Women In Security Magazine 06


JANUARY • FEBRUARY

Choose to Challenge

WWW.WOMENINSECURITYMAGAZINE.COM


FROM THE PUBLISHER

I choose to challenge... because you can definitely do better

Abigail Swabey

Welcome to the final issue for the year – the one that will lead us into 2022, a year where I think we are all hoping to see more than a little bit of change.

After two years of unprecedented challenges and constant disruption, it’s going to be a year when we all take stock of how far we’ve come, and what we need to do next to reach our goals.

Personally, I’ll be watching progress in five key areas where I choose to challenge you to do better in making progress towards gender equality, diversity, and inclusion.

These include:

HR DEPARTMENTS AND RECRUITERS

Despite constant claims about cybersecurity skills gaps, companies continue to push out job advertisements filled with laundry lists of esoteric skills that few candidates possess – convincing them of their inadequacy before they even get a chance to plead their case.

Many potential candidates, women in particular but also those from neurodiverse, gender diverse and other backgrounds, report being intimidated by conventional recruitment processes.

Companies need to think more about how they are engaging with potential job-seekers, what processes they use to determine the skills a job requires, and how they evaluate the people that could actually do the job.

Here’s a checklist that you can use when arguing for change within your HR organisation:

• Up-skill line leaders to remove bias and focus on core competencies in job design
• Write job ads to be gender-inclusive and welcoming to all
• Design your job ads with role flexibility as the starting point which enables flexible working
• Broaden the focus on technical skills, as most roles require this
• Focus on the desired impact/outcome of the role, not just the skills and experience that you think are needed.
• Engage individual hiring managers to help them understand that pure technical experience shouldn’t be the only screen for possible candidates
• Consider requesting gender-blind applications
• Develop and execute a segmented employment brand aimed at target populations (such as women and other diverse groups)
• Identify key female talent within your organisation and encourage them to apply (including any employees on parental leave)
• Resist ‘referral cultures’ that might unconsciously result in homogenous teams. Where employees are encouraged to make referrals, ensure there is rigour in the process
• Invite potential recruits into your workplace so they can experience the working environment, meet future colleagues, and discuss any questions or concerns about an advertised role
• Consider interview panel composition for diversity and gender-balance, section or departmental diversity and/or external perspective
• Train interviewers to uncover nontechnical merit objectively instead of relying on gut instinct or ‘fit’
• Review pay offerings to eliminate like-for-like gender pay gaps in the salary offered to the candidate

We need to start addressing the bias itself at its roots so that people actually make the right decision in the first instance.

Choose to challenge yourself. Try to understand where biases come from and how they affect your hiring decisions, so you can help your business take that next step towards discarding unconscious bias.

CHAMPIONS WHO AREN’T REALLY CHAMPIONING

There are real champions for women in security and a more diverse workplace – and then there are the individuals and companies that like to talk about how they champion diversity and inclusion, but actually do relatively little about it.

Stop posting diversity memes on your socials and start considering how you can be a champion for women, and other marginalised groups, every day. How many individuals have you really helped get to the stage that have been recruited into a role they wanted, and offered guidance; supported; elevated; advocated for; given a job to? This isn’t about you, or what people think of you. I challenge you to walk the walk as well as talking the talk.

If diversity truly matters to you, here is a checklist of things you can do to help:

• Listen.
• Attend a bias training to educate yourself on the systemic inequalities that exist so that you are better equipped to help
• Make sure women’s ideas are heard.
• Celebrate women’s accomplishments by maximising their visibility
• Follow diverse voices
• Encourage more women to go for it, be it change of roles, further upskilling, a job they wouldn’t usually go for, or moving into security.
• Give direct feedback
• Mentor women
• Choose individuals to help grow, enable, and develop within our industry
• Help educate these individuals on where the gaps are and what they need to do to improve
• Sponsorship can open doors like nothing else. Having someone to back you and put themselves out there for you can create opportunities that wouldn’t come about otherwise. Sponsors should also help the individuals navigate the system, teach them how to read a room, and create connections and opportunities for them.

Awareness is great, but it’s not going to get us across the finish line. As Alan Armstrong put it:

“Champions do not become champions when they win the event, but in the hours, weeks, months and years they spend preparing for it. The victorious performance itself is merely the demonstration of their championship character.”


EVERYONE TO CALL OUT INAPPROPRIATE BEHAVIOUR

Toxic behaviour is everywhere, but women shouldn’t have to put up with it when at work trying to be their best selves. So stop standing on the sidelines, and start intervening when you see toxic behaviour.

All organisations are made up of human beings, and sometimes they behave in less than acceptable ways. Do you really want to keep looking the other way?

Think about the last time you saw behaviour that made you uncomfortable. What did you do?

Did you call out the offender on the spot? Did you talk about it after the incident with your friends? Did you report it to a manager? Go to HR?

It’s one thing to understand that toxic behaviour in the workplace is wrong – but something else entirely to fix it.

Here are a few things to remember:

• Leadership isn’t about titles, but more about actions and activities. By speaking up, you are setting a new standard and redefining what leadership is in your workplace. Call it when you see it
• Your co-workers are looking for role models, and once the role models appear, the followers get onboard. Once that happens, we have a movement – and it will quickly become ‘the way we do things around here’
• Those who bully and harass are experts at keeping their behaviour out of the limelight, they must have a spotlight shone right on them when you see it happen and call them out for what they are
• If your company does nothing about those bullies and harassers, we will start industry registers across associations worldwide to get them involved and speak up when you can’t.

Don’t rely on others to fix the problem. Truly courageous individuals call out behaviour from a place of kindness, encouraging bullies to appreciate the impact their choice of behaviour has on you and on others. If you have those conversations out in the open, everyone can deal with the behaviour and move on, openly and constructively.

SENIOR LEADERS TO ELEVATE AND MENTOR

It’s hard to overstate how important mentorship can be to women – or to any employee, for that matter – in helping them establish their careers and even their sense of themselves. The approval and support of senior staff is easy to provide and can make all the difference – so why aren’t you getting your mentor hat on?

This year, I had the opportunity to mentor an individual outside of my organisation. Sometimes it was fun and sometimes scary. I didn’t think I was ready – but I did it. I learned a lot about my mentee and myself, and I ended up with a new friendship and new insights into ways I can evolve and help my community more.

Being a mentor is being a trusted advisor. It means making yourself available to support and advise someone when they need it, delivering that support in a way that makes sense to them, and always keeping that person’s best interests in mind.

It’s a long-term commitment where you will come to know and understand your mentee’s personality, learning style, and goals – which will help you offer richer, more relevant advice over time.

Here are a few tips for being an effective mentor:

• Approach each mentorship differently, everyone is unique. It’s important to take the time to think about what kind of commitment you want to make.
• Set expectations in the beginning.
• Take a genuine interest in your mentee as a person
• Know when to wait before giving advice
• Don’t assume - ask
• Be forthcoming about your own career mistakes as that helps build trust, gives them permission to share their own mistakes, and strengthens the relationship
• Celebrate their achievements
• Seek out classes or projects related to skills your mentee wants to develop - to look for situations - create situations - where mentees can get involved to learn some of the skills they’ve been hoping to learn.
• Give them long-term guidance
• Lead by example

Stop trying to manage and motivate employees with group emails and cute pictures of cats. Roll up your sleeves and lead from the front, so your employees know you are fighting for them every day, and you’ll be amazed at what you can accomplish together.

COMPANIES TO TAKE A CHANCE

With the borders effectively closed for most of the past two years, Australian companies have had to get creative about the way we hire people. We need to keep the businesses going, right?

Maybe, just maybe that person who shows great promise, initiative, and potential will still be a valuable employee even if they don’t have a laundry list of technical certifications that would let them hit the ground running.

Yet many companies are still falling back on the old recruitment practices – posting long, complex job ads with demands for years of experience and capabilities that very few people have, here or overseas.

HR departments are overriding well-meaning managers that have simplified their job descriptions, complicating things needlessly. They’re automating themselves into a corner by adopting AI to screen resumes, disqualifying people before they even get a chance to argue their case.

Holding out for the perfect candidate is a fool’s game these days. As Darryl Kerrigan would say: tell ‘em they’re dreaming!

Companies need to learn to manage the risks of new hires rather than trying so hard to eliminate them that they get caught in decision paralysis.

And don’t get me started about companies that are looking past qualified visa holders just because they aren’t citizens. It doesn’t mean they are automatically going to run and take your training and development dollars with them.

Is that really what is happening? Attrition can happen with any candidate, so either way it’s a risk. But maybe they will surprise you.

I practise what I preach and have hired a full time event and marketing specialist on a visa, as she was the best person for the job. She knew my business inside out, is exceptionally hard working and is a very valuable asset to my company.

Treat your employees right and they will become valued members of your business, no matter what boxes they tick or don’t tick. I’m a small business that managed to see past that bias – so why can’t you?

Abigail Swabey
PUBLISHER, Owner & CEO of Source2Create
www.linkedin.com/in/abigail-swabey-95145312/
aby@source2create.com.au

CONTENTS

JANUARY • FEBRUARY 2022

PUBLISHER’S LETTER

REMEMBERING KYLE MAHER: A LIFE LIVED WELL AND TO THE FULL, BUT ALAS TOO SHORT

I CHALLENGE… HR DEPARTMENTS AND RECRUITERS

I CHOOSE TO CHALLENGE… COMPANIES TO EXPAND YOUR THINKING

FEATURE
• I choose to challenge… Everyone to speak up
• I choose to challenge... Mentors to step up
• I choose to challenge... Champions who aren’t really championing

COLUMN
• New year — old cybercrime
• Tracking apps for tweens’/teens’ devices
• Financial services to cyber…. A journey has begun
• Every CISO’s nightmare

WHAT’S HER JOURNEY?
• Nivedita (Nivi) Newar
• Amy Hewson
• Dr Alana Maurushat
• Emily Hunt
• Emily Baker
• Bridget Mitchell
• Wendy Thomas
• Anita Siassios
• Rebecca Moonen
• Kelly Peck

CAREER PERSPECTIVES
• Top 10 recruitment challenges to tackle in 2022
• Diversity and inclusion
• #IChooseToChallengeThere is
• Five ways to ensure your recruitment process is gender neutral
• How to win in the war for talent
• Take a chance to find out the most suitable new talent
• Not One Path to Enter Cybersecurity

INDUSTRY PERSPECTIVES
• Why do I feel like a fraud? Imposter syndrome and cybersecurity — why they go hand in hand
• Inspiring Girls
• Data centric storytelling for cyber security
• Friends, colleagues, red and blue teams, lend them your ears!
• UNIQ You’s mission: get more girls entering male-dominated industries
• Build interest and they will come
• How to join and contribute to the cyber space from a non-traditional cyber background
• Cozmos: choosing to challenge a platform built with diversity and inclusion in mind
• Cyber resilience is not a trend but a necessity
• Understanding the Dynamics of the Security Organization
• The search of the criminology in private sector in spain
• Top 5 trends and predictions for Australian boards and company directors managing cybersecurity risk in 2022
• Choosing to challenge

TECHNOLOGY PERSPECTIVES
• Cyber security governance, risk and compliance and The Art of War
• The link between corporate governance and effective security governance
• Do Your Part. #BeCyberSmart.

STUDENT IN SECURITY SPOTLIGHT
• Ritu Dahiya
• Davinia Szetu
• Yonitha Thava

TURN IT UP

SURFING THE NET

OFF THE SHELF

FOUNDER & EDITOR
Abigail Swabey

ADVERTISING
Abigail Swabey
Charlie-Mae Baker
Vasudha Arora

JOURNALISTS
David Braue
Stuart Corner

SUB-EDITOR
Stuart Corner

DESIGNER
Jihee Park

Women in Security Magazine is published by Source2Create

Source2Create Pty Ltd is the publisher of this magazine and its website (www.womeninsecuritymagazine.com). AWSN is the official partner of Women in Security Magazine

©Copyright 2021 Source2Create. All rights reserved. Reproduction in whole or part in any form or medium without express written permission of Source2Create is prohibited.



Connecting - Supporting - Inspiring AS A FORMAL MEMBER, YOUR CONTRIBUTION ENABLES US TO BUILD AND SUSTAIN A STRONGER FUTURE FOR OUR INDUSTRY

With an affordable annual fee, AWSN members will have access to discounts on programs and industry events, the membership Slack space, post or share job opportunities, and receive our monthly and any special edition newsletters.

Memberships are now a 12-month cycle. Corporate packages available. Learn more at www.awsn.org.au/members/join/


Thank you to all our amazing sponsors for their generosity and for helping us to CONNECT, SUPPORT and INSPIRE our members https://www.awsn.org.au/support-us/sponsors/


TRIBUTE

REMEMBERING KYLE MAHER: A LIFE LIVED WELL AND TO THE FULL, BUT ALAS TOO SHORT

by Amanda Turner and Cody Byrnes

Cybercrime is evolving as fast as new technology emerges, and it takes concerted effort from committed and highly-skilled people to keep our communities, nations and world cyber safe. The cybersecurity industry is in desperate need of passionate people who are driven to keep learning, to keep supporting others, and to keep being warriors for the good. We had the privilege of knowing just such a person, and the honour of calling him our friend and brother. We have vowed to ensure he is never forgotten and his legacy lives on.

Kyle Maher (1989-2021) was a man of many achievements: scholar, Australian Defence Force member, motorcycle champion, mentor, highly skilled cybersecurity professional, animal lover, family man, friend.

Kyle was champion of all and to all. He was inclusive, kind, loving, passionate about helping his community, new motorcyclists, his colleagues, his family and his friends, in any way he could, and committed to protecting businesses from cybercrime. With many eclectic pursuits, he put his whole self into everything he did. He was tireless and driven to succeed, and to help others be their best.

Kyle always had a cheeky grin, was always ready for some fun, and truly believed in his family and friends. If you were his friend, you had the most loyal, loving, kind, highly intelligent and mischievous person at your side.

Listing Kyle’s achievements would take an entire page, but still fail to quantify the impact he had on people. A simple example of this is how Kyle knew Mandy loved cinnamon buns, and if she was tied up in a meeting, he would take photos of them at a cafe and send a photo saying he had eaten them all. He would then arrive with a coffee and a bun for Mandy as she returned from her meeting.

Keen to help students and his friends, Kyle would happily help Mandy when she was lecturing university students in criminology. She remembers with much amusement the time he popped his head around the door to greet her students, sidled up to her, gave her a quick hug, and whispered that the scene reminded him of a ‘Harry Potter’ class. As he backed out of the room laughing he asked if she was going to teach spells as well as cyber criminology. Then he closed the door with a huge grin on his face, suggesting she could open a cybersecurity wizarding school and he would be in charge of the ‘sorting hats’.

To meet his commitment to helping his community, Kyle had started a secure development company called BEST-Dev, aimed at helping small businesses secure IT in a way that would otherwise be out of their price range. Combined with Mandy’s Demystify Cyber project, Kyle’s company contributed to combating cybercrime against everyday people. Kyle showed Cody his method of protecting these companies, and on Tuesday 2 November 2021, Kyle and Cody agreed to start another company, BEST-Sec, to help better protect everyday people against cybercrime.

Kyle unexpectedly left us on that Friday.

Losing him is tragic. He was a much-loved brother to us, and we feel the loss every day, but we don’t want this to be sad. We want this to be a positive reflection on a life well-lived, and we want to highlight how he spent so much of his time helping other people. We want to inspire others to be the best they can be and to do what they can to make the world a kinder, safer and more cyber-secure place.

Kyle has left a huge void in the world that we all need to step up and fill. Let’s be kinder, more supportive people, and let’s ensure we all do our bit as cybersecurity warriors. Help each other, protect each other, and stand up for what is right, not what is easy – just as Kyle did.

Light up the darkness.


FEATURE

I CHALLENGE… HR DEPARTMENTS AND RECRUITERS

by David Braue

How can we improve diversity if recruitment never changes?

Google ‘HR DEI initiatives’ and you’ll find millions of web pages purporting to help you integrate diversity, equity, and inclusion (DEI) initiatives into your human resources processes.

Yet while the answers may be there waiting for you, the fact that you’re still having to look it up begs yet another question.

After more than a decade of open discussion about the importance of gender equality, why are you still having to figure out how to make your HR department more diverse?

Shouldn’t this issue have been resolved years ago?

Turns out that there’s a long way between knowing DEI is important and actually changing the world – and HR departments are struggling to bridge that gap, even though they know they should.

Consider the Commonwealth Bank of Australia, which has been in hiring overdrive over the past 18 months to support its pandemic-era digitisation – quadrupling its hiring to the point where it has been recruiting around 100 software, analytics and other engineers per month.

Some 53 percent of these were existing employees who were reskilled through an 8 to 12-week program, with group executive for human resources Sian Lewis recently relating the company’s efforts “to encourage, particularly, women and girls to look at STEM and become excited about joining that line of education where the opportunities are great.”

“We’re building our own in a way that perhaps we haven’t traditionally done as well,” she told Gartner VP research and advisory Aaron McEwan during the firm’s recent IT Symposium.

“We’re inching our way along” with programs for indigenous trainees and other underrepresented groups, Lewis said.

“We’re exploring different thinking styles that could be applied to technical areas, and there’s a lot of thinking that the HR professional needs to do about job design, so that we can actually take advantage of different skills and find ways where they can contribute.”

WHERE ARE THE SKILLS GAPS?

If one of Australia’s largest companies is still trying to figure out how to be more inclusive, what hope is there for the rest of us?

Not as much as you’d like to believe, if the results of a recent Gartner TalentNeuron survey of HR leaders are any indication. While 60 percent of respondents said their number-one priority in 2022 will be building critical skills and competencies, fully 47 percent admitted they don’t even know what skills their employees are lacking.

That’s not exactly reassuring news from HR professionals who are, more often than not, still in charge of managing recruitment for what – in cybersecurity, analytics, AI and many other critical areas – are often technical positions where an appreciation of relevant skills is more than just a nice-to-have.

Indeed, where cybersecurity operations have already well recognised the growing need for a gender diverse, ethnically diverse, neurodiverse workforce to match the equally diverse skills of the cybercriminal gangs targeting them, many are finding themselves stymied by HR departments that continue to manage recruitment using the same old time-honoured gatekeeping techniques as they have for many years.

“Organisations have often been guilty of looking in the wrong place for the wrong people with the wrong skills,” said Gartner research director David Gregory, “and all of our data suggests that this is a trend that will continue.”

“There are underlying problems that are holding organisations back from getting the right people,” he continued. “We rely on the same recruitment process, even though it is never guaranteed that we end up with the right candidate. And it’s fair to say that success rates have sometimes been patchy at best.”

Recruitment consultants report getting position descriptions and vacancy notices from companies asking for too many skills, the wrong skills, too much experience – and describing roles using gendered language that can turn off potential applicants before they’ve even submitted their CVs.

Many times, technologists are trying to override the HR hegemony by rewriting job descriptions in a more accessible way: who better to know what the job entails, after all, than the people that perform it?

Yet even where well-intentioned colleagues step in to improve the recruitment process, many times the HR departments override the changes – leaving change-minded departments struggling to attract qualified women and DEI-minded HR departments struggling to meet their self-imposed goals.

POWER TO THE PEOPLE

Cybersecurity remains a sellers’ market – and in a market where Australians are increasingly prioritising jobs that pay well and give them purpose, companies need to implement a culture attractive enough to win over staff looking for a place where they will feel valued.

“For attracting females or certain skill sets, companies are going to have to pay more and make it worthwhile,” said Ricki Burke, director and founder of recruitment firm Cybersec People, noting that new hires are generally looking for salary increases of around 20 percent when switching jobs.

Despite their inability to paint the right image to attract female candidates, many companies do tell Burke that they do want women in the roles if possible.

“We have conversations where companies say ‘we are looking for this person, and if they just happen to be female, that would be perfect’,” he told a recent AISA Cyber Conference 2021 panel. “That happens six or seven times out of 10 – so there is a real and genuine demand for attracting women into the industry.”

Yet just being eager to hire women is only the beginning, with applicants getting tired of fighting entrenched, biased legacy recruitment systems – and ready to go elsewhere if they smell a rat.

In one recent survey, fully half of the job candidates said they would discontinue their application if they felt they had been biased against while interacting with hiring managers.

PAVED WITH GOOD INTENTIONS

Many companies do want to do away with entrenched institutional bias, Gartner TalentNeuron found, although just 35 percent of survey respondents – one in three – said that DEI would be a top priority for their HR organisations in 2022.

Worse still: with 48 percent focusing on organisational design and change management, 45 percent set to focus on the leadership bench and 42 percent focused on the future of work, many HR leaders seem content to focus on these issues without also factoring DEI into their plans.

This could become problematic in the near future given “rising pressure to make progress on DEI,” Mark Whittle, vice president of advisory within Gartner’s HR practice, warned that “HR leaders need to determine which future of work trends have altered, and will alter, their organization’s strategic plans and what immediate and longer-term workforce adjustments are required as a result.”

For many valuable potential employees, DEI programs are becoming a key recruitment tool and their effectiveness will factor into decision-making about which company is worth working for. Fully 90 percent of employees expect employers to engage externally in DEI initiatives, McKinsey & Company recently reported – yet while 40 percent of companies reported increasing their investment in DEI initiatives, 86 percent reported challenges executing those strategies.

However explicitly your company has stated its desire to improve DEI during 2022, resolving many of those challenges will be crucial to ensure that you remain competitive in a labour market that is increasingly intolerant of inertia in HR.

And because HR’s primacy in recruitment effectively makes it the custodian of company culture, efforts to fix lingering DEI obstructions should start there and rapidly expand across the company.

The key is to try – and keep trying until you succeed, one way or another.

“Now more than any other time, there is no right answer,” said CBA’s Lewis. “There are just judgement calls to be made, lessons to be learned and tacks to be changed if you find that you’ve gone off in the wrong direction.”


COLUMN

New year — old cybercrime

AMANDA-JANE TURNER
Author of the Demystifying Cybercrime series and Women in Tech books
Conference Speaker and Cybercrime specialist

Cybercrime is big business, thanks to technical advancement and interconnectivity creating more opportunities for cybercriminals. This regular column will explore various aspects of cybercrime in an easy to understand manner, to help everyone become more cyber safe.

A new year brings an old cybercrime campaign with the classic phishing scam. Criminals often look for a quick win, and nothing says quick win quite as much as a massive phishing campaign. So, while a new year may see new resolutions, criminals may decide to keep going with some old scams they know will be successful.

Phishing scams are becoming increasingly convincing, and the old tips of looking for incorrect spelling and bad grammar may not apply in all cases. Phishing emails these days tend to be well-crafted and very convincing, often imitating official business messages right down to using the relevant logos and including warnings to ‘beware of scam emails’. Phishing attempts can trick even the most cyber savvy among us, particularly if the email looks like one you are expecting, and you receive it on a bad day!

Make a resolution to be vigilant with emails

• Check the sender’s email address, not just the sender’s name
• Don’t share sensitive information
• Don’t fall for URGENCY
• Hover, but don’t click. Hover over URLs. If the hovered text does not match the display text, or if it seems strange, DO NOT click on it.
• Attachments can be dangerous. If the file asks you to enable macros to view it, don’t.
• Is it too good to be true? Prizes and money may be used as bait. Remember you can’t win a prize for a competition you did not enter.
• Keep your devices up to date. Keep your OS and software patched, maintain your antivirus, and regularly check for updates.
• Regularly check your accounts. Check your financial accounts and other online accounts regularly to ensure that changes have not been made without your knowledge.
• When in doubt, don’t! If you are unsure about a message, don’t open or respond to it, and don’t click on any attachment.

If you have been impacted by cybercrime in Australia, you can report this via http://www.cyber.gov.au/acsc/report. In other countries, report it to your local police or through the relevant cybercrime reporting mechanism.

Phishing scams are big business – stay safe.

This cybercrime column is dedicated to the memory of Kyle Maher (1989-2021).

www.demystifycyber.com.au/




WHAT’S HER JOURNEY?


Nivedita (Nivi) Newar
Head of Cyber Security Strategy & Governance at UNSW

Being recognised as a high potential employee after joining Vodafone as a Security Specialist reporting to the CISO was pivotal to the progress of Nivi’s career in cybersecurity.

As a result of this recognition, management worked to fast-track her career progression. “I was mentored by the CIO in 2018 and 2019. Within a year of joining Vodafone, I was promoted to the Enterprise Security Architect position,” she recalls. “The remit of the role later expanded to Technology Security Strategy and Architecture Lead (manager) with people management responsibilities.”

After four years with Vodafone, Nivi joined UNSW as an Enterprise Security Architect (cyber security manager) at a time when the education industry was being hit hard by nation-state cyber threats, and by COVID-19.

RAPID PROMOTION TO LEADERSHIP

In adversity, she saw opportunity – an opportunity to make a positive difference when staff were leaving to join the banks, telcos and other IT businesses flourishing because of the pandemic. Within five months of joining UNSW, she was offered the acting Head of Cyber Security Strategy and Governance position. “It is a very attractive role and has a broad set of responsibilities including cybersecurity strategy, governance, risk, compliance management, controls assurance, security awareness and enterprise security architecture,” she says.

For anyone aspiring to a similar role, she has some advice. “You need to gain broad exposure and work experience in governance (policy, advisory, assessments), risk management and architecture. Ideally, you will need to be either a governance and risk manager or an enterprise security architect with people management experience to be able to naturally progress into a role like mine.”

However, out of all these skills, it was her people skills that faced the biggest challenge: “influencing the right people to join the team.”

In the face of elevated threat levels, she says “Management Boards are demanding that the timeframe to deliver security programs be cut in half: from three to five years down to two or less.”

CHANGING SKILL REQUIREMENTS

“This change is driving the demand for Australian permanent residents and citizens with niche cybersecurity qualifications, specific subject matter expertise and ample experience in delivering security solutions within the specific industry.”

And in addition to this requirement for ‘program’ team members, there are the same demands from ‘business as usual’ teams. “The program team needs direction from the senior members of the business-as-usual teams that will eventually own the service/product after operational handover from the program team,” she explains. “Therefore, there is need for the same set of hiring criteria for the senior BAU roles for the program to be delivered at the required pace.”


Nivi’s current appointment represented the fulfilment of an ambition born when studying for an MBA in IT specialising in networking and IT infrastructure and being introduced to cybersecurity during these studies.

“I wanted to pursue a career in cyber, to solve the many problems/challenges in an industry faced with complexity, gender imbalance at senior management level, the rapid evolution of the threat landscape, and skills shortage,” she explains.

AUSTRALIAN RESIDENCY, AND MICROSOFT

She studied for her MBA in her native India and after graduation moved to Dubai to take on an engineering role in the satellite communications industry. In 2015 she was granted permanent Australian residency and joined Microsoft Australia as a Network, Infrastructure and Security specialist.

She has nothing but praise for her current boss at UNSW, the CISO, describing him as “a rare mix of incredibly experienced in his craft as a CISO, extremely talented, level-headed, calm, composed, competent, and the most-humble leader I have met in my limited experience.”

“He has showcased immense faith in my abilities, admired me, recognised my talent, proactively sent out recommendations, rewarded me, uplifted me, given me authority, charge, exposure, visibility, treated me as an equal, and without asking has provided me with opportunities he believes I deserve. I count myself very blessed. I continue to learn from him every day.”

And it seems Nivi is not alone in her assessment. “His leadership is such, when he joined UNSW, 11 staff from his previous organisation followed him within a span of two to three months.”

CHOOSE YOUR BOSS CAREFULLY

In the light of this, it is perhaps not surprising her number one piece of advice for aspiring cybersecurity professionals — not always easy to follow — is to find the right manager to work for. “You must choose a very accomplished, self-confident and genuine leader. Because only the person that has no insecurities and is truly confident of his/her own abilities, will happily promote you. When applying for a role, request informal catchup with the hiring manager to have a free-flowing discussion.”

And she has plenty more advice for aspiring cybersecurity professionals.

First research about the full scope of cybersecurity careers on https://cybersecurityguide.org/careers/. Identify those that interest you.

Reach out to experienced professionals in that specific area via LinkedIn to walk you through what the day-to-day job in those roles looks like.

Based on what stream you want to pursue, find a mentor that can not only guide you but also showcase the relevant processes and technology.

You must also seek opportunities to undertake internships or secondment to get a sense of whether you are passionate about that specific role within cyber security.

“Once you are working with the cybersecurity team, you need to treat this like a once in a lifetime opportunity and do your best to explore every area of cybersecurity by requesting process and tool walkthroughs, so you can visualise it,” she says.

“You will be surprised how willing team members are to educate and guide you in the right direction.



So never hesitate to ask. What’s the worst that can happen? Out of 10, two will be unwilling, two will dodge you, but six will give you their time. Remember, if you take initiative, you always win.”

NEVER SAY ‘NO’

“One rare advice that I would like to give you is never saying no to a new task, take initiative, say ‘yes’ when given an opportunity to demonstrate your abilities to an audience you have never been exposed to, go in prepared, deliver and repeat.”

“Take the opportunity to strike a meaningful conversation with your cybersecurity senior leaders from time to time when you cross paths around the office kitchen area, printer areas, lifts etc. First find out about what’s top of their minds, what keeps them up at night.”

“Perform a SWOT analysis or request a cyber team member to walk you through the latest capability maturity assessment to understand the gaps. This is the time to seek advice from your mentors on what is relevant to the senior leaders in the bigger scheme of things.”

“At the next few encounters with the senior leader, share your knowledge of the gaps in terms of risk and trigger a discussion about what leadership team plans to do to buy down the risk. Subtly express your interest in permanently joining the team. Request for a meeting with the leader that has the decision making and hiring authority and go in with a proposed plan on what problems you would like to solve and how you would like to contribute.”

CREATE THE ROLE YOU ENVISAGE

An overarching strategy, she advises, is that each individual should aim to create the role they want. “I have always believed in creating my next role. A manager always desires and relies most on staff that are proactive, responsive, aligned to the vision of the company and the team, do not have to be directed each time, can take ownership and run the show, because that relieves the manager of things he or she would otherwise have to deal with. If you want to build your career around a specific role and you have these qualities, it will not be hard to create that role.”

And another valuable lesson is not to allow anyone or anything to limit your progress.

“I spent four years in a previous role, waiting in vain for company-sponsored cyber training and certification. It limited my marketability. One day, I decided to stop waiting and take charge.”

EDUCATION OVERLOAD, PLUS PARENTING

“I was determined to take this situation as a challenge and undertake all career-relevant training in one go. With a six-month-old baby in my arms, I completed five of the most challenging industry certifications in five months: CISSP, CISM, SABSA, AWS Cloud and CCSK. It’s hard to fathom how I managed this, but I hope it inspires others: if you have the will, you have a way.”

She wants to gain more knowledge in DevSecOps Automation, Implementation of Zero Trust and SASE architectures, nation state-sponsored cyber warfare, threat intelligence, cyber-attacks using personal mobile devices and 5G powered IoT.

She believes, “AI in combination with machine learning has brought tremendous changes in cybersecurity particularly to security orchestration, automation and response (SOAR) capabilities. But more importantly, it is being used to develop smart malware and attacks to bypass the latest security protocols in controlling data. I intend to gain more exposure to this technology.”


www.linkedin.com/in/nivedita-newar/



Amy Hewson
CEO, Mitchell Personnel Solutions

Imagine this. You are one of only 22 businesses providing a highly specialised service for which there is only one customer, the Federal Government. Then, one day that customer decides it is going to give 16 of you the flick, and award future contracts to six only.

That, says Amy Hewson, CEO of Mitchell Personnel Services (MPS), was the scariest moment of her career. The high point? Being one of the six chosen.

MPS provides security vetting services for the Federal Government through the Department of Defence. “Our core activity is to assess an individual’s suitability to access nationally classified and sensitive information and make a recommendation to either grant or deny a security clearance,” Hewson explains.

“Through extensive background checks, interviews and fact gathering, we mitigate risks to ensure an individual is suitable, beyond a reasonable doubt, to access and protect nationally sensitive information.”

When the Government decided to cull its providers of these services, Hewson says there were only three possible outcomes for MPS: win the next tender, sub-contract to one of their competitors, or go out of business.

“We researched, worked hard and refined our tender so that it would stand out amongst our competitors. We tenaciously held on to the belief that we had the skills, experience and integrity to be the leading company in the Australian security vetting industry. And it all paid off because we won the contract.”

A FAMILY BUSINESS

MPS was founded by Hewson’s mother, Tracey Mitchell, and her business partner, Karen Bradley, in 2006. Being founded by women and run by women did not give the fledgling company a good start in the male-dominated security industry. “Initially we were not taken all that seriously. However, we had a desire to succeed,” Hewson recalls. “We knew our strengths lay in our experience, expertise and willingness to seek professional advice to ensure the stability of the business. We also knew we had found a gap in a niche market that was big enough to ensure our growth.”

She became CEO in 2011 after joining the company in 2007 in the newly-created role of security vetting officer trainer. Prior to that, she worked in a training position in the Public Service.

“As one of the first outsourced companies to provide security vetting, MPS decided to introduce mandatory vetting officer training,” Hewson says. “By doing so, we knew it would give the protective security industry a level of respect and provide confidence for our client, the Federal Government, in the work we were undertaking. This training was later adopted by the whole industry.”

STAFF SUPPORT PARAMOUNT

In MPS, Hewson says she has created a respectful environment where flexibility, family focus and support offered to staff are paramount, and key to its success.

“I always wanted the respect we showed our staff in the level of support we offered (and still offer) to create a stronger, adept and enthusiastic workforce who understand the importance of what we do and never lose passion for the daily work we all

WOMEN IN SECURITY MAGAZINE

23


undertake. I believe that is what makes MPS and myself stand out as a company.”

She also acknowledges her debt to her mother and MPS’ other cofounder. “I had the privilege to learn from them the values of the business, of leadership, and above all the importance of evolving and championing change.

“I have been imbued with firm ethics, socially conscious cultural beliefs and the importance of empowering our staff to continuously improve. They gave me a chance to expand my interest. They empowered me to find my own leadership style, and they trusted me with their company and their staff.”

What they could not give her was something she sees as a great asset to the business: their partnership. “They grew and developed the company as a partnership, and it was nice to see that interaction and the benefits the two minds had by constantly bouncing off each other. I have had a similar opportunity and use both of them to bounce off, as well as others in my team, but it’s not quite the same. I would have liked to have had a ‘buddy CEO’ to grow with, laugh with and share the good and bad times that are inherent in the roller coaster ride of running a business.”

RIDING THE BUSINESS ROLLERCOASTER

Many of those ups and downs would be familiar to any CEO. “What is the current demand? What about future demand? How will that impact our industry and employees? How will I measure it effectively? How can I lead and communicate the change to ensure it is smooth and effective? What new incentives can I provide to ensure ongoing staff retention? These are some of the daily challenges I embrace.”

However, when your business and its competitors serve a single customer, those questions become particularly challenging.

“My fear is based around having so many staff reliant on us to provide a sustainable opportunity for them and this is part of why I spend a lot of time with the board and team members and strategizing on projections, trends and capacity versus capability, to ensure I meet the magic sustainable number,” Hewson says.

“It is challenging because I know my decisions have an impact on the industry, our one client, the Federal Government, the success of MPS as a security vetting provider and of course, our most valued asset, our employees. I am a strong believer in the importance of security vetting and its place as a frontline defence against threats to the security of both the Nation and the Australian Government. This belief is evident in every business decision I make.”

DEFINING PROTECTIVE SECURITY

The services MPS provides fall within the, very broad and ill-defined, category of ‘protective security’. Hewson defines protective security as “the totality of all aspects of security protection for your business


assets/products, and ensuring operational plans are constantly imagined, managed and reassessed. It is having your assets identified, identifying your weaknesses/risks and having measures set in place to mitigate and where possible eliminate those risks.”

She also likes the US Dept of Defense definition: “the organised system of defensive measures instituted and maintained at all levels within an organisation with the aim of achieving and maintaining security,” saying this highlights individuals’ responsibilities.

“This definition allows the general population to see not only the importance of having security measures in place, but also that all people, at each ‘point’ of the protective measure, are responsible for the singular outcome, which is the protection of Information and Infrastructure.”

Hewson notes, in October 2018, the Attorney-General issued a new Protective Security Policy Framework. She describes it as “a principles-based framework designed to support a progressive protective security culture that understands and manages risk, leading to robust security outcomes. There are structured policies and guidelines which dictate our requirements to hold information at a variety of protective levels.”

However, Hewson says there would be benefits in having a more widely accepted definition of protective security, in particular to the Five Eyes partnership and the new AUKUS alliance. “If we are working together towards a common goal, it makes sense to ensure our definition of protective security is one and the same. This would lead to the greater promotion of best practices in protective security.”

A REMARKABLE CAREER

Hewson has had a remarkable career: catapulted from the trainer — not usually a ‘preparation for leadership’ role — to CEO, then fighting off multiple competitors when their common and only customer reduced supplier numbers significantly.

Her advice for other aspiring leaders matches that of many leaders who have shared their stories with Australian Women in Security Magazine: your team, and how you treat them are the keys to your success.

“Surround yourself with experts in their own fields and never be afraid to draw on the team. I believe the strength of a leader is based on the strength of the team. Remember who stood before you and with you to get you to where you wanted to be.”

www.linkedin.com/in/mpsrecruitment/

www.mpsolutions.com.au/



Dr Alana Maurushat
Professor of Cybersecurity and Behaviour at Western Sydney University

Dr Alana Maurushat is Professor of Cybersecurity and Behaviour at Western Sydney University where she holds a joint position in the School of Computer Science & Mathematics.

She is researching security activation, payment diversion fraud and ransomware, cryptocurrency tracing, cyber incident response optimization and ethical hacking.

Perhaps not surprisingly she says her biggest challenge is a lack of time. “There is a paucity of senior cybersecurity people, who are spread very thin to train the next generation. We have a sufficient supply of junior talent, an insufficient supply of middle talent and an absolute scarcity of senior talent. This curve will change over time as junior talent acquires more training, and middle people to senior talent roles.”

CAREER HIGH POINT

Despite her many and varied research interests she says her most meaningful research and the high point of her career is something that seems more mundane but extremely useful, for multiple reasons. It is the Western Centre for Cybersecurity Aid and Community Engagement (CACE), a new cyber incident response centre at the University of Western Sydney. It is a call centre to help small businesses respond to cyber incidents such as ransomware, data breach and email payment invoice fraud. And it will have another purpose: it will train hundreds of students every year in cyber incident response.

“It will help thousands of small businesses secure themselves and hopefully prevent bankruptcy and all of the emotional and physical harms that result from cyber attacks, which are never adequately discussed by the media,” Maurushat says.

Her career in cyber got off to something of a false start. She was studying computer science as part of her undergraduate university course in the 1980s learning Fortran and Cobol, but switched to media and communications, because she was one of only two girls taking these subjects.

She went on to gain a Masters and a PhD that were “highly interdisciplinary involving law, economics, political science, security architecture, cybercrime investigations, information and communication technologies,” and then got into cybersecurity while working at the University of Hong Kong, where her system was the target of many cyber attacks and spyware.

“Throughout my university career I have always worked in advisory roles with industry and government, and I’m still active in cybercrime investigations,” she says. “My first cybersecurity role was as a lecturer, and from there I played many different roles.”

SPREADSHEETING DATA BREACH RULES

Maurushat has worked on many research projects in cybersecurity and privacy but says her most memorable — and one that brought her considerable kudos — was an Excel spreadsheet, to help organisations comply with newly-introduced data breach notification laws in 2004.

“The laws were written in ways that were almost impossible for someone working in the field to understand,” she explains. “Different jurisdictions


were considering different models, and technology companies have data and customers all over the world, which means it’s extremely difficult to handle data and systems in a matter that is lawful under all of the different legislation around the world.”

“We broke down all of the different types of data that someone might have in their system and verified if that type of data was personal information, and subject to data breach notification. We analysed close to 32 different jurisdictions, 100 different types of data, and broke the notifications down so that a systems admin could comply with the law.”

That Excel spreadsheet has been downloaded tens of thousands of times. “It even got me a really good keynote alongside the US President’s Head of Cyber,” Maurushat says.

RESEARCHING HUMAN FACTORS

Her current research is focussed on the human factor in cybersecurity, what she calls ‘security activation’. “The specifics of how you move an individual or organisation from merely learning about cybersecurity to understanding its impact, and empowering them to think they can implement appropriate changes.”

While many organisations today devote considerable resources to the human aspect of cybersecurity, Maurushat is not a big fan of these initiatives. “Awareness alone doesn’t work. Even phishing training doesn’t really work,” she says.

Generally she believes the cybersecurity industry is overly focussed on the technical aspects, and this “is not an accurate reflection of the industry, its problems, and the skill sets required to deal with some of those problems.”

Her advice for anyone in cybersecurity, or aspiring to join the industry, echoes that of many others who have shared their journeys with Australian Women in Security Magazine: explore many possibilities, and do not be afraid to move out of your comfort zone.

“Trying to figure out what you are best suited to is a journey that never stops, no matter what you study or work at. You really only learn by trial and error, which means your most important skill set is the ability to make yourself do things you might not at first be comfortable with. It is only by doing that you really see your potential.”

As to her own journey, Maurushat wishes she had gained wider experience early in her career. “My cybersecurity journey has been interesting, but if there was one thing I could change I would have left law earlier to move into a more interdisciplinary role. I am now working with psychologists, criminologists, pen testers, forensics experts, economists and all of the other areas that go into cybersecurity.”

And for anyone keen on pursuing a similar academic path, she says you need three attributes: a highly interdisciplinary PhD, an obsessiveness to learn new things, and a willingness to share.

“I have the kind of passion that you only get by giving your time and energy and sharing your skill set with others.”

As for those who have influenced her careers and given to her, she names the late Professor Ian Kerr formerly at the University of Ottawa, and Professor Graham Greenleaf, formerly at UNSW. “These two men were champions of women, always helped others to nurture talent, and were two of the most giving people I’ve known in my life.

www.linkedin.com/in/alana-maurushat-587116204/?originalSubdomain=au

alanacybersecurity.com/

www.westernsydney.edu.au/staff_profiles/WSU/professor_alana_maurushat

dymocks.com.au/book/ethical-hacking-by-alanamaurushat-9780776627939?fbclid=IwAR20dcyLz3Wr7l8iDvDVjIuTwS0ZD004Yh6MjIQokfZiRCxBulnSJDj-HNc



Emily Hunt
National Risk and Security Operations Manager, Scentre Group

Emily Hunt is National Risk & Security Operations Manager with Scentre Group. Scentre Group owns and operates 42 Westfield Living Centres across Australia and New Zealand.

The company was established in 2014 through the merger of Westfield Retail Trust and Westfield Group’s Australian and New Zealand management business.

Hunt had worked for Westfield in security since the early 2000s and moved across to Scentre Group when it was created, but her association with Westfield goes back even further. Her first job in security was with a private security contractor that specialises in handling dogs used for drug and explosive detection.

“One of my first contracts was supporting Westfield assets. This led to opportunities to work directly for Westfield and the executives in their Corporate Security division,” she recalls.

“These were the years after the September 11 attacks and protective and physical security were front of mind.”

The protective security industry was not her first career choice. “I decided to try out a security role before joining the Police. I’m approaching 15 years in the industry, so from ‘trying it out’ for a few years as a contractor to leading national risk and security operations, I think it’s fair to say I jumped in and never looked back.”

