05
NOVEMBER • DECEMBER
WHAT SHORTAGE
WWW.WOMENINSECURITYMAGAZINE.COM
FROM THE PUBLISHER

Australia’s security skills shortage is a lie

Talent is not the problem – hiring companies are

We were inundated with nominations for this year’s 2021 Australian Women in Security Awards, with hundreds and hundreds of outstanding cybersecurity and protective security professionals put forward to recognise their contributions to the ever-changing security industry. Judges had their hands full – but I was left wondering what the response would have been if each person on my LinkedIn network had shared my posts with others like Amanda Turner did or made an announcement about the awards within their own organisations as well. One day, perhaps.

The other thing I was left wondering was a little more disruptive: with so many obviously qualified women distinguishing themselves in security every day, does Australia really still have a cybersecurity skills shortage?

News flash: there is no shortage of women (and men) working to get jobs in IT security. Universities are churning out graduates; workers are diving into cybersecurity from other industries; and employers are plumbing new sources of talent by recruiting internally, and targeting gender-diverse and neurodiverse communities. In other words, from here in the captain’s chair it looks like the industry has heeded the call, pulling out all the stops to find the security professionals they require. So why is the media still talking, as the AFR did in August, about the “chronic shortage of skilled cyber security workers” and a talent pool half the size of the 14,000 cybersecurity job openings in the year to September 2020?

What about the ISSA/ESG Group Life and Times of Cybersecurity Professionals 2021 study, in which 76% of respondents said it was “extremely difficult” to recruit cybersecurity professionals, and 57% said their organisations had been affected by the global cybersecurity skills shortage. Cloud computing security, app security, and security analysis and investigations were named as the hardest skills to find, but – and here’s the kicker – 29% said their HR department doesn’t really understand cybersecurity skills and was probably excluding qualified candidates off the bat. Furthermore, 28% said that cybersecurity job postings tend to be unrealistic, demanding too much experience and way too many certifications.

If you’re reading those comments and don’t immediately think about words like ‘internships’, ‘graduate programs’ and ‘work experience initiatives’, it’s probably time to hang up your hat and go home. But if you did? That’s the first step towards closing the gap.

What I can only conclude from these figures is that the media-hyped skills shortage has been false, misleading, and inaccurate. The problem isn’t that we don’t have enough skilled cybersecurity candidates; the problem is that we have a shortage of fully qualified, deeply-experienced professionals who are citizens or permanent residents within our industry.

This perspective completely ignores the other pathways into cybersecurity, and the importance of understanding that your next cybersecurity superstar – and our next Women in Security Award winner – may well be a student who has blindly followed the advice, spent years getting trained, then graduated to find they cannot compete for jobs as currently described. Blind Freddy could see that if cybersecurity spending is expected to increase to $7.6 billion over the next few years, then this is the time to train these individuals to be our next generation of cybersecurity fighters – and to adjust our expectations so that we can stop crying about the supposed skills shortage. With international borders only tentatively opening, we will not be able to rely on the importation of certified, top-grade cybersecurity professionals for any time soon – so why aren’t Australian companies looking to tap the talent in their own backyards?

There are hundreds, if not thousands, of cybersecurity and GRC graduates currently sitting at home and doing very little because they can’t satisfy a potential employer’s HR checklist or AI-powered CV screening tool. Instead of acting like they aren’t there and crying about the skills gap, why not invest a little time and money to level up their skill sets and experience with a decent training program? You have nothing to lose, and everything to gain – and so does an industry where we are chronically overlooking qualified potential employees in our search for the perfect candidate.

Here’s what I think we need to do:
• The media need to report where the real shortage is
• Universities and TAFEs could do better to promote cybersecurity professions, adding certifications and work experience to help graduates’ professional prospects
• Companies should educate HR departments or recruitment agencies about cybersecurity roles and skill sets – and instruct them not to exclude candidates until they have been vetted by a senior CSO or similar
• Managers should open up more entry-level roles, graduate programs, and internships
• Executives should change company policies and culture to promote workforce inclusiveness and diversity
• For students, I have just three words: network, network, and network
• Connect with security professionals, associations, and mentors from different disciplines who can help you improve your optics with HR and recruitment agencies

As I’ve said, there is no point sitting around whingeing about the cybersecurity skills gap when a bit of lateral thinking will help us tap our massive pools of security talent. Without thinking differently, how will we as an industry ever catch up?

Abigail Swabey
PUBLISHER, Owner & CEO of Source2Create
aby@source2create.com.au
WOMEN IN SECURITY MAGAZINE
CONTENTS

PUBLISHER’S LETTER

COLUMN
• Holiday season brings seasonal scams
• How parents can help to protect their teens from online predators
• Board Speak versus Tech Speak: same-same-different (really different)
• What do the “Women in Security” awards mean to you?

SKILLS SHORTAGE? WHAT SKILLS SHORTAGE?
PROTECTIVE SECURITY HAS A BIGGER GENDER PROBLEM THAN CYBER
BIRDS OF A FEATHER

WHAT’S HER JOURNEY?
• Marie Patane
• Kylie McDevitt
• Bex Nitert
• Melanie Ninovic
• Shenan O’Mahony
• Sai Honig
• Mariana Tellez

INDUSTRY PERSPECTIVES
• “A wise (wo)man will make more Opportunities than (s)he finds”
• Have I arrived? Yes!
• Equality means business: advocating women’s empowerment principles in the male-dominated security industry
• Applying the human factors analysis Classification system (HFACS) to cybersecurity
• AWSN is leading the way by offering female-only technical hands-on workshops via the security pathways program, sponsored by the Australian Signals Directorate (ASD)
• Seeking out talented technology females, ready or not
• Can we talk about this? Speak up for yourself!
• My journal on sheLeadsTech Melbourne: journey from 2017 to 2021
• How to identify and survive a toxic workplace environment

TECHNOLOGY PERSPECTIVES
• A cybersecurity glass shoe
• On the front foot with cyber-resilience
• The biggest lie ever told, and its impact on consumer privacy
• The real reason there’s a shortage of women in security
• Do your part. #becybersmart.
• Artificial Intelligence systems: building AI systems for resilience
• Strategic security execution in the age of recovery and revitalisation

STUDENT IN SECURITY SPOTLIGHT
• Elizabeth Mcburnie
• Clariza Look
• Crystal D’souza
• Scott Cooper

TURN IT UP
SURFING THE NET
OFF THE SHELF
AUSTRALIAN WOMEN IN SECURITY AWARDS 2021

NOVEMBER • DECEMBER 2021

FOUNDER & EDITOR: Abigail Swabey
ADVERTISING: Abigail Swabey, Charlie-Mae Baker, Vasudha Arora
JOURNALISTS: David Braue, Stuart Corner
SUB-EDITOR: Stuart Corner
DESIGNER: Jihee Park
Women in Security Magazine is published by Source2Create ABN 25 638 094 863
Source2Create Pty Ltd is the publisher of this magazine and its website (www.womeninsecuritymagazine.com). AWSN is the official partner of Women in Security Magazine
©Copyright 2021 Source2Create. All rights reserved. Reproduction in whole or part in any form or medium without express written permission of Source2Create is prohibited.
Connecting - Supporting - Inspiring
AS A FORMAL NETWORK MEMBER, YOUR CONTRIBUTION ENABLES US TO BUILD A STRONGER FUTURE
With an affordable annual fee, AWSN members will have access to discounts on programs and industry events, the membership Slack space, post or share job opportunities, and receive our monthly and any special edition newsletters.
Memberships are now a 12-month cycle. Corporate packages available. Learn more at www.awsn.org.au/members/join/
SKILLS SHORTAGE? WHAT SKILLS SHORTAGE?
by David Braue

The reason your company has so few women in cyber isn’t because they aren’t out there

Even with the best intentions, companies actively working to improve gender diversity often still get it wrong.

As CEO of gender-diversity advocate The Human Collective and network director of the women-in-tech advocacy group Women Who Code Melbourne, Gretchen Scott has heard all the stories – like the one about the well-intentioned Melbourne company that went all out to hire more talented women, then discovered they had fallen into a classic trap.

“They did huge work around recruiting women into their tech teams,” Scott recounted during a webinar this year, “and then realised what they had inadvertently done was to hire a whole heap of junior women – which meant the culture was all men in leadership, and all women in junior roles.”

“That was not their intent in any way, shape, or form – but that’s how it played out,” she continued. “And when they realised that women were leaving the organisation and asked them why, it was because they felt there was nowhere for them to go – because there was no one like them in the upper echelon.”

Scott gives credit to the company in question, which began actively looking for new recruits to its senior management roles and even created a team specifically charged with improving diversity by overhauling the application process.

For every company like that, however, there are surely dozens where women are, whether intentionally or accidentally, languishing in what they perceive as dead-end careers while the establishment perpetuates a managerial archetype that gives them little hope that things will change.

Although widely-quoted (ISC)2 figures suggest women comprise around 24% of the cybersecurity workforce, this proportion drops off quickly in more senior positions – with Gartner noting that just 17% of senior vice presidents and 16% of C-suite roles are currently occupied by women.

Company culture is a major reason for the gap, with fully 59% of respondents to a recent Gartner study indicating that company culture and bias are a key reason women in technology roles can’t rise to leadership positions.

Respondents recounted stories of companies struggling with “a short-term view,” Gartner notes, “with an emphasis on tactical solutions that fall short of recognising the power of product leaders to overcome the systemic challenges that impact their tech pipeline, recruiting, and retention efforts.”

“The question of overcoming the digital divide, hate for profit, diversity, inclusion and equity falls square in the hands of technology product leaders.”

BRIDGE THE GAP IF YOU WANT TO

Defying the prognostications of industry watchers that suggest the skills gap is due to a lack of qualified women, a growing number of companies are realising that lingering inequality is more reflective of employment cultures where skilled women simply aren’t being given the right opportunities.

Such issues have contributed to “alarmingly high” attrition rates of 65% to 90% within the US Air Force’s DoD Platform One capability, chief operating officer Maj. Austen Bryen told a recent DevOps Institute webinar where he said exit interviews with departing staff highlighted the importance of “deliberate development”.

“We’re really good at finding bright, young, talented people who want to be part of the mission,” he said – noting that the Platform One group had expanded from 20 people to 90 in the last two years alone – “but the mission only goes so far: if you want to focus on software, there’s not really a career track in the government for you.”

“People just want an opportunity to continue to develop, and to stay close to what they’re passionate about…. [but] how do we reward a career track where you’re getting more and more depth, and less and less breadth?”

“We just have this massive gap in how we develop and retain that skill set – and if you add on top the higher salaries, more flexible work schedules, telework and whatever else from commercial, it gets really, really difficult to keep people.”

Keeping these dynamics in mind, companies can fix lingering inequality if they want to do so badly enough – as did Sydney-based scaleup Appen, which leans on a global base of 1125 employees and over 1 million contractors that work to continuously train the company’s artificial intelligence (AI) platform.

The company set a target of 50/50 gender equality and ultimately beat its goal, now boasting 58% women in its global workforce through a combination of initiatives – including embracing the gig economy and adopting project and outcome-based measurements of work that, Gartner noted in a recent global analysis of successful equality practices, “allows its employees to work when, where and even how they (and their environments) are optimally productive”.
Indeed, walking the talk is critical: although the company provides up to 12 weeks of parental leave and family planning benefits, for example, executives actively share their own time-off dates so that women don’t worry that exercising flexible-work options will make them seem less committed to their work than male colleagues.

Many cloud-first companies are designing gender-equal hiring policies that are showing real traction, said Jacqui Loustau, founder and executive manager of the Australian Women in Security Network (AWSN), who noted that startups with the right approach are having no trouble finding skilled women.

Within startups “there are a lot more discussions [about diversity] and embedding that from day one,” she said. “They really are trying to build that diverse team, not just with gender, but also for different backgrounds…. that’s really important that they have actually started that from starting out their company. That’s the kind of company that they wanted to build, and they’ve done it from the start.”

Many less-proactive companies fall into another trap, Gartner notes, which is the tendency to leave women “overmentored and undersponsored” – meaning that too many executives are happy to share their experiences with aspiring women, but too few are willing to open doors for them by actively giving them new opportunities to distinguish themselves and advance their careers.

In other words: women may now be allowed into the boys’ club, but in too many organisations they’re still expected to serve the drinks.

Fortunately for talented women, word gets out – and companies with hostile or indifferent cultures will ultimately get called out.

And while their leaders may shrug and blame the lingering skills gender gap, this will close their minds to the reality that there are plenty of skilled women out there – but they just aren’t responding to what those companies are offering.

“We have triggers to make people behave in certain ways and we use them all the time,” Scott said, “so let’s use them to make our workforces diverse.”

THE RISKS OF FALLING SHORT – AND THE OPPORTUNITIES OF GOING LONG

Hiring dynamics are likely to change dramatically as the global economy pivots away from the COVID-19 pandemic.

Coronavirus knows nothing about gender, race, privilege, experience, or any of the myriad other ways we divide people – which means that as companies fight to reconstitute their workforce, they will be drawing on a pool of displaced workers unprecedented in its diversity.

In the gold rush to secure the best talent, companies have an unprecedented opportunity to repair the imbalances of the old world by proactively recruiting women into all kinds of positions, at all kinds of levels across the organisation.

Concessions such as flexible working hours and remote-work capabilities are now table stakes in a labour market where daily lives and work schedules are likely to remain in a state of flux for 2022 at least.

Companies that fail to diversify – both vertically by giving women more accessible career paths, and horizontally by engaging them in a broader range of jobs – are creating new opportunities for cybercriminals targeting companies that have failed to diversify their defences.

“Attackers are realising that they can spread out their attack on thousands [of targets] and each one has an individual response to them,” explains Mary-Jo Schrade, assistant general counsel and regional lead with Microsoft’s Digital Crimes Unit.

“They can take advantage where there are weaknesses [due to] that lack of diversity and lack of ability to think the way attackers do…. It’s almost better for somebody not to have become a defender in a standard way, but to come from a different angle to bring that diversity and perspective to the defence.”

Ultimately, the most proactive leaders will be the ones that aren’t afraid to take a long, hard look in the mirror.

“We still have a lot of work to do to have more representation in senior leadership positions,” says Orieji Iroha-Agwu, director of career development strategy and programs with Red Hat, “and mentoring and sponsoring have a huge role to play in making that happen.”

“We have to go beyond good intentions, and start to make very conscious and meaningful efforts towards this focus,” she noted during a recent Red Hat Summit webinar.

“We need to go to where the talent is, and we need these opportunities when we go out there, start to develop, mentor, and build this pipeline of diversity…. Make sure that they’re engaged, and feel that they’re making meaningful and valuable contributions to the industry.”
AMANDA-JANE TURNER
Author of the Demystifying Cybercrime series and Women in Tech books
Conference Speaker and Cybercrime specialist

COLUMN

Holiday season brings seasonal scams

Cybercrime is big business thanks to technical advancements and interconnectivity creating more opportunities for cybercriminals. This regular column will explore various aspects of cybercrime in an easy-to-understand manner, to help everyone become more cyber safe.

Cybercrime is big business, and a great time for cybercrime business is the holiday season. As people go on vacation, buy seasonal gifts or look to give to charities, the opportunity for cybercrime is huge. Cybercrimes that exploit the holiday season may include:
• Emails masquerading as well-known retailers offering huge discounts on popular goods. The emails may be phishing for log-in credentials, trying to steal credit card details, or tricking the victim into downloading malware.
• Advanced fee scams from fake online sellers offering in-demand, difficult to obtain products at a large discount. The victim pays the money but never sees the goods.
• Fake parcel delivery notifications via text or email that either demand payment so goods can be delivered, or lure the recipient to a credential phishing site.
• Fake charity collectors, where the criminals spoof well-known charitable organisations with fake websites, emails or social media posts, and solicit donations.
• Fake proposals offering opportunities to make easy money working from home with the aim of recruiting money mules to launder the proceeds of crime.

WHAT CAN WE DO TO PROTECT OURSELVES?
• Use strong unique passwords for each account/site.
• Be cautious of unsolicited emails containing links or attachments, even if they appear to be from a genuine retailer.
• Use reputable and up to date anti-virus software.
• Use multi-factor-authentication wherever possible.
• When shopping online, be cautious of sellers who cannot be verified.
• Routinely check bank statements for discrepancies.
• Before donating to charity, check that the site and the organisation is genuine and uses secure payments.
• If a work from home job opportunity sounds too good to be true, it probably is.

If you have been impacted by cybercrime, in Australia you can report this via www.cyber.gov.au/acsc/report. In other countries, report it to your local police or through the relevant cybercrime reporting mechanism.

Seasonal scams are big business – stay safe.

www.demystifycyber.com.au/
Easy Reliable Resourceful
No job is too big or too small. We look after your marketing & content needs so you can get on with what you do best.
GET CONNECTED AND TAKE CONTROL OF YOUR BUSINESS SUCCESS TODAY!
charlie@source2create.com.au
aby@source2create.com.au
www.source2create.com.au
PROTECTIVE SECURITY HAS A BIGGER GENDER PROBLEM THAN CYBER
by David Braue

As sectors blend together, women’s common experience highlights the need for change

If you think cybersecurity firms are struggling to get a better gender balance, spare a thought for the women of protective security – where women comprise just 1 in ten employees and the industry is running into even bigger hurdles as it fights to both improve equality and to fundamentally transform itself in the process.

Just 10.1% of registered UK Security Industry Authority (SIA) license holders are women, according to a recent FOI request that also showed that gender-equality needle had barely moved over the past five years.

The latest Security Industry Licensing Report 2021, from peak body the Australian Security Industry Association Limited (ASIAL), does not break out the gender of Australia’s 153,256 security holders.

However, the agency noted in 2018, state regulator statistics suggested that women comprised around 10% of security employees in NSW, the ACT and SA and 14% in Tasmania and Queensland.

Even then, said security-industry veteran Janine Hill, “women are often stereotyped as the admin/HR or marketing person and sometimes it takes time to establish operational credibility. As a working mum, it can be difficult to find flexible working conditions and therefore obtain the experience necessary to move on to more senior roles.”

Although “there has been an increased willingness for organisations to be flexible,” she added, “this is not backed by a true understanding of what that means. Generally, a woman needs to prove herself as a trusted employee before a business would consider flexible conditions.”

It’s a common story across the protective security industry, where gender balance remains skewed and the industry fumbles with strategies for dispelling the perception that sheer strength is a key asset and women still play a marginal role.

Given the perception that the security industry is male-dominated and populated by police and Australian Defence Force (ADF) veterans – the ADF includes just 19.2% women, by its own count – the industry has struggled to sell itself to women that bring important new perspectives around protective security.
“The main challenge to women lays in the stereotypical view of the security industry,” said security consultant Rachell DeLuca, a more than 20-year security industry expert, “that it is mainly male and filled with former law enforcement officers. This is not the case, however the stereotype does persist.”

“Any person entering the security industry now has more options than ever before,” she continued, “with an increased focus on security and risk services creating a whole new world of opportunities and career paths that were not available previously. Dedicated and professional women are needed in the security industry to drive the changes we want for security in the future.”

TRANSFORMING AN INDUSTRY

Those kinds of stories likely sound all too familiar to women in cybersecurity, where efforts to improve gender equality are providing a model for similar initiatives in the physical security industry.

It’s a global issue that has been tackled head-on by the likes of global security industry body the Security Industry Association (SIA), which founded its formal Women in Security Forum in 2018 and last year launched a scholarship program designed to support women pursuing professional development and training in the field.

“Diversity of experience and inclusion of the full community of security professionals is so important,” says Kasia Hanson, a global Internet of Things (IoT) partner sales leader for physical security with Intel who was recently appointed as the forum’s latest chair to, as she put it, “bring more women into the industry to create an amazing and safe future.”

That’s a broad remit, but one that reflects the protective security industry’s reinvention over the past few years – with principals fighting to overcome years of gender imbalance and women pioneers sharing stories of careers built staring down conference rooms full of men, or being told that they flat-out couldn’t be hired because they were women.

“Most of the time, I was underestimated by my male counterparts,” Condortech Services director of client success Fabiola Francisco recalls. “Some took pity on me; some were helpful and would share their perspective or their notes; others were curious and would challenge my knowledge. It felt like a game most of the time, the constant one-up during [sales] walkthroughs on a technical level.”

The appointment of Hanson to lead the forum is no mistake: as a specialist in both physical security solutions and IoT ‘smart city’ technologies, her mixed skill set spans both protective security and cybersecurity.

Convergence in these two industries is being hastened by the government’s focus on critical infrastructure and the application of its Protective Security Policy Framework (PSPF), which takes a broad-brush approach to security.

Security 2025, a foundational strategy document recently released by ASIAL, called out the increasing competition between ICT companies that “have cybersecurity experts [where] the security industry arguably does not.”

“Although the differences between the industries are blurring, the professional demarcation between disciplines appears to continue,” the report notes, “and what is a potential market share opportunity will subsequently remain as a threat if this current gap in capability is not addressed.”

A number of other key weaknesses continue to challenge the security industry, the report notes, including a lack of clear career pathways, “poor public perception” due to an outdated understanding of the industry, “slow and siloed” adoption of new technologies, industry fragmentation, and more.

Interestingly, ASIAL has removed gender from the discussion, with its Security 2025 strategy making no mention of women or gender nor setting an improved gender balance amongst its strategic goals.

Just two of ASIAL’s eight directors are women – and out of 17 speakers at the organisation’s Security 2021 upcoming annual conference in November, just one is female.

Current president John Gellel addressed the issue in ASIAL’s latest annual report, calling the issue of gender equality “long overdue” and flagging the opportunity “to update the industry’s image and make ourselves more meaningful and more attractive in the broader recruitment spectrum.”

“The traditional model of ‘big boys’ occupying security jobs does not have meaning any more in the 21st century, considering the diversity and increasing levels of technical sophistication in the industry…. But this is something that ASIAL cannot do alone. It will take an all-of-industry approach to deliver meaningful outcomes in the critically important recruitment space.”

BE THE CHANGE YOU WANT TO SEE

Women in the security industry aren’t holding their breath, instead moving recently to strengthen support networks for female employees who – as a minority in both sectors – report many of the same challenges being taken seriously and recognised for their work.

Those similarities in lived experience are bringing the sectors together: earlier this year, the Australian Women in Security Network (AWSN) integrated Women in Security and Resilience (WiSR), a like-minded support group for women in the protective security industry.

WiSR’s inclusion will, AWSN noted, “formally (and more broadly) recognise all physical security membership by encouraging members in the security industry across all its functions – protective security, resilience, risk, business continuity, systems and operations – to be a part of the AWSN”.

The merger follows a global trend in which protective-security bodies are increasingly adding cybersecurity specialists to their remit, with global support from the Women in Security & Resilience Alliance (WISECRA) highlighting the two industries’ convergence going forward.

Ultimately, commonality of purpose and experience will drive female security professionals along a similar path regardless of their particular specialty.

“The security industry is home for those who are passionate about helping others, protecting our communities, and problem solving,” said Condortech’s Francisco, but “I still see very few women in leadership roles within the security field; most women are still found in support and administrative roles.”

“I do believe there is opportunity to change if our industry is willing,” she continued – urging companies to promote the benefits of the industry as a career choice, provide focused training and showcase the strengths of the security community “and how open and embracing we are.”

