11
NOVEMBER • DECEMBER 2022
WWW.WOMENINSECURITYMAGAZINE.COM
FROM THE PUBLISHER
To win our battle for the future, we must champion the successes of the past
The Australian Women in Security Awards have grown along with the security industry as a whole
Ever since the pandemic began, pundits have been talking about the impact it would have on the security industry – but as the dust settles after the fourth annual Australian Women in Security Awards, it is all too clear just how big that impact has been, and how many amazing security heroes it has created.
Just a few years after we launched the 2019 event as a day conference with an awards ceremony tacked onto the end – when we had 240 nominations, 12 winners, and a handful of Highly Commended nods – this year’s event tipped the scales with more than 800 nominations, 19 winners, 17 Highly Commended, and 2 special recognition awards.
Those numbers show not only how many amazing women are making their mark on the industry, and how stellar the contributions they made – but how much the profile of security has increased over the past four years.
Since the first event, the nomination pool is much bigger; there are more judges; the categories have expanded along with the security landscape; and the calibre of champions submitted are, hands down, becoming more and more inspiring every year.
As we look to the Awards’ future, planning requires us to look to the past for guidance, reflect on the experiences of the awards as individuals, and understand what recognition and success mean to you. We always ask for feedback and we listen, so that we can react and act – so please never be afraid to contact us with suggestions about how we can refine the Awards to deliver a sharper focus on celebrations, and on the elevation of our champions.
It is because we listen that we added five new categories this year, aiming to expand recognition of the ways that diversity, equity, and inclusion (DEI) initiatives are framed and acknowledged.
With these awards, I feel that we are growing in our respect for one another, and in our resolve to work and lead with empathy, compassion, and flexibility. And we do so while respecting and valuing each other’s experiences and perspectives, and by highlighting the role that lived experiences play in the ways that we adapt – as individuals and as an organisation.
RAISE YOUR VOICE FOR CHANGE
It’s as true today as it was the first year we ran the awards that the reason we do this is for the industry. Each year, as we look backwards to see what worked and what we could do better, we are also looking to the future of an industry that has become more important than ever before.
It is an industry filled with unsung heroes, so we scream from the top of our lungs about the amazing contributions they make every day.
It is an industry where we elevate and celebrate the champions who are keeping us safe, spreading the word about security, and truly inspiring future generations to join the exciting industry we all share.
It is an industry where nobody should ever have to look around the room and feel that there is nobody else that looks, sounds, or thinks the same. So many of us have struggled with these negative feelings in the past – and it is my deep hope that by turning differences from a divisive wedge into a positive unifier, we can turn the narrative around DEI into a powerful force for positive change.
Year after year, you have heard my voice screaming out for recognition of the brilliant people in this industry. You have watched me step out of my comfort zone as I realised that confidence can take you to great places if you step out of your comfort zone. I knew early on that if I wanted the Awards to advance DEI, then I needed to step out of my comfort zone, and use the event to drive content, discussions, and a sense of shared purpose.
Just as I discovered that my voice matters, you must allow yourself to believe that your voice does matter too. Every voice matters. Taken together, the voices promoting diversity, equity, inclusion, and resilience form the cornerstones of what makes us better and stronger as individuals. They make us more impactful as organisations. But being committed is not enough on its own. Making progress in our journey also requires putting our commitment into action, sharing our progress along the way, and encouraging our partners and stakeholders to hold us accountable. As they say, you never know how easy it is to break a glass ceiling until you get close enough to touch it. And by working together, we are getting closer and closer.
We are helping to create the future we have always wanted. And as we close the books on another amazing Women in Security Awards, we can look forward to that future knowing that all of our voices are increasingly being heard.
Thank you to every single person who was involved in the Awards – nominees, judges, sponsors, organisers, and everyone else. Together, we have created something tremendously special – and we hope it continues every year as the cause of DEI in our industry keeps going from strength to strength.
Abigail Swabey
PUBLISHER, and CEO of Source2Create
www.linkedin.com/in/abigail-swabey-95145312
aby@source2create.com.au
CONTENTS
FROM THE PUBLISHER
THE MORE THINGS STAY THE SAME, THE MORE THEY NEED TO CHANGE
AS BURNOUT TAKES ITS TOLL, REMEMBER TO PUT THE U BACK INTO CYBERSECURITY
IN 2023, LOOK FOR WAYS TO CONSOLIDATE PROGRESS AROUND GENDER EQUITY
COLUMN
People culture builds resilience
Cybercrime in 2022
A real hard look
Keep calm and carry on
Improving security together
WHAT’S HER JOURNEY?
Annelies Moens
Joyce Tiwari
Ranjeeta Rani
Sandy Assaf
Dina Atwell
Tara Murphy
Emily Goodman
Jessica Williams
Scarlett McDermott
Anna Dart
Tash Bettridge
TALENT BOARD: REACH OUT NOW
JOB BOARD: APPLY NOW
CAREER PERSPECTIVES
My journey: from accountancy to cybersecurity
Changing the ‘change’ journey
Women in cyber security from a recruiters perspective
Reflect on your thinking and the behaviours you need to reach your vision
INDUSTRY PERSPECTIVES
Australia’s cybersecurity sector: where are the women?
The future of developer security maturity is bright, and these verticals are leading the charge
Shifting perceptions of IT and cybersecurity policies: policy should not fill you with dread
2022 has been a watershed year for cybersecurity, but what’s next?
Cyber resilience in the cyber world
Corporate layoffs: a perfect storm for insider risk and the imperative for holistic mitigation approaches
Looking back to move forward: thirty years of experience guiding the way
Cybersecurity: a board issue in 2022
How is the industry responding to the skills and talent squeeze?
Meeting the security and privacy challenges of the metaverse
TECHNOLOGY PERSPECTIVES
Blockchain – the technology behind cryptocurrency
Sharing our inner voice stories
Reflections on malware
Misty Bland
The relationship between artificial neural networks and cybersecurity
Key themes from 2022 taking us forward
Out of the shadows: how cybersecurity has taken centre stage in the Australian business arena
STUDENT IN SECURITY SPOTLIGHT
Oorja Rungta
Kao Hansell
Jack K
Gabrielle Raymundo
Haicheur Ichrak Amani
Mandeep Brar
OFF THE SHELF
ASSOCIATIONS & GROUPS SUPPORTING THE WOMEN IN SECURITY MAGAZINE
FOUNDER & EDITOR: Abigail Swabey
ADVERTISING: Abigail Swabey, Charlie-Mae Baker
JOURNALISTS: David Braue, Stuart Corner
SUB-EDITOR: Stuart Corner
DESIGNER: Rachel Lee
Source2Create Pty Ltd is the publisher of this magazine and its website (www.womeninsecuritymagazine.com). AWSN is the official partner of Women in Security Magazine.
©Copyright 2022 Source2Create. All rights reserved. Reproduction in whole or part in any form or medium without express written permission of Source2Create is prohibited.
Innovate to Grow program: Cyber security
Australia’s National Science Agency
Applications are open for a free 10‑week online program for small to medium enterprises (SMEs) working in cyber security to explore their research and development (R&D) opportunities.
Build your R&D idea
Small and medium-sized businesses (SMEs) play a key role in growing Australia’s cyber security industry. But taking an R&D idea and turning this into reality can sometimes be a daunting prospect. Our free self-paced 10-week program will build your skills to help you refine your innovation idea and turn this into a R&D opportunity.
Register today
Applications close: 7 Nov 2022
Program starts: 1 Dec 2022
csiro.au/Cyber-Security
Key program outcomes
Personalised support to refine your idea: We’ll step you through the process of turning your idea into a viable research project.
Confidential feedback: All submissions through the program portal will receive prompt expert feedback.
Mentor: You will be paired with a researcher from CSIRO or a university to help connect you with the relevant specialists.
Build your network: You will build key contacts in your sector, including researchers at CSIRO and universities, domain experts, funding professionals and other SMEs.
Key things covered include:
• Identifying your innovation opportunities.
• Refining your value proposition.
• Understanding the R&D viability.
• Helping you build your business case.
• Providing guidance on how to prepare a strong funding application.
Commitment and course outline
Preparing for the program (~2.5 hours): Pre-workshop videos, onboarding, materials and questionnaires.
Week 1 (Official start date, 1 Dec): Workshop (4.5 hours). Guest speakers from CSIRO, sector experts and SMEs who will provide tips and information on topics such as trends and opportunities, innovation experience and funding. You will also meet your fellow participants and mentor.
Weeks 2–10: Self-paced innovation program (2–3 hours per week). Participants explore opportunities to grow their business through innovation and research. Fortnightly virtual participant networking events and additional webinars (1 hour each).
A final questionnaire is required at completion.
Who can attend
Participants working in cyber security. This can be in any sub-sector including:
• Network security.
• Human centric security.
• Critical infrastructure security.
• Security and privacy of Artificial Intelligence (AI) / Machine Learning (ML).
• AI/ML for security and privacy.
• Supply chain security.
• Application security.
• Data integrity and privacy.
• Incident management and response.
• Quantum security.
• Software security.
Selection criteria (essential):
• An Australian registered and operating business with an ABN and ACN/ICN.
• Business classified as small to medium (<200 employees).
• A business currently, or in the early stages of, exploring R&D opportunities for their business and have an idea to work on throughout the course.
Other considerations:
• Currently working in the cyber security sector (or have identified a new opportunity relevant to cyber).
• Any other information provided to support your application.
• Have a clear need to develop your skills in R&D.
“The perfect solution in the current times ... nobody knows their product/markets and how to improve them like SMEs, they just don’t have the resources to develop them. This course taps that knowledge rich base and links with the resources.” – Hamish Shaw, GM, Former participant
“Significant benefits of being part of the ‘ecosystem’ – from which associations and opportunities flow.” – Amanda Falconer, Founder and CEO, Former participant
For further information: Michelle Armistead, Innovate to Grow Program Coordinator, michelle.armistead@csiro.au, csiro.au/innovatetogrow
CSIRO awards places to businesses based on the strength of the application, and a clear interest and capacity to pursue R&D. We also include participants from a variety of industry sub-sectors and regions. CSIRO Innovate to Grow is delivered using Practera’s online ed-tech platform and facilitation services.
This project is funded by the Australian Government Department of Industry, Science and Resources through the Cyber Security Skills Partnership Innovation Fund Grant Opportunity Program.
FEATURE
THE MORE THINGS STAY THE SAME, THE MORE THEY NEED TO CHANGE
by David Braue
Progress towards cybersecurity diversity was steady but slow in 2022 – so help make 2023 better
Between the widespread advocacy, increasing executive awareness, government policies of engagement with women, and efforts to promote the cause of STEM to girls while they are still in school – the messages around boosting women’s participation in cybersecurity, IT, and other scientific and technical fields have never been stronger.
But are they working? The newly announced 2022 update to the government’s ongoing STEM Equity Monitor analysis suggests the answer is both ‘yes’ and ‘no’.
Some 15% of STEM-related jobs in Australia are now held by women, the new figures show, with women comprising 29% of the research workforce in 2021 and comprising 38% of university STEM course completions.
And while the 18% gender pay gap in STEM subjects is less than the 20% across all industries, it is still far too high. Inequity is exacerbated at the executive level, with women holding just 23% of senior management roles and 8% of CEO positions in STEM‑related industries.
Pipeline prospects are improving, although it’s hardly time to celebrate yet: while metrics of girls’ confidence in STEM-related subjects are up across the board – with 59% of 12 to 17-year-old girls saying they are confident in STEM subjects – this is still well behind the 74% of boys who said the same.
Cybersecurity is, of course, just one of many careers that STEM-focused girls might pursue, which exacerbates the challenge of translating changes in STEM study into increases in cybersecurity workers.
It will take time before security careers are normalised among the girls and women that the industry needs so desperately – but delivering on that goal will require more than just switching from stick to carrot.
“Businesses suffering chronic skills shortages can’t keep focusing on programs designed to grow the pipeline, in the hope that the system will fix itself,” noted Lisa Harvey-Smith, a UNSW Sydney professor and the Australian Government Women in STEM Ambassador.
“Although we are doing a better job at attracting women to some university STEM courses, very few women are still going for vocational STEM education, and there’s far too little attention paid to actually keeping STEM-qualified women in the workforce.”
Even as STEM-based industries crawled towards better engagement with women during 2022, the need to improve retention has proven to be a Pandora’s Box of sorts, raising many ancillary questions that required managers to actively address issues such as workplace harassment – which this year saw a “significant, positive step,” Harvey-Smith said, after the federal government accepted all 55 recommendations of the Respect@Work: Sexual Harassment National Inquiry Report.
