods and beliefs.
How can devices be used? Talk to your teen about how they are using their device. Devices can be used actively for educational purposes such as learning, reading, creating digital art, or passively such as to watch movies or YouTube. It is important to help your teen understand the different uses so they can begin to make positive choices about how they are using their device.
Devices should not be used and charged in bedrooms overnight. This is a non-negotiable rule. Make sure you have a central charging station in your home where all devices sleep at night. Chargers should ‘live’ here and should be placed there at an agreed time every evening. Keeping devices out of bedrooms increases the quality of sleep. There is no chance of phone notifications disturbing sleep, no opportunity for social media use during the night to increase the chances of cyber bullying, and no opportunity to take and share inappropriate images, or talk to strangers.
Teens using devices for homework often causes tension in the home. We want our kids using their devices in a common area of the home, but everyone doing homework in the lounge room or the dining room during the afternoon and evening (sometimes until late for older teens) just isn’t an option. This is where an agreement that homework is done at their desk with the bedroom door open and without headphones on is helpful, as well as using a cyber safety solution to limit their access (think Netflix and YouTube) during homework time.
If your teen has social media accounts, you can make it a rule to sit together and set the available privacy settings in those accounts.
When setting boundaries with your teen, you need to agree in advance what the consequences will be if they don’t stick to the rules. There are predominately two schools of thought here. The first is to remove the device from the teen altogether and the second is to allow them to use the device, but take away a different privilege such as allowing them to attend the movies with their mates that weekend. I’m not going to tell you which one you should use. Because you know your teen best and probably have a particular parenting style, you will most likely already have a preference as to what type of consequence will be most effective for your teen. It is important to remind you that teens use their phones to communicate with their friends — phones are very much part of their social life. With the challenges we face in this pandemic, it could be damaging to block them from social engagement.
Now that you have mapped out how you would like the boundaries to work in your home, go back over them and decide what your lowest limit is for each. Why? Because when you ‘meet’ with your teen to get their input, the first thing they are going to want to do is negotiate. So, you need to give yourself some wiggle room and start high. You would be crazy to create these boundaries, write or print them out and present them to your teen thinking they will happily agree to them. I recommend grabbing a whiteboard, explaining that you are happy for them to use their phones, iPads and gaming consoles but that their safety is your number one priority, and you would like their input in coming up with some ways to keep them safe.
A tip here is to have yourself (and your partner) willing to agree to these rules as well. Setting ‘family boundaries’ that everyone has to follow is much easier for your teen to accept than having boundaries dumped on them alone.
Now pull out your best boardroom negotiation skills and work that whiteboard with them until it matches the map you created. Take a pic on your phone and share it around so everybody is on the same page. If the boundaries stop working for you for some reason (new school commitments etc) then take a minute to get together as a family to review and amend them.
www.linkedin.com/in/nicolle-embra-804259122/ www.thetechmum.com www.facebook.com/TheTechMum
www.pinterest.com.au/thetechmum
A PROGRAM THAT CONNECTS, SUPPORTS AND INSPIRES FEMALE-IDENTIFYING TERTIARY STUDENTS AND EARLY CAREER PROFESSIONALS.
"When women work together, they become a force to be reckoned with. Be part of a force for good in the security industry, by joining the AWSN Cadets program today!" - Liz B, Co-Founder
Studying or an Early Career Professional in information security? Learn more at awsn.org.au/initiatives/awsn-cadets/
INDUSTRY PERSPECTIVES
FIVE STEPS TO ACCELERATING CONSUMER SECURITY AND DATA USE TRUST DURING A PANDEMIC by Julian Ranger, Executive President, and Founder at Digi.me | Australian Data Exchange, A/NZ Representative of Digi.me
There is a long-held maxim about the virtues of simplicity. For years sectors and entities, from the navy to newspapers, to designers have adhered to the KISS principle: Keep It Simple, Stupid.
It reflects the premise that most systems work best if kept straightforward, rather than being made unnecessarily complex. And it holds true for technology as much as for anything else. The desire to make products and services stand out from the crowd can too often translate, mistakenly, into making them the biggest and the best, and then putting a cherry on top. But, designing something that actually does what it says on the tin, and delivers an outstanding user experience, is a far better route to success. And the more transparent a service is about what it does, what data it collects, and for what purpose, the more easily will trust in it be built, and the larger the user base will grow.
As the world navigates through the COVID-19 pandemic, and as the lines between information and misinformation become ever more blurred, this has never been truer. Happily, there are some core ways that technologists and evangelists advocating for a more personalised and data-driven future, one built on full user consent, can draw on their experience to help increase consumer trust. Let’s explore some of their key insights. 1) Do what you say. This is the most important principle, and the simplest. Tell people what your app or service does, and then ensure it does nothing more, and nothing less. No dark patterns, nothing that is at all unclear, just the information required so
I N D U S T R Y
P E R S P E C T I V E S
that explicit and informed consent, as required by
5) Allow users to disappear. Putting individuals at
the EU’s GDPR data protection regulations and other
the centre of their data, and in control about what is
laws around the world, can be given whenever users
shared and with whom allows them to be forgotten,
choose to share their data. Key to this is ensuring that
if they so choose. This ability to withdraw consent
everything is clear and transparent so users actually
at any time is a legislated requirement in some
understand what they are agreeing to at every stage.
jurisdictions. While this isn’t possible in every single
Following this principle consistently and tracking back to it with every new feature or design tweak will ensure you don’t go far wrong.

2) Be transparent about data provenance and data flows. To build trust in data-sharing services it is essential to be transparent about how and where data is shared, and to enable individuals to retain control of the data they provide. Such transparency is crucial to enable the proper functioning of services such as Covid health passes. It is also important to have robust security measures in place to protect individuals’ data, and to be transparent about these. Individuals need to be convinced they have nothing to fear, and worthwhile benefits to gain, by sharing their data.

3) Build in positive actions. It is possible to build into an app or service functionality that makes users feel they are in control of what the app does, and more connected to it. A swipe, for example, is a more considered action than a button push, but still simple and straightforward to initiate and to understand. Certain situations — such as needing proof of Covid vaccination or a negative PCR test to be able to board a flight — will push users in the direction of consent, but each individual must be able to withhold consent to the sharing of their data.

4) Be human-centric. In a nutshell, this means putting individuals at the centre of every aspect of their digital lives, including individual apps and services. In Australia, the government is already moving in this direction, with a tender out for a personal health data wallet that would enable individuals to hold their own data. Digi.me, for example, allows people to control and choose who they share it with, with explicit consent. This is critical. It keeps users connected to the service, and confident they are in control, which in turn builds trust and willingness to engage in data-sharing more broadly.

situation — some legacy data must be kept by law — it is an important consideration and should be built in where possible.

KEEP IT SIMPLE, STUPID

Going back to what I said at the beginning, the common thread running through all these steps is simplicity, which builds transparency, which morphs into trust.

There are, of course, other steps that can be taken: data minimisation, not asking for data before it’s relevant, not asking for data unless there is a benefit for the user will help grow consumer trust in the security of data and in data sharing. But, fundamentally, it’s about putting in place a solid foundation of trust and building onto those foundation relationships that bring benefits for both sides. Getting the gathering, consent and flow of data right and keeping the associated processes simple and transparent will build consumer trust. So don’t be stupid — it really is just about keeping it simple.

Digi.me
www.linkedin.com/company/digime
www.digi.me
twitter.com/digime
www.instagram.com/digidotme/

Australian Data Exchange/ID Exchange
www.linkedin.com/company/australian-data-exchange/
www.australiandataexchange.com.au
twitter.com/idexchange_me
WOMEN IN SECURITY MAGAZINE
SASENKA ABEYSOORIYA

THRIVING IN A POST-PANDEMIC FLEXIBLE WORKING ENVIRONMENT
by Sasenka Abeysooriya, Senior Strategic Adviser at The University of Queensland (UQ)

At the start of the COVID-19 pandemic, no one knew what to expect. We were plunged into uncertainty, borders were closing, social distancing was imposed, and toilet paper became a valuable asset. Forget about the Melbourne Cup, an address by Prime Minister Scott Morrison was what stopped the nation. In March 2020 lockdowns were progressively implemented by the Australian federal and state governments to restrict the movement of citizens and slow the spread of the novel coronavirus. Governments also mandated the closure of all ‘nonessential’ workplaces. Suddenly, if you still had a job, you were most likely working from home.

While some organisations had offered the ability to work from home as a perk, it became the ‘new normal’. However, getting there was not straightforward for many organisations. 2020 saw some incredible digital transformations to ensure everyone could safely connect to work environments and continue meeting online. This was an enormous change for most organisations, but getting the technology in place was arguably the easiest part of implementing this new way of working.

I strongly believe any planned change will be most successful when people and process are at the forefront of planning. People are an organisation’s most important asset, and with any change people should be considered first. As medical experts work hard to keep us safe, leaders, managers and employees are having to adjust and learn new ways to work and live. There is a lot to process when work and living conditions are changing daily. Given the increased isolation in an uncertain world, it is equally important to recognise that many of the risks for psychological injury will also be heightened during these times.

Now, more than a year into the pandemic, leaders have another decision to make. Some organisations have moved back to the office at scale, some have opted for flexible working conditions, and some are still working from home.
I N D U S T R Y
P E R S P E C T I V E S
RESPONDING TO THE NEW NORMAL

Some workplaces are starting to see a push to bring employees back to the office, whether that be full time or in a hybrid remote/office mode. Before considering a full-scale transition back to the office, it is essential for leaders to understand the mental state of their people, and reflect on how working from home has changed efficiency and outcomes.

At the start of the pandemic, when faced with the complexities and challenges associated with the sudden shift to working from home, not all people were keen to leave the office environment. Now, more than a year later, some will be enthusiastic about returning to the office while, for various reasons, others will not want to do so.

Since mid to late 2020, staff in my organisation have started to return to the office. I have adopted a flexible work environment—and intend to maintain this moving forward—where my team come in a day or two each week and work from home the rest of the week if they wish.

Whilst the pandemic was challenging, it also highlighted how we could do better as a team. During the lockdown, my team transitioned to working completely from home, and put some major runs on the board. Given the circumstances, morale was high and productivity was excellent.

Our organisation’s proactive approach to planning for the pandemic also included budget cuts. Our team responded by coming up with new and creative ideas to ensure we could still deliver maximum value for the organisation, with limited funding. An example of this was the launch of https://data.uq.edu.au, a website focusing on data and data literacy. It provides guidance on how to appropriately access and store data and make it easily accessible. The analytics showed this website to have been in high demand, especially during the pandemic whilst most of us were working from home.

Below are some factors I believe helped my team, and continue to help us thrive in a flexible work environment.

COMMUNICATION AND TRANSPARENCY

Trust and transparency have become popular workplace expectations. Studies have shown that genuine transparency strengthens working relationships. Workplace transparency is not only about sharing information; it has an enormous effect on the overall morale of the environment, and how teams relate to the organisation.

We want to know what is happening around us. It is important to communicate and share the good news, the bad news, and the challenges ahead; especially in times of uncertainty. Transparency is important to maintain trust, to ensure rumours do not circulate, and to minimise anxiety. In our daily morning huddle I take the opportunity to check in on the progress of our work and to give the team an update on the state of affairs.

When leaders foster a culture of openness and sharing, others will feel encouraged to share. After all, communication isn’t a one-way street. Asking questions is a great way to encourage others to speak up and it demonstrates your humility: that you recognise your need to improve and learn. Asking questions could lead to process improvement opportunities and empower others to share new and innovative ideas.

FOCUS ON OUTCOMES, NOT ACTIVITIES

I am obsessed with focusing on outcomes. My experience in running my own business has led
me to appreciate the time it takes to achieve an outcome, and how this is more valuable than focusing on outputs (or volume). It has been shown that organisations see positive results when their people are empowered to find ways to deliver value that suits them as individuals. This is not achieved through the micromanagement of people, which can lead to poor performances. We’ve seen a focus on outputs from some organisations during the pandemic, for example implementing monitoring software to track team activity. The process for achieving outcomes may take different forms. On one day this process might be boardroom negotiations that take hours; the next day it might be discussions over lunch and a beer. However, the outcomes of these different processes might be equally valuable.

If teams are not focused on outcomes (value) but instead are focused on activities or outputs (volume), they are spending time fulfilling the wrong metric.

To me, when teams focus on activities, they are keeping busy, rather than maximising value to the organisation. In my daily huddles, I am generally concerned only with progress towards outcomes, and what I can do to support it. The key to staying focussed on outcomes is a shared vision, an understanding of the desired direction. To complement this vision, teams should be given structure in the form of parameters to operate within. These can include quality standards, operating practices and principles.

KEEPING YOUR TEAM ENGAGED AND MOTIVATED

Whether a team is in the office or working remotely, it is important for it to be motivated and engaged.

Engaged employees are productive, not afraid to suggest ideas, and often end up exceeding expectations. The reason employees are engaged and motivated is very simple: they want to be. If they are inspired by the work they do, and if they believe in the organisation, they buy into the vision the organisation has set out. To keep teams and employees engaged and motivated, identify their pain points, issues and challenges. Enable employees by providing them with the tools and resources they need to succeed in their roles. Invest in their personal development and recognise them for their hard work. Like a partner in a happy marriage, employees will take care of you if you take care of them.

Working remotely can bring isolation and create collaboration and communication challenges, if you are not proactively addressing the risk it creates. One way of maintaining engagement is through frequent one-on-one meetings. These check-in meetings have always been important, but should be prioritised when staff are working from home. My fortnightly catchups with my direct reports are open-ended conversations. Unlike status reports, they are times to connect, coach and, most importantly, opportunities to vent. I like to know if my staff are still enjoying work, what frustrates them, and if I can help them in any way. I don’t feel I have to hold these catchups in a meeting room. If we aren’t working from home, they tend to happen at the pub next door.

FINAL THOUGHTS

These new working arrangements have afforded us benefits we didn’t have before the pandemic. These include opportunities to hire staff from interstate without asking them to relocate, a previously difficult proposition. Flexible workers can be more effective. Employees who have opportunities to work flexibly have been shown to have greater job satisfaction and to be more engaged. This increases both their productivity and their sense of loyalty to the organisation.

I am incredibly proud of my team, and I am very grateful for their hard work, and how they have responded to much change.

www.linkedin.com/in/sasenkaabeysooriya/
twitter.com/sasenka89
www.instagram.com/sasenkaabeysooriya/
www.sasenka.com
s.abeysooriya@uq.edu.au
SAI K. HONIG

PIPELINES
by Sai K. Honig, CISSP, CCSP Co-founder - New Zealand Network for Women in Security

In May this year, the cybersecurity world’s attention focused on a pipeline in the US that had fallen victim to a ransomware attack. The Colonial Pipeline is 8,850 kilometres long and can carry three million barrels of fuel per day between Texas and New York. Colonial Pipeline confirmed it had paid a US$4.4M ransom to the cyber-criminal gang responsible for taking its pipeline offline. (It was later reported that $2.3M had been subsequently recovered by the FBI.) While we have learned much from this incident, we will probably be discussing how to prevent such attacks for a long time.

However, there seems to be one pipeline that is rarely discussed in cybersecurity: the staffing pipeline.

There is a lot of press about a global shortage of cybersecurity professionals, but very little about building a pipeline of staff within organisations. By “pipeline” for cybersecurity, I mean graded levels of staff from entry level to senior level. Such a pipeline may even include students as interns. It provides a career pathway for cybersecurity professionals while encouraging them to remain within the organisation, and in cybersecurity careers. An effective career pipeline also builds cybersecurity knowledge within the cybersecurity team and within the organisation.

There is a worldwide shortage of cybersecurity professionals. According to the (ISC)² 2020 Workforce Study, “data suggests that employment in the field now needs to grow by approximately 41 percent in the US and by 89 percent worldwide in order to fill the talent gap”. The challenge is to identify and implement actions to fill that talent gap.

There are some relatively easy steps that can be taken to bridge this gap. Many of these steps have been discussed at length, tools have been created and helpful groups formed to assist. Some of these steps are:

• Review job postings and hiring practices to see if they are inclusive.
• Look beyond computer science degrees for staff.
• Establish programs to assist parents returning to the workforce.
• Have flexible working arrangements.
• Look for people interested in changing careers.
• Look for returning veterans.
• Train or mentor early or mid-career professionals.
• Consider partnering with organisations that train people outside of “traditional” schooling.
• Hire graduate students/interns.

These are some suggestions, and the links are to organisations/resources that can help implement
them. Any of these actions can be used to build a pipeline, but success requires effort and commitment from the entire organisation, because these changes have to be implemented by the organisation. We have seen organisations build staffing pipelines for their product development teams. A similar approach should be applied to cybersecurity teams.

Below is an example of one way to structure pipelines within security. The idea is that there are levels of security staff. Having levels would also encourage staff in other areas of the organisation to consider working in security, knowing they would have a mentor to teach them the tools and processes. Levels would also encourage cross-training among security staff. In an organisation with multiple technology stacks staff could rotate between technology stacks to gain further knowledge and experience. Technology stacks also provide a career path for those wanting to stay in cybersecurity.

Many smaller organisations may not be able to implement a cybersecurity staffing pipeline. However, there are simple ways to build an unofficial pipeline. Organisations can look to hiring interns for short term assignments. They can consider current staff that may have an interest in cybersecurity, and include them in current and ongoing projects.

Hiring is a process that often involves groups outside of cybersecurity, such as human resources. Individuals in such groups may need to be educated to look beyond the job description (or may even need help in creating job descriptions). I once spoke with a human resources director who was seeking an early-career cybersecurity professional (two years or less) who was also a Certified Information Systems Security Professional (CISSP). I had to inform her that a person requires a minimum of five years’ experience to become a CISSP.

I was able to move into cybersecurity while working as a financial/operational auditor. A chance opportunity came up to look at implementing new IT systems. At first, I was unsure whether this was a good opportunity for me. But the further I progressed, the further I wanted to go. I was also encouraged by hiring managers being willing to overlook the fact that I did not have a technical (eg computer science) background.

At a time when more organisations find themselves victims of cybercrime, can we afford to limit options for hiring? Creating pipelines can help organisations do more in security and create a “security mindset”. Otherwise, like Colonial Pipeline, they may find themselves having to shut down.

www.linkedin.com/in/saihonig/
newzealandnetworkforwomeninsecurity.wordpress.com
OWNING THE UNKNOWN: STUDYING AND WORKING IN THE FIELD OF CYBERSECURITY AND SOFTWARE ENGINEERING
by Laura Jiew, External Engagement at the School of Information Technology and Electrical Engineering, The University of Queensland.

