Women In Security Magazine Issue 10

Page 104

WWW.WOMENINSECURITYMAGAZINE.COM 10 SEPTEMBER • OCTOBER 2022

WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 20222

We are helping to create the future we have always wanted, by uniting the world one country at a time. Although we started in Australia we have also recently launched in New Zealand, and who knows where the awards will end up next! Without many organisations in the industry coming together this initiative would never have worked. Each of the organisations we work with offers a different array of industry events, awards, education, mentor programs, leadership programs, workshops, community meetups and more. Because the associations, companies and individuals we partner with all share the same vision, mission and values we have been able to collaborate to make the security industry a better place to work. We are, as the lovely reader pointed out, working together to improve security. And that’s the strength of the industry: security belongs to everyone, so a focus on awareness and education creates a great framework for enhancing and advancing the industry.

However, a conversation with a reader proved me wrong and reminded me we are all working on improving security in our own ways. The very existence of this magazine, and the runaway success of the Women in Security Awards, are two examples of collaboration improving security. This year the industry came together to support the awards, nominating more than 800 inspiring individuals. That was nearly four times the 232 nominated in the first year of the awards, twice the 468 nominated in the second year and a significant increase on the 624 nominations we received in 2021. As that timeless Yazz song says, the only way is up! Each year the awards recognise a cohort of amazing men and women who are creating positive change by setting an example for their peers, their mentees and themselves. “If you can see it, you can be it,” the saying goes. Behind each of those nominations is a story of collaboration; of people working together to make a

W hen I sat down to write the introduction to this month’s issue the theme—Improving Security Together—had me a little stumped. After all, I’m not actively improving the security of anything, so what could I possibly have to say on the matter?

FROM THE PUBLISHER positive impact on society. The awards honour their achievements in their professional lives and their ability to collaborate with others to further the cause of diversity and achievement in cybersecurity. Similarly, our team at Source2Create is regularly collaborating with industry bodies, organisations and supporters to generate interest and build public awareness of the security industry.

We’re all in this together

Abigail Swabey

Abigail Swabey PUBLISHER, and CEO of Source2Create www.linkedin.com/in/abigail-swabey-95145312aby@source2create.com.au

ISSUE 10 WOMEN IN SECURITY MAGAZINE 3

This magazine’s sole purpose is to support our partners’ values and their collective mission: to make the online world safer. It is a platform that highlights the journeys of women today as they become the leaders of tomorrow. It is an assemblage of creative and innovative women and men contributors, award nominees, students and the many other people working for the good of this industry. We collaborate with industry experts and security experts from around the world who have come together to enhance global security by promoting good practice, information sharing and continuous discussion, and by taking action to achieve diversity, inclusion and equality. By doing so we provide a single voice and create lasting networks and alliances for knowledge sharing in Australia, New Zealand and around the world. This manifests in many ways. In this issue you will learn about the way teams, associations, schools and individuals have come together to create positive change in the security industry. You never know how easy it is to break a glass ceiling until you get close enough to touch it. By working together we are giving current and future generations of security workers a leg up so they can not only touch the glass ceiling but break it into thousands of tiny pieces. As we see time and time again, we are all more powerful when we empower each other. And if I know I am playing even a small part in this empowerment I can put aside the concerns I mentioned earlier and focus on finding new ways to empower everyone around me. That’s what working together is all about, and its success so far shows that, together, we truly can change the world.

88 Talking

104 There

teams together 118 PERSPECTIVESINDUSTRY COLUMN Aparna Sundararajan 16 Angela Hall 20 Aastha Sahni 22 Gabe Marzano 24 Pooja Shimpi 26 Monica Zhu 30 Sarah Gilbert 34 Sarah Box 36 Parul Mittal 38 Aicha Bouichou 1044WHAT’S JOURNEY?HER BOARDTALENT REACH OUT NOW 40 JOB BOARD APPLY NOW 74 LEARNINGTHE HUB VISIT HERE 150 STRENGTHNUMBERS:IN ASSOCIATIONSWHYMATTER

How do we attract women into cybersecurity, and retain them?

Relationships: essential for career success voice deserves to be heard

68 Every

108 The

114 Lessons

78

60 Improving

46 Should

Here’s

52

80

Transposing consumer partnerships from the bedside to the client meeting

14 We

54

CONTENTS PERSPECTIVESCAREER2 FROM PUBLISHERTHE

The education question

clash when

Entering the cyber world at a more mature age

Collaboration in cybersecurity is the key to combatting the growing cyber threat. why. camel is a horse designed by committee: achieving genuine collaboration in cybersecurity is no ‘I’ in TEAM… but there needs to be one in your attack surface! evolution of cloud is your map, security is your compass from the a culture bringing

48 Cybersecurity:

Cracking the code of brain-friendly collaboration it’s a hybrid team sport

102

Cyber better together for a better tomorrow privacy for Women’s Day

92 Bayanihan

International

98 A

56

96

72

AWSN Leader Forums 116 Avoiding

64

CREST 112 If

Collaboration is the key to fighting cybercrime are all just bricks you take your teen’s device as punishment? security together

Becoming a mum: a guide for first-time working parents

COOLEST CAREERS IN CYBER 0201 03 04 0605 07 08 1009 11 12 1413 15 16 1817 19 20 THREAT HUNTER RED TEAMER DIGITAL FORENSIC ANALYST PURPLE TEAMER SECURITY OFFICER (CISO) ALL-AROUND DEFENDER & ENGINEER CLOUD SECURITY ANALYST INTRUSION DETECTION/ (SOC) ANALYST SECURITY AWARENESS VULNERABILITY RESEARCHER Organizations are hiring individuals with unique set of skills and capabilities, and seek those who have the abilities and knowledge to fulfill many new job roles in the cybersecurity industry. The coolest careers in cybersecurity are the most in-demand by employers. Which jobs are the coolest and most in-demand? We know; let us show you the hottest cybersecurity jobs for 2022. Cyber Defense Digital Forensics Offensive Operations Cybersecurity Leadership Cloud Security Industrial Control Systems Purple Team FOUNDER & EDITOR Abigail Swabey ADVERTISING Abigail Charlie-MaeSwabeyBakerMistyBland JOURNALISTS David Braue Stuart Corner SUB-EDITOR Stuart Corner DESIGNER Rachel Lee Source2Create Pty Ltd is the publisher of this magazine and its website (www.womeninsecuritymagazine.com). AWSN is the official partner of Women in Security Magazine ©Copyright 2022 Source2Create. All rights reserved. Reproduction in whole or part in any form or medium without express written permission of Source2Create is prohibited. “We don’t talk about Bruno. No, no, no.” 122 Teams coming together 128 Threat intelligence would be nothing without collaboration 130 Improving security based on the past, the present and the future 132 Insights on collective cyber resilience 134 Data governance, another option to protect the data of your customers and employees 136 Understanding a threat landscape takes a team 138 Hidden in plain sight: the evolving threat of BEC 141 Improving security together 144 174 OFF THE SHELF TURN IT UP 176172SURFINGTHENET 62COOLEST CAREERS IN CYBER IF TEAMSYOUR CAN DO DEVOPS, THEY CAN DO DEI TOO STUDENT IN SPOTLIGHTSECURITY Swen Lee 150 Emily Harmon 152 Bettina Marquez 154 Ocia Anwar 156 Raziye Tahiroğlu 158 Caroline Ng 160 124 165 SEPTEMBER • OCTOBER 2022

ASSOCIATIONS&GROUPSSUPPORTING THE WOMEN INMAGAZINESECURITY 07 20 22 WWW.WOMENINSECURITYMAGAZINE.COM 08 WORLD WHO RUNS

OFFICIAL PARTNER SUPPORTING ASSOCIATIONS

BigReliableEasyPicture No job is too big or too small. We look after your marketing & content needs so you can get on with what you do best. GET CONNECTED AND TAKE CONTROL OF YOUR BUSINESS SUCCESS TODAY! charlie@source2create.com.au aby@source2create.com.au misty@source2create.com.au

T h i s s u r v e y a i m s t o g a i n a n a c c u r a t e p i c t u r e o f t h e s e c u r i t y i n d u s t r y w o r k f o r c e i n A u s t r a l i a . T h e g o a l o f t h i s s t u d y i s t o i d e n t i f y p r a c t i c a l w a y s t o e x p a n d a n d d i v e r s i f y t h e i n d u s t r y ’ s t a l e n t p o o l t o b e s t e q u i p i t f o r t h e g r o w i n g c h a l l e n g e s a n d d e m a n d s i t f a c e s . in partnership with Invite you to participate in The Australian Security Industry Workforce Understanding Gender Dimensions Project Survey Come and share your experiences to support shaping the outcomes for our industry

“It was a Herculean task. Europe had its privacy laws in place, the EMEA market was not that regulated, then [we had to tackle] APAC, North America and the Americas group, but it was a fantastic experience and a great learning, and things have streamlined a lot.”

Global relationships are helping ISACA’s DEI advocates present a unified front

STRENGTH IN NUMBERS: WHY ASSOCIATIONSMATTER

“We didn’t have many regulations or rules prior to 2015, so we wanted something that would apply to each of the chapters to apply local laws but adhere to ISACA global standards,” she told Women in Security Magazine.

T he COVID-19 pandemic challenged everybody in different ways but for Geetha Murugesan it was a massive disruption to her efforts to expand the membership structure of ISACA, the global risk and cybersecurity association whose 220 individual chapters have made it the industry’s de facto skills development body and, through its One in Tech foundation, a strong advocate for bringing more women into the industry. Murugesan has long worked to spread the ISACA gospel in countries like Morocco and her native India, where there are eleven chapters, as well as Ivory Coast where ongoing efforts to establish a chapter were put on hold when COVID-19 made international travel all but impossible. That was frustrating for a 15-year veteran who, as past president of ISACA’s Mumbai chapter, was instrumental in the association’s 2015 move to

by David Braue standardise its certification standards and create a global charter that would apply consistent regulations across all global affiliates.

However, now that travel is opening up again, renewed enthusiasm for ISACA has revived efforts to establish the Ivory Coast chapter and, by extension, SheLeadsTech, the banner program for the One in Tech foundation that has become a centre of gravity

10 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

“In India, software was always the area in which women used to work,” she explains, “and one of the areas in which India had a lot of women. But when it came to cyber, the mindset is “do I need to a 24x7 job, because security is something where you have to be available around the clock?’

“That mindset is changing, but women in India take a back seat when it comes to working after their mid 30s because their priorities are driven by family.”

STRENGTH IN NUMBERS

ISACA is far from the only cybersecurity association in the world. Cybercrime Magazine lists nearly 100 such groups, and dozens more dedicated to promoting the cause of women in cyber, but ISACA’s broad reach, deep membership base and global consistency have made it an exemplar of how associations can unite expertise from around the world for a common purpose.

for ISACA’s efforts to promote diversity, equity and inclusion (DEI) across its affiliates.

FEATURE ISSUE 10 WOMEN IN SECURITY MAGAZINE 11

“We realised that, without partners globally, we cannot scale up the little things that we’re doing more locally,” explains Ginger Spitzer, executive director of the One in Tech foundation.

Nonetheless, ongoing advocacy—including ISACA outreach to female university students and the explicit support for DEI by the government’s NASSCOM initiatives—is making a difference and Murugesan is confident representation will increase rapidly in coming years, partly because of the unified voice coming from ISACA’s local chapters.

Promoting the DEI cause in India is still a work in progress, Murugesan admits, not only because of long-held biases that keep representation to just nine or 10 percent of cybersecurity workers, but because the country’s intensely family-focused culture sees representation drop off a cliff once women tech workers reach their mid 30s.

UNITING THE WORLD, ONE CHAPTER AT A TIME For Perez—who came to Melbourne from the Philippines —Melbourne’s renowned multiculturalism has proved to be a significant benefit in shaping the local operation.

“It’s easier for people to have a role model, or to be able to connect in an organisation,” she said, “if they see someone in that organisation who looks like them, who is from their background and is someone they can connect to.”

Despite its relative newness, strong support for the local organisation has seen it embracing relationships with ISACA’s established Sydney chapter, as well as corporate partners like Dream Collective, the Australian Signals Directorate, WORK180 and KPMG, which has reached out with offers of venues, staff, presenters and mentorship Perezopportunities.putsitall down to the networking opportunities that come with involvement in a well-established organisation and particularly the outreach of wellestablished individuals like board member and diversity director Reshma Devi, whose extensive industry contacts helped the Melbourne chapter hit the ground running.

12 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

The toolkit, Spitzer explained, is “to focus on helping women, supporting them and advancing their careers – how you break that glass ceiling and move into more leadership roles.” Built to be globally consistent, it also includes “enough room for the chapters where we send it to, to add their own perspective to it,” she said, highlighting the way the global organisation maintains consistency and individuality at the same time. The support of the global organisation proved to be a huge help for One in Tech’s Melbourne, Australia chapter, which was founded with two SheLeadsTech ambassadors in February 2020, just as the pandemic took hold. It has since expanded to eleven and is one of just six branches pilot-testing the new toolkit.

“By having these partners, not only are we able to do more, but we can do more that is applicable to each region.” Those relationships have proven crucial to facilitating new projects such as a chapter scholarship program and a SheLeadsTech toolkit that includes webinars, presentations and other marketing materials.

“My focus is mainly to bring more women into the tech workforce and supporting women to get into leadership roles or wherever they would like to get to,” explained SheLeadsTech coordinator Natalie Perez. “I would acknowledge that we’re new,” she said, “but having support from other organisations, doing the same programs and same initiatives, has been a strong driver in terms of how we are able to deliver our programs.”

“When it comes to inclusivity and diversity, technology does not know gender, and it does not know your background.”

Success is contagious, it turns out: one recent virtual and in-person event attracted 73 individuals, proving so successful that is now fielding requests for advice about setting up SheLeadsTech branches from as far afield as Auckland, Japan, South Africa, Namibia and the Indeed,USA.the ease of access across regional and country boundaries has been one of the biggest benefits of participating in a global association like ISACA, according to Faith Wawira Nyaga, a data informatics and analytical solutions practitioner with Kenya’s Water Resources Authority who serves as a director of ISACA Kenya. The local chapter was already undertaking advocacy, education, mentorship and other programs through its SheLeadsTech chapter when Nyaga began working with One in Tech in mid 2021, taking on a role as director of the chapter’s Special Programs Committee.

MurugesanGeetha NataliePerezSpitzerGinger FaithNyagaWawira

FEATURE ISSUE 10 WOMEN IN SECURITY MAGAZINE 13

“You need a different set of eyes to be able to holistically deal with the evolving landscape of cyber threats,” Nyaga said, “and one of the things that ISACA has exposed to me is the opportunity to see cybersecurity in a bigger picture, and to see the diverse needs of diverse groups.

“Working with ISACA has been one of the most eye-opening opportunities ever,” Nyaga explained, citing the rich experiences in organising conferences, webinars and other events. “You have different people from diverse backgrounds and ethnicities, from all over the world,” she explained, “and if you hear all these stories from different companies and institutions, you can appreciate the need for continuous inclusivity and looking at diverse Thatbackgrounds.”hasmeant the chapter’s advocacy programs not only focus on gender diversity, but also on engaging with neurodiverse and other traditionally marginalised communities, both in the professional world and at universities where the support of a global association has proved to be an immensely valuable way of providing mentorship and networking opportunities.

Working under the ISACA banner, the group has been able to reach out to other groups, Nyaga explained, in a process that has enabled strong collaboration with community groups, professional associations and government authorities that are also working to promote digital and cyber careers.

• Think before you click or respond to requests for sensitive information.

COLUMN WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 202214

Collaboration is the key to fighting cybercrime

To be effective in the fight against cybercrime and protect ourselves, our families, our friends and our workplaces, communities and nations, we all need to work together. Collaboration is the key to fighting cybercrime. www.demystifycyber.com.au

You do not have to be a tech whiz to be part of the fight against cybercrime, you just need to ensure you are doing what you can to protect your accounts. This means knowing where to go for help, keeping any children under your guardianship aware of basic online safety, and being willing to share with others accurate (non-sensationalised) information on cybercrime you have seen, or have been the victim of. How do these activities contribute to the fight against cybercrime? If you have received a scam message or email and alert your family to it and they then alert people they know, the knowledge on staying alert for this fraud will be spread exponentially via peer groups. If you are a cybersecurity professional, ascertain how your workplace can collaborate with others to support sharing of indicators of compromise. Be active in your community, via social media or in person, in supporting people to be safer online. Here are some things we can all do to harden ourselves against cybercrime.

• If you are a parent or guardian of an underage person, keep them informed on how to stay safe online and keep an open dialogue with them so they feel safe sharing concerns with you.

Cybercrime is big business. Perpetrators range from lone opportunists, hacktivists, cyber stalkers and solo deviants to loosely established decentralised groups, people involved in procuring and selling child material, nation state sponsored disruption and espionage specialists and members of large criminal enterprises.

• Use multifactor authentication where it is provided.

• Share cybersecurity information with others.

interconnectivity

AMANDA-JANE TURNER

• Stay aware of cyber safety messaging and know where to go for help.

Cybercrime is big business, thanks to technical advancement and creating more opportunities for cybercriminals. This regular column will explore various aspects of cybercrime in an easy to understand manner, to help everyone become more cyber safe.

exploitation/abuse

• Turn on automatic software updates where possible.

WHAT’S JOURNEY?HER

Aparna Sundararajan Manager - Technology Transformation Practice

Sundararajan says, for her, “IT meant engineers and codes. Codes meant algorithms and mathematics. I wasn’t interested in the subject, and I wanted to stay far, far away from it.” So, she joined a marketing agency as a brand manager, but not for long. “I enjoyed my work, but it was repetitive, and the agency culture was getting a bit too much. So, I quit my job and thought about my next career move.”

FROM MARKETING TO BUSINESS RESEARCH

16 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

Quite an achievement for someone who eschewed family advice to study IT. After graduating in her native India in 2004 with a degree in economics, Sundararajan vowed she would “never, ever work in IT.” And she confessed just a few years ago to having thought, “I will never track security, it’s boring.”

That move was into business research. “These were well paying jobs with great potential for growth and international exposure. For one of these jobs, they were looking for economics students, so I got the call and after a whole day of grilling interviews, I got selected. This job taught me to conduct research through primary and secondary sources to create a trend analysis of a particular market. So, I created market trends and influencers for the financial services sector, manufacturing, automobile etc.” This role was followed by a move into a global IT market research organisation, but not into an IT analyst role. “The common notion across the team was that, since I did not have an engineering degree, I could never be an IT analyst. However, as my interest grew deeper I kept studying more in areas of cloud computing and enterprise software. Although I thought I understood technology enough to comprehend its business viability I was still working in a backend support role.” Her elevation to an analyst role came as the result of a confrontation with another team member, considered a top performer. “He was a published author. He had written technical reports that had been published on the portal for leading IT clientele. He was the first from the team to accomplish this. On one of my projects, we got into a very stubborn argument, and it turned ugly. The management sided with him.”

A parna Sundararajan recently left a role at Australian IT research and advisory organisation ADAPT as an industry analyst specialising in cybersecurity, data analytics and emerging technologies and is about to take on a consulting role focussing on cybersecurity and digital technologies.

She recommends an IT analyst role to anyone looking for a career understanding the implications of technology for business and wanting to get ahead.

WHAT’S HER JOURNEY?

IN PRAISE OF THE IT ANALYST ROLE

“Being an analyst opens doors into consulting, tech strategy roles, product roles and much more. Someone starting out as an analyst would get a lot of benefit from learning basic data visualisation, analysis, report writing skills, primary and secondary research skills, understanding various business analysis frameworks such as PESTLE, SWOT, BCG matrix etc.

BECOMING AN IT ANALYST

I thought, ‘How can the very thing that is built for my use be beyond my capacity to comprehend?’

GETTING INTO CYBERSECURITY

“A series of disappointing comments about my capabilities made me think ‘Can I really not do this?’

“Curiosity to find problems, patterns and solutions, and analysing quantitative and qualitative data are key attributes for anyone who aspires to become an IT analyst or a consultant. Your job is to identify the root cause of issues and find the most effective solution.

ISSUE 10 WOMEN IN SECURITY MAGAZINE 17

That, says Sundararajan, “was the day I decided I would become an IT analyst, just to prove a point.” She chose the right time, when the interest in data, text analytics, sentiment analytics, AI, etc was growing. “These areas did not require core technical skills. They were new for most people. So, I took the plunge and worked hard to specialise in data and digital technologies that could remodel and reshape industries. Once I became an IT analyst, I got enough support from the US team. They really believed in me and championed me for the position. I became hooked on technology and have not looked back since.”

‘How did they make it so complicated that the layperson can’t understand it?’ That’s what drove me to achieve more.”

‘How can this be so unachievable?’ I went for it just to prove a point. This was especially true for both IT and cybersecurity. When I was told I would not be able to understand it unless I was an engineer.

“Graduating in business studies, economics or statistics will help. Even if you are a student of arts and are highly analytical you could learn about the topic or subject on the job, but you would have to work hard no matter what qualifications you had.”

“Last year I did the digital transformation course from Massachusetts Institute of Technology because I wanted to be up to date in the top areas in tech today: cyber, AI, data, cloud and blockchain. These are the foundations of future businesses and ecosystems.”

Refuting the expectations and opinions of others— family and employers—seems to be a hallmark of Sundararajan’s career journey. Born in India into a conservative upper caste Hindu family she was expected to become a school teacher, “because a teaching job lets a woman work as well as take care of her family,” she says. “If you are a woman, work is considered to be just a hobby, not a serious task.” Not one to listen to family, Sundararajan took an office job, but with little ambition. That changed as a result of negative feedback.

What finally got Sundararajan into cybersecurity was the increased attention being paid to it by clients. “In the past three to five years, all the data and digital technology conversations have converged into a cybersecurity conversation. Every client I spoke to was worried about the security of their digital assets, network and customers. That intrigued me to think about cybersecurity and I thought it would be extremely important to understand the subject.

Like many women Sundararajan has faced gender discrimination and male chauvinism, but for her these were particularly damaging. “I faced grave problems in my personal life including clinical depression and an emotionally challenging marital situation,” she says. “These things were aggravated by a hostile boss who did not understand or support my situation. It was quite interesting. While enduring a bad marriage my career took a downturn, but my ex-husband’s career took off. He got far more support at work for his situation than I.”

18 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

Sundararajan adds, “We need equal representation not just because we need to create equal opportunities for all genders and races. We need it because it is highly effective and proven. If you can build trust between two completely different kinds of people, you have a solid team with diverse thinking and the openness to accept that thinking. As we built the team, Matt taught me how to accept and work with diverse people.” Now gearing up for her next role Sundararajan says she wants to further develop her problem solving skills for the benefit of her clients and “keep working on building my industry reputation as someone who can simplify tech speak without taking away its true meaning or purpose.

On another occasion she says, “I had a very male chauvinistic boss who was highly insecure and threatened by me. He was a key reason for me to quit my job. He created a seriously hostile environment for me.” In contrast, Sundararajan has nothing but praise for her Australian employer, ADAPT CEO Jim Barry, and her immediate superior, Matt Boon.

research-strategist-adaptwww.linkedin.com/in/aparna-sundararajan-senior-

THE POWER OF POSITIVE FEEDBACK

“Jim hired me just from hearing my story of survival and how I had rebuilt my life. He did not care about anything else. After I joined ADAPT he showed immense trust in me, gave me the best opportunities and always told me ‘Aparna, you are absolutely amazing. You should be proud of yourself.’ No one had ever said that to me before in my career, or my life for that matter. I had been told the exact opposite. This was all so new and refreshing it changed my perception of myself and truly made me thrive.

“With Matt, it was like having the best guide and champion I could ever ask for. He was so patient, accepting and nurturing I felt I healed from my past bad experiences just by working with him. Matt and I were a great team and I think this is where I learnt how we need this balance in the technology industry.”

“I think more organisations are on a path to consolidating their cybersecurity efforts to make a strategic impact on business continuity and resilience. We will see more resource allocation and executive focus on cybersecurity strategy and plans rather than just increased funding for cyber initiatives. Also, there will be more reforms at national and industry levels, especially around data protection and cybersecurity baseline requirements.”

* At the time of the interview, Aparna was in between roles. She now works for one of the big four consulting firms

Contact us today to find out how you can become an industry contributor, no matter the level of experience.reachoutnow www.womeninsecuritymagazine.com

Hall adds: “Sometimes the downside is that I can get into too much detail with the team, but the positives far outweigh the negatives!” She says her industry certifications and organisation memberships have

20 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

Three years ago she moved into a chief security, regulatory and risk management leader position with Kyndryl, the world’s largest IT infrastructure services provider, spun out of IBM in 2021. “In a nutshell, I lead a team of approximately 40 IT security professionals to support Kyndryl’s and our clients’ infrastructure/ IT security needs, policy and risk management,” Hall says.

FROM FARMING TO CERTIFIED CYBERSECURITY PROFESSIONAL

“I have now become a Certified Information Security Manager (CISM) and a Certified Data Privacy Solutions Engineer (CDPSE). Having held many roles in the part of the organisation I now lead, I have gained a unique perspective on how to support our clients and my team. That helps me make decisions.”

“Much of my learning has been through on the job training, experience based and short courses, and more recently I was encouraged to undertake further industry training,” she says.

& Trade Regulations Executive at Kyndryl A ngela Hall has worked in the IT industry for 25 years, most of them in IT security and in various roles: identity and access management, security analysis, security advisory and policy program management. She has rolled out a compliance education program, spent 12 months overseas setting up a security team, has held a process leadership role in Asia Pacific and several field management positions. She has also worked in several non-security roles but says “It seems I have a natural affinity to security and have always gravitated back to this domain.”

She grew up in a small farming community “where gender bias was rife and with a father with very ‘old school thinking’.” She was not supported to attend university so instead joined IBM at age 19 in an entry level role and worked her way upwards.

Angela Hall Client Trust, Risk and Compliance (CTRaC)

In conclusion, Hall says, “To anyone reading this not already in IT security, I would highly recommend it. There is such diversity. You can work with the business and/or clients on many levels, helping protect them from threats originating inside and outside their organisations. Eighteen of my 25 years have been IT security, and I still love it as much as on the day I began. I am sure anyone with an interest in security would be the same.

“If I were to give advice to a younger version of myself

WHAT’S HER JOURNEY? given her greater insights into evolving risks, and great networking opportunities.

https://www.linkedin.com/in/angela-hall-787405120/

“If I were to give advice to a younger version of myself I would say: ‘embrace the learning journey, continue to increase your skills, maintain your relevance and never stop networking.’ There is always something new on the horizon to learn. New skills are highly transferable to any role and you will always meet someone with great insights.”

ISSUE 10 WOMEN IN SECURITY MAGAZINE 21

Undertaking training remotely while trying to juggle being a teacher to three youngsters also had its challenges. “As 2020 progressed we soon understood the family unit was the most important, and that not everything could be achieved every single day. After the first lockdown my husband and I decided we were not going to pressure ourselves and our boys if time did not allow for all activities to be completed in a day. This removed a lot of stress and helped us maintain the level of dedication expected in our professional lives, along with a happier homelife.”

COMPETING PRIORITIES

“Competing priorities forced me to become better at time management in order to survive! The years 2020 to 2022 have truly been unparalleled times with the fast rise of COVID cases, remote learning adding pressure to the family unit and requiring teams at work to find new ways of working and having to meet and engage with clients and teams in online meetings.”

NEVER STOP NETWORKING

I would say: ‘embrace the learning journey, continue to increase your skills, maintain your relevance and never stop networking.’ There is always something new on the horizon to learn. New skills are highly transferable to any role and you will always meet someone with great insights.” Hall put off gaining industry certifications until after having children, believing it would be difficult to maintain these certifications while on maternity leave. “Now that I understand the requirements and the processes, I definitely would not have delayed achieving these certifications until after Jugglingmy family.”family and work life has been one of Hall’s main challenges. “Prior to having children I could work unlimited hours to get the job done, but once I had a family my priorities altered, which at times meant I had to place my career on hold for several years,” she says.

“After finally clearing my entrance exams in 2015, I started applying for universities and during one of my counselling sessions in a university, I discovered a degree in information security management, and I found it really intriguing,” she recalls. “The idea of studying forensics, ethical hacking, secure coding and cryptography among other subjects in the program made me very excited.” She decided to study for a cybersecurity master’s degree at the Indira Gandhi Delhi Technical University of Women (IGDTUW), in Delhi, which she says were the best years of her student life.

Aastha Sahni Technical Trainer at Exabeam and founder of CyberPreserve and BBWIC A astha Sahni wears multiple cybersecurity hats, some of which she made herself. Her ‘day job’ is as a technical trainer at Exabeam, a US-based provider of extended detection and response (XDR) and security information event management (SIEM) products. She provides customer training on the Exabeam Security Operations Platform. She is also the founder of CyberPreserve and of BBWIC CyberPreserve is an organisation that helps people wanting to work in cybersecurity and prepares them for the job market. BBWIC—it is anacronym for breaking barriers for women in cybersecurity—has a mission to “promote research, lateral growth within different domains of cybersecurity and women leadership.” It aims to provide an online venue where women in cybersecurity can envision growing as leaders, and where industry leaders can share their ideas and work with their peers across the globe. Sahni grew up and had most of her education in India. She gained a bachelor’s degree in computer science in 2013 and was looking to follow this with a master’s in 2015 when she discovered cybersecurity.

“I practiced my skills via hands-on labs, learned from the best in the industry, became familiar with communities like OWASP Delhi Chapter and took my first certification exam: Certified Ethical Hacker (CEH).” While studying for her master’s Sahni gained work experience at the National e-Governance Division (NeGD) of the Ministry of Electronics and Information Technology, as a security intern on its Unified Mobile Application for New-age Governance (UMANG), a mobile app that provides access to a wide range of government services. Her first post-graduation roles were in identity and access management, first with Tata Consultancy Services, then with Indian IT service management

22 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

DISCOVERING CYBERSECURITY

“Companiesemployment.won’t

And Sahni’s perseverance and initiative have brought her awards and recognition. In 2021 she was presented with its Cyber Educator award by The Women’s Society of Cyberjutsu (WSC), a non profit organisation dedicated to raising awareness of cybersecurity career opportunities and advancement for women. In 2022 BBWIC was named the non-profit Ally of the Year by cybersecurity consultancy Inteligenca, recognising BBWIC as “a non-profit whose mission has made a large impact on building an inclusive society for women in the working world.”

“I feel education and training to be very underrated in cybersecurity, and with the ever-evolving threat landscape and technology around us, training is a very important part of the cybersecurity industry in terms of upskilling. It will continue to grow.”

www.linkedin.com/in/aastha-sahni

AWARDS AND RECOGNITION

“I really enjoy myself as a trainer because I get to share my knowledge and keep up to date with the latest changes in technology and cyber security.” She undertook some voluntary teaching at New York’s Flatiron School and then took on a fulltime role for two years as a lead instructor. “I was assigned to teach SEIM and threat hunting. I was scared at the beginning to teach something I had never taught before,” she says. “I started preparing myself, took certifications (Splunk and AZ 900) and prepared myself for my first class and I have not looked back.” She says her decision to pursue a masters in cybersecurity changed her life for the better, but even armed with this qualification she struggled to find hire a fresher in security roles. I went through several rejections until I got my first job, and even after securing a job in security, the journey to advance my career in different domains of cybersecurity was not easy.

WHAT’S HER JOURNEY? company Nagarro. She moved to the US in 2019 after getting married and took on another IAM role, this time with Identropy, which was acquired by Protiviti in late 2020.

ISSUE 10 WOMEN IN SECURITY MAGAZINE 23

“One really needs to keep learning, practicing and applying for roles. Continuous learning and perseverance are key in cybersecurity.”

A PASSION FOR TEACHING

During these years Sahni was discovering a passion for teaching she had first recognised at school. “When I was in high school, I took C++ as an additional subject and loved computer science. I used to help classmates to understand the concepts and prepare for the exams. I always loved teaching but I did not know then that teaching computer science could be a career,” she says.

“I feel education and training to be very underrated in cybersecurity, and with the ever‑evolving threat landscape and technology around us, training is a very important part of the cybersecurity industry in terms of upskilling. It will continue to grow.”

Sahni has achieved much in her six years in cybersecurity and has her sights set on advancing in cybersecurity education. “I see myself moving towards learning and strategy and eventually into a chief learning officer role in the industry,” she says

FOCUSSED AMBITION With such an impressive list of achievements, it is perhaps not surprising Marzano cites the most important decision in her career journey as being “to be purposeful about who I want to become and what I want to achieve in my life.”

Gabe Marzano

Head of Cybersecurity at Palo Alto Networks and one half of the team behind the Dark Mode podcast G abe Marzano is head of cybersecurity at Palo Alto Networks and one half of the team behind the Dark Mode podcast It’s a role far from her youthful ambition.

24 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

“When I left school I wanted to be a professional soccer player,” she says. However, she did manage to fulfil that goal, playing until recently in Melbourne Victory’s women’s team. Along the journey to her current roles, which are two of many, she managed to fit in a significant stint in the military, where her interest in cybersecurity Marzanooriginated.spent seven years in the Australian Army as a combat engineering officer where, she says, she “became incredibly curious about technology and its impact on humanity, so was inspired to transition into the corporate sector.” She also gained the distinction of being the first female combat diver in the Australian Defence Force. Before joining Palo Alto Networks Marzano was business manager cybersecurity and, later, head of cybersecurity at NextGen Group, an IT value added services company founded in 2011 by Oracle when it asked then group CEO John Walters to set up a new Australian distributor. In this role, she says, she “built a $50m cybersecurity software business,” that “taught me commercialisation and corporate leadership.”

influences on her highly focussed career journey have been “learning from other people and being curious about the future through various mediums and literature.” Marzano confesses to reading an inordinate number of books and consuming lots of content around topics of interest. “As an interpersonal learner I then like to take what I’ve learnt and hear from other people’s perspectives, both in private and public forums,” she says.

It is also hardly surprising she regards individualism as “the most important tenet for success.” Her advice to anyone aspiring to a role like hers is “Figure out what interests you the most and execute well to Theget there.”biggest

“The most important security developments include the use of automation/artificial technologies and the advancement in our thinking and understanding of cybersecurity,” she says. “The biggest issues in the near term include geopolitical cyber conflict tensions in a multidomain theatre. The biggest changes impacting cybersecurity involve the acceleration of any advancing technology and how we better protect ourselves in these environments. From artificial general intelligence (AGI) to hyper automation and the rise of scientific advancements such a brain-computer interfaces (BCI) and bioengineering; these all impact cybersecurity in various ways.”

WHAT’S HER JOURNEY?

www.linkedin.com/in/gabemarzanowww.gabemarzano.com youtube.com/channel/UCJ8kAB5vNq3vmiqJahPmTVw open.spotify.com/show/00E2Xf4RpYUa7bb4x8OhpI

ISSUE 10 WOMEN IN SECURITY MAGAZINE 25

PEOPLE PROBLEMS Despite all these challenges she says “I would also say the BIGGEST [her emphasis] obstacles I face every day are people’s mindsets. … We are in this domain to better protect people and technology and malicious actors are moving fast and exploiting vulnerabilities. In Australia we need to champion an optimistic security conversation and be better at building skills and capabilities to safeguard our communities.” Better we will certainly need to be. Marzano sees multiple cybersecurity challenges emerging.

Despite the success she has achieved, Marzano says “obstacles, challenges and failures” very much epitomise her career journey, adding, “I have experienced plenty of them!” She singles out her combat diving experience in the Army as being “one of the most challenging and rewarding times” of her very full life, and confesses, “Making difficult decisions to keep moving and developing myself typically means saying goodbye to special relationships, teams and businesses, which is all part of the journey.”

LEARNING BY DOING

26 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

From a Master’s in Computer Science to a career in cybersecurity was a serendipitous step for Pooja.

Pooja Shimpi Business Information Security Officer at Citibank Singapore

“We didn’t have access to computers in India when I was in school. The first time I got to touch and feel a computer was in 2001,” she recalls. And a career in IT was not on Pooja’s parents’ roadmap for her. In fact, no career of any kind was.

“Career aspirations were not talked about much. Parents usually wanted their children to study and finish graduation, but being from a small town, and a girl, I was expected to get married and settle down as soon as I had completed my studies rather than focus on a job or think about career aspirations,” she says. “I did my Master’s degree in Computer Science just to escape getting married. I really enjoyed studying about computers, but career aspirations were too farfetched at that time.”

Despite her qualifications, Pooja Shimpi believes passion to be “the single most important trait” for a successful career in cybersecurity. “The ‘business as usual’ world of cybersecurity throws new challenges at you every day and, similarly, the governance of cybersecurity keeps you on your toes. While qualifications can take you to a certain level, nothing beats the real-life industry experience.

“So, I would suggest everyone should be ready to get their hands dirty. If you have a qualification, excellent, but if you don’t, let it not deter you from entering

P ooja Shimpi is Business Information Security Officer with Citi, based in Singapore, responsible for monitoring and implementing compliance with information security policy and controls across APAC. She has come a long way from her childhood in a small town in India.

“When I studied Computer Science in my Bachelor’s and Master’s degrees, cybersecurity was pretty much non-existent as a domain specialisation. Hence, when I got an opportunity to work on a project at ANZ Bank in India that touched upon areas of security, I grabbed it excitedly. And from then, it has been a very interesting and fulfilling journey. Once I completed that project, there was no looking back. I had found my true calling in the field of cybersecurity.”

this exciting space. Even though I hold a Master’s degree in Computer Science, with no specialisation in information security, I picked up the nuances along the way, and so can anyone. It’s a gradual process where you learn in a more practical way. Over the years I got myself certified as Certified Data Steward, Certified Information Systems Security Professional. “For new entrants, I would recommend LinkedIn learnings such as cybersecurity foundation courses and exploring certifications such as ISC2 and Systems Security Certified Practitioner (SSCP), which is a great way to start and display your passion in cybersecurity. It also helps you gain a quick insight into the latest and greatest terminology, understand the job functions and learn about cybersecurity.