“Every one of us plays a role in this,” she says. “As a group, we can achieve our industry efforts toward diversity, equity, and inclusion.”
Some women just want
The Gift of Safety this Christmas
Upstream Investigations are proud to support the Women in Security Magazine
in the prevention, education and intervention of Domestic and Family Violence
www.upstreaminvestigations.com.au
Source2Create Spotlight
Advertising
The market is saturated, so how can you position your company’s product or service strategically to your audience to stand out from the clutter? At S2C, we position your creative and content across a mixture of media to generate more excitement and better engagement from your target audience. We explore a range of ideas with our clients to spread their message – the right way.
REACH OUT TODAY
charlie@source2create.com.au
aby@source2create.com.au
www.source2create.com.au
WHAT’S HER JOURNEY?
Marie Patane
Chief Security Officer, Sydney Metro
As a teenager, Marie Patane worked in a make-up shop and aspired to become a police officer, but wasn’t tall enough. So she decided to stick with make-up and use her creativity to pursue a career as a make-up artist doing special effects makeup. She is now the chief security officer for Sydney Metro, Australia’s biggest public transport project. It’s been an interesting journey.
“Being a make-up artist was a great job for a young and carefree kid with no responsibilities,” she says. “I travelled the road with production crews. I learnt strong time management and organisational skills, and I learnt to adapt to unexpected events. But life brings changes, and those drove my career choices.”
Her next choice was to join the Royal Agricultural Society in 1998 when it had moved to the venue for the 2000 Olympic Games in what was then Homebush Bay. That led to a role as HR manager of catering staff during the games, which she describes as being, at the time, the steepest learning curve of her career (but there were many others to follow). “I was responsible for the catering staff across six venues. Their ranks included 2500 casual staff in roles ranging from staffing coffee carts to serving in VIP sponsorship lounges. Adaptability, dealing with unions, delivering difficult communications. It was a role I had been thrown into, and a major step up.”
FROM HR TO CHANGE MANAGEMENT
Her next step up was to join Qantas as a program office manager. This was followed by a move into change management. “At the time, change management and the part it played in successful project management were just starting to be understood by the private sector,” she says. “In that role, my way of working changed completely. I was involved in the rollout of a new rostering system ‘above and below the wing’, which meant I worked in all aspects of operations, from check-in to baggage handling.”
To understand operations, drive change and bring staff on board, Patane spent several days ‘walking in the shoes’ of staff, understanding the terminology and the time pressures they faced.
“I undertook shift work to understand staff needs, and to learn about their roles and the implications of the proposed changes. This helped me, and I believe it helped the staff. Relationships were formed and I felt I was far more respected because I understood their working environment. The result was a much greater acceptance of the change program.”
A couple of years later she changed roles again, after being asked to apply for an emergency response role at Qantas by one of the senior managers. She suffered a baptism of fire.
CRISIS AFTER CRISIS
“Five days after starting in that role, with my manager on an Alaskan cruise and beyond mobile phone coverage, Qantas had its worst incident.” In 2008 a plane on flight QF72 from Singapore to Perth malfunctioned and made multiple sudden, uncommanded downward movements, injuring passengers and crew. “I had not even finished reading the manuals about the work I was responsible for,” Patane says.
She assembled a team of 20 and headed to Perth to look after the injured passengers, their families, and the crew. She says the experience made her a better person.
“I had never faced anything with so many complexities, not to mention having to keep the team motivated. I had to manifest empathy and humility at levels I never knew I was capable of.”
Patane was plunged into an even more formative crisis in 2010 when a global cloud of ash from a volcano in Iceland disrupted air travel over much of the world. She was deployed to Singapore and made responsible for all passengers grounded in South East Asian airports as well as Frankfurt and London – some 5,000 people stranded in foreign countries, with the number growing daily. In Singapore, a country not impacted by the volcanic ash, there were more than 2,500 people to be accommodated. Unfortunately, Singapore was hosting an international food and wine convention, so there was no accommodation available. “A contingency plan was devised under which all passengers were bussed to Malaysia – a logistical nightmare!” she says.
Her responsibilities in this crisis ranged widely: from child-minding to handling stranded passengers’ medical requirements.
“I was requested to look after some of the children who had been travelling alone and were now stranded in a foreign country,” she says. “I became house mum. It all worked out, but understanding the parents’ concerns, dealing with children missing their mum, and those who saw the experience as freedom was challenging to say the least.
“There were also passengers who had run out of medication or colostomy bags, passengers who had missed weddings or birthdays, and some who had medical episodes because of stress. Juggling all these challenges was really tough. Five days seemed like five months. I would say dealing with the grounding of those flights had the biggest impact on my personal and professional growth.”
MANAGING THE AFTERMATH OF MH17
She later took on a business resilience role at Qantas that required her to learn about business continuity and contingency planning. Crisis management remained part of that role, and she was involved in many other crises, but one was particularly memorable: assisting the Department of Foreign Affairs and Trade (DFAT) with its response to the downing of Malaysian Airlines MH17 over Ukraine in 2014. She spent six months working night and day with a team spread around the world.
“It was a huge task, and I am proud to have played a role in assisting those families,” she says. “The crisis taught me the importance of dignity, respect, empathy and most of all, trust: trust in my team members scattered around the world, working collectively in an extremely sensitive situation. It required many highly skilled individuals who took this on in addition to their usual roles. I had an amazing team of people, and I was incredibly proud of them.”
MOVING INTO SECURITY
Her move into security came after she left Qantas to take up a role with The Star Entertainment Group as General Manager Business Resilience to build its resilience capability in preparation for the 2018 Commonwealth Games. She was then encouraged to take on a group security role to drive consistency in process, incident notification and escalation protocols. This was followed by a Project Director role at The Star to implement a new system for reporting to regulators and ensuring compliance with multiple legislative requirements.
Now, with her many years of experience in crisis management, business resilience and regulatory compliance, Patane has some valuable perspectives. She says many organisations are in catch-up mode when it comes to understanding and mitigating the threats posed by insufficient cyber resilience. She says the forthcoming changes to legislation designed to protect critical infrastructure will impact many industries and drive a stronger cyber resilience culture in many Australian businesses.
Many organisations have already had such a wake-up call: COVID-19. “It has driven more organisations to focus on resilience that is risk-driven, so all the necessary controls are identified, monitored and maintained,” Patane says. “Resilience in its broadest sense is now at the forefront of business operations for many executive leaders.”
She believes this has opened opportunities for those with experience. “Resilience professionals need to capitalise on its renewed importance with training, exercises and a full review across all aspects of their business to identify all their critical business processes.
“There is now so much training available in this field that it may be overwhelming trying to work out where to begin and actual incidents can, on many occasions, render theory irrelevant. My advice would be to identify strong organisations in this area, or groups like AWSN, and seek out their recommendations.”
And after years spent managing crises and developing responses to risk, Patane’s advice to individuals, as opposed to organisations, is to embrace risk. “Own your personal brand and don’t wait for things to be done for you. Take risks and make impacts while staying true to yourself and your values.”
www.linkedin.com/in/marie-patane/
sydneymetro.info
Kylie McDevitt
CEO InfoSect, founder BSides Canberra
Kylie McDevitt is likely best-known among women in cybersecurity for her role in the BSides Canberra conference, which she co-founded in 2015 and at which she holds a female networking dinner or gathering before the event so women can meet without feeling they are in the minority.
However, they have much else to thank her for. Until she left in January 2021 to start up her own security business, InfoSect, with her husband Silvio Cesare, she was Technical Director at the Australian Signals Directorate (ASD) where she played a pivotal role in making language in the Australian Government’s Information Security Manual gender-neutral. Since then, other organisations, both nationally and internationally, have begun to follow suit.
Achieving that, she says, was not without its challenges. “Mike Burgess, then Director-General of ASD, had made a commitment to improve gender parity within ASD. There was already a mandate among the senior leadership to think of initiatives to improve gender equality in cybersecurity, so in a sense, I already had senior leadership support. However, that did not mean everyone in the organisation agreed with the change of wording. Change can be incredibly difficult for people, and leading that change can be even more difficult.”
She discussed the idea with her peers. “Some people were supportive, and some said it was a stupid idea. They made comments such as, ‘it’s always been this way’, ‘man is a generic term’, ‘it doesn’t make a difference whether we say man or person’ and even, ‘too many people rely on our documents and would have to change’. Ironically, that last argument was exactly why we needed to change.”
Undeterred, she wrote a brief for the Australian Cyber Security Centre (ACSC) senior leadership that included background, reasoning and an assessment of alternative wording. At the bottom was a decision box. “Once that ‘Agree’ option had been circled, the brief was filed into the document management tool and I sent the decision to the authors of our documentation for them to make the necessary changes,” she says.
EVERYONE CAN MAKE A DIFFERENCE
All up, it took her only a couple of weeks working around her normal duties, and she says there’s a lesson there for everyone. “Sometimes we feel too small and unimportant to make a difference in the world - and that simply isn’t true. Everyone should be on the lookout for opportunities to make cybersecurity more inclusive, in whatever way they can.
“That small effort produced a significant change for many people, and was a really important acknowledgement that our industry is inclusive. To the people who say terminology does not matter: it might not matter to you, but it may matter to someone else. And if it does not matter to you, why would you prevent a change that does matter to someone else?”
McDevitt started her career as a radio engineer at Telstra after initially intending to become a lawyer, a change of direction she attributes to a Women in Engineering workshop hosted by the Australian National University in 1994. “It was probably the most significant pivot point in my career, and one I will never forget. It convinced me to redirect my career aspirations from becoming a lawyer to studying engineering. It’s because of this pivot point that I will always support groups that encourage and support more women moving into STEM.”
FROM RADIO TO CYBER TO BUSINESS OWNER
Her engineering career was interrupted in 2002 when she left Telstra and had three children. Her pivot into cybersecurity was largely unplanned. “I wanted to stay in my home town of Canberra to be close to my family, but my Telstra role was available only in major cities. I saw an advertisement for a role at the Australian Signals Directorate (ASD) and decided to apply.”
She stayed for 12 years. When she left in early 2021 InfoSect had been in existence since 2017 as a hackerspace in a warehouse she and her husband had bought in Fyshwick. “We were inspired by groups like the L0pht in the USA. We just wanted a place to hang out with other hackers and do cool research,” she says. In early 2021 the pair turned InfoSect into a full-time business to build something that filled a gap in cybersecurity, and leave a legacy.
She believes, with such a shortage of cybersecurity skills, there is too much focus on entry level training. “What I see lacking in cybersecurity in Australia are advanced and extended lines of training and work. With InfoSect we want to create training offerings and research output that extends us into specialist, niche fields of cybersecurity.”
The response to BSides Canberra seems to confirm her view. “We have tried really hard with BSides Canberra to create a forum to showcase the best of technical research in Australia, because we thought that to be seriously lacking. Given the size and success of BSides Canberra (2,600 attendees in 2021), I think there is a real hunger in Australia for such events.”
OVERCOMING SELF-DOUBT
For someone who has achieved so much in her career it’s surprising that McDevitt lists her biggest challenges as her self-doubt and insecurities. These, she says, have held her back many times. “In reflecting about my journey, I could have sponsored myself for many projects or opportunities but did not have the confidence to do so.” However, she adds: “In some ways, my self-doubt and insecurity pushed me to work harder, learn more and to always continue improving myself, which led to some great achievements.
“There are many things in my career I’m proud of. But I think the thing I’m most proud of is allowing myself to come out of my shell, to embrace who I am as a person and to own my success. We should all be proud of our achievements, whether they are big or small.”
She acknowledges she’s had some good support along the way, people she goes to for advice and mentorship, people who have lifted her up, or opened doors when she has needed it most.
SUPPORT FROM MENTORS
Not surprisingly, her husband Silvio, co-owner and co-founder of both BSides Canberra and InfoSect, tops the list. “He brought me out of my introverted shell and has encouraged me to extend myself in every way possible. Silvio has believed in me every step of the way and has contributed more than anyone to my career growth and journey. He has published research in cybersecurity since the 90s and is one of the most genuine, passionate people in cybersecurity I know.”
Another is journalist Patrick Gray, host of the cybersecurity podcast Risky Biz. “He is my go-to advisor on business matters for both BSides Canberra and InfoSect,” she says.
“Because my career has been almost exclusively in government, I really needed someone with a different mindset and viewpoint. He has often reminded me to focus on my goals, but also to have fun and to not take things too seriously. He’s been around cybersecurity for a long time, and as a long-time good friend to Silvio, he has extended his support and friendship to me.”
Other mentors include Chui Yong, head of corporate security for a Swiss bank and former assistant secretary for protect and assure at the ACSC, and Steven McLeod, a technical director at the ACSC and author of the Essential Eight and other cybersecurity advice documentation.
“Chui made a huge impact on my career when she recommended me for an acting promotion as a director,” McDevitt says. “This was a pivotal moment that propelled me from a long term (enjoyable) rut into significant career and personal growth.
“Chui said to me that, although I had not been given an opportunity to prove my leadership skills at work, the skills I had shown running BSides Canberra were transferable. It is a lesson for everyone that volunteering and external work can have a big impact on your career.”
McLeod mentored McDevitt at the ASD and helped her transition into her director role. “This transition was pivotal in my career because I moved from a mostly implementation role into strategic thinking, planning and managing multiple teams of people,” she says. “I still occasionally ask him to review some of my work as a friend and mentor.”
TEACHING POSTGRADS
In addition to her full time jobs, McDevitt also taught: postgraduate studies at UNSW Canberra for four years, and, through InfoSect at Blackhat, Hack in the Box and other private training courses.
Most of her classes were male-dominated, and she says there is a distinct difference in the way women learn. “The first time I taught a majority female class was in 2020 when I taught network security for women through 0xCC, a technical cyber security training conference for women, by women. Women are much less assertive and confrontational in their learning style. They are more collaborative and tend to help one another.”
With InfoSect as a business barely a year old she’s looking forward to building it and BSides Canberra. “InfoSect is a passion for Silvio and I, and an opportunity to use our passion to support the community. I hope in five years to be still doing what we love, to have supported and grown a specialist security industry in Australia, and to have a great group of people working with us to achieve amazing things.
“I hope BSides Canberra has become self-sufficient and will continue to run indefinitely. I hope Silvio and I will have more time to be strategic technical drivers and spend less time on day-to-day running of the business.”
STRIVING FOR A WORK LIFE BALANCE
Like any small business owner, for McDevitt time is at a premium and striking a good work life balance a challenge. She confesses to not having used a gym membership she took out at the start of the year, but doesn’t get too hung up about this, saying work life balance is an aspiration as much as an achievement. “It’s something that needs to be consistently assessed, evaluated and, if needed, steered back on track. I definitely don’t have all the answers, and will admit to sometimes overworking and neglecting other areas of my life.
“But acknowledging and being aware of your work life balance (or lack thereof) is the first step. The second step is to be kind to yourself and remember you don’t have to do everything alone, or perfectly for that matter. And lastly, your career spans many years, there is plenty of time to achieve everything you want to, so pause and remember to enjoy yourself.”
www.linkedin.com/in/kylie-mcdevitt-162b9a34/
twitter.com/kylieengineer
infosectcbr.com.au
bsidescbr.com.au
Bex Nitert
Managing Consultant, Digital Forensics and Incident Response at ParaFlare
Bex Nitert has a career trajectory likely to inspire any woman with the slightest interest to pursue a profession in cybersecurity.
Today, she is Managing Consultant, Digital Forensics and Incident Response at ParaFlare. During her career in digital forensics and cybersecurity, she has assisted with the investigation of multimillion-dollar fraud schemes, the sabotage of IT systems by disgruntled employees, intellectual property theft, unauthorised disclosure of information, and business email compromise.
Before joining ParaFlare in 2020, she held a similar role at DXC Technology, and before that was assistant manager forensic services in the Australian arm of global accountancy and financial advisory firm BDO. She holds a bachelor’s degree in Counter Terrorism, Security and Intelligence, with a major in Criminology.
She describes her job as having two parts. “The first requires me to put my detective’s hat on and establish facts related to the cyber attack. This requires identifying, acquiring, and analysing digital evidence to construct a timeline of events and determine what has happened and how.
“The second part involves helping organisations to make informed security and business decisions based on the findings of the investigative work undertaken. This includes providing security guidance around actions to take during and after a cyberattack.”
But her role demands more than technical cyber knowledge and skills, particularly when responding to ransomware attacks, where the victim organisation is paralysed through lack of access to vital systems and data.
RANSOMWARE INCIDENT RESPONSE CAN BE REWARDING
“That’s the toughest moment for clients because they’re dealing with not only the breach of security, but also the fact that they can’t operate,” she says. “In those circumstances our interpersonal skills are critical as we need to support the client’s leadership and employees through that stressful period while ensuring all necessary actions are undertaken to investigate how the threat actor gained access to their systems, what the threat actor did, as well as providing recommendations about how to get back to business as usual and avoid repeat attacks by improving security. The work is very challenging but also incredibly rewarding.”
And, she says, good communications skills can be essential to a proper investigation. “Early in my career I wasn’t very assertive or effective in communicating what I required to do my job. I was assisting a government agency with a search warrant and the warrant holder wanted to allow the business to continue operating, including allowing staff to access computers and keeping servers connected to the internet.
“This approach did not align with my requirements to preserve evidence and in fact resulted in attempts by the person of interest to delete evidence from their personal devices. While this was happening another person remotely accessed the server to unmount internal drives in an effort to make them invisible to an average person.
“There were no adverse consequences from this as I was able to recover the data, but I realised I needed to make sure the chain of command fully understood the impact of their decisions on the digital forensic process going forward.”
CONSTANT LEARNING
She learnt from that experience, and says there is a constant requirement to learn in her role, “especially as we may come across applications or technology that we have never worked with before. You have to get up to speed really quickly on how this thing works, how to obtain data from it and how to interpret that data so that it’s reliable.”
In this regard Nitert says many software and hardware vendors are unhelpful. “Companies lack documentation around the logging available in their products and how to retrieve and interpret it.
“So, some articles in the Women in Security Magazine dedicated to logging would be really exciting for me. I’m not sure they would appeal to a wider audience!”
She was motivated to pursue her career after seeing firsthand some cyber shenanigans. She was doing contract work for a company that had changed ownership several months prior to the detection of irregularities in contract details stored in the company’s database.
“An unknown number of contract values and details had changed, which resulted in less money being charged to clients than agreed. This had a direct financial impact on the business. While it wasn’t my job to investigate, I discovered by chance that one of the former director’s user accounts was actively being used and I suspected, but could not prove, they were responsible for tampering with the contracts.
“Unfortunately, the company’s IT provider had not disabled or deleted the former director’s accounts when they left the company and there were no logs to determine what actions had been undertaken.”
This experience motivated her to pursue a career in cybersecurity and digital forensics “because I wanted to help prevent this from happening to others, and achieve justice for the victims.”
A TEENAGE CYBER-DABBLER
Nitert says she has been “dabbling” in cybersecurity and digital forensics since she was a teenager, but “It took me a lot longer than I wish it had to learn about cybersecurity and digital forensics being a career option. Nobody ever told me ‘Hey, you can actually do this for a living’.”
Hopefully things have changed since then thanks to various programs and initiatives aimed at raising the awareness of potential STEM careers among girls and young women.
And like many women in the industry, she says cybersecurity needs the diversity of thinking that gender, and other diversity bring. “You need diversity in perspectives, thoughts and experiences to really have an effective work force.”
www.linkedin.com/in/bex-hirdman
Melanie Ninovic
Digital Forensics and Incident Response Consultant at ParaFlare
After only a couple of years in cybersecurity Melanie Ninovic was named The One to Watch in the 2019 AWSN Awards. It was, she says, by far her most significant achievement to date, and one that spurred her to even greater achievement.
“The trophy that sits on my bookshelf is a reminder each day of where I was and how I can continue to push for greater things. Above all, my main objective is to help organisations improve their security posture and detect threats before it’s too late.”
She is now doing just that as a digital forensics and incident response consultant at ParaFlare, a company that bills itself as “Australia’s number one in managed detection and response,” and where “our people using our knowledge are your best cyber weapon.”
Before ParaFlare she gained a Bachelor of Computer Science and Technology from the University of Sydney and a Master’s in Information Systems Security from Charles Sturt University, was a graduate engineer at Ericsson, worked as a Security Operations Centre engineer at Macquarie Telecom and as an incident response consultant at Mandiant. She says all these roles helped prepare her for digital forensics.
LEARNING FROM EARLIER ROLES
“Doing my master’s degree broadened my horizons into what was possible. Working in a security operations centre was crucial in teaching me core networking skills and working with/understanding security logs. Having two years of experience in Mandiant’s Incident Response team taught me to question everything when it comes to analysing an attacker’s every move.”
After those jobs in much larger companies, Ninovic says working in a smaller organisation like ParaFlare has some advantages.
“I’ve been able to contribute to the business in ways I’ve never had the opportunity to before, and I have a say in new process development and research. After almost a year, I’m very happy with my decision, and I feel as though it’s given me the confidence that I’ve been looking for.”
Her role, she says, comes with a hefty job title, and is “sometimes not easy, but almost always fun; especially when you have a great team supporting you.”
DIGITAL FORENSICS DEFINED
Digital Forensics she describes as the practice of investigating digital crimes or attacks. “It generally includes several components such as acquisition (taking an exact copy of a laptop or device, called a forensic image), collection (gathering the relevant data or forensic artifacts), analysis (examining this data or set of artifacts), and reporting on what you’ve identified.”
The analysis phase is pivotal, “where a DFIR consultant will try to answer important questions such as what occurred on this device, when did the crime or attack happen, how did they gain access to the device, and potentially who is to blame.”
Incident Response Ninovic describes as being a much larger beast. “Where digital forensics provides a deep dive into activities on a single device, incident response is the process of responding to a more significant security incident that may impact an entire organisation.
“This often includes analysing several hundreds or thousands of devices to determine if they have been compromised by the breach. Naturally, this requires more effort from an organisation than simply a DFIR consultant. An incident response can include the legal team, media, law enforcement, network operations, and of course the executive team.”
Wearing these two quite different ‘hats’ is something of a challenge. “My job requires me to be skilled in both of these areas, which necessitates constant education and keeping up to date with new techniques, both from an attacker and defensive perspective.”
PERFECTIONISM AND CURIOSITY
She lists the personal attributes that help her fulfil her role as “having a natural curiosity” and “being a bit of a perfectionist”.
Curiosity “helps during an investigation or analysis. While examining forensic artifacts, ask yourself, why has this happened, what activity would have resulted in these findings, or is this more evidence to corroborate what you’ve identified? This curiosity will uncover the full extent of the compromise or malicious activity that occurred on a device.”
Perfectionism, being meticulous, helps in forensics, “to be confident that I’ve uncovered every finding but more importantly, to ensure the client has enough detail to know what systems to recover, what data was potentially lost, and how they can prevent this from happening in the future.”
And once she has uncovered the full details of a compromise, she must be able to communicate these details effectively, which she says is one of the most important parts of her job. “It’s crucial to be able to write reports that are tailored to the reader, as it is often these reports that make their way to boards or senior management. Incident response or forensic reports often drive change in either security culture, new products or solutions, or even hiring new staff. Being precise, accurate, and succinct in your report writing help to achieve this.”
To others who think they have what it takes to do digital forensics, she says: “If you think you’d enjoy it too, start doing some research and reach out and connect to people within the field.” And she cautions aspiring investigators not to be deterred by the requirements in job advertisements.
RECRUITERS’ UNREALISTIC EXPECTATIONS
“Whilst cybersecurity, and more specifically, digital forensics and incident response, isn’t necessarily an ‘entry level’ industry, there are still several barriers to entry. All too often we hear of entry level jobs where the requirements match those of a professional who has worked in the industry for years. Job descriptions where they expect two university degrees and a CISSP certification that requires five years of experience. This is highly off-putting to any candidate looking for new employment or a career change.
“It’s time that we create job descriptions with more approachable language and less prerequisites. We need to encourage women to join, show them they have value, and provide them with the support needed to learn and upskill within the position. It’s time to support women when it comes to promotions and cross-skilling.”
And she believes the lack of women in cybersecurity is, in part at least, a problem of the industry’s own making. “Personally, I do not believe there is a shortage of skilled women. However, there is a shortage of organisations that are not willing to take a chance on creating a diverse culture and workforce. People from different backgrounds, education, and career paths, working together, will facilitate new solutions to complex problems.”
To any potential newcomers to the industry, Ninovic says, “I can’t stress networking enough. These relationships should form naturally but it is important to get out there and meet people. It’s up to you whether you feel like you need a formal structure in place when it comes to mentorship but having those connections in place helps to achieve this.”
And when it comes to women finding their niche in cyber, she says there is no shortage of information available.
“Find an area of interest, whether that be through your own research or through formal education, and keep on studying. This community has shared so much of its work publicly that all you need to do is a google search to start finding relevant information. Practice at home, read on a particular topic, reach out to authors or people within the field and ask for their help. More often than not, they’ll be more than happy to assist.”
www.linkedin.com/in/melanie-cybers/
Shenan O’Mahony
Security Professional | Front of House Security Receptionist & Training and Development, Securitas Security Ireland
Like many people, my career was disrupted by the COVID-19 pandemic. I went from being an early childcare practitioner and working part time at events and concerts to being a security guard. It’s a role often stereotyped, and widely misunderstood. The stereotypical security guard is either a man patrolling a site, a ‘bouncer’ providing door security, or a uniformed deterrent in a retail environment.
However, the role of security guard is much more diverse, and has much to offer. Depending on the sector you work in it could mean responding to operational needs, communicating between different facets of the client base, being the point of contact for engineers, couriers, visitors, etc. Security is the common denominator. We are the go-to people with the can-do approach: from customer service to dealing with emergencies and life-threatening situations. We in the security industry strive to protect, serve and secure people’s lives and assets, 24/7, 365 days a year.
Currently, I work for Securitas Security Services Ireland, part of a worldwide security company and I am on deployment at a major blue-chip client.
I really enjoy my job. There are many different levels in the security industry, and a constantly changing environment. I am driven to upskill and continually develop and improve my skillset so I can contribute to a diverse and professional team.
I am very fortunate to have some great inspirational mentors to guide me in the areas I enjoy and in which I want to develop my expertise. These are people who want to pay it forward and help ambitious people like me who are focussed on self-development. Career support is invaluable for achieving success, for keeping up to date on changes, and for continuous learning and professional development across the broad range of security services.
Networking within the industry is also vital. People like security operative Tony O’Brien assist those reaching out for advice and support. Attending webinars and courses has given me a hunger to learn more and do more, and helped me choose areas I would like to go into. I have shadowed trainer Sean Ryan at The National Security Academy of Ireland.
Securitas Ireland provides online learning programmes and development and has mentors like Paul J Leonard who support people on their development journey. I recently met Garry Bergin who introduced me to the International Foundation for Protection Officers (IFPO), and I was the first Irish woman to complete the IFPO’s first Certified Protection Officer (CPO) course in Ireland. This programme covers all aspects of the security industry, and gives participants a broad understanding of the roles, duties and responsibilities of the security officer.
Being a woman in security sometimes has its challenges, and employers need to do more than simply tick the diversity and inclusion box: they need to treat us as equals. Only six percent of the Irish security industry’s workforce is female. This really needs to change. There are many areas within the industry that would benefit from the mindset of a more gender balanced workforce.
I may have been the first Irish woman to complete the CPO course, but there are many amazing women who work in the industry: Alison Allen, Sheelagh Brady, Lorraine O’Donnell to name but a few. Mags Connolly and Jess O’Sullivan are very well known in the events industry in Ireland. Internationally there’s Sandi Davies, Alison Wakefield, Houdah Al-Hakim and Suzanna Alsayed and this list does not include those in Close protection (CP).
Steffi Singh is a senior project manager in Securitas, and Businesswoman of the year. She started out as a secondary school teacher and wanted a change. While looking into careers in technology she came across a job with Securitas, and has now relocated to Singapore as a project manager with Securitas.
I recently worked with an amazing young lady, Saoirse. On her first night she showed she has the personality to work at a very high standard. She displayed confidence, a friendly manner, good communication skills and a positive attitude. She remained alert and used her observation skills effectively. She is a model for up and coming women in the industry. Security is not just for boys. Knowledge and skills can be taught, but attitudes like the willingness to work hard, to acquire outstanding skills through effort and determination can’t be taught.
According to the pioneer of research on cross-cultural groups and organisations, Geert Hofstede, masculinity or femininity is reflected in preferences for different goals.
Masculinity is manifested in a preference for achievement, heroism, assertiveness, and the material rewards of success. Male society is more competitive.
Femininity is manifested in a preference for cooperation, modesty, caring for the weak, and for quality of life. Female society is more consensus-oriented. In the business context the difference between masculinity and femininity is sometimes presented as “tough versus tender”. I feel these feminine qualities are needed in the security industry.
www.linkedin.com/in/shenan-o-mahony-m-sec-i-icpo%C2%AE-191ab8b6/
Security Operative securityoperative.ie/
IFPO www.ifpo.org/about-ifpo/ireland/
Sai Honig
CISSP, CCSP, Co-founder - New Zealand Network for Women in Security
Sai Honig describes herself on LinkedIn as a ‘multipotentialite’. That, according to Wikipedia, is a person with strong intellectual or artistic ability and the potential to excel in at least two different fields. ‘Multipotentiality’ is “having many exceptional talents, any one or more of which could make for a great career for that person.” Multipotentialites “thrive on learning, exploring, and mastering new skills [and] are excellent at bringing disparate ideas together in creative ways.”
Honig has certainly explored several potentialities. Before embarking on her third career, in cyber security she had been an aerospace design engineer and a financial/operational auditor.
“My ICT experience is in the governance, audit, supply chain, risk management and security,” she says. “My industrial experience includes manufacturing, healthcare, education, and financial services.
“A few years ago, I decided to focus on cloud security. I wanted to work on understanding how to secure our systems. Through this process, I found I was teaching others about cloud technologies, threat modelling and DevSecOps.”
Her views on job hunting have been expressed many times in Women in Security Magazine: recruiters value IT qualifications over diverse experiences. “Had I known that I would transition into a cybersecurity career I would have gained a computer science degree. Many jobs require a computer science degree regardless of experience, because most of our profession does not see the value of various disciplines.”
Cybersecurity recruiting seems to be more about poaching talent and not growing talent. Growing talent takes time and the ability to see beyond the narrow degree and certification requirements.
She rates her talent providing greatest value in her current role as being, “The ability to communicate and be persuasive with both technical and non-technical people.”
Communication, written and oral, are topics she would like to see covered more in Australian Women in Security, along with “Basics of cloud technology including essential characteristics and service models and the risks and responsibilities of each, deployment models, threat modelling and DevSecOps—including continuous integration and continuous delivery.”
AN AVID VOLUNTEER
Honig hails from the US but now lives in New Zealand where she fulfils a couple of voluntary roles in cybersecurity: as cofounder of the New Zealand Network for Women in Security (NZNWS) and as an advisor on the Cloud Security Alliance’s Asia Pacific Research Advisory Council. For three years until the end of 2019 she held another voluntary position as a director of (ISC)2.
Several years earlier she was volunteering for Grameen Foundation, an organisation providing microfinance to empower the poor around the world and help them improve their lives, their families and their communities. She helped Grameen develop its ICT, risk management and audit processes. For this work she received, in 2013, the President’s Volunteer Service Award from then US President Barack Obama.
She has picked up other accolades in recent years. In 2020 she was recognised as one of 20 IFSEC Global Influencers in Security and Fire, and won the consultant award in New Zealand’s Women in Security Awards Aotearoa.
With such recognition, it’s perhaps surprising that she attributes her multiple careers, in part at least, to a lack of recognition. “Several times in my career my management failed to see the potential in me. So, I left the position and the company, and went on to better things. Leaving previous positions has led me to cybersecurity.
TALENT UNRECOGNISED
“There was a time that I did not stand up for myself or ask others to speak for me. Despite the work that I had done, the positive effect on improving systems, my position was eliminated. I have learned that I, and I alone, do need to stand up for myself. I have also learned that I need to be myself and not compromise who I am.”
In contrast to many who have shared their career journeys in Australian Women in Security, Honig says she has not been helped by mentors. “I have had to figure out what I should do on my own. I did get advice and opinions. In the end, I had to figure out my own growth plans and was accountable only to myself.”
However, Honig does mentor others: “I attempt to empower others to do their own investigation and think for themselves,” she says.
In addition to sharing their personal journeys into cybersecurity, we ask women to give us their views on some of the contentious topics in cyber: should ransomware payments be outlawed? should reporting of ransomware attacks be made mandatory? should there be mandatory security standards for consumer IoT devices?
Honig’s view on the first is ‘no’ and on the others, ‘yes’. “The risks of paying a ransom should be understood. After payment has been made there is no guarantee that files/systems will be decrypted. Also, if making payment is intended to be the accepted process, then steps need to be taken before the ransomware attack. These steps include making sure that you have all processes and controls in place to prevent a ransomware attack.
“Security standards for IoT devices should be reviewed and revised periodically. As with other devices, IoT devices should be created with these standards in place and, if necessary, updated.”
www.linkedin.com/in/saihonig/
NZNWS www.newzealandnetworkforwomeninsecurity.wordpress.com
Mariana Tellez
Information Security Consultant at Westpac
Information Security Consultant Mariana Tellez has always had a fascination with cybersecurity, particularly social engineering, catfishing and hacktivism. In July 2020, that innate curiosity helped land her a job in Westpac’s cybersecurity team even though she didn’t come from a tech background and had no previous cyber experience.
Mariana’s career trajectory has taken lots of interesting turns since she graduated with a Science Degree majoring in Sustainable Development from a US university. A Mexican national, she couldn’t secure visa sponsorship to work in the US at the time of graduation. Keen to see the world, she headed to Japan to teach English and ended up in a recruitment role for the Robert Walters Tokyo office.
After spending a few years recruiting for Japan’s financial sector and working gruelling hours, Mariana headed to Australia in 2015 in part because she could get a working visa here. Initially, she got a job with a local recruitment firm before joining Westpac’s Talent Acquisition team in 2019.
Mariana fell into recruitment by accident; it was never her end goal. Keen to move into IT, she began recruiting for technical roles when she moved to Australia, researching them meticulously. At Westpac, she had many coffee catchups with people in IT and Risk to learn more about what they did. This background knowledge not only helped her to recruit the right candidates for roles but also enabled her to form close working relationships with people outside of her team.
A year after joining the bank, the function performed by Mariana’s team was outsourced and her role was made redundant. While she had the option to join the external provider, Mariana knew it was time to move on and reached out to her internal network about potential IT roles. Her efforts paid off. A senior leader in information security architecture, who she got to know well while recruiting for his team and supporting his workforce planning sessions, put her forward for a role in Westpac’s cybersecurity front door team, which connects people within the bank to the right cyber resources.
Mariana says she has found her calling in cybersecurity. “I find cybersecurity fascinating because it’s embedded in everything we do,” she says.
“Getting into a completely different sector has been a huge learning curve and I spent my first year in the job doing lots of training courses – both formal, through work, and informal in my spare time. I found the cyber courses on Udemy and Pluralsight especially helpful.
“My undergraduate degree, which was geared to sociology rather than engineering, involved a lot of research and critical thinking, which also came in handy both in helping me get up to speed quickly and performing my current role.”