Tomorrow’s female leaders in cybersecurity will start in the unlikeliest of places. Below is a story of three very different paths undertaken by female-identifying professionals from The University of Queensland (UQ).

CURRENT STUDENT, MASTER OF INFORMATION TECHNOLOGY

Lynore Close is a proud Wakka Wakka woman from Northern Queensland. Lynore chose to move to South Australia in her late teens after finishing high school early so she could travel and find herself. She landed a job as a farmworker in regional SA in the cold harsh winter, realised it wasn’t for her, and changed her direction. As luck would have it, a colleague had approached her about enrolling in an ICT traineeship program aimed at First Nations youth offered via TAFE SA. After completing this, Lynore was accepted into a two-year work placement program at a local IT company based in South Australia.

Missing home and family, Lynore decided to move back to Brisbane in 2018 and continue her IT career.

Shortly after moving, Lynore stumbled across a LinkedIn post on the partnership between Baidam Solutions and UQ. It inspired her to reach out to the CEO of Baidam Solutions, Phillip “Pip” Jenkinson. Lynore’s conversation with Pip eventually led her to securing a UQ and Baidam Solutions’ SANS Institute scholarship, and she is currently studying for a Master of Information Technology.

Can you tell us more about Baidam Solutions and the role you have as a staff member there?

I am Baidam’s first technical recruit and work as a Security Systems Engineer. The team at Baidam has
been incredibly flexible by allowing me to pursue my postgraduate studies and work at the same time. Although my role is technical, I have been encouraged by many of my colleagues at Baidam to cultivate my leadership skills. I am particularly grateful to Pip and Craig Ford who have both been wonderful role models and mentors in the cybersecurity industry.

Any advice you’d like to give to First Nations school leavers and mature-aged students about pursuing a higher degree in information technology?

Reach out and don’t be afraid to develop a network. LinkedIn is a great place to start. Often, I’ve found that one opportunity leads to another. Another tip is to Google “ATSI” for any tertiary education institutions you may be interested in. Often you’ll find resources and opportunities tailored to First Nations students and prospective students.

Remember to maintain your connection to the country. Members of minority communities are more likely to aspire to a role if they can see someone like themselves in that role. I hope to inspire the next generation of First Nations women to take up roles in cybersecurity and be a good role model for them.

ALUMNUS, BACHELOR OF COMPUTER SOFTWARE ENGINEERING (HONOURS)

Nandini Jain is a recent graduate and alumnus in Software Engineering. Originally from India, Nandini was a transfer student through The Manipal Academy of Higher Education (MAHE), which has strong links to the Faculty of Engineering and IT at UQ.

As a child, Nandini was adept and resilient to change because her family had to move often owing to the nature of her father’s work. In her teens, Nandini would often dream of studying abroad and her interest was piqued in eighth grade when she was exposed to a Carnegie Mellon robotics program. With strong parental influence and encouragement, Nandini continued to cultivate her interest in STEM and robotics well into eleventh and twelfth grades when she enrolled in the International Baccalaureate program, pursued the sciences, and cultivated her research skills in the Theory of Knowledge component of the program.

You’ve done some amazing stuff as a UQ student and recent alumnus. You were a Dean’s Global Scholarship recipient, a student ambassador, you tutor undergraduate students and you’ve been involved with TEDxUQ, etc. Tell us what motivates you to be involved and a conscious contributor in your field of study?

My parents always encouraged creativity when I was growing up and were always supportive of me pursuing new avenues and areas of interest. I have always been conscious about pushing myself: new challenges excite me.

Because I had moved around frequently with my family while growing up, trying new things was a coping mechanism, and I realised very early on that such a mindset opens new doors and leads to many new opportunities.

For example, being a scholar gave me the opportunity to apply for a student ambassadorship, which then gave me the opportunity to network and tutor current undergraduate UQ students. I’m always excited to take on new challenges.

What are your long-term career aspirations? Any key takeaways from recently graduating and completing your degree?

In the long term, I’d love to be a tech entrepreneur and have a personal interest in exploring user interfaces and user experience. The idea of leveraging my software engineering background and applying it to the digital transformation age excites me. Imparting knowledge is something I’ve always enjoyed doing.

My biggest takeaway would be the value of continuous learning. Software engineering, and the STEM study areas in general, involve a lot of hard work and may often feel like a hard slog, but with love and genuine passion and an open mind, the sky’s the limit.
Any advice you’d like to give to school leavers, especially female-identifying ones, about pursuing a higher degree in information technology or software engineering?

Head into it with a genuine passion, interest and understanding of the subject areas. Whenever the going gets tough, take the time to reflect and realise that you will learn much from the challenges you will come across.

Reach out and build a good support network. There’s always so much you can learn from your peers. Never give up.

STAFF, UQ CYBER SECURITY

Dr Abigail Koay is a staff member at UQ and a research fellow in cybersecurity. Abigail hails from Malaysia and grew up in the state of Penang, known in British colonial times as “The Pearl of the Orient”. Growing up, she was mostly interested in biology and chemistry and wanted to be a cancer or medical research scientist.

After completing her high school education, Abigail was offered a place in the Bachelor of Computer Science program at The University of Malaysia Pahang (UMP) where she had an amazing course lecturer in her undergraduate course. The experience reinforced her passion and interest in information technology and computer science. Another valuable feature of her undergraduate course at UMP was the incorporation of a Cisco CCNA certification as part of its Bachelor of Computer Science program. A CCNA certification validates skills and knowledge in computer networking fundamentals, IP connectivity and services, cybersecurity fundamentals, and automation and programmability.

After working for a couple of years in Malaysia for well-known commercial entities including IBM and Vinx, Abigail went on to obtain a PhD in Engineering (Network Security) from Victoria University of Wellington in New Zealand. Her PhD research focused on the detection of distributed denial of service (DDoS) attacks on large-scale networks.

In early 2021, she took up her current fellowship position on-site at UQ, after a slight delay due to the Covid-19 pandemic. She looks forward to the next chapter of her career in Brisbane, Queensland.

Can you tell us more about why you chose the cybersecurity and software engineering pathway?

To be honest, I landed in the field by accident when I was offered a place to study computer science after finishing high school. I soon discovered I had a knack for it. I was extremely fortunate that I had amazing lecturers at university who inspired me to do well in my degree course.

When I was young I wanted to be a medical researcher, a cancer researcher to be specific. These days I often think that, even though I’m not directly involved in saving lives, cybersecurity is so pervasive I’m still able to make an indirect contribution. I think of it this way: the work I do contributes to the “health” of hospital equipment rather than the health of a person, and it matters.

Your PhD research focused on the detection of distributed denial of service (DDoS) attacks on large-scale networks. Tell us what motivated you to pursue this topic?

At the time, DDoS was extremely topical in the information technology and computer science community. Most folks will be familiar with the incident which knocked Spamhaus offline. The Xbox Live and Playstation attacks also made waves in the media.

In addition to this, my primary supervisor’s expertise was in security while my PhD co-supervisor’s expertise was in AI. So combining both fields and my undergraduate background in networking for my PhD research topic made a lot of sense.

What are your long-term career aspirations? Any key takeaways you’d like to impart to undergraduate and postgraduate students in the field?

Like most early career researchers, I’d love to cultivate my research strength and help develop human application tools at the same time.
To those who are new to the cybersecurity journey, my advice is: never give up and look for mentors and allies. Cybersecurity is such an integral part of current technology that opportunities will be boundless. Try and get involved in student societies or events that will allow you to develop and hone your technical skills. I highly recommend participating in capturing the flag challenges whenever the opportunity arises. Regardless of which aspect of cybersecurity you’re interested in, whether it be the technical or the compliance and governance side, cultivate your interests, keep going and don’t give up.
www.itee.uq.edu.au/cyber-security
twitter.com/UQSchoolITEE
Lynore www.linkedin.com/in/lyn-close/
Nandini www.linkedin.com/in/nandini-jain-23159a192/
Abigail www.linkedin.com/in/abigailkoay/
TAKING FEARLESS SECURE DEVELOPMENT EDUCATION TO THE WORLD
by Kirstin McIntosh, Head of Partnerships at CyRise

Laura Bell is a founder in cohort 5 of CyRise, the APAC cybersecurity accelerator program funded by NTT Limited and Deakin University. Her startup, SafeStack Academy, is the first NZ company in the CyRise portfolio.

SafeStack is a successful global cybersecurity education platform she runs from her home in New Zealand, a home she shares with two young daughters.

“I sort of accidentally got into software development at 16,” Bell says. “I needed a job and stumbled into an apprenticeship as a software developer.” She went on to gain a degree in computer science and artificial intelligence from the University of Wales, then to work for CERN in Switzerland on the Large Hadron Collider, and for the UK Government in counter-terrorism. She then moved to New Zealand and worked as a penetration tester for five years before starting her own company. “SafeStack originally started as a consultancy in 2014,” she says. “We were focused on helping fast-moving, fast-growing organisations around the world. I also co-authored a book with O’Reilly, Agile Application Security, and we established a good reputation.”

Things were going really well until 2020 when Covid hit in April. “Our customers, who were generally small and agile, went back into their shells and tried to preserve cash-flow,” Bell says. “We dropped 94 percent of our revenue overnight. We’d always talked about reaching a wider audience, so we decided we had a chance to do something bold.”

THE BIG PIVOT

That bold move was to turn the SafeStack consultancy into a training provider. It did not happen overnight, but the business adapted rapidly. “We developed the first half of the product — security awareness training — and had a soft launch in July so we could iron out any kinks. Then launched the SafeStack Academy, which is specific training for development teams, in September,” Bell says.
Today, SafeStack provides a community-centric online education platform that gives developers, testers and other roles in a business security training covering every stage of the software development lifecycle.

“We bring together really high-quality, easy-to-navigate learning paths alongside hands-on labs that allow learners to explore concepts they’re learning in fun, experimental ways,” Bell says.

She says SafeStack has developed a unique community approach to cybersecurity training. “SafeStack is a safe place. Development teams from all around the world can feel safe to say, ‘This is hard. What have you done, so we can learn from each other?’”

SafeStack connects people with others unknown to them, Bell says. “A team’s problems are never unique. They’re shared by many teams across companies. Through SafeStack, teams can get extra help without having extra specialists join them.”

She says SafeStack has been overwhelmed by the positive customer response. It now has 44 customers in five countries, representing 1000 engineers and more than 5,000 learners.

“Demand is high. People usually come for developer training, our core product, but once they see our style and approach, it gives us the opportunity to draw in more people to our security awareness training. This enables us to raise security awareness for everyone, not just certain roles.”

A SAFER PLACE

The success of this more equitable approach to security training is underpinned by Bell’s worldview. “I genuinely believe that everyone has the right to be safe online, no matter how big their budget is, or where they’re located,” she says. “Being safe online is a fundamental need. I’m on a mission to make that happen in a way that’s as accessible and suitable to as many different organisations and roles as possible.”
CULTURE FIRST AND TECHNOLOGY SECOND

In line with this approach the business tries to be gender-neutral. “We use mascots — animated characters — on the platform. None of them have an identifiable gender. You can’t tell the genders apart. Everyone is equal.”

Eight of SafeStack’s nine team members are women. “Our job adverts are intentionally inclusive, and structured to not exclude people who only hit 90 percent of the role requirements,” Bell says.

“We found that with really long role descriptions, incredible people self-select out, and don’t apply, because they think the one thing they can’t do means they can’t do the job.”

SafeStack interviews, she says, speak to culture first and technology second. “We encourage self-reflection at the interview, too.”

The approach has helped the business create a supportive environment and a team that is conscious about what it means to work in a diverse group, and able to communicate with a wide range of people. This, says Bell, is part of her vision for the company.

“I like that we’re coming with a different voice, and creating opportunities for diverse groups and role models. Leading SafeStack is the hardest thing I’ve ever done, but in the process, I’ve also found strengths I didn’t know I had.”

If you’d like to see Laura Bell in action, she will be pitching at the CyRise Demo Day in Melbourne on Tuesday 17th August. Tickets - live and livestream - are available on Eventbrite https://www.eventbrite.com.au/e/cyrise-demo-day-august-2021-tickets-154176168069

Laura Bell
www.linkedin.com/in/lauradbell/
twitter.com/lady_nerd

SafeStack Academy
www.linkedin.com/company/safestack/
twitter.com/safestack
academy.safestack.io/