HER SCARIEST MOMENT

She sees taking on her current role as the scariest moment in her career. “This was a big jump in scale and scope — moving from leading executive and commercial security teams to leading the national risk and security operations across Scentre Group’s portfolio.

“Our centres see over 450 million customer visits a year and play an integral role in the community. Knowing I would have a guiding role in keeping thousands safe every day was daunting.

“Our industry is essential to keeping people safe, but often it’s only seen when things go wrong. We have a job to do to show the value of the security. Much of this is about changing its image: making our industry a desirable profession to a wider group of people.”

Today, she says it is not security per se that is the most challenging, and rewarding, aspect of the role: it’s the people aspects.

“The most rewarding point of my career has been in my current role working with our teams and the broader community around mental health. This has two parts: first how we equip our people to recognise and handle mental health-related challenges as part of their frontline roles. This included bespoke training, where the feedback we received from teams was amazing. The second is the work we have done in our business that’s focused on our teams’ welfare and psychological safety.”

And Hunt says her role in risk identification and risk management is more about people management than security


CREATING A SECURITY CULTURE

“It’s about building a strong safety and security culture as the foundation, leveraging the expertise of our team, building their capacity to identify risks and creating a space where they are empowered to call those risks out.

“I don’t assume to be an expert in the specific security risks of every asset we operate. It’s the teams at each asset that have the detailed knowledge. It’s my job to ensure they have the support, resources and tools to identify risks, and that the systems are there to elevate important areas to national attention.”

The importance of a team focus, she says, is a lesson she learnt the hard way when her first child was born, and she struggled to maintain personal discipline and set boundaries between work and home. “If I could do it over, I would ensure I had the right balance. It highlighted to me the importance of spending more quality time skilling up your team. This includes carving out the time to have important career and development discussions. Prioritise these, don’t let those discussions slip, because you need to rely on your team and their capability.”

PONDERING PROTECTIVE SECURITY

Despite its importance, protective security seems to lack any clearly delineated industry. It’s hard to find any certifications in ‘protective security’, or industry associations dedicated to it.

Hunt says, in her experience, the term is not commonly used outside the risk and security fields, and there is a need to improve the visibility of the protective security industry, to clearly communicate its role and value.

“Much of our protective security framework is built, or informed by, government frameworks. The Australian Government publishes a strong framework around protective security. Although intended for Australian Government entities, it has principles that any organisation or security practitioner can understand and apply.

“In every industry, there will be a spectrum of performance when it comes to protective security and how organisations apply their security frameworks. This spectrum will range from thought leaders to those in the early steps of their maturity journey.

“There is consistency in certain areas of the industry, for example, standards and requirements around emergency management, or Australia’s strategy for protecting crowded places. There is still work to be done, but these broader pieces of work and the



growth of public-private partnerships in protective

“You need to empower not only your security teams,

security are very encouraging.”

but every person in our organisation to practice security. It must become an instinctive part of

BEST PROTECTIVE PRACTICE

employee culture, so it becomes a natural practice

Hunt is clear on what implementing best practice

people fulfil as part of their day-to-day roles.”

protective security for an organisation requires. Hunt has come a long way in security since her first “It starts with a framework that captures security

job, intended only as an interlude on her planned

governance; policies that cover roles and

career journey. The two biggest influences on her

responsibilities, that set out how to plan, manage,

career, she says, have been Scentre Group’s Director

monitor and report, and that require activities to be

of Security, John Yates and Scentre Group consultant

rehearsed…Testing is critical to building resilience.

and Proton Security Owner, Adam Ickowicz.

Prevention is always preferred but testing plans so your teams know how to respond and recover

“John’s depth of experience and background in

from an incident is essential to being a responsible,

security is almost unmatched. He is a never-ending

sustainable organisation.

source of knowledge and advice when I need it. Importantly, I have learned about leadership from

“Central aims for me — beyond having the framework

him; his approach to people and how to create a

— are to have senior executive buy-in and support to

psychologically safe workplace.”

ensure the program is supported and accountable, and to use these to embed a culture of security.

Of Ickowicz she says: “Everyone needs someone who always has their back. Whenever I felt I couldn’t

“For me, ensuring a protective security program is

work through a challenge, he was there to help me

ultimately being focused on enabling my people. The

break down problems. Equally important, he has been

idea of ‘securing an organisation’ cannot solely be the

my biggest champion since I met him, consistently

responsibility of a security department. It’s a common

encouraging, reminding me I could do anything.”

mantra in my current organisation that ‘Security is everyone’s responsibility’, be it physical, cyber or personnel security.

30

WOMEN IN SECURITY MAGAZINE


WHAT’S HER JOURNEY?

Emily Baker
Regional Alliances Manager ANZ at CrowdStrike

A bachelor’s degree in biochemistry and human physiology followed by a graduate certificate in nutrition hardly seem like suitable precursors for a career in cybersecurity, but they did not stop Emily Baker, now Regional Alliances Manager at CrowdStrike.

However, she does acknowledge making the leap into cyber as one of the scariest moments in her career. “I had so many doubts as to whether I would be able to do my job. I had no cybersecurity background or traditional experience,” she recalls.

“With a strong background in statistics and data analysis, cybersecurity was still a leap after graduating, but I saw there were some really interesting roles on offer. What nutrition and science were lacking in terms of pace of change, I discovered quickly in cybersecurity.”

Her first job was as an inside channel account manager. “I was fortunate to be in this role for only a couple of months before being promoted to account manager and then into a distribution account manager position,” Baker recalls.

TAKING THE PLUNGE INTO CYBER

Baker’s career-defining moment occurred in 2017 when she joined a large cybersecurity vendor with zero cyber experience. She says her fears were unfounded. “What I did have was an appetite for learning, curiosity and a give-it-a-go attitude. It turns out that’s all you really need. STEM fields in general are more about your attitude and desire to learn. The cybersecurity industry is a relatively young industry compared to others, so everyone is still learning, everyone is trying to work it out as they go.”

Her lack of cyber experience did not hold her back and in 2019, she won the ARN Women in ICT Rising Star Award. This, she says, gave her a platform from which to campaign for diversity. “Winning the award triggered an action plan and series of internal conversations about how we could be reaching, and appealing to, potential candidates who may not have previously considered such roles.”

CHAMPIONING DIVERSITY

Despite all the progress made on diversity, Baker believes more needs to be done. “At CrowdStrike, we are mindful of using more inclusive language in our job descriptions for instance. This may seem like an easy fix, but many large enterprises still struggle with changing global descriptors. Workforce flexibility is also key in attracting younger people who are looking for a new challenge, but one that doesn’t conflict with their personal lives and commitments.”

And it is not only on diversity where Baker sees the cybersecurity industry failing to communicate to potential recruits. “The industry as a whole needs to do a better job of promoting the cybersecurity field and breaking down the misconception that we are all working in programming or DevOps. There are so many different areas of cybersecurity to explore like partnerships, sales, marketing, communications and legal.”

A CYBER CAREER PROMOTER

Having transitioned from nutrition into cybersecurity herself, Baker is now keen to see other women make a career change. “I’d really encourage the next generation of strong female talent to consider this exciting field as a career. It is rewarding, both financially and intellectually,” she says.

“The industry moves at an incredible pace too and because of this, you will always be learning on the job. If you’re thinking about pursuing a career in cybersecurity but are uncertain, my advice is to just give it a go. It might turn out to be the best decision you’ve ever made.”

That certainly seems to have been the case for Baker, who says, “My cybersecurity journey has made me who I am today so I wouldn’t set about changing any of it.”

To others contemplating a cybersecurity journey she offers this advice: “Never be afraid to ask questions, ask for help and learn from others around you. Diversity of thought drives innovation and that couldn’t be truer than in the world of cybersecurity where knowledge sharing is key.

“I would also reiterate the importance of persistence and perseverance. It doesn’t matter how many times you are told no, you can always keep trying until you get a yes, no matter how long that may take.”

Of the many specialisations in cybersecurity, it is threat intelligence that piques Baker’s interest. “These individuals peek into the minds of adversaries, speak multiple languages, and try to understand and predict others’ motivations, tactics and techniques in order to stop attacks from happening. It seems to me a combination of psychology, technology and linguistics which is fascinating!”

www.linkedin.com/in/emily-baker-0a304627/
www.crowdstrike.com.au/
www.crowdstrike.com/blog/five-questions-with-emilybaker/


Bridget Mitchell
Executive Manager of Security Operations at nbn

Bridget Mitchell, a finalist for the IT Security Champion award, is Executive Manager of Security Operations at nbn. She confesses to having worked in security for “a very long time”. Her career started with Ansett Airlines, which ceased flying in 2002.

Her initial role was looking after ‘network and infrastructure’, known then simply as ‘voice and data’. And she moved from there into mainframe security.

While the technology she worked on might be long gone, Bridget says what she learnt about security is just as relevant today.

“I learned early the importance of security for a business, and why system security plays such a major role in managing risk when you are dealing with the people’s safety. The integrity of the systems, the accuracy and availability of information and the confidentiality of information were critical just to enable a plane to take off. This included weather information, data about the weight loading of the plane, the confidentiality of passenger manifests etc, just to name a few.”

And she adds, “My number one piece of advice, especially for technical people, is to understand what is important for your business so you understand why your role is important and valued. Secondly, never talk in technical terms to the business or they will stop listening.”

MENTORED INTO SECURITY

Bridget says mentors have played significant roles in her career, including being instrumental in her transition from mainframes into security.

“I won a high-performance award from the CIO after designing, developing and implementing a company directory on the mainframe in my spare time, which enabled staff across Australia and Asia to find and communicate with anyone in the company.

“It was the early 90s and very innovative at the time. My mentor was leading the mainframe security team. He made security sound so exciting and asked me to join the team. I needed a new challenge, so I made the move.”

Since then Bridget says she has had the good fortune to “connect with some incredible mentors who helped to grow my strengths and develop my weaknesses,” who were “instrumental in providing opportunities to develop as a leader, enabling me to head up security across a number of companies.”

SILO BREAKER

Bridget’s award citation credits her with “breaking down barriers between teams that remain siloed in many businesses.” To achieve this she first set up a monthly awareness session between the teams.

“It was like a ‘show and tell’,” she says. “This soon grew to many other IT functions. This transparency not only informed teams about capabilities, it importantly generated a high degree of collaboration. This has enabled a faster response for cyber defence.

“We have a catch cry in security that ‘Security is everyone’s responsibility’. However, we often then keep information about security to ourselves or only share it with management. This makes it appear that security is a secret society and not transparent.

“An effective way to break down barriers is to show metrics, particularly if they relate to business objectives and KPIs. This can immediately show the business the value being delivered. Seek understanding by listening to different points of view and considering your past experiences. Don’t assume that the audience is aware of the complexities and challenges in trying to achieve an outcome.”

The award criteria also describe a champion as someone who has mastered the art of engaging people with the IT security message. Bridget does not believe she has yet achieved that but says listening rather than being proactive is a major contributor to effective engagement.

BEING A LISTENER

“What I learnt from the beginning is that you need to understand your company’s core business first and what is important. Talk to people, engage everyone you come across, ask questions, and LISTEN! Understand ‘why’ it is important to protect the company’s core assets. The messaging must be provided from this business lens and in terms your business stakeholders understand, quantifying the risk wherever possible, otherwise, it is all just blah, blah, blah. Listen when speaking with the IT engineers, this is still relevant because you are explaining why their role is important to the business.”

www.nbnco.com.au/


Wendy Thomas
President and CEO of Secureworks

Wendy Thomas is President and CEO of Atlanta-based Secureworks, a NASDAQ listed security company she joined in 2015 as Executive Director, Finance. The company has been recognised by IDC and Gartner as a leader in managed security services.

Thomas was appointed to her current role in September 2021 after serving in a diverse set of roles across the company, including VP Finance, VP Strategy, Chief Product Officer, and most recently, President of Customer Success.

So it’s perhaps no surprise she cites her “willingness to take on stretch roles where I might not be wildly, perfectly successful” as a contributor to her success.

However, this willingness once came with an interesting reservation: a concern, especially later in her career, that her failure in a ‘stretch role’ would make it harder for other women and ‘non-traditional’ candidates to get a shot at a similar senior opportunity.

“That was an unfair burden to accept, and I often talk about that now with mentees who have similar concerns with respect to their race, veteran status, sexual orientation, etc,” Thomas says. “It’s a very real, but not obvious, impediment to highly qualified people accepting stretch roles that could accelerate their career path and personal development.”

Thomas identifies her transition from finance to product management at Secureworks, after working on a strategic plan for the company, as an example of one such stretch role.

BEYOND HER COMFORT ZONE

“Stepping out of my comfort zone in finance into an area where I lacked deep functional expertise forced me to leverage my unique strengths, while giving the team an opportunity to be their best selves leveraging theirs. So, the shift out of the finance track was a great opportunity to learn from the team, to get creative, do things differently, and build something new together – which was incredibly rewarding in unexpected ways. Opportunities like that are a privilege that shouldn’t be dismissed out of fear of failure.”

Regarding Secureworks’ evolving strategic direction, Thomas says: “It was clear the security industry – and the underlying technologies responsible for keeping secure – were evolving quickly. Our historic approach of having great security experts work across rapidly changing technologies and security products was not going to scale in the new future, and we were going to have to ‘data science the heck out of security’ – as one of our leaders at the time often said.

“We obtained the board’s support to invest in our vision for changing the industry, and we made major changes to our team, technology and business model. Fast forward two years after launching a new platform and product portfolio, we hit $US100m in annual recurring revenue.”

KEEPING THE TEAM INFORMED

One important lesson Thomas learnt from this process was: “you cannot over-communicate with your team, particularly during times of evolution and growth. … While the team has delivered amazing outcomes, looking back, I know I could have done a better job communicating and celebrating more often, in more ways, all along the journey.

“Not only do teammates need to hear from leadership multiple times, consistently, about any initiative or area of significant change, they need to hear it all along the journey. Sometimes, leaders hesitate to communicate at all when there are many unknowns, but not communicating until you have ‘all the answers’ is a sure-fire way to send a message that people should assume the worst. Rather, leaders have to communicate what they do know, be open about what they’re still working to answer, and demonstrate a commitment to transparency throughout – even when it’s uncomfortable.”

So, it’s perhaps no surprise when asked to describe her role, Thomas says, “My number one focus as President and CEO is to support my Secureworks teammates in the realisation of our purpose, to secure human progress, and to set our strategy for achieving that purpose.”

Rather than pick one decision or event as the most significant in shaping her cybersecurity career, she flags her ongoing interaction with customers.

CUSTOMER INTERACTION TOP PRIORITY

“Understanding their purpose, their ways of working, seeing first-hand the people and assets we’re responsible for securing — it’s irreplaceable. That understanding makes us a better partner to our customers, inspires our team, and fuels the improvements we make to our technology to solve our customers’ evolving security challenges.

“And, as someone who enjoys learning something from everyone I meet, I’m grateful for the inspiring ideas I often pick up around how to build a better business or become a better leader. The best journey is one that doesn’t end.”

In Secureworks’ experience, she says, despite the high profile of nation-state sponsored cyber attacks, including SolarWinds, Hafnium, and ongoing activity from Russian, Chinese, Iranian and North Korean threat actors persisting throughout 2021, for most organisations ransomware, rather than cyber espionage, remains by far the biggest cyber threat.

“The ransomware-as-a-service affiliate model has lowered the barrier to entry and helped ransomware groups rapidly scale their activities. Fortunately, mitigating against ransomware attacks with good security basics stands you in good stead against cyberespionage attacks too.

“Threat actors of all kinds like the easy life. They aren’t going to burn complicated zero-day attacks on victims that still haven’t patched vulnerabilities dating back five years. So our message is, get the basics right. Patch promptly, according to your risk profile. Implement multifactor authentication. Lock down internet-facing systems and remote working solutions. And monitor. The faster you detect a threat actor on your system, the better your chances of preventing the attack from escalating.”

MAKING THE CASE FOR CYBER LITERACY

She also advocates for broader technology and security literacy across society at large to enable people to take better preventive care of their digital lives and thereby make cybercrime less rewarding and less damaging.

Her view is informed by her, somewhat unusual, experience as a teenager. “Before I could drive the family car, my dad made me learn about how the car worked and how to do basic repairs — change a tyre, check the belts for wear and tear, check oil and fluid levels. Despite a good bit of eye-rolling at the time, what he taught me ensured I took better care of my future cars, and more importantly gave me confidence in dealing with sudden car trouble.

“Our lives are so dominated by technology and digital information that, as global citizens, we should all understand more about how the technology we use works for us, and sometimes against us.”

Mentoring has loomed large in the career of almost every woman profiled in Australian Women in Security, and Thomas says, “having someone challenge your thinking and encourage you to be your best self is a powerful way to grow.”

Her advice is to “seek out mentors proactively, with intentionality around what you’re looking to address. Because the kind of mentorship you need changes over the course of your life and career, seek out mentors proactively, with intentionality around what you’re looking to address.

“Keep in mind that a great mentor is also seeking knowledge, so be equally thoughtful about what you bring to the relationship as you are about what you hope to gain. While it may be intimidating, I encourage you to seek real feedback from your mentors. Go into each conversation with an open mind. Making people who care about you comfortable enough to share their observations and feedback will help you be more aware of how you’re perceived and enable you to grow beyond measure.”

SPEAKING OF SPONSORS

And Thomas offers another piece of valuable advice: don’t confuse mentors with sponsors. “Mentors are important for learning and new perspectives, but careers rarely progress without a strong sponsor inside your organisation. Sponsors are the senior-level people within the organisation who advocate for you, promote your work, champion your projects, and ultimately can positively influence your career success.”

Thomas says she has both benefited from being mentored by “some amazing people” and helped others to become amazing leaders in their own right.

“To quote from the show, Ted Lasso, [a TV show about a fictional, small-time American football coach who is hired to coach a professional soccer club in England, despite having no experience coaching soccer] ‘A good mentor hopes you’ll move on, a great mentor knows you will.’”

“To have had the opportunity to not only work with those amazing individuals but also to do meaningful work in a field that does so much good, have been deeply important to me. My teammates at Secureworks are collectively helping to make the world a safer place, providing the kind of effective security that enables businesses, schools, hospitals and so many others to fulfil their mission. I couldn’t ask for a more satisfying career than that.”

www.linkedin.com/company/secureworks/
twitter.com/secureworks
www.facebook.com/secureworks
www.secureworks.com/


Anita Siassios
Managing Director at ManagingCX

Anita Siassios is the managing director of ManagingCX, an organisation she founded in 2018, describing the move as “the greatest achievement in my career.” ManagingCX offers training, coaching and certification in customer experience skills. Anita describes it as “a company whose purpose is to empower individuals with holistic skills and career guidance to succeed in the customer experience management discipline and profession.”

It was the first CX training organisation in Australia to offer the Customer Experience Professionals Association (CXPA) authorised training program across Australia, and came into being when Anita took a parenting break from corporate life.

“I very quickly had to wear the hat of a marketer, business development, finance, legal and HR manager,” she says. “This experience was personally transformational, taking me out of my comfort zone, accelerating my professional and business skills in a way that could not have been achieved in such a short period if I had remained in my corporate role.”

FOUNDER OF MULTIPLE ORGANISATIONS

Anita might rank the creation of ManagingCX as her greatest career achievement, but it was not her first such initiative. In 2016 she founded the CXPA Melbourne Network, a local affiliate of the non profit Customer Experience Professionals Association, founded in 2011. Since then she has been instrumental in the creation of another non-profit organisation, the Australian affiliate of Women in CyberSecurity (WiCyS), in 2020, and in 2021 was a founding member of the World Experience Organization. Its mission is “to connect, serve, inspire, and provoke the pioneers of the experience economy.”

She says the inspiration for WiCyS came from “a mentorship, established via the Financial Executive Women’s Organisation which at that time was led by the inspiring Judith Beck, author of ‘No Sex at Work’.” Beck had started a membership organisation, Financial Executive Women, in 2012 and Anita was providing mentoring services under its mentorship program.

“I was privileged to be assigned to a mentee, a successful IT executive passionate about cybersecurity, who was seeking to build their global network. So the first thing I recommended was to join an association and to network with likeminded individuals,” she recounts.

“I started my research to find the right global association and finally came across Women in CyberSecurity inspired by the founder Dr Ambereen Siraj, whose hypothesis for establishing WiCyS was ‘If women saw more like them, then more of them would follow’. Having established the CXPA Melbourne Network, I knew exactly what it would entail: passion to serve others, and lots of voluntary time!”

Anita’s first job was supporting banking mainframe systems in 1989 and she progressed to managing the implementation of large hardware and banking systems across the globe.

CYBERSECURITY INTEREST PIQUED BY A BREACH

Her interest in cybersecurity was sparked when she was tasked with leading the establishment of a global privacy office for a major bank in Australia that was striving to adapt to changing regulatory and privacy regulations. However, cybersecurity became a passion only when the bank suffered a major privacy breach that impacted thousands of customers.

“Despite the disappointment of such an event, the learning and understanding on how important the cybersecurity industry is profoundly impacted my drive to make a difference through the mission of WiCyS Australia,” she says. She’s taken on the role of vice president for 2022.

Her interest in customer experience comes from much earlier in her life: growing up in the 70s in a family that ran a small business. She learnt “how important customers were for a business to survive.”

But it only really took hold of her life in 2012: “very early one Monday morning following a long technical implementation weekend that had gone horribly wrong impacting thousands of customers and their businesses.” That experience led directly to her founding CXPA Melbourne.

Asked how she would describe the role of ‘customer experience professional’ to a young person contemplating a choice of career, she says the defining characteristic is someone who acts as a catalyst, who benefits their organisation by “understanding, designing, and improving experiences across the entire customer relationship.” And she offers a list of key activities the CX professional should undertake.

1. Drive a culture of customer-centricity where every aspect of the corporate culture – from the top down – is focused on the customer.
2. Inspire and unite every department and employee in the quest for customer experience excellence.
3. Ensure every customer experience gain contributes to positive business performance outcomes.
4. Focus on customer needs and engagement where every thought and action is meaningful, making customers’ lives better and showing you care.

“READ SHAREHOLDER REPORTS”

She has some useful, and perhaps non-intuitive, advice for cybersecurity professionals aspiring to leadership positions: read shareholder reports as a means of learning to think strategically and learning the executive language. “Some of the most inspiring shareholder reports I have read are Jeff Bezos’ last shareholder letter in 2020 and Warren Buffett’s letters since 1965,” she reveals.

“Reading shareholder reports helped me refine my language and presentations to executives. I have found this to be the most successful and fundamental discipline, and I incorporate it into my coaching and training of CX professionals.”

Anita lists several factors that she believes have contributed to her career success: believing in yourself, building trusted and positive relationships; bringing out the best in others.

And the one piece of advice she did not follow: don’t stay in a role for more than two or three years. “I was in one of Australia’s largest banks for close to 30 years. Yes I climbed my way up and expanded my experience by pushing myself and learning by taking on roles in various departments but what it didn’t allow me was to expand my business network. … If there’s anything I’d like the reader to take away from this interview is the importance of networking.”

www.linkedin.com/in/anitasiassios/
www.managingcx.com/


Rebecca Moonen

operating table while being anaesthetised. “Before

Security and Privacy Influence and Cyber Safety Outreach Manager at nbn

with you about your work,” Beck recalls. “Never one to

F

miss an opportunity, I started to preach about scams. The doctors said I continued to chatter on about scammer tactics well beyond a reasonable timeframe

inalist in the Best Volunteer category

for the anaesthetic to have taken effect... proof that

Rebecca Moonen’s day job is Security

I’ll take any chance I can get to help spread the word!”

and Privacy Influence and Cyber Safety

VOLUNTEERING OVERSEAS

Outreach Manager at nbn. As part of that role, Beck’s had the

opportunity to work with Port Adelaide Football Club’s Aboriginal Programs Coordinator, Jasmine Miller to create a cyber safety module for students in remote indigenous schools. Alongside nbn’s CSO Darren Kane, and with the support from manager Kate Monckton, Beck joined the Port Adelaide Football Club’s ‘WillPOWER’ team on the road to assist in delivering the module to six remote schools in the Barkly Region of the Northern Territory. The project reached 500 students across 27 remote communities in the Anangu Pitjantjatjara Yankunytjatjara (APY) and Maralinga Lands of South Australia and the NT and, says Beck, “kicked off my love of making sure every Australian knew how to access the nbn™ network safely.” Since then, after dealing with yet another scam campaign exploiting the nbn brand, Beck decided to drive awareness about the increasing frequency and risk of scammers impersonating nbn, and to help educate the community on how to identify scammers so they could take action to protect themselves.

COUNTERING SCAMS

Partnering with multiple teams within nbn, Beck developed a scam awareness and education campaign for nbn and worked with the team at the ACCC’s Scamwatch to create presentation packs and deliver these to the community at a grass-roots level to reach some of the most vulnerable people in the community, with help from the Council of the Aged (COTA) and the Australian Seniors Computer Clubs Association (ASCCA). “It was a labour of love that often filled up my nights and weekends,” she says.

Her passion for raising scam awareness is impressive, even extending to preaching from the

the anaesthetist does their job they make chit-chat

Combating scams is far from being Beck’s only volunteer role. “I’m an enthusiastic supporter of Kiva microloans, supporting 22 countries in sectors like education, health and housing,” she says. “I’m a passionate fundraiser for the Tabitha Foundation in Cambodia, and the Tumaini Children’s Home in Tanzania, both locations where I’ve travelled on volunteering missions and kept in contact with the communities I’ve visited.” Beck has also been a wish granter for the Starlight Foundation.

Beck has enjoyed support in her volunteering activities through nbn’s Corporate Social Responsibility program. “It provides opportunities for our people to go beyond their day jobs to help create positive social, environmental and economic impact,” she says. “The company provides paid volunteer leave each year, and our flexible working policy means engaging with communities through volunteering doesn’t have to be squashed into any particular timeslot outside of business hours.”

Her direct manager, Anthony Cohen, has received award recognition for his volunteering. He has been named a finalist for NSW’s Local Hero in the 2022 Australian of the Year Awards for his charity Project Displaced, a free support service to help those who lost their job because of COVID-19. “I couldn’t do what I do without the support of Ant and the Security Influence team, and Ant couldn’t do his amazing work without his manager having his back also,” Beck says.

“The leadership team in the Security Group really live by nbn’s ‘we care’ value - and their support and encouragement for the team extends beyond what we do from nine to five.”


www.linkedin.com/in/rebeccamoonen/


Security Pathways Program Providing technical hands-on workshops, specialised training, certifications, mentoring and career advice Applications for Cohort 4 NOW OPEN Sponsored by Learn more at www.awsn.org.au/initiatives/securitypathways-program/


Kelly Peck Associate Consultant | GRC at Cyber CX

Kelly Peck has degrees in Russian, German, and linguistics and a list of volunteering activities as long as your arm. They include animal welfare, disaster relief, mentoring, poverty alleviation, and youth work. She has volunteered in Australia, the Philippines, and Germany.

Despite this background, she was struggling to find work. During this time, she found her way to cyber security, “I started networking with people who work in the cyber security space and knew straight away that this was the right path for me.” So she embarked on a Certificate IV in Cyber Security from TAFE Queensland, started applying for cyber security jobs while studying, and is now an associate consultant in governance, risk, and compliance (GRC) with CyberCX.

Having decided to pursue a career in cyber security, Peck says the biggest decision was whether to go for a technical or non-technical role. She believed she would have more opportunities if she chose technical but was interested in GRC.

COMMUNICATIONS SKILLS AND EMPATHY

“I thoroughly believe my experience in linguistics and procurement helps me in my role as a GRC associate consultant,” she says. “It allows me to have a deeper understanding of what a client wants, whether that comes from body language, the words they speak, or written communication. It is important to have good communication skills and empathy for the client’s situation.”

In retrospect, Peck says she would have chosen a different path into the industry. She gained no new skills from her TAFE course, describing it as “giving a very simplistic overview of both relevant and irrelevant topics,” but she did acquire a new supportive network in her cohort.

“Instead of TAFE, I would use that time to study industry recognised qualifications like Network+ and Security+. I would also combine this with attending networking events, listening to podcasts, and learning from the multitude of free resources that can be found on the internet.”

And she adds: “From networking with hiring managers and recruiters, I have come to understand that doing the qualification was not a necessity.” She has now embarked on what she expects will be a long program gaining relevant qualifications: CISM, and because of her GRC role, studies in ISO27001, and NIST.

Despite the well-publicised shortage of cyber security professionals, Peck believes entry level jobs are rare. However, she was lucky and applied for three, got three interviews and two job offers.

THE IMPORTANCE OF COMMUNITY ENGAGEMENT

“The three companies I applied for were very different from each other. However, I noticed all three found it important that I showed a lot of passion for the industry. Additionally, they wanted me to show the ways in which I am active in the community, through networking events, memberships, and listening to podcasts, etc.”

Peck’s cyber security career has got off to a good start and her experience provides useful guidance for others contemplating a similar path, but perhaps the most important lesson is the value of a good mentor.

“I reached out to a friend who is a security analyst and she gladly became my mentor,” Peck says. “In return, I offered her lessons in linguistics. I benefited greatly from her guidance - she helped me make connections in the field, advised on my career pathway, and ultimately led me to the position I am in now.”

www.linkedin.com/in/peckkelly


CAREER PERSPECTIVES


ANU KUKAR

AKIRA SINGH

HOW TO JOIN AND CONTRIBUTE to the cyber space from a nontraditional cyber background

by Akira Singh, Associate Cyber Security Consultant at IBM A/NZ and Anu Kukar, Associate Partner, Cyber Security Strategy, Risk & Compliance at IBM A/NZ

Given cyber criminals are constantly thinking of new ways to attack organisations, shouldn’t we be thinking differently by bringing in people with diverse backgrounds to help respond to attacks and protect organisations?

Here are stories of people entering the cyber world from completely different professions:

• A law graduate joining and starting her career as a cyber graduate.
• An accountant and risk professional with 20+ years of experience transitioning into cyber.

AKIRA

Starting my career in law

Six years ago, when I first made the decision to study law, I would never have guessed I would be working in cybersecurity today.

I never considered cyber or technology as a viable route for me because I had no educational background in either field. After finishing my degree I worked in a legal technology start-up as a consultant.

There I learnt about legal services, the ways in which they are delivered, and how they have changed drastically in the past few years. Legal, and other important services such as accounting, banking and education are beginning to innovate in how they interact with clients, leveraging the rapidly changing online environment. I developed a particular interest in how these changes would impact businesses and their users, especially in relation to security.

Moving to cyber

I jumped at the opportunity to apply for a graduate program as a cybersecurity consultant, not knowing the value my legal background would have in the role. Almost four months into the program my perspective on cybersecurity has changed completely. I have not only learnt a great deal about the technology and cyber space, but I have also been able to apply my legal knowledge in various aspects of my role: everything from client meetings and proposals to social eminence opportunities.

In the short time I’ve been in the cyber industry I’ve been able to participate in market eminence activities by speaking in a webinar as a cybersecurity expert on the SOCI Amendment Bill, working on a point of view submission on cyber resilience, and co-authoring a publication.

I have had the pleasure of working in a supportive, female-led team, and I can see the legal perspective I bring to my role is greatly valued. I can also see the direct impact my work is having on our clients and the cyber world as a whole as we continue to bring new ideas and insights to the table.

Three things I wish I knew earlier in my career

1. The cyber space needs individuals and perspectives from different industries and fields, not just technology. There are many different areas within cyber that value a wide range of backgrounds, such as law, psychology, intelligence, social studies, and more.
2. Education does not stop after your degree. With advancing technologies and an emerging threat landscape, upskilling and further education are ongoing requirements. Staying relevant is a major factor for success, and is greatly valued within the cyber industry.
3. It is a mistake to shy away from tasks and opportunities that are outside your comfort zone or repertoire. Saying yes to as much as possible will enhance your capabilities, build your network, and provide you with invaluable experiences. There are always people to guide and support your growth.


ANU

Career advice to anyone with experience wanting to move into cyber.

An accountant and risk professional with 20+ years’ experience transitioning into cyber.

I call it the ‘C to C’ in 20 years

Chartered accountant to cyber professional. I started my career as a tax accountant and upskilled myself continuously to learn, grow and stay relevant. That has seen me transition into roles such as internal auditing, strategy, risk, compliance, governance, regulation, third-party risk, risk innovation, data and technology risk.

It has been tough to continuously learn and upskill, but very rewarding because it gave me an opportunity to try different roles. So, if after five, 10 or 15+ years of working you have decided you want to be a cyber professional, and are wondering how to do that, my three key stages of advice would be:

Stage 1: Be clear on your purpose

Be clear and ask yourself why you want to be a cyber professional.

For me, it was about making a difference, and being drawn to the purpose of cybersecurity – protecting and securing critical infrastructure for Australia. I had a reason and purpose. It is this clear purpose that helps you when the going gets tough.

Stage 2: Understand what you can contribute

Reflect on your career experience to date, talk to others, and learn how you can contribute.

I saw I could contribute my accounting, risk and compliance, and third-party risk experiences to the cybersecurity industry, and provide support for things such as: costings and business cases

• Cyber strategy and cyber program development
• Cyber risk posture measurement and management
• Cyber governance and reporting
• Compliance and regulations for cybersecurity
• Cyber third-party management.

Stage 3: Make the transition into cyber?

There were three things I did, and I would advise anyone wanting to upskill/transition into cyber to do the same.

1. Self-study and upskill – take online self-learning, courses and certifications focused on understanding NIST frameworks, cybersecurity end-to-end and how-to-do work activities.
2. Join associations – by joining security associations such as ISACA, AISA and AWSN you will have access to the latest jobs, thought leadership, webinars and to conferences where you can network and meet others in the cyber profession.
3. Social eminence – share your views and ideas for the cyber profession. Start building your voice and contributing whilst also creating your brand in the cyber profession.

CONCLUSION

As you have probably gathered by now, cyber is a profession that needs, and greatly values, the perspectives, ideas and experiences of individuals from various fields of work. It can be an incredibly rewarding career, especially if you are interested in contributing to the security of Australia.

Whether you have just finished school and are deciding on your degree or have years of experience and are ready for a career change, consider joining the cyber community.

If you have any questions about taking the leap and joining a cybersecurity team, feel free to reach out to either of us.

Anu Kukar
www.linkedin.com/in/anukukar

Akira Singh
www.linkedin.com/in/akira-singh/


CHELSEY COSTELLO

TOP 10 RECRUITMENT CHALLENGES TO TACKLE IN 2022

by Chelsey Costello, Principal Information Security Recruitment Consultant at Talenza

The last two years we have seen our industry change dramatically. Many agency recruiters took internal jobs amid fears the market would not recover.

Earlier this year we saw the cybersecurity job market pick up in a big way, and there is now a shortage of people in agencies to fill jobs. The market shifts have been interesting to watch. Now, as the nation opens up, it’s very much a wait and see situation. However, it would be naive of the private sector to fail to anticipate market needs for the coming year. Below I share some insights into where we are now and what we have to tackle in 2022.

1. GENDER DIVERSITY IN SECURITY

Diversity, equity and inclusion is a big topic but when it comes to hiring cyber skills, we are seeing a lack of female representation across the board. According to McAfee, the Australian cybersecurity industry is still sitting at 25 percent female. Unconscious bias can creep into recruitment, a challenge we will continue to face in 2022. While I do note this as a threat to the industry, the positive news is that strides are being made to move the needle. In the period July 2020 – June 2021, unconscious bias training was the third most registered course on LinkedIn Learning, according to the most recent Talent Trends Report from LinkedIn.

Several interventions can be made at each step of the recruitment process to attract more female talent into security roles. These range from using gender neutral language in job ads to making sure there is balanced gender representation across the business and the hiring process. So put these on your priority list for 2022, if you have not done so already.

2. UNICORNS AREN’T REAL

Recruiters are often given a long list of job criteria regarded as essential by the employer, but most of the time the successful candidate meets only 50 percent of these. At times we are seeing the terms ‘CISO’ and ‘security administration’ in the same job description. This is a recipe for burnout for anyone hired into such a role, and providing an exhaustive list of essential specific skills and experience is detrimental to the chances of attracting great talent. When writing an advert companies should focus on what they really need.

For example, do you really need 10+ years’ experience in your advertised role or could you hire on potential? Do you really need a degree and certifications, or would industry experience suffice? And do you really need Splunk, or could your candidate have worked with a similar SIEM solution?

It’s the job of recruiters to really educate clients on industry best practice. We aren’t unicorn hunters. Our role is more about providing education and consultation.

3. SKILLS SHORTAGE

There is still a skills shortage across the industry, particularly at senior levels. Whilst the skills pipeline has grown rapidly over the last few years, it will take time to close the gap at senior levels. There are several companies creating development opportunities in government areas where they will also reap the benefits of tax incentives. Accenture is one example. It is working with the SA Government to set up Advanced Technology Centres of Excellence in Adelaide with a focus on defence and cybersecurity. Programs like this will also partner with local universities to create more entry level jobs and develop talent to address the skills shortages.

Similarly, companies like CyberCX, NCC Group, Deloitte, PwC, EY, Safer Internet Project and Merimetso, to name a few, have developed excellent graduate and associate training programs to address the skills gap. If you are looking to break into the industry, I would recommend keeping an eye on these companies.

4. GROWING WORKFORCE DEMAND

According to AustCyber, 7000 additional security jobs will be added to the Australian workforce by 2024. At present, there are more jobs being advertised than there are active candidates, and many positions remain vacant. Small to medium enterprises have had to hire GRC professionals to comply with new regulations. Things like the Cyber Operational Resilience Intelligence-led Exercises (CORIE) Framework have led to more demand for red teamers. As companies continue to digitise the cybersecurity industry must evolve, creating more vacancies across the board.

5. LACK OF JUNIOR OPPORTUNITIES

In June 2021 we undertook some market research to understand the fastest-growing roles. It became apparent there is real demand for senior level roles, and few junior roles being advertised. Most graduate and entry level programs were halted during COVID. As the needs of businesses become more complex and more specialist skills are needed, people who have held junior and mid-level roles over the past two years are stepping up. Unless the graduate uptake increases significantly, the impact of this will be felt in years to come.

6. ACCELERATION OF SALARIES AND CAREERS

We have seen a significant increase in salaries, particularly for junior and mid-level candidates. To address skills gaps, junior security professionals are being quickly promoted into senior roles, sometimes doubling their salaries. I can recall several candidates who have been offered a salary of $120k after a year or two in an entry-level role paying $60/70k.

7. MIGRATION

Typically, Australia has had the luxury of handpicking great talent from overseas. The laid-back lifestyle and thriving economy make Australia an incredibly desirable place to make a new start. The borders have now been closed for almost two years and skilled migrant visas have been in steady decline since 2015 from around 128,550 to 79,620 visas approved in 2020. It will be interesting to see how these numbers track over the next 12 months as borders begin to re-open. Pre-COVID many of our clients were happy to consider visa sponsorship, but most are too apprehensive now to try, putting further pressure on limited candidate pools.

8. LOCATION AGNOSTIC ROLES

The rise of remote working has opened up the talent pool dramatically. Not too long ago, a company hiring security professionals on the Sunshine Coast would have been limited to that area. Now, it can tap into talent across the country. This has had two effects. Salaries have been driven up to be almost the same across the country, and many companies now have access to a nationwide talent pool. This has created more opportunity for workers in Queensland in particular, and there is more competition for highly skilled candidates. With global tech companies like Google and Facebook, and leading security companies like CrowdStrike and FireEye hiring 100 percent remote talent and offering competitive remuneration packages, Australian businesses are finding it hard to compete.

9. CANDIDATE DRIVEN MARKET

In a candidate-led market like today’s we are seeing candidates receiving multiple offers and often counter-offers to stay in their current role. There has never been a better time to be a candidate, because salaries are higher than previously. However, these higher salaries often come with expectations of elevated performance levels. In a market with limited candidates, where candidates are in the driving seat, employers must work harder to ‘sell’ the benefits of working in their organisation. Candidates hold all the aces, and in some ways are choosing employers based on their experience in the interview processes.

10. ELUSIVE CANDIDATES

Cybersecurity candidates generally do not want to be found. Many choose not to share details of their employer or their role, because doing so could create risk for their company. This makes it hard for recruiters to find suitable candidates. Those candidates that can be found are being approached multiple times a day by recruiters and companies alike. Therefore, capturing their attention is harder than ever. At Talenza we use our existing database, networks and referrals in addition to headhunting to attract the best in the industry.

The cybersecurity industry is not slowing down anytime soon

Times are tough for companies not listening to candidates, but those adapting to the times are outperforming those that are not. As specialist recruiters in cybersecurity we make it easier for our customers to navigate the space by providing advice and guidance on market trends. Through our sector expertise and our extensive networks we are able to have 85 percent of our CVs turn to interviews and then placements. We place strong emphasis on diversity, equity and inclusion in our interview process, and I am proud that 44 percent of my placements this year were female. If you would like to chat confidentially about recruitment, or you are looking for a new job, please reach out to me on chelsey@talenza.com.au.

www.linkedin.com/in/chelseycostello

www.talenza.com.au


KELLY RAZLOG

DIVERSITY AND INCLUSION

by Kelly Razlog, Head of Emerging Technology | InfoSec | Cyber Security

Here at Randstad, we pride ourselves on diversity and inclusion in the workplace.

Research has shown having a broad and equal representation of genders in your business can make your business more innovative, financially successful and attractive to talented job seekers.

As such, if you’re looking to build a strong employer brand and assemble a workforce that will drive your organisation to new levels of profitability and success, diversity and inclusion should be an absolute priority.

Today, I want to touch on five ways to ensure your recruitment process is gender-neutral and talk you through our human-forward approach to recruitment.

So, how do you ensure your recruitment process is inclusive?

PROVIDE ORGANISATIONAL TRAINING AROUND INCLUSION AND DIVERSITY

This is an important aspect of any organisation. Awareness and training are key, because some people may not understand the effects of inclusion and its importance. Just as an organisation should conduct security awareness training to protect its employees and the business as a whole, it should do the same for gender inclusion.

INVOLVE BOTH GENDERS IN THE INTERVIEW PROCESS

By having both genders in the interview process from the get-go an organisation can minimise the risk of the panel being biased. Obviously, you should be hiring based on skills and not gender, but there are still employers where unconscious bias may be present. By starting with a diverse hiring team and moving towards a more structured interview approach you can help ensure this bias does not undermine the process.

WORK OFF SELECTION CRITERIA DURING THE INTERVIEW

Using selection criteria you are able to focus more on skills, identifying where each candidate’s strengths and weaknesses are based on their technical abilities. If you use this as a guide, the best candidates soon stand out.

DEVELOP A DATA-DRIVEN APPROACH

By relying on data you can develop consistent and actionable initiatives that lead to real, long-term sustainable change. An effective inclusion program, integrated with diversity goals and a company’s corporate values, can produce higher retention, greater productivity, stronger Net Promoter Scores and more. Part of this data collection process is an integrated effort to identify the relevant insights that need to be considered.

REMEMBER THE HUMAN-FORWARD APPROACH

At the end of the day, it’s important to remember you are placing people - not just filling jobs. Gender-based hiring is definitely not as serious an issue as it used to be, and there is now a much greater focus on ‘women in tech’ that has been great to see. This year alone we have seen a spike in the number of females being hired, and many more companies are making this a preference to bring diversity into their teams.