After a year working as a relationship manager, Mariana was seconded to the Cybersecurity Strategy team and has since joined them permanently. In her current role, she performs different functions as required, ranging from creating the Learning & Development plan for grads to vendor research and helping to assess the effectiveness of IT security controls for different teams within the bank.
“What I love most about my job is the interesting subject matter, the people who are really supportive, and the variety – I can be doing completely different things from one week to the next.”
Mariana says her lack of IT credentials hasn’t held her back, although initially it might have made it easier to get a foot in the door.
“I’ve always been on a journey somewhere,” she says. “My advice to women trying to transition into cybersecurity is to connect with as many people in the industry as you can, build up your knowledge through study and by asking lots of questions, and don’t be afraid to tell your contacts that you are seeking a role in cyber – so they keep you in mind for any roles that come up. Eventually, your efforts will pay off. It’s a numbers game; the more people know and back you, the more opportunities you will find in front of you.”
To find out more about working at Westpac, visit their website.
www.linkedin.com/in/mariana-tellez-3b168b34/
Security Pathways Program
Providing technical hands-on workshops, specialised training, certifications, mentoring and career advice
Learn more at www.awsn.org.au/initiatives/securitypathways-program/
INDUSTRY PERSPECTIVES
“A WISE (WO)MAN WILL MAKE MORE OPPORTUNITIES THAN (S)HE FINDS”
by Marty Molloy, Events, Marketing and Communications Coordinator, AusCERT. Vishaka Wijekoon, Cyber Security Analyst, AusCERT.
The disparity between the number of men and women in cybersecurity conferences and at meetings is very obvious. Women are under-represented in the industry. However there are opportunities for women in the security industry if they are willing and able to, metaphorically, get a foot in the door.
Taking inspiration from 16th century philosopher Francis Bacon’s quote, updated of course, I recently spoke with Vishaka Wijekoon about the career trajectory she’s piloted to land her current role as Cybersecurity Analyst at AusCERT.
VISHAKA, WHAT FIRST INTERESTED YOU ABOUT (CYBER) SECURITY?
What first interested me about cybersecurity were its growing demands and the abundant opportunities it offered for advancement. Further research helped me understand how rewarding, challenging and satisfying a job in cybersecurity could be.
CAN YOU TELL ME HOW YOU PROGRESSED YOUR INTEREST INTO PARTICIPATION, AND PROVIDE AN INSIGHT INTO ANY CHALLENGES OR OBSTACLES YOU FACED?
I wanted to get into cybersecurity but did not know how. So, I discussed my interest with a senior manager in the Division of IT at the University of Queensland who offered me the guidance and support needed to step into the industry.
I had been trained in a completely different field of IT, so I had neither skills, experience nor knowledge in cybersecurity. At the start I found the work difficult and challenging. However, thanks to the amazingly supportive team and management at AusCERT, I was able to gradually build up the skills and knowledge required for the role. I would like to take this opportunity to thank everyone in my team at AusCERT for their continued support and guidance.
YOU MENTIONED YOUR BIGGEST BARRIER BEING A SKILLS GAP, BUT DO YOU SEE ANY COMMON BARRIERS FOR WOMEN WHO WISH TO PURSUE A CAREER IN SECURITY?
There can be a few barriers for a woman to get into security, gender stereotypes for one. Most women consider the work/family balance when making their career choices, and cybersecurity has never been perceived as a female-friendly option. Currently female participation in cybersecurity is higher than 10 years ago, and more women are pursuing higher education in cybersecurity, which is a good sign. In my opinion, female participation in the field is vital, because women can provide different perspectives on security and enhance the capabilities of cybersecurity teams.
DO YOU THINK ORGANISATIONS CAN DO MORE TO ASSIST WOMEN WANTING TO GET INTO SECURITY?
For an organisation to be able to attract and retain female cybersecurity professionals they must understand how their existing organisational culture contributes to inequality, then pursue organisational change, improve recruiting strategies, and do what is needed to overcome deep-rooted stereotypes.
YOU’VE BEEN IN IT FOR 14 YEARS AND WITH AUSCERT FOR A LITTLE OVER 18 MONTHS; WHERE DO YOU SEE YOURSELF IN FIVE YEARS?
AusCERT supports its employees’ professional development and provides them with advancement opportunities. I would like to take advantage of that support to sharpen my skills and enhance my knowledge in cybersecurity, because in five years’ time I would like to see myself in a role where I could influence others and make a real difference in the industry.
Thank you Vishaka, for sharing your journey and insights.
Marty Molloy www.linkedin.com/in/marty-molloy-14100932/
Vishaka Wijekoon www.linkedin.com/in/vishaka-wijekoon-264804217/
MEGHAN JACQUOT
HAVE I ARRIVED? YES!
by Meghan Jacquot, Associate Cyber Threat Intelligence Analyst with Recorded Future
Pivoting or breaking into the cybersecurity industry is a process. There is usually no one thing alone that leads to a role in cybersecurity, instead there is a progression. Hence, it can be difficult to know when you have arrived. It can be easy to succumb to imposter syndrome and think that you are not in the industry even though you are contributing. This happened to me.
I was a guest on a panel with three others discussing pathways into cybersecurity. I did not feel I could say I was in the industry. I had been studying, I had an internship in risk assessment, I was mentoring others, I had spoken at conferences, I was on committees, and was an independent contributor. Yet I did not feel I had arrived. I felt I had to do more, and I felt I would be an imposter if I said I was in cybersecurity. What I did say was, “I’m still pivoting to the field. I’m not in cybersecurity yet.” The reaction of the host was immediate, he stopped me and said, “No, Meghan, you’ve arrived. You’ve already pivoted. You belong here.” I was enlightened hearing this from a seasoned industry professional. It made me pause, reflect, and think, yes I have arrived.
I want to be clear here, it was not that I needed someone else’s permission to believe I had arrived. It was more that I needed to take pause and build some awareness around why I was denying it. That awareness is the reason I wanted to share this story. Women have to feel they belong, they are welcome, and they have arrived. There is no shortage of women willing to fill roles in cybersecurity. Sometimes we need to believe we can do so. Sometimes we need to hear it from others, and sometimes we need time.
If you are entering the field either as a new professional or as a career pivoter like me, then know you can say you have arrived. Also, know it may feel difficult to do so, and know you may feel like an imposter. These are sentiments you have to push back against. It can be helpful to be in a group and talk about imposter syndrome. Sometimes you just need to prove to yourself you can do it. I recommend the following:
• Find a supportive group that will cheer you on.
• Have mentors who encourage you.
• Document and reflect on the work you are doing.
• Acknowledge your feelings.
• Know you belong.
www.linkedin.com/in/meghan-jacquot-carpe-diem/
twitter.com/Carpe_Diem_Tech
SALIZA ABDULLAH
EQUALITY MEANS BUSINESS: advocating women’s empowerment principles in the male-dominated security industry
by Saliza Abdullah, Group CEO & Managing Director, BG Capital Holdings SB
The UN Women’s Empowerment Principles (WEPs) offer guidance to businesses on how to promote gender equality and women’s empowerment in the workplace, marketplace and community. They were established by UN Global Compact and UN Women, are informed by international labour and human rights standards, and grounded in the recognition that businesses have a stake in, and a responsibility for, gender equality and women’s empowerment.
WEPs are a primary vehicle for corporate delivery on the gender equality dimensions of the 2030 Agenda of the United Nations Sustainable Development Goals. How can these principles be relevant and beneficial to the security industry?
In order to understand the link between the 2030 Agenda and cybersecurity, let’s talk about security in its most basic form. What does the word security mean to you? According to Oxford Languages’ online Oxford English Dictionary, security is defined as “the state of being free from danger or threat.” It describes the right of every person to be in a safe and conducive living and working environment without fear of being harmed.
Security is a basic necessity for everyone, regardless of gender, age, race or nationality. The commercialisation of security, on the other hand, is a response of high-value individuals, governments and private institutions to protect their assets: the employment of professional security services. The result is deployment of private security services (protection services mainly), information security, and cybersecurity (including surveillance systems, AI and drones).
The security workforce worldwide, from management to security personnel, is dominated by men. For example, the industry’s workforce in Malaysia has 130,000 employees, according to the Malaysia Security Industry Association (PIKM), and only 10 percent are women. As of 2020, the Ministry of Home Affairs of Malaysia had issued 899 operating licenses to private security companies. Of these, less than one percent are women-owned or women-led.
The gender gap is obvious, and we need to address the root causes if we want to grow and future-proof the industry. Here is what needs to be done.
1. ELIMINATE GENDER STEREOTYPES
Stereotyping is what often causes women to be regarded as less competent or less willing to perform and excel in the industry. The misconception is that all security personnel must be brawny, so they can fend off a dozen bad guys, just like in the movies. The fact is, we have been conditioned or influenced by this stereotyping. In real life, Dwayne Douglas Johnson, aka The Rock, alone would have easily been beaten within minutes.
In general, men are physically stronger than women, but security is more than mere muscle. Security today is a hybrid of training and technology, and requires brains. For example, people with intelligence, confidence and wisdom are needed to understand and operate AI effectively for security purposes. To access the best resources, industry leaders need to change their mindset, and start treating all women and men fairly according to their capabilities, and not their gender.
2. PROMOTE DIVERSITY AND INCLUSIVITY IN TRAINING AND PROFESSIONAL DEVELOPMENT
Your team will work more efficiently if you have diversity within it. Everyone has a different role to play, and all are important to ensure the success of the mission. An effective approach to security involves tactics, techniques and procedures, skilful planning and teamwork. The first line of defence in a commercial building will often be that friendly looking person at the entrance or reception counter. You might think their role is to welcome and register visitors, but they also have a responsibility to detect and assess potential threats.
A well-trained security professional should be able to sense if something is amiss, respond appropriately and call for assistance.
3. COMMITMENT AT THE POLICY AND DECISION-MAKING LEVEL
The Malaysia Security Industry Association (PIKM) has seen the representation of women in the top nine executive positions increase from 11 percent in 2014 to 33 percent in 2020. This illustrates PIKM’s commitment to promote diversity within its leadership and management.
Women in the workforce as a whole are rather scarce: most women do not see security as an attractive career option because of the risks and the long working hours. However, thanks to technology the nature of security work is changing. A woman can safely work at night, monitoring an area via a remote surveillance system from a centralised command centre. A young university graduate can be trained to operate a drone for surveillance purposes, instead of doing conventional, mundane guarding work. Working hours can be broken down into shorter shifts and made flexible for women and men, to suit their preferences.
With such adjustments the industry could attract younger and better qualified talent as security personnel, executives or managers. This would increase the professionalism and value of the industry. The UN Women Empowerment Principles (WEPs) offer guidance to businesses on how to promote gender equality and women’s empowerment in the workplace, marketplace and community. Such guidance, and the collective effort of all stakeholders is needed to help the industry achieve its full potential.
www.linkedin.com/in/saliza-abdullah-8b47931b
www.bgcapital.com.my
www.facebook.com/bgcapitalholdings
ROBIN LENNON BYLENGA
APPLYING THE HUMAN FACTORS ANALYSIS CLASSIFICATION SYSTEM (HFACS) TO CYBERSECURITY by Robin Lennon Bylenga, MHRD, MSc Information Security; Human Factors Performance Lead at Scoutbee
INTRODUCTION
to one where we begin with the examination of the
The information security industry is facing an
root cause, then continue through the levels of the
unprecedented growth of insider threats from human-
organisation to discover all the causal human factors
related causes. They can result in catastrophic losses
that contribute to an incident.
that encompass financial, reputational, customer
EXPLANATION OF HUMAN FACTORS IN CYBERSECURITY
personally identifiable information and productivity. Users have historically been blamed for breaches and labelled as the ‘weakest link’, with the focus being put onto ‘what’ caused the incident and ‘who’ was to blame rather (commonly referred to as root cause analysis – RCA) than the more significant issue of
Recently, I had the privilege of speaking with many IT managers and CISOs while undertaking research projects. I was often asked, “What exactly are human factors in cybersecurity?”
‘why’. Seeking the ‘why’ is the purposed of HFACS-
I propose this definition
Cyber.
Human factors refer to the environmental,
This article discusses why internal security breaches
organisational and work conditions, including human
be treated as an organisational problem rather than
and individual characteristics, that influence behaviour
a people problem. By changing the narrative and
at work and that can affect the information security
eliminating the culture of blame we change the way
management of assets.
we approach the investigation of internal breaches
In information security, the ultimate goal of our job, whatever our role, is to identify assets, manage
44
WOMEN IN SECURITY MAGAZINE
I N D U S T R Y
P E R S P E C T I V E S
risk and protect the confidentiality, integrity and availability of those assets. The human factors definition of cybersecurity is an amalgamation of three components that should be considered: the person’s occupation, the person, and the organisation. In other words, human factors are concerned with what the person is being asked to do (their role and its facets), who does it (the individual and his/her expertise) and where they are working (the organisation and its intricacies), all of which are influenced by local and international societal and cultural interests.
Dr Stephen Covey wrote in his book 7 Habits of Highly Effective People, “Seek first to understand, then to be understood”. This statement is extremely powerful in the context of human factors in cybersecurity. Historically information security professionals have focused their spending on technology through products and on processes such as policies and controls through ISO 27001 rather than usability for employees. But it does not matter how much we spend on all the newest technological developments, gadgets and processes if we do not equally invest in and focus on our people. Just this week I was in an identity management seminar from technological cyber industry leaders. According to those experts, cybersecurity operations are becoming increasingly technologically sophisticated and creating increased opportunities for human error.
People, process and technology must be aligned and balanced for robust information security management. Organisations must also address the human factors of cybersecurity by cultivating an informed and proactive workforce. Researchers have proposed that better education within an organisation regarding security issues in conjunction with awareness training and removing the blame culture could assist in producing behavioural changes and contribute to achieving good security outcomes.
INTRO TO HFACS
Behavioural psychologists Dr Douglas Wiegmann and Dr Scott Shappell developed HFACS for the US Navy and Marine Corps as an accident investigation and data analysis tool. It was adopted by the US Navy and Marine Corps and by the US Army, Air Force, Coast Guard and other civilian and military organisations around the world. Wiegmann and Shappell used Dr James Reason’s famous ‘swiss cheese’ model, also referred to as the “cumulative act effect”, of incident causation to develop HFACS. Reason’s model takes a systems approach to incident investigations where the human is at the end of a chain of barriers designed to prevent unwanted events. This means people are not the cause of incidents, but rather a factor in the system designed to prevent accidents.
Figure: IT Governance Blog
Reason’s four causal categories of human error common to most organisations are:
1. organisational influences
2. unsafe supervision
3. preconditions
4. unsafe acts
In the Reason model, the layers are hierarchical: each layer affects the layer following it. Failures in
one layer force the next layer to handle a hazard. If no layer prevents a hazard, then a loss, a breach, or an incident occurs. Therefore, the HFACS theory states that, when an incident occurs, it is the result of failures in every control layer, not just what the end-user did, and incident recurrence is a result of systemic weaknesses in these layers.
HFACS has been applauded as the global standard for investigating the human factors in accidents across many industrial sectors including aviation, nuclear power, rail, mining and healthcare for incident investigations. As an evidence-based way to improve incident investigations, this framework helps increase the organisational learning derived from investigations and can also be used proactively during risk assessment to evaluate a business’s security culture and management systems and the likelihood of a breach, and to minimise the potential for loss.
ADAPTATION OF HFACS TO CYBERSECURITY
Those of us skilled in human factors in cyber believe information security is not just a technology issue, but an organisational issue. People are every bit as important as technology for keeping a company secure. It can be argued that people are the ONLY factor; technology either supports what people do, or people work to secure technology. That means information security is a human performance issue, a human factors issue. A company can improve how it manages people to get better results in security with fewer breaches. This is the purpose of HFACS-Cyber. Additionally, the goal of HFACS-Cyber is to provide an unbiased method of investigating the human factors throughout an organisation, beginning with the root cause of a breach. This tool takes the blame out of the equation and does not consider humans to be the weakest link, rather to be valuable assets of an organisation.
As an investigative tool, HFACS-Cyber helps you work systematically to identify, analyse and manage the behaviours leading to harm in your organisation. Additionally, it can help you identify and reinforce the behaviours promoting positive security outcomes, thus creating a proactive security culture. HFACS-Cyber ensures investigators consider all four levels of influence and causation, pay attention to organisational systems, and resist assumptions that the person nearest to the error in time or location is to blame. Use of the framework facilitates consistency in investigations, so you can get a comprehensive data-led understanding of system security. With HFACS-Cyber you can build a simple database that enables you to view trends, compare departments, divisions and sites, prioritise your information security efforts, and monitor the effectiveness of your interventions. You can also use HFACS-Cyber proactively to assess risk.
RECOMMENDATIONS
• Build a positive security culture. Information security within your business should be taken just as seriously as safety regulations in a manufacturing facility, with the goal being to create a blame-free and positive environment where all staff from the board of directors to the interns embrace their responsibilities.
• Envelop the ideas of others. Everyone throughout the organisation can bring a unique perspective and, potentially, some ingenious ideas as you grow your information security programme.
• Create “cybersecurity ambassadors” within your organisation.
• Choose your language carefully. As a human factor expert, I always struggle with the descriptive term “users” and prefer “people”. The only other industry I know of that refers to its clientele as users is the illegal drug trade. I recommend being careful with the vernacular when communicating with your people. When terms like ‘users’, ‘zero trust’, and numerous other tech-speak terms and acronyms are used in staff communication, meaning can be misconstrued leading to feelings of inadequacy, alienation and unnecessary confusion.
• Make information security an organisational issue, rather than an IT departmental issue.
In conclusion, I would like to leave you with words from Dr Calvin Nobles, a leading researcher in human factors and human performance in cybersecurity, a Harvard Cybersecurity Fellow, and the holder of many other credentials.
“Most business organisations lack a human factors program and remain inattentive to human-centric issues and human-related problems that are leading to cybersecurity incidents, significant financial losses, reputational damage, and lost production. … The underappreciation and under-exploration of human factors in cybersecurity threatens the existence of every business. Cybersecurity operations are becoming increasingly abstruse and technologically sophisticated resulting in heightened opportunities for human errors. A human factors program can provide the foundation to address and mitigate human-centric issues, properly train the workforce, and integrate psychology-based professionals as stakeholders to remediate human factors-based problems.”
Dr Nobles and I are working to develop a Global Human Factors in Cybersecurity working group to assist business organisations address human performance and human behavioural issues in cybersecurity.
If anyone is interested in joining us or learning more about HFACS-Cyber, please feel free to reach out to me. I would love to chat. www.linkedin.com/in/robinlbylenga/
AWSN IS LEADING THE WAY BY OFFERING FEMALE-ONLY TECHNICAL HANDS-ON WORKSHOPS VIA THE SECURITY PATHWAYS PROGRAM, SPONSORED BY THE AUSTRALIAN SIGNALS DIRECTORATE (ASD) by Jacqui Loustau, Founder & Executive Manager, Australian Women in Security Network (AWSN)
There has been much discussion of a skills gap in cybersecurity. At AWSN we are addressing this with our AWSN Cadets Program, and in recent times we have introduced the pilot AWSN Security Pathways Program, an extension and a natural evolution of the Cadets Program.
The Cadets Program was established in 2017 as an outreach initiative to connect, support and inspire female-identifying tertiary students, early career professionals and those wanting to transition into cybersecurity careers. It started in Melbourne and brought together students from La Trobe University, RMIT University, Victoria University, Box Hill Institute, Monash University, Melbourne University and Swinburne University of Technology. Over 300 women have joined this nationwide AWSN initiative in the past four years.
The AWSN Cadets Program owes its success and appeal in part to its monthly workshop sessions. Workshop topics range from “Hands-on malware reverse engineering tutorial” or “Pen-testing 101” to topics such as “How to write a good CV”.
Through these workshops AWSN has found women in cybersecurity want access to:
• A place where they can ask questions and practice their skills in a safe environment and not feel judged by their peers.
• A place where they can meet others like themselves and share learnings.
• Exposure to different areas within cybersecurity so they can decide whether a particular area of cybersecurity is for them.
• Connections with women working in various cybersecurity roles.
• Inside knowledge about the different job opportunities in the market.
The demand for these AWSN Cadets Program workshops has grown rapidly, and positive feedback on the benefits of female-only cybersecurity training has led to AWSN recognising the need to expand and scale its current suite of offerings.
In 2021 AWSN has grown its capability through a range of female-only technical hands-on workshops and through the AWSN Security Pathways Program, launched in September. The program will provide a combination of certifications, specialised training, career advice, mentorships and internships. It will benefit those:
• Currently studying security, whether at TAFE, university, through certification, or otherwise.
• Who have just started their security career.
• Returning to work after a career break.
• Coming from a non-technical role and seeking a better understanding of security basics.
• Looking to transition into cybersecurity and wanting to see if they like it.
• Currently in cybersecurity and wanting a refresher, or wanting to enhance their skills.
It is AWSN’s goal for the program to provide context to demonstrate the importance of cybersecurity, and help to make practical hands-on training accessible to a female-only audience. The objectives of the Security Pathways Program are:
• Upskilling - to strengthen the knowledge and skillsets of women in security to ensure they want to stay in the industry, and thrive in it.
• Practicing - to create a safe and accessible platform for women to learn and practice their skills.
• Certifying - to prepare women for different cybersecurity roles.
• Connecting - to build a network of peers and industry connections with like-minded individuals and mentors.
• Retaining - to help build pathways into different areas of security, and job opportunities in those areas, so women stay in the industry.
The Program is being sponsored by the Australian Signals Directorate (ASD), which is subsidising the training to make it accessible to 100 women across Australia.
Additionally, the company delivering the workshop element of the training, Cybermerc, uses the latest Australian cyber threat intelligence and adversary tactics to inform its modules. AWSN is confident participants will get the most up to date and practical information possible.
“We are proud to be supporting AWSN’s mission to deliver the Security Pathways Program to its members. Supporting women’s career progression or transition into cybersecurity is critical, and our learning environment has removed a lot of the traditional barriers to participation. It is a small but crucial step towards creating an inclusive and diverse cybersecurity workforce.” - Cybermerc Managing Director and CEO, Matthew Nevin.
“The pathways program provides a comfortable, accessible environment for women to learn and build connections in what is a traditionally male-dominated industry.” - AWSN Chair, Professor Jill Slay.
AWSN is pleased to announce the first cohort intake sold out overnight, which shows there is real demand. Thanks to the ASD, AWSN will also see 100 women trained as part of the upcoming Women in Leadership Program. This includes leadership training, mentoring and senior leadership forums. Stay tuned to find out more!
Jacqui Loustau www.linkedin.com/in/jacquiloustau/ AWSN www.linkedin.com/company/australian-women-insecurity-network-awsn twitter.com/awsn_au
NICOLLE EMBRA Cyber Safety Expert, The Cyber Safety Tech Mum
How parents can help to protect their teens from online predators
“My child would never fall for that.” If only that statement could be 100 percent true. Online predators are experts at what they do. They ‘play’ where tweens and teens go online. They feel around for the kids most likely to continue contact with them. They are ‘tech savvy’ and ‘teen savvy’ and understand the social needs of tweens/teens: connection, affection, belonging and recognition. So, how can parents protect their tween/teen from online predators?
TALKING TO YOUR CHILD ABOUT ONLINE PREDATORS
There is no way to sugar-coat the message, but it is also important not to create too much fear. Our tweens/teens need to understand that, in the online world just as in the real world, there are people who do not have their best interests at heart. Online predators approach their victims in all manner of ways: through social media, online gaming, chat forums, blogs, instant-messaging and emails. A predator aims to convince a child to believe the predator cares more for them than do parents or family. Having gained the trust of the child, they will ask to be sent an inappropriate picture, and will later use this to blackmail their victim, threatening to send the picture to the victim’s family and friends unless the child continues to send inappropriate images of themself.
DISCUSSING RISKY ONLINE BEHAVIOUR AND CHOICES
Unlike most adults, tweens and teens are still developing the skills required to assess a situation and make a safe choice. When they are being lured by an expert, using their device where no-one can see them and maybe feeling a little lonely, these developing skills can desert them altogether. Helping them to see situations for what they are, the signs to look out for, and teaching them to slow down when online, can help them avoid getting into a dangerous situation immediately and to instead bring the online issue to you to ‘talk out’.
ONLINE AND OFFLINE SAFETY RULES
There are many safety skills you have likely already taught your tween/teen they can apply to stay safe online. Think about the ‘stranger danger’ messages you teach them from an early age: don’t talk to strangers, don’t accept lollies from strangers, don’t tell them your name or where you live, and reach out to someone who can help you as soon as possible. These very same messages apply online.
PRIVACY SETTINGS
Now that you have spoken to your tween/teen about online predators, sit down with them and their device(s) and together go through the privacy settings. Most social media platforms and online games have privacy settings. Help them to consider something other than a picture of themselves for their profile picture, and to use a name that is not immediately identifiable as their own. Teach them to protect their most important asset – their identity.
PARENTAL CONTROLS
Once your child has access to a social media platform, an online game with chat or an app with a chat function, they become a target for an online predator. Parental controls can assist with managing what your child has access to on the internet and the apps they can see and download onto their device. These controls can be particularly helpful for tweens/teens who might try to visit adult sites and download dating apps out of curiosity about romance.
Look out for signs your child is being groomed online:
• They become secretive.
• They become sad and withdrawn but won’t say why.
• They seem more distracted than usual.
• They have sudden mood swings.
• They seem unable to switch off from their phone/device or social media.
• They have new and unexplained gifts.
Head to esafety.gov.au for information and processes, and contact your local police if you discover your child is being groomed by an online predator.
Nicolle Embra – cyber safety expert, The Cyber Safety Tech Mum
www.linkedin.com/in/nicolle-embra-804259122/ www.thetechmum.com www.facebook.com/TheTechMum
www.pinterest.com.au/thetechmum
SEEKING OUT TALENTED TECHNOLOGY FEMALES, READY OR NOT by Joanne Cooper, CEO & Founder, Australian Data Exchange
Recently I found myself observing young children playing a game of hide-and-seek at home, a popular game that many of us played as children, where several players conceal themselves to try and avoid being found by the nominated seeker.
The nominated seeker counts to a predetermined number with eyes closed while the other players race to hide. After reaching the agreed number, the seeker calls out loudly “Ready or not, here I come!” or “Coming, ready or not!” and then attempts to locate all concealed players.
In today’s digital era children’s games are quite different. Even young children tend to be entranced by a mobile device. Whilst it is good to see some games have retained their original format, we also must acknowledge that science and technology are essential ingredients of modern life, and that technology touches the lives of everyone, more so than ever in this data-driven era.
Change means to make someone or something different: to alter or modify. When I think of a modern version of hide and seek my mind turns to Pokémon Go. Change is our one constant and something that is either resisted or embraced. In today’s digital era, change has become more rapid and more intrusive, penetrating every aspect of modern life.
So, what are the roles and the opportunities for females in technology, in security, privacy, identity and regulatory technology? Are employers still having to seek out female technology talent hiding in the corners of government and business organisations? Or is it simply time to acknowledge the roles females perform today and for them to step up and become more prominent and more vocal?
Females can be found in all technology sectors, working away as quiet achievers in various roles.
Females can close the gender gap in the tech sector at a time where digital transformation is accelerating. I for one am in awe of the outstanding CISOs, regulatory experts, identity architects, policy setters, systems administrators, project managers, designers, and the vast variety of so called “girl geeks” I encounter in my role as a tech company founder. Policy and governance frameworks will dictate how today’s digital technologies are legislated. If they are not to be divisive, culturally selective or gender specific, the female perspective will be critical. For example, the design of data, fraud and identity protection systems needs to take account of user needs from the get-go. Take a Fitbit watch for example. It may have a strap colour or a face design to suit a particular market, but what about the functionality of the watch and the applications it supports? Are females consulted or involved in the design processes and specifications development so as to effectively capture the female market? Females do not need to be part of a coding team to specify key functionality and other aspects of the finished product. When you start to deconstruct mainstream products and services you realise how important female touchpoints are in product and service development, and in post-sales support. With digital transformation creating a tectonic shift across all sectors, females must step forward to play leadership roles in addressing social and ethical aspects. So stop hiding ladies, let’s start to demystify the roles females play in technology, seek acclaim and recognition for the brilliant work we are doing, and inspire others to follow.
www.linkedin.com/in/joanne-cooper-50369734/ www.linkedin.com/company/idexchange/
twitter.com/idexchange_me idexchange.me/
A PROGRAM THAT CONNECTS, SUPPORTS AND INSPIRES FEMALE-IDENTIFYING TERTIARY STUDENTS AND EARLY CAREER PROFESSIONALS.
CADETS WILL BE ABLE TO ACCESS MONTHLY WORKSHOPS, MENTORING OPPORTUNITIES AND INDUSTRY CONNECTIONS
"When women work together, they become a force to be reckoned with. Be part of a force for good in the security industry, by joining the AWSN Cadets program today!" - Liz B, Co-Founder
Studying or an Early Career Professional in information security? Learn more at awsn.org.au/initiatives/awsn-cadets/
CAREER PERSPECTIVES
FEATURE
BIRDS OF A FEATHER by David Braue
Supportive communities are guiding women through COVID-era challenges of workplace inequality
When she founded what would become the world’s largest advocacy group for women in technology, Reshma Saujani was a career lawyer and one-time US Congressional candidate who knew nothing about coding – but she did know about inequality. And she was determined to do her part to help.
During her unsuccessful 2010 Congressional run, she told a recent Nutanix webinar, “I would go into computer science classes and I would see lines and lines of boys learning how to code and building robotics, and I was thinking ‘where are the girls?’”
That train of thought led to the 2012 founding of Girls Who Code, an advocacy and networking organisation that has since expanded to encompass nearly 2500 local clubs across three continents.
The group has taught more than 450,000 girls to code and touched nearly half a billion people in some way, said Saujani, who credits her unsuccessful campaign with “[giving] me the courage to start Girls Who Code, an organisation to teach girls to code, when I didn’t even code – and I didn’t bother to learn.”
“I knew that jobs in technology paid really well and that you could do incredible things with them,” she added, “and so we needed girls and young women in this industry. I wasn’t thinking ‘I’m going to build a movement today’; I found 20 girls and put them in a conference room, and taught them how to code.”
The movement she started has continued to gain momentum, giving many girls and young women the confidence to pursue technology careers that may have felt out of reach in the past. Yet, Saujani said, many graduates of the program still report having trouble securing internships with companies despite having perfect grades from prestigious institutions – highlighting just how much work still needs to be done to improve gender equality.
“My mission was to build the largest pipeline of female tech talent so that everyone could hire exactly who they wanted to hire,” she said, adding that “I do believe in this idea of sisterhood.”
“We have got to do our part in lifting women up – but sometimes we are the ones who stand in our own way because we have that voice in our head that tells
us we’re not ready yet, and that we need to get more prepared. And life just passes you by.”
“If you want to sit on a board seat, write a book or build a blog, tell somebody. Articulate your ambition all the time – and really set your sights at the beginning on something that you think you can actually achieve, so it doesn’t terrify you.”
FROM LITTLE THINGS, BIG THINGS GROW
Nearly a decade later, the support network Saujani fostered has been replicated many times over, fuelled by the explosion of social media and widespread growth in awareness about the challenges that women face in today’s workplaces.
Those challenges were exacerbated by the difficulties of the COVID-19 pandemic, which pushed women of all walks online for support as they navigated the challenges of maintaining their push towards gender equality while working from home.
And while remote work meant women weren’t fighting for equality in physical offices swarming with male co-workers, the old power dynamics manifested in similar ways through the lens of endless Zoom meetings and Smartsheet timelines.
Yet widespread support networks mean being in a marginalised demographic isn’t necessarily the isolating experience it used to be. Solidarity is out there, Zendesk software engineer Linda Lai, who is chapter lead for women-in-tech group MusesCodeJS, told a webinar this year.
“Because you’re so outnumbered, it really fosters a sense of sisterhood” to reach out to other women in tech, she explained. “There is so much support available, whether it’s tangible support in terms of resources, emotional support, advice, or a sounding board – all of that is out there.”
Support networks have been particularly important for women in cybersecurity, where women still comprise less than 1 in 4 employees and even lower percentages at the management level.
Security-focused groups like the Australian Women in Security Network (AWSN) play in a global community of female-focused cybersecurity communities including the likes of Women in CyberSecurity (WiCyS), Women in Security and Privacy (WISP), Women in Security & Resilience Alliance (WISECRA), Women in International Security, the New Zealand Network for Women in Security (NZNWS), and myriad others.
Reflecting its growing scope, earlier this year AWSN merged with protective-security organisation Women in Security and Resilience (WiSR) – which represented women in an industry that is increasingly blurring the lines between physical and cybersecurity.
“We’re trying to get more women into this really amazing industry, and also to stay,” explains AWSN founder Jacqui Loustau, who began that nearly 3000-strong organisation five years ago as an amalgam of events, mentorships, targeted programs and training.
Broader-based tech groups like Women in Technology and Tech Ladies offer safe spaces for women to meet and collaborate, while others have nurtured formal mentorship partnerships with industry figures to help actualise their members’ career ambitions.
Some were established specifically to focus on finding and recruiting capable women: the US government-backed TechWomen, for example, connects Silicon Valley tech firms with degree-qualified tech professionals across Africa, Central and South Asia, and the Middle East.
Many groups concentrate on particular industry segments, with the likes of Women in Data UK, Women in DevOps, and Women in Big Data Canberra running forums, events, and networking activities to support women working across a range of tech fields.
Following in the vein of Girls Who Code, specialised coding groups for women are particularly focused on training and support, with MusesCodeJS joining groups like Code Like a Girl and She Codes to put a local accent on global communities like Girl Develop It.
Whether as independent efforts or fuelled by the intrinsic
networking capabilities of LinkedIn, such groups are proving transformative for women who may have felt disenfranchised in the past.
“With social media and your networks, you can easily get in touch with people, and people who know people, and there will be the cost of a coffee and some of your time,” notes Gretchen Scott, director of Women Who Code Melbourne – the local arm of a global body with over 290,000 members worldwide including engineers, executives, data science specialists, designers, managers, and other technology roles.
The support of community groups is an antidote for often corrosive corporate cultures in which women often feel forced to justify their presence or qualifications. “You start to internalise that because it is just tiresome,” Scott explains, “and the community groups you can become a part of can support you and help you assess what was going on. They can give you ways of mitigating the impact on you, but also implementing change outwards.”
FOSTERING INTERNAL COMMUNITIES
For all the value that external groups provide, it’s important to remember the level of change that is also possible through internal community-building and education programs such as the AWS Skills Guild recently established within the Bendigo and Adelaide Bank.
Designed to fast-track the development of cloud application development capabilities – of which cybersecurity is necessarily a significant part – the program trained more than half of the bank’s developers on foundational and intermediate cloud topics.
By providing models of focused collaboration, such internally designed and delivered community efforts also seek to unify employees around a common cause – and to foster the team dynamics necessary to support an ongoing culture of learning.
This included the appointment of 15 cloud champions, who were called upon to host a dozen informal events over the course of the six-month program.
“Training for both our technical and non-technical staff is crucial, because it facilitates collaboration between technical and business teams, and creates a common understanding of cloud,” said Bendigo and Adelaide Bank cloud community lead Lauren Benedict. “With cloud-fluent business professionals, we can collaborate effectively and contribute to our organisational objectives.”
Substitute the word ‘diversity’ for ‘cloud’ and it’s clear how models for intensive business transformation can be delivered by building and reinforcing internal communities of interest.
Although the program isn’t targeted directly at diversity, its design is similar to the gender diversity programs in place at many companies, where similar efforts to shape corporate culture are directed by the continuous reinforcement of team dynamics, a sense of common purpose, and a collaborative effort to overcome overt and covert organisational blockers.
This commonality of purpose, and an associated sense of support, echo the same goals that Saujani had in founding Girls Who Code all those years ago – and they continue to drive the online community building that will continue to support women as the world pivots away from the challenges of the pandemic.
For those that find themselves floundering in new jobs – or questioning their attachment to old ones – reaching out to any of the many online communities for women offers a powerful support.
“I know that it’s incredibly difficult to put yourself out there,” Lai said, “particularly when you’re in that early career stage.”
“But there is so much out there, and you’ll get a really good sense of where are the good places to work, who is doing good things, and who are creating safe spaces that you would actually want to invest your time in.”
“The tech industry needs you more than you need them, honestly, in so many different ways.”
SAI HONIG
CAN WE TALK ABOUT THIS? SPEAK UP FOR YOURSELF!
by Sai Honig, Co-Founder – New Zealand Network for Women in Security