“Businesses must urgently put robust systems in place to prevent discrimination, bias, and sexual harassment,” she added – throwing down a gauntlet to corporate HR organisations that will need to make their human-centric policies a key corporate priority for 2023, if they ever hope to regain lost ground in the cybersecurity skills race.
CLEARING BLOCKAGES IN THE CYBERSECURITY PIPELINE
Many non-technical lines of business are notching up successes in promoting women: for example, women account for 19% of C-level roles in the average supply chain organisation this year, Gartner recently reported, up from 15% last year.
Nonetheless, the share of vice president-level roles and overall supply chain positions actually declined by 2% from last year – suggesting that the glass ceiling is still present and intact.
Supply-chain executives “need to double down on goal setting, leadership inclusion, and career-pathing for women,” said Gartner senior principal analyst Caroline Chumakov, noting that global organisations with deeper and broader talent pools tend to have “better pipelines and better representation of women in underrepresented races and ethnicities.”
The normalisation of corporate gender-equality policies has seen some positive signs of change this year: the NSW public sector, for example, reported that 42.7% of senior leadership positions were held by women in 2021 – well ahead of the figure in STEM‑related industries – and a formal Gender Equality Action Plan 2022-2025 laying down an agenda to improve this figure over the next three years.
Even as the appearance of such formal strategies suggests that the will to advance women is at least present in many environments, however, the profile of women in senior cybersecurity roles has continued to languish.
One recent UK analysis, for example, found that just 8 of the FTSE 100’s CISOs are women – compared with nearly 40% of board roles in those companies now being held by women – and a similar US analysis of Fortune 500 companies found that just 13% of those firms’ CISOs are women.
That’s well behind the roughly 24% of cybersecurity roles currently held by women – according to widely cited figures from cybersecurity industry group (ISC)² – and this figure highlights the intrinsic and persistent barriers that are keeping many female cybersecurity workers from advancing to the higher echelons of their careers.
There is a chicken-and-egg element at play here, Chicago-based recruitment firm Heidrick & Struggles noted during a recent CISO survey of 327 global CISOs that found 18% of respondents were women – and that more than half of the predominately “men and white” CISOs had moved into their current role from a different CISO role.
The figures “reflect a broader trend that CISO roles are often terminal,” the analysis notes. “The career path forward for CISOs is most often to another CISO role.”
If the CISO function is hopelessly skewed towards men, and also hopelessly skewed towards choosing people with prior experience as a CISO, the prospects for bringing new women into the CISO role may continue to be limited.
“CISO career progression remains tricky,” the analysis noted, “and our experience recruiting CISOs in 2022 reflects an increasing need for diverse talent.”
Many businesses, the firm noted, “increasingly think outside the traditional industry- and IT-specific criteria for CISOs to find the best executives for the role, including people who are diverse in terms of gender and race or ethnicity, as well as industry and functional expertise.”
DRIVING CHANGE FOR 2023
In a gender-equity discussion that is often driven by headline numbers and extrapolations of localised surveys, better and broader information about the real skills gap will be crucial to targeting efforts to fix the problem during 2023.
A recent month-long AWSN survey, called the Australian Security Industry Workforce – Understanding Gender Dimensions Project, sought to better inform debate in Australia by running a census of women in cybersecurity that will, RMIT University Centre for Cyber Security Research & Innovation director Professor Matt Warren said, provide “a more robust and definitive estimate of the gender diversity within the security workforce.”
“There is no robust measure of the gender composition of Australia’s security industry,” he said, “or a clear picture of the types of jobs that women are undertaking and the skills they possess.”
That the broader picture around women’s participation in cybersecurity is still represented by a single number – (ISC)²’s 24% figure – shows just how far the security industry still has to go to improve gender equity in 2023.
To a certain degree, this change will be driven at a local level, as cybersecurity leaders engage with their business counterparts, hiring managers, and others to identify better ways they can attract and retain a more diverse field of candidates.
“For some time now, we have heard these buzzwords – diversity, equity, inclusion, and belonging – and everyone is expected to know what they mean,” said Hollee Mangrum-Willis, a US-based senior program manager with ISACA diversity arm One In Tech.
“We do have a gender balance issue within digital trust, and we do need to start creating, or be more aggressive about creating, more inclusive pathways for marginalised persons.”
And while changing statistics suggest that “the work is being done, and it’s working,” Mangrum-Willis said, the key now is to build on the momentum leading up to 2022 – and “accelerate” it for 2023 and beyond.
“Think about women’s suffrage and how long it took – 100 years – to get to where we are now,” she said. “I don’t want it to take another 100 years to move further.”
COLUMN
AMANDA-JANE TURNER
Cybercrime is big business thanks to technical advancement and interconnectivity creating more opportunities. This regular column will explore various aspects of cybercrime in an easy-to-understand manner to help everyone become more cyber safe.
Cybercrime in 2022
As 2022 draws to a close it is right to reflect on some of the year’s cybercrime campaigns and see what we can learn from them.
At the start of the year Russia invaded Ukraine. As the conflict progressed there was a spike in cybercrime activity directed against both Ukraine and Russia. This showed changes in the geopolitical environment can produce a rise in cybercrime and wars can be fought both physically and in cyberspace.
Criminals exploit major events to trick people into downloading malware, paying faked invoices or entering their log-in credentials on phishing sites. With the COVID-19 pandemic still causing issues, scam emails using COVID-19 contact tracing, vaccinations and fake World Health Organisation information as bait were still doing the rounds.
Cybercrime is profitable. It is big business. Ransomware coupled with extortion attempts threatening the release of stolen data continue to destroy businesses. In May this year a 157-year-old liberal arts college in the USA closed its doors permanently after failing to bounce back from a December 2021 ransomware attack.
Ransomware is not abating, and a prime vector for it is email. It is therefore important for organisations to uplift their cybersecurity culture and help employees spot weaponised emails.
This year several big name companies found themselves victims of data thefts perpetrated by cyber intrusion or social engineering. Such thefts negatively affected those organisations, their customers and their supply chains. They highlight the need for organisations to be alert for cybercrime, keep their cybersecurity defences strong and encourage their employees to have a positive cybersecurity culture.
As technology develops the opportunity for cybercrime develops with it. Organisations and individuals alike must keep learning from cybercrime campaigns and use the knowledge gained to strengthen their cyber defences.
In Australia report cybercrime via www.cyber.gov.au/acsc/report. In another country, report it to your local police or through the relevant cybercrime reporting mechanism.
Cybercrime is big business – learn from the past, and stay safe.
www.linkedin.com/in/amandajane1
www.demystifycyber.com.au
WHAT’S HER JOURNEY?
Annelies Moens
Managing Director, Privcore, Superstar of STEM
It is hard to be what you cannot see, and women are still seriously under-represented in STEM leadership roles. The lack of diversity in technology industries, particularly in leadership roles was highlighted recently in the World Economic Forum’s Global Gender Gap Report 2022 which found women make up only 24 percent of leadership roles in the technology sector. However, representation has increased in recent years.
Annelies Moens is one of Australia’s Superstars of STEM for 2021-2022. She recently spoke about her career journey to high school students across Australia to encourage more women and girls to create the roles they want, on their terms, so they can create more humane technology and shape industry to reflect the diversity of the world.
The Superstars of STEM program sets out to smash stereotypes of what a scientist, technologist, engineer or mathematician looks like by helping brilliant women and non-binary experts in science, technology, engineering and mathematics to become highly visible media and public role models and show girls that STEM is for them.
Moens founded Privcore, a privacy risk management consulting company helping businesses and governments make privacy core to their business. She has been consulting on privacy for ten years and working in privacy since 2001 when she landed her first privacy role at the federal privacy regulator — now the Office of the Australian Information Commissioner (OAIC) — as an investigator and auditor.
She is a trailblazer in privacy and is paving the way for others to develop careers in privacy as a cofounder of the International Association of Privacy Professionals in Australia and New Zealand. Today, privacy (along with cybersecurity) is one of the most in-demand careers as a result of technological advances that enable organisations to collect ever more information about people.
A career in privacy did not exist when Moens was at high school and she has been telling students that, in ten years’ time, most of them will have careers that do not exist today. The start of her privacy career (unbeknownst to her at the time) was studying computer science through years 8-12 at an all-girl high school.
Moens and her colleagues had no perception of gender bias in their high school computer science class. They experienced this only when they graduated from high school and embarked on university studies in information technology and computer science classes amongst a sea of male students.
In her second year of university studies, Moens was awarded a scholarship to study artificial intelligence (AI) in Utah, which is vying to become Silicon Valley 2.0. She has since combined her passion for information technology and computer science with a law degree and an international MBA, and says the cross-functional knowledge and skills she has gained are invaluable for navigating the complex world of privacy risk, and for running a consulting practice.
Because we cannot easily predict what our world will look like even ten years from now, Moens identifies critical thinking as the most valuable skill to acquire. “If you have an ability to question, to challenge assumptions, to think differently, to understand different perspectives, and do not always follow the herd, you are well on the way to creating your success and helping those around you succeed.”
Today we are in what she calls the ‘mass-customisation era’. “We have the industrial era’s ability to produce goods and services at scale but with the bespoke characteristics of the pre-industrial era where services and goods were custom-made: think of the local tailor and cobbler of the past.
“With technology and personal information we can influence each individual in the world. Personal information can be used to develop customised insurance premiums, craft what people see and hear through newsfeeds, influence how people drive through telematics, monitor health, tailor advertisements and so forth. However, a key challenge is to ensure the level of personalisation does not erode human autonomy and choice, which privacy helps protect.”
Meanwhile, Moens says data breaches and ransomware attacks are creating challenges for the privacy and security professionals who help data custodians keep the trust of the public.
“In order to navigate our increasingly complex world we need diverse thinkers who can think broadly across ecosystems and make technologies work for us in ways that minimise privacy and security risks so as to protect one of the most vulnerable and valuable resources in the world: information about people.”
www.linkedin.com/in/amoens
www.privcore.com
Joyce Tiwari
Information Security Manager at Tarabut Gateway
Joyce Tiwari spent ten years as a senior infrastructure engineer with NHS Professionals, a UK Government-owned company that provides staff to the UK’s National Health Service. In that role she encountered the security challenges of cloud computing services, which led to a change of career path into cybersecurity.
“Cloud was easy. You could get an environment set up in minutes, but what we were missing were the right levels of access control, port misconfigurations etc,” she explains. “As I started cleaning up environments, setting up security groups, assigning roles etc, my interest in security grew.”
So she decided to study for ISACA’s Certified Information Security Manager (CISM) qualification. The first COVID lockdown provided the opportunity and a copy of the CISM guide by Peter H Gregory and the audio book by Phil Martin provided the means.
“I love reading and listening to books. That’s usually the best way for me to gauge if I like a given subject,” she says. “I listened to the book whenever I got a chance and used my wardrobe doors as a whiteboard to make notes if I wanted to read further about a topic etc.”
BECOMING ISO27001 CERTIFIED
With the CISM certification under her belt Tiwari went on to gain the International Board for IT Governance Qualifications’ (IBITGQ) ISO27001 Certified ISMS Lead Implementer (CIS LI) qualification, which required a different approach. “My ISO27001 exam preparation was different. There were no audio books. I decided to record my own notes, so I could listen to them on my walks around the garden.”
Having gained cybersecurity qualifications Tiwari took on a security architect role at NHS Professionals before moving to her current role of information security manager at Dubai headquartered Tarabut Gateway. She is based in Watford UK, just north of London.
The company claims to be the largest open banking platform in the Middle East and North America. It provides a set of open APIs that, “allows money and information to flow securely, instantly, and at a low cost.”
Tiwari says, because Tarabut provides services in multiple jurisdictions, “there are different cybersecurity frameworks we need to comply with, which is a little challenging but interesting at the same time.”