By integrating these five measures into the recruiting process, organisations increase the likelihood of attracting the very best talent available, which in turn helps them retain staff and increase profits. Doing so will ensure you create the kind of inclusive, dynamic workplaces of the future that I believe we would all agree are exactly where everyone wants to work.

www.linkedin.com/in/kellyraz/


MEGHAN JACQUOT

#IChooseToChallenge

THERE IS NOT ONE PATH TO ENTER CYBERSECURITY

by Meghan Jacquot, Associate Cybersecurity Threat Intelligence Analyst, Recorded Future

You need to do this…

You need to study that…

You have to get these certifications or this degree…

No, emphatically no! There is no one path into this industry and there is no one way that is the “right” way.

I was a teacher before I pivoted and became a threat intelligence analyst. During my studies for my first degree I never took a programming class. I never coded. I liked to understand how things worked and help people. So I studied history, secondary education (teaching teenagers), and teaching English language learners.

I struggled to decide at the age of 17 what exactly I wanted to do when I grew up. At first I thought I wanted to be a veterinarian. I worked in animal hospitals and enjoyed my science classes. However, taking a genetics class as a first year university student helped me realise it was not what I wanted. I changed. I still enjoyed science, but for the first few years as a teacher I did not teach any science or technology classes. In fact, I was teaching English. Then I moved to a small school in Silicon Valley. I was able to combine my joy of teaching, learning, science and technology, and start teaching these topics.

I always evaluated my situation. Am I doing what I want to be doing? In 2017, I started taking a closer look at bringing technology into the classes I was teaching. I was already doing IT technician work for my school, so it was a natural progression. I started programming more and thought about teaching a computer science class.

In 2018, my father unexpectedly passed away. He was a database analyst and programmer. As a kid, I was always encouraged to think critically, be curious, and not follow every single rule. He shared his love of technology with me. I know he would love to hear what I’m up to today.

As I continued to evaluate my options over the years I kept taking classes, learning and sharing what I learned in formal and informal ways. As a teacher, I created introductory and advanced engineering classes, an advanced computer science class, and a maker lab. I worked on Python and C++ coding. I decided to enrol in a formal learning program. I went back to school for a second bachelor’s degree in cybersecurity with a focus on network systems. I graduated in August 2021.

I started an internship in risk assessment with the Cybersecurity Future Foundation in March 2021. I stopped formal teaching in June 2021 and started in cyber threat intelligence as an analyst with Recorded Future in September 2021.

What was my path? It meandered. I evaluated and iterated what I wanted to do. I knew I enjoyed, and learned more from, formal learning experiences, whether those experiences were conferences or studying for a degree. But I knew I needed more structure.

As early as 2015 or 2016, I knew I wanted to shift to a field within technology. Then I narrowed that field to cybersecurity. Our industry is broad. As a technology lover and, initially, an industry outsider, it was at first overwhelming to determine what I wanted to do within cybersecurity. I started broad and, over time, narrowed to a few areas of interest in cybersecurity.

A lot of my narrowing happened through involvement with cybersecurity organisations. At the start of my information security journey, I would ask people I had recently networked with what had been their path into security. One thing all those conversations had in common was the variety of routes people had taken into security.

Breaking down barriers in security also means breaking down the gates the gatekeepers put up. I work with two different groups, Breaking Barriers in Cybersecurity and WiCyS, to help break down barriers to entry. Anyone who wants to enter this industry should be able to do so. Sometimes gates are placed across the paths into cybersecurity, but there is no one path to enter the field and there is no single set of skills essential for success.

Formal education may not be for you, or it may be exactly what you need to excel. Whatever your preferences, there is a path into security for you.

You may love to program, or you may hate it. You may have a love/hate relationship with it. You may even fear it. There is still a path into security for you.

Certifications may give you structure and a goal to work towards or could be necessary for certain government positions. Or certifications could be completely unnecessary for your role. There is still a path into security for you.

You may start in cybersecurity as your first career, or pivot as I did. You may be in cybersecurity and change your role. Evaluate and iterate along the way.

The better you know yourself and your preferences, the easier it will be to find your path. As you learn other people’s stories you will see there has been no one path and there is no one set of skills, degrees, or certifications needed for success. Explore your path, take note of its meanders, and appreciate its particular idiosyncrasies - no one else will have the exact same path.

www.linkedin.com/in/meghan-jacquot-carpe-diem/

twitter.com/CarpeDiemT3ch


RACHEL MAYNE

FIVE WAYS TO ENSURE YOUR RECRUITMENT PROCESS IS GENDER NEUTRAL

by Rachel Mayne, Senior Associate, Cyber Security at u&u Recruitment Partners

Over the years we have seen a big drive to improve diversity in the workplace as research continues to reveal the benefits of a diverse, multicultural workforce. Gender equality has been a big focus and often the starting point for gender diversity is the recruitment process.

Companies are offering higher salaries, altering their hiring processes, and asking the question “how can we attract women to join our business?” So, what more can be done?

When my clients ask my advice on how to get a more diverse pool of candidates applying for their roles, I always refer to a few points research has shown make a significant difference.

These include:

1. WORDING IN THE JOB DESCRIPTION

Studies have shown certain language to be more gender neutral and more appealing to female job seekers.

A job description is often the first impression (aside from word of mouth – I’ll get onto this later) a candidate will get of the company’s culture. Words such as ‘competitive’ and ‘dominant’ tend to paint a picture of a male-dominated environment.

They can often turn off women who may have otherwise considered the role, whereas words such as ‘collaborative’ and ‘cooperative’ suggest a more supportive culture, gender neutrality, and less of a ‘Wolf of Wall Street’ type company.

Using a mix of language, or replacing/removing certain words, is a quick and simple change companies looking to attract a wider pool of candidates can make.

Luckily, women are feeling increasingly confident, sufficiently so to apply for roles looking for a ‘strong leader’. It could be that we have reached a turning point and will not need to avoid such language in the future. It will become not only acceptable, but normal for women to apply for roles advertised in such language.

2. REVIEWING OF CVS

One of the best ways to prevent unconscious bias is to eliminate any data/information that refers to personal attributes of the candidate.

This means removing from resumes name, gender, country of origin, and anything that specifies more than the experience, skills and qualifications of the candidate. This will help minimise bias and result in a more objective candidate selection decision.

3. HIRING PROCESS

Ultimately, it’s impossible to completely remove our unconscious bias, so a business should focus on equipping its employees with processes (as mentioned above), training and tools that reduce bias as much as possible.

There’s a lot of material to help train hiring managers on how to acknowledge their biases. This heightened awareness will contribute to eliminating bias in the hiring process.

Additionally, a more structured interview process with set questions and technical tests, where appropriate, will also help to identify the candidate whose skills and experience alone make them the best fit for a role, rather than their gender or perceived cultural fit.

Finally, when conducting an interview, think about who is present and how that will look to the candidate. If

important. The cybersecurity community is quite small. A company’s reputation for how it treats and values women will be a massive factor when female candidates decide whether to apply for a role.

Progress starts from the top. You cannot fix a diversity problem simply by adding more women to the team: you need to make the workplace a female-friendly environment.

5. MORE THAN JUST THE JOB ITSELF

Throughout the hiring process, it’s important to promote the benefits of joining the company in addition to the benefits of the advertised role.

Things such as flexible work arrangements, return to work programmes and partnerships (such as with charities who support women getting back into the workforce) show a deeper investment in gender equality than a tick in the diversity box.

IS UNCONSCIOUS BIAS STILL PRESENT WHEN RECRUITING WOMEN?

It is difficult to eradicate unconscious bias throughout a business, so there will probably always be a degree of bias against minority groups in the workforce.

The market is taking large steps to reduce unconscious bias, although there is still some way to go. One benefit of the recent lockdowns is that the stereotype of the woman looking for work/life balance is disappearing. Everyone is demanding a better balance. Hopefully unconscious biases will diminish

as a result.

there is a panel or an interview process dominated by middle-aged Anglo-Saxon males, it will not shout

It is important to realise that a company cannot

‘diverse culture’ to a female applicant.

achieve gender diversity overnight. It requires a shift in culture, a willingness to make changes, and

4. INTERNAL CULTURE CHECK

numerous steps to be taken. Once organisations

There is no easy way to change internal culture, and

acknowledge the challenges we have a much better

the process can be very confronting. Simply deciding

chance of creating cultures that welcome all genders,

to be a more diverse company and hiring more

ethnicities and minority groups.

women will not change the intrinsic culture. www.linkedin.com/in/rachael-mayne/

These days, most candidates will check Glassdoor and company reviews and ask friends before applying

www.uandu.com/team/rachael-mayne

for a role. This is where word of mouth is really

WOMEN IN SECURITY MAGAZINE

55


HOW TO WIN IN THE WAR FOR TALENT

by Asmita Govind, Account Manager for Technology Recruitment at Sirius Technology

Over the last few weeks, I have had many conversations with clients and candidates about the ‘Great Resignation’ and the ‘Demand for Talent’. The pandemic has definitely changed and challenged the way we all work, and many of our responses have been reactive.

A new challenge in the war for talent is coming. Are you ready for it?

Pre-pandemic it was tough to find talent for certain technology specialisations. There were never sufficient candidates with the right skills for the number of positions to be filled.

Companies were able to attract top talent by offering:
• More money
• Benefits like the option to work remotely
• A great team culture
• Training and progression plans
• Sponsorships for overseas candidates
• Days off for birthdays
• Wellness programs

However, over the last year with all the restrictions that have been imposed, many of these tactics have become redundant.

IT professionals are exposed to multiple news articles about how hiring is on the rise, about the shortage in tech talent, etc.

They receive recurring calls and LinkedIn InMail messages from recruiters. All these communications make it harder for anyone to remain happy in their current role. Curiosity will eventually make them say “I’m not really looking, but I am happy to hear what you have open.”

Over the last 12 months, I have found staff retention and talent attraction the toughest challenges organisations have had to deal with. I am sorry to say, it is only going to get worse.

What can you do as a leader to help minimise the number of staff leaving your team in an environment where it is already very hard to find talent? Here are some suggestions.

ENSURE EACH MEMBER OF YOUR TEAM HAS A TRAINING/PROGRESSION PLAN ALIGNED TO THEM

The pandemic has changed business priorities as well as personal priorities. It is natural these priorities include what people want for their futures and their careers. Whether your company has sidelined training and growth plans to focus on keeping the doors open, or has put staff reviews on hold, it is worth having a conversation to discuss the relevance of these initiatives in the current climate.

Your team needs to feel you are investing in their growth and development. The best way to do this is to have a scheduled meeting specifically to discuss these issues. Is there a goal you can help them meet? Is there some mentoring required? Is there some training that can be booked?

HAVE THAT UNCOMFORTABLE CONVERSATION ABOUT SALARY

People find it difficult to ask for a pay rise. Most will go to all the effort of updating their resumé, applying for roles, preparing for interviews and getting a job offer before admitting they just wanted to feel appreciated with a pay rise. For some reason, many technology companies do not seem to have a practice of conducting regular salary reviews.

If a pay rise is something that cannot be offered, or the team member needs to hit some more goals to get one, it is good to work on those issues early, rather than having a rushed conversation when someone hands in their resignation. At this point, they have already decided to move on. If they do stay, they will usually move on in less than six months after being persuaded to remain.

RECONSIDER WHAT FLEXIBLE WORK MEANS?

These days remote working, or working from home, is just expected. The question is no longer “Can I occasionally work from home?” It is “What hours are now core hours?” People like the office and the interaction with their teams, but they also like going to the gym, or picking up their kids after school. It’s now more about what hours of the day are required.

REMIND YOUR TEAM REGULARLY ABOUT COMPANY BENEFITS

Many companies offer attractive employee benefits, for example, access to novated leases for a car, or free financial advice/health insurance etc. It is easy for these to be forgotten when they are not immediately needed.

INTRODUCE TEAM BUILDING ACTIVITIES

This one can sound like something for the too-hard basket, or a bad idea because no one wants to spend more time with co-workers. However, team activities help create connections between team members and these help build loyalty.

These do not need to be big-budget productions. Even something as simple as Friday lunch out of the office or even something as simple as a virtual trivia game can be fun.

Is your company cancelling its Christmas function this year because of pandemic rules? Is there an alternative you can look to, such as a New Year party? Many people feel they have been cheated out of these events, and that is having an adverse impact on team spirit.

PROMOTE INTERNALLY WHEN POSSIBLE

Companies that promote internally have the best stories to tell. Internal promotion signals to team members that their employer believes in them and is willing to invest in them. Someone who is promoted will always be more engaged than someone who has chosen the role over other offers. It also helps with retention as there is a career path with your organisation.

EMPLOYEE RECOGNITION

Sixty percent of the workforce want and enjoy recognition for the work they do every day, that is more than half your team.

96 percent of the workforce actually do better in their roles when they are recognised, whether they want recognition or not. A happier and more productive team leads to higher retention and is attractive to new hires.

Before you say “That all costs money we don’t have”, some of the best recognition initiatives are achieved with little cost. Personally, some of my favourites from my previous managers have been:
• An instant scratchy (part of a running joke of winning big)
• A handwritten thank-you note
• Celebratory hot chocolate for hitting personal milestones
• A genuine LinkedIn post appreciating the work the team had done to deliver a project
• A special mention at a team meeting
• An early finish for a job well done
• An additional day off

There are probably many more ideas. The key is to start implementing them but more importantly doing so regularly.

Sometimes you can do everything right, but people will still move on. It is a fact of life. But there is one thing I know: the world is a very small place. So, when people do choose to leave, remember it is not personal, and you will cross paths again.

And that leads on to: what things can we do now to attract top talent to our teams and organisations?

Traditionally skills gaps were filled by experienced migrants and by international students who looked to secure work after graduation. However, with borders closed and people wanting to be closer to family, this has stopped. We will not know the longer-term effects of this for a while.

The best we can do is find the right people for our teams from the pool of people available.

DO YOUR RESEARCH

Speak to people in your network who may be hiring similar roles, connect with recruiters and ask them what salaries look like today, and what talent is available. Over the last few months, salaries and daily rates have changed considerably.

REFINE AND TAILOR YOUR RECRUITMENT PROCESS

Change is coming and coming fast. Partner with your HR and internal recruitment teams to make the interview process for potential hires a good one. We are all busy, but a strong recruitment process can tell a candidate a lot about a company. It will give them a taste of what is to come when they join.

In a market where candidates have multiple job opportunities, you need to sell your company and the roles on offer as best you can. Money will be a driver, but we are all emotional beings: most of us will also consider how we felt during the process.

• Have a clear job description that shows the candidate you know what you need.
• Know your company benefits and why people want to join.
• Ensure feedback is provided in a timely manner after the interview.
• Ensure the next steps are known to everyone attending.
• Remove any steps that are not adding value to the process.
• Be able to explain clearly what progression for this role would look like.

BE OPEN TO OPTIONS THAT WILL ALLOW YOU TO WIDEN THE TALENT POOL

A job description usually has a list of everything an ideal candidate will have. But the best candidate may be the one missing some of those requirements. They have something to grow into, something to learn and something to challenge them. Understand clearly what attributes you can do without initially, and possibly support the person to get, and those you really must have.

As an example, you may require experience with a particular tool. Can you consider someone who has used a similar tool and have your team help get this person skilled up on the tool you use?

REVISIT YOUR COMPANY BENEFITS

Working from home is no longer seen as a benefit. Post pandemic, the questions are now: can you be flexible with hours? Is there an option to make some changes to the times meetings are held to allow people to start and finish early?

With a large remote workforce, you will be saving on shared coffee, tea, fruit etc. See where that money can now be spent: lunch vouchers, compensated messages, etc. all go a long way.

BRAND YOURSELF, AND YOUR COMPANY ON LINKEDIN AND OTHER PLATFORMS

Before meeting anyone new, or attending an interview, most of us will do a quick LinkedIn stalk. Use this free tool to help you attract great staff. I am not talking only about writing a post that says you are looking for staff – although that is highly recommended.

Post things about your team, relevant things about the company that could excite people. Even things like volunteer work, or events you attend, will help people connect to you as a manager.

A candidate will be choosing to work with you just as much as they are choosing to work with your company, so sharing your professional personality will help top talent connect with you.

PARTNER WITH YOUR TALENT TEAM AND EXTERNAL AGENCIES

Have you ever walked into an electronics shop and come across a salesperson who does not know the product they are selling? You are very likely to walk out without buying something, even though you have done all the research yourself at home.

When you come across a salesperson who owns or uses the product you are interested in, you will likely leave with that product, and also a bunch of accessories you did not know you needed.

Your recruitment agency or internal talent team is that salesperson. Take the time to help them understand the role, benefits and where you can and cannot be flexible. Tell them about the wider team and strategy so they can convey this information to potential candidates.

CONSIDER BUILDING TALENT RATHER THAN BUYING

Have you considered looking at students or people who need sponsorship? So many companies eschew these options because people can take time to get up to speed. However, depending on the role, graduates and people on sponsorships can bring a different kind of diversity to the team. Their experiences can add to your team in ways you might not expect.

Alternatively, you can consider people in other job types with transferable skills that may make them suitable candidates. For example, a business Project Manager who has gained a Cybersecurity certificate could be a potential candidate if you are looking for a Project Manager for a Cybersecurity project.

HAVE A GOOD REFERRAL PROGRAM

Many times I have had clients refer candidates to me for a role within their own company, purely because they do not have an internal referral process and the application will get lost. Internal candidates are usually an excellent cultural fit. Who does not like to work with their friends?

The next few months are going to be tough for leaders in technology. People management will demand a greater focus. I hope you are up for the challenge.

www.linkedin.com/in/asmitagovind/

twitter.com/asmitagovind

instagram.com/asmita.govind


TAKE A CHANCE TO FIND OUT THE MOST SUITABLE NEW TALENT

by Skye Wu, Cyber Security Investigator, Speaker, Mentor & Champion for Diversity

“I feel like I’m stuck in a loop. I need experience to apply for entry level jobs after I graduate, but how can I get experience if no one will give me a chance?”

“It’s so difficult to find a suitable candidate to fill our roles.”

The experience of someone wanting to join the security industry and the experience of recruiters can appear like twin train tracks: running alongside one another but never intersecting.

Having been both a student wanting to get my start in the industry and a person recruiting suitable candidates for job roles, the solution has always been clear to me: recruit talent based on aptitude, motivation and potential, and help them grow.

But when I talk to the people doing the recruiting, I often find myself on the losing end of the argument. Candidates with lots of potential are not offered roles because they lack role-specific experience.

Sometimes I also hear the argument that it is unwise to recruit people who will require training, because they will move on once trained. I can understand that point of view: there is always a risk someone will leave. For some high-pressure teams the resources available to help train and develop new team members may also be scarce.

In addition, certain roles may require a very specific set of skills.

However, I want to share what happens when a beginner keen to develop the hands-on skills not taught in books and the classroom is given a chance to join a team of specialists in a high-pressure team.

What if I told you that, many years ago, a detective senior sergeant took a chance and hired for the computer crime squad a young woman (me) straight out of university with no hands-on experience in digital forensics? I got lucky. It was a highly specialised role where the outcome of my work had significant legal ramifications for people: their freedom or their incarceration.

On my first day on the job the detective senior sergeant said to me: “I want you to know, I hired you because you impressed me with how you communicate and how you think. You can articulate and explain yourself so well. This is what I want. You will learn the hands-on skills required to be a digital forensic analyst.” What followed was a whirlwind of observing and learning from some of the best minds around.

Not long into the role, I was showing investigators compiling evidence to present in court, writing statements and stepping up to testify in the witness box in the Supreme Court. (Silently reminding myself “don’t trip on the steps”). I realised I was living up to the detective senior sergeant’s expectations when, after giving my testimony, a judge thanked me for helping him understand complicated electronic evidence, and victims thanked me for my work.

When I recruit today, I focus on the spirit in which I was offered my first opportunity. I know technical aptitude is important. If a person possesses the core skills, we can teach them the day-to-day tasks. If we fail to recognise and act on this knowledge, we may miss out on a great asset to our team, or, worse, drive someone from our industry.

The same spirit drives me to work with Australian Women in Security Network (AWSN) in my spare time. AWSN supports women in the industry as well as those wanting to join. In their ranks are some of the brightest minds I have encountered. Many would be a great asset to any team.

My only request is, when you next recruit for your team, particularly at the entry level, please think about how you word your job description, how you state the role requirements and how you prepare your interviewers. Give yourself the chance to find the most suitable new talent.

www.linkedin.com/in/skye-wu-ba390919/

www.skyewu.com/


NICOLLE EMBRA
Cyber Safety Expert, The Cyber Safety Tech Mum

Tracking apps for tweens’/teens’ devices

The debate rages over whether you should or should not track your tween’s/teen’s location via their phone. Some parents feel this to be spying and wish to instill trust in their teens whilst others prefer the peace of mind that comes from being able to pinpoint their tween’s/teen’s location at any time of the day.

Which view is right?

I don’t know. All I know is, as parents, we all make what we think is the right decision for our kids at any particular point in time.

WHAT ARE SOME OF THE REASONS YOU MIGHT CONSIDER TRACKING YOUR TWEEN’S/TEEN’S LOCATION USING THEIR DEVICE?

• You may need to know your tween/teen has arrived at school safely after walking or taking public transport.
• You won’t be home from work after school, so it’s good to know your teen has arrived home.
• Your tween/teen has sports or hobbies at school or on the weekend.
• Your tween/teen has a hectic social life, and you feel much more relaxed when you can actually see where they are.
• Knowing your tween’s/teen’s location could alert you to them meeting an online predator.
• If you have a teen who drives, some apps will allow you to track the speed at which they are driving.

WHAT ARE SOME OF THE REASONS YOU SHOULD NOT KEEP TRACK OF YOUR TWEEN’S/TEEN’S LOCATION?

• Some companies have profit in mind and NOT your child’s safety. They are more interested in collecting your child’s data to sell to third parties.
• Your tween’s/teen’s data is at risk of being leaked. The privacy safeguards in some apps are not very strong.
• You could raise trust issues with your tween/teen.

HOW CAN YOU TRACK YOUR TWEEN’S/TEEN’S LOCATION VIA THEIR DEVICE?

Apple Family Sharing – Location Sharing. A family ‘organiser’ will set up location sharing in the Family Sharing app’s settings. Then family members can choose to share their location. You can lock location services (under the privacy settings) so your child cannot toggle location services on and off when it suits them. To turn on location sharing in Family Sharing, do the following:

1. Settings > [your name] >
2. Tap Family Sharing > location sharing.

Microsoft Family Safety app — Use your teen’s device to view their location on a map. You can set up frequently visited places, like home, school, sports, etc, so you can see their location at a glance. This feature is only available if you have a Microsoft 365 subscription. It works for iOS and Android. However, you may not have access to all features on all device types and operating systems.

Family Link app — Family Link by Google allows you to turn on location for your teen’s device from within the settings. This feature is turned off by default so you will have to toggle it on if you wish to use it. Location will only work if your teen’s device is turned on and signed in (with their child account). It will not work if the battery in the device is flat. Family Link works best on Android devices.

Life360 — This is a very popular location sharing app that many families use. They can see where family members are on a private map and receive alerts when family members arrive or leave school and work. It has a private chat where you can share photos and text messages. You can view location history, receive information about driving safety, and track phones. Life360 can be downloaded on both Apple and Android devices. You can take out a paid subscription for more features.

www.linkedin.com/in/nicolle-embra-804259122/

www.thetechmum.com

www.facebook.com/TheTechMum

www.pinterest.com.au/thetechmum

www.linkedin.com/company/the-cyber-safety-tech-mum/


INDUSTRY PERSPECTIVES


KAREN STEPHENS

Karen is CEO and co-founder of BCyber, an agile, innovative group that works with SMEs to protect and grow their business, by demystifying the technical and helping them to identify and address cybersecurity and governance risk gaps. Karen has recently graduated from both the TechReady Woman Accelerator and the CLP program with the Cyber Leadership Institute in 2021.

Financial services to cyber…. A journey has begun

After over 20 years in big financial services corporations I made the move into cybersecurity. You’re probably thinking “Why?” or “Are you stark raving crazy?” or “Maybe I can do it too.” The answer to the first question is “Why not?” Business skills are transferable, and a (relatively) new and definitely exciting industry beckoned. The jury is still out on question two, and the answer to the final question is “Yes, yes, you can.” You just have to want to do it.

With the exponential connectivity growth brought about by COVID and the rise of data breaches, it does not take a genius to work out there is a need for cybersecurity professionals. But cybersecurity is a broad church embracing very technical people (e.g. engineers) and the non-technical. All have the potential to make a positive contribution.

I am just getting started, but I have learnt a few things on my journey so far.

No two days are the same. Every day you will learn something new - so you need to be comfortable with change.

Read like your life depends on it. I read anything and everything cyber-related, from white papers to technical briefings. Nothing is safe from my prying eyes.

Education is queen. Self-education is important, and while it would be great to go back to university or do another postgraduate course, sometimes it is just not possible. Learning through microcourses is one way you can build your knowledge quickly and meet a great cohort of new people (I’ve just completed the AWSN Security Pathways Program and can highly recommend it).

Technical terms do not always translate between industries. After accepting an invitation to an asset management meeting and expecting a fund manager but getting a CISO (sad, but true), I have made it a personal mission to ensure I translate cyber into the language of business.

Your experience is transferable. Build on what you already know. In my previous work I specialised in SME risk management, compliance and business growth. Cybersecurity is vital across all these areas, and yet is often overlooked.

Reality versus expectations. Many people believe cybersecurity is all about hunting down threat actors and searching the Deep and Dark Web on The Onion Router, just like in the movies. For some, perhaps, but for the majority of us cybersecurity is about working with clients to harden their cyber resilience programs, putting in place workable frameworks and well-practiced incident response plans to deal with the inevitable breach.

It takes a village. My move into cybersecurity was made easier by finding a mentor and joining like-minded groups (another shoutout to the AWSN). To date everyone I have met has been very generous with their time and knowledge. The hard part is asking for help.

So, if you’re given the chance to join the amazing and fast-moving world of cybersecurity, jump in with both feet. After all, is it not better to give something a red hot go rather than to die wondering?

www.linkedin.com/in/karen-stephens-bcyber/

www.bcyber.com.au

karen@bcyber.com.au

twitter.com/bcyber2

youtube.bcyber.com.au/2mux



WHY DO I FEEL LIKE A FRAUD?

Imposter syndrome and cybersecurity — why they go hand in hand

by Sai Honig, CISSP, CCSP, Co-founder New Zealand Network for Women in Security

It can happen anywhere. It may happen during conversations around the office. It may happen when receiving an award (such as the Australian Women in Security Awards). It may happen when going on errands. It is a sense of complete unworthiness.

It comes on suddenly. The mind may go blank. In extreme situations, breathing becomes laboured or the heart rate increases. You may even start clenching your fists tightly. The need to flee may arise. These are some of the sympathetic nervous system responses to — IMPOSTER SYNDROME.

Imposter syndrome was first described by psychologists Pauline Rose Clance and Suzanne Ament Imes to “designate an internal experience of intellectual phoniness”.

Imposter syndrome is the term used when a person, despite their objective successes, has persistent self-doubt. There is anxiety about being exposed as an “imposter”. The prevalent belief is “unworthiness” of their status, position or others’ positive perceptions.

For a long time, imposter syndrome was not taken seriously. It was classified as simple anxiety, self-loathing or self-doubt. But much research has been conducted on this topic.

There are five types of imposter syndrome. Briefly, they are:
• Perfectionist – The focus is on “how” something is done. The perfectionist focuses on the minor flaws without focusing on the overall accomplishment.
• Expert – The focus is on “how much” is known or done. The expert sees minor lack of knowledge of a topic as weakness.
• Soloist – The focus is on “who” does something. The soloist sees needing help as a weakness.
• Natural Genius – The focus is on “when” accomplishment happens. The natural genius focuses on competence measured in terms of ease and speed.
• Superwoman/Superman – The focus is on “how many” roles can be excelled in. The superwoman or man sees falling short in any role as a weakness.

In all cases, weakness is associated with shame: the person believes there is something fundamentally wrong with them.

Imposter syndrome is more prevalent among women, and there is a higher rate among women of colour than among white women to develop this mindset.

For those who cannot understand why someone with accomplishments would react with self-loathing, consider this: how did you feel when someone pointed out your shortcomings? Did you feel small or vulnerable? There are social conditions that make some more susceptible to imposter syndrome than others.

Reactions to the fear of “not being good enough” can vary. An individual with imposter syndrome may shy away from volunteering for projects that could showcase or increase their capabilities. They don’t want to draw attention to themselves.

They may fear failure. These individuals may not apply for other roles and stay sequestered in the same position. By doing work they are familiar with and have done before, there is no chance of failure. However, there may also be no chance for growth.

Some may have a fear of loss of income, employment or specific relationships: losses that can have devastating consequences. However, their capabilities are never acknowledged.

Cybersecurity, by its very dynamic nature, encourages cases of imposter syndrome.

• Career paths in cybersecurity are unclear or uncertain. There are no defined entry points or measures of expertise. Most come into cybersecurity from related fields like IT. Career changers or those with completely unrelated backgrounds are encouraged to join the ranks of cybersecurity professionals. Success is difficult to define, and benchmarks difficult to establish, adding to the uncertainty.
• There is ambiguity, and environments are dynamic. Cybersecurity professionals are continually trying to identify and eliminate vulnerabilities and block attack vectors. It is difficult to feel a sense of mastery when scrambling to deal with new threats. What may be known today may be obsolete tomorrow, next week, next month or next year.
• The skills required are evolving constantly. After spending time learning new skills cybersecurity professionals are faced with situations that demand learning more skills. After several years into a cybersecurity career, they may feel they are starting over repeatedly. Having to grapple with their newly acquired advanced skills that become outdated in just a few years can leave a person constantly feeling like a beginner. Enjoyment in accomplishments can be short-lived.
• The breadth of knowledge required is huge. Cybersecurity Body of Knowledge has indicated there are 19 “Knowledge Areas”, not including the different technologies that fall under each of them. It would be difficult to have mastery of multiple areas, let alone all of them. Acknowledging a lack of mastery isn’t a confidence booster.
• There is a high failure rate. Attackers only have to get it right once. As defenders, we have to be right 100 percent of the time and are called out when we fail even once. The best defences will fail. Cybersecurity professionals need to acknowledge their failures without losing their sense of accomplishment and self-worth.

On top of all this, there are not enough of us. We are often working longer and harder just to keep up. It can feel overwhelming at times. It is easy to see how imposter syndrome can creep in.

Ultimately, self-acknowledgement is the key to overcoming imposter syndrome.
• Acknowledging that imposter syndrome happens.
• Acknowledging what imposter syndrome does to your body.
• Acknowledging what imposter syndrome does to your mental state.
• Acknowledging what you can do to overcome the effects.

There is no single remedy for imposter syndrome. Talking about it with understanding and accepting colleagues often helps. You might find others in your professional circles having the same thoughts.

For some, consulting with mental health professionals is necessary. There should be no shame in reaching out when you need help.

Sometimes writing about it can reduce the anxiety one feels. Writing this article certainly helped me. Whatever you need to do, do it.

The world needs cybersecurity professionals. We cannot let our anxieties prevent us from keeping our world safe – online and off.

www.linkedin.com/in/saihonig/

NZNWS www.newzealandnetworkforwomeninsecurity.wordpress.com



INSPIRING GIRLS by Jessica Roberts, Social Media and Content Creator volunteer, Inspiring Girls Australia

You might have seen the hashtag #ThisLittleGirlIsMe popping up all over social media as women around the world share stories of their careers and personal journeys. This social media campaign for ‘International Day of the Girl’ was started by the global charity, Inspiring Girls.

Inspiring Girls is on a mission to break down gender stereotypes so young girls can reach their full potential and have the confidence to follow their dreams. The charity connects young girls with female role models through school workshops, inspiring the girls to aim high and believe anything is possible.

Jessie Li, Chair of Inspiring Girls Australia, tells Australian Women in Security Magazine how Inspiring Girls started the #ThisLittleGirlIsMe campaign, why it is important to raise the aspirations of young girls, and offers advice for professional women who would like to be an Inspiring Girls role model.

TELL US ABOUT THE #ThisLittleGirlIsMe CAMPAIGN. HOW DID YOU COME TO START IT?

We started #ThisLittleGirlIsMe to broaden young girls’ exposure to a wide range of roles they may never have considered before. With young teens spending a lot of time on their phones it’s important to fill their feeds with positive content. So, we thought a great way to help girls find their passion would be to connect them to female role models on social media. By tapping into these inspiring women they can see what could be, be empowered to reach for the stars, and realise their potential.

HOW DID YOU PROMOTE IT? WHAT REACH HAS IT ACHIEVED?

We reached out to as many inspiring women as we could, asking them to share their stories with the young girls of today. The response was extremely positive, with women embracing the campaign and calling on others to take part. We had some incredible women join in, including Melinda Gates, Billie Jean King, Arianna Huffington and Sheryl Sandberg. We ended up with thousands of posts from women all over the world. They included a wealth of women from different backgrounds and careers. We had scientists, athletes, entrepreneurs, journalists, activists, film directors, authors, doctors, musicians – the list was endless.

And while we heard incredible stories from high profile women, we were also inspired by the number of local women who got involved. I think this is what helped #ThisLittleGirlIsMe become the campaign that generated the most buzz ever on LinkedIn – something we are so proud of. As our founder, Miriam Gonzales Durantez, said, “It doesn’t matter if you’re a CEO or an intern, we all have a story to share and we can all do our part to support each other”. And it will be local women in their communities who will generally be the ones to provide mentorship and support to young girls.

WHY DO YOU THINK THIS CAMPAIGN RESONATED WITH SO MANY PEOPLE?

Every woman was once a little girl with dreams. Some of them have been able to fulfil those dreams, and some of them are still working on achieving their dreams. So, it’s a process of women empowering other women and girls by sharing their experiences and life journeys, describing how they realised their ambitions. Those are very powerful messages for other women or girls who want to do something similar in a particular field.

I SEE INSPIRING GIRLS STARTED IN AUSTRALIA ONLY IN 2021. HOW DID THAT COME ABOUT?

I first came across Inspiring Girls when I was in Hong Kong last year. They asked me to join as one of their role models because they loved my career journey. I had spent about a decade in investment banking before leaving when I realised my true passion lay in empowering and supporting women.

Visiting different schools to deliver speeches for Inspiring Girls Hong Kong, I saw how much it meant to the girls to have female role models. This was especially the case for those wanting to pursue a career in a male-dominant field and not knowing what to expect. Having someone in their life to share the experience of working in those fields gave them a little bit more certainty and confidence to pursue that kind of career.

So, I reached out to the headquarters with a proposal to start a new chapter of Inspiring Girls in Australia. I’m hoping to create an environment for girls to discover their passions at an early age, and also help to boost their confidence.

DO YOU HAVE LOCAL PARTNERS, SPONSORS, ROLE MODELS YET?

Julia Gillard is one of the role models on our video hub. She is someone who knows all too well what working in a male-dominated industry is like, and the strength it takes to push past those barriers to achieve your dreams. We hope her words encourage young girls to aim high and seek positions of leadership.

We are also working with local councils on some exciting events next year, so stay tuned.

OUR MAGAZINE IS AIMED AT WOMEN WORKING IN CYBER AND PROTECTIVE SECURITY. WHAT ADVICE WOULD YOU GIVE TO ANYONE READING THIS WHO MIGHT THINK OF BECOMING A ROLE MODEL FOR INSPIRING GIRLS?

STEM is definitely a top focus for us. We would love to invite more girls to think outside the box and go for roles in cybersecurity. We would absolutely love to invite role models to come to the schools to speak about what it is like in their everyday working life in cyber and protective securities and what inspired them to pursue a career in the industry.

For those considering becoming a role model, my advice would be to take the leap and do it. Young girls may not know much about cyber and protective security, and a role model could provide the inspiration that helps someone find their passion in this space.

YOU HAVE A FEW AUSTRALIAN WOMEN FEATURED ON YOUR YOUTUBE CHANNEL. WHAT WOULD YOU SAY TO ANY OF OUR READERS WHO MIGHT BE INTERESTED IN FEATURING IN A VIDEO TO PROMOTE STEM ROLES, AND SECURITY ROLES IN PARTICULAR, TO YOUNG WOMEN?

The video hub is not just for high profile women, we are calling for all women with interesting and inspiring journeys. We don’t want women to shy away from filming a video or being role models because everyone has the potential to help and inspire others.

Also, this is not just about women empowering young girls. There might be women in other industries or sectors who are thinking about joining STEM, and this is a great opportunity to inspire them. Our video hub is open to all ages and backgrounds – an inspiration destination for all. I invite your readers to head to our website and follow the links to put a video on the hub. We would love to hear their stories.

WHAT ELSE DO YOU THINK NEEDS TO BE DONE TO RAISE THE ASPIRATIONS OF YOUNG GIRLS AND INCREASE THE VISIBILITY OF FEMALE ROLE MODELS?

I think it’s something that should be cultivated at a very young age. By exposing girls earlier to a variety of opportunities, they can take the necessary steps and be more prepared to pursue certain sectors. That’s what Inspiring Girls aims to do – open these young girls’ eyes, empower them to follow their passion, and ultimately create diversity in the corporate world. To achieve this, we need to stick together and support each other as much as we can.

www.linkedin.com/company/inspiring-girls-australia

www.inspiring-girls.com.au/

Volunteer application form: airtable.com/shrODXT0dq3qvzEW3

www.instagram.com/inspiringgirlsaus/



DATA CENTRIC STORYTELLING FOR CYBER SECURITY by Sarah Iannantuono and Deepa Bradley

“The most amazing thing for me is that every single person who sees a movie, not necessarily one of my movies, brings a whole set of unique experiences, but through careful manipulation and good storytelling, you can get everybody to clap at the same time, to hopefully laugh at the same time, and to be afraid at the same time.”

- Steven Spielberg

From the cave art of 30,000 BC, the fairy tales of the Brothers Grimm in the 19th century, to modern interactive videogames, stories have been used to entertain, educate, inspire and influence.

It comes as no surprise that modern research has shown one of the best ways to engage an audience, ensure your content is memorable, and build a relationship is through the process of storytelling [1]. In an enterprise context, storytelling is an effective tool that can be used to influence stakeholders, inform strategy and shape agendas.

The last decade saw the profile and importance of cyber security elevated to board level. Cyber security now has a prominent seat at the table and executives are now required to communicate on cybersecurity with authority.

BASEMENT HOODIE-HACKERS AND EXECUTIVE INFLUENCERS

While there is a concentrated effort to change certain stereotypes in cyber security, there are still many who perceive those within the field to be basement-dwelling hoodie-hackers; great technically but perhaps lacking in soft skills.

To drive an organization-wide cyber security program it has never been more important to brush up on soft skills and ensure there is a strong strategic business capability within the cybersecurity team to translate the technical story into meaningful business outcomes. Cybersecurity should be seen as an enabler and market differentiator, supporting the business to meet enterprise objectives.

Leaders should think of the ‘cybersecurity team’ as a trusted partner to enable the business, rather than the ‘NO police’ stopping innovation and progress. When communicating to C-suite or executive stakeholders, it is critical to highlight the broader business risks and opportunities through storytelling, and focus less on pure technical security and compliance.

“An effective way to harness storytelling for executive stakeholders is to combine your narrative, your visual and your data to influence and drive change.”

Figure: Narrative + Data = Explain; Visual + Data = Enlighten; Narrative + Visuals = Engage. Source: Forbes

THREE STEPS TO DRIVE IMPACT IN YOUR STORYTELLING

One: provide context through data

Rich metrics can be harnessed to show a maturity journey that identifies the areas in which the cyber security team is meeting key business objectives. It is important to interpret and display data in such a way that it provides key, contextualised insights targeted to your audience. For example, as part of a presentation to a hypothetical board ‘audit and risk committee’, you might focus on the status of remediations for the firm’s ISO 27001 audit, instead of looking at new vulnerabilities discovered and remediated.

Shifting the focus to the remediations of ISO 27001 can draw attention to the potential payoffs for the business through the completion of the project. In the case of ISO 27001, achieving this certification will facilitate the greater expansion of the client base in line with enterprise strategic goals.

It is therefore important that metrics are carefully selected based on the key concerns of the executive, with the additional context of how the selected metrics will achieve business objectives.

Fun Fact: having an effective cybersecurity strategy mapped to business priorities can take a lot of the guesswork out of metric program development.

Two: influence through visuals

Visuals can be used to convey meaning, allow your audience to see patterns, and identify issues that otherwise could not be seen without charts or graphs. Visuals need to be carefully crafted to clearly demonstrate interesting patterns, outliers or discussion objectives within the data.

For example, you may use a graph to highlight instances of data exfiltration by staff for each business area and month. You might also include scatter plot circles with colours based on periods of high exfiltration and map these through storytelling to what has been happening in the business.

BAM: Human Resources executives have identified that a new initiative was not well-received by a team and can hypothesise, based on ‘time of data exfiltration’, ‘team’ and ‘data taken’, that some people may be gearing up to leave/considering leaving the organisation.

An additional element of harnessing your data visually is the considered use of presentation images and colours, which may be chosen to elicit a particular feeling in your audience.

Three: unleash narrative

The final step is to unleash the narrative that has been bolstered by the addition of data and visual elements. Centring the narrative around the notion that “security is a trusted partner working to ensure the business meets objectives” will enable targeted and meaningful presentations to executives.

While incident recaps and war stories can be effective ways to communicate, there must be a balance to ensure cyber security is not seen as the proverbial ‘storm in a teacup’. Know your audience, business objectives and company ‘crown jewels,’ then target your presentation accordingly. Authenticity is important in storytelling so it’s important to make sure your narrative is true to you.

When presenting to the executive, Deepa Bradley’s background as a business turnaround director helps illustrate cybersecurity portfolio health and defines approaches required to uplift capabilities. Through regular executive reporting, she engages non-technical audiences and leaders. Focusing on knowledge sharing and raising awareness at all levels, she delivers updates as a factual snapshot, with clear recommendations aligned to good practice examples. Sarah’s background in intelligence and risk management is evident in her presentation style that takes complex topics, distils insights and presents succinctly. Each presentation is tailored to the audience, and it is not uncommon to see a little dash of humour in the presentation.

Narrative can engage and entertain an audience while simultaneously explaining the why.

SEEK is a market leader in online employment marketplaces with deep and rich insights into the future of work. The SEEKurity team is on a journey to engage and ignite powerful storytelling to bring SEEKers together on a secure and seamless journey to marketplace unification across its Asia-Pacific platforms. Over the coming months, it will hone its executive storytelling skills to bring the firm on a unified security journey.

Key Takeaway - Every year billions of dollars are spent on books and movies, allowing us to escape into stories. Let’s make board meetings fun by making cyber security a trusted partner, using data, visuals and narrative to craft stories to inform, influence and inspire.

Deepa: www.linkedin.com/in/deepa-bradley/

Sarah: www.linkedin.com/in/sarahiannantuono/

www.instagram.com/protectyodata/

medium.com/@protectyodata

[1] Sundin, A., Andersson, K. & Watt, R. Rethinking communication: integrating storytelling for increased stakeholder engagement in environmental evidence synthesis. Environ Evid 7, 6 (2018). https://doi.org/10.1186/s13750-018-0116-4



FRIENDS, COLLEAGUES, RED AND BLUE TEAMS, LEND THEM YOUR EARS! by Marty Molloy, Events, Marketing and Communications Coordinator, AusCERT and Jess Dodson, Senior Customer Engineer in Security & Identity, Microsoft

As a member-focused organisation, AusCERT has a strong focus on relationships and on reinforcing the strength of our community.