Speaking up is not something women are always comfortable doing. Growing up, I was told to stay quiet, proceed with caution, err on the side of politeness, be concerned about how others may react, and apologise for anything and everything. I have spoken to many women who have experienced similar things growing up. So it’s no wonder women in cybersecurity are often unseen or unknown, because they are unheard.

Truth be told, you are your own best advocate. I think Steve Howe, EY’s managing partner for the Americas, put it best: “In all aspects of life, I believe that speaking up for yourself determines the difference between success and stagnation. Outstanding women performers often want to trust the system — but they also have to stand up for themselves. Don’t assume that all of the right things happen. Don’t trust that your performance speaks for itself. Lean in and I believe that if you’re surrounded by the right people, they’ll do the same for you.”

So, how to start speaking up for yourself? Start by asking yourself “What is my range and what is my power?” Range and power are not the same thing. Range is dynamic. It expands or narrows based on context. Whether you are one in a group of two or two hundred, your range can change.

Power comes in many forms. We often think of power as offering alternatives in negotiations. When it comes to work, power may be in the form of selecting or managing assignments. It may be speaking at a panel and expressing a viewpoint that is not aligned with the views of other panellists.

Power and range are intertwined. When we lack power, our range narrows and we have little leeway to make changes. When we lack range, our power to influence is limited. When our range narrows, it produces the low-power double bind. This effectively means if we don’t speak up, we could go unnoticed. If we do speak up, we could get punished.

When this happens, range needs to be expanded. How do we expand our range? There are two things that really matter: power in your own eyes and power in the eyes of others. When you feel powerful, confidence flows, and range is expanded. When others see power in you they often grant you a wider range.

A Harvard Law School study found “Hesitation to negotiate on one’s own behalf may hold back female negotiators”. There is a stereotype of women as being selfless. In this study, evaluators perceived women who negotiated for higher compensation to be “significantly more demanding” than those who did not negotiate. As a result the evaluators were “less inclined to work with the women who negotiated”. This persistence of a stereotype has a social cost that is substantially greater for women than for men.

There are some techniques women, or anyone, can use to increase their power and range. Advocating for others when negotiating for improved conditions is one technique. It is sometimes called the “mama bear effect”. The idea is that when you advocate for conditions that benefit others more than yourself, it is not considered a selfish act. It expands range in yourself and in the minds of others. When you advocate for others, you can discover your own power.

Another technique is to signal that you are flexible, usually by offering alternatives. Flexibility shows the other person you are open to other ideas. Doing so can reduce other people’s resistance to your cause. Confidence can come from our ability to share what we know. That ability can be seen as expertise. Having expertise gives us credibility. In a high power situation, credibility is usually a given. In this case, we still need good evidence. In a low power situation, credibility may not be a given. In this situation, we need excellent evidence.

This leads me to a discussion about imposter syndrome: doubting your abilities and feeling like a fraud. This mental state makes us fixate on how we think others are judging us. In these fixations, we’re usually wrong. We start fixating more on how those judgments might destroy our interactions. We become scattered, worrying that we are underprepared, and obsessing about what we should be doing. In the end, we spend more time mentally reviewing what we said earlier and worrying about what people think of us and what that will mean for us tomorrow.

So, how to move from this mental state? Know and understand the facts about the situation. Objectivity and data are everything. Analysis of the facts, and conclusions identified, can be used to support your cause. Logic, data and research are some of the best weapons for alleviating imposter syndrome. If you know what you’re doing and have the facts to support what you’re talking about, then you can support your place at the table.

It’s often been said that mentors are crucial in cybersecurity but that is true for any profession. I have found mentors in relationships I have built through activities outside work and through work-related networking and professional groups. I have joined a Lean In Circle. If you can, find people within your organisation who will proactively promote you because they see your capabilities.

Lastly, if you have a fear of public speaking, then speaking up for yourself is even more difficult. It also makes the low power double bind even harder to break. I have encouraged those I have mentored to work on their public speaking skills. There may be a need to speak without preparation. You can practice prepared and unprepared speeches by working through programs at Toastmasters International.

There are few precedents for women in a male-dominated field. Breaking through the social expectations put on women can be difficult. Speaking up for yourself can improve not only your position but also the positions of others.

www.linkedin.com/in/saihonig/
newzealandnetworkforwomeninsecurity.wordpress.com/
MY JOURNAL ON SHELEADSTECH MELBOURNE: JOURNEY FROM 2017 TO 2021
by Natalie Perez, CISA, CRISC, CRMA; SheLeadsTech Coordinator, ISACA Melbourne Chapter

My father once told me hindsight can be better than foresight. When I was approached to write this article on SheLeadsTech, I decided I would share my recollections on why and how I got into SheLeadsTech.

It was in September 2017 when I attended a presentation by one of ISACA’s global directors, Jo Stewart-Rattray, on the poor representation of women in technology professions. From my observation and experience, I was aware technology professions were male-dominated and there were technical roles labelled as male roles or female roles. Similarly, there were leadership roles mostly dedicated to men, and my male colleagues in those roles had a higher take-home pay than my female colleagues.

In July 2019 I signed up to be a volunteer for SheLeadsTech. I attended a few meetings of a sub-committee in the ISACA Melbourne Chapter to set up the SheLeadsTech initiative in Melbourne. As with most new organisations or programs, there was a lot of groundwork required so SheLeadsTech could reach out to ISACA women in technology, and to men championing women and the program.

In late 2019 Reshma Devi, now the Diversity Director, and I decided to continue setting up the SheLeadsTech program in Melbourne. We had our first on-site event with AWSN and Microsoft, with Mitra Minai representing SheLeadsTech Melbourne to present the results of ISACA’s 2017 Women in Technology survey published as The Future Tech Workforce: Breaking Gender Barriers. The work continued in 2019, and we took the opportunity to build the audience for SheLeadsTech Melbourne via LinkedIn. When the pandemic hit in March 2020 we had 33 members, today we have more than 500.

COVID-19 has had no adverse effect on the SheLeadsTech community: we have seen an increase in demand and interest from members and followers. We recruited additional SheLeadsTech ambassadors for Melbourne, including university students and experienced professionals.

At the global level, ISACA has established a not-for-profit organisation OneInTech. SheLeadsTech is one of three key programs. SheLeadsTech’s mission is to increase the representation of women in technology leadership roles and the tech work force. SheLeadsTech has three pillars:

a) Raising Awareness - We will work to educate employees, allies and engaged professionals so we can overcome unconscious bias.
b) Preparing to Lead - Our training and skills development program will prepare current and upcoming female leaders for the digital future.
c) Building Global Alliances - Through strategic partnerships we will amplify our impact beyond the ISACA network and support our chapters as each tackles the unique challenges of its region.

OneInTech has two other initiatives: WeLeadTech and YoungLeadersInTech. With the three pillars of SheLeadsTech front of mind, SheLeadsTech Melbourne’s strategy and programs include partnerships and collaboration with organisations such as AWSN, VIC ICT for Women and Work180 to empower women in the technology industry. Further to this, SheLeadsTech continues to sponsor and participate in programs that offer awareness sessions, scholarships, recognition and awards such as International Women’s Day 2021, Go Girl Go For IT, CyberEdition and the Australian Women in Security Awards.

Since February 2021, SheLeadsTech Melbourne has delivered free virtual events with subject matter experts on key topics such as human skills, volunteering, meditation and mindfulness, unconscious bias, resilience and authentic leadership. Many more are planned for the rest of 2021. The SheLeadsTech ambassadors have been present in virtual events as moderators, panellists, technical assistants and Q&A support. The number of followers on the SheLeadsTech Melbourne page on LinkedIn had grown to 515 by late September. This demonstrates the value the community places on the programs offered by SheLeadsTech.

SheLeadsTech Melbourne would not have been possible without the leadership and guidance of our previous SheLeadsTech coordinator, Reshma Devi, now the board member and diversity director for the ISACA Melbourne Chapter, and the support we receive from the ISACA Melbourne Chapter, SheLeadsTech ambassadors, the speakers/presenters, and partnerships/sponsorships. For me, all this started with a morning ISACA Melbourne Professional Development session I attended in September 2017. Now, I am looking forward to doing bigger and greater things in 2022 for the SheLeadsTech community.

Natalie Perez
www.linkedin.com/in/natalie-perez-74298436/
SheLeadsTech Melbourne
www.linkedin.com/company/sheleadstech-melbourne
KAREN STEPHENS Karen is CEO and co-founder of BCyber, an agile, innovative group who works with SMEs to protect and grow their business, by demystifying the technical and helping them to identify and address cybersecurity and governance risk gaps. Karen has recently graduated from both the TechReady Woman Accelerator graduate and CLP program with the Cyber Leadership Institute in 2021.
Board Speak versus Tech Speak: same-same-different (really different)

Cyber risk is a key concern for boards today. They usually come at it from a non-technical background, and only a few IT professionals speak the language of business. So, we find ourselves at an impasse, or do we?

Things are made more confusing by the fact there are some terms with multiple meanings depending on the context, or even the industry the business operates in. To get you started, here are my top four terms you need to be mindful of. There are many more.

Asset Register
You mean technology assets: business owned information systems or hardware.
They hear depreciation schedule and company assets: things the business owns and/or controls and uses.

Asset management
You mean an inventory of all technology assets and tracking all “devices” that interact with your business and the internet to help you understand your attack surface.
They hear investment management, and they expect a focus on increasing the wealth of the business by acquiring or selling and/or managing investment assets.

Audit
You mean a process that is part of (IT) asset management, or perhaps privileged asset management, or understanding what assets the business has, who has access to each asset, and why.
They hear (and possibly fear) financial audit and/or Australian Financial Services Audit, or a visit from the Australian Taxation Office for an ATO audit. Their interpretation will be industry specific.

Compliance
You mean the business’s digital security requirements and practices, be they legal requirements, a security standard, or a framework.
They hear industry specific requirements with possible fines or worse. For example, Australian Financial Services licensees have a multitude of legal obligations they must adhere to that cover everything from monitoring and supervising authorised representatives to complaints, compliance with the Anti-Money Laundering and Counter-Terrorism Financing Act, training, appropriate advice, mandated client reporting, and more.

So, next time you address a board or have that meeting with the accounting department to get financing for your new cyber resilience program, remember what you are saying may not be what they are hearing. It is up to us to change that.

www.linkedin.com/in/karen-stephens-bcyber/
www.bcyber.com.au
karen@bcyber.com.au
twitter.com/bcyber2
youtube.bcyber.com.au/2mux
For more details, connect with SheLeadsTech Melbourne:
https://oneintech.org/our-programs/sheleadstech/ https://www.linkedin.com/company/sheleadstech-melbourne sheleadstech@isaca-melbourne.org.au
Feel free to connect also with your local ISACA chapter.
MANAL-AL SHARIF
HOW TO IDENTIFY AND SURVIVE A TOXIC WORKPLACE ENVIRONMENT
by Manal-al Sharif, Author of Daring to Drive | Founder, The Ethical Technologists Society

Toxic relationships abound, and a workplace environment is no different. To break the cycle of toxicity you must first identify it. This is true whether you are an interviewee, manager, or employee. Here, I will discuss how to identify, navigate, survive and, if necessary, leave a toxic workplace environment. After all, your wellbeing should always be your top priority.