To meet this challenge Tiwari has built her own mapping between ISO27001+ NIST and CFSs of the region.

She has no regrets about making the shift from infrastructure engineering into cybersecurity and was well-supported to make the transition. “I feel very blessed, as I had the guidance I needed right at home when I decided to make the move. When I spoke to my husband about planning to move to InfoSec from infrastructure he said, ‘go for it’.”

Both Tiwari’s infrastructure engineering and cybersecurity roles are very different to her prior educational achievements: she holds a master’s degree in geography from the Osmania University in Hyderabad, India, gained in 2002. She “picked geography because I loved the subject, and I still do,” and “started working in IT Infrastructure because I liked it.”

Given her career journey, it is perhaps no surprise that her advice to anyone aspiring to a career in cybersecurity is: “nothing can stop you from switching your career as long as you put in the effort and don’t give up.”
www.linkedin.com/in/joyce-tiwari-3a42a4224
Ranjeeta Rani
Senior Security Engineer at KONE

Ranjeeta Rani’s cybersecurity career has taken her from the frying pan to the freezer, metaphorically speaking. After almost two decades of study and work in one of the world’s hottest countries, India, in January 2022 she moved to one of the coldest, Finland, where she works as a senior security engineer with Kone.

She graduated with a Bachelor of Technology in Electrical, Electronics and Communications Engineering from Jawaharlal Nehru Technological University in 2008 and got into cybersecurity by chance in her first job after graduation, when graduates were allocated different roles.

Rani was, she says, quite ignorant of cybersecurity as a career at that point, but has stayed in the industry ever since and has no doubt she made the right choice. “What kept my interest going was just how vast the domain is. No matter how long you are working in it you will always have new challenges to deal with every day.”

CYBERSECURITY THE PERFECT ROLE

She adds: “There is always so much to do in this space and that keeps your interest high. For someone who strives to do something different each day and work on challenges, cyber is the perfect field. At the end of the day I am proud knowing the work we do makes the world more secure.”

She acknowledges that her fascination with, and commitment to, the industry do make it difficult to maintain a good work/life balance but says, “With experience it does become a little easier, and the key is to prioritise and do time management.

“Another important approach is to really disconnect mentally when you are off work. For me, tracking things on a tool that keeps my to-do list helps me do that. Otherwise I have found myself many times still thinking about work when away from it.”

Rani credits her mentors with having played a significant role keeping her in the industry, saying she has had “many good mentors who helped me decide what I want to pursue in cybersecurity.”
DISCOVERING MENTORING

And she wishes she could have tapped into the power of mentoring at the end of her school life when wondering what career choices to make. “Getting the right information and knowing where to start was a challenge for me. If I had a chance to go back to my last year of school, I would definitely connect with mentors who can advise what areas and opportunities there are in security so I could develop my skills around my interest area.”
In 2021 Rani gained ISACA’s Certified Information Security Manager (CISM) qualification and now has her sights set on gaining the (ISC)² Certified Information Systems Security Professional (CISSP) qualification. “It’s a good certification as it covers cybersecurity on an overall level,” she says. “For someone planning to move to a more senior technical management role this certification has many benefits, in my opinion.”

Other sources of cybersecurity knowledge Rani relies on are LinkedIn, cyber magazines, news and, for threat intelligence, various security notifications from different vendors.
www.linkedin.com/in/ranjeetarani
Sandy Assaf
Head of IT Risk & Compliance at Crown Resorts

Sandy Assaf is Head of IT Risk and Compliance at Crown Resorts. She has come a long way from her first job: sales assistant in a jeweller’s shop, but it was that experience that launched her into a cybersecurity career.

IT was her second career choice at school after photography and media, but she failed to get accepted for the digital media and photography course she wanted to take. She then enrolled for a computer science degree, but did not stay the course. “After the first few months I knew this wasn’t for me and the learning style at university was not my style,” she says.

There followed numerous unsuccessful applications for IT jobs, including one at Crown Resorts. “It was the same response from all companies; that I did not have industry experience and other candidates had more experience than me.”

PEOPLE SKILLS SCORE HER A ROLE

However, a few months later Crown came back to her. “I was curious as to why now, and their response was I had customer service experience and people skills that I could bring to the position and learn the more technical skills on the job.”

Assaf started with Crown as a trainee IT operations officer, progressed to a senior IT operations officer and then IT operations coordinator.

“Soon after I became a systems analyst within the IT gaming systems team. It was then that I took a risk and, with some guidance and mentoring from my now general manager, I leapt into a position as assistant manager IT audit in the newly formed IT governance team,” she recalls.

“Now, with 15 years in the industry and Crown, I am in a job I would have never imagined myself in, and loving it.”

Assaf acknowledges it was luck that got her in the door at Crown “with minimal experience and diplomas in IT and E-business,” and attributes her impressive career progression to “Having great mentors, developing my skills internally, and Crown providing me with training and industry courses I required to be successful in all the positions I have held.”

MULTIPLE CERTIFICATIONS GAINED

Over her years at Crown Assaf has gained ISO/IEC 27001:2013 ISMS Lead Auditor and PCI DSS Internal Security Assessor certifications and completed a Diploma in Leadership and Management.

She says many people are hesitant about taking the leap into a new career path, but with the right support most people will be successful.
“Having a great team and strong leaders assisted tremendously in the transition. Also, an organisation that invests in training, highlights the gaps individuals have and ensures it provides them with the tools and resourcing required makes a transition seamless.”

Her advice to others: “Do your research, see what is suited to you and your future career goals, and go for it. Network with professionals in the industry and take some guidance and advice.”

UNUSUAL STRATEGIES FOR CAREER SUCCESS

All sound, and common, advice but Assaf has a few other, unusual, strategies for career success. She created a reflections journal and published it on Amazon to help with her reflections and with setting personal and professional goals. “I use this once a week to ensure I am focusing on maintaining a good work/life balance and working towards both goals,” she says.

She also includes meditation in her schedule at the beginning of the work week. She plans holidays and mini breaks throughout the year, and a day off every couple of months to focus on herself while her daughter is in childcare. “It took me a while to realise it is ok to have ‘me time’ without feeling guilty, because this helps me be a great leader and give my all at work, and a great mother and fiancée at home.”

Like many people, Assaf struggled initially with the sudden Covid-induced transition to home working. “I wasn’t getting up from my desk often enough throughout the day for a break, and I was logging back in after my daughter was in bed. I now block out my calendar for lunch to ensure I get a decent break from the computer and work. My fiancé also put in a rule that we need to spend time together once our daughter is in bed: no more logging in after hours.”
www.linkedin.com/in/sandy-assaf-24012897
Dina Atwell
Manager, Cyber Insider Threat and Technical Investigations at Capital One

Like so many women who have shared their career journeys, Dina Atwell — who lives in Washington DC — ended up in cybersecurity by chance. She was “one hundred percent certain” she wanted to be a lawyer when she decided to apply for internships in Washington, thinking this would be a good place to start putting in applications to law schools.

She was accepted for an internship in the State Department and ended up in what must be one of the hottest spots in cybersecurity anywhere in the world: conducting analysis to identify, monitor, assess and counter the threats posed by foreign cyber actors against US information systems, critical infrastructure and cyber-related interests.

“They took a chance on me, even though I was transparent that I did not have cybersecurity experience but was willing and excited to learn,” she says. “Once I was immersed in the position, I loved it. I was learning every day and it was like a whole new world opened up to me. I realised I could parlay my investigative passions with cyber.”

Today she is still in a threat analysis role, at a higher level. She is manager, cyber insider threat and technical investigations with Capital One, a financial services company in McLean, Virginia.

“I didn’t have a clear vision. I knew what I enjoyed: creating and strategizing for insider threat programs and people leadership,” Atwell says. “Having those interests in mind and really just trying to contribute in that area led me to a more formalised role where that’s now my day job.”

Atwell did her internship at the State Department while studying for a Bachelor of Arts in political science at Monmouth University and then went on to gain a master’s in homeland security from the same university. However, she sees some of the most important skills needed for her role as being communication, curiosity and analysis, and says these can be developed and honed through any major. “There are many different roles within insider threat and technical investigations you can pursue: from more of a project manager role to more of a technical role.”
CULTURE RULES

When contemplating taking on a new role, Atwell sets great store by company culture. “Culture rules over everything for me, and can really influence how you feel about your work. You can have the same exact position and role in two different companies with different cultures, and the experience can be wildly different.” Her current employer, Capital One, “really puts emphasis on the people and living certain values, which encourages a people focused culture.”