One such endeavour has been the annual AusCERT Conference. Since the inaugural event in 2001, our focus has been on profiling leading members of the cyber community as keynote speakers, and on connecting industry professionals.

Providing a platform for women in the industry to showcase their insights, skills and experience at the conference also helps to defeat the “imposter syndrome” that many in the industry experience. Showcasing the best representatives of our ever-growing and evolving industry also helps us to continue the forward momentum we strive for.

One such person is Jess Dodson (a.k.a. Girl Germs) who I chatted with recently about how she’s been able to find her voice, and have it heard.

Hi Jess, can you tell me a little about yourself (what you do, why, etc.)?

With close to 20 years of experience in systems administration, identity management, and now security, I’ve slipped over from being pure “operations” into being “security operations”. My formal title is ‘Senior Customer Engineer in Security, Compliance, Identity & Management’, but that’s a bit of a mouthful. I just call myself a ‘SecOps Witch’.

My job involves helping organisations of all sizes and from all industries better understand the threat landscape, better protect themselves and their infrastructure, and better use the Microsoft tools they have at their disposal.

As for why, I like helping. I feel being part of the “blue team” fits with that ethos of wanting to do the right thing and help where I can. I love passing on information, and I love it when a customer or organisation no longer needs me, because it means I’ve passed on all the information I can, and they’re comfortable and confident to go it alone. I’m rather prolific on Twitter as well (@girlgerms), ranting a fair bit about basic security because I feel it’s something we see time and time again being the cause for major outages or breaches. I really want to help organisations get those basics right.

In my (non-existent) downtime I’m a Lego addict. I spend far too much money on it and proudly display it in all my Microsoft Teams meetings. My latest Lego creation is a QR code URL - which actually works! I’m a video gamer (when I have the time) and I’ve been a Blizzard tragic for many years. I’m currently hoping to get some time over the holidays to play Diablo II Resurrected, because Diablo II is one of my all-time top five games. I am also a mum to a small human, an incredibly intelligent, stubborn and cheeky four-year-old - don’t know who she could take after with that personality...

How did you come to be involved with AusCERT?

I knew about AusCERT from way back when I first started in IT. I worked for the University of Queensland, so had some knowledge of AusCERT activities back then, as well as receiving threat intelligence from it. As time went on, I became friends with AusCERT employees, and I’ve kept in touch since. I most recently came to be involved with AusCERT through submitting a talk for their 2021 conference and was incredibly thrilled when my talk was picked.

What opportunities and/or advantages do you think you’ve had by being a speaker and panellist at AusCERT conferences?

The chance to be seen as a security technologist, finally. Previously, I’ve been known as an identity person or a Windows sysadmin. Speaking at AusCERT and being privileged and honoured to be invited to be on the keynote panel meant I was finally seen as being part of the security community. That has been an advantage. It has allowed me to put my foot in the door with this community, as well as being a huge opportunity for me. I was invited, off the back of my AusCERT presentations, to give a keynote for the Australasian Higher Education Cybersecurity Service (AHECS), which took place on 10 November. I am truly grateful to AusCERT for taking a chance on me and letting me speak not once, not twice, but THREE times as part of AusCERT 2021.

How do you maintain a positive outlook and/or defeat the negativity that can creep in?

I have the same level of cynicism and snark as anyone in the industry, but deep down I am a perpetual optimist when it comes to security. I think that comes from feeling someone has to be that way, or else nothing is going to get done. I’m stubborn and strong-willed and obnoxious to the point of being annoying. I want to get things DONE. I want to fix things. I know that to get things fixed, to make changes, to see things improved, someone has to champion causes and be the loud voice saying, “We need to do this!” And that’s me. I think that’s what drives me to keep going. Someone needs to be that voice.

How can cyber organisations, and the cyber community in general, help individuals like yourself find a voice and have it heard?

I’ve spoken about this extensively as part of a talk I gave at CrikeyCon in 2019 (CrikeyCon 2019 - Jess Dodson - Women’s Stories from the Tech Trenches - YouTube). There’s so much that can be done, but I think the biggest point is for organisations to listen when women members speak up about something. Call out colleagues when they say sexist, racist, homophobic, transphobic, or ableist things. Change hiring practices so that women feel more included and see roles being presented as being for them.

There is so much organisations and the community can do, and I hope we can move the needle a bit further on this so the next generation is not living our realities.

What would you like from Santa this year?

I wish I wasn’t a slave to my capitalist masters and I could say “nothing”, but in truth, I would absolutely love the new Lego Star Wars UCS AT-AT recently announced. At 62cms high and 69cms long, I have no idea where I’d put it, but I don’t care...I really want it!

Thanks so much for your insights and time Jess, and may you continue to educate, innovate and build Lego.

Jess: www.linkedin.com/in/jrdodson/

girl-germs.com/

Marty: www.linkedin.com/in/marty-molloy-14100932/

www.auscert.org.au/


UNIQ YOU’S MISSION: GET MORE GIRLS ENTERING MALE-DOMINATED INDUSTRIES by Stuart Corner

A new service, UNIQ You, launched in Queensland in November, aims to get more girls entering industries where women are presently underrepresented by building a more robust understanding of these industries and the roles within them.

UNIQ You will connect high school girls and their guidance and career officers with female advisors drawn from industries where women are under-represented.

Thirteen corporate foundation partners from industries that have less than 40 percent representation of women have signed on for the program: Aurecon, BMD, Boeing, Hutchinson Builders, Origin, Oz Minerals (SA), Seqwater, Shell’s QGC Business, Skedulo, Tesserent (VIC), Urban Utilities, Ventia and Yurika.

Female advisors from these thirteen corporate partners will give their time to provide industry insights to grade 9 to 12 high school girls from 30 schools in Queensland through personalised one-on-one video calls.

In its first year UNIQ You aims to connect more than 600 girls with 100 female advisors across 10 industries.

Many of the sponsor organisations are national or multinational and the plan is to secure further funding and take the program national if the Queensland pilot proves successful.

One of the partners, Skedulo, a Brisbane-based developer of scheduling software and software for mobile workforce management, will provide the software to manage the relationship between girls and their advisors, including scheduling of their virtual meetings.

UNIQ You is the brainchild of Tanya Meessmann, founder of Girl Shaped Flames: a service that connects high school girls with role models to help them build confidence.

She said, by connecting girls with relatable, inspirational female role models across a diverse spectrum of industries, UNIQ You would “address their exact queries, concerns and curiosity around what these career pathways can offer.”


For more details, connect with SheLeadsTech Melbourne:

https://oneintech.org/our-programs/sheleadstech/ https://www.linkedin.com/company/sheleadstech-melbourne sheleadstech@isaca-melbourne.org.au

Feel free to connect also with your local ISACA chapter.


I CHOOSE TO CHALLENGE… COMPANIES TO EXPAND YOUR THINKING by David Braue

A DEI mission statement doesn’t make you diverse

Since 2014, McKinsey & Company’s studies into the financial benefits of diversity have become a rallying cry for diversity, equity and inclusion (DEI) advocates – and sage advice for business leaders struggling to pursue dramatic transformation initiatives due to problematic staffing shortages.

In case you’ve been sleeping, McKinsey’s conclusion was clear in 2014, and has only gotten stronger in two subsequent reviews: companies with highly gender diverse executive teams are 25 percent more likely to outperform their less-diverse peers, with an even stronger improvement – 36 percent – correlated with high rates of ethnic diversity.

Can you think of any other initiative that promises such striking benefits for so little effort?

We can’t, either. All you have to do is to be fair. Hire and promote more women and non-white people. Embrace diversity and everyone will be happier, more productive, and better off.

Yet no matter how much we all understand that diversity is beneficial to the business, companies are still terrible at implementing it, with a recent Dream Collective survey finding that 61 percent of respondents had not seen any significant change to their working environment.

And, despite a similar percentage of men reporting that they are both aware of and willing to participate in DEI programs, 48 percent of respondents said they are feeling fatigued by discussions around diversity – with a third of respondents reporting that the diversity programs led by their companies’ HR departments are “not at all motivating or engaging”.

Maybe there’s more to improving DEI than PowerPoints and sweeping corporate visions. Maybe the way to live the McKinsey dream is to actually do something about diversity – and let everyone know why it’s the best course of action.

HERE’S SOMETHING THAT DID WORK

Since many managers struggle to think in ways that aren’t financially related, one approach that has proven successful is for managers to simply accept that diversity will help the business both socially and financially – and then listen to the people that it most directly affects.

This approach has worked well for Aussie Broadband, the Internet service provider whose work around DEI helped it win the Diversity and Inclusion category of the recent ACOMM telecommunications industry awards.

The company’s Pride Committee, for example, has more than 100 people in it – a massive number considering that the entire company has just 700 employees. Other working groups include Reconciliation Action Plan, Inclusion and Diversity, and a newly formed Neurodiverse group. Committees are only one part of the company’s DEI work: the recent allocation of physical spaces within the company’s office as low-stimulus, low-lighting Room of Any Requirement (ROAR) rooms where staff can go for prayer, quiet time, or to put on provided noise-cancelling headphones to reduce stimulus that may cause them distress in the normal working environment.

“Almost every single thing, every single outcome or action that we’ve done, every single program that we’ve run, has been staff-led – raised by staff because they feel comfortable to do so,” community impact manager Caroline Kennon told WiS, noting that the company’s leadership team “have always had a real focus on diversity and inclusion being their responsibility to thrive and be a part of.”

The guidance of the special-interest groups has not only empowered the workforce to advocate for workplace changes to support employees while in the office, but is also being tapped to rework operational processes that may have been inadvertently marginalising diverse workers.

Members of the neurodiverse working group, for example, worked with HR to address some aspects of the recruitment process that can often put off potential neurodiverse applicants.

This means, for example, decluttering the layout of job ads, providing questions before the interview to provide time to prepare, or offering remote video interviews because “they might be able to manage their anxiety a bit more from home just for the interview”.

“People with anxiety or ADHD will respond in really different ways to a traditional interview situation when thrown questions that they haven’t been able to prepare for, or where they may talk about things that are a bit divergent from what the question was, because that’s the angle their brain takes.”

“That doesn’t mean they’re not suitable for the role,” Kennon said. “It just means that in that situation, it was incredibly difficult for them to engage in the way that we had already put into this very structured, traditional framework.”

Aussie Broadband’s experiences in improving diversity have produced a workforce that is both engaged and proactive, garnering the company an 86 percent positive Great Place To Work rating – compared to the median of 55 per cent across typical Australia-based companies – that ranked it the country’s 16th best workplace for medium-sized companies.

Significantly, the company did not set specific targets for gender diversity – yet has seen representation of women grow to 32 per cent of the workforce in a few years.

Kennon believes this growth has come because the company has avoided tokenistic, binary approaches to equality and instead has implemented policies that understand that men, women, and gender-diverse employees can’t be defined simply on those criteria.

“Everyone is incredibly different, and needs different things out of their workplaces,” she explained. “It comes from that real focus that staff should always feel like they can bring their whole selves to work. And if you work with that fundamental, then you have to recognise all the different things that make staff, as opposed to targets that really silo them into a single group.”

TIME TO EXPAND YOUR THINKING

This, then, is the hidden caveat behind McKinsey’s analysis: just balancing gender numbers won’t give you the kind of diversity that you need.

In a business climate where the so-called ‘great resignation’ is pushing employees to reinvent themselves – and to not be afraid to take radical steps to distance themselves from unaccommodating workplaces – business survival will depend on the ability to meet employees on their own turf.

And if you’re one of the companies that has been crowing about adding women to your board or C-suite as though it magically makes you diverse enough, please stop right now.

This is one area where walking the walk is way more important than talking the talk – and even the oft-cited checklist of family-friendly items, like extended maternity leave and paternity leave, just doesn’t cut it anymore.

“That’s all standard now,” said Kennon. “Why are you congratulating anyone who’s doing that stuff? That’s

Just because you have DEI metrics doesn’t mean that you have DEI ownership. Sharing high-level goals that are cascaded down to your IT leaders tends to create only a vague path forward.

to them, their organisation, and their success,” they said. “These comments and questions aren’t necessarily new – but what is new is that we’re starting to see the demand for demonstrated, measurable results.”

Delivering those results has been challenging, Justice added, given that DEI initiatives have conventionally been top-down mandates with little supporting tools for tracing or ensuring accountability.

“Just because you have DEI metrics doesn’t mean that you have DEI ownership,” they said. “Sharing high-level

goals that are cascaded down to your IT leaders tends

the baseline expectation. It’s nothing groundbreaking,

to create only a vague path forward.”

it’s narrow-minded, and it’s certainly not diverse when you just look at gender.”

“Simply seeing the numbers doesn’t create the personal ownership that we need, especially if leaders

A recent WILEY survey of tech workers confirmed

aren’t being held individually responsible.”

that potential workers are already evaluating your company culture long before they’ve signed on.

“It’s overwhelming for the leaders that we are expecting to take action,” they added, “and the stress

Fully 64 percent of survey respondents said,

of all this is falling on the shoulders of IT leaders who

for example, that they believe technology hiring

really don’t know what to do.”

discriminates against people from minority backgrounds and half of young tech workers reported

Existing dynamics had made it hard to establish

leaving, or wanting to leave, a tech job because they

consequential accountability for driving real

felt uncomfortable or unwelcome.

change through companies’ recruitment programs, operational policies, and everyday employee support

The onus is on companies to fix this – not only to

and engagement mechanisms – but regular and

add gender diversity to the hiring process, but to add

ongoing engagement can help change all of that.

transparency and adapt processes to ensure they don’t disadvantage employees that would otherwise

Conventional diversity metrics “can often bring

be a significant asset for the company.

resentment from other groups,” noted Aussie Broadband’s Kennon, reiterating the importance of

“People want to see the identities and voices that

executive guidance and engagement at every level.

organisations are bringing to the table,” noted LJ Justice, research principal with Gartner, who noted

“We know that trickles down,” said Aussie Broadband’s

that executives “are all feeling mounting pressure

Kennon. “When staff see [executives] being there,

when it comes to moving the needle on DEI.”

they understand that that’s part of what we do at Aussie Broadband. And we’re seeing results from that

“Employees are asking CEOs and their IT leaders to

strategy.”

set aside time and space to discuss what DEI means

WOMEN IN SECURITY MAGAZINE

83


BUILD INTEREST AND THEY WILL COME

by Nicole Stephensen, Privacy expert and Director of boutique privacy firm, Ground Up Consulting

Over the past few months, through campaigns such as #ThisLittleGirlIsMe, I’ve read tremendous stories — uplifting, poignant and deeply moving recollections of getting from ‘there’ to ‘here’ — from women all over the world in a variety of sectors, disciplines and leadership positions. The idea behind #ThisLittleGirlIsMe is that girls and women cannot aspire to be what they cannot see.

In addition to inspiring others, these stories felt to me like a fabric whose threads were the outreach of thousands of authentic selves — rather than any perceived sameness of experience — connecting and interconnecting women.

This brings me to a recent conversation about encouraging more women to start (or shift into) a career in cyber. I had been expressing my need to find a skilled junior consultant to join my privacy firm, and expounding my view that the privacy discipline had become naturally (wonderfully) entwined with the likes of risk management, public policy, information security and, increasingly, cyber. But then I heard a comment that put my nose out of joint: ‘A greater focus on STEM will mean more women in cyber careers’.

100 percent, possibly! But please, let’s not pigeonhole. After all, I am in cyber. I’m a crossover. I’m principle-based decision-making meets follow-the-rules. I focus on personal information as a subset of all the data cyber folks are tasked with protecting.

STEM refers to science, technology, engineering and mathematics. It’s a grouping of disciplines we often see referenced in the context of education policy and the building of school curricula that will orient young minds to the challenges and possibilities of their future lives. A strong foundation in STEM subjects, plus the development of soft skills like communication and leadership, can lead to diverse career paths where those core technical competencies shine through.

And there are so many women whose contributions to their fields — and to humanity — have inspired the generations who followed them. An online search for ‘famous women in STEM’ will fill your afternoon with the stories of Marie Curie, Ada Lovelace, Grace Hopper, Chien-Shiung Wu, Jane Goodall and Annie Easley, to name a few.


I don’t fit into the STEM camp. I’m Arts all the way. They lost me at fractions in primary school, and I have a passing, and probably inaccurate, remembrance of the Periodic Table of Elements (Ask me about the cool Periodic Table of Privacy published by Calligo, though, and I could teach a course on it). I attended university on an honours English scholarship, and was a creative writing major — for the uninitiated, that’s poetry and playwriting — and was deeply moved by courses in Holocaust literature and the frankness, and fearlessness, of authors like Jerzy Kosinski (The Painted Bird) and Elie Wiesel (Night). It was these that led me, ultimately, to political science. I know, I know, poli sci has aspects like international relations theory and game theory (e.g. the Prisoner’s Dilemma) that push it into the realm of soft science (ahem, STEM), but in the main my concern was always with the writing, the connecting, the understanding, the illustration and treating of the wicked problems facing humanity.

I suppose if you add an ‘A’ to STEM (to get STEAM), the problem of where an arts person fits in the cyber career pathway is dealt with. But is it really? If the nature of our disciplines, rather than the nature of us — who we are as women, what motivates us — is the key to defining our career, aren’t we missing the point?

Of the women I know in cyber, only a few actively pursued their career path purely as an off-shoot of a STEM discipline. I know some who don’t have a formal discipline, but rather ‘a calling’ to serve the community. Some are keen to do work that directly protects their kids in online environments. Others have witnessed or experienced technology-facilitated abuse and want to prevent this insidious behaviour from impacting others.

Some have policing backgrounds and have moved into online policing roles, focused on areas such as fraud prevention and detection and the elimination of child exploitation. Some are educators who see employees as an organisation’s greatest line of defence. A few are military veterans whose aptitude for threat hunting extends to the deep, dark corners of cyberspace.

Some are public policy makers keen to see improved legislative safeguards for personal information (and other data), aged care advocates tired of watching elderly friends and family fall victim to scams, and volunteers ready to lend a hand with identity recovery.

All of these women — the whole complicated, diverse, engaged, clever, motivated, multitalented melee — have found their way to cyber.

What do I think brought them here? Interest.

www.linkedin.com/in/nicole-stephensen-privacymaven

www.groundupprivacy.com.au


COZMOS: CHOOSING TO CHALLENGE A PLATFORM BUILT WITH DIVERSITY AND INCLUSION IN MIND

by Laura Jiew, External Engagement at UQ ITEE

The University of Queensland’s School of Information Technology and Electrical Engineering (UQ ITEE) has been hosting its annual Innovation Showcase event since 2012. It is a cornerstone faculty event that gives students the opportunity to highlight the range of their end-of-year and capstone student projects.

Students who take part in the event are eligible to win $1,000 in prize money, thanks to the generous sponsorship of various industry organisations. Entries this year fell within the broad areas of electrical engineering, information technology, computer science, software engineering, design computing, multimedia design and cybersecurity.

On the evening of Thursday 4 November 2021 more than 100 students participated making 45 submissions in more than a dozen prize categories to showcase their end-of-year projects to industry sponsors and guests, VIPs and the wider university community.

This year a new prize category was introduced: Best Diversity & Inclusion Application Project, specifically targeting student projects with strong gender diversity and female representation. The inaugural winners of this prize category were Vanessa Ackermann, Sophie Bates, Cassandra Carse, Cassia Gulley, Ashleigh-Rae O’Neill and Brooke Powell with a project titled Cozmos, a neurodivergence-friendly Chrome extension and web application designed to facilitate and encourage a safe and engaging online community for people with autism spectrum disorder (ASD).

Cozmos is a social platform designed to ease social difficulties among autistic adults by encouraging connection through shared interests.

Technology designed for an autistic audience has often focused on suppressing ‘undesirable’ traits. Cozmos takes a different approach, providing a space for users to express themselves, and forge meaningful connections with like-minded people.


Best Diversity & Inclusion Application Project by Blackbook.ai: Team Cozmos

Cozmos is a social mobile-computing project created as a product of thorough UX research, qualitative inquiries and literature study. The platform, a prototype, has been designed to accommodate the needs of participants and encourage them to focus on their strengths and individuality.

A Blackbook.ai representative who attended the Showcase event as a judge and industry sponsor for the Best Diversity & Inclusion Application Project category was blown away by all the entrants, but the winning team from project Cozmos was an absolute standout.

“Team Cozmos has put much work into the user research and interaction design of their product, and I’m so excited to see this hard work continue to pay off.”

- Brooke Jamieson, Head of Enablement AI/ML and Data, Blackbook.ai

Cozmos was developed as part of DECO3500, a university course on social and mobile computing that sets students the task of designing a social or mobile technology to address the needs of a specific domain – specifically, the various ways that social awareness can be built into technology features.

Whilst it is a compulsory course for UQ’s Bachelor of Information Technology (User Experience) and Master of Interaction Design students, it is also a popular elective for students enrolled in the Bachelor of Software Engineering, Bachelor of Computer Science and Master of Information Technology.

In this course, students are encouraged to form a team with fellow students who share similar interests. Luckily, all six of the project’s team members were interested in mental health and accessibility. Some team members have family members with autism or are neurodivergent themselves — hence the motivation to address this issue. The team wanted to design something positive, something that celebrated autistic traits instead of trying to hide them. With that goal Cozmos was conceptualised.


“Being neurodivergent myself and having been involved in online autistic communities in the past, I have witnessed and experienced the frustration with research being mainly curative-focused and mostly aimed at young autistic males.

“This has left autistic adults — particularly women and non-binary or ‘assigned female at birth’ also known as AFAB folks — with little access to resources.”

- Cassandra Carse, currently pursuing a Master of Information Technology with a focus on web and software development.

Vanessa, Sophie, Cassandra, Cassia, Ashleigh-Rae and Brooke are all students of interaction design, software engineering and information technology and are passionate about encouraging more girls and women to pursue STEM and computing-based studies. When asked to describe their feelings after winning this inaugural prize category, the team had this to say:

“Regardless of whether we won the award or not, the team knew our project could be impactful for autistic adults and we had planned to continue developing it after the semester finished. However, winning the award has been SO encouraging.

“Being able to talk to industry representatives, especially Brooke from Blackbook.ai was incredibly inspiring, and our team is more driven than ever to get this project to the next stage. We are aiming to finish developing the site over the summer holidays and work with UQ to deploy it early next year.”

- Team Cozmos

Women’s role in technology and STEM has always been integral, from Ada Lovelace, known as the first computer programmer, to brilliant women like Katherine Johnson working on computers at NASA.

Don’t let anyone make you feel you do not belong. Continue supporting each other and be confident about what you have to offer. The tech industry needs more diverse perspectives to grow, and would not exist without women. Keep choosing to challenge!

- Team Cozmos

www.linkedin.com/company/uq-itee

twitter.com/UQSchoolITEE




CYBER RESILIENCE IS NOT A TREND BUT A NECESSITY

by Baya Lonqueux, CEO at Reciproc-it

The health crisis we have just experienced was undeniably an unforeseeable shock that highlighted our vulnerability. Our habits and our daily lives have been stress tested during these past two years. We had to react quickly and face this unexpected event as best as we could.

Emergency measures were taken worldwide to contain the epidemic. Biotechnology and research were mobilised to find a cure and strengthen our immunity and resilience.

Containment measures were applied to limit the spread of the virus. Other measures were required to ensure the continuity of our economic activities and guarantee the survival of our companies.

Recourse to telecommuting was one solution implemented (often at short notice) by a good number of companies. Digital technology allowed us to run our companies and enabled the virtualisation of the world of work.

This recourse to digital solutions was opportunistic, generally unanticipated, and therefore poorly organised. It made companies more vulnerable, more exposed to cyber-attacks. We saw an explosion in the number of cyber-attacks, and many public and private companies suffered the consequences.

The primary lesson from this crisis is that we need to strengthen our resilience to improve our ability to recover from adverse health events, as well as adverse technological events.

The digital world is a revolution without limits for our emancipation, a godsend with strong advantages, but only if the risks that accompany this revolution are anticipated and simulated, and measures put in place to counter them. Nor should we neglect prevention and anticipation, two determining factors in reinforcing our resilience.

This new period of disruption, of positive transformation, of “working differently” has brought benefits and efficiency. But the dangers and threats are constantly multiplying, demanding increased vigilance from all users.

We need to assess the level of maturity we have reached in managing the security of our information systems, and our relationship with cybersecurity.

• Are we all ready to face the cybersecurity risks in a homogeneous way?
• Have we done everything to protect ourselves, our companies, our assets, our data, etc?
• Do we know enough about our risks to anticipate, manage, and control them?
• Is our technology analysed and simulated to identify vulnerabilities and flaws, to determine our exposure to cyber-attacks?

The answers to these questions are a prerequisite to countering these new threats.

There needs to be a more global approach to the challenges of cyber threats that considers the context to protect, its components, and the strengths and weaknesses of the entire ecosystem. This approach must be coordinated and collective to create resilience and implement remediation of vulnerabilities without major consequences.

We need mature approaches to counter cyber risks, whatever the size and activities of our organisations. To achieve this maturity, we must encourage collaboration and cooperation between companies. This is the only way we can expect to improve global security.

It is more than urgent to break the taboos of “the attacked victim is not reliable” and of “the victim denial”.

We are all equal in front of cybercriminals: no one is safe from a cyber-attack. Feedback on a cyber-attack is a valuable asset, data on which we can build our cyber resilience.

Let’s enrich our knowledge of cyber threats and our cybersecurity culture to help our companies and organisations be resilient.

Reciproc-it www.linkedin.com/company/reciproc-it/

www.linkedin.com/in/bayalonqueux/

https://twitter.com/reciproc_it

reciproc-it.com/en/blog/


UNDERSTANDING THE DYNAMICS OF THE SECURITY ORGANIZATION

by Mel Migriño, VP and Group CISO of Meralco, Chairman of Women in Security Alliance Philippines

There is no such thing as a perfect model for cybersecurity organisations, or a one-size-fits-all structure that will deliver robust cybersecurity. Cybersecurity and risk management leaders in every organisation must develop their own model taking into consideration the organisation’s risk appetite, available resources and the challenges of digital transformation.

There are several factors that influence the design of an optimal cybersecurity team. This task is made more challenging by the global skills shortage, which makes organisations more dependent on consultants and managed security service providers.

Cybersecurity and risk management leaders should consider a broad range of factors when designing their security organisations; among these are maturity, governance, size, culture and budget.

Perfection is impossible. Instead, security leaders must look at the “best fit” structure that reflects the reality of their organisation and should continually assess the effectiveness of their security teams and recalibrate as needed.

Leaders need to also be aware of macro trends that impact the evolution of an organisational structure. Examples of such trends are digital transformation and customer centricity.

These macro trends increase the rate of change and complexity in digital adoption. They in turn require constant change in security processes and capabilities, and potentially lead to the emergence of new security roles such as security champions, vanguard security architects and digital risk officers: new and exciting roles in the evolving digital ecosystem.

Persistent security skills shortages have forced security leaders to explore new ways of obtaining and managing security capabilities. Managed security services and contracting have been the standard staff augmentation solutions, but more creative approaches should be adopted. Possible options include the appointment of security champions at the business level and the creation of logical cyber fusion teams for faster analysis, investigation and resolution of security issues and incidents.

However, changing the security organisation structure just for the sake of doing so should be avoided. There are guiding principles that should be considered.

1. Assess which security capabilities are required (e.g., application security, cyber resiliency) and broadly define the processes that the capabilities will be based on, including high-level process flows and the responsible, accountable, consulted and informed (RACI) matrix.

2. Aim for a separation of oversight and execution that is logical and ensures these two functions are independent. A key objective of security organisation design is to achieve appropriate levels of separation between cyber defence, IT operations and IT delivery teams. For example, the network security team may process requests and approve changes to firewall rules while the security administration team reviews and implements the changes. This separation is one of the main drivers for moving the reporting line of the CISO out of the IT organisation.

3. Don’t aim for perfection. You will never achieve it. Given the number of factors that influence the design of a security team there is little chance that the first attempt at structuring the team will be anywhere near perfect. The best approach is to implement a new design and then refine it through practical experience. Strive for measurable continuous improvement.

4. Do not be overly reliant on industry recommendations or company comparisons. Such practices will inevitably lead to possible conflict of interest and a cultural disconnect between security and the business, because every organisation has unique needs and a distinct risk appetite to be managed.

While these guiding principles are crucial to the successful design of the security and risk teams, there are other factors that influence the design of the security and risk teams.

• The risk appetite of the organisation — that is, the level to which it will proactively invest in security strategies to mitigate risk.
• The strength of governance exercised by the board and top management.
• The industry vertical that the organisation operates in.
• The traction of the information security activities and behaviours with the business and corporate risk management and compliance functions.
• The corporate culture — the level to which federation and decentralisation fit the cultural and governance makeup of the organisation.
• The exercise of authority, power and influence by the CIO. The level of support the CIO extends affects the independence and success of the security team.
• The regulatory compliance requirements the enterprise is subject to.
• The convergence of IT and operational technology and where cybersecurity and risk priorities are positioned.

It is important to note that a structure may be optimal for a specific organisation only at a specific time. As a result, cybersecurity and risk leaders need to assess the triggers that may influence various choices and decisions. These include changes in regulatory landscape, business requirements, and an increase in security’s scope of work. Review and calibration of teams’ capabilities vis-a-vis overall business objectives should be undertaken often.

WiSAP www.linkedin.com/company/wisap-women-in-securityalliance-philippines

www.linkedin.com/in/mel-migri%C3%B1o-b5464151/


I CHOOSE TO CHALLENGE… EVERYONE TO SPEAK UP

by David Braue

There are other reasons many women prefer to work from home

After two years of working from home, managers eagerly awaiting the return of employees to the office have been in for a rude shock: fully 57 percent of Australian workers want to work three or days remotely each week going forward, according to one recent survey, and 14 per cent want to work exclusively from home.

The news has been eye-opening for many managers who assumed their employees were as eager to get back into the office as they were. Yet employees’ motivations are often different, with concerning figures suggesting that many women found the shift to remote working to be a relief.

Women in particular were reporting work flexibility to be crucial for their needs, with many members of the Australian Women in Security Network (AWSN) reporting that they had become burnt out during the pandemic and had found it “really, really difficult” if companies didn’t offer part-time or flexible work.

“A lot of them were saying that they had to look for other places where they weren’t being flexible,” AWSN founder and CEO Jacqui Loustau said during the recent Australian Cyber Conference. “There are a lot of women that have left the industry, and we’re going to have a lot of work over the next few years to try and bring that back.”

Winning those women back will require more than just a big office refurbishment. For many workers, the problems lie not just in questions of whether they are more effective working at home or in the office, but whether they feel comfortable going to an office now that they no longer have to.

Problems with workplace culture are everywhere – as outlined in excruciating detail in the recent Jenkins report, which examined the culture at Parliament House in Canberra and found 51 percent of people working in Australia’s 228 Commonwealth parliamentary workplaces had experienced bullying, sexual harassment, or actual or attempted sexual assault.

More than 1700 individual submissions outlined a degrading, distressing culture where women face daily harassment and unwanted sexual advances – with Sex Discrimination Commissioner Kate Jenkins reporting that “current systems and reward structures encourage, tolerate and enable misconduct and processes that are not equipped to prevent or address the consequences of that behaviour.”

If you think the Parliamentary situation is an extreme situation, and that nothing like that could ever happen in your workplace – think again. Fully 51 percent of women who weren’t working remotely before the pandemic say their safety has increased since they were forced home by the pandemic, according to an extensive Gartner analysis that found 39 percent of knowledge workers might well leave if their managers insist on a ‘hard return’ to working fully onsite.

Many managers found it hard to accept that employees might feel more productive at home; to hear so many women suggest that they feel unsafe in the workplace will be confronting for many.

So, too, will reports that knowledge workers with a disability are also finding workplace culture to be destructive to their well-being: 81 percent say they feel respected in a hybrid or remote working environment, compared to just 56 percent when working onsite.

Also concerning is the finding that 82 percent of employees believe they work in an unfair working environment – citing factors such as a lack of acknowledgment, little information, poor support, and feeling like they are considered by managers.

“We’ve got to make sure that leaders and managers of business units understand what our employees want, and appreciate and offer them that environment. You’ve got to understand each of your employees and what makes them tick, and what works best for them – and if you haven’t got that attitude, you’re really going to struggle.”

- Darren Kane, Chief Security Officer, nbn

FIXING WORKPLACE ATTITUDES

With employees resoundingly less likely to rate the in-office work experience as positive – just 52 percent of in-office workers did so, compared with 64 percent of hybrid workers and 66 percent of remote workers – companies need to fix this culture quickly as the business world repositions itself for whatever new kind of normal awaits us in 2022.

As the Jenkins report highlighted, fixing such issues is hard when they are not being openly discussed in any meaningful way; rather, in Parliament and in many private workplaces, toxic culture tends to fester, unrecognised and unfixed, until the bombshell moment when it goes completely out of control.

In an ideal workplace, employees would call out toxic behaviour when they see it, escalating to managers who would act swiftly and decisively to shut it down.

There are signs that men at least recognise the importance of shutting down derogatory gender-based comments, with a recent Dream Collective study finding that 65 percent of Australian men believe that gendered stereotypes and inappropriate comments have a negative effect on the workplace.

Stunningly, one in eight respondents believes such situations have a positive effect in the workplace.

Putting that worrying finding aside for a moment, however, the study also suggested that 70 percent of men would feel comfortable about speaking up when they saw such behaviour.

Yet, the study noted, “‘reporting’ behaviour like this is most likely to be informal. Men are most comfortable speaking to another colleague, and least comfortable speaking to HR or other staff management.”

How would it work in your own environment? Would staff tell a manager about inappropriate comments so they can be actioned? Or would they just tell a co-worker over morning tea, shake their heads, and get on with their day?

Attitudes towards speaking up about degrading or marginalising conduct are tied closely to notions of allyship, with The Dream Collective identifying four male archetypes – each with varying senses of their impact on others, and the importance of men in achieving gender equality.

Just 17 percent of men are likely to be true ‘allies’ for gender equality, the report found, with 41 percent likely to be difficult to engage because they consider themselves as having a minor impact on what others think, and believe that men have little or no role to play in gender equality.

For managers wondering where to start, a good target is the 37 percent of men who believe men are critical to gender equality but consider themselves as having only a minor impact on what others think.

Senior managers are most likely to consider themselves as having the ‘ally’ archetype while lower-grade workers are most likely to need empowerment, through direct advocacy and engagement, to help reinforce the idea that gendered, confrontational behaviour is unacceptable – and that everyone in the workplace should be doing something about it.

Tellingly, younger workers may be most successful in this regard, since they were by far the most optimistic about their ability to impact the attitudes and actions of their colleagues.

BUILDING THE NURTURING OFFICE

Two years of hybrid and at-home work have cemented the value of workplace flexibility, with fully 34 per cent of Australian workers saying that they had been more productive since the pandemic began – including 42 per cent who attribute this to flexible work hours and 23 per cent saying they enjoyed their new work spaces or found it less distracting socialising with coworkers.

traditional office environments – and how their working arrangements can be adjusted accordingly.

“Things have changed, but people are blaming COVID as the trigger for the change,” said Darren Kane, chief security officer with NBN Co, who noted that the network’s original goal of enabling work flexibility was accelerated dramatically by the pandemic.

“The whole concept of what we’ve now got is flexibility,” said Kane – who was recognised as a

Male Champion of Change in the 2020 Women in Security Awards – noting that the office can no longer

Yet revelations that many employees want work-from-

be treated as the ipso facto best place to work for

home and hybrid working arrangements not because

everyone.

they are convenient or efficient – but because they feel safer at home – must be an eye-opener for every

“The office has to create the environment that actually

employee, in every business.

creates great collaboration, strong productivity, and great performance,” he explained.

“A fully on-site return to work is actually a risk to DEI,” Gartner warns. “The imperative is to facilitate

“We’ve got to make sure that leaders and managers of

flexibility while ensuring that all employees have an

business units understand what our employees want,

equal opportunity to participate.”

and appreciate and offer them that environment. You’ve got to understand each of your employees and

For all the talk about diversity, equity and inclusion

what makes them tick, and what works best for them

(DEI) in businesses, it will remain just talk unless

– and if you haven’t got that attitude, you’re really

companies can figure out who is being failed by

going to struggle.”

WOMEN IN SECURITY MAGAZINE

97


THE SEARCH OF THE CRIMINOLOGY IN PRIVATE SECTOR IN SPAIN

by Begoña Romero, Criminologist specialist in Corporate Security

Everything began when I was sixteen and read the short story by Fredric Brown Don’t Look Behind You. It is the story of how a kindly man becomes a murderer, influenced by the crimes of his so-called friends. When I finished it, I started to ask myself “Why this transformation? How is it possible a kindly person could kill without regret and keep doing it?”

In those years I was of an age to be making decisions about my professional and academic future. I decided to study for a career that could help me understand that change of mind. After long research and listening to the advice of other people, I decided to study criminology. However, at the time there was no bachelor’s degree in criminology, it was a specialisation in other degree courses. I would first have to study law, psychology, medicine or social work and then criminology. It would have taken me almost six years of study to understand my Why.

In 2010 I got lucky. The Bachelor’s Degree of Criminology was born, so I did not have to gain a degree before I could study criminology. However, I studied for two bachelor’s degrees simultaneously: Law and Criminology. About halfway through my studies, I finally found the answer I was looking for.

While studying in Italy under the Erasmus+ program, I decided I wanted an international career in criminology in the private sector. I also knew what I did not want: to be a lawyer, or for law to be the focus of my career. However, I did not want to neglect the skills the law degree had given me.

I faced a significant barrier to achieving my aims. In Spain, criminology is undertaken in the public sector, not the private sector. None of my professors knew how I could work in criminology except by becoming a detective. I did not like the idea of being a detective. I wanted to live my own life, not the life of others.

In the year after my Erasmus+ study, I felt stuck because I could not see the way to achieving my career goals. After an unexpected encounter with a stranger, I saw the light. I told him about my frustration with trying to find a job in criminology and the current situation of the profession. He said to me “Go to Mexico, and maybe you will find what you are looking for.” I said to myself, “Why not?”

So, I had a new target, discovering how criminology was applied in the private sector in Mexico. I saved money for two years and prepared everything to request another exchange through my university, Camilo Jose Cela University, with Anahuac’s University because it was the easiest way to get temporary residence, and if I wanted to work, it was the fastest way to get a labour certificate.

That stranger was right. I found what I was looking for. I started work as a loss prevention specialist with Amazon. That job led me to investigate other aspects of criminology and their application in the private sector.

My stay in Mexico over, I came back to Spain where I am spreading this knowledge and experience through my blog https://criminologiaempresarial.blog/. My search helped me discover aspects of security I could never have imagined, and I have helped other people understand how criminology can help to improve security and reduce the cost of investment in security.

www.linkedin.com/in/mbegonacriminology crimcorp@hotmail.com criminologiaempresarial.blog/ www.youtube.com/c/CriminologiaEmpresarial



TOP 5 TRENDS AND PREDICTIONS for Australian boards and company directors managing cybersecurity risk in 2022

By Anna Leibel and Claire Pales, co-authors of The Secure Board Book and directors of The Secure Board advisory service.

BEING INSURED FOR A CYBER EVENT WILL BE CHALLENGING

• Boards and leadership teams need to be aware that not all cyber insurance policies are made equal and organisations must ensure they completely understand what they are covered for. Exclusions/special conditions in the fine print aren’t always understood and can include ransomware co-payments or no payments, no coverage for out-of-support software and hardware and little to no funding to repair reputation damage.

• Cyber insurance is not a cyber strategy – organisations and their boards who believe that purchasing insurance is the only investment they need are putting their organisation at risk. Management must build the activation of their insurance into a robust, well-rehearsed incident response plan that reflects how the organisation plans to respond in a crisis. This includes whether the cyber event can be quickly contained through to an enterprise-wide system shut down.

• Being prepared for a cyber incident is key. If you are in a position where you need to call on your cyber insurance policy, chances are the cyber event has taken hold of your business which could mean months of restoration and ongoing financial and reputational impacts.

CHANGES TO LAWS WILL BECOME A REALITY

Critical Infrastructure Bill

With the Security Legislation Amendment (Critical Infrastructure Bill) 2020, currently under review in Federal Parliament, 2022 will provide clarity about what would trigger liability for company directors and what would make the government intervene in an organisation’s cyber incident.

For organisations in scope for the revised legislation and coming from a low base, prioritisation of investment and allocation of resources will be critical to achieving the compliance requirements.

The revisions to the act propose to hold company directors in 2022 accountable for a cyber breach. This will require boards to understand the consequences of a cyber attack, contribute to establishing a risk appetite for cybersecurity and prioritise funding and resourcing accordingly.

The application of the Bill needs to be balanced with a broader, enterprise-wide cybersecurity strategy with the objective to be secure, not only achieve compliance.

Ransomware Action Plan

• The government’s new Ransomware Action Plan proposes mandatory reporting by organisations with a turnover of more than $10 million. The reporting regime looks to better understand the ransomware threat and enable better support to victims of ransomware attacks.

• Company directors and executives will need to begin preparing for this action plan to come into effect and be clear on what it means to their organisation, including the board’s role in decision making and how they would be kept informed in the event of an incident.

• Directors will need to ensure that there is an agreed position on ransomware payments at the Board level given the plan’s decisive stance on the payment of ransoms, making it clear this is not condoned.

WITH 91% OF CYBER INCIDENTS CAUSED BY A PHISHING EMAIL, THE HUMAN ELEMENT IS CRITICAL TO NOT OVERLOOK

An organisation’s employees/partners/volunteers are a critical asset in keeping the organisation safe.

Awareness is not enough and has failed to the extent that what we have been doing for more than a decade hasn’t worked. Communications in 2022 must involve influencing behaviours and getting staff to have a healthy sense of paranoia when working through their overflowing inbox.

High completion rates of annual compliance training might seem like a good metric but it doesn’t guarantee staff will use that knowledge. What we want to see is action – a better metric is high reporting rates of phishing emails and spam.

The risk of a third party causing a cyber breach through phishing that has a flow-on effect on business is very real.

To be on the front foot, organisations need to ensure a clear agreement with third parties on how cyber incidents will be handled, when you will be alerted to an incident and what your rights are to ensure your data is protected. Examine how your contracts are set up if a contractor or third party causes a phishing risk to affect your organisation.

BASED ON GLOBAL TRENDS, WE MUST BE PREPARED FOR A SIGNIFICANT CYBER ATTACK WITHIN AUSTRALIA

• The sophistication and frequency of cyber attacks is on the rise – globally and locally and this will accelerate further in 2022.

• Over the past 12 months, an increasing number of Australian businesses have had their operations impacted by a cyber event: JBS Meats, Eastern Health, my Budget. The increase in volume of cybercrime reported to the Australian Cyber Security Centre equates to one report of a cyber attack every 8 minutes compared to one every 10 minutes last financial year.

• More than half of the Australian businesses hit by ransomware attacks paid their attackers, but only a quarter of those actually got their data returned in the past 12 months.