She says there are opportunities aplenty for people, especially women, aspiring to careers in cybersecurity. “Women in information security made up only 11 percent of the workforce in 2013. This number has since increased to 25 percent. However, women make up 47 percent of STEM workers overall, so cybersecurity still has a long way to go. “Security is a field that has something for everyone. A wide array of security jobs is available for women to choose from. Even if you don’t have a security background, you can easily self-study, get certified and be market ready.

OVERCOMING HURDLES

ISSUE 10 WOMEN IN SECURITY MAGAZINE 27

OPPORTUNITIES FOR WOMEN

WHAT’S HER JOURNEY?

“Corporates are facing severe shortages and are inviting professionals for interviews even if they have no prior experience. Once in security, you can then branch off to other verticals within the security domain. “And last but not the least, don’t let anyone deter you from joining the security field because it’s too stressful. There could be some bad days as in any other job, but the security industry is full of great people who share the passion for this field and are extremely helpful. “ She says getting into security rather than software development was one of the most important decisions of her career. “I have always enjoyed working and engaging with a lot of people rather than cracking code behind a screen all day. Information security gave me that opportunity and hence, I would not change anything.”

“It’s also important for new entrants to know information security offers many roles that can suit different personality types. A few examples are cybersecurity analyst, penetration tester, security specialist, digital forensics and incident response, governance, risk and compliance, and information security manager.”

However, as well as having to overcome the stereotyped life journey for a young Indian woman, Pooja has had to tackle a few other hurdles in her career. “I have encountered strong biases, both on the personal and professional front,” she says.

“When I decided to choose the information security field, people discouraged me by saying ‘Oh, it’s a very stressful job,’ ‘there’s hardly any women in this field, it’s not suited for you,’ etc. Moreover, when I started my career in 2008, IT was not a very respected role. It was considered more as a support function and a cost centre to the overall business or industry. Things have drastically changed since then.”

Fortunately Pooja has enjoyed some good support from the people in her life. “My first and foremost

“I conceived and ran a program called Global Mentoring for Cyber Security (GMFC), which received an overwhelming response. The program ran for eight weeks in 10 countries and involved 20 mentors who volunteered to help 20 mentees.

“I used to travel extensively. I had interacted with many people across the globe who loved computers but were not sure how to start a career. COVID-19 put a stop to my travels. Hence, during the COVID-19 induced circuit breaker in Singapore, I came up with a mentoring program focused on helping anyone interested in information security or cybersecurity.

www.linkedin.com/in/poojashimpi

“The volunteer mentors, who held leadership positions across the cybersecurity industry globally, connected regularly with their mentees to guide them on how to kickstart or grow their careers in cybersecurity. I consider this as my biggest achievement.”

Pooja says she still wants to “grow into a more rounded cybersecurity professional,” and will be focussing on this goal over the next few years.

HER NEXT GOAL

“The sophistication of cyber-attacks demands that you know the latest and greatest around the world in this field, be it the types of cyber-attacks, development of security products, government regulations for different industries, threat landscape, etc.

“Another important aspect is to gain substantial knowhow on this topic to be able to explain the threat landscape and related solutions to the board, in a simple straightforward way.”

Pooja has achieved much in her career but says her most satisfying achievement was outside any formal role. “After working for almost a decade, during COVID-19 I realised I had done nothing much for the community. There could be many people just like me who want to enter the exciting field of cybersecurity, but do not get the right guidance.

28 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

strength has been my partner, who has supported me in all my decisions,” she says. “Being senior in the IT industry, even though from a completely different area of expertise, his objective guidance on topics and issues has made me a more mature professional. “I have also been lucky enough to get guidance and support from my mentors, some of whom were at work and others I connected with over LinkedIn. I feel blessed to be part of this huge community of like-minded cybersecurity professionals who are more like a close-knit family, always ready to open their arms to anyone who is remotely interested in cybersecurity. Some of the groups I am part of are Cyber Risk Meetup, ISC2 Singapore, Cyber EdBoard, Cyber Leadership Program, and cybersecurity/CISO groups on social media.”

And she adds: “I am a subscriber and regular reader of LinkedIn posts, ISC2 material, ACS, AISA, etc that provide a deep insight into developments in cybersecurity and give a clear view of the current threat landscape. “A knowledge of the happenings around the world in terms of cyber-attacks opens your mind to the wide array of possibilities. This is extremely helpful when I attend conferences or participate as a panelist in cybersecurity discussions. Moreover, it gives me crucial talking points in board and risk meetings at work and helps me suggest improvements.”

COVID-INDUCED MENTORING

THANK YOU TO OUR 2022 NEW ZEALAND WOMEN SECURITYINAWARDS SPONSORS SUPPORTING PARTNER NETWORKING SPONSOR GOLD SPONSOR SILVER SPONSOR SUPPORTING SPONSOR EMERALD SPONSORS MERCHANDISE PARTNERBRONZE SPONSOR

Always follow your heart, your passions and do not let anyone define who you are and tell you what you can or cannot achieve. Always take on challenges, overcome obstacles, intimidations, fears and hold fast. To dream and to dream big. We are all on the journey, and I found this journey to be most satisfying and it’s a life worth living.

RISKY RESEARCH

She was warned against embarking on a research venture into such unexplored territory. “Before I started researching this topic, I was told about its risks and the likelihood of not being able to finish my master’s by the majority of my classmates, lecturers and even my thesis supervisor due to the challenges and complexities it presented. However, Zhu was not to be deterred. “I like to challenge myself, so I picked a hard and exciting road and chose mobile cloud computing forensics. I knew if I was able to complete this, it would be ground breaking research that would serve as a cornerstone for anyone wanting to extend their research later.

30 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

C loud computing today is ubiquitous. According to one recent report 94 percent of enterprises use cloud services, 67 percent of enterprise infrastructure is cloud-based and 92 percent of businesses have a multi-cloud strategy in place or in the works. And of course, security concerns are paramount: much of this data is business critical and highly sensitive. There is a global body, the Cloud Security Alliance “dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.” So rapid has been the rise of cloud it is difficult to realise just how recent all these developments are, but it’s something Monica Zhu knows only too well. She was in the last year of a master’s degree in Forensics Information Technology at Auckland University of Technology (AUT) and needing to complete a substantial research project. “Cloud computing was a new technology back in 2010 and due to privacy concerns most people held negative views with only a few people seeing its potential. My supervisor was a visionary man and he supported me to complete a research paper on cloud computing,” she recalls. “He was a great mentor and a very inspiring gentleman [but] I could only find two papers in the entire portals of reputable academic literacy on the topic at the time, so my entire thesis had to be built on industrial papers.”

Monica Zhu Cyber Security Incident Responder & Threat Intel Manager at Qantas

“I knew this was what I always wanted and something I had been waiting for, so in the end my passion overcame my fear, and I went ahead and applied for the degree. I was able to enrol for the upcoming semester before finishing my bachelor’s degree.

WHAT’S HER JOURNEY?

“Today I am the first point of escalation within the Group Security Operations Centre where I perform analysis and configure various security platforms, create, review, approve and publish customer-facing reports on threat intelligence, operational metrics, and/or service performance, manage high-profile security incidents and investigations across the enterprise and supplier landscape and assess and take action based on intelligence relating to Qantas’ IT landscape.

I was the youngest student and the only female in my class. Upon reflection, this is probably one of the best decisions I have ever made in my life: following my heart and passion.” And she certainly confounded those who had discouraged her. “The Master’s degree was a two-year course; the first year we needed to take eight courses to fulfil the credits. Through these courses, I was able to learn the aspects of cybersecurity and forensics. I ended up graduating with first-class honours and my research helped me land my first cybersecurity job in Sydney as a forensic analyst with Deloitte. Because I did well in all my course work, I proved to myself and anyone who had discouraged me that with diligence and the desire to learn, I had what it took to succeed.” That was the start of Zhu’s journey into cybersecurity, a journey that has taken her to her current position as Incident Response and Threat Intelligence Manager with Qantas.

“I remember sitting my parents down and telling them I would pursue this topic, but that there was a possibility I may fail miserably and not even get my degree.” Her gamble paid off. “Everything fell into place. I was able to find and meet like-minded people in the industry who were willing to help me.” It was not the first time others had tried to divert Zhu from her chosen field of study. She transitioned to her AUT master’s course from a University of Auckland Bachelor of Science Computer and Information Sciences course, where her professor poured cold water on her plans to enrol in a master’s course. “I thought he would be very excited and would encourage me. He thought I was too young, and that a master’s degree was designed for people who already had years of experience in the security industry. So, he discouraged me from enrolling. I felt shaken and heartbroken, but although I was discouraged and intimidated, I did not let it hold me back.

ISSUE 10 WOMEN IN SECURITY MAGAZINE 31

HER BEST DECISION

“People who spoke words of discouragement and said I did not have what it takes, for me, created moments to grow resilience, to be rooted in self worth, overcome obstacles and achieve breakthroughs.”

“I would really like to thank Qantas and my manager for offering me the role. They believed in me and gave me the opportunity to learn and grow, even when I had no prior background in incident response. Since then I have led a team to resolve cyber issues, designed and implemented security protection during incidents to contain the situation and help the business to remediate the root cause so it operates seamlessly and delivers for our customers.

While studying for her bachelor’s Zhu was selected to gain real-world work experience in an industry placement program, developing commercial software, but realised software development was not for her. With, she says, her “dream of catching cybercriminals still burning fiercely within me,” she found the master’s degree in Forensics Information Technology.

POSITIVE EFFECTS OF NEGATIVE FEEDBACK

www.linkedin.com/in/monica-zhu-a320432a

TALENTED TEAM MEMBERS WANTED

32 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

She has also recently taken responsibility for the cyber testing function within Qantas, shaping and managing all penetration testing engagements, ensuring secure code development across the group and looking for staff. “I’d like to hire passionate and like-minded individuals and build a talented team to help achieve the best business outcomes and improve the application security posture for Qantas.” Zhu developed her interest in cybersecurity following an early encounter with its dark side. “I was very fortunate to be able to find my passion at an early age and make a career of it,” she says. “When I was 14 years old, my first laptop was infected by malware. I was so devastated that I swore I was going to catch all the cyber criminals. “Today, even though I am not physically catching cyber criminals, I am still helping the business to resist cyber-attacks by quickly identifying an attack, minimising its effects, containing damage, and remediating the cause to reduce the risk of future incidents.” That teenage passion led Zhu to her bachelor’s degree course in computer science at the University of Auckland. “At that time, there were only a limited number of security courses to pick from, so I did them all. However, it did not take long for me to realise that university is not the place where they teach you how to hack. (Things are very different now).”

She recommends such a degree as a foundation for anyone contemplating a career in cybersecurity because it provides training in the fundamentals of computer systems and programming languages, and more. “It teaches you about problem solving, teamwork and critical thinking skills. With a good foundation, it’s a lot easier to branch into specialised areas such as digital forensics, incident response, penetration testing and application security.”

“My role is very broad, and no two days are the same. One day I’ll be responding to a potential incident, the next I will be leading a forensic investigation across different business functions, performing a threat hunting exercise or reversing malware to derive threat intelligence. This role has a very high demand on my technical knowledge, interpersonal skills, co-ordination skills and the ability to communicate effectively to a broad audience ranging from developers to senior management.”

She says she could never have got to where she is without the “help, mentorship, protection, and encouragement of many influential people throughout my career Paradoxically,journey.”inalist

that embraces managers past and present, colleagues, mentors and parents, she includes the naysayers, “People who speak words of discouragement and say that you do not have what it takes.” For Zhu these were “moments to grow resilience and be rooted in self-worth, and opportunities to overcome obstacles and achieve breakthroughs.”

THANK YOU TO OUR AUSTRALIAN2022 WOMEN SECURITYINAWARDS SPONSORS PARTNEREVENT HEADLINERPLATINUMSPONSOR NETWORKINGAFTERPARTYSPONSOR SILVER SPONSOR BRONZE SPONSORS EMERALD SPONSORS MERCHANDISE PARTNERSSUPPORTING SPONSORS

34 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

CAREER DEFINING COLLEAGUES

“It’s because of those individuals I managed to get my foot into the cyber door. They have been there to listen to me when I have problems or challenges and have given me advice throughout my career in cyber. Without them I would not be the person I am today with the role I have.”

Gilbert gained a bachelor’s degree in Business Information Technology from Staffordshire University in the UK in 2005 and followed this with a Master’s in Business and ICT in 2011 from the same university. Her first role after gaining her bachelor’s was in the IT department of a soft drinks manufacturer.

Sarah Gilbert Senior Business Analyst - Cyber Security at Transport for NSW T here’s nothing like having a great mentor to help guide and support your career journey, as that of Sarah Gilbert, Senior Business Analyst - Cyber Security at Transport for NSW, demonstrates very well. She cites self-belief as the biggest challenge she has faced throughout her career, a belief reinforced by her inability to make progress in the early stages. “Belief in myself, that I know what I’m talking about and I can do a good job is something I have struggled with across all my roles,” she says. “I never believed I was good enough to be a senior/lead business analyst. Any promotions I applied for; I was always knocked back.”

“I started off as an enterprise architect, moving to a project management office role and then eventually landing a business analyst position,” she says. “Cyber was not a thing back then, so it wasn’t really on my radar. It wasn’t until I moved to Australia and started working for another manufacturing company that I was introduced to cyber and discovered what

Moving to Australia from the UK in 2017 was a watershed moment. “It gave me the opportunity to not be ‘pinned’ in certain roles, and I took the opportunity to apply for more senior roles.” Her first role in Australia was as a senior business analyst with Lion, a beverage company. In that role she met colleagues and friends who helped change her career journey. “There are two individuals who have had the most influence in my career. They helped me move into the world of cybersecurity,” she says. “They gave me my first cyber opportunity and supported and believed in me when I did not feel I was good enough to do the job.

WHAT’S HER JOURNEY?

CONTINUOUS CYBER LEARNING

“I have had to learn about the principles of cybersecurity and the different elements that need to be considered when approaching a problem. It’s been a very interesting journey and I’m still learning every day. “I have learnt that cyber is an ever-evolving world. Like technology it’s getting more sophisticated at an alarming pace. I remember one conference I attended where the keynote speaker said, ‘If you have a job in cyber, you have a job for life because we’re never going to fix it.’ This still resonates with me today. “They were right. The attackers are becoming more and more sophisticated, and it’s not just industries that need to be wary, but also people in their everyday lives. We are seeing more and more articles in the news where people have succumbed to scams. We think it will never happen to us but if you are not diligent and careful, it just very well might. More security controls such as multifactor authentication and one time PINs are becoming part of everyday life, but we as a society still need to be very vigilant.”

Don’t feel you have to stay in one role. Look for training opportunities, find people to speak with, follow security influencers on platforms such as LinkedIn, sign up to webinars. There is so much information out there to help you learn about the area you are interested in and where you might like to go.”

“I think more women in general would be great to see in the security industry and I don’t think they should be limited to specific roles. I have worked with many women who are amazing at their jobs, whether they be business-focussed or of a more technical nature. There is no stereotype any longer.

And, like every woman who has shared her career journey in these pages, Gilbert wants to see more women in cyber, and across the board in IT.

an interesting world it was.” At the time, she had no formal cybersecurity qualifications.

“When I started working in IT it was a very male dominated area. It wasn’t unusual to hold a workshop where 90 percent of the participants were men. Since starting in cyber I have seen an exponential increase in the number of women involved, which is great. I have also seen an increase in the number of women in more technical roles which are usually taken by men. This is also great. Security is not a man’s world. There is no reason why women cannot start a career in cyber – no matter what age they are or what their previous experience is. If it is something you’re interested in, give it a go.”

www.linkedin.com/in/sarah-gilbert-a1985596

ISSUE 10 WOMEN IN SECURITY MAGAZINE 35

Given her confession about a lack of self-belief it is no surprise that Gilbert’s advice to anyone aspiring to a role similar to hers is: “Have faith in yourself. If it’s something you are interested then there is no reason why you can’t or shouldn’t pursue that career.” And she says, a lack of cybersecurity qualifications should not be a barrier. “There is the old debate about experience versus qualification: what do you need to be successful? I think it is a balance. When I started in cyber, I had my degree and my masters, which showed commitment to learning and evolving as an individual. I had experience as a business analyst across a broad range of areas but no formal cyber qualifications. “For anyone starting out, I think you have to be willing to learn, to be open to new ideas and new challenges, and if you’re not sure, google it’. Talk to others in similar roles to understand their journey and to see if there is anything you can take from their experience and apply it to your situation.

“Learn about the industry, learn about what options there are and what you think you would like to do.

HAVE FAITH IN YOURSELF

36 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

Cybersecurity aside, Box is well-qualified for such an educational role. She holds a double bachelor’s degree in Teaching and Design and Technology and before getting into cybersecurity spent almost seven years as a schoolteacher in Lake Macquarie, NSW.

Sarah Box Cyber Security Project Facilitator and Advisor at The Business Centre, Newcastle

This came after a brief flirtation with hairdressing and a passing inclination to be a photographer. “I had no idea what I aspired to become,” Box says. “There was a fleeting moment of being a hairdresser. I was offered an apprenticeship at 14 years of age, but I didn’t want to sweep the hair. I enjoyed photography and gave that a go for a while as a teen.”

CYBERSECURITY FOR SMES

She left home and had a child at 18, life-changing events that, she says, shaped her every decision. “My child came first and I had to ensure we were both housed and fed. I never wanted to rely on any handouts, or people. So I have worked hard to be where I am today, with zero regrets.” Today she works for The Business Centre, a not for profit that provides business advice and skills training for small businesses across NSW as part of the NSW Government’s Business Connect program.

S arah Box got her first job at age 16, in a Baker’s Delight store because “I wanted to leave school but could not afford to. So I had to prove I was financially secure, buy a car and not sit around bludging.”

Box facilitates a cybersecurity program for small to medium businesses in regional NSW, upskilling SMEs in the cyber gaps that may exist in their businesses.

“It starts with a meeting to find potential gaps, then suggesting actions to improve their cybersecurity to protect their reputation and brand,” she says.

“I was asked to join a role within the cyber industry whilst teaching and I declined on several occasions,” she says. Then, “I was worn down and I thought, ok, I have nothing to lose so I will give it 12 months. Fast forward to almost four years later and I am still in the industry.” However, she adds: “I loved teaching and miss the students immensely. … I would eventually like to run my own cyber consultancy firm, but overall, so long as I am happy, engaged and enjoying what is thrown my way, I am winning.”

WHAT’S HER JOURNEY?

www.linkedin.com/in/sarah-b-25670667

“This might be an uncomfortable thing to read for some but it needs to be called out, because in this industry that is still growing at a rapid pace we cannot afford to reward this behaviour. It’s a challenge I’ve faced and have had to deal with firsthand on numerous occasions where my kindness has been taken advantage of and seen as my weakness. Despite this, I see it as what helps me be an effective collaborator.” However, Box says: “Always treat people how you want to be treated. This is my number one belief. No exceptions. I am no better or worse than the person next to me. I will always say hello to the cleaner or waiter, colleague or the CEO/director of a large company. I will never treat anyone any different – it makes zero sense to me.”

ISSUE 10 WOMEN IN SECURITY MAGAZINE 37

A VERY SPECIAL MENTOR And Mina Zaki, Associate Director - Cyber Security Alliances at KPMG Australia, Box’s “number one advocate in this industry” is the unofficial mentor Box says she can always lean on for advice.

“She always pushes my boundaries and sets challenges supporting my growth both professionally and personally. She is such an inspiration, putting herself out there and achieving goals. This beautiful person I have watched have time and genuine support for others around her. The time she has to uplift others is truly inspiring. Her dedication to her career and family truly blows my mind. I really do not know when she sleeps.” In addition to the support and guidance from these people, Box says she was fortunate to have grown up with very strong independent women. “Their work ethic has been embedded into my upbringing. As a child I always had chores because my parents were always working. I remember helping my mum with her studies when she wanted to become a nurse. I used to help her prepare for her exams, read her the questions and I learnt a great deal from this. I can decipher some medical information to this day.” Despite all the support she has received, Box says her biggest challenge has been the lack of ‘mateship’ in the cybersecurity industry. “There are pockets of people in our industry, as in others, who are not team players and looking out only for themselves,” she says.

UNCOMFORTABLE READING

“I then became bored and needed more. So I enrolled in a bridging course to gain entry into university. I failed my first attempt, so I tried again and passed, which allowed me to enrol.”

Prior to become a teacher Box had a variety of jobs in retail. She worked at Muffin Break, for Kodak as a photographic printer and at JB HiFi for several years.

COLLEAGUE POWER Box attributes some of her significant career transitions—from retail to study and from teaching to cybersecurity—to colleagues. “Sharon (Shazza) from my days at JB HiFi was super supportive. She knew I was bored and needed to study to become a teacher. Almost 20 years later we still catch up. “Janine, my head teacher for almost eight years was my mentor who influenced and supported me in my personal and career life. She knew I was lacking challenge in my career and supported my career change into cyber. In fact she pushed me, which I am forever grateful for. I can still turn to her for support and non-judgemental advice.” Todd, Box’s first cyber boss, helped her make the transition from teaching into the corporate world. “He taught me how to actively listen, because teaching is so fast paced and the communication method is very different. I learnt how to be comfortable in the uncomfortable surroundings of board meetings, conferences and events, and hosting round tables for various industry and government bodies. … He also regularly sent me new courses to engage with.”

“I realised how alone one is without family, friends and a job, she says. “But I learnt that if you’re authentic, people will value you and will want to build relationships with you.” Mittal used her time waiting for permanent residency productively: she studied for and passed the CISSP exam and worked to develop her network. “I attended IT security conferences and forums to get to know more people around me. It was an interesting time where I had to build my network from scratch, and it was not However,easy.”shehas

Mittal’s role at the Bendigo and Adelaide Bank is “to drive governance, oversight and continuous improvement of the technology risk management practices of the business and first line risk teams,” she says.

38 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

“With my initiative in SheLeadsTech, I target to bring that change with more participation in events like GoGirlGoIT, or a session on how STEM can pave a way forward for young girls, especially in the field of science and technology.

A BIG ROLE IN BANKING

succeeded in spades. She gained her first IT job, as a senior risk consultant in financial services with EY, within a year of arriving. Today she is Senior Manager – Tech Risk with the Bendigo and Adelaide Bank and a SheLeadsTech brand ambassador, working to increase the representation of women in technology leadership roles and the tech workforce through mentorship, professional development and leadership training.

P arul Mittal landed in Melbourne from her native India in 2014 with her husband, and not much else: no relatives, no friends, no job and, without permanent residency, no immediate hope of getting one.

Parul Mittal Senior Manager - Tech Risk at Bendigo and Adelaide Bank

“I want to bring a change in the mindset of people that IT security is not just a man’s place,” she says.

“Women’s perspective is missing. We need to make women more aware of what cybersecurity is and what a career in it could mean to them. This awareness should start from the schools and not when women start looking for jobs, then it could be quite late.”

www.linkedin.com/in/parul-mittal-cisa-cissp-88718154

Her first job after completing her MBA was with ICICI Prudential Life Insurance, also in Mumbai, as a project manager providing advice on internal control process compliance. It was there that she encountered the Sarbanes-Oxley Act (SOX), and her first mentor. “He built my foundation on work ethics, which I still value to this day, and I am still in touch with him,” she says. This role also determined her future career path. “I would say my first job paved the path forward for me and since then, I have worked across all lines of defence. I got introduced to the world of SOX, audit etc. It was a different facet of IT, which I had not encountered before. It was a great learning experience in terms of what risk and controls are and why these need to be assessed and why they are critical to be analysed.”

ISSUE 10 WOMEN IN SECURITY MAGAZINE 39

“This includes supporting the oversight and continuous improvement for the frameworks, policies, procedures and tools; providing challenge, influence and oversight of technology risks, controls, and processes; providing independent monitoring and reporting over the technology risk profile of the bank; providing technical support and advice on technology risk; and working effectively with stakeholders to ensure technology risks are monitored and escalated as per the risk management framework.” While Mittal might have arrived in Australia without a network, she came well-equipped with qualifications and experience: an MSc in computer science, an MBA in information technology and experience as a senior consultant with Genpact Axis Risk Consulting, based in Mumbai. In that role, she travelled the world, providing services to some of the world’s largest companies. “Travelling and working across the world made me more confident and a strong communicator,” she says. “It removed biases I had about different people and cultures and made me more of a people person.”

WHAT’S HER JOURNEY?

“Today, I’m in a leadership role with a big bank and with senior executives relying on my acumen to make wise decisions for the bank based on overarching strategies.”

She embarked on her IT career because it seemed like a good idea at the time. “During the early 2000s a couple of us decided to pursue a degree in computer science without much background, because IT and computers were quite the buzzwords then. Everyone who got into it seemed to have a bright future. So our parents happily agreed.” Her transition from studying IT to employment in IT was rapid and led her into cybersecurity. “I was recruited on the university campus. My aspirations at that point were to become successful in my job. I had no specific expectations. I did not choose the field of risk and security when I started my first job. My boss did that for me, and I cannot thank him enough. I was just happy to have landed a job in a good organisation while I was still on campus, studying.

A CAREER IN CONSULTING Mittal says, since that initial role, the majority of her work experience has been in consulting. “I can say that this has transformed me. It made me more conscious of the impact I was making on organisations and how I was enabling them to achieve their strategies. Whether this was restricted to the delivery of client’s work or the decisions I took on behalf of the organisations, this enabled me to be self-aware and more focussed on what I wanted to achieve with my career.

AN IMPORTANT FIRST MENTOR

This experience now translates into very valuable soft skills – critical thinking, working under high pressure, decision-making capabilities, empathy.

WHAT'S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED?

In my past work experience prior cyber consultancy,securityIhave been exposed to Business Continuity Plans in Maritime sector – where I have been actively involved and managed security incidents, disaster management such as floods, fire, life loss, Incident and Evacuation Exercises, large evacuations via shore or water.

Cyber Security Governance, Risk and Compliance (GRC) or operational roles that will enable acquired skills from previous roles, I am ready to learn new things.

Team oriented environment, where professional development and continuous learning is encouraged and supported. I acknowledge after my first 14 months of cyber security experience, there is so much more to learn, I have the drive, determination and curiosity to step into new cyber topics and I am acquainted with hard work.

ISMS implementation projects and gained exposure to ISO 27001 and 31000, supporting government organisations, critical infrastructure such as mining, health care, education and private business to achieve cyber resilience and protect their most valuable assets. I have gained experience in developing and reviewing organisational security standards, policies and procedures, regular audit procedures, practices, processes and systems. ISF, CSF, IS18 and NIST frameworks always crossed paths in each project when supporting government organisations, critical infrastructure such as mining, health care, education and private business to achieve cyber resilience and protect their most valuable assets by creating Standards, Policies, Procedures and Guidelines for security controls operationalisation.

WHAT'S YOUR EXPERTISE?

PREFERRED STATE Queensland WHAT KIND OF ROLE?

DM ON LINKED IN WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 202240

I am looking forward to what the future will bring, embracing new technologies, new certifications and new knowledge to add value to an organisation where passion, integrity, professional development and team work are supported and encouraged.

WHAT POSITIONS ARE YOU LOOKING FOR?

Facilitation of workshops, seminars, working groups, public speaking are situations where I feel extremely comfortable as well.

I bring real world experience from the various industries where I have worked previously, especially from the maritime industry, where I have learned problem solving, resilience and flexibility, working well under high stress and having the clarity of making decisions under high pressure circumstances.

Flexible, resilient, agile learner and curious professional with strong work ethos, excellent problem-solving ability; solid experience in governance, risk and compliance, incident management and response in various industries, +15 years in operations management, process improvement and premium service delivery.

Cyber Security Consultant, Information Security Analyst (Operational)

TALENT BOARD Gabriela Guiu-Sorsa

Contract, Part-time and Full-time PREFERRED STATE I love Perth however for the right position I will willingly relocate. WHAT KIND OF ROLE? Information security analyst, Risk management professional, SOC analyst (I have developed an interest in this area and I'm slowly upskilling). I am looking for a role that provides some guidance that coupled with my passion and determination will help me grow as a professional.

WHAT KIND OF ROLE? Information security analyst/ Cyber Security Analyst, Security awareness training Specialist. Cyber Security Consultant. WHAT'S YOUR EXPERTISE? Dynamic, resourceful, and engaging technical professional with solid knowledge of Programming languages/Platforms including Java, Android, Python, Unity, C#, and C /C++, Data Visualisation, and Business Analysis. I have more than twenty years of leadership experience in process improvements, product lifecycle management, and building programstraining/educationfromtheground

WHAT'S YOUR EXPERTISE? Cyber security, learning,Problem-solving,Analytics,MachineProjectmanagement, Customer service

WHAT POSITIONS ARE YOU LOOKING FOR?

An environment where you feel motivated to grow and improve. A place where everyone is welcome. A place where your superiors not only delegate, but also lead.

Grace Imani

Full time/ Contract PREFERRED STATE NSW (Sydney, or remote/ flexible)

I have worked in various environments, from casual and laid-back to fast-paced agile. I believe in a collaborative environment, where the team members have a strong sense of camaraderie and a good work ethic, an environment that helps transfer knowledge into skills for individual and organisational growth.

IN EACH ISSUE WE WILL PROFILE PEOPLE LOOKING FOR A NEW ROLE AND PROVIDE DETAILS OF THEIR EXPERTISE. IF ANY MEET YOUR REQUIREMENTS, YOU CAN CONTACT THEM VIA LINKEDIN.

up based on specific needs. I have designed and delivered Cyber Security awareness courses at Australia's university and RTO levels.

WHAT'S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED?

DM ON LINKED IN DM ON LINKED IN Kaur

Manavjeet

ISSUE 10 WOMEN IN SECURITY MAGAZINE 41

WHAT'S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED?

WHAT POSITIONS ARE YOU LOOKING FOR?

PREFERRED STATE New South Wales

WHAT POSITIONS ARE YOU LOOKING FOR?

WHAT'S YOUR EXPERTISE?

Full-time, Part-time or 1-2 days training / volunteer work a week. PREFERRED STATE Queensland WHAT KIND OF ROLE? Open to anything, ideally cloud/cloud security.

WHAT KIND OF ROLE? I am interested in roles that are more on the investigative side of Cyber Security, for example, roles looking at attacks that happened or trying to analyse/ predict future attack methods. However open to most roles in the cybersecurity world.

I have worked in the IT industry for 3 years now (despite only being 22). This includes time spent working in Level 2 support at a bank in Australia and working as a web designer/SQL developer for a small IT firm. However, I am more interested in Cyber Security and I graduated with a Bachelor of IT majoring in Cyber Security. I am in the process of studying Comptia's Security Plus.

TALENT BOARD REACH OUT ON EMAIL Saber Attar Motlagh

WHAT POSITIONS ARE YOU LOOKING FOR? Cyber Security Forensics, Information Security Analyst/Cyber Security Analyst

WHAT'S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED? An ideal work environment would be one that is expecting and pushes me to be my best, but also relaxed and not super rigid in structure. Room for growth is very important to me and hybrid work (home/office) is preferred but not essential. No specific benefits are required.

WHAT’S YOUR IDEAL WORKPLACE ENVIRONMENT OR BENEFITS REQUIRED?

Liam Harmon

WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 202242

My ideal work environment is where people are doing their best, passionate to improve and willing to help each other showing a good team spirit. Training and support from colleagues and employer, as well as some flexibility in the work structure.

DM ON LINKED IN

WHAT’S YOUR EXPERTISE? Many years experience in customer service and print production/management. All my time in the print industry has refined my eye for detail and quality and has grown my interpersonal and relationship building skills.

Preferably mid-level. Full-time PREFERRED STATE Victoria WHAT KIND OF ROLE? Any cybersecurity position, if relevant training is offered.

I possess a high level of stakeholder management and analytical skills WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED? Flexible working environment and option to Work From Home.

IN EACH ISSUE WE WILL PROFILE PEOPLE LOOKING FOR A NEW ROLE AND PROVIDE DETAILS OF THEIR EXPERTISE. IF ANY MEET YOUR REQUIREMENTS, YOU CAN CONTACT THEM VIA LINKEDIN.

WHAT’S YOUR EXPERTISE?

IT Governance and Risk compliance. WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED? An environment where I can work well as part of a team and express my innovative skills ON LINKED IN DM ON LINKED IN Al Mamun Mahbub

I’m looking for an entry-level role

DM

Full-time,

WHAT POSITIONS ARE YOU LOOKING FOR?

Arthur Mapisa

ISSUE 10 WOMEN IN SECURITY MAGAZINE 43

WHAT’S YOUR EXPERTISE? Entry-level penetrationWebmanagement,VulnerabilityMedium-levelsecurity,Entry-leveltesting,Entry-level

WHAT

Cybersecurity

13+

WHAT POSITIONS ARE YOU LOOKING FOR? part-time or casual

PREFERRED STATE NSW ACT SA TAS VIC WHAT KIND OF ROLE? Consultant, Security Assurance Analyst, Penetration Tester, Cybersecurity Analyst, Cybersecurity architect or similar.

WHAT'S YOUR EXPERTISE? in IT, new to security WHAT'S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED? Hybrid work environment DM ON LINKED IN Priya Kaul POSITIONS ARE YOU LOOKING FOR?

PREFERRED STATE: Victoria WHAT KIND OF ROLE? Blue team roles

icha Bouichou is a PhD student researching blockchain technology at the National School of Applied Sciences in Tangier where she also teaches engineers and masters students in information security and software development.

on her PhD Bouichou completed a bachelor’s degree in software engineering and a master’s in cybersecurity and cybercrime in her current school when she chose to focus on cryptocurrencies and smart contracts.

A

Her first job was an internship with a cybersecurity startup in Rabat. This was followed by a consultancy in Casablanca. “I learnt about penetration testing tools, how to perform attacks and how to provide solutions to protect the whole information system,” she says. Her interest in cybersecurity dates from her schooldays. “I was learning about security breaches with my younger brother. At that time cybersecurity was not popular and nobody saw the importance of securing their data on the Internet. When I got the option to make it my daily work, I didn’t think twice.”

DREAMING OF A PHD

44 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

If that were not enough to keep her busy, she is also the founder and CEO of IT startup Gurzil Technologies, the creation of which she describes as “one of the most satisfying achievements of my career.” Gurzil is the name of an 11th-century north African deity, known as a protector, guide, and dispeller of darkness. Bouichou says she and her co-founders started the company, “because we believe we have enough talent in my country to create solutions for our

Priorclients.”toembarking

When Bouichou left school she decided to pursue her interest in cybersecurity through a career in academia. “Going for a PhD was crucial. It was a dream come true for me and my family. If I could go back, I would do the same, but with more focus,” she says. “Another important decision was to start my company where I can connect with talented people, exchange ideas and learn more.”

Aicha Bouichou PhD student at the National School of Tangier

Applied Sciences,

For any woman interested in pursuing an academic career in cybersecurity, Bouichou advises “Stay up to date with the latest discoveries in the field, connect with professionals and experts, and never hesitate to ask for help. Recognise your weaknesses and work on them. Work on your analysis skills and develop a good package of soft skills. Don’t limit yourself in a specific area, and trust your intuition.”

BLOCKCHAIN WILL BE BIG

WHAT’S HER JOURNEY?

Along the way, she had to overcome toxic work environments where women were not valued. “Women are seen as people who should take care of the household, not as people with expertise in technology and even less, expertise in security,” she says. “I learnt the hard way how to manage the toxic environment, stay focussed on my goals and achieve a balance between pursuing a career and my emotional and physical health.” She adds: “It is important to keep in mind that every situation will come to an end and that what matters is maintaining emotional and physical health. I have learnt to never give up, even when it feels like everything is going down, and that it’s ok to give things time and start over again.”

ISSUE 10 WOMEN IN SECURITY MAGAZINE 45

www.linkedin.com/in/aicha-bouichouaicha95bouichou@gmail.com

Given her background, it is no surprise that Bouichou sees blockchain technology as having a significant role in cybersecurity in coming years, but one that is threatened by the ability of quantum computing to make today’s encryption techniques insecure. “The emergence of new technologies such as blockchain, quantum computers and developments in AI are very relevant to security,” Bouichou says. “Quantum cryptography is getting attention from many academicians and companies such as IBM. Developing a robust encryption algorithm that can withstand the power of quantum computer is one of the interesting topics that should find an answer in the near future.”

www.facebook.com/AHackerIam/www.linkedin.com/in/craig-ford-cybersecuritywww.amazon.com/Craig-Ford/e/B07XNMMV8Rtwitter.com/CraigFord_Cyber

I have worked in the IT industry for a while, first in general ICT and then in security. I have written more articles than I can remember, a few books—and I have more to come—and I have been part of quite a few panels, webinars and podcasts. You can probably guess I like to share my knowledge and thoughts with my peers. I want to be an active contributor and make a real difference in helping keep people safe from cyber risks. I like to think of our industry as a house in which each of us is one of the bricks that help hold our house together. Each individual brick is of little significance. It could be a nice brick, it could be a really smart brick and it might even go out of its way to help people, but that one brick cannot hold up the house or protect what is inside the house without support from the other bricks: some holding others up, some at the top of the wall holding up the roof, some holding the doors and windows, keeping them strong and secure. In security, each brick—each individual—has a job to do. Together we stand strong, even if a couple of us are slacking and do not want to work well with the others. Security would be much easier if we were all working towards the same goal, but that may never happen. I know collaboration—everyone coming together with one purpose—is not easy. I have tried it a few times, but it can be achieved.

You are probably thinking: what is Craig talking about? He started by calling all security people bricks. Then he made these bricks into a house before invoking a fairy-tale story about three little pigs.