Of her role there, Atwell says: “There are two things I find the most rewarding: one, keeping Capital One, its customers, employees and data, safe. Everything our team does daily drives this overall mission. Second, I love being a people leader. I enjoy helping others and I try to be a positive force on all of my teammates. Nothing makes me happier than seeing one of my associates get a well-deserved promotion or recognition.

“I always encourage others to go after what they want, and I’ve seen nothing but success when motivated individuals transition into cyber, even from a completely unrelated field.

“I think it takes so much courage to leave a field where you may be comfortable and jump into something that may be totally new. I always encourage others to talk to as many people in the industry as possible, really expose themselves to all the different fields in cyber, try to get an understanding of a day in the life, and see where their talents can shine.”
www.linkedin.com/in/dinarusso
Tara Murphy
Director, Security & Traffic at the University of NSW, Sydney

Tara Murphy is Director, Security & Traffic at the University of NSW, Sydney. She has been in security at UNSW for almost half her security career and in that time has transformed the security function.

“Once I began working at UNSW I progressed from deputy security manager to security manager,” she says. “In that role I worked to extend the portfolio and raise the profile of the security service within the university. This led to greater recognition of the value of security, which resulted in my being appointed to my current role as director of security. In this role I am part of the estate management executive team.”

She describes a ‘typical’ day as being atypical, “involving numerous meetings, responding to events, supporting my team and liaising with a wide range of internal and external stakeholders.

“I work with a committed and talented team. Having them recognised for the critical role they undertake and the value they bring is one of the most rewarding parts of my job.”

UNREALISTIC EXPECTATIONS

Having raised the profile of the security service, Murphy says her biggest challenge is managing expectations. “My experience in many organisations is that security is required to wear many hats beyond its core function, which is not realistic in some cases.

“I think this is a result of security being viewed as trusted partners in the organisation. So, whenever people come to a sticking point, they reach out to security. This is, of course, a positive thing. However I need to ensure we do not overcommit to tasks and services we are not trained to undertake that divert us from our core responsibilities.”

Key to fulfilling those core responsibilities, she says, are good personal networks, both within the university and externally. She maintains strong links with her peers in other tertiary education organisations to understand current and emerging threats and responses, is an active member of Association of University Chief Security Officers and attends its forums and conferences. She keeps up to date with government websites and press releases and works closely with the local police and local emergency management committees.

LEARNING ON THE JOB

Murphy says she never planned a career in physical security and learnt mostly on the job in a number of roles over the years. “While academic study has distinct advantages, the value of life experience should not be overlooked. The biggest part of my role is interacting with a diverse group of people. I started my career in the UK in loss prevention straight from school and learned on the job, mostly from managers and colleagues.”

However, she does recognise the value of formal professional development and has taken a number of courses over the years, gaining a foundation degree in security risk management and a diploma in security. She is now completing a degree in counterterrorism, security and intelligence.

She is on track to complete this in 2023 and is looking to undertake further study in emergency and crisis management, responsibilities she already carries in her current role. “While I have developed a sound understanding of the practicalities of this discipline, my experiences in responding to a rapidly changing environment during the COVID pandemic has piqued my interest in undertaking further study in this area,” she says.

www.linkedin.com/in/tara-murphy-a4752513
Emily Goodman
Cyber Security Consultant at EY

Emily Goodman joined EY in Sydney as an executive assistant in Assurance in January 2020, just three months before Covid disrupted life for everybody, but she put lockdown to good use.

“I decided to enrich my learning by enrolling into a Master of Cybersecurity course with UNSW which I am still studying part-time whilst working full time,” she says. “Since pursuing my interest in cybersecurity I have been able to transition into the cybersecurity team in the company, and I have not looked back since!”

She is now a cybersecurity consultant in EY’s financial services arm and says she has found her calling: she had already gained a bachelor’s degree in commerce with majors in accounting and marketing. “Before finding my passion in cybersecurity, I felt at a loss as to where my career pathway was going,” she says.

“I completed my undergraduate degree in commerce and started working in a role I wasn’t particularly enjoying. I then joined EY as an executive assistant and after a couple of years was fortunate enough to transition into the cyber team where I can now achieve my purpose and make a difference.

“I believe the relationships I have made in my current role contribute to making my experience really rewarding. I am part of two mentoring programs and they have been a positive experience. It is so valuable to gain advice and guidance from experienced senior colleagues, to be comfortable to share thoughts and sound out career goals with a trusted confidant. Through building relationships I have been presented with opportunities that add value to my career and contribute to my personal growth.”

FACING IMPOSTER SYNDROME

Her transition into cybersecurity has not been without its challenges. “Imposter syndrome can be common and is something I have experienced, whether thinking I am not technical enough, not smart enough or not confident enough for a role in cyber,” she says.

“With advice from some of my mentors, I have realised the importance of embracing these feelings of doubt. It is impossible to move into a new career path and know all the answers. To embrace the feelings of doubt I remain a passionate learner, learning new skills along the way and taking in the experience.”
MATERNAL INSPIRATION
She says her inspiration to embark on her cybersecurity masters came not from any contemporary influences, but from her mother. “Growing up my mum completed a university degree and CPA as a mature age student whilst working full time and supporting a young family. She has always taught me to keep persevering through challenges I may face, saying I will always overcome them. From her experience I learnt you can achieve anything you set your mind to,” she says, adding, “I am also inspired by the women leaders and colleagues in my workplace. They are motivational and encourage others to be the best versions of themselves.”

As well as being the catalyst for her career transition into cybersecurity, Covid-19 gave Goodman something else: Pilates, which she took up during lockdown. “I think it is important to have something you enjoy outside of work where you can de-stress and allow the feeling of balance,” she says. “I aim to practice Pilates every day when I can, even if it is only for 15 minutes. I find I am more productive when I wake up early and do Pilates, take my dog for a walk, or read a book before starting the workday.”
www.linkedin.com/in/emily-goodman-b9a023144
Jessica Williams
Security Specialist Monitoring and Incident Response at Rio Tinto

Like many women who have shared their career journeys in these pages, Jessica Williams got her start in cybersecurity not on the strength of formal qualifications, but through persistence, networking and soft skills. “Despite two to three years of studying IT and personal projects I couldn’t break into IT,” she says.

She had worked as a receptionist at a truck company and followed this with an administrative role in insurance. With these roles in her CV she got a job on the periphery of the industry, in cybersecurity recruiting, and used that to get closer to the discipline. “This job gave me huge exposure to the Brisbane security scene. I attended as many events as possible, shoulder surfed over capture the flag participants and took notes at talks,” she says.

“I was hired at a conference for a security bid and engagement role. I used my writing skills to move from that role into a technical writing position. Eventually that landed me in penetration testing consulting after being exposed to what that role looks like, and practicing through capture the flags in my spare time.”

NO FAN OF ACADEMIC STUDY

Given her experience, it is perhaps not surprising that Williams is no great fan of academic study. Asked what advice about a career in cyber she would give to her last-year-of-school self, she says, “I would tell myself not to waste so much time trying to achieve top grades in every university subject. I personally feel I did not get a good ‘return on investment’ when it came to university.

“I would tell my last-year-of-school self to spend that time on getting more deeply involved in the security clubs, side projects and industry meetups. I feel that is where the real gold standard educational experience is for cybersecurity in Brisbane.”

However her views come with the caveat. “I’m not recommending it to everybody, all of our paths are different.”

And to those beyond school, studying at university and aspiring to a cybersecurity role similar to hers, she says: “I would tell all university students to really enjoy your time there, don’t mindlessly consume content, and have fun! Ask questions, engage with people, start fun projects, and get involved with the community. Just going to classes and getting top grades likely won’t cultivate that passion and love of learning that really helps when it comes to these roles.
“It’s important to take an active approach to your education, not to passively follow along with whatever university throws at you. When you land that first security role, it’s likely not going to be based on your knowledge. It’s more likely employers are going to hire you based on your passion and drive. Dig into that, and everything else will follow.”

INCIDENT RESPONSE, ACROSS TIME ZONES

Today, Williams is a security specialist in the monitoring and incident response team at Rio Tinto: a team spread between Australia and Canada.

“The biggest challenge in my role is communication during large security incidents,” she says. “When operating between two time zones, facts and assumptions can quickly become mixed up without a proper handover. If clear and effective communication isn’t practiced, a group of incident responders can waste valuable time going down rabbit holes.”

She says getting the role at Rio Tinto changed her life. “My current manager, Ben Passmore, has really helped me come out of my shell at work. I previously had a lot of anxiety around asking for help when I needed it. Ben made it clear from the get-go that I could ask as many questions as I needed and never made me feel stupid for asking. He encourages the ideas I have, helps me to implement them and provides me with the appropriate level of challenges I need to feel fulfilled at work.

“Additionally, the company has provided me with many great training opportunities and has even given me the opportunity to live in Montreal for two years. I feel my career and growth here is taken very seriously, and it shows through all the opportunities I have been given.”

ACHIEVING WORK/LIFE BALANCE

Incident response is, inevitably, not a role conducive to a nine-to-five work routine and Williams has a number of strategies to maintain a good work/life balance, but says the starting point is an employer that will respect and encourage the boundaries employees put in place to maintain that work/life balance, and Rio Tinto has created a workplace where work/life balance is encouraged. “It really should be a shared responsibility between employer and employee.”

Williams makes a point of balancing any extra hours demanded by incidents and meetings with time off, and has a couple of other strategies.

“I adopted two cats! Having pets around has been great for keeping my anxiety levels low and provides a nice mental break when working from home when they demand petting from me. And I’m religious about using the Headspace app. The mindfulness exercises and ‘sleep casts’ help me get a lot more, higher quality sleep.”

www.linkedin.com/in/jwill1785
Scarlett McDermott
Chief Technology Officer at WithYouWithMe

Meet the up and coming female entrepreneur who is heading the tech division of one of Australia’s fastest growing start-ups (Deloitte Fast 50 2019). Since taking the reins as chief technology officer at WithYouWithMe, Scarlett McDermott has seen the company grow around the globe, most notably in the United Kingdom, Canada and the United States.

Hers is a fast-paced job, and one that sees her meeting regularly with a Who’s Who list of CEOs and political leaders from around the world.

Although the number of women working in IT roles has increased in recent years, McDermott says there is still work to be done.

“As CTO for a tech company that is all about solving under-employment I see my role as more than just technology innovation and development; it’s about shifting the needle for the industry as a whole to ensure we create an environment where women thrive.”

Her diverse career spanned from software development to cybersecurity before she put her hand up to lead a global product team for WithYouWithMe. Hers was not a typical journey to the C suite. “I was adamant I wouldn’t end up in the same profession as my father: a software developer,” she says.

After working as an electrician during her Year 10 work placement, McDermott went on to complete a degree in information technology.

“Ultimately it was my passion for problem-solving and fixing things that inspired me to pursue a career in technology,” she says. “When I took a break from full time work to start my family I wanted to keep my mind busy, so I enrolled in a graduate certificate course to study cybersecurity online at Edith Cowan University. I would be at home on my couch breastfeeding while reading or listening to cybersecurity lectures.”