• In 2022, all company directors must fully understand the consequences of a cyber attack on the organisation and management must have plans in place to identify, contain and recover, and also outline the board’s role during an attack.

COMPANY DIRECTORS WILL BE HELD PERSONALLY LIABLE IN 2022 - THEY URGENTLY NEED TO UPLIFT THEIR UNDERSTANDING OF CYBER RISK

• There is a growing trend for directors’ insurance, but a key prerequisite is that the organisation also has a cyber insurance policy in place. Refer to #1 – insurance is becoming harder to come by.

• The governance landscape is constantly evolving with new and challenging issues. The pandemic, increase in frequency, maturity and severity of cyber attacks and rise of high profile sexual harassment complaints, are examples of the ongoing shift in the role of a company director.

• Company directors cannot gain confidence in the cybersecurity protections of their business by undertaking a short course or by inviting an annual deep dive on cyber. Continuous learning is imperative to contend with new and challenging risks and issues. Education and development can be explored in informal and formal ways – from podcasts, articles, briefings, workshops and training.

www.linkedin.com/company/the-secure-board
twitter.com/TheSecureBoard
www.thesecureboard.com/


CHOOSING TO CHALLENGE

By Ryan Janosevic, co-founder and COO of Retrospect Labs, Mike Barber, CEO of the Australian Cyber Collaboration Centre (A3C) and Laura Jiew (AWSN)

Retrospect Labs, a start-up specialising in cybersecurity exercises founded by former Australian Cyber Security Centre incident responders, partnered with the Australian Cyber Collaboration Centre (A3C) and the Australian Women in Security Network (AWSN) to provide the first ever competition-style incident response exercise for women working in, or interested in breaking into, the information and cybersecurity sector.

This event kicked off on 8 December and culminated in an event held at Stone & Chalk in the Lot Fourteen precinct where A3C is located, sponsored by Commonwealth Bank – on 15 December 2021.

Incident response in the context of information and cybersecurity is not an easy domain. It is super challenging. The adversaries who incident responders deal with are usually highly motivated and highly skilled. A hands-on competition style event like this gave participants the opportunity to practice how they would respond to an incident before it happens.

Each team had a broad range of participants, with diverse cyber skillsets and a range of experience levels. To reflect the make-up of real-world teams, some possessed greater working knowledge of incident response frameworks and methodologies than others.

We were excited to offer an event like this exclusively for females wanting to get hands-on incident response experience in Australia. The event ran for a week to give participants the time and space to research and strategise.

The exercises in this incident response competition included forensic artefacts, with participants playing the role of incident responders who had to analyse to understand what malicious activities had occurred and how the adversaries undertook those activities i.e., their tactics, threats and procedures used.

“We’re pretty big on the importance of diversity when it comes to our sector. We need diverse people to bring their different skills to face the threats. That’s why we focus not just on technical skills, but also the socio-technical skills.

“For example, working with the media team, talking to senior executives, or thinking about the regulatory and compliance aspects of an incident. We all know that information and cybersecurity can often be seen as the domain of a bunch of guys wearing hoodies doing their thing in a dark room.

“We want to smash that stereotype and help bridge the gap between techies and non-techies, and build the level of understanding on both sides. We need a rich and diverse skillset of people to tackle the challenges of information and cybersecurity. We need them today and we’ll need more of them well into the future.”

- Ryan Janosevic, co-founder and COO of Retrospect Labs

As participants worked their way through these scenarios, teams had to undertake standard incident response activities, such as identifying indicators of compromise (IOCs), providing mitigation/remediation recommendations, and assisting media and/or legal teams.

Throughout the competition, teams undertook certain tasks common to incident response activities, such as briefings for senior executives, or answering technical questions related to the malicious activity that had occurred on the victim’s network.

A panel of judges, each of whom is an expert in their field, evaluated the performance of each team, and announced the winners - WrongEmail, UnderTheHood and 0ddSocs - during a panel discussion at an event hosted at the A3C premises.

“The Australian Cyber Collaboration Centre (A3C) is pleased to be working with Retrospect Labs and the AWSN on this interesting and important challenge as we progress our mission to support women in cyber security.”

- Mike Barber, CEO, A3C

As most folks are aware, adversaries are constantly coming up with new and devious ways to try and compromise networks. The need to stay on top and ahead of their tactics is why AWSN was happy to partner with the teams from Retrospect Labs and A3C to enable this event, providing over 20 teams with the opportunity to get involved and turn theory into practice in a hands-on way. Congratulations to the winning teams WrongEmail, UnderTheHood and 0ddSocs. Thank you also to CBA who came in as an additional sponsor of the event.

We know diversity of thought processes is required to address the diversity of online threats. This is where our network thrives, by choosing to challenge.

Ryan
www.linkedin.com/in/ryan-janosevic

Retrospect Labs
www.linkedin.com/company/retrospectlabs
www.retrospectlabs.com

A3C
www.linkedin.com/company/a3cyber
twitter.com/A3Cyber
www.cybercollaboration.org.au/

AWSN
www.linkedin.com/company/australian-women-insecurity-network-awsn/
twitter.com/awsn_au

Laura Jiew
www.linkedin.com/in/laurajiew/


COLUMN

Every CISO’s nightmare

CRAIG FORD
Cyber Enthusiast, Ethical Hacker, Author of A hacker I am vol1 & vol2

It’s 3:00 am and I hear my phone burst into life. I turn over to look at the number displayed on the screen: “SOC – Afterhours”. This can’t be good. I lean over and grab the phone off the charger and hit the green button to accept the call. I take a breath and lift the phone to my ear. “Hello”.

The next few moments are almost unbearable while I wait for a response from the other end. Suddenly I hear Jenny’s voice come over the speaker in a rushed, panicked tone. “We have been hacked. They have access to everything. The entire system is encrypting as we speak and we can’t stop it. It’s everywhere. It’s on everything. You need to come in.”

The phone call drops off. She has hung up. Oh crap!

I always tell people it’s not if but when they will be hacked. It looks like today is our day. I get up and head to the office. When I arrive there is chaos. Everyone looks stressed and I can see a ransomware message is displayed on all the monitors. I see Jenny coming towards me. “The backups are all down. They haven’t worked in weeks. All the systems are encrypted. We have nothing to restore from. What are we going to do?”

I jolt awake, a bead of sweat across my forehead. My heart is pounding in my chest. I look over at the clock and it takes me a few moments to clear my thoughts and realise that I was just dreaming. The nightmare isn’t true, at least not today.

This is a nightmare many in the security industry would find terrifying. Some might find it exciting, but mostly it would be in the nightmare realm. Sadly, such a situation is becoming the new normal. It’s happening so often it is only a matter of time before it is your turn. Are we all prepared for this? NO, I don’t think most of us are. We have still not got the basics right to help us recover from the inevitable 3:00 am call.

I have said this many times, but you need to at least do the following.

• Ensure your backups work. Make sure they are running, make sure they restore and make sure they are isolated from your primary network with strongly controlled access to prevent them from getting encrypted by ransomware.

• Do your security patching now. Get it tested and pushed out as soon as you can. Malicious actors will more than likely use old exploits for which patches were issued months ago. Sometimes this isn’t the case, but prompt patching will help reduce your attack risks.

• Train your staff, and do it without all the jargon. Teach them how to be better protected online, and ensure they all feel comfortable reaching out to ask for help when something happens. That last part alone could help reduce, or even prevent, a ransomware attack from becoming a reality.

There is much more you need to do to keep systems safe and prevent your nightmare from coming to reality, but don’t forget the basics. They are most important to minimise the likelihood of an incident and ensure you survive when one occurs.

Do yourself a favour. Get your basics in order TODAY.

You can thank me later.

www.linkedin.com/in/craig-ford-cybersecurity
www.amazon.com/Craig-Ford/e/B07XNMMV8R
www.facebook.com/pg/AHackerIam/
twitter.com/CraigFord_Cyber


FEATURE

I CHOOSE TO CHALLENGE... MENTORS TO STEP UP

by David Braue

Women in Australia’s STEM industries have a real problem. Despite years of supposed progress towards gender equality, a recent Professionals Australia review found that women across the STEM workforce are still underpaid, underrepresented, and unsupported.

Women represent only 29 percent of the university-qualified STEM workforce and 13 percent of executives in STEM industries, the report Women Staying in the STEM Workforce, found, and face a pay gap of 22 percent compared with their male colleagues.

With women affected more severely by the COVID-19 pandemic than men, Professionals Australia CEO Jill McCabe warned of a looming surge in attrition of women and called for “urgent organisational changes to ensure the retention of women in STEM fields.”

“Being part-time cuts you off from a lot of progression opportunities,” she continued. “This creates a vicious cycle where fewer women make it into senior, hiring positions and, as a result, fewer women in the workforce have access to professional development or are promoted to more senior roles.”

This will come as little surprise to many women in cybersecurity, where the pandemic’s disruption has fragmented whatever support networks were available in the past.

Just 17.8 percent of women responding to the Professionals Australia survey said they had engaged in formal mentoring activities over the previous 12 months, with 38.4 percent confirming they had engaged in informal mentoring – something that often took place after hours and was difficult to access due to their other commitments.

“Having no senior women as role models and mentors makes it harder to map out a career path and gain the networks required for advancement,” said one respondent.

“Lack of mentors and a network to call upon has cast me adrift,” agreed another, “especially now when I want to get back into the workforce.”

YOU CAN’T SEE WHAT YOU CAN’T SEE

It’s not 1985 anymore. With women actively participating in cyber and other STEM industries that are desperate to engage skilled professionals, widespread reports of a chronic lack of mentorship are simply embarrassing.

Fully 51.7 percent of survey respondents said the lack of networks had significantly or moderately impacted their career advancement, with many lamenting the lack of access to “everyday hallway discussions” and “very limited social interaction with colleagues” due to a lack of female peers.

Now more than ever, women and other marginalised groups need your support and guidance as they work to figure out how to resume or redirect their career progression in the wake of the pandemic’s massive disruption.

“Lack of consultation on a directed career path became a barrier when seeking other opportunities within the business,” one respondent said, “as it was deemed I was fixed along a particular pathway which I had little knowledge and no buy-in.”

“This had been agreed by others as a succession plan which I had no part or agreement in. I was also advised to avoid making application for roles due to my lack of experience.”

Lack of mentorship and guidance is having a corrosive effect on women’s long-term career planning and sense of self – and the even bigger problem is that the issue is so very easy to fix. All you have to do is take the initiative to reach out, and let talented women know they are not alone.

Lack of visibility is a chronic problem, with Gartner recently noting that “the most pervasive challenges to increasing diversity are organisational in nature.... Lack of transparency on career paths, next steps to promotion and lack of mentors/ careers support make it difficult for underrepresented talent to ascend to more senior positions.”

Hybrid work environments can boost inclusion by 24 percent if they’re managed properly, Gartner notes.

“Inclusion may be compromised in a hybrid work environment due to lack of visibility,” explained Ingrid Laman, vice president of advisory within Gartner’s HR practice. “In a hybrid work environment, unfair treatment may go unchecked as employees have less visibility into how others are treated; trust can erode due to a lack of transparency.”

Gartner recommends firms address this lack of visibility with four key initiatives including training employees to identify and address ‘microaggressions’ – “verbal, behavioural or environmental indignities that insult traditionally marginalised groups” as well as financial and physical well-being programs and better reporting on diversity metrics.

The fourth critical action is to support diversity mentorship programs, through which employers can provide a “viable networking infrastructure that enables underrepresented talent to build growth-focused networks”.

“At the office it’s easy to introduce yourself to a senior colleague when you bump into them,” said Laman, “but in the hybrid world, organisations must ease the effort required to participate in networking programs and help facilitate connections.”

BE THE DIFFERENCE YOU WANT TO SEE

Formal mentorship support can make all the difference for women who are struggling to get on the same footing as their male colleagues.

“I don’t think people understand how difficult it is for a female to build the same support networks as it is for a male,” Toni McAllister, founder of Women in AV, told a recent panel at the ASIAL Security + Integrate 2021 conference.

“That’s where women need to champion each other as well, and make sure that we’re providing that support,” she continued. “For me, having a really good male and female mentor gives you that balance, and the ability to build the networks. You just can’t do it in isolation either way.”

Some women are finding formal programs invaluable in focusing otherwise vague commitments to improve mentorship and engagement.

Programs like STEM Returners Australia have helped support women’s efforts to relaunch their careers, while internal efforts like the Amazon Web Services She Builds program have proven to be an important source of motivation and support as the company pushes towards gender parity.

Formal mentorship programs can be a lifeline for women who know how soul-defeating it can be to be working hard without recognition or support – and they provide crucial support for employees who are increasingly being hired based on their capabilities and potential.

Fully 82 percent of Australian employers have hired candidates who did not meet all the technical requirements for the role, according to a recent Robert Half study that found 43 percent of those hires reached their full potential as quickly as an employee who held all the technical requirements of the role.

The key to progression, then, is not only having the skills – but having the organisational support and encouragement for women to reach their full potential, free of the arbitrary and difficult obstacles they have faced in the past.

With the right support, anything is possible – but even today’s senior executives have been there too.

“In the early part of my career, I would get stellar reviews,” recalls Merrie Williamson, a 20-year Microsoft veteran who now manages a multi-billion dollar revenue line as corporate vice president of Azure Infra.

“I had this very interesting balance of ‘you’ve done great and you are a high performer, but not yet... you might be too ambitious,” she said during a panel session at the company’s recent Ignite conference.

“People’s expectations of me, based on either their experiences or what they would think my experience should be, were the theme that I was just fighting. I wanted more responsibility, but I wasn’t necessarily given the space to grow. I got a lot more work, but I made my boss look really good.”

“Luckily, I had some amazing sponsors and mentors who made sure my place was full, then hit me up to this next level. But it was not a smooth process for the first half of my career.”

Here are a few ways you can support a culture of inclusion, to ensure that women don’t fall through the cracks.

• Address inequality in the workplace
• Educate all about security and provide further upskilling programs
• Listen to people’s experiences, implement processes with purpose, and regularly inspect metrics and decisions to ensure they are fair and equitable.
• Support talent in senior roles or male-dominated teams. It is not enough to simply appoint a woman to a senior role in a traditionally male-dominated organisation or in a male-dominated part of the business and let her ‘sink or swim’.
• If you want women to thrive and succeed – especially in traditionally male-dominated areas – you need to elevate the unique capabilities that they bring to your teams and create a cohort of diversity.
• Personally and visibly sponsor women both within and outside the business
• Personally back senior women to succeed by providing ongoing support and sponsorship into their next role and actively responding to backlash
• Host or sponsor connection sessions with men and women on parental or other forms of long-term leave
• Make succession planning transparent with checks in place to ensure diverse candidates are considered.
• Ensure the organisation is tapping into diverse referrals and networks; discourage ‘referral culture’ that just results in ‘more of the same’.


TECHNOLOGY PERSPECTIVES


LUKE ZILLMAN

CYBER SECURITY GOVERNANCE, RISK AND COMPLIANCE AND THE ART OF WAR by Luke Zillman, Manager, Information Security, B.IT(DC,IS), GradCert IT(IS), MCSE, CISA, CISM, CISSP, ISO 27001 LA

It was the December 2019 Christmas holidays. As I lay in my backyard hammock on a warm summer evening, I took the time to look back over the previous 18 months, working as an information security manager for a large organisation. I reflected on how proud I was, and on the sense of achievement our team had experienced with the work undertaken. I also acknowledged the large body of work that lay ahead of us to get where we needed to be.

In mid-2018 the government brought in sweeping changes to the way we were required to manage cybersecurity. By early 2019 we were in the process of planning and operationalising an information security management system (ISMS) that conformed to the requirements of both ISO/IEC 27001:2013 and the Australian Signals Directorate’s Essential Eight strategies to mitigate cybersecurity incidents.

I have always read for relaxation. So, as I lay there, I picked up the book I was reading, which happened to be Sun Tzu’s The Art of War. Sun Tzu was a Chinese general, military strategist, writer and philosopher who lived around 500 BC. The Art of War is an influential work of military strategy that has been read for hundreds of years by just about every military strategist worth their salt.

As I continued reading, I read a quote that instantly resonated with me: “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained, you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

The idea of applying this concept to cybersecurity intrigued me. I went back inside the house and grabbed a notepad and pen (I am old school), and started jotting down questions and ideas as follows:

HOW DO ORGANISATIONS TRULY KNOW THEMSELVES?

Having worked in cybersecurity for 15+ years, I understood the importance of having a modern and robust cybersecurity governance structure. Having a cybersecurity governance committee is essential to governing and protecting large and medium-sized organisations (including government agencies) from adversaries. Back in my hammock, I once more put pen to paper and set about drafting modifications to my organisation’s cybersecurity governance structure to further strengthen and enhance it.

Cybersecurity has touchpoints in just about every area of an organisation, so it is critical the committee’s membership reflects the organisation’s diversity.

As an example, the committee might include executive members such as the CEO, CIO, CISO, CFO, COO, CHRO, CPO, and corporate legal counsel (to name just a few). Information security roles and responsibilities need to be clearly defined and understood by each committee member. The committee will generally be responsible for determining the organisation’s risk appetite and tolerance levels, monitoring cybersecurity risks, establishing asset identification and classification processes, and for ensuring organisational-wide information security policies, standards and similar artifacts are in place.

Governance is the foundation of any organisation’s cybersecurity program. Without it, you won’t truly know yourself, including your organisation’s information assets and the systems that need protecting, or the controls that are (or should be) in place to protect them.

Continuing to channel the advice of Sun Tzu I asked myself:

HOW DO ORGANISATIONS TRULY KNOW THEIR ENEMIES?

Understanding the cybersecurity threat landscape is crucial to understanding who (or what) might intentionally or unintentionally target your organisation. Examples include nation states, cyber criminals, hacktivists, script kiddies, accidents and natural disasters.

Modern and robust cybersecurity threat and risk management processes are required to identify the likelihood of an adversary or natural disaster impacting the confidentiality, integrity, or availability of one or more organisational systems, the efficacy of the control environment in place, and the impact on the business if the risk were to eventuate. Establishing such processes was exactly what we did.

In 2020 we mapped out and operationalised new processes to identify and security-classify our systems and our control environment, and we undertook detailed information security risk analysis of our core infrastructure and systems.

One final question remained unanswered:

HOW DO ORGANISATIONS TRULY KNOW THEMSELVES AND THEIR SUPPLIERS?

It was now a Sunday afternoon in January 2021. A little over a year since my initial reflection in the hammock, and just over two years since we started our ISMS journey. The Christmas holidays were once again coming to an end, and I was due to return to work the following day.

As an organisation we had undertaken a lot of work over the previous couple of years to really strengthen and modernise our cybersecurity governance, risk and compliance functions, and I knew our cybersecurity controls and processes needed to extend to our suppliers.

Our suppliers are arguably an extension of our organisation because they transact much of our classified information and data. Cybersecurity management of its supply chain is a key focus area for many organisations, and our organisation was no different.

I started to think of ways to strengthen our organisation’s supply chain. I knew we already included information security requirements in our supplier agreements, but implementing these is a time-consuming exercise for everyone involved, including information security, procurement and project management teams.

To solve this I came up with the idea/concept of the Cyber Security Conditions Catalogue (CSCC). The CSCC is a tool to generate information security requirements that can be included in contracts, invitations-to-offer and similar agreements between our organisation and our suppliers. The information security requirements are filtered based on the commensurate information security classification of the information or system being procured. The CSCC provides the organisation with greater assurance that appropriate security provisions are included in supplier agreements, provides consistent and standardised contract terminology to key stakeholders, and reduces the time spent on repetitive tasks.

The CSCC has now been implemented, initially as a proof of concept, and has generated considerable interest across both our organisation and public and private sectors as a high value, easy-to-use tool that has great potential to both improve security posture and reduce time and effort.

One of the key differences between implementing a successful ISMS or experiencing failure is having executive support and backing. I am extremely fortunate to work within a progressive and supportive organisation where innovation and the opportunity of turning ideas into action not only exists but is applauded.

Had I not worked in such an environment, all my ideas and concepts would have remained just that – ideas and concepts. I am very fortunate to experience fantastic support and encouragement from my immediate team and senior executive team. Without their championing of all that is required to operate a successful ISMS, we as an organisation would not have been able to go from strength to strength and progressively mature our cybersecurity defences.

So, as another year passes and I look forward to my upcoming Christmas break, I will be enjoying some relaxation time in my hammock and my mind will no doubt again wander to what the future will bring and what opportunities will present themselves in 2022. I can’t wait.


I CHOOSE TO CHALLENGE... CHAMPIONS WHO AREN’T REALLY CHAMPIONING by David Braue

When it comes to promoting the cause of women in security, there are champions and there are champions.

But based on one recent report about Australian men’s attitudes towards diversity, equity and inclusion (DEI), you can consider yourself lucky if you’re supported by either type.

Although 61 percent of men told The Dream Collective’s recent survey that they are willing to engage around DEI issues, fully 48 percent said they feel fatigued by the DEI discussion – and 52 percent believe that a focus on DEI has led to reverse discrimination.

Around 45 percent of men believe that men and women are already treated equally – and that if women fall behind, the problem may be due to women’s lack of drive or motivation.

Fully 30 percent say that DEI isn’t really their responsibility – and 26 percent actually had the temerity to argue that men and women aren’t supposed to be equal.

Within the context of these rather disappointing results, 61 percent of surveyed men said that while they work hard to meet targets for women’s career advancement, they do it primarily because they are obligated to – rather than any strong personal convictions.

These figures don’t really offer the kind of resounding support that one would hope for after years in which women have been struggling for equal recognition.

Neither were the responses gauging interest in DEI training: just 12 percent of men said they were willing to lead the charge towards such training and 25 percent were willing to be first movers in driving such an initiative.

Fully 13 per cent of top managers were classified as ‘rejectors’ who would offer little support for DEI initiatives, while just 48 percent of respondents said they would participate in GEI training because they would be greatly motivated to support their female colleagues.

The results are a blow to women’s expectations that they can rely on the men they work with to be enthusiastic champions of diversity – and they’re pushing analysts to recommend that business leaders take a firmer hand than they have in the past.

Indeed, a recent Gartner survey of more than 200 HR leaders found that 36 percent reported problems holding business leaders accountable for DEI outcomes. And while many leaders are doing the right thing by championing the cause of diversity, 1 in 3 are still failing to promote the cause in a meaningful enough way to positively influence corporate culture.

The progression of underrepresented talent, Gartner noted, stalls in mid-level and senior positions “as these employees experience slower rates of promotion and worse perception of leadership potential”.

Given the results of The Dream Collective’s survey, this is hardly a surprise. So much for relying on the goodwill of diversity champions.

PUSHING BACK AGAINST APATHY

If leaders can’t necessarily be trusted to promote the cause due to their own personal convictions, Gartner recommends an alternative approach called consequential accountability – based on driving equitable talent decisions, enabling leaders to execute DEI goals, and requiring leaders to demonstrate progress against DEI goals before they can advance within the organisation.

It’s a bold change of strategy that will, the firm believes, make still predominately-male leaders sit up and take notice if efforts to champion DEI are spinning their wheels.

Their support, Nutanix director of corporate social responsibility and DEI Caity Curtis noted during a recent webinar, is essential to drive real change.

“Allyship is a huge part of how we’re going to advance and solve these gaps and have these tough conversations,” she said. “I know a lot of people want to be allies, and they want to help out – and there’s always that piece that holds people back.

“They don’t want to say the wrong thing, or they don’t know the right way to champion someone on their team who deserves this but may be an introvert.”

Progressive action is crucial to encouraging champions to make a real difference – and to putting weight behind women’s not-unreasonable expectation that the men they work with will support their right to equal treatment.

“Despite all of the DEI programs and initiatives that you put in place, progress is still coming down to the day to day activities of your IT leaders and your direct reports,” notes LJ Justice, principal for pride research with Gartner.

“We’re expecting them to be our stewards and champions of an inclusive culture,” they continued. “We’re finding that when IT leaders actually do want to engage in DEI efforts on their own time, they’re coming up against so many other competing priorities and time pressures.”

“That’s why simply seeing the numbers doesn’t create the personal ownership that we need – especially if leaders aren’t being held individually responsible.”

EATING THE BREAKFAST OF CHAMPIONS

Ultimately, the cause of championing women’s advancement and recognition may benefit from the broader discussion around executives’ increased obligations around cybersecurity as a corporate target.

If male leaders promote and champion the capabilities of women in the same breath as their conversations around cybersecurity risk, NBN Co chief security officer Darren Kane noted during a recent AISA Cyber Australia 2021 panel session, the increasing awareness may reinforce the importance of DEI.

“Security risk is one of the most senior business operational risks any organisation, agency, government department or small business will face,” Kane explained, “and to actually have your security workforce hidden away and only have one spokesperson, or a communications full of acronyms that very little people understand, is a problem.”

“We’ve actually got to stop promoting that image,” he continued. “We’ve got to be up front and help people understand that what we’re dealing with here in this industry is a significant issue that takes a senior business executive in the organisation, to manage and to communicate to the C suite.”

If there’s anything that will motivate male leaders apathetic to the actual cause of DEI, it’s the potential for censure by their senior managers.

For this reason, stronger senior-level support and will inevitably trickle down whether those indifferent managers are enthusiastic champions or begrudging accomplices.

“It’s really about focusing on what the goal is and what the aim is,” said Eshan Dissayanake, head of digital security with Coles Group, who recruited nearly 15 people into his team last year and achieved a gender diversity of more than 50 percent.

“There’s one thing about attracting diversity into your organisation and then into your team,” he added. “It is as important to ensure that you maintain that diversity and that you maintain those really good skills in the people you bring into the team.”

“You’ve got to make sure you have the right plans as well as the right support structure in place to ensure that they can get that.”

HERE ARE SOME TIPS FOR FOSTERING CHAMPIONS – AND DEI ACCOUNTABILITY:

• Change your recruitment, policies, systems that will ensure a broad talent pool is considered in every recruitment or promotion decision.
• Implement opportunities for job shares, parental leave for both men and women
• Provide a safe & inclusive environment
• Aim for the 50:50 rule to help uncover systemic and entrenched biases in policies and processes. And the best ratio is 40% women and 40% men, with 20% open, will also deliver real benefits.
• Make sure within your organisation’s board there is at least one woman if not more.
• Increase the diversity in your executive teams to increase the representation from within.
• Be transparent when it comes to systemic biases and regularly review. Transparency is key. It builds confidence in our employees and it helps to hold everyone to account for the delivery.
• Support all employees to succeed, particularly when they may be a minority in their new team. This includes ensuring readiness for new team members who are outside the status quo.
• Champion succession planning as a key management priority
• Challenge your team to rewrite job descriptions regularly and ‘de-construct’ requirements
• Ask line managers what they have done to identify a pool of candidates that is gender balanced, including where they have looked and who they have encouraged to apply
• Challenge decisions that are inconsistent with building a diverse team
• Establish expectations for top teams to visibly sponsor women into their next roles
• Don’t just fill the quota for the sake of it.


MARISE ALPHONSO

THE LINK BETWEEN CORPORATE GOVERNANCE AND EFFECTIVE SECURITY GOVERNANCE by Marise Alphonso, Information Security Lead at Infoxchange

Security governance has increasingly become a necessary component of corporate governance, the mechanism that forms the basis for the operations of an organisation.

It includes the need for senior stakeholders to evaluate, direct and monitor the performance of an organisation. One of the key components of corporate governance is risk management.

It requires an organisation to assess and treat risks posed to the operations of the organisation in the context of its internal and external operating environment.

Information security management activities and practices within an organisation are based on the need to manage information and cybersecurity risks to acceptable levels.

The pervasiveness of ‘cyber’ in practically every organisation’s business processes requires the organisation to review how the ‘information/cyber security’ interface is managed.

This can be achieved by the establishment and implementation of an Information Security Management Framework (ISMF). The ISMF consists of policies, standards and practices that, at a high level, include requirements for meeting the needs and expectations of stakeholders and facilitating operational performance of the organisation.

In practice the ISMF might call for security to be embedded in business process improvements, for risks to be optimally managed, for internal and external compliance obligations to be met, and for a security culture to be reflected in the values and behaviours of employees.

The requirements stated above are broad and can be extensive depending upon the organisation’s operating environment. As with any aspect of corporate governance, the key elements to ensure the successful implementation, operation and maintenance of information security practices outlined in the framework are organisational leadership, change management, communication, learning and development, and measurement.

Leadership in the information security space is an interesting topic of discussion and one where top-down and bottom-up leadership approaches are required to improve information security practices.

‘Security is everyone’s responsibility’ is a mantra often used to reinforce the message that all employees in an organisation have a role to play, whether they be governance committee members participating in a risk management discussion and deciding how risks are to be treated or employees reporting a security incident.

Employees throughout the organisation should feel empowered to uphold security practices with specific roles and responsibilities laid out in the ISMF.

Change management and communication are essential, to ensure security practices are sustained, internal and external stakeholders understand the organisation’s stance on information/cyber security practices, and there is clarity on expectations. Various communication formats and media can be used — for example, an intranet post or monthly newsletter email — depending upon the processes and technology in place.

Learning and development are foundational for continuous improvement of security practices and can contribute positively to security culture. Initiatives could include: learning how shifts in the threat landscape can impact the organisation; exploring new technologies or automation processes that could be leveraged; undertaking post-incident reviews to understand what should be implemented to prevent future incidents of a similar type.

Measurement and metrics are important to understand whether the ISMF is creating value for the organisation. Understanding the expectations of internal and external stakeholders will help to define the elements of the framework that are important to measure. For example, answering the questions “How many data breaches have resulted in the unauthorised access of customer information?” or “What percentage of findings from the last penetration test of a key application were rated as ‘high’?” would provide an indication of the effectiveness of the security measures in place, and whether they limit risk to an acceptable level.

Aligning these elements in a plan-do-check-act cycle will support an organisation’s information/cybersecurity practices, ensure effective security governance and achievement of an organisation’s objectives.

www.linkedin.com/in/marise-alphonso/



JACQUELINE JAYNE

DO YOUR PART. #BECYBERSMART. by Jacqueline Jayne, Security Awareness Advocate - APAC, KnowBe4

A QUICK RECAP FROM PART ONE IN THE PREVIOUS EDITION OF AUSTRALIAN WOMEN IN SECURITY MAGAZINE WHERE I ENDED WITH: “Over the years, I have seen the a-ha moments occur when there is a realisation of how educating your people is just as important as securing your infrastructure, systems, and networks”.

WHAT CAN YOU DO TO START THE CONVERSATION?

If you are in IT, then create a team with people from other areas of the organisation to talk about cybersecurity. The same goes for those of you who aren’t in IT. The greatest success will come from cross collaboration and top-down support. Discuss how cybersecurity relates to the entire organisation and prepare and plan to make a difference.”

As promised in part one, I will share in this article a real-life example of how to build a successful cybersecurity education and awareness program.

The following information is not designed as a one-size-fits-all model, rather an outline of things to consider. However, I can tell you that it does work.

Throughout this process, you will need to have many conversations, and the more you have, the better the outcome will be.

OBSERVATIONS

• Training people on cybersecurity once a year will not work
• Changing behaviour takes time and effort
• Knowledge or awareness is no longer enough
• There is a need to make cybersecurity personal to everyone for any real change to occur and for a culture of cybersecurity to develop
• Changing behaviour is akin to integrity, where people do the right thing even though no one is watching

PROGRAM DEVELOPMENT

someone in IT to create a communications plan, or to

In many instances, a program such as this starts

expect someone in HR to understand the cyberthreat

off with a board directive or identified need to ‘do

landscape.

something’ to upskill employees in cybersecurity. Whilst the preparation is multi-tiered, the result is

HR (generally) will have created a business partnering

a robust framework for a successful cybersecurity

relationship with business units and have a clear view

education and awareness program.

of the culture of the business. Change Management principals are also required, and these traditionally sit

Remember, training people once a year will not

within HR.

work. The goal is to create a human firewall with your people ready for battle and armed with the

IT (generally) has a lot of knowledge of the cyber

appropriate tools and knowledge to protect your

space, the technical jargon and the compliance

organisation from cyberattacks.

requirements. IT employees get frustrated and don’t quite ‘get it’ when people continue to click on

Your people are your last line of defence, and creating

malicious links in emails and fall for scams.

human firewalls takes time.

STEP 1: RESEARCH AND PREPARATION In step one below, research and preparation will

Create a program team that compromises one person

require time (one-three months) with considerable

from HR such as from Learning and Development

stakeholder engagement and collaboration.

or Organisational Development - to take the lead, an Executive sponsor, and someone from IT with subject

The end goal is to obtain (if applicable) Board and

matter expertise on the subject.

Executive sign off. Step one should be treated as a project and Without an agreement to the plan, the program will

transitioned to business as usual after launch which

not succeed.

will require a minimum of one dedicated employee to provide the ongoing management that it requires.

WHO SHOULD PARTICIPATE IN A CYBERSECURITY EDUCATION AND AWARENESS PROGRAM? A successful program requires people from HR and IT working together. It is unreasonable to expect

PROGRAM PREPARATION Start by asking yourself these questions • What is the program intent? (Change or create a culture of cybersecurity awareness, reduce risk,

WOMEN IN SECURITY MAGAZINE

121


lift the cyber knowledge of our people etc.) • What are the program’s objectives? (Educate, change the culture, stop people clicking, comply

tailgating, dumpster diving etc. - Reporting monthly with previous monthly training and SSE results

with regulatory requirements, etc.) • What are the program’s measures? (Observable

Then, consider these program elements:

behaviour, simulated phishing reports, audits, completed training, assessments, etc.) • What are the key messages? (Cybersecurity

• Research best practice for a cybersecurity training and simulated social engineering

is everyone’s responsibility, our patients need

platforms to underpin your program.

you to keep them cyber safe, we protect your

• Develop a timeline for your program

personal information – help us keep our

(Demonstrate all the steps involved and highlight

networks and systems safe, etc.)

milestones linked to measurements for success)

• How will you know your program has worked?

• Engage other business units such as Marketing

(Measurements such as increased knowledge, a

and Communications to ensure the program

reduction of people clicking simulated phishing

complies with requirements (Look and feel,

emails, people are demonstrating they care

design a logo, phrases, imagery, position

about protecting our data, etc.) • How will you align your business strategy, risk

statement, etc.) • Plan for baseline activities such as simulated

policies, and related compliance and regulatory

phishing exercises, cybersecurity knowledge

requirements? (PCI-DSS, GDPR, etc.)

checks and security culture and behaviour

• What kind of reports will you prepare, how often, and why are you providing the data? • What impact will a program like this have on your organisation resources and what time commitments will it require? • Will there be a need for budgetary items?

measures. • Create a communication plan (Type, frequency, intent, content, templates, emails, reporting, intranet, visual aids, etc.) • Define what the ongoing training and education content will be (Engaging and relevant videos,

(Resourcing, licensing costs, marketing

eLearning, posters, infographics, games,

engagement materials, target free time for

informal F2F sessions throughout the year, etc.)

training, rostering needs, etc.) • What does a month look like for employees? For example: - Monthly Training – between 5 and 15 minutes - Ongoing simulated social engineering (SSE) – phishing, smishing, vishing, USB,

122

WOMEN IN SECURITY MAGAZINE

WHAT ABOUT THE PEOPLE? • What are the expectations for employees? (Compulsory monthly training, reporting of suspicious emails, participation with simulated social engineering, observable change in behaviours, etc.)


T E C H N O L O G Y

• What are leaders’ and managers’ expectations

P E R S P E C T I V E S

STEP 2: PROGRAM SIGN OFF

(Leading by example, supporting the program,

Once you have compiled all the above, it’s time to

etc.

present your plan to the executive team for discussion

• What will be the roles and responsibilities in the organisation related to cybersecurity? (This

and sign-off. Their support and buy-in are critical to the program’s success.

assists with identifying low, medium and highrisk roles when it comes to cybersecurity) • Will you include any elements of the program

You are now ready to launch your program. NB: Without this step, your program is doomed to fail.

into existing key performance indicators for performance reviews? (Such as training

STEP 3: LAUNCH THE PROGRAM

completion for individuals and an overall

Yep – launch the program!

decrease when it comes to engaging with simulated phishing emails, etc) • Will you add a cybersecurity education module for your new starters?

STEP 4: MANAGE THE ONGOING PROGRAM The success of a program such as this for an organisation relies on ongoing management and, in an ideal world, a full-time employee with skills in

ENGAGEMENT (ACTIVITIES TO SUPPORT AWARENESS) • Implement a formal team of Cybersecurity Safety

stakeholder management, learning and development, communication and change management as well as support of one or two cyber people from IT to

Officers (CSSOs). Think along the lines of first

serve as a subject matter expert. This is, of course,

aid officers, Work Health Safety Representatives,

dependant on the size of your organisation.

Mental Health Officer etc.) • Engaging people in a subject such as

STILL HERE?

cybersecurity is not easy. Identifying the WIIFT

Congratulations if you are still reading. There is

(What’s-In-It-For-Them) for your employees will

indeed a lot of information to digest, and if you

increase the chances of a successful program.

are still with me, you are taking the education and

(Link your program to personal activities outside

awareness of those in your organisation seriously.

of work, family, kids, travel, the elderly, etc.) • Develop a rewards scheme for observable

Whether you are at the beginning of your journey or in

behaviour change (gamification, leader boards,

the middle of your program, I am always here to help

awards, make it fun, etc.)

and welcome the opportunity to discuss it with you.

OTHER CONSIDERATIONS

Until then, #BeCyberSmart.

• Never punish human error (Use it as a learning opportunity).

www.linkedin.com/in/jacquelinejayne/

• Develop a cyber-related newsletter or page on your intranet.

clubhub.site/@jacquelinejayne

• Provide useful tools for employees to share with their families.

jacquelinej@knowbe4.com

• Demonstrate live hacks so the ‘a-ha’ moment takes place.

twitter.com/JakkiJayne

• Provide full transparency on any near misses or actual cyber-attacks on the organisation. • Look at the data you hold and understand and communicate its real value. • Focus on the data you have on each employee: when they realise it is not only customers data at risk their level of care increases.



Women in Leadership Program

WE UNDERSTAND THAT LEADERS COME FROM VARIOUS BACKGROUNDS

THE AWSN WOMEN IN LEADERSHIP PROGRAM HAS SOMETHING FOR EVERYONE - NO MATTER WHERE YOU ARE IN YOUR LEADERSHIP JOURNEY

Applications are now open for our 2022 Women in Leadership Programs for:

• Emerging Leaders
• Aspiring Senior Leaders
• Aspiring Global Leaders
• Leaders wanting to increase their technical knowledge
• Leaders wanting to increase the impact of their presenting


To find out more, visit: https://www.awsn.org.au/initiatives/women-in-leadership/


STUDENT IN SECURITY SPOTLIGHT


Ritu Dahiya obtained a master’s in cybersecurity from La Trobe University in 2020. She grew up in India where she obtained a master’s in computer applications from the Maharshi Dayanand University in Haryana, and is now learning cloud computing by pursuing AWS certifications. She is already an AWS Certified Cloud Practitioner.

RITU DAHIYA

Founder, Cyber Manch | Ambassador, ISACA She Leads Tech | Cybersecurity Graduate, La Trobe University

What subject(s) do you find most interesting and/or likely to be most useful?

The subjects of most interest to me are:

Digital forensics and cyber law: These helped me to audit several devices and generate reports. This may be because I very much like crime series such as NCIS and Special Law Force.

Incident and crisis management: I am a public speaker and love to learn how to deal with cyber-attacks, handling the incident and saving the reputation of the organisation. It is very important to have proper knowledge of risk management and to handle the situation calmly with proper acknowledgement.

Project management: I have learnt several methodologies for handling a project. Implementing these in my personal life helps me manage my time across my many commitments. Project management helps me achieve my goals and meet deadlines, and adds more skills to my profile.

What aspect of cybersecurity do you think you would like to focus on after graduating? (or) are there further security qualifications you are thinking of pursuing?

I want to start my career as a cybersecurity analyst in the risk and compliance domain. I am learning cloud computing with AWS certifications and planning to become a CISM. There is much more I want to learn, and more certifications I want to gain, but I want to start my journey with these.

To be honest, I get so excited about learning new things that many times I try to explore other areas. I joined a hackathon recently to test my ability and understanding of new startups. Another time I participated in a capture the flag exercise run by WiCyS to check my knowledge of penetration testing. The beauty of cybersecurity is that all roles seem so interesting that I want to try my hand everywhere.

What does your ideal workplace entail?

My ideal workplace would be one that respects diversity, believes in gender equality, is flexible, and offers equal opportunity. I would also like the opportunity to do volunteering alongside my job, because I believe what I receive (help, support, resources, opportunities) should be passed on to others who need it. I would love to see what is being done to make a change. I want to keep my passion for spreading awareness and promoting women in STEM throughout my journey.

Do you have any advice for current or future security students?

Yes, I would highly recommend students to connect with relevant organisations that can help them grow in their career.

Networking: Everyone says networking is important, and that’s so true. Networking can help you get advice from professionals. You can have greater awareness of potential job opportunities and resources, and find mentors and role models who are more than happy to help and assist you at any point in your life.

Research: I think it is vital to have research skills because these enable you to find resources, training and potential opportunities at the right time. It is no secret the internet is overflowing with free learning resources and options for training that can add good skills to your profile.

Pro tip: Whenever you see someone on LinkedIn sharing their certifications or training details, make sure to check if that resource is still available. Trust me, no one is aware of all the free resources or programs, but with smart moves you can easily discover some of them.

I look at the bigger picture. I like to invest in the membership of several organisations, groups and associations instead of spending time on individual learning. These offer much better options for training and learning, and to grow professionally. As a student, you have the best opportunity to get services free, or at very low prices. It is the best time to develop your skills, be they technical, leadership or interpersonal skills. You’ll never have a better time than this.

What qualities do you believe are required to succeed in the security industry?

The crucial qualities are:

Learning: You need to continuously and consistently learn and upgrade yourself in line with the latest demands of industry.

Choosing the right mentors: It is very important who you look for as a mentor or coach. Make sure he or she is someone who you see yourself emulating one day. I am not saying other professionals are less important, but such mentors will make your journey easier.

Volunteering: I love to invest my free time volunteering in causes that are important to me. These activities may not all be related to security, but they help me to learn new skills and help me grow as a person. I can say, wherever I stand today, it all started from volunteering. Everything is connected. One thing will lead to another eventually.

My involvement in student programs, volunteering during the orientation phase and on other occasions, helped me to become a project officer at La Trobe University. Those roles led me to become an emerging leader, student representative of the Science, Health and Engineering College at La Trobe, and to further achievements. Volunteering offers you the opportunity to learn new skills and to challenge yourself without any expectations. To me it is the best way to develop myself as a person and as a professional.

Networking: There is no need to mention the benefits one can gain through networking. Profiles are not built in a day. Profile building is a process. You need to develop your circle with healthy relationships, not just with multiple connections. It takes time, so be proactive as much as you can.

I think using all these skills helped me to become a finalist for Best Security Student in the AWSN Awards 2021.

Are you involved with any groups, associations or have you been mentored? Has that helped you? Who would you like to be mentored by?

I am involved with many organisations, associations and groups that help aspirants to grow in cybersecurity. Some key groups are:

ISACA She Leads Tech: I started as a secretary of the ISACA student chapter at La Trobe University in 2019. After my graduation I decided to keep going with ISACA and become an Ambassador of ISACA SheLeadsTech, which helps female students develop leadership skills.