Let me put it another way: we security people are not isolated individuals; we are members of a village. If we cannot find a way to stand together, to stand as one, the whole village will fall. Things will get very dark and society as we know it will collapse. If we all try a little harder to leave our egos at the door, to actually listen to people instead of just talking at them, we will all be better for it. Then, maybe that village will succeed. Everybody will be happy. Everybody will be safe. It surely can’t be hard. Right?

CRAIG FORD Cyber Enthusiast, Ethical Hacker, Author of A hacker I am vol1 & vol2, Male Champion of Change, Special Recognition award winner at 2021 Australian Women in Security Awards

the three little pigs. Like them, we have lost some battles, but together we can be strong: a house of bricks in which each brick supports and is supported by the others.

COLUMN WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 202246

We are all just bricks

Think of our brick house in the context of the nursery rhyme about three little pigs. The third pig’s brick house stood strong against the big bad wolf (in our case a malicious actor) because all the bricks held together and held off the big bad wolf’s attacks. In some versions of the story, the pig in the house of straw and the pig in the house of wood get eaten. In others, they escape to the brick house and survive. We as an industry can learn from our mistakes like

CAREER PERSPECTIVES

To accomplish a shared objective, a group of people collaborate in the workplace by sharing their ideas and expertise. Workers are more productive and feel more connected to the business when they have an opportunity to contribute and make a difference. They also find it easier to brainstorm ideas, solve a problem or deliver work on time.

A collaborative work environment facilitates a very fruitful exchange of perspectives and collective creativity.

THE OUTCOMES OF COLLABORATION

WIRED TO CONNECT Humans are born to connect regardless of whether they have introverted or extroverted personalities. We are emotionally and cognitively hardwired for connection and belonging. Connection gives us purpose and meaning. We all have different mental maps. No two brains are the same. Yet we often assume we are on the same page as other people and the information in our brain in known to others. What may seem common knowledge or rational thinking to you is based on your experiences, beliefs and learnings. Every person’s journey, no matter how similar, is different. Therefore, communication is one of the toughest skills to master, because we all interpret things

Ask any leader if their organisation values collaboration and you will likely get an affirmative response. Ask whether the firm’s strategies to increase collaboration have been successful and you may receive a different answer.

Teams can solve issues more quickly and effectively when employees with diverse ideas, viewpoints and specialities collaborate to discover novel solutions. When people think outside the square, innovative and creative thinking comes alive with purpose.

BRAIN‑FRIENDLY COLLABORATION

WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 202248

by Vannessa McCamley , Leadership and Performance Consultant, Coach, Facilitator, Author and Keynote Speaker

differently. We could look at our favourite painting or hear our favourite song and give it a meaning different from the meaning another person would attribute to it.

VANNESSA MCCAMLEY

THECRACKINGCODEOF

Communicating how each person’s strengths fit within the organisation’s purpose makes a difference, because most people want to contribute and feel a part of the company culture. Regularly check in Make sure you check in regularly with your team members. This has become more important than ever with the growth of remote working and hybrid workplaces. Starting and continuing conversations with staff about the challenges they face and pairing them with others—internally or externally—who have relevant experience and strengths can help expand their thinking and help them feel supported.

Focus on strengths Explore the full range of people’s abilities. Be mindful not to let someone’s differences, your own biases and neurodivergence blind you to the unique contribution each person may be able to offer. Rather than searching for skills gaps, appreciative enquiry lets you consider what people do well. You can then find ways to apply these strengths to other parts of their job and ultimately to your Onceorganisation.youhave the right mix on your team, focus on these strengths, allow everyone to perform to their strengths, be flexible with roles and focus areas. Continue to invest in learning and development of team members’ strengths in alignment with the goals of the organisation, and leverage technology advantages. Communications Understand each team member’s preferences for receiving communication and the best way to prioritise what is most important. Communication considerations include the right mix of visual, auditory and written communication. It is also important to know what kind of language your people perceive as threatening and avoid such in favour of language they perceive as rewarding and want more of.

For decades work was mostly undertaken in an office and between 9:00am and 5:00pm. Then COVID-19 forced large scale remote working and many people discovered they could be more productive outside traditional work hours. Others noticed they were most efficient working in small increments of time.

There is an optimal way to work, but it differs for every person. It is important to know when and where your people do their best work and to gain buy-in on the best times to bring people together to exchange ideas. It is also important to provide detailed agendas ahead of time stating the problems to be solved and the desired outcomes so team members have time to digest these and develop their ideas at the times and in the places they do their best thinking.

ISSUE 10 WOMEN IN SECURITY MAGAZINE 49

CAREER PERSPECTIVES INGREDIENTS FOR SUCCESSFUL COLLABORATION

Where and when your team do their best thinking

Vannessa McCamley is a leadership and performance expert specialising in neuroscience practices that help individuals and businesses grow in meaningful ways whilst delivering measurable results in healthy ways. She has a passion for helping people and businesses to overcome obstacles and enabling them to reach their strategic goals. She brings a strong background in IT security and more than 20 years’ business experience to working with individuals at all levels and from several industries. She is the author of REWIRE for SUCCESS – an easy guide to using neuroscience to improve choices for work, life and wellbeing.

The art of listening is the art of discovering what the speaker thinks about something. When employees listen to one another they learn from one another. A free flow of ideas that is truly listened to can create a workplace where employees are constantly learning from each other. Listening encourages respect and builds trust. Dealing with conflict in brain-friendly ways

Conflict is an opportunity for growth. The best way to resolve conflict is to see it as such and to truly listen by asking open and insightful questions that seek understanding. For example, by saying: “I am curious about the valuable insights you just mentioned, can you please elaborate your ideas and experiences on solving X, Y, Z or what learnings could be valuable in setting this up for success?”

Knowing how people think and function can change the lens of perception and the stories we tell ourselves. Through a coaching program these two have improved communication and appreciation of how their individual strengths can enable them to work together effectively. They do not need to like each other to be more collaborative and produce better outcomes from their teams.

Leveraging brainfriendly tools and models has helped many of my clients’ teams and organisations to effectively,collaboratereach their goals and fulfil their purposes. Reach out to chat about how I can help.

MCCAMLEYVANNESSAABOUT

www.linkedin.com/in/vannessa-mccamleylinksuccess.com.au/rewire-for-successlinksuccess.com.au/contact-us

50 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

At one of my clients the two leaders of the IT team— the head of security and the head of enterprise applications and operations—were not seeing eye to eye, impacting the performance and productivity of the whole IT team. I used PRISM Brain Mapping, a neuroscience behavioural tool that identifies existing behavioural wiring (habits) and highlights the parts of the brain people are tapping into. I showed these two leaders how to leverage their capabilities and strengths, individually and within a team environment, to recognise their strengths and be objective.

Art of listening

SUBSCRIBETOOURMAGAZINE Never miss an edition again! Subscribe to the magazine today for exclusive updates on upcoming events and future issues, along with bonus content. WORLD WHO RUNS the SUBSCRIBE NOW

THE HYBRID TEAM Gone are the days when someone from the network team who had an interest in hacking could occasionally wear a ‘cyber hat’ and do cybersecurity as a side project. There is now greater awareness that a risk based approach to decision making is a crucial prerequisite for effective security outcomes.

CYBERSECURITY: IT’S A HYBRID TEAM SPORT

by Steve Schupp , Executive Director – CyberCX WA Branch

As a result of this maturation in the cyber domain, the need for specialist skills in various areas of cybersecurity has increased. It is no surprise companies engage with external providers for discrete projects and services. This has been happening in IT for decades. However, I believe there has been a strong trend recently for SMEs to consciously consider the structure of their cyber teams, to actively discuss hybrid capabilities with service providers and

Just as the cloud has blurred the definition of the network perimeter, the invisible line around your cybersecurity team has also likely blurred. Whether you have a small team and are reliant on external providers, or a large team tapping into specialist capability, it is more than likely your cyber team extends far wider than those you employ. In practice, this fuzzy line around your team creates an environment in which you can improve security together.

STEVE SCHUPP to incorporate external providers into their own ‘hybrid’ cyber capability. Cyndi Spits, Project Manager for Perenti Group, says a collaborative team that encourages the business to engage with cybersecurity was an important factor for Perenti, where there is “a relatively flat team structure with collaborative team leaders rather than a traditional top down management structure, and where both internal resources and managed service providers are used.” Trudy Bastow, Director, Managed Security Service Operations, Federal Government and Protected SOC for CyberCX, says a structure that combines internal and external resources enables different skills and experiences to be brought together to achieved desired outcomes. Bastow also raised the benefit of risk reduction in the event that, in a tight labour market, employees leave. “When you partner with an external team, that risk reduces as you still have a team who are familiar with the business risks and requirements, who can pick up that gap to provide continuity of skills,” Bastow says. However, this does not mean it is straightforward to build a hybrid team with internal and external members. Bastow stresses the importance of

WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 202252

ISSUE 10 WOMEN IN SECURITY MAGAZINE 53

THE SPECIALIST SKILLSET Threat intelligence is one specialisation becoming increasingly common in our industry. Claudia Muller, lead cyber intelligence analyst at CyberCX, believes introducing threat intel allows companies to “understand how their internal and external context influences their cyber risk and informs threat actor behaviour so they can spend their money and effort on the controls that best protect them from their most significant threats.”

She describes two-way communication as “a cornerstone of intelligence analysis.” The professional benefits gained by mastering these skills are valuable for anyone in an extended team role. Muller is confident doing so has made her better at engaging with other teams during the intelligence analysis cycle, which in turn has made her a better analyst.

GREATER SUCCESS Cyber teams that identify gaps and expand their capability through external providers have a much greater ability to address the security challenges faced by their organisation. Muller agrees, saying, “In my role it is essential to work with our clients as partners and to work together as ‘one team’ to improve security outcomes.”

Cybersecurity has become a hybrid team sport where extended teams with shared objectives whose members develop strong relationships and communication skills will be the winners, and ultimately will improve security together.

Spits believes that while IT understand the need for increased cybersecurity, it is the business users that will be impacted by the implementation of cybersecurity solutions on a daily basis, especially in a decentralised workplace, “so we all need to work together to strike the right balance of cybersecurity and usability”. The concept of improving security together resonated with Muller’s role, allowing the extended team to bridge siloes and improve relationships so security management could be interoperable across the physical, personnel and cyber domains, reflecting how threats operate. Muller also notes the importance of empowering people to understand that no one has a ‘neutral’ impact on security. “Anyone’s actions can uplift or degrade security,” she says.

investing in relationships. She says understanding who your collaborators are and putting time aside to achieve this is integral to success.

There are many personal and professional benefits to be gained from this investment, such as long term connections you maintain throughout your career, or the opportunity to build on business skills such as team management which enhance your promotion prospects. Spits involvement with cyber security projects has raised her interest to undertake hands-on cybersecurity training through the Australian Women in Security Network and work towards obtaining other technical certifications including CISSP.

CAREER PERSPECTIVES

Assessing and contextualising all information coming from the firehose of threat intelligence creates a significant workload for in-house teams. In addition, it is difficult for in-house teams to ‘look over the fence’ and see what is happening in other companies or industries. According to Muller, CyberCX works closely with its security operations analysts, incident responders and pen testers. “Their insights enrich our intelligence, and our intelligence enables them to provide services more tailored to Australia and New Zealand based on threat activity and broader trends,” she says.

www.linkedin.com/in/steve-schupp-605457

Muller also believes communication to be a crucial element in making extended teams perform.

QUESTION by Simon Carabetta , Project Coordinator at ES2

Young people deserve to understand why the security of their personal data matters, and they also deserve to learn the skills to make that security effective.

WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 202254

It would be amazing to see schools place the same emphasis on cyber security as they do on cyber safety. As a former teacher I can certainly understand that emphasis and how it links to the overarching values of digital citizenship and student wellbeing.

2. Develop partnerships between state education sectors, TAFEs and universities to provide teachers with scholarships to gain cybersecurity qualifications. BUT pay them on the job and get the Cert IV into schools.

THE EDUCATION

Fortunately, there is a simple and effective way in which cybersecurity can be embedded in schools, and it comes down to following this roadmap:

SIMON CARABETTA

However, we find ourselves in 2022 in an increasingly volatile, uncertain and, dare I say, interesting world.

Between 2006 and 2019 I was a high school teacher in WA’s public education sector and took a break to spend several years in the Middle East teaching at an international school. Current, former and aspiring educators reading this would know teaching to be a rewarding career, but an extremely taxing one. There is not sufficient time to teach, develop lesson plans, mark papers, communicate with parents, attend mandated weekly meetings, attend department meetings, moderate papers, attend professional development sessions and mark more papers. So perhaps we can forgive the majority of teachers for giving no consideration to the security implications of the technology they and their students use, or to embedding awareness of that security into the curriculum.

1. Provide teacher and school administration education and development in cybersecurity. BUT make it simple, clear and fun.

We in the cybersecurity industry often hear about the skills and experience gap in Australia. I wrote about this recently, in the last issue of Women in Security. We are all well aware there is a mountain of work to be done to close this gap and futureproof our sector. Some good solutions have been proposed and a number of programs to address the skills gap have already been launched. However, there is one skills gap many of us simply do not mention and do not understand how to address. That is the skills gap in our primary and secondary education sectors.

3. Introduce cybersecurity into the primary and secondary school curriculums across Australia. BUT embed the knowledge and skills in all

5. Create partnerships between government, the private sector and TAFEs/universities to create meaningful traineeship programs for students studying cybersecurity that will increase their skillsets, give them real-world experience and make them job ready. Implementing the five points in this roadmap will be a long term project and will take several years. It would involve a massive number of stakeholders from multiple sectors and extensive consultation. However, it is entirely doable and, more importantly, is vital for the future of the cybersecurity sector in Australia.

Having had the privilege of working alongside many talented and passionate teachers during my education career, I can honestly say the majority of our nation’s educators would certainly embrace developing their knowledge and skills in cybersecurity. We already have quite a number here in WA who demonstrate a consistent passion for innovation and ICT in the classroom and a desire to focus on cybersecurity. I am proud to say I know them and have worked with them in various ways over the past few years. I would certainly like to see more quality educators in WA and elsewhere in Australia embrace cybersecurity and accept it as part of the learning and growing their students experience each day in their classrooms.

CAREER PERSPECTIVES learning areas, do not constrain it to a standalone subject introduced in year 11 or year 12.

ISSUE 10 WOMEN IN SECURITY MAGAZINE 55

www.linkedin.com/in/simoncarabetta

4. State and territory governments should invest in cybersecurity education liaison officers to speak with schools and students about careers in cybersecurity. Alternatively, the Australian Cyber Security Centre could be proactive and take the lead on this across Australia through its joint centres.

Unfortunately, I felt I had few people to turn to in the cybersecurity industry for help. I tried to do my own research but there was barely anything out there to prepare me, as an expectant working mother, for what was to come. Thus, I thought I’d write about my experience in the hope of helping other men and women wanting to start a family. This will serve as a guide on what to look out for and what you need to consider when you are planning to start a family, or you already have a child in your care.

Choosing to have kids and establishing, or sustaining, a career is no easy feat. More shocking, to my surprise, is that this journey is hardly ever spoken about.

A MUM: A GUIDE FOR FIRST TIME WORKING PARENTS

by Melanie Ninovic , Senior Consultant at ParaFlare MELANIE NINOVIC

Starting a family is one of the most exciting times of your life, but there are a few factors you need to consider before embarking on this journey. Here is a list to help guide you from pre-pregnancy to maternity leave.

PRE-PREGNANCY Private health insurance

As of writing (July 2022), the Parental Leave Pay scheme provides a minimum wage payment for up to 18 weeks if you are the primary caregiver. This is about $812 a week. However, you will only be eligible

Disclaimer: Because I lived in Australia throughout this experience, the information provided is based on Australian laws and regulations. I am neither a lawyer nor an accountant, so please talk to a professional. I also acknowledge I have been very lucky throughout this journey. I know others will not have the same straightforward path to motherhood as I did (in terms of pregnancy, financial situation, both parents working from home and a very supportive and helpful husband).

BECOMING

If you choose to give birth at a private hospital you must have private health insurance. With most providers there is a 12 month waiting period for pregnancy claims. This means you need to have been covered by private health insurance for a full year before you give birth. Secondly, your cover does not include obstetrician costs. My fees were around the $3500 mark, but I’ve heard from others that these can be up to $10k. This is a fee you will need to include in your financial planning. Government paid parental leave

WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 202256

• Give yourself and your employer ample time to hand over your work to others in your team, finish important projects, and work to a deadline.

Lastly, if you are planning to breastfeed, sign up to an online course or do some research. The hospital will go through breastfeeding with you but by that point, having just delivered a baby, you will be in pain and very tired, and overwhelmed by emotions. It is best to learn different feeding techniques and strategies beforehand, and I highly recommend buying a lanolin product such as Lansinoh to put in your go-to-hospital bag.

Employer maternity/parental leave policy Be sure to check your company policy for maternity leave and what you are entitled to. Some employers include a length of employment threshold for paid maternity leave. Similarly, paternity/parental leave policies may also include a clause that allows the father to take leave only if the mother is back at work, and the father becomes the primary caregiver. Also ask your manager or HR department whether your pay will include superannuation. It is common for this not to be included and is the reason women on average have less superannuation when they retire.

If you are planning to give birth at a private hospital your pregnancy will be full of appointments: for obstetrics, scans, blood tests, hospital tours and more. For this reason, I told my manager about my pregnancy quite early on, and I was fortunate to have had a positive working relationship with my manager.

• Most harsh symptoms subside at this stage.

• You could give birth early. Key tip: baby stores frequently have sales. Wait until there is a sale to buy everything, and always compare prices between stores.

ISSUE 10 WOMEN IN SECURITY MAGAZINE 57

CAREER PERSPECTIVES for this payment if your earnings are below a certain threshold in the year before you lodge the claim, or have your child (whichever comes earliest).

Note: this might change with the recently elected Labor Government. Additionally, Services Australia also provides childcare subsidies, which you might want to consider.

• You do not know how busy your work schedule will become later in your pregnancy.

Planning ahead

PREGNANCY Scheduling

• Deal with unexpected symptoms or sickness, and with the challenges of pregnancy. On that note, listen to your body and do not overexert yourself. Manage your symptoms and if you feel able, communicate these to your manager so you can adjust your workload accordingly.

There are so many things to do before having a baby. From the nursery, car seats and sleeping arrangements to cleaning and baby-proofing the house; the list seems endless. I started doing all these things three to four months into my pregnancy, because:

If you do not expect early notification of your pregnancy to be an issue I would recommend doing the same. You can then:

• Plan ahead, juggling all your appointments and a busy work schedule.

DISCRIMINATION

Whilst on maternity leave, or even beforehand, call two or three centres that you like and ask to be put on their waiting list. You can use the Australian Children’s Education and Care Quality Authority’s (ACECQA’s) register to find centres meeting or exceeding national quality standards.

MATERNITY LEAVE

The first few weeks will be tough. It is quite normal to feel overwhelmed, exhausted, confused and lonely. Look at joining a mothers group so you can share and learn from others.

Childcare Childcare centres across Sydney tend to have long wait times, anywhere from 12 months to two years.

You will be flooded with advice from a thousand nurses, midwives, consultants, paediatricians and, of course, your family on how to feed and take care of your newborn. This really frustrated me and took a toll on my mental health. At the end of the day I went with what I thought was right for me and my child and I have not looked back.

58 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

Whilst I have been quite lucky in my journey through pregnancy and motherhood thus far, discrimination is unfortunately a very common part of a working woman’s life around the world. Redundancies, pay cuts, lost promotions and inflexible working arrangements are frequent consequences for women who announce their pregnancy to their employer, or after they become mothers, despite it being illegal to discriminate against a woman because she is pregnant. It is important to know your rights before becoming pregnant in case you do face discrimination in the workplace. Here are some resources: Australian Human Rights Commission

One issue for the cybersecurity industry is the need for more opportunities for remote participation in conferences and training programs. I echo and stand by Sherri Davidoff’s thoughts. We must do more to allow remote speaking and viewing options for all mothers, in particular by supporting family attendance at such events. Women are losing out on speaking and training opportunities because they must care for their child or because of the costs of participating on site.

4. Another way is to use your ‘keeping in touch’ days. Some organisations designate a set number of days during maternity leave for an employee to return to work and catch up with all that has happened whilst they have been away. These days can either be spread throughout the maternity leave or taken in a block: something to discuss with your employer.

2. Ask for help. If you have family close by, ask if they can cook meals, help you clean the house, or just mind your newborn so you can go take a shower and have time to yourself. It is so important to carve out time for yourself, to recover, and to feel a sense of yourself.

1. Everyone focuses on how challenging pregnancy and giving birth can be, but for me the hardest part was what came afterwards. Whilst you are still recovering from a huge procedure you need to learn how to feed and take care of your newborn.

I would be happy to speak to anyone undertaking or planning this journey. If you have any questions, please reach out www.linkedin.com/in/melanie-cybers

3. It is quite normal to think “will I lose all my skills whilst on leave?” or “how will I keep up with an industry that is so fast moving?” The way I kept up to date was by listening to a weekly podcast (thanks Risky Business) whilst taking my child for a walk, or during feeds, and reading online newsletters (thisweekin4n6 and SANS NewsBites).

• Fair Work Ombudsman • Raising Children

L o o k i n g f o r w a y s t o g i v e b a c k ? W e n e e d y o u L e a r n m o r e a t a w s n . o r g . a u / i n i t i a t i v e s / m e n t o r i n g / Sponsored by Powered by A W S N i s p l e a s e d t o l a u n c h t h e 2 0 2 2 A u s t r a l i a n W o m e n i n S e c u r i t y N e t w o r k M e n t o r i n g P r o g r a m Women in Security Mentoring Program

Confiscation of a teen’s device as punishment is a touchy subject I have put off writing about for some time. It’s been on my topic list, but as a parent of two teens, I keep mulling it over and continually reminding myself that all teens are different and all parents have different parenting beliefs and methods.

I am going to share five points about why I think you need to reconsider removing a teen’s device as a form of 1punishment.Thinkback

to how you socialised when you were in high school. You met up after school, made phone calls, attended sporting events, parties and weekend get togethers, etc. Now consider how teens socialise today. They use their phones or similar devices. They use social media platforms, online game chats, etc. My point is that teens today do not socialise as we did, and we need to recognise this.

In my writing I often make distinctions between two age groups: preschool to end of primary school, and high school. In this article, I want to make it clear I am referring specifically to high school age children.

When the subject of consequences came up during a recent presentation about the different ways parents should get involved in a child’s digital life, I took it as a sign that now is the right time to share what I know.

Should you take your teen’s device as punishment?

COLUMNdevice. WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 202260

3 At times we parents become frustrated with our teens’ use of their devices. We have all been there. We ask our teen to do something and they continue to use their device. We come back later to see if the job is done, only to find them still on their

NICOLLE EMBRA Cyber Safety Expert, The Cyber Safety Tech Mum

2 Our teens experience an upbringing entirely different from that of their parents. We spent time in the streets playing with the neighbourhood children. Our children, on the other hand, have, at some point, been given a device. This might have happened when they were quite small and we needed a moment’s peace in which to produce dinner. Internet enabled devices are part of our teens’ lives. They game on them. They create videos on them. They read on them. They create digital art. They communicate with others. They shop and they do their banking on them.

Stop and think. Did we set guidelines and boundaries for using their device when we gave them it? Did we discuss, and reach agreement on, how they should respond if required to help when they were on their device?

We need to take some responsibility for how they are using their devices if we have not discussed usage and not modelled the response we expect in such situations.

Using your teen’s ‘currency’ is also an option when it comes to punishment. If they love going to their local cafe on a Saturday morning, then perhaps the punishment is that they are barred from going for two weeks. We do not want to remove their social connections and we do not want them to expect us to take their device away at the drop of a hat.

www.linkedin.com/company/the-cyber-safety-tech-mumwww.linkedin.com/in/nicolle-embra-804259122www.thetechmum.comwww.facebook.com/TheTechMumwww.pinterest.com.au/thetechmum

5

ISSUE 10 WOMEN IN SECURITY MAGAZINE 61

Parents need to discuss consequences and include these in their family technology contract. My best advice is to try and use natural consequences. For example, if it was your teen’s turn to put away everything in the dishwasher and they did not do so, then they should be required to do this job for the rest of the week. If it was agreed they could use their device for two hours per day but they have used it for 2.5 hours, then their daily screen time should drop to 1.5 hours for the next week.

If they believe we will dive in and take away their device for every transgression, I can almost guarantee that when your teen starts getting bullied online, gets in over their head communicating online with a stranger or sees something online that makes them uncomfortable they WON’T be bringing their device or their problem to you because they will expect you to take their device away. That is not what we are aiming for. I am not sure how to close this article. Maybe you completely and utterly disagree with me. I just hope you consider these five points before using device removal as the sole punishment for your teen’s transgressions.

4 Dopamine. This feel good chemical is released in their brains when our teens are using their devices. Developers of devices, apps and games want users to stay on their devices and platforms for as long as possible. All are designed to trigger the release of dopamine hits to keep users engaged. We need to recognise this as one of the reasons our teens find it difficult to put their devices down. They are looking for the next feel good moment.

Recommended

affect OT

-

incident responders

“This role is essential to find and vulnerabilitiespatchin the cloud environment to ensure that crackers and hackers are unauthorized in cloud environments.” Ben Yee

and be able to build a longer lasting security

Web applications are critical for conducting business operations, both internally and externally. These applications often use open source plugins which can put these apps at risk of a security breach.

offensive operations and the other foot in the critical process control environments essential to life. Discover system vulnerabilities and work with asset owners and operators to mitigate discoveries and prevent exploitation from adversaries. Why

Malware analysts face attackers’ capabilities head-on, ensuring the fastest and most effective response to and containment of a cyber-attack. You look deep inside malicious software to understand the nature of the threat – how it got in, what flaw it exploited, and what it has done, is trying to do, or has the potential to achieve.

“The intrusion analyst is the guard at the gate and can get great job satisfaction from detecting and stopping network intrusions.” Chuck Ballard

18

-

RED TEAMER

“Working in this type of industry, I can see how the demand is increasing so rapidly that companies starting to desperately looking for people with proper skillsets.” Ali Alhajhouj

Recommended courses FOR508 GCFA FOR572 GNFA FOR578 GCTI FOR608 FOR610 GREM FOR710 SEC573 GPYC SEC504 GCIH SEC541 ICS515 GRID ICS612

Recommended courses FOR518 FOR585 GASF FOR610 GREM FOR710

order

01

13

COOLEST CAREERS02

THREAT HUNTER

issues

“The only way to test a full catalog of defense is to have a full catalog of offense measure its effectiveness. Security scanning is the bare minimum and having Red Team perform various operations from different points will help the organization fix weaknesses where it matters.” - Beeson Cho “Digging below what commercial anti-virus systems are able to detect to find embedded threat actors in client environments makes this job special. Shoutout to Malware and Threat Intelligence Analysts who contribute their expertise to make threat hunters more effective against adversaries.” - Ade Muhammed

information

“Incidents are bound to occur and it is important that we have people with the right skill set to manage and mitigate the loss to the organization from these incidents.” - Anita Ali 14

risk-based

protect the

“Being a malware analyst provides a great opportunity to pit your reverse engineering skills against the skills of malware authors who often do everything in their power to make the software as confusing as possible.” - Bob Pardee 10

Recommended courses MGT512 GSLC MGT514 GSTRT MGT520 MGT521 SEC388 INCIDENT RESPONSE TEAM MEMBER This

fast-paced role involves identifying, mitigating, and eradicating attackers while their operations are still unfolding. Why is

one unwavering

into action

GCPN SEC617 GAWN SEC642 SEC661 SEC760 SEC522 GWEB

“It is not only about using existing tools and methods, you must be creative and understand the logic of the application and make guesses about the infrastructure.”

Recommended courses SEC504 GCIH SEC542 GWAPT SEC554 SEC556 SEC560 GPEN SEC575 GMOB SEC588

ICS/OT ASSESSMENTSECURITYCONSULTANT foot in the exciting of is this both and nature, that (primarily to be (HILF); they but when they

One

intentional

accidental in

Why is this role important?

If you’re given a task to exhaustively characterize the capabilities of a piece of malicious code, you know you’re facing a case of the utmost importance. Properly handling, disassembling, debugging, and analyzing binaries requires specific tools, techniques, and procedures and the knowledge of how to see through the code to its true functions. Reverse engineers possess these precious skills, and can be a tipping point in the favor of the investigators during incident response operations. Whether extracting critical signatures to aid in better detection, or producing threat intelligence to inform colleagues across an industry, malware analysts are an invaluable investigative resource.

ability to damage the victim, and ultimately remove

Why is this role important?

“The chief gets to coordinate the plans. The chief gets to know the team, know them well and disperse them appropriately to strategically defend and test org networks and security posture.“ - Anastasia Edwards

sufficiently dedicated

CHIEF SECURITYINFORMATIONOFFICER (CISO)

in ICS systems) can be considered

GEVA SEC504 GCIH SEC554 SEC556 SEC560 GPEN SEC565 SEC575 GMOB SEC617 GAWN SEC660 GXPN SEC670 SEC760 SEC573 GPYC MALWARE ANALYST

the

the attackers, minimize

deep technical to executive management. Recommended courses FOR308 FOR498 GBFA FOR508 GCFA FOR509 FOR518 FOR572 GNFA FOR578 GCTI FOR585 GASF FOR608 FOR610 GREM FOR710 SEC402 SEC573 GPYC SEC504 GCIH ANALYST/ENGINEERCYBERSECURITY As this is one of the highest-paid jobs in the field, the skills required to master the responsibilities involved are advanced. You must be highly competent in threat detection, threat analysis, and threat protection. This is a vital role in preserving the security and integrity of an organization’s data. Why is this role important? This is a proactive role, creating contingency plans that the company will implement in case of a successful attack. Since cyber attackers are constantly using new tools and strategies, cybersecurity analysts/ engineers must stay informed about the tools and techniques out there to mount a strong defense. Recommended courses SEC401 GSEC SEC450 SEC501 GCED SEC503 GCIA SEC530 GDSA SEC555 GCDA SEC504 GCIH SEC554 FOR500 GCFE FOR508 GCFA FOR509 FOR518 FOR572 GNFA FOR578 GCTI FOR585 GASF FOR608 FOR610 GREM FOR710 MGT551 GSOM SEC540 GCSA ICS410 GICSP ICS456 GCIP CLOUD SECURITY ANALYST The cloud security analyst is responsible for cloud security and day-to-day operations. This role contributes to the design, integration, and testing of tools for security management, recommends configuration improvements, assesses the overall cloud security posture of the organization, and provides technical expertise for organizational decision-making. Why is this role important? With an unprecedented move from traditional on-premise solutions to the cloud, and a shortage of cloud security experts, this position helps an organization position itself thoughtfully and securely in a multicloud environment necessary for today’s business world. Recommended courses SEC488 GCLD SEC510 GPCS SEC541 SEC401 GSEC SEC460 GEVA SEC504 GCIH SEC588 GCPN FOR508 GCFA FOR509 FOR518 FOR585 GASF FOR608 SEC557 INTRUSION DETECTION/ (SOC) ANALYST Security Operations Center (SOC) analysts work alongside security engineers and SOC managers to implement prevention, detection, monitoring, and active response. Working closely with incident response teams, a SOC analyst will address security issues when detected, quickly and effectively. With an eye for detail and anomalies, these analysts see things most others miss. Why is this role important? SOC analysts help organizations have greater speed in identifying attacks and remedying them before they cause more damage. They also help meet regulation requirements that require security monitoring, vulnerability management, or an incident response function. Recommended courses SEC450 SEC503 GCIA SEC511 GMON SEC555 GCDA SEC504 GCIH FOR508 GCFA FOR572 GNFA FOR608 MGT551 GSOM APPLICATION PEN TESTER Application penetration testers probe the security integrity of a company’s applications and defenses by evaluating the attack surface of all in-scope

The CISO leads staff in identifying, developing, implementing, and maintaining processes across the organization to reduce information and information technology risks. CISOs respond to incidents, establish appropriate standards and controls, manage security technologies, and direct the establishment and implementation of policies and procedures. The CISO is also usually responsible for information-related compliance, such as supervising efforts to achieve ISO/IEC 27001 certification for an entity or a part of it. Typically, the CISO’s influence reaches the entire organization.

the

do the cost to the business can be considerable. Recommended courses ICS410 GICSP ICS418 ICS456 GCIP ICS515 GRID ICS612 SEC560 GPEN SEC575 GMOB SEC617 GAWN Organizations are hiring individuals with a unique set of skills and capabilities, and seek those who have the abilities and knowledge The coolest careers in cybersecurity are the most in-demand by employers. Which jobs are the coolest and most in-demand? Curricula: Cyber Defense Digital Forensics Offensive Operations Cybersecurity Leadership Cloud Security Industrial Control Systems

The trend is for CISOs to have a strong balance of business acumen and knowledge in to be up to on security from a technical standpoint, into the broader objectives, and culture to organization. dynamic and this preventing breaches is always the ultimate goal, information security reality is that we a attacker Once it has been determined that a breach has occurred, are called to locate their them from environment. This quick thinking, and ability as part with from vulnerable web-based services, clientside applications, servers-side processes, and more. Mimicking a malicious attacker, app pen testers work to bypass security barriers in order to gain access to sensitive information or enter a company’s internal systems through techniques such as pivoting or lateral movement.

of a team,

technology

world

09

don’t happen often,

-

understand how to implement security planning

solid technical and documentation skills,

to adapt to attacker methodologies. Further, incident responders work

a wide variety of specializations. Ultimately, they must effectively convey their findings to audiences ranging

Threat hunters proactively seek evidence of attackers that were not identified by traditional detection methods. Their discoveries often include latent adversaries that have been present for extended periods of time.

Why is this role important?

In this role you will be challenged to look at problems and situations from the perspective of an adversary. The focus is on making the Blue Team better by testing and measuring the organization’s detection and response policies, procedures, and technologies. This role includes performing adversary emulation, a type of Red Team exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective similar to those of realistic threats or adversaries. It can also include creating custom implants and C2 frameworks to evade detection.

business

“It doesn’t become much more versatile than in this role, as oftentimes you’ll be challenged with whathever tasks or projects customers or managers envision, ranging from simple analysis support to introducing new solutions and implementing whole services such as a SOC.” - Harun Kuessner

17

Why is this role important?

will eventually be successful.

role important? Security incidents,

role important? While

- Dan-Mihai Negrea

high-impact but low-frequency

speed

This expert applies new threat intelligence against existing evidence to identify attackers that have slipped through real-time detection mechanisms. The practice of threat hunting requires several skill sets, including threat intelligence, system and network forensics, and investigative development processes. This role transitions incident response from a purely reactive investigative process to a proactive one, uncovering adversaries or their footprints based on developing intelligence.

must assume

This role is important to help answer the common question of “can that attack that brought down company, happen to us?” Red Teamers will have a holistic view of the organization’s preparedness for a real, sophisticated attack by testing the defenders, not just the defenses. courses SEC460

06

Why is this role important?

role requires

05

Help blue and red understand one another better! Blue Teams have traditionally been talking about security controls, log sources, use cases, etc. On the other side Red Teams traditionally talk about payloads, exploits, implants, etc. Help bridge the gap by ensuring red and blue are speaking a common language and can work together to improve the overall cybersecurity posture of the organization! Recommended courses SEC599 GDAT SEC699 SEC573 GPYC

Why is this role important?

of content and potential to get real evidence on something is exciting.” - Chris

These resourceful professionals gather requirements from their customers and then, using open sources and mostly resources on the internet, collect data relevant to their investigation. They may research domains and IP addresses, businesses, people, issues, financial transactions, and other targets in their work. Their goals are to gather, analyze, and report their objective findings to their clients so that the clients might gain insight on a topic or issue prior to acting.

IN CYBER 03

Why is this role important?

TECHNICAL DIRECTOR

The

Recommended courses SEC487

-

This job, which may have varying titles depending on the organization, is often characterized by the breadth of tasks and knowledge required. The all-around defender and Blue Teamer is the person who may be a primary security contact for a small organization, and must deal with engineering and architecture, incident triage and response, security tool administration and more.

“This is like solving a puzzle or investigating a crime. There is an exciting element to the unknown and the technical complexity of countermeasures. sensitivity Brown Esmoris

“Forensics is about diving deep into any system and device and locating the problem so as to develop a solution.” Patricia M “Data doesn’t lie, and the digital forensic analyst looks at the data to convey the stories that they tell.” Anthony Wo

07 “A

Design, implement, and tune an effective combination of network-centric and data-centric controls to balance prevention, detection, and response. Security architects and engineers are capable of looking at an enterprise defense holistically and building security at every layer. They can balance business and technical requirements along with various security policies and procedures to implement defensible security architectures. is this role

19 20

DEVSECOPS ENGINEER

“Being an investigatorOSINTallows me to extract information in unique and clever ways and I am never bored. One day I’m working on a fraud investigation and the next I’m trying to locate a missing person. This job always tests my capabilities, stretches my critical thinking skills, and lets me feel like I’m making a difference.”

This expert defines the technological strategies in conjunction with development teams, assesses risk, establishes standards and procedures to measure progress, and participates in the creation and development of a strong team. Why is this role important?

Why is this role important?

-

- Andrew

“From my point of view it is a highly demanded position by companies which need to offer flexible, agile and secure solutions to their clients’ developers.” - Antonio

This job role is highly important as it often shows up in small to mid-size organizations that do not have budget for a full-fledged security team with dedicated roles for each function. The all-around defender isn’t necessarily an official job title as it is the scope of the defense work such defenders may do - a little bit of everything for everyone. & ENGINEER

This expert applies digital forensic skills to a plethora of media that encompasses an investigation. If investigating computer crime excites you, and you want to make a career of recovering file systems that have been hacked, damaged or used in a crime, this may be the path for you. In this position, you will assist in the forensic examinations of computers and media from a variety of sources, in view of developing forensically sound evidence.