When she returned to full time work, McDermott was determined to find a role that made a difference and helped people. After researching and learning about WithYouWithMe—a startup helping armed forces veterans find employment—she applied, and was hired for, a software development instructor role.

She helped establish WithYouWithMe’s tech support program, which helps women learn digital skills for remote employment roles such as support desk analyst. She recently launched the National Resilience Project, which enables digitally skilled individuals to sign up for temporary employment projects helping government agencies in emergency situations.

“My husband’s military postings meant I moved around a lot, and I have been fortunate to have had a career that could adapt to these changes,” McDermott says. “However, I knew some women who were not so fortunate, some whose careers were cut short and others forced to work in jobs beneath their skill level to make ends meet. A family and a successful career do not have to be mutually exclusive, and women should not be expected to sacrifice their career to support a family.”

One of the challenges McDermott encountered when she was promoted to chief technology officer was expanding WithYouWithMe’s cybersecurity capabilities from one person to a global security team.

She says this was necessary to ensure that the cybersecurity and technology teams worked together and not against each other.

“An organisation’s security team should not be seen as an enemy or a barrier but as an enabler of innovation. We use Microsoft Sentinel and various security information and event management (SIEM) tools to assess threats and maintain a secure position.

“I lead a team of 70 talented technologists spread across the globe, the majority of whom are veterans and military spouses, all dedicated to creating and developing incredible products that contribute to meet the demands of an evolving technological landscape.”

McDermott acknowledges the value of higher education but questions whether it should be a prerequisite for all individuals looking for entry-level IT jobs.

“Apprenticeship programs that focus on transferrable skills would be more beneficial to candidates than traditional study,” she says, adding, “formal education can help people stay on track once they’ve decided on a career path.”

McDermott appreciates WithYouWithMe’s skills-based hiring approach that uses data from aptitude and psychometric tests to show candidates which roles would be a good fit for them.

“I’m encouraged by the Digital Skills Organisation’s efforts to build a skills taskforce and framework focused on skills-based hiring rather than prerequisites such as university-level training for entry-level IT roles. This can be a barrier for certain candidates who lack the time or the funds for courses.”

McDermott is now leading a new initiative called WithWomen in Technology which aims to increase female representation in the IT industry.

“WithYouWithMe has committed to providing free technology skills training to 1000 women this year. WithWomen aims to encourage more women to consider a career in IT, especially in fields like cybersecurity,” she says. “We want to encourage women and show them IT careers are not dull or exclusive to intellectuals. Anyone who is willing to put in the time and effort can become a skilled cybersecurity professional.”

www.linkedin.com/in/scarlett-mcdermott-089a01190
Anna Dart
Senior Manager Protective Security at Westpac

Anna Dart is Senior Manager Protective Security at Westpac, a role she has held for about two years after more than a decade in security with Dell Technologies. And she owed the introduction to that role to the kindness of strangers, one in particular.

She arrived in New York to take up a job at New York University a week before the start of the Global Financial Crisis, but the person who was leaving the position changed her mind. Dart says she was, “suddenly, an Australian with no connections in a new city and country trying to navigate a pretty shocking job market.”

She started cold emailing people, “a pretty discouraging thing to do.” However, this tactic eventually delivered results. “After reading an article I liked on counterterrorism methodologies and discovering the writer had transitioned from US federal law enforcement into the private sector, I sent yet another cold email and had success.

“I asked for advice, not a job. He was very generous and asked for my resumé and then told me he’d sent it to a couple of Fortune 50 companies he knew were looking for someone with my skillset. I got a job with one of them and stayed for over 10 years.”

From that experience and many others, Dart says she concluded people are often very generous and happy to help if they are able. “If you ask, you’ll be surprised what people will do for you. I am very aware how this person’s kindness to a total stranger affected my life, and I try to remember that when I am approached for help.”

POLICE FORCE ASPIRATIONS
A career in security was high on Dart’s agenda in her youth, but she initially aspired to join the police. “I always wanted to be a police officer and my parents wanted pretty much anything else for me,” she recalls. “They helped me get work experience with the Queensland Police when I was at high school. I think they hoped it would discourage me, but it had the exact opposite result, I loved it and was hooked.”

After plan A failed, her parents implemented plan B. “They encouraged me to look at the AFP, which they thought would be more interesting to me in the longer term and it was the right fit.”
However, despite having wanted to be a police officer, Dart chose university studies that would keep her options open. “I didn’t want to limit my options by taking justice studies or similar, so I studied foreign languages.”

So, it is perhaps no surprise that her advice to anyone aspiring to a role similar to hers is: “Study something that demonstrates your interest in the world as well as something that gives you a solid base to pivot to a different field if you change your mind: international relations, law, international security studies.”

CURIOSITY OPENS DOORS
And she adds: “You also need to have practical, marketable skills. Once you’re in the industry, you might find other areas that interest you more than protective intelligence (although I can’t think of anything myself!), so set yourself up to have broad knowledge and skills. I always think when I am interviewing candidates that we can teach you things we need you to know but attention to detail, curiosity and a demonstrated work ethic will open a lot of doors.

“There are some key skillsets that will stand you in good stead. For example, an understanding of how data and intelligence (should) form the basis of decision-making. Make an effort to learn to collate, use and explain data and how it has informed a decision/project.

“A key skill is being able to write well and communicate nuanced ideas. Business writing skills are often underrated but essential. Learn to write, and then practice this skill. It’s like any muscle: the more you use it, the more responsive it is.”

OLYMPIC INTELLIGENCE ROLE
A pivotal moment in Dart’s career came when she scored an internship with the Sydney Organising Committee for the Olympic Games in the Olympic Intelligence Centre.

“I saw some of the preparations and planning that went into a major security operation for an event of that size,” Dart says. “This gave me exposure to some senior representatives from Australian law enforcement and intelligence to see how they operated. During my internship I was able to take on a project and completely own it, producing an assessment to the senior leader at the end of my time there.

“Given I was very young to apply to the AFP, this experience gave me something other than my university jobs to put on my resumé and my application. It also exposed me to another aspect of the security world, reaffirming my belief that I was in the right place.”

HOME WORKING A PRIORITY
The ‘right place’ in another sense for Dart has been home: she has worked mostly from home for more than a decade and says the ability to continue doing so was an important factor in the choice of her current role with Westpac.

“I can work hard but also get to see my children and hear them playing. Everyone works hard but I think the pandemic broke down a lot of pretence that people don’t have families. It was great that suddenly everyone seemed to be in the same boat, juggling responsibilities. Little people were occasionally, unexpectedly popping into Zoom meetings for everyone without it undermining a person’s professionalism, the perception of how good they are at what they do or their commitment to work.”

And with her decade plus of home working experience she says it is important to have good boundaries around work areas in the home. “I don’t ever take my laptop into the bedroom and very rarely work away from my desk unless it’s a late call or similar. I don’t wear a suit unless I am in the office, but I have found it’s important to get dressed for work every day. It helps me switch my brain into work mode and feel like I am actually going to work.”

However, she does confess to some transgressions. “I am always reading news and reports/assessments, it’s what I love. So I will often sit on the couch at night and read on my phone while ostensibly watching TV. It’s a bit blurry on the work/life balance issue, but I enjoy it and it doesn’t feel like work.”

It may not feel like work, but it certainly informs Dart’s views on what will be the most significant developments in the threat landscape: they are all ‘big picture’ issues.

THE, GLOOMY, BIG PICTURE
“I am waiting and watching to see what the energy and food supply situation is going to be like over the coming year and am expecting difficulties,” she says. “I am concerned about a cold winter ahead in Europe and about energy being a weapon of war, potentially resulting in political instability, civil unrest and supply chain disruptions. I am watching the price of agricultural products and am concerned these price increases will result in lower yields that will impact countries more reliant on food imports. Also, that the confluence of energy price increases and inflation in places where food accounts for a greater proportion of earnings than in a country such as Australia will result in unrest, political instability and hunger.

“Slightly more on the horizon are the effects of climate change and adherence to the practice of growing crops unsuited to the region or in unsuitable climates. And using outdated irrigation practices is going to make water security a greater security risk where competition for the limited resource is increasing.”

Despite these gloomy projections, Dart revels in this aspect of her job. “I love my role, but I enjoy the geopolitical / geostrategic side of things most. There’s the stuff happening on the surface and trying to keep track of all the various inputs and players and their motivations (projected and real), all the downstream effects of these developments, trying to assess how nation states will react to things, and how these decisions will affect business operations or employee safety.”
www.linkedin.com/in/anna-dart
Tash Bettridge
Customer Success Account Manager at Microsoft

Tash Bettridge is a customer success account manager (CSAM) with Microsoft in New Zealand, focussing on Microsoft’s business relationships with New Zealand small and medium business customers and partners.

She describes her role as a mix of account management, delivery management, project management, change management and incident management. “The customer success account manager role is a generalist in Microsoft products and services. We are the support people for the customers, and we are there through the whole delivery life cycle.

“The role used to be known as technical account manager, but Microsoft switched over to customer success account manager because of our obsession with empowering our customers and partners.”

Bettridge says she loves the challenge of bringing together a diverse group of people who have never previously co-operated on a project. “I enjoy everyone coming together to empower each other to work on the customer’s digital transformation, and watching the project unfold from beginning to end as well as helping the customer when there is a major incident affecting their business continuation processes.”

She took her current role after almost a year as a cloud solution architect in data and AI with Microsoft after being approached by her, now manager, at an internal Microsoft event. “I think it has been the best career move I have taken, as I have been really supported in the role,” she says. Her job title does not include ‘cybersecurity’ but she says, “the CSAM role is the person Microsoft business customers and partners turn to when there is a major incident. I keep updated with internal alerts from our support team and I also attend the internal cyber team sessions that keep CSAMs informed of Microsoft security products.

ONE ROLE: MANY HATS
“My role is always busy, and I wear many hats on the job because there are many different parts I need to play on a day-to-day basis,” she says. “The role is always exciting, and the days are always different. One day I could be working with C-level executives on their business and digital transformation strategy, supporting our customer engineers in workshops, giving presentations and working to support escalations when there is a major incident.

“The CSAM role suits me as I am someone who loves challenges, loves interacting with people and stakeholder management as well as being involved with the success of customers and partners through their transformation.”

Her career trajectory to this position could be summed up as ‘circuitous and from inauspicious beginnings’: she was kicked out of home and dropped out of school at age 16.

INAUSPICIOUS BEGINNINGS
“I did not have much trust in adults because my homelife was not the best and going to school was just as bad for me,” she says. “I did not have much in the way of role models to look up to at home: both my parents had dropped out of school at young ages.”

And you can gauge something of Bettridge’s unhelpful school experiences from the advice she would give her younger self.

“I believe the words of teachers can have a powerful impact on young people. Advice should be offered only with great caution. Don’t listen to the advice of the teachers who are trying to pivot you away from computing. Stick to the computing class and follow your passion for computers. Following your passion and finding the right mentor can support you, and not every adult is trying to hurt you.”