AWSN Cadet: I became a cadet of AWSN in 2020 and I am still an active member. I joined this organisation to develop my network of students and other cybersecurity aspirants. I was part of the Grad Girls program and actively participated in monthly discussions with representatives from different organisations to see what they were looking for in a candidate, and to identify any potential opportunities for myself. AWSN also helped me with technical training through bootcamps. It helped me gain confidence in my technical skillset.

AISA Student Member: AISA offers free membership to students. I joined AISA in 2019 and since then I have attended the AISA conference every year. I am looking forward to this year’s virtual AISACON as well, thanks to AWSN, which offered free tickets. AISACON is a great event where you can attend topics of your choice and meet role models. It is a wonderful opportunity to build your network.

WiCyS (Women in Cybersecurity): I joined WiCyS in 2020 and attended the CTF in 2021. It is an international platform where you can network with other female aspirants in cybersecurity. We can learn and grow together.

There are many other programs in which I participate, such as She Dares, the La Trobe Industry Mentoring Program, Study Melbourne Events, CTFs, conferences and bootcamps.

These programs have helped me a lot. I got access to one-to-one mentoring programs through these programs that helped me narrow my choices, and helped me develop a clear vision for my career.

Do you have any security heroes/heroes, people in the industry who you really admire for their roles or achievements? If so, who, and why?

There are many people I look up to in the security industry and the IT industry, such as Indra Nooyi, Sudha Murthy, Sheryl Sandberg, Ambareen Siraj, Sir Ratan Tata, Ajim Premji. The list goes on. I look up to them because they have not only created paths for themselves but shown the way for upcoming generations in beautiful ways. However, I like to follow good ideas from anyone.

What do you wish you had known about security before beginning your studies?

I am not one to dwell on the past. I only dream about my future. I accept whatever has happened. I gave my best at the time, and I am happy with my journey. I have explored many skills and technologies. If I were aware of even more, I might not have approached the ones I did discover with the same passion and enthusiasm.

Do you listen to any security podcasts or read any security book that you would recommend?

Books I can recommend to female students are:

• Lean In by Sheryl Sandberg
• Being (Choosing to be at the top because the bottom is too crowded) by Veronica Rose

www.linkedin.com/in/dahiya-ritu/

twitter.com/RituDahiya24

cybermanch.org/


Davinia Szetu is a recent graduate of La Trobe University, Melbourne in Master of Cybersecurity (Computer Science). She was born in Papua New Guinea but spent most of her childhood in the Solomon Islands.

DAVINIA SZETU

Cyber Enthusiast

Why did you choose to study security?

During my high school days, IT was not part of the school curriculum, so I never envisioned pursuing it as a career, because I had no idea what it was. At that time, society’s expectations were that a successful young Solomon Islander would go on to a career in medicine, law, accounting, or aviation.

Initially, I opted for medical school but as fate would have it, I pursued IT instead. Besides, the degree program sounded modern and appealing, and by 2009 I graduated with a bachelor’s degree in computing science and information systems.

Two years later I entered the Solomon Islands Government workforce as an entry-level desktop support technician and after four and a half years, I began managing my own helpdesk and desktop support team. As time progressed, the interactions I had with clients every day in relation to virus/malware incidents made me realise the growing need for cybersecurity. Besides the imminent arrival of our first undersea cable in 2019 that promised improved telecommunications and economic growth, I also noticed a lack of qualified cybersecurity professionals in our region. So, I began involving myself in cybersecurity-related workshops and trainings and my interest in this new domain grew. After a considerable number of years on helpdesk, I felt it was time for me to pursue a new career pathway, hence my decision to undertake further education in Australia in cybersecurity.

What inspires you?

I have been inspired by women who succeed in IT and cybersecurity careers, including those from non-IT and cybersecurity backgrounds. What particularly drives my motivation is when I am being challenged into thinking I am not a fit for a task or role I want to pursue because of my gender. One of the most difficult challenges I faced when I started working as the only technical female was being stereotyped as incapable of resolving IT issues because I was female.

In fact, such challenges have driven me to push boundaries and work extra hard to prove my worth and have got me where I am today. However, I would not have been able to do so without the support of male colleagues. So, I have a lot of respect for male champions who support, encourage and advocate for more females to enter this male-dominated field by studying and taking up a career in IT or cybersecurity.

On the other hand, most of our schools are yet to introduce IT into their curriculum, and many lack internet and computer resources. Seeing our young female students indicate interests in IT or cybersecurity also inspires me to continue being a role model they can look to for advice and guidance. I love helping people and volunteering my time to encourage more girls and women in IT and cybersecurity.

What skills do you think a person needs to succeed in the cyber field?

I think anybody from any background regardless can enter cybersecurity as it is a multifaceted field itself. In any profession, it is important to have a good combination of hard and soft skills. For cyber, it would be advantageous to have an adequate understanding of technical skills (hardware, networking, programming, etc), a good eye for detail, analytical and problem-solving skills, the ability to communicate and collaborate effectively, and the desire to learn.

What advice would you give to current or future security students?

I believe passion and dedication are the key ingredients for success in cybersecurity. You should set your goals and work consistently towards achieving them. You can do this by pursuing relevant certifications (depending on your area of interest in cyber) to build and enhance your skills and capabilities, by staying up to date on technology and news and trends, networking with like-minded people and experienced professionals via LinkedIn, and by becoming an affiliated member of professional groups such as the Australian Women in Security Network (AWSN), the Australian Information Security Association (AISA) or the Australian Computer Society (ACS).

Build your profile by taking part in mentoring programs, online cybersecurity internships, capture-the-flag (CTF) events and volunteering in cyber initiatives. There is also a plethora of free self-paced cybersecurity training platforms and resources such as TryHackMe, HacktheBox, Cisco, Fortinet, Cybrary, Mosse Cyber Security Institute (MCSI), videos, free webinars, and cybersecurity blogs online that you can invest your time in. I have also found having a circle of friends and study buddies with whom you can discuss, share and study with is just as important to support your education and learning journey.

Be sure to seize any opportunity that comes your way and do not be afraid to reach out and network with people. Work hard and believe in yourself and do not be afraid to challenge yourself to new heights.

Where do you want to work, or see yourself working?

It has always been my desire to venture out of my comfort zone, to work abroad and gain a wealth of experience and skills at a global level that can help my country. My dream has always been to join reputable companies such as Google, Microsoft, Cisco, etc, or humanitarian organisations, because I like helping people. I hope one day I can become a qualified cybersecurity professional.

What do you care about when it comes to choosing a place of work?

I love organisations that have a great organisational culture that embrace diversity, equity and inclusion, and foster a welcoming, safe and respectful environment for personal development and growth. I believe workplaces with a people-first company culture, good leadership and good work ethics can build strong relationships that can help the organisation thrive. I would look for companies offering excellent graduate/internship/mentorship programs that will equip me with sought-after practical skills and that are looking to retain talent.

Are you part of any groups, associations or have been mentored? How has that helped you?

I took part in the Cisco MentorMe program that ran for nine weeks and concluded in October 2021. I was very fortunate to be mentored by Andy Burke from Cisco who gave me professional support and guidance and enabled me to network with other professionals in the tech/cybersecurity industry. This program was very rewarding because it also gave me the opportunity to network with other mentees and build my connections, and I was inspired by speakers with diverse backgrounds who shared their experiences, advice and insights on the endless possibilities of technology.

I am also a co-founder of the Women in IT Solomon Islands (WITSI) and I volunteer my time every year to take part in the ITU Girls in ICT Day in the Solomon Islands. In May this year, we hosted the program virtually for the first time in our country with girls participating from the remote islands. I participated by presenting a cyber safety awareness session to young girls.

In August this year I also volunteered as a Go Girl Guide for the Australian VIC ICT for Women by facilitating virtual sessions that engaged young females (Year 5-12) in workshops, careers expo and webinars in a one-day virtual conference.

I recently became a Get Safe Online Ambassador and I look forward to volunteering my time to provide awareness sessions on online safety to local communities in my country and region.

I am also currently a member of the following professional groups: Australian Women in Security Network (AWSN), Australian Information Security Association (AISA), Australian Computer Society (ACS), Pacific Island Chapter of the Internet Society (PICIS), Information Technology Society Solomon Islands (ITSSI) and Women in IT Solomon Islands (WITSI).

www.linkedin.com/in/davinia-szetu/

www.facebook.com/WomenInITSolomonIslands

www.getsafeonline.org.sb


STAY CONNECTED

All the latest articles, industry news, job boards, latest books, podcasts and blogs at your fingertips. As well as the latest on our advertising, marketing, and event services.

FACEBOOK: @wisms2c

LINKEDIN: @source2create

INSTAGRAM: @womeninsecuritymagazine

TWITTER: @Source2C

DIGITAL: womeninsecuritymagazine.com


Yonitha Thavayogaraja (Thava) grew up in Sri Lanka and gained a bachelor of computer science from the University of Ruhuna before coming to Australia and studying for a master of information technology at Deakin University, focussing on cybersecurity and software development. She is currently doing a professional year program from Monash University.

YONITHA THAVA

AWSN Cadet Member and Volunteer at Go Girl, Go for IT

What drew you to security in the first place? Have you always wished to pursue that field of study?

I was very passionate about learning IT in grade 10 but I did not satisfy the requirements for the class, which had a limit of 25 students. After finishing year 12 I chose to pursue a Bachelor of Computer Science via the Z-score system in Sri Lanka. I then decided to study for a master’s degree at Deakin University.

Initially I was majoring in software development, but I changed after I researched more about cybersecurity. I realised cybersecurity was a growing industry. So I added a second major in cybersecurity. I started to attend lectures and practical sessions to help me understand the basics. I would spend days reading research papers and journals to understand security.

I had an internship with Digital Fortress Services in Melbourne during my master’s degree which helped confirm my passion. I thought, eventually, I would embark on a career in cybersecurity. I am still searching for that. I am a good learner but less confident about my abilities until someone recognises my work.

What subject(s) do you find most interesting and/or likely to be most useful?

Cybersecurity management, advanced topics in digital security, advanced digital forensics.

What aspect of cybersecurity do you think you would like to focus on after graduating? (or) are there further security qualifications you are thinking of pursuing?

I graduated in 2020. I focused on professional development, applying for jobs and preparing myself for interviews. I had a few interviews, but I could not get a job because of budget constraints, or so I was told. Now, I have decided to take some certificate courses on LinkedIn, CompTIA Security+ and CompTIA CySA+, to increase my chances of getting a job.

I wish companies would not leave candidates to wait two or three months before telling them they have been unsuccessful. As an international student, I waited two months from each company to receive the result of my interview.

Do you have any advice for current or future security students?

Do not wait until you have finished your studies to search for an internship or a job. It is better to prepare yourself for the job market while you are pursuing your studies. Be active on LinkedIn, Go Girl Go for IT, AWSN groups, or Discord. Make connections with people and ask about their career paths, get tips and initiate small talk. Don’t take rejections and lack of replies personally. In the past, I took everything personally and felt hard done by. As an international student on a temporary visa it is hard to land your first job.

What qualities do you believe are required to succeed in the security industry?

Don’t pretend you know everything in interviews, be honest, be confident, and show the interviewer you are open to learn and improve yourself, as well as keen to work for the company’s betterment. The job market is getting more competitive, so undertaking certificate courses will improve your employability and show initiative.

Are you involved with any groups, associations or have been mentored? Has that helped you? Who would you like to be mentored by?

I have been mentored by:

• Saad Ayad, CEO, Digital Fortress Pty Ltd
• Daniel Jones, Security DevOps Manager, Telstra
• Abigail Swabey, CEO, Source2Create
• Joshua Pender, Senior Customer Support Manager, Mimecast

I have met many people on my career journey since graduation. These people have mentored me and helped me understand the job market, how to prepare for interviews, and introduced me to different networks to support my career. They are still supporting me. I am a member of AWSN, Go Girl Go for IT, and a Discord channel. I missed a few sessions hosted by AWSN because of my temporary visa and haven’t really attended many since. However, I would love to do it again, but I like to read the articles shared via all channels.

What do you wish you had known about security before beginning your studies?

I knew nothing about cybersecurity, only IT basics, antivirus software and some coding knowledge before I started my bachelor’s degree back in Sri Lanka.

Do you listen to any security podcasts or read any security book that you would recommend?

https://darknetdiaries.com/. It helps me learn new issues related to security as well as improve my analytical and communication skills.

www.linkedin.com/in/yonitha-thava/


LISA ROTHFIELD-KIRSCHNER

Author of How We Got Cyber Smart | Amazon Bestseller

Olivia chooses to challenge gender stereotype

Meet Olivia. Olivia loves technology and coding, and really enjoys the challenge of creating online games. Recently, Olivia spent the day at her mom’s work learning how to code and spot anomalies in security logs. You see, Olivia’s mom works in cybersecurity, and Olivia very much admires her mom, because the work she does is just like a superhero; protecting good people from the bad people trying to commit cyber-attacks.

At school, Olivia pursues her interest in technology and all things cyber by being part of a coding club. Each week she looks forward to joining with other kids, learning how to solve problems in new ways, and creating fun and interactive online games. Olivia’s technology teacher, Ms Brightspark says she has a very structured and logical way of thinking, which gives her a natural talent for coding. Olivia always has lots of fun debugging her code and creating games for her friends to enjoy.

However, not many of Olivia’s friends come to coding club. So one day she asked her best friend Bianca to join. Bianca has an aptitude for coding similar to Olivia’s, but was hesitant to come along. Olivia asked why Bianca didn’t want to come and she replied, “Coding club is mainly for boys, I don’t think girls are allowed.”

Olivia was surprised to hear Bianca say this and thought about it. Olivia realised there were many more boys than girls in coding club. Olivia wasn’t sure why, because when she visited her mom’s work, she saw lots of women working in cybersecurity and technology. Maybe this was something that needed to change? In that moment Olivia chose to challenge that coding was just for boys!

Olivia said to Bianca “Us girls can code just as well as the boys can. My mom works in cybersecurity with lots of boys and girls. The main thing to focus on is learning and enjoying technology, not whether you’re a boy or girl”.

Bianca wasn’t so sure, saying: “I actually wanted to join coding club last year. My friend said I should join the drama club with her. But I don’t like acting!” This made Olivia sad, because she could see Bianca wanted to join coding club but was too afraid.

Ms Brightspark told all the kids in coding club there was a competition coming up where they could create a game, and the winner would go on to compete against other schools in the finals. Olivia was excited to take part in the competition and planned to come up with a great idea for a game. Olivia thought and thought, and came up with an idea of creating a game to teach kids about cyber safety. She called her game Cyberheroes.

Olivia was excited about Cyberheroes and hoped Bianca would be curious and excited to see what she had created. Bianca was very interested but was also upset about missing out on learning how to code. She still did not want to go to drama club.

After school Olivia spoke to her mom. “Mom, I think Bianca should join me at coding club. She’s very interested in learning how to code, and it will be nice to have another friend to code with”. Olivia’s mom agreed because she was a champion of girls and women working in cybersecurity and technology.

Olivia’s mom spoke to Ms Brightspark and offered to go to Olivia’s school to talk to all the students about why they should learn about technology, coding and cybersecurity. When she spoke to the kids there were lots of questions, especially from the girls. Olivia’s mom explained why she liked coding and cybersecurity, making Olivia burst with pride. Olivia turned to Bianca and said “See, coding is for everyone, not just the boys”.

As soon as the talk was over, Bianca went to Ms Brightspark and asked if she could join coding club. Ms Brightspark said, “You’re absolutely welcome to join Bianca, but what changed your mind?” Bianca replied, “Olivia and her mom showed me I can do whatever I want, and I want to code!” Olivia and her mom smiled at each other and then did a big high five.

www.linkedin.com/in/lisarothfield-kirschner/

www.linkedin.com/company/how-we-got-cyber-smart/

howwegotcybersmart.com/

twitter.com/howwegotcybers1

www.facebook.com/howwegotcybersmart

www.youtube.com/channel/UCezvgdYKEc7IXwVdiotQUUA

www.instagram.com/howwegotcybersmart/


Recommended by Family Zone

How We Got Cyber Smart addresses cyber safety, cyber bullying and online safety for elementary school-aged children.



Some women just want

The Gift of Safety this Christmas

Upstream Investigations are proud to support the Women in Security Magazine

in the prevention, education and intervention of Domestic and Family Violence

www.upstreaminvestigations.com.au


WOMEN IN SECURITY MAGAZINE CONTRIBUTORS 01

02

1. AMANDA-JANE TURNER Author of the Demystifying Cybercrime series and Women in Tech books Conference Speaker and Cybercrime specialist

2. CODY BYRNES Director Demystify Cyber | Manager Cyber Security Australian Taxation Office

03

04

3. NIVEDITA (NIVI) NEWAR Head of Cyber Security Strategy & Governance at UNSW

4. AMY HEWSON CEO, Mitchell Personnel Solutions

05

06

5. DR ALANA MAURUSHAT Professor of Cybersecurity and Behaviour at Western Sydney University

6. EMILY HUNT National Risk and Security Operations Manager, Scentre Group

07

08

7. EMILY BAKER Regional Alliances Manager ANZ at CrowdStrike

8. BRIDGET MITCHELL Executive Manager of Security Operations at nbn

09

10

9. WENDY THOMAS President and CEO of Secureworks

10. ANITA SIASSIOS Managing Director at ManagingCX

138

WOMEN IN SECURITY MAGAZINE


11

12

11. REBECCA MOONEN Security and Privacy Influence and Cyber Safety Outreach Manager at nbn

12. KELLY PECK Associate Consultant | GRC at Cyber CX

13

14

13. AKIRA SINGH Associate Cyber Security Consultant at IBM A/NZ

14. ANU KUKAR Associate Partner, Cyber Security Strategy, Risk & Compliance at IBM A/NZ

15. CHELSEY COSTELLO 15

16 Principal Information Security Recruitment Consultant at Talenza

16. KELLY RAZLOG Head of Emerging Technology | InfoSec | Cyber Security

17

18

17. MEGHAN JACQUOT Associate Cybersecurity Threat Intelligence Analyst, Recorded Future

18. RACHEL MAYNE 19

20

Senior Associate, Cyber Security at u&u Recruitment Partners

19. ASMITA GOVIND Account Manager for Technology Recruitment at Sirius Technology

20. SKYE WU Cyber Security Investigator, Speaker, Mentor & Champion for Diversity

WOMEN IN SECURITY MAGAZINE

139


WOMEN IN SECURITY MAGAZINE CONTRIBUTORS 21

22

21. NICOLLE EMBRA Cyber Safety Expert, The Cyber Safety Tech Mum

22. KAREN STEPHENS Karen is CEO and co-founder of BCyber

23. SAI HONIG 23

24

CISSP, CCSP, Co-founder New Zealand Network for Women in Security

24. JESSICA ROBERTS Social Media and Content Creator volunteer, Inspiring Girls Australia

25. SARAH IANNANTUONO 25

26

Security Influencer at SEEK APAC

26. DEEPA BRADLEY Cyber Security Expert at SEEK

27. MARTY MOLLOY 27

28

Events, Marketing and Communications Coordinator, AusCERT

28. JESS DODSON Senior Customer Engineer in Security & Identity, Microsoft

29. NICOLE STEPHENSEN 29

30

Privacy expert and Director of boutique privacy firm, Ground Up Consulting

30. LAURA JIEW AWSN National Social Media & Marketing Lead Events, Marketing and Communications coordinator for AusCERT

140

WOMEN IN SECURITY MAGAZINE


31. BAYA LONQUEUX CEO at Reciproc-it

32. MEL MIGRIÑO VP and Group CISO of Meralco, Chairman of Women in Security Alliance Philippines

33. BEGOÑA ROMERO Criminologist specialist in Corporate Security

34. ANNA LEIBEL Co-author of The Secure Board Book | Director of The Secure Board advisory service

35. CLAIRE PALES Co-author of The Secure Board Book | Director of The Secure Board advisory service

36. RYAN JANOSEVIC Co-founder and COO of Retrospect Labs

37. MIKE BARBER CEO of the Australian Cyber Collaboration Centre (A3C)

38. CRAIG FORD Cyber Enthusiast, Ethical Hacker, Author of A hacker I am vol1 & vol2

39. LUKE ZILLMAN Manager, Information Security, B.IT(DC,IS), GradCert IT(IS), MCSE, CISA, CISM, CISSP, ISO 27001 LA

40. MARISE ALPHONSO Information Security Lead at Infoxchange


41. JACQUELINE JAYNE Security Awareness Advocate - APAC, KnowBe4

42. RITU DAHIYA Founder, Cyber Manch | Ambassador, ISACA She Leads Tech | Cybersecurity Graduate, La Trobe University

43. DAVINIA SZETU Cyber Enthusiast

44. YONITHA THAVA AWSN Cadet Member and Volunteer at Go Girl, Go for IT

45. LISA ROTHFIELD-KIRSCHNER Author of How We Got Cyber Smart | Amazon Bestseller

46. YASMIN LONDON Igniting social change & digital wellbeing for global audiences

47. ANGELA FOX Senior Vice President and Managing Director, Dell Technologies Australia and New Zealand

48. MOUFIDA RIMA Vulnerability Management Specialist, IAG

49. RESHMA DEVI Associate Director Enterprise Data and Analytics Risk, NAB

50. ALISON LEE Director of Logistics, Penten


51. SARAH HOSEY General Manager Security and Privacy Assurance, Risk and Consulting at nbn™ Australia

52. PIP RAE Founder and Activist at Upstream Investigations

53. KAVIKA SINGHAL Information Technology Intern @ Google

54. KATE MONCKTON General Manager Security and Privacy Assurance, Risk and Consulting at nbn™ Australia

55. MARIE PATANE Chief Security Officer at Sydney Metro

56. SIMON CARABETTA Cyber Communications Specialist

57. LAURA BRANDON Technical Lead & Senior Fullstack Engineer at Trend Micro


TURN IT UP

HUMANS OF INFOSEC PODCAST By Caroline Wong

A podcast that explores the stories of real people, their work, and their impact on the information security industry. Join security expert Caroline Wong as she focuses on the human side of security.

THE SECURITY PODCASTS By Security

The Security Podcasts from Security helps you stay informed on:

• Cybersecurity and Geopolitical issues affecting global enterprises.
• Security trends and technologies for risk mitigation.
• Advice and tips from physical security and cybersecurity thought leaders.

CYBERSECURITY TODAY By ITWC

Updates on the latest cybersecurity threats to businesses, data breach disclosures, and how you can secure your firm in an increasingly risky time.

YOUR CYBER PATH: HOW TO GET YOUR DREAM CYBERSECURITY JOB By Kip Boyle

Find out what it takes to get your dream cybersecurity job (from the hiring managers’ perspective).

THE GLOBAL REALITIES OF CYBERSECURITY By PwC

The world of Cybersecurity is evolving constantly, from increasing legislation to a changing threat landscape. PwC experts discuss the challenges and opportunities facing global organisations and share insights on how to build a resilient organisation and drive secure growth.

THE TRIPWIRE CYBERSECURITY PODCAST By Tripwire

Tripwire’s cybersecurity podcast features 20-minute conversations with the people who protect people from cyber threats. Each episode brings on a new guest to explore the evolving threat landscape, technology trends, and cybersecurity best practices.


HAK5 By Darren Kitchen and Shannon Morse

Hak 5 is the longest-running award-winning show on YouTube. They cover online threats, internet freedom, hardware tests, tips for faster and better working, set-up and configuration hacks, and explainers to delight those who live to code.

RECORDED FUTURE - INSIDE SECURITY INTELLIGENCE By Recorded Future

Recorded Future takes you inside the world of security intelligence. They share stories from the trenches and the operations floor as well as giving you the skinny on established and emerging adversaries. They also talk about current events, technical tradecraft, and offer up insights on the big picture issues in our industry.

ANONYMOUS WAS A WOMAN PODCAST By Future Women and Hachette Australia

Anonymous Was A Woman with Jamila Rizvi and Astrid Edwards is a conversation on books by, and about, women.

FUTURE WOMEN LEADERSHIP SERIES By PodcastOne Australia

Leadership takes courage and resilience. Host and founder of Future Women, Helen McCabe shares insights from some of the most influential women on the sometimes complex challenges faced by women on the path to senior leadership.

BREACH By Bob Sullivan and Alia Tavakolian

What really happens when a hacker snatches all your data? Hosted by journalist Bob Sullivan and producer Alia Tavakolian, Breach digs into the who, why and how of history’s most notorious data breaches.

ORDINARILY EXTRAORDINARY CONVERSATIONS WITH WOMEN IN STEM By Kathy Nelson

The podcast features women working in different STEM fields, at different career phases, and brings their unique perspectives and stories.


OFF THE SHELF

DARE TO LEAD: BRAVE WORK. TOUGH CONVERSATIONS. WHOLE HEARTS Author // Brené Brown How do you cultivate braver, more daring leaders, and how do you embed the value of courage in your culture? In this new book, Brown uses research, stories, and examples to answer these questions in the no-BS style that millions of readers have come to expect and love. Brown writes, “One of the most important findings of my career is that daring leadership is a collection of four skill sets that are 100 percent teachable, observable, and measurable. It’s learning and unlearning that requires brave work, tough conversations, and showing up with your whole heart. Easy? No. Because choosing courage over comfort is not always our default. Worth it? Always. We want to be brave with our lives and our work. It’s why we’re here.” Whether you’ve read Daring Greatly and Rising Strong or you’re new to Brené Brown’s work, this book is for anyone who wants to step up and into brave leadership.

RADICAL CANDOR: BE A KICK-ASS BOSS WITHOUT LOSING YOUR HUMANITY Author // Kim Scott Radical Candor is the sweet spot between managers who are obnoxiously aggressive on the one side and ruinously empathetic on the other. It is about providing guidance, which involves a mix of praise as well as criticism, delivered to produce better results and help employees develop their skills and boundaries of success. Great bosses have a strong relationship with their employees, and Kim Scott Malone has identified three simple principles for building better relationships with your employees: make it personal, get stuff done, and understand why it matters. Radical Candor offers a guide to those bewildered or exhausted by management, written for bosses and those who manage bosses. Drawing on years of firsthand experience, and distilled clearly to give actionable lessons to the reader, Radical Candor shows how to be successful while retaining your integrity and humanity. Radical Candor is the perfect handbook for those who are looking to find meaning in their job and create an environment where people both love their work, their colleagues and are motivated to strive to ever greater success.

CYBER RISK LEADERS: GLOBAL C-SUITE INSIGHTS - LEADERSHIP & INFLUENCE IN THE CYBER AGE Author // Shamane Tan ‘Cyber Risk Leaders: Global C-Suite Insights – Leadership and Influence in the Cyber Age’, by Shamane Tan, explores the art of communicating with executives, offers tips on navigating through corporate challenges, and reveals what the C-Suite looks for in professional partners. For those who are interested in learning from top industry leaders, or an aspiring or current CISO, this book is gold for your career. It’s the go-to book and your CISO kit for the season.


BLINDSPOT: HIDDEN BIASES OF GOOD PEOPLE Author // Mahzarin R. Banaji and Anthony G. Greenwald “Blindspot” is the authors’ metaphor for the portion of the mind that houses hidden biases. Writing with simplicity and verve, Banaji and Greenwald question the extent to which our perceptions of social groups—without our awareness or conscious control—shape our likes and dislikes and our judgments about people’s character, abilities, and potential. In Blindspot, the authors reveal hidden biases based on their experience with the Implicit Association Test, a method that has revolutionized the way scientists learn about the human mind and that gives us a glimpse into what lies within the metaphoric blindspot. The title’s “good people” are those of us who strive to align our behavior with our intentions. The aim of Blindspot is to explain the science in plain enough language to help well-intentioned people achieve that alignment. By gaining awareness, we can adapt beliefs and behavior and “outsmart the machine” in our heads so we can be fairer to those around us. Venturing into this book is an invitation to understand our own minds.

SUBTLE ACTS OF EXCLUSION: HOW TO UNDERSTAND, IDENTIFY, AND STOP MICROAGGRESSIONS Author // Tiffany Jana and Michael Baran Our workplaces and society are growing more diverse, but are we supporting inclusive cultures? While overt racism, sexism, ableism, and other forms of discrimination are relatively easy to spot, we cannot neglect the subtler everyday actions that normalize exclusion. The book offers a clearer, more accessible term, subtle acts of exclusion, or SAEs, to emphasize the purpose and effects of these actions. After all, people generally aren’t trying to be aggressive – usually, they’re trying to say something nice, learn more about a person, be funny, or build closeness. But whether in the form of exaggerated stereotypes, backhanded compliments, unfounded assumptions, or objectification, SAEs are damaging to our coworkers, friends, and acquaintances. They give simple and clear tools to identify and address such acts, offering scripts and action plans for everybody involved. Knowing how to have these conversations in an open-minded, honest way will help us build trust and create stronger workplaces and healthier, happier people and communities.

BRAVE, NOT PERFECT: FEAR LESS, FAIL MORE, AND LIVE BOLDER Author // Reshma Saujani (CEO and Founder of Girls Who Code) ‘We are raising our boys to be brave, but our girls to be perfect. And this is holding us back.’ Imagine if you lived without the fear of failure, without the fear of not measuring up. If you no longer felt the need to stifle your thoughts and swallow what you really want to say in order to please and appease others. If you could stop berating yourself mercilessly for human mistakes, let go of the guilt and the strangling pressure to be perfect, and just breathe. What if, in every decision you faced, you made the brave choice or took the bolder path. Would you be happier? Would you impact the world in the ways you dream you can? In Brave, Not Perfect, Saujani shares powerful insights and practices to help us let go of our need for perfection and make bravery a lifelong habit. By being brave, not perfect, we can all become the authors of our best and most joyful life.



SURFING THE NET

WOMEN IN INTERNATIONAL SECURITY (WIIS) BLOG Women In International Security (WIIS) is the premier organization in the world dedicated to advancing the leadership and professional development of women in the field of international peace and security. The WIIS blog posts, in the form of op-eds, analytical essays or shorter commentary, cover a wide variety of subjects including traditional security issues, international peace and security issues, as well as emerging security challenges and the women, peace and security agenda.

CISCO BLOGS: WOMEN IN CYBERSECURITY Cisco’s women in cybersecurity blog section is focused on empowering and supporting women in cybersecurity, and helping to boost their careers. It features inspirational stories and information on how to advance in cybersecurity as well as various resources women can use to network in the industry, acquire new skills and get a start in their career.

STEM WOMEN STEM Women’s journey began in 2016 when they were asked to act as a gender balanced recruitment agency for a renowned graduate recruiter. They run free events for female students and graduates studying STEM subjects to network with the top STEM employers and hear from inspiring female STEM role models. Their blog features inspirational stories, recruitment tips, opportunities for women, career paths, industry research, etc.


WOMEN IN STEM LEADERSHIP Women in STEM Leadership (WISL) aims at empowering women with the support, resources and tools needed for elevating their career and becoming an agent of change in the STEM industry. They are a network of like-minded women who are genuinely invested in helping women reach their potential. Their mission is to close the gender gap and create a more diverse and inclusive workforce.

STEM LIKE A GIRL STEM Like a Girl’s blog series, ‘Wednesday’s Women in STEM’, features different women who have made or are making a difference in the fields of science, technology, engineering, and math. Their goal is to showcase the amazing accomplishments of women, both past and present. They encourage people to share these with young girls so they can learn about all the ways women help shape STEM and be inspired to discover their own STEM identity and interests!

TYNKER: WOMEN IN STEM Tynker believes that the ability to code allows children to make their ideas a reality. Tynker’s mission is to provide every child with solid foundations in Computer Science, programming, and critical thinking skills to prepare them to become better architects of their future world. Their Women in STEM blog series aims to increase representation and create role models for young girls.

WOMEN CYBERSECURITY SOCIETY BLOG The Women CyberSecurity Society Inc. (WCSS) is a registered nonprofit community providing support, resources, mentorship, guidance and training to women, girls and minorities interested in advancing a career in cybersecurity. Their mission is to empower and support women and girls interested in a career in cybersecurity by removing roadblocks and obstacles. They enable women to continue the journey to become strong, confident leaders within cybersecurity of the future.


THREATQUOTIENT BLOG ThreatQuotient’s mission is to improve the efficiency and effectiveness of security operations with a platform that accelerates and simplifies investigations and collaboration within and across teams and tools. Their blog posts include experts sharing their cyber threat intelligence insights and experiences. They also share inspirational stories for women in cybersecurity to inspire young girls and women to choose cybersecurity and advance in the field.

CYBER LEADERSHIP INSTITUTE BLOGS Cyber security is rapidly changing, and the Cyber Leadership Institute blog aims to keep users up to date with the threats, strategies and tips covered in its cyber security blogs. Their mission is to empower cyber leaders to embrace the technological revolution and improve the way we all live, work and interact.

CYBER SECURITY WORKS BLOG CSW is a US Department of Homeland Security–sponsored CVE Numbering Authority and a leader in Attack Surface Management. Their mission is to make security services affordable to all. Their blog covers a wide range of topics including risk management, security management, exposure management, and compliance services, etc. You can read about the latest news and updates from the cybersecurity ecosystem by checking their blog.


NETWORKING SPONSOR

PROTECTIVE SECURITY SPONSOR

SILVER SPONSOR

BRONZE SPONSORS

SUPPORTING SPONSORS

MERCHANDISE PARTNERS


THE AUSTRALIAN WOMEN IN SECURITY AWARDS 2021 by David Braue

Recognising 650 nominated women who are Breaking the Pattern

From the moment ySafe executive director and host for the evening’s ceremonies Yasmin London hit the stage, the atmosphere at the third annual Australian Women in Security Awards (WISA) was electric. “Is it good to be back or what?!” she exclaimed, channeling the mood of everyone in attendance.

Over the course of an evening filled with excitement, renewed friendships – and, of course, more than a bit of glam and dapper – the evening proved to be everything that attendees had missed out on through nearly two years of the pandemic.

Spread across 13 different categories, the awards – themed Breaking the Pattern – recognised security leaders, workers, pioneers, and innovators who have helped guide the cybersecurity and protective security industries through some of the toughest years in memory.

Run and produced by Source2Create and partnering with the Australian Women in Security Network (AWSN), the awards – which were simultaneously held in person and broadcast online – are designed “to honour our friends and inspire the next generation to do great things,” Source2Create CEO and publisher of Women in Security Magazine Abigail Swabey said in welcoming guests to the ceremony.

Supporting the cause of women in security is “one of my key missions in life,” she said, “and partnering with the AWSN and in particular [AWSN founder and CEO] Jacqui Loustau helps me achieve that.”

“There is something very unifying about the cheers, the claps, the pats on the back as your friend or colleague makes their way to the stage to be recognised. Even the food will taste better under the lights here tonight.”

Source2Create received 650 nominations across the 13 categories, with 21 industry judges paring down the entries to a list of 65 finalists who were gathered in person and online to join the event.

The awards wouldn’t have been possible without the strong support of CyberCX, Okta, Everbridge, AusCERT, Netskope, Dell Technologies, Sekuro, Tesserent, and Trend Micro as well as merchandise partners Bsides Canberra, SheLeadsTech Melbourne, and Cynch Security.


The winners represented an eclectic range of roles across public and private-sector organisations, with judges recognising their excellence, initiative, competence, and commitment.

IAG’s Moufida Rima, for example, saw in a previous role that the company lacked a patch management system and single-handedly developed one – convincing the CEO to resource the project and put her in charge of a five-member team to implement it.

Alison Lee of Penten was the company’s first female employee and has helped boost women to 26 percent of the workforce as she tirelessly pursues a 50:50 gender split – proactively recruiting women, speaking and advising attendees at career expos, and mentoring a dozen women inside and outside of the company.

Anu Kukar, Associate Partner – Cyber Security Strategy, Risk & Compliance for ANZ with IBM, was recognised for creating awareness about security at a global level as an enthusiastic advisor and advocate who has spoken at 49 keynote and panel conferences on cyber issues, AI/ML, upskilling, and lifelong learning.

Simon Carabetta, Project and Engagement Coordinator with the WA AustCyber Innovation Hub, responded to the education system’s lack of engagement with young women by championing equality through panel presentations, partnering with industry and academic institutions, and creating Australia’s first ever mentee-to-mentor platform.

Sarah Hosey, Joint General Manager of nbn Australia’s Privacy and Security Assurance, Risk and Consulting team, was recognised for bringing her extensive commercial and media law, privacy and customer experiences to a role where she has challenged the status quo and brought a customer-centric approach to security and privacy.

Revolutionising the protective security industry is Pip Rae, Founder and Lead Investigator with Upstream Investigations, which investigates family violence cases and provides support to victims. She is an active speaker at women’s events, domestic violence awareness evenings, and men’s mental health and change behaviour studies. She recently gave her first TED Talk and recently joined the executive of the National Child Protection Alliance.

Greater Western Water was recognised as the best place to work for women in security, based on its success in reaching gender parity in its board of directors, key leadership roles, and across its workforce. Women head the physical, environmental, and technology security functions in the company, whose staff have worked tirelessly to provide career lifecycle support, redesigned facilities to create family-friendly spaces for staff health and wellbeing and overhauled its recruitment advertising to ensure a 50:50 balance on job shortlists and interview panels.

The awards also recognised pipeline development organisations like the AWSN Cadets program, which under the guidance of Elizabeth Bonny has expanded from a localised Melbourne pilot to a national community within three years; passionate volunteers like Reshma Devi of NAB, who actively works as a mentor and organiser with AWSN, ISACA, and SheLeadsTech; highly engaged and motivated cybersecurity students like Kavika Singhal of Western Sydney University; and technical experts such as Trend Micro Technical Lead Laura Brandon, who deftly planned and led a complex integration project combining Sydney-based cloud security startup Cloud Conformity with Trend Micro’s systems.

Last but not least, this year’s Most Outstanding Woman awards went to Marie Patane – a consummate professional who has built a far-reaching, highly effective 60-strong security team from the ground up at Sydney Metro – and Kate Monckton, a “true leader” whose role leading nbn Australia’s security, privacy assurance, risk and consulting operations has seen her coaching, mentoring, leading diversity and equity initiatives, as well as leading the company’s Great Place to Work initiative.

To these extremely capable women, and in fact to everyone who was nominated for the Australian Women in Security Awards 2021 – congratulations on your exemplary work as advocates, mentors, experts, facilitators, educators, presenters, and the many other ways that you contribute.


You truly are, as the awards suggested, breaking the pattern – and that’s just what the security industry needs if we are going to help bring new capabilities, new experience, and new perspectives to these extremely critical industries. Keep up the good work!

Please save the date for the 2022 event, to be held on 13 October 2022. We look forward to seeing you there!

AWARD CATEGORIES, WINNERS, AND FINALISTS

Unsung Hero. Unsung heroes give back to the cybersecurity community and demonstrate excellence in all pursuits and endeavours. It could be through mentoring women in the security industry by tirelessly supporting, encouraging and promoting their professional and personal development. Or they go above and beyond the call of duty to protect their organisations from cyber threats by either initiating a cyber risk awareness campaign or being a superstar advocate for the security industry.

WINNER: Moufida Rima, Vulnerability Tools and Assessment Specialist, IAG

HIGHLY COMMENDED: Fatema Hashmi, Senior Security Consultant, Telstra Purple

HIGHLY COMMENDED: Katrina Avila, Director for Cyber Security, EY

FINALISTS: Lara Hemmaty (Optus), Alana Maurushat (Western Sydney University), Laura O’Neill (Trustwave), Louisa Partridge (OSINT Combine), Lisa Rothfield-Kirschner (How We Got Cyber Smart), Louisa Vogelenzang (WomenSpeakCyber)

The One to Watch in IT Security. Recognises the exceptional talents of an individual whose journey in IT security has shown consistent dedication and commitment to excellence. An individual with a unique and personalised approach, and who will act as a role model for others.

WINNER: Sarah Hosey, Joint General Manager, Privacy and Security Assurance, Risk and Consulting, nbn Australia

HIGHLY COMMENDED: Anafrid Bennet, Manager of IT and Security Operations, Greater Western Water

HIGHLY COMMENDED: Irene Giantsos, Technical Cyber Response, NAB

HIGHLY COMMENDED: Archana Puri, Information Security Assurance Manager, Harvey Norman

SPECIAL RECOGNITION: Priyal Bhosale, Product Manager, Avertro

FINALISTS: Candice Bowditch (Google), Jennifer Gorman (Entrust), Divya Saxena (DXC Technology), Chloe Sevil (Clyde & Co)

The One To Watch in Protective Security. Recognises the ‘rising star’ of the Protective security industry that’s already making a significant contribution to the protective security landscape. It applauds the individual’s proven excellence and innovation in the protective security arena, highlighting their unique capabilities and contributions as they continue to grow in stature and gain increasing recognition.

WINNER: Pip Rae, Founder and Lead Investigator, Upstream Investigations

FINALISTS: Lauren Wiggins (Penten), Sarah Wood (AustralianSuper)

IT Security Champion. Recognises the individual who effectively acts as the voice of security in any given product or team. It applauds the person who’s mastered the art of engaging people with the IT security message – and is more aware and better equipped to deal with the ever-evolving IT security threats.

WINNER: Anu Kukar, Associate Partner – Cyber Security Strategy, Risk & Compliance ANZ, IBM

HIGHLY COMMENDED: Jennifer Firbank, Cyber Strategy and Influence Team Leader, Telstra

HIGHLY COMMENDED: Joss Howard, Cybersecurity Partner, McgrathNicol

FINALISTS: Caitriona Forde (CyberCX & Western Power), Bridget Mitchell (nbn Australia), Duyen Tran (AustralianSuper)

Protective Security Champion. Recognises the ‘change champion’ that’s working diligently across the protective security industry to support and empower women, either through mentorship or through collaborative work efforts and impactful leadership. Applauds the individual who’s made outstanding contributions to improve the status and lives of women in the protective security industry.

WINNER: Alison Lee, Director of Logistics, Penten

FINALISTS: Fiona Byrnes (IBM), Pam La Motta (IAG)

Best Program for Young Women in Security. Recognises programs that have effectively used the power of learning – either through teaching, lecturing or training activities – to educate and inspire young ladies entering security.

WINNER: AWSN Cadets (accepted by Elizabeth Bonny)

FINALISTS: AustCyber CaDop Programs, SheLeadsTech Melbourne

Best Place for Women to Work in Security. Recognises the workplace that has adopted practices that create and foster an environment that supports, validates and encourages women to achieve their full potential.

WINNER: Greater Western Water (accepted by Anafrid, Jennifer and Louise)

HIGHLY COMMENDED: Xero (accepted by Charlotte Wylie)

FINALISTS: Origin Energy, Telstra, Trustwave

Male Champion of Change. Individuals working to shift entrenched gender disparities and championing for more equality in the IT security industry. They demonstrate a genuine commitment by utilising their time, investment and innovation to improve the issue in the industry.

WINNER: Simon Carabetta, Project and Engagement Coordinator, WA AustCyber Innovation Hub

HIGHLY COMMENDED: Steve Schupp, Executive Director WA, CyberCX

SPECIAL RECOGNITION: Craig Ford, Senior Security Architect, Baidam Solutions

FINALISTS: Brendan Caughey (EY), Dan Goldberg (Cybza), David Watts (IAG)

Best Volunteer. This award recognises the volunteer that’s advancing the cybersecurity and safety of the Australian public, as well as businesses and governments in Australia. They are going ‘above and beyond’ to raise awareness of the risks and dangers of cyberattacks and data thefts in the Australian community.

