Women in Security Magazine, Issue 10, September • October 2022
www.womeninsecuritymagazine.com
FROM THE PUBLISHER: We’re all in this together

When I sat down to write the introduction to this month’s issue the theme—Improving Security Together—had me a little stumped. After all, I’m not actively improving the security of anything, so what could I possibly have to say on the matter?

However, a conversation with a reader proved me wrong and reminded me we are all working on improving security in our own ways. The very existence of this magazine, and the runaway success of the Women in Security Awards, are two examples of collaboration improving security.

This year the industry came together to support the awards, nominating more than 800 inspiring individuals. That was nearly four times the 232 nominated in the first year of the awards, twice the 468 nominated in the second year and a significant increase on the 624 nominations we received in 2021. As that timeless Yazz song says, the only way is up!

Each year the awards recognise a cohort of amazing men and women who are creating positive change by setting an example for their peers, their mentees and themselves. “If you can see it, you can be it,” the saying goes.

Behind each of those nominations is a story of collaboration; of people working together to make a positive impact on society. The awards honour their achievements in their professional lives and their ability to collaborate with others to further the cause of diversity and achievement in cybersecurity.

Similarly, our team at Source2Create is regularly collaborating with industry bodies, organisations and supporters to generate interest and build public awareness of the security industry.

We are helping to create the future we have always wanted, by uniting the world one country at a time. Although we started in Australia we have also recently launched in New Zealand, and who knows where the awards will end up next!

Without many organisations in the industry coming together this initiative would never have worked. Each of the organisations we work with offers a different array of industry events, awards, education, mentor programs, leadership programs, workshops, community meetups and more. Because the associations, companies and individuals we partner with all share the same vision, mission and values we have been able to collaborate to make the security industry a better place to work.

We are, as the lovely reader pointed out, working together to improve security. And that’s the strength of the industry: security belongs to everyone, so a focus on awareness and education creates a great framework for enhancing and advancing the industry.

This magazine’s sole purpose is to support our partners’ values and their collective mission: to make the online world safer. It is a platform that highlights the journeys of women today as they become the leaders of tomorrow. It is an assemblage of creative and innovative women and men contributors, award nominees, students and the many other people working for the good of this industry. We collaborate with industry experts and security experts from around the world who have come together to enhance global security by promoting good practice, information sharing and continuous discussion, and by taking action to achieve diversity, inclusion and equality. By doing so we provide a single voice and create lasting networks and alliances for knowledge sharing in Australia, New Zealand and around the world.

This manifests in many ways. In this issue you will learn about the way teams, associations, schools and individuals have come together to create positive change in the security industry. You never know how easy it is to break a glass ceiling until you get close enough to touch it. By working together we are giving current and future generations of security workers a leg up so they can not only touch the glass ceiling but break it into thousands of tiny pieces.

As we see time and time again, we are all more powerful when we empower each other. And if I know I am playing even a small part in this empowerment I can put aside the concerns I mentioned earlier and focus on finding new ways to empower everyone around me. That’s what working together is all about, and its success so far shows that, together, we truly can change the world.

Abigail Swabey
Publisher, and CEO of Source2Create
www.linkedin.com/in/abigail-swabey-95145312
aby@source2create.com.au
CONTENTS

From the Publisher (p. 2)
Strength in numbers: why associations matter (p. 10)
Column: Collaboration is the key to fighting cybercrime (p. 14)

What’s her journey?
- Aparna Sundararajan (p. 16)
- Angela Hall (p. 20)
- Aastha Sahni (p. 22)
- Gabe Marzano (p. 24)
- Pooja Shimpi (p. 26)
- Monica Zhu (p. 30)
- Sarah Gilbert (p. 34)
- Sarah Box (p. 36)
- Parul Mittal (p. 38)
- Aicha Bouichou (p. 44)

Career perspectives
- We are all just bricks (p. 46)
- Cracking the code of brain-friendly collaboration (p. 48)
- Cybersecurity: it’s a hybrid team sport (p. 52)
- The education question (p. 54)
- Becoming a mum: a guide for first-time working parents (p. 56)
- Should you take your teen’s device as punishment? (p. 60)
- How do we attract women into cybersecurity, and retain them? (p. 64)
- Relationships: essential for career success (p. 68)
- Every voice deserves to be heard (p. 72)
- Transposing consumer partnerships from the bedside to the client meeting (p. 78)
- Entering the cyber world at a more mature age (p. 80)
- Improving security together (p. 102)

Features
- Coolest careers in cyber (p. 62)
- Can schools stop young students from dismissing cyber careers? (p. 84)

Industry perspectives
- Cyber better together for a better tomorrow (p. 88)
- Talking privacy (p. 92)
- Bayanihan for International Women’s Day (p. 96)
- Collaboration in cybersecurity is the key to combatting the growing cyber threat. Here’s why. (p. 98)
- A camel is a horse designed by committee: achieving genuine collaboration in cybersecurity (p. 104)
- There is no ‘I’ in TEAM… but there needs to be one in your attack surface! (p. 108)
- The evolution of CREST (p. 112)
- If cloud is your map, security is your compass (p. 114)
- Lessons from the AWSN Leader Forums (p. 116)
- Avoiding a culture clash when bringing teams together (p. 118)

Talent board: reach out now. Job board (p. 74): apply now. The Learning Hub: visit here.
Contents (continued)

Technology perspectives
- Teams coming together (p. 128)
- Threat intelligence would be nothing without collaboration (p. 130)
- Improving security based on the past, the present and the future (p. 132)
- Insights on collective cyber resilience (p. 134)
- Data governance, another option to protect the data of your customers and employees (p. 136)
- Understanding a threat landscape takes a team (p. 138)
- Hidden in plain sight: the evolving threat of BEC (p. 141)
- Improving security together (p. 144)
- If your teams can do DevOps, they can do DEI too

Student in security spotlight
- Swen Lee (p. 150)
- Emily Harmon (p. 152)
- Bettina Marquez (p. 154)
- Ocia Anwar (p. 156)
- Raziye Tahiroğlu (p. 158)
- Caroline Ng (p. 160)

Turn it up (p. 165)
Off the shelf (p. 174)
Surfing the net (p. 176)

FOUNDER & EDITOR: Abigail Swabey
JOURNALISTS: David Braue, Stuart Corner
SUB-EDITOR: Stuart Corner
DESIGNER: Rachel Lee
ADVERTISING: Charlie-Mae Baker, Abigail Swabey, Misty Bland

Source2Create Pty Ltd is the publisher of this magazine and its website (www.womeninsecuritymagazine.com).
AWSN is the official partner of Women in Security Magazine.

COOLEST CAREERS IN CYBER

Organizations are hiring individuals with a unique set of skills and capabilities, and seek those who have the abilities and knowledge to fulfill many new job roles in the cybersecurity industry. The coolest careers in cybersecurity are the most in-demand by employers. Which jobs are the coolest and most in-demand? We know; let us show you the hottest cybersecurity jobs for 2022.

Curricula: Cyber Defense, Digital Forensics, Offensive Operations, Purple Team, Industrial Control Systems, Cloud Security, Cybersecurity Leadership. Where a course code is followed by a second code (for example SEC504 GCIH), the second is the GIAC certification associated with that course.

THREAT HUNTER
This expert applies new threat intelligence against existing evidence to identify attackers that have slipped through real-time detection mechanisms. The practice of threat hunting requires several skill sets, including threat intelligence, system and network forensics, and investigative development processes. This role transitions incident response from a purely reactive investigative process to a proactive one, uncovering adversaries or their footprints based on developing intelligence.
Why is this role important? Threat hunters proactively seek evidence of attackers that were not identified by traditional detection methods. Their discoveries often include latent adversaries that have been present for extended periods of time.
“Digging below what commercial anti-virus systems are able to detect to find embedded threat actors in client environments makes this job special. Shoutout to Malware and Threat Intelligence Analysts who contribute their expertise to make threat hunters more effective against adversaries.” - Ade Muhammed
Recommended courses: FOR508 GCFA, FOR572 GNFA, FOR578 GCTI, SEC573 GPYC, SEC504 GCIH, SEC541, FOR608, ICS515 GRID, FOR610 GREM, FOR710, ICS612

RED TEAMER
In this role you will be challenged to look at problems and situations from the perspective of an adversary. The focus is on making the Blue Team better by testing and measuring the organization’s detection and response policies, procedures, and technologies. This role includes performing adversary emulation, a type of Red Team exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective similar to those of realistic threats or adversaries. It can also include creating custom implants and C2 frameworks to evade detection.
Why is this role important? This role is important to help answer the common question of “can that attack that brought down company X happen to us?” Red Teamers will have a holistic view of the organization’s preparedness for a real, sophisticated attack by testing the defenders, not just the defenses.
“The only way to test a full catalog of defense is to have a full catalog of offense measure its effectiveness. Security scanning is the bare minimum and having Red Team perform various operations from different points will help the organization fix weaknesses where it matters.” - Ben Yee

DIGITAL FORENSIC ANALYST
This expert applies digital forensic skills to a plethora of media that encompass an investigation. The practice of being a digital forensic examiner requires several skill sets, including evidence collection, computer, smartphone, cloud, and network forensics, and an investigative mindset. These experts analyze compromised systems or digital media involved in an investigation that can be used to determine what really happened. Digital media contain footprints that physical forensic data and the crime scene may not include.
Why is this role important? You are the sleuth in the world of cybersecurity, searching computers, smartphones, cloud data, and networks for evidence in the wake of an incident/crime. The opportunity to learn never stops. Technology is always advancing, as is your career.
“Forensics is about diving deep into any system and device and locating the problem so as to develop a solution.” - Patricia M
“Data doesn’t lie, and the digital forensic analyst looks at the data to convey the stories that they tell.” - Anthony Wo
Recommended courses: FOR308, FOR498 GBFA, FOR500 GCFE, FOR518, FOR572 GNFA, FOR585 GASF

PURPLE TEAMER
In this fairly recent job position, you have a keen understanding of both how cybersecurity defenses (“Blue Team”) work and how adversaries operate (“Red Team”). During your day-to-day activities, you will organize and automate emulation of adversary techniques, highlight possible new log sources and use cases that help increase the detection coverage of the SOC, and propose security controls to improve resilience against the techniques. You will also work to help coordinate effective communication between traditional defensive and offensive roles.
Why is this role important? Help blue and red understand one another better! Blue Teams have traditionally been talking about security controls, log sources, use cases, etc. On the other side Red Teams traditionally talk about payloads, exploits, implants, etc. Help bridge the gap by ensuring red and blue are speaking a common language and can work together to improve the overall cybersecurity posture of the organization!
“The combination of red team blue team operations is very interesting and you get to see both sides. I have been on a Purple Team for a while now and it has driven a lot of positive change for us.” - Andrew R
Recommended courses: SEC599 GDAT, SEC670

MALWARE ANALYST
Malware analysts face attackers’ capabilities head-on, ensuring the fastest and most effective response to and containment of a cyber-attack. You look deep inside malicious software to understand the nature of the threat – how it got in, what flaw it exploited, and what it has done, is trying to do, or has the potential to achieve.
Why is this role important? If you’re given a task to exhaustively characterize the capabilities of a piece of malicious code, you know you’re facing a case of the utmost importance. Properly handling, disassembling, debugging, and analyzing binaries requires specific tools, techniques, and procedures and the knowledge of how to see through the code to its true functions. Reverse engineers possess these precious skills, and can be a tipping point in the favor of the investigators during incident response operations. Whether extracting critical signatures to aid in better detection, or producing threat intelligence to inform colleagues across an industry, malware analysts are an invaluable investigative resource.
“Being a malware analyst provides a great opportunity to pit your reverse engineering skills against the skills of malware authors who often do everything in their power to make the software as confusing as possible.” - Bob Pardee
Recommended courses: FOR585 GASF, FOR610 GREM

CHIEF INFORMATION SECURITY OFFICER (CISO)
The CISO leads staff in identifying, developing, implementing, and maintaining processes across the organization to reduce information and information technology risks. CISOs respond to incidents, establish appropriate standards and controls, manage security technologies, and direct the establishment and implementation of policies and procedures. The CISO is also usually responsible for information-related compliance, such as supervising efforts to achieve ISO/IEC 27001 certification for an entity or a part of it. Typically, the CISO’s influence reaches the entire organization.
Why is this role important? The trend is for CISOs to have a strong balance of business acumen and technology knowledge in order to be up to speed on information security issues from a technical standpoint, understand how to implement security planning into the broader business objectives, and be able to build a longer lasting security and risk-based culture to protect the organization.
“The chief gets to coordinate the plans. The chief gets to know the team, know them well and disperse them appropriately to strategically defend and test org networks and security posture.” - Anastasia Edwards
Recommended courses: MGT520, MGT521

BLUE TEAMER – ALL-AROUND DEFENDER
This job, which may have varying titles depending on the organization, is often characterized by the breadth of tasks and knowledge required. The all-around defender and Blue Teamer is the person who may be a primary security contact for a small organization, and must deal with engineering and architecture, incident triage and response, security tool administration and more.
Why is this role important? This job role is highly important as it often shows up in small to mid-size organizations that do not have budget for a full-fledged security team with dedicated roles for each function. The all-around defender isn’t necessarily an official job title as it is the scope of the defense work such defenders may do - a little bit of everything for everyone.
“In this day and age, we need guys that are good at defense and understand how to harden systems.” - David O
Recommended courses: SEC503 GCIA, SEC555 GCDA, SEC388, FOR572 GNFA, FOR508 GCFA, FOR608, SEC450, MGT514 GSTRT

SECURITY ARCHITECT & ENGINEER
Design, implement, and tune an effective combination of network-centric and data-centric controls to balance prevention, detection, and response. Security architects and engineers are capable of looking at an enterprise defense holistically and building security at every layer. They can balance business and technical requirements along with various security policies and procedures to implement defensible security architectures.
Why is this role important? A security architect and engineer is a versatile Blue Teamer and cyber defender who possesses an arsenal of skills to protect an organization’s critical data, from the endpoint to the cloud, across networks and applications.
“A security architect needs to understand work flows, networks, business requirements, project plans and sometimes even budget restraints. A very diversified role!” - Chris Bodill
Recommended courses: SEC503 GCIA, SEC505 GCWN, SEC511 GMON, SEC530 GDSA, SEC554

INCIDENT RESPONSE TEAM MEMBER
This dynamic and fast-paced role involves identifying, mitigating, and eradicating attackers while their operations are still unfolding.
Why is this role important? While preventing breaches is always the ultimate goal, one unwavering information security reality is that we must assume a sufficiently dedicated attacker will eventually be successful. Once it has been determined that a breach has occurred, incident responders are called into action to locate the attackers, minimize their ability to damage the victim, and ultimately remove them from the environment. This role requires quick thinking, solid technical and documentation skills, and the ability to adapt to attacker methodologies. Further, incident responders work as part of a team, with a wide variety of specializations. Ultimately, they must effectively convey their findings to audiences ranging from deep technical to executive management.
“Incidents are bound to occur and it is important that we have people with the right skill set to manage and mitigate the loss to the organization from these incidents.” - Anita Ali

CYBERSECURITY ANALYST/ENGINEER
As this is one of the highest-paid jobs in the field, the skills required to master the responsibilities involved are advanced. You must be highly competent in threat detection, threat analysis, and threat protection. This is a vital role in preserving the security and integrity of an organization’s data.
Why is this role important? This is a proactive role, creating contingency plans that the company will implement in case of a successful attack. Since cyber attackers are constantly using new tools and strategies, cybersecurity analysts/engineers must stay informed about the tools and techniques out there to mount a strong defense.
“It doesn’t become much more versatile than in this role, as oftentimes you’ll be challenged with whatever tasks or projects customers or managers envision, ranging from simple analysis support to introducing new solutions and implementing whole services such as a SOC.” - Harun Kuessner
Recommended courses: SEC401 GSEC, SEC450, SEC501 GCED, SEC503 GCIA, SEC504 GCIH, SEC554, FOR500 GCFE, FOR508 GCFA, FOR578 GCTI, FOR585 GASF, SEC540 GCSA, ICS410 GICSP, SEC530 GDSA, FOR608, FOR509, SEC555 GCDA, FOR518, FOR610 GREM, FOR710, ICS456 GCIP

OSINT INVESTIGATOR/ANALYST
These resourceful professionals gather requirements from their customers and then, using open sources and mostly resources on the internet, collect data relevant to their investigation. They may research domains and IP addresses, businesses, people, issues, financial transactions, and other targets in their work. Their goals are to gather, analyze, and report their objective findings to their clients so that the clients might gain insight on a topic or issue prior to acting.
Why is this role important? There is a massive amount of data that is accessible on the internet. The issue that many people have is that they do not understand how best to discover and harvest this data. OSINT investigators have the skills and resources to discover and obtain data from sources around the world. They support people in other areas of cybersecurity, intelligence, military, and business. They are the finders of things and the knowers of secrets.
“Being an OSINT investigator allows me to extract information in unique and clever ways and I am never bored. One day I’m working on a fraud investigation and the next I’m trying to locate a missing person. This job always tests my capabilities, stretches my critical thinking skills, and lets me feel like I’m making a difference.” - Rebecca Ford
Recommended courses: SEC487 GOSI, SEC587

TECHNICAL DIRECTOR
This expert defines the technological strategies in conjunction with development teams, assesses risk, establishes standards and procedures to measure progress, and participates in the creation and development of a strong team.
Why is this role important? With a wide range of technologies in use that require more time and knowledge to manage, a global shortage of cybersecurity talent, an unprecedented migration to cloud, and legal and regulatory compliance often increasing and complicating the matter more, a technical director plays a key role in successful operations of an organization.
“A technical director must have strong cybersecurity knowledge, a strategic view of the organization’s infrastructure and what’s to come, and communication skills. These things are hard to get, and I would imagine this job to be very challenging, no matter the organization size or business.” - Francisco Lugo
Recommended courses: MGT516, MGT551 GSOM, SEC557, SEC566 GCCC, SEC388

CLOUD SECURITY ANALYST
The cloud security analyst is responsible for cloud security and day-to-day operations. This role contributes to the design, integration, and testing of tools for security management, recommends configuration improvements, assesses the overall cloud security posture of the organization, and provides technical expertise for organizational decision-making.
Why is this role important? With an unprecedented move from traditional on-premise solutions to the cloud, and a shortage of cloud security experts, this position helps an organization position itself thoughtfully and securely in a multicloud environment necessary for today’s business world.
“This role is essential to find and patch vulnerabilities in the cloud environment to ensure that crackers and hackers are unauthorized in cloud environments.” - Beeson Cho
Recommended courses: SEC488 GCLD, SEC510 GPCS, SEC541, SEC504 GCIH, SEC588 GCPN, FOR508 GCFA, SEC401 GSEC, SEC460 GEVA

INTRUSION DETECTION/(SOC) ANALYST
Security Operations Center (SOC) analysts work alongside security engineers and SOC managers to implement prevention, detection, monitoring, and active response. Working closely with incident response teams, a SOC analyst will address security issues when detected, quickly and effectively. With an eye for detail and anomalies, these analysts see things most others miss.
Why is this role important? SOC analysts help organizations have greater speed in identifying attacks and remedying them before they cause more damage. They also help meet regulation requirements that require security monitoring, vulnerability management, or an incident response function.
“The intrusion analyst is the guard at the gate and can get great job satisfaction from detecting and stopping network intrusions.” - Chuck Ballard
Recommended courses: SEC450, SEC503 GCIA, SEC511 GMON, FOR572 GNFA, SEC555 GCDA, FOR608, SEC504 GCIH

SECURITY AWARENESS OFFICER
Security Awareness Officers work alongside their security team to identify their organization’s top human risks and the behaviors that manage those risks. They are then responsible for developing and managing a continuous program to effectively train and communicate with the workforce to exhibit those secure behaviors. Highly mature programs not only impact workforce behavior but also create a strong security culture.
Why is this role important? People have become the top drivers of incidents and breaches today, and yet the problem is that most organizations still approach security from a purely technical perspective. Your role will be key in enabling your organization to bridge that gap and address the human side also. Arguably one of the most important and fastest growing fields in cyber security today.
“This role allows me to use my previous experience to influence proper security behaviors, effectively improving our company’s defenses. And the rapidly evolving nature of threats means my job is never boring.” - Sue DeRosier
Recommended courses: MGT415, MGT433 SSAP, MGT512 GSLC, MGT521

VULNERABILITY RESEARCHER & EXPLOIT DEVELOPER
In this role, you will work to find 0-days (unknown vulnerabilities) in a wide range of applications and devices used by organizations and consumers. Find vulnerabilities before the adversaries!
Why is this role important? Researchers are constantly finding vulnerabilities in popular products and applications ranging from Internet of Things (IoT) devices to commercial applications and network devices. Even medical devices such as insulin pumps and pacemakers are targets. If we don’t have the expertise to research and find these types of vulnerabilities before the adversaries, the consequences can be grave.
“I think researchers will play a crucial role in years to come. They will be able to identify and help us prepare for the vulnerability before it is exploited by the hacker so instead of responding to incidents we will then be able to proactively prepare ourselves for the future issues.” - Anita Ali
Recommended courses: SEC660 GXPN, SEC661, SEC670, SEC760

APPLICATION PEN TESTER
Application penetration testers probe the security integrity of a company’s applications and defenses by evaluating the attack surface of all in-scope vulnerable web-based services, client-side applications, server-side processes, and more. Mimicking a malicious attacker, app pen testers work to bypass security barriers in order to gain access to sensitive information or enter a company’s internal systems through techniques such as pivoting or lateral movement.
Why is this role important? Web applications are critical for conducting business operations, both internally and externally. These applications often use open source plugins which can put these apps at risk of a security breach.
“It is not only about using existing tools and methods, you must be creative and understand the logic of the application and make guesses about the infrastructure.” - Dan-Mihai Negrea
Recommended courses: SEC504 GCIH, SEC542 GWAPT, SEC554, SEC556, SEC588 GCPN, SEC617 GAWN, SEC642, SEC661, SEC560 GPEN, SEC760, SEC575 GMOB, SEC660 GXPN, SEC670

ICS/OT SECURITY ASSESSMENT CONSULTANT
One foot in the exciting world of offensive operations and the other foot in the critical process control environments essential to life. Discover system vulnerabilities and work with asset owners and operators to mitigate discoveries and prevent exploitation from adversaries.
Why is this role important? Security incidents, both intentional and accidental in nature, that affect OT (primarily in ICS systems) can be considered to be high-impact but low-frequency (HILF); they don’t happen often, but when they do the cost to the business can be considerable.
“Working in this type of industry, I can see how the demand is increasing so rapidly that companies are starting to look desperately for people with proper skillsets.” - Ali Alhajhouj
Recommended courses: ICS410 GICSP, ICS418, SEC575 GMOB, ICS456 GCIP, ICS515 GRID, ICS612

DEVSECOPS ENGINEER
As a DevSecOps engineer, you develop automated security capabilities leveraging best of breed tools and processes to inject security into the DevOps pipeline. This includes leadership in key DevSecOps areas such as vulnerability management, monitoring and logging, security operations, security testing, and application security.
Why is this role important? DevSecOps is a natural and necessary response to the bottleneck effect of older security models on the modern continuous delivery pipeline. The goal is to bridge traditional gaps between IT and security while ensuring fast, safe delivery of applications and business functionality.
“From my point of view it is a highly demanded position by companies which need to offer flexible, agile and secure solutions to their clients’ developers.” - Antonio Esmoris
Recommended courses: SEC510 GPCS, SEC522 GWEB, SEC534, SEC540 GCSA

MEDIA EXPLOITATION ANALYST
This expert applies digital forensic skills to a plethora of media that encompasses an investigation. If investigating computer crime excites you, and you want to make a career of recovering file systems that have been hacked, damaged or used in a crime, this may be the path for you. In this position, you will assist in the forensic examinations of computers and media from a variety of sources, in view of developing forensically sound evidence.
Why is this role important? You are often the first responder or the first to touch the evidence involved in a criminal act. Common cases involve terrorism, counter-intelligence, law enforcement and insider threat. You are the person relied upon to conduct media exploitation from acquisition to final report and are an integral part of the investigation.
“This is like solving a puzzle or investigating a crime. There is an exciting element to the unknown and the technical complexity of countermeasures. The sensitivity of content and potential to get real evidence on something is exciting.” - Chris Brown
Recommended courses: FOR308, FOR498 GBFA, FOR572 GNFA, FOR500 GCFE, FOR585 GASF, FOR508 GCFA, FOR518, FOR608

Further course codes printed on the poster without a legible role attachment: FOR308, FOR498 GBFA, FOR508 GCFA, FOR509, FOR518, FOR572 GNFA, FOR578 GCTI, FOR585 GASF, FOR608, FOR610 GREM, FOR710, MGT512 GSLC, MGT551 GSOM, SEC402, SEC460 GEVA, SEC504 GCIH, SEC505 GCWN, SEC511 GMON, SEC522 GWEB, SEC530 GDSA, SEC557, SEC560 GPEN, SEC565, SEC573 GPYC, SEC586, SEC598, SEC617 GAWN, SEC660 GXPN, SEC699, SEC760. Also quoted on the poster, without a role: “We don’t talk about Bruno. No, no, no.”

SANS Asia-Pacific contact: AUSTRALIA +61 2 6174 4581, INDIA +91 974 1900 324, JAPAN +81 3 3242 6276, SINGAPORE +65 6983 1088, AsiaPacific@sans.org
©Copyright 2022 Source2Create. All rights reserved. Reproduction in whole or part in any form or medium without express written permission of Source2Create is prohibited.
ASSOCIATIONS & GROUPS SUPPORTING THE WOMEN IN SECURITY MAGAZINE: official partner and supporting associations.

Previous issues (www.womeninsecuritymagazine.com):
- Issue 07, March • April 2022: Who runs the world. In 2022, you can no longer take security workers for granted (pp. 10-13). As the security threat morphs, defensive teams must change too (pp. 76-79).
- Issue 08, May • June 2022: Year of the security worker. If you can’t spend your way to good security this year, try focusing on your people (pp. 94-97).

Source2Create: Big picture. Easy. Reliable. No job is too big or too small. We look after your marketing & content needs so you can get on with what you do best. Get connected and take control of your business success today! Contact charlie@source2create.com.au, aby@source2create.com.au or misty@source2create.com.au.

In partnership, we invite you to participate in The Australian Security Industry Workforce - Understanding Gender Dimensions Project Survey. This survey aims to gain an accurate picture of the security industry workforce in Australia. The goal of this study is to identify practical ways to expand and diversify the industry’s talent pool to best equip it for the growing challenges and demands it faces. Come and share your experiences to support shaping the outcomes for our industry.
STRENGTH IN NUMBERS: WHY ASSOCIATIONS MATTER by David Braue
Global relationships are helping ISACA’s DEI advocates present a unified front
The COVID-19 pandemic challenged everybody in different ways, but for Geetha Murugesan it was a massive disruption to her efforts to expand the membership structure of ISACA, the global risk and cybersecurity association whose 220 individual chapters have made it the industry's de facto skills development body and, through its One in Tech foundation, a strong advocate for bringing more women into the industry.

Murugesan has long worked to spread the ISACA gospel in countries like Morocco and her native India, where there are eleven chapters, as well as Ivory Coast, where ongoing efforts to establish a chapter were put on hold when COVID-19 made international travel all but impossible.

That was frustrating for a 15-year veteran who, as past president of ISACA's Mumbai chapter, was instrumental in the association's 2015 move to standardise its certification requirements and create a global charter that would apply consistent regulations across all global affiliates.

“We didn't have many regulations or rules prior to 2015, so we wanted something that would apply to each of the chapters to apply local laws but adhere to ISACA global standards,” she told Women in Security Magazine.

“It was a Herculean task. Europe had its privacy laws in place, the EMEA market was not that regulated, then [we had to tackle] APAC, North America and the Americas group, but it was a fantastic experience and a great learning, and things have streamlined a lot.”

However, now that travel is opening up again, renewed enthusiasm for ISACA has revived efforts to establish the Ivory Coast chapter and, by extension, SheLeadsTech, the banner program for the One in Tech foundation that has become a centre of gravity for ISACA's efforts to promote diversity, equity and inclusion (DEI) across its affiliates.

Promoting the DEI cause in India is still a work in progress, Murugesan admits, not only because of long-held biases that keep representation to just nine or 10 percent of cybersecurity workers, but because the country's intensely family-focused culture sees representation drop off a cliff once women tech workers reach their mid 30s.

“In India, software was always the area in which women used to work,” she explains, “and one of the areas in which India had a lot of women. But when it came to cyber, the mindset is ‘do I need to do a 24x7 job, because security is something where you have to be available around the clock?’

“That mindset is changing, but women in India take a back seat when it comes to working after their mid 30s because their priorities are driven by family.”

Nonetheless, ongoing advocacy—including ISACA outreach to female university students and the explicit support for DEI from industry body NASSCOM's initiatives—is making a difference, and Murugesan is confident representation will increase rapidly in coming years, partly because of the unified voice coming from ISACA's local chapters.

STRENGTH IN NUMBERS

ISACA is far from the only cybersecurity association in the world. Cybercrime Magazine lists nearly 100 such groups, and dozens more dedicated to promoting the cause of women in cyber, but ISACA's broad reach, deep membership base and global consistency have made it an exemplar of how associations can unite expertise from around the world for a common purpose.

“We realised that, without partners globally, we cannot scale up the little things that we're doing more locally,” explains Ginger Spitzer, executive director of the One in Tech foundation.
“By having these partners, not only are we able to do more, but we can do more that is applicable to each region.” Those relationships have proven crucial to facilitating new projects such as a chapter scholarship program and a SheLeadsTech toolkit that includes webinars, presentations and other marketing materials. The toolkit, Spitzer explained, is “to focus on helping women, supporting them and advancing their careers – how you break that glass ceiling and move into more leadership roles.” Built to be globally consistent, it also includes “enough room for the chapters where we send it to, to add their own perspective to it,” she said, highlighting the way the global organisation maintains consistency and individuality at the same time. The support of the global organisation proved to be a huge help for One in Tech’s Melbourne, Australia chapter, which was founded with two SheLeadsTech ambassadors in February 2020, just as the pandemic took hold. It has since expanded to eleven and is one of just six branches pilot-testing the new toolkit.
“My focus is mainly to bring more women into the tech workforce and supporting women to get into leadership roles or wherever they would like to get to,” explained SheLeadsTech coordinator Natalie Perez.

Despite its relative newness, strong support for the local organisation has seen it embracing relationships with ISACA's established Sydney chapter, as well as corporate partners like Dream Collective, the Australian Signals Directorate, WORK180 and KPMG, which have reached out with offers of venues, staff, presenters and mentorship opportunities.

Perez puts it all down to the networking opportunities that come with involvement in a well-established organisation and particularly the outreach of well-established individuals like board member and diversity director Reshma Devi, whose extensive industry contacts helped the Melbourne chapter hit the ground running.

“I would acknowledge that we're new,” she said, “but having support from other organisations, doing the same programs and same initiatives, has been a strong driver in terms of how we are able to deliver our programs.”

UNITING THE WORLD, ONE CHAPTER AT A TIME

For Perez—who came to Melbourne from the Philippines—Melbourne's renowned multiculturalism has proved to be a significant benefit in shaping the local operation.

“It's easier for people to have a role model, or to be able to connect in an organisation,” she said, “if they see someone in that organisation who looks like them, who is from their background and is someone they can connect to.”
Success is contagious, it turns out: one recent virtual and in-person event attracted 73 individuals, proving so successful that the chapter is now fielding requests for advice about setting up SheLeadsTech branches from as far afield as Auckland, Japan, South Africa, Namibia and the USA.

Indeed, the ease of access across regional and country boundaries has been one of the biggest benefits of participating in a global association like ISACA, according to Faith Wawira Nyaga, a data informatics and analytical solutions practitioner with Kenya's Water Resources Authority who serves as a director of ISACA Kenya.

The local chapter was already undertaking advocacy, education, mentorship and other programs through its SheLeadsTech chapter when Nyaga began working with One in Tech in mid 2021, taking on a role as director of the chapter's Special Programs Committee.

“Working with ISACA has been one of the most eye-opening opportunities ever,” Nyaga explained, citing the rich experiences in organising conferences, webinars and other events.

“You have different people from diverse backgrounds and ethnicities, from all over the world,” she explained, “and if you hear all these stories from different companies and institutions, you can appreciate the need for continuous inclusivity and looking at diverse backgrounds.”
That has meant the chapter’s advocacy programs not only focus on gender diversity, but also on engaging with neurodiverse and other traditionally marginalised communities, both in the professional world and at universities where the support of a global association has proved to be an immensely valuable way of providing mentorship and networking opportunities. Working under the ISACA banner, the group has been able to reach out to other groups, Nyaga explained, in a process that has enabled strong collaboration with community groups, professional associations and government authorities that are also working to promote digital and cyber careers. “You need a different set of eyes to be able to holistically deal with the evolving landscape of cyber threats,” Nyaga said, “and one of the things that ISACA has exposed to me is the opportunity to see cybersecurity in a bigger picture, and to see the diverse needs of diverse groups. “When it comes to inclusivity and diversity, technology does not know gender, and it does not know your background.”
Pictured: Geetha Murugesan, Ginger Spitzer, Natalie Perez, Faith Wawira Nyaga
AMANDA-JANE TURNER Cybercrime is big business, thanks to technical advancement and interconnectivity creating more opportunities for cybercriminals. This regular column will explore various aspects of cybercrime in an easy to understand manner, to help everyone become more cyber safe.
COLUMN

Collaboration is the key to fighting cybercrime

Cybercrime is big business. Perpetrators range from lone opportunists, hacktivists, cyber stalkers and solo deviants to loosely established decentralised groups, people involved in procuring and selling child exploitation/abuse material, nation state sponsored disruption and espionage specialists and members of large criminal enterprises.

You do not have to be a tech whiz to be part of the fight against cybercrime, you just need to ensure you are doing what you can to protect your accounts. This means knowing where to go for help, keeping any children under your guardianship aware of basic online safety, and being willing to share with others accurate (non-sensationalised) information on cybercrime you have seen, or have been the victim of.

Here are some things we can all do to harden ourselves against cybercrime.

• Stay aware of cyber safety messaging and know where to go for help.
• If you are a parent or guardian of an underage person, keep them informed on how to stay safe online and keep an open dialogue with them so they feel safe sharing concerns with you.
• Use multifactor authentication where it is provided.
• Turn on automatic software updates where possible.
• Think before you click or respond to requests for sensitive information.
• Share cybersecurity information with others.

How do these activities contribute to the fight against cybercrime? If you have received a scam message or email and alert your family to it and they then alert people they know, the knowledge on staying alert for this fraud will be spread exponentially via peer groups.

If you are a cybersecurity professional, ascertain how your workplace can collaborate with others to support sharing of indicators of compromise.

Be active in your community, via social media or in person, in supporting people to be safer online.

To be effective in the fight against cybercrime and protect ourselves, our families, our friends and our workplaces, communities and nations, we all need to work together. Collaboration is the key to fighting cybercrime.

www.demystifycyber.com.au
WHAT’S HER JOURNEY?
Aparna Sundararajan Manager - Technology Transformation Practice
Aparna Sundararajan recently left a role at Australian IT research and advisory organisation ADAPT as an industry analyst specialising in cybersecurity, data analytics and emerging technologies and is about to take on a consulting role focussing on cybersecurity and digital technologies.

Quite an achievement for someone who eschewed family advice to study IT. After graduating in her native India in 2004 with a degree in economics, Sundararajan vowed she would “never, ever work in IT.” And she confessed just a few years ago to having thought, “I will never track security, it's boring.”

Sundararajan says, for her, “IT meant engineers and codes. Codes meant algorithms and mathematics. I wasn't interested in the subject, and I wanted to stay far, far away from it.” So, she joined a marketing agency as a brand manager, but not for long. “I enjoyed my work, but it was repetitive, and the agency culture was getting a bit too much. So, I quit my job and thought about my next career move.”

FROM MARKETING TO BUSINESS RESEARCH

That move was into business research. “These were well paying jobs with great potential for growth and international exposure. For one of these jobs, they were looking for economics students, so I got the call and after a whole day of grilling interviews, I got selected. This job taught me to conduct research through primary and secondary sources to create a trend analysis of a particular market. So, I created market trends and influencers for the financial services sector, manufacturing, automobile etc.”

This role was followed by a move into a global IT market research organisation, but not into an IT analyst role. “The common notion across the team was that, since I did not have an engineering degree, I could never be an IT analyst. However, as my interest grew deeper I kept studying more in areas of cloud computing and enterprise software. Although I thought I understood technology enough to comprehend its business viability I was still working in a backend support role.”

Her elevation to an analyst role came as the result of a confrontation with another team member, considered a top performer. “He was a published author. He had written technical reports that had been published on the portal for leading IT clientele. He was the first from the team to accomplish this. On one of my projects, we got into a very stubborn argument, and it turned ugly. The management sided with him.”
BECOMING AN IT ANALYST

That, says Sundararajan, “was the day I decided I would become an IT analyst, just to prove a point.” She chose the right time, when the interest in data, text analytics, sentiment analytics, AI, etc was growing.

“These areas did not require core technical skills. They were new for most people. So, I took the plunge and worked hard to specialise in data and digital technologies that could remodel and reshape industries. Once I became an IT analyst, I got enough support from the US team. They really believed in me and championed me for the position. I became hooked on technology and have not looked back since.”

Refuting the expectations and opinions of others—family and employers—seems to be a hallmark of Sundararajan's career journey. Born in India into a conservative upper caste Hindu family, she was expected to become a school teacher, “because a teaching job lets a woman work as well as take care of her family,” she says. “If you are a woman, work is considered to be just a hobby, not a serious task.”

Not one to listen to family, Sundararajan took an office job, but with little ambition. That changed as a result of negative feedback.

“A series of disappointing comments about my capabilities made me think ‘Can I really not do this?’ ‘How can this be so unachievable?’ I went for it just to prove a point. This was especially true for both IT and cybersecurity, when I was told I would not be able to understand it unless I was an engineer. I thought, ‘How can the very thing that is built for my use be beyond my capacity to comprehend?’ ‘How did they make it so complicated that the layperson can't understand it?’ That's what drove me to achieve more.”

IN PRAISE OF THE IT ANALYST ROLE

She recommends an IT analyst role to anyone looking for a career understanding the implications of technology for business and wanting to get ahead.

“Being an analyst opens doors into consulting, tech strategy roles, product roles and much more. Someone starting out as an analyst would get a lot of benefit from learning basic data visualisation, analysis, report writing skills, primary and secondary research skills, understanding various business analysis frameworks such as PESTLE, SWOT, BCG matrix etc.

“Curiosity to find problems, patterns and solutions, and analysing quantitative and qualitative data are key attributes for anyone who aspires to become an IT analyst or a consultant. Your job is to identify the root cause of issues and find the most effective solution.

“Graduating in business studies, economics or statistics will help. Even if you are a student of arts and are highly analytical you could learn about the topic or subject on the job, but you would have to work hard no matter what qualifications you had.”

GETTING INTO CYBERSECURITY

What finally got Sundararajan into cybersecurity was the increased attention being paid to it by clients. “In the past three to five years, all the data and digital technology conversations have converged into a cybersecurity conversation. Every client I spoke to was worried about the security of their digital assets, network and customers. That intrigued me to think about cybersecurity and I thought it would be extremely important to understand the subject.

“Last year I did the digital transformation course from Massachusetts Institute of Technology because I wanted to be up to date in the top areas in tech today: cyber, AI, data, cloud and blockchain. These are the foundations of future businesses and ecosystems.”
Like many women Sundararajan has faced gender discrimination and male chauvinism, but for her these were particularly damaging. “I faced grave problems in my personal life including clinical depression and an emotionally challenging marital situation,” she says. “These things were aggravated by a hostile boss who did not understand or support my situation. It was quite interesting. While enduring a bad marriage my career took a downturn, but my ex-husband's career took off. He got far more support at work for his situation than I.”

On another occasion she says, “I had a very male chauvinistic boss who was highly insecure and threatened by me. He was a key reason for me to quit my job. He created a seriously hostile environment for me.”

In contrast, Sundararajan has nothing but praise for her Australian employer, ADAPT CEO Jim Barry, and her immediate superior, Matt Boon.

THE POWER OF POSITIVE FEEDBACK

“Jim hired me just from hearing my story of survival and how I had rebuilt my life. He did not care about anything else. After I joined ADAPT he showed immense trust in me, gave me the best opportunities and always told me ‘Aparna, you are absolutely amazing. You should be proud of yourself.’ No one had ever said that to me before in my career, or my life for that matter. I had been told the exact opposite. This was all so new and refreshing it changed my perception of myself and truly made me thrive.

“With Matt, it was like having the best guide and champion I could ever ask for. He was so patient, accepting and nurturing I felt I healed from my past bad experiences just by working with him. Matt and I were a great team and I think this is where I learnt how we need this balance in the technology industry.”

Sundararajan adds, “We need equal representation not just because we need to create equal opportunities for all genders and races. We need it because it is highly effective and proven. If you can build trust between two completely different kinds of people, you have a solid team with diverse thinking and the openness to accept that thinking. As we built the team, Matt taught me how to accept and work with diverse people.”

Now gearing up for her next role Sundararajan says she wants to further develop her problem solving skills for the benefit of her clients and “keep working on building my industry reputation as someone who can simplify tech speak without taking away its true meaning or purpose.

“I think more organisations are on a path to consolidating their cybersecurity efforts to make a strategic impact on business continuity and resilience. We will see more resource allocation and executive focus on cybersecurity strategy and plans rather than just increased funding for cyber initiatives. Also, there will be more reforms at national and industry levels, especially around data protection and cybersecurity baseline requirements.”

* At the time of the interview, Aparna was in between roles. She now works for one of the big four consulting firms.

www.linkedin.com/in/aparna-sundararajan-seniorresearch-strategist-adapt
Contact us today to find out how you can become an industry contributor, no matter the level of experience. reach out now www.womeninsecuritymagazine.com
Angela Hall Client Trust, Risk and Compliance (CTRaC) & Trade Regulations Executive at Kyndryl
Angela Hall has worked in the IT industry for 25 years, most of them in IT security and in various roles: identity and access management, security analysis, security advisory and policy program management. She has rolled out a compliance education program, spent 12 months overseas setting up a security team, has held a process leadership role in Asia Pacific and several field management positions.

She has also worked in several non-security roles but says “It seems I have a natural affinity to security and have always gravitated back to this domain.”

Three years ago she moved into a chief security, regulatory and risk management leader position with Kyndryl, the world's largest IT infrastructure services provider, spun out of IBM in 2021. “In a nutshell, I lead a team of approximately 40 IT security professionals to support Kyndryl's and our clients' infrastructure/IT security needs, policy and risk management,” Hall says.

FROM FARMING TO CERTIFIED CYBERSECURITY PROFESSIONAL

She grew up in a small farming community “where gender bias was rife and with a father with very ‘old school thinking’.” She was not supported to attend university so instead joined IBM at age 19 in an entry level role and worked her way upwards. “Much of my learning has been through on the job training, experience based and short courses, and more recently I was encouraged to undertake further industry training,” she says.

“I have now become a Certified Information Security Manager (CISM) and a Certified Data Privacy Solutions Engineer (CDPSE). Having held many roles in the part of the organisation I now lead, I have gained a unique perspective on how to support our clients and my team. That helps me make decisions.”

Hall adds: “Sometimes the downside is that I can get into too much detail with the team, but the positives far outweigh the negatives!” She says her industry certifications and organisation memberships have given her greater insights into evolving risks, and great networking opportunities.
NEVER STOP NETWORKING

“If I were to give advice to a younger version of myself I would say: ‘embrace the learning journey, continue to increase your skills, maintain your relevance and never stop networking.’ There is always something new on the horizon to learn. New skills are highly transferable to any role and you will always meet someone with great insights.”

Hall put off gaining industry certifications until after having children, believing it would be difficult to maintain these certifications while on maternity leave. “Now that I understand the requirements and the processes, I definitely would not have delayed achieving these certifications until after my family.”

Juggling family and work life has been one of Hall's main challenges. “Prior to having children I could work unlimited hours to get the job done, but once I had a family my priorities altered, which at times meant I had to place my career on hold for several years,” she says.

COMPETING PRIORITIES

“Competing priorities forced me to become better at time management in order to survive! The years 2020 to 2022 have truly been unparalleled times with the fast rise of COVID cases, remote learning adding pressure to the family unit and requiring teams at work to find new ways of working and having to meet and engage with clients and teams in online meetings.”

Undertaking training remotely while trying to juggle being a teacher to three youngsters also had its challenges. “As 2020 progressed we soon understood the family unit was the most important, and that not everything could be achieved every single day. After the first lockdown my husband and I decided we were not going to pressure ourselves and our boys if time did not allow for all activities to be completed in a day. This removed a lot of stress and helped us maintain the level of dedication expected in our professional lives, along with a happier homelife.”

In conclusion, Hall says, “To anyone reading this not already in IT security, I would highly recommend it. There is such diversity. You can work with the business and/or clients on many levels, helping protect them from threats originating inside and outside their organisations. Eighteen of my 25 years have been IT security, and I still love it as much as on the day I began. I am sure anyone with an interest in security would be the same.”

https://www.linkedin.com/in/angela-hall-787405120/
Aastha Sahni Technical Trainer at Exabeam and founder of CyberPreserve and BBWIC
Aastha Sahni wears multiple cybersecurity hats, some of which she made herself. Her ‘day job’ is as a technical trainer at Exabeam, a US-based provider of extended detection and response (XDR) and security information and event management (SIEM) products. She provides customer training on the Exabeam Security Operations Platform. She is also the founder of CyberPreserve and of BBWIC.

CyberPreserve is an organisation that helps people wanting to work in cybersecurity and prepares them for the job market. BBWIC—an acronym for breaking barriers for women in cybersecurity—has a mission to “promote research, lateral growth within different domains of cybersecurity and women leadership.” It aims to provide an online venue where women in cybersecurity can envision growing as leaders, and where industry leaders can share their ideas and work with their peers across the globe.

Sahni grew up and had most of her education in India. She gained a bachelor's degree in computer science in 2013 and was looking to follow this with a master's in 2015 when she discovered cybersecurity.

DISCOVERING CYBERSECURITY

“After finally clearing my entrance exams in 2015, I started applying for universities and during one of my counselling sessions in a university, I discovered a degree in information security management, and I found it really intriguing,” she recalls. “The idea of studying forensics, ethical hacking, secure coding and cryptography among other subjects in the program made me very excited.”

She decided to study for a cybersecurity master's degree at the Indira Gandhi Delhi Technical University for Women (IGDTUW), in Delhi, which she says gave her the best years of her student life.

“I practiced my skills via hands-on labs, learned from the best in the industry, became familiar with communities like OWASP Delhi Chapter and took my first certification exam: Certified Ethical Hacker (CEH).”

While studying for her master's Sahni gained work experience at the National e-Governance Division (NeGD) of the Ministry of Electronics and Information Technology, as a security intern on its Unified Mobile Application for New-age Governance (UMANG), a mobile app that provides access to a wide range of government services.

Her first post-graduation roles were in identity and access management, first with Tata Consultancy Services, then with Indian IT service management company Nagarro. She moved to the US in 2019 after getting married and took on another IAM role, this time with Identropy, which was acquired by Protiviti in late 2020.
A PASSION FOR TEACHING

During these years Sahni was discovering a passion for teaching she had first recognised at school.

“When I was in high school, I took C++ as an additional subject and loved computer science. I used to help classmates to understand the concepts and prepare for the exams. I always loved teaching but I did not know then that teaching computer science could be a career,” she says.

“I really enjoy myself as a trainer because I get to share my knowledge and keep up to date with the latest changes in technology and cyber security.”

She undertook some voluntary teaching at New York's Flatiron School and then took on a fulltime role for two years as a lead instructor. “I was assigned to teach SIEM and threat hunting. I was scared at the beginning to teach something I had never taught before,” she says. “I started preparing myself, took certifications (Splunk and AZ 900) and prepared myself for my first class and I have not looked back.”

She says her decision to pursue a master's in cybersecurity changed her life for the better, but even armed with this qualification she struggled to find employment.

“Companies won't hire a fresher in security roles. I went through several rejections until I got my first job, and even after securing a job in security, the journey to advance my career in different domains of cybersecurity was not easy.

“One really needs to keep learning, practicing and applying for roles. Continuous learning and perseverance are key in cybersecurity.”

AWARDS AND RECOGNITION

And Sahni's perseverance and initiative have brought her awards and recognition. In 2021 she was presented with the Cyber Educator award by The Women's Society of Cyberjutsu (WSC), a non-profit organisation dedicated to raising awareness of cybersecurity career opportunities and advancement for women. In 2022 BBWIC was named the non-profit Ally of the Year by cybersecurity consultancy Inteligenca, recognising BBWIC as “a non-profit whose mission has made a large impact on building an inclusive society for women in the working world.”

Sahni has achieved much in her six years in cybersecurity and has her sights set on advancing in cybersecurity education. “I see myself moving towards learning and strategy and eventually into a chief learning officer role in the industry,” she says.

“I feel education and training to be very underrated in cybersecurity, and with the ever-evolving threat landscape and technology around us, training is a very important part of the cybersecurity industry in terms of upskilling. It will continue to grow.”

www.linkedin.com/in/aastha-sahni
Gabe Marzano
Head of Cybersecurity at Palo Alto Networks and one half of the team behind the Dark Mode podcast

Gabe Marzano is head of cybersecurity at Palo Alto Networks and one half of the team behind the Dark Mode podcast. It’s a role far from her youthful ambition.

“When I left school I wanted to be a professional soccer player,” she says.

However, she did manage to fulfil that goal, playing until recently in Melbourne Victory’s women’s team.

Along the journey to her current roles, which are two of many, she managed to fit in a significant stint in the military, where her interest in cybersecurity originated.

Marzano spent seven years in the Australian Army as a combat engineering officer where, she says, she “became incredibly curious about technology and its impact on humanity, so was inspired to transition into the corporate sector.” She also gained the distinction of being the first female combat diver in the Australian Defence Force.

Before joining Palo Alto Networks Marzano was business manager cybersecurity and, later, head of cybersecurity at NextGen Group, an IT value-added services company founded in 2011 by Oracle when it asked then group CEO John Walters to set up a new Australian distributor. In this role, she says, she “built a $50m cybersecurity software business” that “taught me commercialisation and corporate leadership.”

FOCUSSED AMBITION

With such an impressive list of achievements, it is perhaps not surprising Marzano cites the most important decision in her career journey as being “to be purposeful about who I want to become and what I want to achieve in my life.”

It is also hardly surprising she regards individualism as “the most important tenet for success.” Her advice to anyone aspiring to a role like hers is “Figure out what interests you the most and execute well to get there.”

The biggest influences on her highly focussed career journey have been “learning from other people and being curious about the future through various mediums and literature.”

Marzano confesses to reading an inordinate number of books and consuming lots of content around topics of interest. “As an interpersonal learner I then like to take what I’ve learnt and hear from other people’s perspectives, both in private and public forums,” she says.

WHAT’S HER JOURNEY?
Despite the success she has achieved, Marzano says “obstacles, challenges and failures” very much epitomise her career journey, adding, “I have experienced plenty of them!”

She singles out her combat diving experience in the Army as being “one of the most challenging and rewarding times” of her very full life, and confesses, “Making difficult decisions to keep moving and developing myself typically means saying goodbye to special relationships, teams and businesses, which is all part of the journey.”

PEOPLE PROBLEMS

Despite all these challenges she says “I would also say the BIGGEST [her emphasis] obstacles I face every day are people’s mindsets. … We are in this domain to better protect people and technology and malicious actors are moving fast and exploiting vulnerabilities. In Australia we need to champion an optimistic security conversation and be better at building skills and capabilities to safeguard our communities.”

Better we will certainly need to be. Marzano sees multiple cybersecurity challenges emerging.

“The most important security developments include the use of automation/artificial technologies and the advancement in our thinking and understanding of cybersecurity,” she says.

“The biggest issues in the near term include geopolitical cyber conflict tensions in a multidomain theatre. The biggest changes impacting cybersecurity involve the acceleration of any advancing technology and how we better protect ourselves in these environments. From artificial general intelligence (AGI) to hyper automation and the rise of scientific advancements such as brain-computer interfaces (BCI) and bioengineering; these all impact cybersecurity in various ways.”

www.linkedin.com/in/gabemarzano
www.gabemarzano.com
youtube.com/channel/UCJ8kAB5vNq3vmiqJahPmTVw
open.spotify.com/show/00E2Xf4RpYUa7bb4x8OhpI
Pooja Shimpi
Business Information Security Officer at Citibank Singapore

Pooja Shimpi is Business Information Security Officer with Citi, based in Singapore, responsible for monitoring and implementing compliance with information security policy and controls across APAC. She has come a long way from her childhood in a small town in India.

“We didn’t have access to computers in India when I was in school. The first time I got to touch and feel a computer was in 2001,” she recalls.

And a career in IT was not on Pooja’s parents’ roadmap for her. In fact, no career of any kind was.

“Career aspirations were not talked about much. Parents usually wanted their children to study and finish graduation, but being from a small town, and a girl, I was expected to get married and settle down as soon as I had completed my studies rather than focus on a job or think about career aspirations,” she says.

“I did my Master’s degree in Computer Science just to escape getting married. I really enjoyed studying about computers, but career aspirations were too far-fetched at that time.”

From a Master’s in Computer Science to a career in cybersecurity was a serendipitous step for Pooja.

“When I studied Computer Science in my Bachelor’s and Master’s degrees, cybersecurity was pretty much non-existent as a domain specialisation. Hence, when I got an opportunity to work on a project at ANZ Bank in India that touched upon areas of security, I grabbed it excitedly. And from then, it has been a very interesting and fulfilling journey. Once I completed that project, there was no looking back. I had found my true calling in the field of cybersecurity.”

Despite her qualifications, Pooja Shimpi believes passion to be “the single most important trait” for a successful career in cybersecurity. “The ‘business as usual’ world of cybersecurity throws new challenges at you every day and, similarly, the governance of cybersecurity keeps you on your toes. While qualifications can take you to a certain level, nothing beats the real-life industry experience.

LEARNING BY DOING

“So, I would suggest everyone should be ready to get their hands dirty. If you have a qualification, excellent, but if you don’t, let it not deter you from entering this exciting space. Even though I hold a Master’s degree in Computer Science, with no specialisation in information security, I picked up the nuances along the way, and so can anyone. It’s a gradual process where you learn in a more practical way. Over the years I got myself certified as Certified Data Steward and Certified Information Systems Security Professional.

“For new entrants, I would recommend LinkedIn learnings such as cybersecurity foundation courses and exploring certifications such as ISC2 and Systems Security Certified Practitioner (SSCP), which is a great way to start and display your passion in cybersecurity. It also helps you gain a quick insight into the latest and greatest terminology, understand the job functions and learn about cybersecurity.

“It’s also important for new entrants to know information security offers many roles that can suit different personality types. A few examples are cybersecurity analyst, penetration tester, security specialist, digital forensics and incident response, governance, risk and compliance, and information security manager.”

OPPORTUNITIES FOR WOMEN

She says there are opportunities aplenty for people, especially women, aspiring to careers in cybersecurity. “Women in information security made up only 11 percent of the workforce in 2013. This number has since increased to 25 percent. However, women make up 47 percent of STEM workers overall, so cybersecurity still has a long way to go.

“Security is a field that has something for everyone. A wide array of security jobs is available for women to choose from. Even if you don’t have a security background, you can easily self-study, get certified and be market ready.

“Corporates are facing severe shortages and are inviting professionals for interviews even if they have no prior experience. Once in security, you can then branch off to other verticals within the security domain.

“And last but not the least, don’t let anyone deter you from joining the security field because it’s too stressful. There could be some bad days as in any other job, but the security industry is full of great people who share the passion for this field and are extremely helpful.”

She says getting into security rather than software development was one of the most important decisions of her career. “I have always enjoyed working and engaging with a lot of people rather than cracking code behind a screen all day. Information security gave me that opportunity and hence, I would not change anything.”

OVERCOMING HURDLES

However, as well as having to overcome the stereotyped life journey for a young Indian woman, Pooja has had to tackle a few other hurdles in her career. “I have encountered strong biases, both on the personal and professional front,” she says.

“When I decided to choose the information security field, people discouraged me by saying ‘Oh, it’s a very stressful job,’ ‘there’s hardly any women in this field, it’s not suited for you,’ etc. Moreover, when I started my career in 2008, IT was not a very respected role. It was considered more as a support function and a cost centre to the overall business or industry. Things have drastically changed since then.”

Fortunately Pooja has enjoyed some good support from the people in her life. “My first and foremost strength has been my partner, who has supported me in all my decisions,” she says. “Being senior in the IT industry, even though from a completely different area of expertise, his objective guidance on topics and issues has made me a more mature professional.

“I have also been lucky enough to get guidance and support from my mentors, some of whom were at work and others I connected with over LinkedIn. I feel blessed to be part of this huge community of like-minded cybersecurity professionals who are more like a close-knit family, always ready to open their arms to anyone who is remotely interested in cybersecurity. Some of the groups I am part of are Cyber Risk Meetup, ISC2 Singapore, Cyber EdBoard, Cyber Leadership Program, and cybersecurity/CISO groups on social media.”

And she adds: “I am a subscriber and regular reader of LinkedIn posts, ISC2 material, ACS, AISA, etc. that provide a deep insight into developments in cybersecurity and give a clear view of the current threat landscape.

“A knowledge of the happenings around the world in terms of cyber-attacks opens your mind to the wide array of possibilities. This is extremely helpful when I attend conferences or participate as a panelist in cybersecurity discussions. Moreover, it gives me crucial talking points in board and risk meetings at work and helps me suggest improvements.”

COVID-INDUCED MENTORING

Pooja has achieved much in her career but says her most satisfying achievement was outside any formal role.

“After working for almost a decade, during COVID-19 I realised I had done nothing much for the community. There could be many people just like me who want to enter the exciting field of cybersecurity, but do not get the right guidance.

“I used to travel extensively. I had interacted with many people across the globe who loved computers but were not sure how to start a career. COVID-19 put a stop to my travels. Hence, during the COVID-19 induced circuit breaker in Singapore, I came up with a mentoring program focused on helping anyone interested in information security or cybersecurity.

“I conceived and ran a program called Global Mentoring for Cyber Security (GMFC), which received an overwhelming response. The program ran for eight weeks in 10 countries and involved 20 mentors who volunteered to help 20 mentees.

“The volunteer mentors, who held leadership positions across the cybersecurity industry globally, connected regularly with their mentees to guide them on how to kickstart or grow their careers in cybersecurity. I consider this as my biggest achievement.”

HER NEXT GOAL

Pooja says she still wants to “grow into a more rounded cybersecurity professional,” and will be focussing on this goal over the next few years.

“The sophistication of cyber-attacks demands that you know the latest and greatest around the world in this field, be it the types of cyber-attacks, development of security products, government regulations for different industries, threat landscape, etc.

“Another important aspect is to gain substantial know-how on this topic to be able to explain the threat landscape and related solutions to the board, in a simple straightforward way.”

www.linkedin.com/in/poojashimpi
THANK YOU TO OUR 2022 NEW ZEALAND WOMEN IN SECURITY AWARDS SPONSORS
[Sponsor logos: Supporting Partner, Bronze Sponsor, Networking Sponsor, Supporting Sponsor, Gold Sponsor, Emerald Sponsors, Silver Sponsor, Merchandise Partner]
Monica Zhu
Cyber Security Incident Responder & Threat Intel Manager at Qantas

“Always follow your heart, your passions and do not let anyone define who you are and tell you what you can or cannot achieve. Always take on challenges, overcome obstacles, intimidations, fears and hold fast. To dream and to dream big. We are all on the journey, and I found this journey to be most satisfying and it’s a life worth living.”

Cloud computing today is ubiquitous. According to one recent report 94 percent of enterprises use cloud services, 67 percent of enterprise infrastructure is cloud-based and 92 percent of businesses have a multi-cloud strategy in place or in the works.

And of course, security concerns are paramount: much of this data is business critical and highly sensitive. There is a global body, the Cloud Security Alliance, “dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.”

So rapid has been the rise of cloud it is difficult to realise just how recent all these developments are, but it’s something Monica Zhu knows only too well. She was in the last year of a master’s degree in Forensics Information Technology at Auckland University of Technology (AUT) and needing to complete a substantial research project.

“Cloud computing was a new technology back in 2010 and due to privacy concerns most people held negative views with only a few people seeing its potential. My supervisor was a visionary man and he supported me to complete a research paper on cloud computing,” she recalls.

“He was a great mentor and a very inspiring gentleman [but] I could only find two papers in the entire portals of reputable academic literacy on the topic at the time, so my entire thesis had to be built on industrial papers.”

RISKY RESEARCH

She was warned against embarking on a research venture into such unexplored territory. “Before I started researching this topic, I was told about its risks and the likelihood of not being able to finish my master’s by the majority of my classmates, lecturers and even my thesis supervisor due to the challenges and complexities it presented.”

However, Zhu was not to be deterred. “I like to challenge myself, so I picked a hard and exciting road and chose mobile cloud computing forensics. I knew if I was able to complete this, it would be ground-breaking research that would serve as a cornerstone for anyone wanting to extend their research later.
“I remember sitting my parents down and telling them I would pursue this topic, but that there was a possibility I may fail miserably and not even get my degree.”

Her gamble paid off. “Everything fell into place. I was able to find and meet like-minded people in the industry who were willing to help me.”

It was not the first time others had tried to divert Zhu from her chosen field of study. She transitioned to her AUT master’s course from a University of Auckland Bachelor of Science Computer and Information Sciences course, where her professor poured cold water on her plans to enrol in a master’s course. “I thought he would be very excited and would encourage me. He thought I was too young, and that a master’s degree was designed for people who already had years of experience in the security industry. So, he discouraged me from enrolling. I felt shaken and heartbroken, but although I was discouraged and intimidated, I did not let it hold me back.

HER BEST DECISION

“I knew this was what I always wanted and something I had been waiting for, so in the end my passion overcame my fear, and I went ahead and applied for the degree. I was able to enrol for the upcoming semester before finishing my bachelor’s degree. I was the youngest student and the only female in my class. Upon reflection, this is probably one of the best decisions I have ever made in my life: following my heart and passion.”

And she certainly confounded those who had discouraged her. “The Master’s degree was a two-year course; the first year we needed to take eight courses to fulfil the credits. Through these courses, I was able to learn the aspects of cybersecurity and forensics. I ended up graduating with first-class honours and my research helped me land my first cybersecurity job in Sydney as a forensic analyst with Deloitte. Because I did well in all my course work, I proved to myself and anyone who had discouraged me that with diligence and the desire to learn, I had what it took to succeed.”

That was the start of Zhu’s journey into cybersecurity, a journey that has taken her to her current position as Incident Response and Threat Intelligence Manager with Qantas.

“People who spoke words of discouragement and said I did not have what it takes, for me, created moments to grow resilience, to be rooted in self-worth, overcome obstacles and achieve breakthroughs.”

“I would really like to thank Qantas and my manager for offering me the role. They believed in me and gave me the opportunity to learn and grow, even when I had no prior background in incident response. Since then I have led a team to resolve cyber issues, designed and implemented security protection during incidents to contain the situation and help the business to remediate the root cause so it operates seamlessly and delivers for our customers.

“Today I am the first point of escalation within the Group Security Operations Centre where I perform analysis and configure various security platforms, create, review, approve and publish customer-facing reports on threat intelligence, operational metrics, and/or service performance, manage high-profile security incidents and investigations across the enterprise and supplier landscape and assess and take action based on intelligence relating to Qantas’ IT landscape.
“My role is very broad, and no two days are the same. One day I’ll be responding to a potential incident, the next I will be leading a forensic investigation across different business functions, performing a threat hunting exercise or reversing malware to derive threat intelligence. This role has a very high demand on my technical knowledge, interpersonal skills, co-ordination skills and the ability to communicate effectively to a broad audience ranging from developers to senior management.”

TALENTED TEAM MEMBERS WANTED

She has also recently taken responsibility for the cyber testing function within Qantas, shaping and managing all penetration testing engagements, ensuring secure code development across the group and looking for staff. “I’d like to hire passionate and like-minded individuals and build a talented team to help achieve the best business outcomes and improve the application security posture for Qantas.”

Zhu developed her interest in cybersecurity following an early encounter with its dark side. “I was very fortunate to be able to find my passion at an early age and make a career of it,” she says. “When I was 14 years old, my first laptop was infected by malware. I was so devastated that I swore I was going to catch all the cyber criminals.

“Today, even though I am not physically catching cyber criminals, I am still helping the business to resist cyber-attacks by quickly identifying an attack, minimising its effects, containing damage, and remediating the cause to reduce the risk of future incidents.”

That teenage passion led Zhu to her bachelor’s degree course in computer science at the University of Auckland. “At that time, there were only a limited number of security courses to pick from, so I did them all. However, it did not take long for me to realise that university is not the place where they teach you how to hack. (Things are very different now).”

She recommends such a degree as a foundation for anyone contemplating a career in cybersecurity because it provides training in the fundamentals of computer systems and programming languages, and more. “It teaches you about problem solving, teamwork and critical thinking skills. With a good foundation, it’s a lot easier to branch into specialised areas such as digital forensics, incident response, penetration testing and application security.”

While studying for her bachelor’s Zhu was selected to gain real-world work experience in an industry placement program, developing commercial software, but realised software development was not for her. With, she says, her “dream of catching cybercriminals still burning fiercely within me,” she found the master’s degree in Forensics Information Technology.

POSITIVE EFFECTS OF NEGATIVE FEEDBACK

She says she could never have got to where she is without the “help, mentorship, protection, and encouragement of many influential people throughout my career journey.”

Paradoxically, in a list that embraces managers past and present, colleagues, mentors and parents, she includes the naysayers, “People who speak words of discouragement and say that you do not have what it takes.” For Zhu these were “moments to grow resilience and be rooted in self-worth, and opportunities to overcome obstacles and achieve breakthroughs.”

www.linkedin.com/in/monica-zhu-a320432a
THANK YOU TO OUR 2022 AUSTRALIAN WOMEN IN SECURITY AWARDS SPONSORS
[Sponsor logos: Event Partner, Silver Sponsor, Emerald Sponsors, Platinum Headliner Sponsor, Bronze Sponsors, Afterparty Networking Sponsor, Supporting Sponsors, Merchandise Partners]
Sarah Gilbert
Senior Business Analyst - Cyber Security at Transport for NSW

There’s nothing like having a great mentor to help guide and support your career journey, as that of Sarah Gilbert, Senior Business Analyst - Cyber Security at Transport for NSW, demonstrates very well. She cites a lack of self-belief as the biggest challenge she has faced throughout her career, one reinforced by her inability to make progress in the early stages.

“Belief in myself, that I know what I’m talking about and I can do a good job is something I have struggled with across all my roles,” she says. “I never believed I was good enough to be a senior/lead business analyst. Any promotions I applied for, I was always knocked back.”

Moving to Australia from the UK in 2017 was a watershed moment. “It gave me the opportunity to not be ‘pinned’ in certain roles, and I took the opportunity to apply for more senior roles.”

Her first role in Australia was as a senior business analyst with Lion, a beverage company. In that role she met colleagues and friends who helped change her career journey. “There are two individuals who have had the most influence in my career. They helped me move into the world of cybersecurity,” she says. “They gave me my first cyber opportunity and supported and believed in me when I did not feel I was good enough to do the job.

CAREER DEFINING COLLEAGUES

“It’s because of those individuals I managed to get my foot into the cyber door. They have been there to listen to me when I have problems or challenges and have given me advice throughout my career in cyber. Without them I would not be the person I am today with the role I have.”

Gilbert gained a bachelor’s degree in Business Information Technology from Staffordshire University in the UK in 2005 and followed this with a Master’s in Business and ICT in 2011 from the same university. Her first role after gaining her bachelor’s was in the IT department of a soft drinks manufacturer.

“I started off as an enterprise architect, moving to a project management office role and then eventually landing a business analyst position,” she says.

“Cyber was not a thing back then, so it wasn’t really on my radar. It wasn’t until I moved to Australia and started working for another manufacturing company that I was introduced to cyber and discovered what an interesting world it was.” At the time, she had no formal cybersecurity qualifications.

CONTINUOUS CYBER LEARNING

“I have had to learn about the principles of cybersecurity and the different elements that need to be considered when approaching a problem. It’s been a very interesting journey and I’m still learning every day.

“I have learnt that cyber is an ever-evolving world. Like technology it’s getting more sophisticated at an alarming pace. I remember one conference I attended where the keynote speaker said, ‘If you have a job in cyber, you have a job for life because we’re never going to fix it.’ This still resonates with me today.

“They were right. The attackers are becoming more and more sophisticated, and it’s not just industries that need to be wary, but also people in their everyday lives. We are seeing more and more articles in the news where people have succumbed to scams. We think it will never happen to us but if you are not diligent and careful, it just very well might. More security controls such as multifactor authentication and one-time PINs are becoming part of everyday life, but we as a society still need to be very vigilant.”

HAVE FAITH IN YOURSELF

Given her confession about a lack of self-belief it is no surprise that Gilbert’s advice to anyone aspiring to a role similar to hers is: “Have faith in yourself. If it’s something you are interested in then there is no reason why you can’t or shouldn’t pursue that career.” And, she says, a lack of cybersecurity qualifications should not be a barrier.

“There is the old debate about experience versus qualification: what do you need to be successful? I think it is a balance. When I started in cyber, I had my degree and my master’s, which showed commitment to learning and evolving as an individual. I had experience as a business analyst across a broad range of areas but no formal cyber qualifications.

“For anyone starting out, I think you have to be willing to learn, to be open to new ideas and new challenges, and if you’re not sure, Google it. Talk to others in similar roles to understand their journey and to see if there is anything you can take from their experience and apply it to your situation.

“Learn about the industry, learn about what options there are and what you think you would like to do. Don’t feel you have to stay in one role. Look for training opportunities, find people to speak with, follow security influencers on platforms such as LinkedIn, sign up to webinars. There is so much information out there to help you learn about the area you are interested in and where you might like to go.”

And, like every woman who has shared her career journey in these pages, Gilbert wants to see more women in cyber, and across the board in IT.

“I think more women in general would be great to see in the security industry and I don’t think they should be limited to specific roles. I have worked with many women who are amazing at their jobs, whether they be business-focussed or of a more technical nature. There is no stereotype any longer.

“When I started working in IT it was a very male-dominated area. It wasn’t unusual to hold a workshop where 90 percent of the participants were men. Since starting in cyber I have seen an exponential increase in the number of women involved, which is great. I have also seen an increase in the number of women in more technical roles which are usually taken by men. This is also great. Security is not a man’s world. There is no reason why women cannot start a career in cyber – no matter what age they are or what their previous experience is. If it is something you’re interested in, give it a go.”

www.linkedin.com/in/sarah-gilbert-a1985596
Sarah Box
Cyber Security Project Facilitator and Advisor at The Business Centre, Newcastle

Sarah Box got her first job at age 16, in a Baker’s Delight store because “I wanted to leave school but could not afford to. So I had to prove I was financially secure, buy a car and not sit around bludging.”

This came after a brief flirtation with hairdressing and a passing inclination to be a photographer. “I had no idea what I aspired to become,” Box says. “There was a fleeting moment of being a hairdresser. I was offered an apprenticeship at 14 years of age, but I didn’t want to sweep the hair. I enjoyed photography and gave that a go for a while as a teen.”

She left home and had a child at 18, life-changing events that, she says, shaped her every decision. “My child came first and I had to ensure we were both housed and fed. I never wanted to rely on any handouts, or people. So I have worked hard to be where I am today, with zero regrets.”

Today she works for The Business Centre, a not-for-profit that provides business advice and skills training for small businesses across NSW as part of the NSW Government’s Business Connect program.

CYBERSECURITY FOR SMES

Box facilitates a cybersecurity program for small to medium businesses in regional NSW, upskilling SMEs in the cyber gaps that may exist in their businesses. “It starts with a meeting to find potential gaps, then suggesting actions to improve their cybersecurity to protect their reputation and brand,” she says.

Cybersecurity aside, Box is well-qualified for such an educational role. She holds a double bachelor’s degree in Teaching and Design and Technology and before getting into cybersecurity spent almost seven years as a schoolteacher in Lake Macquarie, NSW.

“I was asked to join a role within the cyber industry whilst teaching and I declined on several occasions,” she says. Then, “I was worn down and I thought, ok, I have nothing to lose so I will give it 12 months. Fast forward to almost four years later and I am still in the industry.”

However, she adds: “I loved teaching and miss the students immensely. … I would eventually like to run my own cyber consultancy firm, but overall, so long as I am happy, engaged and enjoying what is thrown my way, I am winning.”
W H A T ’ S
H E R
J O U R N E Y ?
Prior to becoming a teacher Box had a variety of jobs in retail. She worked at Muffin Break, for Kodak as a photographic printer and at JB HiFi for several years. “I then became bored and needed more. So I enrolled in a bridging course to gain entry into university. I failed my first attempt, so I tried again and passed, which allowed me to enrol.”

COLLEAGUE POWER

Box attributes some of her significant career transitions—from retail to study and from teaching to cybersecurity—to colleagues.

“Sharon (Shazza) from my days at JB HiFi was super supportive. She knew I was bored and needed to study to become a teacher. Almost 20 years later we still catch up.

“Janine, my head teacher for almost eight years was my mentor who influenced and supported me in my personal and career life. She knew I was lacking challenge in my career and supported my career change into cyber. In fact she pushed me, which I am forever grateful for. I can still turn to her for support and non-judgemental advice.”

Todd, Box’s first cyber boss, helped her make the transition from teaching into the corporate world. “He taught me how to actively listen, because teaching is so fast paced and the communication method is very different. I learnt how to be comfortable in the uncomfortable surroundings of board meetings, conferences and events, and hosting round tables for various industry and government bodies. … He also regularly sent me new courses to engage with.”

A VERY SPECIAL MENTOR

And Mina Zaki, Associate Director - Cyber Security Alliances at KPMG Australia, Box’s “number one advocate in this industry” is the unofficial mentor Box says she can always lean on for advice.

“She always pushes my boundaries and sets challenges supporting my growth both professionally and personally. She is such an inspiration, putting herself out there and achieving goals. This beautiful person I have watched have time and genuine support for others around her. The time she has to uplift others is truly inspiring. Her dedication to her career and family truly blows my mind. I really do not know when she sleeps.”

In addition to the support and guidance from these people, Box says she was fortunate to have grown up with very strong independent women. “Their work ethic has been embedded into my upbringing. As a child I always had chores because my parents were always working. I remember helping my mum with her studies when she wanted to become a nurse. I used to help her prepare for her exams, read her the questions and I learnt a great deal from this. I can decipher some medical information to this day.”

Despite all the support she has received, Box says her biggest challenge has been the lack of ‘mateship’ in the cybersecurity industry. “There are pockets of people in our industry, as in others, who are not team players and looking out only for themselves,” she says.

UNCOMFORTABLE READING

“This might be an uncomfortable thing to read for some but it needs to be called out, because in this industry that is still growing at a rapid pace we cannot afford to reward this behaviour. It’s a challenge I’ve faced and have had to deal with firsthand on numerous occasions where my kindness has been taken advantage of and seen as my weakness. Despite this, I see it as what helps me be an effective collaborator.”

However, Box says: “Always treat people how you want to be treated. This is my number one belief. No exceptions. I am no better or worse than the person next to me. I will always say hello to the cleaner or waiter, colleague or the CEO/director of a large company. I will never treat anyone any different – it makes zero sense to me.”
www.linkedin.com/in/sarah-b-25670667
Parul Mittal Senior Manager - Tech Risk at Bendigo and Adelaide Bank

Parul Mittal landed in Melbourne from her native India in 2014 with her husband, and not much else: no relatives, no friends, no job and, without permanent residency, no immediate hope of getting one.

“I realised how alone one is without family, friends and a job,” she says. “But I learnt that if you’re authentic, people will value you and will want to build relationships with you.”

Mittal used her time waiting for permanent residency productively: she studied for and passed the CISSP exam and worked to develop her network. “I attended IT security conferences and forums to get to know more people around me. It was an interesting time where I had to build my network from scratch, and it was not easy.”

However, she has succeeded in spades. She gained her first IT job, as a senior risk consultant in financial services with EY, within a year of arriving. Today she is Senior Manager – Tech Risk with the Bendigo and Adelaide Bank and a SheLeadsTech brand ambassador, working to increase the representation of women in technology leadership roles and the tech workforce through mentorship, professional development and leadership training.

“I want to bring a change in the mindset of people that IT security is not just a man’s place,” she says. “With my initiative in SheLeadsTech, I target to bring that change with more participation in events like GoGirlGoIT, or a session on how STEM can pave a way forward for young girls, especially in the field of science and technology.

“Women’s perspective is missing. We need to make women more aware of what cybersecurity is and what a career in it could mean to them. This awareness should start from the schools and not when women start looking for jobs, then it could be quite late.”

A BIG ROLE IN BANKING

Mittal’s role at the Bendigo and Adelaide Bank is “to drive governance, oversight and continuous improvement of the technology risk management practices of the business and first line risk teams,” she says.
“This includes supporting the oversight and continuous improvement for the frameworks, policies, procedures and tools; providing challenge, influence and oversight of technology risks, controls, and processes; providing independent monitoring and reporting over the technology risk profile of the bank; providing technical support and advice on technology risk; and working effectively with stakeholders to ensure technology risks are monitored and escalated as per the risk management framework.”

While Mittal might have arrived in Australia without a network, she came well-equipped with qualifications and experience: an MSc in computer science, an MBA in information technology and experience as a senior consultant with Genpact Axis Risk Consulting, based in Mumbai. In that role, she travelled the world, providing services to some of the world’s largest companies. “Travelling and working across the world made me more confident and a strong communicator,” she says. “It removed biases I had about different people and cultures and made me more of a people person.”

AN IMPORTANT FIRST MENTOR

Her first job after completing her MBA was with ICICI Prudential Life Insurance, also in Mumbai, as a project manager providing advice on internal control process compliance. It was there that she encountered the Sarbanes-Oxley Act (SOX), and her first mentor. “He built my foundation on work ethics, which I still value to this day, and I am still in touch with him,” she says.

This role also determined her future career path. “I would say my first job paved the path forward for me and since then, I have worked across all lines of defence. I got introduced to the world of SOX, audit etc. It was a different facet of IT, which I had not encountered before. It was a great learning experience in terms of what risk and controls are and why these need to be assessed and why they are critical to be analysed.”

She embarked on her IT career because it seemed like a good idea at the time. “During the early 2000s a couple of us decided to pursue a degree in computer science without much background, because IT and computers were quite the buzzwords then. Everyone who got into it seemed to have a bright future. So our parents happily agreed.”

Her transition from studying IT to employment in IT was rapid and led her into cybersecurity. “I was recruited on the university campus. My aspirations at that point were to become successful in my job. I had no specific expectations. I did not choose the field of risk and security when I started my first job. My boss did that for me, and I cannot thank him enough. I was just happy to have landed a job in a good organisation while I was still on campus, studying.”

A CAREER IN CONSULTING

Mittal says, since that initial role, the majority of her work experience has been in consulting. “I can say that this has transformed me. It made me more conscious of the impact I was making on organisations and how I was enabling them to achieve their strategies. Whether this was restricted to the delivery of client’s work or the decisions I took on behalf of the organisations, this enabled me to be self-aware and more focussed on what I wanted to achieve with my career.

“Today, I’m in a leadership role with a big bank and with senior executives relying on my acumen to make wise decisions for the bank based on overarching strategies.”

www.linkedin.com/in/parul-mittal-cisa-cissp-88718154
TALENT BOARD

Gabriela Guiu-Sorsa

WHAT POSITIONS ARE YOU LOOKING FOR?
Cyber Security Consultant, Information Security Analyst (Operational)

PREFERRED STATE
Queensland

WHAT KIND OF ROLE?
Cyber Security Governance, Risk and Compliance (GRC) or operational roles that will enable acquired skills from previous roles, I am ready to learn new things.

WHAT'S YOUR EXPERTISE?
Flexible, resilient, agile learner and curious professional with strong work ethos, excellent problem-solving ability; solid experience in governance, risk and compliance, incident management and response in various industries, ISMS implementation projects and gained exposure to ISO 27001 and 31000, supporting government organisations, critical infrastructure such as mining, health care, education and private business to achieve cyber resilience and protect their most valuable assets. I have gained experience in developing and reviewing organisational security standards, policies and procedures, regular audit procedures, practices, processes and systems.

ISF, CSF, IS18 and NIST frameworks always crossed paths in each project when supporting government organisations, critical infrastructure such as mining, health care, education and private business to achieve cyber resilience and protect their most valuable assets by creating Standards, Policies, Procedures and Guidelines for security controls operationalisation.

In my past work experience prior cyber security consultancy, I have been exposed to Business Continuity Plans in Maritime sector – where I have been actively involved and managed security incidents, disaster management such as floods, fire, life loss, Incident and Evacuation Exercises, large evacuations via shore or water.

This experience now translates into very valuable soft skills – critical thinking, working under high pressure, decision-making capabilities, empathy.

Facilitation of workshops, seminars, working groups, public speaking are situations where I feel extremely comfortable as well.

+15 years in operations management, process improvement and premium service delivery.

WHAT'S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED?
Team oriented environment, where professional development and continuous learning is encouraged and supported. I acknowledge after my first 14 months of cyber security experience, there is so much more to learn, I have the drive, determination and curiosity to step into new cyber topics and I am acquainted with hard work.

I bring real world experience from the various industries where I have worked previously, especially from the maritime industry, where I have learned problem solving, resilience and flexibility, working well under high stress and having the clarity of making decisions under high pressure circumstances.

I am looking forward to what the future will bring, embracing new technologies, new certifications and new knowledge to add value to an organisation where passion, integrity, professional development and team work are supported and encouraged.

DM ON LINKED IN
IN EACH ISSUE WE WILL PROFILE PEOPLE LOOKING FOR A NEW ROLE AND PROVIDE DETAILS OF THEIR EXPERTISE. IF ANY MEET YOUR REQUIREMENTS, YOU CAN CONTACT THEM VIA LINKEDIN.
Manavjeet Kaur

WHAT POSITIONS ARE YOU LOOKING FOR?
Full time/ Contract

PREFERRED STATE
NSW (Sydney, or remote/ flexible)

WHAT KIND OF ROLE?
Information security analyst/ Cyber Security Analyst, Security awareness training Specialist. Cyber Security Consultant.

WHAT'S YOUR EXPERTISE?
Dynamic, resourceful, and engaging technical professional with solid knowledge of Programming languages/Platforms including Java, Android, Python, Unity, C#, and C /C++, Data Visualisation, and Business Analysis. I have more than twenty years of leadership experience in process improvements, product lifecycle management, and building training/education programs from the ground up based on specific needs. I have designed and delivered Cyber Security awareness courses at Australia's university and RTO levels.

WHAT'S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED?
I have worked in various environments, from casual and laid-back to fast-paced agile. I believe in a collaborative environment, where the team members have a strong sense of camaraderie and a good work ethic, an environment that helps transfer knowledge into skills for individual and organisational growth.

DM ON LINKED IN
Grace Imani

WHAT POSITIONS ARE YOU LOOKING FOR?
Contract, Part-time and Full-time

PREFERRED STATE
I love Perth however for the right position I will willingly relocate.

WHAT KIND OF ROLE?
Information security analyst, Risk management professional, SOC analyst (I have developed an interest in this area and I'm slowly upskilling). I am looking for a role that provides some guidance that coupled with my passion and determination will help me grow as a professional.

WHAT'S YOUR EXPERTISE?
Cyber security, Analytics, Problem-solving, Machine learning, Project management, Customer service

WHAT'S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED?
An environment where you feel motivated to grow and improve. A place where everyone is welcome. A place where your superiors not only delegate, but also lead.

DM ON LINKED IN
Liam Harmon

WHAT POSITIONS ARE YOU LOOKING FOR?
Full-time, Part-time or 1-2 days training / volunteer work a week.

PREFERRED STATE
Queensland

WHAT KIND OF ROLE?
Open to anything, ideally cloud/cloud security.

WHAT’S YOUR EXPERTISE?
Many years experience in customer service and print production/management. All my time in the print industry has refined my eye for detail and quality and has grown my interpersonal and relationship building skills.

WHAT’S YOUR IDEAL WORKPLACE ENVIRONMENT OR BENEFITS REQUIRED?
My ideal work environment is where people are doing their best, passionate to improve and willing to help each other showing a good team spirit. Training and support from colleagues and employer, as well as some flexibility in the work structure.

DM ON LINKED IN
Saber Attar Motlagh

WHAT POSITIONS ARE YOU LOOKING FOR?
Cyber Security Forensics, Information Security Analyst/Cyber Security Analyst

PREFERRED STATE
New South Wales

WHAT KIND OF ROLE?
I am interested in roles that are more on the investigative side of Cyber Security, for example, roles looking at attacks that happened or trying to analyse/predict future attack methods. However open to most roles in the cybersecurity world.

WHAT'S YOUR EXPERTISE?
I have worked in the IT industry for 3 years now (despite only being 22). This includes time spent working in Level 2 support at a bank in Australia and working as a web designer/SQL developer for a small IT firm. However, I am more interested in Cyber Security and I graduated with a Bachelor of IT majoring in Cyber Security. I am in the process of studying Comptia's Security Plus.

WHAT'S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED?
An ideal work environment would be one that is expecting and pushes me to be my best, but also relaxed and not super rigid in structure. Room for growth is very important to me and hybrid work (home/office) is preferred but not essential. No specific benefits are required.

REACH OUT ON EMAIL
Al Mamun Mahbub

WHAT POSITIONS ARE YOU LOOKING FOR?
Preferably mid-level. Full-time

PREFERRED STATE
Victoria

WHAT KIND OF ROLE?
Any cybersecurity position, if relevant training is offered.

WHAT'S YOUR EXPERTISE?
13+ in IT, new to security

WHAT'S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED?
Hybrid work environment

DM ON LINKED IN
Priya Kaul

WHAT POSITIONS ARE YOU LOOKING FOR?
I’m looking for an entry-level role

PREFERRED STATE
Victoria

WHAT KIND OF ROLE?
Blue team roles

WHAT’S YOUR EXPERTISE?
I possess a high level of stakeholder management and analytical skills

WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED?
Flexible working environment and option to Work From Home.

DM ON LINKED IN
Arthur Mapisa

WHAT POSITIONS ARE YOU LOOKING FOR?
Full-time, part-time or casual

PREFERRED STATE
NSW ACT SA TAS VIC

WHAT KIND OF ROLE?
Analyst, Penetration Tester, Cybersecurity Analyst, Cybersecurity Consultant, Security Assurance, Cybersecurity architect or similar.

WHAT’S YOUR EXPERTISE?
Entry-level Vulnerability management, Medium-level Web security, Entry-level penetration testing, Entry-level IT Governance and Risk compliance.

WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED?
An environment where I can work well as part of a team and express my innovative skills

DM ON LINKED IN
Aicha Bouichou PhD student at the National School of Applied Sciences, Tangier

Aicha Bouichou is a PhD student researching blockchain technology at the National School of Applied Sciences in Tangier where she also teaches engineers and masters students in information security and software development.

If that were not enough to keep her busy, she is also the founder and CEO of IT startup Gurzil Technologies, the creation of which she describes as “one of the most satisfying achievements of my career.”

Gurzil is the name of an 11th-century north African deity, known as a protector, guide, and dispeller of darkness. Bouichou says she and her co-founders started the company, “because we believe we have enough talent in my country to create solutions for our clients.”

Prior to embarking on her PhD Bouichou completed a bachelor’s degree in software engineering and a master’s in cybersecurity and cybercrime in her current school when she chose to focus on cryptocurrencies and smart contracts.

Her first job was an internship with a cybersecurity startup in Rabat. This was followed by a consultancy in Casablanca. “I learnt about penetration testing tools, how to perform attacks and how to provide solutions to protect the whole information system,” she says.

Her interest in cybersecurity dates from her schooldays. “I was learning about security breaches with my younger brother. At that time cybersecurity was not popular and nobody saw the importance of securing their data on the Internet. When I got the option to make it my daily work, I didn’t think twice.”

DREAMING OF A PHD

When Bouichou left school she decided to pursue her interest in cybersecurity through a career in academia. “Going for a PhD was crucial. It was a dream come true for me and my family. If I could go back, I would do the same, but with more focus,” she says. “Another important decision was to start my company where I can connect with talented people, exchange ideas and learn more.”
Along the way, she had to overcome toxic work environments where women were not valued. “Women are seen as people who should take care of the household, not as people with expertise in technology and even less, expertise in security,” she says. “I learnt the hard way how to manage the toxic environment, stay focussed on my goals and achieve a balance between pursuing a career and my emotional and physical health.” She adds: “It is important to keep in mind that every situation will come to an end and that what matters is maintaining emotional and physical health. I have learnt to never give up, even when it feels like everything is going down, and that it’s ok to give things time and start over again.”
BLOCKCHAIN WILL BE BIG

Given her background, it is no surprise that Bouichou sees blockchain technology as having a significant role in cybersecurity in coming years, but one that is threatened by the ability of quantum computing to make today’s encryption techniques insecure. “The emergence of new technologies such as blockchain, quantum computers and developments in AI are very relevant to security,” Bouichou says. “Quantum cryptography is getting attention from many academicians and companies such as IBM. Developing a robust encryption algorithm that can withstand the power of quantum computer is one of the interesting topics that should find an answer in the near future.”

For any woman interested in pursuing an academic career in cybersecurity, Bouichou advises “Stay up to date with the latest discoveries in the field, connect with professionals and experts, and never hesitate to ask for help. Recognise your weaknesses and work on them. Work on your analysis skills and develop a good package of soft skills. Don’t limit yourself in a specific area, and trust your intuition.”

www.linkedin.com/in/aicha-bouichou
aicha95bouichou@gmail.com
CRAIG FORD Cyber Enthusiast, Ethical Hacker, Author of A hacker I am vol1 & vol2, Male Champion of Change, Special Recognition award winner at 2021 Australian Women in Security Awards

COLUMN

We are all just bricks

I have worked in the IT industry for a while, first in general ICT and then in security. I have written more articles than I can remember, a few books—and I have more to come—and I have been part of quite a few panels, webinars and podcasts. You can probably guess I like to share my knowledge and thoughts with my peers. I want to be an active contributor and make a real difference in helping keep people safe from cyber risks.

I like to think of our industry as a house in which each of us is one of the bricks that help hold our house together. Each individual brick is of little significance. It could be a nice brick, it could be a really smart brick and it might even go out of its way to help people, but that one brick cannot hold up the house or protect what is inside the house without support from the other bricks: some holding others up, some at the top of the wall holding up the roof, some holding the doors and windows, keeping them strong and secure.

In security, each brick—each individual—has a job to do. Together we stand strong, even if a couple of us are slacking and do not want to work well with the others. Security would be much easier if we were all working towards the same goal, but that may never happen. I know collaboration—everyone coming together with one purpose—is not easy. I have tried it a few times, but it can be achieved.

Think of our brick house in the context of the nursery rhyme about three little pigs. The third pig’s brick house stood strong against the big bad wolf (in our case a malicious actor) because all the bricks held together and held off the big bad wolf’s attacks. In some versions of the story, the pig in the house of straw and the pig in the house of wood get eaten. In others, they escape to the brick house and survive. We as an industry can learn from our mistakes like the three little pigs. Like them, we have lost some battles, but together we can be strong: a house of bricks in which each brick supports and is supported by the others.

You are probably thinking: what is Craig talking about? He started by calling all security people bricks. Then he made these bricks into a house before invoking a fairy-tale story about three little pigs.

Let me put it another way: we security people are not isolated individuals; we are members of a village. If we cannot find a way to stand together, to stand as one, the whole village will fall. Things will get very dark and society as we know it will collapse. If we all try a little harder to leave our egos at the door, to actually listen to people instead of just talking at them, we will all be better for it. Then, maybe that village will succeed. Everybody will be happy. Everybody will be safe. It surely can’t be hard. Right?

www.linkedin.com/in/craig-ford-cybersecurity
www.amazon.com/Craig-Ford/e/B07XNMMV8R
www.facebook.com/AHackerIam/
twitter.com/CraigFord_Cyber
CAREER PERSPECTIVES

VANNESSA MCCAMLEY

CRACKING THE CODE OF BRAIN‑FRIENDLY COLLABORATION

by Vannessa McCamley, Leadership and Performance Consultant, Coach, Facilitator, Author and Keynote Speaker

Ask any leader if their organisation values collaboration and you will likely get an affirmative response. Ask whether the firm’s strategies to increase collaboration have been successful and you may receive a different answer.

WIRED TO CONNECT

Humans are born to connect regardless of whether they have introverted or extroverted personalities. We are emotionally and cognitively hardwired for connection and belonging. Connection gives us purpose and meaning.

We all have different mental maps. No two brains are the same. Yet we often assume we are on the same page as other people and the information in our brain is known to others. What may seem common knowledge or rational thinking to you is based on your experiences, beliefs and learnings. Every person’s journey, no matter how similar, is different.

Therefore, communication is one of the toughest skills to master, because we all interpret things differently. We could look at our favourite painting or hear our favourite song and give it a meaning different from the meaning another person would attribute to it.

THE OUTCOMES OF COLLABORATION

A collaborative work environment facilitates a very fruitful exchange of perspectives and collective creativity.

To accomplish a shared objective, a group of people collaborate in the workplace by sharing their ideas and expertise. Workers are more productive and feel more connected to the business when they have an opportunity to contribute and make a difference. They also find it easier to brainstorm ideas, solve a problem or deliver work on time.

Teams can solve issues more quickly and effectively when employees with diverse ideas, viewpoints and specialities collaborate to discover novel solutions. When people think outside the square, innovative and creative thinking comes alive with purpose.
INGREDIENTS FOR SUCCESSFUL COLLABORATION

Focus on strengths

Explore the full range of people’s abilities. Be mindful not to let someone’s differences, your own biases and neurodivergence blind you to the unique contribution each person may be able to offer. Rather than searching for skills gaps, appreciative enquiry lets you consider what people do well. You can then find ways to apply these strengths to other parts of their job and ultimately to your organisation. Once you have the right mix on your team, focus on these strengths, allow everyone to perform to their strengths, be flexible with roles and focus areas. Continue to invest in learning and development of team members’ strengths in alignment with the goals of the organisation, and leverage technology advantages.

Communications

Understand each team member’s preferences for receiving communication and the best way to prioritise what is most important. Communication considerations include the right mix of visual, auditory and written communication. It is also important to know what kind of language your people perceive as threatening and avoid such in favour of language they perceive as rewarding and want more of.

Communicating how each person’s strengths fit within the organisation’s purpose makes a difference, because most people want to contribute and feel a part of the company culture.

Regularly check in

Make sure you check in regularly with your team members. This has become more important than ever with the growth of remote working and hybrid workplaces. Starting and continuing conversations with staff about the challenges they face and pairing them with others—internally or externally—who have relevant experience and strengths can help expand their thinking and help them feel supported.

Where and when your team do their best thinking

For decades work was mostly undertaken in an office and between 9:00am and 5:00pm. Then COVID-19 forced large scale remote working and many people discovered they could be more productive outside traditional work hours. Others noticed they were most efficient working in small increments of time.

There is an optimal way to work, but it differs for every person. It is important to know when and where your people do their best work and to gain buy-in on the best times to bring people together to exchange ideas. It is also important to provide detailed agendas ahead of time stating the problems to be solved and the desired outcomes so team members have time to digest these and develop their ideas at the times and in the places they do their best thinking.
Art of listening
Leveraging brain-
The art of listening is the art of discovering what the
friendly tools
speaker thinks about something. When employees
and models has
listen to one another they learn from one another. A
helped many of
free flow of ideas that is truly listened to can create a
my clients’ teams
workplace where employees are constantly learning
and organisations
from each other. Listening encourages respect and
to collaborate
builds trust.
effectively, reach their goals and fulfil their
Dealing with conflict in brain-friendly ways

Conflict is an opportunity for growth. The best way to resolve conflict is to see it as such and to truly listen by asking open and insightful questions that seek understanding. For example, by saying: “I am curious about the valuable insights you just mentioned, can you please elaborate your ideas and experiences on solving X, Y, Z or what learnings could be valuable in setting this up for success?”

At one of my clients the two leaders of the IT team—the head of security and the head of enterprise applications and operations—were not seeing eye to eye, impacting the performance and productivity of the whole IT team.

I used PRISM Brain Mapping, a neuroscience behavioural tool that identifies existing behavioural wiring (habits) and highlights the parts of the brain people are tapping into. I showed these two leaders how to leverage their capabilities and strengths, individually and within a team environment, to recognise their strengths and be objective.

Knowing how people think and function can change the lens of perception and the stories we tell ourselves. Through a coaching program these two have improved communication and appreciation of how their individual strengths can enable them to work together effectively. They do not need to like each other to be more collaborative and produce better outcomes from their teams.

purposes. Reach out to chat about how I can help.

ABOUT VANNESSA MCCAMLEY

Vannessa McCamley is a leadership and performance expert specialising in neuroscience practices that help individuals and businesses grow in meaningful ways whilst delivering measurable results in healthy ways.

She has a passion for helping people and businesses to overcome obstacles and enabling them to reach their strategic goals. She brings a strong background in IT security and more than 20 years’ business experience to working with individuals at all levels and from several industries.

She is the author of REWIRE for SUCCESS – an easy guide to using neuroscience to improve choices for work, life and wellbeing.

linksuccess.com.au/rewire-for-success
www.linkedin.com/in/vannessa-mccamley
linksuccess.com.au/contact-us
CAREER PERSPECTIVES

STEVE SCHUPP

CYBERSECURITY: IT’S A HYBRID TEAM SPORT
by Steve Schupp, Executive Director – CyberCX WA Branch

Just as the cloud has blurred the definition of the network perimeter, the invisible line around your cybersecurity team has also likely blurred. Whether you have a small team and are reliant on external providers, or a large team tapping into specialist capability, it is more than likely your cyber team extends far wider than those you employ. In practice, this fuzzy line around your team creates an environment in which you can improve security together.

THE HYBRID TEAM

Gone are the days when someone from the network team who had an interest in hacking could occasionally wear a ‘cyber hat’ and do cybersecurity as a side project. There is now greater awareness that a risk based approach to decision making is a crucial prerequisite for effective security outcomes.

As a result of this maturation in the cyber domain, the need for specialist skills in various areas of cybersecurity has increased. It is no surprise companies engage with external providers for discrete projects and services. This has been happening in IT for decades.

However, I believe there has been a strong trend recently for SMEs to consciously consider the structure of their cyber teams, to actively discuss hybrid capabilities with service providers and to incorporate external providers into their own ‘hybrid’ cyber capability. Cyndi Spits, Project Manager for Perenti Group, says a collaborative team that encourages the business to engage with cybersecurity was an important factor for Perenti, where there is “a relatively flat team structure with collaborative team leaders rather than a traditional top down management structure, and where both internal resources and managed service providers are used.”

Trudy Bastow, Director, Managed Security Service Operations, Federal Government and Protected SOC for CyberCX, says a structure that combines internal and external resources enables different skills and experiences to be brought together to achieve desired outcomes.

Bastow also raised the benefit of risk reduction in the event that, in a tight labour market, employees leave. “When you partner with an external team, that risk reduces as you still have a team who are familiar with the business risks and requirements, who can pick up that gap to provide continuity of skills,” Bastow says.

However, this does not mean it is straightforward to build a hybrid team with internal and external members. Bastow stresses the importance of investing in relationships. She says understanding who your collaborators are and putting time aside to achieve this is integral to success.

There are many personal and professional benefits to be gained from this investment, such as long term connections you maintain throughout your career, or the opportunity to build on business skills such as team management which enhance your promotion prospects. Spits’ involvement with cyber security projects has raised her interest to undertake hands-on cybersecurity training through the Australian Women in Security Network and work towards obtaining other technical certifications including CISSP.

THE SPECIALIST SKILLSET

Threat intelligence is one specialisation becoming increasingly common in our industry. Claudia Muller, lead cyber intelligence analyst at CyberCX, believes introducing threat intel allows companies to “understand how their internal and external context influences their cyber risk and informs threat actor behaviour so they can spend their money and effort on the controls that best protect them from their most significant threats.”

Assessing and contextualising all information coming from the firehose of threat intelligence creates a significant workload for in-house teams. In addition, it is difficult for in-house teams to ‘look over the fence’ and see what is happening in other companies or industries.

According to Muller, CyberCX works closely with its security operations analysts, incident responders and pen testers. “Their insights enrich our intelligence, and our intelligence enables them to provide services more tailored to Australia and New Zealand based on threat activity and broader trends,” she says.

Muller also believes communication to be a crucial element in making extended teams perform. She describes two-way communication as “a cornerstone of intelligence analysis.” The professional benefits gained by mastering these skills are valuable for anyone in an extended team role. Muller is confident doing so has made her better at engaging with other teams during the intelligence analysis cycle, which in turn has made her a better analyst.

GREATER SUCCESS

Cyber teams that identify gaps and expand their capability through external providers have a much greater ability to address the security challenges faced by their organisation. Muller agrees, saying, “In my role it is essential to work with our clients as partners and to work together as ‘one team’ to improve security outcomes.”

Spits believes that while IT understand the need for increased cybersecurity, it is the business users that will be impacted by the implementation of cybersecurity solutions on a daily basis, especially in a decentralised workplace, “so we all need to work together to strike the right balance of cybersecurity and usability”.

The concept of improving security together resonated with Muller’s role, allowing the extended team to bridge silos and improve relationships so security management could be interoperable across the physical, personnel and cyber domains, reflecting how threats operate. Muller also notes the importance of empowering people to understand that no one has a ‘neutral’ impact on security. “Anyone’s actions can uplift or degrade security,” she says.

Cybersecurity has become a hybrid team sport where extended teams with shared objectives, whose members develop strong relationships and communication skills, will be the winners, and ultimately will improve security together.

www.linkedin.com/in/steve-schupp-605457
SIMON CARABETTA

THE EDUCATION QUESTION
by Simon Carabetta, Project Coordinator at ES2

We in the cybersecurity industry often hear about the skills and experience gap in Australia. I wrote about this recently, in the last issue of Women in Security. We are all well aware there is a mountain of work to be done to close this gap and futureproof our sector. Some good solutions have been proposed and a number of programs to address the skills gap have already been launched. However, there is one skills gap many of us simply do not mention and do not understand how to address. That is the skills gap in our primary and secondary education sectors.

Between 2006 and 2019 I was a high school teacher in WA’s public education sector and took a break to spend several years in the Middle East teaching at an international school. Current, former and aspiring educators reading this would know teaching to be a rewarding career, but an extremely taxing one. There is not sufficient time to teach, develop lesson plans, mark papers, communicate with parents, attend mandated weekly meetings, attend department meetings, moderate papers, attend professional development sessions and mark more papers. So perhaps we can forgive the majority of teachers for giving no consideration to the security implications of the technology they and their students use, or to embedding awareness of that security into the curriculum.

It would be amazing to see schools place the same emphasis on cyber security as they do on cyber safety. As a former teacher I can certainly understand that emphasis and how it links to the overarching values of digital citizenship and student wellbeing. However, we find ourselves in 2022 in an increasingly volatile, uncertain and, dare I say, interesting world. Young people deserve to understand why the security of their personal data matters, and they also deserve to learn the skills to make that security effective.

Fortunately, there is a simple and effective way in which cybersecurity can be embedded in schools, and it comes down to following this roadmap:

1. Provide teacher and school administration education and development in cybersecurity. BUT make it simple, clear and fun.

2. Develop partnerships between state education sectors, TAFEs and universities to provide teachers with scholarships to gain cybersecurity qualifications. BUT pay them on the job and get the Cert IV into schools.

3. Introduce cybersecurity into the primary and secondary school curriculums across Australia. BUT embed the knowledge and skills in all learning areas, do not constrain it to a standalone subject introduced in year 11 or year 12.

4. State and territory governments should invest in cybersecurity education liaison officers to speak with schools and students about careers in cybersecurity. Alternatively, the Australian Cyber Security Centre could be proactive and take the lead on this across Australia through its joint centres.

5. Create partnerships between government, the private sector and TAFEs/universities to create meaningful traineeship programs for students studying cybersecurity that will increase their skillsets, give them real-world experience and make them job ready.

Implementing the five points in this roadmap will be a long term project and will take several years. It would involve a massive number of stakeholders from multiple sectors and extensive consultation. However, it is entirely doable and, more importantly, is vital for the future of the cybersecurity sector in Australia.

Having had the privilege of working alongside many talented and passionate teachers during my education career, I can honestly say the majority of our nation’s educators would certainly embrace developing their knowledge and skills in cybersecurity. We already have quite a number here in WA who demonstrate a consistent passion for innovation and ICT in the classroom and a desire to focus on cybersecurity. I am proud to say I know them and have worked with them in various ways over the past few years. I would certainly like to see more quality educators in WA and elsewhere in Australia embrace cybersecurity and accept it as part of the learning and growing their students experience each day in their classrooms.

www.linkedin.com/in/simoncarabetta
MELANIE NINOVIC

BECOMING A MUM: A GUIDE FOR FIRST-TIME WORKING PARENTS
by Melanie Ninovic, Senior Consultant at ParaFlare

Choosing to have kids and establishing, or sustaining, a career is no easy feat. More shocking, to my surprise, is that this journey is hardly ever spoken about.

Unfortunately, I felt I had few people to turn to in the cybersecurity industry for help. I tried to do my own research but there was barely anything out there to prepare me, as an expectant working mother, for what was to come.

Thus, I thought I’d write about my experience in the hope of helping other men and women wanting to start a family. This will serve as a guide on what to look out for and what you need to consider when you are planning to start a family, or you already have a child in your care.

Disclaimer: Because I lived in Australia throughout this experience, the information provided is based on Australian laws and regulations. I am neither a lawyer nor an accountant, so please talk to a professional.

I also acknowledge I have been very lucky throughout this journey. I know others will not have the same straightforward path to motherhood as I did (in terms of pregnancy, financial situation, both parents working from home and a very supportive and helpful husband).

Starting a family is one of the most exciting times of your life, but there are a few factors you need to consider before embarking on this journey. Here is a list to help guide you from pre-pregnancy to maternity leave.

PRE-PREGNANCY

Private health insurance
If you choose to give birth at a private hospital you must have private health insurance. With most providers there is a 12 month waiting period for pregnancy claims. This means you need to have been covered by private health insurance for a full year before you give birth.

Secondly, your cover does not include obstetrician costs. My fees were around the $3500 mark, but I’ve heard from others that these can be up to $10k. This is a fee you will need to include in your financial planning.

Government paid parental leave
As of writing (July 2022), the Parental Leave Pay scheme provides a minimum wage payment for up to 18 weeks if you are the primary caregiver. This is about $812 a week. However, you will only be eligible for this payment if your earnings are below a certain threshold in the year before you lodge the claim, or have your child (whichever comes earliest). Note: this might change with the recently elected Labor Government. Additionally, Services Australia also provides childcare subsidies, which you might want to consider.

Employer maternity/parental leave policy
Be sure to check your company policy for maternity leave and what you are entitled to. Some employers include a length of employment threshold for paid maternity leave. Similarly, paternity/parental leave policies may also include a clause that allows the father to take leave only if the mother is back at work, and the father becomes the primary caregiver. Also ask your manager or HR department whether your pay will include superannuation. It is common for this not to be included and is the reason women on average have less superannuation when they retire.

PREGNANCY

Scheduling
If you are planning to give birth at a private hospital your pregnancy will be full of appointments: for obstetrics, scans, blood tests, hospital tours and more. For this reason, I told my manager about my pregnancy quite early on, and I was fortunate to have had a positive working relationship with my manager. If you do not expect early notification of your pregnancy to be an issue I would recommend doing the same. You can then:

• Plan ahead, juggling all your appointments and a busy work schedule.
• Give yourself and your employer ample time to hand over your work to others in your team, finish important projects, and work to a deadline.
• Deal with unexpected symptoms or sickness, and with the challenges of pregnancy.

On that note, listen to your body and do not overexert yourself. Manage your symptoms and if you feel able, communicate these to your manager so you can adjust your workload accordingly.

Planning ahead
There are so many things to do before having a baby. From the nursery, car seats and sleeping arrangements to cleaning and baby-proofing the house; the list seems endless. I started doing all these things three to four months into my pregnancy, because:

• Most harsh symptoms subside at this stage.
• You do not know how busy your work schedule will become later in your pregnancy.
• You could give birth early.

Key tip: baby stores frequently have sales. Wait until there is a sale to buy everything, and always compare prices between stores.

Lastly, if you are planning to breastfeed, sign up to an online course or do some research. The hospital will go through breastfeeding with you but by that point, having just delivered a baby, you will be in pain and very tired, and overwhelmed by emotions. It is best to learn different feeding techniques and strategies beforehand, and I highly recommend buying a lanolin product such as Lansinoh to put in your go-to-hospital bag.

You will be flooded with advice from a thousand nurses, midwives, consultants, paediatricians and, of course, your family on how to feed and take care of your newborn. This really frustrated me and took a toll on my mental health. At the end of the day I went with what I thought was right for me and my child and I have not looked back.

MATERNITY LEAVE

1. Everyone focuses on how challenging pregnancy and giving birth can be, but for me the hardest part was what came afterwards. Whilst you are still recovering from a huge procedure you need to learn how to feed and take care of your newborn. The first few weeks will be tough. It is quite normal to feel overwhelmed, exhausted, confused and lonely. Look at joining a mothers group so you can share and learn from others.

2. Ask for help. If you have family close by, ask if they can cook meals, help you clean the house, or just mind your newborn so you can go take a shower and have time to yourself. It is so important to carve out time for yourself, to recover, and to feel a sense of yourself.

3. It is quite normal to think “will I lose all my skills whilst on leave?” or “how will I keep up with an industry that is so fast moving?” The way I kept up to date was by listening to a weekly podcast (thanks Risky Business) whilst taking my child for a walk, or during feeds, and reading online newsletters (thisweekin4n6 and SANS NewsBites).

4. Another way is to use your ‘keeping in touch’ days. Some organisations designate a set number of days during maternity leave for an employee to return to work and catch up with all that has happened whilst they have been away. These days can either be spread throughout the maternity leave or taken in a block: something to discuss with your employer.

Childcare
Childcare centres across Sydney tend to have long wait times, anywhere from 12 months to two years. Whilst on maternity leave, or even beforehand, call two or three centres that you like and ask to be put on their waiting list. You can use the Australian Children’s Education and Care Quality Authority’s (ACECQA’s) register to find centres meeting or exceeding national quality standards.

DISCRIMINATION

Whilst I have been quite lucky in my journey through pregnancy and motherhood thus far, discrimination is unfortunately a very common part of a working woman’s life around the world. Redundancies, pay cuts, lost promotions and inflexible working arrangements are frequent consequences for women who announce their pregnancy to their employer, or after they become mothers, despite it being illegal to discriminate against a woman because she is pregnant.

It is important to know your rights before becoming pregnant in case you do face discrimination in the workplace. Here are some resources:

• Australian Human Rights Commission
• Fair Work Ombudsman
• Raising Children

One issue for the cybersecurity industry is the need for more opportunities for remote participation in conferences and training programs. I echo and stand by Sherri Davidoff’s thoughts. We must do more to allow remote speaking and viewing options for all mothers, in particular by supporting family attendance at such events. Women are losing out on speaking and training opportunities because they must care for their child or because of the costs of participating on site.

I would be happy to speak to anyone undertaking or planning this journey. If you have any questions, please reach out.

www.linkedin.com/in/melanie-cybers
Women in Security Mentoring Program
AWSN is pleased to launch the 2022 Australian Women in Security Network Mentoring Program. Looking for ways to give back? We need you. Learn more at awsn.org.au/initiatives/mentoring/
NICOLLE EMBRA
Cyber Safety Expert, The Cyber Safety Tech Mum

COLUMN

Should you take your teen’s device as punishment?

Confiscation of a teen’s device as punishment is a touchy subject I have put off writing about for some time. It’s been on my topic list, but as a parent of two teens, I keep mulling it over and continually reminding myself that all teens are different and all parents have different parenting beliefs and methods.

When the subject of consequences came up during a recent presentation about the different ways parents should get involved in a child’s digital life, I took it as a sign that now is the right time to share what I know.

In my writing I often make distinctions between two age groups: preschool to end of primary school, and high school. In this article, I want to make it clear I am referring specifically to high school age children.

I am going to share five points about why I think you need to reconsider removing a teen’s device as a form of punishment.

1. Think back to how you socialised when you were in high school. You met up after school, made phone calls, attended sporting events, parties and weekend get-togethers, etc. Now consider how teens socialise today. They use their phones or similar devices. They use social media platforms, online game chats, etc. My point is that teens today do not socialise as we did, and we need to recognise this.

2. Our teens experience an upbringing entirely different from that of their parents. We spent time in the streets playing with the neighbourhood children. Our children, on the other hand, have, at some point, been given a device. This might have happened when they were quite small and we needed a moment’s peace in which to produce dinner. Internet enabled devices are part of our teens’ lives. They game on them. They create videos on them. They read on them. They create digital art. They communicate with others. They shop and they do their banking on them.

3. At times we parents become frustrated with our teens’ use of their devices. We have all been there. We ask our teen to do something and they continue to use their device. We come back later to see if the job is done, only to find them still on their device. Stop and think. Did we set guidelines and boundaries for using their device when we gave it to them? Did we discuss, and reach agreement on, how they should respond if required to help when they were on their device? We need to take some responsibility for how they are using their devices if we have not discussed usage and not modelled the response we expect in such situations.

4. Dopamine. This feel good chemical is released in their brains when our teens are using their devices. Developers of devices, apps and games want users to stay on their devices and platforms for as long as possible. All are designed to trigger the release of dopamine hits to keep users engaged. We need to recognise this as one of the reasons our teens find it difficult to put their devices down. They are looking for the next feel good moment.

5. Parents need to discuss consequences and include these in their family technology contract. My best advice is to try and use natural consequences. For example, if it was your teen’s turn to put away everything in the dishwasher and they did not do so, then they should be required to do this job for the rest of the week. If it was agreed they could use their device for two hours per day but they have used it for 2.5 hours, then their daily screen time should drop to 1.5 hours for the next week.

Using your teen’s ‘currency’ is also an option when it comes to punishment. If they love going to their local cafe on a Saturday morning, then perhaps the punishment is that they are barred from going for two weeks. We do not want to remove their social connections and we do not want them to expect us to take their device away at the drop of a hat.

If they believe we will dive in and take away their device for every transgression, I can almost guarantee that when your teen starts getting bullied online, gets in over their head communicating online with a stranger or sees something online that makes them uncomfortable they WON’T be bringing their device or their problem to you because they will expect you to take their device away. That is not what we are aiming for.

I am not sure how to close this article. Maybe you completely and utterly disagree with me. I just hope you consider these five points before using device removal as the sole punishment for your teen’s transgressions.

www.linkedin.com/in/nicolle-embra-804259122
www.linkedin.com/company/the-cyber-safety-tech-mum
www.thetechmum.com
www.facebook.com/TheTechMum
www.pinterest.com.au/thetechmum
COOLEST CAREERS

Organizations are hiring individuals with a unique set of skills and capabilities, and seek those who have the abilities and kn
The coolest careers in cybersecurity are the most in-demand by employers. Which jobs are the coolest and most in-demand

Curricula: Cyber Defense, Digital Forensics, Offensive Operations, Cloud Security

01 THREAT HUNTER
“Digging below what commercial anti-virus systems are able to detect to find embedded threat actors in client environments makes this job special. Shoutout to Malware and Threat Intelligence Analysts who contribute their expertise to make threat hunters more effective against adversaries.” - Ade Muhammed

This expert applies new threat intelligence against existing evidence to identify attackers that have slipped through real-time detection mechanisms. The practice of threat hunting requires several skill sets, including threat intelligence, system and network forensics, and investigative development processes. This role transitions incident response from a purely reactive investigative process to a proactive one, uncovering adversaries or their footprints based on developing intelligence.

Why is this role important? Threat hunters proactively seek evidence of attackers that were not identified by traditional detection methods. Their discoveries often include latent adversaries that have been present for extended periods of time.

Recommended courses: FOR508 GCFA, FOR572 GNFA, FOR578 GCTI, SEC573 GPYC, SEC504 GCIH, SEC541, FOR608, ICS515 GRID, FOR610 GREM, FOR710, ICS612

05 MALWARE ANALYST
“Being a malware analyst provides a great opportunity to pit your reverse engineering skills against the skills of malware authors who often do everything in their power to make the software as confusing as possible.” - Bob Pardee

Malware analysts face attackers’ capabilities head-on, ensuring the fastest and most effective response to and containment of a cyber-attack. You look deep inside malicious software to understand the nature of the threat – how it got in, what flaw it exploited, and what it has done, is trying to do, or has the potential to achieve.

Why is this role important? If you’re given a task to exhaustively characterize the capabilities of a piece of malicious code, you know you’re facing a case of the utmost importance. Properly handling, disassembling, debugging, and analyzing binaries requires specific tools, techniques, and procedures and the knowledge of how to see through the code to its true functions. Reverse engineers possess these precious skills, and can be a tipping point in the favor of the investigators during incident response operations. Whether extracting critical signatures to aid in better detection, or producing threat intelligence to inform colleagues across an industry, malware analysts are an invaluable investigative resource.

Recommended courses: FOR585 GASF, FOR610 GREM

INCIDENT RESPONDER
“Incidents are bound to occur and it is important that we have people with the right skill set to manage and mitigate the loss to the organization from these incidents.” - Anita Ali

This dynamic and fast-paced role involves identifying, mitigating, and eradicating attackers while their operations are still unfolding.

Why is this role important? While preventing breaches is always the ultimate goal, one unwavering information security reality is that we must assume a sufficiently dedicated attacker will eventually be successful. Once it has been determined that a breach has occurred, incident responders are called into action to locate the attackers, minimize their ability to damage the victim, and ultimately remove them from the environment. This role requires quick thinking, solid technical and documentation skills, and the ability to adapt to attacker methodologies. Further, incident responders work as part of a team, with a wide variety of specializations. Ultimately, they must effectively convey their findings to audiences ranging from deep technical to executive management.

CLOUD SECURITY ANALYST
“This role is essential to find and patch vulnerabilities in the cloud environment to ensure that crackers and hackers are unauthorized in cloud environments.” - Ben Yee

The cloud security analyst is responsible for cloud security and day-to-day operations. This role contributes to the design, integration, and testing of tools for security management, recommends configuration improvements, assesses the overall cloud security posture of the organization, and provides technical expertise for organizational decision-making.

Why is this role important? With an unprecedented move from traditional on-premise solutions to the cloud, and a shortage of cloud security experts, this position helps an organization position itself thoughtfully and securely in a multicloud environment necessary for today’s business world.

Recommended courses: SEC488 GCLD, SEC510 GPCS, SEC541, SEC504 GCIH, SEC588 GCPN, FOR508 GCFA
Also listed: SEC401 GSEC, FOR509, SEC460 GEVA, FOR518, FOR585 GASF

10 “It doesn’t become much more versatile than in this role, as oftentimes you’ll be challenged with whatever tasks or projects customers or managers envision, ranging from simple analysis support to introducing new solutions and implementing whole services such as a SOC.” - Harun Kuessner

14 “The intrusion analyst is the guard at the gate and can get great job satisfaction from detecting and stopping network intrusions.” - Chuck Ballard

RED TEAMER
In this role you will be challenged to look at problems and situations from the perspective of an adversary. The focus is on making the Blue Team better by testing and measuring the organization’s detection and response policies, procedures, and technologies. This role includes performing adversary emulation, a type of Red Team exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective similar to those of realistic threats or adversaries. It can also include creating custom implants and C2 frameworks to evade detection.

Why is this role important? This role is important to help answer the common question of “can that attack that brought down company X happen to us?” Red Teamers will have a holistic view of the organization’s preparedness for a real, sophisticated attack by testing the defenders, not just the defenses.

Recommended courses: SEC460 GEVA, SEC504 GCIH, SEC575 GMOB, SEC617 GAWN

APPLICATION PENETRATION TESTER
“It is not only about using existing tools and methods, you must be creative and understand the logic of the application and make guesses about the infrastructure.” - Dan-Mihai Negrea

Application penetration testers probe the security integrity of a company’s applications and defenses by evaluating the attack surface of all in-scope vulnerable web-based services, client-side applications, server-side processes, and more. Mimicking a malicious attacker, app pen testers work to bypass security barriers in order to gain access to sensitive information or enter a company’s internal systems through techniques such as pivoting or lateral movement.

Why is this role important? Web applications are critical for conducting business operations, both internally and externally. These applications often use open source plugins which can put these apps at risk of a security breach.

Recommended courses: SEC504 GCIH, SEC542 GWAPT, SEC554, SEC556, SEC588 GCPN, SEC617 GAWN, SEC642, SEC661, SEC560 GPEN, SEC760, SEC575 GMOB, SEC522 GWEB

18 “Working in this type of industry, I can see how the demand is increasing so rapidly that companies are starting to desperately look for people with proper skillsets.” - Ali Alhajhouj

Also listed: SEC556, SEC660 GXPN, SEC560 GPEN, SEC670, SEC760, SEC565, SEC573 GPYC

06 CISO
“The chief gets to coordinate the plans. The chief gets to know the team, know them well and disperse them appropriately to strategically defend and test org networks and security posture.” - Anastasia Edwards

The CISO leads staff in identifying, developing, implementing, and maintaining processes across the organization to reduce information and information technology risks. CISOs respond to incidents, establish appropriate standards and controls, manage security technologies, and direct the establishment and implementation of policies and procedures. The CISO is also usually responsible for information-related compliance, such as supervising efforts to achieve ISO/IEC 27001 certification for an entity or a part of it. Typically, the CISO’s influence reaches the entire organization.

Why is this role important? The trend is for CISOs to have a strong balance of business acumen and technology knowledge in order to be up to speed on information security issues from a technical standpoint, understand how to implement security planning into the broader business objectives, and be able to build a longer lasting security and risk-based culture to protect the organization.

Recommended courses: MGT514 GSTRT, MGT520, MGT521, SEC388

CYBERSECURITY ANALYST/ENGINEER
As this is one of the highest-paid jobs in the field, the skills required to master the responsibilities involved are advanced. You must be highly competent in threat detection, threat analysis, and threat protection. This is a vital role in preserving the security and integrity of an organization’s data.

Why is this role important? This is a proactive role, creating contingency plans that the company will implement in case of a successful attack. Since cyber attackers are constantly using new tools and strategies, cybersecurity analysts/engineers must stay informed about the tools and techniques out there to mount a strong defense.
Recommended courses SEC401 GSEC
SEC450
SEC501 GCED
SEC503 GCIA
SEC504 GCIH
SEC554
FOR500 GCFE
FOR508 GCFA
FOR572 GNFA
FOR578 GCTI
MGT551 GSOM
FOR585 GASF
SEC540 GCSA
ICS410 GICSP
SEC530 GDSA
FOR608
FOR509
SEC555 GCDA
FOR518
FOR610 GREM
FOR710
ICS456 GCIP
INTRUSION DETECTION/ (SOC) ANALYST
Security Operations Center (SOC) analysts work alongside security engineers and SOC managers to implement prevention, detection, monitoring, and active response. Working closely with incident response teams, a SOC analyst will address security issues when detected, quickly and effectively. With an eye for detail and anomalies, these analysts see things most others miss.
Why is this role important? SOC analysts help organizations have greater speed in identifying attacks and remedying them before they cause more damage. They also help meet regulation requirements that require security monitoring, vulnerability management, or an incident response function.
Recommended courses SEC503 GCIA
FOR508 GCFA
APPLICATION PEN TESTER
SEC554
CHIEF INFORMATION SECURITY OFFICER (CISO)
SEC450
SEC557
Industrial Control Systems
RED TEAMER
MGT512 GSLC
INCIDENT RESPONSE TEAM MEMBER
FOR608
17
“The only way to test a full catalog of defense is to have a full catalog of offense measure its effectiveness. Security scanning is the bare minimum and having Red Team perform various operations from different points will help the organization fix weaknesses where it matters.”
FOR710
FOR308 FOR498 GBFA FOR508 GCFA FOR509 FOR518 FOR572 GNFA FOR578 GCTI FOR585 GASF FOR608 FOR610 GREM FOR710 SEC402 SEC573 GPYC SEC504 GCIH
13
02 - Beeson Cho
FOR518
09
Cybersecurity Leadership
SEC511 GMON
FOR572 GNFA
FOR608
SEC555 GCDA
SEC504 GCIH
MGT551 GSOM
ICS/OT SECURITY ASSESSMENT CONSULTANT
One foot in the exciting world of offensive operations and the other foot in the critical process control environments essential to life. Discover system vulnerabilities and work with asset owners and operators to mitigate discoveries and prevent exploitation from adversaries.
Why is this role important? Security incidents, both intentional and accidental in nature, that affect OT (primarily in ICS systems) can be considered to be high-impact but low-frequency (HILF); they don’t happen often, but when they do the cost to the business can be considerable.
Recommended courses ICS410 GICSP
ICS418
SEC560 GPEN
SEC575 GMOB
ICS456 GCIP
ICS515 GRID
SEC617 GAWN
ICS612
I N CYB E R
nowledge to fulfill many new job roles in the cybersecurity industry. d? We know; let us show you the hottest cybersecurity jobs for 2022. Purple Team
03 “Forensics is about diving deep into any system and device and locating the problem so as to develop a solution.” - Patricia M “Data doesn’t lie, and the digital forensic analyst looks at the data to convey the stories that they tell.”
SEC460 GEVA
AsiaPacific@sans.org AUSTRALIA INDIA JAPAN SINGAPORE
GIAC Certification with course
DIGITAL FORENSIC ANALYST
This expert applies digital forensic skills to a plethora of media that encompass an investigation. The practice of being a digital forensic examiner requires several skill sets, including evidence collection, computer, smartphone, cloud, and network forensics, and an investigative mindset. These experts analyze compromised systems or digital media involved in an investigation that can be used to determine what really happened. Digital media contain footprints that physical forensic data and the crime scene may not include.
Why is this role important? You are the sleuth in the world of cybersecurity, searching computers, smartphones, cloud data, and networks for evidence in the wake of an incident/crime. The opportunity to learn never stops. Technology is always advancing, as is your career.
Recommended courses FOR308
FOR498 GBFA
FOR500 GCFE
FOR518
FOR572 GNFA
FOR585 GASF
FOR508 GCFA
FOR509
04 “The combination of red team blue team operations is very interesting and you get to see both sides. I have been on a Purple Team for a while now and it has driven a lot of positive change for us.” - Andrew R
FOR608
07 “In this day and age, we need guys that are good at defense and understand how to harden systems.” - David O
BLUE TEAMER – ALL-AROUND DEFENDER
This job, which may have varying titles depending on the organization, is often characterized by the breadth of tasks and knowledge required. The all-around defender and Blue Teamer is the person who may be a primary security contact for a small organization, and must deal with engineering and architecture, incident triage and response, security tool administration and more.
Why is this role important? This job role is highly important as it often shows up in small to mid-size organizations that do not have budget for a full-fledged security team with dedicated roles for each function. The all-around defender isn’t necessarily an official job title as it is the scope of the defense work such defenders may do - a little bit of everything for everyone.
Recommended courses SEC450
SEC503 GCIA
SEC555 GCDA
11 “Being an OSINT investigator allows me to extract information in unique and clever ways and I am never bored. One day I’m working on a fraud investigation and the next I’m trying to locate a missing person. This job always tests my capabilities, stretches my critical thinking skills, and lets me feel like I’m making a difference.”
SEC573 GPYC
SEC511 GMON
“This role allows me to use my previous experience to influence proper security behaviors, effectively improving our company’s defenses. And the rapidly evolving nature of threats means my job is never boring.” - Sue DeRosier
19 “From my point of view it is a highly demanded position by companies which need to offer flexible, agile and secure solutions to their clients’ developers.” - Antonio Esmoris
In this fairly recent job position, you have a keen understanding of both how cybersecurity defenses (“Blue Team”) work and how adversaries operate (“Red Team”). During your day-today activities, you will organize and automate emulation of adversary techniques, highlight possible new log sources and use cases that help increase the detection coverage of the SOC, and propose security controls to improve resilience against the techniques. You will also work to help coordinate effective communication between traditional defensive and offensive roles.
Why is this role important? Help blue and red understand one another better! Blue Teams have traditionally been talking about security controls, log sources, use cases, etc. On the other side Red Teams traditionally talk about payloads, exploits, implants, etc. Help bridge the gap by ensuring red and blue are speaking a common language and can work together to improve the overall cybersecurity posture of the organization!
Recommended courses SEC599 GDAT
SEC699
SEC573 GPYC
SEC504 GCIH
SEC598
SEC660 GXPN
SEC760
SECURITY ARCHITECT & ENGINEER
Design, implement, and tune an effective combination of network-centric and data-centric controls to balance prevention, detection, and response. Security architects and engineers are capable of looking at an enterprise defense holistically and building security at every layer. They can balance business and technical requirements along with various security policies and procedures to implement defensible security architectures.
Why is this role important? A security architect and engineer is a versatile Blue Teamer and cyber defender who possesses an arsenal of skills to protect an organization’s critical data, from the endpoint to the cloud, across networks and applications.
Recommended courses SEC503 GCIA
SEC505 GCWN
SEC511 GMON
SEC530 GDSA
SEC554
SEC586
These resourceful professionals gather requirements from their customers and then, using open sources and mostly resources on the internet, collect data relevant to their investigation. They may research domains and IP addresses, businesses, people, issues, financial transactions, and other targets in their work. Their goals are to gather, analyze, and report their objective findings to their clients so that the clients might gain insight on a topic or issue prior to acting.
Why is this role important? There is a massive amount of data that is accessible on the internet. The issue that many people have is that they do not understand how best to discover and harvest this data. OSINT investigators have the skills and resources to discover and obtain data from sources around the world. They support people in other areas of cybersecurity, intelligence, military, and business. They are the finders of things and the knowers of secrets.
Recommended courses SEC587
“A security architect needs to understand work flows, networks, business requirements, project plans and sometimes even budget restraints. A very diversified role!”
SEC530 GDSA
OSINT INVESTIGATOR/ANALYST
SEC487 GOSI
08 - Chris Bodill
SEC505 GCWN
FOR578 GCTI
12 “A technical director must have strong cybersecurity knowledge, a strategic view of the organization’s infrastructure and what’s to come, and communication skills. These things are hard to get, and I would imagine this job to be very challenging, no matter the organization size or business.”
TECHNICAL DIRECTOR
This expert defines the technological strategies in conjunction with development teams, assesses risk, establishes standards and procedures to measure progress, and participates in the creation and development of a strong team.
Why is this role important? With a wide range of technologies in use that require more time and knowledge to manage, a global shortage of cybersecurity talent, an unprecedented migration to cloud, and legal and regulatory compliance often increasing and complicating the matter more, a technical director plays a key role in successful operations of an organization.
Recommended courses MGT516
MGT551 GSOM
SEC557
SEC566 GCCC
SEC388
- Francisco Lugo
- Rebecca Ford
15
PURPLE TEAMER
SEC670
- Anthony Wo
+61 2 6174 4581 +91 974 1900 324 +81 3 3242 6276 +65 6983 1088
SECURITY AWARENESS OFFICER
Security Awareness Officers work alongside their security team to identify their organization’s top human risks and the behaviors that manage those risks. They are then responsible for developing and managing a continous program to effectively train and communicate with the workforce to exhibit those secure behaviors. Highly mature programs not only impact workforce behavior but also create a strong security culture.
Why is this role important? People have become the top drivers of incidents and breaches today, and yet the problem is that most organizations still approach security from a purely technical perspective. Your role will be key in enabling your organization to bridge that gap and address the human side also. Arguably one of the most important and fastest growing fields in cyber security today.
Recommended courses MGT415
MGT433 SSAP
MGT512 GSLC
MGT521
DEVSECOPS ENGINEER
As a DevSecOps engineer, you develop automated security capabilities leveraging best of breed tools and processes to inject security into the DevOps pipeline. This includes leadership in key DevSecOps areas such as vulnerability management, monitoring and logging, security operations, security testing, and application security.
Why is this role important? DevSecOps is a natural and necessary response to the bottleneck effect of older security models on the modern continuous delivery pipeline. The goal is to bridge traditional gaps between IT and security while ensuring fast, safe delivery of applications and business functionality.
Recommended courses SEC510 GPCS
SEC522 GWEB
SEC534
SEC540 GCSA
16 “I think researchers will play a crucial role in years to come. They will be able to identify and help us prepare for the vulnerability before it is exploited by the hacker so instead of responding to incidents we will then be able to proactively prepare ourselves for the future issues.”
VULNERABILITY RESEARCHER & EXPLOIT DEVELOPER
In this role, you will work to find 0-days (unknown vulnerabilities) in a wide range of applications and devices used by organizations and consumers. Find vulnerabilities before the adversaries!
Why is this role important?
Researchers are constantly finding vulnerabilities in popular products and applications ranging from Internet of Things (IoT) devices to commercial applications and network devices. Even medical devices such as insulin pumps and pacemakers are targets. If we don’t have the expertise to research and find these types of vulnerabilities before the adversaries, the consequences can be grave.
Recommended courses SEC660 GXPN
SEC661
SEC670
SEC760
- Anita Ali
20 “This is like solving a puzzle or investigating a crime. There is an exciting element to the unknown and the technical complexity of countermeasures. The sensitivity of content and potential to get real evidence on something is exciting.” - Chris Brown
MEDIA EXPLOITATION ANALYST This expert applies digital forensic skills to a plethora of media that encompasses an investigation. If investigating computer crime excites you, and you want to make a career of recovering file systems that have been hacked, damaged or used in a crime, this may be the path for you. In this position, you will assist in the forensic examinations of computers and media from a variety of sources, in view of developing forensically sound evidence.
Why is this role important? You are often the first responder or the first to touch the evidence involved in a criminal act. Common cases involve terrorism, counter-intelligence, law enforcement and insider threat. You are the person relied upon to conduct media exploitation from acquisition to final report and are an integral part of the investigation.
Recommended courses FOR308
FOR498 GBFA
FOR572 GNFA
FOR500 GCFE
FOR585 GASF
FOR608
FOR508 GCFA
FOR518
CAREER PERSPECTIVES

HOW DO WE ATTRACT WOMEN INTO CYBERSECURITY, AND RETAIN THEM?
by Michelle Gatsi, Cyber Security Consultant at EY; Kavika Singhal, Cyber Security Consultant at EY; Jay Hira, Director of Cyber Transformation at EY; Emily Goodman, Cyber Security Consultant at EY; Shinesa Cambric, Principal Product Manager, Microsoft Intelligent Protections - Emerging Identity at Microsoft

INTRODUCTION
Michelle Gatsi

As the daughter of an automotive technician I grew up around a lot of cars. From kindergarten through to grade three my father would pick me up from school and take me back to his workshop where I would often watch him fix cars (from a safe distance of course) until it was time for us to go home. Virtually all my toys at home were model cars. My fascination with these cars was not with driving them but with understanding what made them move; I would deconstruct out of curiosity. Typically, the same behaviours in young boys would be praised and perhaps even followed with remarks along the lines of “He is going to be an engineer one day, or a scientist.”

At the time, my interests were not widely considered the ‘stereotypical feminine interests’. You may remember the television commercials for the iconic Hot Wheels Racetrack: they were typically directed at boys, whilst the Barbie and My Little Pony commercials were directed towards young girls. I sometimes wonder, had I received the same push to consider a STEM-based career as a young boy showing the same interests as I, would I have entered the cybersecurity industry sooner than I did?

I got together with some friends in the tech industry—Kavika Singhal, Jay Hira, Emily Goodman and Shinesa Cambric—to ask some questions and discuss the issues around attracting women into the cybersecurity industry and retaining them.
Question 1: WHAT DO YOU THINK IS THE GENERAL PERCEPTION OF CYBERSECURITY AND WHAT CAN WE, AS AN INDUSTRY, DO TO IMPROVE IT?

Kavika’s answer: I’m sure many people would imagine a dark room with a hooded person behind a computer, wearing glasses and typing rapidly. Perhaps lines of code scroll down the screen. Is this really cybersecurity?

The predominant discussions in the cyber industry today include the skills shortage. In 2021 Cybercrime Magazine predicted 3.5 million job vacancies by 2025: evidence of this growing concern.

The career choices of our young people could contribute significantly to closing this gap; hence their choices demand our close attention. An individual’s perception of their chosen field is ranked as one of the most important factors determining their choice. Other important factors are their assessment of job stability and their belief that people in their chosen industry will have similar personality traits and interests. Entertainment, news and media often shape the perceptions held by young people today, and influence visualisation of their future selves.

To change the daunting stereotypical image of cybersecurity, we industry representatives need to lead by creating a more realistic image of cybersecurity. Perhaps we could volunteer with foundational STEM institutes that cater to high schoolers and university students or produce interesting content about our cybersecurity journeys by writing or blogging. Company websites and job recruitment agencies should have clear representations of the diverse industry we work in. Images of women and men from diverse cultural backgrounds should be the face of advertising. These are some small steps that could make huge changes to the perceptions of cybersecurity in our society.

Question 2: DO YOU THINK A LACK OF FEMALE INTEREST IN STEM-BASED COURSES IS ONE OF THE REASONS WOMEN ARE UNDERREPRESENTED IN CYBERSECURITY? HOW DO WE INCREASE CHILDREN’S INTEREST IN STEM?

Jay’s answer: I do not necessarily agree with the premise of the question that there is a lack of female interest in STEM. I believe women have always been a part of STEM, but light has not often been shone on them. Most people, myself included, did not learn about the brilliant female problem solvers who were the brightest mathematicians of their generation, and integral to NASA’s space race, until we watched the movie Hidden Figures.

Lack of interest in STEM-based courses may come from adult suggestions (parents and teachers). Boys often get pushed towards maths and science subjects while girls are encouraged to take arts and humanities.

STEM can be made fun for all children. Let’s take the simplest daily cooking routine - we can make it educational and fun by explaining how water evaporates when boiled and turns into ice when exposed to lower temperatures. I firmly believe STEM education needs to be promoted differently. Rather than being seen only as a pathway to high-paying careers, it needs to be seen as teaching valuable skills and core competencies that children need to acquire. STEM allows you to experiment and evaluate information objectively, which positively impacts how our children and future leaders view and navigate the world.
Question 3: HOW DO WE LOWER TRADITIONAL BARRIERS AND ATTRACT LATERAL THINKERS WITH DIVERSE EXPERIENCES TO WORK IN CYBERSECURITY?

Emily’s answer: It is now more important than ever to lower traditional employment barriers and bring more women—and more people with diverse experiences—into cybersecurity and keep them there. Traditionally cyber roles have required specific qualifications, industry experience and technical skills. An applicant needs all these to be successful, but missing from this traditional list of cyber requirements are other factors that contribute to success: an individual’s driving passion; the motivation to learn new skills; and the innovativeness that comes from having diverse experiences.

It is common for women to have less confidence in their job role abilities than their male counterparts. This lack of confidence could stem from self-criticism, imposter syndrome or from taking time away from a job to have a personal life. It is important for leaders and executives to embrace inclusivity, and to focus especially on getting women into the cybersecurity industry. Encouraging mentorship, showing recognition and appreciation and building a collaborative work culture are crucial steps needed to achieve these goals. Women wishing to make a career move laterally into the cyber industry should be able to seek advice from other professionals and receive correct information on how they can progress their careers. Workplaces need to provide benefits such as maternity leave, pathways for education and opportunities for career fulfillment.

The most important initiative is to strongly advocate for the women who are helping to shape the future of the cyber industry.

Question 4: WHAT WOULD YOU SAY ARE THE ESSENTIAL SKILLS NEEDED TO HAVE A SUCCESSFUL CAREER OR BUILD SUCCESSFUL COLLABORATION WITHIN CYBER? HOW MIGHT THE ESSENTIAL SKILLS REQUIRED CHANGE OVER THE COURSE OF A WOMAN’S CAREER IN CYBER?

Shinesa’s answer: Beyond getting women into cybersecurity, we need to support and equip women in ways that will keep them there. In 2020 it was estimated that women accounted for only 20 percent of the cybersecurity workforce. With the ever-increasing costs of cybercrime there can be a financial impact on businesses that fail to develop a strong and sustained pipeline for women to enter and stay in cybersecurity careers. Women are poorly represented in some cybersecurity career stages. This can discourage other women from striving for a successful, progressive career, not realising some of the essential skills will change over the course of their career.

One of the most important skills a woman can develop and use throughout her career is a sense of empathy. Empathy can be a strong driver when it comes to identifying and solving problems and determining which solutions may work better than others. Having empathy also supports the ability to build relationships and diverse social networks, which are critically important foundations of a sustainable career.

In addition to empathy, it is important for a woman to stretch herself, raise her hand for opportunities and be flexible in charting her career path. Having a bias towards action and accepting growth opportunities will help propel a woman to the next stage of her career, whether that be as an individual contributor or in a management role. This will enable her to build credibility and confidence as she takes on new challenges. Then, as a woman continues to progress to the next stage of her career, it will be important she advocates for, and reaches back to, those coming up behind her and presents as an example of the leader she wishes to see. Finally, by being visible and celebrating success, both she and the women around her can further encourage other women to enter and stay in the cyber field so the pipeline continues to grow and the cycle continues.

CONCLUSION
Michelle Gatsi

SO, HOW CAN WE AS AN INDUSTRY ATTRACT AND RETAIN WOMEN IN CYBERSECURITY?
What is apparent to me, based on the different perspectives and insights provided above, and my own personal experiences, is that we as an industry have some work to do. There is no simple solution to this question because there are multiple issues in all industry sectors that we must address. We need to work together as an industry to build on its expansion and diversity, because diverse perspectives produce quality outcomes.

www.linkedin.com/in/michellegatsi
www.linkedin.com/in/kavika-singhal
www.linkedin.com/in/jayhira
www.linkedin.com/in/emily-goodman-b9a023144
www.linkedin.com/in/shinesa-cambric-cissp-ccspcisa®-0480685

NEW TO 2023: THE WOMEN IN SECURITY AWARDS ALUMNI SERIES. Watch this space.
RICHARD EDGE
RELATIONSHIPS: ESSENTIAL FOR CAREER SUCCESS by Richard Edge, CEO at Careerships
INTRODUCTION
you a considerable advantage over others who do not
A career is a part of our lives which often defines
take the time to invest in their relationships.
us. It is, therefore, no surprise our relationships with our work colleagues play a significant role in our
In this article, I aim to share the tricks that will help
progression, achievement and self-esteem.
you be seen and remembered. I’ll suggest steps you can take to perform these tricks. And I’ll show
The connections formed and built throughout our
you how technology can help us better understand
working lives shape how we view our industries,
one another.
communication skills, goals and aspirations, whether those relationships were good or bad.
Let’s get to it!
My experience as a human resources specialist,
FOUR TRICKS AND STEPS TO IMPROVE YOUR CAREER RELATIONSHIPS
director, consultant and personal career coach has enabled me to meet a great number of people with exciting minds who have offered many thought-
1. The key to career and relationships: be nice!
provoking assessments of how we work best in
You would think this to be common sense, but many
groups and as individuals.
people still have a cutthroat approach to careers and business. Here’s something to think about: the world
One thing has always rung true: the importance of
is a small place, and it’s getting smaller. How does
relationships in our working lives. Relationships are at
that small world see you?
the core of our personalities. People often forget this truth, whether they are C-suite executives or mid-level
The world of tech is one of the most interconnected
employees, or are just starting their career paths.
business communities on the planet. It is filled with the brightest minds, working across a global
68
Understanding the significance of how you approach
platform, interacting and connecting. Cultural
those you encounter throughout your career can give
and geographical boundaries are crossed in most
W O M E N I N S E C U R I T Y M A G A Z I N E
S E P T E M B E R • O C T O B E R 2022
C A R E E R
P E R S P E C T I V E S
industries and companies. This means there is much to consider regarding your interactions with others. Your reputation is built upon how you treat people, not just on the work you deliver. You want to be remembered for how you helped someone when they did not know what to do, rather than how you berated them in frustration. You want to be revered as a thought leader, not a curiosity squasher. You want to be the person people can say made them enjoy the work they did, made them feel inspired and feel heard. Humility is vital in what we do and how we approach our relationships. No matter what stage you are at in your career you always have something to learn, even from people you may consider less experienced than yourself. Being the best at what you do will not get you half as far as being the best at helping and understanding those around you. of myself. They were asked to send back honest, Employers look to bring in people who are exceptional
anonymous feedback so I could collate the data
communicators, who can work well in a team, take
and get an accurate view of how I present to those
direction, and nurture their relationships. These soft
I interact with.
skills are integral to good leadership. Organisations value people others can get behind and trust.
This was hugely beneficial. An exercise like this can help you think more positively about your abilities,
We are all human and everyone wants a fulfilling
adjust your mindset and achieve your goals.
career. But colleagues can determine whether people feel fulfilled in their work or are miserable and want to
leave. Be the reason people stay. Be nice.

2. Personal brand – Do you know who you are and what people think of you?

We often think we know what others think of us, but do we really know? Our perception of self is biased. It is based on what we already know about ourselves, the projections and assumptions we place on others, and how we want to be seen rather than how we are seen.

I have used an outreach survey sent to one hundred people in my network to test others’ perception.

Below are three actions you can take to help build your brand.

Vision board
You can write or draw this in a notebook or create a physical board with imagery. Platforms like Pinterest, Mural and Canva are great tools for collating ideas. Outline where you are and where you are going.

Do you know what you represent?
Pick ten people and imagine how you make them feel and how they perceive you. Picking three words you think they would use to describe you is an excellent starting point.

Appreciative enquiry
The best way to discover how someone feels about you is to ask! Let them answer anonymously. You can use survey tools online that enable people to send feedback without revealing their identities. This means you will get an authentic response you can work with. Compare the results. If you see a problem, you can adapt. This change could be as simple as adjusting the way you introduce yourself so you create a more significant impression. For example, instead of saying, “Hi, I’m Kate. I work in Operations,” you could say, “Hi, I’m Kate. I’m the person who always gives three solutions to a problem.” It stands out, it’s different and it makes you memorable.

3. Market research, research, research…

Market research is a tool we all have but not all realise the power of. Once you understand yourself and your brand, you can identify your opportunities. Research can be your friend.

LinkedIn is without doubt the tool anyone looking to develop their brand, career or business should use. You can connect with your target network anywhere on the planet. If you want to know what people in your field are earning or what roles are potentially open to you, use LinkedIn.

You can use manual research to assess tone, style, history and trajectory and see how you align. Doing this allows you to grow your network in relevant areas, build a community or land that dream role.

Do your homework – three steps
1. Pick ten companies of interest on LinkedIn.
2. Connect with ten people in those companies.
3. Tell them why they interest you and what you can offer, and that you would love to have a chat.

You never know what you will learn from them, or the opportunities you may find.

4. AI in relationships: a strategic advantage and tips that get you seen

To round off this article let’s look to the future and see how we are progressing. Technology is evolving rapidly and bringing us together in ways we could never have imagined.

The LinkedIn algorithm is a prime example. Want to know a secret? Applicants with the most connections working at the company they are applying to join will be boosted to the top of the pile. It pays to build insightful relationships with your potential future colleagues.

LinkedIn loves you using LinkedIn. So, use it as much as possible. Write articles, share insightful information about what you do, add a personal touch to your content and develop your authentic voice to build your brand, engage and connect with your audience.

And did you know that it’s now possible to run psychometrics via AI? This leading-edge technology is helping people better understand themselves, those they work with, the kind of individual they aspire to be and those they may be interviewed by.

CURIOUS ABOUT YOUR PSYCHOMETRICS?
Get in touch to get a free report on your psychometric profile and start growing your network and relationships today!
www.linkedin.com/in/richardjkedge
www.linkedin.com/company/careerships
instagram.com/careerships
twitter.com/careershipsltd
www.careerships.com
2023 AUSTRALIAN WOMEN IN SECURITY AWARDS – 12TH OCTOBER. DON’T MISS OUT
CAREER PERSPECTIVES

MICHELLE RIBEIRO

EVERY VOICE DESERVES TO BE HEARD
by Michelle Ribeiro, Cyber and Information Security Content Director, APAC

Companies around the world are investing billions of dollars to prevent and minimise cyber risks. Australia’s spending in cybersecurity is expected to hit $7.6 billion by 2024, according to an AustCyber report.

Cybercriminals are putting organisations under immense pressure with their high-level, sophisticated practices. Their activities are increasingly impacting businesses’ daily operations, limiting organisations’ ability to grow and critically affecting the lives of their clients and end users—us.

As we recognise the importance of cybersecurity awareness, most of us feel the urge to do something that will help protect the companies we work for, the people we love the most, the countries we live in and the communities we belong to. However, even experienced security practitioners are often unclear about how to achieve this objective.

Attending business conferences, gathering with peers and like-minded people and sharing intelligence are crucial to strengthening our collective cyber resilience posture, preventing threats and minimising risks of attacks and breaches.

But, despite the countless events and initiatives available for cybersecurity practitioners to share knowledge and collaborate, the low number of women talking about their practices and experiences is distressing.

On the one hand, there is a lack of diversity and inclusion in the workplace to support women seeking to improve their professional performance and advance their careers in cybersecurity. On the other hand, many women lack the confidence to speak up about their achievements.

Speaking at cybersecurity conferences is an incredibly effective way for women in cybersecurity to support the industry while raising their profile and advancing their careers. However, one of the biggest objections event organisers face when approaching female executives to speak at conferences is the women’s insecurity and fear of not meeting the audience’s expectations. It is hard to believe, but most of these women are doing amazing jobs in their cybersecurity roles and delivering outstanding results for their organisations. Often, they have been referred to event organisers by their peers and the community.

So, how can you recognise your successes and trust yourself to get up and speak? Whether you are a senior leader with considerable experience speaking at conferences locally and globally, a first-time speaker or someone who is just starting to consider speaking, there are many things you can do to help women share and celebrate their professional achievements.

For first-time speakers or those just starting to think about speaking, a great way to begin is by listing the career achievements you are most proud of. How did it all start? What did you do? How was your journey? What challenges did you have to overcome? What did you learn, and what would you recommend to others who are in the same position as you were?

It is important for women to embrace new challenges and understand they do not need to be a CISO or an executive manager at one of Australia’s Top 500 companies to do something meaningful that will support their community and drive change.

Everyone loves an inspiring presentation. In fact, the best business conferences are those offering a balance of strategic and technical sessions combined with inspirational presentations from both senior leaders and rising stars. If you have achieved something you are proud of, rest assured you have a good story to share that will inspire someone.

If you are a senior leader you can help uplift the women in your team by empowering, inspiring and supporting them. When you receive an invitation to speak you can ask the organisers if they have sessions for first-time speakers and rising stars, and if so, recommend someone from your team. You can also work in collaboration with your organisation’s internal communications and training teams to offer public speaking and media training for interested members of your team.

There are many initiatives to support women who want to embrace the challenge of public speaking. The Australian Women in Security Network (AWSN) and the New Zealand Network for Women in Security (NZNWS) are networks that provide valuable membership benefits. They organise and run inspiring events that could be great starting points for anyone looking for speaking opportunities. They also offer many opportunities for women to advance their careers.

Another great network to join and collaborate with is the WomenSpeakCyber LinkedIn group, run by Louisa Partridge and Louisa Vogelenzang. The Australian Information Security Association (AISA) also offers support for first-time speakers. You can join them and submit a paper for presentation at one of their conferences. Commercial event organisers are constantly on the lookout for inspiring speakers. On their websites you can register your interest in speaking.

The most important thing is to recognise your own successes and achievements because there are many people interested in hearing what you have to say. Be proud of that! Share your successes with others. Be courageous: you will inspire other amazing women to do the same. Take one step at a time and keep going. This is how we improve security together and drive change.

“The secret of getting ahead is getting started.” - Mark Twain

www.linkedin.com/in/michelle-r656e6
JOB BOARD

DEPUTY CHIEF INFORMATION SECURITY OFFICER (CISO) | PwC SYDNEY
EXECUTIVE
AUSTRALIA
FULL TIME
BUSINESS CONSULTING AND SERVICES

AS THE DEPUTY CISO IN OUR NIS TEAM YOUR IMPACT WILL BE SEEN BY:
• Demonstrating extensive knowledge of, and/or proven record of success in, firm priorities, Network Information Security concepts, principles and standards and their application in a large enterprise environment, preferably for a global network of professional services firms.
• Demonstrating thought leader-level knowledge and/or a proven record of success directing efforts in driving execution of strategic priorities.
• Proven, refined abilities and success in identifying and addressing leadership and stakeholder needs to overcome challenges and gain a positive result.
• Extensive experience in stakeholder management, including influencing others through leadership interactions across a broad structure to build and maintain relationships across a network to effectively deliver security activities.
• Extensive abilities, and/or proven record of success, supporting and/or coordinating Information Security Governance to decrease repeat findings and issues, and make other process efficiency improvements.

ABOUT YOU
• 10 year(s) progressive professional roles involving information security and/or IT management. Bachelor degree preferred.
• Also, it is crucial in this leadership role to have proven people management experience to provide coaching and development for others to maximise their potential.
• You will have a proven record of managing multi-function relationships throughout major transformation and collaborating with multiple stakeholders across functional and technical skillsets to identify, build and maintain security capabilities or controls.
• You’re collaborative and enjoy working in an innovative environment. You’re a problem solver by nature and want to join a firm that values the kind of people who reimagine the possible for their clients and stakeholders. Most importantly, you act with integrity and show care for the people you work with.

APPLY NOW
SECURITY ADVISOR - P-8 POSEIDON | BOEING DEFENCE AUSTRALIA
SECURITY SERVICES (TRADES & SERVICES)
ADELAIDE
FULL TIME
ANNUAL BONUS
BENEFITS

We are presently seeking a talented Security Advisor to support the P-8 Poseidon for the security of people, information, property and operations based at RAAF Base Edinburgh.

RESPONSIBILITIES:
• Consult, advise and apply Government security standards, including but not limited to the Protective Security Policy Framework (PSPF), the Defence Security Principles Framework (DSPF), the Defence Industry Security Program (DISP) and the Information Security Manual (ISM).
• Execute internal security controls through performance of compliance assessment reviews and self-inspections to ensure compliance with Government and company regulations and requirements.
• Provide internal subject matter expertise on Australian Government IT & protective security accreditation requirements and how to interpret and implement policy.
• Collaborate with Enterprise specialists, project managers and S&FP team members on the development and maintenance of Personnel Security, Information Security, Physical Security, and Governance.
• Identify deficiencies, develop and implement corrective actions.

BENEFITS
• Flexible working options
• Study assistance
• Salary packaging
• Employee Incentive Program
• Global opportunities

If you are ready to join an innovative industry leader and would like to register your interest in working for Boeing, please click Apply Now.

APPLY NOW
SECURITY ADVISOR - MQ28A GHOST BAT | BOEING DEFENCE AUSTRALIA
SECURITY SERVICES (TRADES & SERVICES)
BRISBANE
FULL TIME
BENEFITS
ANNUAL BONUS

We are presently seeking a talented Security Advisor to support the MQ28A Ghost Bat for the security of people, information, property and operations based at Brisbane.

RESPONSIBILITIES:
• Collaborate with Enterprise specialists, project managers and S&FP team members on the development and maintenance of Personnel Security, Information Security, Physical Security, and Governance.
• Conduct Communication Security (COMSEC) duties and responsibilities (including inventory, distribution and destruction), in compliance with Government regulations/requirements.
• Lead and perform Personnel Security to assist in obtaining individual security clearances/accesses for customer requirements.
• Assist in the implementation of a security awareness training and education program to educate, refresh and motivate personnel to protect people, property and information.
• Empower a culture of safety, security and compliance across the business.

BENEFITS
• Flexible working options
• Study assistance
• Salary packaging
• Employee Incentive Program
• Global opportunities

If you are ready to join an innovative industry leader and would like to register your interest in working for Boeing, please click Apply Now.

APPLY NOW
SENIOR SECURITY ANALYST | REA GROUP MELBOURNE
AUSTRALIA
FULL TIME
GREAT BENEFITS PACKAGE

If you are looking to work alongside some of the brightest and best in the industry – read on! The Security Operations (aka “Defence Against the Dark Arts”) team is expanding! Do you love investigating suspicious process trees? Do you dream about finding C2 beacons in network logs? Do you want to work in the most diverse*, happiest* and least stressed* incident response team in Australia? Applications are open now, so get in quick and come see why we’re a great place to work.

THE SENIOR SECURITY ANALYST SUPPORTS THE GROUP SECURITY TEAM IN THE FOLLOWING WAYS:
• Lead the adoption of security threat management capabilities throughout REA.
• Monitoring emerging security threats, providing recommendations and direction to management.
• Analysing and investigating security events, through monitoring of the REA environment.
• Drive continuous improvement of security detection and incident response processes by providing technical security leadership.
• Contribution to automations that reduce alert fatigue whilst maintaining effective escalation of true positives.
• Mentoring and development of junior security analysts to support their growth.
• Participating in internal and external security forums, working group activities to promote security concepts.

WE OFFER:
• A flexible working environment, meaning we strike the balance of what you need and what works for the business (and yes, our leaders fully understand the benefits of working flexibly)
• A hybrid approach to the future of work – https://rea.to/hybrid-working
• Generous and flexible parental leave offering for primary and secondary carers
• Summer Fridays – time back to focus on your wellness every Friday afternoon from December through to March
• Support for your mental and physical health and wellbeing via our ‘You Matter’ Program
• Because We Care program which includes volunteer leave and community grants, to ensure you have the opportunity to give back to your community
• Hack Days so you can bring your big ideas to life in a supportive learning environment
• An additional day of leave just for your birthday

APPLY NOW
TECHNICAL LEARNING DESIGNER | DATA SECURITY INSTITUTE
ANY LOCATION
PART TIME

Do you have technical skills and the ability to build cyber security training labs? DSI is seeking a range of people who can create lab-based training focused on areas including Penetration Testing, Threat Intelligence, DFIR and SOC. This is a casual role working with leading educational designers to create the next generation of cyber security training.

WHAT’S IN IT FOR YOU?
• Influence future cyber security training
• Use your creative and technical skills
• Work with leading educational designers
• Make use of your spare time, get paid, and build out your CV

Please direct enquiries to Nigel.phair@gmail.com

APPLY NOW
CYBER SECURITY & TECHNOLOGY RISK MANAGER | FOODSTUFFS CHRISTCHURCH
ON-SITE
CANTERBURY
NEW ZEALAND
FULL TIME

ABOUT THE ROLE:
• This newly created role, reporting to our newly appointed Chief Digital Officer, will work together with our leaders to ensure the future state of the Digital and IT team will enable us to deliver on our strategic outcomes.
• This role will provide the vision and leadership to proactively manage cyber and technology risk and build technology resilience in FSSI, by delivering a comprehensive management framework.
• You will lead and own the development and delivery of Cyber Strategy, Business Continuity and Resilience Strategy, in collaboration with the CDO, ensuring alignment with the wider business strategy.

THE KEY FOCUS OF THIS ROLE INCLUDES:
• Strategic, technical and functional leadership for Cyber Security and Technology Risk
• Subject Matter Expertise and thought leadership to develop cyber security, technology risk, and data protection.
• Evaluate the existing data protection framework and identify areas of noncompliance to rectify any issues
• Promote a culture of data protection compliance across all business divisions
• Develop, implement and promote fit for purpose policies, standards and guidelines.
• A strong emphasis on continuous improvement in the operational space.

WHAT YOU’LL BRING
As a Senior Leader, you will bring significant experience in developing and delivering cyber security and technology risk outcomes. You will have a proven record in driving and leading change, effectively able to lead and develop high performing teams and demonstrate solid business acumen. Along with your extensive project management capability, you will have excellent analytical and problem-solving skills.

WHAT WE OFFER
• Competitive remuneration package including a company vehicle
• Medical Insurance for you and your family after a qualifying period
• Excellent work environment
• A really good on-site cafe

If this sounds like the opportunity you have been waiting for please apply online now including a CV and Covering Letter. If you have any questions about this role or would like a copy of the position description, please contact our recruitment team on centralrecruitment@foodstuffs-si.co.nz

APPLY NOW
TECHNICAL ACCOUNT MANAGER - SYDNEY | FORTINET AUSTRALIA
FULL TIME
REMOTE

ROLE OVERVIEW: As a member of the Technical Account Support Team, you will use your deep understanding of network/security architectures and general knowledge about the current trends in the market to help promote product quality, while providing best in class solutions. You will work with research and development groups, sales teams and regional support teams in a fast paced environment.

For this position, you have to demonstrate experience in participating in the post-sales support escalation processes, which includes pre-sales experience, as well as strong customer facing skills, particularly in the telco and large enterprise space.

This position requires strong oral and written communication skills. Oral communication skills include the ability to speak clearly and persuasively, to listen carefully to ensure full understanding of the situation, and to respond well to questions when dealing with both positive and negative situations. This position also requires the ability to write clearly to provide full information as well as to understand and interpret written information. This role can be based in Canberra, Sydney or Melbourne.

RESPONSIBILITIES
• Primary point of contact for the dedicated account.
• Reproduction of customer environments on lab equipment.
• Provide technical solutions to address customer issues.
• Centrally manage and prioritize customer issues to assure timely resolution.
• Follow-up with R&D departments to resolve product issues.
• Responsible for tracking, maintaining and resolving incident reports and customer support requests.
• Creation of technical documentation and bulletins to improve internal and external knowledge base.
• Update and provide guidance on new releases and features to dedicated accounts.
• Develop best practice deployment and troubleshooting methodology documentation.
• Conduct periodic site visits for the managed accounts.
• Exercise independent judgment in methods, techniques and evaluation criteria for obtaining results.
• Provide both technical and customer relationship handling mentorship to junior Technical Account Managers.
• Lead initiatives that contribute to the success of the Advanced Services team and the company.

APPLY NOW
POSTDOCTORAL RESEARCH FELLOW (CYBER SECURITY) | THE UNIVERSITY OF QLD
FULL TIME
ACADEMIC LEVEL A
FIXED TERM POSITION FOR UP TO 12 MONTHS

ABOUT THIS OPPORTUNITY: This is an exciting opportunity for a Postdoctoral Research Fellow to focus their efforts on developing their expertise and emerging research profile in their discipline. At this level it is expected that the incumbent will contribute to service and engagement roles and activities. This position will engage in postgraduate and honours thesis supervision, and support contract work and grant application development, industry research collaborations and other activities associated with the School of Information Technology and Electrical Engineering (ITEE) and UQ Cyber Security.

Working with leading researchers from UQ Cyber Security and CSIRO’s Data61, the Postdoctoral Research Fellow will gain access to state-of-the-art industrial control systems equipment through Data61’s facilities, UQ Energy Testlab, and specific domain expertise through collaboration with healthcare and energy research groups at ITEE.

WHAT WE CAN OFFER
This is a Full Time, 100% FTE Fixed Term position through to 30 September 2023 at Academic Level A.

The full-time equivalent base salary will be in the range $87,006.34 - $96,530.67 plus super of up to 17%. The total FTE package will be in the range $101,797.42 - $112,940.91 per annum.

The following flexible employment options may be available for this role: Part time/job share; some working from home; variable start or finish times; compressed hours; purchased leave; flex-time. To discuss this role please contact Prof Ryan Ko (ryan.ko@uq.edu.au).

APPLY NOW
DANIELLE ROSENFELD-LOVELL

TRANSPOSING CONSUMER PARTNERSHIP FROM THE BEDSIDE TO THE CLIENT MEETING
by Danielle Rosenfeld-Lovell, Consultant Security Testing and Assurance at CyberCX

Long before the idea of a career in information security or technology occurred to me, I trained to be a nurse. I knew that the better informed I was, the safer and more effective would be the standard of care I could provide. So I took to intensely studying anatomy, pathophysiology and pharmacology.

I thought my understanding of diagnoses and of how various drugs should be used for best effect would be the most valuable things I could offer. So, when I began to practice, it came as something of a surprise to me that much of my time at work was consumed by learning the context of the patient and their family.

I started to routinely grapple with questions such as “What sort of social support does the patient have?” “Will my patient reasonably be able to commit to the treatment we are suggesting when they go home?” and “Am I speaking using words that my patient understands?” Increasingly, these questions became less speculation and more an essential part of the job if I wanted to deliver effective healthcare. Consideration of people’s preferences, needs, culture and the context of their lives underpins the philosophy of patient/family-centred care in nursing.

So, I would like to share a few lessons learnt from the bedside that I think could be usefully adapted to consulting with stakeholders, especially our clients.

LESSON 1: THE FINE AND FINICKY ART OF ESTABLISHING RAPPORT QUICKLY

Very early in my nursing career I realised spending a little time at the beginning of each shift getting to know my patients and their family could contribute substantially to making the shift go more smoothly. Committing time to creating a meaningful relationship with patients (or consumers) can be challenging when you have a backlog of tasks to plough through. Nonetheless, I found it took very little time to ask a couple of questions about things I could observe in the room when I first introduced myself, like a favourite toy or a book a patient or family member was reading.

Depending on the situation, I might ask whether anything notable had happened that day (people find amazing ways to manage the boredom of being in hospital!) Whatever topic I chose, demonstrating genuine curiosity and buy-in, even if I had only a few minutes, could go a long way to establishing good rapport.

In a security context, making the effort to get to know a little more about a client and their business puts you in a much stronger position to work effectively with that client. Being curious might also give you access to important clues that can enable you to deliver more tailored and valuable security services.

LESSON 2: MAKING SURE EVERYONE IS ON THE SAME PAGE

A notable aspect of providing clinical care is that consumers might have an understanding of an intervention that is inconsistent with the clinician’s intent. For example, a patient might think I am giving them an antibiotic when I am, in fact, introducing a small amount of saline into their vein through a drip to make sure the drip can be used safely. If I am not explicit about what I am doing and do not provide an opportunity for questions and information-sharing, trust and consumer engagement with treatment can suffer.

In cybersecurity, you might assume that clients and stakeholders know why a security assessment of some kind is underway, but if you neglect to verify their goals you introduce the risk of delivering services that do not meet client expectations. Any seasoned professional working in a complex and dynamic field will know there is tremendous variation in individuals’ literacy in a specialist domain. For cyber security professionals, we recognise that this extends to the immense differences in the maturity of the security posture of organisations we provide services to. Probing questions such as, “What’s your understanding of this issue?” or “What are you hoping to get out of this?” can help you get an accurate understanding of the client’s needs. You are then much more likely to identify any knowledge gaps that might be making communication more challenging.

LESSON 3: MANAGING EXPECTATIONS

The term “managing expectations” has been done to death in corporate settings, but for good reason. Providing people with crucial information about what to expect and when to expect it can help them maintain a sense of control and limit the need for follow-up questions that could have been addressed at the outset. At the bedside this will often mean making a plan in direct discussion with the patient or their family which enables them to make choices such as when to see visitors or when to go for a short walk, if they are well enough.

In the information security context, managing expectations is more likely to mean giving an indicative timeframe for the delivery of a report, or establishing an agreed frequency for the delivery of progress reports on a project. In both situations, frontloading some of these discussions into your initial interactions with a client can save everyone time and avoid uncertainty.

PARTING THOUGHTS

While there are as many approaches to client-facing roles as people in them, I feel strongly there are some valuable takeaways from the healthcare industry that could be applied to information security consulting roles. Hopefully I have offered one or two ideas that might be useful for you. Finally, a crucial thing I took from my early career experience is that the people we serve stand to be our greatest allies, helping us produce something that has real merit. We are better off working together.

www.linkedin.com/in/danielle-rosenfeld-lovell
SHINTA BENILDA
ENTERING THE CYBER WORLD AT A MORE MATURE AGE by Shinta Benilda, Cyber Systems Administrator at Services Australia “Uh? Are you sure? Can you do it?” Those were the
They were very supportive of my decision to switch
spontaneous comments from my younger siblings
professions. “Good on you. It’s a good decision,”
in Indonesia when they first heard about my plan to
they said.
switch professions. To be honest, the differing reactions from my family “The challenge in the IT and cybersecurity fields is to
members in Indonesia and Australia also played a
keep up with skills that are updated every day,” I had
part in my decision. On the one hand I was interested
told them. “For me, who loves learning new things,
and excited to try a new career. On the other hand,
this challenge is very interesting. There is absolutely
I had my doubts. I was an Asian woman in her 40s
no time to feel bored because I am always busy
who had never worked in a technical field. I had a
learning new knowledge.”
bachelor’s degree in economic management and a master’s degree in Asian studies, but was I capable of
It was 2019 and I had made up my mind to leave my
making a career in IT or cybersecurity?
old profession as an Indonesian language teacher and pursue a new career in IT and cybersecurity.
Fortunately I took an optimistic view. I have now been working in the penetration testing team in a large
My siblings sounded shocked and sceptical. I did
government agency for almost a year. It’s something
not blame them. It was a natural reaction. I had been
I could never have imagined, but I’m enjoying
teaching Indonesian as a second language for more than twenty years, two years in my home country Indonesia, four years in Singapore and 15 years in Australia. So, when I announced plans to embark on a completely different career, my younger siblings’ comments were inevitable.

In contrast, the reactions of my husband, relatives and friends in Australia were 180 degrees different.

every day.

There were several reasons for my decision to switch professions. First, I read an article from a cybersecurity organisation saying, by 2026, Australia would need almost 17,000 more cybersecurity workers, and there would be a huge discrepancy between positions and people to fill them.

This information opened my eyes and instantly sparked the idea of trying a new profession. I had been working for many years, but I still wanted to work for another 15 to 20 years. This article portended a bright future for cybersecurity. Many opportunities and avenues could open up if I chose to pursue a cybersecurity career.

The second reason I switched professions was the belief I could find work in any state in Australia. As an Indonesian language teacher my job was very location-bound. Most language teaching opportunities are in Canberra, which has a diplomatic academy. In other states the opportunities are very limited: many Indonesian language programs at universities have been closed. In contrast, jobs in IT and cybersecurity are not location-bound. If one day I decide to move interstate, there will be job opportunities.

In addition, although I loved and enjoyed teaching Indonesian, I felt my career had reached a plateau and I could not progress further. I had taught in various places: universities, private companies and government institutions, and taught individuals, including diplomats, ambassadors, senators and the governor-general of Australia. There was nothing further I could, or wanted to, achieve. Therefore, switching professions to cybersecurity with its many opportunities was the best choice for me.

YOU CAN TEACH AN OLD DOG NEW TRICKS

My first step to realising my new dream was to take Cert IV in Cybersecurity, followed by Cert IV in IT. Having spent decades in a non-technical field, learning IT was certainly not easy. But I was patient and enthusiastic, and sometimes frustrated. Moreover, I had difficulty understanding programming languages. I remember spending hours in front of the computer writing code for assignments, but my program still would not run. I was completely stuck, not knowing what else to do. When my husband—an IT guy with a knack for programming—came home, he only needed two minutes to fix my code errors.

This further lowered my confidence. Was I cut out for this new field? Fortunately, my husband then said something that restored my confidence. “Not all IT people should be able to program because not all of them are programmers.” It was a simple sentence, but it lightened my heart. I became determined to do my best in my studies.

Of course, the real test came after I finished my Cert IV. I applied to several places, and I got interviews but never managed to get a job because, apparently, for even an ‘entry-level’ job, you need to have one to two years’ experience in IT and at least an NV1 security clearance from the Department of Defence. When I finally got a call for an interview and test at my current organisation, I was thrilled. But my excitement faded as soon as I discovered my hacking skills would be tested.

What? Hacking? Oh, boy.
To be honest, I did not immediately say yes to this opportunity. I consulted with my husband and mentor. They were united in supporting me to take the test. “Just go. See what happens. At worst, you’ll get rejected.”

THE TEST OF MY LIFE

The hacking test at my current organisation was a landmark event I will never forget. The three interviewers I met did not ask much. They just handed me a blank laptop with a simple command. “Go ahead. You can go crazy. You can break it.”

Facing that pitch-black screen, I did not know what to do. As the minutes passed, I finally got up the courage to ask the examiners nicely. To my surprise, they were willing to answer my questions. They gave me little hints that allowed me to move forward step by step until I finally completed the test. I did not expect to pass. So when a large government agency called and offered me a job, I could hardly believe it. What made them choose me? My husband thinks the examiners may have seen a lot of test-takers who gave up after two or three minutes. Or perhaps many test-takers were too proud to ask for help. So, in addition to testing ability, the examiners may also have been looking for persistence and the humility to ask questions when encountering obstacles.

I have been working in my current organisation as a cyber system administrator for a little over a year. I am in the penetration testing team. I am enjoying my new profession, but, as with any job, there are pluses and minuses. On the plus side, there are many training opportunities available, so my knowledge and skills have increased rapidly in a short period. For example, I was sponsored to take the SANS 401 course.

Meanwhile, the challenge of working in cybersecurity is to maintain required skills that are changing daily. I love learning new things, so this challenge is welcome. There is absolutely no time to feel bored because I am always busy acquiring new knowledge.

BREAKING DOWN EXTERNAL AND INTERNAL BIASES

Something else I initially perceived as a challenge was the large age difference between myself and my colleagues. I had to work with colleagues almost half my age. I thought, am I too old to be a newbie in this field?

But as it turned out, starting a new career at a mature age has its advantages. Despite being older, a lot of work was delegated to me because I understood the meaning of responsibility. I always try to complete every task, not leave it half done. I do not rush out of the office to hang out with friends. Compared to millennials or Gen-Zers, I also have a longer attention span, which makes me more focused in long meetings.

Another big challenge is countering biased views of me as an Asian woman. Some people believe Asian women working abroad usually work ‘only’ as masseuses, domestic helpers or cleaners. And I still lack confidence. I am a woman and an immigrant in this country. Will I be fully accepted? Am I capable of doing this job? Can I be as smart as other people? Am I smart enough?

These are the biases I must deal with and slowly try to erode. But the longer I work, the more I understand what needs to be done. The more I understand, the more confident and assertive I become in the workplace. I believe my decision to switch professions was the right one and will pay off handsomely in the future.
www.linkedin.com/in/shintabenilda
INDUSTRY PERSPECTIVES
CAN SCHOOLS STOP YOUNG STUDENTS FROM DISMISSING CYBER CAREERS? by David Braue
Imposter syndrome starts early, and so should advocacy of cyber careers.
Cybersecurity industry advocates long ago recognised that resolving the chronic skills pipeline would require early engagement with students but anecdotal evidence increasingly suggests that, by working together, schools and cybersecurity experts can successfully steer students into cybersecurity by enlightening them about the many possibilities it offers.

Andrea Szeiler-Zengo, the global CISO for Swedish outsourcing firm Transcom, realised the significant potential of student outreach. In 2014 she co-founded Hungary’s first-ever Women in IT Security (WITSEC) association with a mission to improve representation and opportunities for women in the cybersecurity space.

Now a board member of the Hungarian Chapters of ISACA and cybersecurity organisation (ISC)2, Szeiler-Zengo remembers going to industry conferences that invited attendees to bring their wives and children along.

“We decided it was time to start something,” she said, and WITSEC was born.

In a country where the women-in-cyber movement was still in its infancy, the group grew steadily on the back of a growing roster of speaking engagements, first in Hungary then, eventually, in other countries. An annual conference increased visibility further as did ongoing visits to schools and engagement with students.

“We’re just talking about what we’ve achieved and what newcomers can achieve,” she explained, noting that the group has a mentorship program “and we get results.”
After observing there were no girls in her son’s technically focused class and just 10 girls in the entire school, Szeiler-Zengo arranged for WITSEC to speak at outreach events for new students in grades seven and eight who were just starting to form concrete ideas of the career paths they would eventually take. “Two years later, 29 girls started there to study,” Szeiler-Zengo said. “We showed them that it’s visible, and that we can reach the sky even when we are women. We have the same, or maybe even more capabilities in the cyber field and it is a rainbow, with lots of directions they can go. I just let them understand what their future can be.”
BE THE FUTURE YOU WANT TO CREATE

Whereas the industry initially deferred to universities as the primary sources of formal cybersecurity education, growing attention on school-aged students has reinforced the value of earlier intervention that paints cybersecurity as a real career option.

YouthInsight’s most recent Youth in STEM survey of Australian young people highlighted some of the challenges that await those trying to engage young people around cybersecurity and other STEM-related subjects. Sixty-eight percent of girls, for example, said they were not really interested in STEM subjects and 74 percent said the subjects were not related to the career they wanted.

Girls were more self-critical, with 48 percent saying they were not very good at maths and 47 percent saying they were not very good at science. Some 53 percent said STEM subjects were “too hard for me” while, disappointingly, 41 percent said they did not see themselves as smart enough to pursue a STEM-related career.

The proportion of boys expressing interest in an engineering, computing or IT-related job was three times larger than that of girls, while boys were twice as likely to express interest in being data analysts or mathematicians. The only area where girls were more interested in STEM-related careers was science, suggesting science jobs have achieved stronger brand recognition than cybersecurity and IT jobs.

Those figures suggest that imposter syndrome—the all-too-common belief that women cannot build careers in cybersecurity because they are not smart or capable enough—is already well developed in adolescence.
However, digging into the YouthInsight numbers reveals that the window of opportunity may be more open when girls are much younger. Although 40 percent of 14 to 17-year-old girls said they were not smart enough to do STEM subjects, just 12 percent of 12 and 13-year-olds said the same. Fifty-five percent of 12 and 13-year-old boys said they were not smart enough for STEM subjects.

Something, it is clear, is happening to the self-esteem of young people as they become teenagers and it is making boys more confident while making girls less so.

If school programs can maintain the confidence 12-year-old girls seem to have in abundance, they could arrest the dive in interest that has plagued efforts to improve cybersecurity’s gender diversity.

“A lot of the focus needs to be in primary school, rather than waiting until higher years for students to make that decision,” noted Toni Falusi, the ACT project officer for Adelaide University’s Computer Science Education Research (CSER) program and president of the Information Technology Educators Association ACT.

“It’s too late by then,” she continued. “We need to capture them early and encourage and inspire them in those early primary school years to develop capabilities and soft skills.

“While they are good consumers, do they understand the nuts and bolts of how it works? Make it part of their life growing up, and I think that will help them to become cybersecurity and cyber aware.”

ALL TOGETHER NOW

A growing roster of school programs has proved successful in engaging those students who have recognised their intrinsic interest in cyber and STEM-related fields and who understand the field is about much more than sitting hunched over a glowing screen.

School-based cybersecurity events such as hackathons and capture-the-flag (CTF) competitions have become regular features on the schedules of high schools around the world, sharing calendar space with the likes of the recent Day of AI.

That nationwide US effort, designed by MIT and i2 Learning and recently replicated in Australia, aimed to help students between years three and 12 to appreciate the many ways artificial intelligence (AI) is infiltrating everyday life. Cybersecurity authorities are taking a similar approach with programs like the US Air Force Association’s CyberPatriot, National Cyber League competitions, Hacker Highschool, Schools Cyber Security Challenges and GenCyber summer camps each taking a different approach to engage students with cyber, STEM and other technology-related roles.

However, the challenge with such programs is that they can be self-selecting, catering only to those students who are already interested in such areas. Converting girls from disinterested self-doubters into self-confident learners who are at least willing to consider the merits of cybersecurity will take more time.

Anecdotal evidence suggests the figures in other countries would likely show a similar spread and that increased visibility supported by targeted early intervention is consistent with improved engagement of girls with technical subjects.

Even as the number of cybersecurity-related school programs continues to expand, often backed by universities for whom the programs are a way of improving the skills of their future students, nationally consistent programs are steadily helping scale repeatable cybersecurity initiatives. Such programs are also providing critical mass for industry organisations seeking to turn successful student teaching innovations into forces for widespread industry change.

For example, partnerships between cybersecurity association ISACA and Kenya’s Presidential DigiTalent Programme have helped link students, universities and potential employers.

Input from professional organisations like ISACA has helped provide crucial perspectives about the types of courses available to students, helping them shape their course decisions early in their university degree courses while they can still steer themselves towards cybersecurity if it takes their fancy.

“Most people used to hear about professional opportunities when they were already working,” explained Faith Wawira Nyaga, special programs director with ISACA’s Kenya chapter. “They would look at what courses they could take and maybe their boss needed to promote them or had asked them to have a particular certificate.”

“But if that information is passed on early, it allows someone to plan their career nicely, to be able to see ahead and think about how to get prepared, as a recent graduate or student, to get there.”
HANLIE BOTHA
CYBER BETTER TOGETHER FOR A BETTER TOMORROW

By Hanlie Botha, Cyber Security Leader

I am a proud member of the Cyber leadership team at Woolworths Group and I love our stated purpose: We create better experiences together for a better tomorrow. I love being part of a business where even the smallest actions can form big waves that flow out through our people, through the community and shape the nation.

We’re a business that employs more than 170,000 people, with more than 1,500 stores across Australia and New Zealand, serving more than 29 million customers every week with unwavering dedication.

The cyber threat environment has shifted significantly and remains challenging. Ransomware is soaring and a record number of zero-day vulnerabilities are exploitable in the wild. At the same time the regulatory and legislative bar continues to rise. Woolworths was specifically named as critical infrastructure in the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 which amends the Security of Critical Infrastructure (SOCI) Act 2018.

In 2020 the Woolworths Group cyber team embarked on a new security strategy called Cyber 2.0 to provide an outcome-based retail cyber services capability, with an ambition: Cyber better together for a better tomorrow.

Sir Winston Churchill had these wise words: “However beautiful the strategy, you should occasionally look at the results.”

Having a cyber strategy was awesome, but it was just the beginning of a journey. It’s a roadmap that does not guarantee the traveller will arrive at the desired destination. Executing and implementing a strategy is the hard part: where the rubber hits the road.

That was where my passion for delivery, resilience, organisation skills and focus on results came in real handy. I played a key role in guiding and mobilising the squads around defining and managing key results, running effective quarterly planning sessions, setting up sessions and coaching on agile practices, reporting on progress and ensuring the strategy was implemented. It is only when a strategy is implemented that we close the ambition gap, and only when initiatives are well executed that we shift to the desired security outcomes.

According to Fortune magazine, nine out of ten organisations fail to implement their strategic plans.
Cyber better Together for a better Tomorrow

Valuing that we are better together, with each other in partnership

Constantly innovating, to lead and exceed expectations

Understanding the plans we make and the actions we take are an opportunity to leave a positive impact for the generations to come
I am proud of our success thus far and happy to share how we did it. As with most teams, there was much to do and people were working long hours, especially during the pandemic. We needed to find a way to ensure we focussed on activities that delivered the best outcomes and value. Managing a huge pipeline with limited cyber capacity was challenging. We needed transparency, visibility and the ability to prioritise.

Our implementation success recipe had three basic pillars:

1. Defined goals: Our cyber leadership defines yearly cyber objectives and key results (OKRs) that are directly linked to our strategy. All squads contribute to these OKRs, and their initiatives and day-to-day activities align to them. Our security outcomes are therefore front of mind in everything we do, and every team member has a stake in and responsibility for these goals.

2. Measuring/showcasing: Without tracking progress we can all get side-tracked with daily activities and firefighting. Then, when we look back, we realise how far we have moved away from our plan. To avoid this we manage our work in Jira with initiatives, epics and user stories linked to OKRs to provide visibility of the work we do and the progress we are making towards achieving our goals. Showcasing our good work serves as a motivator. We do that as part of our Agile ceremonies, in cyber leadership meetings and in our cyber tribe meetings.

3. Collaboration: Woolworths Group embarked on a journey towards an Agile way of working. We established 11 squads within our cyber tribe. We have quarterly big room planning sessions where all squads come together and plan their work and collaborate around interdependency between squads. Planning includes strategic work as well as operational work because we have cross functional DevOps squads to improve collaboration. We use Google Workspace in Woolworths Group. It makes working on documents, sheets and decks collaboratively super easy. We also use Jamboards, Lucidchart and Miro which are great collaboration tools, especially in our remote work setup.

Legendary baseball player Babe Ruth once said: “The way a team plays as a whole determines its success. You may have the world’s greatest bunch of individual stars, but if they don’t play together, the club won’t be worth a dime.”

Our cyber team plays together with a clear game plan based on OKRs. Everyone is on the same page, doing their part towards better security outcomes. We have executive commitment and support and the right tools for collaboration. Based on a recent independent review, we are making great progress in implementing our cyber strategy.
ABOUT THE AUTHOR

My career in information technology spans 30 years, working mostly in a predominantly male environment. Despite always getting high performance ratings, I sometimes still suffer from imposter syndrome: believing I am not as competent as others perceive me to be. I would stand back when honours were being given despite having played a pivotal role in the achievements. I do what a lot of women do — put in the hard work, deliver excellent results, but still doubt their ability to take on bigger and better roles. The 2022 federal election was a win for women candidates. The strong “teal independents” women really inspired me. I also realised that more women won seats, because more women than ever contested seats in 2022, rendering true the maxim “you have to be in it to win it”. Like the women in politics, I wanted to be brave and throw my hat into the ring more often. Therefore I took the courage to write this article and tell you how proud I am about playing a leading role in security in Woolworths Group, one of the leading companies in Australia. I appreciate the opportunities Woolworths Group has provided, and especially the opportunity to act as CISO whilst the incumbent was out of office. I will continue to push myself out of my comfort zone and seize opportunities to grow. I encourage all women to do the same because we need more women in cyber to tackle the enormous number of opportunities.
www.linkedin.com/in/hanlie-botha-a84a50
NICOLE STEPHENSEN
TALKING PRIVACY

By Nicole Stephensen, Privacy Maven and Partner at IIS Partners

I read a wonderful book a couple of years ago. It has impacted my work immensely, leading to frank and fearless discussions, moments of clarity around responsible stewardship of data (the personal stuff, the stuff about you and me) and innovative and elegant development of privacy-enhancing features in policy and technology. Yet it has nothing to do with privacy. Nothing and everything, apparently.

I’m talking about The Art of Gathering: How we meet and why it matters by Priya Parker. Her premise is that getting together at a conference, in a boardroom, at a café, over Zoom, over Teams or even with a quick phone call has meaning and can be a powerful experience if we go about such activities the right way.

Just days after finishing the book I had the opportunity to meet Parker at a leadership retreat for privacy professionals and experience firsthand her approach to gathering. Her message was simple but transformative: “We rely too much on routine and the conventions of gatherings when we should focus on distinctiveness and the people involved.”

The nature of my work has changed over the years. There was a time when erroneously sending medical records by fax to the local convenience store instead of the local hospital was an all too frequent privacy breach. Email was not a common form of almost real time communication, and digitisation (of work, life, banking, socialising) was still a twinkle in the eyes of technologists. Fast forward to today and the focus of digitisation has moved beyond communication technologies to managed service provision, governance, the Internet of Things, all things social, insights and trends. All these applications of digital technology have one thing in common: data.

Following the merger of my boutique consultancy, Ground Up Consulting, with privacy consultancy IIS Partners in April 2022 my work continues to focus on the intersection of privacy and technology, where information security considerations are a huge part of the privacy discussion, and where both disciplines need a seat at the table to solve today’s wicked privacy problems. When we meet at that table we get the chance to hear each other and understand we share common purposes: to promote good decision making and prevent harm.

Now, back to that book. I see three opportunities to acknowledge the distinctive nature of the privacy discipline and its significance, straddling as it does information security, data governance and risk in our organisations (and the people at the heart of them all). These opportunities are: to avoid conflating privacy with security; to learn to understand the risk landscape; to use the correct terms for the stuff that matters.

AVOID CONFLATING PRIVACY WITH SECURITY

It is important to answer both the privacy and the security questions that arise from the various technologies, programs, projects and initiatives into which we have professional visibility.

When people representing our cities, companies, not-for-profits, innovators, vendors and platforms start talking ‘data’, I am often brought into these discussions (lamentably, often after a project is already well underway, but I will save the exploration of Privacy by Design for another article). By the time I take my seat at the table, data is likely to be the starting point for the conversation. What do we do with the data? How can we derive value from the data? How can we add more data to the data?

Where the data is about a person or a group of people, my job is to ask, “What about privacy?” This is where it is vital the people being asked the question truly understand the role of a privacy consultant and do not misunderstand the question.

When I ask, “What about privacy?” those at the table often hear “What about security?” The latter is a good question for security folks. How do we protect the data? How do we maintain its confidentiality, integrity and availability? But I am not asking those questions.

I am not asking about processes or controls or about building a big fence, physical or digital, around what we want to protect (ie, the data or the systems and other infrastructure underpinning it). I am asking about purpose specification (what do we want from the data?), necessity (do we need all the data?) and proportionality (does the benefit of having and using the data outweigh the privacy risk?).

I am asking how we intend to collect and manage personal information, the kind of data I am most concerned about, in accordance with the law and with community expectations.

When we conflate privacy with security two things can happen: we end up focusing on securing the data, as if it and the infrastructure underpinning it are what we most need to protect or worry about; we lose sight of our primary objective, the fair and transparent handling of personal information pertaining to the community we serve.
LEARN TO UNDERSTAND THE RISK LANDSCAPE

Organisational risks include (but certainly are not limited to) poor information practice, compromised integrity of data or systems and non-compliance with the law. These give rise to outcomes such as regulatory scrutiny, penalties, cancelled contracts and brand damage. The lens through which organisational risks are viewed by many security professionals is often protective and inward-looking: it is focused on avoiding negative outcomes for the organisation.

For privacy professionals, protecting the organisation from harm is a secondary motivator. Our primary aim is the prevention, reduction or elimination of organisational risks that are also privacy risks and where the outcome is harm to a person or group.

For anyone unsure what privacy harm looks like, it is worth checking out Dr Dan Solove’s taxonomy on the topic. This identifies multiple harms across four broad categories: information collection, information processing, information dissemination and invasion (Enterprivacy offers a great high-level visual of this taxonomy).

Privacy risk, when viewed as “something that would cause real or perceived harm to a person,” becomes an outward-looking conversation focused on how organisational decisions impact the community we serve.

USE THE CORRECT TERMS

To be seen as an authority in privacy it is important to use terms that are recognised or defined in law. To do otherwise risks confusing the discussion and losing credibility amongst peers.

Take the term ‘personally identifiable information’ (PII) for example. This term is found in some key infosec frameworks, guidance and best practice documents such as those published by the US National Institute of Standards and Technology (NIST). However, it is not a generally recognised privacy term and is frequently used erroneously.

Security vendors, managed service providers, auditors, recruiters and industry specialists should avoid using the term PII to describe information that identifies, or could lead to identification of, a person. Here in Australia, our Privacy Act 1988 and relevant state and territory privacy laws use the term ‘personal information’. New Zealand, Canada, Japan and China also use this term. Where security professionals are operating in the European Economic Area, Singapore or Brazil, the term ‘personal data’ should be used.

THE NEXT CHAPTER

The preoccupation of organisations and governments with data and privacy awareness across disciplines continues to grow in importance in parallel with increasing digitisation, particularly where there are shared interests, such as information security. Empowering the colleagues with whom we share experiences (and professional obligations) will ensure we are able to meet their expectations in years to come.

I have offered opportunities for vitalising privacy and celebrating its distinctiveness when security and privacy professionals share the table. Perhaps these opportunities can give rise to a larger discussion about how we can learn more from each other, compare dictionaries and refine our techniques for influencing good decision making.

~~~

An earlier version of this column first appeared on 1 January 2020 in a Demystify Cyber guest blog series curated by Amanda-Jane Turner, author of Unmasking the hacker: demystifying cybercrime.

www.linkedin.com/in/nicole-stephensen-privacymaven
NATALIE PEREZ
BAYANIHAN FOR INTERNATIONAL WOMEN’S DAY By Natalie Perez, SheLeadsTech Coordinator of the ISACA Melbourne Chapter Natalie is the SheLeadsTech Coordinator of the ISACA Melbourne Chapter. In this article, she reflects on her experience leading the organising of the International Women’s Day event with other organisations that share the same objectives in their programs, i.e. to increase the representation of women in the technology industry. Natalie, who is a dual Australian-Filipino citizen, fondly connects her experience with a Philippine value known as Bayanihan, where a community or group of people work together for a common goal.
In the Philippines ‘Bayanihan’ means communal unity, people helping each other to achieve a goal without expecting reward. Bayanihan is a centuries old tradition in the Philippines. In earlier days, a common example of Bayanihan was house moving. Houses were ‘nipa’ huts made from light materials such as bamboo and coconut leaves and townspeople gathered to carry a house on their shoulders to move it from one block of land to another. Those people might have been either family members, relatives or neighbours.

A house moving Bayanihan has a leader who provides instructions and leads the way to where the house will be moved whilst community members walk together, sharing the load of carrying and moving the house. A whole house is a heavy load, but the community is in unison and its spirit is strong.

I felt the Filipino spirit of Bayanihan when we planned and ran the full-day International Women’s Day event on 7 March 2022. The event had almost 1500 registered participants, 1300 of whom attended. The virtual sessions also attracted participants from across Australia and elsewhere.

In September 2021, I started to think about programs and events SheLeadsTech Melbourne could offer in 2022 and which organisations we could partner or collaborate with. One of the initiatives that came to mind was International Women’s Day for 2022. Its theme, ‘Break the Bias’, aligned with SheLeadsTech’s purpose, vision and mission.

International Women’s Day is held in March every year. My experience with the 2021 event taught me that early planning is essential, in particular identifying the organisations with which we would like to collaborate to contribute something to the International Women’s Day program.

I identified the Australian Women in Security Network (AWSN) as one of the organisations SheLeadsTech Melbourne would like to work with. SheLeadsTech Melbourne already had the collaborative relationship with AWSN from previous initiatives such as IWD 2021 and Go Girl Go for IT CyberEdition. I also thought of reaching out to ISACA Sydney Chapter’s leads who were part of the 2021 International Women’s Day event which SheLeadsTech Melbourne took part in.

The core working committee with volunteers from SheLeadsTech Melbourne, ISACA Melbourne Chapter and ISACA Sydney Chapter was set up in December

ISACA Melbourne, AWSN, AISA and One in Tech Foundation, which advertised the events.

Collectively, the sessions had approximately 1500 registrations, from Australia and elsewhere. These sessions included topics on the theme Break the Bias: presentations and panel discussions with CISOs, senior leaders, coaches and subject matter experts located in Melbourne, Sydney, Adelaide, Canberra, Auckland and elsewhere. Guidance to better understand and manage biases was provided and inspiration came from authentic and honest conversations with panel members.

So, what was my role in the International Women’s Day event? I took the leadership role and I provided directions on how the event should be planned and organised. Before we started planning and organising this joint International Women’s Day event I had not known or worked with any of the committee
and commenced planning and organisation. With
members, except for Reshma Devi who is diversity
the Omicron strain of COVID being more infectious
director for the ISACA Melbourne Chapter and the
than other strains, and its effects still unknown,
AWSN chapter lead for Melbourne. Most of the
there was no certainty people would return to work
members in the working group committee may have
in the central business district. So the decision was
already known each other from previous initiatives.
taken to run the morning sessions virtually and the
For me, leading the committee whilst knowing only
afternoon sessions hybrid. Each group was assigned
one member was a breakthrough. It enabled me to
two slots and agreed to set extra allocations to have
shake off my belief that I could not lead a group of
at nine sessions. The working committee reached
people I did not know.
out to people championing increased representation of women in the tech workforce and they offered
Should we do this again? My answer is – “Why not?”
books they had authored to be given as presents
Just like the spirit of Bayanihan, organising a full day
to speakers.
event with 10 sessions for International Women’s Day is a huge load and lifting the load required a
The social media tiles and digital programme were
community of several organisations. I would not be
published two weeks before the event, and the
surprised if we came together to do this again when
committee from SheLeadsTech Melbourne, AWSN
the opportunity arises.
and ISACA Sydney posted these across their social media pages and newsletters. The committee was also supported by their respective lead organisations:
I S S U E 10
www.linkedin.com/in/natalie-perez-74298436
WOMEN IN SECURITY MAGAZINE
97
LISA VENTURA
COLLABORATION IN CYBERSECURITY IS THE KEY TO COMBATTING THE GROWING CYBER THREAT: HERE'S WHY
By Lisa Ventura, Founder – Cyber Security Unity

In a post-pandemic world cybersecurity is more important than ever. According to a recent report by Kaspersky, the number of Trojan-PSW (password stealing ware) detections increased by almost a third globally in 2022, to 4,003,323 from 3,029,903 in 2021. In addition, the number of internet attacks grew from 32,500,000 globally in 2021 to almost 35,400,000 in 2022. With cybercrime still growing massively, organisations of all sizes can no longer adopt a head-in-the-sand approach and say they have no need to worry about it.

Many in cybersecurity have an excellent record of collaborating, but the industry remains fragmented and siloed, which can leave organisations vulnerable. These silos often arise because of an outdated, silo-based corporate structure that leaves an organisation vulnerable to data loss and business continuity disruptions.

There are many organisations around the world doing great work to help combat the growing cyber threat, but many remain isolated. As a result, the cybersecurity industry is often unaware of this great work. Greater collaboration between associations and entities in cybersecurity is the key to the industry being stronger and better at combatting cybercrime, but how can this be achieved?

WHY IS COLLABORATION SO POWERFUL IN CYBERSECURITY?
Collaboration with associations and other key stakeholders in cybersecurity globally can reduce the time between the discovery of new threats and the development and implementation of protection measures, enabling organisations to keep up with the ever-evolving threat landscape. Speeding up the delivery of threat intelligence is crucial for building a strong cybersecurity program, and vendors should work on making it as easy as possible to break down the silos between different security disciplines.

There are many cybersecurity associations, councils and other groups around the world, but they tend to work alone and to exclude any perceived outsiders. Usually this is because of a competitive threat. Sometimes it is justifiable for organisations to keep their distance from others. But these important bodies could help combat the growing cyber threat by joining forces and working together.

BARRIERS TO SUCCESSFUL COLLABORATION IN CYBERSECURITY
Historically there have been many barriers to sharing threat intelligence. These can make collaboration difficult to implement at scale. For example, associations may be working on projects they deem strictly confidential, or that include information sensitive from a national security perspective. Vendors might use data formats or APIs that require plug-ins or proprietary tools in their commercial products.

There is often a misguided perception that cybersecurity means a lone person sitting in a darkened room wearing a hoodie and responding to the 'bad guys'. This image is not very appealing to those who are searching for a career focused on people and on being part of a strong team.

The industry also needs to start talking about cybersecurity issues beyond 'ransomware' and 'attackers'. While a focus on these issues is understandable, there are many ways this focus can be expanded to other issues, enabling greater collaboration. The industry must therefore change its siloed perceptions.

COLLABORATING BEYOND BORDERS TO HELP COMBAT THE GROWING CYBER THREAT
Many non-profit organisations have already been established that aim to make cybercrime more difficult and less lucrative, and they already collaborate well on a global scale. Examples include the Cyber Threat Alliance, which takes threat information sharing to a new level in the hope it will lead to greater protection for the public against cyber-attacks. This not-for-profit organisation encourages greater collaboration between cybersecurity organisations by enabling near real-time, high-quality cyber threat information sharing amongst its members, and with the world.

In the UK, associations and organisations such as the Cyber Security Alliance and the National Cyber Security Centre work together to foster greater collaboration. The newly created entity Cyber Security Unity aims to take this to the next level by joining and collaborating with trade associations globally. The ethos of Cyber Security Unity is that associations are stronger together when it comes to combatting the growing cyber threat.

THE ROLE OF GOVERNMENTS IN COLLABORATING WITH ASSOCIATIONS
Governments need to play a major role in achieving greater collaboration, but the industry associations that all operate in, and fully appreciate, the increasingly dangerous cyber threat landscape must take the initiative if real progress on greater collaboration is to be made. The digital world is borderless, and the attacks coming through are having a huge global impact. It may fall to these associations to educate governments on just how serious the cyber threat problem is, and on its potentially catastrophic impact. Once governments start working more closely with industry and treating cyber threats with the seriousness they deserve, they can develop the necessary global infrastructure to foster collaboration. For example, an international communication system could be developed to enable intelligence to be rapidly passed between governments and organisations, in the same way as there are tsunami and terror warning systems. The cyber industry must be at the forefront of such an approach. Communication is key to global collaboration, but caution should be exercised, because there must be a strategy in place. Associations need to join hands with everyone, to communicate effectively between different countries and organisations, and build this together.

FINAL THOUGHTS
Associations in cybersecurity joining up to work in a collaborative fashion would help establish a sounder, more successful and strategic framework for cybersecurity. By making a conscious effort to improve information sharing globally, as well as through government and law enforcement agencies, the world would benefit from gaining intelligence and insights that would help strengthen defences against cybercrime. And that could only be a good thing.

www.linkedin.com/in/lisasventura
twitter.com/cybergeekgirl
www.csu.org.uk
THE WOMEN IN SECURITY AWARDS ALUMNI SERIES 2023
70 Australian Ambassadors representing a breadth of Australian states.
We are bringing you together to expand your networks, gain critical insights into the field, grow professionally, hone your leadership skills and empower the next generation of security experts. The Alumni series will run from March through to June across states. Watch this space.
KAREN STEPHENS
Karen is CEO and co-founder of BCyber, an agile, innovative group that works with SMEs to protect and grow their businesses by demystifying the technical and helping them to identify and address cybersecurity and governance risks. In 2021 Karen graduated from the Tech Ready Woman Academy's Accelerator and the Cyber Leadership Institute's CLP programs.
COLUMN
Improving security together

Another month and another gentle (or maybe not so gentle) push from the government to get our cybersecurity house in order. Since 8 July we have been working under the newly amended Security of Critical Infrastructure Act 2018 (SOCI Act).

This is a great opportunity to move our cybersecurity discussions from the "it's a technology problem" silo into the "let's embed cybersecurity into the broader business risk program" one, and to imagine working as one team to improve our cybersecurity.

Here are a few points to get the conversation started.

DO YOU KNOW IF YOUR BUSINESS HAS NOW BEEN 'CAPTURED' BY THE SOCI ACT?
The definition of what constitutes critical infrastructure has been expanded. The SOCI Act now places obligations on specific entities in the electricity, communications, data storage or processing, financial services and markets, water, healthcare and medical, higher education and research, food and grocery, transport, space technology, and defence sectors.

HAVE YOUR BUSINESS PROCESSES AND PROCEDURES ACROSS ALL DEPARTMENTS BEEN UPDATED TO ENSURE REPORTING OBLIGATIONS CAN BE MET?
Your reforms need to be addressed holistically rather than with the traditional siloed approach. Cybersecurity cuts across all departments: finance, people and culture, sales, marketing, etc.

DOES YOUR BUSINESS KNOW WHERE TO START?
As businesses look to incorporate changes to their risk management programs, a logical place to start may be IT asset management, with the key asset register serving as a single source of truth accessible through a single secure portal.

DOES YOUR BUSINESS KNOW AND UNDERSTAND THE REPORTING TRIGGERS AND REQUIREMENTS?
There will be some slight variations depending upon 'criticality' and 'sector', but, under the SOCI Act's requirements for cybersecurity incident reporting:

• "If you become aware that a critical cybersecurity incident has occurred, or is occurring, AND the incident has had, or is having, 'a significant impact' on the availability of your asset, you must notify the Australian Cyber Security Centre (ACSC) within 12 hours after you become aware of the incident. If you make the report verbally, you must make a written record through the ACSC's website within 84 hours of verbally notifying the ACSC."
• "If you become aware that a cybersecurity incident has occurred, or is occurring, AND the incident has had, is having, or is likely to have, a 'relevant impact' on your asset you must notify the ACSC within 72 hours after you become aware of the incident. If you make the report verbally, you must make a written record through the ACSC's website within 48 hours of verbally notifying the ACSC."

www.linkedin.com/in/karen-stephens-bcyber
www.bcyber.com.au
karen@bcyber.com.au
twitter.com/bcyber2
youtube.bcyber.com.au/2mux
2023 NEW ZEALAND WOMEN IN SECURITY AWARDS, 2ND NOVEMBER. Don't miss out.
TRAVIS QUINN
A CAMEL IS A HORSE DESIGNED BY COMMITTEE: ACHIEVING GENUINE COLLABORATION IN CYBERSECURITY
By Travis Quinn, State Director at Trustwave

To many organisations, cybersecurity can appear to be a hindrance. This is unfortunate but understandable, because cybersecurity often does not contribute to their core business, or does so only tangentially. Take a software developer as an example. The core business of the developer is to create high-quality software that is fit for purpose and sell it to customers. Adding security features to the software or security oversight to the development process does not necessarily add to the value of the software for the customer.

This is a bitter pill to swallow but is true across many domains in technology. In addition to not contributing to its core business, the value proposition of cybersecurity to an organisation is often vague. To some, cybersecurity is viewed as an abstract type of insurance: a sunk cost to account for when things do not go to plan. While attitudes towards cybersecurity are maturing, outdated perceptions are still held at all levels of industry, government and academia.

While it is convenient to blame the individuals holding those views, they are not at fault. In part, the blame rests with the cybersecurity professionals who have failed to convince them. As a security professional you have the responsibility to communicate and, ideally, demonstrate the value of doing security well. You also have the responsibility to highlight the risks of doing security poorly. The latter is usually much easier, but both are important.

Within an organisation both these responsibilities are best fulfilled through genuine collaboration and tending to the often adversarial relationship that exists between security and other parts of your organisation. As someone external to an organisation (e.g., a consultant), this is harder, but being candid with your clients is an excellent place to start.

This article describes how we can best bring teams together and get our stakeholders to invest in security as both a process and an outcome. Through this type of genuine collaboration, we can change perceptions about security and be viewed as enablers, not blockers.

The longest and bitterest rivalry in our industry exists between cybersecurity and IT. The objectives of IT are generally well understood: keep the lights on, provide users with access to resources and services in a timely manner and put out the fires as they occur. These objectives seem straightforward until you add security to the mix. Security people invariably introduce requirements and constraints, making the job of IT harder. Simple questions coming from security, like "Why are you using this version of this software?" or "Why are you not using this crypto protocol?", can result in a significant amount of work and heartache for IT. From their perspective, some of these questions may appear spurious or may generate work that provides little benefit from a disproportionately large investment of time and effort. A common example of both these issues is poorly chosen treatments in a security risk assessment. What, to a security assessor, is one line in a table cell may represent weeks of work for IT. Here is another bitter pill to swallow: the IT team is justified in being sceptical. After all, who knows your organisation's IT and infrastructure better than your IT team? That is a rhetorical question; no one does. With that in mind, integration and collaboration are critical.

The good news: the industry appears to agree, at least in principle. With the popularity of cross-functional approaches like DevOps and DevSecOps we are seeing the adoption of practices that can normalise integration across development, IT and security, as well as introduce efficiencies. This is a good thing. However, for many organisations these approaches are not feasible, which is ok because there are many pathways to good cross-functional cooperation. Regardless of how you run your business or your projects, there are a few things you can do to improve collaboration.

Firstly, invite early and invite often. Cast a wide net when inviting relevant stakeholders to your meetings and workshops. If an invitee does not think they will have something to contribute, or they are worried they will not get something out of it, then they will let you know one way or another.

Secondly, get your stakeholders invested in the outcomes. Give them opportunities to have input and to challenge your assumptions, assessments and decisions. Where possible, you can also consider their objectives in your strategies and planning.

Thirdly, do not do security in a vacuum. Cybersecurity is often described as a team sport, and that is a reductive but apt way to describe it. When this idiom is used in our industry it is often to describe enabling others in the security team to succeed. Of course, this is a good thing and something we should all aspire to, but the team is not security alone: if your goal is to win, it cannot be.

Doing security in a vacuum can be avoided with simple initiatives. For example, know the architecture and networking experts in your organisation. Of necessity, these individuals have often developed a great understanding of cybersecurity and can help you fill in the gaps in your own knowledge.

Lastly, do not fall victim to design by committee or groupthink. This concept stands in contrast to the rest and is worthy of a separate discussion.

Calling back to the title, the expression "a camel is a horse designed by committee" dates from the mid 20th century. It describes a situation where the perspectives of all members of a group are incorporated in an outcome and, lacking a unifying vision, the outcome becomes compromised. In a security and engineering context this may manifest as an impossible set of requirements from too many stakeholders with weak scoping and prioritisation skills.

An infamous example of this is the F-35 Joint Strike Fighter (JSF), which ran over budget, over schedule and, arguably, underdelivered on its specification because the design team was trying to balance the requirements of all the arms of the United States military. In a highly critical January 2021 review of the JSF program, then acting US Defense Secretary Christopher Miller described the JSF as a "piece of [expletive]".

In psychology there is a concept closely related to design by committee: groupthink. Groupthink describes how the desire for harmony in a group negatively impacts the collective reasoning and decision-making ability of its members. Groupthink is a common problem in cybersecurity and is a danger to genuine collaborative efforts. It is a particularly easy trap to fall into early in your career or in an environment where you are less confident in speaking up. Combatting groupthink is largely about recognising that collaboration is not people pleasing and avoiding 'rocking the boat'.

Genuine collaboration comes from working with your teams and subject matter experts to achieve the best outcomes while factoring in requirements and constraints. At times this could mean disagreeing and having difficult conversations, but that is part and parcel of any collaborative effort.

In closing, collaboration in security is difficult and complex but ultimately rewarding. Doing it well is one of the best ways to dispel the unhelpful perceptions of cybersecurity that still linger, and to deconstruct adversarial relationships in your workplace. Things will not always go to plan, but with honest communication and engagement you can achieve the best possible outcome given the circumstances and carry forward the lessons learned to support your career.

www.linkedin.com/in/travis-quinn1
Connecting - Supporting - Inspiring
AS A FORMAL MEMBER, YOUR CONTRIBUTION ENABLES US TO BUILD AND SUSTAIN A STRONGER FUTURE FOR OUR INDUSTRY
Memberships are now a 12-month cycle Corporate packages available Learn more at awsn.org.au/members/join/
PETER LAKE
THERE IS NO 'I' IN TEAM … BUT THERE NEEDS TO BE ONE IN YOUR ATTACK SURFACE!
By Peter Lake, Experienced Service Management Leader

We love a good acronym or analogy and a good motivating slogan to bring us all together as the proverbial one team. You will have heard many over the years: Together Everyone Achieves More, The Example Always Motivates, and there is that timeless classic: "There is no I in team." It implies team members use their various individual strengths for the good of the team and for the greater good, and the interests of the team come before the interests of the individuals.

We see the rich diversity of teams today and celebrate the strengths each individual brings, delivering extra capabilities, synergy and energy to the team. An ancient text made the point a long time ago: "If we are all eyes, where would the hearing be?"

Hang on – are you talking eyes, ayes, or I? In cybersecurity there is a plethora of frameworks covering many disciplines. The National Institute of Standards and Technology (NIST) offers one such: its Framework for Improving Critical Infrastructure Cybersecurity. We remember it as I-P-D-R-R.

• Identify
• Protect
• Detect
• Respond
• Recover

[Figure: the NIST Cybersecurity Framework core, I-P-D-R-R, with the categories under each function]
• Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy; Supply Chain Risk Management
• Protect: Identity Management and Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology
• Detect: Anomalies and Events; Security Continuous Monitoring; Detection Processes
• Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
• Recover: Recovery Planning; Improvements; Communications
Identify is where NIST starts, and where the journey starts for companies and individuals seeking to understand the attack surface. It is where our effort needs to be directed in the first instance.

Everyone loves paper planes. We can spend hours making them, adjusting them and launching them into the wind. There is great anticipation and moments of hilarity observing where they go, how far they go and how well they fly. Purposeful strategy makes them fly better.

In cybersecurity we cannot simply launch paper planes and hope they land in a good place. The NIST Framework unpacks the delivery mechanism for a purposeful strategy that builds a successful outcome.

The Identify phase is vital. Everyone in cybersecurity is on a journey, but I suggest no one is where they want to be on that journey, and every day presents new and sometimes unimaginable challenges.

Companies need to identify and understand what their intellectual property is, why they value it, and how they can protect that value. Across the company, the HR department needs to identify roles, which roles should have access to specific information assets, and build this into role-based authority. IT and security then pick up this matrix, link it to minimum privilege, structure the identity and access management and manage the Active Directory. Identify is therefore much deeper than endpoint management and the patching and updating of internet-facing infrastructure. Identify is not just a list of firewalls, servers and external-facing IP addresses; it's about identifying every filament and fibre of the organisation and the risks it faces.

Women are excelling in cybersecurity because they bring to teams four of the vital skills and characteristics needed: curiosity, innovation, strategy and purpose. I see these traits in my own daughters every day, and in many of the amazing women studying cybersecurity with me who come from
diverse non-IT backgrounds. Everywhere you look, women are leading in cybersecurity. It is a great and refreshing change. Collaborative working requires everyone to be involved in the Identify phase. Curiosity, innovation, strategy and purpose are the 'eyes and ears' that make sure the Identify phase captures all the risk exposures. There is even room for the 'ayes' of the pen-testing 'pirates' (ethical pirates, of course).

So, returning to our theme, individuals also need to assess and Identify their own attack surface.

• How many things have I signed up for?
• How many social media applications am I active on?
• How much personal information have I shared?
• Am I stripping all EXIF information (metadata) from any photos I share?
• How much fodder am I providing for any open-source intelligence bad actor to exploit?
• Can I unsubscribe from all the promotional emails coming into my inbox?

It's sobering to consider these questions. As a parent, every time I hear the words "These people trying to scam me are so dumb, I don't even have an account with that bank," I know two things: the danger is ever present and there is a growing awareness of the risk. One mental walk-through exercise I give myself regularly is to imagine who I would most like to receive an email from, and the topic that would make me want to open it immediately. When I receive an email from that person, I inspect the message headers for a spoofed address. Even though it's a trusted sender and I have good MailGuard software, I force myself to do that occasionally just to put it through the lens of my own personal risk assessment, as a reminder of the constant threat.

So it's quarter time and (dare we go for another team-based analogy?) whether we are a champion team or a team of champions, everyone has, and is part of, an attack surface. So we need to work together to Identify what we are, what we value and where it is, so we can have a purposeful strategy to get to the place we all want to arrive at.

Indeed, there needs to be an I in TEAM!

ABOUT THE AUTHOR
Peter Lake is an experienced service management leader who has worked for Telstra and Cisco supporting Australia's largest companies. He is completing a Master's in Cyber Security at Edith Cowan University.
www.linkedin.com/in/peter-lake-6b84a521
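One of the personal attack-surface questions in Peter Lake's checklist above is whether EXIF metadata is stripped from photos before they are shared. The following Python routine is an example added here, not code from the article or from any product it mentions. It walks a JPEG's marker segments and drops the metadata-bearing ones (APP1, which carries Exif and XMP; APP13, which carries Photoshop/IPTC records; and COM comments) while copying everything else, including the entropy-coded scan data, through untouched. The file bytes in SAMPLE_JPEG are constructed inline to exercise the parser and are not a decodable picture; the "HypotheticalPhone" comment and the single GPSInfo IFD entry are invented.

```python
import struct
from typing import Iterator, Optional, Tuple

# JPEG marker codes (the byte that follows 0xFF)
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
APP1, APP13, COM = 0xE1, 0xED, 0xFE
# Markers that carry no two-byte length field
STANDALONE = {0x01, SOI, EOI, *range(0xD0, 0xD8)}
# Segments that carry metadata rather than image data:
# APP1 (Exif, XMP), APP13 (Photoshop/IPTC), COM (free-text comment)
METADATA_MARKERS = {APP1, APP13, COM}


def iter_segments(data: bytes) -> Iterator[Tuple[Optional[int], int, int]]:
    """Yield (marker, start, end) byte ranges for each segment of a JPEG.

    Everything after the SOS header is entropy-coded scan data; it is
    yielded once as (None, start, end) so callers copy it through verbatim.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    yield SOI, 0, 2
    pos, n = 2, len(data)
    while pos < n:
        start = pos
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < n and data[pos] == 0xFF:      # skip 0xFF fill bytes
            pos += 1
        if pos >= n:
            raise ValueError("truncated marker")
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            yield marker, start, pos
            if marker == EOI:
                return
            continue
        if pos + 2 > n:
            raise ValueError("truncated segment length")
        (length,) = struct.unpack(">H", data[pos:pos + 2])  # includes itself
        end = pos + length
        if length < 2 or end > n:
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, start, end
        if marker == SOS:
            yield None, end, n
            return
        pos = end


def _payload(data: bytes, start: int, end: int) -> bytes:
    """Segment bytes after the marker and its two-byte length."""
    p = start
    while data[p] == 0xFF:
        p += 1
    return data[p + 3:end]


def has_exif(data: bytes) -> bool:
    """True if any APP1 segment carries an Exif block."""
    return any(
        marker == APP1 and _payload(data, s, e).startswith(b"Exif\x00\x00")
        for marker, s, e in iter_segments(data)
    )


def strip_metadata(data: bytes) -> bytes:
    """Return a copy of the JPEG with Exif/XMP, IPTC and comment segments removed."""
    out = bytearray()
    for marker, s, e in iter_segments(data):
        if marker in METADATA_MARKERS:
            continue
        out += data[s:e]
    return bytes(out)


def _seg(marker: int, payload: bytes) -> bytes:
    """Build one length-prefixed segment (used only to construct the sample)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: structurally valid JPEG segments, not a decodable picture.
# The Exif APP1 holds a big-endian TIFF header with one IFD entry (tag 0x8825, GPSInfo).
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(APP1, b"Exif\x00\x00MM\x00*\x00\x00\x00\x08\x00\x01"
                 b"\x88\x25\x00\x04\x00\x00\x00\x01\x00\x00\x00\x1a\x00\x00\x00\x00")
    + _seg(APP1, b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta/>")
    + _seg(COM, b"Shot on HypotheticalPhone")
    + _seg(0xDB, bytes(65))                      # DQT: quantisation table
    + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00")     # SOS header, then scan data
    + b"\x12\x34\x56\xff\xd9"
)

if __name__ == "__main__":
    cleaned = strip_metadata(SAMPLE_JPEG)
    print(len(SAMPLE_JPEG), "->", len(cleaned), "bytes; exif left:", has_exif(cleaned))
```

On a real photo the call is `strip_metadata(open(path, "rb").read())`, followed by `has_exif()` on the result as the check. Removing APP1 also removes the Exif orientation tag, so a photo shot sideways may display rotated afterwards; that is the usual trade-off for removing location and device data, and the APP0 JFIF and DQT/SOF/SOS segments the decoder actually needs are left in place.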
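The header inspection Peter Lake describes above (checking an email that appears to come from a trusted sender for a spoofed address) can be made mechanical. The following Python example is added here and is not from the article; it uses only the standard library. It compares the domain of the visible From address with the envelope sender (Return-Path) and with Reply-To, and reads the SPF, DKIM and DMARC verdicts from the Authentication-Results header, trusting only the copy stamped by the receiving mail server named in authserv_id, since a spoofer can add their own copies before sending. The two messages, the domains trustedbank.example and example-attacker.test, and the server name mx.example.net are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Dict, List

# method=result pairs as written by the receiving server, e.g. "dmarc=fail"
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def domain_of(header_value: str) -> str:
    """Domain part of the first address in a header value, lower-cased ('' if none)."""
    addr = parseaddr(header_value)[1]
    return addr.rpartition("@")[2].lower()


def aligned(a: str, b: str) -> bool:
    """Loose DMARC-style alignment: same domain, or one a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def parse_auth_results(value: str) -> Dict[str, str]:
    return {m.lower(): r.lower() for m, r in AUTH_RESULT.findall(value)}


def assess_sender(raw: str, authserv_id: str) -> dict:
    """Compare the visible From with the envelope sender, Reply-To and the
    authentication verdicts recorded by our own receiving server."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = domain_of(str(msg.get("From", "")))
    return_path_domain = domain_of(str(msg.get("Return-Path", "")))
    reply_to_domain = domain_of(str(msg.get("Reply-To", "")))

    # Only trust Authentication-Results whose authserv-id is our own MX;
    # anyone can add a header with that name before the message reaches us.
    auth: Dict[str, str] = {}
    for value in msg.get_all("Authentication-Results", []):
        value = str(value)
        if value.split(";", 1)[0].strip().lower() == authserv_id.lower():
            auth.update(parse_auth_results(value))

    findings: List[str] = []
    if return_path_domain and not aligned(return_path_domain, from_domain):
        findings.append(f"Return-Path domain '{return_path_domain}' "
                        f"does not align with From domain '{from_domain}'")
    if reply_to_domain and not aligned(reply_to_domain, from_domain):
        findings.append(f"Reply-To domain '{reply_to_domain}' "
                        f"does not align with From domain '{from_domain}'")
    if not auth:
        findings.append(f"no Authentication-Results header from {authserv_id}")
    elif auth.get("dmarc") == "fail":
        findings.append("DMARC failed for the From domain")
    elif auth.get("spf") != "pass" and auth.get("dkim") != "pass":
        findings.append("neither SPF nor DKIM passed")

    return {"from_domain": from_domain, "return_path_domain": return_path_domain,
            "reply_to_domain": reply_to_domain, "auth": auth,
            "findings": findings, "suspicious": bool(findings)}


# Constructed messages (hypothetical domains) as the MX 'mx.example.net' would deliver them.
SPOOFED_RAW = """\
Return-Path: <bounce@mail.example-attacker.test>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=mail.example-attacker.test;
 dkim=none;
 dmarc=fail header.from=trustedbank.example
From: "Trusted Bank" <alerts@trustedbank.example>
Reply-To: support@example-attacker.test
To: peter@example.net
Subject: Action required on your account

Please log in to confirm your details.
"""

GENUINE_RAW = """\
Return-Path: <alerts@trustedbank.example>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=trustedbank.example;
 dkim=pass header.d=trustedbank.example;
 dmarc=pass header.from=trustedbank.example
From: "Trusted Bank" <alerts@trustedbank.example>
To: peter@example.net
Subject: Your monthly statement

Your statement is ready.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("genuine", GENUINE_RAW)):
        result = assess_sender(raw, "mx.example.net")
        print(label, "suspicious:", result["suspicious"], result["findings"])
```

A Return-Path that differs from From is also common for legitimate mailing lists and bulk senders, so treat the alignment checks as signals and the DMARC verdict from your own server as the stronger one; a message with no trusted Authentication-Results at all is flagged because there is then nothing to verify the From domain against.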
NIGEL PHAIR
THE EVOLUTION OF CREST By Nigel Phair, Chair, Australasian Council, at CREST International
CREST—an international not-for-profit, membership
incident response, threat intelligence and security
body representing the global cybersecurity industry—
operations centres.
has been active in Australia for over 10 years and continues to advance to meet the demands of both
ACCREDITATION OF INDIVIDUALS
buyers and suppliers of cybersecurity services.
Individuals involved in the scoping, delivery and signoff of a CREST International accredited service
CREST International started life in 2006 in the UK
can now register with CREST. There are two parts to
and has come a long way. It is now truly international
this process.
with chapters run by democratically elected councils in Southeast Asia, the Americas, Australasia, the European Union and the United Kingdom.
1) An individual provides basic information that allows CREST to identify them as a unique entity. As part of this process the individual will
CREST established a presence in Australia 10 years
be sent the CREST code of conduct to read and
ago as CREST Australia. It was created with funding
electronically sign. The application is reviewed and the individual is issued a CREST ID.

2) An individual provides additional information about skills, training, examinations and experience. CREST is seeking a better understanding of individual competencies as they relate to each accredited CREST member organisation. This information will be used to more effectively present skilled and competent teams to the buying community, governments and regulators.

and support from the Commonwealth Government to provide assurance to organisations seeking cybersecurity consulting services. It focused initially on penetration testing. However, the Australian chapter is now CREST Australasia. CREST Australia has become CREST Australia New Zealand, and has no connection with CREST International. It has not adopted the CREST accreditation standards and CREST ANZ membership does not confer membership of CREST International.

CREST International now has five focus areas: vulnerability assessment, penetration testing,

CONNECTING BUYERS WITH SELLERS

The CREST International website has a significant focus on connecting buyers of cybersecurity services with CREST member companies. The website puts members, the buying community and professionals seeking CREST certification centre stage with clear signposting on the home page and throughout.

A core function of the site is to turn buyers’ engagement with the website into sales leads for members. CREST has developed a new buyer-focused Find a Supplier journey that takes organisations, many of whom may be unsure what cybersecurity services they need, through a series of straightforward questions designed to generate meaningful results from the member database.

CREST continues to add to the Find a Supplier journey to improve its functionality for the buyers using it and to capture information about the buying community that can be aggregated and shared with members to inform their business development strategies.

New contact and callback functions on each member page allow potential clients to contact members directly and these leads will be logged in members’ dashboards.

MEMBER DASHBOARDS

For the first time members can log into the website with usernames and passwords. CREST members can edit details about their organisation including contacts, overall description, logos and banner images. They can also post links to content such as events and job vacancies hosted on their own websites using the careers and events tabs.

JOB LISTINGS

Members who link from their pages on the CREST website to job vacancies posted on their own websites will enjoy an additional benefit. CREST will collate the jobs to which members link and present them on its website in a way that allows qualified individuals to browse those vacancies.

TRAINING AND EDUCATION

CREST has signed agreements with Immersive Labs and Hack the Box to provide free access for member companies. Immersive Labs will provide labs aligned to the examination framework, and CREST-accredited organisations will have free access to entry-level labs.

These are exciting times for CREST. The changes to accreditation, the website and branding are the outcome of considerable member engagement. In Australia we run an annual CRESTCon event along with smaller member engagements. Exams are moving online, making them more accessible and obtainable. There is a lot to do, and we welcome support to help create a secure digital world for all by quality assuring our members and delivering professional certifications to the cybersecurity industry.

For more information visit www.crest-approved.org

www.linkedin.com/in/nigelphair
ANGELO FRIGGIERI

IF CLOUD IS YOUR MAP, SECURITY IS YOUR COMPASS
HOW SECURITY GUIDES YOUR PATH IN THE CLOUD
By Angelo Friggieri, Managing Director – Applied Security, at Accenture

The race to the cloud is underway. When business resilience came under threat from the pandemic a shift to remote working meant many organisations needed the flexible, scalable networks made possible by the cloud.

At the same time, new cloud-based technologies offered opportunities to drive innovation, automate and pursue new growth—or simply to save money and be more efficient.

As these factors came together historical uncertainties about cloud drifted away. Yet, accelerated cloud adoption also exposed organisations to new business risks—especially potential security vulnerabilities.

According to Accenture’s latest Future-proof secure cloud report, on any cloud journey, security is the compass that guides organisations to navigate more effectively.

CHALLENGING TIMES

Eighty percent of workloads could be in the cloud in the next few years, which means organisations should balance their security needs today with those of tomorrow. They should be ready and sufficiently agile to secure their existing technology footprint while being prepared to manage what lies ahead—wherever they are on the cloud journey. And they must often do so without the luxury of additional resources.

Organisations should consider their security profiles against the backdrop of a range of issues, such as:

• Increasing attacks—Accenture’s 2021 research found an average of 270 attacks per company during the year, a 31 percent increase over 2020;
• Smart threat tactics—threat actors are quickly taking advantage of emerging technologies;
• Security analysis paralysis—or overengineering solutions to close a vulnerability gap.

Future-proof secure cloud: How security guides your path in the cloud

As we shift toward a more human-centric internet and embrace advances like the metaverse, security teams need to improve their cloud security competency and agility to clearly identify and respond to evolving risks.

Security teams should be aligned with the business to be ready to protect their organisations and take advantage of cloud opportunities.

UNDERSTANDING THE ROUTE

Accenture’s report identifies two routes—direct and scenic—that represent the extremes of route options commonly considered when moving to the cloud.

The direct route takes organisations through some challenging terrain but uses the freeway to help fast-track innovation.

The scenic route takes organisations on a more meandering road through culture shifts and cloud complexity but picks up the benefits of business transformation along the way.

Both routes will take organisations to their end goal but will produce different experiences. From a security perspective, each route is effective but has different risks and requires a different approach.

YOUR SECURITY COMPASS

Accenture offers organisations insights on how they can engage their security teams to adjust these routes, manage the risks and make sure they are on the optimal path to meet business outcomes.

View the full report at www.accenture.com/au-en/insights/security/secure-cloud-future-proof

www.linkedin.com/in/angelofriggieri
MEGAN KOUFOS

LESSONS FROM THE AWSN LEADER FORUMS
By Megan Koufos, Program Manager at AWSN

The Australian Women in Security Network (AWSN) recently held its first two Leader Forum roundtables as part of its Women in Security leadership initiative, proudly supported by the Australian Signals Directorate (ASD).

The aim of the AWSN Leader Forums is to provide a space for women to come together, connect, discuss, collaborate and learn. They provide a platform for women in the Women in Leadership programs to discuss common issues, share ideas, ask questions and be inspired.

Each forum begins with a presentation from a guest speaker. This is followed by several small group discussions, held simultaneously. Participants are free to join their topic of choice. All small group participants then come together to share what they have learnt.

The topics that garnered most discussion in the last two forum sessions were:

• What strategies/initiatives would you like to see to increase diversity in security leadership roles?
• What practices/ideas/solutions could be implemented at a personal/organisational/societal level to better support mental health and manage burnout in our industry?
• How do you maintain work/life balance?

HOW DO WE INCREASE DIVERSITY IN SECURITY LEADERSHIP ROLES?

This is a key question for our industry, and one faced by many organisations. The answer is: focus on what is working, where successful strategies are being implemented and then amplify those ideas and solutions across the industry.

Some of the key ideas and solutions tabled at the forum included:

• Training the workforce and employers on how to embed a focus on diversity into organisation culture.
• Changing the mindset of interviewers who unconsciously have different expectations and apply different competency and experience criteria when hiring someone different from themselves. They should apply the same criteria to all applicants, regardless of gender, background or appearance.
• The McKinsey & Company Lean In Report was discussed. It showed (page 8) that the percentage of women coming through the corporate pipeline is increasing but the representation of women decreases as seniority increases.
• There needs to be more support for women supporting women, and more mentoring opportunities.
• There needs to be more opportunities to show role models from diverse backgrounds in different security roles. (“You cannot be what you cannot see.”)
• Companies need to believe that diversity is important and to really work on tangible solutions to increase diversity.

WHAT ABOUT MAINTAINING WORK/LIFE BALANCE?

As they move up to more senior roles in leadership many women look to their more senior executives for role guidance. How their managers work (or never stop working) has an impact on their own work/life balance. So, it is important for senior managers to demonstrate an appropriate work/life balance to those beginning their leadership journey.

Some of the more practical activities for achieving work/life balance we discussed included:

• Defining boundaries and seeing our time as important.
• Setting time in our calendars for lunch and breaks throughout the day.
• Blocking out time for email so it does not become a drain on our time.
• Making use of organisation-introduced initiatives such as 10-minute Monday morning meditations.

People tend to take on responsibilities beyond those prescribed for their role, seeing a need to contribute to the organisation. This can be detrimental to their own work/life balance. All participants agreed that, no matter how hard it might be, letting others take responsibility for their roles and responsibilities is paramount for maintaining their own work/life balance. In situations where people are expected to take on other responsibilities, asking for priorities to be assigned to these is key to ensuring they do not burn out or become overwhelmed.

WHAT PRACTICES/IDEAS/SOLUTIONS COULD BE IMPLEMENTED AT A PERSONAL/ORGANISATIONAL/SOCIETAL LEVEL TO BETTER SUPPORT MENTAL HEALTH AND MANAGE BURNOUT IN OUR INDUSTRY?

• Recognising we are sometimes our own worst enemies when it comes to working overtime, and being unable to say no.
• Developing the confidence, and earning the right, to say no.
• Work/life balance.
• Building a support network.
• Owning decisions and not apologising!
• Asking for a deadline and for managers to help prioritise work when it becomes overwhelming.

These forums are a great opportunity to meet, share and collaborate with the incredible women leaders in our industry. Future forums will delve deeper into the topics above and will add the following:

• Challenges and tips when returning to the workforce after a career break.
• Career planning and career advancement.

To find out more visit awsn.org.au

www.linkedin.com/in/megankoufos
VERONIKA LAPUSHNIANU

AVOIDING A CULTURE CLASH WHEN BRINGING TEAMS TOGETHER
By Veronika Lapushnianu, International Business Communications Trainer, Founder at GroupEtiq

During the past few years we have witnessed multiple mergers and acquisitions of cybersecurity companies. Australian and international enterprises are striving to become more competitive and increase their market share by strengthening their solutions offerings, innovating and investing in high potential startups and established corporations.

Bringing organisations and teams together during and after an acquisition requires special managerial competence. Enabling collaboration, either on short-term projects or long-term, can be difficult when there are conflicting work cultures. Different management styles and different cultural values can lead to frustration and costly outcomes when teams are under pressure to achieve common goals.

Restructuring often produces new teams, the transformation of old processes and procedures, the adoption of new technologies and changed communication flows. It changes the dynamics of external cooperation with partners and customers.

Therefore, it is important to provide team leaders with transcultural communication skills that will enable them to assess how these differences play out in real situations, strategize responses before a conflict arises and create an environment of mutual trust.

When company A acquires company B it is important to profile the organisational cultures of both to develop a successful communication strategy based on an understanding of values and cultures. This will enable both teams to understand what to expect from one another in a specific situation.

Examples of questions to consider when assessing an organisation’s culture are:

• What is the decision-making process?
• Who wields real power and authority?
• Are team members involved in important company decisions?
• Are people promoted based on merit or based on personal relationships?
• What are the social benefits offered?
• What is an acceptable sense of urgency?
• How is diversity promoted?
• What does good customer service look like?
• What is the negotiation style?
• What does onboarding of new employees look like?
• Is initiative promoted or punished?

And, finally: what are the protocol and etiquette norms when addressing subordinates and company executives?

Let’s assume company A has a ‘goal’ culture. In this organisation the key focus is on the task itself. There are reduced controls for faster decision-making, a lack of organisational structure, and teams operate in a highly competitive mode with the aim of achieving the company’s goals and mission. Everyone works hard to get the job done and this often leads to burnout. Company B has a so-called ‘soul’ culture. People and their happiness are the key priority. Trust is very important. Decisions are made slowly and require multiple inputs from team members. Communication flows are clearly defined. Feelings are more important than getting the task done.

Cooperation between company A and company B could be challenging in activities such as negotiating a mutually beneficial contract on time, hiring new talent that reflects company values, and successfully deploying a complex project with minimum variations.

For these organisations to cooperate effectively they would need to start with a self-assessment, consider differences and assumptions, understand how each team behaves and then create a communication strategy and plan.

www.linkedin.com/in/veronika-lapushnianu
TECHNOLOGY PERSPECTIVES
QUEEN A AIGBEFO

“WE DON’T TALK ABOUT BRUNO. NO, NO, NO.”
by Queen A Aigbefo, Research Student at Macquarie University

Bruno is a fictional character in Disney’s animated movie, Encanto, with the ability to see the future. He is one member of a family with magical powers who lives in a magical house. But Bruno is ostracised because he mostly predicts negative events and his family, and all the townspeople, blame a series of misfortunes on him. Also, his magic is waning. So, everyone is advised not to speak his name. Family member Mirabel, the story’s heroine, goes against the wishes of other family members to seek out Bruno. As a result of her actions Bruno’s prescience is restored, and he saves the family magic and the town.

I like Bruno’s character, but how is this relevant to cyber security?

CYBERSECURITY BLAME CULTURE

As end users we are all Brunos: we collectively take the blame when primary attack vectors—social engineering or human error—are exploited by malicious actors to gain entry into our organisation’s network.

According to Verizon’s 2022 Data Breach Investigations Report, “The human element continues to drive breaches. This year 82 percent of breaches involved the human element.” And, according to IBM’s 2022 Cost of a Data Breach report, “Human errors, meaning breaches caused unintentionally through negligent actions of employees or contractors were responsible for 21 percent of breaches.” Clearly, we need to talk about Bruno and stop blaming Bruno for every mishap.

In the aftermath of cybersecurity incidents or data breaches, there is much finger pointing and blame assigning. Previously, the chief information security officer (CISO) took the brunt of this, despite not having a voice at board level. Today, the CISO has a voice in the boardroom and users are in the hot seat, taking most of the blame for cybersecurity incidents.

As a security community we must do better to improve security together and stop shifting blame. The blame culture distracts security defenders from uncovering the underlying reasons behind security incidents. Perhaps more trust and transparency are needed among security teams, including end users, to improve resilience and secure our perimeters.

NEURODIVERSITY

Analysis of Bruno’s character suggests he may be neurodivergent, which would explain why he did not fit in with his family. At the 2022 RSA Conference Kelly Shortridge talked about how behavioural economics matters to infosec and how it is appropriate for security practitioners to understand why users are considered bad security decision-makers. I concur with Kelly’s thoughts and wonder why end users are such a risk to security. I found a hint in Bruno’s neurodivergent nature.

Neurodiverse people experience and interact with the world around them differently; there is no one ‘right’ way of thinking, learning and behaving, and differences are not viewed as deficiencies. Yet, as security practitioners, we are sometimes guilty of labelling end users as security illiterates because they view security differently.

On the one hand, we lump them into groups and provide them with basic security defence tools such as a thirty-minute annual security training and awareness session. On the other hand, we hold them responsible when they fall for a phishing email or for other actions and non-actions that may have led to security incidents. We cannot demand security expertise from end users if we, as security practitioners, fail to build neurodiversity into implementing security defences.

The world is still in recovery from the COVID-19 pandemic. Hybrid work is here to stay, and end users will always find interesting ways to work around security when they see it as a hindrance. Diversity in security involves more than simply recruiting diverse talent. The workplace comprises diverse end users interacting with the security defences we put in place. Do we need to flip the tables and include end users’ diversity to collectively improve our cyber defences?

BRUNO SAVES THE DAY

Bruno’s prescience showed that Mirabel might either destroy the family or remedy its troubles. It also revealed the steps she needed to take to save the family and the town.

End users remain one of the strongest links in the security chain; they interact with the security features of business systems. The stress we experience as security practitioners trying to ensure all systems are secure transfers to end users when we demand security expertise from them.

Like Bruno, our end users can save the day if we can understand how they react to the threats that gain their attention. Security defences compatible with the different ways people think can then be implemented to counter the most pressing threats.

It may be a tall order to understand user diversity, but it starts with acknowledgment of the need to do better instead of blaming users when security mishaps occur.

www.linkedin.com/in/queenaigbefo
IF YOUR TEAMS CAN DO DEVOPS, THEY CAN DO DEI TOO
by David Braue

As DevOps steadily reshapes security culture, why not use its lessons to tackle DEI as well?

Adoption of DevOps and its security-related cousin, SecDevOps, has driven the most dramatic transformation in the way technology teams work together since the Agile Manifesto pushed iterative thinking into the mainstream.

The changes brought on by DevOps have proved crucial as businesses push digital transformation to maturity. They have produced a new software development lifecycle (SDLC) cadence in which applications are deployed in stages onto a fault-tolerant infrastructure that ebbs and flows according to changing demand.

Yet, while DevOps specifically applies to the SDLC, its broader tenets also hold lessons for organisations looking to reset their culture and team-building processes with an eye to improving diversity, equity and inclusion (DEI).

Many struggle to avoid hitting the same organisational speed bumps that regularly torment DevOps advocates. Despite improving maturity, Gartner expects three quarters of DevOps initiatives will still fail this year due to “issues around organisational learning and change.”

Those issues include: failure to relate DevOps to customer value; poor organisational change management; a lack of collaboration across teams and silos; trying to do too much, too quickly; and having unrealistic expectations of how much change DevOps can deliver. They are slowly becoming less problematic as companies assimilate DevOps into their everyday operations.

“Regardless of how they define DevOps,” notes Puppet’s most recent State of DevOps report, “thousands of teams now have the ability to deploy software more safely and more quickly. … Many of the teams that are ‘doing DevOps’ well don’t even talk about DevOps anymore—it’s simply how they work.”

Yet there is still work to be done, with many companies still stuck midway through the cultural transition that DevOps involves: just under 80 percent of surveyed companies reported having a medium level of maturity in each of the past few years.

According to Commonwealth Bank of Australia (CBA) executive manager for customer and banking core Simon Davies, breaking through to a fully optimised state requires change that has been difficult to achieve in the past.

As the bank embraced DevOps to drive a major migration of its core SAP systems, Davies told the recent AWS Summit, “We needed to lower the barrier to experimentation to help us understand the shift and incrementally build that engineering muscle to support the leaner operating model that we’re striving for.”

Although the process ultimately proved technically robust, one of the major issues with the rollout was pushing people to think differently about the way they work.

“When you start to challenge the way people have historically done their jobs,” Davies explained, “you get some friction, sometimes quite a bit of friction. … We’ve all come up in this industry relying on a very predictable march of change and being able to rely on the accumulated knowledge of decades of experience in very fixed roles.

“So, what we were pushing here, though, was step change, and it is uncomfortable. And I think you’ve got to be uncompromising in your pursuit of real improvement, but also very generous with the effort that you invest into upskilling and educating your people.”

DEI IS YET ANOTHER CULTURE CHANGE

That’s all well and good, but what do DevOps and SecDevOps have to do with DEI?

As it turns out, many of the cultural issues that impede DevOps also emerge during DEI migrations, and they stem from similar issues that lie in wait just under the surface of any major organisational change, ready to emerge at the least opportune moment.

For all the importance of ‘baked-in’ security, SecDevOps has already been credited with slowing down the SDLC by requiring regular security tests that often take hours.

This creates intrinsic conflict with natural deadline pressures and, in many cases, motivates developers to skip security scans to meet release cycle deadlines.

One in five development managers surveyed in a recent Contrast Security study said they often skip security scans to meet release cycle deadlines, with 37 percent saying they did so sometimes and 29 percent occasionally.

Only 16 percent of respondents said they prioritised security over release deadlines, proof positive that arbitrarily imposing SecDevOps discipline on a team that has other conflicting goals is a recipe for disaster.

Similarly, simply stating that DEI is an organisational priority is far from enough to make it work within organisations.

One recent Robert Half survey, for example, found that while 42 percent of respondents believe DEI programs have increased their company’s diversity, 41 percent believe they have not had any impact, and 16 percent believe the programs actually decreased diversity.

That is not a great result for an essential cultural change whose financial and cultural value to the business has already been well established.

The results confirm that “diversity remains a deeply ingrained and complex structural issue that positive sentiment and intent alone cannot solve,” Robert Half director Nicole Gordon said. “Businesses must ensure they support their hiring efforts with a culture of inclusivity that values diverse backgrounds and perspectives.”

PUSH BACK AGAINST DEI PUSHBACK

In cases where employees harbour resentment to, or show disinterest in, DEI initiatives, it’s important to understand what aspects of effective cultural change are hindering the transition and to implement policies to address them so security practices can improve overall.

That means leading by example, measuring progress against evolving goals, promoting diverse employees, working to eradicate potential biases, creating a culture of safety around expressing myriad viewpoints and seeking out diverse voices during decision making.

In many ways, those strategies echo similar obstacles that proponents of DevOps have had to overcome in changing the dynamics of something as fundamental as software development processes and, more recently, the integration of security into those processes.

“‘Culture’ talks in which speakers explore the roles of empathy, trust and psychological safety have always been a part of the DevOps movement and corresponding events,” Puppet’s report notes. “However, large portions of our industry led with a focus on technology without setting out to change the way work happens, which is—fundamentally—culture.”

When that happens the results are predictable: in the DEI context experts now recognise that poorly managed change initiatives often face ‘DEI pushback’, a form of institutional inertia that can trip up even the most well-intentioned DEI efforts.

“In the face of the COVID-19 pandemic and a worldwide reckoning about racial injustice, many organisations have taken action to engage with social issues that were previously avoided at work,” Gartner research specialist Trisha Rai and senior principal for HR research Caitlin Dutkiewicz write, commenting on a recent Gartner survey in which over 31 percent of employees said DEI had gained more attention within their organisations over the past two years. Forty-four percent of respondents said a growing number of their colleagues feel alienated by DEI programs within their company, with 42 percent calling those efforts divisive and a similar percentage saying they resent DEI efforts.

“Failing to actively address pushback can mean losing progress with DEI,” the analysts note, warning of alienation or backlash towards marginalised employees and, at the organisational level, decreased workforce engagement and inclusion, potentially driving increases in employee attrition.

As important as the fact that such resentment exists is understanding why it exists, which helps managers appreciate what they can do about it. Gartner divides anti-DEI sentiment into two key categories: perceived threats to individual identity, and to social identity. It advises HR leaders to learn to recognise three types of pushback: denial, disengagement and derailment.

Such strategies are often unconscious responses to employees’ feelings of disempowerment, disenfranchisement, or what they see as reverse discrimination. Managers must, Gartner advises, actively communicate with hesitant employees to understand those feelings and head off potential problems they may cause.

Managers should also foster empathy for marginalised groups by inviting employees to engage with DEI efforts and by building awareness, including building safe spaces that “allow employees to make mistakes and ask uncomfortable questions [about DEI issues] without feeling threatened and without putting the burden of educating them on marginalised employees.”
CHRISTIE WILSON
TEAMS COMING TOGETHER by Christie Wilson, Cyber Resilience Manager at UniSuper
‘Better together’ is a core value of the company I
Building, developing and maintaining a champion
work for. It underpins everything from the way we
team is a delicate balancing act. Great teams are like
show up for work and the way we drive innovation
delicate houseplants: they need nurturing, care and
and solve problems together, to the way we celebrate
attention. Sometimes a little, sometimes a lot.
the good times and support each other in the challenging times. We even run ‘Better Together’
An experienced CISO was brought in as a ‘safe pair
training to further strengthen the company culture
of hands’ to develop our cybersecurity team. He in
and to improve trust and communication at every
turn brought in an experienced security architect and
level. Everyone, including executives and individual
a security governance risk and compliance (GRC)
contributors, participates in the training.
consultant. Their combined experience was important for setting strategy and direction for the team
This ethos also underpins the security community.
and, crucially, for developing trust with our board,
Whether you are new to security or have been
executives and other teams. The members of this
working in the field for many years, you will generally
cybersecurity team had a great breadth and depth
find a strong focus on people coming together to
of security experience across many organisations,
keep each other, their businesses, their loved ones
so nothing really fazed them. Experience matters,
and their communities cyber safe. Technology
especially in greenfields environments. People who
is ubiquitous. Most of us use it daily to send
have ‘seen it before’ and have a few battle scars are
emails, check social media, read the news or buy
good mentors and guides.
something online. It is also important for a greenfields team to have
128
Five years ago I was given a gift: the opportunity to
members with experience in the organisation
join a greenfields cybersecurity team. It’s not every
it serves. Although our new CISO, architect and
day you get to be part of a team at its inception. If
GRC consultant knew security inside out, they did
you are ever offered this opportunity in your career,
not know the organisation. Every company has a
I’d encourage you to grasp it with both hands. You’ll
unique culture and idiosyncrasies. Including existing
be excited, challenged and scared (often at the same
employees who had both security experience
time), but you’ll never be bored. I guarantee it.
and experience of the company helped the new
employees navigate the social norms and ‘ways we do things around here’.

As the team grew we looked for people within the organisation and from the wider security industry to join us. Team members from the IT department with complementary skill sets, including service desk, networking (the technical kind), servers and storage, joined our security operations and identity and access management teams. Many people with technical skills have a great foundation from which to pivot into security. Their skills may also enable them to progress their careers within the team. One member of our security operations team moved into the security architecture team after a year or two.

Most industries are tight-knit communities, but none more so than security. I am always amazed by the number of people I know in the field. Attending an industry event with my teammates is akin to watching the Kardashians at the Met Gala. They know everyone, and everyone knows them, a great asset when building a greenfields team. Our CISO brought in our security architect and GRC consultant, who recommended people they knew. They in turn recommended people they knew. Network contacts do not guarantee entry to an organisation, but networks and personal recommendations do count.

Business skills are also essential for any team, but especially for highly technical security teams. Security experts have deep knowledge in their chosen technical fields, but often need complementary skills to help communicate their deep knowledge to the business. Security may be the most important thing in the world to security teams, but I guarantee the rest of the business considers security dry, boring or a hindrance, if they even think about it. So, having skills in the team able to win hearts and minds in the business helps.

Diversity in age and cultural experience is important too. Our team members include people with ages ranging from their 20s to their 50s. The generational and cultural experiences of each team member are invaluable when we are developing cyber awareness content. This diversity also produces some amusing moments. Recently, I saw a fleeting look of confusion on a team member’s face when I casually mentioned I had seen the original Top Gun movie shortly after its release in the 80s.

Every team will go through a forming-storming-norming-performing cycle following its formation. This is normal and healthy, and when it works helps achieve the goal of creating a champion team rather than a team of champions. There are no shrinking violets in our security leadership team and we have had our fair share of storming. But the important achievement was that we created a safe environment in which we all feel comfortable when challenging each other. Psychological safety allows people to bring their whole self to work, which is important for team building.

So, diversity in skills, experience and backgrounds is important. But for me, the attributes that make our team a champion team are: we all genuinely like each other; we want the best for each other; we support each other. We’re a family, some days a dysfunctional family, but a family nonetheless. We celebrate our wins together and support each other through our losses. And that is what makes us better together.

www.linkedin.com/in/christie-wilson-9135317
SARA MOORE

THREAT INTELLIGENCE WOULD BE NOTHING WITHOUT COLLABORATION
by Sara Moore, Cyber Threat Intelligence Analyst

Threat intelligence would not exist if there were not some element of gathering information from a source and sharing it. It needs collaboration at its very core to work effectively, right from working with others within an organisation to better understand requirements, to developing intelligence sources to better serve those requirements. It does not matter what kind of classification it is. Working with others is essential. Cyber threat intelligence is as quick fire and tactical as you can get on an everyday basis, but taking a step back from the tree to see the woods is where analysts begin to join the dots and produce more thoughtful reports. The kinds of techniques that help analysts see to the heart of a matter, forecast better and think like the enemy also benefit from team analytical sessions, not just individual focus time. Good threat intelligence would be nothing without collaboration.

Imagine you are a cyber threat intelligence (CTI) analyst. It’s a Friday morning and everybody is looking forward to the weekend. You browse your inbox and notice a sudden increase in the number of emails arriving into a folder dedicated to a threat sharing group of which you are a member. It is where analysts like yourself from across your industry share interesting issues. You open the folder and skim the subject lines of the emails. You discover one of your peers has seen a spoof text message on the phone of someone in their C-suite. The message is targeted. You take a deeper look at the conversations between your peers to get a better sense of what has happened.

One of the emails contains a picture of the text message. It looks generic but you remember from yesterday that the vulnerability management team highlighted a new security update for iPhone related to WhatsApp. It was mentioned on a team call. You decide to email the vulnerability management team and the security operations centre (SOC) to enquire about the vulnerability and share information about the targeted messages mentioned in the threat intelligence sharing group.
They respond telling you the software on your organisation’s phones is not up to date, but the C-suite’s phones are being upgraded first. SOC staff say they will let you know if anything comes up on their logs. They ask for any indicators of what they should monitor and block. There was nothing specific in the email, but there is a phone number and a domain address. You pass these over and decide to do some research into the indicators.

First you visit an online website full of malware information contributed by people all over the world. When you input the domain, it leads to associated URLs and IP addresses. Further investigating the URLs and the domains, you discover a number of files that have been downloaded from these sites, which give you a new avenue to explore. After digging around for several minutes you discover related infrastructure information in an online threat intelligence report published by a well-known organisation. This report details the operations of a significant advanced persistent threat (APT) group based in an Asian country.

After recording your findings you share the information through email with your team. One of your colleagues has specialist knowledge in Chinese APT group activity. They call you to provide further information on how this particular APT group behaves: their tactics, techniques and procedures, and their likely pattern of attack. You share with your SOC the technical data generated from your research, explaining that the spoof text message may have come from a known APT group. You then share the same information with the threat sharing group that alerted you to the attack.

Before the day ends your SOC tells you there has been no activity in the logs related to the indicators of compromise you shared. However, the organisation that received the spoof text message tells you it has been able to block several malicious connections based on the information you provided.

Then your manager calls. “The CEO has just had one of those messages,” he says. You groan.

“What’s the damage?”

“Well, although he clicked on the link it was immediately blocked thanks to the work of the SOC.”

Phew!

The power of threat intelligence lies not only in how it enables you to assess and analyse information but in how you share it. Threat intelligence would be nothing without collaboration.

www.linkedin.com/in/sara-moore-698594168
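The hand-off in the scenario above (a domain and a phone number passed from a sharing group to the SOC to "monitor and block", and a later sweep of the logs for them) as an added example that is not part of the original article. The indicators, the defanged email format and the DNS/proxy log lines are all constructed sample data.

```python
"""Added example (not from the original article): normalise indicators shared in a
threat-sharing group and sweep SOC proxy/DNS logs for them, producing a blocklist.
Domain, phone number and log lines below are constructed, not real indicators."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed indicators as they might arrive in a sharing-group email. Analysts
# usually "defang" them (hxxp, [.]) so mail clients do not turn them into links.
SHARED_INDICATORS = """
domain: update-portal[.]example
url: hxxps://cdn[.]update-portal[.]example/profile
phone: +61 400 000 000
"""

# Constructed SOC log lines (DNS resolver and web proxy). Only two touch the domain;
# the third is a look-alike ("portal.example") that must NOT match.
SAMPLE_LOGS = [
    "2022-09-02T09:14:03Z dns client=10.0.5.23 query=cdn.update-portal.example type=A",
    "2022-09-02T09:14:04Z proxy client=10.0.5.23 GET https://cdn.update-portal.example/profile 403",
    "2022-09-02T09:15:10Z dns client=10.0.7.11 query=portal.example type=A",
    "2022-09-02T09:16:44Z proxy client=10.0.7.11 GET https://intranet.corp.example/ 200",
]


def refang(value: str) -> str:
    """Undo common defanging so indicators can be compared with real log data."""
    value = value.strip()
    value = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", value)
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.lower()


def domain_of(value: str) -> str:
    """Reduce a URL or bare host to its hostname."""
    return re.sub(r"^[a-z]+://", "", value).split("/")[0]


@dataclass
class IndicatorSet:
    domains: set = field(default_factory=set)
    phones: set = field(default_factory=set)

    @classmethod
    def parse(cls, text: str) -> "IndicatorSet":
        """Parse 'kind: value' lines; URLs are reduced to their hostnames."""
        ioc = cls()
        for line in text.splitlines():
            if ":" not in line:
                continue
            kind, _, value = line.partition(":")
            value = refang(value)
            kind = kind.strip().lower()
            if kind in ("domain", "url"):
                ioc.domains.add(domain_of(value))
            elif kind == "phone":
                ioc.phones.add(re.sub(r"\D", "", value))  # keep digits only
        return ioc


def host_matches(host: str, domains: set) -> Optional[str]:
    """Return the most specific indicator a host matches (exact or as a subdomain)."""
    host = host.lower().rstrip(".")
    for d in sorted(domains, key=len, reverse=True):
        if host == d or host.endswith("." + d):
            return d
    return None


# Hostname after a DNS "query=" field or a URL scheme in a proxy line.
HOST_FIELD = re.compile(r"(?:query=|https?://)([^\s/:]+)")


def sweep_logs(lines, ioc: IndicatorSet) -> dict:
    """Map each domain indicator to the log lines whose host hits it."""
    hits = {d: [] for d in ioc.domains}
    for line in lines:
        for host in HOST_FIELD.findall(line):
            matched = host_matches(host, ioc.domains)
            if matched:
                hits[matched].append(line)
                break
    return hits


def blocklist(ioc: IndicatorSet) -> list:
    """Sorted hostnames to hand to the SOC for blocking."""
    return sorted(ioc.domains)


if __name__ == "__main__":
    ioc = IndicatorSet.parse(SHARED_INDICATORS)
    for dom, lines in sweep_logs(SAMPLE_LOGS, ioc).items():
        print(f"{dom}: {len(lines)} hit(s)")
```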
MARISE ALPHONSO

IMPROVING SECURITY BASED ON THE PAST, THE PRESENT AND THE FUTURE
by Marise Alphonso, Information Security Lead at Infoxchange

The information security industry is dynamic. The threat landscape shifts quickly, local and global legal and regulatory requirements change, technology advances and the risk profile of organisations adjusts based on a changing operating environment. In this dynamic environment, security can be improved through the power of collaboration. Timeframes can provide the scaffolding for focus areas that can be examined to facilitate this improvement.

THE PAST

Previous security incidents and data breaches offer a rich source of data points from which to gain valuable learnings. They provide a chance for stakeholders in an organisation to reflect upon where improvements could be made to prevent recurrence, or to improve security practices. In addition, incidents that produce significant organisational impact provide lessons for other organisations on how they can improve their practices to avoid falling victim.

Information/cybersecurity audits and assurance activities validate processes and practices within an organisation and their alignment with policies and standards. Audit results confirm the fulfilment of requirements to meet stakeholder expectations. They highlight potential areas of risk, and identify non-conformance that indicates where changes across people, process and technology can benefit an organisation. Security auditors, both internal and external, play a pivotal role in assessing the security performance of an organisation and where improvements are required.

THE PRESENT

The 2022 Verizon Data Breach Investigations Report (DBIR) and the recent Notifiable Data Breaches and Scamwatch reports outline current threats and the attack vectors used to compromise individuals and organisations. The 2022 DBIR indicates no organisation is safe without a plan to handle phishing, the use of stolen credentials, exploitation of software vulnerabilities and botnets: the prevalent means of compromise. Work put into analysing patterns from security incidents, data breaches and scams is essential to provide the security industry with insight
into where efforts must be focused and resources prioritised. Security researchers and data analysts are key players in global efforts to improve security.

The ‘Do’ component of the Deming cycle requires security teams within organisations to constantly perform activities that keep the pulse of an organisation’s information security heartbeat regular. This may mean running security awareness initiatives, oversight of threat and vulnerability management activities or initiating user access reviews for key IT systems and services. To quote Aristotle, “We are what we repeatedly do. Excellence, then, is not an act but a habit.”

The bottom line is that maintaining and acting upon the entries in an information security calendar contribute the small steps that over time lead to an improved security posture.

THE FUTURE

ISO/IEC 27001, an international standard on information security management, outlines the governance requirements for effective information security practices. Clause 10 of this standard is titled ‘improvement’. Organisations must confirm that their information security governance practices facilitate improvement. These practices can take the form of processes to understand the potential impact of external changes on the organisation’s operating environment and stakeholders’ needs. These processes might include scanning for mega (global or national), macro (industry or sector) and micro (organisational) trends that could impact information/cybersecurity requirements. The main point in looking to the future, in this instance, is to allow for effective information security risk management when the likelihood of a risk eventuating, or the impact of that risk, changes. This risk management should then facilitate risk-based decision making and resource allocation to address identified risks.

Celebrating successes within the security team or broader organisation on completion of projects or successful incident response activities provides the momentum to keep moving forward on the continuous improvement path. Doing so also assists in creating a security culture and the necessary behaviours that maintain security as everyone’s responsibility.

Embedding a learning culture within the organisation by encouraging professional development, attendance at conferences or professional association events is another future-focused improvement point. Learning is required within the information security domain and across all capabilities and skills required by the organisation in fulfilment of its mission.

In looking to improve information security, it is helpful to look through the lenses of the past, the present and the future. In doing so, we glean insights, collaborate and look to the horizon to determine how best to move forward.

www.linkedin.com/in/marisealphonso
MEL MIGRIÑO

INSIGHTS ON COLLECTIVE CYBER RESILIENCE
by Mel Migriño, VP/Group CISO at Meralco, Chairman & President of the Women in Security Alliance Philippines

Decades ago, when computers were expensive and not readily accessible, computer hacking had little to do with criminal behaviour. Hackers were people sufficiently adventurous to go beyond the instruction manual and explore the possibilities of the new technologies. They were motivated to explore the potential of technologies beyond their stated limitations.

In the 80s the profile of a hacker transformed from that of a heroic figure to a young programmer hacking into big organisations. While their actions caused inconveniences, their main motivation was to gain kudos from the success of their exploits.

Today, the attack surface has increased drastically with the increased connectivity of networks and devices, and hackers’ motives have evolved to financial gain and the advancement of political and/or personal agendas. Hackers are now employing advanced technology and sophisticated techniques. They are members of criminal enterprises prepared to use innovative tactics to gain access to their targets.

To counter the increased sophistication of attackers, organisations are increasingly adopting a zero trust approach. Zero Trust is a security framework that requires all users, whether inside or outside an organisation’s network, to be authenticated, authorised and continuously validated for security configuration and posture to gain and maintain access. However, it is challenging for organisations to have 100 percent visibility across all segments, all assets and all possible attack vectors. Thus, we need to look at establishing a collective cyber resilience strategy.

Attackers are becoming more powerful and more effective through increased collaboration, or ‘collective offence’. They are sharing data and exploit tools on the dark web to achieve breaches, and there is also a growing cottage industry of independent cyber mercenary groups.

Despite investing millions in cybersecurity technology and human resources, organisations in all industries and the public sector are still getting attacked. Organisations from public sector agencies to Fortune
500 companies to SMEs and service providers across supply chains find themselves in the same boat, but with varying levels of resources to address the security challenge. The current trend to increase spending on the defence of core platforms and networks is already unsustainable. Therefore, we need a new defence strategy to keep pace with cyber threats. We need collective defence. According to the March 2020 report of the US Cyberspace Solarium Commission (p96), “This ‘collective defence’ in cyberspace requires that the public and private sectors work from a place of truly shared situational awareness and that each leverages its unique comparative advantages for the common defence.” Collective defence can be achieved through the following activities.

ADVANCED DETECTION BASED ON AI

Shifting from signature-based detection that focuses on older and known threats towards a behaviour-based detection capability that proactively identifies the underlying behaviour of unknown threats to the network across the intrusion cycle and not just the final ‘action-on-target’ step, when it is too late to stop system exploitation or data exfiltration.

REALTIME THREAT SHARING

Sharing threat insights with the wider community to create an early warning mechanism. In a collective defence ecosystem participants actively share anonymised cyber anomalies at machine speed across the community of public and private organisations. This crowdsourced threat sharing capability allows companies to identify stealthy attackers earlier in the attack cycle.

COORDINATION IN THE SUPPLY CHAIN

Leveraging the community for triage and response insights based on real time feedback. This allows peers to take immediate action to mitigate active threats. Peers within the collective defence chain have better opportunities to optimise resources to achieve ‘defensive economies of scale’.

Our end goal is to have a perspective of the threat landscape that will enable us to prepare and build defences in advance. Adopting collective defence enables peers to:

• Better detect anomalous cyber activities that might go unnoticed.
• Gain greater visibility of unknown and known threats through anonymised threat sharing.
• Get early warning of threats targeting all elements in the supply chain.
• Build better triage and stronger response capabilities by creating a unified force through collaboration.

Collective defence is easy to understand, but difficult to implement. However, it is high time we all worked together regardless of organisation type, size or location. We should aim to have a greater impact that will better protect our organisation and the world we live in.

www.linkedin.com/in/mel-migriño-b5464151
www.linkedin.com/company/wisap-women-in-securityalliance-philippines/
NANCY BENJUMEA

DATA GOVERNANCE, ANOTHER OPTION TO PROTECT THE DATA OF YOUR CUSTOMERS AND EMPLOYEES
by Nancy Benjumea, Lead Data Governance Consultant at Pernix

As a technology professional with more than 15 years’ experience, I have held various roles: web developer, tester, security analyst, IT auditor, data classification analyst and, now, data governance specialist. Many of you may have had similar career paths, switching between IT roles or progressing in data roles. Many of you might have decided to stay working with data because you found such roles gave meaning to your careers.

This is a magazine about security not data, so why am I talking about data governance? Keep reading and you will understand. Data governance is a fairly new area. It came into being because of the gap between IT departments and the business. IT staff claim ownership of data because it is stored in the systems or applications they maintain, but the people from the business understand the processes and business rules that make sense of the data. With the emergence of data governance, data ownership has shifted from IT to the business. Now, data is being valued appropriately and given the protection it needs.

Businesspeople now own the data and want to know how to properly use it for the benefit of their company, but they face significant hurdles. They do not know what data they have, where it is stored, if it is consistent, if it is duplicated, if it is shared externally without controls or if it has value that can be exploited to produce profits. Without such knowledge companies cannot be certain how to protect their data. Regulations such as GDPR and international standards such as ISO 27001:2022 require companies to adequately protect personal information.

I believe data governance to be the discipline most companies should adopt to protect their sensitive data. Data governance can provide the framework for a program through which companies identify their critical data, assign owners and label it according to its sensitivity. When data governance is implemented correctly, security controls can be applied to prevent data loss, data breaches and data misuse. With a mature data governance framework the business can find value in its data that can drive strategies to attract new customers, or it can sell that data to others, generating immediate profits.

I liken a data storage system to a closet. If a closet is messy, only those who have put clothes into it know where to find them. However, if a closet is properly catalogued and organised with drawers, others can easily find a specific item without the intervention of whoever keeps the clothes. How is your data closet organised?

www.linkedin.com/in/nancybenjumea
MEGHAN JACQUOT

UNDERSTANDING A THREAT LANDSCAPE TAKES A TEAM
by Meghan Jacquot, Security Engineer at Inspectiv

Software patches, hardware vulnerabilities, geopolitical events, information operations, threat actor campaigns, malware and tech stack asset inventory can all be analysed to gain understanding of a threat landscape. However, it would be very difficult for all these to be investigated by one person in a timely and detailed manner. Therefore, a team is needed to understand an organisation’s threat landscape.

SCOPE AND RESOURCES

When assessing a threat landscape, it is essential to first determine the scope of an engagement. Threat modelling and threat intelligence can be gathered in-house, by a third party team or by a combination of a third party and in-house teams.

To determine the scope of an engagement a series of questions should be asked:

• What exactly is within bounds?
• What is out of bounds?
• What data will be considered?
• Who will be targeting that data?
• Over what period will the data be collected?
• Do the resources exist to collect the data or do new resources need to be allocated?
• How will that data be collected?
• What type of tools will be used?
• Do those tools already exist in-house or does a third party contract need to be initiated?
• How will actions be validated?

SOFTWARE AND HARDWARE

Once the scope of an engagement has been determined, an inventory of software and hardware must be taken, and the alignment of hardware and software with scope goals must be determined. If current software and hardware assets do not enable these goals to be achieved then either these assets or the goals will need to be adjusted. These are parts of the process team members will complete to measure the threat landscape.

Patching and vulnerability management will also need to be part of the engagement. When a new vulnerability is disclosed the team will need to understand whether it is relevant. If so, resources will need to be allocated quickly to mitigate the threat of the vulnerability being exploited. One good way to assess the severity of a vulnerability is to see when the US Cybersecurity and Infrastructure Security Agency (CISA) requires US government agencies to apply a patch or fix. For example, the Follina vulnerability, CVE-2022-30190, was added to the Known Exploited Vulnerability Catalog in June 2022 and patches had to be applied within a month.
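One way a team could turn the two steps above (inventory, then triage by CISA's patch deadline) into a repeatable check, as an added example that is not part of the original article: cross-reference the asset inventory against KEV catalog records and rank the relevant entries by the remediation window CISA set. The catalog excerpt and the inventory are constructed; the record uses the KEV feed's field names (cveID, vendorProject, product, dateAdded, dueDate), with dates chosen to fit the article's "added June 2022, patch within a month" description, and the second CVE is a placeholder.

```python
"""Added example (not part of the original article): prioritise patching by
cross-referencing an asset inventory against CISA KEV catalog records.
All data below is constructed sample input shaped like the KEV JSON feed."""
import json
from datetime import date

# Constructed two-record excerpt in the shape of the KEV feed. The Follina dates are
# assumed to match the article's description; the second record is a placeholder.
KEV_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-2022-30190", "vendorProject": "Microsoft", "product": "Windows",
   "vulnerabilityName": "Follina", "dateAdded": "2022-06-14", "dueDate": "2022-07-05",
   "requiredAction": "Apply updates per vendor instructions."},
  {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor", "product": "ExampleRouter",
   "vulnerabilityName": "Placeholder entry (constructed)",
   "dateAdded": "2022-06-20", "dueDate": "2022-12-20",
   "requiredAction": "Apply updates per vendor instructions."}
]}
"""

# Constructed asset inventory: the output of the SOFTWARE AND HARDWARE step.
INVENTORY = [
    {"asset": "finance-ws-01", "vendor": "Microsoft", "product": "Windows"},
    {"asset": "branch-rtr-03", "vendor": "ExampleVendor", "product": "ExampleRouter"},
    {"asset": "build-srv-02", "vendor": "Canonical", "product": "Ubuntu"},
]


def load_kev(raw: str) -> list:
    """Parse the KEV feed and convert its ISO date strings to date objects."""
    records = json.loads(raw)["vulnerabilities"]
    for r in records:
        r["dateAdded"] = date.fromisoformat(r["dateAdded"])
        r["dueDate"] = date.fromisoformat(r["dueDate"])
    return records


def remediation_window_days(record: dict) -> int:
    """Days CISA allowed between listing the CVE and the patch deadline."""
    return (record["dueDate"] - record["dateAdded"]).days


def _key(vendor: str, product: str) -> tuple:
    return (vendor.lower(), product.lower())


def relevant_kev(records: list, inventory: list) -> list:
    """Keep KEV entries whose vendor/product pair appears in our inventory."""
    owned = {_key(a["vendor"], a["product"]) for a in inventory}
    return [r for r in records if _key(r["vendorProject"], r["product"]) in owned]


def prioritise(records: list, inventory: list, today: date) -> list:
    """Rank relevant KEV entries: shortest CISA window first, then nearest deadline."""
    ranked = []
    for r in relevant_kev(records, inventory):
        affected = [a["asset"] for a in inventory
                    if _key(a["vendor"], a["product"]) == _key(r["vendorProject"], r["product"])]
        ranked.append({
            "cve": r["cveID"],
            "window_days": remediation_window_days(r),
            "days_left": (r["dueDate"] - today).days,  # negative once overdue
            "overdue": today > r["dueDate"],
            "assets": affected,
        })
    # A short window is CISA's strongest urgency signal; break ties by deadline.
    ranked.sort(key=lambda x: (x["window_days"], x["days_left"]))
    return ranked


if __name__ == "__main__":
    for item in prioritise(load_kev(KEV_JSON), INVENTORY, date(2022, 6, 28)):
        print(item)
```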
THREAT ACTORS

Researching and understanding threat actors takes a team. There are many ways to research a threat actor and several frameworks an analyst can use.

Intelligence Framework | Description
MITRE ATT&CK® | This is a model based upon real-world observations of threat actor behaviours and campaigns. This framework includes a matrix that lists tactics, techniques, and procedures (TTPs) used by adversaries to gain access to victims’ systems.
Cyber Kill Chain® (Lockheed Martin) | The cyber kill chain helps with the analysis of advanced persistent threat (APT) groups: cybercriminals who gain a foothold into a system and remain undetected for a long time. Specifically, this framework maps APT activity, including reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2) and actions on objectives.
The Diamond Model of Intrusion Analysis | The Diamond Model leverages a diamond shape to map adversaries, their victims, infrastructure and capabilities. Recently, cybersecurity company Recorded Future published a white paper analysing information operations within the context of the Diamond Model. This paper was reviewed by the creator of this framework, Sergio Caltagirone.

MALWARE

Malware samples can be analysed if found on internal devices or by conducting research about a threat actor. Security researchers may request samples from other researchers. Use caution: sometimes nation state funded threat actors impersonate legitimate security researchers to compromise their networks. To better understand the landscape a team might have specific roles devoted to malware analysis and reverse engineering. IDA Pro is software commonly used as a disassembler to analyse malware. It can generate assembly language source code from machine-executable code and make this complex code more human-readable. This code can then be decompiled and ported, and the tool also supports Python extensions through its SDK. Human intervention is needed at this point to further analyse the malware and data.

INFORMATION OPERATIONS

The use of malinformation is particularly nefarious. It is information intentionally shared by a malicious user that, CISA says, “is based on fact, but used out of context to mislead, harm or manipulate.” Team members could study the effect of InfoOps on the organisation, brand, individual, etc. A thorough understanding of communication methods and techniques will be essential for these team members.
GEOPOLITICAL EVENTS

Events in the physical world affect digital outcomes in cybersecurity and the threat landscape. If one country declares war on another, in the 21st century, this war will not only be kinetic, but it will also be cyber-kinetic. There will be cyber activity against the targeted country’s physical systems or use of the internet. This has been seen in the war Russia is waging against Ukraine. Ukrainians have been targeted by phishing schemes, malware and wiper malware disguised as ransomware. Having team members who understand international relations can be crucial to analysing how geopolitical events will impact an organisation’s threat landscape.

THREAT LANDSCAPES TAKE A TEAM

Threat landscapes are dynamic and vast and each organisation is different with different needs, priorities, resources, etc. A team is needed to provide defence against the varied threats an organisation could encounter. One person cannot do this effectively; it takes a village.

www.linkedin.com/in/meghan-jacquot-carpe-diem
twitter.com/CarpeDiemT3ch
www.youtube.com/c/CarpeDiemT3ch
ALEX NIXON

HIDDEN IN PLAIN SIGHT: THE EVOLVING THREAT OF BEC
by Alex Nixon, Senior Vice President and the Head of Kroll’s Cyber Risk practice in Australia

The world of cybercrime may not seem to have much in common with the glitz and glamour of the Hollywood A-List, but in the past few years one up and coming cybersecurity ingenue has made the headlines in both the industry press and the world’s media: ransomware.

Ransomware is malware that encrypts files and prevents access until a ransom is paid to provide a decryption key. There is no award wage for a ransomware actor so the amount demanded can range from the mildly irritating to the profit destroying. Whatever the amount, decryption is often not straightforward.

Ransomware’s celebrity status might be the result of a few high profile cases over the years, such as WannaCry and (Not)Petya, or because the concept of being held to ransom is both understandable to non-technical players and holds a degree of intrigue.

There is no ignoring the disruption ransomware can cause organisations. However, turning our collective attention to it may distract us from the fact that it is not the most lucrative nor the most prolific form of cybercrime. In the United States Federal Bureau of Investigation’s (FBI) Internet Crime Report 2021, ransomware incidents were well down the list of cybercrimes reported.

The most commonly reported form of cybercrime typically results in lower reported losses per incident than ransomware. However, in aggregate, the almost 20,000 incidents of this nature reported in the FBI’s Internet Crime Report led to adjusted losses totalling close to $US2.4b. We’re talking about business email compromise (BEC), reimagined for the criminal of today.

A caveat at this stage. Whilst that $US2.4b in losses dwarfs the $US49.2m reported lost in 3,700 reports
of ransomware last year to the FBI, as with all
when criminals leverage the information obtained
statistics, it may not tell a complete story. The dollar
through email compromise for extortion.
amount attached to ransomware incidents does not take into consideration any revenue lost during
My colleagues at Kroll, Christopher Ballod and Jaycee
down time or any additional recovery costs, and
Roth, spoke about this approach in a recent article,
organisations may downplay their losses. Despite
Cyber Extortion Gets Personal – The Next Step in
this, I think it is fair to say that losses sustained from
Email Compromises. Threat actors are beginning to
BEC attacks are substantial.
see the value-add in committing BEC/EAC attacks and using the credentials obtained to exfiltrate sensitive
BEC, or email account compromise (EAC), has
emails, attachments and data stored in connected
evolved along with the preventative measures
cloud repositories.
organisations have put in place. Many of us will be familiar with the old school BEC schemes involving
requests for gift cards, or those targeting the real estate sector (both of which are still to be found in the wild). But as security controls and the way we conduct business evolve, so too do our adversaries.

The ongoing pandemic, with its associated recommendations on limiting in-person work and the increased difficulty of international travel, has been a boon to cyber criminals in many ways. The increased adoption of remote working and virtual communication has led to a new form of BEC/EAC that uses deepfakes to conduct executive impersonation (CEO fraud). After compromising the email account of a senior executive, such as a managing director or chief financial officer, the threat actor sends employees a request for a virtual meeting. Citing technical issues that prevent audio, or using deepfake audio, the threat actor instructs employees to initiate a wire transfer. The funds are then quickly moved into a cryptocurrency wallet, making recovery prohibitively difficult and expensive.

Threat actors would be remiss if they used compromised credentials for this purpose alone. The multitude of opportunities compromised credentials present makes them an attractive proposition for any adversary. Monetary gain can be obtained through classic BEC and through the wider environment to which compromised credentials give access. This is where the ransomware mindset intersects with BEC,

The workflow shown on the opposite page represents a common pattern Kroll has observed.

Describing one attack of this nature Kroll witnessed, Ballod and Roth outline how several gigabytes of data and a contact database were stolen from the email and cloud repositories of one victim of email compromise. The threat actors used this data to target the individual's extended family (including minors), threatening to expose sensitive information about their relative.

To combat such an attack, your organisation's security controls should be reviewed. For example, modifying the bring your own device (BYOD) policy to prohibit the downloading of attachments onto personal devices may help to mitigate the risk of exploitation in an EAC scenario. Implementing multifactor authentication on all systems (including those pesky legacy ones) for all users (including those impatient and important ones) can prevent or limit damage from email compromise.

Need a jumping-off point? Kroll has put together guidance on 10 essential cybersecurity controls, based on what our experts are seeing on the front lines. This can help you open an internal discussion about how to meet this evolving threat, because history shows us our adversaries will continue to evolve alongside us.
WOMEN IN SECURITY MAGAZINE
www.linkedin.com/in/alexlnixon
SEPTEMBER • OCTOBER 2022
TECHNOLOGY PERSPECTIVES
Workflow (opposite page): the common BEC/EAC pattern Kroll has observed
• External Victim Scouting – Phishing Email. Credentials harvested via malware or dark web forums.
• Initial Exploit – Use stolen credentials to log in. Reach SharePoint, OneDrive and related accounts.
• Internal Scouting and Escalation – Gain access and establish persistence. Created additional Admin-level accounts to retain access.
• Toolkit Deployment – Data collection and exfiltration. Hundreds of GBs stolen including emails, attachments, fileshares, cloud repositories, etc.
• Mission Execution – Extortion. Attackers incorporate company executives, vendors, family members and clients in extortion scheme.
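The middle three stages of that chain (a sign-in on stolen credentials, extra admin-level accounts created for persistence, bulk download of mail and files) each leave a trace in cloud audit logs, and a defender can hunt for the sequence rather than wait for the extortion demand. The script below is an added example, not Kroll's code or part of its guidance: it runs three rules over a handful of constructed audit events. The event names (UserLoggedIn, Add user, Add member to role, FileDownloaded), the field names, the admin role list, the 1 GiB download threshold and the sample accounts are all assumptions for illustration, not any product's real schema.

```python
"""Hunt for the BEC/EAC chain above in constructed cloud audit-log events.

Rules, mapped to the workflow stages:
  initial exploit         -> interactive sign-in that completed without MFA
  escalation/persistence  -> the same actor creates a user and grants it an admin role
  exfiltration            -> download volume by one actor exceeds a threshold
Event and field names are assumptions for this example, not a real product schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample events (not real telemetry). One JSON object per line.
SAMPLE_LOG = """
{"ts": "2022-06-01T08:02:11Z", "actor": "cfo@example.com", "op": "UserLoggedIn", "mfa": false, "ip": "203.0.113.9"}
{"ts": "2022-06-01T08:05:40Z", "actor": "cfo@example.com", "op": "Add user", "target": "svc-backup@example.com"}
{"ts": "2022-06-01T08:06:02Z", "actor": "cfo@example.com", "op": "Add member to role", "target": "svc-backup@example.com", "role": "Global Administrator"}
{"ts": "2022-06-01T08:20:00Z", "actor": "svc-backup@example.com", "op": "FileDownloaded", "bytes": 3221225472}
{"ts": "2022-06-01T08:41:00Z", "actor": "svc-backup@example.com", "op": "FileDownloaded", "bytes": 2147483648}
{"ts": "2022-06-01T09:00:00Z", "actor": "alice@example.com", "op": "UserLoggedIn", "mfa": true, "ip": "198.51.100.4"}
{"ts": "2022-06-01T09:10:00Z", "actor": "alice@example.com", "op": "FileDownloaded", "bytes": 1048576}
"""

# Assumed role names and thresholds; tune to your tenant's baseline.
ADMIN_ROLES = {"Global Administrator", "Exchange Administrator", "SharePoint Administrator"}
EXFIL_THRESHOLD_BYTES = 1 * 1024**3      # 1 GiB per actor across the log window
ESCALATION_WINDOW = timedelta(hours=24)  # admin grant this soon after a weak sign-in is suspicious


def parse_events(text):
    """Parse newline-delimited JSON events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def hunt(events):
    """Return {actor: [finding, ...]} for every actor that tripped at least one rule."""
    findings = defaultdict(list)
    last_nonmfa_login = {}          # actor -> time of most recent sign-in without MFA
    created_users = set()           # accounts created during the log window
    download_bytes = defaultdict(int)

    for event in events:
        actor = event["actor"]
        op = event["op"]
        if op == "UserLoggedIn" and not event.get("mfa", False):
            last_nonmfa_login[actor] = event["ts"]
            findings[actor].append("initial_exploit: sign-in completed without MFA")
        elif op == "Add user":
            created_users.add(event["target"])
        elif op == "Add member to role" and event.get("role") in ADMIN_ROLES:
            # Persistence: an admin grant to a freshly created account, or one made
            # shortly after the granting actor signed in without MFA.
            recent = (actor in last_nonmfa_login
                      and event["ts"] - last_nonmfa_login[actor] <= ESCALATION_WINDOW)
            if event["target"] in created_users or recent:
                findings[actor].append(
                    f"persistence: granted {event['role']} to {event['target']}")
        elif op == "FileDownloaded":
            download_bytes[actor] += event.get("bytes", 0)

    # Exfiltration is judged on the total, so it is evaluated after the pass.
    for actor, total in download_bytes.items():
        if total > EXFIL_THRESHOLD_BYTES:
            findings[actor].append(f"exfiltration: {total / 1024**3:.1f} GiB downloaded")
    return dict(findings)


if __name__ == "__main__":
    for actor, hits in hunt(parse_events(SAMPLE_LOG)).items():
        print(actor)
        for hit in hits:
            print("  -", hit)
```

On the constructed log the compromised executive account trips the sign-in and persistence rules and the new service account trips the exfiltration rule, while the MFA-protected user who downloads a single file is not reported. The persistence rule is the one worth keeping even if the others are noisy in your environment: a newly created account being handed an admin role is exactly the step the workflow describes for retaining access.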
ISSUE 10
IMPROVING SECURITY TOGETHER
by Gina Mihajlovska, Cyber Security Manager at EY

This article argues that we need to consider our relationship with security as part of the bigger picture created through togetherness: caring for each other and making sure we create a safe environment for ourselves and those we love. Those of us who work in cybersecurity tend to focus on the complexity of technology, systems, processes and risk management and overlook the human component. Can there be security without people coming together to create awareness?

US historian Henry Adams (1838-1918) lived through a period of great change, the most tumultuous period of US history. Unity and togetherness were crucial to the consolidation of the US into a unified, secure and prosperous nation that would come to lead the world. "Unity is vision; it must have been part of the process of learning to see," he wrote.

So, we have history as our teacher, when coming together was critical to improving security. If Adams had been writing in the 1950s he would have focused on messages to raise our consciousness and collective awareness of threats to ourselves and the security of our societies. The societal and governmental responses to the Cold War rested heavily on unity and on managing security together. Fast forward seven decades. Today, a united front to address present-day security threats, unimaginable to those living in the 1950s, has become an imperative.

Our lives have been changed forever by the internet. The technologies it spawned and the benefits it offered have been seamlessly absorbed and integrated into our lives. It removed the constraints of 20th century analogue telecommunication architectures and introduced the ability to be virtually present anywhere on the globe. The notion that other countries, other languages and other cultures could be experienced from the comfort of one's home or office was emboldening. With the help of social media we shared our private stories and information, unaware of the potential for these to be misused.

Our uptake of social media and our readiness to share the most private aspects of our lives with openness and trust have created opportunities for misappropriation by those who maliciously seek to benefit from the information and are able to evade the technical controls imposed to protect it. These vulnerabilities are also new threats to our brave new world. Cybersecurity professionals engage in daily efforts to mitigate threats from hacking, abuse of financial products (credit cards, bank accounts) and identity theft, and to protect us from these. In time, cyber professionals have come to appreciate the benefits of an aware and vigilant user base and how it greatly improves the management of cybersecurity.

During Cyber Security Awareness Month 2021, in March 2021, the government urged Australians to take simple steps to better protect themselves from common online threats and cyber-crime. The then assistant minister for defence used the opportunity to address the importance of each of us being cyber smart and doing our part by learning to apply basic safeguards to our information and to the way we interact with the internet. Educating citizens to run software updates and perform backups, and helping seniors to identify scams, are significant steps to improving security together. The battle to counter the growing threats coming from increasingly skilled and sophisticated cybercrime perpetrators will continue, but these actions on the government's part were necessary steps to developing technical prowess among the population.

The need to create a relationship between people and technology represents a paradigm shift to a future where there is increased information systems literacy that enables everyone to play a role in reducing the opportunities for cyber-crime to succeed. However, improved security that is strong and sustainable should not demand sacrifice or compromise of the values we treasure as a society. Therefore, any attempt to improve security together needs to address these aspects. Security should not come at the expense of people. This is a very important dimension to consider when we come together to improve security.

In summary, I would argue that improving security together is an important facet of collective human interaction. We also improve security together by learning to be discerning in what we identify as a threat and how we treat it. This comes from vigilance and understanding of how cyber criminality differs from other forms of criminal activity. Through these we begin to learn as a collective, sharing experiences to enhance our response and our ability to teach those dear to us about the threats to their wellbeing.

What is important to our personal and social wellbeing must be part of a unified vision. Without the efforts of people, cybersecurity experts are left to battle alone to protect us from cyber criminality and are likely to fail to achieve their goal of making us safe.

www.linkedin.com/in/ginamihajlo
STUDENT IN SECURITY SPOTLIGHT
Swen Lee is studying for a Bachelor of Computer Science at Edith Cowan University’s Joondalup campus, majoring in cybersecurity. She is in the last semester of her final year. She grew up in Kuching in Sarawak, Malaysia. Thanks to COVID-19, she took a whole year of her course online from Malaysia. SWEN LEE Bachelor of Computer Science, Edith Cowan University
What were your career aspirations in your last year of school?
In my last year of high school, I had already set my mind on the IT field. I took a gap semester and proceeded to college. My career aspirations at the time were to graduate university with good grades, work as a part-time cybersecurity intern while studying to gain more experience in the field and hopefully be employed by an industry to work on my interest fields.

What led you to pursue study in cybersecurity?
My father is in the IT industry (networking). I have seen his work and he has always told me how interesting the IT field is. I love learning about cyberattacks around the world and new malware. It's scary but an interesting topic to ponder.

How did you gain the knowledge and understanding of cybersecurity that enabled you to make your choice of what study/qualification to pursue?
I was studying for a Diploma in Software Development at South Metropolitan TAFE in Murdoch. At the time, I had a friend studying to get her Diploma in Cyber Security. She told me how easy it was for our personal information to be traced and used maliciously. I realised cyberattacks were happening all around the world without our knowledge. I started doing my own study of malware and viruses and developed an interest in cryptography. I really enjoy encrypting and decrypting ciphers and even used cryptography to encrypt a message in my parents' anniversary gift. That was when they realised I had a passion for cybersecurity and supported me in my decision to pursue a career in the field.

Did you consider pathways into cybersecurity other than your present course of study, and if so which ones?
I have. I was considering software engineering because I love programming and web development.

Many women have given us their thoughts on cybersecurity saying it is really important that the industry hires people with diverse skills. What roles do you think your skills would best equip you to fulfil?
Here are some of the roles I believe I am well able to fulfil:
• Project manager/management. I have good communication, leadership and team building skills. I speak three languages: Chinese, English and Malay.
• Cyber security consultant. I have good communication skills and knowledge of security.
• Information security analyst. I have coding as well as security knowledge to satisfy the requirements of the field.
• Web developer. I can write code in PHP, HTML, JavaScript, CSS and SQL.

Many have also talked about the value they have gained from having a mentor. What has been your experience? Have you participated in any formal mentoring program, or benefited from an informal mentoring relationship?
I have had neither formal nor informal mentoring, but I have made friends who had been to university before me and they helped a lot by passing on their knowledge on how to better manage assignments and lecture content.

If you could spend a day with a security expert to learn about their role, what role would you choose?
I would be very interested to learn from a malware analyst. They characterise malware by handling, disassembling, debugging and analysing the malicious code.

What are your longer term - five or 10 year career aspirations?
I would like to become more specialised rather than briefly working in every field, to gain knowledge in various cybersecurity fields but find a specialisation and focus on building my skills on it.

What aspect of cyber security in your studies most excites you, and why?
Digital forensics, because it is very scary to realise how much information can be disclosed by just swiping your credit card, being scanned by a retina scanner, etc.

What involvement do you have in security outside your course?
• part time job? I am currently a cybersecurity intern at Retrospect Labs.
• volunteer role? I am a student ambassador for the School of Science at ECU. This has put me more in touch with the many aspects of cybersecurity, made me realise how much I missed out on by having to study online and made me even more impassioned about my course. On my first day of class, I met a friend who introduced me to the outreach and program coordinator for the School of Science at ECU, Dr Michelle Ellis. Since then, Dr Ellis has opened many doors and opportunities for me. I have run and tutored in cybersecurity workshops on topics such as cryptography, digital forensics and open-source intelligence. I got the chance to volunteer at a Microsoft Sustainability Hackathon with Microsoft's developer engagement lead, Michelle Sandford, who then introduced me to Microsoft engineer, George Coldham. I am now going to DDD Perth, Perth's largest community-run conference for the tech community, in September to talk about 'How your simple application could lead to your customers losing their life savings!' with him. I can't wait! I have also volunteered for Big Day in Perth 2022, an IT careers conference for high school and university students designed by students for students. I am also a tutor for Girls Programming Network, which runs workshops to teach programming to high school students.
• informal, personal study? I am interested in learning about new malware and cyberattacks happening around the world. One I am currently looking at is the Russian-Ukraine attack.

www.linkedin.com/in/swen-lee-16893a207
instagram.com/leekeswenn
Emily Harmon grew up in Kent, just outside Southeast London and moved to Perth in 2013. She works at Bunnings in cyber operations as an identity and access management administrator and is studying off-campus part-time for a Bachelor of Science (Cyber Security) at Edith Cowan University. She is a little over halfway through the course. EMILY HARMON Bachelor of Science (Cyber Security) Student, Edith Cowan University
What were your career aspirations in your last year of school?
I wanted to be a veterinary surgeon and would spend school holidays shadowing surgeries.

What led you to pursue study in cybersecurity?
I cultivated my passion for technology whilst working at Bunnings. Working on the shop floor, I was curious about what the service desk officers were doing on the other end of my phone calls, and how all our technologies and systems worked together.

How did you gain the knowledge and understanding of cybersecurity that enabled you to make your choice of what study/qualification to pursue?
I started studying computer science majoring in software engineering, but after completing the computer security unit in my second semester I decided to switch to cybersecurity. I had an awesome lecturer and the prospects of a career in security and problem-solving enticed me, so I switched to my current degree.

I was also working on Bunnings' IT service desk at the time, so I had some insight into what our cybersecurity team did. I reached out to our cybersecurity operations manager to discuss my course and see if there were any entry-level opportunities in cybersecurity. He kept me in the loop, so I applied when an opportunity came up.

Did you consider pathways into cybersecurity other than your present course of study, and if so, which ones?
I did not, but I wish I had known there were options and pathways other than TAFE and university. I have always been academically inclined and wanted to go to university. I put my studies on hold for a long time because I did not have Australian citizenship and was unable to afford the international student fees. During this time, I could have considered certifications.

Many women have given us their thoughts on cybersecurity, saying it is really important that the industry hires people with diverse skills. What roles do you think your skills would best equip you to fulfil?
Our threat actors are diverse, so to mitigate the threats they present we also need diverse teams. Security is also a group effort. In a large organisation such as Bunnings a great culture around security is key. Because I have worked in various roles across the business I can empathise with the different departments and understand their challenges from their point of view.

Many have also talked about the value they have gained from having a mentor. What has been your experience? Have you participated in any formal mentoring program, or benefited from an informal mentoring relationship?
I have been fortunate to have mentors within and outside my organisation. Most people in our industry are very generous with their time, and their knowledge of the industry is invaluable. I have had the opportunity to speak with people holding various roles in our industry, from CISOs to researchers at university. I would advise others to never be afraid to reach out to someone, even on LinkedIn, or talk to someone at an industry event. People who work in security are generally passionate about the industry and love to talk about it.

If you could spend a day with a security expert to learn about their role, what role would you choose?
Someone in digital forensics and incident response.

What are your longer term - five or 10-year career aspirations?
I hope to move into a blue team/defence role as a defence analyst. Once I graduate from university I hope to upskill and complete some industry certifications such as OSCP. I will also continue advocating for women in our industry and being an active member of AWSN and WiTWA. I hope to pay forward the support and welcome I have received from these organisations, and mentor newcomers to the industry.

What aspect of cybersecurity in your studies most excites you, and why?
I enjoy the hands-on workshops, such as setting up virtual environments, and learning Linux and cybersecurity tools, because these are real-world skills I can use at work.

What involvement do you have in security outside your course?
• part time job? I work fulltime as an identity and access management administrator at Bunnings.
• member of security organisations? I am a member of AWSN and WiTWA.
• informal, personal study? I regularly attend events such as AustCyber's Students of Cyber (SOC) events which take place every month.
www.linkedin.com/in/emily-harmon-75b0831a0
Bettina Marquez has just completed the Cyber Defense Professional Certificate program offered by ThriveDx—formerly HackerU—and the University of Central Florida. The program is an intensive, 10 month deep-dive into foundational cybersecurity skills and principles, from basic Microsoft and Linux security to digital forensics and incident response (DFIR) and game theory. She grew up in the Mid-Hudson Valley area of New York State. BETTINA MARQUEZ Cyber Defense Professional Student, University of Central Florida
What were your career aspirations in your last year of school?
Coming out of high school, my career aspirations were to get into field zoology or marine biology, thereby combining my love of the outdoors, animals and scientific research with my ever-present drive to understand why things (or people, or animals) work the way they do.

What led you to pursue study in cybersecurity?
The complete answer to that could have me talking for a while. The short version is that I originally became interested in pursuing cybersecurity more than ten years ago when it was still very new as a field of formal study, academically. I have always been good with technology and enjoy trying to troubleshoot and figuring things out myself. It was clear to me that cybersecurity was where everything was headed, and I wanted to be a part of it. I went so far as to apply for, and get accepted into, a local program, but then had to drop those plans because of my husband's job transfer and other family priorities. Fast forward to this time last year when I was suddenly faced with a major shakeup in my personal life that necessitated a return to the workforce. Just as I was exploring my options I came across the Cyber Defense Professional program at the University of Central Florida and decided to sign up for the introductory course. It did not take me long to decide this was definitely the path I wanted to take.

How did you gain the knowledge and understanding of cybersecurity that enabled you to make your choice of what study/qualification to pursue?
The beautiful thing about going through the bootcamp program was that it gave me a great foundation in the many facets of cybersecurity, starting with basics and progressing to the more advanced topics. Along the way we benefitted from the experiences and insights of our instructors, who were all working professionals in the field. Also, the program incorporated periodic review and study sessions that helped to prepare us for select certifications like Security+. Like most people new to cybersecurity, this is what I decided to choose as my starting point.

Did you consider pathways into cybersecurity other than your present course of study, and if so which ones?
As I mentioned, I had previously applied to a cybersecurity program about a decade earlier, which would have been a two-year degree program at a local college—a much more traditional approach than the bootcamp I have just completed.

Many women who have given us their thoughts on cybersecurity say it is really important that the industry hires people with diverse skills. What roles do you think your skills would best equip you to fulfil?
Oh wow, that's a great question! I think my skills and experience make me diverse and adaptable to different roles. I am someone who can be both detail- and big-picture-oriented, work alone or in teams (I prefer a mix of both), identify patterns and concomitant outliers and break down complicated concepts into terms people can more easily grasp. And I love researching and problem-solving. Between my skills and my interests, I think I would eventually best fill roles in either DFIR or perhaps risk management.

Many have also talked about the value they have gained from having a mentor. What has been your experience? Have you participated in any formal mentoring program, or benefited from an informal mentoring relationship?
I have not participated in any kind of formal mentoring program, but I am definitely interested in finding someone willing to play that role in my life. I thrive on challenge and really enjoy relationships with people who believe in me enough to push me to grow and be better.

If you could spend a day with a security expert to learn about their role, what role would you choose?
Right now, I'd choose to shadow someone working in a DFIR or risk management role.

What are your longer term - five or 10 year career aspirations?
I know I want to grow into a leadership role of some kind, but I'm not exactly sure yet what that will look like. When I say leadership, I'm not thinking management—I picture myself as someone who sets the pace, defines the conversation, blazes a trail, calls people to action and makes a difference. That's a lofty goal, I know, but I've always been a very purpose-driven person.

As far as the more prosaic question of what role do I see myself filling in cybersecurity down the road, I like the idea of working in DFIR in a larger crime-solving capacity; I like the idea of hunting down the bad guys!

What aspect of cybersecurity in your studies most excites you, and why?
I heard Tia Hopkins speak in a webinar and she said something that really resonated with me, along the lines of, "I don't want to be where everyone is; I want to be where everyone is going." That's me. I've always been drawn to research because I want to push the boundaries and answer the questions no one else has yet answered. This was exactly what most excited me about cybersecurity right from the start: it's new and evolving, and—of necessity—will have to keep adapting and evolving as the threats and technology evolve.

What involvement do you have in security outside your course?
• part time job? None.
• volunteer role? Not yet, but I am actively looking for opportunities right now.
• outplacement as part of your course? There is no formal outplacement program in the course, but connections have been forged that have led to potential opportunities.
• member of security organisations? Not yet.
• informal, personal study? Many YouTube videos, of course. I have especially benefited from NetworkChuck, but have also made use of Sunny Classroom, PowerCert, David Bombal, and others. I also have a subscription to what used to be known as The Great Courses and am about to start a Python programming course it offers, because it seems clear a solid foundation in Python will be tremendously beneficial in any cyber role.

www.linkedin.com/in/bettinamarquez
Ocia Anwar has been studying for a Bachelor of Cyber Security and Behaviour, which she completed in July 2022. She was born in Kabul, Afghanistan in 1999 and lived there for most of her childhood before moving to Pakistan in 2008. She migrated to Australia in January 2010. OCIA ANWAR Bachelor of Cyber Security and Behaviour, Western Sydney University
What were your career aspirations in your last year of school?
At first I wanted to become an interior designer because I loved art and creating things from nothing, but then my passion for crime and technology led me to study cybersecurity and behaviour.

What led you to pursue study in cybersecurity?
Because of my physical disability I wanted to study something that would demonstrate my mental ability. I also loved technology and its power to change something in a matter of minutes.

How did you gain the knowledge and understanding of cybersecurity that enabled you to make your choice of what study/qualification to pursue?
In my final year of school I studied multimedia, which opened the doors to technology and how useful it is. At the beginning I was not aware of cybersecurity. It caught my attention when I applied for university because the course had all the things I was interested in, from digital forensics investigation to psychology.

Did you consider pathways into cybersecurity other than your present course of study, and if so which ones?
Yes, I would have gone to TAFE and completed a diploma of cybersecurity and then continued with my studies at university. Now, to gain further knowledge and to stay up to date with current trends I will study courses from LinkedIn, (ISC)2, Plural and SANS.

Many women who have given us their thoughts on cybersecurity say it is really important the industry hires people with diverse skills. What roles do you think your skills would best equip you to fulfil?
As I have attention to detail, I would be best at security compliance.

Many have also talked about the value they have gained from having a mentor. What has been your experience? Have you participated in any formal mentoring program, or benefited from an informal mentoring relationship?
I have benefited from both informal and formal mentoring. I undertook a cadetship with Cochlear in its cybersecurity department and was lucky to have contact with the manager through LinkedIn. He helped me with my resumé. Also, I was lucky to connect with Agathe Savard, security leader and strategist, through a colleague and she answered some questions I had regarding interviews and how to best prepare for them.

If you could spend a day with a security expert to learn about their role, what role would you choose?
I would choose security compliance, governance and consulting because these are intertwined.

What are your longer term - five or 10 year career aspirations?
Working with the Australian Taxation Office for three years as a junior in cybersecurity compliance, then becoming a manager for three years and following this with five years at the Commonwealth Bank as team manager, then working with National Australia Bank as a senior consultant.

What aspect of cybersecurity in your studies most excites you, and why?
There were two, intertwined units: human behaviour and forensic investigation. You never know what you can find and how people can change their behaviour/personality based on the environment.

What involvement do you have in security outside your course?
• part time job? I undertook a cadetship at Cochlear from 30 November 2020 to 5 February 2021.
• outplacement as part of your course? I had an outplacement at Western Sydney University's security operations centre.
• member of security organisations? I am a member of the Cyber Security Association, AISA, Women in Security and ISACA.
• informal, personal study? LinkedIn Learning: SPSS Statistics essential training; FDM Group: mini expert's challenge; Cyber@ANZ program; Qualys: compliance policy and procedures.
www.linkedin.com/in/ocia-anwar-1ab3a5184
Raziye Tahiroğlu is about to start the second year of study for a degree in computer science at Istanbul Aydin University in Türkiye. She will undertake an internship during the year, and aims to start working as a security analyst in her final year. She also intends to pursue further education after obtaining her degree, and to conduct academic research. RAZIYE TAHIROĞLU Computer Science Student, Istanbul Aydin University
What led you to pursue study in cybersecurity? I had heard about cybersecurity from those around
in any formal mentoring program, or benefited from an informal mentoring relationship?
me and became very interested. I found myself
Yes, definitely. It’s important to have a mentor. A
following cybersecurity news and published articles.
mentor can help you develop and realise many of
Then I thought “Why shouldn’t I have a place in the
your skills in the learning process. They can guide
cyber world, too?” Thus, I decided to be more than
you when you are stuck. I participated in many
merely a consumer of cybersecurity.
course activities organised by institutions in my country. Institutions in my country moved their activities online during the COVID-19 pandemic. Many bootcamps and courses were conducted online and I benefited from these lessons.

How did you gain the knowledge and understanding of cybersecurity that enabled you to make your choice of what study/qualification to pursue?

Cybersecurity is forever changing. There is constantly more for me to learn. I still have a long way to go. I think I'm just at the beginning. I obtained the information I have gained so far by using the internet. At the same time, I tried to improve myself by joining activities staged by cybersecurity organisations in my country.

Did you consider pathways into cybersecurity other than your present course of study, and if so which ones?

Everyone's cybersecurity pathway is different, and I think my pathway is appropriate for me.

Many women who have given us their thoughts on cybersecurity say it is really important that the industry hires people with diverse skills. What roles do you think your skills would best equip you to fulfil?

I agree with that. I've concentrated on the defensive/blue team side until now. Therefore, I believe a cybersecurity analyst position would be a good fit for me. I want to work hard and develop my offensive skills and work as a red team member.

Many have also talked about the value they have gained from having a mentor. What has been your experience? Have you participated

If you could spend a day with a security expert to learn about their role, what role would you choose?

I would like to spend a day with an incident responder, and security operations centres would be a good fit to enable me to gain experience in line with my current career goals. I am also very interested in open source intelligence, so it would be great for me to spend time with an open source intelligence (OSINT) investigator/analyst, observe how they work and learn from them.

What are your longer term - five or 10 year career aspirations?

I will continue to study computer science as an academic career. I want to do a master's in this field, and the idea of publishing an article also excites me. As a woman in cybersecurity I want to support my associates. I would like to instruct other students as to the institutions that make it possible for me to learn today. I am currently stronger on the defensive side of cybersecurity. I aim to increase my strength on the offensive side with hard work. I also have an interest in open source intelligence and I will enhance my skills in this field. During this time, I aspire to gain experience by performing penetration tests.

158 | WOMEN IN SECURITY MAGAZINE | SEPTEMBER • OCTOBER 2022

STUDENT IN SECURITY SPOTLIGHT
What aspect of cybersecurity in your studies most excites you, and why?

I find it very interesting that cybersecurity is both dangerous and beneficial. My cyber awareness is very beneficial in my daily life. When I set a password or make a payment, I start to wonder if what I am doing is safe. Cybersecurity comes in handy when I am investigating the veracity of the news. We are now in a world where every individual should be aware of cybersecurity because it is significant in every aspect of our lives.

What involvement do you have in security outside your course?

I participate in events under the title of Women in Technology. I follow events organised by the SANS Institute and many similar organisations. I am a volunteer intern at a company and I am working on my coding skills.

www.linkedin.com/in/raziye-tahiroğlu

WOMEN IN SECURITY MAGAZINE | ISSUE 10 | 159
CAROLINE NG
Bachelor of Information Systems (Honours), UNSW

Caroline Ng is in her fourth year of study for a Bachelor of Information Systems (Honours) under the UNSW Co-op Scholarship Program. She grew up on Sydney's Northern Beaches.

What were your career aspirations in your last year of school?

I aspired to become a leader in IT who would help make the world a better place.

What led you to pursue study in cybersecurity?

I was interested in cybersecurity because it combined my passion for technology with my passion for helping people and keeping them safe. I joined the Australian Women in Security Network (AWSN) and strengthened my interest in cyber through the mentorship, networking and workshops it offered.

How did you gain the knowledge and understanding of cybersecurity that enabled you to make your choice of what study/qualification to pursue?

Through the UNSW Co-op Scholarship Program I was able to gain work placements in cyber teams at IAG and Westpac. During those placements I spoke with people in various cyber teams and learnt about the different roles available. Additionally, after gaining experience in Westpac's penetration testing team and shadowing pentesters, I decided pentesting would be suitable for me.

Did you consider pathways into cybersecurity other than your present course of study, and if so which ones?

Because I was studying for a degree in information systems, I decided to continue and complete it.

Many women who have given us their thoughts on cybersecurity say it is really important that the industry hires people with diverse skills. What roles do you think your skills would best equip you to fulfil?

Pentesting is suitable for me because, during my time in Westpac's pentesting team, I enjoyed the technical challenge of trying to figure out how to break into systems. I also found communicating and explaining vulnerabilities to be a nice balance with the technical work.

Many have also talked about the value they have gained from having a mentor. What has been your experience? Have you participated in any formal mentoring program, or benefited from an informal mentoring relationship?

I have been able to gain mentors informally through my work placements and more formally through the AWSN pilot mentoring program.

If you could spend a day with a security expert to learn about their role, what role would you choose?

I would choose a CISO to understand what decisions they make day-to-day and how they work with other senior leaders in their company.

What are your longer term - five or 10 year career aspirations?

I aspire to use my technical knowledge to help me become a leader who makes better decisions through business and technical acumen.

What aspect of cybersecurity in your studies most excites you, and why?

I am excited about protecting organisations and customers from malicious actors.

What involvement do you have in security outside your course?

I am an AWSN member and I participate in capture the flag competitions whilst I complete my studies.

www.linkedin.com/in/carolinengcyber
LISA ROTHFIELD-KIRSCHNER
Author of How We Got Cyber Smart | Amazon Bestseller

Jack and Olivia are getting their first laptop for school

Next year, Jack and Olivia will be getting a laptop for school. It's very exciting as they can't wait to have their own computer like the big kids. At school, they call this a "BYOD Program" (bring your own device), and they are keen to help their parents choose their laptops for school.

At school, their teachers have been preparing them for the responsibility that comes with having their own devices. The teachers explained that there are rules that they need to agree to as part of the BYOD Program.

Olivia and Jack's School BYOD Rules:

• Don't be a bystander. If you see anyone sending nasty messages or if you know of anyone at school being cyberbullied, you must tell a teacher so that they can help.
• Don't click on strange links or websites; these could be harmful.
• Email has been set up to communicate with your teacher only; no one can email you from outside the school.
• Your camera must have the privacy cover on unless you are in a class that needs the camera. Otherwise, the camera needs to be off.
• Do not connect to a USB device that you are unfamiliar with; it could contain viruses.
• When you're away from home or school, never connect to 'free WiFi' as cyber criminals may use it to access your computer.
• Your computer must have anti-virus software running that is up to date.
• The school IT department will install software on your device to filter out inappropriate apps and block other people from contacting you. A friendly reminder that if anyone you don't know contacts you online, you need to tell your teacher or a trusted adult straight away.

Also, Olivia and Jack's parents said they have additional rules at home:

• You can do your homework on the laptop after school in a communal area so that we can supervise you. We will also have time limits for how long you can use your laptops as it's important to play outside.
• We will install parental controls on your laptop to only allow content appropriate to your age, but these are not always 100 percent safe. If anyone tries to contact you, or if you see something strange online, it is important to let us know straight away. You will not get into trouble, and we will not take your laptop away. We will help figure out what has happened to keep you safe online.
• If you do receive a nasty message, please do not delete it. We will teach you how to save, screenshot and print the message as evidence of cyberbullying.

Olivia and Jack think the rules are very fair, as they know what can happen online if you don't follow the rules. They can't wait to get their new laptops and discover some fascinating things to learn online.

www.linkedin.com/company/how-we-got-cyber-smart
facebook.com/howwegotcybersmart
twitter.com/howwegotcybers1

Recommended by Family Zone
How We Got Cyber Smart addresses cyber safety, cyber bullying and online safety for elementary school-aged children.
WOMEN IN SECURITY MAGAZINE CONTRIBUTORS

1. AMANDA-JANE TURNER – Author of the Demystifying Cybercrime series and Women in Tech books. Conference Speaker and Cybercrime specialist
2. APARNA SUNDARARAJAN – Manager - Technology Transformation Practice
3. ANGELA HALL – Client Trust, Risk and Compliance (CTRaC) & Trade Regulations Executive at Kyndryl
4. AASTHA SAHNI – Technical Trainer at Exabeam and founder of CyberPreserve and BBWIC
5. GABE MARZANO – Head of Cybersecurity at Palo Alto Networks and one half of the team behind the Dark Mode podcast
6. POOJA SHIMPI – Business Information Security Officer at Citibank Singapore
7. MONICA ZHU – Cyber Security Incident Responder & Threat Intel Manager at Qantas
8. SARAH GILBERT – Senior Business Analyst - Cyber Security at Transport for NSW
9. SARAH BOX – Cyber Security Project Facilitator and Advisor at The Business Centre
10. PARUL MITTAL – Senior Manager - Tech Risk at Bendigo and Adelaide Bank
11. AICHA BOUICHOU – PhD student at the National School of Applied Sciences, Tangier
12. CRAIG FORD – Cyber Enthusiast, Ethical Hacker, Author of A Hacker I Am vol1 & vol2, Male Champion of Change Special Recognition award winner at 2021 Australian Women in Security Awards
13. VANNESSA MCCAMLEY – Leadership and Performance Consultant, Coach, Facilitator, Author and Keynote Speaker
14. STEVE SCHUPP – Executive Director at CyberCX WA Branch
15. SIMON CARABETTA – Project Coordinator at ES2
16. MELANIE NINOVIC – Senior Consultant at ParaFlare
17. NICOLLE EMBRA – Cyber Safety Expert, The Cyber Safety Tech Mum
18. MICHELLE GATSI – Cyber Security Consultant at EY
19. KAVIKA SINGHAL – Cyber Security Consultant at EY
20. JAY HIRA – Director of Cyber Transformation at EY
21. EMILY GOODMAN – Cyber Security Consultant at EY
22. SHINESA CAMBRIC – Principal Product Manager, Microsoft Intelligent Protections - Emerging Identity at Microsoft
23. RICHARD EDGE – CEO at Careerships
24. MICHELLE RIBEIRO – Cyber and Information Security Content Director, APAC
25. DANIELLE ROSENFELD-LOVELL – Consultant Security Testing and Assurance at CyberCX
26. SHINTA BENILDA – Cyber Systems Administrator at Services Australia
27. HANLIE BOTHA – Cyber Security Leader
28. NICOLE STEPHENSEN – Privacy Maven and Partner at IIS Partners
29. NATALIE PEREZ – SheLeadsTech Coordinator of the ISACA Melbourne Chapter
30. LISA VENTURA – Founder, Cyber Security Unity
31. KAREN STEPHENS – CEO and co-founder of BCyber
32. TRAVIS QUINN – State Director at Trustwave
33. PETER LAKE – Experienced Service Management Leader
34. NIGEL PHAIR – Chair, Australasian Council, CREST International
35. ANGELO FRIGGIERI – Managing Director, Applied Security, at Accenture
36. MEGAN KOUFOS – Program Manager at AWSN
37. VERONIKA LAPUSHNIANU – International Business Communications Trainer, Founder at GroupEtiq
38. QUEEN A AIGBEFO – Research Student at Macquarie University
39. CHRISTIE WILSON – Cyber Resilience Manager at UniSuper
40. SARA MOORE – Cyber Threat Intelligence Analyst
41. MARISE ALPHONSO – Information Security Lead at Infoxchange
42. MEL MIGRIÑO – VP/Group CISO Meralco, Chairman & President, Women in Security Alliance Philippines
43. NANCY BENJUMEA – Lead Data Governance Consultant at Pernix
44. MEGHAN JACQUOT – Security Engineer at Inspectiv
45. ALEX NIXON – Senior Vice President and Head of Kroll's Cyber Risk practice in Australia
46. GINA MIHAJLOVSKA – Cyber Security Manager at EY
47. SWEN LEE – Bachelor of Computer Science Student
48. EMILY HARMON – Bachelor of Science (Cyber Security) Student
49. BETTINA MARQUEZ – Cyber Defense Professional Student
50. OCIA ANWAR – Bachelor of Cyber Security and Behaviour Student
51. RAZIYE TAHIROĞLU – Computer Science Student
52. CAROLINE NG – Bachelor of Information Systems (Honours) Student
53. LISA ROTHFIELD-KIRSCHNER – Author of How We Got Cyber Smart | Amazon Bestseller
54. NATALIE ALLATT – Marketing Manager, APAC at SANS Institute
THE LEARNING HUB

Featuring free security training resources that are aimed at increasing security awareness and helping people build and upskill their security skills.

BUGCROWD UNIVERSITY
Bugcrowd University operates as a free and open-source project to help improve the skills of the industry's security researchers. It includes content modules to help researchers find the most critical and prevalent bugs that impact customers. Each module has slides, videos and labs for researchers to master the art of bug hunting with the aim of creating a new standard for security testing training.

SPRINGBOARD'S FOUNDATIONS OF CYBERSECURITY
Springboard's Foundations of Cybersecurity is a free course offered by Springboard that has more than 38 hours of content and is highly suitable for anyone willing to solidify their cybersecurity basics. The course offers 40 plus resources across 9 core modules and thoroughly explains the most basic aspects of cybersecurity.

FEDERAL VIRTUAL TRAINING ENVIRONMENT
Federal Virtual Training Environment (FedVTE) offers its cybersecurity courses online at no charge for federal government personnel and veterans. Managed by CISA, FedVTE contains more than 800 hours of training on topics including ethical hacking and surveillance, risk management and malware analysis. Course proficiency ranges from beginner to advanced levels.

OPEN SECURITY TRAINING
Open Security Training has an abundance of cybersecurity-related course matter which ranges from basic lessons on Android Security Testing to Advanced x86 Virtualization courses. Overall, they offer a considerable volume of free cybersecurity training resources in the form of open-source material. They also have a team of instructors who constantly update the courses and keep the learners up-to-date with the current and ongoing threats.

PICOCTF
picoCTF is a free computer security education program with original content built on a capture-the-flag framework created by security and privacy experts at Carnegie Mellon University. Gain access to a safe and unique hands-on experience where participants must reverse engineer, break, hack, decrypt, and think creatively and critically to solve the challenges and capture the flags.

ELASTIC
Start your Elastic journey and become an expert faster than ever, for free. Build your enterprise search, observability, security, and Elastic Stack skills with their on-demand training.

HACKER101
Hacker101 is a free class for web security. Whether you're a programmer with an interest in bug bounties or a seasoned security professional, Hacker101 has something to teach you.

HOPPER'S ROPPERS SECURITY TRAINING
Their aim is to create the best site on the internet for aspiring cyber security professionals to learn and grow while mastering the fundamentals of the field, along with growing a community alongside the training material to provide a central location for cyber education.

RANGEFORCE COMMUNITY EDITION
Access free training courses, including red and blue team training, in an on-demand cyber range.

SKILLSOFT
Access a free trial to sample 7,151 courses, 110+ practice labs, and 10+ live online boot camps across 67 subjects.

FROMDEV
FromDev is one of the top-rated hacking learning websites for beginners to learn ethical hacking from scratch.

HACK A DAY
This website delivers tutorials for powerful hacking attacks with the intent of helping students understand the concepts better. It is a community of security researchers and ethical hackers where you will find amazing content to master the art of ethical hacking.
TURN IT UP

THE GET CYBER RESILIENT SHOW
By Daniel McDermott and Garrett O'Hara
It can be challenging to secure your business, especially when you have limited time. The Get Cyber Resilient Show, brought to you by Mimecast, is the perfect way to stay up-to-date with the latest cyber developments across Australia and New Zealand. From cyber security to cyber awareness, the hosts will bring you insights and real stories from IT and Security Leaders.

NEUROSEC
By Nathan Chung
Uniting people and organizations to support and advance neurodiverse people in cybersecurity.

STORIES OF INFOSEC JOURNEYS - INDIAN EDITION
By Shruthi Kamath
This podcast aims to cover stories about people in the Information Security community. The podcast guests will talk about their journey in the infosec industry, their learning and challenges faced and any advice to the newcomers. Currently covering the Indian edition.

ADVENTURES OF ALICE & BOB
By Karl Lankford, James Maude, and Marc Maiffret
Adventures of Alice & Bob is a podcast where hosts talk shop with hackers, thought leaders, and the unsung heroes of the cybersecurity world about the human element of being on the front lines of cyber attacks.

CYBER WORK PODCAST
By Infosec
Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Carbon Black, IBM, CompTIA and others to discuss the latest cybersecurity workforce trends.

BLUEPRINT PODCAST
By SANS Institute
Tune in to hear the latest in cyber defence and security operations from blue team leaders and experts. With a focus on learning, BLUEPRINT includes interviews with today's top security practitioners defending the world's most respected brands, and in-depth explanations of the newest technologies, protocols, and defensive tools.

CAREERS IN CANBERRA CYBER
By Canberra Cyber Hub
Listen to cyber professionals across Canberra to find out why the demand for skilled workers in cyber is booming and how careers in the industry are becoming more diverse. Hear from those excelling in the industry and what advice they have for those interested in pursuing a career in cyber.

MONICA TALKS CYBER
By Monica Verma
A technology podcast and an engaging platform for real stories, discussions and opinions from renowned global experts on All Things Cyber. The podcast series is hosted by Monica Verma, a leading spokesperson for digitalization, cloud computing, innovation and security enabling technology and business.

TALKING CYBER
By NCC Group
This monthly podcast by NCC Group goes into the latest details about everything you may want to know about cyber security. From web apps, networks, cyber education, ransomware and much more!

2 CYBER CHICKS
By Erika McDuffie and Jaclyn (Jax) Scott
2 Cyber Chicks Podcast with Erika McDuffie and Jax Scott is an inclusive cybersecurity podcast designed to educate and break the stereotypes of cybersecurity professionals. We will be discussing the "tough" topics that come along with being a woman in this field while providing life hacks on how to handle burnout, networking, and goal-setting.

JACOBS: IF/WHEN
By Jacobs
The world we'll be faced with tomorrow demands big ideas today. In Jacobs' series of interviews with some of today's leading industry and academic problem solvers, we discuss the Ifs and Whens of disruption: those phenomena with the potential to unsettle the status quo, as well as those now imminent and emerging.

CYBER PEOPLE PODCAST
By Will Wetherall
The Cyber People Podcast focuses on the people that help protect some of the largest companies across Australia and the globe. Join Will Wetherall as he follows their journey and stories in the world of cybersecurity.
OFF THE SHELF

CYBERCRIME IN AUSTRALIA: 20 YEARS OF IN-ACTION
Author // Nigel Phair
Cybercrime in Australia: 20 years of in-action provides an engaging analysis of how Australia's law enforcement and justice system have responded to the exponential rise of cybercrime.
As technology has evolved and the criminal misuse thereof continues to increase, successive governments have attempted to provide more powers to law enforcement agencies and regulate how individuals live in the online environment. But as the mainstream media reporting and statistics tell us, this has been a failure. More and more organisations and individuals are falling prey to cybercrime. Utilising investigative case studies, an array of statistics, and surveys of police, consultants, lawyers and privacy experts, this book analyses two decades' worth of cyber and cyber-related legislation combined with policy and operational responses by law enforcement agencies to combat online crime.
The book is packed with fascinating and unexpected findings. It also offers hope by providing a set of recommendations to be considered both in an Australian and an overseas context.

CYBERSECURITY FOR EVERYONE: DEMYSTIFYING CYBERCRIME
Author // Amanda-Jane Turner
Cybercrime is big business, and as the use of technology increases, so does the opportunity for crime. There is no solely technical solution to stopping cybercrime, which is why it is important for all users of technology, regardless of age, race, education or job, to understand how to keep themselves safer online.
To help all users of technology gain a better understanding of some cybersecurity basics, this quick-read book presents easy-to-understand information, with the added, and possibly dubious, bonus of entertainment in the form of limericks and cartoons. Stay informed and stay safe. (Recommended reader age group is from young adult up to TimeLord aged.)

TRANSFORMATIONAL SECURITY AWARENESS: WHAT NEUROSCIENTISTS, STORYTELLERS, AND MARKETERS CAN TEACH US ABOUT DRIVING SECURE BEHAVIORS
Author // Perry Carpenter
Transformational Security Awareness empowers security leaders with the information and resources they need to assemble and deliver effective world-class security awareness programs that drive secure behaviours and culture change. When all other processes, controls, and technologies fail, humans are your last line of defence. But how can you prepare them? Frustrated with ineffective training paradigms, most security leaders know that there must be a better way. A way that engages users, shapes behaviours, and fosters an organizational culture that encourages and reinforces security-related values. The good news is that there is hope. That's what Transformational Security Awareness is all about. Author Perry Carpenter weaves together insights and best practices from experts in communication, persuasion, psychology, behavioural economics, organizational culture management, employee engagement, and storytelling to create a multidisciplinary masterpiece that transcends traditional security education and sets you on the path to making a lasting impact in your organization.

A DATA-DRIVEN COMPUTER DEFENSE: A WAY TO IMPROVE ANY COMPUTER DEFENSE
Author // Roger A. Grimes
Most organizations are using inefficient computer security defences which allow hackers to break in at will. It's so bad that most companies have to assume that it is already or can easily be breached. It doesn't have to be this way! A data-driven defence will help any entity better focus on the right threats and defences. It will create an environment that will help you recognize emerging threats sooner, communicate those threats faster, and defend far more efficiently. What is taught in this book, better aligning defences to the very threats they are supposed to defend against, will seem common sense after you read it, but for reasons explained in the book, isn't applied by most companies. The lessons learned come from a 30-year computer security veteran who consulted with hundreds of companies, large and small, and figured out what did and didn't work when defending against hackers and malware. Roger A. Grimes is the author of nine previous books and over 1000 national magazine articles on computer security. Reading A Data-Driven Computer Defense will change the way you look at and use computer security from now on. This is the revised 2nd Edition, which contains new, expanded chapters, operational advice, and many more examples you can use to craft your own data-driven defence.

AMERICAN SPIES: MODERN SURVEILLANCE, WHY YOU SHOULD CARE, AND WHAT TO DO ABOUT IT
Author // Jennifer Stisa Granick
US intelligence agencies, the eponymous American spies, are exceedingly aggressive, pushing and sometimes bursting through the technological, legal and political boundaries of lawful surveillance. Written for a general audience by a surveillance law expert, this book educates readers about how the reality of modern surveillance differs from popular understanding. Weaving the history of American surveillance, from J. Edgar Hoover through the tragedy of September 11th to the fusion centres and mosque infiltrators of today, the book shows that mass surveillance and democracy are fundamentally incompatible. Granick shows how surveillance law has fallen behind while surveillance technology has given American spies vast new powers. She skillfully guides the reader through proposals for reining in massive surveillance with the ultimate goal of surveillance reform.

CULT OF THE DEAD COW
Author // Joseph Menn
Cult of the Dead Cow is the tale of the oldest, most respected, and most famous American hacking group of all time. Though until now it has remained mostly anonymous, its members invented the concept of hacktivism, released the top tool for testing password security, and created what was for years the best technique for controlling computers from afar, forcing giant companies to work harder to protect customers. They contributed to the development of Tor, the most important privacy tool on the net, and helped build cyberweapons that advanced US security without injuring anyone. With its origins in the earliest days of the Internet, the cDc is full of oddball characters: activists, artists, and even future politicians. Many of these hackers have become top executives and advisors walking the corridors of power in Washington and Silicon Valley. The most famous is former Texas Congressman and current presidential candidate Beto O'Rourke, whose time in the cDc set him up to found a tech business, launch an alternative publication in El Paso, and make long-shot bets on unconventional campaigns.
SURFING THE NET

CYBER REVOLUTION BLOG
By Cyber Revolution
Cyber Revolution aims to close the widening cyber security skills gap, through education, courses and placement of skilled professionals.

OUTSEER BLOG
By Outseer
Discover insights, perspectives, and learn all about the latest updates on the newest fraud detection and prevention technologies.

TWINGATE BLOG
By Twingate
The blog discusses the latest in security, access control, IT compliance, and product developments.

TERI RADICHEL BLOG
By Teri Radichel
Teri Radichel shares blogs on Medium about Cloud Security Training and Penetration Testing, GSE, GSEC, GCIH, GCIA, GCPM, GCCC, GREM, GPEN, GXPN and AWS.

IMPERVA BLOG
By Imperva
Read Imperva's news, articles, and insights about the latest trends and updates on data security, application security, and application delivery.

INVICTI BLOG
By Invicti
Learn about the latest web application security and vulnerabilities news, and find out how you can make your website more secure with automated web scanning.

HELP NET SECURITY
By Help Net Security
Daily information security news with a focus on enterprise security.

ZONEALARM BLOG
By Check Point
News and information about internet security, online threats and safe web practices.

CYBERHOOT BLOG
By CyberHoot
CyberHoot offers training, phish testing, and policy compliance. Their blog articles cover current, critical cybersecurity topics to help the world become more aware and more secure.

HACKER COMBAT
By Hacker Combat
Hacker Combat provides frequent updates on cyber attacks, hacking, and exclusive events. Explore the latest news and security stories from around the world.
Easy Reliable Resourceful No job is too big or too small. We look after your marketing & content needs so you can get on with what you do best. GET CONNECTED AND TAKE CONTROL OF YOUR BUSINESS SUCCESS TODAY!
charlie@source2create.com.au
aby@source2create.com.au
misty@source2create.com.au