An early work role, and introduction to cybersecurity, was working overseas teaching digital citizenship and cyber safety to 7 to 16 year-olds with the American School Foundation in Mexico. When Bettridge returned to New Zealand in 2016 she planned to continue in education but got diverted into the film and TV industry.

“I was approached by a family member to work at their film production company. I was curious about the film and creative industries so I did a short stint working with the company,” she recalls.

FROM CREATIVE ARTS TO CYBERSECURITY
“I was working on the set of a New Zealand TV show but I enjoyed more the behind-the-scenes stuff like film editing and web design. This sparked my interest to continue higher education in that area, which led me to sign up for a bachelor’s degree in creative arts, but I made a drastic shift and ended up enrolling for a Bachelor of Computing (networking and cybersecurity).”

After that transition Bettridge really embraced cybersecurity, becoming student president of the ISACA (Information Security Auditing Control Association), an ambassador with Google’s Women Techmakers program and a volunteer lead with OMGTech, a New Zealand charity that introduces young people to technology. She also cofounded, with Sai Honig, the New Zealand Network for Women in Security, and is a member of WiCyS.

Her first IT role was on a help desk, followed by “moves into a few other industries before I joined the cybersecurity industry.” This was followed by security analyst work that opened up further opportunities.

A SIGNIFICANT MENTOR
Along the way she has had help from mentors and credits Simon Howard, CTO and founder of Wellington-based cybersecurity consultancy ZX Security as one of her most significant influences. Howard also co-founded, and assists with running, Australasia’s largest hacker conference, KiwiCon (recently re-branded as KawaiiCon).

“Following the work he and his team do at ZX Security really inspired me while I was a 20 something year old going back to study this new industry,” Bettridge says. “It was the first KiwiCon event I had attended as a guest, which was very inspiring. I liked how the event had a range of speakers from all levels and industries. The event is great for people who are new to the security industry and I hope it will continue for many years.”

Bettridge is now working to gain CISSP and Microsoft SC-100 (Microsoft Cybersecurity Architect) certifications. For newcomers to the industry wanting to enter the Microsoft world she advocates the Microsoft SC-900 (Microsoft Security, Compliance and Identity) and AZ-900 (Microsoft Azure Fundamentals) certifications.

She is also happy to be working in the environment Microsoft offers. “I am grateful to be in a company that supports and empowers employees. We have diversity and inclusion pillars that support individuals through mentoring. We have an employee assistance program and other benefits to support health and wellbeing. I was in a toxic work environment before coming into Microsoft and it affected my mental health and confidence.”

www.linkedin.com/in/tashbettridge
TALENT BOARD

Heath Parker
Teacher | Analyst (Cyber, Business, IT Support) | Communicator | Coordinator
Homebush, NSW, Australia

WHAT POSITIONS ARE YOU LOOKING FOR? Full-time, Contract

PREFERRED STATE: NSW: Sydney / Central Coast or remote/flexible

WHAT KIND OF ROLE: Cyber Security Awareness Training / Cyber Security Consultant. Entry level with my experience and transferable skills taken into account.

WHAT’S YOUR EXPERTISE: I have over eight years of experience as an educator, mentoring and teaching in classroom and one-on-one settings. I learn extremely quickly and am able to adapt to new environments, systems, and protocols with ease. I have been privately studying Cyber Security, completing an ever-growing number of online courses including a Certification in Agile management from Charles Sturt University and a Certification in Cybersecurity from ISC². I have strong experience in stakeholder management at a high level across a diverse range of professional contexts. I successfully adjust my teaching strategies in line with the audience to achieve optimal outcomes for students. I possess a keen analytical and technical mindset and seek out puzzles, whether that be working with complex software, building PCs, or solving my 10x10 Rubik’s Cube.

WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED? I am seeking an environment where I can be challenged and grow in this industry. A strong environment of professional development would be ideal. I am confident working both independently and as part of a team. My preferences are for hybrid/work from home however I am flexible and will commute for the right position.

Chris Green
Data Analyst | Business Analyst | Business Intelligence Analyst
Sunshine Coast, QLD AUSTRALIA

WHAT POSITIONS ARE YOU LOOKING FOR? Data Analyst or Business Intelligence Analyst

PREFERRED STATE: QLD/Remote

WHAT KIND OF ROLE: Preferably contract roles, ideally in an analytics section

WHAT’S YOUR EXPERTISE: Data analysis, stakeholder management, enterprise-wide transformation projects

WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED? My ideal environment is outcomes focus team that support each other and an organisation that prioritises learning and development.
IN EACH ISSUE WE WILL PROFILE PEOPLE LOOKING FOR A NEW ROLE AND PROVIDE DETAILS OF THEIR EXPERTISE. IF ANY MEET YOUR REQUIREMENTS, YOU CAN CONTACT THEM VIA LINKEDIN.

Mehlika Ercan
Cyber Security Analyst | CompTIA security+ | Mitre ATT&CK | D3fend | Incident Response | IBM QRadar | Splunk | Fireeye HX | Linux
Sunnyvale, California, United States

WHAT POSITIONS ARE YOU LOOKING FOR? Fulltime or Part-Time

PREFERRED STATE: I am looking for cyber security analyst positions in Bay Area/ CA.

WHAT KIND OF ROLE: I have experience and certifications about cyber security. I am interested in upskilling myself, so my future company should encourage me about my developing and enriching my skillset.

WHAT’S YOUR EXPERTISE: Cyber security is my passion. My goal is becoming an expert on the defence side. Malware analysing and APT groups investigation are my favourite parts of cyber security. I am currently working as an intern, and I am searching for new opportunities and challenges.

WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED? Remote or Hybrid

Nga Rampling
Junior Full Stack Web Developer | JavaScript | React | Ruby | Rails
Adelaide, South Australia, AUSTRALIA

WHAT POSITIONS ARE YOU LOOKING FOR? Junior / Entry-level / Associate

PREFERRED STATE: South Australia

WHAT KIND OF ROLE: Web Development (Front / Back / Cloud)

WHAT’S YOUR EXPERTISE: I completed my Full Stack Web Development bootcamp in 2022 (10 months duration). I have 13+ years working in a dynamic team, providing drafting support to a global engineering consulting company, for the oil & gas industry. I have strong skills in communication and in project management. I am naturally an analytical thinker and enjoy collaborating in a team. Strong collaboration and problem-solving skills working with large clients such as Esso (ExxonMobil), and PNG LNG to deliver project goals. Skilled in Procedure Development, Document Management, and Documentation. Experienced in managing construction drawings and ensuring projects are delivered on time and on budget.

WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED? I have a strong preference for a part-time role, however, I am open to taking on more hours if remote work is permitted.
TALENT BOARD

Saman Fatima
Graduate Research Assistant | MSISCybersecurity Graduate at Georgia State University | Cyber Enthusiast | BBWIC Foundation | Actively looking for Internships/Full-time starting Spring’23
Atlanta, Georgia, United States

WHAT POSITIONS ARE YOU LOOKING FOR? Positions open in the “Cybersecurity” domain

PREFERRED STATE: Georgia till I graduate (July 2023) then I would be ready to relocate.

WHAT KIND OF ROLE: Security Roles. With 5 years of experience as a DevOps Engineer, I have obtained 2 Industry Certifications - CyberArk Trustee and Microsoft AZ 900, aiming to collect more Cybersecurity Certifications in the coming years.

WHAT’S YOUR EXPERTISE:
1. 5.5 years of experience in Cybersecurity - Identity and Access Management and Data Engineering
2. Worked on DB Tools MySQL and well-versed with Linux commands.
3. Worked on Splunk and understand Data Monitoring.
4. Basic understanding of MITRE Att&ck Framework
5. Have worked with clients (directly) in terms of solutions, design, and implementation.
6. Good Knowledge of Microsoft Azure, have a successful completion certificate of Microsoft AZ 900
7. Worked for a year on the “Data-Driven organization” mission.
8. Experience with offensive security tools.

WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED? People’s company, work-life balance is priority, mostly remote role as I am a student. Benefits - Health Insurance, Personal Leaves, Relocation Bonus.
CRAIG FORD
Cyber Enthusiast, Ethical Hacker, Author of A hacker I am vol1 & vol2, Male Champion of Change, Special Recognition award winner at 2021 Australian Women in Security Awards

COLUMN

A real hard look

Over the last few months I have taken a really hard look at myself and the industry, at what I have achieved and at the state of the industry. I have asked myself: have I made a difference? Does what I do matter in the slightest?

Honestly, it is probably just the slightest ripple in a massive pond, but every ripple has an effect.

I think, as we become more successful in our lives, as we mature, we start to self-reflect and think about the marks we will leave behind when we are no longer on this earth. My books, these articles, podcasts and even my contributions to AISA are my way of leaving something behind. I try to share my knowledge and help the next generation so when the members of that next generation are ready to take the reins from ours they will, hopefully, have the knowledge and have learnt the lessons to guide them to make fewer mistakes than I, you or all of us together.

If we are unable to learn, change paths and adapt to what is to come, we have already lost. I see the truth of that in the ways we bring new people into the industry. We are so stuck in our old ways and hung up on experience and certifications that we lose sight of what we are really trying to achieve: bring in raw talent to help find ways to better protect ourselves.

To me, it is crazy to demand certifications for technologies that are out of date and to require degrees that do not include hands-on experience in their curriculums.

Now, before I move on, I value certifications and degrees. I have some certifications and two master’s degrees I have worked very hard to gain. They have taught me a lot, and made me the person I am today.

However, that does not make them the only way, or even the best way, for everyone to get into the industry. I have a young pentester, Bailey, in my team at Baidam. He is a complete natural who just gets it. He has the raw talent and drive to go out there, find something and just keep pulling at the threads until he achieves his aim. He is a natural hunter with the perfect pentester mindset. He does not have a couple of master’s degrees nor an arm full of certifications, but I feel he has raw talent much greater than mine. One day, with my help or with your help, Bailey, or people like him, could have multiple certifications, or a couple of degrees if they choose to acquire them, but let us look at what we need from the people in our teams.

We need smart people who have the drive and the natural gifts we can hone to help them achieve their potential. In a few years they will reward us for our efforts (probably a lot sooner, but let’s go with years). I know we sometimes need people with experience, but open your team to these newcomers. Instead of getting another analyst maybe get two graduates and help them fulfil their dreams. With that small investment you get more motivated staff, more hands on deck and a much stronger industry.