WINNER: Reshma Devi, Associate Director Enterprise Data and Analytics Risk, NAB

HIGHLY COMMENDED: Laura Lees, Citi

FINALISTS: Rebecca Moonen (nbn Australia), Anita Siassios (WiCyS Australia)

Best Student Security Leader. Recognises an exceptional student who’s already making a difference to the security industry – a young gun superstar in the trenches – with sleeves rolled up – and contributing to the field by demonstrating the qualities of a great security leader.

WINNER: Kavika Singhal, Western Sydney University

SPECIAL RECOGNITION: Gabriela Guiu-Sorsa, TAFE Queensland

FINALISTS: Victoria Cheng (UTS), Ritu Dahiya (La Trobe University), Erika Salmon (Charles Sturt University)

Best Female Secure Coder. Recognises a superhero coder who’s mastered the art of developing computer software or programs that guard against security vulnerabilities.

WINNER: Laura Brandon, Technical Lead, Trend Micro

HIGHLY COMMENDED: Dorien Koelemeijer, Cloud Security Engineer, Afterpay

FINALISTS: Jenny Lim (IAG), Yan Liu (Retrospect Labs)

Australia’s Most Outstanding Woman in IT Security. This award recognises female innovators leading the way in IT security – talented women at the forefront of the industry demonstrating a vast array of inspirational work… reshaping the security industry and leaving an indelible mark.

WINNER: Kate Monckton, General Manager Security and Privacy Assurance, Risk and Consulting, nbn Australia

HIGHLY COMMENDED: Daniella Pittis, CISO, Flight Centre Travel Group

HIGHLY COMMENDED: Rachael Greaves, CEO, Castlepoint Systems

Australia’s Most Outstanding Woman in the Protective Security Industry. Recognises the ‘all-star’ individual that’s demonstrating excellence, innovation and leadership in protective security. The individual recognises that the range of threats that businesses and governments face continues to evolve – and, therefore, works collaboratively at all levels of the organisation or department to instil a culture of security.

WINNER: Marie Patane, Chief Security Officer, Sydney Metro

FINALISTS: Amy Hewson (Mitchell Personnel Solutions), Emily Hunt (Scentre Group)


THE POWERHOUSE AWARDS HOST

Interview with Yasmin London, Igniting social change & digital wellbeing for global audiences By Stuart Corner

Today she is the Executive Director of ySafe, Australia’s largest provider of cyber safety education. She oversees a team that has provided online safety education to 500,000 children, 100,000 parents and 50,000 school staff on multiple aspects of digital wellbeing and online safety.

While in the police force she was also cofounder and president of REELise, a movement by young people to create a safe space online. It was formed in 2013 in response to local police concerns about the impact of cyberbullying on youth mental health.

As a teenage athlete she was given media training to prepare her for post-race interviews. This piqued her interest in journalism, but after graduating she ended up in TV production. A work trip to Canada led to an introduction to the Royal Canadian Mounted Police. She was allowed to share a shift with an officer in a police car, an experience she describes as “The best fun I had ever had.” So, on her return to Australia she signed on with the NSW Police and stayed for 13 years.

IT’S THE JOURNEY, NOT THE DESTINATION

Summing up her career path she says “I feel like the price of achieving greatness or success is often feeling overwhelmed, but that’s OK. One of


the greatest skills we can learn in life is getting comfortable being uncomfortable. Deciding to live a life where the journey is valued over a single destination is something I prioritise.”

In the NSW Police her media background saw her supervising the delivery of TV for the corporate communications department before moving into community and school liaison roles and youth advocacy.

She was lured away from NSW Police for a year to work for TV production company Freehand where an on screen role for a show, CyberShack, introduced her to the world of technology.

However, what really drew her into the world of cybersecurity was working with youth through NSW Police. “As a youth liaison officer I had to deal with a couple of cyber-related incidents that happened to kids in our area,” she explains.

“The first was a paedophile ring that had infiltrated a group of year five and six students at a local primary school, and then I had the suicide negotiation of a 14 year old girl over a cyberbullying incident. There were other cases, but these definitely piqued my interest in the cyber safety space.”

TECH SKILLS NOT NECESSARY

London confesses to being “one of the least tech savvy people ever” but says her other skills were more important to dealing with cyberbullying and youth cyber safety.

“Understanding human behaviour is imperative in dealing with negative incidents that occur online, and the more you delve into cybersecurity, the more you realise that success as a cybercriminal comes down to effective social engineering and proficiency in understanding and exploiting human predictability. Once I realised that, I knew the cybersecurity space even had room for someone like me to play a role in protecting others.”

And she says her police and journalism background prepared her well for this next stage in her career, teaching her about anticipating people’s needs, adaptability, strategic thinking, effective communication, situational awareness and the ability to read social and emotional behaviours well.

THE SKILLS THAT REALLY MATTER

“Depth and experience in these skills are incredibly important in cybersafety and cybersecurity roles, especially as we often don’t have the benefit of the extra communicative information that comes from body language and tone if we are communicating online,” she says.

Her interest in youth cybersafety led her, in 2013, to co-founding REELise. It was born from her idea that the mobile phone could be turned into a tool of empowerment.

“Often as a police officer I saw this device being used to harm others, and wanted to turn the tables on it. With the help of a few passionate community members REELise became a not-for-profit for youth, and by youth, a movement that understands how essential it is to listen to the voices of our young people and ensure their online and offline experiences are validated and learned from,” she says.

“Nobody wants a dictatorship and as adults we often fall into the ‘we know best’ modality when things go awry for our kids.”

GETTING INTO CYBER EDUCATION

She stepped back from REELise after taking up the role of executive director of ySafe in 2018. It does much work providing cyber education through
schools, but Yasmin believes more education about cybersafety, and the online world in general, should be included in school curricula.

“The recent anti vax movement, fake news and political agendas have really shown how critical it is that we teach upcoming generations true media literacy, and the ability to think critically to sort fact from fiction when it comes to the information they are allowing to influence their young minds.”

She is calling for “strategies to effectively manage and mitigate harms in depth, and that cover the nuanced behaviours and relationships people have online,” saying these are vital.

“Understanding where to seek help, and what legislation is there to support people when things go wrong is critical. When we live in a digital world, we need the depth of education that truly reflects and supports our existence within it.

“The most important factors schools need to consider are that there is regular education on the relevant cyber safety topics, that there are diverse voices delivering the messages, that the discussion is delivered with a pro technology ethos, and that their policies and procedures reflect the current nature of the cyber safety landscape.”

PROMOTING PARENT EMPOWERMENT

Parents, of course, have a significant role to play in children’s cybersafety and cyber education. To enable parents to fulfill this role London says the key is to empower them to take control of their child’s online activity and proactively support their child’s role in digital environments. “Empowerment starts with education and realistic, practical strategies they can use in their day-to-day activities. It’s in helping them find pockets of time for communication, and accessible and reliable information amongst the noise and fear mongering out there to make sensible choices for their kids.”

The Government, meanwhile, is trying to increase cyber safety with its Online Safety Bill 2021, passed amid considerable controversy in June and due to come into force early in 2022.


London believes it falls far short of what is needed. “This legislation is excellent but sadly only really addresses those who are experiencing significant harm. People can still be deeply affected by negative online experiences, yet not reach the benchmark for action under this act, so we need resources that can effectively and positively impact those middle ground cases. They are certainly not ‘low level’ for the victims.

SAFETY BY DESIGN NEEDED

“Safety by design also needs to be genuinely and proactively introduced by platforms in meaningful ways, rather than retrospectively. We have the technology and now need to implement ways we can anticipate, detect and eliminate online harms before they occur, and prioritise user safety as well as experience (especially when it involves young people).

“Regulation needs to happen, and we all need to get behind those creating awareness and holding to account those organisations who favour profits over protection.”

After a very varied career spanning two decades London is not sure what comes next but believes, by being open to all possibilities, the right opportunity will appear.

“I know I love being with people, educating, informing and empowering others. I love being in an evolving and exciting industry, and am incredibly passionate about advancing women and gender equality and unashamedly advocating for the potential that can bring if we focus on a life with that lens.”

AWARDS ADVOCATE

Meanwhile, she’s very happy to be hosting the Australian Women in Security Awards. “These awards showcase and promote everything that I am passionate about and that is important in this industry - the trailblazers, the change makers, the young guns and the advocates and allies that will make our digital world a safer and richer experience for all.”

And she says events like the awards are what is needed to get more girls and women into security. “We need more visibility, celebration and profiling of women in this industry, and also the promotion of the skills, expertise and experiences of those here that aren’t traditionally technical.

“The business case for diversity in industries like this is obvious. However for true buy-in, and to attract female talent we need to show the ‘why’ and ‘how’ behind the meaningful work conversation in this industry. We need to promote and showcase the flexible work practices that women are attracted to so they can map out potential family life, and also celebrate the wins and the fun that are part of this industry.”

After almost two years of movement restrictions, the Australian Women in Security Awards event is particularly welcome. “When we get to throw on a ball gown after two years of an activewear wardrobe mullet and kick up our heels - what’s not to love?”

www.linkedin.com/in/yasmin-london-she-her-hers92a3622b/


HOW DELL TECHNOLOGIES DOES DIVERSITY

Interview with Angela Fox, Senior Vice President and Managing Director, Dell Technologies Australia and New Zealand. By Stuart Corner

Creating a diverse workforce, by gender and ethnicity, at every level of an organisation is no easy task. Biases, prejudices and a shortage of suitable candidates all add to the challenge.

Perhaps it’s no wonder then that Dell Technologies calls its global diversity targets its ‘Moonshot Goals’. Specifically: “By 2030, our goal is for 50 percent of our global workforce and 40 percent of our global people leaders to identify as women.”

For the US workforce, there is another, ethnic diversity goal: to have 25 percent of the workforce and 15 percent of people leaders identifying as Black/African American or Hispanic/Latino.

Dell Technologies does not disclose how it is tracking its gender diversity goals or equivalent ethnic diversity goals in different regions. However, Angela Fox, Senior Vice President and Managing Director, Dell Technologies Australia and New Zealand, says: “Rest assured we have aligned with that [ethnic diversity] goal and driving initiatives locally to achieve our Moonshot Goal together with the global organisation.”

She says Dell Technologies is looking at how it can translate the global ethnic diversity goal into something meaningful with Australia’s and New Zealand’s indigenous people.

To achieve its goals, Dell Technologies globally has at least a dozen programs or initiatives, not all of
which are replicated locally. For example, in the US the Dell Legal Diversity Award “recognises law firms for diverse staffing on Dell matters, overall attorney demographics at the firm, leadership opportunities provided to diverse attorneys, engagement of diverse vendors, and the creation of an inclusive environment.”

HOMEGROWN DIVERSITY INITIATIVE

However, Dell Technologies in ANZ has created its own diversity initiatives that have been adopted elsewhere. Dell’s Women in IT Executive Mentoring (WITEM) program was founded by Dell Australia in 2005 with the aim of accelerating the development of leadership skills of women within the IT industry.

Fox explains, it is focused on the public sector. “Individual departments identify women as having high potential and they come together to undertake a mentoring and coaching program over several months. We’re proud of the fact we have been able to sustain that program for over 13 years, and more than 400 women have participated.”

The program pairs the participants as mentees with senior women mentors in the public service. Each year it has around 30 participants.

“We spend a lot of time thinking about the matching of those individuals to actually get the most out of those pairings,” Fox says. “A real advantage of the program is having individuals from different departments engaging with other individuals at senior levels. There’s cross pollination of knowledge and growth networks around those people.

“It’s been a very powerful program over many years, and we’re really proud of the fact that we’ve seen a number of women who have been part of this program promoted through the public sector.”

The event was run virtually in 2021 and will in future be run as a hybrid program, with external speakers including some from overseas. “We’re continuing to evolve and change the content of that program to meet the needs of what is clearly a changing landscape within the public sector around the digital skills and the digital professions required,” Fox says.

“In addition to the usual launch, mid-term event and graduation where we bring the mentors and mentees together, we have also introduced an additional six events – one for mentors and five for mentees. The mentee events are designed to help build the skills of mentees and allow for additional networking opportunities so the cohort can leverage this powerful group of women. Topics include building your brand, networking and career planning.”

MANDATORY DIVERSITY TRAINING

Internally, Dell Technologies has a couple of initiatives to eliminate gender bias from its own workforce. There is an online on-demand training and testing module, called ‘Be the Change’, designed to deepen understanding about unconscious bias, intersectionality, in-groups and out-groups, equity and microaggressions, and how these can show up in the workplace. The company’s goal is that all employees will complete the Be the Change Essentials program in FY22.

There is classroom training designed to identify and remove unconscious bias where small groups get together to workshop situations, role play and discuss.

Another significant global program is Dell Technologies’ Employee Resource Groups. More than 54,000 employees participate in 13 ERGs in more than 74 countries.

“These groups include a diverse set of interests relating to various topics such as diversity and inclusion,” Fox says. “We have an employee resource group focused on females, we have a group focused on youth, we have an employee resource focused on
faith, we have an employee resource focused on the environment. We have a MentorConnect program that brings together female team members from across Dell Technologies’ functions.”

ENTERPRISE RESOURCE GROUPS

Dell Technologies ANZ has seven ERGs, six of which promote diversity: Mosaic, Connexus, Women in Action, Pride, GenNext and True Ability.

Mosaic – connects team members from diverse cultures and backgrounds and builds an environment that values and is influenced by multicultural perspectives.

Connexus – focuses on technologies, best practices and innovative ways of flexible working that integrate people regardless of where they are.

Women in Action (WIA) – works to build an inclusive community that provides development, leadership and networking opportunities designed to empower, retain and attract women. The group leads MentorConnect, a program that mentors female talent through a structured six-month program focused on managing change, leading teams, networking, career planning, influencing, executive presence and leadership.

Pride – works to enrich the experience of global LGBTW team members and Dell’s allies and help them grow and be successful. Dell Technologies ANZ sponsors the Pride in Diversity CEO Summit as one of its local commitments to the Pride ERG.

GenNext – fosters the growth and success of new hires and young professionals through engagement, professional development and community involvement.

True Ability – is a group that works on developing best practices, awareness and solutions to empower team members and allies impacted by physical or intellectual disabilities.

HELPING WOMEN REACH THEIR GOALS

Locally, Dell Technologies operates the Goal Program, a development program for senior females that focuses on their career progression to executive levels. “There’s coaching, mentoring, job shadowing, all of those things that we see as critical to helping women in their career journey and their own professional development,” Fox says.

“Another one is ‘Releasing Your Potential’. It’s a development program that’s designed to support and enhance the advancement of women. It identifies specific gaps and focuses on those. These could be confidence or self-awareness. They do team project work and training.”

Another global program very active locally is Dell Women’s Entrepreneurship Network (DWEN) that helps entrepreneurial women share best practices,
build business opportunities, access new resources and technologies to empower their businesses.

There are approximately 560+ female entrepreneurs from ANZ in the global program. Dell Technologies ANZ is running a Dream Tech Contest that encourages DWEN members to share their stories and win up to $40K worth of Dell products.

“The contest closes mid-January so I would encourage female entrepreneurs and aspiring entrepreneurs to join DWEN and this contest,” Fox says.

“We’ve also partnered with Kochie’s Business Builders and local female entrepreneurs to share their key learnings and success stories.”

FOSTER DIVERSITY IN EDUCATION

Dell Technologies also has a number of initiatives in ANZ reaching out to the education sector, from primary school to university. These aim to attract more female talent into STEM. Dell Technologies hosts regular virtual STEM workshops targeting primary and high school students and profiling young female STEM ambassadors. Ambassadors have included Matilda McAleenan from McLaren and Jessica D’Ali from Animal Logic.

Dell Technologies participates in the Univative program that brings together diverse groups of students from Australian universities across multiple disciplines to devise innovative solutions for challenges posed by industries and communities. They are designed to develop students beyond the classroom and help them gain experience for future career and job opportunities.

Dell Technologies is one of the official partners of the Lucy Mentoring Program that connects women studying engineering or technology at the University of Technology Sydney (UTS) to industry professionals for one-on-one mentoring.

“Our aim for these programs is to mentor STEM University students who may be considering a career in IT once they complete their degree,” Fox says. “We want to ensure they have a network and connection to some of our team members. We have seen success where UTS graduates have gone on to be working full time at Dell Technologies, so it’s great to see the focus on students is helping attract our future female talent.”

A WHISPER WITH THE POWER OF A ROAR

The commitment to diversity at Dell Technologies, Fox says, comes from the top. “We’re extremely fortunate to have an incredibly committed leader in Michael Dell. He has an expectation, and we have it in our culture that as leaders we need to be leading from the front.

“I heard an expression yesterday at the Pride in Diversity CEO Summit I attended: ‘A whisper at the top is more powerful than a roar from the bottom’. And I really do think that we as leaders set the tone.

“I’m really passionate about continuing to do that myself, with my leadership team and, importantly, with the team, so that every day a person’s experience in the workplace is connected to our values and what we believe.”

www.linkedin.com/in/angelaefox/

twitter.com/angelaefox

Dell Technologies ANZ Blog: www.delltechnologies.com/en-au/blog/

Dell Technologies ANZ Website: www.delltechnologies.com/en-au/index.htm


2021 AUSTRALIAN WOMEN IN SECURITY AWARDS WINNERS

IT SECURITY CHAMPION

THE ONE TO WATCH IN IT SECURITY

HIGHLY COMMENDED

HIGHLY COMMENDED

Jennifer Firbank Joss Howard

Irene Giantsos Archana Puri Anafrid Bennet

WINNER

WINNER

Anu Kukar

Sarah Hosey

BEST FEMALE SECURE CODER

BEST VOLUNTEER

HIGHLY COMMENDED

Dorien Koelemeijer

Laura Lees

WINNER Reshma Devi

Laura Brandon

MALE CHAMPION OF CHANGE

PROTECTIVE SECURITY CHAMPION

HIGHLY COMMENDED

HIGHLY COMMENDED

Steve Schupp

Joss Howard Jennifer Firbank

SPECIAL RECOGNITION

Simon Carabetta

Priyal Bhosale

HIGHLY COMMENDED

WINNER

WINNER

SPECIAL RECOGNITION

Craig Ford

WINNER Alison Lee


BEST SECURITY STUDENT

HIGHLY COMMENDED Gabriela Sorsa

WINNER Kavika Singhal

BEST PLACE TO WORK FOR WOMEN IN SECURITY

THE ONE TO WATCH IN PROTECTIVE SECURITY

HIGHLY COMMENDED Xero

WINNER

WINNER

Greater Western Water

Pip Rae

UNSUNG HERO

BEST PROGRAM FOR YOUNG WOMEN IN SECURITY

HIGHLY COMMENDED Fatema Hashmi Katrina Avila

WINNER

WINNER

Moufida Rima

AWSN Cadets

AUSTRALIA’S MOST OUTSTANDING WOMAN IN IT SECURITY

AUSTRALIA’S MOST OUTSTANDING WOMAN IN PROTECTIVE SECURITY

HIGHLY COMMENDED Rachael Greaves Daniella Pittis

WINNER Kate Monckton

WINNER Marie Patane


UNSUNG HERO WINNER

MOUFIDA RIMA Vulnerability Management Specialist at IAG

HIGHLY COMMENDED FATEMA HASHMI Senior Security Consultant at Telstra Purple

Fatema is an IT and security expert who sees many challenges remaining in overcoming the unconscious biases standing in the way of inclusion and gender diversity in the industry. She has been in the IT industry for nine years and in security for four and takes part in various inclusion and diversity events and anything she can do to promote women in security. She also mentors females and works with a variety of organisations to raise IT security awareness among schoolgirls.

KATRINA AVILA Director - Cyber Security at EY

Katrina is the only EY director who sits on the diversity and inclusion council, and has identified many barriers to overseas EY staff working effectively. She goes the extra mile to promote inclusivity and understand the lived experience of offshore teams. Her ability to lead and include diverse teams saw her hit the top slot in her promotion cohort across EY’s technology and business consulting teams.



FINALISTS

MOUFIDA RIMA Vulnerability Management Specialist at IAG

ALANA MAURUSHAT Professor of Cybersecurity and Behaviour at Western Sydney University

LARA HEMMATY Workplace Solutions Specialist | Solutions & Cloud | Optus Enterprise

LAURA O’NEILL Manager at MF & Associates

FATEMA HASHMI Senior Security Consultant at Telstra Purple

LISA ROTHFIELD-KIRSCHNER Membership Manager at PWN and Author of “How We Got Cyber Smart”

LOUISA PARTRIDGE Head of Marketing and Partnerships at OSINT Combine

LOUISA VOGELENZANG Head of Cybersecurity APJ | Co-founder & Director of @ WomenSpeakCyber

KATRINA AVILA Director - Cyber Security at EY

NOMINEES

ADELINE MARTIN
ALANA MAURUSHAT
ANAFRID BENNET
ANNA HARRIS
ANNELIESE MCDOWELL
ANTONELLA ANCONA
ASHLEY MILLER
BARBARA LIMA
CAROLYN BOLLING
CHELSEY COSTELLO
CHRISTINA ROSE
CORIEN VERMAAK
FATEMA HASHMI
FFRANCES LAWES
HOMATAJ (HOMA) VAFA
JACQUELINE UNG
KATRINA AVILA
KYLIE BREHENY
KYLIE SOLUM
LARA HEMMATY
LAURA O'NEILL
LELAN QUACH
LI CHING LIEW
LIOU LIU
LISA ROTHFIELD-KIRSCHNER
LOUISA PARTRIDGE
LOUISA VOGELENZANG
MAL PARKINSON
MANDY TURNER
MARIANA PAUN
MELISSA MCGREEVEY-WISSE
MELISSA SMELT
MINA ZAKI
MOUFIDA RIMA
NATALIE PEREZ
RESHMA DEVI
SABINA STREATFEILD
SARAH BOX
SARAH CAMPBELL
TRACY COLLINS
VERONICA TURNER
VIVIENNE MUTEMBWA


UNSUNG HERO WINNER

Moufida Rima Vulnerability Management Specialist, IAG

The challenge faced by Moufida Rima in one of her past workplaces as a minority of one will be familiar to many women working in cybersecurity, and in many other roles.

It was, she says, the biggest challenge of her career. “I was being pushed around and my contributions were not listened to whenever I had put them forward.”

Many women might have tolerated this treatment, found another job, or made tentative steps to initiate change. Moufida’s response was much more drastic, and highly effective. As the winner of this year’s Unsung Hero award, she is credited with “single-handedly transforming the workplace culture, from one which was heavily male-dominated, to one which welcomed and celebrated women.”

How did she do it? “I decided to pursue training in my own time on cyber certifications and while doing my usual day-to-day work, I looked into creating a new service for the organisation, the patch management service, as this was one of the service gaps the cybersecurity team had,” she explains. “I worked countless hours both at work and outside of work to create everything.”

‘Everything’ included not only the service itself but staff and customer training materials, end-to-end documentation, and even estimates of potential
revenues available by offering patch management as an add-on to existing customer services. She pitched the idea to the CEO. It was accepted and implemented by a new five-member team, headed by Moufida.

And her efforts created a more female-friendly organisation. “The work I had done echoed across the company and I found the culture began to change. More women were employed across different teams including the cyber teams. I was taken more seriously, and my contributions were adhered to,” she says.

Today Moufida is a Vulnerability Tools and Assessment Specialist at IAG, protecting the organisation from potential threats and vulnerabilities in its cloud and on-premises resources, and she fills multiple voluntary roles, many focussed on supporting and promoting women in cyber roles.

She is a mentor for the UNSW BITSA industry mentoring program and the 2021 AWSN mentor program. In both roles, she mentors women who are new to cybersecurity. She is also a mentor within IAG where she helps new female interns progress and excel in their careers, and talks to them from her own experience about the obstacles they may face.

She has also done much voluntary work outside the industry. She ran a fundraiser for a close friend’s son who has multiple sclerosis. It raised $10,000 and enabled his family to modify their house to cater for his needs, including providing wheelchair access. She also participates in cooking competitions through which she raised $5,000 for less fortunate families.

Despite the progress made in recent years on gender equality, changing attitudes in the workplace and the aspirations of women themselves, Moufida says much remains to be achieved. Common among the women she mentors is self-doubt.

“The most common phrases I hear are ‘I’m not good enough’ or ‘I don’t know how to be better’. These statements come from bright, young women who have so much doubt in their minds.”

And, despite all the progress on gender equality: “The other common problem which I have also experienced myself is the culture community and how that puts pressure on females,” Moufida says. “For example, the expectation that women should not work, but get married, have children, cook and clean.”

She urges every woman to help change these attitudes. “Shifting the culture of a workplace can simply start from your colleagues you work with. Form a workplace bond with them, even among males. They will be able to assist in changing the culture of the organisation. This will then begin to spread and grow. It will be slow and at times, you feel like you’re not going anywhere but with patience comes change eventually.”

One consequence of winning an award for ‘Unsung Hero’ is that it brings recognition: the winner immediately ceases to be unsung. Moufida says she will welcome the recognition. “I want people to hear about me, my story and know that anything is possible if you set your mind to it, never give up and accept that there will be obstacles along the way that will shape you to be the better person than you are today.

“I am trying to shape the future for females looking to get into the cyber field or even inspire fellow females currently in the cyber field. I want current and future generations to look back and read about me, to be motivated and inspired to do the same or more. If I can make even the smallest impact in a young woman’s life, then I have achieved my goal.”

And, despite all she has achieved, she feels she will benefit personally from the recognition. “Despite the experience I have in the cyber field, I still feel I am seen as an amateur by some people. Having that recognition will help with phasing that away.”

www.linkedin.com/in/moufida-rima-5941a892


BEST VOLUNTEER WINNER

RESHMA DEVI Associate Director Enterprise Data and Analytics Risk from NAB

HIGHLY COMMENDED LAURA LEES Country BISO ANZ at Citi

Laura is a passionate security advocate who has been involved in the security industry since 2002. She is the Vice President of ISACA Sydney Chapter, Co-Chapter lead for AWSN Australian Women in Security Network, and is a member of the FAIR Institute and Australian Information Security Association (AISA) Sydney chapters. She has been and continues to be an active mentor to many people, in particular through One In Tech, an ISACA Foundation, and SheLeadsTech Melbourne. Laura is the person who “finds the time,” even if it means early in the morning or in the evening, to make sure she gives her all to the people she mentors.

FINALISTS

LAURA LEES Country BISO ANZ at Citi

RESHMA DEVI Associate Director Enterprise Data and Analytics Risk from NAB

REBECCA MOONEN Security & Privacy Influence and Cyber Safety Outreach Manager at nbn™ Australia

ANITA SIASSIOS Founder & Managing Director at ManagingCX

NOMINEES

AMANDA TURNER
ANITA SIASSIOS
HOLLY WRIGHT
JILLIAN TAYLOR
LAURA JIEW
LAURA LEES
NOUSHIN IRANZADI
RESHMA DEVI
REBECCA MOONEN
SONAL AGRAWAL




BEST VOLUNTEER WINNER

Reshma Devi Associate Director Enterprise Data and Analytics Risk, NAB



Reshma Devi’s day job is Associate Director Enterprise Data and Analytics Risk at NAB but it’s what she does as a volunteer that got her an Australian Women in Security Award for Best Volunteer.

She’s an experienced data, security and technology risk specialist with a Master’s in Information Technology, and 20 years of experience in the banking and financial sector working in Australia and New Zealand. She loves anything that involves data and is passionate about data security and emerging data challenges, and it’s her passion for supporting women in cyber that scored her the award.

She’s a tireless advocate for the advancement of women in security. She leads the Women in Leadership Program at the Australian Women in Security Network (AWSN), is the AWSN Chapter Lead for Melbourne and is a mentor in the AWSN mentoring program. She’s also the Diversity Director for ISACA’s Melbourne Chapter and oversees SheLeadsTech Melbourne. She recently also judged the 2021 Techgirls movement’s competition.

These are no small tasks. Between AWSN and ISACA, Reshma works with four subcommittees, guiding and overseeing the activities of 10 other volunteers, and is also on the ISACA Melbourne board.

She hosts and moderates AWSN security events, organises and conducts networking sessions, is a mentor for AWSN, and was a member of the selection panel awarding scholarships to women on a leadership course offered by the Cyber Leadership Institute.

For ISACA she assists with Personal Development sessions, oversees the activities of SheLeadsTech, started and assists the diversity subcommittees, and leads programs such as the International Women’s Day 2020 and 2021, and Go Girl Go For IT with VIC ICT. She has also assisted with ISACA’s Melbourne webinars on security, risk, governance, privacy, data and audit.

And most of this work is undertaken in her own time: her employer NAB gives her two days per year for voluntary work, which she dedicates to her roles with ISACA and AWSN.

However, she says volunteering to support women in cybersecurity, empowering them to progress at work and in personal life is reward enough for her volunteering efforts.

“I do it because I love helping women and the pleasure I get is way more than any other philanthropy work I do. The joy of giving back to the community is unmeasurable. I do it because I genuinely want to help and give back to the community, and I will continue doing this as long as I can!”

www.linkedin.com/in/reshma-devi-04235925/



PROTECTIVE SECURITY CHAMPION WINNER

ALISON LEE Director Of Logistics at Penten

FINALISTS

ALISON LEE Director Of Logistics at Penten

FIONA BYRNES Asia Pacific & Japan Client Services Executive at IBM || President WiCyS Australia

PAM LA MOTTA Group Protective Security at IAG

NOMINEES ALISON LEE CHRISTINA ROSE FIONA BYRNES JO SAM NICOLE STEPHENSEN PAM LA MOTTA SARAH CARNEY



Keeping People Safe And Organisations Running. Faster.

What Everbridge Does

During public safety threats such as bushfires, earthquakes, terrorist attacks, a global pandemic, or severe weather conditions, as well as critical business events including IT outages, cyber-attacks, supply chain interruptions, all levels of government rely on Everbridge’s SaaS-based Critical Event Management platform.

Everbridge’s Critical Event Management Solutions:

• Business Operations: keeping departments and operations running, faster
• Digital Operations: protecting brand and reputation while providing resilience for IT systems
• People Resilience: fulfilling duty of care for residents, remote and onsite employees, travelers, and field workers
• Public Safety: Everbridge. Everywhere. Every time. Public Safety for every Australian
• Supply Chain Risk: managing and optimising for risk to supply chains
• Smart Security: smart automation, secure IoT management, big data, and advanced analytics

LEARN MORE AT Everbridge.com


PROTECTIVE SECURITY CHAMPION PROFILE WINNER

Alison Lee Director of Logistics Penten



As the winner of this year’s Protective Security Champion award Alison Lee, Director Logistics at Penten — an Australian cyber security company focused on secure mobility, artificial intelligence and tactical communications — sees working in a male-dominated industry as an opportunity rather than a barrier to career advancement.

She says the imbalance creates an opportunity to demonstrate the abilities and benefits women can bring to their roles. And, coming to security from a career in the Army, she is certainly no stranger to male-majority workplaces.

She encourages women to explore the employment possibilities offered by protective security, saying there are many such roles not traditionally thought of as being protective security roles.

“There is a lot of support for women involved in the cyber and protective security industries and the numbers are growing,” she says. “Seeking out a mentor or a trusted advisor (either female or male) within the industry can be a great way of getting a foot in the door and gaining a greater understanding of the industry and how your particular skills can contribute.”

She uses her former Army role to boost female participation in the security industry by offering mentoring for veterans transitioning from the military to the corporate environment.

She says being Director Logistics puts her in a unique position: she interacts with all facets of the organisation because her role crosses over all aspects of the business: engineering, project management, accounting etc.

“The role has a strong focus on supply chain management and security, particularly with respect to our government clients and the equipment we provide,” Alison says. “I also focus on maintaining a good general awareness of security within the organisation.”

And it makes her particularly well placed to promote security throughout the organisation.

“Having been a member of the Australian Defence Force, I am able to provide people with a unique perspective into why always maintaining an awareness of protective security, even in a seemingly unrelated area such as finance, can have an impact on the capability outcomes to our clients, and ultimately to the personnel who may be operating in dangerous areas of the world.”

She says the recognition of being named protective security champion will further enhance her ability to champion protective security across Penten, by putting the spotlight on her non-traditional security role in logistics and the work she does to increase protective security within the organisation.

www.linkedin.com/in/alison-lee04897650/?originalSubdomain=au



THE ONE TO WATCH IN IT SECURITY WINNER

SARAH HOSEY Vulnerability Management Specialist at IAG General Manager Security and Privacy Assurance, Risk and Consulting at nbn™ Australia

HIGHLY COMMENDED IRENE GIANTSOS Cyber Response Analyst at NAB

Irene is in a technical Cyber Response role at National Australia Bank (NAB). She completed a Bachelor of Cyber Security at Deakin University while working full time at NAB. She was a key force in driving and contributing to NAB’s partnership in the Australian Computer Academy’s (now Grok Academy’s) Schools Cyber Challenges. Irene has volunteered at countless events, including helping to coordinate and deliver the Security Industry and Trust Summits.

ARCHANA PURI Cyber Response Analyst at NAB

Archana is a cyber security expert who has helped many organisations in India, the Middle East, Europe and Australia establish effective cybersecurity, and has been instrumental in leading and driving these projects from conception to closure. She presented learnings from one such project at the 2021 Diana Initiative, a conference committed to helping all those underrepresented in Information Security.



ANAFRID BENNET Manager, IT & Security Operations at Greater Western Water

Anafrid is one of very few female security leaders in Critical Infrastructure - working to lift the security of operational technology. She contributed to the new critical infrastructure bill and raised the need for an OT security standard. Anafrid was also instrumental in making City West Water a leader in micro segmentation and embedded digital wellbeing initiatives into its employee wellbeing plan.

SPECIAL RECOGNITION PRIYAL BHOSALE Product Manager at Avertro

Priyal is passionate about strategising and designing tailored and innovative cyber and digital solutions for organisations. She played an instrumental role in Xinja’s development of a mature approach to cyber governance risk and compliance in a highly regulated environment. Parts of the Avertro platform that solve real cybersecurity problems for organisations of all sizes exist only because of her creativity.

FINALISTS

SARAH HOSEY Vulnerability Management Specialist at IAG General Manager Security and Privacy Assurance, Risk and Consulting at nbn™ Australia

CANDICE BOWDITCH Security Engineer at Google University

IRENE GIANTSOS Cyber Response Analyst at NAB

ARCHANA PURI Cyber Response Analyst at NAB

CHLOE SEVIL Senior Associate at Clyde & Co

DIVYA SAXENA Practice Partner Technical at DXC Technology

ANAFRID BENNET Manager, IT & Security Operations at Greater Western Water

PRIYAL BHOSALE Product Manager at Avertro

JENNIFER GORMAN Business Development Manager at Entrust

NOMINEES AARATI PRADHANANGA AKANSHA PANDEY ALEXANDRA JURMANN AMANDA SMITH AMIE DSOUZA ANA-GABRIELA HERNANDEZ ANAFRID BENNET ANGELICA DUNGO ANUBHA SINHA ARCHANA PURI

ASHLEIGH MORGAN BINITHA SUDHEER BREARNA LEOPOLD BRONWYN MERCER CAITLIN MIKHEAL CANDICE BOWDITCH CELIA YAP CHLOE SEVIL CLAIRE COLLINS DANIELA FERNANDEZ DIVYA SAXENA

ELA OZDEMIR ELKE DUNN FIONA LONG GEMI KULANGARA GEORGIA TURNHAM IRENE GIANTSOS JACQUELINE SPAILE JENNIFER GORMAN JESSICA WILLIAMS KAREN STEPHENS KATIE DEAKIN-SHARPE KAVITA THOMAS

KHUSHBOO GUPTA LAURA DAVIS LAUREN KOCH LI CHING LIEW LINA LAU LOUISE MARTINEZ MEHRNAZ AKBARI ROUMANI NICOLE DOUEK OLIVIA VAN DER WAGEN POOJA SHANKAR

PRAMITI BHATNAGAR PRIYAL BHOSALE RAMAN GILL REBECCA WILLIAMS SAMANTHA LENGYEL SANDRA RAUB SARAH HOSEY SITA BHAT STEFANIE LUHRS TORY LANE ZOË HASSETT


THE ONE TO WATCH IN IT SECURITY WINNER

Sarah Hosey General Manager Security and Privacy Assurance, Risk and Consulting at nbn™ Australia

Sarah Hosey, the winner of The One to Watch in IT Security award, is General Manager Security and Privacy Assurance, Risk and Consulting at nbn.

The award recognises “a master problem solver, a technological wizard with superior communication and security skills, or a powerhouse security specialist that’s slated for continual distinction.”

Nearly three years ago Sarah made the move into a leadership role in Security and hasn’t looked back since.

She has a legal, regulatory and commercial background and confesses to experiencing some imposter syndrome on being nominated, but counters this by saying “I guess the award category isn’t one of reflection, it is one looking to the future, so that made me more comfortable being nominated.”

She describes her role as “leading five brilliant teams who provide line two guidance and support for both security and privacy across nbn.” This role extends from consulting in the early stages of projects or new product launches to being involved from a security and privacy by design perspective, including supplier assessments.

“We advise on security and privacy risks and controls, through to technical and strategic assurance and controls testing. I’m also nbn’s Privacy Officer,” she says.

TEAM EMPOWERMENT

And she says her favourite part of the job is empowering her team, either by getting out of the way or asking a lot of questions.

“I often find that helps the team or stakeholders clarify for themselves what we’re trying to achieve and the best way of doing that. I’ve learnt there’s no such thing as a dumb question. Often, you’ll ask questions that others have been too afraid to ask. The trick is to ask questions in a non-threatening way that encourages debate and ultimately gets a team to the best outcome.”

She joined nbn as a lawyer and spent time in private practice and in-house at British Sky Broadcasting in the UK, but her natural inquisitiveness led her to her current role.

FROM LAW TO CUSTOMER EXPERIENCE

“I found myself naturally becoming more and more interested in the business strategy behind particular decisions, offering non-legal opinions and probably becoming a very annoying lawyer. So, when I had an opportunity to go on secondment into nbn’s newly-formed customer experience team, I jumped at the chance.

Her transition into cybersecurity occurred when she stood in, after being prompted to do so by a colleague, as General Manager of Privacy Engagement and Security Influence in the Security Group while the incumbent took maternity leave.

“I found security to be a natural home for me, given the balance of law, policy, regulation, communications, influence, strategy and commercial decision-making,” Sarah explains. “After my 12 months was up, I had the opportunity to stay on in the Security Group in a general manager role. The rest is history.”

Her own career journey perhaps explains the advice she offers to young women aspiring to a career in cybersecurity.

“There is no typical security professional anymore. You don’t necessarily need a strong technical background to be successful in this space. And don’t let your lack of technical background prevent you from taking risks and hunting down opportunities for a career in security.

MANY ROADS LEAD TO SECURITY

“It’s more and more important for businesses to have a diverse and inclusive security team, with everyone bringing different skill sets to the table. I’d also say that security is a fantastic speciality to come to after you’ve had experience in different professions. Enthusiasm, curiosity, strong communications skills and an appetite to learn and listen are incredibly valuable skills required in security.”

She hopes winning the award will help promote this message and persuade more women to pursue careers in cybersecurity.

“This award provides a platform to demonstrate that there are many different paths into the security industry – including for women who might be keen to move into a security career, but doubt they could be successful because they don’t have the ‘right’ technical or professional skills/qualifications. I was one of those women.”

www.linkedin.com/in/sarah-hosey896a194a/?originalSubdomain=au


THE ONE TO WATCH IN PROTECTIVE SECURITY WINNER

PIP RAE Founder and Activist at Upstream Investigations

FINALISTS

PIP RAE Founder and Activist at Upstream Investigations

SARAH WOOD Manager, Security Intelligence at AustralianSuper

LAUREN WIGGINS Lead engineer in the Tactical Communications Security (TCS) unit at Penten

NOMINEES ALISON HOWE

ASHLEIGH LITTLE

JENNIFER ELLIOTT

LAUREN WIGGINS

SARAH WOOD

CLAUDIA MULLER

VESNA ERGARAC

HOLLY WRIGHT

VICTORIA ZHONG

VERONICA TURNER

PIP RAE

FIONA LONG



THE ONE TO WATCH IN PROTECTIVE SECURITY WINNER

Pip Rae Founder and Activist at Upstream Investigations



Pip Rae is the founder and lead investigator of Upstream Investigations, an organisation that investigates family violence cases and provides support to victims. It aims to fill a gap between courts, police and lawyers and provide expertise for NGOs and charities that support victims escaping domestic violence. She spent two decades in the NSW Police Force, leaving in 2011 to undergo treatment for chronic PTSD.

In her role at Upstream Investigations Rae now has a very active role in combating domestic violence. She has spoken at international women’s day events, financial independence seminars, domestic violence awareness evenings and has been active in men’s mental health and change behaviour studies.

In January she’ll give her first Ted Talk, on post-traumatic growth, and has been elected as Vice-Chair of the National Child Protection Alliance. She works closely with housing services and wellness practitioners.

She describes Upstream as “a female-led collective of family and domestic violence specialists with a vision to fill the gap between the courts, the police and lawyers as well as providing expertise for those NGOs and charities who provide support and manage victims escaping violence.”

It owes its name to a quote from South African cleric Desmond Tutu, “We need to stop just pulling people out of the river. We need to go upstream and find out why they’re falling in.” Its focus is on protecting children from trauma and mothers from further abuse, providing physical safety strategies and instilling emotional resilience into the disempowered.

FOCUSSED ON WOMEN’S WELLNESS

Rae says Upstream is “about prioritising wellness over legals, looking at options and opportunities, giving women the confidence to communicate during conflict and setting boundaries that respect their right to live free from fear.”

She was watching changes to how the Queensland Courts and Victorian Police treat domestic violence when “I saw the missing piece: investigations that identify the issues and concerns and the help victims need to develop a language they understand that describes what they have been subjected to.”

She explains: “In NSW, a person in need of protection must apply themselves to a court and that’s daunting. So Upstream Investigations formed a team of experienced and passionate advocates with trauma-informed specialisation. It was a very serious big picture chat that resulted in one of those ‘let’s solve this problem of the world’s conversations’.”

Upstream also provides evidence gathering strategies using technology and statement preparation as well as private interventions and document services for civil and family matters. It has also recruited an international child trafficking investigator and life story work counsellor who works closely with clients to identify risks and opportunities for conflict resolution.

PROTECTING CHILDREN FROM VIOLENCE

Rae was recently elected to the executive of the National Child Protection Alliance, to help the voice of children be heard in high conflict situations, make submissions regarding the investigation of child abuse to state and federal government, and deliver education to a number of domestic violence support services about apprehended violence orders and evidence relating to crimes under the Family and Domestic Violence Act 2007 and related legislation.

Rae feels she is part of “a lifetime campaign to change the hearts and minds of a society resistant to creating equity for women and equality between the sexes.”

She says there is a growing demand for the services Upstream provides and the organisation is moving to establish numerous local female-led investigation agencies across Australia to meet demand.

Being entrepreneurial is nothing new for Rae. Prior to joining NSW Police, she was a fitness instructor and sports massage therapist, because she had health issues as a teenager and her recovery required her to focus on her health.