08 11 12

Recommended courses SEC450 SEC503 GCIA SEC505 GCWN SEC511 GMON SEC530 GDSA SEC555 GCDA SEC573 GPYC SEC586 SECURITY ARCHITECT

- Rebecca Ford

In this role, you will work to find 0-days (unknown vulnerabilities) in a wide range of applications and devices used by organizations and consumers. Find vulnerabilities before the adversaries! Why is this role important? Researchers are constantly finding vulnerabilities in popular products and applications ranging from Internet of Things (IoT) devices to commercial applications and network devices. Even medical devices such as insulin pumps and pacemakers are targets. If we don’t have the expertise to research and find these types of vulnerabilities before the adversaries, the consequences can be grave.

“In this day and age, we need guys that are good at defense and understand how to harden systems.” David O Purple Team

“The combination of red team blue team operations is very interesting and you get to see both sides. I have been on a Purple Team for a while now and it has driven a lot of positive change for us.” R security architect needs to understand work flows, networks, business requirements, project plans and sometimes even budget restraints. A very diversified role!” Chris Bodill

Recommended courses FOR308 FOR498 GBFA GCFE GCFA

OSINT INVESTIGATOR/ANALYST

Why is this role important?

“I think researchers will play a crucial role in years to come. They will be able to identify and help us prepare for the vulnerability before it is exploited by the hacker so instead of responding to incidents we will then be able to proactively prepare ourselves for the future issues.” Anita Ali

15 16

A security architect and engineer is a versatile Blue Teamer and cyber defender who possesses an arsenal of skills to protect an organization’s critical data, from the endpoint to the cloud, across networks and applications.

SEC504 GCIH SEC598 SEC660 GXPN SEC670 SEC760 BLUE TEAMER –ALL-AROUND DEFENDER

Why is this role important?

Recommended courses SEC660 GXPN SEC661 SEC670 SEC760 MEDIA EXPLOITATION ANALYST

You are the sleuth in the world of cybersecurity, searching computers, smartphones, cloud data, and networks for evidence in the wake of an incident/crime. The opportunity to learn never stops. Technology is always advancing, as is your career. Recommended courses FOR308 FOR498 GBFA FOR500 GCFE FOR508 GCFA FOR509 FOR518 FOR572 GNFA FOR585 GASF FOR608

This expert applies digital forensic skills to a plethora of media that encompass an investigation. The practice of being a digital forensic examiner requires several skill sets, including evidence collection, computer, smartphone, cloud, and network forensics, and an investigative mindset. These experts analyze compromised systems or digital media involved in an investigation that can be used to determine what really happened. Digital media contain footprints that physical forensic data and the crime scene may not include.

FOR578

04

FOR500

“This role allows me to use my boring.”meansevolvingdefenses.improvingbehaviors,properexperienceprevioustoinfluencesecurityeffectivelyourcompany’sAndtherapidlynatureofthreatsmyjobisnever

-

There is a massive amount of data that is accessible on the internet. The issue that many people have is that they do not understand how best to discover and harvest this data. OSINT investigators have the skills and resources to discover and obtain data from sources around the world. They support people in other areas of cybersecurity, intelligence, military, and business. They are the finders of things and the knowers of secrets. GOSI SEC587 GCTI

People have become the top drivers of incidents and breaches today, and yet the problem is that most organizations still approach security from a purely technical perspective. Your role will be key in enabling your organization to bridge that gap and address the human side also. Arguably one of the most important and fastest growing fields in cyber security today. courses MGT415 MGT433 SSAP MGT512 GSLC

Why is this role important? You are often the first responder or the first to touch the evidence involved in a criminal act. Common cases involve terrorism, counter-intelligence, law enforcement and insider threat. You are the person relied upon to conduct media exploitation from acquisition to final report and are an integral part of the investigation.

FOR508

important?

Recommended

With a wide range of technologies in use that require more time and knowledge to manage, a global shortage of cybersecurity talent, an unprecedented migration to cloud, and legal and regulatory compliance often increasing and complicating the matter more, a technical director plays a key role in successful operations of an organization. Awareness Officers work alongside their security team to identify their organization’s top human risks and the behaviors that manage those risks. They are then responsible for developing and managing a continous program to effectively train and communicate with the workforce to exhibit those secure behaviors. Highly mature programs not only impact workforce behavior but also create a strong security culture.

SEC460 GEVA GIAC Certification with course AsiaPacific@sans.org AUSTRALIA +61 2 6174 4581 INDIA +91 974 1900 324 JAPAN +81 3 3242 6276 SINGAPORE +65 6983 1088

Recommended courses MGT516 MGT551 GSOM SEC557 SEC566 GCCC SEC388 SECURITY AWARENESS OFFICER Security

PURPLE TEAMER

GCSA

SEC522 GWEB SEC534

-

Recommended courses SEC503 GCIA SEC505 GCWN SEC511 GMON SEC530 GDSA SEC554

DIGITAL FORENSIC ANALYST

As a DevSecOps engineer, you develop automated security capabilities leveraging best of breed tools and processes to inject security into the DevOps pipeline. This includes leadership in key DevSecOps areas such as vulnerability management, monitoring and logging, security operations, security testing, and application security. Why is this role important? DevSecOps is a natural and necessary response to the bottleneck effect of older security models on the modern continuous delivery pipeline. The goal is to bridge traditional gaps between IT and security while ensuring fast, safe delivery of applications and business functionality. GPCS SEC540

-

Why

VULNERABILITY RESEARCHER & EXPLOIT DEVELOPER

MGT521

FOR518 FOR572 GNFA FOR585 GASF FOR608 knowledge to fulfill many new job roles in the cybersecurity industry. in-demand? We know; let us show you the hottest cybersecurity jobs for 2022.

“A technical director must have strong cybersecurity knowledge, a strategic view of the business.”thechallenging,thisget,Thesecommunicationwhat’sinfrastructureorganization’sandtocome,andskills.thingsarehardtoandIwouldimaginejobtobeverynomatterorganizationsizeor Francisco Lugo

Recommended courses SEC510

- Sue DeRosier

-

In this fairly recent job position, you have a keen understanding of both how cybersecurity defenses (“Blue Team”) work and how adversaries operate (“Red Team”). During your day-today activities, you will organize and automate emulation of adversary techniques, highlight possible new log sources and use cases that help increase the detection coverage of the SOC, and propose security controls to improve resilience against the techniques. You will also work to help coordinate effective communication between traditional defensive and offensive roles.

INTRODUCTION

At the time, my interests were not widely considered the ‘stereotypical feminine interests’. You may remember the television commercials for the iconic Hot Wheels Racetrack: they were typically

directed at boys, whilst the Barbie and My Little Pony commercials were directed towards young girls. I sometimes wonder, had I received the same push to consider a STEM-based career as a young boy showing the same interests as I, would I have entered the cybersecurity industry sooner than I did? I got together with some friends in the tech industry—Kavika Singhal, Jay Hira, Emily Goodman and Shinesa Cambric—to ask some questions and discuss the issues around attracting women into the cybersecurity industry and retaining them.

HOW DO WE ATTRACT WOMEN INTO CYBERSECURITY, AND RETAIN THEM?

64 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

by Michelle Gatsi, Cyber Security Consultant at EY Kavika Singhal, Cyber Security Consultant at EY Jay Hira, Director of Cyber Transformation at EY Emily Goodman, Cyber Security Consultant at EY Shinesa Cambric, Principal Product Manager, Microsoft Intelligent Protections - Emerging Identity at Microsoft

Michelle Gatsi As the daughter of an automotive technician I grew up around a lot of cars. From kindergarten through to grade three my father would pick me up from school and take me back to his workshop where I would often watch him fix cars (from a safe distance of course) until it was time for us to go home. Virtually all my toys at home were model cars. My fascination with these cars was not with driving them but with understanding what made them move; I would deconstruct out of curiosity. Typically, the same behaviours in young boys would be praised and perhaps even followed with remarks along the lines of “He is going to be an engineer one day, or a scientist.”

Question 2: DO YOU THINK A LACK OF FEMALE INTEREST IN STEM-BASED COURSES IS ONE OF THE REASONS WOMEN ARE UNDERREPRESENTED IN CYBERSECURITY? HOW DO WE INCREASE CHILDREN’S INTEREST IN STEM? Jay Hira Jay’s answer: I do not necessarily agree with the premise of the question that there is a lack of female interest in STEM. I believe women have always been a part of STEM, but light has not often been shone on them. Most people, myself included, did not learn about the brilliant female problem solvers who were the brightest mathematicians of their generation, and integral to NASA’s space race, until we watched the movie Hidden Figures.

Question 1: WHAT DO YOU THINK IS THE GENERAL PERCEPTION OF CYBERSECURITY AND WHAT CAN WE, AS AN INDUSTRY, DO TO IMPROVE IT?

CAREER PERSPECTIVES

Kavika Singhal Kavika’s answer: I’m sure many people would imagine a dark room with a hooded person behind a computer, wearing glasses and typing rapidly. Perhaps lines of code scroll down the screen. Is this really cybersecurity? The predominant discussions in the cyber industry today include the skills shortage. In 2021 Cybercrime Magazine predicted 3.5 million job vacancies by 2025: evidence of this growing concern. The career choices of our young people could contribute significantly to closing this gap; hence their choices demand our close attention. An individual’s perception of their chosen field is ranked as one the most important factors determining their choice. Other important factors are their assessment of job stability and their belief that people in their chosen industry with have similar personality traits and interests. Entertainment, news and media often shape the perceptions held by young people today, and influence visualisation of their future selves. To change the daunting stereotypical image of cybersecurity, we industry representatives need to lead by creating a more realistic image of cybersecurity. Perhaps we could volunteer with foundational STEM institutes that cater to high schoolers and university students or produce interesting content about our cybersecurity journeys by writing or blogging. Company websites and job recruitment agencies should have clear representations of the diverse industry we work in.

Boys often get pushed towards maths and science subjects while girls are encouraged to take arts and humanities. STEM can be made fun for all children. Let’s take the simplest daily cooking routine - we can make it educational and fun by explaining how water evaporates when boiled and turns into ice when exposed to lower temperatures. I firmly believe STEM education needs to be promoted differently. Rather than being seen only as a pathway to high-paying careers, it needs to be seen as teaching valuable skills and core competencies that children need to acquire. STEM allows you to experiment and evaluate futurehowpositivelyobjectively,informationwhichimpactsourchildrenandleadersviewand navigate the world.

Lack of interest in STEM-based courses may come from adult suggestions (parents and teachers).

ISSUE 10 WOMEN IN SECURITY MAGAZINE 65

Images of women and men from diverse cultural backgrounds should be the face of advertising. These are some small steps that could make huge changes to the perceptions of cybersecurity in our society.

Question 4: WHAT WOULD YOU SAY ARE THE ESSENTIAL SKILLS NEEDED TO HAVE A SUCCESSFUL CAREER OR BUILD SUCCESSFUL COLLABORATION WITHIN CYBER? HOW MIGHT THE ESSENTIAL SKILLS REQUIRED CHANGE OVER THE COURSE OF A WOMAN’S CAREER IN CYBER? Shinesa Cambric

Question 3: HOW DO WE LOWER TRADITIONAL BARRIERS AND ATTRACT LATERAL THINKERS WITH DIVERSE EXPERIENCES TO WORK IN CYBERSECURITY?

Emily’s answer: It is now more important than ever to lower traditional employment barriers and bring more women—and more people with diverse experiences— into cybersecurity and keep them there. Traditionally cyber roles have required specific qualifications, industry experience and technical skills. An applicant needs all these to be successful, but missing from this traditional list of cyber requirements are other factors that contribute to success: an individual’s driving passion; the motivation to learn new skills; and the innovativeness that comes from having diverse experiences. It is common for women to have less confidence in their job role abilities than their male counterparts. This lack of confidence could stem from selfcriticism, imposter syndrome or from taking time away from a job to have a personal life. It is important for leaders and executives to embrace inclusivity, and to focus especially on getting women into the cybersecurity industry. Encouraging mentorship, showing recognition and appreciation and building a collaborative work culture are crucial steps needed to achieve these goals. Women wishing to make a career move laterally into the cyber industry should be able to seek advice from other professionals and receive correct information on how they can progress their careers. Workplaces need to provide benefits such as maternity leave, pathways for education and opportunities for career fulfillment. The most important initiative is to strongly advocate for the women who are helping to shape the future of the cyber industry.

Shinesa’s answer: Beyond getting women into cybersecurity, we need to support and equip women in ways that will keep them there. In 2020 it was estimated that women accounted for only 20 percent of the cybersecurity workforce. With the ever-increasing costs of cybercrime there can be a financial impact on businesses that fail to develop a strong and sustained pipeline for women to enter and stay in cybersecurity careers. Women are poorly represented in some cybersecurity career stages. This can discourage other women from striving for a successful, progressive career, not realising some of the essential skills will change over the course of their career. One of the most important skills a woman can develop and use throughout her career is a sense of empathy. Empathy can be a strong driver when it comes to identifying and solving problems and determining which solutions may work better than others. Having empathy also supports the ability to build relationships and diverse social networks, which are critically important foundations of a sustainable Incareer.addition to empathy, it is important for a woman to stretch herself, raise her hand for opportunities and be flexible in charting her career path. Having a bias towards action and accepting growth opportunities will help propel a woman to the next stage of her career, whether that be as an individual contributor or in a management role. This will enable her to build credibility and confidence as she takes on new

Emily Goodman

66 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

THE WOMEN IN SECURITY AWARDS ALUMNISERIES NEW TO 2023 thisWatchspace ISSUE 10 WOMEN IN SECURITY MAGAZINE 67

SO, HOW CAN WE AS AN INDUSTRY ATTRACT AND RETAIN WOMEN IN CYBERSECURITY?

CAREER PERSPECTIVES challenges. Then, as a woman continues to progress to the next stage of her career, it will be important she advocates for, and reaches back to, those coming up behind her and presents as an example of the leader she wishes to see. Finally, by being visible and celebrating success, both she and the women around her can further encourage other women to enter and stay in the cyber field so the pipeline continues to grow and the cycle continues. CONCLUSION Michelle Gatsi

cisa®-0480685www.linkedin.com/in/shinesa-cambric-cissp-ccsp-www.linkedin.com/in/emily-goodman-b9a023144www.linkedin.com/in/jayhirawww.linkedin.com/in/kavika-singhalwww.linkedin.com/in/michellegatsi

What is apparent to me, based on the different perspectives and insights provided above, and my own personal experiences, is that we as an industry have some work to do. There is no simple solution to this question because there are multiple issues in all industry sectors that we must address. We need to work together as an industry to build on its expansion and diversity, because diverse perspectives produce quality outcomes.

1. The key to career and relationships: be nice! You would think this to be common sense, but many people still have a cutthroat approach to careers and business. Here’s something to think about: the world is a small place, and it’s getting smaller. How does that small world see you? The world of tech is one of the most interconnected business communities on the planet. It is filled with the brightest minds, working across a global platform, interacting and connecting. Cultural and geographical boundaries are crossed in most

A career is a part of our lives which often defines us. It is, therefore, no surprise our relationships with our work colleagues play a significant role in our progression, achievement and self-esteem. The connections formed and built throughout our working lives shape how we view our industries, communication skills, goals and aspirations, whether those relationships were good or bad. My experience as a human resources specialist, director, consultant and personal career coach has enabled me to meet a great number of people with exciting minds who have offered many thoughtprovoking assessments of how we work best in groups and as individuals.

RELATIONSHIPS:ESSENTIALFOR CAREER SUCCESS by Richard Edge , CEO at Careerships RICHARD EDGE you a considerable advantage over others who do not take the time to invest in their relationships. In this article, I aim to share the tricks that will help you be seen and remembered. I’ll suggest steps you can take to perform these tricks. And I’ll show you how technology can help us better understand one another. Let’s get to it!

FOUR TRICKS AND STEPS TO IMPROVE YOUR CAREER RELATIONSHIPS

INTRODUCTION

One thing has always rung true: the importance of relationships in our working lives. Relationships are at the core of our personalities. People often forget this truth, whether they are C-suite executives or mid-level employees, or are just starting their career paths. Understanding the significance of how you approach those you encounter throughout your career can give

WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 202268

Employers look to bring in people who are exceptional communicators, who can work well in a team, take direction, and nurture their relationships. These soft skills are integral to good leadership. Organisations value people others can get behind and trust. We are all human and everyone wants a fulfilling career. But colleagues can determine whether people feel fulfilled in their work or are miserable and want to leave. Be the reason people stay. Be nice.

CAREER PERSPECTIVES industries and companies. This means there is much to consider regarding your interactions with others. Your reputation is built upon how you treat people, not just on the work you deliver. You want to be remembered for how you helped someone when they did not know what to do, rather than how you berated them in frustration. You want to be revered as a thought leader, not a curiosity squasher. You want to be the person people can say made them enjoy the work they did, made them feel inspired and feel heard.

Humility is vital in what we do and how we approach our relationships. No matter what stage you are at in your career you always have something to learn, even from people you may consider less experienced than yourself. Being the best at what you do will not get you half as far as being the best at helping and understanding those around you.

Below are three actions you can take to help build your brand.

Vision board Outline where you are and where you are going. You can write or draw this in a notebook or create a physical board with imagery. Platforms like Pinterest, Mural and Canva are great tools for collating ideas.

2. Personal brand – Do you know who you are and what people think of you? We often think we know what others think of us, but do we really know? Our perception of self is biased. It is based on what we already know about ourselves, the projections and assumptions we place on others, and how we want to be seen rather than how we are seen. I have used an outreach survey sent to one hundred people in my network to test others’ perception of myself. They were asked to send back honest, anonymous feedback so I could collate the data and get an accurate view of how I present to those I interact with. This was hugely beneficial. An exercise like this can help you think more positively about your abilities, adjust your mindset and achieve your goals.

Do you know what you represent?

Pick ten people and imagine how you make them feel and how they perceive you. Picking three words you think they would use to describe you is an excellent starting point.

ISSUE 10 WOMEN IN SECURITY MAGAZINE 69

CURIOUS ABOUT YOUR PSYCHOMETRICS? Get in touch to get a free report on your psychometric profile and start growing your network and relationships today!

4. AI in relationships: a strategic advantage and tips that get you seen

know that it’s now possible to run psychometrics via AI? This leading-edge technology is helping people better understand themselves, those they work with, the kind of individual they aspire to be and those they may be interviewed by.

70 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

The LinkedIn algorithm is a prime example. Want to know a secret? Applicants with the most connections working at the company they are applying to join will be boosted to the top of the pile. It pays to build insightful relationships with your potential future LinkedIncolleagues.loves you using LinkedIn. So, use it as much as possible. Write articles, share insightful information about what you do, add a personal touch to your content and develop your authentic voice to build your brand, engage and connect with your Andaudience.didyou

Appreciative enquiry The best way to discover how someone feels about you is to ask! Let them answer anonymously. You can use survey tools online that enable people to send feedback without revealing their identities. This means you will get an authentic response you can work with. Compare the results.

To round off this article let’s look to the future and see how we are progressing. Technology is evolving rapidly and bringing us together in ways we could never have imagined.

If you see a problem, you can adapt. This change could be as simple as adjusting the way you introduce yourself so you create a more significant impression. For example, instead of saying, “Hi, I’m Kate. I work in Operations,” you could say, “Hi, I’m Kate. I’m the person who always gives three solutions to a problem.” It stands out, it’s different and it makes you memorable.

www.linkedin.com/company/careershipswww.linkedin.com/in/richardjkedgeinstagram.com/careershipstwitter.com/careershipsltdwww.careerships.com

3. Market research, research, research… Market research is a tool we all have but not all realise the power of. Once you understand yourself and your brand, you can identify your opportunities. Research can be your friend. LinkedIn is without doubt the tool anyone looking to develop their brand, career or business should use. You can connect with your target network anywhere on the planet. If you want to know what people in your field are earning or what roles are potentially open to you, use LinkedIn. You can use manual research to assess tone, style, history and trajectory and see how you align. Doing this allows you to grow your network in relevant areas, build a community or land that dream role. Do your homework – three steps 1. Pick ten companies of interest on LinkedIn. 2. Connect with ten people in those companies. 3. Tell them why they interest you and what you can offer, and that you would love to have a chat. You never know what you will learn from them, or the opportunities you may find.

2023 AUSTRALIAN WOMEN SECURITYINAWARDS 12 TH OCTOBER Don’t Miss Out

As we recognise the importance of cybersecurity awareness, most of us feel the urge to do something that will help protect the companies we work for, the people we love the most, the countries we live in and the communities we belong to. However, even experienced security practitioners are often unclear about how to achieve this objective.

by Michelle Ribeiro , Cyber and Information Security Content Director, APAC

Attending business conferences, gathering with peers and like-minded people and sharing intelligence are crucial to strengthening our collective cyber resilience posture, preventing threats and minimising risks of attacks and breaches. But, despite the countless events and initiatives available for cybersecurity practitioners to share knowledge and collaborate, the low number of VOICE DESERVES TO BE HEARD

women talking about their practices and experiences is Ondistressing.theonehand, there is a lack of diversity and inclusion in the workplace to support women seeking to improve their professional performance and advance their careers in cybersecurity. On the other hand, many women lack the confidence to speak up about their achievements.

Australia’s spending in cybersecurity is expected to hit $7.6 billion by 2024, according to an AustCyber report. Cybercriminals are putting organisations under immense pressure with their high-level, sophisticated practices. Their activities are increasingly impacting businesses’ daily operations, limiting organisations’ ability to grow and critically affecting the lives of their clients and end users—us.

MICHELLE RIBEIRO

WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 202272

Speaking at cybersecurity conferences is an incredibly effective way for women in cybersecurity to support the industry while raising their profile and advancing their careers. However, one of the biggest objections event organisers face when approaching female executives to speak at conferences is the women’s insecurity and fear of not meeting the audience’s expectations. It is hard to believe, but most of these women are doing amazing jobs in their cybersecurity roles and delivering outstanding results for their organisations. Often, they have been referred to event organisers by their peers and the community. So, how can you recognise your successes and trust yourself to get up and speak? Whether you are a senior leader with considerable experience speaking at conferences locally and globally, a first-time speaker or someone who is just starting to consider speaking, there are many things you

EVERY

Companies around the world are investing billions of dollars to prevent and minimise cyber risks.

CAREER PERSPECTIVES can do to help women share and celebrate their

just starting to think about speaking, a great way to begin is by listing the career achievements you are most proud of. How did it all start? What did you do? How was your journey? What challenges did you have to overcome? What did you learn, and what would you recommend to others who are in the same position as you were?

Another great network to join and collaborate with is the WomenSpeakCyber LinkedIn group, run by Louisa Partridge and Louisa Vogelenzang. The Australian Information Security Association (AISA) also offers support for first-time speakers. You can join them and submit a paper for presentation at one of their conferences. Commercial event organisers are constantly on the lookout for inspiring speakers. On their websites you can register your interest in speaking. The most important thing is to recognise your own successes and achievements because there are many people interested in hearing what you have to say. Be proud of that! Share your successes with others. Be courageous: you will inspire other amazing women to do the same. Take one step at a time and keep going. This is how we improve security together and drive change. “The secret of getting ahead is getting started.”

It is important for women to embrace new challenges and understand they do not need to be a CISO or an executive manager at one of Australia’s Top 500 companies to do something meaningful that will support their community and drive change.

If you are a senior leader you can help uplift the women in your team by empowering, inspiring and supporting them. When you receive an invitation to speak you can ask the organisers if they have sessions for first-time speakers and rising stars, and if so, recommend someone from your team. You can also work in collaboration with your organisation’s internal communications and training teams to offer public speaking and media training for interested members of your team.

- Mark Twain www.linkedin.com/in/michelle-r656e6

Everyone loves an inspiring presentation. In fact, the best business conferences are those offering a balance of strategic and technical sessions combined with inspirational presentations from both senior leaders and rising stars. If you have achieved something you are proud of, rest assured you have a good story to share that will inspire someone.

Forprofessional achievements.firsttimespeakersorthose

ISSUE 10 WOMEN IN SECURITY MAGAZINE 73

There are many initiatives to support women who want to embrace the challenge of public speaking. The Australian Women in Security Network (AWSN) and the New Zealand Network for Women in Security (NZNWS) are networks that provide valuable membership benefits. They organise and run inspiring events that could be great starting points for anyone looking for speaking opportunities. They also offer many opportunities for women to advance their careers.

BENEFITS Flexible working options

If you are ready to join an innovative industry leader and would like to register your interest in working for Boeing, please click Apply Now.

• Extensive experience in stakeholder management including and influencing others through leadership interactions across a broad structure to build and maintain relationships across a network to effectively deliver security activities.

• Also, it is crucial in this leadership role to have a proven people management experience to provide coaching and development for others to maximise their You’repotential.collaborative and enjoy working in an innovative environment. You’re a problem solver by nature and want to join a firm that values the kind of people who reimagine the possible for their clients and stakeholders. Most importantly, you act with integrity and show care for the people you work with.

• You will have a proven record of managing multi-function relationships throughout major transformation and collaborating with multiple stakeholders across functional and technical skillsets to identify, build and maintain security capabilities or controls. Extensive abilities, and/or proven record of success, supporting and/or coordinating Information Security Governance to enhance to decrease repeat findings and issues, and make other process efficiency improvements.

SECURITY ADVISOR - P-8 POSEIDON DEFENCE AUSTRALIA SECURITY SERVICES (TRADES & SERVICES)

| BOEING

• Provide internal subject matter expertise on Australian Government IT & protective security accreditation requirements and how to interpret and implement policy.

• Proven, refined abilities and success in identifying and addressing leadership and stakeholder needs to overcome challenges and gain a positive result.

ABOUT YOU • 10 year(s) progressive professional roles involving information security and/or IT management. Bachelor degree preferred.

• Identify deficiencies, develop and implement corrective actions.

APPLY NOW WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 202274

• Demonstrating thought leader-level knowledge and/or a proven record of success directing efforts in driving execution of strategic priorities.

RESPONSIBILITIES:

• Collaborate with Enterprise specialists, project managers and S&FP team members on the development and maintenance of Personnel Security, Information Security, Physical Security, and Governance.

• Consult, advise and apply Government security standards, including but not limiting to the Principle Security Policy Framework (PSPF), the Defence Security Principles Framework (DSPF), the Defence Industry Security Program (DISP) and the Information Security Manual (ISM).

• Execute internal security controls through performance of compliance assessment reviews and self-inspections to ensure compliance with Government and company regulations and requirements.

APPLY NOW

We are presently seeking a talented Security Advisor to support the P-8 Poseidon for the security of people, information, property and operations based at RAAF Base Edinburgh.

Demonstrating extensive knowledge of, and/or proven record of success in, firm priorities, Network Information Security concepts, principles and standards and their application in a large enterprise environment, preferably for a global network of professional services firms.

JOB BOARD DEPUTY CHIEF INFORMATION SECURITY OFFICER (CISO) | PWC SYDNEY AUSTRALIA FULL TIME EXECUTIVE BUSINESS CONSULTING AND SERVICES AS THE DEPUTY CISO IN OUR NIS TEAM YOUR IMPACT WILL BE SEEN BY:

• Study assistance Salary packaging Employee Incentive Program Global opportunities

ADELAIDE FULL TIME ANNUAL BONUS BENEFITS

BRISBANE FULL TIME ANNUAL BONUS BENEFITS

APPLY NOW SENIOR SECURITY ANALYST | REA GROUP

ISSUE 10 WOMEN IN SECURITY MAGAZINE 75

SECURITY ADVISOR - MQ28A GHOST BAT | BOEING DEFENCE AUSTRALIA SECURITY SERVICES (TRADES & SERVICES)

• An additional day of leave just for your birthday APPLY NOW

RESPONSIBILITIES: Collaborate with Enterprise specialists, project managers and S&FP team members on the development and maintenance of Personnel Security, Information Security, Physical Security, and Governance.

• Because We Care program which includes volunteer leave and community grants, to ensure you have the opportunity to give back to your community

• Mentoring and development of junior security analysts to support their growth.

• Participating in internal and external security forums, working group activities to promote security concepts.

• Monitoring emerging security threats, providing recommendations and direction to management.

• Summer Fridays – time back to focus on your wellness every Friday afternoon from December through to March

If you are ready to join an innovative industry leader and would like to register your interest in working for Boeing, please click Apply Now.

• Generous and flexible parental leave offering for primary and secondary carers

• Hack Days for you to bring so you can bring your big ideas to life in a supportive learning environment

• Assist in the implementation of a security awareness training and education program to educate, refresh and motivate personnel to protect people, property and information.

• A flexible working environment, meaning we strike the balance of what you need and what works for the business (and yes, our leaders fully understand the benefits of working flexibly)

• Analysing and investigating security events, through monitoring of the REA environment.

• Conduct Communication Security (COMSEC) duties and responsibilities (including inventory, distribution and destruction), in compliance with Government regulations/requirements. Lead and perform Personnel Security to assist in obtaining individual security clearances/accesses for customer requirements.

If you are looking to work alongside some of the brightest and best in the industry – read on! The Security Operations (aka “Defence Against the Dark Arts”) team is expanding! Do you love investigating suspicious process trees?

THE SENIOR SECURITY ANALYST SUPPORTS THE GROUP SECURITY TEAM IN THE FOLLOWING WAYS:

• Global

• Employee

• Lead the adoption of security threat management capabilities throughout REA.

WE OFFER:

Salary

• assistance • packaging Incentive Program opportunities

We are presently seeking a talented Security Advisor to support the MQ28A Ghost Bat for the security of people, information, property and operations based at Brisbane.

• A hybrid approach to the future of work –https://rea.to/hybrid-working

• Drive continuous improvement of security detection and incident response processes by providing technical security leadership.

• Support for your mental and physical health and wellbeing via our ‘You Matter’ Program

MELBOURNE AUSTRALIA FULL TIME GREAT BENEFITS PACKAGE

BENEFITS Flexible working options

Study

Do you dream about finding C2 beacons in network logs? Do you want to work in the most diverse*, happiest* and least stressed* incident response team in Australia? Applications are open now, so get in quick and come see why we’re a great place to work.

• Contribution to automations that reduce alert fatigue whilst maintaining effective escalation of true positives.

• Empower a culture of safety, security and compliance across the business.

• Evaluate the existing data protection framework and identify areas of noncompliance to rectify any issues

• Work with leading educational designers

WHAT WE OFFER

• You will lead and own the development and delivery of Cyber Strategy, Business Continuity and Resilience Strategy, in collaboration with the CDO, ensuring alignment with the wider business strategy.

APPLY

WHAT’S IN IT FOR YOU?

• This role will provide the vision and leadership to proactively manage cyber and technology risk and build technology resilience in FSSI, by delivering a comprehensive management framework.

DATA SECURITY INSTITUTE

INCLUDES:

APPLY NOW WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 202276

ANY LOCATION PART TIME

THE KEY FOCUS OF THIS ROLE

If you have any questions about this role or would like a copy of the position description, please contact our recruitment team on centralrecruitment@foodstuffs-si.co.nz

As a Senior Leader, you will bring significant experience in developing and delivering cyber security and technology risk outcomes. You will have a proven record in driving and leading change, effectively able to lead and develop high performing teams and demonstrate solid business acumen. Along with your extensive project management capability, you will have excellent analytical and problem-solving skills.

JOB TECHNICALBOARDLEARNINGDESIGNER |

CHRISTCHURCH

• A really good on-site cafe

• Medical Insurance for you and your family after a qualifying period

If this sounds like the opportunity you have been waiting for please apply online now including a CV and Covering Letter.

CYBER SECURITY & TECHNOLOGY RISK MANAGER | FOODSTUFFS CANTERBURY NEW ZEALAND ON-SITE FULL TIME ABOUT THE ROLE:

• Strategic, technical and functional leadership for Cyber Security and Technology Risk • Subject Matter Expertise and thought leadership to develop cyber security, technology risk, and data protection.

• influence future cyber security training Use your your creative and technical skills

• A strong emphasis on continuous improvement in the operational space.

Do you have technical skills and the ability to build cyber security training labs? DSI is seeking a range of people who can create lab-based training focused on areas including Penetration Testing, Threat Intelligence, DFIR and SOC. This is a casual role working with leading educational designers to create the next generation of cyber security training.

• This newly created role, reporting to our newly appointed Chief Digital Officer, will work together with our leaders to ensure the future state of the Digital and IT team will enable us to deliver on our strategic outcomes.

Please direct enquiries to Nigel.phair@gmail.com NOW

• Promote a culture of data protection compliance across all business divisions

WHAT YOU’LL BRING

• Excellent work environment

• Competitive remuneration package including a company vehicle

• Make use of your spare time, get paid, and build out your CV

• Develop, implement and promote fit for purpose policies, standards and guidelines.

• Provide both technical and customer relationship handling mentorship to junior Technical Account Managers.

THE UNIVERSITY OF QLD FULL TIME ACADEMIC LEVEL A

WHAT WE CAN OFFER

• Lead initiatives that contributes to the success of the Advanced Services team and the company.

POSTDOCTORAL RESEARCH FELLOW (CYBER SECURITY) |

This is an exciting opportunity for a Postdoctoral Research Fellow to focus their efforts on developing their expertise and emerging research profile in their discipline. At this level it is expected that the incumbent will contribute to service and engagement roles and activities. This position will engage in postgraduate and honours thesis supervision, and support contract work and grant application development, industry research collaborations and other activities associated with the School of Information Technology and Electrical Engineering (ITEE) and UQ Cyber Security.

Working with leading researchers from UQ Cyber Security and CSIRO’s Data61, the Postdoctoral Research Fellow will gain access to state-of-the-art industrial control systems equipment through Data61’s facilities, UQ Energy Testlab, and specific domain expertise through collaboration with healthcare and energy research groups at ITEE..

APPLY NOW ISSUE 10 WOMEN IN SECURITY MAGAZINE 77

Primary point of contact for the dedicated account. Provide technical solutions to address customer issues. Centrally manage and prioritize customer issue to assure timely resolution. Reproduction of customer environments on lab Follow-upequipment.withR&D departments to resolve product issues.

AUSTRALIA FULL TIME REMOTE ROLE OVERVIEW: As a member of the Technical Account Support Team, you will use your deep understanding of network/security architectures and general knowledge about the current trends in the market to help promote product quality, while providing best in class solutions. You will work with research and development groups, sales teams and regional support teams in a fast paced environment. For this position, you have to demonstrate experience in participating in the postsales support escalation processes, which includes pre-sales experience, as well as strong customer facing skills particular in the telco and large enterprise space. This position requires strong oral and written communication skills. Oral communication skills include the ability to speak clearly and persuasively, to listen carefully to ensure full understanding of the situation, and to respond well to questions when dealing with both positive and negative situations. This position also requires the ability to write clearly to provide full information as well as to understand and interpret written Thisinformation.rolecan be based in Canberra, Sydney or Melbourne.

FIXED TERM POSITION FOR UP TO 12 MONTHS

RESPONSIBILITIES

TECHNICAL ACCOUNT MANAGER - SYDNEY | FORTINET

ABOUT THIS OPPORTUNITY:

• Update and provide guidance on new releases and features to dedicated Developaccounts.best practice deployment and troubleshooting methodology documentation.

The full-time equivalent base salary will be in the range $87,006.34 - $96,530.67 plus super of up to 17%. The total FTE package will be in the range $101,797.42112,940.91 per annum.

APPLY NOW

The following flexible employment options may be available for this role: Part time/ job share; some working from home; variable start or finish times; compressed hours; purchased leave; flex-time.

Responsible for tracking, maintaining and resolving incident reports and customer support requests.

• Exercise independent judgment in methods, techniques and evaluation criteria for obtaining results.

This is a Full Time, 100% FTE Fixed Term position through to 30 September 2023 at Academic Level A.

To discuss this role please contact Prof Ryan Ko (ryan.ko@uq.edu.au).

• Conduct periodic site visits for the managed accounts.

• Creation of technical documentation and bulletins to improve internal and external knowledge base.

LESSON 1: THE FINE AND FINICKY ART OF ESTABLISHING RAPPORT QUICKLY

Long before the idea of a career in information security or technology occurred to me, I trained to be a nurse. I knew that the better informed I was, the safer and more effective would be the standard of care I could provide. So I took to intensely studying anatomy, pathophysiology and pharmacology. I thought my understanding of diagnoses and of how various drugs should be used for best effect would be the most valuable things I could offer. So, when I began to practice, it came as something of a surprise to me that much of my time at work was consumed by learning the context of the patient and their family. I started to routinely grapple with questions such as “What sort of social support does the patient have?” “Will my patient reasonably be able to commit to the treatment we are suggesting when they go home?” and “Am I speaking using words that my patient understands?” Increasingly, these questions became less speculation and more an essential part of the job if I wanted to deliver effective healthcare. Consideration of people’s preferences, needs, culture and the context of their lives underpins the philosophy of patient/family-centred care in nursing.

FROM THE BEDSIDE TO THE CLIENT MEETING by Danielle Rosenfeld-Lovell , Consultant Security Testing and Assurance at CyberCX

Very early in my nursing career I realised spending a little time at the beginning of each shift getting to know my patients and their family could contribute substantially to making the shift go more smoothly. Committing time to creating a meaningful relationship with patients (or consumers) can be challenging when you have a backlog of tasks to plough through. Nonetheless, I found it took very little time to ask a couple of questions about things I could observe in the room when I first introduced myself, like a favourite toy or a book a patient or family member was reading. Depending on the situation, I might ask whether anything notable had happened that day (people find amazing ways to manage the boredom of being in hospital!) Whatever topic I chose, demonstrating genuine curiosity and buy-in, even if I had only a few minutes, could go a long way to establishing good rapport.