IDENTIFYING TOXICITY AS AN INTERVIEWEE

As an interviewee you have the opportunity to spot toxicity before becoming part of any work environment. Unfortunately, many people are unaware of what to look for. For example, I have made it a point to ask every interviewee I encounter what the signs of an unhealthy work environment are and what can be done to remedy it. Surprisingly, many simply cannot answer that question. If you are an interviewee, here are ten ways to identify toxicity:

1. The individual(s) conducting the interview look and act stressed.
2. There is a high turnover rate.
3. Interviewers’ language signals superiority, and employees are referred to as working “under” them.
4. The position you are applying for has not been filled for months.
5. The person whose job you are interviewing for resigned suddenly.
6. There is a high turnover in management positions.
7. Most employees you encountered on your way to the interview looked miserable.
8. You called a former employee and they told you the workplace was toxic.
9. The recruiter admits the employer has a bad reputation.
10. They want you to be a “jack of all trades” and fill many roles simultaneously.

If you are an interviewee and any of these ten signs appear, it is probably best to pass a job offer up. It is simply not worth it.

ASSESSING THE SPREAD OF TOXICITY AS A MANAGER

Nobody likes to admit they may have been affected by a toxic workplace, but when toxicity is unchallenged, it finds its way into every nook and cranny. There may be times when, as managers, we have been affected by the spread of toxicity, and some of our behaviours have become toxic. If you are a manager, here are ten questions you can ask yourself to discover if you have been affected by, or are contributing to, a toxic workplace environment. All answers should be yes.

1. Do you prioritise your mental and emotional health?
2. Are you able to clearly set and communicate goals and expectations?
3. Do you check on your team members frequently? Do they have career plans?
4. Would you rather have employees who show their commitment through results than through facetime?
5. Are employees shown appreciation and given opportunities for visibility?
6. Have you cultivated a safe environment where individuals can express opinions that may be contrary to yours? Are your team members shown the same respect you expect them to show you?
7. Do you refrain from talking negatively about other team members when they are not present?
8. Do you resolve conflicts that arise between team members in a timely and healthy manner?
9. Are your team members well-connected with each other, with you, and with the business? Are there venues set up to facilitate this connection?
10. Would you be willing to admit you made a mistake and apologise?

CREATING GRASSROOTS CHANGE IN A TOXIC WORKPLACE ENVIRONMENT

What do you do if you determine you are in a toxic environment? Is there a way to create grassroots change and begin weeding out the toxicity? It is possible. However, whether you are an employee or a manager, several steps need to be taken. Here is my third list of ten recommendations.

1. Start by weeding out the bullies and team members contributing to toxicity.
2. Clearly communicate your concerns through the proper channels. People will become defensive if they were unaware of the situation, or were contributing to the problem.
3. Listen to what others have to say and hold confidential feedback meetings.
4. Eliminate all work that is time-consuming or meaningless (some managers love to see people busy even after the work is done: they just cannot abide seeing someone taking a break between assignments or projects).
5. Set firm boundaries with others and provide clear directions.
6. Address toxic behaviours in one-on-one meetings. Toxicity not addressed immediately will spread.
7. Cultivate a safe environment where others feel seen, heard, understood and valued.
8. Encourage healthy attitudes by openly rewarding them.
9. Express genuine interest in the wellbeing, needs and aspirations of your team members.
10. Refuse to allow or participate in gossip.

While grassroots change may be difficult, it is possible. As someone who grew up under a monarchy, I have seen firsthand the power of grassroots change movements. Speaking up can be intimidating, if not terrifying, but it is the first step to change. For example, it is difficult to call out the chair of a meeting for acting in an unprofessional manner, especially if they are your line manager. There are many situations in which standing up may make you stand out, but it is essential to be true to your values and ethics. Again, any toxicity that goes unaddressed will simply spread. I cannot emphasise this point sufficiently. You are never alone, and no one should ever be too afraid to advocate for change or to accept feedback when needed. However, it is crucial to speak up in a respectful way.

SPEAKING UP WITH LOVE

In addressing toxicity in the workplace, I have had the opportunity to listen to stories from both sides. Often, both parties are genuine and might be venting the same negative feelings about the other person. However, neither seems to realise they contributed to the creation of the problem. Perception is key, and speaking up with love will help individuals be receptive rather than closed off to what you have to say. Speaking up with love inspires empathy and heartfelt discussion, and helps facilitate change.

I realise this is easier said than done, but I do not recommend anything I have not had to practice. I have experienced the emotions of rage, pain, betrayal and even hate stemming from toxic situations. Yet, through these experiences, I have learned the only way to let go and grow is to forgive and to speak and act with love.

When words and actions are not motivated by love, we become closed off and insecure. We are numb, argumentative and disconnected from those around us. Love is a foundational element of every healthy workplace. Without it there is no psychological safety net. There is no safe space for individuals to truly express themselves.

More specifically, workplaces that create and protect the psychological safety of those working there are typically healthy and productive, and the workers blossom. Eventually, the workplace atmosphere will be positive and immune to toxicity.

WHEN TOXIC BECOMES TOO TOXIC

While change is entirely possible, there are times when it is no longer appropriate to stay in a toxic workplace. The thought of leaving may be simultaneously relieving and daunting. You may enjoy the idea of exiting the cycle of toxicity but for a myriad of reasons feel you cannot leave. You may believe you must have another job lined up before leaving the one you are in.

Much like being in a toxic relationship, your confidence may be undermined. You may feel unworthy, or suffer imposter syndrome. However, some workplaces can be just too toxic. In which case, you need to leave, especially if there is a lack of direction, structure, boundaries, transparency and collaboration. The first thing to remember is that quitting requires the right mindset. You will need a strong will, a supportive network, and perhaps even a career coach or therapist. Here are five tips to help you successfully and gracefully exit the cycle of toxicity.

1. Journal how you feel before and after work. Check your entries to identify any patterns and to remind yourself of the reality of the situation.
2. Confide in close friends who will offer you their unbiased opinions.
3. Talk to a career coach or therapist about how you are feeling and what you are going through.
4. Do not pressure yourself to find another job immediately. Taking a break, healing and resetting are necessary during this time.
5. Remind yourself daily that you are worth much more.

KEY TAKEAWAYS

To change a toxic workplace environment, employees and employers must first be able to recognise behaviours and actions that are toxic. They must then speak up with love to promote empathy, help facilitate true and open discussions, and ultimately create change. Although toxic situations can be persistent, grassroots change remains entirely possible. Once we understand where the other party is coming from, we can successfully craft an action plan to navigate, survive and shift a toxic workplace environment to one that is positive and promotes psychological safety.

www.linkedin.com/in/manal-alsharif/
www.manal-alsharif.com/
CRAIG FORD Cyber Enthusiast, Ethical Hacker, Author of A hacker I am vol1 & vol2
What do the “Women in Security” awards mean to you?

It is understandable that awards such as WIS mean different things to different people. As a man I am lucky enough to have been nominated for this year’s Australian Women in Security Male Champion of Change award. I don’t know who nominated me, but I struggle for the right words to explain how much it means to me. (Considering I am both a freelance journalist and a published author of multiple books, that will be funny to some).

I am a huge believer in diversity, gender diversity and beyond. I feel, as a society and an industry (ICT security), we need true diversity of thought: strong diversity in gender, religion, background, education and heritage. All will make us better equipped as an industry to find real solutions to the avalanche of problems we face. We all need to think differently and look at things in our individual unique ways.

What I feel to be the right path could sound completely wrong to you, and that is good. Disagreement is no bad thing. If we can look at the world from different perspectives, we will all grow. We need to set aside our personal interests and consider the opinions of others. Is what they suggest a better solution than our own? It might be, it might not be, but we need diversity in thought to really have an open and a constructive industry, rather than an industry that continues to do the same things over and over again, producing the same results. We can do better.

I digressed a little, but that needed to be said. In my opinion the awards are part of the solution, part of how we can work towards achieving diversity. I participated in the Australian Women in Security awards 2020 as a judge. It was a tough call. There are so many talented women in our industry, and the awards help shine a light on these amazing people. They encourage them to forge stronger, bolder careers, and will encourage all young girls (and boys) to consider a career in ICT security/cybersecurity in the years to come.

I loved being able to provide my time as a member of this industry to support such an initiative. I would encourage anyone to do the same. Even reviewing the nominations is rewarding. This year I am a nominee for Male Champion of Change. Essentially, I agree with the label because I am a very vocal advocate for change. However, as a human being and a father of both sexes, I feel I must show how we should all behave. So, although I am proud to have been nominated, and am humbled by those who thought me deserving, I will always continue to do what is right.

I am a proud supporter of both the Women in Security Magazine and the Australian Women in Security Awards. So, men (and women) let’s all get behind both these amazing initiatives. You don’t have to do anything extravagant, or flamboyant: just do what is right, all year round. Speak up when you see something is not right, take that extra step to encourage diversity, stand proud together, and one day lack of diversity will be a thing of the past.

Just take that road less travelled, you won’t regret it. Finally, congratulations to the nominees in all the categories. I wish you could all win. For those of you lucky enough to win: congratulations, stand tall and be a beacon for future members of our industry. It is changing, and we are all part of that change.

www.linkedin.com/in/craig-ford-cybersecurity
www.amazon.com/Craig-Ford/e/B07XNMMV8R
www.facebook.com/pg/AHackerIam/
twitter.com/CraigFord_Cyber
TECHNOLOGY PERSPECTIVES
QUEEN A AIGBEFO
A CYBERSECURITY GLASS SHOE
by Queen A Aigbefo, Research student, Macquarie University

Cinderella loses her slipper, or glass shoe depending on which version you recall of the well-known story, popularised by Disney. A prince sends a scout to search the land for the person whose foot is the perfect fit for the glass shoe (or slipper), and he discovers that foot belongs to Cinderella.

Landing a job in cybersecurity feels almost like a Cinderella experience. Although I am neither recruiter nor human resource professional, I have many shared experiences with candidates who are ‘open to work’. The views expressed here are drawn from those experiences. There are more people hoping to land cyber-related roles than roles available. Yet, despite the multitude of candidates applying for the available vacancies, some organisations struggle to fill open positions in cybersecurity-related fields. This begs the question: is there really a talent shortage in cybersecurity? The answer is, it depends. It depends on what skills an organisation is looking for. There may be a shortage of experienced cybersecurity team leads or managers, but the industry’s skills gaps may be self-inflicted.

A Google search for job advertisements in cybersecurity-related fields will return hits with well-defined, poorly-defined and downright ugly job descriptions.

THE PUNCH LIST

The industry punch list can put candidates off by asking for 10+ years of experience in XYZ technology when the technology in question is less than five years old. Job seekers may read a job advert and, not having all the fancy badges or flags required, decide not to apply, leaving the position unfilled for months. Even an experienced security professional would find it challenging to ‘tick all the boxes’ in these unrealistic job advertisements. Perhaps the industry needs to reduce the strings of acronyms it uses to describe the perfect candidate. Spoiler alert, there is no perfect candidate.

THE UNICORN

Little kids love unicorns, yet they do not exist. The punch list sets out to find a unicorn. A security practitioner familiar with how an organisation works may, with experience, become that organisation’s unicorn and take on multiple roles, tasks and responsibilities over time. It is unrealistic to expect the same from a new hire who will need time to understand the context, culture and people in the new environment. What then should organisations do to fill their job openings?

TRANSFERRABLE SKILLS

Some experienced security professionals do not have a degree in computer science, engineering, or a security-related qualification. Some do have other useful skills: philosophical thinking, problem-solving, inquisitiveness, curiosity, a passion for learning. The list goes on. Working in cybersecurity requires more than technical expertise. Technology moves fast and continual learning is required. Nowadays, the industry strives for inclusion and diversity, yet this striving is not always reflected in the candidate selection process. The industry must change its approach to recruitment and how it considers candidates with transferrable skills.

ADAPTABILITY

As a security practitioner you may be putting out fires almost every day or learning about a new technology, depending on your role and your expertise. Working conditions can change rather quickly in cybersecurity, even in the course of a day. A successful cyber professional needs to be adaptable, but principled. In the Cinderella story, the shoe fitted only ‘the one’. The cybersecurity glass shoe should fit candidates who demonstrate passion, attitude, aptitude, and adaptability.

BURNOUT IS REAL

Working in cybersecurity presents many daily challenges. Candidates do not need the added pressure of unrealistic expectations. Perhaps this is another reason why the industry has roles that remain vacant. A candidate may have transferrable skills, be adaptable and check the right boxes but will experience burnout if working conditions are toxic and expectations unrealistic. When talented individuals leave jobs, their roles may be difficult to fill. These individuals tend to have intellectual resources accumulated from years of hard work.

The cybersecurity glass shoe is not comfortable, and there is no ‘perfect candidate’. The industry can remove its self-inflicted talent shortage by finding people with the right mindset rather than only those possessing all the desired bells and whistles.

Cybersecurity is about people, and about securing the people and assets within an organisation. Roles outside the core of cybersecurity can help us to better understand how security works. The industry should accept into security teams people from multiple disciplines with transferable skills to improve our understanding and our thought processes, and make security more relatable.

www.linkedin.com/in/queenaigbefo/
twitter.com/queenaigbefo
ANAFRID BENNET
ON THE FRONT FOOT WITH CYBER RESILIENCE
by Anafrid Bennet, Cyber Security Enthusiast and Leader. Manager, IT & Security Operations at Greater Western Water

Cybercriminals prey on human complacency. So now, when the world is reshaping itself in alignment with the fourth industrial revolution, more than ever we must be on the front foot with cyber resilience.

Cybersecurity risks have been trending on the World Economic Forum’s website for several years. In a world of automation, robots, autonomous vehicles, blockchain, data policy, drones and internet of things, human complacency is a top underlying cause of cybersecurity failure.

The good news is we have security measures that can protect business, government and household infrastructure. The bad news is that these measures are close to obsolete, due to the ever-changing nature of threats and ever more sophisticated attacks.

I did some research into two recent attacks on food and oil pipeline companies. In both these cases there were impacts in addition to the cost of paying the ransom, and the loss of productivity. There were supply chain disruptions, there was panic, people lost their wages, there were surges in the prices of these commodities, and general social unrest.

The consequences could have been worse. If these criminals had wanted to they could have endangered human life and safety. As a staff member of a water and waste service provider to the western region of Melbourne, Victoria, this concerns me, and I started unpacking these recent attacks to help forestall similar ones. There were multiple theories as to how these recent attacks could have been executed. Potential intrusion methods include:

• An unpatched vulnerability in the system.
• A phishing email that fooled an employee.
• Stolen credentials that were either purchased or leaked.
• A remote access facility with no multifactor authentication that made it easier for cyber criminals to gain entry.