“I then started a business called Athletes Advantage with a fitness program for young women called, ’Fit for a Bride’ to help them get fit and feel fab on their wedding day. I even made it into the pages of Vogue Magazine with some amazing wedding industry leaders,” she recalls.

COMBATTING PTSD

Before she left the police she was diagnosed with chronic post-traumatic stress disorder. “I had developed a slate of coping strategies like most police, but my cup was full,” she says. “It was playing out physically in my health, emotionally and psychologically, in my relationships and impacting on my self-worth. The focus for helping people was overridden by achieving a statistical output of arrests and convictions and that didn’t sit well with me.”

This came after being on the front line of domestic violence since the age of 19, when attitudes were very different and a diagnosis of mental illness was career-ending.

“I’ve seen an enormous shift from domestic violence being a private matter to becoming a public issue that requires a community response. I remember when I first started policing, I couldn’t believe that police would turn up to a family home where the wife had been punched and be told ‘we don’t get involved, it’s a private matter’.”

She’s seen the impact of violence on children, and had to tell them their mother has been injured or murdered by their father.

“Men’s violence against women and other men is a national crisis, robbing children of healthy and happy mothers because they can’t process their jealous rage, rejection or anger in a healthy way,” she says.

Rae describes Upstream as an idea a long time in gestation, and one born in part from her own experience of being in an abusive relationship, and trying to leave it.

AN ABUSIVE RELATIONSHIP

“I’d been given advice by doctors and counsellors to leave the relationship and it took me to travel to New York with my children for a month to realise just how dangerous and unhappy my home had become. I didn’t even recognise myself, or love the life I had created,” she recalls.

“So when I came back I asked for a separation, and that’s when I got scared. He didn’t cope with the rejection very well and struggled with mental health. Even as an expert trained in domestic violence I did everything ‘they’ tell you to do and I was still unsure of how bad it had to get, who to go to and what to say - especially because I knew the consequences of reporting it to police.

“That’s when I saw there was this massive gap between telling your story to get the advice you need and what is relevant in the law to stop the abuse.”

Prior to this she had been studying journalism and doing research into coercive control and following the Royal Commission into Family Violence in Victoria.

“We discussed how all these people were ending up in the pool of desperately seeking information in a time of crisis along with some form of validation of their experience or a way out. They also needed to know how they got there and what to do about it, so it doesn’t happen again.

“Now we advocate for victims and misidentified offenders, help them to decide on the path that works for them, connect to the right people and prepare the information for government agencies and the courts system if they need it.”

A LONG ROAD TO RECOVERY

Where Rae is today is a long way from when she left the NSW Police, describing herself as “broken”, saying she never expected to recover.

“I never thought the endless days of being triggered would stop and that my frazzled nervous system and anger would be something I’d have to manage forever. It was exhausting.

“It took loads of therapy, a lot of unlearning, rewiring and study to get to the other side of PTSD. But this PTSD growth experience helped me understand what victims of domestic violence need. For me, it took an apology from a former work colleague to let go of the pain of feeling like I failed. Just that acknowledgement of suffering is healing and allows you to accept that you did your best and that was enough.

“I now balance my world with fun and invest in friendships. And whilst I’m proud of my career, I love my life now. I feel like I’m really helping people.”

www.linkedin.com/in/pip-raedio76b555179/?originalSubdomain=au

www.facebook.com/upstreaminvestigations

www.facebook.com/giftofsafety

instagram.com/upstream_investigations

instagram.com/pipraedio

www.upstreaminvestigations.com.au/the-gift-of-safety

www.upstreaminvestigations.com.au/



IT SECURITY CHAMPION WINNER

ANU KUKAR Associate Partner - Cyber Security Strategy, Risk & Compliance Australia and NZ at IBM

HIGHLY COMMENDED JENNIFER FIRBANK Cyber Security Strategy & Influence Principal at Telstra

Highly commended as an IT Security Champion is Jennifer Firbank, who leads the cyber strategy and influence team at Telstra, for her vision and ability to turn the most complex technical discussion into a narrative that is easily understood and interesting for her target audience. She has demonstrated motivation, dedication, commitment and attitude to continually boosting cybersecurity in Telstra and in the wider community.

JOSS HOWARD Cybersecurity Partner at McGrathNicol

Joss was named winner of the Cyber Leadership Institute’s strategy competition, the core of an intensive eight week program reinforcing critical skills around strategy design, leadership, stakeholder engagement, board communication and persuasion. She volunteers as an advisory board member of InfoSecAssure, a Sydney based start-up helping businesses get the right security controls.



FINALISTS

ANU KUKAR Associate Partner - Cyber Security Strategy, Risk & Compliance Australia and NZ at IBM

JENNIFER FIRBANK Cyber Security Strategy & Influence Principal at Telstra

JOSS HOWARD Cybersecurity Partner at McGrathNicol

DUYEN TRAN Senior Manager, Information Security Assurance at AustralianSuper

CAITRIONA FORDE Cyber Security Communication & Training Program Manager at Western Power

BRIDGET MITCHELL Executive Manager of Security Operations at nbn™ Australia

NOMINEES ANU KUKAR

JENNIFER FIRBANK

ANUBHA SINHA

JESSICA ADAMS

BARBARA COOK

JOSS HOWARD

BRIDGET MITCHELL

KARISSA BREEN

CAITRIONA FORDE

KAY MESINA

CAROLINE CUI

LOUISE HANNA

CATH WISE

NIKKI MEHTA

DUYEN TRAN

RASHMI RANI

FERESHTEH ZAMANI

SAM FARIBORZ

FIONA BRYNES

SARAH IANNANTUONO

GERGANA (KIRYAKOVA) WINZER

SHELLY MILLS

HANNAH O’NEIL

TANVI BALI

IVANA KVESIC



IT SECURITY CHAMPION WINNER

Anu Kukar Associate Partner - Cyber Security Strategy, Risk & Compliance for A/NZ with IBM and Director at Arascina.


Winning the award, she says, has given her “An opportunity to continue encouraging women to join or switch into a career in security, inspiring future leaders and supporting upcoming talent.”

She says her name reflects her role:

• Advise - help clients solve problems.
• Nurture talent - coach, mentor and support professionals’ careers.
• Untangle - cyber, data, emerging tech and third-party risks.

SNAPSHOT

For the past six years she has shared industry knowledge and insights to other professionals through over 60 keynotes and panels at conferences/webinars, publications and podcasts globally. This has included the USA, Denmark, Dubai, Singapore, India, Malaysia, Thailand, New Zealand and Australia. She has boosted awareness predominantly of security, emerging technology and data risk at an international level. Her topics have ranged across the spectrum including upskilling and life-long learning to reduce talent gaps, emerging technology risks in artificial intelligence and machine learning, cybersecurity risk, compliance and governance, third-party risk and data protection across cloud and third-parties.

She is passionate about:

• Driving diversity in cyber and technology; and
• Upskilling professionals in cyber.

No surprise then, that she gave every attendee at the AWSN 2021 Gala Awards night the challenge to help upskill two professionals in cyber by the time the 2022 event is on. This way, everybody can collectively work to reduce the cyber talent shortage.

UPSKILL PROFESSIONALS IN CYBER

She has recently become a director of Arascina, an organisation dedicated to helping people upskill in emerging technology. Anu says she took on the role to help address the global cybersecurity skills shortage.

“I am passionate about upskilling myself and my teams. It is critical for all professionals to stay relevant by upskilling. Arascina upskills in emerging technology, which resonates with this passion.”

DRIVING DIVERSITY IN CYBER AND TECH

Anu says “Professionals from diverse background outside of cyber and tech have just as much to offer and contribute.” It is recognising that cyber criminals are constantly thinking differently. To be ahead of the game, cybersecurity and tech professionals need to think differently as well and as such, diverse teams become essential.

BOOSTING RISK MATURITY

As a risk advisor to business units, her focus has been on lifting enterprise risk maturity. She has led risk advisory functions to support the Chief Information Security Officer, Chief Data Officer and Chief Technology Officer.

By using the risk lens, her unique ability to collaborate with these leaders and involve security as part of the risk conversation has led to immense mindset changes on projects. These influential techniques have seen Anu aid security discussions to be held at the beginning and throughout organisational initiatives such as digital transformations and strategic changes.

https://www.linkedin.com/in/anukukar/


BEST STUDENT SECURITY LEADER WINNER

KAVIKA SINGHAL Information Technology Intern at Google

SPECIAL RECOGNITION GABRIELA GUIU-SORSA Systems and Security Adviser at Siren Smoke Alarms

Gabriela is one exceptional and inspirational woman who has used her own lived experience and personal and professional challenges to launch what promises to be a stellar and changemaking career in cyber security. After being hacked and losing her life savings, she was mobilised to teach herself cyber security. After losing her job during COVID, she decided to pursue cybersecurity study. She is a volunteer, connector, teacher and mentor, who is driven by a strong desire to give to her community, help those doing it tough and empower women.

FINALISTS

KAVIKA SINGHAL Information Technology Intern @ Google

GABRIELA GUIU-SORSA Systems and Security Adviser at Siren Smoke Alarms

VICTORIA CHENG Forensic Technology Vacationer at Deloitte

RITU DAHIYA Assistant Project Manager at Green Solutions Australia

ERIKA SALMON TechOps Release and Incident Manager at Nano Digital Home Loans

NOMINEES ALAINA LAWSON

GABRIELA GUIU-SORSA

KAVIKA SINGHAL

RITU DAHIYA

AMBER SPENCE

GEORGIA PROUT

LARA HEMMATY

SELIM KANG

ELOISE ROBERTSON

HANNAH RICE

MELINA JONES

VICTORIA CHENG

EMMA SEAMAN

HARSH KAUR

MIRANDA RAFFAELE

ERIKA SALMON

JACYNTA GRIGSON

NIEVEDHA P KARTHIKEYAN



BEST STUDENT SECURITY LEADER WINNER

Kavika Singhal Information Technology Intern at Google

Kavika Singhal is studying for a Bachelor of Cybersecurity and Behaviour at Western Sydney University where she has consistently produced high distinctions in her units and is on the Dean’s Merit List for her outstanding performance in 2019 and 2020. These achievements enabled her to become a member of the Academy at WSU and the Golden Key International Honour Society.

However, it is as much for her extracurricular activities as her academic achievements that she has gained the accolade of Best Security Student.

She led the STEM programme, a collaboration between WSU and NSW high schools to attract girls to the STEM program as part of AustCyber’s Cyber Ambassadors Program. In addition, she also held workshops on Blockchain technology and Open Source Intelligence (OSINT) aimed at introducing the cyber world using OSINT to high school students, STEM aspirants and NSW STEM teachers.

She launched the Cyber Security Association to create a cybersecurity community within WSU. It started as a Facebook group, which later grew to over 200 members and initiated multiple activities: networking events for university students, CV writing session, capture the flag sessions, and practical workshops on offensive security and on identity and access management.

MICROSOFT STUDENT ACCELERATOR

She is leading the Microsoft Student Accelerator Program for 2021, which is training over 1500 university students across Australia in subjects such as Azure fundamentals, Artificial Intelligence and Internet of Things. Among those they had over 450 girls this year using Microsoft technologies such as Azure Machine Learning Studio, Git & Github workshops.

As President of the Cyber Security Student Association at WSU, she introduced the first professional chats with industry and government for her peers and new students to accelerate their careers through industry and student interaction, career development and the development of communication and networking skills.

“The program made me realise how culture and diversity are huge contributing factors in education and awareness. In 2019 (offline) and 2020 (virtual), I ran a series of digital literacy workshops for seven days in three different languages — Hindi, English and Punjabi — where I used real-life case studies to educate the elderly about credit card fraud, investment and superannuation fraud, phishing, and vishing scams,” she says.

“I expected the initiative to be a teaching session.

However, it turned into an insightful conversation on online safety and security as numerous stories and

She volunteers in Wentworthville with the Digital

instances were shared. I learned so much in those

Literacy (Cyber Safety) Program at the Indian Support

sessions.”

Centre where she runs sessions for both the elderly and the young teaching cyber safety.

When she completes her studies, Singhal says she envisions creating a significant human impact

She was the winner of Kaspersky Australia’s Secur’IT

through technology.

Cup Hackathon, and Australian representative for the Kaspersky International IT Cup in 2020. Her

“Cybersecurity is growing each day but the

team developed Vigilant which aims at teaching

implementation of it at the ground level is highly

fundamental cybersecurity and cyber safety through

necessary because that is how we as a community

gamification particularly for primary and middle

can grow together. Hence, I wish in the coming years

school children. Currently, she is using this experience

each person, old and young, regardless of economic

to create a user-friendly cybersecurity education

background, has the basic knowledge of cyber safety

guide for non-profit organisations, small businesses

and security. I will continue to work towards that.

and schools. “I also wish to work more towards a more diverse and She has been a runner-up in WSU’s Global Scope

inclusive environment for women in STEM, especially

program and Interchange program. Global Scope

cybersecurity, and create more opportunities for

empowers first year students to get firsthand

employment and skill development for international

industry experience. Interchange is an entrepreneurial

students.”

hackathon, a platform to solve sustainability and workplace challenges. Singhal is the ambassador for

And, given her commitment to cybersecurity

both programs and mentors and guides incoming

education, it’s hardly surprising Singhal says

students to the programs.

next year’s Australian Women in Security Awards should include one for Most Innovative Educator in

PROTECTING SENIOR CITIZENS

Cybersecurity. “I believe educators and professionals

Of all her volunteering initiatives she says her work

who aim at empowering individuals through

with Be Connected, an Australian government

innovative ideas should be awarded.”

initiative — imparting knowledge of basic cyber safety measures to senior citizens — is closest to her heart.

https://www.linkedin.com/in/kavika-s-b60969192/



BEST PLACE TO WORK WINNER

GREATER WESTERN WATER

HIGHLY COMMENDED

Xero is truly making a mark in the industry, with 75% of its security leadership team female. The Xero board is 43% female, and its executive leadership team is 40% female. All people leaders in Xero are required to undertake training in diversity and inclusion and ‘Ally Skills’ training, to understand what it means to be an ally for women across the company. Its #xerotech and #womenofxero are meeting places for women seeking mentors, promoting roles, sharing events of interest and generally supporting each other in the industry.

FINALISTS

GREATER WESTERN WATER

XERO

TRUSTWAVE

ORIGIN ENERGY LTD

TELSTRA

NOMINEES

AKAMAI TECHNOLOGIES

GREATER WESTERN WATER

NAB

TREND MICRO

ATLASSIAN

NBN

TRUSTWAVE

CITI GROUP

HEALTHSCOPE

ORIGIN ENERGY LTD

XERO

CYNCH SECURITY

IONIZE

PRIVASEC

DATA ZOO

KPMG AUSTRALIA

TELSTRA


BEST PLACE TO WORK WINNER

Greater Western Water (GWW), winner of this year’s Best Place to Work for Women in Security award, boasts a female managing director, a female CIO, a female senior manager of technology and security, and a female enterprise security lead. And its security team is 80 percent female.

GWW CIO, Jennifer Rebeiro says the award recognises the whole security team — female and male members — for their hard work and dedication, and inspires all women across the organisation, the public sector, and the IT industry by recognising its commitment to a sustainable and equitable future.

“Being recognised as a leading organisation for women in security will assist our vision of being an employer of choice for women and one that increases women’s participation in IT&D through providing role models, removing unconscious biases and discrimination, and creating a unique, welcoming and flexible workplace for women,” Ms Rebeiro says.

Overall, the company says its workforce reflects the gender and ethnic diversity of Australian society: a recent staff survey indicates 47 percent of its workforce is female, and 43 percent of the staff speak a language other than English at home.

The benefits of this diversity are real. “It enables true diversity in thought and experience, which is invaluable in developing positive outcomes and solutions,” Ms Rebeiro says. “And having different perspectives helps gain an understanding of what is possible.”

The female-led security team has delivered some very quantifiable benefits. Under the guidance of CIO, Jennifer Rebeiro and IT & Security Operations Manager, Anafrid Bennet, GWW delivered a three-year security uplift program and achieved an estimated combined cost avoidance of $3m+ through risk mitigation, new technology implementation and skills and capability uplift.

Numbers aside, GWW has several initiatives to support and uplift its female staff members. The IT&D leadership team have undertaken the Women in Leadership Development (WILD) program, which aims to create community empowerment and address gender disparity across the STEM sector. GWW’s emerging leaders also participate in the VIC ICT for Women mentoring program that aims to attract young women into STEAM careers.

Ms Rebeiro says the combination of these programs alongside internal mentoring and leadership development initiatives, inspires women leaders to think strategically, influence with impact, provide thought leadership, and support others through change.

GWW is also developing a talent pipeline through partnerships with Victoria University and Wyndham Tech School to encourage women to pursue careers in technology and security.

“We are focused and committed to providing opportunities for women so they can build a range of leadership skills such as self-awareness, resilience and emotional intelligence,” Ms Rebeiro says.

“At GWW, we promote an inclusive working environment that supports women to express confidence and tenacity. Through celebrating female empowerment, we are creating a culture where all employees, both men and women, can freely provide constructive feedback, have difficult conversations, voice innovative ideas and engage in genuine collaboration and respect”.

www.linkedin.com/company/greater-western-water

www.gww.com.au/


AUSTRALIA’S MOST OUTSTANDING WOMAN IN IT SECURITY WINNER

KATE MONCKTON General Manager Security and Privacy Assurance, Risk and Consulting at nbn™ Australia

HIGHLY COMMENDED RACHAEL GREAVES Chief Executive Officer at Castlepoint Systems

Rachael’s a female innovator leading the way in IT security. She saw traditional information control systems failing, sometimes disastrously, and worked with state and federal governments to change policy. She influenced a revolution in Australian government records management models. Her solution, Castlepoint Systems, has been adopted across federal, state and local government, and regulated organisations in Australia and New Zealand. It has won major awards including Australian Technology Competition for Cyber, AustCyber Sky’s the Limit, and Global CyberTech 100.

DANIELLA PITTIS Group Chief Information Security Officer at Flight Centre Travel Group

Daniella Pittis is an inspirational leader with a unique leadership style centred on empathy, humility, vulnerability and inclusiveness. She puts 100% of effort into developing her team, supporting initiatives and delivering outcomes. As a member of the LGBTQIA+ community, she uses her visibility and voice as a leader to encourage other members of the community to push for greater diversity, inclusion and equity through speaking engagements and mentoring and advisory roles.



FINALISTS

KATE MONCKTON General Manager Security and Privacy Assurance, Risk and Consulting at nbn™ Australia

ADRIENNE MAXTED Partner at Deloitte

RACHAEL GREAVES Chief Executive Officer at Castlepoint Systems

DANIELLA PITTIS Group Chief Information Security Officer at Flight Centre Travel Group

NIVEDITA NEWAR Head of Cyber Security Strategy & Governance at UNSW

DANIELLA TRAINO CISO at Wesfarmers

SHAMANE TAN Chief Growth Officer at Sekuro

NOMINEES

ADRIENNE MAXTED

DIVYA SAXENA

JINAN BUDGE

PAULA OLIVER

ALISON O’HARE

DR JOANNA DALTON

KATE MONCKTON

RACHAEL GREAVES

AMANDA SMITH

ELENA SCIFLEET

KATRINA AVILA

REBECCA GIBBONS

AMY ORMROD

FERESHTEH ZAMANI

LAURA LEES

SHAMANE TAN

ANKITA SAXENA

FIONA BYRNES

LINDA CAVANAGH

SHYVONE FORSTER

ANUBHA SINHA

FIONA LONG

MANDY TURNER

STEPHANIE CROWE

ASOU AMINNEZHAD

GABRIELA SORSA

MANISHA BAJPAI

SUSHEELA GUPTA

AUDREY JACQUEMART

GERGANA WINZER

MELANIE TRUSCOTT

SUSIE JONES

BETHANY COOPER

HALANA DEMAREST

MELISSA NGUYEN

TABITHA BAUER

CAIRO MALET

IRENE GIANTSOS

MITRA MINAI

THIRI HTAY

VIRGINIA CALEGARE

CONNIE MCINTOSH

JEN JOHANSON

NADIA TAGGART

DANIELLA PITTIS

JENNIFER FRANCES

NIVEDITA NEWAR

DANIELLA TRAINO

JENNIFER WAUGH

PALLAVI GARG


AUSTRALIA’S MOST OUTSTANDING WOMAN IN IT SECURITY WINNER

Kate Monckton General Manager Security and Privacy Assurance, Risk and Consulting at nbn™ Australia

Kate Monckton, winner of the Most Outstanding Woman in IT Security award, is General Manager Security and Privacy Assurance, Risk and Consulting at NBN. Kate is currently nearing the end of her second parental leave over the last three years.

It’s a long way from one of her early roles. In the UK she was occasionally a guest ‘technology expert’ on the UK and German shopping channels.

The genesis of her cybersecurity career was her role in management consulting in the UK with McAfee as a client. “I really loved the work I did with them, and that experience opened my eyes to the non-technical opportunities in cybersecurity,” she recalls.

Kate has been described as “a true leader,” a “female frontrunner,” somebody to “have in the boardroom, be part of steering initiatives, meeting new employees, delivering company policies, shaking clients’ hands, and delivering roadmaps for a longer, stronger, diverse workplace.”

Her award citation credits her with being successful in warning people about scams leveraging the profile of nbn. However, she says the hard work was done by the Security Influence team she managed for many years.

STOPPING SCAMMERS

The campaign was certainly successful: reported monthly losses fell 75 percent from $21,000 to $5,000, and Kate says the charity IDCare played a significant role in this achievement.

“I’ve worked with IDCare for many years to understand the details of the scams and new tools and techniques being used. The work David Lacey and his team do to help people who have fallen victim to identity theft and scams is brilliant.”

One achievement she is particularly proud of is leading and implementing the ‘Great Place to Work’ initiative that helped achieve an outstanding employee engagement score for her team, putting it in the top three percent globally and contributing towards nbn receiving the Highly Commended in the Best Place for Women to Work Award in 2020.

FOCUS ON EMPLOYEE ENGAGEMENT

Kate is passionate about team engagement and has taken numerous initiatives at nbn outside staff members’ work roles to boost engagement.

For the past five years, she has partnered with another general manager to run an annual health and wellbeing month. “We focus each week on a different aspect: fitness, mental health, nutrition, friends and family. These have been really great and culminate in inviting friends and family into nbn for a tour of the nbn Discovery Centre and to get to know each other.”

Kate has organised many engagement activities such as Christmas in July “where alongside sharing some classic English Christmas things, people shared food and traditions from their own cultures and religions,” run company-wide events with indigenous speakers and mentored an Aboriginal student who won an nbn-sponsored scholarship. During the lockdown, she set up ‘Security Group Coffee Chat Roulette’. “I made sure to group people together who otherwise would have been unlikely to cross paths,” she says.

Staff also complete a survey twice a year run by a third party that works with thousands of organisations globally to provide feedback on all areas of engagement. The results are then benchmarked against the global averages.

“Each year we work together to identify what’s going well and what needs improvement and put together a series of key initiatives that we deliver against. These are reported monthly up to our executive committee so there’s huge accountability and visibility,” Kate says.

HUMANISING CYBERSECURITY

Kate was also a founding member of the Security Influence and Trust (SIT) Group whose members include representatives from a number of Australia’s major companies.

“There were about six of us, co-founders, from big companies like Australia Post and NAB who drove it from the start and along the way many, many more people have joined us from industry, government, and education,” Kate says.

“The SIT Group is dedicated to humanising cybersecurity. We support cybersecurity professionals to develop and deliver impactful awareness and influence programs to mitigate people and process cyber risk in Australasian organisations — programs that influence behaviours and decisions and produce positive security outcomes. We are also a conduit for the Australian Government to engage industry stakeholders for alignment and amplification of cyber security messages.”

Each year the group puts on a series of informal in-person and virtual events and an annual one-day summit. “The summit is always free for attendees and volunteers come together from SIT member companies to help plan the line-up and execute the event,” Kate says. “There is next to zero budget. We rely on the goodwill of the member companies to provide a venue, catering, audio-visual, etc.”

Kate chaired the virtual 2020 event. “Thanks to the hard work of Paul De Araujo from nbn and the rest of the committee from companies across the country, the summit was a huge success and had over 300 people attended from more than 130 corporate, government and SMB organisations.”

She says the organisation welcomes new members. “There is no membership fee or commitments to join. Reach out to the SIT Group on LinkedIn if you’d like to be involved.”

A SIGNIFICANT PRIVACY ROLE

Kate spent five years on the board of the International Association of Privacy Professionals Australia and New Zealand (iappANZ), including two as president, before stepping down in October 2017. She was the first non-lawyer to be elected to the board of iappANZ and one of only two presidents in the organisation’s history to be asked by the board to hold the position for multiple terms. She wrote and implemented the first three-year strategic plan for the organisation, which increased membership and reduced operating costs within a year, allowing extra investment in member benefits such as industry events and the development of local certifications.

Her involvement with iappANZ stemmed from being asked to become nbn’s privacy officer — she was security awareness lead at the time and had been with nbn for only five months. “I’d never built a privacy program from scratch and was looking for some help so started to attend the iapp events. I quickly met some wonderful and smart people, mostly lawyers,” Kate recalls.

“At that time privacy was largely the responsibility of lawyers and record managers but it was slowly starting to change. I struggled to find the content at events or online that really helped from a practical perspective, so I decided to get more involved and help to shape the discussion we were having here in Australia.

“I’d like to think I helped to produce events and content that was much about how to really ‘do’ privacy risk management and not just focused on the ins and outs of legislation.

“When I was elected president I worked really hard to put more rigour around how the board was run, for example by working with everyone to set annual goals and a plan on how we would achieve them by breaking into smaller sub-committees. I’d also like to think I helped create a welcoming vibe to newcomers to the industry where they could feel safe asking for help from others.”

www.linkedin.com/in/kate-monckton-b412114/


AUSTRALIA’S MOST OUTSTANDING WOMAN IN PROTECTIVE SECURITY WINNER

MARIE PATANE Chief Security Officer at Sydney Metro

FINALISTS

AMY HEWSON CEO MPS

MARIE PATANE Chief Security Officer at Sydney Metro

EMILY HUNT National Risk and Security Operations Manager at SCentre Group

NOMINEES

AMY HEWSON

FIONA LONG

MEMOONA J.ANWAR

AMY ORMROD

HOLLY WRIGHT

NICOLE STEPHENSEN

BHAVANA MALLIKARJUNAIAH

JODIE VLASSIS

SITA BHAT

LI ZHAO

EMILY HUNT

MARIE PATANE


AUSTRALIA’S MOST OUTSTANDING WOMAN IN PROTECTIVE SECURITY WINNER

Marie Patane Chief Security Officer at Sydney Metro

Marie Patane, winner of this year’s Most Outstanding Woman in Protective Security award, was nominated, unbeknownst to her, by her team at Sydney Metro where she is Chief Security Officer. The fact the team did this, she says, is testament to her team-building capabilities.

“I have worked in diverse and challenging roles across my career, building high-performing teams and leading complex projects and initiatives from start to finish. If anything, recruiting the incredibly talented and strong team at Sydney Metro, who coordinated this nomination for me shows I know how to build an award-winning team!”

The key to creating a strong and effective team, Patane says, is to have a mix of capabilities and skills that all complement each other. “Over the past 16 months the team has driven security governance across all aspects of the project life cycle at Sydney Metro.”

And she adds: “As someone who has experienced bullying, gender discrimination and really poor management at times in my career, I am truly committed and motivated to nurturing my team and watching them grow.

“The old adage rings true; you are only as good as your people. So I ensure I invest as much time as I can in developing them and providing them opportunities to speak at the executive forums and present to the board. Watching them progress in their careers also motivates me.”

TEAM NOMINATED, TWICE

This is not the first time a team led by Patane has nominated her for an award. In 2019 when she was General Manager Business Resilience at The Star Entertainment Group, she was nominated for, and won, the Business Continuity Institute (BCI) Australasian Award for Most Outstanding Professional in the Private Sector.

“That award was based on a critical business analysis program which I developed and led across the organisation resulting in the understanding and implementation of controls for the critical processes that would impact the organisation and business continuity thresholds if not addressed within six hours,” Patane says.

Sydney Metro is presently Australia’s largest infrastructure project. Patane says it has drawn on all her career experiences and pushed her to learn new skills, with her role encompassing cybersecurity.

SYDNEY METRO A SECURITY LEADER

She hopes winning the award will raise both her own profile and that of Sydney Metro and highlight the importance of building security into major projects from the get-go. She believes Sydney Metro has a significant role in influencing the professionalism and capacity of the Australian security industry.

“I would love the opportunity to speak to the broader industry about the importance of building security processes and systems early in the project lifecycle,” Patane says.

“I hope it also broadens people’s understanding of how security fits into these large infrastructure projects. I think there is an opportunity to formalise the security discipline in the engineering and construction industry akin to how safety as a profession has emerged as an integrated partner in delivering projects of any scale. This could be done in partnership with industry bodies to raise the professional standing of security amongst the broader engineering community.”

She says Sydney Metro has engaged security professionals to undertake significant security assurance activities in the design stages of its projects.

“If we consider the broader sub-contractor engagement by our delivery partners, that number would likely be in the hundreds. Engaging so many practitioners across all security domains — cyber, counter-terrorism, crime prevention — has provided us a unique opportunity to drive consistent results across a significant proportion of the security providers in NSW and more broadly in Australia.”

Projects in Sydney Metro cannot proceed from design to construction, or from construction to operation, without demonstrating that security has been considered every step of the way.

“Because security has this elevated position in the project management methodology, security practitioners have more influence to ensure the infrastructure being delivered to the public is as safe and secure as it can be.”

WHERE MAKEUP MEETS SECURITY

Patane has come a long way from her first job — she was a makeup artist. She attributes her success to a combination of resilience, adaptability, self-confidence and time management, and says there are commonalities between that role and what she does today.

“I have always enjoyed focussing on how I can help and protect people. This gives me a real sense of pride in what I do. I have felt this throughout my career. When I was a makeup artist, being able to help someone feel more confident about themselves or cover a scar was equally as important as assisting someone in their greatest time of need or protecting them from the threats of the world. This is without a doubt one of my motivations.”

www.linkedin.com/in/marie-patane/


MALE CHAMPION OF CHANGE WINNER

SIMON CARABETTA Cyber Communications Specialist

HIGHLY COMMENDED STEVE SCHUPP Executive Director – CyberCX WA Branch | Founder of Asterisk Information Security - a CyberCX Company

CyberCX CEO Steve Schupp is committed to promoting gender diversity and opportunities for women in the cyber security industry. He sees primary school and high school students as future cyber professionals and is keen to challenge stereotypes when it comes to perceptions about a career in cyber. He has created many internship and work experience opportunities for young women wanting to embark on cybersecurity careers.

SPECIAL RECOGNITION CRAIG FORD Senior Security Architect at Baidam Solutions Pty Ltd | Author of A Hacker I Am & Foresight

Craig Ford is a champion of women through the Australian Information Security Association, seeking out, inviting and encouraging female security professionals to present at its conferences and workshops. His latest book, Foresight, is a work of fiction about a gifted young female hacker - he wrote it to help young women believe in the possibilities of a cybersecurity career.



FINALISTS

SIMON CARABETTA Cyber Communications Specialist

STEVE SCHUPP Executive Director – CyberCX WA Branch | Founder of Asterisk Information Security - a CyberCX Company

CRAIG FORD Senior Security Architect at Baidam Solutions Pty Ltd | Author of A Hacker I Am & Foresight

BRENDAN CAUGHEY Senior Cybersecurity Consultant at EY

DAN GOLDBERG CEO and Principal Partner Cybersecurity at Cybza

DAVID WATTS Group CRO at IAG

NOMINEES

ANANDH MAISTRY

ELLIOT DELLYS

ASHLEY WATKINS

GARRY BARNES

PHILLIP JENKINSON

ASHWIN PAL

GREG JANKY

PRASHANT HALDANKAR

BLAIR ADAMSON

GREG SAWYER

RAY KANTOR

BRENDAN CAUGHEY

HANK CLARK

SASENKA ABEYSOORIYA

BRETT WINN

JOHN BORCHI

SIMON CARABETTA

CAITY RANDALL

JONATHAN DEAN

SIMON STAHN

PAULL DUNDON

CHATHURA ABEYDEERA

KAIF AHSAN

STEVE SCHUPP

CRAIG FORD

MARK CAREY-SMITH

THEODORE PANAGACOS

DAN GOLDBERG

MASSEH HAIDARY

WAYNE VICKERS

DAVID WATTS

MICHAEL SIMKOVIC

DION DEVOW

NICK ELLSMORE


MALE CHAMPION OF CHANGE WINNER

Simon Carabetta Cyber Communications Specialist



Simon Carabetta is a project and engagement coordinator with the WA AustCyber Innovation Hub. As a former high school media studies teacher, he’s seen how little the secondary education system does to inspire young women to pursue STEM careers.

“If our own education systems across Australia are paying lip-service and doing little to actually engage with young women about viable IT careers, then it’s time someone else began doing something,” he says.

Now, he’s able to use AustCyber’s resources, contacts and industry partners to create opportunities for young women.

SPEAKING UP AND SPEAKING OUT

And, as a public relations and communications professional, Carabetta has no trouble calling out any problems he sees around diversity and gender. “I have no issue with speaking up, speaking out, and speaking clearly about what it means to be a male champion for change in cybersecurity,” he says.

Carabetta expects to have his work cut out. He says a bottom-up, grass roots approach is needed to build a more equitable industry from the ground up. “Let’s be completely honest here. The status quo, including those who make the key decisions, are not willing, able or aware enough to accept that a complete overhaul of corporate culture in Australia needs to happen.

“The hardest thing I find is convincing other men who do not see the importance in more equality for women. I feel, in Australia, we still have a very strong patriarchal overarching culture that dictates much of the discourse and commentary around gender equality in the workplace.”

COPPING FLAK FOR SUPPORTING WOMEN

Now, Carabetta creates opportunities for young women and elevates female colleagues, students and others at every opportunity. He organised a panel on the under-representation of women at the recent Cyber West Summit, which he also organised. He made sure the speaker cohort was diverse in gender, ethnicity and cultural backgrounds, and copped flak from male cybersecurity experts for doing so!

“I was confronted a number of times by male experts within cybersecurity asking why I had not chosen them, often with their arguments implying that I had preferenced others over them based on gender,” Carabetta says.

“Dealing with this was not new. However it became apparent this was the common discourse amongst many men in the IT security industry.”

He made no apologies in his replies. “I simply said their argument was completely wrong and that we were simply organising speakers who were engaging, extremely knowledgeable, and able to speak about cybersecurity in a non-technical and simple-to-understand manner.”

BRINGING MENTORS AND MENTEES TOGETHER

Through the WA AustCyber Hub Carabetta is creating the first ever mentee-to-mentor platform in Australia aimed exclusively at women. He says creating mentor platforms, linking up aspiring IT professionals, graduates and those transitioning their careers into IT with the right mentors will guide, advise, inspire and help develop young women in the industry.

“Partnering with industry, associations and academic institutions including universities and TAFE’s in WA, we will pilot this program by October and look at ways we can sustain the platform for years to come with the ultimate goal of creating a 50/50 gender balance in Cyber security within WA by 2030.”

twitter.com/carabettasimon

www.westcoastcyber.org/

www.linkedin.com/in/simoncarabetta/


BEST FEMALE SECURE CODER WINNER

LAURA BRANDON Technical Lead & Senior Fullstack Engineer at Trend Micro

HIGHLY COMMENDED DORIEN KOELEMEIJER Cloud Security Engineer at AfterPay

Dorien is a cloud security engineer at Afterpay, where she has made a significant impact on many projects, in particular building automated identity and access management in Amazon Web Services (AWS), named ‘Cloud Cover’, which according to Afterpay will be a key piece of enabling infrastructure for its AWS environment, delivering “one of the fastest available onboarding experiences for new staff.” Dorien’s work has laid the ultimate foundation to ensure Afterpay can continue to grow and scale at a rocket ship pace.

FINALISTS

LAURA BRANDON Technical Lead & Senior Fullstack Engineer at Trend Micro

DORIEN KOELEMEIJER Cloud Security Engineer at AfterPay

YAN LIU Lead Software Engineer at Retrospect Labs

JENNY LIM Specialist Developer at IAG

NOMINEES


AVNEET KAUR

KATHY ZHU

SNEHA PARAMASIVAN

DORIEN KOELEMEIJER

LAURA BRANDON

TANVI BALI

JENNY LIM

LI CHING LIEW

YAN LIU



BEST FEMALE SECURE CODER WINNER

Laura Brandon Technical Lead & Senior Fullstack Engineer at Trend Micro



It’s often said that dogs resemble their owners. And in the age of facial recognition technology perhaps it’s possible to verify this. That’s exactly what Laura Brandon, winner of this year’s Best Female Secure Coder award, did while working as a research and development engineer for NEC New Zealand a few years back. She developed a human-to-dog facial matching Android application for celebrity dog trainer Cesar Millan.

Today she’s engaged in rather more serious work, as Technical Lead with Trend Micro in Sydney. She joined the company in 2020, shortly after it acquired Cloud Conformity, a cloud security startup founded in 2016 that had developed a cloud security tool to protect cloud users against cloud misconfigurations and malicious actors and give them improved visibility of their workloads.

Brandon led Trend Micro’s initiative to integrate the tool into Trend Micro’s own cloud security product, Cloud One, and add support for Google Cloud Platform to the tool, now known as Cloud One Conformity. It already supported AWS and Azure cloud services. Her award nomination says she tirelessly and efficiently planned for the integration, developed the most sensitive parts of identity and access control integration and led the final delivery “like a champion”.

A SOFTWARE ENGINEERING ROLE MODEL

Her work, the citation says, “has been exemplary and turned her into a role model for software engineering in the Trend Micro research and development division… This is a success story on a business and technological level, and an example of a developer successfully leading a mission-critical initiative across the enterprise.”

It adds: “Her expertise in high quality and secure software development and her passion for architecture and design has uplifted our team. Laura is a great team player and always fosters a culture of inclusion and open communication. Her teammates look up to her and everyone loves working with her.”

Google Cloud Platform support in Cloud One Conformity has enabled Trend Micro to secure more customers, particularly those using multiple cloud services, and Brandon and the team at Trend Micro are working to add support for other cloud services.

Brandon also leads Trend Micro ANZ’s R&D Architecture Guild, a team of cloud architecture experts and enthusiasts that provides the development team with guidance on best practices.

CAN YOU HACK A COMPUTER THROUGH A PRINTER?

She says her interest in cybersecurity started in 2008 when she overheard someone bragging they could hack into a computer through a printer. “I was taken aback at the possibility of this being real, and wanted to find out more,” she recalls. “By trawling through hacker forums, I formed a community online of like-minded, security-apt people. I learned how to crack passwords, use Cain & Abel [a password recovery tool for Windows] to monitor my router’s traffic, detect insecure protocols such as POP3, and write bash scripts such as opening CD-ROM drives sporadically simply to annoy my sister.”

As her skills grew, so too did her awareness of the importance of security within the apps she was building. “I noticed how development teams treated security as a single layer on top of applications, often retrospectively, and handled by an external team,” she says.

CHALLENGING THE STATUS QUO

“Interactions with the said external team were avoided and considered a nuisance to delivering software. Many organisations still operate like this, and it is the responsibility of everyone, including myself to challenge that way of thinking.”

Brandon says she loves being kept on her feet, constantly learning to keep up with the industry. “A day in my life is never boring. By helping shift our mindset towards security, I hope that my actions, as small as they may be, contribute towards a safer, more secure society.”

But she still has not figured out if you can hack someone through a printer.

www.linkedin.com/in/lbrandon/


BEST PROGRAM FOR YOUNG WOMEN IN SECURITY WINNER

AWSN CADETS

FINALISTS

AUSTCYBER CADOP PROGRAMS

SHELEADSTECH MELBOURNE

NOMINEES

AUSTCYBER CADOP PROGRAMS

SHELEADSTECH MELBOURNE

AWSN CADETS


AWSN CADETS



BEST PROGRAM FOR YOUNG WOMEN IN SECURITY WINNER

AWSN Cadets

The winner of this year’s Best Program for Young Women in Security, AWSN Cadets, was co-founded in 2017 by Liz Bonny, Diane Loi and Jacqui Loustau.

It is an outreach program run by the Australian Women in Security Network (AWSN) that connects, supports and inspires female-identifying tertiary students and early career professionals: those with zero to three years of cyber experience.

AWSN Cadets supports young women in security by providing them with a safe and welcoming space in which to develop their skills and professional networks. It helps women overcome their fears and challenges, to express their opinions, be vulnerable, and learn from others. A strict code of conduct is enforced to regulate behaviour and ensure all members feel safe enough to fully benefit from the program.

The program includes workshops and mentoring opportunities in fields including but not limited to penetration testing (a form of ethical hacking), malware reverse engineering, GRC (governance risk and compliance), and digital forensics used to uncover computer crime.

Says co-founder Elizabeth Bonny [Source The Victorian Connection]

SAFETY FIRST

A guiding principle of the organisation is that psychological safety is the foundation of personal and professional growth: if someone does not feel safe, they will find it so much more difficult to achieve any kind of higher-level enlightenment.

The program uses the OK RDY mentoring app to match mentors and mentees on both their professional and personal interests. There is also a Cadets-specific workspace on the AWSN Slack forum.

AWSN Cadets runs a series of free workshops and lectures for Cadets members throughout the year, to inspire them to pursue a career in security through exposure to a wide variety of security topics. There is also a members-only jobs portal through which the Cadets can access potential future employers.

Volunteers for the program also make themselves available for members to address Cadets’ queries or concerns, creating an ‘instant community’ for new members to connect with.

LOCAL CHAPTERS

Members are also introduced to their local AWSN chapters when they first join. Through this governance model, the Cadets program helps women overcome the challenges of ongoing gender discrimination outside the Cadets program, by giving them support and reminding them they are not alone. However, the real value of the AWSN Cadets program lies in the strength and quality of relationships created. Women have formed deep and lasting professional relationships with each other and with the cybersecurity community as a whole through the Cadets program.

Despite being constrained by COVID, AWSN Cadets has nevertheless managed to organise virtual fortnightly cadet workshops for the past 18 months, with support from volunteers.

“We have a fantastic set of coaches and volunteers who give up their time to present sessions to AWSN Cadets’ members,” says Mallory Vallianos, one of the National Program Managers.

“We have had security company founders, governance, risk and compliance specialists, AWS training, and training in the Open Web Application Security Project (OWASP) given over the last 18 months, to name a few,” says Akansha Pandey, another of the National Program Managers.

With COVID restrictions now eased, the organisation is looking to start holding in-person Cadet sessions around the country, and is looking for additional committee members, coaches and volunteers to help it do so. Winning the award will raise awareness of AWSN Cadets, and demand for its services.

“We have even more exciting things planned for the AWSN cadets in the future which we look forward to sharing with our community soon,” says Skye Wu.

Anyone interested in becoming either a Cadet or a coach can find more information here.

www.linkedin.com/company/australian-women-insecurity-network-awsn/

www.awsn.org.au/



Congratulations to all Winners, Highly Commended, Special Recognition & Nominees

Don’t miss Australia’s largest security awards of the year

THE 2022 AUSTRALIAN WOMEN IN SECURITY AWARDS

Want to be part of it? Register your interest today by contacting aby@source2create.com.au