DANIELLE ROSENFELD-LOVELL

So, I would like to share a few lessons learnt from the bedside that I think could be usefully adapted to consulting with stakeholders, especially our clients.

CONSUMERTRANSPOSINGPARTNERSHIP

WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 202278

A notable aspect of providing clinical care is that consumers might have an understanding of an intervention that is inconsistent with the clinician’s intent. For example, a patient might think I am giving them an antibiotic when I am, in fact, introducing a small amount of saline into their vein through a drip to make sure the drip can be used safely. If I am not explicit about what I am doing and do not provide an opportunity for questions and information-sharing, trust and consumer engagement with treatment can suffer. In cybersecurity, you might assume that clients and stakeholders know why a security assessment of some kind is underway, but if you neglect to verify their goals you introduce the risk of delivering services that do not meet client expectations. Any seasoned professional working in a complex and dynamic field will know there is tremendous variation in individuals’ literacy in a specialist domain. For cyber security professionals, we recognise that this extends to the immense differences in the maturity of the security posture of organisations we provide services to. Probing questions such as, “What’s your understanding of this issue?” or “What are you hoping to get out of this?” can help you get an accurate understanding of the client’s needs. You are then much more likely to identify any knowledge gaps that might be making communication more challenging.

ISSUE 10 WOMEN IN SECURITY MAGAZINE 79

CAREER PERSPECTIVES

The term “managing expectations” has been done to death in corporate settings, but for good reason. Providing people with crucial information about what to expect and when to expect it can help them maintain a sense of control and limit the need for follow-up questions that could have been addressed at the outset. At the bedside this will often mean making a plan in direct discussion with the patient or their family which enables them to make choices such as when to see visitors or when to go for a short walk, if they are well enough. In the information security context, managing expectations is more likely to mean giving an indicative timeframe for the delivery of a report, or establishing an agreed frequency for the delivery of progress reports on a project. In both situations, frontloading some of these discussions into your initial interactions with a client can save everyone time and avoid uncertainty.

LESSON 2: MAKING SURE EVERYONE IS ON THE SAME PAGE

While there are as many approaches to client‑facing roles as people in them, I feel strongly there are some valuable takeaways from the healthcare industry that could be applied to information security consulting roles.

In a security context, making the effort to get to know a little more about a client and their business puts you in a much stronger position to work effectively with that client. Being curious might also give you access to important clues that can enable you to deliver more tailored and valuable security services.

LESSON 3: MANAGING EXPECTATIONS

While there are as many approaches to client-facing roles as people in them, I feel strongly there are some valuable takeaways from the healthcare industry that could be applied to information security consulting roles. Hopefully I have offered one or two ideas that might be useful for you. Finally, a crucial thing I took from my early career experience is that the people we serve stand to be our greatest allies, helping us produce something that has real merit. We are better off working together.

www.linkedin.com/in/danielle-rosenfeld-lovell

PARTING THOUGHTS

Fortunately I took an optimistic view. I have now been working in the penetration testing team in a large government agency for almost a year. It’s something I could never have imagined, but I’m enjoying every day. There were several reasons for my decision to switch professions. First, I read an article from a cybersecurity organisation saying, by 2026, Australia would need almost 17,000 more cybersecurity workers, and there would be a huge discrepancy been positions and people to fill them.

“The challenge in the IT and cybersecurity fields is to keep up with skills that are updated every day,” I had told them. “For me, who loves learning new things, this challenge is very interesting. There is absolutely no time to feel bored because I am always busy learning new knowledge.”

It was 2019 and I had made up my mind to leave my old profession as an Indonesian language teacher and pursue a new career in IT and cybersecurity. My siblings sounded shocked and sceptical. I did not blame them. It was a natural reaction. I had been teaching Indonesian as a second language for more than twenty years, two years in my home country Indonesia, four years in Singapore and 15 years in Australia. So, when I announced plans to embark on a completely different career, my younger siblings’ comments were inevitable. In contrast, the reactions of my husband, relatives and friends in Australia were 180 degrees different.

“Uh? Are you sure? Can you do it?” Those were the spontaneous comments from my younger siblings in Indonesia when they first heard about my plan to switch professions.

WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 202280

ENTERING THE CYBER WORLD AT A MORE MATURE AGE

by Shinta Benilda , Cyber Systems Administrator at Services Australia SHINTA BENILDA

They were very supportive of my decision to switch professions. “Good on you. It’s a good decision,” they said. To be honest, the differing reactions from my family members in Indonesia and Australia also played a part in my decision. On the one hand I was interested and excited to try a new career. On the other hand, I had my doubts. I was an Asian woman in her 40s who had never worked in a technical field. I had a bachelor’s degree in economic management and a master’s degree in Asian studies, but was I capable of making a career in IT or cybersecurity?

My first step to realising my new dream was to take Cert IV in Cybersecurity, followed by Cert IV in IT. Having spent decades in a non-technical field, learning IT was certainly not easy. But I was patient and enthusiastic, and sometimes frustrated. Moreover, I had difficulty understanding programming Ilanguages.remember spending hours in front of the computer writing code for assignments, but my program still would not run. I was completely stuck, not knowing what else to do. When my husband—an IT guy with a knack for programming—came home, he only needed two minutes to fix my code errors.

The second reason I switched professions was the belief I could find work in any state in Australia. As an Indonesian language teacher my job was very location-bound. Most language teaching opportunities are in Canberra, which has a diplomatic academy. In other states the opportunities are very limited: many Indonesian language programs at universities have been closed. In contrast, jobs in IT and cybersecurity are not location-bound. If one day I decide to move interstate, there will be job opportunities.

In addition, although I loved and enjoyed teaching Indonesian, I felt my career had reached a plateau and I could not progress further. I had taught in various places: universities, private companies and government institutions, and taught individuals, including diplomats, ambassadors, senators and the governor-general of Australia. There was nothing further I could, or wanted to, achieve. Therefore, switching professions to cybersecurity with its many opportunities was the best choice for me.

This further lowered my confidence. Was I cut out for this new field? Fortunately, my husband then said something that restored my confidence. “Not all IT people should be able to program because not all of them are programmers.” It was a simple sentence, but it lightened my heart. I became determined to do my best in my studies. Of course, the real test came after I finished my Cert IV. I applied to several places, and I got interviews but never managed to get a job because, apparently, for even an ‘entry-level’ job, you need to have one to two years’ experience in IT and at least an NV1 security clearance from the Department of Defence. When I finally got a call for an interview and test at my current organisation, I was thrilled. But my excitement faded as soon as I discovered my hacking skills would be What?tested.Hacking? Oh, boy.

This information opened my eyes and instantly sparked the idea of trying a new profession. I had been working for many years, but I still wanted to work for another 15 to 20 years. This article portended a bright future for cybersecurity. Many opportunities and avenues could open up if I chose to pursue a cybersecurity career.

CAREER PERSPECTIVES

YOU CAN TEACH AN OLD DOG NEW TRICKS

ISSUE 10 WOMEN IN SECURITY MAGAZINE 81

BREAKING DOWN EXTERNAL AND INTERNAL BIASES

To be honest, I did not immediately say yes to this opportunity. I consulted with my husband and mentor. They were united in supporting me to take the test. “Just go. See what happens. At worst, you’ll get rejected.”

For example, I was sponsored to take the SANS 401 course. Meanwhile, the challenge of working in cybersecurity is to maintain required skills that are changing daily. I love learning new things, so this challenge is welcome. There is absolutely no time to feel bored because I am always busy acquiring new knowledge.

Not all IT people should be able to program because not all of them are programmers.

The hacking test at my current organisation was a landmark event I will never forget. The three interviewers I met did not ask much. They just handed me a blank laptop with a simple command. “Go ahead. You can go crazy. You can break it.” Facing that pitch-black screen, I did not know what to do. As the minutes passed, I finally got up the courage to ask the examiners nicely. To my surprise, they were willing to answer my questions. They gave me little hints that allowed me to move forward step by step until I finally completed the test. I did not expect to pass. So when a large government agency called and offered me a job, I could hardly believe it. What made them choose me? My husband thinks the examiners may have seen a lot of test takers who gave up after two or three minutes. Or perhaps many test-takers were too proud to ask for help. So, in addition to testing ability, the examiners may also have been looking for persistence and the humility to ask questions when encountering obstacles. I have been working in my current organisation as a cyber system administrator for a little over a year. I am in the penetration testing team. I am enjoying my new profession, but, as with any job, there are pluses and minuses. On the plus side, there are many training opportunities available, so my knowledge and skills have increased rapidly in a short period.

Something else I initially perceived as a challenge was the large age difference between myself and my colleagues. I had to work with colleagues almost half my age. I thought, am I too old to be a newbie in this field? But as it turned out, starting a new career at a mature age has its advantages. Despite being older, a lot of work was delegated to me because I understood the meaning of responsibility. I always try to complete every task, not leave it half done. I do not rush out of the office to hang out with friends. Compared to millennials or Gen-Zers, I also have a longer attention span, which makes me more focused in long meetings.

These are the biases I must deal with and slowly try to erode. But the longer I work, the more I understand what needs to be done. The more I understand, the more confident and assertive I become in the workplace. I believe my decision to switch professions was the right one and will pay off handsomely in the future.

THE TEST OF MY LIFE

www.linkedin.com/in/shintabenilda

82 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

Another big challenge is countering biased views of me as an Asian woman. Some people believe Asian women working abroad usually work ‘only’ as masseuses, domestic helpers or cleaners. And I still lack confidence. I am a woman and an immigrant in this country. Will I be fully accepted? Am I capable of doing this job? Can I be as smart as other people? Am I smart enough?

INDUSTRY

PERSPECTIVES

CAN SCHOOLS STOP YOUNG STUDENTS FROM CYBERDISMISSINGCAREERS?

“We’re just talking about what we’ve achieved and what newcomers can achieve,” she explained, noting that the group has a mentorship program “and we get results.”

Imposter syndrome starts early, and so should advocacy of cyber careers.

84 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

by David Braue that invited attendees to bring their wives and children along. “We decided it was time to start something,” she said, and WITSEC was born. In a country where the women-in-cyber movement was still in its infancy, the group grew steadily on the back of a growing roster of speaking engagements, first in Hungary then, eventually, in other countries. An annual conference increased visibility further as did ongoing visits to schools and engagement with students.

C ybersecurity industry advocates long ago recognised that resolving the chronic skills pipeline would require early engagement with students but anecdotal evidence increasingly suggests that, by working together, schools and cybersecurity experts can successfully steer students into cybersecurity by enlightening them about the many possibilities it offers. Andrea Szeiler-Zengo, the global CISO for Swedish outsourcing firm Transcom, realised the significant potential of student outreach. In 2014 she cofounded Hungary’s first-ever Women in IT Security (WITSEC) association with a mission to improve representation and opportunities for women in the cybersecurity space. Now a board member of the Hungarian Chapters of ISACA and cybersecurity organisation (ISC) 2, SzeilerZengo remembers going to industry conferences

FEATUREadolescence.wellenough—issmartbecausecareersthatall-too-commonsyndrome—thebeliefwomencannotbuildincybersecuritytheyarenotorcapablealreadydevelopedin ISSUE 10 WOMEN IN SECURITY MAGAZINE 85

career they wanted. Girls were more self-critical, with 48 percent saying they were not very good at maths and 47 percent saying they were not very good at science. Some 53 percent said STEM subjects were “too hard for me” while, disappointingly, 41 percent said they did not see themselves as smart enough to pursue a STEMrelated career.

The proportion of boys expressing interest in engineering, computing or IT-related job was three times larger than that of girls, while boys were twice as likely to express interest in being data analysts whereThemathematicians.oronlyareagirlswere more interested in STEM-related careers was science, suggesting science jobs have achieved stronger brand recognition than cybersecurity and IT jobs. Those figures suggest that imposter

ALL TOGETHER NOW

“A lot of the focus needs to be in primary school, rather than waiting until higher years for students to make that decision,” noted Toni Falusi, the ACT project officer for Adelaide University’s Computer Science Education Research (CSER) program and president of the Information Technology Educators Association ACT. “It’s too late by then,” she continued. “We need to capture them early and encourage and inspire them in those early primary school years to develop capabilities and soft “Whileskills.they are good consumers, do they understand the nuts and bolts of how it works? Make it part of their life growing up, and I think that will help them to become cybersecurity and cyber aware.”

86 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

However, digging into the YouthInsight numbers reveals that the window of opportunity may be more open when girls are much

Althoughyounger.40percent of 14 to 17-year-old girls said they were not smart enough to do STEM subjects, just 12 percent of 12 and 13-year-olds said the same. Fifty five percent of 12 and 13-year-old boys said they were not smart enough for STEM subjects. Something, it is clear, is happening to the self-esteem of young people as they become teenagers and it is making boys more confident while making girls Ifless so.school programs can maintain the confidence 12-year-old girls seem to have in abundance, they could arrest the dive in interest that has plagued efforts to improve cybersecurity’s gender diversity.

A growing roster of school programs has proved successful in engaging those students who have recognised their intrinsic interest in cyber and STEM related fields and who understand the field is about much more than sitting hunched over a glowing screen. School-based cybersecurity events such as hackathons and capture-the-flag (CTF) competitions have become regular features on the schedules of high schools around the world, sharing calendar space with the likes of the recent Day of AI That nationwide US effort, designed by MIT and i2 Learning and recently replicated in Australia, aimed to help students between years three and 12 to appreciate the many ways artificial intelligence (AI) is infiltrating everyday life.

Cybersecurity authorities are taking a similar approach with programs like the US Air Force Association’s CyberPatriot, National Cyber League competitions, Hacker Highschool, Schools Cyber Security Challenges and GenCyber summer camps each taking a different approach to

Even as the number of cybersecurity-related school programs continues to expand, often backed by universities for whom the programs are a way of improving the skills of their future students, nationally consistent programs are steadily helping scale repeatable cybersecurity initiatives. Such programs are also providing critical mass for industry organisations seeking to turn successful student teaching innovations into forces for widespread industry change. For example, partnerships between cybersecurity association ISACA and Kenya’s Presidential DigiTalent Programme have helped link students, universities and potential employers.

engage students with cyber, STEM and other technology-related roles. However, the challenge with such programs is that they can be self-selecting, catering only to those students who are already interested in such areas.

Input from professional organisations like ISACA has helped provide crucial perspectives about the types of courses available to students, helping them shape their course decisions early in their university degree courses while they can still steer themselves towards cybersecurity if it takes their fancy.

“Most people used to hear about professional opportunities when they were already working,” explained Faith Wawira Nyaga, special programs director with ISACA’s Kenya chapter. “They would look at what courses they could take and maybe their boss needed to promote them or had asked them to have a particular certificate.” “But if that information is passed on early, it allows someone to plan their career nicely, to be able to see ahead and think about how to get prepared, as a recent graduate or student, to get there.”

FEATURE ISSUE 10 WOMEN IN SECURITY MAGAZINE 87

Converting girls from disinterested selfdoubters into self-confident learners who are at least willing to consider the merits of cybersecurity will take more time. Anecdotal evidence suggests the figures in other countries would likely show a similar spread and that increased visibility supported by targeted early intervention is consistent with improved engagement of girls with technical subjects.

I am a proud member of the Cyber leadership team at Woolworths Group and I love our stated purpose: We create better experiences together for a better tomorrow. I love being part of a business where even the smallest actions can form big waves that flow out through our people, through the community and shape the nation. We’re a business that employs more than 170,000 people, with more than 1,500 stores across Australia and New Zealand, serving more than 29 million customers every week with unwavering dedication.

The cyber threat environment has shifted significantly and remains challenging. Ransomware is soaring and a record number of zero-day vulnerabilities are exploitable in the wild. At the same time the regulatory and legislative bar continues to rise. Woolworths was specifically named as critical infrastructure in the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 which amends the Security of Critical Infrastructure (SOCI) Act 2018. In 2020 the Woolworths Group cyber team embarked on a new security strategy called Cyber 2.0 to provide an outcome-based retail cyber services capability,

TOMORROW

By Hanlie Botha, Cyber Security Leader

TOGETHER FOR A BETTER

Having a cyber strategy was awesome, but it was just the beginning of a journey. It’s a roadmap that does not guarantee the traveller will arrive at the desired destination. Executing and implementing a strategy is the hard part: where the rubber hits the road.

with an ambition: Cyber better together for a better tomorrow. Sir Winston Churchill had these wise words: “However beautiful the strategy, you should occasionally look at the results.”

That was where my passion for delivery, resilience, organisation skills and focus on results came in real handy. I played a key role in guiding and mobilising the squads around defining and managing key results, running effective quarterly planning sessions, setting up sessions and coaching on agile practices, reporting on progress and ensuring the strategy was implemented. It is only when a strategy is implemented that we close the ambition gap, and only when initiatives are well executed that we shift to the desired security outcomes. According to Fortune magazine, nine out of ten organisations fail to implement their strategic plans.

CYBER BETTER

HANLIE BOTHA

WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 202288

INDUSTRY PERSPECTIVES

ISSUE 10 WOMEN IN SECURITY MAGAZINE 89

Understanding the plans we make and the actions we take are an opportunity to leave a positive impact for the generations to come

Constantly innovating, to lead and expectationsexceed

1. Defined goals: Our cyber leadership defines yearly cyber objectives and key results (OKRs) that are directly linked to our strategy. All squads contribute to these OKRs, and their initiatives and day-to-day activities align to them. Our security outcomes are therefore front of mind in everything we do, and every team member has a stake in and responsibility for these goals.

Legendary baseball player Babe Ruth once said: “The way a team plays as a whole determines its success. You may have the world’s greatest bunch of individual stars, but if they don’t play together, the club won’t be worth a dime.”

3. Collaboration: Woolworths Group embarked on a journey towards an Agile way of working. We established 11 squads within our cyber tribe. We have quarterly big room planning sessions where all squads come together and plan their work and collaborate around interdependency between squads. Planning includes strategic work as well as operational work because we have cross functional DevOps squads to improve collaboration. We use Google Workspace in Woolworths Group. It makes working on documents, sheets and decks collaboratively super easy. We also use Jamboards, Lucidchart and Miro which are great collaboration tools, especially in our remote work setup.

Valuing that we are better together, with each other in partnership

Ourprioritise.implementation

I am proud of our success thus far and happy to share how we did it. As with most teams, there was much to do and people were working long hours, especially during the pandemic. We needed to find a way to ensure we focussed on activities that delivered the best outcomes and value. Managing a huge pipeline with limited cyber capacity was challenging. We needed transparency, visibility and the ability to success recipe had three basic pillars:

2. Measuring/showcasing: Without tracking progress we can all get side-tracked with daily activities and firefighting. Then, when we look back, we realise how far we have moved away from our plan. To avoid this we manage our work in Jira with initiatives, epics and user stories linked to OKRs to provide visibility of the work we do and the progress we are making towards achieving our goals. Showcasing our good work serves as a motivator. We do that as part of our Agile ceremonies, in cyber leadership meetings and in our cyber tribe meetings.

Our cyber team plays together with a clear game plan based on OKRs. Everyone is on the same page, doing their part towards better security outcomes.

Cyber better Together for a better Tomorrow

The 2022 federal election was a win for women candidates. The strong “teal independents” women really inspired me. I also realised that more women won seats, because more women than ever contested seats in 2022, rendering true the maxim “you have to be in it to win it”.

ABOUT THE AUTHOR

My career in information technology spans 30 years, working mostly in a predominantly male environment. Despite always getting high performance ratings, I sometimes still suffer from imposter syndrome: believing I am not as competent as others perceive me to be. I would stand back when honours were being given despite having played a pivotal role in the achievements. I do what a lot of women do — put in the hard work, deliver excellent results, but still doubt their ability to take on bigger and better roles.

www.linkedin.com/in/hanlie-botha-a84a50

Expand  your networks Gain critical insights Grow professionally Hone your leadership skills Empower the next generation Don’t miss out THE WOMEN IN SECURITY AWARDS ALUMNISERIES 90 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

We have executive commitment and support and the right tools for collaboration. Based on a recent independent review, we are making great progress in implementing our cyber strategy.

Like the women in politics, I wanted to be brave and throw my hat into the ring more often. Therefore I took the courage to write this article and tell you how proud I am about playing a leading role in security in Woolworths Group, one of the leading companies in IAustralia.appreciate the opportunities Woolworths Group has provided, and especially the opportunity to act as CISO whilst the incumbent was out of office. I will continue to push myself out of my comfort zone and seize opportunities to grow. I encourage all women to do the same because we need more women in cyber to tackle the enormous number of opportunities.

2023 AUSTRALIAN WOMEN SECURITYINAWARDS 12 TH OCTOBER Join our distribution list to be the first to know when tickets go on sale MissDon’tOut GET NOTIFIED

NICOLE STEPHENSEN

TALKING PRIVACY

I read a wonderful book a couple of years ago. It has impacted my work immensely, leading to frank and fearless discussions, moments of clarity around responsible stewardship of data (the personal stuff, the stuff about you and me) and innovative and elegant development of privacy-enhancing features in policy and technology. Yet it has nothing to do with privacy. Nothing and everything, apparently. I’m talking about The Art of Gathering: How we meet and why it matters by Priya Parker. Her premise is that getting together at a conference, in a boardroom, at a café, over Zoom, over Teams or even with a quick phone call has meaning and can be a powerful experience if we go about such activities the Justright way.days after finishing the book I had the opportunity to meet Parker at a leadership retreat for privacy professionals and experience firsthand her approach to gathering. Her message was simple but transformative: “We rely too much on routine and the conventions of gatherings when we should focus on distinctiveness and the people involved.”

The nature of my work has changed over the years. There was a time when erroneously sending medical records by fax to the local convenience store instead

By Nicole Stephensen, Privacy Maven and Partner, at IIS Partners of the local hospital was an all too frequent privacy breach. Email was not a common form of almost real time communication, and digitisation (of work, life, banking, socialising) was still a twinkle in the eyes of technologists. Fast forward to today and the focus of digitisation has moved beyond communication technologies to managed service provision, governance, the Internet of Things, all things social, insights and trends. All these applications of digital technology have one thing in common: data. Following the merger of my boutique consultancy, Ground Up Consulting with privacy consultancy IIS Partners in April 2022 my work continues to focus on the intersection of privacy and technology, where information security considerations are a huge part of the privacy discussion, and where both disciplines need a seat at the table to solve today’s wicked privacy problems. When we meet at that table we get the chance to hear each other and understand we share common purposes: to promote good decision making and prevent harm. Now, back to that book. I see three opportunities to acknowledge the distinctive nature of the privacy discipline and its significance, straddling as it does information security, data governance and risk in our organisations (and the people at the heart of

WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 202292

AVOID CONFLATING PRIVACY WITH SECURITY

It is important to answer both the privacy and the security questions that arise from the various technologies, programs, projects and initiatives into which we have professional visibility.

I am asking how we intend to collect and manage personal information, the kind of data I am most concerned about, in accordance with the law and with community expectations.

ISSUE 10 WOMEN IN SECURITY MAGAZINE 93

INDUSTRY PERSPECTIVES them all). These opportunities are: to avoid conflating privacy with security; to learn to understand the risk landscape; to use the correct terms for the stuff that matters.

When people representing our cities, companies, not-for-profits, innovators, vendors and platforms start talking ‘data’, I am often brought into these discussions (lamentably, often after a project is already well underway, but I will save the exploration of Privacy by Design for another article). By the time I take my seat at the table, data is likely to be the starting point for the conversation. What do we do with the data? How can we derive value from the data? How can we add more data to the data? Where the data is about a person or a group of people, my job is to ask, “What about privacy?” This is where it is vital the people being asked the question truly understand the role of a privacy consultant and do not misunderstand the question. When I ask, “What about privacy?” those at the table often hear “What about security?” The latter is a good question for security folks. How do we protect the data? How do we maintain its confidentiality, integrity and availability? But I am not asking those questions. I am not asking about processes or controls or about building a big fence, physical or digital, around what we want to protect (ie, the data or the systems and other infrastructure underpinning it). I am asking about purpose specification (what do we want from the data?), necessity (do we need all the data?) and proportionality (does the benefit of having and using the data outweigh the privacy risk?).

When we conflate privacy with security two things can happen: we end up focusing on securing the data, as if it and the infrastructure underpinning it are what we most need to protect or worry about; we lose sight of our primary objective, the fair and transparent handling of personal information pertaining to the community we serve.

Organisational risks include (but certainly are not limited to) poor information practice, compromised integrity of data or systems and non-compliance with the law. These give rise to outcomes such as regulatory scrutiny, penalties, cancelled contracts and brand damage. The lens through which organisational risks are viewed by many security professionals is often protective and inward-looking: it is focused on avoiding negative outcomes for the organisation. For privacy professionals, protecting the organisation from harm is a secondary motivator. Our primary aim is the prevention, reduction or elimination of organisational risks that are also privacy risks and where the outcome is harm to a person or group.

THE NEXT CHAPTER

www.linkedin.com/in/nicole-stephensen-privacymaven

To be seen as an authority in privacy it is important to use terms that are recognised or defined in law To do otherwise risks confusing the discussion and losing credibility amongst peers.

USE THE CORRECT TERMS

For anyone unsure what privacy harm looks like, it is worth checking out Dr Dan Solove’s taxonomy on the topic. This identifies multiple harms across four broad categories: information collection, information processing, information dissemination and invasion (Enterprivacy offers a great high-level visual of this taxonomy). Privacy risk, when viewed as “something that would cause real or perceived harm to a person,” becomes an outward-looking conversation focused on how organisational decisions impact the community we serve.

LANDSCAPE

Here in Australia, our Privacy Act 1988 and relevant state and territory privacy laws use the term ‘personal information’. New Zealand, Canada, Japan and China also use this term. Where security professionals are operating in the European Economic Area, Singapore or Brazil, the term ‘personal data’ should be used.