CyRise
www.linkedin.com/company/cyrise/
twitter.com/cyriseco
For more details, connect with SheLeadsTech Melbourne:
https://oneintech.org/our-programs/sheleadstech/
https://www.linkedin.com/company/sheleadstech-melbourne
sheleadstech@isaca-melbourne.org.au
Feel free to connect also with your local ISACA chapter.
Image source: screenshot from the music video by JAY-Z performing 99 Problems. (C) 2004 Roc-A-Fella Records, LLC.
I GOT 99 PROBLEMS BUT A VULN AIN’T ONE by Laura Jiew and Sean McIntyre from AusCERT
Ninety-nine problems but a vuln ain’t one
If you’re having cyber problems, I feel bad for your SOC
I got ninety-nine problems but a vuln ain’t one, hit us!
Cheesy (revised) lyrics aside, I caught up with my colleague Sean McIntyre — information security analyst at AusCERT — to discuss our shared thoughts on the common misconception that cyber criminals are “hooded/masked baddies”. We outlined some ways in which AusCERT, as a not-for-profit security group, can help our members and the general public avoid falling victim to a cybercrime and/or incident.
Sean, it isn’t unusual for our community to think of cybersecurity in terms of tired cliches and common tropes. In your opinion, what can we do to help people understand that a cyber criminal and victim could look like anyone, including you and me?
I think it is really important to talk to folks — family, friends, neighbours even — about how cyber crime isn’t discriminatory and can happen to anyone. It’s great that the media draws attention to cyber-related incidents and helps bring the topic to the mainstream. People relate to examples like Nine Network or domain.com.au. However, I do think we can do better at the grassroots level. We should start talking about cybersecurity with kids in schools and other groups, and avoid making “cyber” a scary topic. I think organisations like eSafety do some good work in this space.
You’ve been working at AusCERT for close to 18 months. In your opinion, and from your observations, what cybersecurity challenges are most often faced by our members, and how would you advise them to respond?
My top three observed challenges, and my suggested responses, are as follows.
• Staying on top of the countless advisories, vulnerabilities and CVEs that come through daily. Identify all your infrastructure: systems, operating systems, patch levels, appliances, applications. This may sound elementary, but sometimes the concept of going back to basics is a great starting point. Jess Dodson, one of our keynote speakers at the AusCERT2021 conference, does a great job of this through her personal website. It’s definitely worth checking out. When they have completed this audit AusCERT members can subscribe to the appropriate AusCERT security bulletins through the member portal function.
• Identifying business email compromise (BEC) attempts from what can be extremely confusing email headers, and taking appropriate action. BECs are a common scam. The ACCC recently reported that payment redirection scams, also known as business email compromise (BEC) scams, resulted in $128 million of losses in 2020. The AusCERT team is always happy to assist members with the analysis of phishing email attempts and headers and will contact and assist affected member organisations where a BEC has occurred. Public agencies such as Scamwatch can also assist.
• Domain impersonation or squatting, and brand protection. This one is particularly challenging. AusCERT would love to help members affected. However, we can get websites taken down only if they are used for malicious activity such as phishing or malware delivery. In cases where a brand is being impersonated, registrars and website hosts will request that the owner of the trademark contact them directly. Website contacts responsible for dealing with abuse issues can generally be found in the ‘whois’ info of a domain. Members can always reach out to the AusCERT team for assistance. We are happy to walk through the necessary steps with them.
You and I presented a case study on the AusCERT incident management service at the end of 2020. Can you reiterate the key take-aways for our readers?
If you have not read the piece we did together on incident management, check it out on the AusCERT website. If you’re an AusCERT member, use our 24/7 incident hotline or email us at auscert@auscert.org.au for any cyber-related incidents.
Where possible, implement the “Essential Eight” as outlined by the Australian Cyber Security Centre (ACSC). This protocol provides a baseline for cybersecurity incident mitigation. Implementing these strategies makes it much harder for adversaries to compromise systems.
Thanks so much for the chat Sean!
AusCERT is a cyber emergency response team (CERT) based in Australia. We help members prevent, detect, respond to and mitigate cyber-based attacks. As a not-for-profit security group based at the University of Queensland, Australia, we deliver 24/7 service to members alongside a range of comprehensive tools to strengthen their cybersecurity strategy and posture. To find out more about our services, visit auscert.org.au
Resources
https://www.esafety.gov.au/kids
https://girl-germs.com/?p=2324
https://www.accc.gov.au/media-release/scammers-capitalise-on-pandemic-as-australians-lose-record-851-million-to-scams
https://www.scamwatch.gov.au/types-of-scams
https://www.auscert.org.au/blog/2020-11-06-case-study-incident-management
https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-explained
CAROLYN CRANDALL
WHY TECHNICAL PROFICIENCY WON’T TAKE YOU TO THE TOP IN TODAY’S WORLD by Carolyn Crandall, CMO at Attivo Networks
Have you achieved career success in the cybersecurity sphere and feel confident you could handle more responsibility and a leadership position?
Last year’s COVID crisis forced organisations to get serious about two things: digitally transforming their operations to enable them to weather lockdowns and supply chain disruption; and protecting critical systems and sensitive data against the wave of malicious cyber activity that came hot on the heels of the coronavirus.
As enterprises evaluated their security postures and sought reassurance they were not about to become the next ransomware statistic, the importance of having stellar talent on staff became apparent.
With security now top of mind for businesses and organisations in the Asia Pacific and around the world, there’s never been a better time for cyber professionals to step out of the shadows and into the spotlight.
CHECK YOUR TECH THINKING
That’s the good news. The less good news is that technical proficiency alone won’t be enough to push you up the career ladder.
Vital though it is for many operational roles, expert knowledge is not what business leaders seek when determining who to tap on the shoulder for a higher position.
Rather, they’re looking for individuals who are capable of discussing value and business benefits with other decision makers from across the organisation.
Being able to do so was less necessary in the past, when ICT and cybersecurity were seen as operational technologies, rather than the enablers of competitive advantage they have become. Back in the day, business leaders would outline why they wanted something done and the techie types in the back office would handle the ‘how’.
No longer. Today, ICT and security professionals who hope to move up the ranks need to be able to talk about business outcomes. That means being able to articulate the benefits that may result from the adoption of recommended strategies and technologies, and the risks that will arise if action is not taken.
Admittedly, that can be somewhat challenging for aspiring CISO types, because investing in cybersecurity products and practices does not always confer a direct business advantage. However, there are many benefits from running a secure enterprise, and potentially, serious consequences from a data breach or malware attack. Technical leaders who can go beyond simply understanding industry benchmarks and risk profiles and articulate how innovation can be used to maximise service delivery, improve brand recognition and ensure customer satisfaction will elevate their value to their business and stand out from the crowd.
CREATING CONNECTIONS ACROSS THE ENTERPRISE
Strong communication skills are also a must-have for security stars on the rise. Introverts who prefer to sit in their offices, waiting to be consulted on matters pertinent to their sphere of influence might fulfil essential technical roles very competently, but they are ill-suited to senior roles in 2021.
If you’re one such, it may be time to move forward. Given that cybersecurity now has an impact on every aspect of operations, the ability to interact with stakeholders, both internal and external, is essential. Fostering those connections allows you to be proactive. Being close to the marketing department, for example, may enable you to highlight the risk of a privacy breach when shadow IT, in the form of an untested SaaS marketing program, is used to run the latest campaign.
Close ties with the public relations team are also essential, because, in the event of a serious cyber incident, public relations will play a vital role in managing the messaging while you get on with running triage on the incident.
If you’re not willing to open a dialogue with your colleagues from sales, marketing, finance, operations and human resources, you’ll likely be elbowed aside by someone who is, even if their technical prowess is less impressive than your own.
BUILDING YOUR BRAND
Being in the running for senior positions also means being visible. Public speaking is anathema for many women (and men), but putting your hand up for public speaking opportunities such as internal and customer presentations will raise your profile, and ensure you’re seen as a credible candidate when a key project or opportunity to advance arises.
In the digital era, it’s easy to build your personal brand via self-publishing. If you know your stuff and have interesting, well-founded opinions, making a video, blog or podcast is a great way to share them. Such initiatives will also give you something to talk about at that next performance review or job interview, when you’re selling your skills, or making your case for promotion.
STEPPING UP
In today’s digitally-driven commercial world there are opportunities aplenty for individuals who bring both technical skills and business acumen to the table. If you’re a woman in security with aspirations to advance, brushing up your business skills is likely to prove a very smart move.
www.linkedin.com/in/cacrandall/
twitter.com/ctcrandall
ADDRESSING WORKPLACE CULTURE IN THE CYBERSECURITY SECTOR by Laura Jiew, AWSN National Marketing & Social Media Lead
Most readers will know that AWSN is proud to be part of the CyberShift Alliance, a collaboration between ISACA SheLeadsTech, FITT, CISO Lens, AustCyber, the Australian Signals Directorate (ASD), (ISC)², the Australian Information Security Association (AISA), Day of the Month Club (DOTM), EY Australia and Forrester Research. Its mission is to address culture change in the security sector.
The Alliance was born from two events: an International Women’s Day event run jointly by AWSN and ISACA earlier this year titled “Don’t reward the brilliant jerk”, and the AustCyber “Culture Shock” event held during the 2020 Australian Cyber Week.
In late July this year, the CyberShift Alliance hosted another, fully virtual event on “Toxic Workplace Cultures”, attended by more than two hundred people. Participants were divided into ten workshops, each covering a specific topic.
Workshop 1. What do you see as the causes for toxicity in cybersecurity? Why is this an issue in our industry?
Workshop 2. What does workplace toxicity look like?
Workshop 3. What is the impact of toxicity on security teams, security posture, people’s careers and mental health?
Workshop 4. Should you speak out about toxicity? Why and why not?
Workshop 5. What does a great security team culture look like?
Workshop 6. How do you speak out about toxicity? What language, processes and other tools do you use?
Workshop 7. What is the impact of toxicity on underrepresented minority groups?
Workshop 8. How do you determine if it’s a toxic environment, imposter syndrome or a systematic business issue?
Workshop 9. What is your responsibility to act when it’s a toxic situation?
Workshop 10. What can you do about toxicity in security as an individual / leader / organisation?
Below is a summary of the key take-aways from the “Toxic Workplace Cultures” event.
THE INABILITY TO SPEAK OUT ABOUT BAD BEHAVIOUR IN THE CYBERSECURITY INDUSTRY, AND THE FEAR OF DOING SO.
Lead presenter, Jinan Budge, principal analyst serving security and risk professionals at Forrester Research, surveyed her professional network and found 65 percent of respondents agreeing that speaking out was “career suicide”. Most people are afraid to speak up about workplace-related problems, highlighting a fear of potential disciplinary action(s) if they do so.
POOR WORKPLACE CULTURE.
This endemic problem in the cybersecurity sector [see “Beware the Brilliant Cybersecurity Jerk” article in Edition 2 of the magazine] is preventing a sizeable pool of capable talent from joining the industry. It is also causing a retention problem and hindering Australia from tackling cyber threats in the most inclusive, collaborative and, therefore, optimal way.
RECRUITING FOR FIT AND FOR PURPOSE.
When recruiting, employers should consider the skillsets of potential employees and whether they are the right fit for the organisation’s workplace culture, and whether the organisation is worthy of such employees.
WHAT CAN BE DONE TO RESOLVE THE ISSUE?
ORGANISATIONS
Protect and value employees by having a code of ethics. Enforce mandatory leadership training covering topics such as bullying in the workplace, sexual harassment and misconduct, and set aside a budget to manage employees’ mental health and wellbeing.
LEADERS
Budge and her fellow panel members, Laura Lees, Jacqui Kernot and James Turner, provided some blunt advice for CISOs and security leaders who may have a toxic culture in their organisation: start by simply recognising the issue and naming it publicly instead of ignoring it. “Empathy is about listening more than speaking.”
INDIVIDUALS
Listen harder and actively and try to embrace the ideas of fellow colleagues, especially if they differ from yours. At a bare minimum, be kind and choose to challenge if a situation feels uncomfortable or unjust.
The discussion around what toxic culture looks like in practice and how individuals, leaders and organisations can address it was incredibly valuable. We hope everyone who joined in benefitted from it.
SOPHIA PACE
STARTUP OR LARGE CORPORATION? by Sophia Pace, Marketing Manager at Avertro
Fast-paced environment. Close-knit teams. Uncertainty of what each day will bring. There are many factors potential candidates consider before deciding to work for a startup or SME. But what gets them over the line and keeps them working there?
We surveyed our staff and those at fellow startups to uncover the key factors determining such decisions.
LARGER IMPACT, LARGER CONTRIBUTION
The lean nature of a startup team creates an environment where individual employees can often make a significant contribution to the business. In contrast to larger, more established companies, startups tend to have less structure and flatter hierarchies. This means each employee is highly visible, and the impact of their work is more readily apparent than if they were in a more specialised position.
Because the organisation is leaner and more agile, employees can adapt and respond to new learnings faster than in a large organisation, where bureaucracy can delay changes. In the time it typically takes a large organisation to reach a decision, a startup or an SME would have already implemented that decision and refined it based on results because they tend to have fewer steps in the approval process. Such rapid progress can motivate employees because they can witness their direct contribution to the organisation’s success.
CAREER ADVANCEMENT OPPORTUNITIES
The promise of career advancement in a startup is a compelling incentive for new hires and current employees. There tend to be many opportunities, both vertically and horizontally. Employees gain experience across different roles instead of sticking to one specialisation.
Self-starters are likely to be more attracted to the greater autonomy, responsibility and scope of experiences available in a short time than to a single job role spanning several years in a larger organisation.
If startups want to attract and hold on to skilled employees, they must give them opportunities to grow.
Here at Avertro, many of our employees are hired in one role but grow into others. Working for a small business often means employees can forge their own unique path to advancement. This tends to be more attractive for highly motivated self-starters than the prescribed, uniform, constrained way to advance seniority within a larger organisation.
OPPORTUNITIES TO GROW AND GAIN EXPERTISE
Many startups will give their employees much more responsibility than more established companies. This is because startups often cannot afford to hire several employees and give each a different and finite set of responsibilities within a department. Startups often hire their employees based on a core skillset and give each person a more prominent role because they have fewer employees than large organisations. This can be a significant benefit, especially for new professionals, because it offers them ample opportunity to learn things they would likely not be exposed to in a corporate or more established organisation.
SMALLER TEAMS AND CLOSER CONNECTION TO LEADERS
Founders and employees of startups often work together, which means employees have direct access to the people behind the organisation and will be able to learn from them every step of the way.
SHARED VALUES
Employees attracted to working for startups and SMEs are increasingly driven by their desire to align themselves with brands that share their values. These individuals want to know their work matters and aligns with their values.
A startup begins with an idea for a solution to a set of problems. But it takes a team of motivated, talented individuals to harness that idea and build it into a sustainable business. Successful startups challenge the norm because they want to change things for the better. Having a clear organisational vision that employees can align themselves with gives their role a purpose.
Startup employees typically earn less base salary than workers at big companies, and they may have to work harder. But the intangible benefits can be more rewarding in the long term. Many startup companies have very flexible and casual workplace cultures. Best of all, if the organisation becomes successful, employees can reap the benefits directly. Being instrumental to the success of a startup could lead to an executive position and employee stock options, allowing an employee to own a piece of the company. Beyond the personal satisfaction of helping build something great, being core to the success of a company’s journey helps establish an employee’s professional legacy; something very few people will ever be able to achieve at the typical large, established organisation.
Avertro
www.linkedin.com/company/avertro/
twitter.com/AvertroSecurity
www.avertro.com/
Sophia
www.linkedin.com/in/sophia-pace-29656530/
SOLVING THE PIPELINE PROBLEM by David Braue
A STRONG PIPELINE OF CYBER SKILLS HAS NEVER BEEN MORE IMPORTANT
But with students nonplussed about cyber, it’s up to CSOs to get creative
Despite years of effort to improve the representation of women in STEM areas, declining participation has serious implications for the cybersecurity industry’s ability to build and sustain a pipeline of talent to meet rising demand.
That decline – as measured by the 2021 STEM Equity Monitor – noted the number of women in STEM-related occupations had dropped by 1% between 2019 and 2020, while the number of men increased by 1% during the same time.
Complementary numbers, obtained during YouthSight’s 2019-2020 Youth in STEM survey, highlighted the even bigger problem: Australian school-age girls, it seems, are simply less interested than boys in areas including technology, engineering, and mathematics – all traditional pathways to computer science and cybersecurity careers.
Fully 68% of girls aged 12 to 25 said they simply weren’t interested in STEM subjects, while 53% said STEM subjects were too hard for them and 48% and 47% said they weren’t very good at maths or science, respectively.
Particularly concerning for the cybersecurity pipeline was the finding that 74% of girls believe STEM subjects are not related to the career they want – suggesting that STEM in general, and cybersecurity in particular, simply have not managed to click with girls in the way that gender-equality advocates have hoped.
The only STEM area where girls showed similar interest to boys was in the study of science – and this, it turns out, may be the secret to bringing equality to the cybersecurity pipeline through far less direct means.
Conversion of people in other fields has become a rallying cry for cybersecurity recruiters, who are getting creative as they seek a way to work around cyber’s failure to launch among school children.
Having graduated from university with a Bachelor of Applied Science in biotechnology and administration and a graduate diploma in management science, Pip Wyrdeman knows what it’s like to enter cybersecurity from the outside – and she’s encouraging others to take the plunge.
Having recently joined PwC Australia’s Cybersecurity and Digital Trust team, Wyrdeman is building on a career that includes roles in Department of Defence ICT policy and as a senior cybersecurity policy advisor within the Department of the Prime Minister and Cabinet – but she did not, she is quick to point out, initially train in cyber.
“I was in biotechnology,” she told WiSM, “because I’ve always been fascinated with the future – and so it was something that attracted me quite a lot. I got very interested in how we could potentially genetically engineer ourselves into the future.”
Over the course of years of consulting and policy work – and some deep dives into digital transformations – Wyrdeman’s interest refocused on the intersection between what she called “what it is to be human and our frantic drive to digitize and virtualize our world”.
“That’s what’s really exciting about cybersecurity at the moment,” she said, “is that it is the fundamental thing that allows us to have a future that is digitally driven. It gives us the opportunity to grow ourselves and our systems into the future.”
DEMAND-SIDE SUPPLY VS SUPPLY-SIDE DEMAND
For Wyrdeman and the many other successful women who have built successful and rewarding careers in cyber, continuing difficulties in engaging with school-age girls represent a bugbear for efforts to bolster the industry’s pipeline.
It’s not for lack of trying. Programs such as the Schools Cyber Security Challenges work to raise awareness by gamifying cybersecurity challenges, while the Australian Signals Directorate (ASD) has launched a range of initiatives including ASD apprenticeships, the ASD CyberExp incident-response program, ICT Masterclass for Year 11 and 12 students, and networks such as the Girls’ Programming Network (GPN) for year 4 to 12 girls.
Industry-development organisation AustCyber has been working to raise awareness of the varied paths into the industry – offering practical tips for students with PwC, in-school career presentations and speed-networking events with Data61’s Ribit while pushing the message that an IT background is not a prerequisite for a career in cybersecurity.
Cyber, the firm is telling all who will listen, offers “diverse and rewarding” career paths available for anyone who is a persistent, perceptive, inquisitive, continuous learner with good communication skills – a point echoed as organisations like Optus and Services Australia joined the clarion call with programs to reach out to Year 12 students.
Throw in the support of government initiatives like the Academic Centres of Cyber Security Excellence (ACCSE) program – aiming to bring students and postgraduates into cyber – and the P-TECH public-private partnership for students, and there is no lack of opportunities for students that are interested in cyber.
Students aren’t the only ones getting targeted support to stimulate their interest in cybersecurity, however: programs like WithYouWithMe and the ADF Cyber Gap Program are creating new links between cyber careers and military service, while private-sector programs are welcoming interested people from all manner of other careers.
Yet such programs will only do so much to improve the diversity of skills and candidates coming down the cyber pipeline, warned Dr Ronda Zelezny-Green, co-founder and director of consulting firm Panoply Digital.
“One of the main reasons we are not realizing a faster pace of change in this area is because too much of the activity surrounding gender equality in IT focuses on one-off gimmicks and bandaid solutions that can be spotlighted in the press,” she said, “instead of focusing attention on female employees and the actions that will truly make a sustained difference in their professional lives.”
Facing a long-running drought of cyber skills, Gartner research director David Gregory advises CSOs to “expand recruiting to non-traditional sources” in an effort to boost numbers – with underrepresented groups representing a “potentially massive pool of untapped talent”.
Reaching this pool requires looking outside of conventional recruitment processes, he advises, “tapping hidden pipelines” by perusing personal LinkedIn networks or promoting employee referrals.
Consider how jobs are being advertised, particularly in terms of whether a particular role actually requires particular certifications. And map out clear career plans for the different roles within your cyber organisation, so that you can have clear and productive discussions with candidates about the long-term opportunities a job with your company will provide.
“Know and think about which functions are most important to your organisation,” Gregory said, “so they can match the skills you require.”
CONSIDER ALL THE ANGLES
PwC’s Wyrdeman agreed, noting that there are two broad groups of employees that must be catered for within the cybersecurity pipeline. These include technical staff – who have specific degrees or certifications that are required to perform a required security function – and “everybody else”, as she puts it.
“This includes quite a lot of people,” she explained, including people who are playing in the risk space and look at digital risk management; people in the data space who consider data, trust and privacy; and people weighing in on the legal and regulatory issues around cybersecurity.
“The upside of cyber being a team sport is for any given problem, you need to approach it from multiple different angles,” Wyrdeman said. “Outside of targeting specific technical skill sets, one of the ways [to fill the pipeline] is to go out and start looking for people who have the right mindset – without actually asking for cyber-specific anything.”
“There are a lot of people out there who wouldn’t see themselves as having capabilities that fit into what somebody might need to help them do in a job,” she added.
Yet filling the pipeline isn’t only about luring non-technical people: noting the increasing threat posed by hard-sciences fields like quantum computing, Wyrdeman said, there is also a role for people with deep physical, engineering and mathematics skills “who comprehend at that really deep scientific level how systems work, how data works, how information works.”
Many of those potential cyber experts are women working in other fields – and many of them are quite happy where they are. But as the cyber industry continues to push its messaging hard, efforts to build a more flexible and extensive pipeline will necessarily involve greater representation of women with non-cyber and non-IT qualifications.
The latest Women in Tech report from security firm Kaspersky highlighted the magnitude of the problem – and the promise of better opportunities for women moving forward. Fully 56% of female respondents said that gender equality has improved in their organisation within the past two years, COVID-era remote working proving particularly beneficial for women who have been able to engage with cyber careers better than they could in the past.
Time will tell whether initiatives targeted at students eventually gain more traction, or whether girls who are uninterested in STEM as students only end up coming into the industry through more circuitous paths, as so many have done.
As CSOs face up to the need to continue developing a skills pipeline from both inside and outside the organisation, the key to success is, ultimately, flexibility.
“It comes back to this balance piece,” PwC’s Wyrdeman said. “There are so many different skill sets and so many different ways that we need to think about this problem, depending on what you’re trying to achieve and where in the balance you sit.”
“We’re at one of those moments in history where there is no better time to get involved.
“There are so many opportunities of so many different kinds.”
DEEPTHI BHUSHAN
HOW COMPANIES CAN KEEP WOMEN IN CYBER ENGAGED AND MOTIVATED IN 2021 by Deepthi Bhushan, R&D Program Manager, FirstWave Cloud Technology
Only a couple of months ago many Australians were talking about the pandemic being ‘over’ and planning how to continue doing business and running their lives in the ‘new normal’.
Today, we know this to be far from the truth. There remain many unknowns: how the coronavirus is mutating; how vaccines can be rolled out across the country and all demographics; how government-led decisions such as lockdowns will impact jobs and the economy. However, there are a few things we know for sure after almost two years of the pandemic.
We know there has been a permanent shift in how employees engage with their work and how they are motivated by their employers. We know there has been a consequent transformation in how companies hire, engage and retain their staff. This time last year, businesses were under workforce-driven pressure to enable more flexible ways of working, with large portions of the workforce willing to leave their jobs if working from home was not offered as an ongoing option.
This pressure is still on employers, but during some lockdowns employers would have been dealt a $10,000 fine from the government if a work from home arrangement for staff was not delivered. And we have seen employees from a broad range of industries only too willing to report their employers to the authorities if they were not following the new regulations.
These drastic shifts led to thousands of Australians re-defining what a good workplace meant to them, and the result was what some are calling The Great Resignation, where employees in droves left their jobs or changed employers for better working conditions.
We know such seismic changes in workplaces can have significant cultural, financial and operational impacts, and that these have driven more workplaces to re-assess the perks they offer.

But for women in the cybersecurity sector, what really matters?