I also discovered that, even after paying multimillion dollar ransoms, it took days for these organisations to restore their data and their systems. This shows both a lack of readiness to respond to these types of attacks, and a degree of desperation: in short, unwarranted complacency. This is exactly what the criminals thrive on.
There is a wise saying: ‘know your enemy’. We need to understand our opponents to understand and play the game. As with any game, in cybersecurity you need a balance of offensive and defensive techniques to win.
We have focussed long enough on honing our defensive game plan with various techniques, what we call ‘layers of defence’. It is time to shift our thinking and reimagine our game: to pivot into playing a different game, an offensive game.
There are several stages to a successful attack. First, the attackers identify and understand the target, then they prepare their infrastructure, deceive using a weakness, and achieve their objective. We can use the same tactics and techniques to our advantage: by having a good understanding of our attack surface, and the operating environment, by hunting for and analysing the attack vectors in the environment to identify hidden threats, and by using cognitive techniques to reinforce the right security behaviour. There is nothing to stop us reverse engineering the attacker’s processes. They, like us, are only human!
Here is how we can play this game and take our cyber strategy to the next level.
1. We need to redesign and train our best security people and implement the best technologies available to identify vulnerable targets and protect them and, if necessary, take down the threats.
2. To do this, our security solutions should employ similar tactics, and many are now using predictive intelligence and behaviour analytics.
3. Attackers mix and match techniques. So we should mix and match machine learning security technologies with user awareness.
4. It is a myth that technology alone can solve the problem. Reimagine awareness campaigns – use the same tactics criminals use to tap into human minds.
5. Train human minds to spot deception and compromises.
6. Invest in teaching younger generation staff offensive techniques and tactics, so they can perform continuous scanning and sniffing to identify, control and safeguard vulnerable targets.
7. Invest in professionals to perform forensics and uncover hidden tracks to bring down these players.
We need more cyber strategists, leaders, behavioural analysts, researchers, technologists and engineers to be on top of this game. We need to be mature in our offensive strategies while optimising our defensive techniques. Our journey to cyber resilience is a continuous process. We need to keep innovating and staying alert, because the criminals are constantly innovating. We are all in this together.
Disclaimer – this article represents my personal views and not the views of Greater Western Water.
www.linkedin.com/in/anafrid-bennet-b081a441/
BROCK RODERICK
THE BIGGEST LIE EVER TOLD, AND ITS IMPACT ON CONSUMER PRIVACY by Brock Roderick, Founder of Education Arcade
‘I HAVE READ THE TERMS AND CONDITIONS’…
This declaration has been made dozens of times by the 4.5 billion people connected to the internet. I myself have never read the 50-100 pages of size six font that usually constitute these terms and conditions. Is it because I trust the company? No. It’s because my need for the service or device outweighs the time it would take to read and understand the legal jargon these T&Cs are written in.
For decades it has been acceptable for companies to obscure their intentions in this way. The declaration itself is often used to give them the authority to gather your information and do with it as they please, without incurring any liability whatsoever. In recent years though, consumers and companies have woken up to privacy, and governments are stepping up with policies designed to put the power back into consumers’ hands.
Over 80 countries have now adopted comprehensive data protection laws. The European Union has the General Data Protection Regulation (GDPR). It has been in force since 2018, and its primary aim is to give individuals control over their personal data.
In New Zealand the Privacy Act controls how New Zealand agencies collect, use, disclose, store and give access to personal information. However, these policies tend to overlook a common cause of consumer privacy issues.
TAKE A STEP BACK…
As a consumer, do you really know what you’re signing up for when you buy that new cellphone at your local shopping centre?
Who has spent $1,500 on a new cellphone, only to return it the next day after being uncomfortable with the terms and conditions they were asked to agree to on setup? Short answer: No-one. So, how can we empower the consumer to make privacy a consideration when making a purchase? We can give the consumer the information prior to purchase, and in a format that is simple and easily digestible.
How can companies use ‘privacy by default’ as a marketing tool for selling their products or services? They can use a calculator designed to highlight privacy concerns that will rate their products or services against the competition. If any of this is starting to sound familiar, then you are probably the person in your household who buys healthier food options when you go to the supermarket. You may also be the sort of person who will pay more to buy an energy efficient appliance. How are you empowered to make these decisions? You probably saw the front-of-pack labelling systems used by the food and white goods industries.
LET’S MAKE A CHANGE!
Health star ratings have been used in New Zealand and Australia since 2014 and provide a quick and easy way for shoppers to choose healthier packaged foods. Energy rating labels have been in use since 2002 and provide consumers with information that helps them save money long term, and reduce their environmental impact. Both these systems were implemented to solve large scale societal problems: child obesity and conservation of energy. You may be wondering if these labelling systems actually help a consumer make better choices. The Obesity Policy Coalition examined the history of the health star rating system and found it had created behaviour changes and was increasingly being used by consumers to make healthier choices when shopping. It deemed the health star rating system to be effective overall, but noted that mandatory labelling and a refined rating algorithm could make the scheme more effective. Prior to the introduction of the labelling system, the obesity problem shared an uncanny similarity with today’s privacy concerns: obscure technical information, often hidden in small font on the back of packaging. Would adoption of a front-of-pack privacy labelling system help consumers understand the technology they purchase, the amount of personal information they need to provide, how that information is used and how much it invades their privacy? The evidence suggests it would. Consumers would make conscious decisions about privacy when purchasing technology, and manufacturers would be driven to make privacy a marketable feature.
Could we extend this to online services like Facebook or eBay? Websites like these are in the data business and typically hold more personal data than ever before - a privacy rating on their sign-up pages would certainly be appropriate. We don’t need to reinvent the wheel to improve consumer privacy. We can simply borrow from the tried and tested vehicles in the food and white goods industries.
Brock Roderick www.linkedin.com/in/brock-roderick-17a92a108/
Education Arcade www.linkedin.com/company/education-arcade
Reference Source: Obesity Policy Coalition, Consumer NZ, Ministry of Primary Industries
DEIKA ELMI
THE REAL REASON THERE’S A SHORTAGE OF WOMEN IN SECURITY
by Deika Elmi, CISM, Security Writer and Educator. Dreams of a safe and more equitable world for everyone
Culture is the key reason there’s a shortage of women in security professions. Women with the necessary talents opt for other jobs — some early on, some in the middle of promising careers. Two ways to combat the shortage include altering how security professionals recruit talent, and putting more emphasis on the human element. Recruiters can hire more skilled women by tweaking job descriptions to read more like they are looking for helpful people and less like they are trying to cast an action movie.
YOU DON’T NEED A “WORK WARRIOR IN A FAST-PACED ENVIRONMENT”
It’s no secret that fewer women than men enter security professions. One reason is an inaccurate impression of what the job is all about. In even the most physically challenging environment, you will certainly spend more time watching and talking to people than you will spend in fistfights. This is not the impression you get from many job descriptions. Physically pulling a plug is the most action you can expect to see in a cybersecurity role. But .
That kind of marketing is pervasive. And it turns women away from applying. As one anonymous professional put it, “Everything is not young white guys at a black and green screen. There are other parts that can be highlighted, such as geopolitical, social, investigative, and the human element.”
Women who stay in cybersecurity often start out feeling alienated and out of place before realising they do belong and do have the necessary skills. A 2021 study that interviewed 16 C-suite women executives in cybersecurity found one common experience: “The pivotal moment was the relationship of a mentor or sponsor who then validated their ability to do that role, giving them the confidence to push past those feelings of being an imposter.”
Women who do enter cybersecurity may not stay. In 2014, Dr Jane LeClair estimated 80 percent of men who take up careers in cybersecurity stay, while only 60 percent of women do. Skilled mid-career women often love the work itself, but get fed up with an “expectations gap” and a poor work culture. A 2008 Harvard Business Review report found 41 percent of women entering the tech industry leave – compared to just 17 percent of men. A recent McKinsey report found only 37 percent of entry-level jobs in tech were held by women compared to 47 percent in other industries. McKinsey also found the percentage of women decreased with seniority. They hold 30 percent of managerial roles, 25 percent of senior manager/director roles, 20 percent of VP roles, and 15 percent of C-suite roles.
EMPHASISE THE HUMAN ELEMENT
People skills are very, very important in security.
Cybersecurity experts love to talk about extremely technical attack techniques like watching LEDs with a drone or decrypting RSA keys from the whir of a hard drive. Yet for every highly technical attack there are many more that could have been stopped by educating people to update their passwords and to not download suspicious attachments. Bravery and geeky brilliance have their place, but far more of the day-to-day work of cybersecurity is . That may tie into the “STEM shortage” more generally. Amanda Diekman, a professor of psychology at Indiana University, led a study in which “one important reason for [gender] discrepancy is that STEM careers are perceived as less likely than careers in other fields to fulfil communal goals (eg, working with or helping other people). Such perceptions might disproportionately affect women’s career decisions, because women tend to endorse communal goals more than men.” Tragically, women’s desire to help people is not helping them succeed in cybersecurity. Furthermore, this is the very talent cybersecurity needs to attract if it is to successfully combat most cybersecurity attacks.
CHANGE THE CULTURE, SAVE THE WORLD
Companies intentionally or unintentionally alienate women during sourcing and recruitment. Whiz-bang technical details and a warrior ethos are not the heart of security work. Security professions are about helping people and keeping them safe. You need patience much more often than you need shuriken.
Women aren’t rare in security. As of 2017, about were women, and about 24 percent of people in the investigations and security services sector were women. That number is growing. An extrapolation from census data estimates . One in four is far from parity, but it’s progress we can build on.
www.linkedin.com/in/deikaelmi/ twitter.com/DeikaE deikaelmi.medium.com/ www.deikaelmi.com
JACQUELINE JAYNE
DO YOUR PART. #BECYBERSMART.
by Jacqueline Jayne, Security Awareness Advocate - APAC, KnowBe4
October is Cybersecurity Awareness Month in the US. It was launched back in 2003 by the US Department of Homeland Security and the National Cyber Security, and known as National Cybersecurity Awareness Month until this year. The theme for 2021 is “Do Your Part. #BeCyberSmart”, and the event aims to help empower individuals and organisations to own their role in protecting their part of cyberspace.
You will see a few US-related links and references in this piece. My intent is not to ignore the resources we have in Australia, rather to highlight what we all could be doing in October to foster a global approach to fighting cybercrime.
Cybersecurity is everyone’s responsibility. The entire cybersecurity community should collaborate to raise awareness. The majority of successful cyberattacks (including scams) are the result of human error and/or lack of knowledge. I challenge all organisations to consider whether they are investing sufficient of their cyber budget in an ongoing, engaging and relevant security awareness program to reduce risk and empower their people to make the right decisions to keep safe online.
Back to Cybersecurity Awareness Month. We are not seeing a lot of Australian organisations get behind it, and I have a few thoughts I will come back to on that topic. The focus for this year’s Cybersecurity Awareness Month will change each week:
Week of October 4 (Week 1): Be Cyber Smart. Taking simple actions to keep our digital lives secure.
Week of October 11 (Week 2): Phight the Phish! Learning how to spot and report phishing attempts to prevent ransomware and other malware attacks.
Week of October 18 (Week 3): Explore. Experience. Share. – Cybersecurity Career Awareness Week. Highlighting Cybersecurity Career Awareness Week led by the National Initiative for Cybersecurity Education (NICE).
Week of October 25 (Week 4): Cybersecurity First. Exploring how cybersecurity and staying safe online are increasingly important as we continue to operate virtually in both our work and personal lives.
Cybercrime has no borders, so it stands to reason a global approach to fighting it is required.
If you are reading this during or after October that is OK because you can roll out your own Cybersecurity Awareness Month at a time that suits you and your organisation. Also, please make a note in your calendar for late August 2022 to start the planning for Cybersecurity Awareness Month 2022.
As promised, here are my thoughts on why we are not seeing a lot of Australian organisations get behind this initiative.
1. Someone in the IT department is responsible for cybersecurity and they have more than enough on their plate without the additional effort required to plan, deploy and manage such a program.
2. The business departments that should be collaborating with IT to roll out a cybersecurity program (such as HR, Training, Marketing or Communications) are unaware Cybersecurity Awareness Month exists.
3. Boards and executive teams are also unaware of the importance of an organisation-wide approach to security awareness and education for their people, so a month dedicated to such is not on their radar.
These three points might appear overly negative, but in every organisation there are competing initiatives, requirements and focus areas. Over the years I have seen ah-ha moments occur when there is realisation of how educating people is just as important as securing infrastructure, systems and networks.
What can you do to start the conversation? If you are in IT, then create a team with people from other areas of your organisation to talk about cybersecurity. The same goes for those not in IT. The greatest success will come from cross-collaboration and top-down support. Discuss how cybersecurity relates to the entire organisation, prepare and plan to make a difference.
You can read more about the why and how to approach these conversations in part two in the next edition of Women in Security Magazine. Until then, #BeCyberSmart.
www.linkedin.com/in/jacquelinejayne/ clubhub.site/@jacquelinejayne jacquelinej@knowbe4.com twitter.com/JakkiJayne
For further information, please visit these resources to support the ongoing education and awareness of your people.
Sources
https://www.knowbe4.com/cybersecurity-awareness-monthresource-kit
https://www.cisa.gov/cybersecurity-awareness-month
https://www.nist.gov/itl/applied-cybersecurity/nice/events/cybersecurity-career-awareness-week/discovering-cybersecurity
https://staysafeonline.org/cybersecurity-awareness-month/
PAMELA GUPTA
ARTIFICIAL INTELLIGENCE SYSTEMS: BUILDING AI SYSTEMS FOR RESILIENCE
by Pamela Gupta, Cybersecurity & Responsible AI Strategist. Founder of “Advancing Trust in AI”
Artificial intelligence (AI) and machine learning (ML) systems are ubiquitous and increasing in scope and impact. They are integrated into a wide array of business and military operational environments. Their scope is wide and their impact significant. Therefore understanding the risks they pose and building resilience are critical.
The National Security Commission’s (NSC) artificial intelligence report calls AI the engine of innovation, and highlights several applications in healthcare and defence. Healthcare applications include averting cardiovascular disease and stroke, assisting the visually impaired, and robotic telehealth.
In defence, the NSC report says, “The best human operator cannot defend against multiple machines making thousands of manoeuvres per second, potentially moving at hypersonic speeds and orchestrated by AI across domains. Humans cannot be everywhere at once, but software can.”
Is there a problem? Yes, there is. There are no effective guardrails to ensure AI systems are built with security, privacy and transparency.
There are AI failures, algorithmic failures and system failures. There is the challenge of building trust in AI. AI can affect the selection processes for jobs and education. It can impact financial systems, credit ratings, surveillance systems and numerous other applications.
You will find details on my LinkedIn video: AI regulations: a technology and governance view on algorithmic failures in our world now and how to put guardrails around AI.
Algorithms are commonly used in healthcare to rank patients by risk level in an effort to distribute care and resources more equitably. But the more variables considered, the harder it is to assess whether the calculations might be flawed.
More and more companies are using AI-based hiring tools to manage the flood of applications they receive — especially now there are roughly twice as many jobless workers in the US as before the pandemic. There are 30 such tools currently, and the number is growing.
As with other AI applications, researchers have found some hiring tools produce biased results, favouring men, or favouring people from certain socioeconomic backgrounds, for example. Many people are now advocating for greater transparency and more regulation. One solution in particular is proposed repeatedly: AI audits. That is not a solution. At best, audits give an incomplete picture. At worst, they could help companies hide problematic or controversial practices behind an auditor’s stamp of approval. Also, audits are not undertaken before rolling out a service or product so could not prevent the rollout of a flawed AI application. Is there a solution? What is the solution? When do we implement it? Who will implement it?
AI systems — and in this article I want to focus on machine learning — pose a unique challenge to traditional resilience management techniques such as the Carnegie SEI CERT Resilience Management Model (CERT-RMM).
ML systems are often black boxes. Current assessments presume people are responsible for making decisions that may affect resilience. ML systems do not lend themselves to such methods. A different approach is required. ML systems do not operate like qualified staff who have been assigned to perform planned activities. Instead, they are trained with terabytes of data. Without full validation of this data, bias can creep in. Current methods and frameworks are not adequate to build resilient large scale AI systems. As SEI’s Alexander Petrilli and Shing-hon Lau state, “The overarching goal of the CERT-RMM and its derivative tools … [is] to allow an organisation to have a measurable and repeatable level of confidence in the resilience of a system by identifying, defining, and understanding the policies, procedures, and practices that affect its resilience.”
www.linkedin.com/in/cybersecurityprivacyforbuildingtrustholistically/
ALEX NIXON
STRATEGIC SECURITY EXECUTION IN THE AGE OF RECOVERY AND REVITALISATION
by Alex Nixon, Vice President of Cyber Risk, Kroll | Virtual CISO
When workforces around the world were sent home with hastily-configured laptops last year, the boundaries of the workplace were redrawn – I believe permanently. Our security environment suddenly encompassed people’s living rooms, dining tables and bedrooms, imposing a substantial change, in particular for traditional organisations. Much useful advice has been published by learned colleagues regarding the tactical security response to this shift, but in this article, I wish to draw your attention to the strategic challenge facing us in the coming months and years.
Pandemic fatigue is not a new term, but never has it applied to so many people simultaneously. The Australian workforce has been asked to display ongoing resilience and adaptability in a hitherto uncharted environment. Every organisation has gone through a period of hardship and collective trauma, and has been fundamentally changed. Looking to 2022, as executives across all parts of organisations, we would be remiss if we did not acknowledge this trauma and recognise that we must adapt if hard-fought security gains are to remain in place.
So, what does this mean for our industry? It is not enough to mandate compliance and drive poorly-informed, fear-based investment decisions designed to protect an organisation from as yet unrealised security threats. Our audiences have lived through two years of decision-making amidst fear of the unknown, and they are tired of it. The CISO of today must be adept at interfacing with business stakeholders throughout an organisation, and must act as an intermediary, translating security concepts into relevant business language, and vice versa, but always with the organisational strategy and end user in mind.
Complicating the CISO’s role is the fact that many organisations have seen a change in the way they do business. Some have struggled to stay afloat, and many have had to adapt to survive. But it is the shift to a hybrid working approach that seems to be the most universal change. Now, as we move from the resilience stage of the pandemic towards recovery and revitalisation, there is a need for CISOs to act as security evangelists.
Authentic leadership is an expression more commonplace than when I started my career in security – and what a relief that is! Development of an appropriate security strategy in a post-pandemic world involves not only an understanding of the
organisational strategy, but also an ability to build trust-based relationships. A CISO who exercises this ability will be granted an all-access pass that enables them to really understand the security practices around the organisation. In a world where we cannot simply go around the office checking that everyone’s desktop is locked, this trust is vital if we are to understand where we are today, and therefore where we can go tomorrow. This is why the concept of authentic leadership is so vital to successfully communicate and execute an information security strategy. Without a truly holistic understanding of the organisation today, a strategic security roadmap is less likely to receive executive buy-in and will be almost impossible to execute effectively.
I suggest we look to the advice given by Sue Langley, CEO and founder of the Langley Group, at the CMO Momentum conference in Sydney in 2019. She explained that lasting behavioural change is driven by high levels of dopamine in the brain. Negative messaging is perceived as a threat, causing adrenaline levels to surge and dopamine levels to fall. This creates a neural environment that is not conducive to change. If we are to successfully build and execute security strategies, we need an employee base that is willing to traverse the change curve with us. Consequently, we must frame our communication with employees in terms of the ‘dos’ of security, rather than the ‘do nots’.
And communication is vital when the workforce is to remain geographically disparate. Perhaps you are familiar with organisations where the security strategy was kept under lock and key, deemed relevant only for the security function itself, and perhaps for the technology team. That mindset may be behind us, but a dusty document sat on the intranet has almost as few benefits. CISOs should look to examples of CEOs who communicate effectively, and often publicly, with their employees as a measure of how to communicate to all employees the ‘dos’ of a security strategy in positive, business-focused language. I use the suggestion of how a CEO interacts with employees very deliberately, because I believe we are in the middle of a shift in the role of the CISO.
Effective information security is a business enabler, and consequently the CISO must act as another executive managing a business line. As more and more CISOs report into, or have a seat on, the board of the organisation, they must switch gear. They must change from having a technology-first mindset to having a focus on maximising value for shareholders, certainly when they operate in the private sector. As I have witnessed first-hand, a security strategy that does not support the corporate agenda is not only doomed to fail, it will not even pass GO. In those organisations that have struggled to adapt in the past two years, we can expect budgets to be heavily scrutinised for maximum return on investment. We cannot simply rely on fear of an as yet unrealised security threat to open the corporate coffers; boards must understand the value of our strategy to the organisation if it is to be approved.
For the CISO who finds the corporate landscape somewhat unfamiliar territory, the best allies are to be found in the Risk, Strategy and Finance departments. These allies can provide the knowledge of how to best translate our world into the language of executive decision-making. And what does a successful security strategy look like? You will not find the answer in this article — the pandemic has affected every organisation in a different way. However, I am confident that, as we collectively tip-toe our way towards revitalisation, the era of the business-minded CISO has arrived.
www.linkedin.com/in/alexlnixon
STUDENT IN SECURITY SPOTLIGHT
Elizabeth (Liz) McBurnie is studying for a Bachelor of Cyber Security at the Burwood Campus of Deakin University in Victoria as one of the recipients of the 2021 CyberCX Women in Cyber scholarship. She grew up in Australia in the outer eastern suburbs of Melbourne, Victoria.
ELIZABETH MCBURNIE
Bachelor of Cyber Security student, Deakin University | Intern (STA) and Women in Cyber scholar, CyberCX
Why did you choose to study security?
I have been fascinated by computers since I was a teenager, but back in the 80s and early 90s no one I knew had a computer at home, and my high school (secondary school) had only twelve PCs for students. It taught only one computer systems class, and numbers were limited. I applied for the class, but all the places seemed to be taken by male students. My high school also ran a work placement program for students where the student chose an industry that interested them, and the school arranged a two-week work placement in that field. I, of course, chose computers but was allocated clerical. When I explained the error to my careers advisor I was dismissed with the line, “Computers, clerical it’s all the same thing”. So, while my male classmates undertook their work placement in a server room at a prestigious Melbourne university, I was opening mail for a gas company.
This ‘Comedy of Errors’ continued to plague me when I expressed a desire to attend university to study computer systems. My family was not poor, closer to lower middle-class, but no one, nor any of our friends, had ever attended university. So we knew nothing about the process, and university study was not really encouraged at school: they considered it a ‘win’ if students completed Year 10. My parents, in their effort to try to help, invited an acquaintance who they thought was a computer expert to dinner at our house to give me some advice on which subjects I would need to study to be accepted into a computer course at university.
He told me I would need high marks in maths, English and physics if I was even thinking of applying. So, with that advice in mind, I chose physics as one of my Year 11 subjects. I already had very high grades in English and maths but had never had any interest in physics. It proved to be a disaster and became the only subject I ever failed. With that failure, my dreams of working in the computer industry were dashed, and I believed I would never be accepted into a computer course at university.
When I was offered a job at a credit union as a teller, I took it, believing my career in IT was over before it had even started. It turned out my parents’ ‘computer expert’ was a guy who sold calculators, and I didn’t need physics to be accepted into university, only maths and English. But the damage had been done, and I left school after Year 11. However, my interest in computers never diminished. I was always reading PC magazines and helping to troubleshoot IT issues at work. I married a programmer and he taught me a great deal about computer systems. Together we opened a computer consulting business where I started to get some real hands-on IT experience. I built systems for customers and helped install and troubleshoot hardware and software issues.
When I became pregnant, I decided it was an excellent opportunity to go back to school as a mature-age student and finally study computer systems. I completed my first year and then intended to have a short break while my son was born, but my life and my family circumstances changed and I was unable to return to university to complete my degree.
Over the following years I had some programming and database work and some IT troubleshooting work. By then I was a single mother with young children. I primarily wanted part-time work, but this was extremely rare in IT at the time. So I returned to administration and bookkeeping until the kids had grown up and completed their education.
Once the kids had left school and university, I decided it was time to follow my passion and finally do what I loved. I looked around for available IT courses and discovered the government had a program offering free TAFE courses. One of the courses on offer was Certificate IV in Cyber Security. I couldn’t believe what a great opportunity this was. I had always felt there was insufficient emphasis put on securing digital assets. I applied and was accepted for the program.
I studied Certificate IV at Chisholm Institute and loved it, so I followed that by obtaining my Advanced Diploma in Cyber Security, and I am now mid-way through my Bachelor of Cyber Security at Deakin University.
The more I learned about cyber security, the more passionate I became. I feel there are tremendous opportunities in this field, and something for everyone: security education, threat intelligence, governance, risk assessment, security architecture, security operations, security testing, digital forensics, sales and admin and even physical security. We need both technical and non-technical people. With more people now working online, and this trend continuing to grow, cybersecurity is now more critical than ever, from both a personal and a business perspective, and there are not enough people to fill the expanding demand.
What inspires you?
I am inspired whenever I read or hear about, or see, a woman succeeding in cybersecurity. I love how progressive companies are promoting and supporting programs for women in the industry. I was fortunate enough to be chosen for one of the 2021 CyberCX Women in Cyber Scholarships. This inspired me to continue my studies just when I was considering quitting. I am enormously grateful to CyberCX and the inspirational woman, Melanie Truscott, who heads up its Women in Cyber program. That program confirmed all my hard work and perseverance had been worthwhile.
What skills do you think a person needs to succeed in the cyber field?
Passion and desire. You must be passionate about cybersecurity, and you must have the desire to succeed. Technical skills can be learned, but you will never succeed without the passion to continue learning and the desire to overcome obstacles. Cybersecurity is an ever-changing, ever-evolving industry, and you need to remain informed and abreast of all the latest news and trends. So you always need to keep learning and enhancing your skills.
What advice would you give to current or future security students?
Never give up! Don’t ever think you are too old or that the opportunity has passed you by. If you have a passion for something, keep persevering, keep that flame alive, and take advantage of every opportunity that comes your way. Persistence and passion will help keep you motivated, and motivation will keep you moving forward.
Make sure you keep enhancing your skillset, even in your trimester breaks. There is a plethora of free online training: vlogs, podcasts, labs and activities you can be involved in. Don’t limit your education to what you learn in your Uni/TAFE course.
Network! Join associations like AWSN and attend conferences, tech talks, CTFs, etc. where you can talk with other like-minded people. The cybersecurity field is diverse, and it can be challenging to decide where to focus. Interacting with others in the industry can help you identify areas that interest you and give you a more realistic understanding of what the job entails. It can also provide you with opportunities to interact with people already employed in cybersecurity, leading to job opportunities.
Where do you want to work or see yourself working?
I am currently interning in the Security, Testing and Assurance (STA) division of CyberCX and enjoying it immensely. I want to work in this field after completing my degree. I enjoy the challenge of searching for and investigating vulnerabilities, and the satisfaction of providing mitigation strategies, knowing I have helped create a safer environment for my client.
What do you care about when it comes to choosing a place of work?
I would love to work for a smaller company, like a startup, to be involved in the growth of the company. It has a more personal, caring feel about it that would make me want to come to work. I would like a workplace that provides opportunities for all and cares about people and our environment, one that shows this by having programs to promote its core values.
www.linkedin.com/in/elizabethmcburnie
Clariza Look is studying for a Master of Information Technology at the University of Western Australia. She grew up in Basilan, a small island in the southernmost part of the Philippines but has spent most of her professional life in Cebu City on the Philippines mainland.
CLARIZA LOOK
Master of IT Student at UWA, Women in Tech Advocate
Why did you choose to study security?
Out of curiosity about this untapped job market. Despite the rapid rise of cyber-attacks, few companies, especially small and medium sized companies, are really making information security a priority across the organisation. This means there is a lack of awareness of cyber threats and cyber risk, and a lack of risk mitigation planning.
So, as a person planning to enter the industry, I expect to have many opportunities. Also, women are not well represented in cybersecurity, and I want to be an advocate for women in tech.
As a student of information technology I had many specialisations to choose from, but I chose to learn security. I think at this point of time it is a skill that can make a big impact on any organisation, because there is a shortage of cybersecurity practitioners.
What inspires you?
I find inspiration in the variety of people and experiences. But having mentors takes me to a whole new level because they become my role models. I am truly inspired by how much they are willing to give of themselves and share what they have learned.
I was inspired to study cybersecurity because few organisations and people are aware of cyber threats. I wanted to be part of the group that will educate them and help them improve their security strategies.
What advice would you give to current or future security students?
Talk to practitioners in the field, network (attend/join cybersecurity groups), look for mentors (not just one, but as many as possible) in the field you want to specialise in and ask them sensible questions, then research these topics online. Aside from learning at university, it is also good to gain certifications. (The market is tough, especially for entry level roles.) Don’t be afraid to invest in certifications or workshops: they can help you get ahead of your competition.
Where do you want to work or see yourself working?
I would like to work for one of the large cloud technology companies such as Microsoft or AWS, or for a consulting organisation like Accenture or Deloitte that offers security solutions to clients. I am also open to roles in start-ups or small-sized companies, but I am not sure how much they invest in training entry level cybersecurity employees like me.
What do you care about when it comes to choosing a place of work?
Honestly, I don’t think there’s a perfect company, regardless of whether it be a big name or a start-up. What I am looking for is a company that gives me the opportunity to grow, one that offers support for personal and career growth; a company that values diversity in teams and offers an opportunity to give back to the community.
Are you part of any groups, associations or have been mentored? How has that helped you?
Yes. I am a member of the UWA University Career Mentorship Program for Students. My mentor is a senior cybersecurity practitioner who worked for PWC Perth as an IT risk and compliance specialist and in cybersecurity for many other companies in Perth. I am also a member of the AWS She Builds career mentorship program (July 2021 intake). My mentor is a senior solutions architect specialising in infrastructure and telecommunications at AWS. And I am a Microsoft Learn Student Ambassador. The program hosts a variety of educational online community groups that discuss specific topics like cloud computing, AI/ML, data/analytics, online workshops. The program is also supported by the Microsoft Perth team which conducts local traineeship workshops and offers a mentorship program for student ambassadors.
I think mentorship is crucial for anyone seeking to enter a specific industry or wanting to progress their career. Mentors have helped me in many ways. Universities teach a mixture of the foundational concepts and practical knowledge needed to be an ICT professional. Mentors provide perspective on what working in a specific field is really like. Additionally, they give me ideas about different specialisations within the organisations they work with. I get to know what they do as specialists in their field of expertise. They pave the way for me by opening my mind to new ideas and opportunities. Coming as I do from a non-tech background they help me improve my confidence to enter the tech industry. They give me tips to improve my employability by taking certificates and doing workshops. They even help with soft skills like how to handle rejections.
Who would you like to be mentored by?
At present I know few people working in cybersecurity here in Perth except for Caitriona Forde. I met her at WitWA where she talked about her experience in cybersecurity. Since then, I have followed her on LinkedIn and on a Discord group called West Coast Cyber. It would be my pleasure to be her mentee.
Do you listen to any security podcasts or read any security book that you would recommend?
Not regularly, because I am already consuming a lot of information from my studies.
What do you wish you knew about the security industry?
I am currently taking a unit on “introduction to cybersecurity” and it talks generally about cryptography, networking, cyber law, forensics, pen test basics, general concepts of vulnerabilities and threats. I am still exploring the security industry, which means there is much I need to learn. The one thing I would really like is to have practical experience in cybersecurity.
www.linkedin.com/in/clarizalook
Crystal Fay D’Souza has enrolled for a Masters of Cybersecurity at Monash University, Melbourne, Australia. She was born in India but moved to Doha, Qatar aged four. She has lived mostly in India and Qatar and is looking forward to studying in Melbourne.
CRYSTAL D’SOUZA
First Year Master of Cybersecurity student, Monash University
Why did you choose to study security?
I am passionate about IT and therefore pursued a Bachelors Degree in Computer Science. During my bachelors there was a unit on cybersecurity, which I thoroughly enjoyed. That sparked my interest and curiosity in security. I started researching online, watching YouTube videos and consuming lots of security-related content. I realised how important and pervasive cybersecurity was. I loved the subject and it really resonated with me. I discovered the skills needed to succeed in security were aligned with my personality. However, I wanted to train myself technically and professionally. To achieve this, I enrolled for a masters in cybersecurity.
What inspires you?
I love challenges and I love learning something new each day. Not being bored is awesome! I draw inspiration from reading and watching interviews with top leaders in security. All the successful women in technology, particularly those in cybersecurity, inspire me. I would love to see many more women take leadership roles in security. I think women bring fresh perspectives to the table and work with sincerity and commitment. The impact each of us can make is immense, and absolutely gratifying. We also have an active community of security professionals always willing to guide, help and advise. All my mentors have been very helpful and have inspired me to do better.
What advice would you give to current or future security students?
My advice to students would be to immerse themselves in learning, to enjoy the journey and trust the process. Never doubt your skills or capabilities and seize opportunities that come your way. Having an up-to-date LinkedIn profile and engaging with the cybersecurity community is key. I have gained access to many significant opportunities through LinkedIn. Never shy away from seeking help or advice, and do not hesitate to reach out to people. Be open to learning new things and find yourself a mentor who can put you on the right path. Lastly, work on your communication skills in addition to your technical skills. They can take you a long way.
Are you part of any groups, associations or have been mentored? How has that helped you?
I am currently a member of several organisations, including Empow(H)er Cybersecurity and Women in Cybersecurity (WiCyS). These organisations are led by awesome women in security. They host multiple workshops, seminars and mentorship programs and are great platforms to connect with people in security and with industry experts. I found my mentor through a mentorship program managed by Empow(H)er Cybersecurity. I have had multiple mentors throughout my life and all have been phenomenal. They have pushed me to excel, and I draw inspiration continually from their professional journeys. Mentorship has made me more confident, and given me a community I can connect with, which I truly appreciate.
Do you listen to any security podcasts or read any security book that you would recommend?
There is much information available online that one can make good use of for self-study. I follow a couple of YouTube channels: Simply Cyber by Gerald Auger and Professor Messer. Messer is great for networks and security related certifications and concepts in general. An interesting book I read recently was Countdown to Zero Day by Kim Zetter. It was a fantastic read.
www.linkedin.com/in/crystalfay/
Scott Cooper recently completed a Cybersecurity Bootcamp run by the University of Sydney and Trilogy. He grew up on the North Coast of NSW and on Norfolk Island. He and his friends, keen gamers, exploited lax security to use others’ internet accounts. He did not anticipate a career in cybersecurity.
SCOTT COOPER
Technical Support Officer, Brain Train Co | Graduate Cyber Security, The University of Sydney and PostGraduate, Network and Systems Administration, Charles Sturt University.
Why did you choose to study security?
After completing a Postgraduate Certificate in Networking and Systems Administration in 2020, cybersecurity seemed a natural progression because cyber-attacks target systems and networks. Cybersecurity is becoming increasingly important as attacks on government and business organisations become more frequent and severe, manifesting as ransomware attacks and disrupting normal services. I saw a growing need for cybersecurity and assumed it would be an interesting field to work in with plenty of job opportunities.
What inspires you?
I am inspired by technology and believe technology can enhance all our lives if used for good. I am inspired by the opportunity to work all day and every day with like-minded people in a field I am passionate about.