94 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

~~~ An earlier version of this column first appeared on 1 January 2020 in a Demystify Cyber guest blog series curated by Amanda-Jane Turner, author of Unmasking the hacker: demystifying cybercrime.

Take the term ‘personally identifiable information’ (PII) for example. This term is found in some key infosec frameworks, guidance and best practice documents such as those published by the US National Institute of Standards and Technology (NIST). However, it is not a generally recognised privacy term and is frequently used erroneously. Security vendors, managed service providers, auditors, recruiters and industry specialists should avoid using the term PII to describe information that identifies, or could lead to identification of, a person.

The preoccupation of organisations and governments with data and privacy awareness across disciplines continues to grow in importance in parallel with increasing digitisation, particularly where there are shared interests, such as information security. Empowering the colleagues with whom we share experiences (and professional obligations) will ensure we are able to meet their expectations in years to come. I have offered opportunities for vitalising privacy and celebrating its distinctiveness when security and privacy professionals share the table. Perhaps these opportunities can give rise to a larger discussion about how we can learn more from each other, compare dictionaries and refine our techniques for influencing good decision making.

LEARN TO UNDERSTAND THE RISK

10 Minutes to change the future What you say today shapes our future for tomorrow. Decrypting Diversity | An Inclusion, Diversity and Equity survey of the Australian cyber security workforce. KPMG.com.au© 2022 KPMG, an Australian partnership. All rights reserved. Have your say at: https://bit.ly/3AoyLre

In this article, she reflects on her experience leading the organising of the International Women’s Day event with other organisations that share the same objectives in their programs, i.e. increase the representation of women in the technology industry. Natalie who is a dual Australian-Filipino citizen, fondly connects her experience with a Philippine value known as Bayanihan, where a community/ group of people work together for a common goal.

BAYANIHAN FOR INTERNATIONAL WOMEN’S DAY

By Natalie Perez, SheLeadsTech Coordinator of the ISACA Melbourne Chapter the house. A whole house is a heavy load, but the community is in unison and its spirit is strong.

I felt the Filipino spirit of Bayanihan when we planned and ran the full-day International Women’s Day event on 7 March 2022. The event had almost 1500 registered participants, 1300 of whom attended. The virtual sessions also attracted participants from across Australia and elsewhere.

Natalie is the SheLeadsTech Coordinator of the ISACA Melbourne Chapter.

A house moving Bayanihan has a leader who provides instructions and leads the way to where the house will be moved whilst community members walk together, sharing the load of carrying and moving

NATALIE PEREZ

In September 2021, I started to think about programs and events SheLeadsTech Melbourne could offer in 2022 and which organisations we could partner or collaborate with. One of the initiatives that came to mind was International Women’s Day for 2022. Its theme, ‘Break the Bias’, aligned with SheLeadsTech’s purpose, vision and mission.

In the Philippines ‘Bayanihan’ means communal unity, people helping each other to achieve a goal without expecting reward. Bayanihan is a centuries old tradition in the Philippines. In earlier days, a common example of Bayanihan was house moving. Houses were ‘nipa’ huts made from light materials such as bamboo and coconut leaves and townspeople gathered to carry a house on their shoulders to move it from one block of land to another. Those people might have been either family members, relatives or neighbours.

WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 202296

www.linkedin.com/in/natalie-perez-74298436

INDUSTRY PERSPECTIVES

The core working committee with volunteers from SheLeadsTech Melbourne, ISACA Melbourne Chapter and ISACA Sydney Chapter was set up in December and commenced planning and organisation. With the Omicron strain of COVID being more infectious than other strains, and its effects still unknown, there was no certainty people would return to work in the central business district. So the decision was taken to run the morning sessions virtually and the afternoon sessions hybrid. Each group was assigned two slots and agreed to set extra allocations to have at nine sessions. The working committee reached out to people championing increased representation of women in the tech workforce and they offered books they had authored to be given as presents to speakers. The social media tiles and digital programme were published two weeks before the event, and the committee from SheLeadsTech Melbourne, AWSN and ISACA Sydney posted these across their social media pages and newsletters. The committee was also supported by their respective lead organisations: ISACA Melbourne, AWSN, AISA and One in Tech Foundation, which advertised the events.

Collectively, the sessions had approximately 1500 registrations, from Australia and elsewhere. These sessions included topics on the theme Break the Bias: presentations and panel discussions with CISOs, senior leaders, coaches and subject matter experts located in Melbourne, Sydney, Adelaide, Canberra, Auckland and elsewhere. Guidance to better understand and manage biases was provided and inspiration came from authentic and honest conversations with panel members.

Just like the spirit of Bayanihan, organising a full day event with 10 sessions for International Women’s Day is a huge load and lifting the load required a community of several organisations. I would not be surprised if we came together to do this again when the opportunity arises.

International Women’s Day is held in March every year. My experience with the 2021 event taught me that early planning is essential, in particular identifying the organisations with which we would like to collaborate to contribute something to the International Women’s Day program.

So, what was my role in the International Women’s Day event? I took the leadership role and I provided directions on how the event should be planned and organised. Before we started planning and organising this joint International Women’s Day event I had not known or worked with any of the committee members, except for Reshma Devi who is diversity director for the ISACA Melbourne Chapter and the AWSN chapter lead for Melbourne. Most of the members in the working group committee may have already known each other from previous initiatives. For me, leading the committee whilst knowing only one member was a breakthrough. It enabled me to shake off my belief that I could not lead a group of people I did not know. Should we do this again? My answer is – “Why not?”

I identified the Australian Women in Security Network (AWSN) as one of the organisations SheLeadsTech Melbourne would like to work with. SheLeadsTech Melbourne already had the collaborative relationship with AWSN from previous initiatives such as IWD 2021 and Go Girl Go for IT CyberEdition. I also thought of reaching out to ISACA Sydney Chapter’s leads who were part of the 2021 International Women’s Day event which SheLeadsTech Melbourne took part in.

ISSUE 10 WOMEN IN SECURITY MAGAZINE 97

In a post-pandemic world cybersecurity is more important than ever. According to a recent report by Kaspersky the number of Trojan-PSW (password stealing ware) detections increased by almost a quarter globally in 2022, to 4,003,323 from 3,029,903 in 2021. In addition, the number of internet attacks grew from 32,500,000 globally in 2021 to almost 35,400,000 in 2022. With cybercrime still growing massively, organisations of all sizes can no longer adopt a headin-the-sand approach and say they have no need to worry about it. Many in cybersecurity have an excellent record of collaborating, but the industry remains fragmented and siloed, which can leave organisations vulnerable. These silos often arise because of an outdated, silo based corporate structure that leaves an organisation vulnerable to data loss and business continuity disruptions.

WHY IS COLLABORATION SO POWERFUL IN CYBERSECURITY?

Collaboration with associations and other key stakeholders in cybersecurity globally can reduce the time between the discovery of new threats and the development and implementation of protection measures, enabling organisations to keep up with the ever-evolving threat landscape. Speeding up the delivery of threat intelligence is crucial for building a strong cybersecurity program, and vendors should work on making it as easy as possible to break down the silos between different security disciplines.

COLLABORATION IN CYBERSECURITY IS THE KEY TO COMBATTING THE GROWING CYBER THREAT HERE’S WHY

By Lisa Ventura, Founder – Cyber Security Unity

LISA VENTURA

WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 202298

There are many organisations around the world doing great work to help combat the growing cyber threat, but many remain isolated. As a result, the cybersecurity industry is often unaware of this great work. Greater collaboration between associations and entities in cybersecurity is the key to the industry being stronger and better at combatting cybercrime, but how can this be achieved?

BARRIERS TO SUCCESSFUL COLLABORATION IN CYBERSECURITY

INDUSTRY PERSPECTIVES

In the UK, associations and organisations such as the Cyber Security Alliance and the National Cyber Security Centre work together to foster greater collaboration. The newly created entity Cyber Security Unity aims to take this to the next level by joining and collaborating with trade associations globally. The ethos of Cyber Security Unity is that associations are stronger together when it comes to combatting the growing cyber threat.

Many non-profit organisations have already been established that aim to make cybercrime more difficult and less lucrative, and they already collaborate well on a global scale. Examples include the Cyber Threat Alliance, which takes threat information sharing to a new level in the hope it will lead to greater protection for the public against cyberattacks. This not-for-profit organisation encourages greater collaboration between cybersecurity organisations by enabling near real time high quality cyber threat information sharing amongst its members, and with the world.

There is often a misguided perception that cybersecurity means a lone person sitting in a darkened room wearing a hoodie and responding to the ’bad guys’. This image is not very appealing to those who are searching for a career focused on people and on being part of a strong team. The industry also needs to start talking about cybersecurity issues beyond ‘ransomware’ and ‘attackers’. Therefore, the industry must change its siloed perceptions. While a focus on these issues is understandable, there are many ways this focus can be expanded to other issues, enabling greater collaboration.

COLLABORATING BEYOND BORDERS TO HELP COMBAT THE GROWING CYBER THREAT

There are ofUsuallyperceivedtoworktheyworld,aroundothercouncilsassociations,cybersecuritymanyandgroupsthebuttendtoaloneandexcludeanyoutsiders.thisisbecauseacompetitivethreat.

Sometimes it is justifiable for organisations to keep their distance from others. But these important bodies could help combat the growing cyber threat by joining forces and working together.

Historically there have been many barriers to sharing threat intelligence. These can make collaboration difficult to implement at scale. For example, associations may be working on projects they deem strictly confidential, or that include information sensitive from a national security perspective. Vendors might use data formats or APIs that require plug-ins or proprietary tools in their commercial products.

ISSUE 10 WOMEN IN SECURITY MAGAZINE 99

The cyber industry must be at the forefront of such an approach. Communication is key to global collaboration, but caution should be exercised, because there must be a strategy in place. Associations need to join hands with everyone, to communicate effectively between different countries and organisations, and build this together.

THE ROLE OF GOVERNMENTS IN COLLABORATING WITH ASSOCIATIONS

space 100 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

Governments need to play a major role in achieving greater collaboration, but the industry associations that all operate in, and fully appreciate, the increasingly dangerous cyber threat landscape must take the initiative if real progress on greater collaboration is to be made. The digital world is borderless, and the attacks coming through are having a huge global impact. It may fall to these associations to educate governments on just how serious the cyber threat problem is, and on its potentially catastrophic impact. Once governments start working more closely with industry and treating cyber threats with the seriousness they deserve, they can develop the necessary global infrastructure to foster collaboration. For example, an international communication system could be developed to enable intelligence to be rapidly passed between governments and organisations in the same way as there are tsunami and terror warning systems.

Watch

FINAL THOUGHTS

Associations in cybersecurity joining up to work in a collaborative fashion would help establish a more sound, successful and strategic framework for cybersecurity. By making a conscious effort to improve information sharing globally, as well as through government and law enforcement agencies, the world would benefit from gaining intelligence and insights that would help strengthen defences against cybercrime. And that could only be a good thing.

www.linkedin.com/in/lisasventuratwitter.com/cybergeekgirlwww.csu.org.uk this

We are bringing you together to expand your networks, gain critical insights into the field, grow professionally, hone  your leadership skills and empower the next generation of security experts. The Alumni series will run from March through to June across states. Australian Ambassadors representing a breadth of Australian states

ALUMNISERIES

THE WOMEN IN SECURITY AWARDS

70 NEWTO2023 Watch this space

• “If you become aware that a cybersecurity incident has occurred, or is occurring, AND the incident has had, is having, or is likely to have, a ‘relevant impact’ on your asset you must notify the ACSC within 72 hours after you become aware of the incident. If you make the report verbally, you must make a written record through the ACSC’s website within 48 hours of verbally notifying the ACSC.”

www.linkedin.com/in/karen-stephens-bcyber

HAVE YOUR BUSINESS PROCESSES AND PROCEDURES ACROSS ALL DEPARTMENTS BEEN UPDATED TO ENSURE REPORTING OBLIGATIONS CAN BE MET? Your reforms need to be addressed holistically rather than with the traditional siloed approach. Cybersecurity cuts across all departments: finance, people and culture, sales, marketing, etc.

DOES YOUR BUSINESS KNOW WHERE TO START? As businesses look to incorporating changes to their risk management programs, a logical place to start may be IT asset management with the key asset

• “If you become aware that a critical cybersecurity incident has occurred, or is occurring, AND the incident has had, or is having, ‘a significant impact’ on the availability of your asset, you must notify the Australian Cyber Security Centre (ACSC) within 12 hours after you become aware of the incident. If you make the report verbally, you must make a written record through the ACSC’s website within 84 hours of verbally notifying the ACSC.”

youtube.bcyber.com.au/2muxtwitter.com/bcyber2karen@bcyber.com.auwww.bcyber.com.au

KAREN STEPHENS Karen is CEO and co-founder of BCyber, an agile, innovative group that works with SMEs to protect and grow their businesses by demystifying the technical and helping them to identify and address cybersecurity and governance risks. In 2021 Karen graduated from the Tech Ready Woman Academy’s Accelerator and the Cyber Leadership Institute’s CLP programs. Another month and another gentle (or maybe not so gentle) push from the government to get our cybersecurity house in order. Since 8 July we have been working under the newly amended Security of Critical Infrastructure Act 2018 (SOCI) Act. This is a great opportunity to move our cybersecurity discussions from the “it’s a technology problem” silo into the “let’s embed cybersecurity into the broader business risk program” to imagine working as one team to improve our cybersecurity. Here are a few points to get the conversation started.

COLUMN 102 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

DO YOU KNOW IF YOUR BUSINESS HAS NOW BEEN ‘CAPTURED’ BY THE SOCI ACT?

Improving security together register serving as a single source of truth accessible through a single secure portal. DOES YOUR BUSINESS KNOW AND UNDERSTAND THE REPORTING TRIGGERS AND REQUIREMENTS?

There will be some slight variations depending upon ‘criticality’ and ‘sector’, but, under the SOCI Act’s requirements for cybersecurity incident reporting:

The definition of what constitutes critical infrastructure has been expanded. The SOCI Act now places obligations on specific entities in the electricity, communications, data storage or processing, financial services and markets, water, healthcare and medical, higher education and research, food and grocery, transport, space technology, and defence sectors.

2023 NEW ZEALAND WOMEN SECURITYINAWARDS 2 ND NOVEMBER Don’t Miss Out ISSUE 10 WOMEN IN SECURITY MAGAZINE 103

By Travis Quinn, State Director at Trustwave not go to plan. While attitudes towards cybersecurity are maturing, outdated perceptions are still held at all levels of industry, government and academia.

WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022104

To many organisations, cybersecurity can appear to be a hindrance. This is unfortunate but understandable, because cybersecurity often does not contribute to their core business or does so only tangentially. Take a software developer as an example. The core business of the developer is to create high quality software that is fit for purpose and sell it to customers. Adding security features to the software or security oversight to the development process does not necessarily add to the value of the software for the customer. This is a bitter pill to swallow but is true across many domains in technology. In addition to not contributing to its core business, the value proposition of cybersecurity to an organisation is often vague. To some, cybersecurity is viewed as an abstract type of insurance: a sunk cost to account for when things do A CAMEL IS A HORSE DESIGNED BY COMMITTEE: ACHIEVING COLLABORATIONGENUINEINCYBERSECURITY

While it is convenient to blame the individuals holding those views, they are not at fault. In part, the blame rests with the cybersecurity professionals who have failed to convince them. As a security professional you have the responsibility to communicate and, ideally, demonstrate the value of doing security well. You also have the responsibility to highlight the risks of doing security poorly. The latter is usually much easier, but both are important.

Within an organisation both these responsibilities are best fulfilled through genuine collaboration and tending to the often adversarial relationship that exists between security and other parts of your TRAVIS QUINN

INDUSTRY PERSPECTIVES organisation. As someone external to an organisation (eg, a consultant), this is harder, but being candid with your clients is an excellent place to start. This article describes how we can best bring teams together and get our stakeholders to invest in security as both a process and an outcome. Through this type of genuine collaboration, we can change perceptions about security and be viewed as enablers, not blockers. The longest and bitterest rivalry in our industry exists between cybersecurity and IT. The objectives of IT are generally well understood; keep the lights on, provide users with access to resources and services in a timely manner and put out the fires as they occur. These objectives seem straightforward until you add security to the mix. Security people invariably introduce requirements and constraints, making the job of IT harder. Simple questions coming from security—like “Why are you using this version of this software?” or “Why are you not using this crypto protocol?”— can result in a significant amount of work and heartache for IT. From their perspective, some of these questions may appear spurious or may generate work that provides little benefit from a disproportionately large investment of time and effort. A common example of both these issues is poorly chosen treatments in a security risk assessment. What, to a security assessor, is one line in a table cell may represent weeks of work for IT. Here is another bitter pill to swallow: the IT team is justified in being sceptical. After all, who knows your organisation’s IT and infrastructure better than your IT team? That is a rhetorical question, no one does. With that in mind, integration and collaboration are critical.

The good news: the industry appears to agree, at least in principle. With the popularity of cross-functional approaches like DevOps and DevSecOps we are seeing the adoption of practices that can normalise integration across development, IT and security, as well as introduce efficiencies. This is a good thing. However, for many organisations these approaches are not feasible, which is ok because there are many pathways to good cross-functional cooperation. Regardless of how you run your business or your projects, there are a few things you can do to improve collaboration. Firstly, invite early and invite often. Cast a wide net when inviting relevant stakeholders to your meetings and workshops. If an invitee does not think they will have something to contribute or they are worried they will not get something out of it, then they will let you know one way or another.

ISSUE 10 WOMEN IN SECURITY MAGAZINE 105

Thirdly, do not do security in a vacuum. Cybersecurity is often described as a team sport, and that is a reductive but apt way to describe it. When this idiom is used in our industry often it is to describe enabling others in the security team to succeed. Of course, this is a good thing and something we should all aspire to, but the team is not security alone: if your goal is to win, it cannot be. Doing security in a vacuum can be avoided with simple initiatives. For example, know the architecture and networking experts in your organisation. Of necessity, these individuals have often developed a great understanding of cybersecurity and can help you fill in the gaps in your own knowledge. Lastly, do not fall victim to design by committee or groupthink. This concept stands in contrast to the rest and is worthy of a separate discussion. Calling back to the title, the expression a camel is a horse designed by committee dates from the mid 20th century. It describes a situation where the perspectives of all members of a group are incorporated in an outcome and, lacking a unifying vision, the outcome becomes compromised. In a security and engineering context this may manifest as an impossible set of requirements from too many stakeholders with weak scoping and

www.linkedin.com/in/travis-quinn1

Groupthink is a common problem in cybersecurity and is a danger to genuine collaborative efforts. It is a particularly easy trap to fall into early in your career or in an environment where you are less confident in speaking up. Combatting groupthink is largely about recognising that collaboration is not people pleasing and avoiding ‘rocking the boat’.

106 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

Anprioritisation skills.infamousexample of this is the F-35 Joint Strike Fighter (JSF), which ran over budget, over schedule and, arguably, underdelivered on its specification because the design team was trying to balance the requirements of all the arms of the United States military. In a highly critical January 2021 review of the JSF program, then acting US Defense Secretary Christopher Miller described the JSF as a “piece of [expletive]”. In psychology there is a closely related concept to design by committee: groupthink. Groupthink describes how the desire for harmony in a group negatively impacts the collective reasoning and decision-making ability of its members.

Secondly, get your stakeholders invested in the outcomes. Give them opportunities to have inputs and to challenge your assumptions, assessments and decisions. Where possible, you can also consider their objectives in your strategies and planning.

Things will not always go to plan, but with honest communication and engagement you can achieve the best possible outcome given the circumstances and carry forward the lessons learned to support your career.

Genuine collaboration comes from working with your teams and subject matter experts to achieve the best outcomes while factoring in requirements and constraints. At times this could mean disagreeing and having difficult conversations, but that is part and parcel of any collaborative effort.

In closing, collaboration in security is difficult and complex but ultimately rewarding. Doing it well is one of the best ways to dispel the unhelpful perceptions of cybersecurity that still linger, and to deconstruct adversarial relationships in your workplace.

A S A F O R M A L M E M B E R , Y O U R C O N T R I B U T I O N E N A B L E S U S T O B U I L D A N D S U S T A I N A S T R O N G E R F U T U R E F O R O U R I N D U S T R Y Connecting - Supporting - Inspiring M e m b e r s h i p s a r e n o w a 1 2 m o n t h c y c l e C o r p o r a t e p a c k a g e s a v a i l a b l e L e a r n m o r e a t a w s n . o r g . a u / m e m b e r s / j o i n /

• Identify • Protect • Detect • Respond • Recover PETER LAKE I PD R R WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022108

We love a good anagram or analogy and a good motivating slogan to bring us all together as the proverbial one team. You will have heard many over the years: Together Everyone Achieves More, The Example Always Motivates, and there is that timeless classic: “There is no I in team.” It implies team members use their various individual strengths for the good of the team and for the greater good, and the interests of the team come before the interests of the individuals. We see the rich diversity of teams today and celebrate the strengths each individual brings, delivering extra capabilities, synergy and energy to the team. An anthropologicalancienttextmade the point a long time ago: “If we are all eyes, where would the hearing be?”

By Peter Lake, Experienced Service Management Leader

THERE IS NO ‘I’ IN TEAM … BUT THERE NEEDS TO BE ONE IN YOUR ATTACK SURFACE!

Hang on – are you talking eyes, ayes, or I? In cybersecurity there is a plethora of frameworks covering many disciplines. The National Institute of Standards [NIST] offers one such, its Framework for Improving Critical Infrastructure Cybersecurity We remember it as I-P-D-R-R.

Women are excelling in cybersecurity because they bring to teams four of the vital skills and characteristics needed: curiosity, innovation, strategy and purpose. I see these traits in my own daughters every day, and in many of the amazing women studying cybersecurity with me who come from

Companies need to identify and understand what their intellectual property is, why they value it, and how they can protect that value. Across the company, the HR department needs to identify roles, which roles should have access to specific information assets, and build this into role-based authority. IT and security then pick up this matrix, link it to minimum privilege, structure the identity access management and manage the Active Directory. Identify is therefore much deeper than endpoint management, internet facing infrastructure patching and updates. Identify is not just a list of firewalls, servers and external facing IP addresses, it’s about identifying every filament and fibre of the organisation and the risks it faces.

ISSUE 10 WOMEN IN SECURITY MAGAZINE 109

INDUSTRY PERSPECTIVES Identify • EnvironmentBusiness • ManagementAsset • Governance • ManagementRisk • ManagementChainSupplyRisk Recover • PlanningRecovery • Improvements • Communication Respond • PlanningResponse • Communications • Analysis • Mitigation • Improvements • Management of Access Control • Awareness and Training • Data Security • ProceduresProcessesProtectionInformationand • Maintenance • TechnologyProtective Protect • Anomalies and Events • MonitoringContinuousSecurity • ProcessesDetection Detect

Everyone loves paper planes. We can spend hours making them, adjusting them and launching them into the wind. There is great anticipation and moments of hilarity observing where they go, how far they go and how well they fly. Purposeful strategy makes them fly better. In cybersecurity we cannot simply launch paper planes and hope they land in a good place. The NIST Framework unpacks the delivery mechanism for a purposeful strategy that builds a successful outcome.

Identify is where NIST starts, and where the journey starts for companies and individuals seeking to understand the attack surface. It is where our effort needs to be directed in the first instance.

The Identify phase, is vital. Everyone in cybersecurity is on a journey, but I suggest no one is where they want to be on that journey, and every day presents new and sometimes unimaginable challenges.

• Can I unsubscribe from all the promotional emails coming into my inbox? It’s sobering to consider these questions. As a parent, every time I hear the words “These people trying to scam me are so dumb, I don’t even have an account with that bank,” I know two things: the danger is ever present and there is a growing awareness of the risk. One mental walk-through exercise I give myself regularly is to imagine who I would most like to receive an email from, and the topic that would make me want to open it immediately. When I receive an email from that person, I inspect the XML header for a spoofed address. Even though it’s a trusted sender and I have good MailGuard software, I force myself to do that occasionally just to put it through the lens of my own personal risk assessment as a reminder of the constant threat.

110 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

• How many social media applications am I active on?

• How many things have I signed up for?

• How much personal information have I shared?

• How much fodder am I providing for any opensource intelligence bad actor to exploit?

So it’s quarter time and (dare we go for another team based analogy?) whether we are a champion team or a team of champions, everyone has, and is part of, an attack surface. So we need to work together to Identify what we are, what we value and where it is so we can have a purposeful strategy to get to the place we all want to arrive at. Indeed, there needs to be an I in TEAM! ABOUT THE AUTHOR Peter Lake is an experienced service management leader who has worked for Telstra and Cisco supporting Australia’s largest companies. He is completing a Master’s in Cyber Security at Edith Cowan University. www.linkedin.com/in/peter-lake-6b84a521

• Am I stripping all EXIF information (metadata) from any photos I share?

Curiosity, innovation, strategy and purpose are the ‘eyes and ears’ that make sure the Identify phase captures all the risk exposures. There is even room for the ‘ayes’ of the pen-testing ‘pirates’ (ethical pirates, of course). So, returning to our theme, individuals also need to assess and Identify their own attack surface.

diverse non-IT backgrounds. Everywhere you look, women are leading in cybersecurity. It is a great and refreshing change. Collaborative working requires everyone to be involved in the Identify phase.

Join our distribution list to be the first to know when tickets go on sale MissDon’tOut 2023 NEW ZEALAND WOMEN SECURITYINAWARDS 2 ND NOVEMBER GET NOTIFIED

Individuals involved in the scoping, delivery and signoff of a CREST International accredited service can now register with CREST. There are two parts to this process.

The CREST International website has a significant focus on connecting buyers of cybersecurity services

NIGEL PHAIR

CREST International now has five focus areas: vulnerability assessment, penetration testing, THE EVOLUTION OF CREST

CREST International started life in 2006 in the UK and has come a long way. It is now truly international with chapters run by democratically elected councils in Southeast Asia, the Americas, Australasia, the European Union and the United Kingdom.

WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022112

1) An individual provides basic information that allows CREST to identify them as a unique entity. As part of this process the individual will be sent the CREST code of conduct to read and electronically sign. The application is reviewed and the individual is issued a CREST ID.

ACCREDITATION OF INDIVIDUALS

By Nigel Phair, Chair, Australasian Council, at CREST International incident response, threat intelligence and security operations centres.

2) An individual provides additional information about skills, training, examinations and experience. CREST is seeking a better understanding of individual competencies as they relate to each accredited CREST member organisation. This information will be used to more effectively present skilled and competent teams to the buying community, governments and regulators.

CREST—an international not-for-profit, membership body representing the global cybersecurity industry— has been active in Australia for over 10 years and continues to advance to meet the demands of both buyers and suppliers of cybersecurity services.

CONNECTING BUYERS WITH SELLERS

CREST established a presence in Australia 10 years ago as CREST Australia. It was created with funding and support from the Commonwealth Government to provide assurance to organisations seeking cybersecurity consulting services. It focused initially on penetration testing. However the Australian chapter is now CREST Australasia. CREST Australia has become CREST Australia New Zealand, and has no connection with CREST International. It has not adopted the CREST accreditation standards and CREST ANZ membership does not confer membership of CREST International.

A core function of the site is to turn buyers’ engagement with the website into sales leads for members. CREST has developed a new buyer-focused Find a Supplier journey that takes organisations, many of whom may be unsure what cybersecurity services they need, through a series of straightforward questions designed to generate meaningful results from the member database. CREST continues to add to the Find a Supplier journey to improve its functionality for the buyers using it and to capture information about the buying community that can be aggregated and shared with members to inform their business development strategies.

TRAINING AND EDUCATION

JOB LISTINGS

INDUSTRY PERSPECTIVES with CREST member companies. The website puts members, the buying community and professionals seeking CREST certification centre stage with clear signposting on the home page and throughout.

For the first time members can log into the website with usernames and passwords. CREST members can edit details about their organisation including contacts, overall description, logos and banner images. They can also post links to content such as events and job vacancies hosted on their own websites using the careers and events tabs.

New contact and callback functions on each member page allow potential clients to contact members directly and these leads will be logged in members’ dashboards.

ISSUE 10 WOMEN IN SECURITY MAGAZINE 113

CREST has signed agreements with Immersive Labs and Hack the Box to provide free access for member companies. Immersive Labs will provide labs aligned to the examination framework, and CREST-accredited organisations will have free access to entry-level labs. These are exciting times for CREST. The changes to accreditation, the website and branding are the outcome of considerable member engagement. In Australia we run an annual CRESTCon event along with smaller member engagements. Exams are moving online making them more accessible and obtainable. There is a lot to do, and we welcome support to help create a secure digital world for all by quality assuring our members and delivering professional certifications to the cybersecurity Forindustry.more information visit www.crest-approved.org www.linkedin.com/in/nigelphair

Members who link from their pages on the CREST website to job vacancies posted on their own websites will enjoy an additional benefit. CREST will collate the jobs to which members link and present them on its website in a way that allows qualified individuals to browse those vacancies.

MEMBER DASHBOARDS

The race to the cloud is underway. When business resilience came under threat from the pandemic a shift to remote working meant many organisations needed the flexible, scalable networks made possible by the cloud. At the same time, new cloud-based technologies offered opportunities to drive innovation, automate and pursue new growth—or simply to save money and be more efficient. As these factors came together historical uncertainties about cloud drifted away. Yet, accelerated cloud adoption also exposed organisations to new business risks—especially potential security vulnerabilities.

Organisations should consider their security profiles against the backdrop of a range of issues, such as:

HOW SECURITY GUIDES YOUR PATH IN THE CLOUD

By Angelo Friggieri, Managing Director – Applied Security, at Accenture ANGELO FRIGGIERI

According to Accenture’s latest Future proof secure cloud report, on any cloud journey, security is the compass that guides organisations to navigate more effectively.

CHALLENGING TIMES

114 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

IF CLOUD IS YOUR MAP, SECURITY IS YOUR COMPASS

• Smart threat tactics—threat actors are quickly taking advantage of emerging technologies;

• Security analysis paralysis—or overengineering solutions to close a vulnerability gap.

Eighty percent of workloads could be in the cloud in the next few years, which means organisations should balance their security needs today with those of tomorrow. They should be ready and sufficiently agile to secure their existing technology footprint while being prepared to manage what lies ahead— wherever they are on the cloud journey. And they must often do so without the luxury of additional resources.

• Increasing attacks—Accenture’s 2021 research found an average of 270 attacks per company during the year, a 31 percent increase over 2020;

INDUSTRY PERSPECTIVES

secureFuture-proofcloud

YOUR SECURITY COMPASS Accenture offers organisations insights on how they can engage their security teams to adjust these routes, manage the risks and make sure they are on the optimal path to meet business outcomes.

How security guidesyour path in the cloud

ISSUE 10 WOMEN IN SECURITY MAGAZINE 115

The direct route takes organisations through some challenging terrain but uses the freeway to help fasttrack innovation. The scenic route takes organisations on a more meandering road through culture shifts and cloud complexity but picks up the benefits of business transformation along the way.

View the full report at insights/security/secure-cloud-future-proofwww.accenture.com/au-en/ www.linkedin.com/in/angelofriggieri

UNDERSTANDING THE ROUTE

Both routes will take organisations to their end goal but will produce different experiences. From a security perspective, each route is effective but has different risks and requires a different approach.

Accenture’s report identifies two routes—direct and scenic—that represent the extremes of route options commonly considered when moving to the cloud.

As we shift toward a more human-centric internet and embrace advances like the metaverse, security teams need to improve their cloud security competency and agility to clearly identify and respond to evolving risks. Security teams should be aligned with the business to be ready to protect their organisations and take advantage of cloud opportunities.

The Australian Women in Security Network (AWSN) recently held its first two Leader Forum roundtables as part of its Women in Security leadership initiative, proudly supported by the Australian Signals Directorate (ASD).

• The McKinsey & Company Lean in Report was discussed. It showed (page 8) that MEGAN KOUFOS

By Megan Koufos, Program Manager at AWSN societal level to better support mental health and manage burnout in our industry?

• What strategies/initiatives would you like to see to increase diversity in security leadership roles?

• Training the workforce and employers on how to embed a focus on diversity into organisation culture.

• Changing the mindset of interviewers who unconsciously have different expectations and apply different competency and experience criteria when hiring someone different from themselves. They should apply the same criteria to all applicants, regardless of gender, background or appearance.

This is a key question for our industry, and one faced by many organisations. The answer is: focus on what is working, where successful strategies are being implemented and then amplify those ideas and solutions across the industry.

• What practices/ideas/solutions could be implemented at a personal/organisational/ LESSONS FROM THE AWSN

The aim of the AWSN Leader Forums is to provide a space for women to come together, connect, discuss, collaborate and learn. They provide a platform for women in the Women in Leadership programs to discuss common issues, share ideas, ask questions and be inspired. Each forum begins with a presentation from a guest speaker. This is followed by several small group discussions, held simultaneously. Participants are free to join their topic of choice. All small group participants then come together to share what they have learnt.

116 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

FORUMSLEADER

Some of the key ideas and solutions tabled at the forum included:

HOW DO WE INCREASE DIVERSITY IN SECURITY LEADERSHIP ROLES?

• How do you maintain work/life balance?

The topics that garnered most discussion is the last two forum sessions were:

• Asking for a deadline and for managers to help prioritise work when it becomes overwhelming. These forums are a great opportunity to meet, share and collaborate with the incredible women leaders in our industry. Future forums will delve deeper into the topics above and will add the following:

BETTER SUPPORT MENTAL HEALTH AND MANAGE BURNOUT IN OUR INDUSTRY?

• There needs to be more support for women supporting women, and more mentoring opportunities.

WHAT ABOUT MAINTAINING WORK/LIFE BALANCE?

• Building a support network.

Some of the more practical activities for achieving work/life balance we discussed included:

• Career planning and career advancement. To find out more visit awsn.org.au www.linkedin.com/in/megankoufos

• Developing the confidence, and earning the right, to say no.

• Defining boundaries and seeing our time as important.

INDUSTRY PERSPECTIVES the percentage of women coming through the corporate pipeline is increasing but the representation of women decreases as seniority increases.

• Setting time in our calendars for lunch and breaks throughout the day.

• Work/life balance.

As they move up to more senior roles in leadership many women look to their more senior executives for role guidance. How their managers work (or never stop working) has an impact on their own work/ life balance. So, it is important for senior managers to demonstrate an appropriate work/life balance to those beginning their leadership journey.

• Owning decisions and not apologising!

• Making use of organisation-introduced initiatives such as 10-minute Monday morning meditations. People tend to take on responsibilities beyond those prescribed for their role, seeing a need to contribute to the organisation. This can be detrimental to their own work/life balance. All participants agreed that, no matter how hard it might be, letting others take responsibility for their roles and responsibilities is paramount for maintaining their own work/life balance. In situations where people are expected to take on other responsibilities, asking for priorities to be assigned to these is key to ensuring they do not burn out or become overwhelmed.

WHAT ORGANISATIONAL/SOCIETALCOULDPRACTICES/IDEAS/SOLUTIONSBEIMPLEMENTEDATAPERSONAL/LEVELTO

• Recognising we are sometimes our own worst enemies when it comes to working overtime, and being unable to say no.

• Companies need to believe that diversity is important and to really work on tangible solutions to increase diversity.

• Blocking out time for email so it does not become a drain on our time.

• Challenges and tips when returning to the workforce after a career break.

ISSUE 10 WOMEN IN SECURITY MAGAZINE 117

• There needs to be more opportunities to show role models from diverse backgrounds in different security roles. (“You cannot be what you cannot see.”)

By Veronika Lapushnianu, International Business Communications Trainer, Founder at GroupEtiq

WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022118

Examples of questions to consider when assessing an organisation’s culture are:

When company A acquires company B it is important to profile the organisational cultures of both to develop a successful communication strategy based on an understanding of values and cultures. This will enable both teams to understand what to expect from one another in a specific situation.

VERONIKA LAPUSHNIANU

Therefore, it is important to provide team leaders with transcultural communication skills that will enable them to assess how these differences play out in real situations, strategize responses before a conflict arises and create an environment of mutual trust.

During the past few years we have witnessed multiple mergers and acquisitions of cybersecurity companies. Australian and international enterprises are striving to become more competitive and increase their market share by strengthening their solutions offerings, innovating and investing in high potential startups and established corporations. Bringing organisations and teams together during and after an acquisition requires special managerial competence. Enabling collaboration, either on shortterm projects or long-term, can be difficult when there are conflicting work cultures. Different management styles and different cultural values can lead to frustration and costly outcomes when teams are under pressure to achieve common goals. Restructuring often produces new teams, the transformation of old processes and procedures, the adoption of new technologies and changed communication flows. It changes the dynamics of external cooperation with partners and customers.

AVOIDING A CULTURE CLASH WHEN BRINGING TEAMS TOGETHER

• What is the decision-making process? Who wields real power and authority? Are team members involved in important company decisions? Are people promoted based on merit or based on personal relationships?

For these organisations to cooperate effectively they would need to start with a self-assessment, consider differences and assumptions, understand how each team behaves and then create a communication strategy and plan.

Let’s assume company A has a ‘goal’ culture. In this organisation the key focus is on the task itself. There are reduced controls for faster decision-making, a lack of organisational structure, and teams operate in a highly competitive mode with the aim of achieving the company’s goals and mission. Everyone works hard to get the job done and this often leads to

burnout. Company B has a so called ‘soul’ culture. People and their happiness are the key priority.

ISSUE 10 WOMEN IN SECURITY MAGAZINE 119

Cooperation between company A and company B could be challenging in activities such as negotiating a mutually beneficial contract on time, hiring new talent that reflects company values, and successfully deploying a complex project with minimum variations.

INDUSTRY PERSPECTIVES • What are the social benefits offered? • What is an acceptable sense of urgency? • How is diversity promoted? • What does good customer service look like? • What is the negotiation style? • What does onboarding of new employees look like? • Is initiative promoted or punished? And, finally: what are the protocol and etiquette norms when addressing subordinates and company executives?

www.linkedin.com/in/veronika-lapushnianu

Trust is very important. Decisions are made slowly and require multiple inputs from team members. Communication flows are clearly defined. Feelings are more important than getting the task done.

HAVE YOU DREAMEDEVEROFBEINGA "This technological thriller is the hacker world having such global impact to the unsuspecting world that it makes you very aware the power within the web…” - Trevor, indiebook reviewer ORDER NOW

TECHNOLOGY PERSPECTIVES

QUEEN A AIGBEFO to drive breaches. This year 82 percent of breaches involved the human element.” And, according to IBM’s 2022 Cost of a Data Breach report, “Human errors, meaning breaches caused unintentionally through negligent actions of employees or contractors were responsible for 21 percent of breaches.” Clearly, we need to talk about Bruno and stop blaming Bruno for every mishap.

In the aftermath of cybersecurity incidents or data breaches, there is much finger pointing and blame assigning. Previously, the chief information security office (CISO) took the brunt of this, despite not having a voice at board level. Today, the CISO has a voice in the boardroom and users are in the hot seat, taking most of the blame for cybersecurity incidents.

by Queen A Aigbefo, Research Student at Macquarie University

WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022122

According to Verizons 2022 Data Breach Investigation Report, “The human element continues “WE DON’T ABOUT BRUNO.TALK NO, NO.”

Bruno is a fictional character in Disney’s animated movie, Encanto with the ability to see the future. He is one member of a family with magical powers who lives in a magical house. But Bruno is ostracised because he mostly predicts negative events and his family, and all the townspeople blame a series of misfortunes on him. Also, his magic is waning. So, everyone is advised not to speak his name. Family member Mirabel, the story’s heroine, goes against the wishes of other family members to seek out Bruno. As a result of her actions Bruno’s prescience is restored, he saves the family magic, and the town.

I like Bruno’s character, but how is this relevant to cyber security?

NO,

As a security community we must do better to improve security together and stop shifting blame. The blame culture distracts security defenders from uncovering the underlining reasons behind security incidents. Perhaps more trust and transparency are needed among security teams, including end users, to improve resilience and secure our perimeters.

As end users we are all Brunos: we collectively take the blame when primary attack vectors— social engineering or human error—are exploited by malicious actors to gain entry into our organisation’s network.

CYBERSECURITY BLAME CULTURE

It may be a tall order to understand user diversity, but it starts with acknowledgment of the need to do better instead of blaming users when security mishaps occur.

TECHNOLOGY PERSPECTIVES

Analysis of Bruno’s character suggests he may be neurodivergent, which would explain why he did not fit in with his family. At the 2022 RSA Conference Kelly Shortridge talked about how behavioural economics matters to infosec and how it is appropriate for security practitioners to understand why users are considered bad security decisionmakers. I concur with Kelly’s thoughts and wonder why end users are such a risk to security. I found a hint in Bruno’s neurodivergent nature. Neurodiverse people experience and interact with the world around them differently; there is no one ‘right’ way of thinking, learning and behaving, and differences are not viewed as deficiencies. Yet, as security practitioners, we are sometimes guilty of labelling end users’ as security illiterates because they view security differently.

www.linkedin.com/in/queenaigbefo

NEURODIVERSITY

BRUNO SAVES THE DAY

ISSUE 10 WOMEN IN SECURITY MAGAZINE 123

Bruno’s prescience showed that Mirabel might either destroy the family or remedy its troubles. It also revealed the steps she needed to take to save the family and the town. End users remain one of the strongest links in the security chain; they interact with the security features of business systems. The stress we experience as security practitioners trying to ensure all systems are secure transfers to end users when we demand security expertise from them. Like Bruno, our end users can save the day if we can understand how they react to the threats that gain their attention. Security defences compatible with the different ways people think can then be implemented to counter the most pressing threats.