REDEFINING COLLABORATION AND TEAMWORK

There is a range of seemingly conflicting challenges for employers investing in creating collaborative and team-oriented environments. Most business leaders are aware that the right mix of minds and ideas can lead to real innovation and creativity. However, we have also learned from the pandemic that returning to the office, or re-creating an office environment, can be harmful and produce further barriers to realising these outcomes. Open-plan offices, in particular, have been found to increase stress levels. And noise around a workstation can create significant distractions and frustrations. Furthermore, technology has been called out as a double-edged sword for driving effective collaboration. On the one hand, 68 percent of Australian workers believe greater technology will help them in their jobs, while a US study found 71 percent of IT decision-makers believe communication and collaboration tools have made work more complex. This is on top of Zoom fatigue and the virtual exhaustion experienced by everyone who has had to work remotely.

Clearly, we can’t revert to pre-pandemic ways of working, nor can we simply throw technology at the challenge of keeping staff on board and engaged in the coming months. There needs to be an employee-centred approach to team building activities. Rather than creating blanket rules and initiatives for all staff, employers need to ensure they are truly listening to what employees want when it comes to team get-togethers online and offline.

Furthermore, when new tools and technologies are introduced, rather than simply investing in these to increase efficiency, employers need to consider the training, growth and learning opportunities. Many cyber and tech experts are leaving jobs for opportunities that enable them to explore new fields. So companies need to take a proactive approach to offering these opportunities as part of employees’ day-to-day experiences rather than as one-offs. Upskilling staff internally not only keeps them engaged and more likely to stick with their current employer, but also means they can apply their skills and capabilities immediately to the same company, rather than taking these to a competitor.
FLEXIBILITY, CONTROL AND INCLUSION NEED TO BE FOUNDATIONAL

Too often, tech companies are claiming flexible work schedules, control over career, and inclusive teams as ‘perks’ of the job. In 2021, women — particularly women in the fast-changing and high-demand cybersecurity sector — want and expect more. Rather than being additional benefits, these aspects of a job should today be the foundations of a company’s culture. To genuinely boost motivation and engagement levels, companies need to do much more to stand out, including:

• Childcare: Companies need to start putting their money where their mouth is when it comes to supporting working mothers. As well as creating supportive work environments for mums who may have different schedules or last-minute changes to availability, there should also be parental support in the form of allowing mothers to visit their children for feeding, and financial support for childcare, medical and dental care for families.

• Merit that matters: We all know the stats around unconscious bias and how this bias impacts career paths, despite many executives’ beliefs that they are acting, promoting and hiring based on ‘merit’. Unfortunately, unconscious bias training programs aren’t the solution, and could in fact be making pre-existing inequalities worse. To drive real change, workplaces need a complete shake-up. We need to give women the power to dictate their own career paths. We need to ensure they are consulted and heard in meetings, and invited to meetings where product design is debated so they can bring different perspectives. And we need to recruit and promote women who can do the job rather than only those who seem able to ‘fit in’.

The cyber and tech skills shortages, combined with the ongoing challenges of accessing international talent pools as a result of travel restrictions, will continue to put a strain on companies looking for the best talent, and on those wanting to keep that talent from moving to a competitor. This year employers need to wake up to the very real consequences they could face from droves of employees — particularly women who we know are in high demand, though often in short supply — leaving their businesses during times of ongoing change when innovative thinking is necessary.

Now is the time to abandon the rule book and reliance on traditional methods for pumping up workplace motivation, and start writing a new directory for genuinely getting the most out of employees, and empowering them to get the most out of their work and workplaces.

www.linkedin.com/in/deepthibn
www.firstwavecloud.com/
www.instagram.com/deepthibn/
www.facebook.com/deepthibn
KAREN STEPHENS Karen is CEO and co-founder of BCyber, an agile innovative group who works with SMEs to protect and grow their business by addressing their cybersecurity and governance risk gaps by demystifying the technical.
COLUMN

Surviving a breach: step one - be prepared

“We’ve been hacked” are not words you want to hear on Christmas Eve or the last day before a long weekend, or ever (it’s called strategic timing). And with your files being encrypted at between 6,000 and 10,000 files per minute, time is not on your side.

The time to plan how you react to a ransomware attack is not after it has happened, but beforehand. People need time to think, brainstorm ideas and agree on actions and roles. These are not activities you want to undertake mid ransomware attack. You need a controlled, practiced response, and you can mount such a response only if you have time: time to plan, implement and practice. Here are six ideas to get you started when you are planning your attack response. NOTE: this is not an exhaustive list, I am sure you can come up with many more ideas.

1. The Dream Team: Who is going to be involved in spearheading the response? If you’re an SME it will be a combination of internal and external people. Do all team members know their roles and do you have the contact details of all members? Who is to lead and coordinate your response?

2. Important Documents: How do you intend to access your Disaster Recovery Plans, your Continuity or Contingency Plans when all your systems are down? And are they accessible by all team members all the time?

3. External Support: Many SMEs have limited internal technology support, so outsource their technology to external providers. Do you know what support they provide? Does it need to be supplemented by specialist support and/or legal advice? If the answer is yes, are they on a retainer? And do you have all their contact details?

4. Communication: How do you plan to communicate to the team, your staff and your clients if all your systems are down, i.e. there is no VoIP, email, Teams, website, etc?

5. The Insurer: One of the first calls should be to your insurer (if you have insurance). Do you know who to call? And who is going to be doing the calling? Does your breach response plan meet the requirements set out in your insurance policy?

6. Desktop Exercise: Have you practiced what you will do in the event of a breach? Have you had everyone in the same room (or teleconference) and walked through your breach action plan with them?

www.linkedin.com/in/karen-stephens-bcyber/
www.bcyber.com.au
karen@bcyber.com.au
twitter.com/bcyber2
youtube.bcyber.com.au/2mux
TECHNOLOGY PERSPECTIVES
CRAIG FORD Cyber Enthusiast, Ethical Hacker, Author of A hacker I am vol1 & vol2
COLUMN

The Big Bad Wolf

Cybersecurity is a complicated topic. Many people, including myself, try to explain it in many different ways, but fail to get the message across. Would it be easier to use age-old nursery rhymes or classic children’s stories to help explain cybersecurity? Let’s give it a try.

The story Three Little Pigs and the Big Bad Wolf is a perfect fit for cybersecurity. Think about it for a moment. We have the three little security pigs and the big bad wolf who is our malicious actor. The first little pig built a house from straw: a very basic network with no antivirus, no firewall and just an open network. The big bad wolf came along and he huffed and he puffed and he blew the walls in on this very unprotected network, owning and encrypting the systems with just a few minutes’ work.

The second little pig built his home out of timber: a nice strong firewall, some basic antivirus and some occasional updates with a basic backup plan. He didn’t monitor the network, test his backups or do patching. He didn’t do any staff training or any of what he called fancy stuff. Along came the big bad wolf (our malicious actor). He huffed and he puffed: no movement. He huffed and he puffed. He huffed and he puffed. With one big puff he hacked right through little pig’s protections, and gained ownership of his network. He held the little pig’s data to ransom, but the poor little pig could not pay and had to shut down his timber business.

Now the third little pig, he was a smart fella. He put in firewalls, advanced endpoint detection and response, along with the latest monitoring, patching and backup systems. He tested and improved any time he could. He also hired the other two little pigs. Together they trained and learnt from the previous events to ensure they would be as prepared for an attack as any good pig could be.

So along came our big bad wolf, our malicious actor. He looked and he tested. He poked and prodded. This one wouldn’t be easy to break but he huffed and he puffed. He huffed and he puffed. He huffed and he puffed but he could not get in. The three little pigs together had built a strong system, but it was not perfect and there was a chance the big bad wolf would still be able to get in.

However, they are prepared. They have tested and simulated all types of scenarios. They are ready for the day the wolf does get in, and until then they will update and test. They will train and improve. If Lady Luck is on their side they will be able to fight off the attacks and live to keep fighting for another glorious day.

I know it’s an interesting adaption of the good old classic, but I think you can all see what I am getting at here: cover the basics and never stop testing and improving. That is the key to success in this digital war. We may not win every battle. We may even lose the war, but we can make it hard for that big bad wolf. And, with luck, we can even come out the other side stronger than before.

The End…

www.linkedin.com/in/craig-ford-cybersecurity
www.amazon.com/Craig-Ford/e/B07XNMMV8R
www.facebook.com/pg/AHackerIam/
twitter.com/CraigFord_Cyber
QUEEN A AIGBEFO
IN AN ORCHESTRA THE WHOLE IS GREATER THAN THE SUM OF THE PARTS
by Queen A Aigbefo, Research student, Macquarie University

An orchestra is a group of instrumentalists, but more specifically, a group that includes string, woodwind, brass and percussion sections, playing classical music in perfect unison and harmony. However, one individual binds this group of musicians together: The Conductor.

The conductor interprets the music score, communicates with the musicians in each section, and inspires them to perform their best work using specific signals: eye contacts and standardised hand gestures, often with a baton.

Why do we need a conductor? After all, 18th century orchestras were led by composers or concertmasters. Today’s orchestra is sometimes made up of 100+ musicians. While it may be relatively easy for a group of 20 musicians to play in harmony without a conductor, this may not be possible with a larger diverse group of instrumentalists.

Let us recreate this picture in the context of security. The orchestra is the organisation with its various units and departments, all functioning to serve clients and customers and achieve the business’ goals and objectives. Enter the Chief Information Security Officer (CISO), aka the conductor.

In an orchestra, the conductor requires the assistance of principals - the lead instrumentalists of each section - to carry the information they receive and put it in the context of their sections. In a business, the CISO needs principals to help decode the strategies, policies, and procedures into biteable chunks to enable employees to defend the organisation’s information assets.

Unfortunately, in the security context, there are some unrealistic expectations imposed on the office of the CISO. The assumption may be that the CISO is “superhuman” and by virtue of the title, can solve the business security problems. (But I digress.)

What makes the orchestra tick? Short answer: different instruments playing in tune and in harmony to make beautiful music.

The equivalent components needed for successful security were identified in the publisher’s foreword to issue three of Women in Security: “diversity + inclusion + culture = real value”.

Diversity is what makes security tick. Decades ago, information technology (IT) departments often housed many like-minded folks with somewhat similar skills or training in the implementation of security countermeasures: like firefighters either constantly putting out security fires or defending the network from malicious attackers. Today’s security practitioners know their effort could fail if a single user is socially engineered to open the proverbial “front door” and let an attacker into the network. A much more diverse set of skills is needed to educate users and counter such threats.

DIVERSITY REMAINS A CRUCIAL COMPONENT.

The conductor may have the skill to direct the orchestra and the understanding and knowledge to interpret the score and deliver a memorable performance. However, without the orchestra, a conductor would be like a mime performer: making hand gestures, expressions and movements in total silence.

The CISO needs support from all members of a diverse ‘orchestra’: the Board and, most notably, the buy-in and cooperation of the various departments and employees, irrespective of their technical or non-technical expertise, with varying levels of education and skill performing numerous tasks.

Just as the principal of each section in an orchestra oversees the instrumentalists in that section, the CISO will require “section principals” to translate for employees the complexities and ambiguities found in security processes and procedures to employees. No one department or section is greater than the other when it comes to ensuring the security of organisational information assets. A malicious attacker only needs to be successful once to compromise the entire organisation.

PLAY TO YOUR STRENGTHS.

The orchestra is strategically arranged such that each instrument complements the others. Imagine a bass trombone right in front of the conductor. Not only would the conductor develop a headache before the end of the concert, but the trombone would also drown out the other instruments in the orchestra. The balance between all the instruments in the orchestra plays a big role and is evident in the final output. In implementing security countermeasures, organisations need to play to their strengths. A one-size-fits-all approach to security, such as off-the-shelf security measures, will not suffice in the current threat landscape and post-pandemic hybrid workplace.

MAURICE RAVEL’S BOLÉRO.

I love classical music. One piece of music that helps illustrate my point is Maurice Ravel’s Boléro. Boléro was written for a large orchestra but starts with a single instrument. More instruments are gradually added, and the work slowly builds to its cacophonous climax while the percussionist maintains an unwavering tempo throughout the piece. A perfect example of how diversity and close cooperation create something awesome.

In an orchestra, the conductor has a strong influence and needs an excellent ear to detect even minimal differences in the instrumentalists’ playing. The CISO may be one individual but needs to strategically understand, harness, and tap into the strength of diversity to make the whole greater than the sum of the parts.

www.linkedin.com/in/queenaigbefo/
twitter.com/queenaigbefo
MARISE ALPHONSO
RANSOMWARE IS RIFE HOW WILL WE WIN?
by Marise Alphonso, Information Security Lead at Infoxchange

Ransomware, a malicious software that encrypts data and prevents access until a ransom is paid, is a growing cybercrime business model: the cost of ransomware attacks in Australia in 2019 was around $1 billion.[1] Ransomware was the third most common data breach in those analysed for the 2021 Verizon Data Breach Investigations Report,[2] and the report said threat actors exfiltrated data prior to encrypting it. Exfiltration provides an alternate revenue stream for these actors: they threaten to publish data if ransoms are not paid. This could cause reputational damage or loss of competitive advantage to an organisation, depending upon the data acquired.

According to the Australian Cyber Security Centre (ACSC), ransomware attacks against Australian entities have increased significantly since the 2017 WannaCry incident.[3][4] 2021 incidents include:

• March: Nine Network unable to televise news and produce newspapers.[5]
• April: Uniting Care Queensland hospitals resorted to paper-based processes due to systems being inaccessible.[6]
• June: JBS Foods, the world’s largest meat supplier, had the operations of 47 facilities in Australia affected.[7]
• July: Kaseya, a provider of remote monitoring and management software, had its software compromised, impacting the operations of 1500 organisations using the software.[8]

JBS Foods paid $14.2 million[9] to end the cyber attack that impacted its operations around the world. It is unknown whether a ransom was paid in the other cases.[10]

The cybersecurity advice on what organisations can do to protect themselves from ransomware has been well publicised,[11][12] and discussed at length in the security community, but probably not at senior leadership and board level within organisations. While this advice advocates extremely important security measures—such as ensuring systems and software are kept up to date, data backups are performed and tested, and employees are trained on how to recognise phishing emails—these are far from being the comprehensive solution needed to counter ransomware attacks.

There are calls in Australia[13] and other countries such as the US[14] for government intervention at a national and international level to combat this threat. In late 2020, the US Office of Foreign Assets Control (OFAC) advised[15] that ransomware payments made to malicious cyber actors on its list of sanctioned persons and entities could be used to fund activities that could compromise the national security and foreign policy objectives of the US.[16] OFAC recommended victims of ransomware contact government agencies for assistance rather than paying the ransom.

In Australia, the ACSC advice is not to pay the ransom because such payouts could be used to propagate further attacks, but the full extent of incidents and ransoms paid is not known.

The results of an April 2021 survey of 1000 Australian adults on ‘understanding ransomware’, conducted by the Cyber Security Cooperative Research Centre, demonstrated that the community requires more understanding and education around ransomware.[17]

The Ransomware Payments Bill 2021 introduced into Federal Parliament in June 2021[18] proposes mandatory notification of ransomware payments by most organisations. If it becomes law, it will mandate some organisations to notify the ACSC about a ransomware incident and payment. This is an important first step to gaining visibility of ransomware and providing threat intelligence that may protect other Australian organisations.

The US government has advanced work in this space. After the Colonial Pipeline attack in May 2021, which caused panic buying and led to fuel shortages in some parts of the US,[19] it gave ransomware attacks priority similar to that afforded terrorism. The Cybersecurity and Infrastructure Security Agency (CISA) established a Stop Ransomware website[20] in mid-July 2021 to serve as a clearinghouse for resources to help organisations protect their networks.[21]

Cryptocurrency payment schemes that enable anonymous transactions greatly facilitate the success of ransomware attacks. The ransom paid for the US Colonial Pipeline attack was partly recovered by the FBI,[22] a positive step that demonstrated one way of dismantling a link in the ransomware chain.

The cyber insurance industry is also taking steps to respond to ransomware. With ransomware now accounting for 75 percent of claims,[23] leading global cyber insurance companies have joined forces to enhance cyber risk mitigation efforts, provide value to policyholders, and ensure a competitive cyber insurance market.[24]

The answer to the question “How will we win against ransomware?” will not be easy to find. It will require a collaborative effort between government, information security agencies and organisations, the private, public and not-for-profit sectors of the economy, and cyber insurers.

www.linkedin.com/in/marise-alphonso/
STUDENT IN SECURITY SPOTLIGHT
KATHY NGUYEN
Intern (GRC) and Women in Cyber Scholar, CyberCX

Kathy Nguyen is a Master of Information Technology student majoring in Cybersecurity and Networks from the Queensland University of Technology. She grew up in Vietnam and came to Australia when she was sixteen.

WHY DID YOU CHOOSE TO STUDY SECURITY?

I chose to study security because of my passion for privacy and data protection, which are closely connected to cybersecurity. Before I started my Masters, I worked in privacy law and got to see first-hand the detrimental effects of cyberattacks on individuals and organisations. This inspired me to undertake further education to gain fundamental technical skills in cybersecurity and pursue a career in this constantly evolving industry. Because I am motivated most by the gratification of solving problems and learning, cybersecurity is the ideal field where I can learn new things every day and make a positive impact on people’s online safety.

WHAT SKILLS DO YOU THINK A PERSON NEEDS TO SUCCEED IN THE CYBER FIELD?

While technical skills are in high demand and will perhaps always be important in certain areas, I think a person wishing to succeed in this industry also needs to have excellent soft skills such as critical thinking, communication, and creativity.

At its core, critical thinking means to question the information you receive, considering it from different perspectives, and challenging biases or assumptions before drawing conclusions and making decisions. The importance of applying critical thinking to cybersecurity cannot be overstated. Cybersecurity is a constantly evolving field. With each new wave of technology, new challenges and risks are created. The ability to think critically is key to mitigating cyber risks because it enables cybersecurity professionals to:
• consider cyber threats more holistically,
• break down a complex event into its essential elements to identify the root cause, and
• consider all relevant stakeholders’ views and objectives.

Whether or not your job has a customer-facing aspect, good communication skills are essential in many different situations. If you are a penetration tester, you need to have written communication skills so you can write a report that makes sense to the customer: one without too much technical jargon. If you work in cyber awareness and training, you need excellent oral presentation skills to deliver engaging workshops to audiences who have different backgrounds. No matter what your job is, it is more than likely you will work in a team and need to communicate with others. At the very least, as an aspiring cyber professional, good communication skills enable you to build rapport with interviewers and demonstrate your capabilities effectively.

Finally: creativity. Creativity might be the last word you think of in relation to cybersecurity. However, cybersecurity is not about black versus white. As technology evolves and threat actors become more innovative and creative in their attacks, many areas of cybersecurity will require creativity and innovative solutions.