What skills do you think a person needs to succeed in the cyber field?
An understanding of security across various platforms, and an aptitude for technology. You need a mixture of ‘hard skills’ and ‘soft skills’: networking, scripting, administration, problem solving, attention to detail, communication, creative thinking, listening, and a desire to continue to learn and work as part of a team.
What advice would you give to current or future security students?
It’s important to choose your courses carefully and wisely because they come at a significant financial cost. I found both networking and cybersecurity courses really enjoyable. The University of Sydney’s intensive cybersecurity bootcamp had an excellent hands-on component that suited my learning style. I would advise future security students to check out the electives and core subjects at different universities to see which offer the best subject units for them. Being mentored was extremely beneficial to me, as was receiving assistance with writing my resumé, as you need to be able to stand out from the crowd when applying for jobs.
Where do you want to work, or see yourself working?
I would like to work in either networking or cybersecurity in the future. I recently received two job offers. Neither was in these disciplines, but both provided opportunities to gain skills that employers seek. For me these were customer service, helpdesk ticketing systems/programs, IT service management tools and data analysis.
With the entry-level jobs I would be applying for in the future, I chose the one that would provide me with Help Desk experience and would be more likely to advance my career in the field I eventually want to work in. However, it was really hard choosing between the two workplaces. I wrote the positives and negatives of each job offer, and agonised over the choice. I had to go through a number of applications and interviews before receiving those job offers. I considered these to be practice. I also looked into graduate IT jobs and am hoping to hear back from some of those interviews.
What’s important to you when it comes to choosing a workplace?
I want a workplace that is inclusive, supportive, has a positive culture, and where cross-team knowledge sharing and mentoring are encouraged. The place I now work at has all those. It is a small site of a company with branches in several states. I like that the IT team is small, and I can get to know the team well. The team manager is self-taught in IT. She has grown into the role with the company. She demonstrates what interest and passion can achieve.
www.linkedin.com/in/scott-j-cooper/
LISA ROTHFIELD-KIRSCHNER Author of How We Got Cyber Smart | Amazon Bestseller
Olivia loves maths and science at school and especially enjoys her technology class. Ms Brightspark, Olivia’s technology teacher, does really cool things like showing the class how to code games and even what hacking means. Ms Brightspark says Olivia has a curious personality, and she encourages Olivia to learn more about the world.
The annual Careers Day at Olivia’s school is next week. All the kids are planning to dress up and talk about what they want to be when they grow up. There’s always a large bunch who will dress up as superheroes, police officers, fire fighters, pilots, farmers, doctors and nurses. However, Olivia is planning to go dressed as her mom, who works in cybersecurity. Olivia’s mom doesn’t need a cape or a uniform to fight crime; she does it in her regular clothes because she’s a superhero people don’t see.
Olivia decided to wear her nicest polka dot dress to school, borrowed her mom’s scarf, and planned to tell her teacher and class about what working in cybersecurity meant. Olivia was excited to tell the class her mom helped stop bad people from attacking online systems and stealing important things from people and companies. She helps lots of people and organisations be safer, and sometimes has to work very late to fix big cybersecurity problems. Olivia was proud to tell everyone her mom has such an important job protecting and helping many people to be safe online, defending them and protecting them against bad things.
Olivia’s mom didn’t always know she would be a cybersecurity hero. When she started working in technology she read ‘A Hacker I Am’, written by cybersecurity hero Craig Ford. She felt so inspired she decided she too would specialise in cybersecurity.
Olivia also told her teacher and classmates there was a special program for young women and girls to learn about cybersecurity at her mom’s work. Olivia’s mom said, “Next year, you can come to my work for a whole day and learn more about cybersecurity and some cool hacking and coding tips.” She excitedly told all the other girls at school that, just like her mom, they also could learn how to protect people online when they grow up. Olivia can’t wait to learn more about what her mom does, and maybe become a cybersecurity hero herself one day.
Recommended by Family Zone
How We Got Cyber Smart addresses cyber safety, cyber bullying and online safety for elementary school-aged children.
WOMEN IN SECURITY MAGAZINE CONTRIBUTORS
1. AMANDA-JANE TURNER Author of the Demystifying Cybercrime series and Women in Tech books, Conference Speaker and Cybercrime specialist
2. MARIE PATANE Chief Security Officer, Sydney Metro
3. KYLIE MCDEVITT CEO InfoSect, founder BSides Canberra
4. BEX NITERT Managing Consulting, Digital Forensics and Incident Response at ParaFlare
5. MELANIE NINOVIC Digital Forensics and Incident Response Consultant at ParaFlare
6. SHENAN O’MAHONY Security Professional | Front of House Security Receptionist & Training and Development, Securitas Security Ireland
7. SAI HONIG CISSP, CCSP, Co-founder - New Zealand Network for Women in Security
8. MARIANA TELLEZ Information Security Consultant at Westpac
9. MARTY MOLLOY Events, Marketing and Communications Coordinator, AusCERT
10. VISHAKA WIJEKOON Cyber Security Analyst, AusCERT
11. MEGHAN JACQUOT Associate Cyber Threat Intelligence Analyst with Recorded Future
12. SALIZA ABDULLAH Group CEO & Managing Director, BG Capital Holdings SB
13. ROBIN LENNON BYLENGA MHRD, MSc Information Security; Human Factors Performance Lead at Scoutbee
14. JACQUI LOUSTAU Founder & Executive Manager, Australian Women in Security Network (AWSN)
15. NICOLLE EMBRA Cyber Safety Expert, The Cyber Safety Tech Mum
16. JOANNE COOPER CEO & Founder, Australian Data Exchange
17. NATALIE PEREZ CISA, CRISC, CRMA; SheLeadsTech Coordinator, ISACA Melbourne Chapter
18. KAREN STEPHENS CEO and co-founder of BCyber
19. MANAL AL-SHARIF Author of Daring to Drive | Founder, The Ethical Technologists Society
20. CRAIG FORD Cyber Enthusiast, Ethical Hacker, Author of A hacker I am vol1 & vol2
21. QUEEN A AIGBEFO Research student, Macquarie University
22. ANAFRID BENNET Cyber Security Enthusiast and Leader. Manager, IT & Security Operations at Greater Western Water
23. BROCK RODERICK Founder of Education Arcade
24. DEIKA ELMI CISM, Security Writer and Educator. Dreams of a safe and more equitable world for everyone
25. JACQUELINE JAYNE Security Awareness Advocate - APAC, KnowBe4
26. PAMELA GUPTA Cybersecurity & Responsible AI Strategist. Founder of “Advancing Trust in AI”
27. ALEX NIXON Vice President of Cyber Risk, Kroll | Virtual CISO
28. ELIZABETH MCBURNIE Bachelor of Cyber Security student, Deakin University | Intern (STA) and Women in Cyber scholar, CyberCX
29. CLARIZA LOOK Master of IT Student at UWA, Women in Tech Advocate
30. CRYSTAL D’SOUZA First Year Master of Cybersecurity student, Monash University
31. SCOTT COOPER Technical Support Officer, Brain Train Co | Graduate Cyber Security, The University of Sydney and PostGraduate, Network and Systems Administration, Charles Sturt University
32. LISA ROTHFIELD-KIRSCHNER Author of How We Got Cyber Smart, Amazon Bestseller
33. KATHERINE MANSTED Director of Cyber Intelligence and Public Policy at CyberCX
34. BEK CHEB Business Manager at AusCERT
35. ASHLEY WATKINS Vice President Trend Micro ANZ Commercial
TURN IT UP
TECH4EVIL PODCAST
By Manal al-Sharif and Reinhardt Sosin
Tech4Evil podcast explores the impact of Big Tech on our minds, the environment, and our liberties. They also reveal what Big Tech doesn’t want you to know, as well as what you can do about it.
CYBER
By VICE
Host Ben Makuch talks every week to Motherboard reporters Lorenzo Franceschi-Bicchierai and Joseph Cox about the stories they’re breaking and to the industry’s most famous hackers and researchers about the biggest news in cybersecurity.
A PODCAST OF ONE’S OWN WITH JULIA GILLARD
By Julia Gillard
One’s Own with Julia Gillard features thought-provoking yet entertaining discussions with well-known female (and some male) leaders from various industries to provide insight into what needs to be done to enable more women to lead.
SECURITY. CRYPTOGRAPHY. WHATEVER.
By Deirdre Connolly, Thomas Ptacek, David Adrian
This educational and entertaining podcast features cryptography and security experts discussing security, cryptography, and whatever else is going on in the world.
CYBER SECURITY INTERVIEWS
By Douglas A. Brush | Weekly Interviews w/ InfoSec Pros
This weekly podcast delves into the minds of industry influencers, thought leaders, and individuals. Listeners can learn from the experts’ stories and gain insight into what works (and does not work) in cyber security.
WE’RE IN!
By Synack | Bella Deshantz-Cook and Jeremiah Roe
The podcast features newsmakers, hackers, big thinkers, innovators, and pioneers from all over the world who are working tirelessly to solve today’s cybersecurity crisis. They discuss their strategies, tactics, and solutions for difficult problems.
TECH DIRECTIONS
By EY Microsoft
The podcast explores the technological challenges that impact executives today and the benefits of accelerating digital transformation and how technologies can be utilised to improve customer, employee, and stakeholder experiences while enhancing shareholder return on investment.
OMDIA DIGITAL LEADERS PODCAST
By Hansa Iyengar and Terry White
The Omdia Digital Leaders Podcast delves into issues concerning leadership in the digital age. Listen to Omdia experts and industry leaders talk about the things that can make or break your digital success story.
SHE SAID PRIVACY/HE SAID SECURITY
By Jodi Daniels and Justin Daniels
The She Said Privacy / He Said Security podcast, hosted by Jodi and Justin Daniels, investigates how privacy and security affect businesses in the twenty-first century.
THE CTO ADVISOR PODCAST
By The CTO Advisor
The podcast is geared toward the CTO or Infrastructure Architect. The show’s topics focus on future technologies and keeping today’s infrastructure in-line with business requirements.
HACKWERK
By Tyler Cohen Wood and Mirko Ross
Tyler Cohen Wood is a former US Government Cybersecurity Professional, and Mirko Ross was a hacker. They engage with guests about today’s most relevant and urgent Cybersecurity issues.
HER SUCCESS STORY
By Ivy Slater
Ivy Slater interviews fearless businesswomen from various professions as they share their success stories.
OFF THE SHELF
CYBERSECURITY: THE INSIGHTS YOU NEED FROM HARVARD BUSINESS REVIEW (HBR INSIGHTS) KINDLE EDITION
Author // Harvard Business Review
Cybersecurity: The Insights You Need from Harvard Business Review brings you today’s most essential thinking on cybersecurity, from outlining the challenges to exploring the solutions, and provides you with the critical information you need to prepare your company for the inevitable hack. The lessons in this book will help you get everyone in your organization on the same page when it comes to protecting your most valuable assets. The book features HBR’s smartest thinking on fast-moving issues (blockchain, cybersecurity, AI, and more). Each book provides the foundational introduction and practical case studies your organization needs to compete today and collects the best research, interviews, and analysis to get it ready for tomorrow. The Insights You Need series will help you grasp these critical ideas and prepare you and your company for the future.
MANIPULATED: INSIDE THE CYBERWAR TO HIJACK ELECTIONS AND DISTORT THE TRUTH
Author // Theresa Payton
Cybersecurity expert Theresa Payton tells battlefront stories from the global war being conducted through clicks, swipes, internet access, technical backdoors and massive espionage schemes. She investigates the cyberwarriors who are planning tomorrow’s attacks, weaving a fascinating yet bone-chilling tale of Artificial Intelligence mutations carrying out attacks without human intervention, “deep fake” videos that look real to the naked eye, and chatbots that beget other chatbots. The book also reveals how digital voting machines, voting online, and automatic registration may boost turnout but make us more vulnerable to cyberattacks. Finally, Payton offers readers telltale signs that their most fundamental beliefs are being meddled with and actions they can take or demand that corporations and elected officials must take before it is too late.
SOCIAL ENGINEERING: THE SCIENCE OF HUMAN HACKING Author // Christopher Hadnagy Social Engineering: The Science of Human Hacking reveals the craftier side of the hacker’s repertoire—why hack into something when you could just ask for access? Undetectable by firewalls and antivirus software, social engineering relies on human fault to gain access to sensitive spaces; in this book, renowned expert Christopher Hadnagy explains the most commonly-used techniques that fool even the most robust security personnel, and shows you how these techniques have been used in the past. The way that we make decisions as humans affect everything from our emotions to our security. Hackers, since the beginning of time, have figured out ways to exploit that decision-making process and get you to take action, not in your best interest. By working from the social engineer’s playbook, you gain the advantage of foresight that can help you protect yourself and others from even their best efforts. Social Engineering gives you the inside information you need to mount an unshakeable defence.
MODERN CRYPTOGRAPHY FOR CYBERSECURITY PROFESSIONALS: LEARN HOW YOU CAN LEVERAGE ENCRYPTION TO BETTER SECURE YOUR ORGANIZATION’S DATA Author // Lisa Block In today’s world, it is important to have confidence in your data storage and transmission strategy. Cryptography can provide you with this confidentiality, integrity, authentication, and non-repudiation. But are you aware of just what exactly is involved in using cryptographic techniques? Modern Cryptography for Cybersecurity Professionals helps you to gain a better understanding of the cryptographic elements necessary to secure your data. The book begins by helping you to understand why we need to secure data and how encryption can provide protection, whether it be in motion or at rest. You’ll then delve into symmetric and asymmetric encryption and discover how a hash is used. As you advance, you’ll see how the public key infrastructure (PKI) and certificates build trust between parties, so that we can confidently encrypt and exchange data. Finally, you’ll explore the practical applications of cryptographic techniques, including passwords, email, and blockchain technology, along with securely transmitting data using a virtual private network (VPN).
DEFENSIVE SECURITY HANDBOOK: BEST PRACTICES FOR SECURING INFRASTRUCTURE Author // Lee Brotherston and Amanda Berlin Despite the increase of high-profile hacks, record-breaking data leaks, and ransomware attacks, many organizations don’t have the budget to establish or outsource an information security (InfoSec) program, forcing them to learn on the job. For companies obliged to improvise, this pragmatic guide provides a security-101 handbook with steps, tools, processes, and ideas to help you drive maximum security improvement at little or no cost. Each chapter in this book provides step-by-step instructions for dealing with a specific issue, including breaches and disasters, compliance, network infrastructure and password management, vulnerability scanning, and penetration testing, among others.
CONTAINER SECURITY: FUNDAMENTAL TECHNOLOGY CONCEPTS THAT PROTECT CONTAINERIZED APPLICATIONS Author // Liz Rice To facilitate scalability and resilience, many organizations now run applications in cloud-native environments using containers and orchestration. But how do you know if the deployment is secure? This practical book examines key underlying technologies to help developers, operators, and security professionals assess security risks and determine appropriate solutions. Author Liz Rice, Chief Open Source Officer at Isovalent, looks at how the building blocks commonly used in container-based systems are constructed in Linux. You’ll understand what’s happening when you deploy containers and learn how to assess potential security risks that could affect your deployments. If you run container applications with kubectl or docker and use Linux command-line tools such as ps and grep, you’re ready to get started.
SURFING THE NET
IMPERVA BLOG Imperva is a cybersecurity company with a mission to protect data and all paths to it. Read Imperva’s news, articles, and insights about the latest trends and updates on data security, application security, and much more.
CYBER REVOLUTION BLOG Cyber Revolution was founded with the aim of closing the widening cyber security skills gap, through the education and placement of skilled professionals. As a result, making Australia digitally safer. Their blog focuses on educating people and assisting them in becoming more cyber secure, as well as covering the most recent threats and trends in cyber security, among other things.
TRUSTWAVE SPIDERLABS BLOG Trustwave is one of the leading cybersecurity and managed security services providers focused on threat detection and response. They have two blogs, Trustwave blog and SpiderLabs. The Trustwave Blog enables information security professionals to reach new heights by providing expert insight on hot topics, trends, and challenges, as well as defining best practices. The SpiderLabs Blog is the go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures, and cutting-edge research in the security community.
DARK READING Dark Reading is a well-known online community for security professionals. Their posts cover a wide range of topics, such as new cyber threats, vulnerabilities, technology trends, threat intelligence, potential defences against the most recent attacks, and key technologies and practices that may help protect their most sensitive data in the future. Their primary goal is to educate community members and spark thought-provoking discussions.
CybHER BLOG CybHER’s mission is to empower, motivate, educate, and change the perception of girls and women in cybersecurity. By providing resources for girls from middle school through collegiate programs and into professional careers, CybHER allows women to foster positive and encouraging relationships within this industry through original and curated content that educates and motivates women. Their goal is to increase diversity by introducing more girls to cybersecurity, who will then transition to women in collegiate programs, and finally highly trained professionals.
ELIE’S CYBERSECURITY BLOG - ELIE BURSZTEIN Elie Bursztein leads Google’s Cybersecurity Research Team, which invents transformative security and anti-abuse solutions that help protect users against online threats. Elie’s Cybersecurity Blog covers a wide range of topics, including applied cryptography, machine learning for security, protecting vulnerable users, and web security. The blog’s goal is to raise cyber awareness and teach users how to stay safe online.
VIRUS BULLETIN BLOG Virus Bulletin is a security information portal, testing and certification body with a formidable reputation for providing users with independent intelligence about the latest developments in the global threat landscape. Their blog covers a wide range of topics, including online security news, new developments and techniques in the security landscape, and opinion pieces from some of the world’s leading IT security experts.
WELIVESECURITY WeLiveSecurity comes from the brains at ESET – experienced researchers with in-depth knowledge of the latest threats and security trends. It’s an editorial outlet for internet security news, views and insight, covering the latest, breaking security news, alongside video tutorials, in-depth features, and podcasts. The posts cater for all skill levels, from battle-hardened coders to people just looking for advice on how to secure their data effectively.
THREATPOST Threatpost is a long-running, independent source of news and analysis about the cybersecurity landscape, covering breaking news and threat research, malware and vulnerability analysis, long-term trends and everything in-between. They feature news on the gamut of cybersecurity and related topics. They don’t limit themselves to online news articles; they have videos, podcasts, eBooks, webinars, feature reports, and more.
WORK LIFE BY ATLASSIAN Atlassian is an Australian software company that builds tools to help teams across the world become more nimble, creative, and aligned. Their blog Work Life contains advice, stories, and expertise about today’s work life. They are divided into four categories: teamwork, productivity, leadership, and technology. The posts range from discussing how teams can be more productive and collaborative to discussing the most recent industry trends and practices to assist professionals in staying ahead of the curve.
AWSN 2020 AWARD WINNERS: ONE YEAR ON
by Stuart Corner
The annual Australian Women in Security Awards celebrate and raise the profile of the Australian IT security, cyber, and protective security industries. They inspire young women and men to consider a career in the sector by recognising and honouring the accomplishments of those who have made particularly significant contributions.
On the big night each winner is announced, walks onto the podium, receives their award and well-deserved applause. That at least was the plan, but thanks to COVID the entire ceremony was online in 2020.
Then what happens to the winners after their ‘five minutes of fame’ and their moment in the spotlight? In the run up to the Australian Women in Security Awards 2021, to be held in-person and live on 8 December, we asked some of the 2020 winners what their award had meant to them.
Being named Best Higher Education Program for Young Ladies in Security produced very tangible benefits for the Schools Cyber Security Challenge, Australia’s only curriculum-aligned security skills program targeting schools. Nicola O’Brien, Lead Educator at the Grok Academy who worked on the project with Martha McKeen, Executive Manager, Cyber Outreach at the Commonwealth Bank, says recognition in the Awards helped them grow their programs.
“We’ve been successful in obtaining additional funding from the Cyber Security Skills Partnership Innovation Fund. We’re continuing to build on the success of the Schools Cyber Security Challenges with additional challenges and activities coming out in 2021 and 2022.
“We’ve worked hard to make the Schools Cyber Security Challenges inclusive for all learners. The Challenges might be the first time students taking part have heard about the cyber security industry and the exciting careers within it, so it’s important to show the diversity of roles and individuals within the industry.”
INCREASED RECOGNITION
The awards have brought increased recognition and new opportunities to individual winners. Catherine Dolle-Samuel, Business Continuity, Risk and Resilience Lead in the Division of Planning and Assurance at the University of NSW, shared the award for Acts of Bravery & Courage with Christina Rose, Aviation Services Manager for Canberra Airport and Albury Airport. She says the award raised her profile both within her organisation and in the industry.
“The award has certainly made a difference in approaches from professionals and recruiters via LinkedIn. It also contributed to supporting internal awareness of the depth of work I had been undertaking, especially given I was nominated by people external to my organisation.”
Rose was also named Most Outstanding Woman in Protective Security/Resilience. She says she greatly appreciated the peer recognition it brought. “Peer recognition is very meaningful because those in the same industry understand and appreciate the work undertaken and outcomes delivered.”
Being recognised as Security Champion had a big impact on Elaine Muir, Manager, Security Education and Awareness, Cyber and Protective Services at IAG. She says it gave her a renewed sense of purpose, and opened additional opportunities to share her experiences and knowledge and help others in the industry. “I now feel more confident and have embraced formal and informal speaking and media opportunities, in the hope that I can inspire someone else and give them the encouragement they might need.”
She is co-lead of the Sydney Chapter of AWSN, but since winning the award has been appointed Vice-Chair for AWSN. “I see this step up to a board level appointment as the most important step in my security industry journey,” she says.
MULTIPLE WINS FOR IAG
IAG was a standout performer in the awards. In addition to Muir’s recognition, Chen Yu, a Specialist Engineer in the Adaptive, Response and Engineering Team at IAG, was named Best Female Secure Coder; Rebecca Winfield, Manager of Group Protective Security Operations and Delivery, was named Best Champion of Women in Protective Security/Resilience; and IAG won what might be the most important award for the wider women in security community: Best Place for Women to Work in Security.
That award had a real impact, says Jeff Jacobs, Executive General Manager, Cyber and Protective Services at IAG. “The award has definitely resulted in recognition for IAG as a good place for women to work in both cyber and protective security. Personally I received many compliments and congratulations, and the same can be said for many in the Cyber and Protective Services team who were nominated as finalists or won on the night. People from other organisations have been asking what they can do to create equally great places for all people to work.”
IAG’s recognition also extended beyond the security community. “A number of female candidates who have been interviewed for roles at IAG post the awards referred to IAG winning the best place for women in security,” Jacobs says. “And the award also helped us with our internal conversation on diversity and received a lot of airplay. I am certain it has inspired other divisions in IAG to strive for something similar.”
A SPUR TO SELF-IMPROVEMENT
Yu says being nominated for, and winning, the award had widened her network and spurred her to focus on self-improvement. “I was very happy to get to know other nominees and to find out there are so many talented women in the industry, or wanting to enter the industry. The award made me want to improve myself. It gave me encouragement to be a better me.”
Winfield says the recognition she gained from winning was useful in two ways: it helped her raise the profile of women in risk and protective security at IAG, and, being the first year in which women in protective security had been included in the awards, boosted her networking confidence ahead of the smaller Women in Security and Resilience (WiSR) group being absorbed into AWSN, in March 2021.
The Best Place for Women to Work in Security was one of two awards for institutions. The other, Best Security Certification Provider, went to (ISC)2. CEO Clar Rosso says the award helped (ISC)2 raise awareness of its certifications, and of its initiatives that support organisations such as the AWSN.
“We have seen strong interest from AWSN members and non-members alike in learning more about opportunities in cybersecurity and embracing professional cybersecurity accreditations issued by (ISC)2 which include the CISSP, SSCP and CCSP certifications.”
Since winning the award, (ISC)2 has launched a Diversity, Equity and Inclusion initiative. “It’s focused on attracting and developing a more diverse talent pipeline, accelerating more inclusive and equitable workplace policies and cultures, and supporting full and equal participation in cybersecurity education, training and employment at all career levels,” Rosso says.
Another institution that came up as a good employer of women was nbn whose Chief Security Officer, Darren Kane, was named Male Champion of Change, but he says the award really represents recognition of nbn. “It’s important to recognise that in any individual acknowledgement, you need to also recognise those who have supported you to allow for good things to happen. I felt incredibly proud of the nbn team. … I am proud that this award recognises my values and those of nbn.”
nbn, he says, is working on achieving gender equality. “We reached 33 percent female representation in management roles on 30 June 2021, and remain committed to … achieving at least 40 per cent female representation in our company’s management by 2025.”
RECOGNITION FOR VOLUNTEERING
In addition to awards recognising individuals for achievement in their professional roles there was the Best Volunteer or Not-for-Profit award. Winner in 2020 was Gladys Rouissi, whose day job is Head of Financial Governance at Zurich Financial Services Australia, for her role as ISACA SheLeadsTech Ambassador for the Sydney Chapter of ISACA.
For her, the award provided motivation, and support in her primary role. “The award has had a positive impact on my current role. It’s been a very challenging year with the COVID restrictions. This award created and strengthened valuable connections as part of a growing network of support,” she says. “To be considered part of a group of inspirational women and men was a total high and is encouragement to push further ahead.”
RECOGNITION FOR STUDYING
For Skye Wu, a Cybersecurity Investigator at Telstra, winning the Best Student Security Leader award for her role assisting with developing the AWSN Cadets over years brought recognition from on high: a congratulatory email from Telstra CEO Andy Penn. And it spurred a good deal of interest from potential future cyber women.
“A number of young women looking to enter the industry and more mature women looking to change industries or return to work have reached out via LinkedIn and other platforms to seek advice and mentorship,” she says. “I have heard back from at least one young woman who has started volunteering at a local small business to gain experience while studying. Another woman who was being discouraged by her family and friends from switching careers paths to cybersecurity is looking at training and courses to help re-educate her for a career in cybersecurity.”
HEIGHTENING A HIGH PROFILE
There are few women in cybersecurity in Australia with a higher profile than Michelle Price, CEO of Australia’s peak cybersecurity body, AustCyber, who won the AWSN 2020 Award, which “recognises the accomplishments and contributions of an individual or company that is making a real difference and reshaping the security landscape.” Price acknowledges she is already well-known, but says the award has given her increased recognition where it’s needed. “Absolutely the award has given me increased profile - in particular to the dozens and dozens of young women now coming into the profession, which has been fantastic and hugely rewarding.”
In sharp contrast to high profile Price is Gyle dela Cruze, a home-based cyber threat analyst with Cyber Research NZ who was named Unsung Hero. She volunteers to causes such as promoting cybersecurity as a career, supports the Kids SecuriDay group and volunteers as a judge for events organised by Trace Labs, a non-profit helping trace missing persons and train others in its techniques.
She says she does not “go around tooting my own horn,” and the award was “recognition of all the things I do in the background to help individuals secure their digital lives, and protect and defend my clients’ systems and infrastructure, and an affirmation that what I do is extremely valuable and helpful.”
Several winners noted the impact they believe the awards make to the industry. Kane says: “It’s great to see these awards recognised across the industry as a valuable and important contribution to increasing the profile of women and encouraging more women to join the industry. It shows the flexibility within the industry to increase our focus on diversity and to have people acknowledge that this is really important.”
For some winners, like Price, one result of winning was an invitation to help judge the Australian Women in Security Awards 2021. She anticipates some outstanding winners. “The brilliance of [people] in the nominations is a fantastic reflection of the growth in our industry - and the tireless work of Source2Create and partner AWSN in delivering the awards. The quality of the process and the awards event is truly admirable. Not all industries do this well. … It shows a better way to other industries.”
If you haven’t secured your seat at the 2021 Gala dinner it may be too late, but you can always join via the live stream. Just register today to secure your spot.
SPONSOR SPOTLIGHT: CYBERCX
Interview with Katherine Mansted, Director of Cyber Intelligence and Public Policy
By Stuart Corner
As director of intelligence and director of public policy at CyberCX, Katherine Mansted has a unique perspective on the cybersecurity landscape in Australia and New Zealand.
Although just two years old CyberCX is already Australia and New Zealand’s largest cybersecurity company with almost 1000 staff. Mansted says her intelligence team is like a nerve centre at CyberCX. “We work on a tactical, day-to-day level, to understand what the bad guys are doing, and how to thwart them, right up to a more strategic level where we try to anticipate what the cyber threat landscape will look like in the future, and what steps organisations can take now to protect themselves.
“We are able to look into and across all the activities that happen around CyberCX, which is an end-to-end firm. So we’ve got teams governance, risk and compliance and strategy and consulting. But we’ve also got a very operational ‘coalface’ side of the business as well, with teams doing: managed security, security research or pen testing, and digital forensics and investigations,” she explains.
“The cyber intelligence team is able to look across all of those practices and draw tactical insights to understand what the Australia and New Zealand threat landscape looks like. Thanks to CyberCX’s reach, my team is able to see, in some respects, things that even government intelligence outfits don’t necessarily get to see, because we are working with and alongside so many Australian enterprises, and understanding intimately their operations, and the cyber threat landscape that they face.”
A DYNAMIC ENVIRONMENT
Like most women in cybersecurity who have shared their journey with us, Mansted says there is no typical day, but most days display some common features, or ‘milestones’. “I think, in any cybersecurity job, it is rare to have a standard day, particularly in my area because the threat landscape is dynamic, clients’ needs are dynamic, and the regulatory landscape is in a state of flux.
“Our cyber intelligence team normally spends the morning collecting intelligence, looking at what has come in overnight, what we think the issues of the day are going to be, and then disseminating that intelligence out to our clients and across the organisation.”
And every day, says Mansted, there is the virtual equivalent of a water cooler conversation with “someone who blows my mind.” This might be “a security researcher explaining something really interesting they have found in their research,” or “one of our incident response people talking me through an ongoing case where they’re skirmishing with an attacker inside a network to defend it.”
TEAMWORK, WITH AUTOMATED ASSISTANCE
She says one of the biggest challenges of her role is wrapping her head around a huge volume of information. “But with a highly attuned team, and a combination of both human analysts and automated analysis, that’s something that can be managed, if not solved. Once that information has been gathered and analysed, it needs to be translated into actionable advice.
“We have to figure out from that deluge of information what matters most and how to prioritise addressing it, and then how to disseminate it in a way that influences people’s actions and behaviours, so that they’re able to make better decisions.”
Her “number one joy” is being able to directly help a client with a piece of timely information or intelligence.
Mansted started her professional life as a lawyer, moved into public policy and then into national security. She believes it is today not possible to fill roles in those areas without getting involved in cybersecurity. “I don’t think you can focus on public policy and national security, as I have for almost a decade now, without having a really close awareness and engagement with cybersecurity.
“It is constantly changing and evolving, so you never face a routine day. There is always something new in the news cycle. There’s always something new in my inbox. That is exciting and it also feels really meaningful and connected to what’s happening in the world.”
Before joining CyberCX Mansted worked at the Australian National University’s National Security College. “It does executive education for government officials, and also works on public policy related to national security more broadly,” she says. She still maintains a role there, as a senior fellow, teaching classes in the evening.
Prior to that, she worked in financial services law, and sees her journey through the three roles as a natural progression. “I think a lot of people study a law degree because they are interested in understanding how the world works, and in some way working to improve it. Then, working in public policy, you’re not just trying to uphold the system as it is, you’re trying to shape and change that system. It’s the same with cybersecurity. It’s all about understanding the world around you, and then trying to shape it and change it for the betterment of the national interest, or the communities you’re working with.”
FROM LAW TO CYBER, VIA THE USA
Mansted was introduced to the world of cybersecurity while studying for a master’s in public policy at the Harvard Kennedy School at Harvard University, to which she had gained a scholarship from the General Sir John Monash Foundation. While there she did some work for the school’s Belfer Center for Science and International Affairs.
“I was there in 2016 around the time of Russia’s interference in US politics, using cyber means. I was there as the US was grappling with what concepts like fake news meant, with what election security and election cybersecurity might mean. And as someone who is fascinated by how the world works, cybersecurity seemed like a really important and rewarding field to transition into. So I developed that interest in the US and brought it back with me to Australia.”
She describes her experience in the US as “really formative”, when she travelled the country to help states secure their election systems ahead of the 2018 midterm elections. “We were trying to help states understand their cybersecurity vulnerabilities, who might be targeting them and how they could improve. That completely real-world connection to real people, often with limited resources, solving one of the most pressing national security issues of the decade, influenced what I wanted to do next, and where I thought we needed, frankly, more people in Australia.”
“Cybersecurity is so diverse and so interesting. It cuts across everything no matter what policy set you’re working on, whether you’re thinking about submarines, or social media, and citizens, cybersecurity is there.”
TRANSLATING TECH TALK FOR BOARDS
Mansted does not have technical cybersecurity skills and says her role is to act as a bridge between technical specialists, analysts and company boards.
“If we go back to what my day looks like, in the morning I might be being briefed by my team of intelligence analysts who in turn work really closely with very technical people. Then I might pivot to engaging with, or briefing, a board. So I need to be able to speak multiple languages and translate between those languages to have meaningful and useful conversations with both stakeholder sets.”
She adds, “The beauty of our industry is the bringing together of people with really deep technical skills — the developers, the coders, the pen testers, the security researchers — and matching them with different skills in analysis, writing and intelligence gathering to produce really good cybersecurity outcomes.”
www.linkedin.com/in/katherine-mansted/
cybercx.com.au/
FINALISTS Australia’s Most Outstanding Woman in Protective Security
Marie Patane (Chief Security Officer, Sydney Metro)
Amy Hewson (CEO, Mitchell Personnel Solutions)
Emily Hunt (Head of Risk and Security, Scentre Group)
NOMINEES
Amy Hewson
Bhavana Mallikarjunaiah
Fiona Long
Holly Wright
Jodie Vlassis
Li Zhao
Marie Patane
Memoona J. Anwar
Sita Bhat
Emily Hunt
Nicole Stephensen
FINALISTS Best Program for Young Women in Security
AustCyber CaDop Programs
SheLeadsTech Melbourne
AWSN Cadets
NOMINEES
AustCyber CaDop Programs
SheLeadsTech Melbourne
AWSN Cadets
FINALISTS Australia’s Most Outstanding Woman in IT Security
Kate Monckton (General Manager Security and Privacy Assurance, Risk and Consulting, nbn™ Australia)
Rachael Greaves (CEO, Castlepoint Systems)
Daniella Pittis (Group CISO, Flight Centre Travel Group)
Shamane Tan (Chief Growth Officer, Sekuro)
Adrienne Maxted (Cyber Risk Specialist | Partner, Deloitte Australia)
Nivedita Newar (Head of Cyber Security Strategy & Governance (Acting), UNSW)
Daniella Traino (Group CISO, Wesfarmers)
NOMINEES
Susheela Gupta
Stephanie Crowe
Divya Saxena
Elena Scifleet
Fereshteh Zamani
Mandy Turner
Katrina Avila
Melanie Truscott
Ankita Saxena
Nadia Taggart
Rebecca Gibbons
Susie Jones
Gergana Winzer
Fiona Byrnes
Jinan Budge
Tabitha Bauer
Amanda Smith
Dr Joanna Dalton
Manisha Bajpai
Shyvone Forster
Amy Ormrod
Laura Lees
Pallavi Garg
Virginia Calegare
Alison O’Hare
Fiona Long
Bethany Cooper
Kate Monckton
Paula Oliver
Rachael Greaves
Anubha Sinha
Daniella Pittis
Asou Aminnezhad
Shamane Tan
Mitra Minai
Adrienne Maxted
Cairo Malet
Nivedita Newar
Linda Cavanagh
Daniella Traino
Irene Giantsos
Angelica Dungo
Jennifer Waugh
Bianca Wirth
Connie McIntosh
Erika Chin
Jen Johanson
Kimberley Julien
Jennifer Frances
Kylie Watson
Halana Demarest
Lalitha Ponnudurai
Melissa Nguyen
Libby Klein
Audrey Jacquemart
Thiri Htay
FINALISTS Best Female Secure Coder
Laura Brandon (Technical Lead, Trend Micro)
Dorien Koelemeijer (Security Engineer, Afterpay)
Yan Liu (Lead Software Engineer, Retrospect Labs)
Jenny Lim (Specialist Developer, IAG)
NOMINEES
Avneet Kaur
Dorien Koelemeijer
Jenny Lim
Kathy Zhu
Laura Brandon
Li Ching Liew
Sneha Paramasivan
Tanvi Bali
Yan Liu
FINALISTS Best Place to Work for Women in Security
Greater Western Water
Xero
Trustwave
Telstra
Origin Energy
NOMINEES
Akamai
Atlassian
Citi Group
Cynch Security
Data Zoo
Greater Western Water
Healthscope
Ionize
KPMG Australia
NAB
nbn Australia
Origin Energy
Privasec
Telstra
Trend Micro
Trustwave
Xero
SOLVE THE INDUSTRY’S BIGGEST CLOUD SECURITY CHALLENGES How a local Sydney R&D team are shaping Trend Micro’s cloud vision by developing innovative security software used by Fortune Global 500 and top global automotive, banking, telecommunications, and petroleum companies.
Trend Micro has been a global cybersecurity leader with 30 years’ experience in the field. Operating with a truly global footprint the company has research and development hubs across AMEA, Europe and the US and since the acquisition of Cloud Conformity, a local start-up success story, the company has been building their local R&D team. The company is passionate about making the world safer for exchanging digital information with core values focused on innovation, integrity, and making the world a better place. Led by CEO Eva Chen, named one of the top 100 women in cybersecurity in 2020, the company’s mission is to provide a diverse and inclusive environment, culture and workplace based on dignity and respect: “It’s my mission to ensure we encourage even more women to consider careers in cybersecurity going forward”.
The ANZ team live these values through a belief that diversity at all levels is an enabler of an innovative culture and promote an environment where opinions are shared openly, transparently and collaboratively across the whole team with healthy work-life balance and flexible working arrangements which are considerate of employee needs.
The Sydney based R&D team’s focus is entirely on cloud security software with contributions to the Trend Micro Cloud One platform, a solution which connects Trend Micro’s cloud solutions into a single unified customer experience, as well as ownership of two of the platform’s core solutions. These solutions include an industry-leading cloud security posture management (CSPM) tool protecting AWS, Azure and GCP accounts with automated scanning and monitoring of misconfigurations, and infrastructure-as-code scanning capabilities identifying misconfigurations within Cloud Formation and Terraform templates so that they can be corrected prior to being used to provision cloud resources. The team is driven by innovations that are grounded on research, deliver product-led growth experiences using cloud-native architecture practices and are developed using a modern agile DevOps culture.
Surya Mary Sam
Quality Assurance Manager, Trend Micro ANZ
It is a privilege being part of such a super talented team here at Trend. I attribute the high productivity to the open, supportive and immensely flexible company culture that enthuses each one of us to be the best version of ourselves each day, every day!
www.linkedin.com/in/surya-sam19a57691/?originalSubdomain=au