On the one hand, we lump them into groups and provide them with basic security defence tools such as a thirty minute annual security training and awareness session. On the other hand, we hold them responsible when they fall for a phishing email or for other actions and non-actions that may have led to security incidents. We cannot demand security expertise from end users if we, as security practitioners, fail to build neurodiversity into implementing security defences. The world is still in recovery from the COVID-19 pandemic. Hybrid work is here to stay, and end users will always find interesting ways to work around security when they see it as a hinderance. Diversity in security involves more than simply recruiting diverse talent. The workplace comprises diverse end users’ interacting with the security defences we put in place. Do we need to flip the tables and include end users diversity to collectively improve our cyber defences?

A doption of DevOps and its securityrelated cousin, SecDevOps, has driven the most dramatic transformation in the way technology teams work together since the Agile Manifesto pushed iterative thinking into the mainstream.

WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022124

Yet there is still work to be done, with many companies still stuck midway through the cultural As DevOps steadily reshapes security culture, why not use its lessons to tackle DEI as well?

IF YOUR TEAMS CAN DO DEVOPS, THEY CAN DO DEI TOO

The changes brought on by DevOps have proved crucial as businesses push digital transformation to maturity. They have produced a new software development lifecycle (SDLC) cadence in which applications are deployed in stages onto a faulttolerant infrastructure that ebbs and flows according to changing demand.

Yet, while DevOps specifically applies to the SDLC its broader tenets also hold lessons for organisations looking to reset their culture and team-building processes with an eye to improving diversity, equity and inclusion (DEI). Many struggle to avoid hitting the same organisational speedbumps that regularly torment DevOps advocates. Despite improving maturity,

by David Braue Gartner expects three quarters of DevOps initiatives will still fail this year due to “issues around organisational learning and change.” Those issues include: failure to relate DevOps to customer value; poor organisational change management; a lack of collaboration across teams and silos; trying to do too much, too quickly; and having unrealistic expectations of how much change DevOps can deliver. They are slowly becoming less problematic as companies assimilate DevOps into their everyday operations.

“Regardless of how they define DevOps,” notes Puppet’s most recent State of DevOps report, “thousands of teams now have the ability to deploy software more safely and more quickly. … Many of the teams that are ‘doing DevOps’ well don’t even talk about DevOps anymore—it’s simply how they work.”

transition that DevOps involves: just under 80 percent of surveyed companies reported having a medium level of maturity in each of the past few years. According to Commonwealth Bank of Australia (CBA) executive manager for customer and banking core Simon Davies, breaking through to a fully optimised state requires change that has been difficult to achieve in the past. As the bank embraced DevOps to drive a major migration of its core SAP systems, Davies told the recent AWS Summit, “We needed to lower the barrier to experimentation to help us understand the shift and incrementally build that engineering muscle to support the leaner operating model that we’re striving for.” Although the process ultimately proved technically robust, one of the major issues with the rollout was pushing people to think differently about the way they work. “When you start to challenge the way people have historically done their jobs,” Davies explained, “you get some friction, sometimes quite a bit of friction. … We’ve all come up in this industry relying on a very predictable march of change and being able to rely on the accumulated knowledge of decades of experience in very fixed roles. “So, what we were pushing here, though, was step change, and it is uncomfortable. And I think you’ve got to be uncompromising in your pursuit of real improvement, but also very generous with the effort that you invest into upskilling and educating your people.”

FEATURE ISSUE 10 WOMEN IN SECURITY MAGAZINE 125

The results confirm that “diversity remains a deeply ingrained and complex structural issue that positive sentiment and intent alone cannot solve,” Robert Half director Nicole Gordon said. “Businesses must ensure they support their hiring efforts with a culture of inclusivity that values diverse backgrounds and perspectives.”

PUSH BACK AGAINST DEI PUSHBACK

Onecycle deadlines.infivedevelopment

In cases where employees harbour resentment to, or show disinterest in, DEI initiatives, it’s important to understand what aspects of effective cultural

For all the importance of ‘baked-in’ security, SecDevOps has already been credited with slowing down the SDLC by requiring regular security tests that often take hours. This creates intrinsic conflict with natural deadline pressures and, in many cases, motivates developers to skip security scans to meet release

That’s all well and good, but what do DevOps and SecDevOps have to do with DEI?

126 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

DEI IS YET ANOTHER CULTURE CHANGE

That is not a great result for an essential cultural change whose financial and cultural value to the business has already been well established.

As it turns out, many of the cultural issues that impede DevOps also emerge during DEI migrations, and they stem from similar issues that lie in wait just under the surface of any major organisational change, ready to emerge at the least opportune moment.

managers surveyed in a recent Contrast Security study said they often skip security scans to meet release cycle deadlines, with 37 percent saying they did so sometimes and 29 percent occasionally. Only 16 percent of respondents said they prioritised security over release deadlines, proof positive that arbitrarily imposing SecDevOps discipline on a team that has other conflicting goals is a recipe for disaster. Similarly, simply stating that DEI is an organisational priority is far from enough to make it work within organisations.

One recent Robert Half survey, for example, found that while 42 percent of respondents believe DEI programs have increased their company’s diversity, 41 percent believe they have not had any impact, and 16 percent believe the programs actually decreased diversity.

“However, large portions of our industry led with a focus on technology without setting out to change the way work happens, which is—fundamentally—culture.”

When that happens the results are predictable: in the DEI context experts now recognise that poorly managed change initiatives often face ‘DEI pushback’, a form of institutional inertia that can trip up even the most well-intentioned DEI efforts.

“In the face of the COVID-19 pandemic and a worldwide reckoning about racial injustice, many organisations have taken action to engage with social issues that were previously avoided at work,” Gartner research specialist Trisha Rai and senior principal for HR research Caitlin Dutkiewicz write, commenting on a recent Gartner survey in which over 31 percent of employees said DEI had gained more attention within their organisations over the past two years. Forty four percent of respondents said a growing number of their colleagues feel alienated by DEI programs within their company, with 42 percent calling those efforts divisive and a similar percentage saying they resent

“‘Culture’ talks in which speakers explore the roles of empathy, trust and psychological safety have always been a part of the DevOps movement and corresponding events,” Puppet’s report notes.

That means leading by example, measuring progress against evolving goals, promoting diverse employees, working to eradicate potential biases, creating a culture of safety around expressing myriad viewpoints and seeking out diverse voices during decision making. In many ways, those strategies echo similar obstacles that proponents of DevOps have had to overcome in changing the dynamics of something as fundamental as software development processes and, more recently, the integration of security into those processes.

DEI “Failingefforts.toactively

address pushback can mean losing progress with DEI,” the analysts note, warning of alienation or backlash towards marginalised employees and, at the organisational level, decreased workforce engagement and inclusion, potentially driving increases in employee attrition.

As important as the fact that such resentment exists is understanding why it exists, which helps managers appreciate what they can do about it. Gartner divides anti-DEI sentiment into two key categories; perceived threats to individual identity, and to social identity.

Managers should also foster empathy for marginalised groups by inviting employees to engage with DEI efforts and by building awareness, including building safe spaces that “allow employees to make mistakes and ask uncomfortable questions [about DEI issues] without feeling threatened and without putting the burden of educating them on marginalised employees.”

change are hindering the transition and to implement policies to address them so security practices can improve overall.

It advises HR leaders to learn to recognise three types of pushback: denial, disengagement and derailment.

Such strategies are often unconscious responses to employees’ feelings of disempowerment, disenfranchisement, or what they see as reverse discrimination. Managers must, Gartner advises, actively communicate with hesitant employees to understand those feelings and head off potential problems they may cause.

FEATURE ISSUE 10 WOMEN IN SECURITY MAGAZINE 127

TEAMS COMING

WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022128

Building, developing and maintaining a champion team is a delicate balancing act. Great teams are like delicate houseplants: they need nurturing, care and attention. Sometimes a little, sometimes a lot. An experienced CISO was brought in as a ‘safe pair of hands’ to develop our cybersecurity team. He in turn brought in an experienced security architect and a security governance risk and compliance (GRC) consultant. Their combined experience was important for setting strategy and direction for the team and, crucially, for developing trust with our board, executives and other teams. The members of this cybersecurity team had a great breadth and depth of security experience across many organisations, so nothing really fazed them. Experience matters, especially in greenfields environments. People who have ‘seen it before’ and have a few battle scars are good mentors and guides. It is also important for a greenfields team to have members with experience in the organisation it serves. Although our new CISO, architect and GRC consultant knew security inside out, they did not know the organisation. Every company has a unique culture and idiosyncrasies. Including existing employees who had both security experience and experience of the company helped the new

TOGETHER by Christie Wilson, Cyber Resilience Manager at UniSuper CHRISTIE WILSON

‘Better together’ is a core value of the company I work for. It underpins everything from the way we show up for work and the way we drive innovation and solve problems together, to the way we celebrate the good times and support each other in the challenging times. We even run ‘Better Together’ training to further strengthen the company culture and to improve trust and communication at every level. Everyone, including executives and individual contributors, participates in the training. This ethos also underpins the security community. Whether you are new to security or have been working in the field for many years, you will generally find a strong focus on people coming together to keep each other, their businesses, their loved ones and their communities cyber safe. Technology is ubiquitous. Most of us use it daily to send emails, check social media, read the news or buy something online.

Five years ago I was given a gift: the opportunity to join a greenfields cybersecurity team. It’s not every day you get to be part of a team at its inception. If you are ever offered this opportunity in your career, I’d encourage you to grasp it with both hands. You’ll be excited, challenged and scared (often at the same time), but you’ll never be bored. I guarantee it.

ISSUE 10 WOMEN IN SECURITY MAGAZINE 129

Diversity in age and cultural experience is important too. Our team members include people with ages ranging from their 20s to their 50s. The generational and cultural experiences of each team member are invaluable when we are developing cyber awareness content. This diversity also produces some amusing moments. Recently, I saw a fleeting look of confusion on a team member’s face when I casually mentioned I had seen the original Top Gun movie shortly after its release in the 80s. Every team will go through a forming-stormingnorming-performing cycle following its formation. This is normal and healthy, and when it works helps achieve the goal of creating a champion team rather than a team of champions. There are no shrinking violets in our security leadership team and we have had our fair share of storming. But the important achievement was that we created a safe environment in which we all feel comfortable when challenging each other. Psychological safety allows people to bring their whole self to work, which is important for team building. So, diversity in skills, experience and backgrounds is important. But for me, the attributes that make our team a champion team are: we all genuinely like each other; we want the best for each other; we support each other. We’re a family, some days a dysfunctional family, but a family nonetheless. We celebrate our wins together and support each other through our losses. And that is what makes us better together.

TECHNOLOGY PERSPECTIVES employees navigate the social norms and ‘ways we do things around here’. As the team grew we looked for people within the organisation and from the wider security industry to join us. Team members from the IT department with complementary skills sets including service desk, networking (the technical kind), servers and storage joined our security operations and identity and access management teams. Many people with technical skills have a great foundation from which to pivot into security. Their skills may also enable them to progress their careers within the team. One member of our security operations team moved into the security architecture team after a year or two. Most industries are tight-knit communities, but none more so than security. I am always amazed by the number of people I know in the field. Attending an industry event with my teammates is akin to watching the Kardashians at the Met Gala. They know everyone, and everyone knows them, a great asset when building a greenfields team. Our CISO brought in our security architect and GRC consultant, who recommended people they knew. They in turn recommended people they knew. Network contacts do not guarantee entry to an organisation, but networks and personal recommendations do count. Business skills are also essential for any team, but especially for highly technical security teams. Security experts have deep knowledge in their chosen technical fields, but often need complementary skills to help communicate their deep knowledge to the business. Security may be the most important thing in the world to security teams, but I guarantee the rest of the business considers security dry, boring or a hinderance, if they even think about it. So, having skills in the team able to win hearts and minds in the business helps.

www.linkedin.com/in/christie-wilson-9135317

by Sara Moore, Cyber Threat Intelligence Analyst SARA MOORE inbox and notice a sudden increase in the number of emails arriving into a folder dedicated to a threat sharing group of which you are a member. It is where analysts like yourself from across your industry share interesting issues. You open the folder and skim the subject lines of the emails. You discover one of your peers has seen a spoof text message on the phone of someone in their c-suite. The message is targeted. You take a deeper look at the conversations between your peers to get a better sense of what has Onehappened.ofthe emails contains a picture of the text message. It looks generic but you remember from yesterday that the vulnerability management team highlighted a new security update for iPhone related to WhatsApp. It was mentioned on a team call. You decide to email the vulnerability management team and the security operations centre (SOC) to enquire about the vulnerability and share information about the targeted messages mentioned in the threat intelligence sharing group.

Threat intelligence would not exist if there were not some element of gathering information from a source and sharing it. It needs collaboration at its very core to work effectively, right from working with others within an organisation to better understand requirements, to developing intelligence sources to better serve those requirements. It does not matter what kind of classification it is. Working with others is essential. Cyber threat intelligence is as quick fire and tactical as you can get on an everyday basis, but taking a step back from the tree to see the woods is where analysts begin to join the dots and produce more thoughtful reports. The kinds of techniques that help analysts see to the heart of a matter, forecast better and think like the enemy also benefit from team analytical sessions, not just individual focus time. Good threat intelligence would be nothing without

WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022130

WOULDINTELLIGENCEBE

NOTHING WITHOUT COLLABORATION

Imaginecollaboration.youareacyber threat intelligence (CTI) analyst. It’s a Friday morning and everybody is looking forward to the weekend. You browse your THREAT

“Well although he clicked on the link it was immediately blocked thanks to the work of the SOC.”

They respond telling you the software on your organisation’s phones is not up to date, but the C-suite’s phones are being upgraded first. SOC staff say they will let you know if anything comes up on their logs. They ask for any indicators of what they should monitor and block. There was nothing specific in the email, but there is a phone number and a domain address. You pass these over and decide to do some research into the indicators. First you visit an online website full of malware information contributed by people all over the world. When you input the domain, it leads to associated URLs and IP addresses. Further investigating the URLs and the domains, you discover a number of files that have been downloaded from these sites, which give you a new avenue to explore. After digging around for several minutes you discover related infrastructure information in an online threat intelligence report published by a well-known organisation. This report details the operations of a significant advanced persistent threat (APT) group based in an Asian country. After recording your findings you share the information through email with your team. One of your colleagues has specialist knowledge in Chinese APT group activity. They call you to provide further information on how this particular APT group behaves: their tactics, techniques and procedures, and their likely pattern of attack. You share with your SOC the technical data generated from your research explaining that the spoof text message may have come from a known APT group. You then share the same information with the threat sharing group that alerted you to the attack.

Before the day ends your SOC tells you there has been no activity in the logs related to the indicators of compromise you shared. However, the organisation that received the spoof text message tells you it has been able to block several malicious connections based on the information you provided. Then your manager calls. “The CEO has just had one of those messages” he says. You groan.

ThePhew!power of threat intelligence lies not only in how it enables you to assess and analyse information but in how you share it. Threat intelligence would be nothing without collaboration. www.linkedin.com/in/sara-moore-698594168

131ISS UE 10 WOMEN IN SECURITY MAGAZINE

TECHNOLOGY PERSPECTIVES

“What’s the damage?”

BASED ON THE PAST, THE PRESENT AND THE FUTURE

The threat landscape shifts quickly, local and global legal and regulatory requirements change, technology advances and the risk profile of organisations adjusts based on a changing operating environment. In this dynamic environment, security can be improved through the power of collaboration. Timeframes can provide the scaffolding for focus areas that can be examined to facilitate this improvement.

THE PRESENT

Information/cybersecurityvictim.audits and assurance activities validate processes and practices within

by Marise Alphonso, Information Security Lead at Infoxchange MARISE ALPHONSO an organisation and their alignment with policies and standards. Audit results confirm the fulfillment of requirements to meet stakeholder expectations. They highlight potential areas of risk, and identify non-conformance that indicates where changes across people, process and technology can benefit an organisation. Security auditors, both internal and external, play a pivotal role in assessing the security performance of an organisation and where improvements are required.

IMPROVING SECURITY

WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022132

The 2022 Verizon Data Breach Investigations Report (DBIR) and the recent Notifiable Data Breaches and Scamwatch reports outline current threats and the attack vectors used to compromise individuals and organisations. The 2022 DBIR indicates no organisation is safe without a plan to handle phishing, the use of stolen credentials, exploitation of software vulnerabilities and botnets: the prevalent means of compromise. Work put into analysing patterns from security incidents, data breaches and scams is essential to provide the security industry with insight

The information security industry is dynamic.

THE PAST

Previous security incidents and data breaches offer a rich source of data points from which to gain valuable learnings. They provide a chance for stakeholders in an organisation to reflect upon where improvements could be made to prevent recurrence, or to improve security practices. In addition, incidents that produce significant organisational impact provide lessons for other organisations on how they can improve their practices to avoid falling

www.linkedin.com/in/marisealphonso

ISSUE 10 WOMEN IN SECURITY MAGAZINE 133

The ‘Do’ component of the Deming cycle requires security teams within organisations to constantly perform activities that keep the pulse of an organisation’s information security heartbeat regular. This may mean running security awareness initiatives, oversight of threat and vulnerability management activities or initiating user access reviews for key IT systems and services. To quote Aristotle, “We are what we repeatedly do. Excellence, then, is not an act but a habit.”

TECHNOLOGY PERSPECTIVES into where efforts must be focused and resources prioritised. Security researchers and data analysts are key players in global efforts to improve security.

The bottom line is that maintaining and acting upon the entries in an information security calendar contribute the small steps that over time lead to an improved security posture.

THE FUTURE ISO/IEC27001, an international standard on information security management, outlines the governance requirements for effective information security practices. Clause 10 of this standard is titled ‘improvement’. Organisations must confirm that their information security governance practices facilitate improvement. These practices can take the form of processes to understand the potential impact of external changes on the organisation’s operating environment and stakeholders’ needs. These processes might include scanning for mega (global or national), macro (industry or sector) and micro (organisational) trends that could impact information/cybersecurity requirements. The main point in looking to the future, in this instance, is to allow for effective information security risk management when the likelihood of a risk eventuating, or the impact of that risk, changes. This risk management should then facilitate riskbased decision making and resource allocation to address identified risks.

Celebrating successes within the security team or broader organisation on completion of projects or successful incident response activities provides the momentum to keep moving forward on the continuous improvement path. Doing so also assists in creating a security culture and the necessary behaviours that maintain security as everyone’s responsibility.

Embedding a learning culture within the organisation by encouraging professional development, attendance at conferences or professional association events is another future-focused improvement point. Learning is required within the information security domain and across all capabilities and skills required by the organisation in fulfilment of its mission. In looking to improve information security, it is helpful to look through the lenses of the past, the present and the future. In doing so, we glean insights, collaborate and look to the horizon to determine how best to move forward.

WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022134

INSIGHTS ON COLLECTIVERESILIENCECYBER

Decades ago, when computers were expensive and not readily accessible, computer hacking had little to do with criminal behaviour. Hackers were people sufficiently adventurous to go beyond the instruction manual and explore the possibilities of the new technologies. They were motivated to explore the potential of technologies beyond their

by Mel Migriño, VP/Group CISO at Meralco, Chairman & President of the Women in Security Alliance Philippines

MEL MIGRIÑO

of a hacker transformed from that of a heroic figure to a young programmer hacking into big organisations. While their actions caused inconveniences, their main motivation was to gain kudos from the success of their exploits. Today, the attack surface has increased drastically with the increased connectivity of networks and devices, and hackers’ motives have evolved to financial gain and the advancement of political and/ or personal agendas. Hackers are now employing advanced technology and sophisticated techniques. They are members of criminal enterprises prepared to use innovative tactics to gain access to their targets.

To counter the increased sophistication of attackers organisations are increasingly adopting a zero trust approach. Zero Trust is a security framework that requires all users, whether inside or outside an organisation’s network, to be authenticated, authorised and continuously validated for security configuration and posture to gain and maintain access. However, it is challenging for organisations to have 100 percent visibility across all segments, all assets and all possible attack vectors. Thus, we need to look at establishing a collective cyber resilience strategy. Attackers are become more powerful and more effective through increased collaboration, or ‘collective offence’. They are sharing data and exploit tools on the dark web to achieve breaches, and there is also a growing cottage industry of independent cyber mercenary groups. Despite investing millions in cybersecurity technology and human resources, organisations in all industries and the public sector are still getting attacked.

Instated limitations.the80stheprofile

Organisations from public sector agencies to Fortune

Shifting from signature-based detection that focusses on older and known threats towards a behaviourbased detection capability that proactively identifies the underlying behaviour of unknown threats to the network across the intrusion cycle and not just the final ‘action-on-target’ step, when it is too late to stop system exploitation or data exfiltration.

COORDINATION IN THE SUPPLY CHAIN

• Better detect anomalous cyber activities that might go unnoticed.

• Gain greater visibility of unknown and known threats through anonymised threat sharing.

Leveraging the community for triage and response insights based on real time feedback. This allows peers to take immediate action to mitigate active threats. Peers within the collective defence chain have better opportunities to optimise resources to achieve ‘defensive economies of scale’.

Collective defence is easy to understand, but difficult to implement. However, it is high time we all worked together regardless of organisation type, size or location. We should aim to have a greater impact that will better protect our organisation and the world we live in.

According to the March 2020 report of the US Cyberspace Solarium Commission (p96), “This ‘collective defence’ in cyberspace requires that the public and private sectors work from a place of truly shared situational awareness and that each leverages its unique comparative advantages for the common defence.” Collective defence can be achieved through the following activities.

• Build better triage and stronger response capabilities by creating a unified force through collaboration.

Sharing threat insights with the wider community to create an early warning mechanism. In a collective defence ecosystem participants actively share anonymised cyber anomalies at machine speed across the community of public and private organisations. This crowdsourced threat sharing capability allows companies to identify stealthy attackers earlier in the attack cycle.

500 companies to SMEs and service providers across supply chains find themselves in the same boat, but with varying levels of resources to address the security challenge. The current trend to increase spending on the defence of core platforms and networks is already unsustainable. Therefore, we need a new defence strategy to keep pace with cyber threats. We need collective defence.

REALTIME THREAT SHARING

• Get early warning of threats targeting all elements in the supply chain.

Our end goal is to have a perspective of the threat landscape that will enable us to prepare and build defences in advance. Adopting collective defence enables peers to:

alliance-philippines/www.linkedin.com/company/wisap-women-in-security-www.linkedin.com/in/mel-migriño-b5464151

ADVANCED DETECTION BASED ON AI

ISSUE 10 WOMEN IN SECURITY MAGAZINE 135

TECHNOLOGY PERSPECTIVES

NANCY BENJUMEA

ANOTHER

As a technology professional with more than 15 years’ experience, I have held various roles: web developer, tester, security analyst, IT auditor, data classification analyst and, now, data governance specialist. Many of you may have had similar career paths; switching between IT roles or DATA GOVERNANCE, OPTION TO PROTECT THE DATA OF YOUR CUSTOMERS AND EMPLOYEES

progressing in data roles. Many of you might have decided to stay working with data because you found such roles gave meaning to your careers. This is a magazine about security not data, so why am I talking about data governance? Keep reading and you will understand. Data governance is a fairly new area. It came into being because of the gap between IT departments and the business. IT staff claim ownership of data because it is stored in the systems or applications they maintain, but the people from the business understand the processes and business rules that make sense of the data. With the emergence of data governance data ownership has shifted from IT to the business. Now, data is being valued appropriately and given the protection it needs.

by Nancy Benjumea, Lead Data Governance Consultant at Pernix

WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022136

I believe data governance to be the discipline most companies should adopt to protect their sensitive data. Data governance can provide the framework for a program through which companies identify their critical data, assign owners and label it according to its sensitivity. When data governance is implemented correctly, security controls can be applied to prevent data loss, data breaches and data misuse. With a mature data governance framework the business can find value in its data that can drive strategies to attract new customers, or it can sell that data to others, generating immediate profits.

www.linkedin.com/in/nancybenjumea

TECHNOLOGY PERSPECTIVES

Running from March through to June across states Join our distribution list to be the first to know when tickets go on sale Get Notified THE WOMEN IN SECURITY AWARDS ALUMNISERIES ISSUE 10 WOMEN IN SECURITY MAGAZINE 137

I liken a data storage system to a closet. If a closet is messy, only those who have put clothes into it know where to find them. However, if a closet is properly catalogued and organised with drawers others can easily find a specific item without the intervention of whoever keeps the clothes. How is your data closet organised?

Businesspeople now own the data and want to know how to properly use it for the benefit of their company, but they face significant hurdles. They do not know what data they have, where it is stored, if it is consistent, if it is duplicated, if it is shared externally without controls or if it has value that can be exploited to produce profits. Without such knowledge companies cannot be certain how to protect their data. Regulations such as GDPR and international standards such as ISO 27001:2022 require companies to adequately protect personal information.

• What is out of bounds?

by Meghan Jacquot, Security Engineer at Inspectiv MEGHAN JACQUOT

• What exactly is within bounds?

UNDERSTANDING A THREAT LANDSCAPE

• Do those tools already exist in-house or does a third party contract need to be initiated?

• Do the resources exist to collect the data or do new resources need to be allocated?

• How will that data be collected?

• Over what period will the data be collected?

• How will actions be validated?

SCOPE AND RESOURCES When assessing a threat landscape, it is essential to first determine the scope of an engagement.

TAKES A TEAM

Software patches, hardware vulnerabilities, geopolitical events, information operations, threat actor campaigns, malware and tech stack asset inventory can all be analysed to gain understanding of a threat landscape. However, it would be very difficult for all these to be investigated by one person in a timely and detailed manner. Therefore, a team is needed to understand an organisation’s threat landscape.

• What type of tools will be used?

SOFTWARE AND HARDWARE

Once the scope of an engagement has been determined, an inventory of software and hardware must be taken, and the alignment of hardware and software with scope goals must be determined. If current software and hardware assets do not enable these goals to be achieved then either these assets or the goals will need to be adjusted. These are parts of the process team members will complete to measure the threat landscape. Patching and vulnerability management will also need to be part of the engagement. When a new vulnerability is disclosed the team will need to understand whether it is relevant. If so, resources will need to be allocated quickly to mitigate the threat of the vulnerability being exploited. One good way to assess the severity of a vulnerability is to see when the US Cybersecurity and Infrastructure Security Agency (CISA) requires US government agencies

• Who will be targeting that data?

WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022138

• What data will be considered?

Threat modelling and threat intelligence can be gathered in house, by a third party team or by a combination of a third party and in-house teams. To determine the scope of an engagement a series of questions should be asked:

INFORMATION OPERATIONS

ATT&CK®MITRE

The cyber kill chain helps with the analysis of advanced persistent threat (APT) groups: cybercriminals who gain a foothold into a system and remain undetected for a long time. Specifically, this framework maps APT activity, including reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2) and actions on objectives.

The Diamond Model leverages a diamond shape to map adversaries, their victims, infrastructure and capabilities. Recently, cybersecurity company Recorded Future published a white paper analysing information operations within the context of the Diamond Model. This paper was reviewed by the creator of this framework, Sergio Caltagirone.

TECHNOLOGY PERSPECTIVES to apply a patch or fix. For example the Follina vulnerability, CVE-2022-30190, was added to the Known Exploited Vulnerability Catalog in June 2022 and patches had to be applied within a month.

ISSUE 10 WOMEN IN SECURITY MAGAZINE 139

Researching and understanding threat actors takes a team. There are many ways to research a threat actor and several frameworks an analyst can use.

THREAT ACTORS

Cyber LockheedChain®Kill|Martin

This is a model based upon real-world observations of threat actor behaviours and campaigns. This framework includes a matrix that lists tactics, techniques, and procedures (TTPs) used by adversaries to gain access to victims’ systems.

TheIntrusionModelDiamondofAnalysis

MALWARE Malware samples can be analysed if found on internal devices or by conducting research about a threat actor. Security researchers may request samples from other researchers. Use caution: sometimes nation state funded threat actors impersonate legitimate security researchers to compromise their networks. To better understand the landscape a team might have specific roles devoted to malware analysis and reverse engineering. IDA Pro is software commonly used as a dissembler to analyse malware. It can generate assembly language source code from machine-executable code and make this complex code more human-readable. This code can then be decompiled, ported and even allows for Python extensions with their SDK. Human intervention is needed at this point to further analyse the malware and data.

Intelligence Framework Description

The use of malinformation is particularly nefarious. It is information intentionally shared by a malicious user that, CISA says, “is based on fact, but used out of context to mislead, harm or manipulate.” Team members could study the effect of InfoOps on the organisation, brand, individual, etc. A thorough understanding of communication methods and techniques will be essential for these team members.

THREAT LANDSCAPES TAKE A TEAM

Threat landscapes are dynamic and vast and each organisation is different with different needs, priorities, resources, etc. A team is needed to provide defence against the varied threats an organisation could encounter. One person cannot do this effectively, it takes a village.

GEOPOLITICAL EVENTS

Events in the physical world affect digital outcomes in cybersecurity and the threat landscape. If one country declares war on another, in the 21st century, this war will not only be kinetic, but it will also be cyber-kinetic. There will be cyber activity against the targeted country’s physical systems or use of the internet. This has been seen in the war Russia is waging against Ukraine. Ukrainians have been targeted by phishing schemes, malware and wiper malware disguised as ransomware. Having team members who understand international relations can be crucial to analysing how geopolitical events will impact an organisation’s threat landscape.

140 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

www.linkedin.com/in/meghan-jacquot-carpe-diemtwitter.com/CarpeDiemT3chwww.youtube.com/c/CarpeDiemT3ch

TECHNOLOGY PERSPECTIVES

The world of cybercrime may not seem to have much in common with the glitz and glamour of the Hollywood A-List, but in the past few years one up and coming cybersecurity ingenue has made the headlines in both the industry press and the world’s media: ransomware. Ransomware is malware that encrypts files and prevents access until a ransom is paid to provide a decryption key. There is no award wage for a ransomware actor so the amount demanded can range from the mildly irritating to the profit destroying. Whatever the amount, decryption is often not Ransomware’sstraightforward.celebrity status might be the result of a few high profile cases over the years, such as WannaCry and (Not)Petya, or because the concept of being held to ransom is both understandable to nontechnical players and holds a degree of intrigue.

HIDDEN IN PLAIN SIGHT: THE EVOLVING THREAT OF BEC

ALEX NIXON There is no ignoring the disruption ransomware can cause organisations. However, turning our collective attention to it may distract us from the fact that it is not the most lucrative nor the most prolific form of cybercrime. In the United States Federal Bureau of Investigations’ (FBI) Internet Crime Report 2021, ransomware incidents were well down the list of cybercrimes reported.

by Alex Nixon, Senior Vice President and the Head of Kroll’s Cyber Risk practice in Australia

ISSUE 10 WOMEN IN SECURITY MAGAZINE 141

The most commonly reported form of cybercrime typically results in lower reported losses per incident than ransomware. However, in aggregate, the almost 20,000 incidents of this nature reported in the FBI’s Internet Crime Report led to adjusted losses totalling close to $US2.4b. We’re talking about business email compromise (BEC), reimagined for the criminal of today. A caveat at this stage. Whilst that $US2.4b in losses dwarfs the $US49.2m reported lost in 3,700 reports

of ransomware last year to the FBI, as with all statistics, it may not tell a complete story. The dollar amount attached to ransomware incidents does not take into consideration any revenue lost during down time or any additional recovery costs, and organisations may downplay their losses. Despite this, I think it is fair to say that losses sustained from BEC attacks are substantial. BEC, or email account compromise (EAC), has evolved along with the preventative measures organisations have put in place. Many of us will be familiar with the old school BEC schemes involving requests for gift cards, or those targeting the real estate sector (both of which are still to be found in the wild). But as security controls and the way we conduct business evolve, so too do our adversaries.

142 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

My colleagues at Kroll, Christopher Ballod and Jaycee Roth, spoke about this approach in a recent article, Cyber Extortion Gets Personal – The Next Step in Email Compromises. Threat actors are beginning to see the value-add in committing BEC/EAC attacks and using the credentials obtained to exfiltrate sensitive emails, attachments and data stored in connected cloud repositories. The workflow shown on the opposite page represents a common pattern Kroll has observed.

Threat actors would be remiss if they used compromised credentials for this purpose alone. The multitude of opportunities compromised credentials present make them an attractive proposition for any adversary. Monetary gain can be obtained through classic BEC and through the wider environment that compromised credentials give access to. This is where the ransomware mindset intersects with BEC, when criminals leverage the information obtained through email compromise for extortion.

www.linkedin.com/in/alexlnixon

The ongoing pandemic with its associated recommendations on limiting in-person work and the increased difficulty of international travel has been a boon to cyber criminals in many ways. The increased adoption of remote working and virtual communication has led to the development of a new form of BEC/EAC that embraces deep fake phenomena to conduct executive impersonation (CEO fraud). After compromising the email account of a senior executive, such as a managing director or chief financial officer, the threat actor will send out a request to employees for a virtual meeting. Citing either technical issues preventing audio or using deep fake audio, the threat actor will instruct employees to initiate a wire transfer. The funds transferred are then quickly moved into a cryptocurrency wallet, making recovery prohibitively difficult and expensive.

To combat such an attack your organisation’s security controls should be reviewed. For example, modifying bring your own device (BYOD) policy to prohibit the downloading of attachments onto personal devices may help to mitigate the risk of exploitation in a EAC scenario. Implementing multifactor authentication on all systems (including those pesky legacy ones) for all users (including those impatient and important ones) can prevent or limit damage from email compromise. Need a jumping off point? Kroll has put together guidance on 10 essential cybersecurity controls, based on what our experts are seeing on the front lines. This can help you open an internal discussion about how to meet this evolving threat, because history shows us our adversaries will continue to evolve alongside us.

Describing one attack of this nature Kroll witnessed, Ballod and Roth outline how several gigabytes of data and a contact database were stolen from the email and cloud repositories of one victim of email compromise. The threat actors used this data to target the individual’s extended family (including minors), threatening to expose sensitive information about their relative.

TECHNOLOGY PERSPECTIVES External Victim Scouting – Phishing Email

Reach SharePoint OneDrive and related accounts Created additional Admin-level accounts to retain access

Toolkit

Initial Exploit

Mission

Credentials harvested via malware or dark web forums

– Use stolen credentials to log in Internal Scouting and Escalation – Gain access and establish persistence Deployment

Attackers incorporate company executives, vendors, family members and clients in extortion scheme

ISSUE 10 WOMEN IN SECURITY MAGAZINE 143

– Data collection and exfiltration Execution – Extortion

Hundreds of GBs stolen including emails, attachments, fileshares, cloud repositories, etc

by Gina Mihajlovska, Cyber Security Manager at EY GINA MIHAJLOVSKA

TOGETHER

Our lives have been changed forever by the internet. The technologies it spawned and the benefits it offered have been seamlessly absorbed and integrated into our lives. It removed the constraints of 20th century analogue telecommunication architectures and introduced the ability to be virtually present anywhere on the globe. The notion that other countries, other languages and other cultures could be experienced from the comfort of one’s home or office was emboldening. With the help of social media we shared our private stories and information, unaware of the potential for these to be misused.

“Unity is vision; it must have been part of the process of learning to see” he wrote. So, we have history as our teacher, when coming together was critical to improving security. If Adams had been writing in the 1950s he would focus on messages to raise our consciousness and collective awareness of threats to ourselves and the security of our societies. The societal and governmental responses to the Cold War rested heavily on unity and

IMPROVINGSECURITY

on managing security together. Fast forward seven decades. Today, a united front to address present day security threats, unimaginable to those living in the 1950s, has become an imperative.

This article argues that we need to consider our relationship with security as part of the bigger picture created through togetherness: caring for each other and making sure we create a safe environment for ourselves and those we love. Those of us who work in cybersecurity tend to focus on the complexity of technology, systems, processes and risk management and overlook the human component. Can there be security without people coming together to create awareness? US historian Henry Adams (1838-1918) lived through a period of great change, the most tumultuous period of US history. Unity and togetherness were crucial to the consolidation of the US into a unified, secure and prosperous nation that would come to lead the world.

Our uptake of social media and our readiness to share the most private aspects of our lives with openness and trust have created opportunities for misappropriation by those who maliciously seek to benefit from the information and are able to evade the technical controls imposed to protect it. These vulnerabilities are also new threats to our brave new world. Cybersecurity professionals engage in daily

WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022144

www.linkedin.com/in/ginamihajlo

During Cyber Security Awareness Month 2021, in March 2021, the government urged Australians to take simple steps to better protect themselves from common online threats and cyber-crime. The then assistant minister for defence used the opportunity to address the importance of each of us being cyber smart and doing our part by learning to apply basic safeguards to our information and to the way we interact with the internet. Educating citizens to run software updates and perform backup functions and helping seniors to identify scams are significant steps to improving security together.

“Unity is vision; it must have been part of the process of learning to see.”

HENRY ADAMS ISSUE 10 WOMEN IN SECURITY MAGAZINE 145

TECHNOLOGY PERSPECTIVES

efforts to mitigate threats from hacking, abuse of financial products (credit cards, bank accounts) and identity theft, and to protect us from these. In time, cyber professionals have come to appreciate the benefits of an aware and vigilant user base and how it greatly improves the management of cybersecurity.

The battle to counter the growing threats coming from increasingly skilled and sophisticated cybercrime perpetrators will continue, but these actions on the government’s part were necessary steps to developing technical prowess among the population. The need to create a relationship between people and technology represents a paradigm shift to a future where there is increased information systems literacy that enables everyone to play a role in reducing the opportunities for cyber-crime to succeed. However, improved security that is strong and sustainable should not demand sacrifice or compromise of the values we treasure as a society. Therefore, any attempt to improve security together needs to address these aspects. Security should not come at the expense of people. This is a very important dimension to consider when we come together to improve security. In summary, I would argue that improving security together is an important facet of collective human interaction. We also improve security together by learning to be discerning in what we identify as a threat and how we treat it. This comes from vigilance and understanding of how cyber criminality differs from other forms of criminal activity. Through these we begin to learn as a collective, sharing experiences to enhance our response and our ability to teach those dear to us about the threats to their wellbeing. What is important to our personal and social wellbeing must be part of a unified vision. Without the efforts of people, cybersecurity experts are left to battle alone to protect us from cyber criminality and are likely to fail to achieve their goal of making us safe.

WHO WILL MAKE THE FINALS?

All the latest articles, industry news, job boards, latest books, podcasts and blogs at your fingertips. As well as the latest on our advertising, marketing, and event services. FACEBOOK@wisms2c TWITTER@Source2C womeninsecuritymagazine.comDIGITAL LINKEDIN@source2create @womeninsecuritymagazineINSTAGRAM Stayconnected

STUDENTSECURITYIN SPOTLIGHT

Here are some of the roles I believe I am well able to fulfil:

• Web developer. I can write code in PHP, HTML, JavaScript, CSS and SQL.

• Project manager/management. I have good communication, leadership and team building skills. I speak three languages: Chinese, English and Malay.

• Information security analyst – I have coding as well as security knowledge to satisfy the requirements of the field.

What led you to pursue study in cybersecurity? My father is in the IT industry (networking). I have seen his work and he has always told me how interesting the IT field is. I love learning about cyberattacks around in the world and new malware. It’s scary but an interesting topic to ponder. How did you gain the knowledge and understanding of cybersecurity that enabled you to make your choice of what study/ qualification to pursue? I was studying for a Diploma in Software Development at South Metropolitan TAFE in Murdoch. At the time, I had a friend studying to get her Diploma in Cyber Security. She told me how easy it was for our personal information to be traced and used maliciously. I realised cyberattacks were happening all around the world without our knowledge. I started doing my own study of malware and viruses and developed an interest in cryptography. I really enjoy encrypting and decrypting ciphers and even used cryptography to encrypt a message in my parents’ anniversary gift. That was when they realised I had a passion for cybersecurity and supported me in my decision to pursue a career in the field. Did you consider pathways into cybersecurity other than your present course of study, and if so which ones? I have. I was considering software engineering because I love programming and web development. Many women have given us their thoughts on cybersecurity saying it is really important that the industry hires people with diverse skills. What roles do you think your skills would best equip you to fulfil?