I would encourage them to start networking as soon as possible. While they may dread the saying “it’s who you know, not what you know” with its negative connotations, it often rings true. The right connections can make all the difference. Networking can help students make meaningful professional relationships, explore the routes to cyber roles, and discover the skill set required to succeed as a cyber professional. Networking helped me to understand that cybersecurity is not only about penetration testing or hacking, and certainly not like in Hollywood movies. It has also allowed me to connect with others in the industry and discover professional opportunities.

WHERE DO YOU WANT TO WORK, OR SEE YOURSELF WORKING?

I want to work in governance, risk and compliance. I am passionate about helping organisations achieve their security and compliance objectives in a way that also aligns with their business goals. I believe my legal background and passion for privacy will be helpful in this area.

WHAT DO YOU CARE ABOUT WHEN IT COMES TO CHOOSING A PLACE OF WORK?

I value diversity and culture when choosing a place of work. It is perhaps odd to feel a sense of belonging in a group of individuals who are so fundamentally different from each other, whether in their gender, age, ethnicity, professional background, or life experience, but that is exactly how diversity makes me feel. Coming from a non-English-speaking country and being a woman who seeks to enter a male-dominated industry, I am attracted to workplaces that clearly demonstrate commitments to improving diversity and inclusion. This is not only because I know I will feel welcomed, but also because I know there will be lots I can learn from my co-workers. Diversity is closely tied to culture. Culture is important to me because I believe that a supportive, positive and collaborative culture can foster great relationships, retain talent, and help employees and organisations thrive.

DO YOU LISTEN TO ANY SECURITY PODCASTS OR READ ANY SECURITY BOOK THAT YOU WOULD RECOMMEND?

I like listening to OzCyber Unlocked by AustCyber, which is a series of podcasts that explain cybersecurity in simple terms. I think this podcast is a great starting point for anyone who does not have a background in cybersecurity but wants to learn more about this exciting industry. I also enjoy the Women in Security Podcast by Lifen Tan, which is devoted to telling the stories of great women in the world of information and cybersecurity.