Laura Brandon
Technical Lead, Trend Micro ANZ
Trend is always iterating - striving towards building better products and better selves. Trend creates a space where I can do this safely without fear of failure so I can learn from my mistakes in order to grow into my full potential.
www.linkedin.com/in/lbrandon/

Deepika Raipuria
Customer Success Engineer, Trend Micro ANZ
Trend Micro has given me the perfect workplace that I was looking for. It has fulfilled one of my key requirements, work-life balance, and that has helped me to achieve job satisfaction.
www.linkedin.com/in/deepika-raipuria-9961b06/
FINALISTS Unsung Hero
Moufida Rima, Vulnerability Management Specialist, IAG
Fatema Hashmi, Senior Security Consultant, Telstra Purple
Katrina Avila, Director - Cyber Security, EY
Alana Maurushat, Professor of Cybersecurity and Behaviour, Western Sydney University
Lisa Rothfield-Kirschner, Author, How We Got Cyber Smart
Laura O’Neill, Principal Security Consultant, Trustwave
Louisa Partridge, Head of Marketing and Partnerships, OSINT Combine
Lara Hemmaty, Workplace Solutions Specialist, Optus
Louisa Vogelenzang, Director and Co-Founder, WomenSpeakCyber
NOMINEES
Mina Zaki, Amanda-Jane Turner, Alana Maurushat, Antonella Ancona, Lisa Rothfield-Kirschner, Christina Rose, Laura O’Neill, Vivienne Mutembwa, Louisa Partridge, Melissa McGreevey-Wisse, Lara Hemmaty, Adeline Martin, Fatema Hashmi, Jacqueline Ung, Louisa Vogelenzang, Liou Liu, Katrina Avila, Tracy Collins, Moufida Rima, Anna Harris, Ashley Miller, Natalie Perez, Reshma Devi, Sabina Streatfeild, Li Ching Liew, Melissa Smelt, Mariana Paun, Ffrances Lawes, Kylie Breheny, Anafrid Bennet, Barbara Lima, Chelsey Costello, Lelan Quach, Sarah Campbell, Anneliese McDowell, Mal Parkinson, Sarah Box, Carolyn Bolling, Kylie Solum, Homataj (Homa) Vafa, Corien Vermaak
FINALISTS The One to Watch in Protective Security
Pip Rae, Founder, Upstream Investigations
Sarah Wood, Security Operations Lead, AustralianSuper
Lauren Wiggins, Lead Engineer, Tactical Communications Security (TCS) unit, Penten
NOMINEES
Alison Howe, Ashleigh Little, Claudia Muller, Holly Wright, Jennifer Elliott, Lauren Wiggins, Pip Rae, Sarah Wood, Veronica Turner, Victoria Zhong
FINALISTS Protective Security Champion
Alison Lee, Director of Logistics, Penten
Pam La Motta, Specialist, Security Operations, Group Protective Security, IAG
Fiona Byrnes, Asia Pacific & Japan Client Services Executive, Managed Security Services, IBM
NOMINEES
Alison Lee, Christina Rose, Fiona Byrnes, Jo Sam, Pam La Motta, Sarah Carney, Belinda Edwards, Nicole Murdoch
ACHIEVING GENDER BALANCE THE AusCERT WAY
Interview with Bek Cheb, Business Manager at AusCERT
By Stuart Corner

AusCERT has been staging its annual conference since 2002, making it Australia’s longest running security conference. AusCERT2021 was staged live on the Gold Coast after a COVID-induced hiatus forced AusCERT2020 online.

Business Manager Bek Cheb doesn’t have exact figures on the gender balance at AusCERT2021, but says female representation was strong, about 40 percent. It’s a far cry from the early days. “I’ve been involved with the conference for 16 years and in those days you would not see a woman in the audience, which really surprised me,” she says.

AusCERT was founded in 1993 by Queensland University of Technology, Griffith University and the University of Queensland (UQ). Today it is part of UQ and also part of the worldwide network of CERTs: computer security incident response and security teams.

It is working on several fronts to improve gender balance, and diversity in general, across the industry, says Cheb. “We like to align with many organisations, and support a lot of people to make sure they understand they have the option to create diversity.” Being part of UQ helps. “Last week, UQ had a Girls Do Cyber event where high school students came in to understand what cybersecurity is. We could answer their questions and have them understand what our industry does.”
PROMOTING DIVERSITY THROUGH COLLABORATION
AusCERT has only a small team, so Cheb says most of its efforts to boost diversity involve working with other, larger organisations. “We have the established brand and the large network, so we can partner with others and give them an understanding of the industry and show them there is longevity and growth for people in cyber.

“Although we are part of UQ, every university in Australia is an AusCERT member. There’s a lot of sharing and collaboration with universities. Everyone is trying to work for the greater good and achieve things together, which is great.”

Cheb says her favourite collaboration is one that aims to increase the presence of Australia’s indigenous people in cybersecurity. It is with Brisbane-based Baidam Solutions, an indigenous supplier of network security and application security expertise.

“We’ve worked a lot with them on getting indigenous students into the industry. They also have an in perpetuity UQ scholarship to encourage greater participation in information technology and other STEM related studies.”

GETTING WOMEN ON THE CONFERENCE STAGE
While women might be well represented in the audience at the AusCERT conference, Cheb says they are less well represented on stage. “We’re getting better, but there is definitely an imbalance that is really hard to overcome. I think men have always been quite open to putting their hand up and feeling really good about their contribution. Women have tended to step back. They need more encouragement.”

AusCERT is working to provide that encouragement, and Cheb hopes more women will step up. “There are a lot of ‘rockstar’ women in our industry who are great, but a lot of people don’t want to put their hand up. So for us it’s all about being encouraging, focussing on getting the cream of the crop, no matter who that person is.”

AusCERT2022 is scheduled to be held on the Gold Coast 10-13 May and Cheb hopes to get more women presenting and participating on panels. “Over the next three or four months as we do the call for papers we will be really trying to get people to put their hands up. There’s nothing scary about joining us.”

In a bid to overcome any reluctance women in cybersecurity have towards public speaking, AusCERT is encouraging them to start small and work up: present to smaller audiences until they feel brave enough to take the stage at Australia’s premier cybersecurity conference in front of, potentially, 1000 people.

“We are working with our local AISA [Australian Information Security Association] branch. It’s a smaller audience. People can try presenting there in front of their community, people they work with all the time. That’s a safe place to start. It’s all about giving people the support they need to give speaking a try.”

SPONSORING WOMEN IN SECURITY AWARDS
In another initiative to promote women in cybersecurity, AusCERT is a sponsor of the 2021 Australian Women in Security Awards. “It’s really important to put our support where we think it’s needed,” Cheb says. “So for me, it was a no-brainer. When I saw they were looking for support, we just knew we had to be there. We’re all part of this community. So if you’re not willing to put your hand in and contribute, then you are part of the problem.”
www.linkedin.com/in/bek-cheb-39546554/
www.auscert.org.au/
Safeguard your information With Australia’s Pioneer Cyber Emergency Response Team
Incident Management Phishing Take-Down Security Bulletins Security Incident Notifications Sensitive Information Alert
AusCERT provides members with proactive and reactive advice and solutions to current threats and vulnerabilities. We help members prevent, detect, respond and mitigate cyber-based attacks. As a not-for-profit security group based at The University of Queensland Australia, AusCERT delivers 24/7 service to members alongside a range of comprehensive tools to strengthen your cyber security strategy.
Become a Member Today +61 (0)7 3365 4417 membership@auscert.org.au
Early Warning SMS Malicious URL Feed
auscert.org.au
FINALISTS Male Champion of Change
Simon Carabetta, Project and Engagement Coordinator, WA AustCyber Innovation Hub
David Watts, Chief Risk Officer, IAG
Steve Schupp, Executive Director - WA Branch, CyberCX
Dan Goldberg, CEO and Principal Partner Cybersecurity, Cybza
Brendan Caughey, Senior Cybersecurity Consultant, EY
NOMINEES
Anandh Maistry, Ashley Watkins, Ashwin Pal, Blair Adamson, Brendan Caughey, Brett Winn, Chathura Abeydeera, Craig Ford, Dan Goldberg, David Watts, Dion Devow, Elliot Dellys, Garry Barnes, Greg Janky, Greg Sawyer, Hank Clark, John Borchi, Jonathan Dean, Kaif Ahsan, Mark Carey-Smith, Masseh Haidary, Michael Simkovic, Nick Ellsmore, Paull Dundon, Phillip Jenkinson, Prashant Haldankar, Ray Kantor, Saeed Tasbihsazan, Sasenka Abeysooriya, Simon Carabetta, Steve Schupp, Simon Stahn, Theodore Panagacos, Wayne Vickers
FINALISTS Best Security Student
NOMINEES Alaina Lawson
Kavika Singhal
Victoria Cheng
Cyber Security and Behaviour Student
Business Finance and Science in IT (Networking & Cybersecurity)
Western Sydney University
University Technology Sydney
Amber Spence Eloise Robertson Emma Seaman Erika Salmon Gabriela Guiu-Sorsa Georgia Prout Hannah Rice Harsh Kaur Jacynta Grigson Kavika Singhal Lara Hemmaty
Gabriela Guiu-Sorsa
Ritu Dahiya
Cyber-Security and Incident Response Cert IV, Cyber /Computer Forensics and Incident Response Management
Master of Cyber Security
Melina Jones
Erika Salmon Graduate Certificate in Cyber Security
La Trobe University
Miranda Raffaele Nievedha P Karthikeyan Ritu Dahiya
Charles Sturt University
Selim Kang Victoria Cheng
TAFE Queensland
Amy Ormrod
FINALISTS Best Volunteer
Reshma Devi, Associate Director Enterprise Data and Analytics Risk, NAB
Laura Lees, Country BISO Australia/New Zealand at Citi and Sydney Co-Chapter Lead, AWSN
Rebecca Moonen, Security & Privacy Influence and Cyber Safety Outreach Manager, nbn™ Australia
Anita Siassios, Founder & Managing Director, ManagingCX and Founder & Board Member WiCyS Australia
NOMINEES
Amanda-Jane Turner, Anita Siassios, Holly Wright, Jillian Taylor, Laura Jiew, Laura Lees, Noushin Iranzadi, Rebecca Moonen, Reshma Devi, Sonal Agrawal
Stay Current Stay Connected Follow us on Instagram to keep up to date with industry news, job postings, issue releases, articles, women in security awards, our event and marketing services, plus much more!
@source2createptyltd
www.source2create.com.au
TREND MICRO: TACKLING DIVERSITY ON MULTIPLE FRONTS
Interview with Ashley Watkins, Vice President Trend Micro ANZ Commercial
By Stuart Corner

Global cybersecurity company Trend Micro takes gender balance seriously. “Whenever we build a team for a project, any council, we are aiming to have fifty-fifty [gender] balance,” says Ashley Watkins, Vice President, Trend Micro ANZ Commercial. It wasn’t always this way. “This is now normal, but it was definitely a shift we consciously made as we identified we had our own gap in diversity,” he says.

And this striving for balance extends beyond gender. “We then tend to look also for an experience balance. We try to ensure we don’t just have the eight most senior people in the room. We try to have younger people that haven’t had exposure to opportunities, because that is part of what you do for diversity: give people an opportunity to sit in and be part of decision making, to see how those things are done.”

The company’s aim for gender balance extends to its annual conference, CLOUDSEC. “It’s in its tenth year and we’ve always strived for achieving 50/50 diversity of our on-stage panellists presenting.” There is, he says, still prejudice against women in tech roles and these 50:50 male/female teams are not always viewed favourably. “The reality is, when I speak to some of the magnificent women we have in the business, they highlight very clearly it’s still a long way from being accepted in the market.

“I think it’s critically important those who have an opportunity to influence the situation take that responsibility upon themselves, because it needs everyone pulling their weight to get this change.”

A GLOBAL DIVERSITY PROGRAM
Watkins says Trend Micro Australia has been running its diversity program for the past five years, and three years ago it became a global initiative. “That’s a much tougher thing to get a whole company of 7000 employees on board, but there were many like-minded people running their own programs internally, and then it just gained momentum.”

He attributes Trend Micro’s focus on diversity in part to its long history of female leadership. “We were founded 33 years ago by a woman, and she is still our guiding light. There were not many women starting tech companies in the eighties. I think that has made diversity easier for Trend Micro, it doesn’t feel like we’re breaking down boundaries from day one, we are continuing a vision.”

DIVERSITY STARTS WITH ONBOARDING
Diversity, gender and other kinds, is about much more than number balances: it’s also individual attitudes and behaviours, and at Trend Micro this starts at day one. “The first thing we run with everyone we onboard is a program called HBDI, which is all about looking at the balance of how we use all four facets of our minds and how we apply that logic towards others,” Watkins says.

HBDI is the Herrmann Brain Dominance Instrument, a system to measure and describe thinking preferences in people. It identifies four modes of thinking: analytical, sequential, interpersonal and imaginative. It is applied using 116 questions designed to determine the individual’s degree of preference for each of these four styles of thinking. One testimonial on the website of Herrmann International says: “It really allowed our team to embrace diversity of thought and as an organisation unlock the difference in thinking.” Watkins says Trend Micro uses it “to team people up with their opposite, so they are a stronger version of themselves.”

Trend Micro also participates in a number of external organisations that aim to build gender equality. “Members of Trend Micro globally mentor for Girls in Tech,” says Watkins. It is a non-profit organisation dedicated to eliminating the gender gap in tech with more than 60,000 members in 50+ chapters around the world.

“Additionally, we have engaged in initiatives such as Females in IT and Telecommunications, and for the past three years Trend Micro Australia has been supporting a charity, Women and Girls Emergency Center (WAGEC), for mothers and children who have had to flee a dangerous environment, often in the middle of the night.”

INTERNSHIP PROGRAM COMING
Internally Trend Micro runs its Certification Program in IT Security (CPITS), which gives participants the technical and soft skills required to be successful in cybersecurity. Watkins says Trend Micro will be offering this in Australia from 2022.

“We go to areas where people haven’t had an opportunity to get into university due to cultural or background challenges, and we give them an opportunity to be part of a training program in technology and walk away with some certification in IT, cloud awareness and cybersecurity awareness.

“We tend to onboard at least one third of them, and we try and place others through our partners. We are trying to do different things to give people every opportunity to get into this industry. And we’re trying to get those who are not the obvious ones.”

The program has trained some 300 people globally over the three years it has been running, and Watkins is looking to have 10 to 20 in the first Australian intake. Anyone can apply and he wants to promote the program as widely as possible. “You’ll see a large campaign that will run in the first part of the year. I’m hoping for an overwhelming response.”
www.linkedin.com/in/ashleywatkins/
www.trendmicro.com/en_au/business.html
FINALISTS The One to Watch in IT Security
Sarah Hosey, General Manager Security and Privacy Assurance, Risk and Consulting, nbn™ Australia
Irene Giantsos, Cyber Response Analyst, NAB
Archana Puri, Information Security Assurance Manager, Harvey Norman
Anafrid Bennet, Manager, IT & Security Operations, Greater Western Water
Priyal Bhosale, Product Manager, Avertro
Jennifer Gorman, ECS Business Development & Account Manager | A/NZ, Entrust
Chloe Sevil, Senior Associate, Clyde & Co
Candice Bowditch, Security Engineer
Divya Saxena, Practice Partner Technical, DXC technology
NOMINEES
Aarati Pradhananga, Akansha Pandey, Alanah O’Neill, Alexandra Jurmann, Amanda Smith, Amie Dsouza, Ana-Gabriela Hernandez, Anafrid Bennet, Angelica Dungo, Ankita Dhakar, Ankita Saxena, Anubha Sinha, Archana Puri, Ashleigh Morgan, Bailey Dowe, Binitha Sudheer, Brearna Leopold, Bronwyn Mercer, Caitlin Mikheal, Candice Bowditch, Celia Yap, Chloe Sevil, Claire Collins, Daniela Fernandez, Divya Saxena, Ela Ozdemir, Elke Dunn, Fariha Uddin, Fiona Long, Gemi Kulangara, Georgia Turnham, Irene Giantsos, Jacqueline Spaile, Jennifer Gorman, Jessica Williams, Karen Byrne, Karen Stephens, Katie Deakin-Sharpe, Kavita Thomas, Khushboo Gupta, Kimberley Julien, Laura Davis, Lauren Koch, Li Ching Liew, Lina Lau, Louise Martinez, Mehrnaz Akbari Roumani, Nicole Douek, Olivia Van Der Wagen, Pooja Shankar, Pramiti Bhatnagar, Priyal Bhosale, Raman Gill, Rebecca Williams, Samantha Lengyel, Sandra Lee, Sandra Raub, Sarah Hosey, Sarah Wood, Sita Bhatt, Stefanie Luhrs, Susheela Gupta, Tory Lane, Zoë Hassett
FINALISTS IT Security Champion
Anu Kukar, Associate Partner Cyber Security Strategy, Risk & Compliance ANZ, IBM
Jennifer Firbank, Cyber Security Strategy & Influence Principal, Telstra
Joss Howard, Cyber Security Advisor
Bridget Mitchell, National Manager Cyber Defence, nbn™ Australia
Caitriona Forde, Security Consultant at CyberCX and Cyber Security Communication & Training Program Manager at Western Power
Duyen Tran, Manager Security Governance and Assurance, AustralianSuper
NOMINEES
Amit Avraham, Amritha Shetty, Ana cecuk, Angelica Dungo, Anu Kukar, Anubha Sinha, Barbara Cook, Caitriona Forde, Caroline Cui, Duyen Tran, Fereshteh Zamani, Fiona Brynes, Gergana (Kiryakova) Winzer, Hannah O’Neil, Ivana Kvesic, Jennifer Firbank, Jessica Adams, Joss Howard, Karissa Breen, Kay Mesina, Louise Hanna, Maryam Bayat, Nikki Mehta, Rashmi Rani, Sam Fariborz, Sarah Iannantuono, Shelly Mills, Tanvi Bali
Save the date
The Australian Women in Security Awards are back for 2021. Join us in-person or via live stream to celebrate our community of Women in Security.
December 8th 5:30-10:30pm