It is not rocket science, but it can make a huge difference.

www.amazon.com/Craig-Ford/e/B07XNMMV8R
www.facebook.com/AHackerIam
www.linkedin.com/in/craig-ford-cybersecurity
twitter.com/CraigFord_Cyber
CAREER PERSPECTIVES
LIBERTY MUDZAMBA
MY JOURNEY: FROM ACCOUNTANCY TO CYBERSECURITY by Liberty Mudzamba, Senior Consultant in Cybersecurity at EY Liberty Mudzamba is a senior consultant in
simulations to understand their business needs
cybersecurity at EY. One aspect of his role represents
and ensure solutions meet the requirements from a
the achievement of a long-held goal, the other does not.
security, business and technical perspective.
“I always wanted to work for one of the Big Four,” he
In this role, he says problem solving, communication
says. However, cybersecurity was not on his radar
skills, collaboration/teaming skills and stakeholder
initially: he gained a bachelor’s degree in accounting
management are of paramount importance.
and finance from Curtin University and then worked in accounting before landing a role as a security
CURIOSITY AND CONTINUOUS LEARNING
analyst with a not-for-profit organisation. This was
It is a long way from his early roles in accountancy,
followed by various other roles before he joined EY
but he says those roles helped him develop these
in 2019, after gaining a Postgraduate Diploma in
skills. “These were some of the transferrable skills
Cyber Security from a reputable university in Western
and knowledge I found to be relevant in cybersecurity
Australia, where he faced considerable challenges as
from my early roles,” and taught him some valuable
one of few students without a technical background.
lessons. “In hindsight, I realise that my initial fear of not transitioning into cybersecurity because I
“The course was delivered in technical jargon, and this
wasn’t techy enough were exaggerated. I am glad I
required me to study twice as hard to stay on top of
managed to fight the imposter syndrome and step
my grades,” he says. “I doubted my ability to survive in
out of my comfort zone. I also redirected my fear
this industry several times, but I remained focused on
towards growth, reading books and watching as many
the bigger picture, to help simplify the cybersecurity
podcasts as I could to accelerate my learning. The
technical language into simple, consumable language
process imparted an important lesson: that we all can
by non-technical decision makers.”
restart our careers as long as we carry enough drive and curiosity.”
Today, he works with EY’s client organisations
48
undertaking cybersecurity maturity assessments,
And Mudzamba has certainly learnt continuously.
assurance, transformation programs and crisis
In addition to his Postgraduate Diploma in Cyber
W O M E N I N S E C U R I T Y M A G A Z I N E
N O V E M B E R • D E C E M B E R 2022
C A R E E R
P E R S P E C T I V E S
Security, he is also an ISACA Certified Information
“Through my current organisation I have participated
Security Manager (CISM) as well as a Microsoft
in university mentorship programs where I get
Certified Security Operations Analyst Associate.
to share my journey with aspiring cybersecurity
He has also completed three executive level programs
professionals, encouraging them to see beyond the
at the Cyber Leadership Institute, where he was one
obstacles and remain curious and focused. Most
of the youngest in a class of seasoned global cyber
importantly, being able to educate my daughter about
leaders and CISOs.
cybersecurity and teaching her how to be cyber safe has been the most satisfying experience to date.”
STRATEGIC CHOICES He says his certification choices have all been
Beyond mentoring, Mudzamba sees a need for
strategic. “Accounting and finance gave me a solid
established cybersecurity professionals to reach
understanding of how business decisions are made.
out to young people who might not even be
My postgraduate cybersecurity diploma accelerated
contemplating a career in cyber.
my understanding of core foundations in computer science. Certifications from the Cyber Leadership
“Without structured educational at grassroots level
Institute and ISACA’s CISM equipped me with the
cybersecurity will always be viewed/perceived as a
skills to lead with confidence and accelerate change
topic of the future. The time to train current and future
through transformational programs.”
cyber heroes is now. To champion this, top leadership at national and corporate level has a pivotal role to
play to ensure there is a mindset shift at every level.”

To those already contemplating a career in cybersecurity, he says internships and volunteering are good ways to start. “Hone your soft skills and identify a specific area you are passionate about. Study the main relevant topics and be exceptionally good at that. Trust is important in cybersecurity and being authentic is one way to earn trust. Being curious and having a good attitude towards learning is a great way to stay ahead of the curve. The threat landscape is continuously changing, hence the need for one to be a continuous learner.”

He would particularly like to see more women enter the profession, saying the industry needs people with diverse experiences and perspectives. “There are various security programs that aim to support women and tackle barriers that hinder women looking to enter cybersecurity or progress their careers.”

Also, these programs gave him opportunities to collaborate with, and learn from, CISOs around the world, and further that it is the support of people—friends, family, managers, lecturers, mentors etc—that has enabled his career achievements.

“Now more than ever I understand cybersecurity is a team sport. As such, I would like to continue making a difference through collaboration, driving and accelerating the creation/adoption of resilient digital ecosystem.”

Mudzamba says he is happy he made a career shift into cybersecurity. “The most important decision was to get out of my comfort zone to pursue what set my soul on fire. If I were to go back the only thing I would do differently would be to find a mentor early and to strategically attend networking events to build meaningful relationships.”

GIVING BACK THROUGH MENTORING
Now, he himself is a mentor and cites the opportunity to give back to the community through mentorship as being one of his most satisfying achievements.

www.linkedin.com/in/liberty-mudzamba-b4634243
LEKSHMI NAIR
CHANGING THE ‘CHANGE’ JOURNEY by Lekshmi Nair, Managing Principal, APAC, Synopsys Software Integrity Solutions
A few days ago I got a ping from a dear old colleague of mine. She wanted my advice on how to settle into a new role in the organisation she had joined a few months earlier. During our hour-long conversation I realised I had been in a similar situation not so long ago. We spoke about several issues.

• I had been a star performer in my previous organisation. My views were heard and valued. No one in my new organisation was willing to listen to me. How could I be heard?
• I could see several ways in which current systems could be improved, but when I made suggestions people, especially my peers, took these personally. How could I bring about change?
• I was working across multiple different areas. How could I set priorities?
• My team members were carrying a lot of baggage from their previous experience under their former leader. How could I build an environment conducive to growth?

Moving from my previous organisation after 15 years I heard several questions from well-wishers that were very pertinent to my new situation.

• It must have been a very difficult decision for you.
• How did you adjust to your new environment?
• Did you ever feel like going back?
• How did you get over it?

I admit, it was not an easy journey from a well-established role in an organisation where I was well known to a role in a new organisation where I was unknown. Here are some of my experiences of what worked and what did not.

1. SOMETHING IS WORKING HERE, GET HOLD OF IT
Know your organisation’s what, when, why and how.
a. What are the organisation’s core business, products and services?
b. Who are the key stakeholders who will contribute to the success of your role: leaders, peers, team members, extended teams, support functions, etc?
c. Who are your key internal and external customers, and their contacts?
d. How is the work being performed?

2. GAIN THE CONFIDENCE OF YOUR MANAGER
Know your goals, boundaries and objectives. Align with your manager on short term and long term goals. For the first six months at least schedule regular one-on-ones with your manager. Work on 90 day and 180 day plans and track progress. Build a strong relationship with your manager, before you join if possible. Ask, ask and ask. No question is a bad question when you need to understand what is expected of you. Get regular feedback on your plan and make changes if needed.

3. KNOW YOUR TEAM
When you are the new manager of an existing team in a new organisation much can go south. Be considerate, because they have gone through a change of manager, and some of them may have worked with your predecessor for several years.

So, be ready for cold shoulders, non-cooperation and even emotional outbursts. Be empathetic and kind. Schedule one-on-one meetings to understand everyone in the team, their core strengths and aspirations. This will enable you to better analyse the team’s composition and its individual members. You will also gain a sense of risk factors such as potential resignations.

4. A LOT CAN BE BETTER, BUT NOT FROM DAY ONE
You come to your new organisation with vast experience and a rich background. This means you have a lot to offer your new organisation. Your manager may have told you “Hey, I am looking to you to bring much-needed change here.” Remember number one above “Something is working…” You need to embrace your new environment and be part of it before you propose changes. Making changes will be much harder if you question small parts of a system that is working. You will be perceived as a ‘newly hired outsider’ who is still suffering a hangover from your former organisation. However, do not lose your ‘newness’ in this process. Keep your ideas fresh and take them out when you are reasonably good with actions one, two and three. This was the most difficult part of my change. While I succeeded in making many of the changes I wanted, I am still working through a list of things I want to change.

5. THINGS ARE NOT WORKING AS YOU EXPECTED. BE PATIENT
At times, certain decisions may not produce the outcomes you expect or environments may not function as you expect. You need to give yourself time to embrace the change and give your new organisation time to embrace you. Consider your career as a marathon, not a sprint. Ask these questions, and take these steps, before you take a call:
a. Am I able to meet my 90 and 180 day goals and objectives?
b. If not, are some things working? Am I in a position to meet the remaining goals and objectives in 270 days?
c. If not, have an open conversation with your leadership. Consider options for role change or for the support needed to make things work.
d. If the answer to question a is yes, evaluate your ability to meet your role-specific objectives and business imperatives. If you believe these to be achievable you are right to continue.
e. If none of options a, c and d are working, move on. Some things work and some things do not. There is something to learn from every opportunity. Just move on to a better place.

Above all, the most important skill you need when you aspire to be heard in a new environment is to be equally ready to hear. You will pick up something useful from every conversation. So, before you take the leap, work on your listening skills.

www.linkedin.com/in/lekshmi-nair-1299548
JEMMA LAWRENCE
WOMEN IN CYBER SECURITY FROM A RECRUITERS PERSPECTIVE by Jemma Lawrence, Recruitment Consultant at CyberSec People

As a woman who has worked in recruitment for a number of years it is great to see a genuine desire for diversity and a huge demand for women in cybersecurity. It is awesome to see new women coming into the industry. It means we will see many more women in leadership positions in a few years. These women are being inspired to fulfil their untapped potential and they inspire others to embark on their career journeys.

I am fortunate to work for CyberSec People, the most engaged recruitment company in the cybersecurity industry. One of the great things about CyberSec People is that we attend most infosec events nationally, giving us great exposure. This means clients and candidates reach out to us for industry information and advice. Through these interactions I know our clients are committed to diversity and to attracting and promoting women in the cybersecurity industry.

However, I notice women still undervalue themselves, not only in cybersecurity but in most industries. Women are reluctant to apply for positions unless they meet all the criteria listed in the job description. On the other hand, men will typically throw their hat in the ring regardless of how many of the selection criteria they meet. This is a phenomenon that disadvantages women because they are less likely to apply for more senior roles (referred to as ‘stretch roles’ by LinkedIn).

However, the world has had to adjust post-Covid and companies are hiring outside their usual scope. Simply ticking off a laundry list of experience and qualifications is no longer sufficient. It does not take into consideration transferable skills: abilities candidates have learned throughout life that are useful in a new job.

As a recruiter for governance, risk and compliance specialists I speak to women in the industry daily who are passive job seekers, and typically would not consider applying for a role more senior than their current role.

It is extremely rewarding to help anyone into a new position, but especially to help women who may not have considered applying for a higher paying and/or a more senior position that offers career progression. I often see women underestimating what they can earn in the industry and undervaluing their experience compared to their male counterparts. I recently helped a female principal security advisor secure a salary package $20K above her expectation, which was extremely rewarding.

A study by TechBrain, an IT support services group in Perth, looked at the wording used in job advertisements. It found adverts for higher-paying jobs were more likely to use masculine words while those for lower-paid positions used more feminine language such as ‘committed’, ‘responsible’ and ‘collaborate’. By recognising such gender-biased wording women can overlook it and apply for higher paying opportunities.