www.linkedin.com/in/kathy-tht-nguyen/
POOJA SHANKAR
Pooja Shankar is a final year Bachelor of Information Technology student at Monash University, majoring in networks and security and minoring in IT for business. She spent most of her childhood in Melbourne, before that she lived in Kuwait. Final year Bachelor of IT student, Monash University | Intern, CyberCX
WHY DID YOU CHOOSE TO STUDY SECURITY?
People face conflict and hardship every day. Thus
I was made aware of the prevalence of technology
and its impact on our lives at a young age. I have realised that almost nothing today is possible without technology, whether it’s how we order our food or how we move from A to B. Thus I understand it’s crucial to tackle the need for privacy and the security of digital information.
Increasing dependence on technology has made it easier for us to become a target for malicious actors. I started learning at an early age about various ways cyber-attacks occur and my interest in cybersecurity increased. I wanted to make a difference and chose cybersecurity as my career. I find it exciting because cyber-attacks are only going to increase.
WHERE DO YOU WANT TO WORK, OR SEE YOURSELF WORKING?
I see myself being drawn to security integration or operations team because these represent the “immune system” or backbone of security of any organisation; constantly monitoring, protecting the business, preventing attacks and incursions into the IT systems.
For such a team every day would be different. So, I believe working in such a team would be exciting and a great place for me to acquire strong fundamental security skills. I also hope to learn security architecture and strategy and help my employer develop cyber resilience.
WHAT DO YOU CARE ABOUT WHEN IT COMES TO CHOOSING A PLACE OF WORK?
I strongly believe in being part of an organisation that not only provides excellent cybersecurity services but also makes an impact on a larger scale. As a graduate, I would be drawn towards an organisation that values employee satisfaction, encourages strong work culture and promotes inclusivity and diversity.
I hope to work for an organisation that invests in providing real-world solutions for some of the biggest challenges our world faces today, in their careers and personal lives. Knowing I was part of something important—an organisation that makes an impact on society, whether it’s fighting climate change or reducing unemployment—would provide me with a sense of pride and satisfaction.
WHAT DO YOU WISH YOU KNEW ABOUT THE SECURITY INDUSTRY?
Before expanding my knowledge about the industry, I had a false perception that security and cyber-attacks required focus only when an incident occurred. Also, I realised that privacy and digital safety are not issues for the workplace alone. They are an essential part of everyone’s life. I believe there is no such thing as perimeter security because every device can connect to the internet, so we need to focus on security end-to-end: from the home to the workplace. I wish I was more knowledgeable about various aspects of security, and the opportunities they present for career progression. Upon discovering how diverse cybersecurity is in an organisation, I realised it presents many opportunities to carve out a career based on specific interests.
WHAT SKILLS DO YOU THINK A PERSON NEEDS TO SUCCEED IN THE CYBER FIELD?
Personally, I think it is perseverance and determination. The industry is growing rapidly, which makes it a very challenging career pathway. Constant learning and knowledge building are crucial since experts have to work with different technologies and tools. Furthermore, a committed attitude and good communication skills are essential non-technical skills a person needs to cope with the challenges of working in cybersecurity.
WOMEN IN SECURITY MAGAZINE
www.linkedin.com/in/pooja-shankar-633a96181/
VICTORIA CHENG
Penultimate Business and IT student, Secretary at UTS Cyber Security Society
Victoria Cheng is studying for a Bachelor of Business (Finance) and Science in Information Technology (Networking and Cybersecurity) from the University of Technology Sydney.
WHY DID YOU CHOOSE TO STUDY SECURITY? At the beginning of year 12, I attended a five-day program run by a university society. Before the workshop, I wanted to study something related to technology at university but was unsure exactly what. I was introduced to cybersecurity in that program, heard from a penetration tester, and decided it was what I wanted to do. Now I know more about the industry, I understand penetration testing is only a small component of cybersecurity, and there are many other fields within cyber, besides penetration testing. Even though I knew I wanted to study cybersecurity at university, I didn’t know a lot about the industry back then. I knew it was a rapidly expanding field and that I would be faced with different challenges every day.
WHAT ADVICE WOULD YOU GIVE TO CURRENT OR FUTURE SECURITY STUDENTS? While I am not a security expert here are some things I wish I knew earlier as a student. To all current and future security students, my advice is: take advantage of the number of resources available online. Platforms such as Try Hack Me and PentesterLab provide theoretical and practical components ranging from beginner to advanced. You’ll be surprised how much you can apply what you learn from these platforms to Capture the Flag (CTF) challenges. Another piece of advice: enter CTF competitions. I’ve learnt a new skill or a new tool in every CTF competition I’ve entered. Even though there were times when I couldn’t solve the challenge, I learned something new every time from my attempts. And if you solve a challenge, that’s something to be proud of. As you solve these challenges, write notes on how you solved the challenge so you can look back on them. For challenges you were unable to solve, reading the official write-ups released by the organisers is another way to learn.
Lastly, join infosec communities, whether the security societies at university or larger ones like the Australian Women in Security Network (AWSN). You will get to chat with like-minded people and pick the brains of experienced people who are happy to share knowledge.
WHERE DO YOU WANT TO WORK, OR SEE YOURSELF WORKING? I’m open to working anywhere right now because I think that you can learn different things from different companies. Whether you are working in a company’s infosec department or for a security-based company, you will be exposed to dynamic environments and types of work.
WHAT DO YOU CARE ABOUT WHEN IT COMES TO CHOOSING A PLACE OF WORK? Team culture and the type of work. Team culture is important because I would be working with my team for hours and I’d want to be surrounded by people who could bring out the best in me, and vice versa. As the saying goes, ‘teamwork makes the dream work’. The type of work is also important because I’d want to work in a company that gave me exposure to different kinds of work.
ARE YOU PART OF ANY GROUPS, ASSOCIATIONS OR HAVE YOU BEEN MENTORED? HOW HAS THAT HELPED YOU? I am currently an executive in the Cyber Security Society at UTS (CSEC). I joined last August, and meeting with like-minded people and learning from executives already in the industry has been amazing. The CSEC community is incredibly supportive and always willing to help beginners. I hope to facilitate that same inclusive environment and help organise educational workshops for our members. CSEC continues to have a significant impact on my journey.
www.linkedin.com/in/victoria-cheng371
utscyber.org/
JACYNTA GRIGSON
Penultimate year Bachelor of Science (Cybersecurity) student, Edith Cowan University
Jacynta Grigson is studying Bachelor of Science (Cybersecurity) from Edith Cowan University. She grew up in Western Australia and has lived in the state her whole life. She moved around a bit as a kid and lived in small country towns until she was 10 and her family settled in the southern suburbs of Perth.
WHY DID YOU CHOOSE TO STUDY SECURITY?
When I first heard about the Stuxnet attack I became curious as to how it had been executed and how it could be prevented. I also became fascinated by the dark web and how organised crime functions anonymously on it. I chose cybersecurity because of these interests, but I also knew it would be a challenging, dynamic career where I could make a difference and help protect people from cyber-crime.
WHAT INSPIRES YOU?
I love a good challenge. Whether it be completing a crossword or setting goals and achieving them. I feel there is nothing more rewarding than fulfilling a difficult task. I suppose that’s why I hugely enjoy studying. I am also highly motivated by my future prospects. I look forward to having a rewarding career in which I can help people.
WHAT SKILLS DO YOU THINK A PERSON NEEDS TO SUCCEED IN THE CYBER FIELD?
I believe the most important skill needed to succeed in cybersecurity is the passion to learn. Technology is constantly changing, so a willingness to keep up is vital.
WHAT ADVICE WOULD YOU GIVE TO CURRENT OR FUTURE SECURITY STUDENTS?
Immerse yourself in the industry by joining groups and associations, and keep up to date with related news and topics. Get out there and network. Take advantage of the free courses or certifications that apply to your chosen field. They look great on your resume and will help enhance your skills. Finally, time management is your friend. I cannot stress this enough. Make a schedule and stick to it. It will help give you study/life balance, reduce stress and improve your grades by ensuring you do not fall behind.
WHERE DO YOU WANT TO WORK, OR SEE YOURSELF WORKING?
I see myself working in cyber threat intelligence. Ideally, I would love to work in government or the defence force to help protect my country from cyber threats. However, I also feel the opportunities are endless with new ones arising every day, so I am keen to see where the future leads me.
WHAT DO YOU CARE ABOUT WHEN IT COMES TO CHOOSING A PLACE OF WORK?
Community. When I choose a new workplace, I want somewhere I will feel welcome and encouraged. I believe a well-functioning team needs a strong sense of community, and that encouragement is a huge motivator.
ARE YOU PART OF ANY GROUPS OR ASSOCIATIONS, OR HAVE YOU BEEN MENTORED? HOW HAS THAT HELPED YOU?
I am a member of the Australian Information Security Association (AISA) and was provided with a membership of the Australian Computer Society (ACS) with my Cyber Security Cooperative Research Centre scholarship. I have also just become a member of the Australian Women in Security Network (AWSN) and have applied for its cadet program. I have found my membership of these associations an asset during my studies, providing numerous opportunities to network, attend seminars and receive industry-specific news.
I am also a member of the Edith Cowan University Computing and Security Students group on LinkedIn, which has also provided me with opportunities to network, along with links to scholarship and internship opportunities.
WHO WOULD YOU LIKE TO BE MENTORED BY? I would love to be mentored by someone who has cybersecurity interests similar to my own, such as cyber intelligence, the dark web and cyber-physical attacks.
DO YOU LISTEN TO ANY SECURITY PODCASTS, OR READ ANY SECURITY BOOK THAT YOU WOULD RECOMMEND? Craig Ford’s “A hacker I am” is a great read. I found it gave me industry insights, and he wrote in a way that wasn’t too technical for someone starting their cyber journey. I am yet to read volume two, but I am very eager to do so. My recommendation for students is Computer Security Principles and Practice by William Stallings and Lawrie Brown. It was required for one of my first-year units and has now become my go-to text for any unit because it covers a broad range of topics. While I don’t listen to any podcasts, I have benefitted from keeping up to date with security news from Krebs and ACS’s Information Age.
WHAT DO YOU WISH YOU KNEW ABOUT THE SECURITY INDUSTRY? When I was sixteen I left high school and applied to study at TAFE. I put art as my first choice on my application and IT as my second. If I had known then that cybersecurity would become such a booming industry, and that I would enjoy it enormously, I would have picked it as my first choice.
www.linkedin.com/in/jacynta-grigson-a350681aa
AARATI PRADHANANGA
Final year Master of IT & Systems student, University of Canberra
Aarati Pradhananga is studying for a Master of Information Technology and Systems from the University of Canberra, and specialising in cybersecurity. She moved to Canberra from Nepal and is grateful to have experienced the best of both worlds.
WHY DID YOU CHOOSE TO STUDY SECURITY?
With everything digitized in today’s world, security affects everyone throughout their daily lives. I chose to study it because I wanted to learn technical knowledge so I could mitigate the impacts of threats, and educate people on the importance of being cyber safe. A security qualification opens the door to exciting jobs in an ever-growing industry from which I can gain core knowledge.
WHAT ADVICE WOULD YOU GIVE TO CURRENT OR FUTURE SECURITY STUDENTS?
“The man who moves a mountain begins by carrying away small stones.” - Confucius
It’s easier to look at others and feel incompetent. Always remember your competition is your past, not the people around you. Work on yourself daily by making small habit changes and celebrating them. Most importantly, reward yourself and celebrate the small victories.
WHAT DO YOU CARE ABOUT WHEN IT COMES TO CHOOSING A PLACE OF WORK?
I care about having a team that wants to build and grow together.
Having worked in a few roles in various industries, including cyber, I have realised that people are the most important factor when choosing a workplace. You spend more time with your colleagues than you do with your loved ones. It’s important to be surrounded by people who motivate, empower, push you, and, ultimately, celebrate with you. Throughout my career, I have surrounded myself with great colleagues who have provided me with guidance to help me learn, and the opportunity to grow from their mistakes and experiences.
ARE YOU PART OF ANY GROUPS OR ASSOCIATIONS, OR HAVE YOU BEEN MENTORED? HOW HAS THAT HELPED YOU?
I am a member of the Australian Women in Security Network and Australian Defence Force Cyber Gap program. I’ve been fortunate that my mentors from these associations have helped guide me on my journey, learn from them and widen my network. Having someone in the field who is willing to provide their learnings is really valuable. I strongly recommend anyone new to find a mentor from any of the numerous organisations that offer this.
DO YOU LISTEN TO ANY SECURITY PODCASTS, OR READ ANY SECURITY BOOK THAT YOU WOULD RECOMMEND?
I’d highly recommend: Darknet Diaries, Malicious Life by Cybereason, OzCyber Unlocked, Smashing Security and Hackable.
WHAT DO YOU WISH YOU KNEW ABOUT THE SECURITY INDUSTRY?
I wish I knew how easy it was to get started. If you are looking at entering this field, search online and you will find plenty of resources to get you started. My recommended websites are tryhackme.com and ine.com. Also, create a LinkedIn account and connect with people within the industry and with influencers/experts. This will keep you updated with the latest cybersecurity news, allow you to expand your network, and provide you with career opportunities.
Soft skills matter in this field. You need to be able to translate technical matters for other individuals who may not have the relevant background. The ability to adapt and change your terminology depending on your audience is a crucial skill. Having communication skills allows you to express yourself clearly and efficiently.
www.linkedin.com/in/aarati-pradhananga/
instagram.com/cyberwithaarati
KAVIKA SINGHAL
Final Year Cybersecurity Student, Western Sydney University
Kavika Singhal is studying for a Bachelor of Cyber Security and Behaviour from Western Sydney University. She has a diverse background and has lived and studied in several countries: India, United States, UK, and now Australia.
WHY DID YOU CHOOSE TO STUDY SECURITY?
My passion for cybersecurity stems from my interest in mystery novels and crime shows I’ve had since I was eight. I enjoyed the process of unravelling the unidentified.
As I commenced my university course, I became more passionate about cybersecurity. I realised my passion had ignited the desire to challenge myself, to become a warrior in the virtual world while making a difference in the real world.
WHAT SKILLS DO YOU THINK A PERSON NEEDS TO SUCCEED IN THE CYBER FIELD?
Success in cybersecurity is defined by one’s goals. I don’t think there is a common measure of success in any field, because everyone’s journey is different. Some might aim to work as cyber intelligence analysts, others might aim to become CISOs. Consistency and resilience complement hard work. People need to crave knowledge each day they show up at work: the industry demands it. Someone once told me, “Cyber people never sleep.” Does this not mean cybersecurity is packed with zombies? No, it’s an expression of how passionate cybersecurity professionals are. So, for me, the key to success is “always be curious.”
WHAT ADVICE WOULD YOU GIVE TO CURRENT OR FUTURE SECURITY STUDENTS?
If they have a strong will to know more and strive to be better each day, they will never lose.
WHAT DO YOU CARE ABOUT WHEN IT COMES TO CHOOSING A PLACE OF WORK?
I realised in my first internship the wide gap between education and industry. There’s pros and cons for both environments, but from my perspective, the university offers unlimited freedom to innovate, explore, and fail. I would love to work in an environment where my vision and goals match my employer’s, and where I have the freedom to innovate.
People and ethics are also important. Each workplace operates to gain profits. It needs money to sustain itself. Ethics in business dealings and client relationships make for a good working environment and strengthen interpersonal relationships.
ARE YOU PART OF ANY GROUPS, ASSOCIATIONS, OR HAVE YOU BEEN MENTORED? HOW HAS THAT HELPED YOU?
Yes, I am a member of the Australian Women in Security Network (AWSN)—an organisation led by and consisting of the most awe-inspiring women in the industry—of the Australian Computing Society (ACS) and the Australian Information Security Association (AISA). I am President of the WSU Cyber Security Association (a cybersecurity club in my university). These industry associations are my greatest motivator. The experiences and the deep insights of members challenge me to aim higher and strive to achieve. I apply these learnings in my student association to empower my peers to take the initiative and lead. The cybersecurity community is extremely helpful, and I am grateful to all its members.
WHO WOULD YOU LIKE TO BE MENTORED BY?
The list is too long and would be unfair to name just a handful. The cybersecurity community is very diverse. It would be interesting to see the industry from some different perspectives. For example, I would like to view the cyber world through the lens of a bioinformatics scientist, a mathematician, a social media influencer, etc.
DO YOU LISTEN TO ANY SECURITY PODCASTS, OR READ ANY SECURITY BOOK THAT YOU WOULD RECOMMEND?
I listen to Darknet Diaries, Hacking into Security, and KBKast quite often.
www.linkedin.com/in/kavika-s-b60969192/
KAREN HOBSON
Advanced Diploma of Cyber Security Student, South Metropolitan TAFE, Murdoch WA
Karen Hobson is studying for an Advanced Diploma of Cyber Security at South Metropolitan TAFE, Murdoch Campus, WA. She grew up in East Gippsland, Victoria.
WHY DID YOU CHOOSE TO STUDY SECURITY?
I am studying to expand my skills and achieve a career transition where I can transfer some of my existing IT skills into the growth industry of cybersecurity. Cybersecurity is highly diverse. There are many areas to learn about, the cyber landscape is always changing, and I love a challenge.
WHAT INSPIRES YOU?
We are bombarded with cyber-attacks, phishing emails and smishing texts every day. People become victims of cybercrimes every day. It’s not just big businesses being attacked, but small businesses and individuals. We cannot, and should not, have to pay for these attacks on our personal computers, our accounts, and even our individual identities. I want to help my community and my country harden their defences, be more cyber aware, and stop becoming victims of cyber-crime.
WHAT SKILLS DO YOU THINK A PERSON NEEDS TO SUCCEED IN THE CYBER FIELD?
IT skills are definitely needed, along with hands-on networking skills, problem-solving, creativity, teamwork, communication and organisation skills.
It also helps to be curious and want to know how things work and why they work the way they do.
Cybersecurity or any IT specialists should enjoy learning because all areas of IT require continuous learning, especially cybersecurity where the landscape can change daily.
WHERE DO YOU WANT TO WORK, OR SEE YOURSELF WORKING?
There are so many interesting areas within cybersecurity to choose from. I could see myself working in Security Testing and Assurance doing Vulnerability Assessments and Testing, Application Security or Governance, Risk and Compliance. These are the areas that I have been drawn to while studying to people and companies to become more cyber safe and I believe these areas can make a real difference in our digital world. The more secure we can make our networks, the safer our online interactions will be.
ARE YOU PART OF ANY GROUPS, ASSOCIATIONS OR HAVE YOU BEEN MENTORED? HOW HAS THAT HELPED YOU?
I have memberships with the Australian Information Security Association (AISA), the Australian Women in Security Network (AWSN) and Women in Technology, Western Australia (WiTWA). All of these organisations provide great insightful and educational information to their members through their websites, events and newsletters. The cybersecurity community here in Perth is awesome. Everyone I have met is very welcoming, always willing to answer questions or help out where they can. I volunteer as a tutor for the Girls Programming Network (GPN). I enjoy their events. It’s great to spend time with like-minded volunteers and mentors, to help kids achieve their coding goals. I see this as a great opportunity for the students and myself because it is a proactive way to inspire girls into IT-related fields and to keep up my Python programming skills.
I have completed two internships at the Department of Premier and Cabinet’s Cyber Security Unit whilst studying for my Advanced Diploma. I have had the opportunity to gain knowledge and work with most of the people in the cyber unit who have all been wonderful mentors to me. Internships are immensely helpful to students to gain real-world experience and to put what is learnt in the classroom to use in a work environment. They are also a great way to see exactly what the job/s you are training for are actually like.
www.linkedin.com/in/karen-hobson-81949136/
SHAHNAZ ALI
Cert IV Cyber Security Student, Box Hill Institute
Shahnaz Ali grew up in India and is studying Certificate IV in Cyber Security from Box Hill Institute, Melbourne, Australia.
WHY DID YOU CHOOSE TO STUDY SECURITY?
I have an accounting background and switching from accounting to IT was a big decision for me. I chose cybersecurity because I wanted to learn something different and challenging. I wanted to expand my knowledge horizon, learn programming, networking and working with VMs. All these topics excite me. I really want to contribute something to mankind: to help and protect the world from cybercrime. Though I have my own challenges, because I knew nothing about IT when I started in cybersecurity. The more I learn and the more familiar I become with the cyber world, the more interesting I find it.
WHAT INSPIRES YOU?
The constantly changing, dynamic nature of IT. There are new surprises every day. Juggling multiple tasks keeps me motivated.
WHAT SKILLS DO YOU THINK A PERSON NEEDS TO SUCCEED IN THE CYBER FIELD?
One should have a positive outlook, be hardworking, sincere, honest, open to change, and open to learning new things. One should be well versed in networking and programming.
WHAT ADVICE WOULD YOU GIVE TO CURRENT OR FUTURE SECURITY STUDENTS?
Learn, learn and learn. Just get started, be it in networking, programming, or anything else.
WHERE DO YOU WANT TO WORK OR SEE YOURSELF WORKING?
I would love to work under a mentor who could direct me to chase my dream.
After becoming sufficiently learned and sufficiently experienced, I would love to have my own venture so I can help people and society at large.
WHAT DO YOU CARE ABOUT WHEN IT COMES TO CHOOSING A PLACE OF WORK?
If given the opportunity I would definitely choose a workplace that could motivate me in ways I did not know existed, a workplace that could help me to explore my own strengths, and give me room to fly: a workplace where the people help each other, are open-minded, grounded and honest.
www.linkedin.com/in/shahnaz-ali-b3a699200/
JOCASTA NORMAN
Masters by Research Student (Cyber Security Supply Chain Risk), RMIT University
Jocasta is studying Master of Business (Business Information Systems) from RMIT University, a master’s by research. Her research questions are in cybersecurity supply chain risk management. She grew up in New Zealand, travelled 43 countries and now lives in Australia.
WHY DID YOU CHOOSE TO STUDY SECURITY?
I was feeling unhappy and unfulfilled in the work I was doing and decided it was time for a change. I love learning and knew I wanted to go back to University and study. I looked at my skill set and personality, and at what was in demand, and landed on cybersecurity. I love problem-solving, learning, the dynamic nature of the industry, and the idea of contributing to a field that protects people from harm. There is always something to learn and there are so many facets to it I can’t see myself ever getting bored.
I started a coursework Master of Cyber Security at La Trobe University in 2019. However, I soon realised I would rather focus on one area and research that in-depth. So I exited that course with a Graduate Certificate and last year moved to undertake a Masters by research. Combining my undergraduate degree in logistics I decided on supply chain cybersecurity.
WHAT INSPIRES YOU?
I get really inspired by giving back and contributing to keeping people and organisations safer. I’m also incredibly inspired when people find creative solutions to complex and challenging problems.
WHAT SKILLS DO YOU THINK A PERSON NEEDS TO SUCCEED IN THE CYBER FIELD?
I think a person needs to be willing to learn, be flexible, and be able to pivot and deal with the dynamic nature of the cyber field. Things are always changing. I think communication skills are key, along with a love of learning, critical thinking and problem-solving. They also need the ability to work both independently and as part of a team, because collaboration is key.
WHAT ADVICE WOULD YOU GIVE TO CURRENT OR FUTURE SECURITY STUDENTS?
I think it’s really important to network, volunteer for organisations and networking groups, and to talk to people. There are usually student memberships or student rates for conferences and events. Anyone aspiring to a career in cybersecurity should take advantage of these to meet people. It’s also great to talk to others about their careers and how they progressed, especially to inform your decisions around the qualifications you might want to acquire.
WHAT DO YOU CARE ABOUT WHEN IT COMES TO CHOOSING A PLACE OF WORK?
As a mum, and someone who has worked for myself for over a decade, one of my most important considerations is flexibility, work from home options, and a general acceptance of the cadence of life with young kids. I don’t like being micromanaged, I prefer to be trusted to get the work done and that I will ask if I’m not sure about something. I also care about the mission and vision of the organisation. I want to align with organisations that are people-focussed and have products or services that are for the greater good.