SWEN LEE Swen Lee is studying for a Bachelor of Computer Science at Edith Cowan University’s Joondalup campus, majoring in cybersecurity. She is in the last semester of her final year. She grew up in Kuching in Sarawak, Malaysia. Thanks to COVID 19, she took a whole year of her course online from Malaysia.

Bachelor of Computer Science, Edith Cowan University

WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022150

Many have also talked about the value they have gained from having a mentor. What has been your experience? Have you participated in any formal mentoring program, or benefited from an informal mentoring relationship?

I have had neither formal nor informal mentoring, but I have made friends who had been to university before me and they helped a lot by passing on their knowledge on how to better manage assignments and lecture content.

• Cyber security consultant. I have good communication skills and knowledge of security.

What were your career aspirations in your last year of school? In my last year of high school, I had already set my mind on the IT field. I took a gap semester and proceeded to college. My career aspirations at the time were to graduate university with good grades, work as a part time cybersecurity intern while studying to gain more experience in the field and hopefully be employed by an industry to work on my interest fields.

On my first day of class, I met a friend who introduced me to the outreach and program coordinator for the School of Science at ECU, Dr Michelle Ellis. Since then, Dr Ellis has opened many doors and opportunities for me. I have run and tutored in cybersecurity workshops on topics such as cryptography, digital forensics and open source intelligence.

If you could spend a day with a security expert to learn about their role, what role would you choose?

I missed out on by having to study online and made me even more impassioned about my course.

I have also volunteered for Big Day in Perth 2022, an IT careers conference for high school and university students designed by students for students. I am also a tutor for Girls Programming Network which runs workshops to teach programming to high school students.

I would be very interested to learn from a malware analyst. They characterise malware by handling, disassembling, debugging and analysing the malicious code.

• informal, personal study?

I got the chance to volunteer at a Microsoft Sustainability Hackathon with Microsoft’s developer engagement lead, Michelle Sandford, who then introduced me to Microsoft engineer, George Coldham. I am now going to DDD Perth, Perth’s largest community run conference for the tech community, in September to talk about ‘How your simple application could lead to your customers losing their life savings!’ with him. I can’t wait!

STUDENT

IN SECURITY SPOTLIGHT ISSUE 10 WOMEN IN SECURITY MAGAZINE 151

I am interested in learning about new malware and cyberattacks happening around the world. One I am currently looking at is the Russian-Ukraine attack.

www.linkedin.com/in/swen-lee-16893a207instagram.com/leekeswenn

What are your longer term - five or 10 yearcareer aspirations? I would like to become more specialised rather than briefly working in every field, to gain knowledge in various cybersecurity fields but find a specialisation and focus on building my skills on it. What aspect of cyber security in your studies most excites you, and why? Digital forensics, because it is very scary to realise how much information can be disclosed by just swiping your credit card, being scanned by a retina scanner, etc. What involvement do you have in security outside your course? • part time job? I am currently a cybersecurity intern at Retrospect Labs. • volunteer role? I am a student ambassador for the School of Science at ECU. This has put me more in touch with the many aspects of cybersecurity, made me realise how much

WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022152

How did you gain the knowledge and understanding of cybersecurity that enabled you to make your choice of what study/ qualification to pursue?

I hope to move into a blue team/defence role as a defence analyst. Once I graduate from university I hope to upskill and complete some industry certifications such as OSCP. I will also continue

I wanted to be a veterinary surgeon and would spend school holidays shadowing surgeries. What led you to pursue study in cybersecurity?

I started studying computer science majoring in software engineering, but after completing the computer security unit in my second semester I decided to switch to cybersecurity. I had an awesome lecturer and the prospects of a career in security and problem-solving enticed me, so I switched to my current degree. I was also working on Bunnings’ IT service desk at the time, so I had some insight into what our cybersecurity team did. I reached out to our cybersecurity operations manager to discuss my course and see if there were any entry-level opportunities in cybersecurity. He kept me in the loop, so I applied when an opportunity came up. Did you consider pathways into cybersecurity other than your present course of study, and if so, which ones? I did not, but I wish I had known there were options and pathways other than TAFE and university. I have always been academically inclined and wanted to go to university. I put my studies on hold for a long time because I did not have Australian citizenship and was unable to afford the international student fees. During this time, I could have considered certifications. Emily Harmon grew up in Kent, just outside Southeast London and moved to Perth in 2013. She works at Bunnings in cyber operations as an identity and access management administrator and is studying off campus part time for a Bachelor of Science (Cyber Security) at Edith Cowan University. She is a little over halfway through the course.

I have been fortunate to have mentors within and outside my organisation. Most people in our industry are very generous with their time, and their knowledge of the industry is invaluable. I have had the opportunity to speak with people holding various roles in our industry, from CISOs to researchers at university. I would advise others to never be afraid to reach out to someone, even on LinkedIn, or talk to someone at an industry event. People who work in security are generally passionate about the industry and love to talk about it.

If you could spend a day with a security expert to learn about their role, what role would you choose?

I cultivated my passion for technology whilst working at Bunnings. Working on the shop floor, I was curious about what the service desk officers were doing on the other end of my phone calls, and how all our technologies and systems worked together.

Someone in digital forensics and incident response. What are your longer term - five or 10-yearcareer aspirations?

Many women have given us their thoughts on cybersecurity, saying it is really important that the industry hires people with diverse skills. What roles do you think your skills would best equip you to fulfil? Our threat actors are diverse, so to mitigate the threats they present we also need diverse teams.

EMILY HARMON Bachelor of Science (Cyber Security) Student, Edith Cowan University

What were your career aspirations in your last year of school?

Security is also a group effort. In a large organisation such as Bunnings a great culture around security is key. Because I have worked in various roles across the business I can empathise with the different departments and understand their challenges from their point of view. Many have also talked about the value they have gained from having a mentor. What has been your experience? Have you participated in any formal mentoring program, or benefited from an informal mentoring relationship?

• part time job? I work fulltime as an identity and access management administrator at Bunnings. • member of security organisations? I am a member of AWSN and WiTWA. • informal, personal study? I regularly attend events such as AustCyber’s Students of Cyber (SOC) events which take place every month. www.linkedin.com/in/emily-harmon-75b0831a0

advocating for women in our industry and being an active member of AWSN and WiTWA. I hope to pay forward the support and welcome I have received from these organisations, and mentor newcomers to the industry. What aspect of cybersecurity in your studies most excites you, and why?

SECURITY SPOTLIGHT ISSUE 10 WOMEN IN SECURITY MAGAZINE 153

I enjoy the hands-on workshops, such as setting up virtual environments, and learning Linux and cybersecurity tools, because these are real-world skills I can use at work. What involvement do you have in security outside your course?

STUDENT IN

What led you to pursue study in cybersecurity?

Just as I was exploring my options I came across the Cyber Defense Professional program at the University of Central Florida and decided to sign up for the introductory course. It did not take me long to decide this was definitely the path I wanted to take. How did you gain the knowledge and understanding of cybersecurity that enabled you to make your choice of what study/ qualification to pursue? The beautiful thing about going through the bootcamp program was that it gave me a great foundation in the many facets of cybersecurity, Bettina Marquez has just completed the Cyber Defense Professional Certificate program offered by ThriveDx—formerly HackerU—and the University of Central Florida. The program is an intensive, 10 month deep dive into foundational cybersecurity skills and principles, from basic Microsoft and Linux security to digital forensics and incident response (DFIR) and game theory. She grew up in the Mid Hudson Valley area of New York State.

The complete answer to that could have me talking for a while. The short version is that I originally became interested in pursuing cybersecurity more than ten years ago when it was still very new as a field of formal study, academically.

As I mentioned, I had previously applied to a cybersecurity program about a decade earlier, which would have been a two-year degree program at a local college—a much more traditional approach than the bootcamp I have just completed.

Many have also talked about the value they have gained from having a mentor. What has been your experience? Have you participated in any formal mentoring program, or benefited from an informal mentoring relationship?

I have always been good with technology and enjoy trying to troubleshoot and figuring things out myself. It was clear to me that cybersecurity was where everything was headed, and I wanted to be a part of it. I went so far as to apply for, and get accepted into, a local program, but then had to drop those plans because of my husband’s job transfer and other family priorities. Fast forward to this time last year when I was suddenly faced with a major shakeup in my personal life that necessitated a return to the workforce.

What were your career aspirations in your last year of school? Coming out of high school, my career aspirations were to get into field zoology or marine biology thereby combining my love of the outdoors, animals and scientific research with my ever-present drive to understand why things (or people, or animals) work the way they do.

I have not participated in any kind of formal

Oh wow, that’s a great question! I think my skills and experience make me diverse and adaptable to different roles. I am someone who can be both detail- and big-picture-oriented, work alone or in teams (I prefer a mix of both), identify patterns and concomitant outliers and break down complicated concepts into terms people can more easily grasp. And I love researching and problem-solving. Between my skills and my interests, I think I would eventually best fill roles in either DFIR or perhaps risk management.

Many women who have given us their thoughts on cybersecurity say it is really important that the industry hires people with diverse skills. What roles do you think your skills would best equip you to fulfil?

WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022154

Did you consider pathways into cybersecurity other than your present course of study, and if so which ones?

BETTINA MARQUEZ Cyber Defense Professional Student, University of Central Florida starting with basics and progressing to the more advanced topics. Along the way we benefitted from the experiences and insights of our instructors, who were all working professionals in the field. Also, the program incorporated periodic review and study sessions that helped to prepare us for select certifications like Security+. Like most people new to cybersecurity, this is what I decided to choose as my starting point.

• informal, personal study? Many YouTube videos, of course. I have especially benefited from NetworkChuck, but have also made use of Sunny Classroom, PowerCert, David Bombal, and others. I also have a subscription to what used to be known as The Great Courses and am about to start a Python programming course it offers, because it seems clear a solid foundation in Python will be tremendously beneficial in any cyber role.

• part time job? None. • volunteer role? Not yet, but I am actively looking for opportunities right now. • outplacement as part of your course?

mentoring program, but I am definitely interested in finding someone willing to play that role in my life. I thrive on challenge and really enjoy relationships with people who believe in me enough to push me to grow and be better.

I heard Tia Hopkins speak in a webinar and she said something that really resonated with me, along the lines of, “I don’t want to be where everyone is; I want to be where everyone is going.” That’s me. I’ve always been drawn to research because I want to push the boundaries and answer the questions no one else has yet answered. This was exactly what most excited me about cybersecurity right from the start: it’s new and evolving, and—of necessity—will have to keep adapting and evolving as the threats and

What involvement do you have in security outside your course?

There is no formal outplacement program in the course, but connections have been forged that have led to potential opportunities.

• member of security organisations? Not yet.

www.linkedin.com/in/bettinamarquez

If you could spend a day with a security expert to learn about their role, what role would you choose? Right now, I’d choose to shadow someone working in a DFIR or risk management role.

What are your longer term - five or 10 yearcareer aspirations? I know I want to grow into a leadership role of some kind, but I’m not exactly sure yet what that will look like. When I say leadership, I’m not thinking management—I picture myself as someone who sets the pace, defines the conversation, blazes a trail, calls people to action and makes a difference. That’s a lofty goal, I know, but I’ve always been a very purposedriven person. As far as the more prosaic question of what role do I see myself filling in cybersecurity down the road, I like the idea of working in DFIR in a larger crime-solving capacity; I like the idea of hunting down the bad guys! What aspect of cybersecurity in your studies most excites you, and why?

technology evolve.

STUDENT IN SECURITY SPOTLIGHT ISSUE 10 WOMEN IN SECURITY MAGAZINE 155

Did you consider pathways into cybersecurity other than your present course of study, and if so which ones?

WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022156

At the beginning I was not aware of cybersecurity. It caught my attention when I applied for university because the course had all the things I was interested in, from digital forensics investigation to psychology.

If you could spend a day with a security expert to learn about their role, what role would you choose?

I also loved technology and its power to change something in a matter of minutes. How did you gain the knowledge and understanding of cybersecurity that enabled you to make your choice of what study/ qualification to pursue? In my final year of school I studied multimedia, which opened the doors to technology and how useful it is.

Bachelor of Cyber Security and Behaviour, Western Sydney University

I have benefited from both informal and formal mentoring. I undertook a cadetship with Cochlear in its cybersecurity department and was lucky to have contact with the manager through LinkedIn. He helped me with my resumé. Also, I was lucky to connect with Agathe Savard security leader and strategist through a colleague and she answered some questions I had regarding interviews and how to best prepare for them.

Yes, I would have gone to TAFE and completed a diploma of cybersecurity and then continued with my studies at university. Now, to gain further knowledge and to stay up to date with current trends I will study courses from LinkedIn, (ISC)2, Plural and SANS.

I would choose security compliance, governance and consulting because these are intertwined. What are your longer term - five or 10 yearcareer aspirations? Working with the Australian Taxation Office for three years as a junior in cybersecurity compliance, then becoming a manager for three years and following this with five years at the Commmonwealth Bank as team manager, then working with National Australia Bank as a senior consultant. What aspect of cybersecurity in your studies most excites you, and why?

What led you to pursue study in cybersecurity? Because of my physical disability I wanted to study something that would demonstrate my mental ability.

Many have also talked about the value they have gained from having a mentor. What has been your experience? Have you participated in any formal mentoring program, or benefited from an informal mentoring relationship?

At first I wanted to become an interior designer because I loved art and creating things from nothing, but then my passion for crime and technology led me to study cybersecurity and behaviour.

What were your career aspirations in your last year of school?

Many women who have given us their thoughts on cybersecurity say it is really important the industry hires people with diverse skills. What roles do you think your skills would best equip you to fulfil? As I have attention to detail, I would be best at security compliance.

There were two, intertwined units: human behaviour and forensic investigation. You never know what you can find and how people can change their behaviour/ personality based on the environment.

OCIA ANWAR Ocia Anwar has been studying for a Bachelor of Cyber Security and Behaviour, which she completed in July 2022. She was born in Kabul, Afghanistan in 1999 and lived there for most of her childhood before moving to Pakistan in 2008. She migrated to Australia in January 2010.

What involvement do you have in security outside your course? • part time job? I undertook a cadetship at Cochlear from 30 November 2020 to 5 February 2021. • outplacement as part of your course? I had an outplacement at Western Sydney University’s security operations centre. • member of security organisations? I am a member of the Cyber Security Association, AISA, Women in Security and ISACA • informal, personal study? LinkedIn Learning: SPSS Statistics essential training FDM Group: mini expert’s challenge Cyber@ANZ program Qualys: compliance policy and procedures www.linkedin.com/in/ocia-anwar-1ab3a5184 STUDENT IN SECURITY SPOTLIGHT ISSUE 10 WOMEN IN SECURITY MAGAZINE 157

Raziye Tahiroğlu is about to start the second year of study for a degree in computer science at Istanbul Aydin University in Türkiye. She will undertake an internship during the year, and aims to start working as a security analyst in her final year. She also intends to pursue further education after obtaining her degree, and to conduct academic research.

If you could spend a day with a security expert to learn about their role, what role would you choose?

Did you consider pathways into cybersecurity other than your present course of study, and if so which ones?

I am also very interested in open source intelligence, so it would be great for me to spend time with an open source intelligence (OSINT) investigator/analyst, observe how they work and learn from them.

What are your longer term - five or 10 yearcareer aspirations?

RAZIYE TAHIROĞLU

I will continue to study computer science as an academic career. I want to do a master’s in this field, and the idea of publishing an article also excites me. As a woman in cybersecurity I want to support my associates. I would like to instruct other students as to the institutions that make it possible for me to learn today. I am currently stronger on the defensive side of cybersecurity. I aim to increase my strength on the offensive side with hard work. I also have an interest in open source intelligence and I will enhance my skills in this field. During this time, I aspire to gain experience by performing penetration tests.

I agree with that. I’ve concentrated on the defensive/ blue team side until now. Therefore, I believe a cybersecurity analyst position would be a good fit for me. I want to work hard and develop my offensive skills and work as a red team member. Many have also talked about the value they have gained from having a mentor. What has been your experience? Have you participated in any formal mentoring program, or benefited from an informal mentoring relationship? Yes, definitely. It’s important to have a mentor. A mentor can help you develop and realise many of your skills in the learning process. They can guide you when you are stuck. I participated in many course activities organised by institutions in my country. Institutions in my country moved their activities online during the COVID-19 pandemic. Many bootcamps and courses were conducted online and I benefited from these lessons.

Computer Science Student, Istanbul Aydin University

WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022158

Everyone’s cybersecurity pathway is different, and I think my pathway is appropriate for me. Many women who have given us their thoughts on cybersecurity saying it is really important that the industry hires people with diverse skills. What roles do you think your skills would best equip you to fulfil?

I would like to spend a day with an incident responder, and security operations centres would be a good fit to enable me to gain experience in line with my current career goals.

What led you to pursue study in cybersecurity?

I had heard about cybersecurity from those around me and became very interested. I found myself following cybersecurity news and published articles. Then I thought “Why shouldn’t I have a place in the cyber world, too?” Thus, I decided to be more than merely a consumer of cybersecurity. How did you gain the knowledge and understanding of cybersecurity that enabled you to make your choice of what study/ qualification to pursue? Cybersecurity is forever changing. There is constantly more for me to learn. I still have a long way to go. I think I’m just at the beginning. I obtained the information I have gained so far by using the internet. At the same time, I tried to improve myself by joining activities staged by cybersecurity organisations in my country.

I find it very interesting that cybersecurity is both dangerous and beneficial. My cyber awareness is very beneficial in my daily life. When I set a password or make a payment, I start to wonder if what I am doing is safe. Cybersecurity comes in handy when I am investigating the veracity of the news. We are now in a world where every individual should be aware of cybersecurity because it is significant in every aspect of our lives. What involvement do you have in security outside your course? I participate in events under the title of Women in ITechnology.followevents organised by the SANS Institute and many similar organisations. I am a volunteer intern at a company and I am working on my coding skills.

What aspect of cybersecurity in your studies most excites you, and why?

STUDENT IN SECURITY SPOTLIGHT ISSUE 10 WOMEN IN SECURITY MAGAZINE 159

www.linkedin.com/in/raziye-tahiroğlu

I was interested in cybersecurity because it combined my passion for technology with my passion for helping people and keeping them safe. I joined the Australian Women in Security Network (AWSN) and strengthened my interest in cyber through the mentorship, networking and workshops it offered. How did you gain the knowledge and understanding of cybersecurity that enabled you to make your choice of what study/ qualification to pursue? Through the UNSW Co-op Scholarship Program I was able to gain work placements in cyber teams at IAG and Westpac. During those placements I spoke with people in various cyber teams and learnt about the different roles available. Additionally, after gaining experience in Westpac’s penetration testing team and shadowing pentesters, I decided pentesting would be suitable for me.

What were your career aspirations in your last year of school? I aspired to become a leader in IT who would help make the world a better place. What led you to pursue study in cybersecurity?

www.linkedin.com/in/carolinengcyber

What are your longer term - five or 10 yearcareer aspirations? I aspire to use my technical knowledge to help me become a leader who makes better decisions through business and technical acumen. What aspect of cybersecurity in your studies most excites you, and why?

I have been able to gain mentors informally through my work placements and more formally through the AWSN pilot mentoring program.

I am an AWSN member and I participate in capture the flag competitions whilst I complete my studies.

If you could spend a day with a security expert to learn about their role, what role would you choose?

Many women who have given us their thoughts on cybersecurity saying it is really important that the industry hires people with diverse skills. What roles do you think your skills would best equip you to fulfil? Pentesting is suitable for me because, during my time in Westpac’s pentesting team, I enjoyed the technical challenge of trying to figure out how to break into systems. I also found communicating and explaining vulnerabilities to be a nice balance with the technical work. Many have also talked about the value they have gained from having a mentor. What has been your experience? Have you participated in any formal mentoring program, or benefited from an informal mentoring relationship?

CAROLINE NG Caroline Ng is in her fourth year of study for a Bachelor of Information Systems (Honours) under the UNSW Co op Scholarship Program. She grew up on Sydney’s Northern Beaches. Bachelor of Information Systems (Honours), UNSW

WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022160

Did you consider pathways into cybersecurity other than your present course of study, and if so which ones? Because I was studying for a degree in information systems, I decided to continue and complete it.

I would choose a CISO to understand what decisions they make day-to-day and how they work with other senior leaders in their company.

I am excited about protecting organisations and customers from malicious actors. What involvement do you have in security outside your course?

Why build your own community when you can use ours? HOW TO UNLOCK THE POTENTIAL OF OUR NETWORK

WHO WILL MAKE THE FINALS?

• Do not connect to a USB device that you are unfamiliar with; it could contain viruses.

• Your camera must have the privacy cover on unless you are in a class that needs the camera. Otherwise, the camera needs to be off.

• The school IT department will install software on your device to filter out Jack and Olivia are getting their first laptop for school inappropriate apps and block other people from contacting you. A friendly reminder that if anyone you don’t know contacts you online, you need to tell your teacher or a trusted adult straight away.

Author of How We Got Cyber Smart

164 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

• Don’t be a bystander, if you see anyone sending nasty messages or if you know of anyone at school being cyberbullied, you must tell a teacher so that they can help.

• Your computer must have anti-virus software running that is up to date.

Olivia and Jack think the rules are very fair, as they know what can happen online if you don’t follow the rules. They can’t wait to get their new laptops and discover some fascinating things to learn online.

| Amazon Bestseller

• Don’t click on strange links or websites, these could be harmful.

• Email has been set up to communicate with your teacher only, no one can email you from outside the school.

• When you’re away from home or school, never connect to ‘free WiFi’ as cyber criminals may use it to access your computer.

• You can do your homework on the laptop after school in a communal area so that we can supervise you. We will also have time limits for how long you can use your laptops as it’s important to play outside.

Also, Olivia and Jack’s parents said that we have additional rules at home:

• If you do receive a nasty message, please do not delete it. We will teach you how to save, screenshot and print the message as evidence of cyberbullying.

LISA ROTHFIELD-KIRSCHNER

www.linkedin.com/company/how-we-got-cyber-smartfacebook.com/howwegotcybersmarttwitter.com/howwegotcybers1

• We will install parental controls on your laptop to only allow content appropriate to your age, but these are not always 100 percent safe. If anyone tries to contact you, or if you see something strange online it is important to let us know straightaway. You will not get into trouble, and we will not take your laptop away. We will help figure out what has happened to keep you safe online.

Next year, Jack and Olivia will be getting a laptop for school. It’s very exciting as they can’t wait to have their own computer like the big kids. At school, they call this a “BYOD Program” – bring your own device, and they are keen to help their parents choose their laptops for school. At school, their teachers have been preparing them for the responsibility that comes with having their own devices. The teachers explained that there are rules that they need to agree to as part of the BYOD Program: Olivia and Jack’s School BYOD Rules:

How We Got Cyber Smart addresses cyber safety, cyber bullying and online safety for elementary school-aged children. READ NOW

byRecommended Family zone

0105030709 1008040602 1. AMANDA-JANE TURNER Author of the Demystifying Cybercrime series and Women in Tech books. Conference Speaker and Cybercrime specialist 2. APARNA SUNDARARAJAN Manager - Technology Transformation Practice 3. ANGELA HALL Client Trust, Risk and Compliance (CTRaC) & Trade Regulations Executive at Kyndryl 4. AASTHA SAHNI Technical Trainer at Exabeam and founder of CyberPreserve and BBWIC 5. GABE MARZANO Head of Cybersecurity at Palo Alto Networks and one half of the team behind the Dark Mode podcast 6. POOJA SHIMPI Business Information Security Officer at Citibank Singapore 7. MONICA ZHU Cyber Security Incident Responder & Threat Intel Manager at Qantas 8. SARAH GILBERT Senior Business Analyst - Cyber Security at Transport for NSW 9. SARAH BOX Sarah Box, Cyber Security Project Facilitator and Advisor at The Business Centre 10. PARUL MITTAL Senior Manager - Tech Risk at Bendigo and Adelaide Bank 11. AICHA BOUICHOU PhD student at the National School of Applied Sciences, Tangier 12. CRAIG FORD Cyber Enthusiast, Ethical Hacker, Author of A Hacker I Am vol1 & vol2, Male Champion of Change Special Recognition award winner at 2021 Australian Women in Security Awards 13. VANNESSA MCCAMLEY Leadership and Performance Consultant, Coach, Facilitator, Author and Keynote Speaker 14. STEVE SCHUPP Executive Director at CyberCX WA Branch WOMEN IN SECURITY MAGAZINE CONTRIBUTORS 1311 1412

15. SIMON CARABETTA Project Coordinator at ES2 16. MELANIE NINOVIC Senior Consultant at ParaFlare 17. NICOLLE EMBRA Cyber Safety Expert, The Cyber Safety Tech Mum 18. MICHELLE GATSI Cyber Security Consultant at EY 19. KAVIKA SINGHAL Cyber Security Consultant at EY 20. JAY HIRA Director of Cyber Transformation at EY 21. EMILY GOODMAN Cyber Security Consultant at EY 22. SHINESA CAMBRIC Principal Product Manager, Microsoft Intelligent Protections - Emerging Identity at Microsoft 23. RICHARD EDGE CEO at Careerships 24. MICHELLE RIBEIRO Cyber and Information Security Content Director, APAC 25. DANIELLE ROSENFELD-LOVELL Consultant Security Testing and Assurance at CyberCX 26. SHINTA BENILDA Cyber Systems Administrator at Services Australia 27. HANLIE BOTHA Cyber Security Leader 28. NICOLE STEPHENSEN Privacy Maven and Partner, at IIS Partners 2321171915 2422182016 2725 2826

2933313537 3836323430 29. NATALIE PEREZ SheLeadsTech Coordinator of the ISACA Melbourne Chapter 30. LISA VENTURA Founder – Cyber Security Unity 31. KAREN STEPHENS CEO and co-founder of BCyber 32. TRAVIS QUINN State Director at Trustwave 33. PETER LAKE Experienced Service Management Leader 34. NIGEL PHAIR Chair, Australasian Council, CREST International 35. ANGELO FRIGGIERI Managing Director – Applied Security, at Accenture 36. MEGAN KOUFOS Program Manager at AWSN 37. VERONIKA LAPUSHNIANU International Business Communications Trainer, Founder at GroupEtiq 38. QUEEN A AIGBEFO Research Student at Macquarie University 39. CHRISTIE WILSON Cyber Resilience Manager at UniSuper 40. SARA MOORE Cyber Threat Intelligence Analyst 41. MARISE ALPHONSO Information Security Lead at Infoxchange 42. MEL MIGRIÑO VP/Group CISO Meralco, Chairman & President, Women in Security Alliance Philippines 4139 4240 WOMEN IN SECURITY MAGAZINE CONTRIBUTORS

43. NANCY BENJUMEA Lead Data Governance Consultant at Pernix 44. MEGHAN JACQUOT Security Engineer at Inspectiv 45. ALEX NIXON Senior Vice President and Head of Kroll’s Cyber Risk practice in Australia 46. GINA MIHAJLOVSKA Cyber Security Manager at EY 47. SWEN LEE Bachelor of Computer Science Student 48. EMILY HARMON Bachelor of Science (Cyber Security) Student 49. BETTINA MARQUEZ Cyber Defense Professional Student 50. OCIA ANWAR Bachelor of Cyber Security and Behaviour Student 51. RAZIYE TAHIROĞLU Computer Science Student 52. CAROLINE NG Bachelor of Information Systems (Honours) Student 53. LISA ROTHFIELD-KIRSCHNER Author of How We Got Cyber Smart | Amazon Bestseller 54. NATALIE ALLATT Marketing Manager, APAC at SANS Institute 5149454743 5250464844 53 54

Open Security Training has an abundance of cybersecurity-related course matter which ranges from basic lessons on Android Security Testing to Advanced x86 Virtualization courses. Overall, they offer a considerable volume of free cybersecurity training resources in the form of open-source material. They also have a team of instructors who constantly update the courses and keep the learners up-to-date with the current and ongoing threats.

FEDERAL ENVIRONMENTTRAININGVIRTUAL

CYBERSECURITYFOUNDATIONSSPRINGBOARD’SOF

PICOCTF picoCTF is a free computer security education program with original content built on a capture-the-flag framework created by security and privacy experts at Carnegie Mellon University. Gain access to a safe and unique hands-on experience where participants must reverse engineer, break, hack, decrypt, and think creatively and critically to solve the challenges and capture the flags.

ELASTIC Start your Elastic journey and become an expert faster than ever—for free. Build your enterprise search, observability, security, and Elastic Stack skills with their on-demand training.

UNIVERSITYBUGCROWD

Bugcrowd University operates as a free and open-source project to help improve the skills of the industry’s security researchers. It includes content modules to help researchers find the most critical and prevalent bugs that impact customers. Each module has slides, videos and labs for researchers to master the art of bug hunting with the aim of creating a new standard for security testing training.

Springboard’s Foundations of Cybersecurity is a free course offered by Springboard that has more than 38 hours of content and is highly suitable for anyone willing to solidify their cybersecurity basics. The course offers 40 plus resources across 9 core modules and thoroughly explains the most basic aspects of cybersecurity.

THE LEARNING HUB WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022170

Federal Virtual Training Environment (FedVTE) offers its cybersecurity courses online at no charge for federal government personnel and veterans. Managed by CISA, FedVTE contains more than 800 hours of training on topics including ethical hacking and surveillance, risk management and malware analysis. Course proficiency ranges from beginner to advanced levels.

VISIT HERE VISIT HERE VISIT HERE VISIT HERE VISIT HERE VISIT HERE

OPEN TRAININGSECURITY

COMMUNITYRANGEFORCEEDITION

Access free training courses, including red and blue team training, in an on demand cyber range.

This website delivers tutorials for powerful hacking attacks with the intent of helping students understand the concepts better. It is the community of security researchers and ethical hackers where you will find amazing content to master the art of ethical hacking.

Hacker101 is a free class for web security. Whether you’re a programmer with an interest in bug bounties or a seasoned security professional, Hacker101 has something to teach you.

FEATURING FREE SECURITY TRAINING RESOURCES THAT ARE AIMED AT INCREASING SECURITY AWARENESS AND HELPING PEOPLE BUILD AND UPSKILL THEIR SECURITY SKILLS.

HOPPER’S ROPPERS SECURITY TRAINING

HACK A DAY

Their aim is to create the best site on the internet for aspiring cyber security professionals to learn and grow while mastering the fundamentals of the field, along with growing a community alongside the training material to provide a central location for cyber education.

FROMDEV FromDev is one of the top-rated hacking learning websites for beginners to learn ethical hacking from scratch.

HACKER101

VISIT HERE VISIT HERE VISIT HERE VISIT HERE VISIT HERE VISIT HERE ISSUE 10 WOMEN IN SECURITY MAGAZINE 171

SKILLSOFT Access free trial to sample 7,151 courses, 110+ practise labs, and 10+ live online boot camps across 67 subjects.

CLICK TO LISTEN CLICK TO CLICK TO

ByNEUROSECNathanChung

It can be challenging to secure your business, especially when you have limited time. The Get Cyber Resilient Show, brought to you by Mimecast, is the perfect way to stay up-to-date with the latest cyber developments across Australia and New Zealand. From cyber security to cyber awareness, the hosts will bring you insights and real stories from IT and Security Leaders.

Adventures of Alice & Bob is a podcast where hosts talk shop with hackers, thought leaders, and the unsung heroes of the cybersecurity world about the human element of being on the front lines of cyber attacks.

CYBER ByPODCASTWORKInfosec

Tune in to hear the latest in cyber defence and security operations from blue team leaders and experts. With a focus on learning, BLUEPRINT includes interviews with today’s top security practitioners defending the world’s most respected brands, and in-depth explanations of the newest technologies, protocols, and defensive tools.

ADVENTURES OF ALICE & BOB By Karl Lankford, James Maude, and Marc Maiffret

This podcast aims to cover stories about people in the Information Security community. The podcast guests will talk about their journey in the infosec industry, their learning & challenges faced and any advice to the newcomers. Currently covering the Indian edition.

Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Carbon Black, IBM, CompTIA and others to discuss the latest cybersecurity workforce trends.

LISTEN

CLICK TO LISTEN CLICK TO LISTEN CLICK TO LISTEN

ByEDITIONShruthiKamath

LISTEN

THE GET

O’Hara

UPITTURN 172 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

ByRESILIENTCYBERSHOWDanielMcDermottandGarrett

STORIES OF INFOSEC JOURNEYS - INDIAN

BLUEPRINT PODCAST By SANS Institute

Uniting people and organizations to support and advance Neuro-diverse people in Cybersecurity.

JACOBS: IF/WHEN By Jacobs

This monthly podcast by NCC Group, goes into the latest details about everything you may want to know about cyber security. From web apps, networks, cyber education, ransomware and much more!

CLICK TO LISTEN CLICK TO LISTEN CLICK TO LISTEN

By Erika McDuffie and Jaclyn (Jax) Scott

The world we’ll be faced with tomorrow demands big ideas today. In Jacobs’ series of interviews with some of today’s leading industry and academic problem solvers, we discuss the Ifs and Whens of disruption - those phenomena with the potential to unsettle the status quo, as well as those now imminent and emerging.

TALKING CYBER By NCC Group

Listen to cyber professionals across Canberra to find out why the demand for skilled workers in cyber is booming and how the careers in the industry are becoming more diverse. Hear from those excelling in the industry and what advice they have for those interested in pursuing a career in cyber.

The Cyber People Podcast focusses on the people that help protect some of the largest companies across Australia and the globe. Join Will Wetherall as he follows their journey and stories in the world of cybersecurity.

CYBER ByPODCASTPEOPLEWillWetherall

ByCANBERRAINCYBERCanberraCyberHub

2 CYBER CHICKS

ByCYBERMonicaVerma

CLICK TO LISTEN CLICK TO LISTEN CLICK TO LISTEN

MONICA TALKS

ISSUE 10 WOMEN IN SECURITY MAGAZINE 173 CAREERS

A technology podcast and an engaging platform for real stories, discussions and opinions from renowned global experts on All Things Cyber. The podcast series is hosted by Monica Verma, a leading spokesperson for digitalization, cloud computing, innovation and security enabling technology and business.

2 Cyber Chicks Podcast With Erika McDuffie And Jax Scott is an inclusive cybersecurity podcast designed to educate and break the stereotypes of cybersecurity professionals. We will be discussing the “tough” topics that come along with being a woman in this field while providing life hacks on how to handle burnout, networking, and goal-setting.

Transformational Security Awareness empowers security leaders with the information and resources they need to assemble and deliver effective world-class security awareness programs that drive secure behaviours and culture change. When all other processes, controls, and technologies fail, humans are your last line of defence. But, how can you prepare them?

FORCYBERSECURITYEVERYONE: CYBERCRIMEDEMYSTIFYING

SHELFTHEOFF 174 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

Frustrated with ineffective training paradigms, most security leaders know that there must be a better way. A way that engages users, shapes behaviours, and fosters an organizational culture that encourages and reinforces securityrelated values. The good news is that there is hope. That’s what Transformational Security Awareness is all Authorabout.Perry Carpenter weaves together insights and best practices from experts in communication, persuasion, psychology, behavioural economics, organizational culture management, employee engagement, and storytelling to create a multidisciplinary masterpiece that transcends traditional security education and sets you on the path to making a lasting impact in your organization.

Author // Perry Carpenter

Author // Nigel Phair Cybercrime in Australia: 20 years of in-action provides an engaging analysis of how Australia’s law enforcement and justice system have responded to the exponential rise of Ascybercrime.technology has evolved and the criminal misuse thereof continues to increase, successive governments have attempted to provide more powers to law enforcement agencies and regulate how individuals live in the online environment. But as the mainstream media reporting and statistics tell us, this has been a failure. More and more organisations and individuals are falling prey to Utilisingcybercrime.investigative case studies, an array of statistics, and surveys of police, consultants, lawyers and privacy experts, this book analyses two decades’ worth of cyber and cyber-related legislation combined with policy and operational responses by law enforcement agencies to combat online crime. The book is packed with fascinating and unexpected findings. It also offers hope by providing a set of recommendations to be considered both in an Australian and an overseas context.

AWARENESS:SECURITYTRANSFORMATIONAL BEHAVIORSDRIVINGTEACHMARKETERSSTORYTELLERS,NEUROSCIENTISTS,WHATANDCANUSABOUTSECURE

BUY THE BOOK BUY THE BOOK BUY THE BOOK

CYBERCRIME IN AUSTRALIA: 20 YEARS IN‑ACTIONOF

Author // Amanda-Jane Turner Cybercrime is big business, and as the use of technology increases, so does the opportunity for crime. There is no solely technical solution to stopping cybercrime, which is why it is important for all users of technology, regardless of age, race, education or job, to understand how to keep themselves safer online. To help all users of technology gain a better understanding of some cybersecurity basics, this quick-read book presents easyto-understand information, with the added, and possibly dubious, bonus of entertainment in the form of limericks and cartoons. Stay informed and stay safe. (Recommended reader age group is from young adult up to TimeLord aged.)

WHY YOU SHOULD CARE, AND WHAT TO DO ABOUT IT Author // Jennifer Stisa Granick US intelligence agencies - the eponymous American spies - are exceedingly aggressive, pushing and sometimes bursting through the technological, legal and political boundaries of lawful surveillance. Written for a general audience by a surveillance law expert, this book educates readers about how the reality of modern surveillance differs from popular understanding. Weaving the history of American surveillance - from J. Edgar Hoover through the tragedy of September 11th to the fusion centres and mosque infiltrators of today - the book shows that mass surveillance and democracy are fundamentally incompatible. Granick shows how surveillance law has fallen behind while surveillance technology has given American spies vast new powers. She skillfully guides the reader through proposals for reining in massive surveillance with the ultimate goal of surveillance reform.

Cult of the Dead Cow is the tale of the oldest, most respected, and most famous American hacking group of all time. Though until now it has remained mostly anonymous, its members invented the concept of hacktivism, released the top tool for testing password security, and created what was for years the best technique for controlling computers from afar, forcing giant companies to work harder to protect customers. They contributed to the development of Tor, the most important privacy tool on the net, and helped build cyberweapons that advanced US security without injuring anyone. With its origins in the earliest days of the Internet, the cDc is full of oddball characters -- activists, artists, and even future politicians. Many of these hackers have become top executives and advisors walking the corridors of power in Washington and Silicon Valley. The most famous is former Texas Congressman and current presidential candidate Beto O’Rourke, whose time in the cDc set him up to found a tech business, launch an alternative publication in El Paso, and make long-shot bets on unconventional campaigns.

A COMPUTERDATA-DRIVENDEFENSE:

BUY THE BOOK BUY THE BOOK BUY THE BOOK

Most organizations are using inefficient computer security defences which allow hackers to break in at will. It’s so bad that most companies have to assume that it is already or can easily be breached. It doesn’t have to be this way! A data-driven defence will help any entity better focus on the right threats and defences. It will create an environment that will help you recognize emerging threats sooner, communicate those threats faster, and defend far more efficiently. What is taught in this book...better aligning defences to the very threats they are supposed to defend against, will seem common-sense after you read them, but for reasons explained in the book, aren’t applied by most companies. The lessons learned come from a 30-year computer security veteran who consulted with hundreds of companies, large and small, who figured out what did and didn’t work when defending against hackers and malware. Roger A. Grimes is the author of nine previous books and over 1000 national magazine articles on computer security. Reading A Data-Driven Computer Defense will change the way you look at and use computer security from now on. This is the revised 2nd Edition, which contains new, expanded chapters, operational advice, and many more examples you can use to craft your own data-driven defence.

Author // Roger A. Grimes

A WAY TO IMPROVE ANY DEFENSECOMPUTER

SPIES:AMERICAN SURVEILLANCE,MODERN

CULT OF THE DEAD

ISSUE 10 WOMEN IN SECURITY MAGAZINE 175

AuthorCOW// Joseph Menn

The blog discusses the latest in security, access control, IT compliance, and product developments.

ByBLOGCyberRevolution

OUTSEER BLOG

By Outseer blog

By Twingate

TERI RADICHEL BLOG

Cyber Revolution aims to close the widening cyber security skills gap, through education, courses and placement of skilled professionals.

Discover insights, perspectives, and learn all about the latest updates on the newest fraud detection and prevention technologies.

By Teri Radichel

TWINGATE BLOG

Teri Radichel shares blogs on Medium about Cloud Security Training and Penetration Testing, GSE, GSEC, GCIH, GCIA, GCPM, GCCC, GREM, GPEN, GXPN and AWS.

READ BLOG READ BLOG READ BLOG READ BLOG NETTHESURFING 176 WOMEN IN SECURITY MAGAZINE SEPTEMBER • OCTOBER 2022

CYBER REVOLUTION

IMPERVA BLOG By Imperva Read Imperva’s news, articles, and insights about the latest trends and updates on data security, application security, and application delivery.

ZONEALARM BLOG By Check Point News and information about internet security, online threats and safe web practices.

HELP NET SECURITY By Help Net Security Daily information security news with a focus on enterprise security.

CyberHoot offers training, phish testing, and policy compliance. Their blog articles cover current, critical cybersecurity topics to help the world become more aware and more secure.

INVICTI BLOG By Invicti Learn about the latest web application security & vulnerabilities news, and find out how you can make your website more secure with automated web scanning.

CYBERHOOT BLOG By CyberHoot

ISSUE 10 WOMEN IN SECURITY MAGAZINE 177

READ BLOG READ BLOG READ BLOG READ BLOG READ BLOG READ BLOG

HACKER COMBAT By Hacker Combat Hacker combat provides frequent updates on cyber attacks, hacking, and exclusive events. Explore the latest news and security stories from around the world.

ResourcefulReliableEasy No job is too big or too small. We look after your marketing & content needs so you can get on with what you do best. GET CONNECTED AND TAKE CONTROL OF YOUR BUSINESS SUCCESS TODAY! charlie@source2create.com.au aby@source2create.com.au misty@source2create.com.au

Turn static files into dynamic content formats.

Create a flipbook

Articles inside

Lessons from the AWSN Leader Forums

3min
pages 116-117

A camel is a horse designed by committee: achieving genuine collaboration in cybersecurity

6min
pages 104-107

your compass

2min
pages 114-115

The evolution of CREST

3min
pages 112-113

Improving security together

2min
pages 102-103

Relationships: essential for career success

6min
pages 68-71

Bayanihan for International Women’s Day

4min
pages 96-97

Talking privacy

6min
pages 92-95

Entering the cyber world at a more mature age

14min
pages 80-87

Transposing consumer partnerships from the bedside to the client meeting

4min
pages 78-79

Every voice deserves to be heard

15min
pages 72-77

How do we attract women into cybersecurity, and retain them?

7min
pages 64-67

Sarah Box

5min
pages 36-37

Should you take your teen’s device as punishment?

22min
pages 60-63

The education question

3min
pages 54-55

We are all just bricks

2min
pages 46-47

Aicha Bouichou

3min
pages 44-45

Parul Mittal

11min
pages 38-43

Cybersecurity: it’s a hybrid team sport

4min
pages 52-53

working parents

7min
pages 56-59

Pooja Shimpi

7min
pages 26-29

Aastha Sahni

4min
pages 22-23

Sarah Gilbert

5min
pages 34-35

to fighting cybercrime

1min
pages 14-15

Angela Hall

3min
pages 20-21

Aparna Sundararajan

7min
pages 16-19

Gabe Marzano

3min
pages 24-25

Monica Zhu

7min
pages 30-33
Issuu converts static files into: digital portfolios, online yearbooks, online catalogs, digital photo albums and more. Sign up and create your flipbook.