09
JULY • AUGUST
WWW.WOMENINSECURITYMAGAZINE.COM
FROM THE PUBLISHER
You have been presented with two choices: EVOLVE or REPEAT

I’d like to make a difference while I am here on earth. If that means making someone smile, making your life easier, helping you find a job, introducing you to the right people, and giving up my time, I will do so. I want to be generous as far as my resources will allow. And if that means that one day, someone somewhere will say “You made a difference to me” – it will all be worth it.

I didn’t start my business to make money, I started my business to make a difference. After a few bumps, bruises and triumphs the company is finally in the place where I truly believe that what we do makes a difference (and if we make a little money then that’s OK too).

After watching for 18 years as women were overlooked for industry roles, event organisers neglected to provide a diverse speaker lineup, organisations failed to change their D&I policies, and market stats kept highlighting the lack of women in security – along with the lack of educational capabilities and programs to nurture young women into the security industry – I decided that what I wanted to do was to help make a difference here. It’s not an easy space though and clearly, my work is cut out for me.

As the CEO of Source2Create, my passion for making a difference for women in the security industry is evident. Programs such as the Australian Women in Security Awards, and now the New Zealand Women in Security Awards, complement Women in Security Magazine – a resource that remains free to all, with over 140 pages per issue featuring articles, how-tos, career and industry perspectives and real-life journeys for readers to learn from and be inspired – we are giving back to the industry every day.

Over the years I have had constant conversations with people in the industry – generally, minorities and women who feel hindered by career growth and don’t believe there are jobs out there for them, and who feel they lack the skill sets job descriptions require. So every week I gather jobs from my LinkedIn feed and push out notifications on social media to my networks about what jobs are available now. I am not a recruiter, but I nonetheless want to help those that have felt hindered in their career growth and just don’t see these jobs in their feeds.

With estimates suggesting there are 3.5 million vacant cybersecurity jobs this year, the global cybersecurity workforce needs to grow at a staggering rate of 145% each year just to meet the shortage. So I truly believe that to solve the skills shortage we need to take action.

I believe the solution to resolving the security industry’s skills shortage lies in hiring a diverse workforce, nurturing and training women and other minorities, rather than expecting to bring them in fully qualified.

In many ways, we have created a skills shortage, with women only making up 20 to 28% of the cybersecurity workforce (and even less in protective security). Blame our own narrow-mindedness and the requirement to have ‘hit the ground running’ candidates. Think about the effect when we fail to encourage young women to pursue these careers at an early age.

Consider that even when a woman is actually hired within a business, retaining them is a whole different ball game: without an inclusive environment, an equal wages playing field, and mentors to look up to – they are more likely to go find an environment that can tick those boxes rather than stick around.

We owe it to ourselves to our nation to decrease the gender gap, make security more inclusive for women, and build a truly diverse workforce capable of addressing the security skills shortage. We also owe it to the industry to remove the stigma that security is a gender-based field. These perceptions are only hurting us and stopping all of us from making the difference that we want to.

Here are a few ways you can help make a difference:

1. Mentor a woman you know.
2. If you are a parent, encourage your kids to be involved in STEM to make sure they have an interest from an early age.
3. Address how you could foster a more inclusive environment in your team.
4. Recognise and celebrate women in the industry so we have more representation (Hell, even nominate them for the Women in Security Awards!)
5. Hire a graduate into your team and upskill them.
6. Engage more men to support you on gender equality and D&I.
7. Engage with more women to create an equal voice in all discussions and meetings.
8. Volunteer for events that include STEM education for kids and young women wanting to get into security.
9. Support one another.
10. Speak up, whether you’re talking to your friends and family, or engaging with an advocacy organisation, the most important way to be an advocate is speaking up. By raising your voice for women’s rights and gender equality, you can spread awareness and break down barriers.
11. Sponsor teachers to attend cybersecurity courses or earn certificates so that they are equipped with the latest information to teach students. Make resources about coding clubs and cybersecurity camps available to students, too.
12. Turn a real-world community problem into a cybersecurity competition. This encourages students to explore the link between technology, its impact on people’s lives, and the ability to be creative. Give prizes to students who win intramural programs, or work with existing programs (for example, eCybermission) to compete with teams from other schools.
13. Consider making changes to systems, processes, and environments to foster a greater sense of belonging and to reduce the negative impact of internalized stereotypes among girls and women.
14. Shift your hiring focus. Instead of evaluating job applications for specific qualifications like degrees, look for applications that show evidence of quick learners, competency, and motivation.

Abigail Swabey
PUBLISHER, and CEO of Source2Create
www.linkedin.com/in/abigail-swabey-95145312/
aby@source2create.com.au

WOMEN IN SECURITY MAGAZINE
28.06.2022
CONTENTS

PUBLISHER’S LETTER

WHY YOU SHOULD LOOK PAST CERTIFICATIONS WHEN HIRING SECURITY STAFF
WOMEN-LED SUPPORT NETWORKS ARE EXTENDING A HAND TO THE NEXT GENERATION
OUTREACH IS PUTTING DIVERSITY AT THE HEART OF CYBERSECURITY’S CULTURE

COLUMN
Deepfake technology: the good, the bad, the criminal
What is the office of the eSafety Commissioner and what does it do?
Progress not perfection might just be the key
Failure to induce change

AUSCERT2022 FEATURE
The Illicit Economy – Exposed
The three ‘Rs’ of cybercrime fighting: rethink, reskill, reboot
Lukasz Gogolkiewicz wins the inaugural Kyle Maher Award at AusCERT 2022
When First Nations culture met cyber security
Cognitive bias: it’s corroding cyber security
Women in Security Magazine publisher named AusCERT Diversity & Inclusion Champion

WHAT’S HER JOURNEY?
Tash Bettridge
Zoe Edmeades
Sarah Iannantuono
Georgeina Whelan AM, CSC and Bar
Sonomi Miyazaki
Domiziana Foti
Michelle Ribeiro
Lesley Honeyman
Shamane Tan
Gina Mihajlovska

TALENT BOARD

CAREER PERSPECTIVES
Navigating a career transition into cyber security
Why Mentors are essential to your career’s success

INDUSTRY PERSPECTIVES
Security dance party: four lessons from a diverse and inclusive team
We’re wrestling with the wrong problem
Ten elements that make a difference in security
Amplifying the diverse voices of cyber security
Educating and Empowering Children
The Tangible Uplift Program
The importance of diplomacy and cross-cultural intelligence as part of an organisation’s DNA
CyberShikshaa: getting Indian women into Cyber and Privacy
In cyber, language is the weapon of choice
Cyber security: the issues and the challenges
A woman’s passion to lead
Overcoming obstacles with the brain in mind
Little Butterflies flying high

TECHNOLOGY PERSPECTIVES
Why is the current threat of Cyber Extortion so persistent?
The head-in-the-sand approach to cyber security
Computers learning to trust? What is Zero Trust Architecture? (ZTA)
Secure by Design
An effective approach to transform a legacy SOC into a modern SOC
The Evolution of Investment Scams
Intelligence Making a Difference in Security
Think Right-Shift Left-DevSecOps
Uncovering the Invisible World of ICS Cybersecurity

STUDENT IN SECURITY SPOTLIGHT
Olivia Conlon
Dilara Cetiner
Sharini Arulkumaran
Malwa Bajwa
Paola Bianco Palomo

THE LEARNING HUB
JOB BOARD
TURN IT UP
OFF THE SHELF
SURFING THE NET

JULY • AUGUST 2022

FOUNDER & EDITOR: Abigail Swabey
ADVERTISING: Abigail Swabey, Charlie-Mae Baker, Vasudha Arora
JOURNALISTS: David Braue, Stuart Corner
SUB-EDITOR: Stuart Corner
DESIGNER: Jihee Park

Source2Create Pty Ltd is the publisher of this magazine and its website (www.womeninsecuritymagazine.com). AWSN is the official partner of Women in Security Magazine.

©Copyright 2021 Source2Create. All rights reserved. Reproduction in whole or part in any form or medium without express written permission of Source2Create is prohibited.
FEATURE

WHY YOU SHOULD LOOK PAST CERTIFICATIONS WHEN HIRING SECURITY STAFF
by David Braue

As universities struggle to fill employer needs, it’s important to value other traits

Javeria Malik wasn’t looking for a career in security – her career path wended its way through medicine, law, and journalism before she landed in the security sector – but the Pakistan-based global security advisor for human rights federation ActionAid International wouldn’t have it any other way.

“You don’t find the career,” she explained. “The career finds you – and security just found me a decade ago.”

Having seen how security issues manifest themselves in different ways in a range of business contexts, Malik “realised that there’s such a strong correlation between different things and security,” she said.

“It’s not an isolated field – and whatever you’ve done in your past life, whatever your other passions are, whatever your skills are – you can very much use that in your security work.”

Malik is one of a growing breed of security professionals who have built careers not on the back of focused university education but based on the assemblage of life experience and a big-picture understanding of the real issues at play in the security environment.

It’s an unconventional career path for businesses long accustomed to hiring based on which credentials a candidate can demonstrate – but across protective security and cybersecurity industries, a growing number of companies are recognising the value of career trajectories like Malik’s.

Particularly in industries with wide skills gaps like cybersecurity, rigid demands for specific skills are getting employers nowhere fast: fully 55% of respondents to ISACA’s recent State of Cybersecurity 2022 study said fewer than half of applicants for their positions are well qualified, with 47% reporting that it takes 3 to 6 months to hire qualified candidates for open cybersecurity positions.

Some 60% of respondents reported trouble retaining staff, up from 53% last year – making the current job market the toughest since 2019 as increasingly security-aware companies struggle to keep teams full of the capabilities they need.

With 62% of respondents saying their cybersecurity team is understaffed – 15% of whom call the problem “significant” – many employers are reconsidering the way they vet and hire their employees, often abandoning conventional metrics like university degrees and technical qualifications.

Disrupting the narrative around cybersecurity being a university-driven field of study, 73% of respondents named prior hands-on cybersecurity experience as the primary factor in deciding whether a candidate is considered qualified.

Meanwhile, just 36% said that an applicant’s technical credentials are very important – and just 1 in 5 felt that university degrees are very important.

Indeed, ISACA found that the largest cybersecurity skills gap isn’t a cybersecurity skill at all: rather, 54% of respondents said the biggest deficiency amongst today’s cybersecurity professionals was ‘soft skills’ like communication, leadership, and flexibility.

[Illustration labels: All certifications and experience; Partial certifications and experience; No certifications but has experience; Bigger pool]

SIX DEGREES OF PREPARATION

The results are a rebuff for a cybersecurity sector that has spent years fighting to meet the surging and rapidly-changing demand for cybersecurity skills.

Despite the explosion of cybersecurity certificates and Master’s degrees, however, employers regularly report that university graduates simply aren’t learning the skills that the workforce needs.

Only 5% of companies surveyed in a recent Australian Information Industry Association (AIIA) survey said graduates can commence ICT roles without any additional training, the AIIA found, while 49% found graduates unprepared to work without “significant further training”.

“Innovative businesses and products are being held back, or worse still, sold overseas, because Australia doesn’t have the talent available to meet the demand,” AIIA CEO Ron Gauci said when the results were released.

“No one measure will fix this, but a concerted push to upskill Australians will provide our nation with the capabilities to be a leading digital nation.”

Universities are experimenting with repositioning themselves not as fonts of cybersecurity knowledge, but as facilitators of a collaborative process that also includes on-the-job industry experience.

Deloitte’s new Cyber Academy program – launched with the support of the NSW Government, University of Wollongong, Swinburne University of Technology, and TAFE NSW – exemplifies the blended learning that could well become more commonplace over time.

Cyber Academy will next year see nearly 400 students in Victoria and NSW each paid $40,000 as they undertake a combined Bachelor of Computer Science (Cyber Security) and Diploma of Information Technology (Cyber Security) – all while working 3 days at Deloitte, a NSW Government department, or industry partner.

By tempering university learning with on-the-job experience, the program aims to produce job-ready students while supporting efforts to increase the representation of women, neurodiverse, and Indigenous employees.

The program “is helping to shape and develop the Academy’s curriculum with industry and government,” Deloitte financial advisory partner Theo Psychogios said, “which includes supporting students so they can show their practical cyber security skills in a proactive and gamified (but safe environment).”

“This lets us better match each student’s human characteristics and innate skills, with the technical knowledge they can gain. We’re also developing an innovative recruitment model to make sure we have the best possible talent pipeline.”

COMPANIES GO THEIR OWN WAY

As new programs inevitably take some time to gain traction, companies should consider pursuing their own initiatives to complement the work being done in the formal education sector, as well as improving diversity by targeting underrepresented groups that often lack credentials but nonetheless have much to offer cybersecurity.

The Amazon Web Services (AWS) She Builds chapter, for example, recently debuted a women-focused program called AWS CloudUp – an 8-week, community-based program designed to help women gain formal certification, and leverage in securing their next job, as an AWS Cloud Practitioner.

As part of a global effort to upskill 29m people globally to meet the demand for cloud skills that is expected to triple by 2025, CloudUp is set to reach over 150,000 women globally this year, said Donna Edwards, principal business development manager within the AWS Training and Certification team and an ambassador for Women in Technology WA (WiTWA).

“It’s really a way for women to learn together as a community in a safe space, building their confidence, skills, and networks,” she explained. “I was driven by always being underestimated as a woman in the tech industry, which made me even more determined to succeed – and now my drive is to make that path easier for others.”

By translating that internal drive into action, diversity leaders and champions are truly making a difference – whether helping cybersecurity workers build up their base of certifications and experience, or engaging workers in other business lines about the myriad benefits of a cybersecurity career.

Having particularly struggled to attract and retain skilled staff, governments around the world are trialling ways to rework recruiting strategies “not for social pressure, but honestly because we have a lack of talent,” said Paris, France-based Gabriela Vogel, senior director for leadership, culture, people, and DE&I with research firm Gartner.

“This is pushing organisations to really broaden” their approach to recruitment, she said in recently outlining eight talent-retention strategies for government bodies that should, like private companies, ask themselves “are they really tapping into all of the talents in their country, organisation, and region?”

Countries like Japan and South Korea, she added, have tried encouraging some public-service staff to pursue their ambitions in the private sector, and then bring back their learnings to the public service.

To reduce its dependence on contractors, Gambia’s government has looked internally to build a ‘talent ecosystem’ including the University of Gambia “to be able to identify and tap into talent, to upskill and reskill” their staff.

Such programs normalise the idea that employees’ worth to an organisation is far more than just the certifications they bring – and that on-the-job experience can be as valuable as pushing workers through training programs in an effort to tick the right boxes on their list of necessary skills.

A TWO-EDGED SWORD

Yet even as companies recruit staff with the goal of training them up for cybersecurity roles, Edward Farrell, director of Canberra-based Mercury Information Security Services, cautions about the implications of the “big drive towards industry certifications and industry certifications, leveraging repeatable actions [believing] that we can quickly indoctrinate someone within a matter of weeks and suddenly create a cybersecurity professional.”

Such programs “can make individuals that are capable of knowledge,” he told a recent AusCERT conference, “but in terms of practice, and undertaking certain activities that we need them to, there’s a bit of a disconnect.”

A more sustainable approach, Vogel said, is for employers to consider employee relationships in the context of a broader employee value proposition (EVP) – “what your employees want versus what your organisation expects from your employees”.

Australia’s public service has been particularly proactive in proceduralism of the EVP approach, she said, backing away from strict credential-based hiring criteria and reviewing its EVP with a more flexible skills stream, improved marketing and promotion activities, and so on.

“They’re implementing a value proposition for Australian technology that adapts specifically to the needs of graduates,” Vogel noted. “This definition changes what benefits you give, what salaries you give, the training you give, and the culture you create.”
COLUMN

AMANDA-JANE TURNER
Cybercrime is big business, thanks to technical advancement and interconnectivity creating more opportunities for cybercriminals. This regular column will explore various aspects of cybercrime in an easy to understand manner, to help everyone become more cyber safe.

Deepfake technology: the good, the bad, the criminal

Deepfake technology uses machine learning and artificial intelligence to manipulate audio and video files to create convincing synthetic representations of real or fictional humans. Deepfake technology can be used for both good and bad. Sometimes filmmakers use the technology to recreate a character played by an actor who has died or to show a character younger than the actor playing the role. The technology can also be misused for crime. Why should we as individuals care about deepfake technology used for cybercrime?

Deepfake technology can be used to make social engineering-based fraud more believable, such as a phone-based phishing scam (vishing) that uses the voice of a company’s CEO, or a romance scam where a reverse image search will not show anything untoward because the voice and video imagery of a person have been synthesised. Videos that appear to be from political leaders may be deepfakes spreading disinformation to destabilise a nation and create distrust. Disenfranchised employees or spurned lovers may create their version of revenge porn with the faces of their colleagues or ex-partners realistically superimposed on bodies in pornographic videos.

Deepfake technology is impressive and has legitimate uses but like any technology, it can be used for crime. Here are some ways to avoid being caught by deepfake-based cybercrime.

• Be cautious if you receive a phone call from someone asking you for sensitive information or requesting you to make payments. Even if they sound legitimate, verify them in another way before acting on the request.
• Cyber based fraud is getting more difficult to detect. Remember, not everything online is real. Verify news and other information using trusted sources.
• Beware of romance fraud, even if a reverse image search appears to verify the profile of the person with whom you are communicating. Even if you see them in a video chat, that chat may be fraudulent. Be wary if your online partner asks you to send money, requests help to pay for urgent medical treatment, or requests assistance accessing or moving their money.
• If you are Australian and subject to image-based abuse, such as revenge porn, you can report this to the eSafety Commissioner.

Cybercrime is big business. We need to work together to be safe from it.

www.demystifycyber.com.au/
AUSCERT2022 FEATURE

THE ILLICIT ECONOMY – EXPOSED
by Stuart Corner

Bex Nitert
Director, Digital Forensics & Incident Response @ ParaFlare | Supporting Women in Security @ AWSN

It is rare indeed to become privy to the inner workings of a cybercriminal’s operation: how much money they earn, who they earn it from and even where they spend some of it. However, that is exactly what Bex Nitert, director of digital forensics and incident response at ParaFlare – an Australian company specialising in managed detection and response to cybersecurity incidents – was able to do. She revealed the details in her AusCERT 2022 presentation, The Illicit Economy and Outsourced Crime Providers.

Nitert, who admits to “casually spooring” (tracking the trail of an animal or person by their footprints), was investigating a phishing attack and was asked by the client to look beyond the nuts and bolts of the attack and see what she could discover about the perpetrator.

So she started digging and to her surprise was able to uncover a great deal of information, including the criminal’s real name and physical address. She discovered he ran an outsourced phishing service offering templates for phishing attacks tailored to a particular victim interest area.

INTERNET CAFÉ WORKER GOES ROGUE

She found evidence of his activity dating back to 2015 when he was employed by an Internet café operator. “He admitted to committing his first cyberattack against one of their customers. And he was socialising with a lot of cybercriminals, a massive group, all engaged in various types of cybercrime.”

In 2018 the criminal set up a cybercrime website making no attempt to hide it: it was fully accessible through Google. Nitert said the criminal was charging about $US2000 per month and delivering a very professional service.

“He’d have the template. He’d have the websites. He’d send the emails. He’d collect the cred logs and he’d send them through to you at the end of the week. He got an accountant, hired a freelancer, and hired developers. He got people to help with the tax portion. It was run like a legitimate business.

“He’s introduced automation so if phishing links go down, you can just log into a portal, click a button, it refreshes, spins up new phishing sites automatically and then you just go and send out more phishing emails. He does it better than some businesses.”

PROCEEDS OF CYBERCRIME REVEALED

Nitert was able to calculate the criminal’s revenue over a 60 day period: the tidy sum of $US98k ($A142k) and discover much more. She found his invoices in an online file-sharing company and was able to see his customers’ aliases and the amounts they had spent. If the transaction had been completed through Bitcoin she got Bitcoin transaction IDs and the address they went to. She got ICQ addresses, Skype aliases, and Telegram aliases.

“I’ve got hundreds of customers with their email addresses,” Nitert said. And through Bitcoin transaction information she also got an indication of how the criminal was spending his ill-gotten gains. “There are several Bitcoin addresses which you can cluster into what is probably going to be the same wallet.”

All in all, Nitert garnered information on some 10,000 users of the criminal’s illicit services. She discovered he is expanding, offering SMS phishing services. And she discovered some of his customers are children. “He’s making it really easy for kids to get involved. One of his highest-paying customers is 15 years old,” she said.
WHAT’S HER JOURNEY?
IT’S LONELY BEING A WOMAN IN CYBER “During my undergraduate study, I faced challenges of being one of a few women taking networking and cyber security classes,” she recalls. “I was curious to understand why there weren’t many women taking those subjects. This led to me completing my
Tash Bettridge Customer Success Account Manager (CSAM) at Microsoft
undergraduate study and moving towards a Master’s and focussing on increasing the representation of women in cybersecurity.” And Bettridge has not stopped studying. “I have about six Microsoft Cloud Certifications, Microsoft Certified Trainer Certification, CrowdStrike Administrator Certification, Splunk, Prosci Change Management
T
Certification and a few certifications in security from Google,” she says. he words of teachers can have a powerful impact on young people.
Looking back on her career journey Bettridge says,
Advice should be offered only with great
far from her creative arts degree being a diversion
caution.
from her career journey, it has stood her in good stead. “Because I came from a background that is
Tash Bettridge was one of the few girls
at her school opting for the computer hardware class,
not corporate the degree helped me learn skills that I could bring to a corporate tech role.”
but when Tash was 16 a teacher said to her, “You are too cute for this job and would suit a job in tourism,”
Throughout her career journey, Bettridge has had to
she took the advice and went into tourism, followed
cope with the challenges of being a single parent,
by early childhood education, and teaching primary
but she says her children have also been a great
school English.
motivator.
Today she has numerous computing certifications, is
“My children have been very influential for me and
a Customer Success Account Manager at Microsoft
definitely my rock throughout this journey. They gave
in New Zealand and cofounded the New Zealand
me the energy I needed to soldier on throughout the
Network for Women in Security.
process. They have been part of the process from when I did my career switch…When I was studying
She became interested in technology when teaching
my youngest was still in kindergarten and the other
overseas and teaching digital citizenship and cyber
had just started primary school. So they have been
safety. On her return to New Zealand, she wanted to
around computers, been part of tech events when I
learn about film and creative technologies so took
volunteered as a tech teacher and workshop lead and
a short stint with a production company working on
with OMGTech.”
the set of a local New Zealand TV show. This led her creative arts but she made a drastic shift and ended
IT’S CHALLENGING BEING A WOMAN IN CYBER
up enrolling for a Bachelor of Computing (networking
Bettridge has overcome many challenges to get
and cybersecurity).
where she is today, but she says one of the biggest
to contemplate studying for a bachelor’s degree in
was simply her gender.
20
WOMEN IN SECURITY MAGAZINE
28.06.2022
W H AT ’ S
H E R
J O U R N E Y ?
“I was putting a lot of effort into trying to land my first internship when I was at university. I remember when I was applying for roles and the guys in my classes were getting snapped up for internships and there I was struggling to get an interview. It can really affect your confidence at times.

“I felt like giving up but I realised one thing about me. I do not give up that easily! I am hungry and dedicated. I was determined to get myself out there, taking on volunteer work, giving back to the community, and building my GitHub with projects and my network so people would know I work hard and have a lot to offer. My personal circumstances were not a burden but motivated me to succeed in the industry.”

In her role as a Customer Success Account Manager (CSAM) at Microsoft Bettridge says her focus is on Microsoft’s business relationships with New Zealand small and medium business customers and partners.

“The CSAM role used to be known as a technical account manager but Microsoft switched over to customer success account manager due to our obsession with empowering our customers and partners,” she says.

“My role is always busy and I wear many hats on the job because there are many different parts in the role I need to play on a day-to-day basis. The role is always exciting and the days are always different. One day I could be working with C-level executives on their business and digital transformation strategy, supporting our customer engineers in workshops, giving presentations and working to support escalations when there is a major incident.

“The CSAM role suits me as I am someone who loves challenges, loves the interaction with people and stakeholder management as well as being involved with the success of customers and partners through their transformation.

“I am glad to be in this role. I am more of a generalist and get to learn a range of products, especially at a place like Microsoft. Microsoft is such an amazing company with a range of products and services. I am always learning and growing.”

For anyone attracted to a similar role, or indeed any role at Microsoft, Bettridge’s advice is to have a growth mindset and to always learn and grow as an individual. “This can be from learning new skills, or hobbies, whether you want to upskill technically or just work on yourself,” she says.

STAY CURIOUS
“Another important thing is to stay curious because technology is always changing and developing. This also crosses over with a growth mindset.

“My advice for any school leaver interested in a role in security is to reach out to people working in the industry and to learn more about the industry. The further I got into the degree the more I turned to YouTube to learn more about different tech roles and to see what areas of tech caught my eye.”

There are, she says, many roles in cyber security, not all labelled as such. “The security industry has many components and there are many roles, technical and non-technical. Just because someone does not have a security title doesn’t mean they are not working in the security industry.”

She urges anyone with an interest to investigate the option of a role in cyber security, especially women. “We need diversity in the industry if we are to think from a threat actor perspective. Threat actors are diverse and our teams need to be diverse in order to tackle those challenges in security. The industry is growing and this is a global problem. In 2025 there will be about 3.5 million cyber security jobs open globally. This is a 350 per cent increase over an eight-year period, according to a report by Cybersecurity Ventures.”

www.linkedin.com/in/tashbettridge/
newzealandnetworkforwomeninsecurity.wordpress.com/
Zoe Edmeades
Co-Owner and Managing Director, The Security Company (International) Limited

Zoe Edmeades has worked for the UK based The Security Company (International) Limited (TSC) since 2007. She started as a project manager, became head of projects in 2009 after completing the Accelerated Talent Development Programme at Cranfield University and became managing director in 2012.

TSC delivers behavioural change and security awareness programmes for some of the world’s biggest companies and when the founders and owners wanted out, Zoe and her husband Tony decided to buy the company.

“I loved everything about what we did at The Security Company and believed it was one of the best-kept secrets in the industry,” she says. “We needed investment to focus on expanding our profile and brand awareness and I was determined to ensure it achieved its full potential. So, when The Security Company’s founders stepped aside and offered me the chance to buy the company, I leapt at the chance and began a whole new adventure with an extraordinary learning curve.”

FACING A COVID-INDUCED CRISIS
It was more than that, it was a baptism of fire because COVID was about to hit. “When the pandemic struck I had no choice but to reduce the team. This was necessary for our survival, but it was heartbreaking,” Edmeades says. “Between May and August 2020, I don’t think I slept more than three hours per night.

“I learnt so much over the first 12 months about myself, my family, and the people I work with. How resilient, creative and agile we can be, how I can trust my team to work well from home, and how we communicate better now than we did when we were in the office. It was an incredibly stressful time for every business and it’s not a time I would like to repeat, but we evolved fast and become stronger for it.”

With the trials of COVID behind her, Edmeades says she loves being a business owner. “No two days are the same: from working with global organisations supporting their security culture journey to creating business plans to ensuring we continue to grow, be competitive and profitable.”

EARLY-STAGE CAREER ON STAGE
Running a cyber security company is a very long way from Edmeades’ youthful aspirations and early career: on the stage. “From the age of eight, my whole life was dedicated to my dream to become an actress. I was accepted into drama school in 1993 and worked professionally for several years,” she says.

“My priorities changed when I had my first child. Suddenly the security of a job with regular hours and income became my key focus. Life has a way of spinning you off in a completely different direction and I am so glad it did.
“I wanted a career in an industry I could feel passionate about, where I could influence change and hopefully make a difference. Cyber security was growing into a behemoth, and I wanted to be at the forefront of it.”

And some of Edmeades’ early interests are very germane to what TSC aims to achieve for its clients: create a culture where employees are alert to security threats and empower them to be secure. “I have always been fascinated by what drives human behaviours. The relationship between knowledge and action and what motivates people to change,” she says.

Cyber security awareness training is now recognised as essential for any business, but this was not the case when Edmeades joined TSC in 2007 and she credits its founder, Martin Smith, with being one of the greatest influences on her career journey.

A PIONEER AND A MAJOR INFLUENCE
“He had a huge impact on my professional career, a passion for the sector and unwavering commitment to raising awareness about the importance of addressing the human factor in security,” she says. “The Security Company was ahead of its time and was established long before most of the businesses that are now crowding the market.”

And she expects the need for cyber security awareness training to increase as deception-based cyber threats become ever more sophisticated.

“The influence of human error will continue to be one of the most significant issues facing security over the next few years. Humans will always be present in technology at some point, whether intentionally or unintentionally, and attackers will continue to use social engineering techniques like phishing and business email compromise.”

Edmeades sees the advent of Web 3.0 services and devices as providing yet another surface for attacks and creating new potential for human error. “Those of us in security will once again be assessing, formulating and actioning new campaigns and programs in response to fresh attack vectors. Security is always evolving, and it won’t just be the next few years,” she says.

“With the advent and exponential improvement of Web 3.0 services and hardware – such as the Metaverse and AI machine learning – organisations need to be on the lookout for sophisticated fraud schemes. In the near future, deepfake audio, video, and even fake online avatars will be used to launch cyberattacks. And once we have tackled the Web 3.0 issue, do not be surprised when another platform rears its head in need of security intelligence.”

GEOPOLITICAL THREATS
Of more immediate concern, she says, is the increased threat level resulting from geopolitical developments.

“We are already seeing an increase in ransomware attacks as a result of the economic instability rooted in Russia’s invasion of Ukraine. In fact, cybercriminals have been ramping up ransomware attacks and new destructive malware (malware-as-a-service) in 2022 and it doesn’t look like they will be slowing down any time soon. International advice has been provided to organisations working with Ukraine and in nations
prone to Russian attacks to help safeguard against these invasion-backing cyber-attacks.

“We should also prepare for, and teach about, the damage supply chain attacks can cause, particularly due to the efficiency of one successful supply chain attack opening up access to hundreds of other organisations. This is a particular issue in 2022 and moving forward; remote working may present new vulnerabilities for IT security officers to manage and troubleshoot.”

A SMORGASBORD OF CAREER OPTIONS
For school leavers contemplating a career in cyber Edmeades says: “There are many routes into a career in security. For instance, universities offer specialised security courses, but if academics is not your thing — it’s not for everyone — then there are excellent apprenticeship schemes available that can give you hands-on experience in a thriving industry.

“One of the most appealing aspects of working in cyber security right now is that there is high demand and great salary potential. Furthermore, a career in security guarantees constant development. Threat vectors are constantly changing. No two days are the same. Therefore roles are varied and challenging. Also, one cannot ignore the fact that, because cybercrime affects so many aspects of our life, being a part of the solution is extremely fulfilling.”

And given her own career trajectory, it’s perhaps no surprise she adds: “Find your passion and go for it but understand that your passions can change…as long as your enthusiasm remains, commit and follow through! Never sell yourself short, but be honest with yourself and assess the gaps in your abilities; we all have them. Where you can, seek training or mentorship, don’t be afraid to seek them out!”

www.linkedin.com/in/zoe-edmeades-information-securityawareness-behavioural-change-training-programmes/
www.linkedin.com/company/thesecurityco
twitter.com/TheSecurityCo
Sarah Iannantuono
APAC Cyber Security Strategy and Program Lead at SEEK

Sarah Iannantuono has an impressive career record in cyber security. Today she is APAC cyber security strategy and program lead at SEEK. She has a bachelor’s degree, dual Master’s in International Security and in Policing, Intelligence and Counter-Terrorism, multiple cyber security certifications and a CV spanning global banks, Big Four consulting firms and a Royal Commission.

Her biggest challenge when breaking into the industry? Gender bias, conscious or unconscious, from male clients. “In my first role in the industry, I was empowered to lead a cyber security maturity assessment for a client under the supervision of my direct manager,” she recalls.

“Leading each stage of this project saw me collaborating with several individuals client side, from security and HR to the executive. Despite strong collaboration across the business, meeting deadlines and a comprehensive assessment, the client-side assessment lead was non-collaborative with me; not my male boss, not my junior male colleague, just me. In a room full of men, talking about an assessment I had led, the client-side lead would look to my male colleagues for answers to his questions, and would clarify with my male colleagues that my responses were correct.”

There have been similar stories from many women who have shared their career journeys in these pages, and it was one of many for Iannantuono. “This was not my last such experience in the industry, but it taught me early on the value of speaking up and advocating for yourself, alongside how powerful a male champion can be,” she says. “It is with fondness I remember my manager saying, ‘Don’t look at me, talk to her’.”

Iannantuono says she “caught the cyber bug” while studying for a master’s and spending six months as an intern at KPMG in its forensics team conducting interviews with CISOs to gather qualitative and quantitative data on what they saw as the key security issues in the next 12 months. After graduating she joined KPMG Forensics to work on the Banking Royal Commission investigations and later transferred to cyber security governance, risk and compliance in risk advisory to work on cyber maturity assessments, ISO27001 and PCI-DSS uplift and certification.

LURED BY A BIG FOUR ROLE
After providing advice to public and private clients without having worked ‘in-house’ she joined the Bank of Tokyo-Mitsubishi to provide specialised information security risk advice in the operation risk team, but the lure of the Big Four proved too strong and after little more than a year she took a role leading Deloitte Australia’s internal Confidentiality Office and as Deputy Confidentiality Officer for Deloitte APAC.

“I had the pleasure to lead data governance initiatives, the data loss prevention program, insider threat program, confidentiality incidents and (co-lead) the security awareness program,” she says. “I was encouraged to undertake further training and during this time I gained certification in Risk and Information Systems Controls (CRISC) and became a Certified Data Privacy Solutions Engineer (CDPSE).”

From Deloitte, she moved to SEEK, drawn by a desire
to gain experience working at a tech company, and by SEEK being voted the best technology workplace in Australia in the AFR’s 2021 poll. Her initial role was as a security influencer leading initiatives across APAC to reduce human risk and uplift security awareness maturity across the Asia Pacific. While at SEEK she became a Certified Information Security Manager (CISM) and was promoted into the role of security strategy and program lead, working to define SEEK’s APAC security strategy and initiatives across APAC.

COMMITMENT TO LIFE-LONG LEARNING
In her time at both Deloitte and SEEK Iannantuono has added to her list of cyber security certifications, something she says reflects one of her core beliefs: “an enthusiastic commitment to life-long learning and professional development as a deliberate and voluntary act.”

She adds: “Life-long learning is an invaluable skill, especially in cyber security, and applying knowledge and skills gained from experience in diverse fields helps me to be a more well-rounded security professional. The interests and aspirations that I’ve fostered over the course of my life have made me the person I am today.”

However, she acknowledges numerous sponsors and mentors as having “championed me, elevated me and provided amazing opportunities for growth,” saying, “These individuals have unlocked doors and encouraged me to step out of my comfort zone by moving from ‘silent achievement’ to ‘promote achievements’.”

In particular, she singles out John Green and Nina Yiannopoulos at Deloitte, Brendan War at Bank of Tokyo Mitsubishi, Chris McDonald and Helen Teixeira at KPMG, and Deepa Bradley at SEEK. “Without these supportive and inspiring sponsors, my career would not have had the same trajectory.”

GAINING CROSS-CULTURAL EXPERIENCE
Iannantuono also cites working at the Sydney branch of Bank of Tokyo Mitsubishi, mostly with Japanese colleagues on secondment, as having been an excellent experience in working and communicating cross-culturally, and one that had an immensely positive impact on her career.

“This provided the opportunity to hone my skills in cross-cultural communication and further foster a passion for working across regions. Every position I have undertaken since this role has had an Australasian/Asia Pacific regional scope. These communication and stakeholder management skills became increasingly valuable as I delved into data breach incident management.”

At SEEK, Iannantuono says she “leads, coordinates, communicates, integrates, and contributes to the success of the security portfolio, ensuring alignment with SEEK and security priorities.”

“A typical day at work consists of an alarming amount of coffee (on LinkedIn she describes herself as “an espresso fuelled cyber security strategy and influence leader”) flexing influencing and diplomacy skills in workshops, working on pulling puzzles together and aligning Security across APAC.”
Despite her triplet of ISACA certifications — Certified in Risk and Information Systems Controls (CRISC), Certified in Data Privacy Solutions Engineering (CDPSE), Certified Information Security Manager (CISM) — Iannantuono advises aspiring cyber security professionals to focus first on their soft skills. “I believe, for entry-level roles in cyber security, the technical and role-specific skills can be learnt on the job, but a great way to get your foot in the door is to focus on developing soft skills.”

She says, despite their name, these skills are anything but soft and she lists three key skills to focus on.

• Adaptability: with exponential growth in technology and threat actors using creative and new ways to target organisations it is critical for security professionals to be adaptable to rapid changes. Priorities and technical skill requirements may shift and change, and so should you.
• Business acumen and influence: security should be an enabler of business. The ability to identify business priorities, align security goals, and communicate and influence are critical to career progression.
• Curiosity: being curious, having a desire to deep dive, solve problems and see how things ‘tick’ will take you far in meeting the challenges set by an evolving cyber security landscape.

Iannantuono reiterates a belief that, without exception, has been expressed by every woman sharing her journey in AWSN: diversity is paramount. “Cybersecurity needs diversity: diversity in perspectives, leadership and experience is a business multiplier. Providing an infrastructure that supports under-represented demographics (such as women) across the complete employee lifecycle is critical,” she says. “Not only does diversity drive better financial performance, the ability to secure and retain key talent and increased innovation, but it is also in the best interests of businesses from a strategic standpoint. Threat actors have varied backgrounds and experiences; security teams should reflect this diversity to better protect their organisations.”

BEWARE THE METAVERSE
The industry will need every bit of diverse talent it can muster if it is to successfully counter what Iannantuono personally sees as its biggest challenge: the Metaverse.

“The Metaverse is a fully immersive, hyper spatiotemporal and self-sustaining virtual shared space for humans to work and socialise. It comes with a raft of security and privacy concerns.

“Whilst businesses and government have begun to take advantage of the topicality of the Metaverse, exploring opportunities to drive towards a greater bottom line, it is important for security and privacy by design to be embedded. Security and privacy professionals should be involved in any Metaverse opportunity exploration or discussion within their organisations, to influence greater security and privacy.”

www.linkedin.com/in/sarahiannantuono/
medium.com/@protectyodata
Georgeina Whelan AM, CSC and Bar
Commissioner at ACT Emergency Services Agency

Commissioner Georgeina Whelan, AM, CSC and Bar says she joined the Australian Army from school in 1985 “to escape”. Instead, she ended up being ‘captured’. Three years later she decided to commit to a career in the Defence Force, applied for selection to the Royal Military College to complete her officer training and went on to have a 30-year career in the Australian Army.

At school, she aspired to be a high school history teacher and only joined the army “because I was a little lost and was having trouble finding my way. I did not see it as a career initially.”

Commissioner Whelan gained her officer training not in Australia, but at New Zealand’s Officer Cadet School as one of three in her year selected for training as exchange students. “This was, without doubt, the toughest year of my life,” she says. “The experience allowed me to build resilience and tenacity and it prepared me well for the future.”

After completing her officer training in 1988 she joined Army Health Operations and Administration where she spent the rest of her military career, serving in New Zealand, the USA, Canada and in two operational deployments. Her career culminated in her being appointed Director-General of Army Health and, in 2016, the inaugural Chief of Staff of ADF Headquarters.

EXPERIENCE IN DISASTER RESPONSE
Over the years she gained extensive experience in planning and delivering disaster response and humanitarian aid, and in late 2017 took leave from the ADF to take up the role of Chief Officer for the ACT State Emergency Service. Six months later she transferred to the Army Reserve, stayed with ACT State Emergency Service and was promoted to her current role of Commissioner of the ACT Emergency Services Agency in September 2019.

“My role is to provide effective and cohesive management of the four emergency services (Fire and Rescue, Ambulance, Rural Fire and State Emergency Services) and the enabling services that make up our agency, including the triple zero communication centre,” she says.

Throughout her long career, Commissioner Whelan has benefited from something that must be quite rare: 35 years of guidance from the same mentor. “He has guided me in a most gracious and unobtrusive way. He is brutally honest with me when I need it and a supportive ear when I just need to recalibrate.”

Also pivotal, in a very practical way, has been her husband. “He has taught me, coached me, lectured me, listened to me and totally backed me all the way,” she says. “He assumed the primary role of raising our four beautiful children. With the support of our extended family, this enabled me to make myself available for the opportunities that supported my career aspirations and progression.”

DISCOVERING THE JOY OF LEARNING
During her army career Commissioner Whelan completed studies at Defence Staff College and the Centre for Defence and Strategic Studies and obtained a Postgraduate Certificate in Business Administration and a Masters in Defence and
Strategic Studies, but says she regrets leaving attaining formal qualifications until the latter stages of her career. “I discovered later in my professional pathway the joy of learning. I would encourage regular professional development. I have discovered it is never too late to learn.”

For others aspiring to an emergency services management role, Commissioner Whelan recommends gaining formal qualifications in health management, emergency management or policy development, and early career roles in any government emergency services organisation such as a firefighter or paramedic (for which a degree is required).

And, just as with cyber security, Commissioner Whelan says emergency services would benefit from the greater diversity that increased representation of women would bring. “I would love to see more women in emergency services, particularly in leadership roles. Women are extremely underrepresented in middle management and senior leadership positions across Australian emergency services. Our industry is challenging and exciting and offers a plethora of opportunities. It will only thrive if it continues to be underpinned by the diversity of thought and membership.

“The security industry draws upon a variety of skills ranging from STEM through to communications and policy development. Whether it is a role as a first responder, in a technical field, human resource management, analyst or in the policy area there is a variety of opportunities and career pathways.”

FACING MULTIPLE CHALLENGES
And from what she says, it is clear emergency services will need skills and diversity in spades if it is to respond effectively to the societal challenges they will be expected to deal with. What was previously termed non-traditional security threats such as environmental, climate, resources and pandemics are front of mind for Commissioner Whelan.

“My role exposes me to the consequences of natural and human-made hazards and the consequences of not being adequately prepared to combat these emerging challenges,” she says. “For the past 30 months, Australians have experienced the impact these threats will have on our society if left unaddressed.

“The 2019-2020 Black Summer bushfires and storms were a particularly confronting and challenging high-risk weather season for our nation. The change in our climate and the corresponding increase in the threat of natural hazards demands a rethinking of our preparedness, the use of technology to enhance our response options and research to better understand the steps we must take to preserve our environment.

“Our health system is facing pressures, including rising costs driven by increasing incidence of chronic diseases, an aging population, inequitable access to services and gaps in workforce and infrastructure. In addition, changing customer expectations are driving a need for more personalised, digital, seamless and integrated care experiences.”

www.linkedin.com/in/georgeina-whelan-b7959551/
www.facebook.com/people/ESA-CommissionerGeorgeina-Whelan/100027309564801/?_rdr
Sonomi Miyazaki
Senior Information Security Consultant and Team Leader at Westpac

Like many women who have shared their career journeys in these pages, Sonomi Miyazaki is someone whose career began a long way from Cyber Security.

A native of Japan, she held a variety of human resources and executive assistant roles but harboured a strong desire to transition into IT. However, Cyber Security was not on her radar at the time, because she says it was not as important then (2000) as it has now become.

She migrated to Australia because sideways career moves in Japan were not easy for women. She obtained a graduate diploma in Information Technology in Multimedia from James Cook University and started looking for a job in which she could use her language and IT skills.

“My first role after university was in Identity Access Management at an investment bank. I really enjoyed the job, especially when required to investigate problems; it was satisfying to determine the root cause,” she says. “After I assisted with some Security Operation Centre (SOC) incidents, I wanted to move to an investigation and SOC role.”

For almost a decade now, Miyazaki has been with Westpac, initially in Identity Access Management and now as a Senior Information Security Consultant and Team Leader. “My current role involves incident response, creating playbooks, reviewing cases, project work, and managing my direct reports,” she says.

“I am now in a people leadership position where I can learn from people who report to me and also help them develop their careers.”

AN AVID ONLINE LEARNER
Much of Miyazaki’s learning has been on the job, but she has also made extensive use of the many resources available online. “I follow security forums, participate in blue team CTF exercises, internal tabletop exercises and attend conferences such as B-Sides when I can.”

“There are lots of awesome courses available online these days such as Hack the Box, TryHackMe, and Cyber Defender, where you can get a taste for cyber and develop your skills. There are also lots of free events and activities for red and blue team, such as Splunk’s Boss of the SOC as well as meetups where you can meet industry insiders and others who share your interests. If you have the financial capacity, I would also recommend gaining other certifications or doing SANS courses as they are very valuable in the industry. But I have found you don’t really learn without practical experience.”
However, Miyazaki says the most important attributes for her role are not technical skills but rather personality traits: a desire to learn and the curiosity to investigate. “People with backgrounds in other IT areas such as network engineering and development are in a strong position to transfer to Cyber Security.”

And she adds: “Diversity and empathy are incredibly important in Cyber Security. A variety of employee backgrounds creates a space for innovative responses that you just won’t get if everyone has followed the same career path and has the same background.”

MULTIPLE CAREER OPTIONS
“If you are inquisitive and enjoy problem-solving I would recommend you consider a career in cyber security. If I can do it, any woman can do it, as long as they have a passion for Cyber Security. As threat landscapes change and attacks become more sophisticated, more and more specialised roles have been developed in response. There are now lots more career options in cyber security.”

“Women tend to be very tough on themselves and underestimate their true potential. But if you have an interest in Cyber Security you should go for it—you may surprise yourself.”

She is keen to see more women take up roles in Cyber Security. “Often Incident Response requires coordination and communication with lots of stakeholders, and in my experience, women excel at this. I want more and more women to join me to protect organisations and societies. Cyber Security threats impact everyone, and a workforce representative of the community they protect is more likely to understand threats that a less diverse team may overlook.”

www.linkedin.com/in/sonomi-m-3414a64
Domiziana Foti
Security Analyst | GRC at BIP
After graduating in law, Domiziana Foti had no clear idea about her future. “After several internships and volunteer experiences I realised I had over-idealised the legal profession and it was not for me,” she says. “It was discouraging to realise I would not be happy in the legal profession after studying so hard.”
She grew up thinking she was unsuited to technical jobs because she did not excel in maths and science. She thought such jobs were only for people with a special gift for scientific subjects. Despite her belief, various cyber security topics piqued her interest and she wanted to learn more.
Foti let her curiosity guide her and enrolled in the Cisco course Introduction to Cybersecurity. After she started studying Foti felt energised and realised she had finally found an industry that inspired and motivated her.
However, starting fresh in cyber security felt overwhelming and intimidating. The more she delved into new topics, the more inadequate she felt because she lacked a technical background, and the more she questioned if she was good enough, experiencing imposter syndrome. Foti wondered if there was a place for her in the cyber security world. “Overcoming the fear of not being good enough was a very important step in my career,” she says. “You have to be ready to accept new challenges and embrace uncertainty.
LEAVING HER COMFORT ZONE
“The desire to learn helped me to overcome the feeling of inadequacy. There is nothing wrong with asking questions and not knowing everything all the time. This means getting out of your comfort zone and being open to learning new things. Stepping out of your comfort zone also involves experimenting with solutions and methodologies different from what you are used to and looking at problems from a different perspective.”
Foti’s cyber journey has not been easy. She took some time to figure out which role was right for her skills, analysing which transferable skills she could bring to her new journey. A breakthrough came when she realised technical roles are accessible to those without prior knowledge of the field.
GETTING STARTED IN CYBER
“For someone who is a beginner and is starting to study the basics of cyber security, the amount of material and knowledge available online is overwhelming,” Foti says. “Navigating this sea of information is not simple and having a mentor and a community to ask for advice really helped me. One of the best suggestions I received was to try and identify a role I liked and start studying the main relevant topics, then being consistent and curious would do the rest.”
After completing the Cisco course, Foti landed a position as a security analyst for an Italian consulting company. “Working in a male-dominated industry requires the ability to be determined. Company culture is key, finding colleagues and managers who can support and inspire you in your career path makes all the difference,” she says.
“The skills required to be a consultant are not predefined, both extroverts and introverts can succeed. In fact, the key to problem-solving is diversity of thought. Working in consulting also means working with a lot of data and projects simultaneously and being able to develop an empathetic relationship with your clients.
“Working in the cyber industry and being able to help organisations better protect themselves from various cyber threats is incredibly rewarding. I am really happy I found the courage to make this leap. No day is ever boring and every day there is a new challenge to tackle. The lesson I learned from the experience that could benefit other women: don’t be afraid of not being sufficiently qualified, there is definitely a role suitable for your skills.”
www.linkedin.com/in/domiziana-foti
Michelle Ribeiro
Executive Conference Producer at Corinium Global Intelligence
Michelle Ribeiro is not a cyber security professional per se, but probably knows more about what’s hot in cyber security and what keeps CISOs awake at night than most CISOs. She is an executive conference producer with UK-based market intelligence, advisory and events company, Corinium Global Intelligence and the main producer responsible for its portfolio of CISO events in the ANZ region.
Her role involves in-depth research on the most critical challenges facing cyber security executives, information she uses to shape the key themes and discussion topics of the events she produces.
“The events I organise are a platform for executives to share ideas and showcase successful achievements,” she says. “I work closely with a group of advisors made up of CISOs, senior InfoSec leaders and key industry players from some of Australia’s and New Zealand’s largest organisations. They help me validate my events’ content and ensure we are targeting what the industry really needs.”
A SYMBIOTIC CYBER RELATIONSHIP
And it’s a two-way street. As well as tapping CISOs and others for their industry knowledge, Ribeiro offers them opportunities to share their expertise and raise their profiles. “That is my favourite part because it is how I give back to the cyber security community,” she says. “Speaking at events is an opportunity for them to share their successful experiences with their peers, strengthen their networks, learn from each other, improve their businesses practices and ultimately achieve their companies’ cyber security goals.”
Ribeiro is particularly proud of how she is able to raise the profile of women in cyber security. “I love to celebrate women’s achievements. Inviting them to be part of my events is only a small contribution to their career path but one that makes me feel very proud of my job and very honoured to be able to offer some support.
“I love to be able to work with some of the most inspiring women in cyber security and have them speaking at my events. I love it when they share their invaluable experiences on how to overcome diversity and inclusion challenges, which is one of the key issues facing the security industry. But I love it most when they get on the stage and talk about their most successful career achievements in security fields because that is when they are really proving women can be as successful as men.”
PRAISING WOMEN IN CYBER
In fact, Ribeiro thinks women have the potential to be incredibly successful as cyber security specialists. “In my opinion, a lot of the capabilities required for a security role are innate skills for women that can actually give them an advantage over men. For example, women are generally very attentive to details, which is a critical requirement of any security role. Women are also very intuitive which helps us see what others usually wouldn’t. That is also a key advantage that will help us to be successful in a security role.”
However, she thinks there is too much concern with security being a male-dominated industry and says the focus should shift to “doing a great job and delivering the outcomes expected by our organisations,” regardless of gender.
“I know discrimination and unconscious bias are real problems, but I believe the best way to defeat them is by not giving emphasis to them. Focus on the positive, focus on the success, focus on the outcome. Aspire to be successful because you CAN BE successful, not because you are a woman.
“If you are aspiring for a career in security, start by acknowledging it is what you want. Don’t focus on the fact that it is a male-dominated industry. It is a fast-growing, well-paid industry. There are a lot of opportunities and interesting areas you can explore. Go for it! You might be surprised by how much you can love this environment.”
A LONG CAREER IN EVENT PRODUCTION
Ribeiro has a bachelor’s degree in Social Communications and Publicity and Advertising, and a post-graduate degree in Marketing Strategy and got her first job as a conference producer while studying for that postgraduate degree.
She has been producing events for the past 15 years across a variety of industry sectors, starting in her native Brazil. She has focussed on cyber security since 2019 and loves it. “It is a very interesting area that is always evolving, so there is so much to learn and explore,” she says. “No two days are the same, so I never get bored in my job. And the cyber security community is always willing to help and support each other. That is the best part of my job.”
She says one of the key trends and challenges emerging from her discussions with the cyber security community is the convergence of physical and cyber security. “Facilitating the convergence of physical and cyber security is not an easy task when the teams have different perspectives, but it is an important area for organisations to focus on if they want to scale their businesses through technology innovation.”
ADVICE FOR ASPIRING CONFERENCE PRODUCERS
For anyone thinking of a career in the events industry, she stresses that a conference production role is very different from event management. “The role requires you to do a lot of research on the key themes and topics of the events. If you have strong analytical skills they will help you because you will use the content of your research to shape your event’s agenda.
“You also must love writing, because creating relevant content is a critical part of the role. As the conference producer, you are responsible for understanding the event’s themes and translating those into an agenda that will make people want to attend it. You are also responsible for creating content pieces to support the marketing team promoting your event.
“It is also important that you are sociable and enjoy meeting new people because you will be managing your speakers, sponsors and partners as well as all the people you connect with as part of your events.
“You must also be very organised and have the ability to multitask. You will be working on tight deadlines and managing many projects at the same time. If you have an active mind, like new challenges and like learning new things every day, then you will love exploring a career as a conference producer.”
For aspiring conference producers, Ribeiro recommends fields of study such as events management, journalism, marketing and communication, or research and development. “These are the most important areas you will be dealing with in your daily routine,” she says.
Before taking a conference production role Ribeiro managed to realise an ambition to work abroad, scoring an internship in Bucharest after graduating. “Not only was I able to improve my English skills, but I also learned that no dream is too big. You just have to work hard and do all the right things at the right time, and in time everything will fall into place. Sooner or later, an opportunity will knock on your door. Then you just have to say yes.”
Having seen much of Europe while based in Romania Ribeiro did not settle easily back in Brazil and after meeting her husband in 2013 she moved to Australia, fell in love with the country and is now an Australian citizen.
PRAISING PARENTAL INFLUENCE
She credits her parents with being the greatest influence on her career journey through their guidance and inspiration. “They worked very hard to give me the best education they could. My dad always encouraged me to study a lot. He inspired me to pursue my dreams on my own. He said I would always get help along the way, but if at any point someone doesn’t believe in you or makes you doubt your own dreams, don’t listen to them. Keep trusting yourself and your dreams and aspirations. Don’t let anyone or anything hold you back. Be persistent and keep chasing them and working hard for them.”
For any school leaver contemplating a cyber security career, Ribeiro says: “The most important thing is to identify your abilities and the things you like about security and use that knowledge to help you design your career path. If you are a person who enjoys communicating and sharing your knowledge you could aspire to a role in security training. If you like the more technical aspects of security you could search for qualifications to give you the technical background you need for a role in security. If you are a natural leader you could search for training to develop your leadership skills.”
www.linkedin.com/in/michelle-r656e6/
Lesley Honeyman
Director of Cyber Security Operations at Cyber Security NSW
For many people, their career journey starts with a university course they believe will prepare them for their chosen career. Rather than choose a degree to further any specific career ambitions, Lesley Honeyman chose one that would leave her options open: a Bachelor of Applied Science in Human Geography at the University of NSW (UNSW).
“When I left school I was considering town planning. I selected my course at university because it was not specifically targeted at one career path – there were many careers that I could consider,” she says.
While UNSW no longer offers the course Ms Honeyman graduated from, human geography is “the study of people and place”, where “human geographers examine social and environmental problems in a holistic way and apply spatial thinking to help resolve social conflicts and environmental crises”.
Armed with her degree and an honours thesis in economic modelling, Ms Honeyman scored a job as a strategic intelligence analyst with the NSW Police Force. She says she had “no idea what a strategic intelligence analyst did, but the role description did outline the requirement to conduct crime modelling”.
TOP NSW GOV’T CYBER SECURITY ROLE
Today, she is the Director of Cyber Security Operations at Cyber Security NSW, working with government agencies and councils to uplift their cyber security maturity and managing teams that provide a range of services to support these agencies and councils, including: intelligence, incident response, vulnerability management, security and infrastructure uplift, and an internal technological development capability.
Ms Honeyman cites her first intelligence analyst job as monumental in her career progression. She was passionate about the role and one of her earliest commanders, Assistant Commissioner Paul McKinnon, was pivotal in shaping her future career.
“Through his leadership, I was exposed to many different opportunities and worked in many different roles in the organisation, some within the intelligence profession and others that enabled me to develop new skills and capabilities,” she says.
“He recognised the skills I had developed at university and, although they were still raw, he capitalised on them to deliver important projects for the NSW Police Force.”
KEY ROLE IN 2000 SYDNEY OLYMPICS
Aided by McKinnon’s leadership, Honeyman worked on major Royal Commission reform projects and implemented critical technology that has since shaped the tasking and deployment of frontline resources, culminating in the delivery of the Olympic Intelligence Centre for the Sydney 2000 Olympic Games.
Over the course of her career, Ms Honeyman has gained extensive experience leading crisis management, including spearheading intelligence resources during the Lindt Café siege.
Another mentor, Dr Maria Milosavljevic, the NSW Government’s first Chief Information Security Officer, helped set Honeyman’s career on a new path. “I was at a career crossroads and had a pivotal meeting with Dr Maria Milosavljevic, where I paused to reflect on my career history and recognised my wealth of experience and how that was valuable to cyber security,” Ms Honeyman says. “She challenged me to reconsider my internal voice about my skill match to an operational role in cyber security.”
Honeyman identifies the biggest challenge of her career as establishing a cyber operations function for the NSW Government and ensuring it provided value to other NSW Government bodies.
“In my current role, I have been fortunate to be able to build the team from the ground up and lucky to have colleagues who supported me in this journey. My crisis management skills have enabled me to lead government agencies in responding to cyber incidents.”
A SECURITY CAREER ADVOCATE
In an industry facing a dire skills shortage, Ms Honeyman is a powerful advocate for a career in security. “If you like to work in a challenging environment where you are learning every day, then consider this profession,” she says.
“Cyber security has many roles and not all involve hardcore technology experience. Working in this profession is not all about the images we see on the internet. It is not all about hacking. Cyber security encompasses training, awareness, governance, risk, intelligence, audit, penetration testing, threat hunters, etc. As we move into the future, this list of roles will only expand and change to adapt to the environment. The diversity of this work means you can find a role you are passionate about, and each role contributes to making a difference to people every day.
“It has been projected that almost 18,000 new cyber security workers will be needed by 2026. This growth provides plenty of opportunities for new entrants and career-switchers to work in a fast-paced and ever-changing environment.”
MORE WOMEN IN CYBER SECURITY
Ms Honeyman is keen to see more women enter the profession, saying she has seen no evidence of a ‘glass ceiling’. “This profession is open to the transfer of skills women may have developed in other roles. The skills we have developed via training, previous work experience and life often provide a different lens that is important when considering the risks that are inherent in the digital world.
“Women are great at recognising the risk and communicating that to stakeholders who don’t have exposure or in-depth knowledge. We have great stakeholder management skills, great analytical skills and great communication skills: lots of amazing talent that can be readily adapted to this profession.”
To women who doubt they have the requisite skills for a job in cyber security, Ms Honeyman says: “You do not need to make sure you have every capability in a job advert to work in cyber. This industry recognises it is new and is willing to invest in the training and development of its profession. Seize this opportunity to help shape and develop a new and exciting profession.”
www.linkedin.com/in/lesley-honeyman-a4199562/
Shamane Tan
Chief Growth Officer at Sekuro
For someone who describes herself as having “always been passionate about communicating well, building human relationships, bringing the community together and raising awareness on meaningful topics,” a bachelor’s degree course in computer engineering might seem an odd choice.
However, Shamane Tan says it was a good start to her career. “My studies in computer engineering were helpful in providing the technical foundation that helped me speak the language to the technical audience and translate that to the business. Down the track, my career started to take shape as it was a self-discovery journey of learning what I’m good at, building on my strengths and developing new skills. From there, I eventually found my way to my dream job.”
HER DREAM JOB
That dream job is chief growth officer at cyber security and digital resiliency solutions provider, Sekuro (formerly Privasec) where, she says, “I lead the outreach strategy to help C-suite executives achieve value preservation and business growth objectives with cyber risk management. I bring the perspectives of both the technical and business worlds, and help executives bridge their cyber resilience gaps.”
Tan and her team work collaboratively to enable organisations to strengthen their security posture and bridge resource gaps in their cyber security. “I have experienced experts conducting risk assessments, guiding organisations to their security certification,” she says.
“I also collaborate with a team of ethical hackers whose job is to break into things and reveal their techniques so companies can become stronger. Another part of my role is around managing the human element, which is often dubbed the weakest link in security.”
However, she adds: “People can be our strongest first line of defence. So my role is to raise awareness within the community and change the culture and mindsets around cyber security.”
FOUNDER OF AN INTERNATIONAL COMMUNITY
In addition to her role at Sekuro Tan is the founder of Cyber Risk Meetup, an international community of more than 4,000 members across Australia, Singapore and Japan. And, as one of Sekuro’s brand evangelists, she often gives keynotes at global conferences. She has also authored two books: Cyber Risk Leaders, compilations of her conversations with more than 70 CXOs from different industries around the world, and Cyber Mayday and the Day After, a leader’s guide to preparing, managing, and recovering from business disruptions, which she co-authored.
Tan got into cyber security from executive recruitment, where she helped CIOs building cyber security hubs recruit their leadership teams. “Cyber security was new back then and there was a huge need,” she says. The Australian Women in Security Network (AWSN) also influenced her shift into cyber security. “I met with AWSN years ago and saw the diversity of backgrounds there were in cyber security. Hearing their different stories gave me the courage to go for a career change and specialise in cyber security.”
And people have had a huge influence on Tan’s career journey. “Growing up, I always had different dreams and lists of aspirations. What triggered them into becoming a reality was the people I met throughout my life, who inspired me and encouraged me to pursue those aspirations.”
A RICH COMMUNITY OF SUPPORTERS
Asked if colleagues and managers, mentors, family and friends and partner(s) have been most influential, Tan says: “I’ve been blessed to have great colleagues, leaders, mentors, friends and a wonderful family who have supported me throughout. I have had incredible role models in my life, who paved the way forward and showed me how to navigate the cyber security industry to get to where I am today. These are the people who challenge me and act as my sounding board where I can bounce ideas and gain new perspectives.”
She adds, “Take the Sekuro team as another example. They have always been vocally supportive and publicly affirming of my initiatives, ideas and the value I have brought to the company. They celebrated my successes, which really encouraged me to go further knowing I have the backing and support of my company.”
It’s hardly surprising then that Tan says she “believes in the power of building strong, deep and authentic relationships.” And that these have “carried me really far and helped me navigate the corporate landscape.”
In particular, “One of the key factors that accelerated my learning was investing my time in gleaning from the previous generation of leaders. I must have had more than a thousand coffees with different industry leaders over the years.”
With this background it’s hardly surprising Tan’s advice to cyber security career aspirants is: “Invest time in developing your skills for networking and invest time in networking! Surround yourself with mentors, and a community of healthy and positive-minded people who will inspire you for greatness.”
THE DANGER OF LIMITING BELIEFS
She adds: “Don’t fall into the trap of expecting perfection of yourselves, because if you do you may limit yourself from trying new things or moving to new roles. A coach once told me the sky’s the limit, and it has stuck in my mind. Whenever my limiting beliefs start to rise within me, I just remind myself that it is only I myself who can limit my own potential.”
However, Tan says women still face headwinds because of their gender. “Despite the progress we have made over the decades, I still notice the unconscious bias that exists if I step into a room full of ‘white hairs’ and I’m the only woman there. I’ve been in a room where the men think they know more than me, and their opinion is more important. They could listen, but they are not really hearing.”
One example she relates is particularly telling. “One time, I was invited to a meeting and I brought along a junior male colleague I was mentoring. The other men in the room assumed he was my boss and channelled all questions to him even after we exchanged business cards.”
GENDER BIAS IN ACTION
Faced with such an overt display of what must, after an exchange of cards, rank as conscious bias, Tan says: “I have learnt to pick my battles. In situations like this, it is important to know your identity, and what you have within you. I know my voice, and I speak (at the right time) with confidence, but I don’t fight to be heard and speak just for the sake of speaking.”
Fortunately, such experiences are not the norm. “There are many men supporting women, advocating for them, and many inspiring women who have also led the way and show us they can be really successful in cyber as a career,” Tan says.
“Cyber security is one of the more embracing sectors, recognising the need for diversity, not just in genders, but in the background, experiences and culture. Cyber security is a field that celebrates creativity and out of the box thinking because different perspectives and experiences are what we need in raising our cyber resilience across the industry.
“Diversity brings a huge benefit for the security industry because there is an urgent need for different talent and skills, from technical roles to governance, risk and compliance roles, forensics, research, cyber education and awareness, legal, policies, sales, management and many more.
“We are up against cyber criminals and attackers who don’t discriminate amongst themselves or who they target. We on the defenders’ side, have to embrace contributors from diverse backgrounds to build a strong ecosystem.”
CYBER DEFENCE STARTS AT THE TOP
However, she says effective cyber defence starts at the top. “Executive leaders must first and foremost take a proactive approach with their cyber risk strategy. As part of growth and security maturity, it makes sense for businesses to start looking at an offensive strategy that will give them the foresight to plan their next tactical move, as compared to just being at the backfoot playing defence.
“If businesses start preparing for the inevitable cyber disruptions they will be looking at running more war room exercises and maturing their business continuity processes as part of crisis management drills. Companies need to be talking to peers proactively, especially across industry sectors because information and experience exchange is invaluable in contributing to the growth of our ecosystem.”
www.linkedin.com/in/shamane/
Gina Mihajlovska
Cyber Security Manager at EY
Gina Mihajlovska is a Cyber Security Manager at EY (formerly Ernst & Young) where she works across the full spectrum of cyber security: assurance, maturity assessments and program work. However, she aspires to a more direct role in an organisation’s cyber security. “I am to proactively and inclusively lead the management and security direction of an organisation,” she says.
Gina has identified barriers to establishing security leadership. “It has been challenging coming to terms with how sparse the security knowledge of industry leaders can be and find ways to lift their appreciation of the criticality and importance of cyber.”
She was introduced to cyber security in 2007 while working in information management for a local government organisation that wanted to use SharePoint as an electronic document management system (EDMS) and has worked in cyber security ever since in various industries: financial services (banks and superfunds), telecommunications and education.
However, she says her first real introduction to cyber security came in the early days of the internet while working at Telstra when a senior executive “opened doors to vendor management in Telstra’s engineering and architecture.”
PIVOTAL INFLUENCES
She credits another manager with also having a pivotal influence on her career. “They took me aside and said: ‘you need to do project management and learn every facet of technology that is going to influence our future. I know you can achieve this. Trust yourself.’”
Throughout her career, she says a most important asset has been “Trusting my ability to learn new things and not being intimidated by the complexity of security, technology and process. I have learned how complex security is and will be in the future. And I have learnt to listen, analyse and find the point of urgency to start the conversation at all levels: societal, personal, governmental and educational.”
And for anyone aspiring to a career in cyber security she recommends an education that embraces data science, criminology and social science, because “security is about people, institutions, humanity and social relationships most of all.”
On a more technical level, Gina thinks zero trust, systems thinking and DevSecOps will be important aspects of cyber security in the near term.
And, in common with every woman who has shared her cyber security journey, Mihajlovska is a strong advocate for more women in the industry.
“Women lift economies, and they will lift security due to their ability to see things from different perspectives. This allows for a better understanding of the problem and solution. Women are also good collaborators and engage with people to lead the way forward. These are useful skills when building cyber team resilience.”
www.linkedin.com/in/ginamihajlo/
TALENT BOARD
Manavjeet Kaur
WHAT POSITIONS ARE YOU LOOKING FOR?
Full time / Contract
PREFERRED STATE
NSW (Sydney, or remote/flexible)
WHAT KIND OF ROLE?
Information security analyst / Cyber Security Analyst, Security awareness training Specialist, Cyber Security Consultant.
WHAT'S YOUR EXPERTISE?
Dynamic, resourceful, and engaging technical professional with solid knowledge of Programming languages/Platforms including Java, Android, Python, Unity, C#, and C/C++, Data Visualisation, and Business Analysis. I have more than twenty years of leadership experience in process improvements, product lifecycle management, and building training/education programs from the ground up based on specific needs. I have designed and delivered Cyber Security awareness courses at Australia's university and RTO levels.
WHAT'S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED?
I have worked in various environments, from casual and laid-back to fast-paced agile. I believe in a collaborative environment, where the team members have a strong sense of camaraderie and a good work ethic, an environment that helps transfer knowledge into skills for individual and organisational growth.
DM ON LINKEDIN
Arthur Mapisa
WHAT POSITIONS ARE YOU LOOKING FOR?
Full-time, part-time or casual
PREFERRED STATE
NSW, ACT, SA, TAS, VIC
WHAT KIND OF ROLE?
Cybersecurity Consultant, Security Assurance Analyst, Penetration Tester, Cybersecurity Analyst, Cybersecurity architect or similar
WHAT’S YOUR EXPERTISE?
Entry-level Vulnerability management, Medium-level Web security, Entry-level penetration testing, Entry-level IT Governance and Risk compliance
WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED?
An environment where I can work well as part of a team and express my innovative skills
DM ON LINKEDIN
EACH ISSUE WE WILL LET YOU KNOW WHO IS LOOKING FOR A NEW ROLE AND WHAT KIND OF EXPERTISE THEY HAVE, SO THAT IF YOU HAVE SUCH A JOB OPENING AND LIKE ONE OF THESE CANDIDATES, YOU CAN CONTACT THEM.
Saber Attar Motlagh
WHAT POSITIONS ARE YOU LOOKING FOR? Cyber Security Forensics, Information Security Analyst/Cyber Security Analyst
PREFERRED STATE New South Wales
WHAT KIND OF ROLE? I am interested in roles that are more on the investigative side of Cyber Security, for example, roles looking at attacks that happened or trying to analyse/predict future attack methods. However open to most roles in the cybersecurity world.
WHAT'S YOUR EXPERTISE? I have worked in the IT industry for 3 years now (despite only being 22). This includes time spent working in Level 2 support at a bank in Australia and working as a web designer/SQL developer for a small IT firm. However, I am more interested in Cyber Security and I graduated with a Bachelor of IT majoring in Cyber Security. I am in the process of studying CompTIA's Security Plus.
WHAT'S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED? An ideal work environment would be one that is expecting and pushes me to be my best, but also relaxed and not super rigid in structure. Room for growth is very important to me and hybrid work (home/office) is preferred but not essential. No specific benefits are required.
REACH OUT ON EMAIL
Grace Imani
WHAT POSITIONS ARE YOU LOOKING FOR? Contract, Part-time and Full-time
PREFERRED STATE I love Perth; however, for the right position I will willingly relocate
WHAT KIND OF ROLE? Information security analyst, Risk management professional, SOC analyst (I have developed an interest in this area and I'm slowly upskilling). I am looking for a role that provides some guidance that, coupled with my passion and determination, will help me grow as a professional.
WHAT'S YOUR EXPERTISE? Cyber security, Analytics, Problem-solving, Machine learning, Project management, Customer service
WHAT'S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED? An environment where you feel motivated to grow and improve. A place where everyone is welcome. A place where your superiors not only delegate, but also lead.
DM ON LINKEDIN
Al Mamun Mahbub
WHAT POSITIONS ARE YOU LOOKING FOR? Preferably mid-level. Full-time
PREFERRED STATE VIC
WHAT KIND OF ROLE? Any cybersecurity position, if relevant training is offered.
WHAT'S YOUR EXPERTISE? 13+ in IT, new to security
WHAT'S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED? Hybrid work environment
DM ON LINKEDIN
Priya Kaul
WHAT POSITIONS ARE YOU LOOKING FOR? I’m looking for an entry-level role
PREFERRED STATE: Victoria
WHAT KIND OF ROLE? Blue team roles
WHAT’S YOUR EXPERTISE? I possess a high level of stakeholder management and analytical skills
WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED? Flexible working environment and option to Work From Home.
DM ON LINKEDIN
Liam Harmon
WHAT POSITIONS ARE YOU LOOKING FOR? Full-time, Part-time or 1-2 days training/volunteer work a week.
PREFERRED STATE QLD
WHAT KIND OF ROLE? Open to anything, ideally cloud/cloud security.
WHAT’S YOUR EXPERTISE? Many years experience in customer service and print production/management. All my time in the print industry has refined my eye for detail and quality and has grown my interpersonal and relationship building skills.
WHAT’S YOUR IDEAL WORKPLACE ENVIRONMENT OR BENEFITS REQUIRED? My ideal work environment is where people are doing their best, passionate to improve and willing to help each other showing a good team spirit. Training and support from colleagues and employer, as well as some flexibility in the work structure.
DM ON LINKEDIN
ARE YOU LOOKING FOR A NEW ROLE IN SECURITY, CYBER, PROTECTIVE, RESILIENCE OR GRC? Contact us today and we can publish your details in the next issue of the magazine to help you find your next role.
aby@source2create.com.au
REACH OUT
vasudha@source2create.com.au
AUSCERT 2022 FEATURE
THE THREE ‘RS’ OF CYBERCRIME FIGHTING: RETHINK, RESKILL, REBOOT
by Stuart Corner
Mandy Turner
Cybercrime Specialist | Director & Co-Founder Demystify Cyber Consultants
According to Mandy Turner, the cybercrime fighting community is sclerotic in comparison to the cybercriminal community. It is doing things the way they have been done for years while the crims are constantly innovating, evaluating and exploiting new technologies to further their endeavours, collaborating and co-operating on techniques and targets.
To combat the increasing volume and sophistication of cyber attacks she argues cyber security needs a complete overhaul. It needs to rethink, reskill and reboot, and the cybercrime fighting community needs to learn from, and emulate, its adversaries.
In her AusCERT 2022 presentation Cybercrime fighting 2022 - the reboot, Mandy (Amanda-Jane) Turner, an adjunct lecturer in criminology for the University of Queensland, outlined what needs to be done to achieve these three ‘Rs’ of cyber security reform.
“The criminals are using advances in AI and machine learning to launch faster, more frequent and efficient cyber attacks. We need to think about how we can increase the speed of detection, prevention and recovery by using these advances.
“Criminals are getting a decentralised economy, using blockchain to make their cybercrime attacks and campaigns more effective and making it really hard to locate the offenders. We could use this stuff ourselves. We could use this for the data integrity of our investigations. We could use it to get better collaboration.”
A CALL FOR COLLABORATION
Even that most ubiquitous technology, the internet, could be better used to boost the capabilities of cybercrime fighters, Turner argued.
“We could use it to increase the speed of communication, collaboration and response. Think about how we can use technology to help us fight cybercrime and investigate cybercrime and analyse cybercrime.
“Criminals are thinking of this all the time. So let’s reskill and rethink. I have seen in my darknet scrapes, criminals chatting to each other, telling each other ‘This company pays ransoms. This company is an easy target. For a little money, I’ll give you the way in.’ How about we make more use of communication for the good guys?”
A GENUINE USE FOR DEEP FAKES
Turner talked about how cybercriminals have exploited deep fake technology to perpetrate cybercrimes, saying it had been used to embarrass and steal, and suggested the same technology could be used to fight cybercrime.
“In 2017 a Reddit user called Deep Fakes began using AI-generated videos to put the faces of female celebrities on the bodies of adult entertainers and post these as the celebrities. … In 2019 [a deep fake] was used to socially engineer a victim and relieve them of a large sum of money…. Maybe we could use it to do more memorable education and cyber security.”
She also argued the criminal fraternity is far better than the security fraternity at exploiting diversity, drawing on people with different skills and different aptitudes.
“Criminals have huge business enterprises. They have recruiters, they have psychologists, they have accountants, linguists, etc. All these people are working together to commit cybercrime. So we need to harness the skills and the aptitudes of people to make sure they become great cyber crime fighters. They don’t need a million certificates and degrees. … We need to encourage and enable people who have an aptitude to reskill and become cyber crime fighters. We need diversity in cybercrime fighting. I’m not just talking about females, I’m talking about diversity of culture, diversity of thought, diversity of language.”
APTITUDE BEFORE SKILLS
She argued it is wrong to seek technical skills as the primary requirement for a cyber crime fighter. “It is old thinking that people with degrees and certificates are best for the job and that only tech trained people can fight cybercrime.
“[We need] people who are trustworthy and passionate, people who investigate and are curious, people who look at cybercrime in different ways. We can teach you the tech, but your aptitude and innate behaviours are yours and yours alone, and you bring those diverse outlooks. Those are the people we want.”
CAREER PERSPECTIVES
PRANJALI KARVE
NAVIGATING A CAREER TRANSITION INTO CYBER SECURITY
by Pranjali Karve, Cybersecurity Intern at Telstra | Bachelor of Cybersecurity student at Deakin University
I moved into cyber security after two decades in building architecture, a completely unrelated field. With the demand for people in cyber security growing day by day, there will be more people from other industries getting into cyber security as I have done.
It would be presumptuous of me to give advice or tips to people who want to transition, but with every passing year, life teaches me to be more humble. However, I would love to share what worked for me in this career transition in the hope it will be of some help to others on the same track.
To get the chance to build a new career late in life is a fantastic opportunity. When I decided to leave architecture there was very little I could salvage from the wreckage, or so I thought at the time. As I later discovered, there were plenty of things that helped me in my new journey.
Here’s what helped me and perhaps could help you too:
RISK-TAKING AND GETTING OUT OF MY COMFORT ZONE.
When I started I made a list of what I did and did not have. I did not have a job in hand, just responsibilities. I had loads of confidence in myself. I had a burning desire to succeed. I knew what I wanted and why I wanted it. This might seem trivial, but was most important, it would carry me through the rough patches.
CONFIDENCE AND SINGLE-MINDED DETERMINATION.
A new career was a risk, so I decided to go for the free TAFE course. As well as studying I worked on other projects that helped feed my creativity. I started and worked on three businesses that kept me in situations where I had to think on my feet, meet and negotiate with people and think big picture and detail at the same time. Little did I know then that these skills are sought after in cyber security where they go by names like ‘stakeholder negotiation skills’, ‘ability to work under pressure’, ‘multitasking abilities’ and ‘creative problem solving’.
A FIRM BELIEF I SHOULD SPEND AS MUCH TIME AS POSSIBLE PURSUING THINGS I LOVE.
Not only do such pursuits keep the mind fresh and happy, they inevitably add transferrable skills.
My approach to studying is very personal. When I was studying Certificate IV in Cyber Security I went above and beyond the course resources because I was curious. Whatever topic was introduced in class I would research in my own time until the cows came home.
For example, I found the introductory networking course content not enough for me so I bought the CCNA study guide and devoured it along with seven or eight networking courses on Pluralsight. I was able to hold advanced discussions in class with the teacher as well as help my peers with their assignments. That teacher acted as a referee for me when I applied for a job and became a cheerleader who pushed me to do even better. I did a similar additional study for all subjects.
IF I WANT TO BE GOOD AT SOMETHING, I TOOK CHARGE AND FOUND WAYS TO ACHIEVE MY GOAL.
Finding my way into the industry has been like a treasure hunt. I attended a webinar that mentioned a book. I read the book which helped me decide what I wanted to do next. Then I met, or e-met, people who were doing the same thing as I. One of these people mentioned an opportunity that led to where I wanted to be. That path led to success. However, there were plenty of paths I took that led to dead ends. The thread common to them all was people. It is people not resumés, certifications or degrees that gain you a job. Knowledge alone is not enough, knowing someone is not enough. Being good at your work and letting people know what you know is most important.
Nothing about professional networking should feel artificial or forced. Everyone — introverts and extroverts — can bring their whole authentic selves to professional networking.
READING, LISTENING, LEARNING FROM OTHERS, BEING PROACTIVE IN SEEKING OUT OPPORTUNITIES TO CONNECT WITH PEOPLE IN THE INDUSTRY, AND BEING ACTIVE ON LINKEDIN.
People seldom talk about failures or bad experiences, but they are just as important for success. Here is a failure story for you.
Long ago I was in a toxic job. One day I’d had enough and I stopped going to work. I told no one, I did not resign, and I did not hand over. Stupidly, I had worked the whole month and stopped going days before payday. When I called the boss to ask for my pay he simply refused to pay me. Nothing I said could change that. What I did not see at the time was how dependent he was on me. I saw only my side of the situation. I was young and stupid.
I learnt my lesson. No matter what, being professional is the most important thing. Professional conduct should be based not only on what should and should not be done but on a genuine understanding of the business you work for, your place in the big picture and empathy towards people dependent on you. Professionalism is hard to maintain in the face of adversity. It needs to be inculcated with strict discipline and practice until it becomes second nature.
When I moved into another profession I thought I was starting from ground zero but work experience, new learning, transferrable professional and life skills accumulated over the years made this transition easy.
Last, but certainly not least, attitude is the captain of your ship. Only a good, nay a great, captain will steer your ship through choppy water and stormy weather and get you and your precious cargo of skills, knowledge, hard work and intelligence to your destination safe and sound.
I hope sharing my story will help you in some way to achieve your dream career. I wish you all the best.
www.linkedin.com/in/pranjali-karve/
SOPHIA PACE
WHY MENTORS ARE ESSENTIAL TO YOUR CAREER’S SUCCESS
by Sophia Pace, Head of Community and Brand at Avertro
Cybersecurity is a multifaceted and rapidly evolving industry. So much so, there are many and ever-changing career pathways created by new specialisations and new technologies. It’s hard, especially for a newcomer, to plan and execute a career journey. Help is necessary.
Many women have shared their cyber security journeys through the pages of Women in Security Magazine. And many have spoken of the important role mentors played in those careers. However one of them, Sophia Pace, went beyond mentoring for support and guidance in her career: she engaged a professional business coach, and it paid off.
He was, she says, one of the pivotal influences in her career. “My business coach probably deserves a page of thankyous. He taught me so much about myself. When I transitioned out of corporate to pursue a career more aligned with me and my values I had no idea where to start. The work I did with him uncovered it.”
She adds: “I feel it’s really important we normalise asking for help. It’s so empowering.”
The transition her business coach helped with took place when Pace got her first role in cyber security in 2021 at Avertro, a Sydney-based venture-backed cyber security software company. Its flagship product, Avertro CyberHQ, is claimed to be the world’s first cyber management decision system. It “helps you manage, measure and report on the performance of your cybersecurity function,” Avertro says.
Pace started at Avertro in strategic partnerships and marketing and was recently appointed Head of Community & Brand.
FROM JOURNALISM TO CYBER SECURITY
It’s a role a long way from her aspirations when she left school: to be a journalist or an actor. To that end she studied journalism at Macleay College in Sydney and her first job was in an advertising agency, where she says, “I was exposed to the realm of digital and technology and loved it.”
After a couple of years with the agency and eager to learn more she went to the UK and “landed some dream jobs working for Sony, Formula One and Jaguar/Land Rover managing their digital strategies and global product launches.”
Four years later and missing the sunshine she returned to Australia and made a radical career shift: she started her own business running a coworking space. Then, missing the world of technology, she took a role with Google followed by one with Westpac.
It was while working in Westpac she came across the strategic partnerships and marketing role at Avertro and applied, knowing there would be candidates who, on paper, looked more suitable. She speculates she got the gig “because of my experience, building my own company, understanding the issues Avertro solves and my drive to learn more about cyber security.”
AN IMPORTANT PARENTAL MODEL
Pace’s business coach played a key role in her career journey, but so too did several other people: her father and her managers in earlier roles.
“When I was growing up my dad was always working. He didn’t come from much and watching what he achieved and sacrificed for us gave me the work ethic I have today.
“My first boss encouraged me to move overseas knowing he would lose me as an employee. My second boss taught me my worth, how to fight for things you want and ask for the exchanges you deserve.”
For girls leaving school and contemplating a cyber security career, Pace says we can create so many of our own barriers.
CREATE YOUR OWN REALITY
“Back yourself. You are in control of your life. What you think creates your reality. Persistence can outweigh talent. If you’re persistent at learning you can achieve anything. So don’t be afraid to try, and ask questions. Cyber security is nothing like what a google image search returns. It’s interesting, emerging and diversifying both in people and roles.”
On a practical level Pace says: “Be curious and learn about the various roles within the industry. Talk to people working in jobs you’re interested in and ask about their experiences, what it’s like, what they do day-to-day and how they got into their role.
“Also, choose a company you are proud of and what it’s offering to the world. When you’re proud you unlock new levels of creativity because you want to make a difference, you genuinely care and your work makes more of an impact.”
IT’S GOOD TO SHARE
From the perspective of her role at Avertro, Pace says she sees there is a need for greater recognition of cyber security as a shared responsibility embracing all levels in an organisation.
“The board in enterprise organisations needs to be better educated on cyber security so they can make more informed decisions about the safety of the company. And cyber security needs to be aligned with the overall business strategy. It should not be considered an afterthought. Education and translation are key. Without these, you’ll continue to have the disconnect between departments (board and security) and struggle to have proper synergy.”
NEW CAREER PATHWAYS
And Pace has identified developments that will see new cyber security career pathways emerging. She sees the biggest factors impacting cyber security in the near future as being artificial intelligence and decentralised finance. It’s an emerging financial technology based on distributed ledgers similar to those used by cryptocurrencies that removes the control banks and institutions have on money, financial products, and financial services.
“It will be interesting to see how organisations continue to adopt these advancements and how they adapt their teams and risk management strategies to protect themselves against new attacks,” she says.
www.linkedin.com/in/sophia-pace-29656530/
www.avertro.com/
LUKASZ GOGOLKIEWICZ WINS the inaugural Kyle Maher Award at AusCERT 2022
by Stuart Corner | Interview with Lukasz Gogolkiewicz and Danielle Rosenfeld Lovell
The annual AusCERT conference saw the addition of a new award in 2022. Honouring the work and legacy of the late Kyle Maher, the award in his name is given to recognise “a person that consistently leads with empathy and shows a dedication and commitment to mentoring the next generation of cybersecurity professionals.”
Lukasz Gogolkiewicz, Head of Corporate Security at SEEK, was the inaugural recipient in recognition of his role as a mentor in a new mentoring program created by the Australian Women in Security Network (AWSN), the Australian Signals Directorate (ASD), and OK RDY. Lukasz and one of his mentees, Danielle Rosenfeld Lovell, share their experiences and advice on mentoring.
Lukasz, who spent a decade as a security consultant before joining SEEK, says teaching and supporting people throughout their cyber security careers has long been a passion of his. He is grateful that early in his career, a few people recognised something in him and pushed him in the direction he is going now, and he has always wanted to pay that forward.
Cognisant that women can feel discouraged from entering, or staying, in the cyber security industry Lukasz wanted to be a mentor in this AWSN initiative and help shift that narrative. He saw it as an opportunity to play a part in helping to build a strong cohort of female leaders to support the next generation of women entering the cyber workforce.
“As a mentor, I work with mentees who are in cyber security or are looking to start a career in the industry,” he says. “The support I provide includes advising on the different career paths available, connecting people with those in the industry and providing specific advice and support through the recruitment process.”
Finding a pathway to get into cyber security can be confusing and daunting. “The industry isn’t great at defining what is required of graduates or those who are hoping to enter cyber security. As a result, many people are undertaking study or extra learning which doesn’t necessarily improve or generate job prospects.”
In addition, “there can be a reluctance from those hiring to invest in supporting people to develop the skills required of the job. This results in companies having high expectations of potential candidates, which most are unable to meet. For those who are willing to upskill, the opportunities to do this often aren’t available.”
When it comes to women specifically Lukasz says, “cyber security can be at times quite masculine and the cultural progression in the industry has been slow, the lack of female role models and decision-makers in working environments can be representative of an unsupportive environment.”
A MENTEE’S VIEW
Mentee Danielle says the experience of being mentored has been invaluable. “My mentoring relationship with Lukasz kicked off almost a year ago at a time when I was feeling especially worn down by a mix of rolling lockdowns and juggling a professional job and study. What I particularly appreciated about the experience was that it helped me keep sight of my medium to longer-term goals and to persist with the things I needed to do to make those goals feasible.
“As time has gone on, I think part of the joy now is getting to reflect on how much things have changed and how far we’ve both come in some ways. The most obvious example of this is that I’ve now moved into the industry as a cyber security consultant.”
Applicants to join the mentoring program need to specify what they are looking for in a mentor, and Danielle offers some advice.
“I tried to be as open as possible to have a range of different industry mentors when I signed on as a mentee. I personally wanted to meet people with a real diversity of experience who had varied perspectives on what a career in cyber security might look like. My mindset was very much that I wasn’t completely fixated on one area in cyber, so I wanted to get exposure to a range of ideas and to people’s reflections on their career journeys.
“And having someone who is kind and attentive was a really high priority for me. You are building what will hopefully be a lasting relationship with your mentor and that tends to take consistent effort and time. Mentors have opted into providing you with their time and attention and I think that’s a privilege that shouldn’t be taken for granted. I’d aim to be as reliable as possible with regard to meeting attendance and to make the effort to organise meetings.
“Finally, being present and attentive during your meetings and coming with some questions, or potentially some goals to discuss with your mentor can also be really helpful for keeping the relationship goal-directed and using it to develop your career.
“What I really valued in Lukasz as a mentor was that he’d had experiences in different areas of cyber security in addition to being extremely encouraging and supportive. I also found he was able to challenge in a friendly and constructive way some of the ideas I might have had about what I was and was not capable of.
“The most important benefit is having had people in my corner who were willing to provide moral support when I’d encountered challenges during the transition to industry. That’s invaluable when you’re building confidence in a new career.”
In terms of specific guidance, Danielle says being part of the mentoring program gave her access to insider perspectives on how to approach her early career that she would not otherwise have considered. “I have a much better understanding of the sorts of career options that exist than I would have without mentors to bounce ideas off.”
Lukasz’s mentoring produced a significant shift in her planned career direction. “I’ve ended up starting my cyber career in an entry-level penetration testing role. Before I applied, I honestly didn’t think anyone in that space would consider my application seriously nor that I was necessarily cut out for that sort of work. I was encouraged to re-evaluate some of the ideas I had about how I might fit into that kind of role.”
www.linkedin.com/in/lukasz-gogolkiewicz-3420445/
www.linkedin.com/in/danielle-rosenfeld-lovell/
JOB BOARD
CYBER & INFORMATION SECURITY SPECIALIST | ASG GROUP
BRISBANE, QUEENSLAND, AUSTRALIA HYBRID
FULL-TIME · MID-SENIOR LEVEL
MUST BE AN AUSTRALIAN CITIZEN
Do you have exceptional technical skills, customer focused performance & out of the box thinking? ASG is seeking expressions of interest from seasoned Cyber Security Specialists to join our team. In this role, you will have the opportunity to grow your career and work on some exciting projects. Your main responsibility will be to support security consulting, advisory and client delivery.
WHAT’S IN IT FOR YOU? You’ll be rewarded with a career changing experience only consulting can provide.
• Unwavering focus on professional development
• Diverse & challenging project work
• Paid certifications
• Flexibility to juggle what’s important to you with work
• Committed health & wellbeing plan
• Competitive salary packages
• Corporate partnerships
APPLY NOW
CYBER THREAT RESPONDER | VISY
AUSTRALIA MELBOURNE
FULL-TIME · MID-SENIOR LEVEL
ACCEPT APPLICANTS AUSTRALIA-WIDE AND OFFER WFH OPPORTUNITIES
Visy is an equal opportunity employer committed to providing a working environment that embraces & values diversity & inclusion. Joining the Visy Industrial & Enterprise Solutions team during what is an extremely lively time will challenge & engage the best of Cyber Threat Responders. We have set considerable, yet achievable growth targets under an ever evolving business model & this is your chance to be part of this exciting journey! You will be tasked with assisting the Chief Information Security Officer search, contextualise and recommend mitigations against existing and emerging cyber security threats across the Information Technology and Operational Technology environments.
IN ORDER TO BE QUALIFIED FOR THIS ROLE, THE INCUMBENT WILL NEED THE FOLLOWING SKILLSETS & EXPERIENCES:
• Proven experience in information security with an emphasis on security operations, incident response.
• You have an analytical mindset and you like to develop creative solutions when solving problems.
• You are a focused & self-motivated individual who can perform under pressure & thrives in a dynamic & fast paced environment.
• You can work autonomously & can adhere to targets & deadlines.
Please contact Anna Mingal via anna.mingal@visy.com for a confidential discussion
APPLY NOW
CYBER RESPONSE ANALYST | MACQUARIE GROUP
SYDNEY, NEW SOUTH WALES, AUSTRALIA ON-SITE
FULL-TIME
In this role, you will lead end to end Cyber Incident coordination and logistics as well as handling cyber event preparations across our Cyber Incident Response team. You will be the outward voice of the program and work alongside cyber response as they handle firefights for the company. You will work alongside a diverse, global team responsible for identifying, triaging, and managing threats and risks in the cyber environment. You will act to ensure that Macquarie’s digital estate is protected from threats known and unknown. As a well-rounded technologist you will partner with the operations, defense, research, and hunting functions of the Cyber Threat team to provide world-class incident response to active threats in Macquarie’s digital environment. This key role demands a highly motivated individual with a strong background in technical project management or incident response, combined with a working knowledge of network and systems operations. Knowledge of cyber security platforms and operational theory is strongly preferred. You must be detail-oriented with a drive to constantly improve and evolve your environment and possess excellent communication skills to engage with all levels of our stakeholders. You must be able to maintain calm and continue to deliver in high-pressure situations – the cyber security environment is constantly changing so being able to quickly and willingly adapt is crucial.
SENIOR APPLICATION SECURITY ENGINEER | JUST EAT TAKEAWAY.COM UK - LONDON
FULL TIME
DIVERSITY, INCLUSION & BELONGING
REQUIRED
• Experience in identifying & addressing vulnerabilities throughout SDLC, with the ability to switch between defensive & offensive mindset
• Experience working in agile environments and with Continuous Delivery / Continuous Integration (CI/CD)
• Experience with automating security processes
• Great communication skills, and proven stakeholder management both within and outside of technology departments
• Experience in guiding and developing engineers on best practice
• You will have a passion for learning, always looking to identify opportunities to develop your own security knowledge
• Directly mentoring other AppSec Engineers
• Passionate about open-source
• Detailed knowledge of OWASP Top 10, and in relation how to design appropriate security controls
Do you believe passionately in protecting our products, as well as the data of our customers and employees? Do you love working with global Product & Technology teams to ensure the right security controls are implemented throughout the SDLC? Then look no further! We believe everyone should be responsible for security; a core component of every engagement will be education & awareness of our partners. The role requires a well-rounded and upbeat person who is passionate about making a positive impact to Just Eat Takeaway.com. They should be able to build collaborative relationships and drive lasting change to raise the bar of security in all our products and services.
HEAD OF ENTERPRISE SECURITY | AUSTRALIAN PRUDENTIAL REGULATION AUTHORITY AUSTRALIA, SYDNEY, NEW SOUTH WALES
FULL-TIME · EXECUTIVE
IDEAL CANDIDATE: You will have extensive experience in developing organisational security plans, assessing security risks, including cost benefit analysis, and providing advice to senior executives.
THE ROLE: A senior leadership opportunity is available to lead APRA’s Enterprise Security Management function. As APRA’s Chief Security Officer (CSO) it is a strategic role with strong external ties and emphasis on both policy setting, advice, assurance, and operational excellence. Reporting to the Chief Risk Officer you will maintain, improve, and manage APRA’s security in relation to its people, information, and assets such that APRA remains within its risk appetite. The role spans all four policy domains of the required Commonwealth Government Protective Security Policy Framework (PSPF) from both a policy setting and assurance perspective:
• Security Governance - pertaining to the management structures and responsibilities that determine how security decisions are made.
• Information Security - pertaining to classification and handling of official information to ensure confidentiality, integrity, and availability.
• Personnel Security - pertaining to how to screen and vet personnel and contractors to assess their eligibility and suitability.
• Physical Security - pertaining to physical security, control, and building construction measures to safeguard government resources and minimise or remove security risk.
SENIOR ANALYST – MONITORING, DETECTION AND RESPONSE | DEFENCE AUSTRALIA AUSTRALIA, CANBERRA, AUSTRALIAN CAPITAL TERRITORY
ON-SITE
THE ROLE: Within the ICT Security function an APS6 Monitoring Detection and Response (MDR) Senior Analyst is accountable under limited direction to perform and achieve complex information and cyber security work within an integrated workforce. An APS6 MDR Senior Analyst will exercise both initiative and judgement in the monitoring and triage of events and alerts, and identification of security incidents impacting Defence networks, and detailed technical, and professional advice in relation to complex cyber scenarios which contribute to the strategic posture of Defence’s networks. The APS6 MDR Senior Analyst will be responsible for leading a small team, setting work priorities, managing workflow and resources, building team capacity through coaching/feedback and reviewing the quality of work undertaken by others. They will exercise the associated people and resource responsibilities to achieve work unit outcomes. They will be accountable to contribute towards ongoing self-improvement and professional development.
IDEAL CANDIDATE:
• Highly collegiate with experience managing a diverse range of personnel and tasking.
• Possessing a background in/comprehensive understanding of Cyber Security Operations, Cyber Security Incident Response and/or protective security principles.
• A confident and persuasive communicator with the ability to explain complex concepts in plain language.
• Self-driven with a proven track record of managing competing priorities to a high standard of accuracy within allocated timeframes.
• Dynamic, able to switch priorities without losing focus of overarching strategic goals.
• Have demonstrated ability in the development/usage of frameworks, governance, and workflows.
• Able to deliver high-quality outcomes – including ensuring the generation of high quality and timely situational awareness and reporting, generated from data, processes and tooling.
• These are shift work positions - Applicants must be able to commit to shift work.
For further information please review the job information pack, reference CIOG/03321/
SPECIALIST, ARTIFICIAL INTELLIGENCE & MACHINE LEARNING | WORLD ECONOMIC FORUM US SAN FRANCISCO
The World Economic Forum (“the Forum”), committed to improving the state of the world, is the international organization for public-private cooperation. The Forum engages the foremost political, business and other leaders of society to shape global, regional and industry agendas.
Why we are Recruiting
The World Economic Forum Centre for the Fourth Industrial Revolution Network (C4IR) is looking for a Specialist to join a high-profile team of experts working to shape the trajectory of emerging technologies, maximizing their benefit to society while reducing potential risks.
REPORTING LINES & INTERACTIONS
The Specialist will work in partnership with the Head of AI & Machine Learning and teams across the Forum, to help drive project delivery, community building, and engaging constituents in the development of new globally oriented policy and governance frameworks.
QUALIFICATIONS AND SKILLS
• Master’s degree in relevant domain with 2-3 years relevant professional experience.
• Self-starting, customer-driven team player with strong organization and time-management skills.
• Excellent communication skills and English fluency, both spoken and verbal; fluency in another language is a plus.
• Strong grasp of Microsoft Office (PowerPoint, Excel, Word); experience with Salesforce would be a big advantage.
• Ability to simultaneously manage multiple complex projects in a highly collaborative environment and thrive in situations of high ambiguity.
• Some knowledge of and demonstrated interest in AI and technology policy
GRC CANDIDATES REQUIRED ACROSS AUSTRALIA | ALL LEVELS
Interested? Reach out to Aby: aby@source2create.com.au
PRINCIPLE IS GRC | DEPARTMENT OF CHILDREN YOUTH JUSTICE & MULTICULTURAL DEPARTMENT AUSTRALIA, BRISBANE BASED
Looking for anyone interested in transitioning into security
PROTECTIVE SECURITY OFFICER | QUEENSLAND GOVERNMENT AUSTRALIA, BRISBANE, QUEENSLAND
ON-SITE
FULL-TIME
ABOUT THE JOB
Do you want to help make Queensland a safer place by protecting important government buildings? Do you hate the 9-5 grind where every day feels the same? Don’t let that thought worry you, because in the Protective Services Group, every day is different, with varying start times, new locations and a range of clients. Are you passionate about providing exceptional security services and maintaining a high level of professionalism for clients? If so, then this is the job for you! Exciting opportunities are available to become a part of the Protective Services Group (PSG). PSG is within the Queensland Police Service under the Security and Counter Terrorism Command. Attractive public holiday, weekend and overtime rates with plenty of overtime and extra shifts which include special tasks/duties available! For 8-hour shifts, Monday to Friday, you can accrue an additional Rostered Day Off every 28 day period.
KEY DUTIES INCLUDE
• Conducting observations of the interior and exterior of Government buildings and facilities. This also includes general inspection duties and special duties relating to the demands of businesses within Protective Services to ensure a high level of security is maintained.
• Operating specialised security equipment and, when required, exercising the powers authorised under the State Buildings Protective Security Act 1983.
• Providing back-up assistance to other Protective Services officers, particularly in critical incident situations.
• Controlling the entering of personnel and parking of vehicles in Government and designated property in accordance with policies and procedures.
• Detecting and reporting fires and other building hazards and assisting in the emergency evacuation of Government buildings
• Ensuring the quality of all communications with clients and members of the public are maintained at a high standard
AUSTRALIAN SIGNALS DIRECTORATE AUSTRALIA
Exciting career opportunities are now open! Never worked in cybersecurity before? We are looking for a diverse range of skillsets, no matter your background. Take our quiz to find out what ASD career suits you.
GM SECURITY ENGINEERING | XERO FLEXIBLE ON LOCATION - COULD BE IN ANZ OR EVEN WEST COAST US
IDEAL CANDIDATE:
• Multiple years in a manager of managers role (eg Head of or ideally GM)
• Engineering background (eg has managed an engineering team)
• Security experience
• Also must be a champion of diversity!
AFP PROTECTIVE SERVICE OFFICER ENTRY LEVEL RECRUIT PROGRAM | AUSTRALIAN FEDERAL POLICE AUSTRALIA, SYDNEY, NEW SOUTH WALES
ON-SITE
TEMPORARY · ENTRY LEVEL
Applications are now open for 2023 Entry Level Recruit Programs.
• Do you want to make a difference in the community?
• Do you want a challenging and highly rewarding career in law enforcement?
• Are you a fit, healthy, resilient individual looking for a diverse, inclusive and supportive organisation?
If you answered ‘yes’ to the above, take the first steps to join the AFP today.
At the AFP you will have a career that delivers variety, a collaborative and inclusive culture, unique challenges and the reward of protecting Australians and Australia’s interests from serious crime. Your AFP career will commence as an entry level recruit with world leading training at the AFP College and you will commence earning a salary at the start of your recruit course. Following graduation, you will commence an exciting career as a Police Officer or Protective Service Officer (PSO), enabling you to make a difference in the community by combatting crime and protecting others. At the AFP we value the different perspectives, approaches and lived experiences of our people, and recognise our collective intelligence and diversity is what makes us stronger. We encourage applications from people from all walks of life, including culturally and linguistically diverse, First Nations people and women.
Want a career as a Protective Service Officer?
Protective Service Officer (PSO) opportunities exist nationally within Commonwealth assets and critical infrastructure across Australia, including Parliament House and key Defence locations across Australia. PSOs are trained to deny, detect, deter and disrupt any criminal activity and respond to criminal and national security threats. As a PSO, protecting sites of interest is critical to AFP operations where a proactive and intelligence based approach is taken to ensure the AFP can outsmart crime. PSOs perform a range of high visibility vehicle, foot and bike patrols and static protection and are trained in counter terrorism first response capabilities. There are great opportunities to work in our remote locations such as Pine Gap, Geraldton and Exmouth. Those willing to deploy to required locations will potentially be selected for courses more quickly. You are not guaranteed your preferred location and if you are successful in receiving an offer, the deployment location will be based on the operational requirements of the AFP and the Australian community.
TO APPLY FOR ENTRY LEVEL RECRUIT ROLES, YOU MUST
• be an Australian citizen
• be 18 years of age or older
• have a minimum Year 10 Certificate with Cert IV/Diploma or Trade level qualification/Certificate – year 12 Certificate and University level qualifications are welcomed
• hold a valid Australian driver’s licence (P Plates are accepted however, if you have a learners licence please apply once you have your provisional licence).
In addition to the above before you are offered a position, you will also need to provide evidence you can swim 100 metres freestyle, have First Aid and CPR certifications.
HOW TO APPLY
To submit your interest, visit AFP Police and Protective Service Officer Entry Level Recruit Program at jobs.afp.gov.au. Please note: By submitting your interest in 2022, any offers into an Entry Level Program are likely to be offered for 2023 courses. To obtain more information about the position, please call 02 5127 2555. Applications close: 11:59pm (AEDT) Thursday 30 June 2022
APPLICATIONS SPECIALIST | AFFORD AUSTRALIA, SYDNEY, PARRAMATTA & WESTERN SUBURBS
THE ROLE
AFFORD is experiencing an exciting period of technology transformation and transition. You’ll be right at the heart of this transformation! Reporting to the Enterprise Applications Manager, you’ll support business processes through the provision of proactive technical support and management of AFFORD’s enterprise business applications. The role will be a combination of L2 / L3 application support and 50% working with business SME’s to improve application performance and requirements. You’ll ensure application support and management processes are improved and IT Services are delivered to a high quality. For more information or a confidential discussion please call Steven Fulop at u&u Greater Western Sydney on 0418 994 446 quoting Job Reference 28127
IDENTITY & ACCESS OPERATIONS ANALYST | ORIGIN ENERGY AUSTRALIA, SYDNEY, MELBOURNE, BRISBANE OR ADELAIDE BASED
ABOUT THE JOB
Support the day-to-day technical operations of the IAM technology stack.
Outstanding career opportunity to develop your knowledge and expertise.
Can be Sydney, Melbourne, Brisbane or Adelaide based.
Working for us
At Origin we have a strong purpose and values that challenge us to find the answers to the big energy questions. Every person that works with us helps us reach that goal. If you bring good energy to Origin, you’ll get it in return. A challenging career. An exciting industry. And the support to grow and explore your potential.
THE ROLE
There are a number of business trends within Origin and in the energy industry that create the need for increased focus on effective identity and access management.
• Online services – 4.3m retail customers interacting through a number of online channels with Origin.
• Cloud and DevOps - Increased adoption of Cloud-based services and agile and DevOps based product delivery.
• Digitisation – every business process in Origin is being digitised and transformed.
• Convergence – convergence of technologies (IT, ICS, OT, IoT) creates new opportunities and emerging risks.
• Regulatory – regulatory intervention to protect critical energy infrastructure from cyber-attacks.
Ready to join an innovative energy company and a progressive cyber security team with a strong focus on diversity, flexibility, workplace culture and developing you? Origin Energy was a finalist in the Best Place to Work at the 2021 Australian Women in Security Awards. This role sits within the Cyber Security Team and is part of the support team for Identity and Access Management function.
IS THIS YOU?
You are an organised individual, a self-starter and are outcomes orientated. You have a Bachelor’s degree in a technical IT field or equivalent work or educational experience. More importantly you have a genuine interest in IT and Cyber security concepts and how they apply in a corporate environment.
Origin - Where good change happens
HEAD OF CYBER SECURITY | NANO DIGITAL HOME LOANS AUSTRALIA, SYDNEY
FULL-TIME
Nano is a Fintech company focused on delivering outstanding digital home loans. Innovation, fairness and clarity are at the heart of everything we do.
WHAT WE ARE LOOKING FOR IN YOU
• A passion for teamwork and collaboration
• A willingness to challenge the status quo with a customer lens
• Have a ‘whatever it takes to get the job done right’ attitude
• To thrive and grow in a fast-paced Agile environment
• A hands-on approach. This is not a Visio/PowerPoint style role.
• The successful candidate will be equally adept at both architecture/design but also personally implementing and maintaining Nano’s cyber security environment.
In this role you will join our Cyber Security team. You will be driving outcomes for Nano’s security posture across the cloud, networks systems and applications. You will be reporting to the Chief Technology Officer (CTO) and will have opportunities in supporting the security of all of Nano’s systems as well as deploying and managing new systems. You will be exposed to work with Fortinet, Azure, AWS, Salesforce, Heroku, O365 and many other leading cloud, end-user and SAAS products. You will be supported and mentored by the CTO to help you grow in your career.
ANALYST, CYBER REMEDIATION | NAB AUSTRALIA, MELBOURNE
DIVERSE AND INCLUSIVE WORKPLACE
HYBRID WORKING, LOTS OF HANDS-ON LEARNING OPPORTUNITIES
ABOUT THE JOB
The Analyst, Cyber Remediation will be joining Group Security’s newest team that has been set up to lead remediation efforts on impactful and complex cyber security exposures and controls gaps. The ideal candidate will bring a strong enthusiasm for making a difference along with critical and logical thinking. Use this role to grow your cyber security career - attitude and aptitude are more important than experience! This role includes a combination of these responsibilities:
• Support remediation of impactful and complex cyber security exposures and control gaps
• Work with respective control/process/asset owners to mitigate exposure
• Support management and prioritisation of remediation backlog.
• Support initiatives in periodic remediation campaigns
• Contribute to internal root cause analysis and support remediation to prevent recurrence
• Support regular reporting on progress
• Participate in deep dive reviews to identify potential exposures
• Help coordinate end to end functional reporting from across cyber security teams
• Ensure respective policy, standards, process and controls meet regulator and compliance expectations
If you think this role is the right fit for you, we invite you to apply. Let’s explore who you are and what drives you. We’d love to share our vision for the future of banking.
To be eligible to apply, you must have Australian or New Zealand citizenship or permanent residency status.
WHEN FIRST NATIONS CULTURE MET CYBER SECURITY by Stuart Corner
The most intriguingly titled presentation at AusCERT 2022 must surely have been Applying Indigenous (Australian) Philosophy to Cyber Security Strategies. It begs the question: what could a 65,000-year-old culture that evolved in isolation possibly have to say relevant to the two millennia of technological advances that have delivered computer chips and the challenges of cyber security?

Plenty, according to presenter Jasmine Woolley. She is a Torres Strait Islander and is writing a thesis on the topic as part of a Master’s of National Security Policy at ANU majoring in cyber warfare and counterterrorism. She plans to follow her master’s thesis with a PhD on the topic.

“Indigenous culture of 65,000 years understands space, understands how everything interconnects and interrelates,” Woolley said. “I believe it would be advantageous for this knowledge to be harnessed because it can create alternative solutions to threats, assist in tackling capability gaps and concerns, and combine worldviews to create new strategies.”

A MEETING OF CULTURES
Woolley saw the potential for synergies between this ancient culture and the much younger philosophies underpinning western societies. “These worldviews could include a combination approach where we harness what we have learned under western philosophies as well as what we have learned as part of indigenous philosophy,” she said.

“I also think it would be beneficial because you can examine all the elements of a cyber threat and how that threat fits into the ecosystem. It can also provide the local context of situations and problems we face as an industry.”

Woolley invoked Aristotle—once described as “the first genuine scientist in history”—quoting him as saying “the whole is greater than the sum of the parts,” and saying multiple ‘parts’ needed to be identified and incorporated to produce a national cyber security strategy that was “robust, executable, outcomes-focused, and defendable.”

THREE PILLARS OF INDIGENOUS CULTURE
Woolley said indigenous philosophies were unique to each tribe but all combined knowledge and cultural practices with three common features: autonomous regard, ethics and moral wisdom, and adaptability. She went on to explain how each of these attributes has value in cyber security.

Autonomous regard and ethical and moral wisdom underpin the rules, obligations and systems that are at the heart of indigenous beliefs. They constitute indigenous people’s ‘lore’ passed down from generation to generation for the past 65,000 years. “Lore outlines our relationship to place and all things in our place. It also shows that First Nations people have a responsibility to look after the world we live in,” Woolley said.
She said all these concepts were interrelated and interconnected and constitute an ecosystem, like cyber security which is an ecosystem comprising trade policy, disaster and emergency response, social wellbeing and healthcare; all interrelated and interconnected in some way, shape or form.

“The things we do in cyber have direct implications for other policy areas. In turn, this impacts our diplomatic relations with countries. We need everything to function at optimal efficiency or our diplomatic standing and operational efficiency can be placed at risk.”

The way Woolley described adaptability in First Nations culture will resonate with anyone familiar with the desirable attributes of a cyber security specialist. “[Adaptability] is non-linear thinking and is used to get to the root cause of the issue at hand. There is an inherent adaptability and ingenuity that stems from the spiritual and physical realms of our lives. It can harness indirect management strategies and strong analysis capabilities to help create holistic outcomes. All factors are taken into consideration.”

NONLINEAR THINKING NEEDED
Autonomous regard in First Nations culture, she said, meant that the value of relationships is paramount. There is respect for the sovereignty and the rights of others, everyone is treated with respect, and diversity conflicts and tensions are managed.

Autonomous regard in relation to cyber security “means we have a responsibility for regional partnerships, we have to consider our role as an industry in the bigger picture of the ecosystem.”

Ethical and moral wisdom in First Nations philosophy “means the individual holds the ability to predict the impacts of a threat before it occurs. There is a focus on the need for collaboration between communities to ensure you abide by cultural morals, and ethics passed down from generation to generation.”

Woolley said: “Cyber threats need nonlinear thinking. We are in a rapidly evolving industry. The threats we face might not be the threats we face in a month’s time. We have to think critically and have a solutions-based approach to address new capability gaps.”

And in cyber security, “If we heed the ethical and moral wisdom, then, as an industry, we have a better chance of acting with integrity and fighting the bad guys. … Cyber needs to work together as a team, adopt the village mentality, think smarter, and not harder, and enable good management.”
NICOLLE EMBRA
Cyber Safety Expert, The Cyber Safety Tech Mum

What is the office of the eSafety Commissioner and what does it do?

Digital Australians are lucky. Let me tell you why.

Australia is the first country to have a government agency dedicated to keeping people safe online. The eSafety Commissioner, established in 2015, is led by Julie Inman Grant and a team of professionals who work together continuously to provide a safer online experience for Australians.

The work the eSafety Commissioner does and the resources it provides are invaluable to me as a cyber safety parent educator. The office of the eSafety Commissioner provides many functions. This article outlines those of most assistance to parents and carers of children who use internet-enabled devices.

TALKING TO YOUR CHILDREN ABOUT ONLINE SAFETY
The eSafety Commissioner website helps parents talk to their children about the hard stuff: pornography, sexting, cyberbullying and online grooming, to name only a few.

It’s not easy to start these conversations with children and the eSafety Commissioner helps with tips on how to do so. It lists the types of questions you can ask your child and where to find further support if you need it.

You can use other people’s experiences (positive and negative) to talk to your children about online safety.

By showing interest in what your child is doing online and how they like to use their device you can open up opportunities to start conversations. Ask them about the game they are playing, get them to teach you how to play and spend time playing it with them. This gives you an insight into the functionality of the game (eg if it enables them to be contacted by strangers). Ask questions while you play, like: “what do you think you would do if someone you didn’t know sent you a message?”

HELPING PARENTS EDUCATE THEMSELVES
The eSafety Commissioner website provides a mountain of easy to find and easy to read content for parents and carers:
• Talking about big issues
• Skills and advice such as creating family tech agreements
• Healthy digital habits and online safety basics
• Videos, books, info sheets, etc
• Webinar series

There is no way parents and carers can know and stay on top of everything in the digital world. What they can do is become familiar with their children’s devices. What model device do they have? How are they using it? What apps have they downloaded?

PROVIDING RESOURCES FOR PARENTS WHO DON’T KNOW WHERE TO GO OR WHAT TO DO ABOUT A DIGITAL DILEMMA
Don’t be fooled into thinking your child will not be groomed online or cyberbullied. Sadly, it can and does happen to many children regardless of their education or upbringing.

When it happens, it is overwhelming. There have been too many teen suicides in Australia that might have been avoided if their families and support networks knew about the work the office of the eSafety Commissioner does. Its staff have been granted special powers that allow them to have harmful content removed, issue notices and fines and order further legal action.

You can report certain activities and be guided through every step of the process to deal with these.
• Serious online abuse: cyberbullying including image-based abuse (sharing intimate images or videos without the consent of the person shown).
• Illegal and restricted online content such as images and videos showing the sexual abuse of children or acts of terrorism and content which should not be accessible to children.

This is one website that you need to bookmark immediately – www.esafety.gov.au

www.linkedin.com/in/nicolle-embra-804259122/
www.thetechmum.com
www.facebook.com/TheTechMum
www.pinterest.com.au/thetechmum
www.linkedin.com/company/the-cyber-safety-tech-mum/
A unique offering for our Victorian (AU) based readers! A specialist program dedicated to those wanting to get into cybersecurity. This 1-year program includes:
• Specialised security training (Threat Intelligence and Hunting, Structured Analysis Techniques)
• ISC2 SSCP training and certification
• Mentoring
• CV and Career Advice
• AWSN membership

An exclusive program for women in security with leadership potential. This 1-year program includes:
• Women in Leadership Development
• Powerful Presenting Training
• CISM training and certification
• Mentoring
• Leadership Forum with peers
• AWSN membership

Only 13 spots available in each program stream. Program fees will be charged at a heavily discounted price. Applications now open | To find out more visit awsn.org.au
INDUSTRY PERSPECTIVES
WOMEN-LED SUPPORT NETWORKS ARE EXTENDING A HAND TO THE NEXT GENERATION by David Braue
Diversity advocates are laying a foundation of equality to inspire future women in security
After she started working at SAP’s small Nigeria sales office, it didn’t take long for Yemi Keri to realise that there was an opportunity to build a full-fledged regional office staffed with locals, rather than shipping overseas staff as in the past.

Yet even as she successfully pitched the idea to SAP management, the newly-promoted regional manager for West Africa recognised that the move offered opportunities to increase the representation of local women who, like her, had entered the industry looking for a sense of purpose and belonging – and encountered the reality of regional industry where just 9% of cybersecurity professionals are women.

“It was a new industry for me and a new role,” Keri said during a recent webinar, recalling how she often found herself as “the only female in the room”. “I had to self learn to understand my environment, and the technology industry, with no support structure whatsoever.”

She recalled admonishment from a manager who demanded she apologise after triggering a male colleague who asked him “‘are you going to let this small girl come and start telling us what to do here?’”

“I knew I was up against all sorts of biases,” Keri explained, “and I didn’t want to let down any other woman that would want to come and take off in this type of world.”

“But you have to have a certain level of confidence when you’re doing your work as a woman in technology – and to have that confidence, you must acquire the requisite knowledge and skill sets.”

And that she did. Over the course of a 20-year career, Keri has progressed through a range of roles including heading ICT for the government of her native Edo State, managing IT strategy for the National Pension Commission, and eventually as CEO of business and ICT consultancy Heckerbella.

Throughout, she has continued to nurture the same philosophy that led her to push herself to build a career in ICT – and engages with the next generation of workers through decades-long involvement with industry-development groups like the Lagos Angel Network, Nigerian Economic Summit Group, and women angel investor network Rising Tide Africa.

“By addressing this growing gender gap in technology, we’re empowering our young women to seek out the thriving, exciting careers of the future – the ones that are going to actually offer them the improved quality of life and upward mobility that a career in tech can provide.” - Dr. Tarika Barrett, CEO at Girls Who Code
“I was a female from Edo state,” she said, “and I was ready to ensure that I left a legacy so that whenever they saw the next girl coming, they would give her some level of respect.”

LOOK INWARDS TO LOOK OUT

From Africa to Amsterdam, China to Canada, women in similar situations are leveraging their own career experiences to build the support systems that Yeri lacked – and they’re doing it by building industry groups that foster the experiences of like-minded women.

Whether for moral support, building professional networks or out of a sense of creating structures that will make it easier for the next generation of women to realise their potential, the creation of women-focused advocacy groups has exploded in recent years.

There are dozens of groups and programs like CyberHeroines, Girls4Tech, She Secures and the Australian Women in Security Network (AWSN) advocating for women in cybersecurity – and the number pushes into the hundreds by the time you add specialised groups focused on areas like AI, data analytics, and development, where women are being empowered by organisations like Code Like a Girl, TechGirls Movement, GoGirl, Go for IT, and more.

Many have been aided by the global reach of video collaboration tools adopted en masse during the pandemic era, where locked-down and home-working women turned online to channel their introspection and self-development as they honed their own resilience and the ways they can tap it to benefit the broader cause of women in security.

“The pandemic has, in some ways, unified that sense of personal resilience, and the idea of community and special interest groups,” said Kate Bright, UK-based CEO and founder of global security consultancy firm UMBRA International.

“Senior leaders and people within the industry are more inclined now to ask how you are – and ask it in a way that is actually meaningful.”

With genuine enquiries backed by real action, she continued, “I’ve never known a time when there’s a networking group for every interest and group across the industry – and there has never been a time when there has been more places for people to try out their skills, and map them over the industry. We can all look out for each other by looking out for ourselves.”

FOR THE NEXT GENERATION

Like many women, Dr Tarika Barrett has also drawn on her early influences for inspiration as she navigated a career supporting disadvantaged students that in 2016 led to her appointment as CEO of Girls Who Code, a now-global organisation that has engaged over half a million girls, women and non-binary individuals through coding camps and clubs.

The organisation’s goal – to address the IT industry’s lingering gender gap – gelled with her own experience going to an all-girls’ high school.

“While there, I saw firsthand the transformative impact that all-girls learning spaces can have,” she said as she joined Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly to announce a new partnership intended to provide awareness, training, and pathways into cybersecurity careers.

Thanks to her exposure to technology during high school, Barrett said, “I also got bitten by the tech bug and saw how hard it was to make that school open to any kid who wanted to [pursue tech].”
“By addressing this growing gender gap in technology, we’re empowering our young women to seek out the thriving, exciting careers of the future – the ones that are going to actually offer them the improved quality of life and upward mobility that a career in tech can provide.”

Increasing the visibility of cybersecurity careers can be instrumental for many Gen Z students finishing their studies and wondering which way to take their emerging careers.

Cybersecurity offers opportunities even for those that haven’t pursued technical subjects through high school and university – and it’s often just a case of connecting an eager young woman with the support network and mentorship to help her find her feet.

Just ask Megan West, a cybersecurity incident response consultant with IBM X-Force who completed a bachelor’s degree in political science and government in 2017 before learning about the university’s new cybersecurity master’s degree.

“I knew it was an intriguing, up and coming field, and I had always loved playing around with computers,” she said during a recent International Women’s Day webinar. “So I applied and was accepted.”

While working on the cloud migration team at integrator TD SYNNEX, West saw a position open for an associate cybersecurity analyst and “randomly applied for it, having no experience, no formal education, no certifications.”

With the encouragement of “number one supporter” CISO Dan Lasher – who “knew I was shy in the beginning but saw something in me,” West said, she pressed her case for the new role.

“Honestly, just because of my proficiency, and being able to communicate and explain why I was the best fit for the role while working harder than anyone else that was applying, they chose me for it – and my career launched from there.”

THE GEN Z DIFFERENCE

Every woman working in the tech industry likely has a not-dissimilar story to share – and with many drawing from their initial apprehension of the challenge ahead as inspiration to make a difference, the collective support structure available to today’s women is bigger, more diverse, and more available than ever before.

Such organisations promise a far more nurturing environment for Gen Z workers that are emerging from university to find their own way in the world – and already feeling empowered to make a difference.

“I wouldn’t be here today if there wasn’t something that I thought we could do better in the industry or something that we need to improve upon,” second-year cybersecurity university student and Gen Z activist Kyla Guru noted during a recent Sophos webinar.

An active advocate for young people interested in cybersecurity, Guru has already engaged with a range of security teams and flagged “the huge issue that young people weren’t discussing cybersecurity, and that the whole industry was talking about the future of cybersecurity – but that the future wasn’t in the room to represent themselves.”

That sense of disenfranchisement is steadily dissipating thanks to concerted efforts to provide the kind of direct support and encouragement that the likes of Keri found so lacking early on – and that, Guru said, looks set to reinforce the Gen Z philosophy to create unprecedented opportunities for women in cybersecurity.

“This generation is all about young people impacting and affecting other young people, and inspiring them to make a change in their lives,” she said, noting increasing awareness as the next generation “understand the changes that need to happen in our world to move forward into a better future.”

“And I think cybersecurity is one of those changes.”
SECURITY DANCE PARTY: FOUR LESSONS FROM A DIVERSE AND INCLUSIVE TEAM

by
Sarah Innantuono, APAC Cyber Security Strategy and Program Lead
Deepa Bradley, Global Transformation Executive - Cybersecurity Specialist
Adam Hallyburton, IT Security Program Project Manager
Hashim Khan, Digital, CyberSecurity and Agile Enthusiast

“Diversity is being invited to the party. Inclusion is being asked to dance.” - Verna Myers (inclusion strategist)

For diversity to be truly impactful and sustainable in an organisation it needs to be built on a foundation of inclusion.

Business thrives on diverse experiences and perspectives. Numerous studies have found a strong focus on diversity and inclusion can deliver key benefits including better financial performance, increased creativity and innovation, greater employee satisfaction, lower absenteeism and stronger talent retention.

Every area of a business can work to build diversity and inclusion. However, fostering diversity and embedding inclusion within cyber security is increasingly critical because the richness of experience helps solve complex problems for businesses and their customers.

Microsoft estimates the well-known SolarWinds hack took at least 1,000 engineers to create. Among these, there would certainly be individuals with different life experiences, genders, religious beliefs, cultural backgrounds and more. Imagine trying to combat this diversity of thought with a small team of clones.

Cybercriminals come from all backgrounds and work in a borderless environment. Security should too.

FOUR LESSONS TO EMBED DIVERSITY AND FOSTER INCLUSION

The members of our newly formed Security Strategy, Governance and Portfolio team represent diverse cultural backgrounds, ethnicities, gender identities and ages. We discuss our varied experiences of diversity and inclusion in the workplace. Reflecting on our individual career journeys, we found four key
practices conducive to creating a diverse team and fostering inclusion.

ENSURE EQUALITY OF OPPORTUNITY

Diversity and inclusion should be supported by policies and processes that ensure equality in a business. Fundamentally, diversity and inclusion are aspects of equality and should be embedded in all stages of the employee lifecycle. This may be through the use of “blind hiring” practices to mitigate underlying and inherent bias in recruitment processes, or by employing defined and transparent processes for promotions and pay rises (and the criteria behind them).

“In 2014 a young lad who desperately wanted an opportunity in the Middle East failed our technical interview even after completing an exceptional technical writeup test. I was curious to speak to the candidate since his technical test was brilliant, and during the re-interview, I learned he had difficulty explaining himself in English, not being his native language. So, I comforted his nervousness by switching to Hindi and he was brilliant after that. Although my colleague rejected him after his interview, I still ended up hiring him. He helped us deliver some of the biggest initiatives back then, took the opportunity to improve his communication and today he is married, living with his family there in a well-settled senior role which is paying four times more.” – Hashim Khan

MAKE LEADERSHIP ACCOUNTABLE AND EMPOWERED

It is important for security teams to cultivate inclusive leadership traits and ensure accountability for driving a diverse and inclusive culture and not relying solely on the human resources department. Importantly, it is the responsibility of leaders to create infrastructure and processes that foster cultural norms, attitudes and behaviours and that craft a sense of belonging.

“Fifteen years ago I was leading a transformation program and inherited a PMO team who were capable and focused but seemed a little quiet and guarded. I believe in setting clear expectations and leading with kindness and respect so I met with each member of my new team to clarify objectives and I also asked them as individuals about their goals, their pain points and their gaps in knowledge. They welcomed the approach because it demonstrated their value to the program. I reviewed the skills people brought to the table and then looked at any gaps as opportunities to uplift our capabilities to collaboratively deliver success.

“Anyone who knows me knows I have zero tolerance for harmful behaviours and remain observant of non-verbal cues that are indicative of unfair or unjust practices within the workplace. I encourage teams to be open, authentic and considered in their approach. I soon saw a positive change in the mood of the team as I listened and addressed pain points. It came to light that a team member who had previously been feeling vulnerable in the workplace because she had been judged negatively due to her ‘accent’ finally felt safe. I found out because she was courageous enough to share her experience with me and I was able to help her regain her self-worth and confidence by offering her a genuine seat at the table with the visibility we all deserve and by showing her respect and appreciation for her brilliant contributions. I leveraged support from the HR director to create safe conversation forums and a poster campaign to encourage people to speak up and raise awareness of what unkind and unacceptable behaviours look like. This all resulted in a more harmonious and productive environment and highlighted that D&I is a right, not a privilege and is about making sure none of us feels we have to walk alone.” – Deepa

EMBRACE AUTHENTICITY AND CHAMPION OTHERS

The phrase ‘bring their authentic self into the workplace’ is common when discussing diversity and inclusion. Research has highlighted that being authentic can drive greater personal connections leading to greater fulfilment in the workplace, improved job performance and career success. Teams whose members communicate and visibly embrace and champion this commitment can truly embed diversity.

“I’ve lost count of the number of times throughout my career I’ve witnessed the emergence of a bad culture that does not empower others to be
authentic. Micromanaging and preventing employees or colleagues from championing others or being championed themselves, failing to create a safe space in which employees can speak up, withholding vital information, and treating some employees different from others: all these practices lead to a lack of diversity and a non-inclusive culture. Trusting individuals to do their job, creating a positive work environment in which individuals can flourish, actively listening and being empathetic because everyone’s situation is different: all these are critical to fostering a good culture. All of these and more are fantastic traits of a great leader and colleague.

“I recently moved into a newly established team with a new leader and I can honestly say I thought I knew what an amazing authentic leader was who championed and embraced all aspects of myself and others, but in my current role I have had the privilege of working for the most empathetic, authentic and passionate leader who has gone above and beyond to champion myself and colleagues and has given us the tools to be our authentic selves and has created a safe space in which we are able to talk about anything, whether it be work-related or a personal matter.” – Adam Hallyburton

MAKE DIVERSITY AND INCLUSION EVERYONE’S RESPONSIBILITY

Just as security is everyone’s responsibility, so are diversity and inclusion. No one wants to dance alone. It is critical we all regularly check behaviours and attitudes within our teams and get comfortable speaking up when diversity and inclusion are not considered.

“There have been times in my career when I have witnessed behaviour contrary to the cultivation of a diverse and inclusive workplace. It is important to regularly review your team and not wait for bad behaviour to escalate and shift culture. Next time you are in a meeting, look around the table or Zoom call and ask:
• Is it a diverse group?
• Who is doing all the talking?
• Do people interrupt and talk over others?
• Are people reluctant to speak up?
• Who feels safe producing ideas and do they get credit for them?
• Are there any microaggressions? (red flag, discuss with HR)

“If you see any ‘red flags’ have a confidential chat with a leader you trust around actions to foster inclusion and work towards diversity.” – Sarah

INVITATION TO THE SECURITY DANCE PARTY

Bringing in diverse talent with complementary skills, and ensuring an inclusive culture spanning behaviours and attitudes can go a long way towards bridging the global shortage of cyber security workers and retaining key talent.

Our challenge to you is to embrace the four lessons identified above in your respective careers and craft a diverse and inclusive culture. Let’s work towards a security dance party!

References:
S. Dixon-Fyle, K. Dolan, V. Hunt & S. Prince, Diversity Wins: How inclusion Matters, 2022, website: https://www.mckinsey.com/featured-insights/diversity-and-inclusion/diversity-wins-how-inclusion-matters
National Cyber Security Centre, Decrypting Diversity, 2021, https://www.ncsc.gov.uk/files/Decrypting-Diversity-v1.pdf
J. P. Mello Jr., 700K more cybersecurity workers, but still a talent shortage, TechBeacon, 2021, https://techbeacon.com/security/700k-more-cybersecurity-workers-still-talent-shortage
L. Tung, Microsoft: SolarWinds attack took more than 1,000 engineers to create, ZDNet, 2021, https://hbr.org/2021/02/how-much-of-your-authentic-self-should-you-really-bring-to-work
P. Muncaster, Women in Cyber: Workplace equality will take a decade, InfoSecurity Magazine, 2020, https://www.infosecurity-magazine.com/news/women-cyber-workplace-equality/

Deepa: linkedin.com/in/deepa-bradley
Sarah: www.linkedin.com/in/sarahiannantuono/
medium.com/@protectyodata
Adam: www.linkedin.com/in/adam-hallyburton-307a6516/
Hashim: www.linkedin.com/in/hashimkhan86/
WE’RE WRESTLING WITH THE WRONG PROBLEM

By Simon Carabetta, Cyber Communications Specialist

In September 2001 I stood outside the old, since demolished, Perth Entertainment Centre waiting in a very long queue hoping to meet a childhood idol of mine, none other than Bret ‘The Hitman’ Hart.

Yes, I admit, I grew up watching and loving professional wrestling, and I’ll never make any apologies for that. Whether it was World Championship Wrestling (WCW) Nitro on Friday nights or World Wrestling Entertainment’s (WWE) Monday Night Raw, I could not get enough of the action in the ring. Looking back on those days, I can draw a lot of parallels between my entertainment of choice and the industry I see myself working in today.

Funnily enough, the highlight of that day back in 2001 was not only meeting the Hitman, it was also bumping into a group of misfits much like myself who said they were starting their own local wrestling association. So I did the logical thing: I joined them.

Fast forward nine months and I’m now standing inside a ring in the stadium I had been standing outside the previous September. The World Wrestling Allstars are touring Australia and, prior to their touchdown in Perth, they had been wondering where on earth they would find a referee.

The referee they found was me. I got the call and learnt I would be in the ring with some big names from the industry. I was a newbie. I had refereed only a few matches for my local group and had no idea what I was doing. But I was it. No one else in Perth had my experience, nor were they willing to step up. So I said yes.

I also said yes to a career in cyber security in much the same way after teaching for almost 13 years. This is why I am now able to make the very roundabout connection you readers have all been waiting for, much as I did in my two previous articles.

It’s all about the training. For me as a referee, navigating the sometimes questionable, and yes wholly scripted, world of professional wrestling, there was far too much learning and too many moving pieces to consider. Firstly, it’s not a sport in which you officiate. I wasn’t officiating at all. I was acting. Now don’t get me wrong, what happened in the ring certainly wasn’t fake. A wrestler got hit in the face with a chair, then they really got hit in the face with a chair. But there’s an art to doing it without inflicting too much damage. Wrestlers will bleed real blood, cop real bruises and break bones in the same way as any athlete.
It’s all about the training. When you throw someone from the proverbial frying pan into the fire, there will be one of two outcomes. Either they will fly or they will fail. When we’re set up to fail, the outcome tends to lean more towards the latter. However, setting people up to fail is exactly what many organisations in our sector are doing. We see universities and TAFEs churning out large numbers of students with cyber qualifications but without the right tools, the necessary experience or the information they need to survive their first year in the industry. Collectively, we are setting up our cyber talent to fail and fall: to fall hard on the mat as they would if they had just received a body slam.

Don’t get me wrong, there are also organisations doing it the right way. CyberCX has proven itself in the graduate space, giving staff room to grow, and offering on-the-job support and a plethora of the right tools to enable early-career professionals to quickly find their feet and flourish. Bunnings here in Western Australia has a very good cyber security team and provides the right amount of support. In fact, if you look closely there are many heroes of the industry ensuring our new wave of cyber soldiers is well-equipped and getting the right experiences.

The problem is that we’re wrestling with the wrong issue. Creating traineeships, graduate programs and excellent initiatives like the ADF Cyber Gap Program is all well and good, but what are we doing to address cyber security at the grassroots level?

If we are still projecting a shortfall of 16,000 security workers by 2026, where do we envision them coming from? Borders have only just opened and while Australia may now seem more attractive than ever, international students and new arrivals will not be drawn in numbers sufficient to fill that gap. We need to look within our own borders to students sitting in classrooms hungry for knowledge of future industries. Cyber security simply isn’t getting into our schools to the extent it should and sadly when it is spoken about in classrooms, the conflation of cyber safety with cyber security makes cyber security even more confusing, leaving both students and teachers with the wrong impression of our industry.

What we really need are clear university and TAFE pathways including more vocational education and training (VET) programs in schools teaching cyber security to older secondary school pupils and full integration of cyber security into the curriculum.

What we really need is an education program that will hit the gym, build some serious muscle and choke slam the issues causing these talent and skills gaps.

What we really need is to have better engagement with schools and to stop talking about cyber security as a future industry and instead as a fact of life and an essential skill that everyone needs. Digital literacy is just as important as literacy and numeracy. This is the message that needs to strike hard, pin down the cyber gap, and nail it for the count of three.

If we continue setting up our future talent to fail with short-term visions and solutions that do not fix the underlying issues, we set up our entire industry to fail. Just as with wrestling, the ring we find ourselves in can be extremely dangerous when we find our opponent, the cyber criminal, to be much more adept and experienced than ourselves.

www.linkedin.com/in/simoncarabetta/
twitter.com/carabettasimon
TEN ELEMENTS THAT MAKE A DIFFERENCE IN SECURITY

By Marise Alphonso, Information Security Lead at Infoxchange

The most basic premise of security is the requirement to uphold the confidentiality, integrity and availability of information. The practices, toolsets and initiatives that assist our organisations and society at large to achieve this are vast and diverse, in no small part due to our ever-expanding use of ever-advancing technology and the increasing digitisation of our lives. We need a range of tools to combat threat actors and address the multifaceted challenges of the information and cyber security arena.

My top ten list of elements that contribute to making a concrete difference in security, directly or indirectly and in no particular order, are:

1. The government cyber bodies around the world. The Australian Cyber Security Centre (ACSC), the UK National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA) and other government cyber bodies play a pivotal role in providing guidance, threat intelligence and advice on cyber threats and security improvement practices for individuals, organisations of various sizes and governments.

2. Standards, frameworks and methodologies. These include: NIST CSF, the ISO/IEC27000 family of standards, ISO31000, FAIR, COBIT2019, ISM, PCI DSS, OWASP Top 10, MITRE ATT&CK and CVSS. They offer broad and industry-specific guidance and good practice. Some include components and methods that can be used to ascertain a baseline of practice and then determine which information security efforts should be prioritised to maintain the risk appetite of an organisation within acceptable levels. Others are more technically focused, providing guidance on how to address technical vulnerabilities.

3. Security researchers and industry reports. With the complexity of digital infrastructure and
technology, security researchers play an extremely important role. They use their expertise to understand vulnerabilities and the attack surfaces these could present. Reports such as the Verizon Data Breach Investigations Report (DBIR) are valuable sources of information on global trends in security incidents and data breaches.

4. Security awareness initiatives. Awareness is the first step towards driving change. For individuals and organisations awareness and education on the behaviours needed to uphold secure practices are key. Such initiatives run the gamut from spreading awareness of current threats such as phishing and business email compromise to cyber safety for children and families. Campaigns to educate the public about the dangers of excessive sun exposure (slip-slop-slap) and the urgent need for recycling (Remade in Australia) served to increase awareness in these areas. In a similar way, various bodies such as the eSafety Commissioner and the Office of the Australian Information Commissioner (OAIC) run annual campaigns during Safer Internet Day and Privacy Awareness Week to educate and inform the public about the need for data protection.

5. Password managers and multi-factor authentication (MFA) mechanisms. Password compromise has been a leading cause of security incidents and data breaches over recent years according to the 2021 Verizon DBIR. Password managers and MFA have raised the bar in protection of access to IT systems and services. Microsoft, Google and Apple have recently committed to implementing passwordless authentication on their platforms (mobile device, browser and operating system), but until that happens we must continue to use the products and technology that keep system access secure.

6. Security Operations Centres (SOCs). The recent ACSC Cyber Threat Report (September 2021) says the 2020-21 financial year saw rapid growth in the exploitation of security vulnerabilities. SOCs which operate continuously are a centralised function for monitoring an organisation’s technical environment. Having this capability greatly assists an organisation to identify and notify anomalous or suspect activity.

7. Legislative and regulatory requirements. CPS234, the SLACIP Act, the Privacy Act (including the NDB scheme) and VPDSS are some of these requirements in Australia. They aim to ensure the protection of information, secure business operations and protect the digital economy. They drive information and cyber security practices across various sectors of the economy.

8. Open source software security initiatives. The US White House Security Council, the Linux Foundation and the Open Source Software Security Foundation (OpenSSF) have held two summits this year aimed at bringing key organisations together to collectively address issues associated with open source software security. Following the Log4j vulnerability in late 2021 their efforts are required to safeguard systems powered by open source software.

9. Security news (journalists and podcasters). Not a day goes by without there being something to report on in the security world. Security professionals rely on trusted sources of information to provide insight and advice on incidents and events impacting organisations and individuals. Some of my favourites in this space are Brian Krebs, Kim Zetter and Risky.biz.

10. Security industry bodies. Industry bodies such as AWSN, AISA, ISACA and ISC2 provide information security professionals with access to professional networks, events and conferences to share knowledge. They also provide the opportunity for skills certification against knowledge in the security, risk, audit and privacy domains.

Those are just ten elements. There are plenty of other elements making a difference, particularly the daily efforts of all the individuals working in the security industry to keep their organisations secure.

www.linkedin.com/in/marise-alphonso/
AMPLIFYING THE DIVERSE VOICES OF CYBER SECURITY

By
Kavika Singhal, Western Sydney University, Final Year Student
Emily Goodman, Cyber Security Consultant at EY
Michelle Gatsi, Cyber Security Consultant at EY
Shinesa Cambric, Principal Product Manager, Microsoft Intelligent Protections Emerging Identity at Microsoft
Jay Hira, Director of Cyber Transformation at EY

Diversity in the cyber security workforce is slowly but steadily shifting from being merely a tick box exercise to being led authentically. Diversity can be defined in many ways, but at its core is about embracing people not only for the value they bring, but also for how they present. As cyber security practitioners from various walks of life we got together as a group to share who we are, what excites us, what challenges us about working in cyber security and what making a difference in cyber security means to us.

RESPONSES FROM CONTRIBUTORS

Kavika: My name is Kavika Singhal and I identify as an inquisitive learner – I learn by asking questions. Curious by nature, my deep passion for cyber security stems from my interest in crime novels and technology since the tender age of eight. The quest to gain the best of both worlds led me to pursue my degree in Cybersecurity and Behaviour at Western Sydney University. During my academic journey, I worked in various roles with several remarkable organisations. My fascination with technology and how it influences and shapes human behaviour, (ie, human-computer interaction) continues to motivate me to know more.

My understanding of cyber security is constantly evolving. I have learned that cyber security is not just about staying ahead of criminals but also about holding strong together to stay ahead. Unfortunately, this is a major challenge for industry and society. Every role in cyber is significant and I believe the field should accommodate the needs of individuals from diverse professional and academic backgrounds. I am also passionate about cyber awareness and the importance of effective communication on healthy cyber practices. I believe it is important for us to build a more secure online world by protecting the most vulnerable in the community, such as children and the elderly.

Emily: My name is Emily Goodman and I am passionate about learning and continuing to broaden my knowledge. Originally, I studied accounting and marketing at university. However, I felt I was not fulfilling my purpose whilst working in my previous roles. I decided to pursue postgraduate studies in cyber security because of my curiosity and desire to learn. I was also inspired to enter the field following the great shift and uncertainty that came with the COVID-19 pandemic. Growing up, I loved to create obstacle courses. I view cyber security in a similar way, as a big obstacle course. It presents many challenges that require analytical thinking and problem solving to overcome.

My time working in cyber has been brief. However, I have enjoyed every minute of it. Cyber security has helped shape the perspectives of my everyday life and I have learned a lot in the process. I am also
surrounded by supportive and motivating colleagues who encourage me every step of the way.
Initially, I was quite intimidated when joining cyber because I did not have robust IT experience, so I think it is important the cyber industry accepts a wide variety of career backgrounds. It is an industry that encourages people with different perspectives and views, and I am grateful for the opportunities I have been offered to get involved with cyber initiatives. I am proud to be a part of a cyber industry that is continually growing and welcoming people with diverse experiences.
“Cyber security has managed to gain a seat at the board table. The next goal is the dinner table. We need to start educating a new generation of cyber heroes, as young as five, on the good and bad actors of cyberspace. We need to inform and empower them with tips on protecting their identity and staying safe online.” - Jay Hira, Director of Cyber Transformation at EY
Michelle: My name is MichelleRutendo Gatsi and I consider myself an ambitious learner. I was born in Zimbabwe and raised mostly in Australia. My academic background is in social science, criminology and cyber security risk management.
I like to think of the cyber security industry as one big house with many ‘rooms’ in which we can choose to spend our time, from incident response to vulnerability management. Also, I really enjoy the collaborative nature of the industry. There is a truckload of resources available, but sometimes I get swept up by the never-ending whirlwind of information. So, I try to remind myself I don’t need to know everything from the outset, that learning is part of the journey.
One area of cyber security I am excited to see improving is diversity and inclusion. I am encouraged to see a diverse mix of people thriving in leadership positions and in the industry as a whole. We are problem solvers and I cannot think of a more effective way to solve a problem than to leverage as many different perspectives as possible to achieve a common goal. These different perspectives result from diversity in culture, gender, age and experience: everyone brings something valuable to the table through their personal experiences.
Shinesa: My name is Shinesa Cambric. When I was in middle school I had a teacher tell me I love challenges, and in my cyber security career journey, I’ve continuously faced new challenges that required me to stand up or stand out. I believe my love of these challenges has drawn me to cyber security
and is the reason I continue to stay, currently as a Principal Product Manager and leading the Intelligent Protection of Emerging Identities team at Microsoft.
Embracing challenges has often led me into environments where I was the only person of colour, or the only woman, in the room. Championing the need for different perspectives helped me build a career that combined in-depth knowledge of identity and access management and GRC well before these began to rise in popularity. Today, I’ve learned to use my voice as a strategic thinker, problem-solver and advocate for diversity in tech, but I wish I had found the courage to do so much sooner.
Diverse candidates continue to be under-represented in cyber security, and with the shortage of workers throughout the cyber security industry embracing diverse candidates could make all the difference to creating safer companies and safer societies. My passion for diversity and my understanding of security architecture, identity and access management and GRC have led me to embrace a concept I call ‘identity in-depth’, where identity is thought of as having multiple layers.
For me, identity is not just the way a person looks, but also the background and viewpoints they bring to problem-solving. We need to secure digital identities using a similar perspective. Both diversity and strong identity management controls are necessary to address the challenges of building resilient cyber security programs that will be the key competitive differentiators between good and great companies in the digital world.
Jay: My name is Jay Hira and I consider myself a lifelong learner. When I was young I was very competitive and focused on being number one. I soon got hit with a dose of humility that changed my perspective and the course of my career. The need to be the best was replaced with a strong desire to collaborate, share, learn and grow with the team to achieve collective wins. As I grew older (and wiser — at least I’d like to believe so) I became clearer about my purpose and who I wanted to be, and I channelled all my energy into pursuing my passion for cyber security.
For me, cyber security is a dynamic puzzle with layers of complexity. As soon as we get closer to solving the puzzle the coordinates change and the complexity evolves, making the puzzle more difficult to solve. This means practitioners need to continuously learn and adapt, which is the best thing about working in cyber security.
It is in an industry that abounds in numbers and statistics. If I were to wish for one thing it would be that we make more use of analogies and stories to convey our messages instead of scaremongering with statistics.
Cyber security has managed to gain a seat at the board table. The next goal is the dinner table. We need to start educating a new generation of cyber heroes, as young as five, on the good and bad actors of cyberspace. We need to inform and empower them with tips on protecting their identity and staying safe online while dealing with cyber villains such as bullies, scammers and fakers.
SUMMARY
Cyber security is complex. To develop an effective and sustainable solution to this complex problem we as cyber practitioners must come together and build a more inclusive industry that welcomes diverse perspectives, experiences, personalities and cultures that creates a safe and inclusive environment. Together, we can make a difference by educating the next generation of cyber heroes, focusing on cyber resilience, embracing diversity and sharing stories and analogies.
www.linkedin.com/in/kavika-singhal
www.linkedin.com/in/emily-goodman-b9a023144/
www.linkedin.com/in/michellegatsi/
www.linkedin.com/in/shinesa-cambric-cissp-ccspcisa%C2%AE-0480685/
www.linkedin.com/in/jayhira/
KAYELENE KERR
EDUCATING AND EMPOWERING CHILDREN
Interview with Kayelene Kerr, Body Safety, Cyber Safety and Pornography Education Specialist | Child Safety Advocate | Founder eSafeKids
Kayelene is recognised as one of Western Australia’s most experienced specialist providers of protective behaviours, body safety, cyber safety, digital wellness and pornography education workshops. She has dedicated her working life to protecting and serving the community, in both the government and not-for-profit sector.
She is passionate about the prevention of child abuse, sexual exploitation and sexual violence and draws on over 25 years’ experience in study and law enforcement, investigating sexual crimes, including technology-facilitated crimes. Kayelene believes protecting children from harm is a shared responsibility and she aims to inspire the trusted adults in children’s lives to tackle sometimes challenging topics.
We interviewed her to learn more about her organisation and her services to protect children.
What first piqued your interest in working to counter children’s access to pornography and its impact on them?
The internet and technology have transformed the way we learn, create, connect and are entertained. It has given our children access to the world but has also given the world access to our children.
Whilst our children gain immense benefits from being online there are also risks. I observed the increase in the number of children online and saw a corresponding upward trend in cases of online grooming, child sexual abuse and exploitation, sextortion, youth-produced sexual content, image-based abuse and exposure to pornography.
Portable electronic devices in particular changed the way pornography is accessed and how pornography accesses children. Whilst pornography is not new, the nature and accessibility of pornography have changed considerably.
Knowing that children are growing up in a world where it’s impossible to avoid sexualised media and pornography I’ve worked tirelessly since 2015 to develop and deliver workshops to address the harmful effects of pornography on children and young people.
Knowing that many parents, carers, educators and other professionals working with children and young people often struggle to start much-needed conversations and education I’ve developed and delivered practical, strategy-rich workshops to educate, equip, empower and support people who live and work with children and young people.
The main purpose of your website seems to be to offer your services. There’s a limit to what one person can achieve. Do you find demand for your services outstripping supply and do you plan to expand?
I spent 21 years working in a government organisation and seven years working in the not-for-profit sector. At this point in time, I don’t plan to expand eSafeKids. I believe in collaboration over competition and continue to work with a number of organisations and individuals across Australia to address this public health crisis.
You have some informational/instructional videos on eSafeKids. Any plans to develop interactive online training for parents and/or people who work with children?
This year I plan to develop online training for parents, carers, educators and other professionals. I will also continue to develop and source free and accessible content to support the trusted adults in children’s lives.
At what ages do you see child access to pornography becoming an issue? Do you think most parents understand the extent to which pornography has become part of children’s online experience, especially very young children?
It’s not a matter of ‘if’ children will see pornography but ‘when’ and the when is getting earlier and earlier in their lives. In Australia, the age of first exposure is reported as being between eight and 10. Prepubescent exposure to pornography is particularly problematic.
I think parents are largely unaware of the nature and prevalence of online pornography. This is concerning given we know exposure and access to pornography can have a negative impact on children’s health, well-being and safety.
Pornography’s effect on children and young people is amplified by the absence of adequate education and conversation in the home, school and wider community. Many parents and carers are unaware of how readily available pornography is. Pornography is the primary, and in many cases, the only education children and young people receive about relationships and sexuality.
Concerningly, a significant portion of pornography children view either accidentally or intentionally contains violent images and themes. Research has found exposure to pornography can result in; children displaying harmful and problematic sexual behaviours, child-on-child sexual abuse, sexual aggression and violence, sexism, objectification, risky sexual behaviours and poor mental health and wellbeing.
Studies also suggest frequent viewing of pornography may reinforce harmful gender stereotypes, contribute to young men forming unhealthy and sexist views of women and sex, condoning violence against women and developing sexually coercive behaviours.
The Third Action Plan of the National Plan to Reduce Violence against Women and their Children had a focus on “better understanding and countering the impact of pornography given increasing evidence showing a correlation between exposure to online pornography and the sexual objectification of women and girls, the development of rape cultures and the proliferation of sexual assault.” There may also be other impacts, on things such as body image, mental health, academic performance, addiction and erectile function.
Where are children getting most of their access to porn today: from dedicated porn sites, or from social media services like Facebook, TikTok etc?
Children with access to the internet on any device at home, at a friend’s place, at school or in any of our community spaces are at risk of exposure. Pornography is readily available through most online sites and services our children use. It is now harder to avoid pornography than see it. Online services, apps and platforms frequently contain illegal, hurtful and harmful content. For many children, it’s too much, too soon. Many pornography sites are not age-gated and the gating on those that are is often ineffective because users self-certify their age. The most common ways children are exposed to pornography are; being shown it/sent it by someone, googling sexual terms and unintentional exposure – advertising, pop-ups etc.
Do you think the major social media platforms should do more to protect children from pornography and if so, what?
The Strengthening Online Safety: Empowering Australian Parents To Keep Their Children Safe Online report, to which I contributed, highlighted that anticompetitive behaviour from a handful of major tech companies is preventing parents from adequately protecting their children online.
Big tech companies have clearly demonstrated they are unwilling or unable to self-regulate. Sadly, and with devastating consequences, children’s fundamental human rights are not prioritised. Big tech is exploiting its market dominance at the expense of children and families. At the moment for the most part parents and carers are the first and last line of defence.
Until big tech does more to safeguard children from pornography and other illegal, harmful and hurtful content, the responsibility rests with us, the trusted adults in children’s lives. This is a public health crisis we can no longer afford to ignore. Children’s unrestricted access to pornography can and must be addressed. Perhaps this is the child protection issue of our time.
The Protecting the age of innocence report, to which you made a submission, came out in 2020 with six recommendations.
• Do you feel they represented an adequate response?
• What is your view on actions, if any, that have been taken to implement those?
Australia ratified the United Nations Convention on the Rights of the Child in 1990, which means Australia has a duty to protect children from harm. There is a substantial body of national and international research that demonstrates children are being harmed.
The Protecting the age of innocence report made a number of recommendations. One of which was for
the creation of the eSafety Commissioner to lead the development of an implementation roadmap for a mandatory age verification scheme for online pornography. Extensive consultation and research are being undertaken to identify what proportionate, effective and feasible age verification and infrastructure would look like. Whilst this is a positive step forward to safeguard children it will not be a silver bullet and will not be without challenges. Even the most robust controls will not prevent children and young people from being exposed to pornography. This means accurate, comprehensive, inclusive, shame-free relationships and sexuality education is essential.
What do you see for the future? The latest thing seems to be virtual reality porn, which, according to one article, “transforms users from passive observers of sexual fantasies on screens into active participants in immersive erotic experiences.”
• Is it going to be possible through formal and informal education, technology, parental guidance, etc to stem the tide?
• What do you see as the consequences if we fail to do so?
VR pornography is already here and with the Metaverse on the horizon the need to protect children has never been greater. A recent large-scale study of 150,000 pornographic videos demonstrated that one in eight titles advertised to first-time users of the top three porn sites described sexually violent, coercive and non-consensual content. This is what our young people are seeing. This is what our children are seeing. It is fair to say pornography is playing a key role in creating a climate in which sexual violence and coercive and non-consensual behaviours are normalised and eroticised.
If we fail to act the consequences for our children and future generations will be devastating.
The internet poses a particular challenge because those seeking to victimise children take advantage of the relative anonymity that online interaction provides. As the internet and technology continue to advance, the opportunities for child sex offenders and other financially motivated criminals to sexually exploit children will continue to increase. This has created an ideal criminogenic environment because there are abundant opportunities for crimes to be committed, highly motivated offenders, a lack of coordinated and effective regulation and an absence of adequate parental supervision, education and conversation.
ESAFEKIDS WORKSHOPS, TRAINING AND RESOURCES
In the absence of adequate education in the home, school and wider community, pornography is the primary and in many cases, the only education children and young people receive about relationships and sexuality. Kayelene strives to reduce and prevent harm through proactive and preventative education, supporting and inspiring parents, carers, educators and other professionals to talk with children, young people and vulnerable adults about pornography.
eSafeKids provides evidence-based Reducing the Harm: Talking About Pornography workshops throughout metropolitan and regional Australia and internationally. These workshops can be delivered face-to-face at your location or online as a webinar.
eSafeKids also provides books and resources to teach children about social and emotional intelligence, respectful relationships, diversity, resilience, empathy, gender equality, consent, body safety, protective behaviours, cyber safety, digital wellness, media literacy, puberty and pornography.
www.linkedin.com/in/kayelene-kerr-a2aa1b197/
www.esafekids.com.au/
www.youtube.com/channel/UCHWmjg_v53YaDt6U0Mik8EQ
www.instagram.com/esafekids
www.facebook.com/eSafeKids
COGNITIVE BIAS: IT’S CORRODING CYBER SECURITY
by Stuart Corner
Shanna Daly Cyber Security, Incident Response, Digital Forensics. Advisor, Speaker, Streamer, & Master of Shenanigans.
Cognitive, or implicit biases. We all have them, from simple things like choosing to buy coffee from a café with an Italian-looking barista believing Italians to be better baristas, to always want the same seat on a bus.
Those were just two examples Shanna Daly, former Chief Trust Officer at Paraflare (now Principal Consultant at Cosive), cited in her AusCert 2022 talk, Overcoming cognitive bias. What’s cognitive, or implicit, bias got to do with cyber security? A lot, Daly argued. “If implicit bias affects the decisions made by individuals in security teams, then that will affect security and, potentially, the security of the entire organisation.”
If you take this definition of cognitive bias, from a psychology website, it’s easy to see why. “A cognitive bias is a subconscious error in thinking that leads you to misinterpret information from the world around you and affects the rationality and accuracy of decisions and judgments.”
And under the pressure of responding to a security breach, cognitive biases can really come into play. The definition continues: “Biases are unconscious and automatic processes designed to make decision-making quicker and more efficient.”
So what is to be done about it? Individually not a lot, Daly said. “It’s a bit difficult to notice our own biases. It becomes challenging to recognise and acknowledge these behaviours in ourselves. But when we become aware of our shortcomings we can use what we have discovered in ourselves to help our leadership style, correct or potentially stop discriminatory behaviour in ourselves and in others.”
DEFEATING BIAS WITH DIVERSITY
In cyber security the solution, she said, is to build diverse teams because people from different backgrounds, people with different experiences, and different outlooks have different cognitive biases, which are likely to counteract each other. “Diverse teams are more likely to constantly re-examine the facts and remain objective.”
And there are many biases that should be considered when trying to craft a diverse team. Daly went on to discuss how other inherent behaviours: authority bias and automation bias can compromise the performance of cyber security specialists.
Authority bias is the tendency to attribute greater accuracy to the opinion of an authority figure and to be more influenced by that opinion. She talked of the Power Distance Index (PDI), a measure applied to nations that rates, in general, its people’s respect for authority. An individual from a high PDI country would be less likely to question an email purporting to come from the CEO or CFO that asks for changes to be made to the bank account for payment. “It is something to consider when you’re hiring a team and you’re looking at people’s backgrounds,” Daly said. “And a woman from one of those countries is probably going to have double the challenge when it comes to their ability to talk up.”
BEWARE AUTOMATION BIAS
Automation bias is likely to be particularly dangerous in a cyber security specialist. It is the tendency to over-rely on automation. Someone with automation bias is likely to over accept computer output as a heuristic replacement for vigilant information seeking and processing, Daly said.
Summing up, she said building a diverse team was far from easy. “You need to go out of your way to make it happen. It’s critical to evaluate individuals and team members holistically when you’re building out security teams, particularly those charged with protecting organisations and/or conducting investigations.
“Avoid trying to hire someone for culture fit. Don’t use it as a hiring metric. Look for those people who are going to make a contribution to the computing community. If you build the right team, the culture will come.”
www.linkedin.com/in/shannadaly/
WOMEN IN SECURITY MAGAZINE PUBLISHER NAMED AUSCERT DIVERSITY & INCLUSION CHAMPION
by Stuart Corner
Abigail Swabey PUBLISHER, and CEO of Source2Create
In the criteria for its Diversity and Inclusion Champion award, AusCERT cites the Diversity Council of Australia’s definition of a diversity and inclusion champion as “someone who plays both a symbolic and an active strategic role.” This year’s winner, Abigail Swabey, publisher of the Women in Security Magazine and producer of the Australian Women in Security Awards and their New Zealand counterpart, plays a role in diversity that goes well beyond being merely symbolic or simply strategic: it is eminently practical and tactical.
In her own words, the magazine and the awards “give me a platform to scream and shout to try and make a difference for the greater good.”
Her introduction to the world of cyber security, and the challenges women face being a part of it, came 15 years ago when, as an account director at IDG Communications in search of a new challenge, she took on the task of reviving the neglected CSO (Chief Security Officer) brand, encompassing a magazine and events, and giving it an Australian focus. “I could see huge potential for it and at that stage, I was really trying to find a way to break into a different market, one where there was exponential growth, and security was it,” she says. While pursuing that challenge she became aware of concerns about the lack of women in the industry and the challenges the few female participants faced.
“I read articles about how women in security were sparse, research reports where the numbers were so skewed you thought it must have been wrong, blogs on how to retain the small number of women already in security, requests for female mentors or career advice, and social posts on how to not be the only female in the room.”
As a parent of teenage girls, Swabey was also well aware of the challenges girls with any aspirations in STEM face. “They were growing up in a school system where tech subjects were not cool, STEM didn’t get much of a mention and IT was led by a nerdy uncool teacher. Why would teen girls even go for this?”
AMBITIOUS GOALS
Wanting to “do something that would help, or at least push other parties to come forward and do something,” Swabey started looking around and found the Australian Women in Security Network (AWSN) and its founder Jacqui Loustau. From that meeting grew a long friendship and a professional relationship, and Swabey’s determination to “do something” for women in cyber security.
She set herself some ambitious goals. “I thought I would make it my job to try and change the way females are seen within security, to increase the numbers of females in security, to show females a career path in security they may or may not have known they had, to elevate those females already within security so everybody would know who they are and what they do, and deliver a platform for females to use within security.”
Her first major initiative to achieve these lofty goals was the Australian Women in Security Awards, which debuted in 2020. They did not have an easy birth.
“No one in the industry really wanted to support them, no one wanted to put money behind them, and hardly anyone wanted to nominate. So, basically, all I had was a great idea and nothing else. That soon changed with a bit of blood, sweat and a lot of tears, and a ton of social media nagging.”
The awards now pay for themselves and Swabey’s aim is to acknowledge more women in the industry. “I want to try and recognise as many individuals, companies, volunteers, mentors, champions and programs as I possibly can, and then I want to shout about them so that everyone knows about them. That’s where my growth from these awards will come.
“Some say I’m short-sighted in what my growth potential for these awards is or I am crazy not to use them as a revenue spinner, but I didn’t start this project to make money. I did it to make a difference, and if that means it’s one state at a time, or one country, so be it, but I will make a difference and overcome every challenge put in my way.”
LAUNCHING WOMEN IN SECURITY MAGAZINE
In comparison to the blood, sweat and tears Swabey shed launching the awards, launching the magazine was a walk in the park. “I didn’t really have any challenges. I guess the only challenge was how I would pay for it. I quickly did some numbers and decided I wasn’t going to fret about that. My company would pay until people want to promote their organisations in it. I’m not going to kill myself trying to sell it. If organisations don’t see the value in putting dollars behind it then so be it. It’s easier for me to get the magazine out there to see if it works. If I decide later on that revenue needs to be a priority I will change tack, but that’s definitely not the case right now.”
That company is Source2Create, a boutique media and marketing house, Swabey founded in 2020 after almost 14 years with IDG Communications (now named Foundry). Source2Create, she says has enabled her to “build on my passions: the Women in Security Magazine and the Women in Security Awards. Those passions give me a platform to scream and shout to try and make a difference for the greater good.”
She’s come a long way from her childhood spent in a small town in the UK when she aspired, first, to be an English teacher and then a sports teacher, because “I didn’t love my English teacher so I struggled to remain passionate and focused the majority of my time and efforts on sports.”
Swabey came to Australia to help her father clear up her grandfather’s estate. “The travelling bug took over and all I then wanted to do was travel, and Australia seemed a big enough place to do that in.”
She credits Loustau and Mandy (Amanda-Jane) Turner, today an adjunct lecturer in criminology for the University of Queensland, as being two key influences on her journey into cyber security, along with Matt Tett founder and managing director of ENEX TestLab.
MAJOR INFLUENCES
Key influences on her overall life journey have been “dear friend Reshma Shetty for giving me the courage to go after what I want, and my husband Scott Swabey for always pushing me to believe in myself, telling me always I am capable of doing anything when I put my mind to it.” For her role at IDG, her former boss Davy Adams gets the credit “for letting me just get on with running a brand the way I wanted without having to constantly be held back and for allowing me to trust myself enough to build and use a team that I handpicked to come on that journey with me.”
One achievement she gives no one but herself credit for is launching a security magazine. “I love magazines,” she says. “Every time someone said to me in my career ‘print is dead’ I would snap back that they were wrong and that there will always be a place for print—digital or physical—in the world, same as books.
“So I launched a magazine to prove everyone wrong, and lo and behold the subscribers came and loved it and with every issue that subscriber base just keeps growing and growing. So there is a clear want and need for the magazine in the industry. It’s not a money-making tool for me. It was, is and will always be my passion project: a platform I can use alongside the awards to be able to give something back to the industry and that I am delivering on without question.”
Swabey says she was shocked to receive the AusCERT Diversity award, unaware she had been nominated. She hopes it will strengthen her ability to promote diversity in the industry giving her “a louder voice, one to be taken more seriously when it comes to diversity and inclusion.”
And she says the movement to increase the number of women in cyber security has, to some extent, become a victim of its own success. “I can see businesses going out of their way now to hire women, but is it for the right reasons? Is it because they are women, or because they are also the best candidate? Is it to increase your diversity ratio so you get to tick that box?
DIVERSITY CHALLENGES REMAIN
Swabey is being coy about her next steps. “We have some projects we are working on right now for 2023, so watch this space, because they are very exciting. They are still within the women in the security realm. I’m sticking to what I know!”
Maybe there is a clue in her comments on how the industry is approaching diversity. “I see the huge challenge of our industry being stuck in this never-ending loop of ‘we have a skills shortage but we only accept experience blah, blah, blah’. Honestly, take a risk on the graduates, bring them in at entry-level and train them up for what you ultimately want. That would be more effective rather than where we are at right now in a stalemate with ourselves.”
“I see a market trying to work out the diversity element within their workforces for men, women, non-binary identity individuals etc, but not thinking of the next step of inclusion, belonging and culture. I would love to play devil’s advocate and have businesses start running the blind recruit concept, where the gender or the name is not disclosed, just the qualifications and experience. It’s an easy route to reducing biases.”
www.linkedin.com/in/abigail-swabey-95145312/
aby@source2create.com.au
NIVI NEWAR
THE TANGIBLE UPLIFT PROGRAM
By Nivi Newar, Head of Cyber Security Strategy & Governance at UNSW

There’s a shift underway in the level of skills and experience sought for cyber security positions and it’s not helping women, says Nivedita (Nivi) Newar. So she decided to do something about it.

Nivi, whose ‘day job’ is Head of Cyber Security Strategy & Governance at UNSW, with a couple of others, has founded the Tangible Uplift Program - Women in Cyber Security Leadership program. Its aim: to train and assist 50 women across Australia to pass the CISM written exam in 2022 and increase their cyber security skills and knowledge, uplift their credibility and marketability and assist them with job readiness.

Nivi says she was moved to start the program by what she saw as a seismic shift in the cyber security landscape and a consequent shift in the skills sought which disadvantaged women looking to enter cyber security or advance their careers.

“Cyber security threats are growing rapidly because of complex, sophisticated and well-funded nation-state attacks resulting in catastrophic impacts that have the potential to drive organisations to extinction,” she says. “As a result, the delivery timeframes of cyber security programs are being shortened by half to reduce cyber risk exposure to an acceptable level. Strategic program timeframes are now 18 to 24 months instead of three to five years.

GROWING DEMAND FOR SPECIALISTS
“This change is driving the demand for professionals with niche cyber security qualifications, specific subject matter expertise and significant experience in delivering security solutions within specific industry types. Therefore, the barriers to entry into cyber security have never been higher. This demand has made it harder for women to penetrate the industry. However, the industry has not yet fully recognised the new challenge.

“There is already an extremely low percentage of capable female leaders under 40 years of age in cyber security senior leadership positions. In addition to that, the percentage of women applying for cyber leadership and managerial roles is incredibly low.”

Nivi says this trend has the potential to become a vicious circle. “Women need examples of other successful female role models or influencers in sustained and upward trending leadership roles to be able to visualise themselves in one.”
On a more positive note, she says the prospects for women seeking entry-level roles are better. “There is some flexibility at the mid to junior level roles where mentoring and training can be afforded.”

A HEFTY COMMITMENT
Interest in the program suggests Nivi was spot on with the idea. All 50 positions were filled within days of launch, despite the fact it requires late evening participation over four months, and preregistration for the ISACA CISM exam at a cost of $US575 for ISACA members and $US760 for non-members.

The Tangible Uplift Program includes online training and preparation for the CISM exam. Nivi says much research went into choosing this particular exam as “the most suitable and credible certification for management roles in cyber security” for women aspiring to senior roles.

The majority of applications came from more experienced women, contrary to Nivi’s initial expectations. She suggests there may have been a lack of awareness of government funding and tax offsets for the cost among more junior women. Only 36 per cent of applications claimed to be aware they could claim the cost of training and certification against income tax.

Nivi says statistics from the 2021 Certified Information Security Manager (CISM) Salary in Australia | PayScale seem to show a correlation between the percentage of women in leadership positions and the percentage of female CISM certification holders in Australia.

To develop the program Nivi worked for several months with colleagues, industry peers and external partners including ISACA Sydney Chapter, ISACA International, IT Masters (CSU), CAUDIT, Cyber Risk Meetup, Cyan, Australian Information Security Association (AISA).

Nivi’s ambitions extend well beyond this initial program. She envisages it as precipitating a global movement that will give women who aspire to be leaders in cyber security a “tangible uplift” to their careers.

She hopes to create momentum for the program by getting at least one of the participants to give back to the program when they have benefited from it, and for the program to be adopted by thought leaders in other countries.

MEDIA PARTNERS
To raise awareness of the program and create a sustainable model, Nivi has partnered with MySecurity Media and Australian Cyber Security Magazine to highlight its impact on participants and hopefully encourage more women to apply.
WHAT’S ON OFFER
Participants in the program get: free one-year AISA membership and free four weeks of online CISM training: CAUDIT offers participants the free short course Certified Information Security Manager (CISM) Prep, in collaboration with IT Masters. This technical course guides participants through the rich, but sometimes long and mystical, CISM material in preparation for the exam. The course webinars have been recorded and are available to participants on demand.

Each participant will also receive a 20 per cent discount voucher (sponsored by the ISACA Sydney Chapter) to register for the CISM exam before training commencement and a free course completion certificate from IT Masters.

Qualified and experienced cyber security professionals will assist participants with exam preparation. This preparation will include gamified quizzes and ISACA practice exam questions and a publicly available free practice quiz which includes questions from ISACA’s test preparation exercise that are the same level of difficulty as those in ISACA’s official CISM exam.

Successful and influential security professionals in various roles associated with each CISM domain will deliver a day-in-the-life online session about their role and showcase the technologies and processes they use in their jobs.

The program will also give participants a unique opportunity to hear from industry leaders (CISOs of reputable organisations) about the significance of cyber security certifications in the hiring process and other factors taken into account when considering an applicant for a management or leadership role.

REWARD FOR TOP FIVE CISM EXAM SCORERS
The top five CISM exam scorers passing the exam by 1 December 2022 will receive a pass to attend AISA Cybercon in 2023, worth $770. All participants who pass the exam by 1 December 2022 will receive up to 70 per cent off the cost of the full range of CompTIA exam vouchers and courses to help them uplift their technical capabilities.

Participants will be able to learn and study together and motivate one another to get certified. They will also have the opportunity to meet and collaborate with other participants in a dedicated collaboration forum.

www.linkedin.com/in/nivedita-newar/
www.tangibleuplift.wixsite.com/tangibleuplift
www.australiancybersecuritymagazine.com.au/tangibleuplift-mentoring-program-for-women-in-security/
KAREN STEPHENS Karen is CEO and co-founder of BCyber, an agile, innovative group who works with SMEs to protect and grow their business, by demystifying the technical and helping them to identify and address cybersecurity and governance risk gaps. Karen has recently graduated from both the TechReady Woman Accelerator graduate and CLP program with the Cyber Leadership Institute in 2021.
Progress not perfection might just be the key

There are many people making a difference in cyber security and how it is viewed by our clients, but I would like to draw attention to a Federal Court ruling in May of this year when, for the very first time, an Australian Financial Services Licensee (AFSL) was found to have failed to adequately manage its cyber security risks (the ruling). The message that cyber security should be top of mind for all businesses (especially those in the advice space) was clearly spelt out by her honour Justice Rofe when she stated “Cyber security risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce the cyber security risk to zero, but it is possible to materially reduce cyber security risk through adequate cyber security documentation and controls to an acceptable level.” This translates to: while nothing is 100 per cent perfect, progress and not perfection is key.

The cyber security pathway for AFSLs is now clearer with the Australian Securities and Investments Commission (ASIC) advising they:

“Should be aware of the potential consumer harms that arise from cyber security shortcomings.”

“Should adopt good cyber security risk management practices to reduce potential harm to consumers. … [Practice] active management of cyber risks and continuous cyber security improvement, including assessment of cyber incident preparedness and review of incident response and business continuity plans.”

Are expected “to act quickly in the event of a cyber incident to minimise the risk of ongoing harm … [and all] … should regularly reassess their cyber risks and ensure their detection, mitigation and response measures adequately support the size and complexity of their business and the sensitivity of the information they hold.”

Three key responses are needed:

Cyber education should be a key foundation of risk mitigation programs. They should be ongoing and not a one-off “set and forget.”

Cyber should be included in a business’ overall risk mitigation programs and policies. As we have said before, cyber risk is a business risk not just a technology problem.

Cyber programs and policies should be dynamic, practiced and able to be evidenced. A static “tick the box” checklist is no longer the best of the breed.

There is much more to unpack with the ruling, but I hope this gives you a flavour of what has been happening in the world of financial advice.

www.linkedin.com/in/karen-stephens-bcyber/
www.bcyber.com.au
karen@bcyber.com.au
twitter.com/bcyber2
youtube.bcyber.com.au/2mux
VERONIKA LAPUSHNIANU
THE IMPORTANCE OF DIPLOMACY AND CROSS-CULTURAL INTELLIGENCE AS PART OF AN ORGANISATION’S DNA
by Veronika Lapushnianu, International Business Communications Trainer, Founder of GroupEtiq

It is everyone’s responsibility to make cyber security one of the most attractive workplaces if we are to build a safer future. Technology is evolving at an unprecedented speed and bringing together international teams with one common goal: fighting cybercrime. Highly skilled cyber security professionals from all over the world, proudly representing governments and private businesses, collaborate in order to strengthen the ‘defence power’ of organisations and protect citizens. More than ever there is a need for diversity and inclusion.

I am a female expatriate with a bachelor’s degree in management, who has worked for multinational IT and cyber security companies in business development and marketing roles and am a certified consultant in international diplomatic protocol. There is so much to love about working in cyber security: constant learning; keeping up with new technologies and global trends; the fascinating stories of real-life cases; exposure to different business cultures; the opportunity to help organisations and citizens stay safe.

However, a role in cyber security is not without its challenges, many of which have been raised in this magazine. Some are the result of mismanagement, and some result from toxic behaviour. Any cyber security organisation that promises the best culture finds itself fighting HR complaints and, if these are not addressed, uncontrollable attrition. Promoting a company’s values, setting policies, and enforcing a
code of conduct will only do a part of the job. It is very difficult to change an individual’s value system, habits and communication style.

The underlying reasons for miscommunication are complex. We all come from different backgrounds, with an established value system, education levels, culture, perception of what good and bad are, and understanding of power.

How do we create a safe corporate culture in which any professional, regardless of gender, education, or cultural background can realise their full potential and inspire the next generation of workers?

To create an inclusive and diverse culture with healthy communication in this interconnected global community we need people who exhibit cultural intelligence and personal diplomacy.

MUTUAL TRUST AND RESPECT
Dr Ichak Adizes, the author of the Adizes Methodology implemented by organisations around the globe, says “mutual trust and respect”, a culture of cooperation and collaboration are essential if organisations are to survive each stage of their corporate lifecycle. He argues that respect exists when trust is established.

Trust is without doubt the key currency today. But how do we establish trust?

DIPLOMACY AND CROSS-CULTURAL INTELLIGENCE
Formal communication between government officials and corporations’ executives is formalised according to international diplomatic protocol and etiquette, a set of rules and recommendations that specifies acceptable verbal and non-verbal communication between the parties. The founding principles have been set to ensure that all signs of respect are read equally in a multicultural, multifaith environment in order to establish and maintain mutual trust and facilitate cooperation.

PRINCIPLE OF HIERARCHY
One rule of international protocol specifies the order of communication between people of unequal status. A higher-ranked individual should be the first to offer a handshake. Cultural traditions and religion must be respected. In Japan bowing is an alternative to a handshake. One must know the acceptable rules of greeting, correct forms of address, seating arrangements, and communication style, for negotiations to take place. The same principle applies when managing diverse teams.

PRINCIPLE OF GENDER EQUALITY
According to international standards, communication in business happens between ranks, and not between genders. This answers many questions, such as should a man open the door for a lady or pay the bill for a lunch meeting; should men and women shake hands or kiss on a cheek.

Formal business attire helps to create the right professional image and avoid misunderstandings such as “sending the wrong message”. This is a form of non-verbal communication, a way of sending a signal about one’s status and business intentions.

When a diplomat attempts to raise a topic that is taboo in another country the reputation of that diplomat’s country is diminished. In business, expressing political views publicly could cost an executive their job and inflict financial damage on their employer.

By using a dominant tone of voice a leader projects power and confidence in the USA but could miss a business opportunity by doing the same in Japan. Keeping the voice low, or not expressing an opinion during a meeting, can be interpreted as a sign of weakness or lack of knowledge in some cultural contexts. It can also indicate that the person is shy, introverted or simply avoids confrontation. Politeness does not equate to weakness.

PERSONAL SPACE
Hugging in Latin America is a sign of friendship and trust but can be seen as a sign of intrusion into personal space in Germany. Keeping your distance means respecting another’s personal space in Australia.
MANNERS
Crossing one’s legs is considered bad in Japanese culture. Doing so and exposing the soles of one’s feet to another person shows extreme disrespect in the Arab world. Knowledge of these cultural taboos is essential for anyone speaking on panels in a multinational, multireligious audience.

THE NEED FOR A ‘COMMUNICATION FRAMEWORK’ IN CYBER SECURITY
“Culture eats strategy for breakfast” is a famous quote from management consultant Peter Drucker. Creating and maintaining a good corporate culture is a team effort guided by team leaders. Leaders who are great experts in their field are trained to manage and lead others according to theory as well as modern best practices. By implementing a communication framework based on internationally accepted business protocol standards, organisations significantly improve the quality of internal and external communications. I strongly believe that cross-cultural intelligence, understanding of different business practices, negotiations and management styles are essential for leaders in cyber security.

Simple ways of maintaining trust and respect are: accepting people for who they are; treating professionals based on expertise vs. gender; learning to ‘agree to disagree’ without losing face; understanding traditions and taboos; giving feedback with dignity; avoiding labelling and stereotyping; listening to understand, rather than listening to respond; adjusting negotiation styles as needed; rewarding based on experience and achievements vs. gender; applying relevant management and communication styles when leading diverse teams.

A NOTE TO NEXT-GENERATION LEADERS
I’d like to highlight the importance of choosing supportive, experienced leaders wisely, especially early in the career as this is what shapes one’s future. If I could briefly summarise, based on my own professional experience, a great leader is culturally aware, respectful, encourages and motivates you to achieve new horizons, studies your full potential and contributes to your career path, defends you in complex situations, generously shares knowledge, provides equal opportunities to team members, acknowledges everyone’s contribution and achievements, leads with integrity.

A great way to develop personal diplomacy is by analysing one’s own culture and value system first, as well as habits, and traits. Then observe how others respond and understand where the “borders” are and what makes others want to interact and collaborate. The next step would be to learn about people in a workplace, their background, education, experience, traditions, hobbies, behaviour, and taboos and understand what makes everyone different. This helps to create a baseline for cross-cultural awareness that can be then applied to a corporate communication framework and code of conduct.

www.linkedin.com/in/veronika-lapushnianu/
ANGELINA LIU
IN CYBER, LANGUAGE IS THE WEAPON OF CHOICE
by Angelina Liu, Account Executive at Barracuda

Celebrate your differences and you’ll send a signal to other folks they are free to do the same, writes Barracuda account executive, Angelina Liu.

I’m delighted to say, in my experience, the world in general and the ICT world, in particular, have become significantly more open-minded and accepting than they were a decade or two ago.

Why do I think so? Because for quite a while I’ve been proudly behaving true to myself, no holds barred: a gay woman of Asian heritage with a personality that might be best described as quirky. And I’m regularly applauded for bringing my whole self to work, even by Barracuda customers and partners with a decidedly conservative bent.

FALLING INTO LINE
This was not always the case. Back in the day — the day being 2009 when I emerged from Monash University as a fresh-faced graduate clutching a bachelor’s degree in biochemistry — I felt some pressure to fit in, to appear and present as a more conventional woman.

Well-meaning associates and advisers told me it would be wise for me to do so: that I should consider growing my hair and applying some makeup if I hoped to have a chance of scoring a job in my chosen field.

Back then graduate opportunities were scarce as hen’s teeth, even for individuals who had graduated at the top of their class, never mind those who had finished up somewhere in the middle as I, no hardcore swot, had done.

While the makeup was and remains a deal-breaker, I took the hair growing advice to heart but felt uncomfortable and miserable with my slightly longer locks.

The relief I experienced upon cutting them off made me realise I was unlikely to ever succeed in the workplace by pretending to be anyone other than my authentic self.

CONCENTRATING ON WHAT COUNTS
Fast forward 12 years and I feel challenged and fulfilled in a job I love, working as a cyber security account executive whose beat encompasses
three southern states: Victoria, South Australia and Tasmania. I have the privilege of engaging with more than 20 channel partners, several of them kicking big goals in the mid-market and enterprise space.

All have committed to working with Barracuda as a preferred supplier, in part I like to think, because of the good ‘channel karma’ I’ve endeavoured to foster since stepping into an account executive role four years ago. Our partners know they can count on me to behave transparently and ethically, that I won’t over promise and under deliver and that I’ll back them to the hilt when they’re bidding for new business.

And they’ve learned to evaluate me, not on my appearance, my sexuality or my personality but on my character and the work I do, how well I take care of them and how effectively I advance their interests.

That’s just as it should be. And it’s just as it will be for the next generation if they’re able to be true to themselves, to feel comfortable about standing out rather than fitting in as I felt compelled to do back in the day.

TAKING THE LEAD
Leading by example, showing young people who are still finding their feet in the world of work that differences are to be celebrated rather than minimised is something I’m passionate about, and doubly so having recently become a parent myself for the first time.

I’d like to see my baby daughter grow up in a world where discrimination and bias, both conscious and unconscious, are not the barriers to success they were for many people from minority backgrounds in the not so distant past: a world where businesses and organisations are happy to hire people who look and think differently and support them to do their best work.

That’s why I strive to do whatever I can to make a difference in my workaday world — sharing my story, advocating for education and training initiatives that raise people’s awareness of the issues, and mentoring younger people to pursue rewarding career pathways without having to pretend to be something they’re not.

I count myself deeply fortunate to work for a company whose staff, partners and customers have encouraged me to do just that. What a beautiful world it will be when that’s the norm for each and every one of us.

www.linkedin.com/in/angelinaxl/
ASOU AMINNEZHAD
RINA MADLANI
CYBER SECURITY: THE ISSUES AND THE CHALLENGES
by Asou Aminnezhad, Security Evangelist and Rina Madlani, Cloud Advocate

The 21st century is characterised by many innovations: industrial, mechanical, technological, transport and in communication. The innovation represented by the internet has played a significant role in improving communication, making it easier for people to send messages to and from all corners of the globe. Access to data-rich applications and platforms has made the world feel small.

In today’s society, every person is connected to the global web giving hackers abundant opportunity to hack people, including those who do not have social media accounts. So, why is this happening? It is happening because personal information is stored on multiple personal devices, commercial websites and in the cloud.

Another significant development that exposes enterprises to security vulnerabilities has been the growth of the work-from-home culture triggered by the COVID-19 pandemic. Enterprises that have yet to establish a zero-trust framework have struggled to secure remote access to their systems.

IMPORTANCE OF CYBER SECURITY
Constant technological evolution has made it essential that your business puts cyber security front and centre, especially if you handle client or customer data. Something as simple as an email address can be used to distribute viruses, and a credit card or social security number could enable a hacker to get unauthorised loans and leave the victim with massive debt. If your client information falls into the wrong hands your business could suffer irreversible reputational damage. A focus of cyber security is the protection of critical information. The provision of data security, mobile security and network security are all considered key components of an effective cyber security strategy, along with planning around disaster recovery and identity management.

A single cybercrime could destroy your business. This is why companies need to develop and implement robust and appropriate cyber security practices. Start by creating a disaster recovery plan. Having this in place can help your teams identify all potential harmful events in order of probability; everything from a malware infestation to a terrorist attack.

A disaster recovery plan makes your teams think deeply about risk management. Every single person in your business is responsible for cyber security and they should take preventive measures during each workday to reduce risk.
Having a culture of cyber security awareness can make a huge difference to your cyber posture. Steps to create such a culture include:

• Getting the board on board (leadership support)
• Leveraging soft skills.
• Investing in technology and building a resilient cyber security culture.
• Fostering diversity and inclusion in your cyber security team.
• Making cyber security a priority and allocating sufficient budget to implement a proactive cyber security program.
• Developing a cyber security awareness/ education/ certificate program.
• Recruiting security ambassadors for thought leadership.
• Leveraging the cyber security framework and implementing a zero-trust methodology.
• Focussing on the security of the cloud transformation journey.
• Managing the adoption of shadow IT by a remote workforce.

CYBER SECURITY INDUSTRY ISSUES
I would like to address two significant issues facing the cyber security industry: the lack of gender diversity and the significant skills gap.

DIVERSITY AND INCLUSION MATTER
Working in security means being surrounded by brilliant people from different backgrounds and with different experiences and perspectives, all with a common purpose to protect people online. Attracting more women to the security sector is critical to combating the ever-growing wave of cybercrime.

Cybercriminals have a variety of backgrounds making it imperative our cyber workforce matches this diversity to ensure we can defend our organisations and ourselves from their attacks.

THE WAR FOR TALENT
Cyber security is a board-level concern, and a lack of proper cyber security management can be disastrous for an organisation. Everyone in every type of organisation needs an understanding of cyber security appropriate to their role and must adopt secure behaviours. To achieve this, cyber security professionals must engage with everyone, from marketing, facilities and business operations to the executive committee. This requirement creates extremely varied and rewarding career opportunities for cyber security professionals.

According to the (ISC)² 2021 Cyber Workforce Report, the global cyber security workforce needs to grow 65 per cent if it is to effectively defend organisations’ critical assets. The number of professionals needed to fill the gap has decreased from 3.12 million down to 2.72 million in the past year, but there remains a massive shortage. Multiple industry reports highlight the risks organisations will continue to face from the lack of cyber security skills.

WHAT CAN BUSINESSES DO TO OVERCOME MALWARE AND RANSOMWARE?
Cyber security is no longer the responsibility of IT professionals alone, it has become everyone’s responsibility. Organisations need to implement cyber security solutions and educate their employees on best practices.

There are myriad complex cyber security solutions available in the market and no universal solution, organisations must, therefore:

• understand regulatory requirements relevant to their business.
• implement a framework to prevent, protect, monitor and recover.
• identify the cyber security solution best suited to their requirements.
• educate employees about cyber security awareness

In summary, we can all make a huge difference to our personal and professional security posture by being aware of cyber threats. The ripple effect of everyone taking ownership can have a massive impact on our personal and professional cyber safety.

www.linkedin.com/in/asouaminnezhad/
www.linkedin.com/in/rina-madlani-mba-b6608810/
MEL MIGRINO
A WOMAN’S PASSION TO LEAD
by Mel Migrino, Chairman and President, Women in Security Alliance Philippines and Group CISO, Meralco

Thinking like an adversary to outsmart them has been our strategy for a long time. While this remains true in certain organisations, it is no longer sufficient to combat cybercrime. According to Cybersecurity Ventures, the global cost of cyber threats is projected to reach $US10.5 trillion by 2025, driven by several factors. Intelligent techniques, tactics and procedures tend to bypass current cyber protection platforms and result in cyber teams hitting their panic buttons. Adding to their challenges is the global shortage of cyber security employees, estimated to be 3.5 million in 2021.

The way forward is to adopt collective defence, which requires converging private and public sectors, vendors, regulators and supply chains to share real-time threat intelligence in a robust and trusted platform that provides an early warning system about potential risks and attacks. Organisations that build such a model to counter cyber attacks will see a difference.

As a seasoned cyber security practitioner and a concerned citizen, I felt the need to continue this quest and at the same time help bridge the cyber security talent gap, especially the under-representation of women in this field.

With much excitement and a little anxiety, I established the Women in Security Alliance Philippines (WiSAP). Its mission is to nurture women security leaders and make contributions to society
WOMEN IN SECURITY MAGAZINE
28.06.2022
I N D U S T R Y
P E R S P E C T I V E S
while promoting gender inclusivity. WiSAP aims to promote awareness and best practices in governance and technology across security and risk disciplines and to build a community where men and women coexist. WiSAP aims to: • Empower women in the practice of cyber security, risk, physical security and related disciplines. • Promote gender equality, recognising that women and men have equal rights and opportunities. • Encourage sharing of information on security and threat intelligence among its members. • Promote skills and talents among women in security through recognition. • Encourage collaboration among various security groups to scout for resources for cyber security, physical security and related disciplines. • Support strategic measures to safeguard supply chains. WiSAP aims to be a partner, resource, mentor and coach. Developing and growing with its members and the rest of the society is a key imperative. WiSAP believes a priority for any organisation should be to give value to career aspirations and promote a nurturing culture, and, with the shortage in cyber security skills, this should be a critical focus. Fostering more inclusive, hybrid work environments is crucial for employee satisfaction. Organisations should train all employees about true inclusiveness and tolerate nothing less. Lastly, WiSAP aims to establish policies and plans to foster diversity. An organisation that engages women to manage its crises achieves better outcomes. Women’s power and ability to influence enable them to succeed in the digital society.
www.linkedin.com/in/mel-migri%C3%B1o-b5464151/
www.linkedin.com/company/wisap-women-in-securityalliance-philippines/
CYBERSHIKSHAA: GETTING INDIAN WOMEN INTO CYBER AND PRIVACY by Stuart Corner
A multiparty initiative in India aimed at getting more women into cyber security and privacy has already delivered cyber security and privacy training to 900+ female candidates from engineering and other disciplines.

The program, CyberShikshaa, is an initiative of Microsoft India and the Data Security Council of India (DSCI) with support from Information Security Education and Awareness (ISEA), an initiative of the Ministry of Electronics & IT (MeitY), Government of India/GoI.

According to its website, the primary objective of the program is “to connect with women candidates from tier 2, tier 3 cities and rural areas and to align a career path for them in cyber security.” The site says there has been a steep rise in demand for skilled cyber security workers, but women have been insufficiently represented compared to their representation in the wider IT industry.

CyberShikshaa intends to bridge the gap between the demand and supply of talented professionals and increase the number of women working in cyber security and privacy.

The cyber security program offers a course comprising four months of interactive training covering theory, case studies and practical hands-on projects. On successful completion of the training, participants receive a certificate and assistance with placement in a cyber security role.

There are seven cyber security focussed modules, plus soft skills and aptitude sessions.

• System fundamentals
• Introduction to cyber security
• Cryptography
• Network security and countermeasures
• Web server and application security
• Security auditing
• Cyber forensics

This program is offered to new engineering graduates. The training is provided by two other arms of MeitY, the Centre for Development of Advanced Computing (C-DAC) and the National Institute of Electronics & Information Technology (NIELIT), a body created to undertake human resource development and related activities in information technology, electronics and communications technology.

Additionally, there is another privacy module for experienced women professionals who have taken a career break and a short introductory course, CyberShikshaa for Beginners, for college students.
According to the privacy module program, skilled privacy professionals are in high demand and the privacy module training is aligned with DSCI’s Certified Privacy Professional (DCPP) certification, which is what employers are looking for. It describes the program as “a pioneer credentialing program which empowers you with knowledge and equips you with necessary skills to advance your career in the field of data privacy.”

Microsoft has provided funding for CyberShikshaa and has been instrumental in raising awareness of it and garnering support from various stakeholders. The CyberShikshaa curriculum has also benefitted from feedback from major employers who have taken on graduates from the program.

CyberShikshaa was launched in 2018 providing face-to-face cyber security training and had delivered training to 22 cohorts in 12 cities when COVID forced a move to online training. To date, more than 800 women from 100 cities across India have been trained under the cyber security program. Under the privacy module, around 100 ‘women on break candidates’ from 30 different cities with an average career break of 3-4 years have been trained. Among the trained, more than 450 candidates have been placed in various organisations including corporates, law enforcement agencies and start-ups.
www.linkedin.com/company/data-security-council-ofindia/
twitter.com/dsci_connect
youtube.com/playlist?list=PLYZb8VYygIYicNHXrtCqZfB_gFu0vgYBd
THE HEAD-IN-THE-SAND APPROACH TO CYBER SECURITY by Stuart Corner
Virginia Calegare Founding Director - CISOaaS - DPOaaS - CISSP LGPD Expert, ISO27001 LI & LA - SABSA - CCNA SecOps I & II

When it comes to cyber security, Virginia Calegare says there are plenty of ostriches. In her AusCert 2022 presentation, ‘No. Ostriches are not great strategists!’ Calegare, founding director of cyber security advisor RightSec, said a head-in-the-sand attitude to cyber security was rife in the boards of Australian organisations.

Through RightSec Calegare is the virtual CISO for large enterprises. She does not portray it as a rewarding experience. “I’ve been doing this for a long time. I arrive [at a board meeting] having the opportunity to present and talk, but it’s not always the reality,” she said.

“When we have board meetings everyone gets a window of time, 40 minutes, 30 minutes, and then the CISO gets about five minutes. And they are advised in advance: ‘We want to hear about the things we are doing well. Don’t be a fear monger. This is not relevant for us.’

“And there is an agenda: what you can or you cannot discuss. And even when the message the CISO is conveying is accepted, it is not something for today. Because everything else comes with RoI. They have a new product to launch. They want to merge and acquire other companies.

CYBER SECURITY DOES NOT GROW A BUSINESS
“[They say] ‘cyber security is not bringing us any money. We have new strategies. We have new plans. We are growing. Everyone is invited to the table. Let’s talk about finance. Let’s talk about the new market, compelling innovation, and transformation. And we don’t need someone that will come and hinder our ability to grow.’”

This top-level attitude to cyber security, Calegare said, then percolates through the organisation making the CISO’s job difficult. “When the CISO attempts to build relationships and get people to implement the controls he [or she] has identified, he [or she] has no success, because the time needs to be set from the top and is not there. Cybersecurity is not a priority for the board of directors. It is not a priority for the C suite. It is not a priority for anyone.”

There was, she said, one sure-fire remedy for this state of affairs, but not one that any CISO would welcome.
AUSCERT 2022 FEATURE
“It takes a disaster before many companies give cyber security the priority it deserves. If you want to know the most secure companies, go and look to the ones that were hacked two months ago, because they will have the people, they will have the money, they will have everything else, but by then they have a damaged reputation and financial loss.”

QUANTIFYING APPROPRIATE CYBER SECURITY
Whilst it might be difficult to get boards and the C suite to qualitatively assign the appropriate priority, and following that the resources, to cyber security, Calegare said a simple formula could be used: percentage of revenue, percentage of IT budget, or percentage of IT expenditure per employee.

She cited figures from Deloitte that put the appropriate cyber security budget at 0.34 – 0.48 per cent of annual revenue or 10.9 per cent of the annual IT budget.

“When I work with my clients we define a roadmap. We prioritise projects and tasks and we cover the cost of having processes in place, having people and buying technology. From 0.3 to 0.5 per cent of their annual revenue goes on cybersecurity.”

There were also, she said, ways to raise board and leadership awareness of the risks associated with inadequate investment in cyber security.

“The Australian Cybersecurity Centre has specific material for executive leadership. If you call them they will even come in and deliver presentations or provide webinars.”

And she suggested a book: The Secure Board. “If they’re going to invest their time in reading a book, this is a good one. I call it strategic reading that connects the points.”
VANNESSA MCCAMLEY
OVERCOMING OBSTACLES WITH THE BRAIN IN MIND By Vannessa McCamley, Leadership and Performance Consultant, Coach, Facilitator, Author and Keynote Speaker
Obstacles are part of life. They come in many forms: a large tree blocking the road when you’re driving to your holiday destination; working remotely during a global pandemic; losing incorrectly saved data files; losing a big client or experiencing a health crisis. Sometimes obstacles appear insurmountable yet they must be overcome.

The aim of this article is to explain brain-friendly models of thinking and options that enable you to overcome obstacles without draining your precious energy and time.

LET’S DEFINE AN OBSTACLE
The dictionary defines an obstacle as “something that stands in the way or that obstructs progress, a hindrance, impediment, or obstruction.” Obstacles can be conceptualised as interfering forces that impede the standard course of action and must be removed or otherwise dealt with if one wishes to reach the desired end-state.

Obstacles come in many shapes: physical; social; mental. They can appear in a variety of settings (eg, organisational, private, clinical).

Sometimes obstacles can be bypassed by a change of thought or action. Sometimes they will slow progress until a workaround can be found. Sometimes they will reduce progress to a standstill until they can be removed or bypassed.

Have you noticed that the more we resist life’s obstacles the more stressed we feel? It seems so counterintuitive. Yet when things are beyond our control, we can control only the way we react to them. Often we regret things that have already happened or resist things that may happen and these responses keep us stuck, holding on to what might have been or what we wish would be.

Humans are time travellers. We can go back in time through memories and forward to imagined future events. Our brain is a prediction machine that craves certainty, and the best way to predict the future is to create it. How we perceive and label life’s experiences impacts how we store them in our brain’s filing system. Faced with the current overwhelming volume of information, fewer resources and reduced budgets, we tend to primarily use our short-term memory. This means we are typically not creating sufficient long-term memories to draw upon for innovation, problem-solving and decision-making.

EMOTIONS ARE CONTAGIOUS
Emotional contagion is the process by which an observable behavioural change in one person prompts the reflexive production of the same behaviour by others in close proximity with the likely result of emotional convergence (Panksepp and Lahvis, 2011). Our ability to regulate emotions contributes to how we bounce back from obstacles, hardship, disappointments, uncertainty and unexpected change.

How you show up every day and respond to life and work challenges affects those around you. You can affect the performance and productivity of those around you if you’re in a bad mood or sending out negative energy. The reverse is also true; if you are happy, joyous, positive and calm you can lift the performance and productivity of those around you.

In our current frenetic world being calm is critical to creating ideas and solutions and making sound decisions. I recommend not making important decisions when your emotions are heightened: it can result in more challenges than you bargained for.

Emotions are like the weather: you get to decide each day whether you are bringing the sunshine, clouds, rain or lightning.

Research indicates that leaders of high-performance workplaces and teams make their people laugh and smile three times more than those in low performing workplaces. Leaders in high-performance workplaces create an environment where people feel more rewarded by being valued, proud and cheerful.

RESILIENCE STRATEGIES FOR OVERCOMING OBSTACLES
When I worked for an IT security organisation the company offered clients a fantastic service called an incident response plan (I am sure this is familiar to many of you). This is a set of instructions to help clients mitigate any potential IT security risks and breaches, and so reduce the chances of cybercrime, data loss and service outages that threaten daily work.

We sometimes have great processes like this in place for our professional lives, but not when dealing with our day-to-day challenges. We don’t have a resilience plan as we do for our response to a fire in the workplace.

A RESILIENCE PLAN APPROACH FOR WORK SITUATIONS
This is for when things don’t go to plan, or when you’re dealing with the unknown. I recommend answering these questions in a calm state before an incident, obstacle or threat state manifests.
Introducing the PIR Model to prime the brain for obstacles

Proactive protection – What can you do every day to prevent known and unknown issues from interfering with your plan, goal or intention? Examples: exercising, taking brain breaks, protecting your deep thinking time, prioritising tasks, scheduling time in your diary for the unknown and reflecting on what is and isn’t working.

Identify your threat and reward triggers. What is in your circle of influence? What do you spend significant time thinking about, even though you have no control or influence over the outcome? What can you do to mitigate or reduce the risk?

Incident response – Consider the steps, processes and options at your disposal. Identify people who can provide advice on the obstacle or incident. Consider creating a communication plan that incorporates internal and external stakeholders. Check that your ‘go-to’ people are happy to be on call and know how best to reach them.

Tip - Have some draft communications prepared ahead of time so all you need do is fill in the detail/blanks of your particular challenge. What are some of the goal posts you can move closer? Feeling you have accomplished even a small task will keep you motivated. Feeling ‘on purpose’ in your work is a key contributor to positive emotional wellbeing.

Remediation – What is your plan for applying the key learnings and removing the issue, challenge or obstacle when you next face a similar challenge? Aim not only to quarantine the problem but prevent it from recurring. It’s time to get off the roundabout of doing the same thing repeatedly and expecting a different outcome (the definition of insanity).

When it comes to generating ideas, identifying options or finding solutions to problems our brain is like a filing cabinet. In busy situations, we tend to use the first drawer in the cabinet (our short-term memory) for our initial ideas, especially if we feel under pressure to deliver. For some people the first idea may be the best option. For others allowing time to dig into long term memories to evaluate options is better. By creating a plan with evaluation options whilst calm, you are prepared when the storm or lightning hits.

Obstacles come in all shapes and sizes that every human being must deal with regardless of who they are and where they come from. How you perceive and approach an obstacle is key to the choices you make and the outcomes of your decisions. In my experience it is not what happens to you that is most important, it is how you respond.

ABOUT VANNESSA MCCAMLEY
Vannessa McCamley is a leadership and performance expert specialising in neuroscience practices that help individuals and businesses grow in meaningful ways whilst delivering measurable results in healthy ways.

She has a passion for helping people and businesses to overcome obstacles and enabling them to reach their strategic goals. She brings a strong background in IT security and more than 20 years of business experience in working extensively with individuals at all levels and from several industries.

She is the author of REWIRE for SUCCESS – an easy guide to using neuroscience to improve choices for work, life and wellbeing.

www.linkedin.com/in/vannessa-mccamley/
linksuccess.com.au/contact-us/
linksuccess.com.au/rewire-for-success/
How to Create Your Circle of Influence
With Helen Robinett
A Hybrid Event @EY Melbourne
Date and Time: 20 July 2022 at 5:30PM
Venue (onsite with networking): EY Melbourne, 8 Exhibition St, Melbourne
Available also virtually via ZOOM

ABSTRACT
Here’s where you get to really think about who is in your direct circle of influence in your life. It’s a bit of an audit. We take a look at who you currently have there, and we will also create a new desired circle of influence for you. This is all about getting you closer to your goal. By now you know that it is not so much about what you know in life but who you are connected to. That is what will have massive impact on your career success. It is easy to play nice and be connected with all the nice people. But they are not the ones to further your cause, are they? Let Helen take you on a journey of specifically who you need and how to assess them so that you are well placed to be influential!

ABOUT HELEN ROBINETT
Helen is an expert in Reputation Management and a Super Connector. Founder of Get A Seat on a Board - a practical, hands-on step-by-step program specifically designed to help smart accomplished leaders manage their own reputation for the next stage of their career.
New pilot program launched to increase the number of Victorian women in cyber security

THE AUSTRALIAN WOMEN IN SECURITY NETWORK (AWSN) IS PROUD TO ANNOUNCE THE LAUNCH OF A NEW INITIATIVE TO INCREASE THE NUMBER OF WOMEN IN TECHNICAL CYBER SECURITY ROLES AND IN SECURITY LEADERSHIP ROLES ACROSS VICTORIA.
“Cyber security is a rapidly growing industry and we’re thrilled to support more women to take up new jobs and new careers in cyber. We’re investing in Victoria’s cyber security industry so businesses and other organisations can stay ahead of existing and emerging cyber attack tactics.” – Jaala Pulford, Minister for Innovation, Medical Research and the Digital Economy.
“Diverse workforces are stronger workforces and our Cyber Strategy 2021 is supporting programs that deliver on diversity, bringing more women into crucial roles to build a more robust and representative cyber industry.” – Danny Pearson, Minister for Government Services.
“I hear about women in IT roles wanting to get into cyber. Many years ago, when I was in an IT helpdesk role, I got the opportunity to retrain in networking and information security through my work. I think it’s great to be able to give back and provide these types of opportunities that offer more talented women pathways into this industry. We need more skilled professionals and what better way than to reskill those who already have years of work experience in another field.” – Jacqui Loustau, AWSN Executive Director and founder.
“As a woman, a lawyer, and a security professional with over 20 years of experience, I can vouch first-hand for the benefits of education. Victoria is known as the ‘Education State’ - having built an education system that produces excellence and reduces the impact of disadvantage. Personally, and as an executive of the AWSN, I am thrilled to be associated with the Victorian Government in this new initiative that will open career pathways and produce leaders in this essential field of study and practice.” - Helaine Leggat, AWSN Co-Chair
Twenty-six women will be selected to participate in these two pilot programs.

AWSN is the nationally recognised association for women in security and these pilot programs will help address the predicted 18,000 national skills shortage* in the cyber security sector by attracting, retaining and developing women.

The initiative is supported by the Victorian Government and is for women in IT and security who are interested in learning and building their confidence and skills in cyber security.

The Women in Leadership pilot program is for security professionals wanting to step into a leadership position. This program includes:
• An AWSN welcome session with face-to-face networking.
• Four-day in-person ISACA Certified Information Security Manager (CISM) training.
• ISACA CISM Certification.
• Eight sessions of Women in Leadership Coaching.
• Powerful presenter training.
• AWSN Women in Leadership Forums.
• Mentoring.
• AWSN membership.

The Security Pathways pilot program is for IT or intelligence professionals looking to cross-skill and move into cyber security. This program includes:
• An AWSN welcome session with face-to-face networking.
• A two-day in-person specialised security workshop that provides hands-on training in structured analysis, threat intelligence and threat hunting.
• Four days in-person Certified Systems Security Certified Professional (SSCP) training.
• ISC2 SSCP certification.
• A career advice and CV guidance session.
• Access to the AWSN mentoring program and platform.
• AWSN membership for one year.
TO FIND OUT MORE, PLEASE VISIT HTTPS://WWW.AWSN.ORG.AU/ FOR FURTHER INFORMATION
LITTLE BUTTERFLIES FLYING HIGH by Stuart Corner | Interview with Little Butterflies Team
The Tech Girls Movement Foundation has a vision: to create a society in which girls confidently lead in STEM entrepreneurship and contribute to their community and the economy.

One way it seeks to achieve this is through its annual Techgirls competition in which girls from seven to 17 are required to demonstrate “problem-solving through a social, business and technical lens, producing high-quality business plans, pitch videos and working app prototypes.”

Highly commended in the Secondary School Regional category in the 2021 Techgirls competition was Little Butterflies, a team of four girls from the same family. The team’s entry was HackR, an online game designed to teach children cyber safety skills.

HackR is set in a world of whitehat and blackhat hackers in which the user plays the whitehat hacker helping people who have been hacked and teaching them how they can protect themselves from being hacked again.

Little Butterflies’ team members — Amelia, Addison, Isabelle and Eden — have all been home-schooled in the Munday Family Home School. Amelia (17) and Addison (13) are teenagers studying at university (Yes, Addison is only 13 and already in the first year of a Bachelor of International Business Studies at the University of Adelaide). Isabelle (10) and Eden (9) are still in primary school. They formed Little Butterflies in 2017 and came up with their first app: Talk to the Hand – My Bucket’s Full. It won the 2019 Junior Student category in the AIIA NSW iAwards. Another app, AI Interpreter of Auslan, won the 2021 AIIA NSW Education & Student Solution of the Year award. This gave the team its name: butterflies are deaf and ‘hear’ through their feet.

GOOGLE TRANSLATE FOR AUSLAN
They describe the AI Interpreter for Auslan as the Google Translate of Auslan. “It allows two [hearing impaired] individuals to have a conversation regardless of the language barriers. Currently, this does not exist, despite language translation programs being available in almost every other language. Using existing technologies of artificial intelligence and machine learning the program will be taught to recognise hand gestures, body language and facial expressions to interpret the intended message. … Ultimately, we are combining several pre-existing technologies to enhance the life of deaf Auslan first language users.”

Talk to the Hand – My Bucket’s Full “addresses the issue of sensory processing disorder, a condition in which the brain has difficulty processing information from our seven senses. … It aims to provide individuals with a sensory diet approach that will minimise states of stress, ie their bucket overflowing, and be a preventative measure to maintain an individual’s optimal state.”

They have entered HackR for the 2022 AIIA iAwards and are now working on their next project for the 2022 Techgirls competition. And there is more: they are also competing in the First Lego League as TEAM Apollo and in the First Australia robotics competition as members of the Thunder Down Under team.

They say their goal in developing HackR was to provide kids with online self-defence skills. “We realised a lot of the information available is aimed at parents and teachers. While a lot of the information explained the threats and how they occurred, there was little about what skills we need to know to prevent the risks.”

HackR teaches children about creating safe passwords, accessing safe websites, online information sharing, secure websites for online payments, what a cyberbully is and what to do in a cyber bully situation, social etiquette of online communication, etc.

Their goal is to have the app available through Google Play and Apple Store by the end of 2022. They would like also to partner with state education departments to implement the program in schools as part of the cyber awareness curriculum.

TELCO PARTNERS WANTED
“We would also love to partner with telecom companies to have them provide the app to families when they sign their children up for online accounts,” they say. “Unfortunately, we have had no luck getting any telecom companies to even reply to our emails or return phone calls for us to pitch our idea.”

They used the code.org app lab to develop the working prototype of HackR and Adobe Illustrator to develop its visual content. An early version was road-tested on a cohort of 20 children and adults aged from six to 23 years. They also included a text-to-speech feature for children already using technology but with poor reading skills.

Little Butterflies has also developed a workshop for children based on the app that can be run in schools or holiday programs. “Feedback from our first holiday program run in April 2022 suggests the participants really enjoyed the learning and many said the app games made it interesting to learn,” the team said. “They loved the challenge of being white hat hackers and beating the bad guys. Gamification of learning was the key.”
www.facebook.com/FullS.T.E.A.M.Ahead.technology/
www.fullsteamahead.technology
CRAIG FORD Cyber Enthusiast, Ethical Hacker, Author of A hacker I am vol1 & vol2, Male Champion of Change Special Recognition award winner at 2021 Australian Women in Security Awards
COLUMN
Failure to induce change

I want to admit to something in this piece, something that many of you, if you were being honest, would also admit to. I have been writing articles, books and doing podcast interviews for several years since I stepped forward to try and produce change in our industry. I wanted to tell it like it is, to share what I learn in the ditches every day, and to really encourage change from within.

I think I have failed. I think we have all failed to produce real change.

Why? Every day organisations are destroyed because of cyber incidents, many of which are preventable. Organisations are still not implementing basic security measures correctly. Backups are not being checked and maintained. Updates are not being installed promptly (if you have updates that were released more than 30 days ago, you have an issue). Yes, I know some things can’t be patched and some patching is risky, but where there is a will, there is a way. It is all a matter of priorities.

I have been banging on about security basics for three or four years. Nothing has changed. That is a failure. Don’t get me wrong. I think we are doing a little better than we were, but security breaches still happen every day. However, we can learn from these failures. If the approach we are taking to security is not working we can step back and try something different.

We can examine the problem in-depth and, as an industry, think about what we are doing, find a way together to get the message across and drive change in the companies and clients we all work with.

I see many of you trying to spread the same message as I. We all want the same thing. We just need to figure out how best to show its importance, show that those who invest their time and effort will get a return. These people eschew the new shiny toys, the ones with all the fancy blinking lights that their company just bought because they were flavour of the month but which no one understands or knows how to set up; the ones that swallowed half the annual budget.

Let’s stop, start a dialogue with each other, map purchases to problems. If something does not solve a problem, don’t buy it, no matter how convincing the sales pitch. It’s simple really.

Secondly — and I know it is boring and probably not what you want to fix or even focus on — let’s get the basics sorted. I really don’t want to be sitting here writing about failure again in 2023 (I promise you, I will if I need to, but I would prefer not to).

www.linkedin.com/in/craig-ford-cybersecurity
www.amazon.com/Craig-Ford/e/B07XNMMV8R
www.facebook.com/pg/AHackerIam/
twitter.com/CraigFord_Cyber
TECHNOLOGY PERSPECTIVES
OUTREACH IS PUTTING DIVERSITY AT THE HEART OF CYBERSECURITY’S CULTURE by David Braue
Targeted engagement is tapping the strengths of previously disenfranchised communities
A recent university graduate with a Bachelor’s degree in International Relations and majoring in language and culture, Jasmine Woolley had already developed a novel worldview long before she even contemplated working in cybersecurity.

Yet as she builds her career as a governance, risk and compliance security advisor with security firm Trustwave, Woolley believes many of the challenges facing the cybersecurity industry resonate with attributes of the First Nations cultures that have honed ideas around resilience, security, and continuity for thousands of years.

“Australia uses conventional thinking to solve non-conventional problems,” she said in a recent address to the AusCERT security conference in which she highlighted the core elements of the ‘village mentality’ that Australia’s Aboriginal and Torres Strait Islander communities have long used to work together on problem-solving. In cybersecurity as in remote villages, Woolley explained, “we need to adapt, leave our egos at the door, and work as a team” to collectively address the challenges that face the group.

“There has been a socio-political order in place for the past 65,000 years, and throughout that time the value of relationships has been paramount,” she said.

Similarly, that mentality “is part of a robust, defendable, adaptable cyber security strategy… We respect the sovereignty and the rights of others, and we treat all with respect. We manage the diversity between cultures and any conflicts and tensions that have previously occurred.”
A range of other concepts have strong parallels between the First Nations mindset and cybersecurity problem-solving, Woolley said, noting the value of ‘autonomous regard’ – in which problems are solved by weighing and scaling all factors to develop solutions that benefit the whole – as well as ethical frameworks and concepts of moral wisdom and adaptability.

“It’s an ecosystem,” she said, “in which all of these concepts interrelate and interconnect. We need everything to function at optimal efficiency, or else our diplomatic standing and best interests can be placed at risk.”

REACHING ACROSS THE DIVIDE

Woolley is currently pursuing a Master’s degree in national security policy studies, with a major in cyber warfare and counterterrorism – and she believes that while the industry is expanding its inclusion, many disadvantaged groups are still struggling to get a look in.

The latest findings of the regular Digital Inclusion Index support her assertion, with 11% of Australia’s population rated as being ‘highly excluded’ from Australia’s increasingly digital community, and a persistent gap linked to education and affordability despite a steady national increase.

Although Australians’ digital inclusion scores are increasing across the board, they decline noticeably with age – highlighting the limited opportunities for older Australians to participate in digital industries and communities.

First Nations Australians suffer an equally problematic digital inclusion gap, with one in four homes still lacking access to suitable connectivity despite evidence suggesting those who can get access to the Internet tend to warm rapidly to its possibilities.

“Unfortunately not all Australians have the same access to digital technologies,” said AWS partner solutions architect and head of Aboriginal affairs Michael Hill, noting that this shortfall limits the ability of groups like First Nations Australians “to benefit from the opportunities that come from that.”

“One way we can work at this,” he said, “is to attract more Aboriginal and Torres Strait Islander peoples into the growing tech sector to become the leaders of today and tomorrow…. It is in all of our sphere of influence, and our interests, to have a positive impact on digital inclusion.”

After years of relative indifference, the cybersecurity industry’s chronic skills shortage has driven cybersecurity industry organisations to actively engage with marginalised groups that have new perspectives – and, in many cases, well-established skills – to contribute to the cause of cybersecurity.

First Nations-owned technology companies like Yirigaa, Willyama, Goanna Solutions and Baidam – which helped place Woolley with Trustwave – are finding strong success in creating opportunities for First Nations people who, many cybersecurity managers are coming to realise, often bring new cognitive perspectives and problem-solving thought processes frequently backed by the logical structures of highly multilingual brains.

Such capabilities can be found in a whole range of cultural groups: having recognised that Latina women comprise just 2% of the IT sector, Kim Bonilla – AWS go-to-market growth lead for SaaS – set herself to increasing the representation of women of colour.

“We want to build diversity amongst women and identify the challenges that women of colour face, looking at carers in tech and building their networks to help them develop their skills into leadership,” she said, noting that the AWS She Builds chapter she founded has engaged with over 90,000 women since 2018.

“We want to encourage and build more awareness and look at how we can become better female role models for women across all skill levels,” Bonilla said, “and we want to debunk those preconceived notions on biases within the tech industry.”

“We want to amplify their voices, and we hope that we can enable our future leaders of tomorrow and provide them with mentorship as well.”

BUILDING A STRONGER CYBER DEFENCE

Other underrepresented groups are also coming into focus, thanks to the efforts of diversity-minded entrepreneurs that have enjoyed significant success engaging with neurodivergent communities, military veterans and other groups to increase the diversity of their employee bases.

The Australian Defence Force’s ADF Cyber Gap Program, for example, provides extensive online learning to complement tertiary study as well as a range of networking and mentorship opportunities to help participants step into a cybersecurity career.
Just as many First Nations people’s cultural attributes provide new angles on cybersecurity challenges, so too have organisations warmed to the problem-solving, teamwork and other skills that ADF veterans develop during their tours of duty. That has made them hot property within the cybersecurity community, which has embraced the large pool of military veterans whose skill sets are often well aligned with those necessary for cybersecurity success.

It’s a program that has traditionally been difficult to access: whereas 71% of companies in security firm Fortinet’s recent Global 2022 Cybersecurity Skills Gap Report said they had programs in place to recruit new university graduates, for example, just 53% said the same about recruiting veterans. Such programs were only marginally more common in the recruitment of minorities (for which 61% of companies had formal structures in place) and women, for which 70% of companies have developed formal recruitment structures.

Although those figures suggest more companies are working to engage minority groups, Fortinet – which maintains its own veteran recruitment program through its Education Outreach training arm – notes that “hiring from these populations is a top-three challenge for organisations… the challenge isn’t just hiring more people but also building more capable and more diverse teams.”

Corporate programs in large businesses like IBM, PwC, and Lockheed Martin are increasingly tapping veteran communities to fill out their cybersecurity ranks, while independent organisations like Soldier On and WithYouWithMe are doubling down after enjoying significant success in rehoming veterans in cybersecurity careers.

WithYouWithMe, for its part, has provided jobs and training to over 20,000 people and this year expanded globally on the back of a $34m contract with the UK Ministry of Defence that will see it delivering digital skills training to help veterans and neurodivergent workers transition into cybersecurity careers.

Woolley, for one, is inspired by the success of such programs – and believes they show how well a broader understanding of diverse mindsets can help the industry capitalise on the natural talents of diverse cultures and occupations.

“As an industry,” she said, “we understand that some individuals on the neurodiverse spectrum are better than others at solving complex coding problems, finding vulnerability problems embedded in code much more efficiently than those that are not on the spectrum.”

“Certifications and skills in this example are not relevant; we are harnessing a different thought process. If we can accept that as an industry, then let’s introduce cultural knowledge as well.”
DIANA SELCK-PAULSSON
CHARL VAN DER WALT
WHY IS THE CURRENT THREAT OF CYBER EXTORTION SO PERSISTENT? by Diana Selck-Paulsson, Lead Security Researcher and Charl van der Walt, Global Head of Security Research at Orange Cyberdefense
Ransomware has featured frequently in the news in recent years. In a classic ransomware attack, threat actors gain unauthorised access to an individual’s or business organisation’s network. Files and systems are encrypted and the availability of said files and systems is threatened. A ransom is demanded in exchange for the decryption key. This is a well-understood and frequently-described form of crime.

One thing has changed in this story. There has been a major evolution from a ‘classic’ ransomware attack. Since 2019 we have observed threat actors creating a ‘website’ on the dark web, often referred to as a ‘ransomware leak site’, where they post their victim’s details and thus name and shame them. This is often called ‘double extortion’. Money is extorted from victims not only to regain access to their files and systems but also to have their previously-stolen data returned.

Double extortion surfaces several issues. First, it raises the question of whether the term ‘ransomware’ is still appropriate. We no longer always see malware deployed in these attacks. Instead, several other extortion techniques are applied, such as the threat of a denial of service (DoS) attack, the threat to sell the victim’s data to competitors, or the threat to inform local data regulation agencies about the breach. These techniques often serve the primary goal of extorting payment, and some threat actor groups have publicly announced they no longer see the need for encryption. Consequently, we prefer to call this form of crime “cyber extortion” because it better captures both the essence and the technical diversity of the crime.

Secondly, we need to move away from looking at cyber extortion as a purely technical problem and take a more high-level, multi-disciplinary approach that views cyber extortion as a phenomenon impacting not only individual networks but also important services and functions of society. It is particularly useful to shift from a malware-focused approach to a criminological approach that examines these phenomena as crimes of extortion. By doing this, we hope to get a better understanding of how cyber extortion works, explore some ideas on why it’s so persistent and learn how we can disrupt it.

In criminology, there are many different approaches to the study of crime and patterns of crime. One, classic, theoretical framework is the Routine Activity Theory (RAT), developed in 1979 by researchers Cohen and Felson at a time when cybercrime was not a problem. Cohen and Felson were trying to understand why crime rates were high when unemployment rates had decreased and levels of education had increased. They found changes in structural patterns of people’s daily routines were impacting crime patterns. More specifically, they found women were starting to participate in the labour market, leaving houses and property unprotected and attracting more offenders. At the same time developments such as the growing number of small, lightweight electronic home appliances in the average household presented thieves with something valuable and easy to steal.

These societal changes can be seen as an analogy for the persistence of today’s cyber extortion threats. First, cyberspace has grown exponentially and has been left largely unprotected. This is of course due to the challenge of having ‘guardians’ everywhere at all times. Secondly, the digital assets being stolen for extortion have the same characteristics as electronic home appliances had in the 1970s. They are small, without much weight and have a high value.

Interestingly, Cohen and Felson considered a crime as opportunistic, which again is a close parallel to cyber extortion. In our research we observe cyber extortion attacks to be opportunistic rather than targeted, making the RAT framework a perfect tool for studying and understanding the current cyber extortion threat from a criminological point of view.

APPLYING ROUTINE ACTIVITY THEORY TO CYBER EXTORTION

Routine Activity Theory requires three components to be present at the same time and in the same space for a crime to be likely to occur. These components are:
• A motivated offender
• A suitable victim
• Lack of a capable guardian

Figure 1: Routine Activity Theory applied to cyber extortion, Image: Security Navigator 2022

If we apply this framework to the crime of cyber extortion we see all the components are present, which helps us understand why this threat is so persistent. To begin with, we observe motivated offenders. The offenders in this form of crime can be:
• the Initial Access Brokers (IAB) who gain unauthorised access and sell this access to ransomware operators.
• affiliates who help distribute malware and/or apply extortion techniques to their victims.
• the ransomware operators themselves who develop the code, coordinate the criminal organisation and maintain the leak sites and negotiation chats.
The motivation for the majority of these players is financial gain.

The second component, a suitable victim, we can identify as any entity impacted by this threat, such as a business.

Lastly, a capable guardian in this case could be an object or a person. In cyber this could mean firewalls, IDS/IPS or other technical security controls, or it could mean people such as cyber security analysts monitoring a potential victim’s network.

The availability of these guardians, which influences the likelihood of a crime occurring, can vary greatly. Only those who are willing or able to invest in them may be able to prevent this form of crime. Even then there are limitations. One limitation is that, while technical guardians such as hardware and software security controls have the potential to be effective, they can also introduce additional vulnerabilities by adding more technologies to a technological problem. Social guardians such as security analysts have limitations of scale similar to law enforcement: they cannot be everywhere at all times. In general, therefore, we lack the capable guardianship needed to deter cyber extortion effectively.

Clearly, a motivated offender, a suitable victim and the lack of a capable guardian can explain why cyber extortion is so successful and so persistent today.

So what can we do about it? The Routine Activity Theory suggests that if we manage to disrupt one of the three components the likelihood of crime to occur decreases. Let’s consider some ideas and strategies for disrupting all three components. Bear in mind that disrupting one of these factors is sufficient to effectively disrupt cyber extortion.

Figure 2: Disrupting Cyber Extortion through RAT, Image: Security Navigator 2022

Let’s start with disrupting motivated offenders. We would have to address their motivation to earn money from their criminal activities. If victim organisations continue to pay cyber extortion groups the motivation remains and the threat will persist. One way to disrupt this pillar is to evolve the role of cyber insurers from potential ‘facilitators of ransom payments’, as they have been seen in the past, to being enablers of security best practices. Additionally, we need to have a more collective focus on limiting the flow of funds to criminals through actions like sanctioning, which law enforcement and other regulators have attempted in the past. Lastly, we need to recognise that threat actors have spun their own narratives on their websites and in interviews to justify their criminal activities, describing these as ‘conducting business’ and negotiating with ‘clients’. In criminology, this technique is called ‘neutralisation’. In order to demotivate offenders, we, therefore, need to counter the language and narrative they use when justifying their different forms of crime, whether these be unauthorised access to networks, data theft, deploying malicious software or extorting their victims for money.

The second component we could try to decrease is the attractiveness or suitability of the victim. To achieve this, we need to address five victim attributes. We refer to these variables as ‘VVIVA’, and they are as follows:

Visibility: To reduce the likelihood of a business becoming a victim its attack surface and thus ‘visibility’ to threat actors needs to be decreased. The less visible, the less likely is the business to be seen and thus compromised.

Vulnerability: For a business to be less likely to be victimised, security practices need to be in place that address known vulnerabilities before they are exploited by threat actors. The fewer vulnerabilities exist, the less likely the victim will be exploited and thus compromised.

Inertia: To reduce the chances of a victim being compromised its data needs to be harder to steal. One way to do this is to add ‘weight’ and thus make it harder or noisier to steal data, eg by using encryption or honey tokens etc. The ‘heavier’ the data asset is, the harder it becomes to steal, and the less attractive it becomes to the threat actor.

Value: The less value the digital asset holds for the victim (value does not mean financial value in this case), the less incentive the threat actor has to extort money for it.

Accessibility: The less time the threat actor has in the victim’s network to discover and exfiltrate digital assets, the less data the attacker can steal and leverage for ransom.

Finally, we need to have more effective guardians in place. We could look at adding more technical guardians such as detection and monitoring systems but they introduce challenges and potential vulnerabilities that would increase the second component — the victim variable ‘vulnerability’.

An alternative approach that has not yet been considered extensively is the power of community or a community-led approach. Back in 1979 Cohen and Felson argued that guardianship through a person such as law enforcement had already been widely studied, but there was a lack of social guardianship in the form of ordinary citizens going about their daily routine in a way that could potentially disrupt crime. Their example was a community-led approach such as a neighbourhood watch whose members could organise themselves, ‘watch’ the space and thus deter crime. A community-led approach in cyberspace could be partnerships between the private and public sector and could also include security providers, law enforcement and government agencies as well as academia to collectively help ‘guard’ a space that is otherwise largely unprotected and provides opportunities for crime to occur.

www.linkedin.com/in/charl-van-der-walt/
twitter.com/charlvdwalt
www.linkedin.com/in/diana-selck-paulsson%F0%9F%8C%BB-41494754/
twitter.com/DianaSelck
SAI HONIG
COMPUTERS LEARNING TO TRUST? WHAT IS ZERO TRUST ARCHITECTURE? (ZTA) by Sai Honig, CISSP, CCSP, Co-founder New Zealand Network for Women in Security
Have you ever had a system you trusted fail you in some way? Your options may be to:

1. Never use that system again.
2. Revise the system.
3. Revise your own processes, continue to work with the system and minimise disruption to your own processes.

Option one may not be viable because you may be required to use that system. Option two may not be viable because the system may not be available for you to revise.

You are then left with option three. Zero trust could make that option more palatable.

Zero trust is not a new concept. It was first described by Stephen Paul Marsh in 1994 in his doctoral thesis. Marsh described “a clarification of trust”. He also stated: “present a formalism for trust” and “[this] formalism is implementable: it can be embedded in an artificial agent, enabling the agent to make trust-based decisions.”

In other words, trust (a human concept and construct) can be mathematically modelled and implemented in a technological world. Computers can be taught how to trust.

Many of our systems operate on a “trust but verify” model. “When identity is verified, trust is assumed and access is granted.” Once access is granted, trust is maintained and generally not verified again. However, in a world where digital identities can be misused or misappropriated at any time and where environments are changing, can we continue to trust?

This is where the concept of zero trust comes in. According to NIST Special Publication 800-207 Zero Trust Architecture, “Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (ie, local area networks versus the internet) or based on asset ownership (enterprise or personally owned).”

The NIST publication also states: “Zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.”

Cloud Security Alliance has portrayed NIST’s seven tenets for Zero Trust architectures:

While these tenets may be simple, implementing them requires a shift in how access is evaluated and determined. Tenet 3 states access is “granted on a per-session basis”. This means access is to be evaluated each and every time a session is initiated. Tenet 4 states access is “determined by the dynamic policy and other behavioural and environmental attributes.” This means policy changes are dynamic and based on changing behaviours and changing environment – not solely on predefined grants of access.

This architectural model does require monitoring and measuring of assets as stated in tenet 5. This means the “integrity and security posture” of each asset must be known and revised in a changing environment.

These concepts of trusting nothing and evaluating each and every access attempt to each and every resource and constantly evaluating the environment are not easy to implement completely, or immediately.
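The contrast between “trust but verify” and the per-session, attribute-driven evaluation of tenets 3 to 5 can be shown in a few lines of Python. This is an added example, not code from NIST, the Cloud Security Alliance or the author; the class names, attributes, thresholds and sample sessions are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionRequest:
    user: str
    credential_ok: bool   # identity verified for THIS session
    device_id: str
    resource: str
    country: str          # environmental attribute
    hour: int             # behavioural attribute (local hour, 0-23)


@dataclass
class DevicePosture:
    patched: bool
    disk_encrypted: bool
    integrity_ok: bool    # kept current by monitoring (tenet 5)


class TrustButVerify:
    """Identity is checked once; afterwards trust is assumed and never re-verified."""

    def __init__(self):
        self._trusted_users = set()

    def decide(self, req):
        if req.user in self._trusted_users:
            return True                      # later sessions are not evaluated
        if req.credential_ok:
            self._trusted_users.add(req.user)
            return True
        return False


class ZeroTrustPDP:
    """Policy decision point that evaluates every session from scratch (tenet 3)."""

    def __init__(self, grants, postures, usual_countries, usual_hours=range(7, 20)):
        self.grants = grants                  # user -> resources (per resource, not per network)
        self.postures = postures              # device_id -> DevicePosture
        self.usual_countries = usual_countries
        self.usual_hours = usual_hours

    def decide(self, req):
        """Return (allowed, reasons); nothing is remembered from earlier sessions."""
        reasons = []
        if not req.credential_ok:
            reasons.append("identity not verified for this session")
        if req.resource not in self.grants.get(req.user, set()):
            reasons.append("no grant for this resource")
        posture = self.postures.get(req.device_id)
        if posture is None:
            reasons.append("unknown device")
        elif not (posture.patched and posture.disk_encrypted and posture.integrity_ok):
            reasons.append("device posture degraded")
        # Tenet 4: behavioural and environmental attributes feed the decision.
        # Assumed rule: one unusual signal is tolerated, two together are not.
        unusual = 0
        if req.country not in self.usual_countries.get(req.user, set()):
            unusual += 1
        if req.hour not in self.usual_hours:
            unusual += 1
        if unusual >= 2:
            reasons.append("unusual location and time")
        return (not reasons, reasons)


def run_scenario():
    """Three constructed sessions for one account, judged by both models."""
    postures = {"laptop-17": DevicePosture(True, True, True)}
    zero_trust = ZeroTrustPDP(
        grants={"asha": {"payroll-db"}},
        postures=postures,
        usual_countries={"asha": {"NZ"}},
    )
    legacy = TrustButVerify()
    results = []

    # 1. Normal working session from a healthy, known device.
    s1 = SessionRequest("asha", True, "laptop-17", "payroll-db", "NZ", 10)
    results.append((legacy.decide(s1), zero_trust.decide(s1)))

    # 2. Monitoring reports the device has lost integrity; same user, same credentials.
    postures["laptop-17"].integrity_ok = False
    s2 = SessionRequest("asha", True, "laptop-17", "payroll-db", "NZ", 11)
    results.append((legacy.decide(s2), zero_trust.decide(s2)))

    # 3. The identity is reused without fresh verification, from an unknown
    #    device, in an unusual country ("ZZ" is a placeholder) at 03:00.
    s3 = SessionRequest("asha", False, "unknown-pc", "payroll-db", "ZZ", 3)
    results.append((legacy.decide(s3), zero_trust.decide(s3)))
    return results


if __name__ == "__main__":
    for legacy_allowed, (zt_allowed, reasons) in run_scenario():
        print(f"trust-but-verify={legacy_allowed}  zero-trust={zt_allowed}  {reasons}")
```

The legacy model allows all three sessions because trust, once granted, is never revisited; the per-session model allows only the first and reports why the other two were refused.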
Computing environments are changing from being solely on-premise to being hybrid and cloud-based. Devices are both corporate-owned and personally owned, as well as being located in physical corporate spaces and widely distributed in IoT environments. There are no boundaries for environments or for devices.

Implementation of a zero-trust architecture must be considered with the needs of the enterprise in mind, including compliance and regulatory requirements. The best place to start is with an understanding of the organisation’s maturity with regard to zero trust.

CISA has released a capability maturity model for zero trust and the Cloud Security Alliance has represented this model as five components (pillars) of zero trust. The value of this model is that it broadens the concepts of ‘identity’, ‘device’, ‘networks’, ‘applications’ and ‘data’. This model expands traditional ideas of what is to be protected, and how.

Ultimately, zero trust is about how to trust. It is a change from the traditional approach of simply “trust but verify”. It can be thought of as constantly verifying before trusting. It also requires an understanding that the perimeter is more porous and that identity varies. In the end, a full zero trust architecture may not be something you can implement but it may be possible to implement some aspects of zero trust.

For more information, check out Cloud Security Alliance Zero Trust Advancement Center https://cloudsecurityalliance.org/zt/. You can learn about tools and resources to learn more about zero trust and guide implementation.
www.linkedin.com/in/saihonig/
NZNWS www.newzealandnetworkforwomeninsecurity.wordpress.com
PALLAVI PHUTANE
SECURE BY DESIGN By Pallavi Phutane, Senior Consultant at KPMG Canada

Software, systems and technology are the backbone of every digital business and industry. To support digital businesses, software development processes have evolved from simply producing functional software to taking an iterative approach that better meets user needs and automating development and operations for faster lead times and optimal product delivery.

An increasing number of organisations are recognising the benefits of Agile and DevOps software development methodologies for accelerating software delivery and business innovation. However, there are often few or zero security considerations at any step in these processes. Only after a cyber attack has compromised vulnerable software do secure software development practices become a priority for many organisations.

Poorly designed, maintained and configured software is one of the main avenues through which cyber criminals gain access to systems and data. Such software often contains decade-old vulnerabilities still being exploited by cybercriminals to distribute malware such as ransomware and to conduct other cyber attacks. Enterprises fail to apply vendors’ security patches for known vulnerabilities, making their software susceptible to a multitude of attacks and breaches.

Cybercriminals are also exploiting the popularity of open-source software (OSS) in the software development world to attack software supply chains. The recent exploitation of a vulnerability in a popular open-source Java logging library, Log4j, is one example. Millions of software applications using Log4j were impacted, spreading alarm among organisations and businesses around the globe.

The Log4j exploitation served as a wake-up call for companies to take new security initiatives and strengthen their security. Given the magnitude and sophistication of cyber attacks, the need for secure software development practices has never been greater. Embedding security into software early in the development life cycle is critical to safeguard against sophisticated cyber attacks and maintain the confidentiality, integrity and availability of information and systems.

A typical product development cycle includes requirements, design, development, testing and maintenance. A secure by design approach, also known as a “shift-left” approach, means embedding security at the early stages of software development, when requirements are being formalised rather than considering security as an afterthought, with the aim being to minimise the avenues available for cyber attack. It is often much less expensive to implement a secure workflow process than to suffer the cost of data breaches and penalties for non-compliance.

So, how to become secure by design? A good first step is documenting security best practices and guidelines as part of a secure software development policy. Such a policy should define security requirements and guidelines for every stage of the software development lifecycle, as outlined below.

Planning and requirements gathering: roles and responsibilities, change management, development tools, security training and awareness, compliance requirements, privacy assessment.

Design: threat modelling, patch management, vulnerability management, data security requirements such as encryption, security architecture including infrastructure security requirements, inventory of third-party and open-source components.

Development and deployment: secure coding guidelines, unit testing, static application security testing (SAST) requirements and scanning tools, vulnerability scanning.

Testing: dynamic application security testing (DAST) tools and techniques, functional testing, internal penetration testing.

Release and maintenance: bug bounty programs, external pen testing, security assessments.

Security requirements may vary based on factors such as the development methodology being used, product type (purpose-built, internal, commercial off-the-shelf), infrastructure and development technologies. A secure by design approach facilitates increased cross-functional collaboration by creating a software development methodology best suited to an organisation’s needs for efficient and secure software delivery. Prebuilt secure development frameworks and guidelines, such as secure coding practices developed by the Open Web Application Security Project (OWASP) or the National Institute of Standards and Technology’s Secure Software Development Framework (SSDF) can be used as references to develop and structure the secure development policy. Reviewing this document at least annually will keep software development aligned with well-established secure development frameworks and help developers stay up to date with the latest software vulnerabilities and security controls.

Software development is the enabler of digital transformation, and the quality and security of software products are critical to successful transformation. The increased adoption of digital transformation and emerging technologies such as blockchain, cloud computing, machine learning and IoT are changing the security threat landscape significantly. Cyber attacks are becoming increasingly complex and unpredictable. Cloud-based application development and blockchain development are no longer future possibilities but things businesses have started to embrace to stay competitive and deliver value to customers. Cyber security is an important part of the SDLC and a secure by design approach helps reduce cost by detecting security issues early in the development process and minimising the risk of cyber attacks. Implementing a “shift-left” approach that integrates security early in the development process is essential if the software is to be secure against new threats resulting from the unprecedented speed at which the cyber threat landscape is evolving.
www.linkedin.com/in/pallaviphutane
UNCOVERING THE INVISIBLE WORLD OF ICS CYBERSECURITY by Stuart Corner
Lesley Carhart Director of ICS Cybersecurity Incident Response
Have you ever walked into an automatic revolving door? You would not be alone. Many people have had unintended encounters with this particular piece of technology, either through inattention, error or machine malfunction.

An automatic revolving door is an everyday example of something now widespread and embedded in industries of all kinds: technology that uses a variety of external sensors to control its operation and, importantly, prevent it from injuring people who interact with it.

Like any such technology, it can be vulnerable to cyber-attacks. Automatic revolving doors are unlikely to be top of any cyber criminal’s target list, but as something many people use frequently, they provided a good foundation for Lesley Carhart, Director of Incident Response for North America at industrial cyber security company Dragos, in her AusCERT 2022 keynote presentation Uncovering the Invisible World of ICS [industrial control system] Cybersecurity.

Every such system, Carhart said, represents a process loop comprising a sensor, a controller and an actuator. In an industrial facility, these process loops are much more complex. There are multiple, interacting loops and therefore much greater potential for damage and disaster. They have evolved into supervisory control and data acquisition (SCADA) systems which Wikipedia describes as “a control system architecture comprising computers, networked data communications and graphical user interfaces for high-level supervision of machines and processes.”

TACKLING THE COMPLEXITY OF SCADA

Today, Carhart said, SCADA is “super complex”. It involves controlling multiple process loops, getting feedback from them and coordinating their efforts, perhaps over a very large geographic area. “There’s a bunch of sub-processes with different devices, different sensors, different actuators and they have to work together,” she said. “So that means a bunch of protocols and things.”

At this point, Carhart introduced the Purdue Model, formally the Purdue Enterprise Reference Architecture (PERA). It is a structural model for industrial control system (ICS) security, developed in the 1990s by Theodore J Williams and members of the Purdue University Consortium for computer integrated manufacturing. It defines the different levels of critical infrastructure used in production lines and how to secure them.
WOMEN IN SECURITY MAGAZINE
28.06.2022
A U S C E R T 2 0 2 2
F E AT U R E
According to this description, PERA was ahead of
another? Have you established in advance out-of-
its time and, implemented correctly, could have
band communications, document sharing, resource
addressed many of the cyber security headaches
sharing, etc? How are you going to call one another in
faced by organisations employing ICS today. It
a call tree etc if something goes wrong?
specifies the need for an air gap between industrial control systems (ICS) or operational technology (OT)
“How do you even do OT forensics; we’re talking about
and IT systems.
PLCs and things? What are you going to do if you have a potentially compromised PLC? And you need
MEET THE PURDUE MODEL
to know if the firmware has been tampered with? Who
Anyone responsible for the security of ICS is likely
are you going to call?
familiar with the Purdue model and the major security headaches created by interconnected ICS and IT.
A DIFFERENT WORLD OF FORENSICS
Carhart’s message was that everyone with a role in
It was, she said, “a different world of forensics,” and
an organisation’s cyber security needs to know about
“there’s a bunch of different concerns that go into the
it.
OT incident response planning,” highlighting issues likely not to be considered by the average IT security
“I’m here to tell you that you do probably have
specialist.
industrial control systems in your environment. They’re all over the place. Not just in manufacturing,
“How are you going to cut things off in an emergency,
not just in transportation,” she said.
if ransomware is spreading through your ICS environment? And there are safety concerns and
“We do a lot of ICS research on trains and aircraft, but
requirements. You’re talking about hazardous
also things like your building automation and control.
environments. Do you need PPE? Do you need to be
We respond to a lot of incidents in data centres
wearing a hard hat?
around the world where there’s been an intrusion on the fire suppression system, or the heating and
“You need to know what data you have available to do
cooling. We are surrounded by industrial control and
analysis and monitoring and incident response in your
the Internet of Things, devices that control these
OT environment. How long is it retained? You might
process loops. And they do important things that we
know this well for your enterprise environment but
often don’t notice until they fail.”
we’re talking about an entirely different environment with entirely different concerns.”
Carhart argued few organisations are ready to handle such failures. “I’ve seen it go catastrophically wrong a
To help IT security people answer these questions
ton of different times,” she said, rattling off a long list
Carhart recommended the US Department of Energy’s
of questions that need to be answered.
Cybersecurity Capability Maturity (C2M2) Model, a self-survey that enables an organisation to rate itself
“When is an OT incident declared? What are your
on the maturity of the cyber security implementation
declaration thresholds? Who will do what when?
and management practices associated with its IT
How do you involve both your cyber security people
and OT assets and the environments in which they
and your OT people? They both must be part of
operate.
this response effort. How will they contact one
28.06.2022
WOMEN IN SECURITY MAGAZINE
143
NEHA DHYANI

AN EFFECTIVE APPROACH TO TRANSFORM A LEGACY SOC INTO A MODERN SOC
By Neha Dhyani, Cyber Security Leader (CISSP, CCSP, CISM, MITRE ATT&CK Certified Defender), Senior Security Consultant at Nokia Solutions & Networks

The latest Verizon Business 2022 Data Breach Investigations Report (DBIR) indicates enterprises are mostly compromised using four techniques: stolen credentials, phishing, exploiting vulnerabilities and botnets. All four are pervasive throughout the DBIR and it is evident no organisation is safe without a plan to handle each of them. Needless to say, security threats are evolving faster than security tools and technologies so it is essential to strengthen an organisation’s security posture and transform its security operation centre (SOC).

According to IBM’s cost of data breach report 2021, it takes organisations, on average, 287 days to identify and contain a data breach, more than seven months to detect a malicious attack and another 81 days to contain it. The report put the average cost of a breach lasting more than 200 days at $US4.87 million. So every second counts.

Challenges such as a large number of false positives, huge alert volumes and poor investigation workflows combined with the adoption of hybrid and multi-cloud architectures and the proliferation of devices and endpoints can overwhelm an SOC team struggling to identify, manage and remediate critical threats.

Listed below are essential steps towards modernising and transforming an SOC.

AUDIT YOUR ENVIRONMENT TO ESTABLISH HOLISTIC AND CENTRALISED VISIBILITY.

You cannot secure what you cannot see. This is why a lack of visibility into the attack surface is the top reason for SOC ineffectiveness. Thus the first step for an organisation is to identify precisely what most needs protecting: critical ‘crown jewels’, customer personal information, etc. By identifying as much as possible, whether software or physical assets, an organisation can better prioritise protection of high-value and high-risk data.

Having complete visibility across network infrastructure and operational environments, including the cloud — from both within and outside of the organisation — is the first step to ensuring effective security of critical infrastructure and information against internal and external threats. Once an organisation has a clear understanding of what is being protected, a logical next step is to identify solutions that can help ensure maximum protection.

LEVERAGING THE POWER OF AUTOMATED WORKFLOWS.

Automating elements of the SOC workflow significantly reduces the noise created by too many alerts and frees the SOC team to apply its skills and experience to actively investigate and hunt threats. It also helps reduce burnout by relieving analysts of tedious and repetitive work. Giving analysts the right set of SOC tools like security information and event management (SIEM) enables them to quickly test investigation hypotheses and deliver key benefits. For example, if an alert fires and an analyst sees a malicious domain has been accessed the analyst can, with a single click, immediately become a threat hunter and search for that indicator of compromise (IOC) across all data sources. The analyst can then automatically integrate their findings into the investigation. This streamlined workflow boosts analyst productivity, makes their work more fulfilling, and dramatically reduces alert fatigue. Finally, you can leverage the capabilities of a security orchestration, automation and response (SOAR) solution to further automate the management of, and response to, threats. To get the maximum benefit from SOAR, it’s critical to ensure its integration with the SIEM solution and with other security tools in place.

AUGMENT THREAT INTELLIGENCE WITH ARTIFICIAL INTELLIGENCE AND MACHINE LEARNING.

The most important weapon in a threat hunter’s arsenal is threat intelligence. Another key component of a modern SOC transformation is to ensure security teams are leveraging machine learning to its full potential to augment and complement humans in security. Advanced analytics and AI can significantly reduce the amount of time teams spend processing massive amounts of data in the enterprise to come up with critical security insights. Machine learning aids in speeding investigations and removing blind spots in the enterprise by automatically detecting anomalous patterns across multiple data sources and automatically providing alerts with context. This auto enrichment improves operational efficiency and frees analysts to apply their expert knowledge to intelligently detect attacks, perform alert triage and move to investigation quickly and decisively.

OPTIMISE THE SOC TEAM TO ACHIEVE MAXIMUM EFFICACY.

Beyond investing in security solutions and tools, the most important factor in any successful SOC will remain the human element. While machine learning and automation will certainly improve outcomes like response times, accuracy and remediation overall—especially for low-level, repetitive tasks—continuously training and retaining security personnel, threat hunters and architects needs to be baked into SOC transformation strategy. By optimising this human element, organisations can be more efficient at securing the business.

An organisation following this approach will transform its SOC into a modern SOC and enable its SOC team to detect, investigate and respond to threats with a higher degree of confidence.

www.linkedin.com/in/neha-dhyani-7274941/
twitter.com/Neha_dhyani1
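The single-click IOC pivot described in the automated workflows section above, as an added example that is not from the article or from any SIEM product: one domain indicator is searched across three differently shaped log sources and the hits are grouped by host. The log formats, field names, hosts and the `bad-updates.example` domain are all constructed for illustration.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample telemetry; formats and field names are illustrative only.
PROXY_LOG = """\
2022-06-01T09:14:02Z 10.0.4.17 GET http://cdn.bad-updates.example/a.js 200
2022-06-01T09:15:40Z 10.0.4.22 GET https://intranet.corp.example/home 200
2022-06-01T09:16:11Z 10.0.4.31 GET http://notbad-updates.example/index.html 200
"""
DNS_LOG = """\
2022-06-01T09:13:58Z client=10.0.4.17 qtype=A qname=cdn.bad-updates.example.
2022-06-01T09:20:05Z client=10.0.7.9 qtype=A qname=BAD-UPDATES.EXAMPLE.
"""
EDR_LOG = """\
{"ts": "2022-06-01T09:14:03Z", "host": "10.0.4.17", "process": "winword.exe", "remote": "cdn.bad-updates.example:80"}
{"ts": "2022-06-01T09:30:00Z", "host": "10.0.5.5", "process": "chrome.exe", "remote": "intranet.corp.example:443"}
"""


def normalise(value):
    """Reduce a URL, host:port, FQDN or defanged IOC to a bare lower-case domain."""
    d = value.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    if "://" in d:
        d = urlsplit(d).hostname or ""
    return d.split(":")[0].rstrip(".")


def matches(ioc, observed):
    """True for the IOC domain or any subdomain, but not look-alike suffixes."""
    ioc, observed = normalise(ioc), normalise(observed)
    return bool(ioc) and (observed == ioc or observed.endswith("." + ioc))


def parse_proxy(line):
    ts, client, _method, url, _status = line.split()
    return {"ts": ts, "host": client, "domain": url}


def parse_dns(line):
    ts, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return {"ts": ts, "host": kv["client"], "domain": kv["qname"]}


def parse_edr(line):
    rec = json.loads(line)
    return {"ts": rec["ts"], "host": rec["host"], "domain": rec["remote"],
            "detail": rec["process"]}


SOURCES = {
    "proxy": (PROXY_LOG, parse_proxy),
    "dns": (DNS_LOG, parse_dns),
    "edr": (EDR_LOG, parse_edr),
}


def sweep(ioc, sources=SOURCES):
    """Search every data source for the IOC; return hits in time order."""
    hits = []
    for name, (text, parser) in sources.items():
        for line in text.splitlines():
            if not line.strip():
                continue
            try:
                event = parser(line)
            except (ValueError, KeyError):
                continue  # malformed line: skip it rather than abort the hunt
            if matches(ioc, event["domain"]):
                hits.append({"source": name, **event})
    return sorted(hits, key=lambda h: h["ts"])


def affected_hosts(hits):
    """Group hits by host so the findings can be attached to the investigation."""
    by_host = defaultdict(set)
    for h in hits:
        by_host[h["host"]].add(h["source"])
    return {host: sorted(srcs) for host, srcs in by_host.items()}


if __name__ == "__main__":
    found = sweep("bad-updates[.]example")
    for h in found:
        print(h["ts"], h["source"], h["host"], normalise(h["domain"]))
    print(affected_hosts(found))
```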
BROCK RODERICK

THE EVOLUTION OF INVESTMENT SCAMS
by Brock Roderick, Creator of Education Arcade

Putting lipstick on the investment scam pig

QWERTYIOUP. This was reported to have been the phrase Ray Tomlinson typed into his keyboard when he sent the world’s very first email message back in 1971. You may be wondering what the phrase means or why it was all in capitals. We may never know.

Not too long after the ground-breaking, world-changing technology that was ‘email’ made its debut, scammers realised it presented an opportunity to move away from paper-based fraud and scale up at speed. Fast forward 50 years and we can confidently say their scaling operation was successful. In response, an entire industry has been created to protect people from cyber-attacks and email scams with tools that specifically identify and block these threats. Most businesses train their employees to recognise these threats by simulating malicious scam emails.

With blockchain technology hitting the mainstream over the past five years we have seen history repeating itself and scammers adapting to the new opportunities this technology offers. Instead of falling for a scam ‘investment opportunity’ in an email, people are being drawn into the world of non-fungible tokens (NFTs) and an investment scam known as an ‘NFT rug pull’.

A rug pull in this context occurs when a scammer uses blockchain technology to fraudulently raise money for personal gain. This type of scam is nothing new, but the magnifying power of social media enables it to grow very rapidly and generate a large return in a short time. This in turn enables the fraudster to cash out early. Also, by requesting payment in cryptocurrency, the fraudster reduces the likelihood they will be caught. In 2021 alone a variety of rug pulls raked in $2.8 billion, or nearly 40 per cent of all cryptocurrency scam revenue.

Something must be done, and threats like these are reasons I created Education Arcade. The mission of Education Arcade is to create safe online spaces for people. I felt we could do something to help educate and protect the public from these short-lived, high impact investment scams. Having seen the success of phishing email simulations we decided to make our own NFT rug pull simulation to show people how to identify these new-age investment scams. Here is an abridged version of how we made the world’s first NFT rug pull simulator.

STEP 1: LET’S PARTICIPATE!

To really understand all aspects of this scam I embedded myself in communities of NFT traders and scammers on Twitter, Discord and Instagram. To build an end-to-end picture I needed to learn the terminology, tools and marketplaces and, most importantly, observe the behaviour of players in the community. I had thousands of interactions with people, used art generation and NFT minting tools, dodged hundreds of direct scam attempts and critically reviewed hundreds of upcoming NFT investment projects. When I finally left the space I felt sad and disappointed, primarily because the two things I absolutely love—art and games—were being abused repeatedly by these investment scams.

[Figure: Education Arcade’s NFT Rug Pull Simulator]

STEP 2: LET’S SIMULATE!

To simulate I decided to emulate, and the best place to find something to emulate was NFT Calendar, a website commonly used by NFT rug pullers to promote their scams. I picked the most scammy looking project I could find, called ‘Embers’, and created an over-the-top, exaggerated version of its webpage. I decided to call my simulation the ‘Rainbow Rug Pull Warriors Club’ and made each claim wilder and more unbelievable than its predecessor.

Peppered throughout the simulation is a trusted character, affectionately named Eddie, who analyses each claim, explains the scam tactics used to hook people, and provides some helpful guidance on how to think critically.

I was ready to launch our simulator when an interesting piece of news hit my inbox. The creators of the NFT project ‘Embers’ had been arrested and charged with conspiracy to commit wire fraud and money laundering for repeated NFT scams. We had picked the right project to emulate!

STEP 3: LET’S EDUCATE!

It was paramount to get this website in front of people new to the NFT marketplace. These are the people unknowingly stepping into a scam minefield. Using what I had learned, I created a range of ‘Rainbow Rug Pull’ tokens that directed people through to the scam simulator, and the educational material on the Education Arcade website.

To reach the vulnerable people most in need of training in spam awareness we identified those active in the NFT marketplaces, social media and community groups. We ‘airdropped’ one of our tokens containing a link to our website and we monitored their interactions with our educational resources. This was a unique, and by far the most interesting, way in which we provided free security awareness education to people.

Using a range of methods our NFT investment scam education reached over 200,000 people, and with 24 per cent of engagements to date being positive we hope Rainbow Rug Pull will continue to make a difference to the personal security of people in these online spaces.

www.linkedin.com/in/brock-roderick-17a92a108/
www.linkedin.com/company/education-arcade
www.educationarcade.co.nz/
MEGHAN JACQUOT

INTELLIGENCE MAKING A DIFFERENCE IN SECURITY
By Meghan Jacquot, Cyber Threat Intelligence Professional

There’s data everywhere and the amount of data will only continue to increase. Cyber security professionals can easily become overwhelmed with alert fatigue and at times some professionals can be uncertain about how to prioritise their findings.

That is why cyber threat intelligence (CTI) is crucial. In our world of data, where data is sometimes referred to as liquid currency, understanding the context of data in this flood of information can help drive decisions.

GETTING STARTED WITH INTELLIGENCE: ASSET MANAGEMENT

How does an organisation go about building CTI into its existing cyber practices? It is difficult to protect a system when that system is a mystery. So one of the first steps is to determine what that organisation has within its network, to establish a software bill of materials (SBOM) and keep this up to date. The US Cybersecurity and Infrastructure Security Agency (CISA) defines an SBOM as: “a nested inventory, a list of ingredients that make up software components.” CISA provides resources for establishing an SBOM program.

SBOMs will help with software asset management, but organisations have technical assets other than software. Another crucial component of asset management is a deep understanding of how an organisation’s network works: what is connected to what, what protocols are used, where the endpoints are and what they comprise. Additionally, there should be plans for dealing with end-of-life of data, systems and software, both in-house and third-party. Once those pieces are in place an organisation can move to the next step.

VULNERABILITY MANAGEMENT

There will always be new vulnerabilities and as a security team becomes more robust it will need a vulnerability management program. 2021 was identified by Google’s Project Zero as the year with the most zero-day vulnerabilities found in the wild. A vulnerability management program should include ways to prioritise new vulnerabilities including those newly disclosed, zero-days and previously known, but updated and actively exploited vulnerabilities. Most vulnerability management programs are unable to patch 100 per cent of disclosed vulnerabilities and often it is not possible to patch immediately because comparative studies need to be undertaken. Patching a vulnerability could break other systems in a network, so a patch must be tested and verified, and patch applications must be prioritised. This can be achieved using systems like the ratings from the National Vulnerability Database (NVD), incorporating criticality levels and analysing the complexity of an exploit. Additionally, having the above-mentioned knowledge of software and networks will help to assign priorities to patches.

Figure 1: Google’s Project Zero graph of zero-days by year (Source: Project Zero)

DATA LOSS PREVENTION

After establishing an asset management program and a vulnerability program a team needs to verify how it protects data. There might already be a data loss prevention (DLP) program but using threat modelling to test the program can help identify vulnerabilities or single points of failure. ISACA provides details about DLP programs and how to start one. Hopefully, your organisation never experiences a ransomware attack, an attack that leads to downtime, or a malware wiper attack. However, these attacks do happen and will continue, so it is critical to have practiced plans for data recovery.

LAYERING IN INTELLIGENCE

Intelligence can be layered in at any of the above levels. Intelligence can help an organisation analyse its assets, prioritise vulnerabilities and validate DLP plans. Intelligence helps layer in context when cyber security professionals analyse all the data. The intelligence system can be provided with alerts, intelligence reports, information sharing and analysis centres (ISACs), industry sector comparisons, malware analysis/reverse engineering, hunting packages with YARA, STIX, and Sigma rules, etc.

Threat modelling can be a powerful way to apply intelligence. The diamond model of threat modelling is frequently used to model threat actor activity. It can identify adversaries, infrastructure, capabilities and victims. Diamond models can be stand-alone or multiple models can be combined to demonstrate the lateral movement of threat actors and collaborative associations between groups. Additionally, if there is an information operation approach instead of an intrusion approach, misinformation, disinformation and bad information can be analysed.

To close out, as a cyber security program matures adding in threat intelligence can aid prioritisation and actionable outcomes and provide relief from alert fatigue.

As any program grows and iterates there will be a need for resources. Therefore, here are a variety of CTI resources.

www.linkedin.com/in/meghan-jacquot-carpe-diem/
twitter.com/CarpeDiemT3ch
www.youtube.com/c/CarpeDiemT3ch
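The patch prioritisation described in the vulnerability management section above, as an added example that is not from the article: each finding's NVD base score is weighted by the criticality of the affected asset, then raised for low attack complexity (read from the CVSS v3 vector) and for active exploitation. The weights, asset names and finding identifiers are constructed assumptions, and an asset missing from the inventory is treated as most critical.

```python
# Constructed asset inventory: 3 = crown jewels, 1 = low business impact.
ASSET_CRITICALITY = {"payments-db": 3, "build-server": 2, "intranet-wiki": 1}
# Illustrative weighting, not an NVD or industry-standard formula.
CRIT_WEIGHT = {1: 0.5, 2: 0.75, 3: 1.0}
EXPLOITED_BONUS = 2.0
LOW_COMPLEXITY_BONUS = 0.5

# Constructed findings; identifiers are placeholders, not real CVE numbers.
FINDINGS = [
    {"id": "EXAMPLE-0001", "asset": "intranet-wiki", "base_score": 9.8,
     "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
     "actively_exploited": False},
    {"id": "EXAMPLE-0002", "asset": "payments-db", "base_score": 7.8,
     "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
     "actively_exploited": True},
    {"id": "EXAMPLE-0003", "asset": "build-server", "base_score": 8.1,
     "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
     "actively_exploited": False},
    {"id": "EXAMPLE-0004", "asset": "payments-db", "base_score": 6.1,
     "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
     "actively_exploited": False},
    {"id": "EXAMPLE-0005", "asset": "legacy-ftp", "base_score": 5.3,
     "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
     "actively_exploited": False},
]

REQUIRED_METRICS = {"AV", "AC", "PR", "UI", "S", "C", "I", "A"}


def parse_vector(vector):
    """Split a CVSS v3.x vector string into a {metric: value} dict."""
    prefix, _, rest = vector.partition("/")
    if not prefix.startswith("CVSS:3.") or not rest:
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    metrics = dict(part.split(":", 1) for part in rest.split("/"))
    missing = REQUIRED_METRICS - metrics.keys()
    if missing:
        raise ValueError(f"vector lacks base metrics: {sorted(missing)}")
    return metrics


def score(finding, inventory=ASSET_CRITICALITY):
    """Return (priority, reasons) for one finding."""
    reasons = []
    crit = inventory.get(finding["asset"])
    if crit is None:
        # Fail closed: an asset nobody has inventoried gets top criticality.
        crit = max(CRIT_WEIGHT)
        reasons.append("asset not in inventory, treated as most critical")
    total = finding["base_score"] * CRIT_WEIGHT[crit]
    reasons.append(f"NVD base {finding['base_score']} x criticality {crit}")
    if parse_vector(finding["vector"])["AC"] == "L":
        total += LOW_COMPLEXITY_BONUS
        reasons.append("low attack complexity")
    if finding["actively_exploited"]:
        total += EXPLOITED_BONUS
        reasons.append("actively exploited")
    return round(total, 1), reasons


def rank(findings, inventory=ASSET_CRITICALITY):
    """Order findings from most to least urgent to patch."""
    rows = []
    for f in findings:
        priority, why = score(f, inventory)
        rows.append({"id": f["id"], "asset": f["asset"],
                     "priority": priority, "why": why})
    return sorted(rows, key=lambda r: r["priority"], reverse=True)


if __name__ == "__main__":
    for row in rank(FINDINGS):
        print(f"{row['priority']:>5}  {row['id']}  {row['asset']:<14} "
              + "; ".join(row["why"]))
```

With this sample data the 9.8-rated finding on the low-value wiki ranks last, while the actively exploited 7.8 on the payments database ranks first.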
MADHURI NANDI

THINK RIGHT SHIFT LEFT DEVSECOPS
by Madhuri Nandi, IT Security Manager at Till Payments | Creator of - ITSA

DevSecOps (development, security and operations) is an approach to software development that makes security a shared responsibility throughout the software development lifecycle. Properly applied, DevSecOps will result in software with robust security.

Traditionally security checks have always been made in the final stages of the software development life cycle (SDLC). Security was deemed to be less important than other stages. But when security teams detect any issues at this final stage, it can be almost impossible for developers to remediate them. So, security became merely a patch fix or a search for other means of dealing with the problem.

But why has DevSecOps not taken off as it should? There are a few reasons: naive DevOps thinking, a lack of real agile working practices, senior leadership teams focusing on faster application releases, and having security as an afterthought.

When security is considered throughout the development process the resulting software is secure. So, adopting a DevSecOps approach is an excellent idea. However, there are several misconceptions about DevSecOps.

DEVSECOPS SLOWS DOWN THE DEVELOPMENT PROCESS

This is not true. Consider the following scenario: you have produced a product and you, or your security team, have received an email detailing its security weaknesses and your development team has no idea how to mitigate these. You will have to discuss the problem with your risk teams or search for ways to implement compensating controls to reduce risk levels to match your risk appetite.

DEVSECOPS DOES NOT SUIT AGILE WORKING

Many companies have discovered that agile working methods are more efficient because they allow teams to engage and contribute during sprints rather than waiting for feedback at the end. DevSecOps is a great complement to agile working methods. When you include security in every level of your development you will get immediate feedback on what needs to be improved. This helps teams break siloed working habits and increases collaboration and production.

DEVSECOPS IS EXPENSIVE

Implementing proper security is never an unnecessary expense. You must protect your most valuable assets from attack. DevSecOps aids in the identification of security issues, better enabling the necessary protection against threats to be implemented.

Traditional organisations’ views of security as a checkbox, combined with the myths mentioned above, have slowed the adoption of DevSecOps. So, how is this reluctance to be overcome? A team approach is required.

PLANNING

The journey should always begin with a top management level strategy for implementing DevSecOps. Some of the questions to be discussed are: How many separate teams will have to work together at the same time? How do we ensure the right people are responsible, accountable, consulted, and informed (RACI)? How do we create process maps? How do we set benchmarks? What are our criteria for success?

AUTOMATION

Automation is essential. Automation plays a critical role at every stage of the DevSecOps process in lowering risk exposure and overhead expenses and reducing the time needed to resolve issues.

INDIVIDUALS

Finding the right skill set is always a challenge for senior leadership. It helps to have a good mix of different levels of experience combined with fine-tuned procedures and the right resources that enable people to perform at their highest efficiency.

TECHNOLOGY

Even teams with the right skill set and strategy would achieve very little if they did not have the technology necessary to support them.

DATA-DRIVEN APPROACH

Always assess your progress and achievements with analytics. This helps with administration and helps employees understand what they have accomplished and how they are progressing.

www.linkedin.com/in/madhurinandi/
www.itsecurityawareness.com/
Connecting - Supporting - Inspiring
THANK YOU TO ALL OUR AMAZING SPONSORS FOR THEIR GENEROSITY AND FOR HELPING US TO CONNECT, SUPPORT AND INSPIRE OUR MEMBERS
For further sponsorship opportunities in 2022, please get in touch: awsn.org.au/support-us/sponsors/
STUDENT IN SECURITY SPOTLIGHT

Olivia Conlon recently graduated with a bachelor’s degree in Cyber Security and Criminology from Deakin University in Melbourne after four years of study, two of which were completed online during COVID. She grew up in the Western Suburbs of Melbourne.

OLIVIA CONLON
Cyber Security and Criminology Graduate at Deakin University

What first piqued your interest in security?

I first heard about cyber security and considered it a possible career choice from a career counsellor outside my high school. Nearing the end of high school, I felt my career options were limited and I was searching for something that excited me.

My visit to the career counsellor involved a long survey where I explained my interests and my personality type. At the end of the session, she suggested I look into cyber security. Following that suggestion, I did my own research into studying cyber security and what a cyber security career might look like. The information I gathered from reading and watching “Day in my Life as a Cyber Security Professional” videos on YouTube convinced me it was a profession I would be interested in pursuing. It was most important for me to find a career path in a field that would be ever-changing and would provide me with opportunities for continuous learning.

As technology progresses and becomes more intertwined with everyday life, cyber security will have to evolve. I was interested in being part of this.

Can you briefly summarise your security career to date: how did you get into your current study program?

I applied for a double degree in Cyber Security and Criminology at Deakin University during high school and was offered a place after my year 12 exams. I currently work remotely from my home in Melbourne at a cyber security start-up company based in Sydney.

What did you find:

• most rewarding or fulfilling about your course?

I enjoyed the flexibility in some of my subjects where I could choose my own research topics, especially criminology. For example being able to research the criminal justice system as it relates to cybercrime, such as the intricacies of policing the ‘dark web’ across national and transnational jurisdictions. Overall, I found the courses studied helped me develop my ability to think critically about topics and issues I had not previously been exposed to. And I now apply those critical thinking skills in my everyday life.

• most challenging or unsatisfying about your course?

I found some of my more technical classes quite intimidating especially when I was the only woman in the laboratory. I would avoid asking for help and usually try to fix any problems I came across on my own. I gained a sense of accomplishment when I was able to do so.

What is your approach to studying (time management, etc)? Any tips for other students?

I kept a planner to help me organise my time and prepare things ahead of the dates they were due. The demands from university, my part-time job and my personal life often left me feeling overwhelmed and meant I had to prioritise what was most important to me. Having everything written out helped me from feeling overwhelmed by approaching deadlines. Another important thing I realised in the latter half of my degree course was the importance of maintaining a balance between study and my social life, and not feeling guilty about going out with my friends. When being interviewed for an internship in my third year I was asked what I liked to do outside of studying and working. I found this the most difficult question of the interview and from that point on I made sure I maintained a good work/study/life balance.

What subject(s) do you find most interesting and/or do you expect to be most helpful?

I liked the subjects where the teachers made an effort to make the lessons interactive and encouraged a “learn by doing” approach. For example, in one of my digital forensic subjects, an assignment required me to find and analyse ‘evidence’ in a virtual machine, create a report and present the findings to a panel. Subjects such as this allowed me to visualise myself in a particular role and determine if that path in cyber security would be something I could explore.

If you could spend a day with a security expert to learn about their role, what role would you choose?

I would choose someone who works in a digital forensics role in the Australian Federal Police (AFP). I would be interested in their methodologies and how they deal mentally with such an important and demanding job. Also, I would like to learn how they separate themselves from that role when they are at home.

What involvement do you have in security outside your course?

During my fourth year, I completed an internship with a cyber security startup, Avertro, and was offered a position as a junior cyber security analyst, which I hold today. Since finishing my degrees, I have completed some short courses on LinkedIn and security forums in areas I find interesting, such as governance risk and compliance (GRC) and Python.

What are your aspirations when you graduate?

• What role(s) would you like to take?

During my study, I developed an interest in cyber security management and I am lucky enough to be involved in this with my current job, providing a tool to help security teams track and report on their cyber resilience to both technical and non-technical audiences.

• What kind of organisation would you most like to work for?

For me, it is important to work in an organisation where I am surrounded by other passionate and motivated people who inspire me to keep learning and to bring value to my role in the team.

How do you gain general information about the security industry?

• From your university?
• From friends and colleagues?
• From mentor(s)?
• Online sources?

LinkedIn has proved to be a great tool to keep up with cyber security professionals, by looking at other people’s career paths and the many different jobs available in the industry.

At my current company, I am lucky enough to be surrounded by co-workers who have experience in various roles and I am always learning through their stories, tips and our internal ‘Industry News’ Slack channel.

I also like to search for online sources I can relate to such as ‘Stereotype Breakers’ which is a Discord community for women in STEM around the world. I have been comforted hearing discussions on topics such as imposter syndrome and other people’s stories, especially those of women who have years of experience or are just starting out in industries that are usually male-dominated.

What are your longer-term — five or 10 year — career aspirations?

Over the next 10 years I would like to gain as much experience as possible in as many areas of security as I can with the aim of gaining a good foundation in cyber security, and then aspire to specialise in an area that takes my interest.

www.linkedin.com/in/olivia-conlon-1975121a4
Dilara Cetiner is in the final year of a Bachelor of Forensic Science majoring in Digital Forensics at the University of Technology Sydney. She spent her pre-teen years in Melbourne, but her high school years were spent in Sydney, where she lives today with her family.

DILARA CETINER
Digital Forensics Student at the University of Technology Sydney

What first piqued your interest in security?

I have always wanted to provide security in some manner. I had aspirations of becoming a police officer when I was a child. I became interested in cyber security when I was exposed to attacks surfacing online, ie the data breaches. I lost track of how many passwords I had to keep changing!

Were you doing something else before you started studying security?

I was studying crime scene investigation as my major for my Forensic Science degree. I truly believed I would become a lab technician or a forensic scientist. I changed my mind when my degree was nearing its last year of study. It was a bold move, and I wasn’t sure if it was too late for me to switch my major to digital forensics. Thankfully, my request was approved. I spent the next two years studying cyber security, network and programming fundamentals, and anything IT. It was a complete 180-degree shift from science, but it was a welcome change. I wanted a career that would keep me adapting to the trends, and cyber security does just that.

Technology is ever-evolving and, as scary as that is, it’s also extremely exciting. I think of all the opportunities open to us now, and the opportunities that will come. Cyber security is an industry that will push you to grow instead of remaining stagnant.

My previous study brought me many skills I remain thankful for. Forensic science is all about teamwork and time management. Those are vital skills I carried with me into cyber security in my digital forensics major.

I advise anyone who wants to make a leap into the security industry to just barrel into it as soon as they’re ready. Don’t feel disheartened if things don’t fall into place too quickly. You can get involved in the security industry through online learning platforms that are mostly free, and there’s a wide community of like-minded people who can lend you a hand. I went from science to IT. It’s possible if you want it.

Can you briefly summarise your security career to date: how did you get into your current study program?

I am still studying full-time and have been for the last five years, almost three of those years have been spent on my aspirational security career. Nothing too glamorous, I just went straight from HSC to university and transferred to security before I graduated with a science degree.

To what extent have (a) the course and (b) the institution met your expectations?
• What do you like most?
• What would you like to see done differently?

My course has met all my expectations. I do wish my university had offered a bachelor’s degree in cyber security when I was still fresh-faced, but my university provides this degree. So at least the younger portion of my generation now has access to such a degree from a stellar university. I am undertaking many relevant projects and gaining practical experience I know I will use in the real world.

I love the intelligent and enthusiastic teachers, the practical experiences and the resources/tools I have access to. However, I would like to see course content updated bi-yearly because cyber security is evolving rapidly.

What do you find
• most rewarding or fulfilling about your course?
• most challenging or unsatisfying about your course?

I find the learning experience, the mentoring and the personal connections with like-minded students to be the most rewarding aspects. I find the assumption that students have prior knowledge of computers and programming to be challenging. Subjects classified as being for beginners had projects requiring high-level coding skills prior to such skills being taught.

What is your approach to studying (time management, etc)? Any tips for other students?

Make sure you continue to have a life. Don’t burn yourself out. Manage your projects with strict schedules you set yourself. Do NOT skimp on weekly exercises that do not seem to be worthwhile. Every exercise contributes to the grade you receive. Study for at least two hours a day outside classes, and maintain study notes. Gather all the resources you can from university and your subject documents so you have a collection of training materials, manuals etc you can use in the real world.

What subject(s) do you find most interesting and/or do you expect to be most useful?

Investigative subjects are the most interesting by far. They involve exploring a network, a hard drive, an IT infrastructure and much more. Those teaching how to use red team tools are especially useful.

If you could spend a day with a security expert to learn about their role, what role would you choose?

I would choose a generalist cyber security analyst role because at present I find it hard to decide which sub-sector of cyber security will be the best fit for me. One of my favourite professors said cyber security experts are either generalists or specialists and once someone becomes a specialist they find it quite difficult to go back to being a generalist. So I am comfortable playing in all fields until I’m ready to choose one.

What involvement do you have in security outside your course?

I am a member of several cyber and information security organisations and I joined AWSN because I wanted to be part of a community that helps propel women into security roles. I have also joined the Australian Defence Force Cyber Gap Program of 2022, which is a great training and networking opportunity for budding cyber security experts. I encourage anyone interested in the Defence Force or in cyber training to apply if they are about to enter their penultimate year of university.

What are your aspirations when you graduate?

I definitely would love a stable, government position. I have a keen interest in government bodies: the Australian Federal Police, the Australian Defence Force and others.

What are your longer-term - five or 10-year career aspirations?

In five years I want to be still growing and learning. In ten years I aim to be a cyber security team leader or manager. I hold high expectations for myself and I want to make myself and my family proud.

www.linkedin.com/in/dilara-b-cetiner/
Sharini Arulkumaran grew up in Sydney and is in the fourth year of studying for a Bachelor of Security Studies with a Bachelor of Laws at Macquarie University. She will graduate at the end of 2023.

SHARINI ARULKUMARAN
Aspiring Security Professional, Bachelor of Security Studies and currently studying a Graduate Diploma of Fraud and Financial Crime

What first piqued your interest in security?

Procedural TV shows sparked my interest in law enforcement and its related fields. After doing a lot of research I discovered the Security Studies degree at Macquarie and after reading about the units included in the degree, I knew it to be what I wanted to study at university.

Were you doing something else before you started studying security?

I went straight from high school to study security and law at university.

To what extent have (a) the course and (b) the institution met your expectations?
• What do you like most?

The compulsory units cover a wide cross-section of subjects and give you an insight into the various sectors of security. This is very helpful because most of us are being exposed to security studies for the first time and we get a glimpse of possible future career paths.

• What would you like to see done differently?

I would like to see more creative assignments being prescribed. Essays and critical analyses are crucial to developing written communication skills but I think more creative assignments would enhance our learning experience and provide a more realistic reflection of activities conducted in the workforce.

What do you find
• most rewarding or fulfilling about your course?

I think the most fulfilling thing about my course is the simple fact that I am excited about my future in a world where so many people are jaded or dissatisfied. It is fulfilling to know I am privileged to undertake a course of study that interests me and will allow me to make a positive impact.

• most challenging or unsatisfying about your course?

I was hoping to gain more practical experience from the course. While it is mandatory to complete one professional and community engagement unit for my degree, I would love to have more interaction with various industry partners because it is hard to gain work experience in security. I think it is important for every tertiary student to get a glimpse of what the future could look like after university.

• What is your approach to studying (time management, etc)? Any tips for other students?

I think it is important to know yourself and your habits. Do you study best alone or with friends? Are you more productive at a certain time of day? Do you know your limits and what causes you stress?

Personally, I like a change of scenery when studying for consecutive extended periods. I find studying outside or anywhere with good sunlight encourages me and adds a sense of calm to stressful periods. When it comes to assignments, I have a standard structure I follow that streamlines the process. I conduct all the necessary research, collate the pertinent information and then categorise it as necessary for the task at hand. After developing a scaffold from my categorisation system, I write the assignment and make minor changes if necessary. However, it is important to find what works for you so you get into a rhythm that allows you to balance all your commitments. I also recommend surrounding yourself with supportive friends and colleagues so you can assist each other when things get hectic.

What subject(s) do you find most interesting and/or do you expect to be most useful?

My favourite units so far have been:
• Terrorism in the 21st Century
• Intelligence and Counter-Intelligence
• Cyber Security in Practice

If you could spend a day with a security expert to learn about their role, what role would you choose?

I would choose a role that combines both investigative and analytical activities because I am interested to see what daily tasks make up such a role and would like to know which components I would enjoy most.

What involvement do you have in security outside your course?

I have completed an intelligence foundation course and look forward to doing more personal study as I gain a better understanding of what professional career I would like.

I also have two upcoming internships, one as a legal intern at a renowned cyber security company and the other as a vacationer on the risk advisory team of a Big Four firm.

What are your aspirations when you graduate?
• What role(s) would you like to take?
• What kind of organisation would you most like to work for?

I would like to take roles that expose me to the diverse careers I could pursue. I would take roles that are not solely behind a computer and that teach me new skills, particularly forensic skills.

My ideal employer/organisation would recognise the importance of empowering women and would not restrict their professional growth or limit the opportunities available to them. In the early stages of my career, I would like to work for an organisation that invests in recent graduates and does not hold unreasonable expectations but rather recognises us as ‘the new kids on the block’ even when we have an undergraduate degree.

How do you gain general information about the security industry?
• Career fairs conducted by university/student societies
• LinkedIn
• Guest lecturers
• Friends who have graduated

What are your longer-term - five or 10 year career aspirations?

Ideally, five years from when I graduate I will have a fair understanding of the ins and outs of the security industry so I can direct my career in the best way. I hope to have a position I truly enjoy in an environment that is supportive, stimulating and purposeful.

www.linkedin.com/in/sharini-arulkumaran-425797213
Malwa Bajwa is studying for a Bachelor of Security Studies and a Masters in Cybersecurity and Intelligence at Macquarie University and expects to graduate in 2025. She is of Pakistani heritage but was born and grew up in Sydney.

MALWA BAJWA
Cybersecurity and Intelligence Masters student at Macquarie University

What first piqued your interest in security?

I became interested in this course because of what I had read in the news over the years, and as a result of my personal experience. Civilisation is facing a variety of global security threats: terrorism; political instability; cybercrime and climate change. As a security studies student, my goal is to learn about the security dangers governments, international organisations and businesses face throughout the world so I have the capability to secure networks, protect information and avoid cyber-attacks and foreign threats. Security studies provide a fantastic opportunity for me to hone my ability to understand what makes people feel safe or unsafe and how these dangers might be addressed and avoided in the future.

To what extent have (a) the course and (b) the institution met your expectations?
• What do you like most?

The security studies degree and Macquarie University have exceeded my expectations to a large extent. The course is taught by numerous industry leaders. It has helped me have an open mind about my subject and allowed me to look at security from a variety of angles, including international security concerns about military power, interstate war and terrorism. Studying at an open and varied university has also given me the opportunity to develop an open mind on future security endeavours.

• What would you like to see done differently?

The security studies degree offers many benefits, but I would like to see the course providing opportunities to develop skills, for example by offering workshops to help prepare students for future roles, rather than focussing heavily on theory.

What do you find
• most rewarding or fulfilling about your course?

The security studies course offers broad career opportunities in a range of fields, for example, to work as a cyber security analyst or in an intelligence agency. It also offers a variety of internships that enable you to gain work exposure in an interesting field and make you an attractive candidate to employers.

• most challenging or unsatisfying about your course?

The heavy workload made it difficult to keep track of what was happening in the world at large: in politics, war or anything else.

What is your approach to studying (time management, etc)? Any tips for other students?

To study effectively and meet deadlines I always prepared my study timetable in advance. I created a to-do list in which I set myself tasks for each day: to complete lectures, prepare for tutorials, or work on assets to ensure they were finished on time.

Working on these tasks every day gave me time for other priorities outside of the university, such as reading material and completing small courses online to help boost my skills and capacity for a future role such as a data analyst. To achieve success and ensure all your priorities and goals are met it’s important to create a routine and follow a timetable.

If you could spend a day with a security expert to learn about their role, what role would you choose?

I would choose a threat intelligence officer because they are genuine specialists who make the majority of our security decisions. It’s fascinating to work in this niche because the threat landscape is constantly changing. By understanding their strategies and gaining insight into their role I would be able to take a proactive approach to security.

What are your aspirations when you graduate?
• What role(s) would you like to take?

I would most like to obtain a role as a cyber security analyst, risk analyst or intelligence analyst.

• What kind of organisation would you most like to work for?

After I graduate I want to work for a company that gives employees flexibility and pays them well in accordance with the value they provide to the company. Working for a small to medium business would be ideal to begin with, and then I would hope to work my way up over time.

How do you gain general information about the security industry?
• From your university?

The security studies department has a Twitter account dedicated to the course where it regularly provides updates about opportunities and events along with insights into security issues and challenges. Following this account helps me ensure I am on the same page as my colleagues and tutors.

• Online sources?

I usually explore recent news articles or journals online. Recently I’ve been really into the Middle East instability created by disputes between Palestine and Israel. Exploring these sources helps me gain insight into the security issues these disputes raise and I use the information to enhance my own understanding of threats, recommendations and likely or dangerous outcomes.

What are your longer-term - five or 10 year career aspirations?

My long term career aspiration is to secure a cyber security threat analyst role at an intelligence agency or at a Sydney Airport so I can apply my learning and training and further hone my managerial skills.

After a few years, I plan to grow into an executive position, overseeing a department. With my strong entrepreneurial spirit and management experience, I am looking to attain my goals in the next 12 to 15 years. I believe it will take me some time to get there and will not be easy.

www.linkedin.com/in/malwa-bajwa-3ba87b211
instagram.com _malwa.b_
Paola Bianca Palomo is in the first semester of a Master of Cyber Security course at RMIT University. She grew up in the Philippines.

PAOLA BIANCA PALOMO
Master of Cybersecurity student at RMIT University

What first piqued your interest in security?

I have family and friends who experienced hacking and social engineering attacks that tainted their reputations. I wanted to study security, so I could prevent these from happening, not only to my family and friends but on a larger scale. I also think there are very few women in security, and I want to be one of them. I want to be someone breaking the norm, and I want people to know women can also do jobs in security and excel in them.

Were you doing something else before you started studying security? If so, what made you transition to the security industry?

I was already in information technology and became interested in security when my family and friends experienced some security issues. Also, with the growing reliance of our everyday activities on information technology, I felt a need to learn about security.

Are there any skills you have carried from your previous roles/studies?

I would say being a critical thinker and good problem solver because security requires excellent analysis to be implemented correctly.

What advice would you give to someone thinking of entering this industry from a different background?

Skills and knowledge are things we learn and acquire over time. If you are passionate about being in security, do not let anything stop you. Your gender, prior experience and background do not matter, your skills do. We can be who we want to be or where we want to be if we persevere. Three things people always say in this industry are: learn, practice, and take certifications because these are the key to getting the right skills.

Can you briefly summarise your security career to date: how did you get into your current study program?

Because I did not have prior work experience in security, my security career started by looking for courses offered by RMIT. I selected cyber security because it interested me the most. After that, I applied for the STEM scholarship provided by the university.

To what extent have (a) the course and (b) the institution met your expectations?

The course opened my mind to real-life security scenarios and exposed me to experienced people and organisations. The university has provided me with opportunities to explore and learn.

• What do you like most?

I like it when we do coding, when we explore penetration testing and when we do device configurations.

• What would you like to see done differently?

I had hoped they would provide us with more hands-on configurations.

What do you find
• most rewarding or fulfilling about your course?

The most rewarding part is when I get high marks on assignments because it proves I’ve learned what they taught me.

• most challenging or unsatisfying about your course?

The assignments are also the most challenging part because they are complex and require a deep understanding and application of the theories taught.

What is your approach to studying (time management, etc.)? Any tips for other students?

Time management is something you need to excel in to be a good student, especially when you are also working. One thing I would suggest is to start early; making incremental progress helps prevent you from becoming exhausted.

What subject(s) do you find most interesting, and/or do you expect to be most helpful?

The subject related to coding and case studies in cyber security is interesting. They teach us things we can apply in our daily lives and when we join the industry.

If you could spend a day with a security expert to learn about their role, what role would you choose?

I would choose the role of a penetration tester or a cyber security engineer. I like these roles, and I want to know the responsibilities people do in these jobs.

What involvement do you have in security outside your course?

I currently do some informal study on Microsoft Azure and Cisco CCNA certifications. I am also a member of AISA.

What are your aspirations when you graduate?
• What role(s) would you like to take?

I want to be a penetration tester or a cyber security engineer.

• What kind of organisation would you most like to work for?

I want to work in an organisation that provides services to people. I will probably apply for a role in the government or a large organisation because I know they significantly impact people’s lives.

How do you gain general information about the security industry?

Mostly from university and online sources. I like to read a lot, and the internet provides a lot of information that is helpful when you want to learn about security. The hacker news is useful if you want the latest news in cyber security.

What are your longer-term - five or ten year career aspirations?

I want to be someone who inspires others to be in security or nurtures their passion for security, especially young women. I hope by that time, I am in a supervisory or managerial position and can share my knowledge and expertise with others.

www.linkedin.com/in/paola-bianca-palomo-39a3b5127
LISA ROTHFIELD-KIRSCHNER
Author of How We Got Cyber Smart | Amazon Bestseller

AMANDA-JANE TURNER
Cybercrime is big business, thanks to technical advancement and interconnectivity creating more opportunities for cybercriminals. This regular column will explore various aspects of cybercrime in an easy to understand manner, to help everyone become more cyber safe.

Making a difference in security

Twins Olivia and Jack love spending time with their grandparents, chatting and showing them all the fun things they learn at school. Their grandparents recently moved to a new home far away and they don’t get to visit as often. Luckily, Olivia and Jack received a tablet from their grandparents for their birthday last month and have been using it nearly every day to video chat with their grandparents. It’s a great way to stay in touch and enables them to have regular catchups when they cannot meet often in person. Grandpa usually tells funny jokes and grandma loves showing off her next baking sensation they will all be able to enjoy on their next visit. Cookies - yummy!

Olivia and Jack were getting ready for their usual video call with their grandparents when suddenly their mum’s phone rang. Their grandparents called to say their computer was running very slowly and they could not log into the video app to chat. Their mum tried to troubleshoot over the phone, but the problem seemed very tricky and they needed to call on a cybercriminal expert.

Olivia and Jack knew cybercrime to be a big problem that could cause people to lose money, privacy and identity. Could this have happened to their grandparents’ computer? They were afraid their grandparents had become victims of cybercrime. Olivia and Jack’s mum decided to call her friend from work, Amanda-Jane, a cybercrime specialist to see if she could help.

Olivia and Jack always love speaking with Amanda-Jane because she has purple hair and wears brightly coloured socks with oversized polka dots, knows everything about computers and is always helpful when they get stuck. Amanda-Jane was keen to help Olivia and Jack’s grandparents and said, “Let’s go for a drive and see if we can help fix their computer.”

Their mum drove them all to their grandparents’ house on a mission to fix their computer. They were pleased to see Olivia and Jack in person but grandpa was worried about missing important emails and grandma missed being able to speak to her overseas friends. Amanda-Jane asked grandma and grandpa questions to try and find out what had happened to their computer. They had not noticed anything unusual. However, it turned out grandpa had clicked on a link in an email he thought was from Olivia and Jack, asking him and grandma to buy them a gift card for their birthday.

Grandpa said the link appeared safe and did not look unusual, so he clicked on it. But when he entered his email username and password he got an error message. Ever since then, he had been unable to access his email and the computer had been running very slow. Amanda-Jane suspected a cybercriminal had sent them a fraudulent email to trick them into providing their username and password and thought the link might also have included malware. Grandpa told her he and grandma used the same password for everything because it was easy to remember. With the stolen credentials the criminal had changed the email password and taken over their email account. Amanda-Jane initiated a scan of their computer using antivirus software that looks for malicious applications. The scan showed apps had been installed to steal their passwords, steal all the information on their computer and break into their bank accounts! Olivia and Jack’s mum was distraught.

Amanda-Jane is here to help!

After the scan, Amanda-Jane installed security software to remove the viruses, scan continuously for malicious apps and protect the computer from them. After ensuring the computer was free from malware she helped grandma and grandpa change the passwords to all their accounts, set up multifactor authentication and regain access to their emails. She also suggested they use a password manager so they could assign unique passwords to all their accounts and not worry about forgetting them. This made grandpa very happy. She then made sure the video apps were safe and had security controls in place so grandma and grandpa could chat with Olivia and Jack.

Grandma and grandpa were so happy Amanda-Jane had fixed everything, to have learnt how important it is to be sceptical of emails and links and to have multifactor authentication on their apps and devices.

Amanda-Jane also gave them a copy of her book Unmasking the Hacker: Demystifying Cybercrime to read and learn more about how to stay safe on the internet.

Lisa Rothfield-Kirschner
www.linkedin.com/company/how-we-got-cyber-smart/
www.facebook.com/howwegotcybersmart
twitter.com/howwegotcybers1

Amanda-Jane Turner
www.demystifycyber.com.au/
How We Got Cyber Smart addresses cyber safety, cyber bullying and online safety for elementary school-aged children.
WOMEN IN SECURITY MAGAZINE CONTRIBUTORS 01
02
1. AMANDA-JANE TURNER Author of the Demystifying Cybercrime series and Women in Tech books Conference Speaker and Cybercrime specialist
2. BEX NITERT 03
04
Director, Digital Forensics & Incident Response @ ParaFlare | Supporting Women in Security @ AWSN
3. TASH BETTRIDGE Customer Success Account Manager (CSAM) at Microsoft
4. ZOE EDMEADES 05
06
Co-Owner and Managing Director, The Security Company (International) Limited
5. SARAH IANNANTUONO APAC Cyber Security Strategy and Program Lead at SEEK
6. GEORGEINA WHELAN AM, CSC AND BAR Commissioner at ACT Emergency Services Agency
07
08
7. SONOMI MIYAZAKI Senior Information Security Consultant and Team Leader at Westpac
8. DOMIZIANA FOTI Security Analyst | GRC at BIP
09
10
9. MICHELLE RIBEIRO Executive Conference Producer at Corinium Global Intelligence
10.LESLEY HONEYMAN Director of Cyber Security Operations at Cyber Security NSW
11
12
11. SHAMANE TAN Chief Growth Officer at Sekuro
12. GINA MIHAJLOVSKA Cyber Security Manager at EY
13. PRANJALI KARVE 13
14
Cybersecurity Intern at Telstra| Bachelor of Cybersecurity student at Deakin University
14. SOPHIA PACE Head of Community and Brand at Avertro
15
16
15. LUKASZ GOGOLKIEWICZ Head of Corporate Security at SEEK
16. DANIELLE ROSENFELD LOVELL Consultant Security Testing and Assurance at CyberCX
17. NICOLLE EMBRA 17
18
Cyber Safety Expert, The Cyber Safety Tech Mum
18. DEEPA BRADLEY Global Transformation Executive - Cybersecurity Specialist
19. ADAM HALLYBURTON IT Security Program Project Manager
19
20
20. HASHIM KHAN Digital, CyberSecurity and Agile Enthusiast
21. SIMON CARABETTA Cyber Communications Specialist
21
22
22. MARISE ALPHONSO Information Security Lead at Infoxchange
23. KAVIKA SINGHAL Western Sydney University, Final Year Student
24. EMILY GOODMAN 23
24
Cyber Security Consultant at EY
25. MICHELLE GATSI Cyber Security Consultant at EY
26. SHINESA CAMBRIC 25
26
Principal Product Manager, Microsoft Intelligent Protections - Emerging Identity at Microsoft
27. JAY HIRA Director of Cyber Transformation at EY
28. KAYELENE KERR Body Safety, Cyber Safety and Pornography Education Specialist |Child Safety Advocate | Founder eSafeKids
27
28
29. SHANNA DALY
WOMEN IN SECURITY MAGAZINE CONTRIBUTORS 29
30
Cyber Security, Incident Response, Digital Forensics. Advisor, Speaker, Streamer, & Master of Shenanigans
30. NIVI NEWAR Head of Cyber Security Strategy & Governance at UNSW
31. KAREN STEPHENS 31
32
CEO and co-founder of BCyber
32. VERONIKA LAPUSHNIANU International Business Communications Trainer, Founder of GroupEtiq
33. ANGELINA LIU Account Executive at Barracuda
33
34
34. ASOU AMINNEZHAD Security Evangelist
35. RINA MADLANI Cloud Advocate
35
36
36. MEL MIGRINO Chairman and President, Women in Security Alliance Philippines and Group CISO, Meralco
37. VIRGINIA CALEGARE Founding Director - CISOaaS - DPOaaS - CISSP - LGPD Expert, ISO27001 LI & LA - SABSA - CCNA SecOps I & II
37
38
38. VANNESSA MCCAMLEY Leadership and Performance Consultant, Coach, Facilitator, Author and Keynote Speaker
39. CRAIG FORD
39
40
Cyber Enthusiast, Ethical Hacker, Author of A hacker I am vol1 & vol2, Male Champion of Change Special Recognition award winner at 2021 Australian Women in Security Awards
40. DIANA SELCK-PAULSSON Lead Security Researcher
41. CHARL VAN DER WALT Lead Security Researcher at Orange Cyberdefense
42. SAI HONIG CISSP, CCSP, Co-founder - New Zealand Network for Women in Security
43. PALLAVI PHUTANE Senior Consultant at KPMG Canada
44. LESLEY CARHART Director of ICS Cybersecurity Incident Response
45. NEHA DHYANI Cyber Security Leader (CISSP, CCSP, CISM, MITRE ATT&CK Certified Defender) Senior Security Consultant at Nokia Solutions & Networks
46. BROCK RODERICK Creator of Education Arcade
47. MEGHAN JACQUOT Cyber Threat Intelligence Professional
48. MADHURI NANDI IT Security Manager at Till Payments | Creator of - ITSA
49. OLIVIA CONLON Cyber Security and Criminology Graduate at Deakin University
50. DILARA CETINER Digital Forensics Student at the University of Technology Sydney
51. SHARINI ARULKUMARAN Aspiring Security Professional, Bachelor of Security Studies and currently studying a Graduate Diploma of Fraud and Financial Crime
52. MALWA BAJWA Cybersecurity and Intelligence Masters student at Macquarie University
53. PAOLA BIANCO PALOMO Master of Cybersecurity student at RMIT University
54. LISA ROTHFIELD-KIRSCHNER Author of How We Got Cyber Smart | Amazon Bestseller
THE LEARNING HUB
CYBRARY Collaborate in an open-source environment, revolutionising the cyber security educational experience. They offer more than 150 free courses on cryptography, secure coding, advanced penetration testing, etc. They have courses tailored to your skill set, regardless of your experience level.
CYBERDEFENDERS CyberDefenders is a training platform focused on the defensive side of cybersecurity, aiming to provide a place for blue teams to practice, validate the skills they have, and acquire the ones they need.
TECHEXAMS BY INFOSEC If you’re looking to study for a specific tech certification, TechExams.net’s free certification preparation community is a great place to start. Members can offer insightful perspectives on the process and direct you to resources that were not previously on your list.
BLUE TEAM RESOURCES It can be hard for individual security professionals to stay current on all of these changes. That’s why there are so many great resources out there designed specifically for people working in this field, especially in SOC. Get the best out of the free resources available on this website.
CODE WITH GOOGLE Code with Google is a free resource provided by Google to make sure everyone has access to the collaborative, coding, and technical skills that can unlock opportunities in the classroom and beyond. Their aim is to help educators give their students confidence in CS, advance their skills, and prepare them for the future.
ELASTIC Build your enterprise search, observability, security, and Stack skills with Elastic’s on-demand training for free. Their self-paced courses include expertly designed materials, engaging demos, hands-on lab exercises, and access to Elastic experts to help you build and retain new skills.
FEATURING FREE SECURITY TRAINING RESOURCES THAT ARE AIMED AT INCREASING SECURITY AWARENESS AND HELPING PEOPLE BUILD AND UPSKILL THEIR SECURITY SKILLS.
CYBER ACES SANS Cyber Aces Online is a course that teaches the core concepts needed to assess and protect information security systems for free! The course material is updated regularly to keep pace with changes in technology and threat landscape. It’s available as open courseware so learners can take it anytime and anywhere.
HACKTHISSITE.ORG HackThisSite.org is a free, safe and legal training ground for hackers to test and expand their ethical hacking skills. This site is more than just another hacker wargames site. They’re a living, breathing community devoted to learning and sharing ethical hacking knowledge, technical hobbies, programming expertise, with many active projects in development.
PENTESTERLAB PentesterLab is a free resource for getting started with web penetration testing or pen-testing in general. It provides information about potential web security flaws, their behaviour, and methods for exploiting them. More importantly, it aids in the development of a hacker-like mindset.
EVOLVE ACADEMY Cybersecurity is the fastest growing IT sector and the talent shortage continues to widen. The free Cybersecurity Fundamentals course available at Evolve Academy can help you gain hands-on technical skills to lay the foundation for a challenging and rewarding cybersecurity career.
CULTURE OF CYBERSECURITY This site offers free downloadable kids’ activities to help families learn basic cybersecurity concepts. Its initiatives aim to expose K-12 students to cybersecurity education and possible career paths, and to engage young learners and educate them on cybersecurity to keep them cyber safe.
CENTER FOR DEVELOPMENT OF SECURITY EXCELLENCE Center for Development of Security Excellence has tons of free security awareness resources for learners including games, posters, shorts, videos, and webinars.
TURN IT UP
TALK PYTHON TO ME By Michael Kennedy Talk Python to Me is a weekly podcast hosted by developer Michael Kennedy. They dive deep into the popular packages and software developers, data scientists, and incredible hobbyists doing amazing things with Python.
FORENSIC LENS By KPMG Australia Join Dean Mitchell, KPMG’s forensics specialist and host of Forensic Lens, as he discusses the intriguing world of fraud, deception, and corporate crime and what drives white-collar criminals to deception.
CAVEAT By CyberWire, Inc. Listen to thought-provoking conversations on surveillance, digital privacy, and cybersecurity law and policy in the information age. Each week, the hosts break down the headlines, legal cases, and policy battles that matter most.
THE SECUREWORLD SESSIONS By SecureWorld Cybersecurity weekly podcast series featuring industry thought leaders discussing security solutions, best practices, threat intel, and more.
THE ART OF INCLUSION By Diversity Council Australia Brought to you by Diversity Council Australia, you’ll hear stories from fascinating people of all stripes, with reflection from experts and policy makers, who’ll help you master The Art of Inclusion.
WOMEN ON THE MOVE By Behind Closed doors Women On The Move shares remarkable stories from women who have achieved significant milestones in their professional careers. These inspirational women explain the highs and lows, the devastating failures and incredible successes, and the invaluable benefit that comes from developing a support network to guide you on your business journey.
WHAT HAPPENS NEXT? By KPMG Australia Join host Whitney Fitzsimmons as she discusses a range of topics such as science, sport, leadership, current affairs, and culture with global change-makers on issues and ideas that affect businesses, communities, societies, and the world.
DARK MODE WITH BEN & GABE By Gabe Marzano and Ben Sullivan The Creating Synergy Podcast brings Technology, Cyber Security and Universal Mega Trends shaping the future of humanity. They discuss various topics, trends and themes relevant to the global population and invite incredibly insightful guest speakers to share their perspectives!
THE DIVERSITY GAP By Bethaney Wilkinson The Diversity Gap is for everyday people who want to pair their good intentions for diversity with true cultural change. Through thoughtful conversation and authentic storytelling, the host will inspire and equip you to create the kind of culture you say you want: one where all people are seen, heard, respected, and given what they need to thrive.
CYENTIA PODCAST By Cyentia Institute: Cybersecurity and Data Science Join hosts Jay and Wade as they discuss topics with those working to find incredible insights, tell awesome data-driven stories and are willing to share their work with the larger community.
CYBER SECURITY HEROES By IRONSCALES Cybersecurity Heroes is an IRONSCALES podcast for security professionals to share and learn from one another, in order to become more resilient.
THE CYBRARY PODCAST By Cybrary Inc Discussing topics ranging from DevSecOps and Ransomware attacks to diversity and the retention of talent the Cybrary Podcast covers it all. Stay up to date with recent discussions and insight from current vendors and instructors from Cybrary.
OFF THE SHELF
LESSONS LEARNED: SHORT STORIES OF CONTINUITY AND RESILIENCE Author // Michele L. Turner Continuity and Resilience - two words that could track to the same destination albeit, varied in arrival time. According to Merriam-Webster, the definition of Continuity is: uninterrupted connection, succession, or union. Using this same resource, the definition of Resilience is: an ability to recover from or adjust easily to misfortune or change. While an uninterrupted life, free of misfortune may sound wonderful, it is in the challenge, in the change, that we learn the greatest lessons. This book has been written with 51 years of personal life experiences, and an overlay of close to 30 years of professional subject matter expertise in managing the continuance of business operations across the globe, come rain...or shine. Both aspects have resulted in significant lessons learned... stories of continuity and resilience.
97 THINGS EVERY INFORMATION SECURITY PROFESSIONAL SHOULD KNOW: COLLECTIVE WISDOM FROM THE EXPERTS Author // Christina Morillo Whether you’re searching for new or additional opportunities, information security can be vast and overwhelming. In this practical guide, author Christina Morillo introduces technical knowledge from a diverse range of experts in the infosec field. Through 97 concise and useful tips, you’ll learn how to expand your skills and solve common issues by working through everyday security problems. You’ll also receive valuable guidance from professionals on how to navigate your career within this industry. How do you get buy-in from the C-suite for your security program? How do you establish an incident and disaster response plan? This practical book takes you through actionable advice on a wide variety of infosec topics, including thought-provoking questions that drive the direction of the field.
CYBERSECURITY EXPOSED: THE CYBER HOUSE RULES Author // Raef Meeuwisse Mind the gap...between the actual level of cybersecurity and the amount required to protect you. Ever wondered what exactly is going so badly wrong in society that the fastest booming industry in the world is cybercrime? Psychology meets technology as this book explores how the rapid progression of technology is luring us all forwards at a pace that outstrips the human comfort zone. This book exposes the reasons that many organizations decide it is cheaper, easier and less painful in the short term to leave their security broken. Is security fixable? Or are we destined to remain at the mercy of cyber criminals? We take a look at the cyber house rules, a set of principles that lead to what makes cybersecurity effective or, if not addressed, leaves large gaps that cyber criminals, rogue insiders and other hostile parties can take advantage of. What is causing the frequency and magnitude of digital disruption to increase? Is there a set of principles organizations can apply to prevent mega breaches?
CYBER SECURITY & ACCOUNTING INFORMATION SYSTEMS: STAY AHEAD OF THE TECHNOLOGY CURVE Author // Y.K. Wong, PhD With the fast growth in information technologies, as well as an increasing number of mobile and wireless devices and services, the need to address vulnerabilities has been highly prioritized by many large corporations, as well as small and medium companies. The value of financial data in an accounting information system is extremely high. Thus, cybersecurity has become a critical concern in managing accounting information systems. Accounting information systems (AIS) aim to support all accounting functions and activities, including financial reporting, auditing, taxation, and management accounting. The AIS is a core knowledge area for accounting professionals and is a critical requirement for accounting practice. This book provides the essential knowledge for the accounting professional to stay ahead of the technology curve. This includes the accounting information system’s characteristics, accounting cycles, and accounting processes; reviews different types of information system designs and architectures; and discusses cyber security, vulnerabilities, cyber crime, cyberattacks, and defence strategies.
CYBERSECURITY LEADERSHIP DEMYSTIFIED: A COMPREHENSIVE GUIDE TO BECOMING A WORLD-CLASS MODERN CYBERSECURITY LEADER AND GLOBAL CISO Author // Dr. Erdal Ozkaya (Author), Melih Abdulhayoglu (Foreword) This book is for busy cybersecurity leaders and executives looking to gain deep insights into the domains important for becoming a competent cybersecurity leader. The book begins by introducing you to the CISO’s role, where you’ll learn key definitions, explore the responsibilities involved, and understand how you can become an efficient CISO. In order to be a good leader, you’ll need a good team. This book guides you in building your dream team by familiarising you with HR management, documentation, and stakeholder onboarding. Despite taking all that care, you might still fall prey to cyber attacks; this book will show you how to quickly respond to an incident to help your organisation minimise losses, decrease vulnerabilities, and rebuild services and processes. Finally, you’ll explore other key CISO skills that’ll help you communicate at both senior and operational levels.
CYBERSECURITY CAREER GUIDE Author // Alyssa Miller Kickstart a career in cybersecurity by adapting your existing technical and non-technical skills. Author Alyssa Miller has spent fifteen years in cybersecurity leadership and talent development and shares her unique perspective in this revealing industry guide. Cybersecurity Career Guide shows you how to turn your existing technical skills into an awesome career in information security. In this practical guide, you’ll explore popular cybersecurity jobs, from penetration testing to running a Security Operations Center. Actionable advice, self-analysis exercises, and concrete techniques for building skills in your chosen career path ensure you’re always taking concrete steps towards getting hired. Cybersecurity Career Guide unlocks your pathway to becoming a great security practitioner. You’ll learn how to reliably enter the security field and quickly grow into your new career, following clear, practical advice that’s based on research and interviews with hundreds of hiring managers. Practical self-analysis exercises identify gaps in your resume, what makes you valuable to an employer, and what you want out of your career in cyber. You’ll assess the benefits of all major professional qualifications, and get practical advice on relationship building with mentors.
SURFING THE NET
ESAFEKIDS BLOG By Kayelene Kerr Founded by Kayelene Kerr, eSafeKids’ blog provides resources to teach children about social and emotional intelligence, respectful relationships, diversity, resilience, empathy, gender equality, consent, body safety, protective behaviours, cyber safety, digital wellness, media literacy, puberty and pornography.
CIPHER BLOG By Cipher In the CIPHER blog, you will find helpful information security articles, trends in cybersecurity, and insight on threats and cyber attacks.
CYBER SECURITY BLOG - CYBERSPHERE By Cyphere The web is full of information; finding the relevant information needed to learn, or to unlearn, is a challenge of our times. This blog provides insights into good practices and relevant content that is practical, targeted at action and keeps readers up-to-date with the latest security practices, tips and tricks.
AVAST BLOG By Avast Get the latest in security news, threat research, tips & advice, business security, diversity and inclusion, covid-19 scams, privacy and much more.
NETOGRAPHY BLOG By Netography Netography Blog discusses all things cloud and cyber security from zero trust, to how to make a move in the cloud space, trends, future solutions, strengthening defence, atomised network and so much more.
INFOSECTRAIN BLOG By InfosecTrain InfosecTrain Blog features important and informative information security blogs from the industry’s top leaders. They feature a variety of topics including cloud security, data privacy, data science, information security, networks, training, project management, ransomware, etc.
PURPLE BLOG By The Purple Book Community Discover informational insights, and trends and stay on top of security topics including protecting data, risk management, software security, cloud security, DevSecOps, zero trust, and much more.
SKILLCRUSH BLOG By Skillcrush Skillcrush posts on career, culture, digital skills, and tech 101. They have a multitude of posts for women in tech, ranging from career growth strategies to the latest tech buzz to book recommendations. They believe that technology does not have to be difficult and that technology can be used by anyone.
WOMENTECH BLOG By Women Tech Network Discover the most recent community news, as well as notable women in technology, and much more! Women in Tech Network is a community that promotes gender diversity in technology by connecting talented and skilled professionals with top companies and leading startups that value diversity, inclusion, and strive to cultivate a culture of belonging.
JULIA EVANS By Julia Evans Julia Evans is a Montreal-based software developer. This blog covers everything from programming to being curious and asking questions to demonstrating how traditional “hard” and “scary” topics are actually accessible, interesting, and fun (TCP! / Kernel hacking! / Traceroute! / gzip! / databases! / SSL!).
womeninsecurityawards.com.au
THE 2022 WOMEN IN SECURITY AWARDS
Don’t miss the largest security awards of the year!
womeninsecurityawards.co.nz
Want to be part of it? Register your interest today by contacting aby@source2create.com.au