ARE YOU PART OF ANY GROUPS, ASSOCIATIONS OR HAVE YOU BEEN MENTORED? HOW HAS THAT HELPED YOU?
I have been part of the Australian Women in Security Network (AWSN) for a couple of years. I joined as a cadet and recently started volunteering to help with events management. I am also a student member of ISACA and of the Australian Information Security Association (AISA).
WHO WOULD YOU LIKE TO BE MENTORED BY?
This is a hard one, there are so many fabulous people. I’m really happy to be part of the AWSN Mentoring Program and have been able to speak to some great people through that. I’m currently working part-time at Healthscope under the amazing leadership of CISO Mitra Minai, I’m very grateful for the opportunity to see how she leads. My hat goes off to AWSN founder Jacqui Loustau for all her guidance and support, and for everything she does for everyone who benefits from the AWSN.
DO YOU LISTEN TO ANY SECURITY PODCASTS, OR READ ANY SECURITY BOOK THAT YOU WOULD RECOMMEND? Definitely, I love podcasts and have found them to be very useful. I discovered the AWSN through a podcast when I heard Jacqui Loustau being interviewed on Cyber Security Weekly. These are some of my other favourites: The Security Collective, ISACA Podcast, The Get Cyber Resilient Show, Cyber Security Interviews, The Social-Engineer Podcast, Great Women in Compliance, Darknet Diaries, The New CISO with Steve Moore and AusCERT’s Share Today Save Tomorrow.
WHAT DO YOU WISH YOU KNEW ABOUT THE SECURITY INDUSTRY? I wish I knew exactly what I wanted to do, or that I could clone myself so I could do more things simultaneously. There are so many amazing opportunities and so many different areas that look enticing. I’m currently working in cybersecurity education and influence, which is great. It plays well to my strengths in marketing and communication. I also really enjoy my research on the supply chain risk side, and if I had time I would like to try more technical aspects, do some Capture the Flag events and learn more about ethical hacking. In high school, I wanted to be a forensic scientist, so I keep thinking I’d love to learn more about computer forensics too. It certainly now holds more appeal than dealing with dead bodies and crime scenes!
www.linkedin.com/in/jocasta-norman
MAEESHA LOHANI
Security Consultant, Cyber Risk and Final Year Bachelor of Computer Science, Swinburne University of Technology
Maeesha is a Security Consultant at Cyber Risk and is studying computer science (majoring in cybersecurity) at Swinburne University of Technology. Her extensive travelling has allowed her to embrace different cultures, consequently shaping her personality and empathizing ability.
WHY DID YOU CHOOSE TO STUDY SECURITY?
Cybersecurity is a rapidly growing industry that provides passionate individuals with unique opportunities. Because the industry is so young, there is ample scope for growth and research, allowing each of us to make a mark and shape the future. I would like to contribute to something bigger than myself, in a way that helps future generations as well as my own.
WHAT INSPIRES YOU?
My aspirations stem from multiple individuals who I’ve seen in action and analysed closely. These individuals include my mother, Jacqui Loustau, Jill Taylor and my brother Sajeeb. My mother showed me it is possible to be an organised individual, managing a business and bringing up kids without neglecting either. As strong women in this industry, both Jacqui and Jill have shown me there are no bounds to what you can achieve, provided you are able to put in the effort required.
WHAT SKILLS DO YOU THINK A PERSON NEEDS TO SUCCEED IN THE CYBER FIELD?
I believe it is important to have good communication and socialisation skills because communication is required when dealing with clients and fellow employees. Networking is a major part of growth. It creates the opportunities you need to expand your skillset.
WHAT ADVICE WOULD YOU GIVE TO CURRENT OR FUTURE SECURITY STUDENTS?
Listen and learn from the stories told by people in the industry. It’s a great way to make friends, but also an easy way to avoid mistakes.
WHERE DO YOU WANT TO WORK, OR SEE YOURSELF WORKING?
I aspire to be a penetration tester and an exploit developer who can uncover complex vulnerabilities and exploit chains within established software.
DO YOU LISTEN TO ANY SECURITY PODCASTS, OR READ ANY SECURITY BOOK THAT YOU WOULD RECOMMEND?
If you are interested in web application penetration testing I recommend reading the Tangled Web and the Web Application Hacker’s Handbook (WAHH). The Tangled Web provides a good foundation for understanding web technology, and WAHH provides an in-depth account of multiple attack vectors.
WHAT DO YOU WISH YOU KNEW ABOUT THE SECURITY INDUSTRY?
I wish I knew how willing and open the community is to help a newcomer. I started off being quite nervous when I did not need to be.
www.linkedin.com/in/maeesha-lohani-643733170
twitter.com/0ddInput
ABBY ZHANG
SheLeadsTech Liaison and Ambassador, ISACA Auckland Chapter
Abby Zhang grew up in China and recently graduated from the Unitec Institute of Technology in Auckland with a Graduate diploma in computing (Network and Cybersecurity).
WHY DID YOU CHOOSE TO STUDY SECURITY?
Personal interest and hobby. I am a marathon runner and I love that it challenges me and makes me happier. In some ways, cybersecurity has been the same for me which is why I chose to study cybersecurity.
WHAT SKILLS DO YOU THINK A PERSON NEEDS TO SUCCEED IN THE CYBER FIELD?
There are abundant resources people can find online to gain technical knowledge and skills, important to succeed in the cyber field. From my experience, the following personal attributes are the most important factors to achieve success:
• Be yourself and learn what you really, not what other people expect.
• “Stay hungry, stay foolish”.
• Never give up.
• Try harder and make it happen.
• Be kind, thankful, confident, positive, and strong.
• Be open to any opportunity.
• Focus on every small step, not just the big picture.
WHAT ADVICE WOULD YOU GIVE TO CURRENT OR FUTURE SECURITY STUDENTS?
Network with diverse professionals in the cyber industry and attend different security events to identify your own security domain and direction. The meetup app has a lot of good workshops or events.
WHAT DOES YOUR TYPICAL DAY LOOK LIKE?
I usually spend most time studying for OSCP and also learn new security skills or knowledge in my spare time. I believe continuous learning is very important for career progression and growth. Every day can get tiring, but I am also happy to see myself growing.
HOW WELL DID YOUR EDUCATION AND UNIVERSITY EXPERIENCE HELP YOU PREPARE FOR A JOB?
Unitec changed my life and my future. It opened my eyes, gave me security skills and knowledge: great advantages for a job. If I had not studied in Unitec, I would not be as confident and comfortable to work in the industry.
WHAT ARE SOME THINGS YOU CARE ABOUT WHEN IT COMES TO CHOOSING A PLACE OF WORK?
The team environment, the company culture, the career development opportunities and the career path are my main concerns when choosing a job.
WERE YOU PART OF ANY GROUPS, ASSOCIATIONS OR HAD YOU BEEN MENTORED? HOW DID THAT HELP YOU?
I am a volunteer on the ISACA China community and Auckland Chapter. This has helped me to meet professional people and gain amazing technical knowledge and skills. For example, I was not sufficiently confident to follow my dream: a lot of people told me I should give up. ISACA SheLeadsTech event speaker Jo Stewart-Rattray shared her career story and that event inspired me greatly. I am running similar ISACA SheLeadsTech events in the ISACA Auckland Chapter.
DO YOU LISTEN TO ANY SECURITY PODCASTS OR READ ANY SECURITY BOOK THAT YOU WOULD RECOMMEND?
The Official Offensive Security Podcast (offensivesecurity.com) is a good podcast.
www.linkedin.com/in/abby-%F0%9F%98%81-28bb5581/
#TOPWOMENINSECURITYASEAN
WOMENINSECURITYASEANREGION.COM
AWARDS CEREMONY - 5:00pm SGT | TUESDAY | 31 AUGUST 2021
NOMINATIONS CLOSE 30 MAY 2021
This initiative has been established to recognize women who have advanced the security industry within the ten countries of the Association of Southeast Asia Nations (ASEAN). Nominations were scheduled to open on Monday March 8, 2021, coordinating with International Women’s Day. The Top Women in Security ASEAN awards follow similar initiatives in India, as well as Africa, Europe and Canada and form part of a global campaign by the Women in Security & Resilience Alliance (WISECRA). This initiative is open to all ASEAN countries following very successful Top Women in Security Awards held during 2020 in Singapore, Malaysia and Philippines.
We have gathered unique industry partnership arrangements, bringing together key chapters of premier, global security industry associations and professional women in security groups in Singapore, Malaysia, Indonesia, Philippines, Thailand and including the ASEAN Region Women in Security Network. We thank them for their support. Nominations close 30 May, 2021. The awards will take place at a virtual ceremony at 5:00pm SGT, Tuesday, 31 August 2021. Please register to attend the awards.
ORGANISERS
MEDIA PARTNERS
SUPPORTING PARTNERS & ASSOCIATIONS
ASEAN REGION WOMEN IN SECURITY NETWORK
Emma Seaman grew up in Sydney and is studying for a Master of Cyber Security Analysis and Master of Intelligence from Macquarie University. EMMA SEAMAN
Master of Cyber Security Analysis and Master of Intelligence student (part-time), Macquarie University
WHY DID YOU CHOOSE TO STUDY SECURITY? I always knew I didn’t want to study for a traditional IT degree. I got drawn to the security field when I found the Bachelor of Cyber Security and Behaviour from Western Sydney University (WSU). It was unlike any typical course and I liked how it incorporated IT, security, criminology, and psychology. That’s where it all started.
WHAT INSPIRES YOU? People who are willing to take a risk, or be brave.
WHAT SKILLS DO YOU THINK A PERSON NEEDS TO SUCCEED IN THE CYBER FIELD? Adaptability. Being able to adapt to change will give them the ability to adjust and grow with the changes in the cyber industry. It requires you to continuously develop your skills and knowledge to keep relevant. You must continue to learn if you want to be successful in this industry.
WHAT ADVICE WOULD YOU GIVE TO CURRENT OR FUTURE SECURITY STUDENTS? I would suggest future or current students look into the opportunities available in the industry, both at their university and externally, from as early in their studies as possible. They should not say no to an opportunity just because they feel it is going to be too challenging. Every challenge is part of the journey.
ARE YOU PART OF ANY GROUPS, ASSOCIATIONS, OR HAVE YOU BEEN MENTORED? HOW HAS THAT HELPED YOU? When I was studying for my undergraduate degree, I participated in the Women in STEM Education (WiSE) program and the LEAD program and completed the citizen scholar award as part of The Academy at WSU. All these programs provided me with ongoing opportunities and encouraged me to continue to challenge myself. During my final year as an undergraduate, I became an NSW Cyber Security Ambassador, which has allowed me to participate in a number of industry events over the past two years. Recently, I was a member of the panel at the launch of the NSW Cyber Security Strategy. This is something I would not have imagined myself doing before participating in any of these programs.
WHO WOULD YOU LIKE TO BE MENTORED BY? I would love to be mentored by someone who has been successful within the industry, or someone who may not have followed the standard job progression. It would be great to see how someone had decided to take a risk in their career, or even developed a business. I am still unsure where my career is headed, and being able to discuss the endless possibilities would be a great learning opportunity.
WHAT DO YOU WISH YOU KNEW ABOUT THE SECURITY INDUSTRY? I wish I knew about the variety of roles in the industry. When I was studying for my undergraduate degree the true scope of work was not widely discussed amongst the students, the majority of whom had a similar career goal in mind. This is something I would suggest current and future students should explore. They should not be afraid to push the boundaries and look for opportunities that are not obvious.
www.linkedin.com/in/emmaseaman/
Tiana Inman is in her penultimate year studying cybersecurity and business information systems at Murdoch University. She took a combined degree course as it encourages her to view cybersecurity from both a business and technical perspective. TIANA INMAN
Tiana Inman, Intern and Cyber Security Student
WHY DID YOU CHOOSE TO STUDY SECURITY? I have always possessed a passion for knowledge. I am easily excited about learning new things, and there is nothing more exciting than technology. In two decades it has transformed and enhanced our day-to-day lives. I marvel at technology’s trajectory to the future. I always knew the IT industry was the path for me. I was introduced to cybersecurity at high school when I heard about the devastating effects of worldwide cyberattacks. I became curious about the implications of a lack of cybersecurity. I wanted to learn more, and ultimately to make a difference in a world that has seen massive technology-enabled societal change, especially for my generation. The opportunities and challenges associated with increased reliance on technology drew me to study security and commit to a career path dedicated to making technology safe for use by all members of society.
WHAT INSPIRES YOU? Being a female cybersecurity student has inspired me to continue to promote careers in security for other women, and to try and bridge the gender gap that exists in STEM. I also work as an IT support officer at a school in Perth where I volunteered to run a girl coding club for high school students in Years 4-10. It has been inspiring to see passion and curiosity ignite in young girls through this club, and I intend to continue to promote cybersecurity as a career to women and students of all ages. Similarly, to unite women studying STEM at university, I have recently founded the Women in STEM (WIS) Society at Murdoch University. It aims to celebrate and unite women in STEM and will focus on networking and developing a sense of community among its members.
ARE YOU PART OF ANY GROUPS, ASSOCIATIONS OR HAVE YOU BEEN MENTORED? HOW HAS THAT HELPED YOU? One of my main values outside my studies is inclusivity. Being a member of various networks — the Australian Women in Security Network (AWSN); the Westpac100 Group; the Murdoch IT Society — has introduced me to people who continuously remind me of the importance and beauty of diversity in the industry. I have been lucky to be one of two WA recipients of the CyberCX Women in Cyber Scholarship. Through this amazing opportunity, I have recently commenced a six-month internship where I am currently working with the Governance, Risk and Compliance team.
WHAT DO YOU CARE ABOUT WHEN IT COMES TO CHOOSING A PLACE OF WORK? A company that celebrates inclusivity and diversity is high on my list. Having a diverse team consisting of all genders, sexualities and backgrounds allow the company to leverage these differences in perspective to create an amazing culture and spark ideas and innovation.
WHERE DO YOU WANT TO WORK OR SEE YOURSELF WORKING? While I am eager to explore multiple avenues in the cybersecurity industry, I’d love to work for a consultancy company such as CyberCX. They are sponsors of AWSN and various other security events and organisations, and they are renowned for having an amazing workplace culture and passion for customer satisfaction.
www.linkedin.com/in/tiana-inman-6752521a6/
Caitlin Sauza is studying for a Bachelor of Cyber Security from Deakin University. She grew up in Melbourne’s Western Suburbs. CAITLIN SAUZA
Final Year Bachelor of Cyber Security Student, Deakin University
WHY DID YOU CHOOSE TO STUDY SECURITY? Growing up, I was always interested in the IT space. I had inspiring personal mentors to look up to, such as my uncle who has been working as a computer scientist for almost two decades. He was a huge influence on me. He introduced me to all things tech and pop culture. When I first started looking into studying for my bachelor’s, Deakin was the only institution offering it. I found this particularly interesting, piquing my interest in the field further.
WHAT INSPIRES YOU? Having an impact on others and knowing I am doing good in this world. That has become my main goal in life. I love interacting with others, learning and experiencing new things every day. Studying cybersecurity is not my only interest. I’m an avid volunteer and currently work multiple jobs, which I love.
WHAT SKILLS DO YOU THINK A PERSON NEEDS TO SUCCEED IN THE CYBER FIELD? It takes more than technical skills to succeed in the cyber field. Networking and interpersonal skills would be two of my top skills. The need for these is preached to students constantly, but the message sinks in only when they experience the impact networking can have on their future career path. Also, LinkedIn will be their friend, it’s an awesome way to maintain those connections.
WHAT ADVICE WOULD YOU GIVE TO CURRENT OR FUTURE SECURITY STUDENTS? Get yourself out there, and don’t wait until the final year to make connections. Attend events, connect to people on LinkedIn, maintain those connections. Also, don’t be afraid to express your interests. There may not be a spot open now, but you will be in the back of someone’s mind when something does come up, and that is most important.
WHERE DO YOU WANT TO WORK, OR SEE YOURSELF WORKING? I had a taste of different parts of the industry in the years studying for my degree, but I am not currently drawn to any particular sector of cyber. If I had to pick something, physical penetration testing seems really intriguing. I know a few people who are physical pen testers, and some of the stories they have told me were extremely interesting.
WHAT DO YOU CARE ABOUT WHEN IT COMES TO CHOOSING A PLACE OF WORK? The people and the culture. If I do not mesh in a workplace, I know I will not be happy or succeed. I have had situations in the past where I wanted to stay committed to a workplace because I loved what I was doing. But staying committed is hard when the people surrounding you are nothing but unpleasant. That is when you have to make the decision to stay with what you are doing, or leave for your mental health. I choose mental health above all else.
ARE YOU PART OF ANY GROUPS, ASSOCIATIONS, OR HAVE BEEN MENTORED? HOW HAS THAT HELPED YOU? I have been President of the Deakin Information Security Club (DISC) and a committee member of the Australian Women in Security Network (AWSN). I represented DISC at the 2019 Australian Cyber Security Conference. I chatted to almost every representative at every stall at the conference in order to develop rapport and to get the DISC name out to cybersecurity professionals. We were also on the lookout for some awesome guest speakers, and I was definitely able to find some there. My role at DISC got my name out, despite the fact that I had not yet graduated. It also challenged me personally. I grew up introverted, and the switch I see in myself now from how I used to be is a complete 180. The role exposed me to experiences I may never have had if I had focused solely on studying and finishing my degree.
WHO WOULD YOU LIKE TO BE MENTORED BY? People who are making an impact on the masses, people who are putting in the hard yards behind the scenes to develop the industry, and who are regularly discovering and solving cybersecurity issues.
DO YOU LISTEN TO ANY SECURITY PODCASTS, OR READ ANY SECURITY BOOK THAT YOU WOULD RECOMMEND? Yes. One podcast I can highly recommend is Darknet Diaries by Jack Rhysider. He discusses stories of cybersecurity incidents in such a fascinating way. Give it a listen and you’ll be hooked.
WHAT DO YOU WISH YOU KNEW ABOUT THE SECURITY INDUSTRY? I wish I knew how big the industry was going to grow, it continues to develop day by day. www.linkedin.com/in/csauza
LISA ROTHFIELD-KIRSCHNER Author of How We Got Cyber Smart | Amazon Bestseller
Olivia & Jack get a Gamestation
Olivia and Jack are twins and have been in lockdown for what seemed like forever. They missed seeing their friends and teachers at school. Remote learning wasn’t as much fun as learning with everyone at school. Olivia missed her favourite teacher at coding club and feeding the chickens at school, while Jack missed hanging out with his friends and his favourite teacher in gardening club.
Olivia and Jack had been asking their parents for a gaming console throughout lockdown so they could play with their friends online. They were convinced they were the only kids in their school not to have one (it wasn’t true!) and desperately wanted one to play Basketball Boomers.
To their surprise, one afternoon a delivery driver came to the door with a big parcel. Olivia and Jack were so excited and ripped open the box. Inside was the latest Gamestation console. “Woo hoo!”
Their Mom and Dad explained, “We have decided to buy you a special gift to cheer you up as we know lockdown and remote learning has been very hard for you. We know you have missed your friends and teachers and being able to run around in the school yard.”
Olivia and Jack wanted to start playing on it straight away, but their Mom said, “First, let’s set up the Gamestation in the lounge room so we can see and hear what’s going on. Then we need to set up the parental controls on the Cyberlock family app to keep you safe while you play on the Gamestation. Cyberlock will help to keep you safe from bad people online because it has settings that we can choose to make sure that you only play with people we allow and with games that are age-appropriate.”
Their Mom and Dad explained, “We have rules about using the Gamestation and will set specific times and days that you can use it. There will be set times for the weekends and school holidays. We think that you should have limits on how much you use it so you won’t be able to use it on school days so it doesn’t become a habit you can’t control. We don’t want you playing so much that you stop playing outside and with other things. We will also set your age in the Cyberlock app so that only certain games can be played that are recommended for your age. When you try to download a new game, a notification will be sent to us to approve, so we will know exactly what games you try to download. If you disagree with the settings we can discuss it and we will do our own research and make a decision. We know you might not like our decision but we’re the adults and we want to keep you safe whilst you are gaming.”
Olivia and Jack already knew about cyberbullying and bad people online and that if anything strange ever happened they needed to tell a trusted adult so they could help. Soon, Olivia and Jack were having so much fun playing Basketball Boomers on the Gamestation, and were excited to share the news about their new console with all their friends.
Recommended by Family zone
How We Got Cyber Smart addresses cyber safety, cyber bullying and online safety for elementary school-aged children.
WOMEN IN SECURITY MAGAZINE CONTRIBUTORS
1. AMANDA-JANE TURNER Author of the Demystifying Cybercrime series and Women in Tech books Conference Speaker and Cybercrime specialist
2. NARELLE DEVINE Chief Information Security Officer Asia Pacific, Telstra
3. HELEN SULTANA Manager, Cyber Security Education and Awareness
4. MEGAN HAAS Non Executive Director, Tesserent
5. CAROL CHRIS Carol Chris, General Manager for Australia and New Zealand, GBG
6. CHRISTIE WILSON Cyber Resilience Manager, UniSuper
7. BRIANNE HADLEY Creative, connector and Knowledge vacuum
8. IAN YIP CEO of Avertro
9. NICOLLE EMBRA Cyber Safety Expert, The Cyber Safety Tech Mum
10. JULIAN RANGER Executive President, and Founder at Digi.me
11. SASENKA ABEYSOORIYA Senior Strategic Adviser at The University of Queensland (UQ)
12. SAI K. HONIG CISSP, CCSP, Co-founder - New Zealand Network for Women in Security
13. LAURA JIEW AWSN National Social Media & Marketing Lead Events, Marketing and Communications coordinator for AusCERT
14. KIRSTIN MCINTOSH Head of Partnerships at Cyrise
15. SEAN MCINTYRE Security Analyst at AusCERT
16. CAROLYN CRANDALL CMO at Attivo Networks
17. SOPHIA PACE Marketing Manager, Avertro
18. DEEPTHI BHUSHAN R&D Program Manager, FirstWave Cloud Technology
19. KAREN STEPHENS CEO and co-founder BCyber
20. CRAIG FORD Cyber Enthusiast, Ethical Hacker, Author of A hacker I am vol1 & vol2
21. QUEEN A AIGBEFO Research student, Macquarie University
22. MARISE ALPHONSO Information Security Lead at Infoxchange
23. KATHY NGUYEN Intern (GRC) and Women in Cyber Scholar, CyberCX
24. POOJA SHANKAR Final year Bachelor of IT student, Monash University | Intern, CyberCX
25. VICTORIA CHENG Penultimate Business and IT student, Secretary at UTS Cyber Security Society
26. JACYNTA GRIGSON Penultimate year Bachelor of Science (Cybersecurity) student, Edith Cowan University
27. AARATI PRADHANANGA Final year Master of IT & Systems student, University of Canberra
28. KAVIKA SINGHAL Final Year Cybersecurity Student, Western Sydney University
29. KAREN HOBSON Advanced Diploma of Cyber Security Student, South Metropolitan TAFE, Murdoch WA
30. SHAHNAZ ALI Cert IV Cyber Security Student, Box Hill Institute
31. JOCASTA NORMAN Masters by Research Student (Cyber Security Supply Chain Risk), RMIT University
32. MAEESHA LOHANI Security Consultant, Cyber Risk and Final Year Bachelor of Computer Science, Swinburne University of Technology
33. ABBY ZHANG SheLeadsTech Liaison and Ambassador, ISACA Auckland Chapter
34. EMMA SEAMAN Master of Cyber Security Analysis and Master of Intelligence student (part-time), Macquarie University
35. TIANA INMAN Tiana Inman, Intern and Cyber Security Student
36. CAITLIN SAUZA Final Year Bachelor of Cyber Security Student, Deakin University
37. LISA ROTHFIELD-KIRSCHNER Author of How We Got Cyber Smart, Amazon Bestseller
TURN IT UP
ASIAL SECURITY INSIDER By Australian Security Industry Association Limited
The ASIAL Security Insider Podcast Series has been designed to help engage with the wider security community and industry to help gain key insights on specific topics with guest speakers and discussions.
SECURITY IN COLOR By Dominique West
Whether you are a cybersecurity enthusiast or just interested in how to keep your digital identity safe, join the Security in Color Podcast as your host, Dominique, takes you through the latest cyber and cloud security news.
YOUR EVERYDAY CYBER PODCAST By Limor Kessem and Diana Kelly
Using internet-based services is part of our everyday lives. Nowadays, that’s also known as ‘cyber’. But do we know enough about living in it securely?
BREAKING INTO CYBERSECURITY By Renee Small and Christophe Foulon
This webinar series was created to share stories of how the most recent cybersecurity professionals are breaking into the industry. We hope this helps you in your quest to break into cybersecurity as well.
CANDID CYBERSEC PODCAST By Vandana Sharma
A podcast about what we work on, The podcast showcases guests’ unique ‘human factor’ while exploring the many facets of cybersecurity.
SECURITYMETRICS PODCAST By Jen Stone
The SecurityMetrics Podcast, hosted by Jen Stone (Principal Security Analyst, QSA, CISSP, CISA), will help you understand current data security and compliance trends. Each episode will feature a different security professional offering tips and security best practices.
CYBER FOR WOMAN PODCAST By Palo Alto Networks
The “Cyber for Women” podcast was created to talk about how women can build successful careers in cybersecurity, giving fresh perspectives on this ever-changing industry.
NEUROSEC PODCAST By Nathan Chung
Uniting people and organizations to support and advance Neurodiverse people in Cybersecurity.
LET’S TALK CYBER By Ankita Dhakar
Let’s talk Cyber is a platform where it aims to connect and talk with people passionate about IT security. Ankita believes education should be free! And by talking to industry experts we can educate and make more people aware about the things happening in cyberspace.
PATHS UNCOVERED PODCAST By Akanksha Malik
Paths Uncovered is a podcast run by @akankshamalik96 where we chat with people in the tech world and uncover their journeys to how they got to where they are.
AFTERNOON CYBER TEA By Ann Johnson
Ann Johnson, Corporate Vice President, Business Development, Security, Compliance & Identity at Microsoft, talks with cybersecurity thought leaders and influential industry experts about the trends shaping the cyber landscape and what should be top-of-mind for the C-suite and other key decision makers.
OPEN WEB APPLICATION SECURITY PROJECT (OWASP) By OWASP PORTLAND, OREGON CHAPTER
OWASP’s mission is to make software security visible, so that individuals and organizations are able to make informed decisions. OWASP is in a unique position to provide impartial, practical information about AppSec to individuals, corporations, universities, government agencies, and other organizations worldwide.
NAB SECURITY PODCAST By Tara McCarthy
Want to stay up to date on the latest security insights? In this series, Tara McCarthy from NAB discusses the cyber security and fraud issues that may impact customers, and talks with subject matter experts about insights and practical tips on how users can keep their business safe.
CLOUD SECURITY PODCAST By Cloud Security Podcast Team
Learn Cloud Security in Public Cloud the unbiased way from CyberSecurity Experts solving challenges at Cloud Scale. They focus on being honest and aim to make the community learn
THE SECURITY COLLECTIVE PODCAST By Claire Pales
The Security Collective is the podcast for leaders tasked with, and interested in, securing technology, people, processes and data for the protection of all. Join best-selling author Claire Pales, together with industry thought leaders who answer your questions.
WEST COAST CYBER PODCAST By Simon Carabetta, Caitriona Forde and Ben Aylett
Hosted by WA AustCyber Innovation Hub project and engagement coordinator, Simon Carabetta, along with a special guest from within the cyber security industry each month, this podcast will discuss topics related specifically to the cyber security industry in WA.
RANSOMWARE BATTLEGROUND PODCAST By Syya Yasotornrat and Poul Frederiksen
Ransomware Battleground hosts, Syya Yasotornrat and Poul Frederiksen investigate the highly topical attacks that Ransomware and its ilk are ravaging organizations big and small today.
TO THE POINT CYBERSECURITY By Carolyn Ford and Eric Trexler
Forcepoint’s To The Point Cybersecurity Podcast covers the latest cyber news, threats, and trends impacting the federal government.
Committed to creating, promoting and growing cyber security careers for all women.
cybercx.com.au/careers
OFF THE SHELF
LURKING: HOW A PERSON BECAME A USER Author // Joanne McNeil A concise but wide-ranging personal history of the internet from―for the first time―the point of view of the user In a shockingly short amount of time, the internet has bound people around the world together and torn us apart and changed not just the way we communicate but who we are and who we can be. It has created a new, unprecedented cultural space that we are all a part of―even if we don’t participate, that is how we participate―but by which we’re continually surprised, betrayed, enriched, befuddled. We have churned through platforms and technologies and in turn been churned by them. And yet, the internet is us and always has been. In Lurking, Joanne McNeil digs deep and identifies the primary (if sometimes contradictory) concerns of people online: searching, safety, privacy, identity, community, anonymity, and visibility.
LISTENING IN CYBERSECURITY IN AN INSECURE AGE Author // Susan Landau A cybersecurity expert and former Google privacy analyst’s urgent call to protect devices and networks against malicious hackers New technologies have provided both incredible convenience and new threats. The same kinds of digital networks that allow you to hail a ride using your smartphone let power grid operators control a country’s electricity—and these personal, corporate, and government systems are all vulnerable. In Ukraine, unknown hackers shut off electricity to nearly 230,000 people for six hours. North Korean hackers destroyed networks at Sony Pictures in retaliation for a film that mocked Kim Jong-un. And Russian cyberattackers leaked Democratic National Committee emails in an attempt to sway a U.S. presidential election. And yet despite such documented risks, government agencies, whose investigations and surveillance are stymied by encryption, push for a weakening of protections. In this accessible and riveting read, Susan Landau makes a compelling case for the need to secure our data, explaining how we must maintain cybersecurity in an insecure age.
TRIBE OF HACKERS RED TEAM: TRIBAL KNOWLEDGE FROM THE BEST IN OFFENSIVE CYBERSECURITY Author // Marcus J. Carey and Jennifer Jin Want Red Team offensive advice from the biggest cybersecurity names in the industry? The Tribe of Hackers team is back with a new guide packed with insights from dozens of the world’s leading Red Team security specialists. With their deep knowledge of system vulnerabilities and innovative solutions for correcting security flaws, Red Team hackers are in high demand. Tribe of Hackers Red Team: Tribal Knowledge from the Best in Offensive Cybersecurity takes the valuable lessons and popular interview format from the original Tribe of Hackers and dives deeper into the world of Red Team security with expert perspectives on issues like penetration testing and ethical hacking. This unique guide includes inspiring interviews from influential security specialists, including David Kennedy, Rob Fuller, Jayson E. Street, and Georgia Weidman, who share their real-world learnings on everything from Red Team tools and tactics to careers and communication, presentation strategies, legal concerns, and more.
YOU’LL SEE THIS MESSAGE WHEN IT IS TOO LATE: THE LEGAL AND ECONOMIC AFTERMATH OF CYBERSECURITY BREACHES Author // Josephine Wolff What we can learn from the aftermath of cybersecurity breaches and how we can do a better job protecting online data. Cybersecurity incidents make the news with startling regularity. Each breach―the theft of 145.5 million Americans’ information from Equifax, for example, or the Russian government’s theft of National Security Agency documents, or the Sony Pictures data dump―makes headlines, inspires panic, instigates lawsuits, and is then forgotten. The cycle of alarm and amnesia continues with the next attack, and the one after that. In this book, cybersecurity expert Josephine Wolff argues that we shouldn’t forget about these incidents, we should investigate their trajectory, from technology flaws to reparations for harm done to their impact on future security measures. We can learn valuable lessons in the aftermath of cybersecurity breaches.
IMPLEMENTING CYBERSECURITY: A GUIDE TO THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY RISK MANAGEMENT FRAMEWORK Author // Anne Kohnke, Ken E. Sigler, Dan Shoemaker The book provides the complete strategic understanding requisite to allow a person to create and use the RMF process recommendations for risk management. This will be the case both for applications of the RMF in corporate training situations, as well as for any individual who wants to obtain specialized knowledge in organizational risk management. It is an all-purpose roadmap of sorts aimed at the practical understanding and implementation of the risk management process as a standard entity. It will enable an “application” of the risk management process as well as the fundamental elements of control formulation within an applied context.
CYBER MINDS: INSIGHTS ON CYBERSECURITY ACROSS THE CLOUD, DATA, ARTIFICIAL INTELLIGENCE, BLOCKCHAIN, AND IOT TO KEEP YOU CYBER SAFE Author // Shira Rubinoff With new technology threats, rising international tensions, and state-sponsored cyber attacks, cybersecurity is more important than ever. Cyber Minds serves as a strategic briefing on cybersecurity and data safety, collecting expert insights from sector security leaders. What you will learn
• The threats and opportunities presented by AI
• How to mitigate social engineering and other human threats
• Developing cybersecurity strategies for the cloud
• Major data breaches, their causes, consequences, and key takeaways
• Blockchain applications for cybersecurity
• Implications of IoT and how to secure IoT services
• The role of security in cyberterrorism and state-sponsored cyber attacks
OFF THE SHELF
CYBERSECURITY IN OUR DIGITAL LIVES (PROTECTING OUR FUTURE BOOK 2) Author // Jane LeClair, Gregory Keeley, John Ashcroft Did you know your car can be hacked? Your medical device? Your employer’s HVAC system? Are you aware that bringing your own device to work may have security implications? Consumers of digital technology are often familiar with headline-making hacks and breaches, but lack a complete understanding of how and why they happen, or if they have been professionally or personally compromised. In Cybersecurity in Our Digital Lives, twelve experts provide much-needed clarification on the technology behind our daily digital interactions. They explain such things as supply chain, Internet of Things, social media, cloud computing, mobile devices, the C-Suite, social engineering, and legal confidentiality. Then, they discuss very real vulnerabilities, make suggestions about what can be done to enhance security, and offer recommendations for best practices. An ideal resource for students, practitioners, employers, and the general consumer of digital products and services.
THE ART OF EMAIL SECURITY: CYBERSECURITY IN SIMPLE TERMS Author // Evgen Verzun “The Art of Email Security” presents hard evidence of email committing high treason against your privacy, explains what makes you a possible target in the eyes of the attacker and shows what you can learn from online criminals to become more secure. To bring some spotlight on the importance of digital awareness in our tech-obsessed world, StealthMail Team launched the project and was later joined in this mission by leading cybersecurity experts across the globe. Chief information security officers that have worked for companies like Amazon, IBM, HBO, Gartner, UNICEF, DHL, Verizon, Capital One and many more were kind enough to share their knowledge and offer their unique insights, fueled by years of experience, and feedback-from-the-ground on email matters worth talking about. The material provided within the book allows privacy-oriented users of different Internet proficiency to get familiar with best practices of email security, learn about the most popular cyberattacks targeted at email, and find out why email is used so heavily by the most decorated hacking groups in the world.
EVERYDAY CYBERSECURITY: A PRACTICAL APPROACH TO UNDERSTANDING CYBERSECURITY, SECURITY AWARENESS, AND PROTECTING YOUR PERSONAL INFORMATION AND IDENTITY. Author // Christopher Cox You are the target. Whether you’re a multi-millionaire, CEO, or work for minimum wage and don’t even have a bank account, you are a target of cybercriminals. Other than financial assets, your personal information, contacts, and computing devices all have value. We use computing devices everywhere, and most people don’t even consider the personal informational hazards their actions, or lack of action, can pose. There is a shortage of good cybersecurity awareness resources focusing on non-technical users, and a deficiency in resources teaching people how to better protect their personal information, and what to do if their information is compromised. There is a need for a more practical, easier-to-understand approach to cybersecurity for the common person.
CONFIDENT CYBER SECURITY: HOW TO GET STARTED IN CYBER SECURITY AND FUTUREPROOF YOUR CAREER (CONFIDENT SERIES) Author // Jessica Barker Confident Cyber Security is here to help. This jargon-busting guide will give you a clear overview of the world of cyber security. Exploring everything from the human side to the technical and physical implications, this book takes you through the fundamentals: how to keep secrets safe, how to stop people being manipulated and how to protect people, businesses and countries from those who wish to do harm. Featuring real-world case studies from Disney, the NHS, Taylor Swift and Frank Abagnale, as well as social media influencers and the entertainment and other industries, this book is packed with clear explanations, sound advice and practical exercises to help you understand and apply the principles of cyber security. Let Confident Cyber Security give you that cutting-edge career boost you seek. About the Confident series... From coding and web design to data, digital content and cyber security, the Confident books are the perfect beginner’s resource for enhancing your professional life, whatever your career path.
CLICK HERE TO KILL EVERYBODY: SECURITY AND SURVIVAL IN A HYPER-CONNECTED WORLD Author // Bruce Schneier A world of “smart” devices means the Internet can kill people. We need to act. Now. Everything is a computer. Ovens are computers that make things hot; refrigerators are computers that keep things cold. These computers―from home thermostats to chemical plants―are all online. The Internet, once a virtual abstraction, can now sense and touch the physical world. As we open our lives to this future, often called the Internet of Things, we are beginning to see its enormous potential in ideas like driverless cars, smart cities, and personal agents equipped with their own behavioral algorithms. But every knife cuts two ways. All computers can be hacked. And Internet-connected computers are the most vulnerable. Forget data theft: cutting-edge digital attackers can now crash your car, your pacemaker, and the nation’s power grid. In Click Here to Kill Everybody, renowned expert and best-selling author Bruce Schneier examines the hidden risks of this new reality.
HACKER, HOAXER, WHISTLEBLOWER, SPY: THE MANY FACES OF ANONYMOUS Author // Gabriella Coleman Here is the ultimate book on the worldwide movement of hackers, pranksters, and activists that operates under the non-name Anonymous, by the writer the Huffington Post says “knows all of Anonymous’ deepest, darkest secrets.” Half a dozen years ago, anthropologist Gabriella Coleman set out to study the rise of this global phenomenon just as some of its members were turning to political protest and dangerous disruption (before Anonymous shot to fame as a key player in the battles over WikiLeaks, the Arab Spring, and Occupy Wall Street). She ended up becoming so closely connected to Anonymous that the tricky story of her inside–outside status as Anon confidante, interpreter, and erstwhile mouthpiece forms one of the themes of this witty and entirely engrossing book. The narrative brims with details unearthed from within a notoriously mysterious subculture, whose semi-legendary tricksters—such as Topiary, tflow, Anachaos, and Sabu—emerge as complex, diverse, politically and culturally sophisticated people.
THIS IS HOW THEY TELL ME THE WORLD ENDS: THE CYBERWEAPONS ARMS RACE Author // Nicole Perlroth From The New York Times cybersecurity reporter Nicole Perlroth, the untold story of the cyberweapons market – the most secretive, invisible, government-backed market on earth – and a terrifying first look at a new kind of global warfare. Zero day: a software bug that allows a hacker to break into your devices and move around undetected. One of the most coveted tools in a spy’s arsenal, a zero day has the power to silently spy on your iPhone, dismantle the safety controls at a chemical plant, alter an election, and shut down the electric grid (just ask Ukraine). For decades, under cover of classification levels and nondisclosure agreements, the United States government became the world’s dominant hoarder of zero days. U.S. government agents paid top dollar – first thousands, and later millions of dollars – to hackers willing to sell their lock-picking code and their silence. Then the United States lost control of its hoard and the market.
BROAD BAND: THE UNTOLD STORY OF THE WOMEN WHO MADE THE INTERNET Author // Claire L. Evans If you loved Hidden Figures or The Rise of the Rocket Girls, you’ll love Claire Evans’ breakthrough book on the women who brought you the internet--written out of history, until now. “This is a radically important, timely work,” says Miranda July, filmmaker and author of The First Bad Man. The history of technology you probably know is one of men and machines, garages and riches, alpha nerds and brogrammers--but from Ada Lovelace, who wrote the first computer program in the Victorian Age, to the cyberpunk Web designers of the 1990s, female visionaries have always been at the vanguard of technology and innovation. In fact, women turn up at the very beginning of every important wave in technology. They may have been hidden in plain sight, their inventions and contributions touching our lives in ways we don’t even realize, but they have always been part of the story. VICE reporter and YACHT lead singer Claire L. Evans finally gives these unsung female heroes their due with her insightful social history of the Broad Band, the women who made the internet what it is today.
THE SMARTEST PERSON IN THE ROOM: THE ROOT CAUSE AND NEW SOLUTION FOR CYBERSECURITY Author // Christian Espinosa Cyberattack—an ominous word that strikes fear in the hearts of nearly everyone, especially business owners, CEOs, and executives. With cyberattacks resulting in often devastating results, it’s no wonder executives hire the best and brightest of the IT world for protection. But are you doing enough? Do you understand your risks? What if the brightest aren’t always the best choice for your company? In The Smartest Person in the Room, Christian Espinosa shows you how to leverage your company’s smartest minds to your benefit and theirs. Learn from Christian’s own journey from cybersecurity engineer to company CEO. He describes why a high IQ is a lost superpower when effective communication, true intelligence, and self-confidence are not embraced. With his seven-step methodology and stories from the field, Christian helps you develop your team’s technical minds so they become better humans and strong leaders who excel in every role. This book provides you with an enlightening perspective of how to turn your biggest unknown weakness into your strongest defense.
INVISIBLE WOMEN: DATA BIAS IN A WORLD DESIGNED FOR MEN Author // Caroline Criado Perez Winner of the 2019 Financial Times and McKinsey Business Book of the Year Award. Winner of the 2019 Royal Society Science Book Prize. Data is fundamental to the modern world. From economic development, to healthcare, to education and public policy, we rely on numbers to allocate resources and make crucial decisions. But because so much data fails to take into account gender, because it treats men as the default and women as atypical, bias and discrimination are baked into our systems. And women pay tremendous costs for this bias, in time, money, and often with their lives. Celebrated feminist advocate Caroline Criado Perez investigates the shocking root cause of gender inequality and research in Invisible Women, diving into women’s lives at home, the workplace, the public square, the doctor’s office, and more. Built on hundreds of studies in the US, the UK, and around the world, and written with energy, wit, and sparkling intelligence, this is a groundbreaking, unforgettable exposé that will change the way you look at the world.
THE INSIDER THREAT: ASSESSMENT AND MITIGATION OF RISKS Author // Eleanor E. Thompson This book provides emergent knowledge relating to physical, cyber, and human risk mitigation in a practical and readable approach for the corporate environment. It presents and discusses practical applications of risk management techniques along with usable practical policy change options. This practical organizational security management approach examines multiple aspects of security to protect against physical, cyber, and human risk. A practical more tactical focus includes managing vulnerabilities and applying countermeasures. The book guides readers to a greater depth of understanding and action-oriented options.
ETHICAL HACKING Author // Alana Maurushat How will governments and courts protect civil liberties in this new era of hacktivism? Ethical Hacking discusses the attendant moral and legal issues. The first part of the 21st century will likely go down in history as the era when ethical hackers opened governments and the line of transparency moved by force. One need only read the motto “we open governments” on the Twitter page for Wikileaks to gain a sense of the sea change that has occurred. Ethical hacking is the non-violent use of a technology in pursuit of a cause—political or otherwise—which is often legally and morally ambiguous. Hacktivists believe in two general but spirited principles: respect for human rights and fundamental freedoms, including freedom of expression and personal privacy; and the responsibility of government to be open, transparent and fully accountable to the public. How courts and governments will deal with hacking attempts which operate in a grey zone of the law and where different ethical views collide remains to be seen. What is undisputed is that Ethical Hacking presents a fundamental discussion of key societal questions.
SURFING THE NET
IDEASPIES With so much misinformation available, it’s getting harder (and more time-consuming) to sift through the rubble of daily content. But the right ideas and stories have the power to change our world for the better – if we know where to look for them. IdeaSpies takes the hard work out of finding and sharing good. They are an open innovation platform for clever ideas, new discoveries and original thinkers. Featuring simply written posts of 100 words or less, their stories aim to expand the mind and spark the imagination of all readers. Their blog covers a range of topics including data privacy, data science, artificial intelligence, climate, fintech, new research, governance, healthcare, diversity, inclusion, startup, wellbeing, etc. They have got something for everyone!
THE CYBER WOMAN The Cyber Woman was created to address the lack of female representation in the cybersecurity industry by sharing authentic stories of women who cyber. Cybersecurity is one of the fastest-growing technology sectors but it only employs less than 10% of women. How can we ensure that we solve essential security problems, build great companies and products for everyone when such a significant part of the population isn’t a part of it? Here you will find insights and tips from the awesome 10%, the creative and influential women who rock in cyberspace.
DEMYSTIFY CYBER Demystify Cyber’s aim is to demystify all things ‘cyber’ to support everyone to be safer online and when using technology. The website was started by Amanda-Jane Turner who first came across the idea in 2018 when she was lecturing a group of criminology students. What she thought everyone knew, about online safety and cybercrime, was not as common knowledge as she had presumed. Realising that increased interconnectivity and other advances in technology will also lead to an increase in crime opportunities, she was concerned that so many users of technology do not have the basic knowledge they need to keep themselves safe online. She started the Demystify Cyber project with the goal to help users of technology to better understand cybersecurity and stay safer from cybercrime.
THE WOMEN IN CYBERSECURITY SOCIETY The Women CyberSecurity Society Inc. (WCSS) is a registered nonprofit community providing support, resources, mentorship, guidance and training to women, girls and minorities interested in advancing a career in cybersecurity. Their mission is to empower and support women and girls interested in a career in cybersecurity by removing roadblocks and obstacles. They enable women to continue the journey to become strong, confident leaders within cybersecurity of the future. They not only focus on empowering women but also focus on advancing their careers to the next level. You can learn from industry experts in-depth details about the cybersecurity industry.
ARCHITECT SECURITY April C. Wright runs the Architect Security blog. She is a hacker, author, teacher, and community leader who has been breaking, making, fixing, and defending the security of global critical communications and connections for over 25 years. She is an international speaker and trainer, educating and advising on matters of privacy and information security with the goal of safeguarding the digital components we rely on every day. April has held roles on defensive, operational, adversarial, and development teams throughout her career and is currently a Senior Application Security Architect. Her blog is focused on “protective security” and is aimed at educating people (whether high executives or users) on how they can use simple techniques to be more cyber safe.
WOMEN IN IDENTITY Women in Identity (WiD) is a registered non-profit membership organisation, run by volunteers whose purpose it is to promote parity with respect to opportunity, reward, recognition and professional mobility in relation to gender, intersectionality, race, ability, ethnicity, sexual orientation/identity, creed, age or social status. They have an open forum for women in the identity sector to bounce ideas off each other, collaborate, and provide mentorship. They focus on supporting each other in gaining confidence to speak up - and speak out - at work, at conferences and in the media. Identity is all about recognising the individual human behind a transaction or interaction so they champion that systems designed FOR everyone should be designed BY everyone.
PHISHING FOR ANSWERS Phishing for Answers is a blog site that provides information about cyber news, technology policy, and information security management. This blog is intended to inform every type of reader, from experienced professionals to career starters to people with a general interest in cybersecurity. Because online data protection is first and foremost a human problem, Phishing for Answers strives to publish content that can be consumed by everyone.
FORRESTER Forrester is one of the most influential research and advisory firms in the world. They help business and technology leaders use customer obsession to accelerate growth by putting their customers at the center of their leadership, strategy, and operations. Their unique insights and blog posts are grounded in annual surveys of more than 675,000 consumers, business leaders, and technology leaders worldwide; rigorous and objective methodologies, including Forrester Wave™ evaluations; over 52 million real-time feedback votes; and the shared wisdom of our clients.
SHECANCODE SheCanCode started as a women-in-tech blog and has evolved and grown their platform into an active women-in-tech support hub, providing tools and resources for women who are in careers in tech or are considering entering or transitioning into a career in tech. They have a community of over 130,000 users worldwide and see that increasing every day. Their aim is to empower women to enter and remain in the tech industry as well as create a world wherein there is equal opportunity in the tech industry and gender does not need to be a conversation.
ZD NET ZDNet brings together global news coverage and analysis on local and global IT Security industry trends and opportunities, to support IT Security Professionals and Decision Makers in their IT Security Buying Cycle process. Whether you want to follow hot topics or emerging trends or keep up to date with the latest news and events, ZDNet is the destination for professionals seeking to research technology-related issues and solve business technology problems.
DIGI.ME
Save the date
The Australian Women in Security Awards are back for 2021. Join us in-person or via live stream to celebrate our community of Women in Security.
December 8th 5:30-10:30pm