It is important employers and recruiters acknowledge that gender biased wording does determine who will apply for a position, and use gender-neutral language or gender-inclusive language that avoids bias.

My advice to women when applying for jobs is to focus on these three things:

• the responsibilities of the role;
• the company you will be working for;
• the team you will be working with.

If those three things match what you are looking for, apply for the job.

“You’ll miss 100 percent of the shots you don’t take.” So, take the shot!

Let us have a look at the percentages of women who have taken the shot. According to the latest analysis of the cybersecurity profession, women make up around 24 percent of the workforce worldwide. This figure is by no means as high as we would like, but it is heading in the right direction: a few years ago it was roughly 20 percent.

Cybersecurity is a growing field of study and employment, offering amazing career pathways. There are many opportunities to build an exciting and solid career in a wide range of roles.

Whatever a girl’s talent, there will be a good fit for her in the security industry. Whether she is good at maths, or creative, whether she prefers talking to people or writing, there is a place for her.

A diverse workforce brings massive benefits to society in general, and it is inspiring to see the cybersecurity sector embrace the need to encourage, promote and support women throughout their careers.

I would love to be able to help more women into the industry, there is a genuine desire for you, and I hope you can see your value and be confident in your abilities.

As a cybersecurity recruiter, I see my role as being more than simply matching vacancies with candidates. I also see my role as being to reduce risks to our clients (and, by extension, the public) through sourcing the best skills to protect us from the sophisticated cyber threats we see every day.

www.linkedin.com/in/jemmagrc
VANNESSA MCCAMLEY
REFLECT ON YOUR THINKING AND THE BEHAVIOURS YOU NEED TO REACH YOUR VISION by Vannessa McCamley, Leadership and Performance Consultant, Coach, Facilitator, Author and Keynote Speaker

How often do you reflect on your thinking and behaviours to fulfil your purpose?

Often, we are so busy we do not devote time to reflecting on the thinking and behaviours required to achieve our WHY, our purpose. Over time some of the behaviours that have helped you be successful may no longer serve your purpose. Your purpose may have changed as you have grown and developed. Regularly dedicating time to reflect is one of the most effective strategies for creating a compelling vision of the life you want, and realising that vision. The best way to look at the concept of a life vision is as a compass to help guide you to take the actions and make the decisions that will propel you toward your best career and life.

HINDSIGHT CAN BE A WONDERFUL GIFT
Reflection on key learnings is GOLD. Through reflection we can use the key learnings from past experiences to explore options in our current environment/situation and choose those most likely to help us achieve success. We often code memories as good and bad, wanting to move towards the good and away from the bad. A common example is a workplace brainstorming session where someone produces an idea and someone else says “I’ve tried that and it doesn’t work.” How often have you experienced this?

In this situation I often ask insightful questions like:
• Knowing what did not work, what would you do differently to set up for success?
• What options could be explored to gain a different perspective and outcome?

To become clear on your vision / purpose, what you want to achieve and what this looks like, reflect on the learnings from these questions without bias.

WHY YOU NEED A VISION
One of my favourite quotes, adapted from Lewis Carroll’s Alice in Wonderland, is: “If you don’t know where you are going, how will you know when you get there?” With a clear vision you are likely to achieve far more than you would without one. Think of crafting your life vision as mapping a path to your personal and professional dreams. Life satisfaction and personal happiness are within reach. If you do not develop your vision other people, the environment and circumstances will direct the course of your life. Clients have asked for my help because they no longer want to go with the flow; they want to create the path that adds the most value to their lives. Here are the steps I recommend. The first step is the creation of a vision board.

WHAT IS A VISION BOARD?
Your vision board is a unique visualisation tool that creates a space in which to define your goals. Think of it as a map of your future that will inspire you and act as a guide to your day-to-day behaviour, steering you towards the future you desire. Use this to create your desired career, relationship, income level or anything important to you.

STEPS TO CREATE YOUR VISION BOARD
1. Define your purpose and goals along with your top three to five values.
2. Identify the actions you need to take to achieve your goals. Use photographs, images from the web, whatever inspires you.
3. Make a collage of all these images on a bulletin board, wall or piece of paper you can laminate or put into a binder. Feel free to get creative! Consider including a picture of yourself in a happy state. What would this look like? What would it feel like?
4. Tip: to avoid attracting chaos into your life, be careful not to create a cluttered or chaotic board. Simplicity is best.
5. Add motivational ‘affirmation words’ and inspiring quotes that represent how you want to FEEL. Choose words like ‘courage,’ ‘brave,’ ‘free,’ ‘creative freedom,’ ‘belonging,’ or ‘orchestrator.’

Take a few moments to review your vision board every day, especially when you wake up and before you go to bed. You can use it while doing yoga, meditating, making plans or relaxing.

[Figure: Vannessa’s Vision Board. My ‘WHY’ improves the lives, productivity and performance of individuals, teams and organisations while impacting their health and well-being positively. Board elements: Your GOAL; Positive Feedback; Success Milestones in 30, 60, 90 days; Values; Plan/reflect (when you do your best thinking); Mitigating Risks; Passions; Aspirations; Self-care; Healthy Fuel Required; Mantras (I am the conductor of my destiny); Social Connection.]

OUR BRAIN NATURALLY SEEKS CERTAINTY AND PREDICTABILITY
If you can prime your brain to overcome obstacles and create a vision based on these learnings you will save time and effort when making decisions about your career and life direction and looking after your health and well-being.

ABOUT VANNESSA MCCAMLEY
Vannessa McCamley is a leadership and performance expert specialising in neuroscience practices that help individuals and businesses grow in meaningful ways whilst delivering measurable results in healthy ways. She has a passion for helping people and businesses to overcome obstacles and enabling them to reach their strategic goals. She brings a strong background in IT security and more than 20 years of business experience to collaborating with individuals at all levels and from several industries. She is the author of Rewire for Success – an easy guide to using neuroscience to improve choices for work, life and wellbeing.
linksuccess.com.au/rewire-for-success
www.linkedin.com/in/vannessa-mccamley
linksuccess.com.au/contact-us
AS BURNOUT TAKES ITS TOLL, REMEMBER TO PUT THE U BACK INTO CYBERSECURITY by David Braue
Cybersecurity overhauls will drive new technology investments in 2023 – but don’t forget your people.
After spending two years dealing with the implications of the dramatic shift to remote work, cybersecurity specialists have cast their nets much wider as they work to rebuild security infrastructure around new concepts such as zero trust, open security, and new approaches to managing security risk that are more actively aligned with companies’ operational needs.

“The whole system needs an innovation approach that is sustainable over time,” said Chris Hockings, chief technology officer with IBM, in spelling out those three priorities during the recent Gartner Security & Risk Management 2022 conference, “because we’re just not going to be able to do this thing the way that we did before.”

Investments in these areas – which also include issues such as cloud security and API security, the major cause of the recent breach of Australia’s second-largest telecommunications carrier, Optus – will dominate security spending in 2023 as entities at every level overhaul their cybersecurity strategies.

This includes, among other things, a Budget commitment by the US Government to ramp up cybersecurity spending in line with a “bold new course to overhaul the Government’s approach to securing Federal IT” – and a $US10.9 billion cybersecurity budget will accelerate the CISA’s new 2023-2025 Strategic Plan and a transition to a multi-year zero-trust strategy by the end of fiscal 2024.

Other countries are following suit, with the global National Cyber Security Index (NCSI) highlighting the ongoing deficiencies in many countries’ cybersecurity postures – whose transitions to zero-trust security, across enterprise systems, remote employees and cloud architectures, are set to underscore most cybersecurity investment during 2023.

Yet even as governments and businesses pour tens of billions into improving security technology, grandiose missives riffing about the importance of data protection say little about investing in strategies to support and nurture the people responsible for running those systems.

Although it rolls out well-worn tropes such as building a “diverse workforce, representative of the population they serve”, for example, the US Budget outline follows the very common script that sees people only as vessels into which cybersecurity skills must be poured: “a strong cadre of cybersecurity and IT professionals will allow the Government to run more efficiently and effectively,” the outline notes.

NOT WHAT IT CRACKED UP TO BE
Investment in developing skilled cybersecurity professionals is both necessary and important – but what happens when those cybersecurity and IT professionals, chastened by the realities of what can be an immensely stressful, difficult and ultimately overwhelming job, throw up their arms and walk away?

It happened recently to Lily Clark, a former client success representative who moved into a role as an offensive security consultant with Pittsburgh-based Echelon Risk + Cyber in September 2021 – and walked away from the small firm a year later after the pressures of the job compromised her well-being more than she could bear.

“Feeling like a failure that I couldn’t cut it,” she bravely tweeted, calling the decision to quit “a point of shame and a bit of sadness”.

Online colleagues were having none of her self-blame, with one fellow cybersecurity worker noting that “working in this field can be overwhelming while being underappreciated, and it never stops. Every time my phone vibrates I think ‘oh another [incident response] is coming’; it wears on you.”

“You didn’t fail just because one specific job at one specific employer was too much for you,” said another, “and in a way, your employer failed you.”

Such experiences are rife in cybersecurity, particularly as the stresses of COVID-era isolation were compounded by the increasing pressure to protect companies that were being attacked more than ever before – and the emotional alienation that festers within cybersecurity teams that are often comprised of isolated individuals spread out across large distances.

This is what the cybersecurity industry looks like on the other side of the fence – the consequences of increasingly urgent recruitment that is focused on the input side of the pipeline, but often leaves security workers feeling overused and unsupported.

Stress and burnout were by far the two most significant personal risks named by CISOs in the recent Heidrick & Struggles 2022 Global CISO Survey, in which 60% and 53% of North American CISOs, respectively, said that those issues were the biggest risks relating to their role.

Interestingly, CISOs in European (35%) and Asia-Pacific (33%) companies were much less likely to report burnout than their North American peers – suggesting that companies in the latter market are either far busier than elsewhere, or proving to be particularly poor at managing the stress caused by fighting to keep up.

Other stressors named by respondents highlighted just how broad a range of stressful experiences cybersecurity is causing for the people who work in the industry: a third of Asia-Pacific CISOs, for example, said they feared losing their job after a breach and worried about being held personally financially liable for a breach – compared with just 16% and 11% of European respondents, respectively.

Throw in concerns about higher than usual turnover due to the “dynamic hiring market”, feeling underpaid, worrying that they can’t keep up with rapidly evolving threats, and concerns that their organisation doesn’t see the necessity of cybersecurity protocols – and it’s clear the realities of the CISO job continue to challenge even the most enthusiastic, well-trained candidates.

“The importance of the role of the CISO continues to grow as digital technologies become even more prevalent,” the report’s authors noted. “There is burnout and stress associated with this role, which should lead organisations to consider succession plans and/or retention strategies so that CISOs don’t make unnecessary exits.”

TECHNOLOGY FOR THE PEOPLE
Given the eye-watering salaries that many companies are paying employees with well-developed cybersecurity skills, executives may find it hard to believe that employee well-being is causing even well-paid CISOs to walk away from their jobs. But it’s happening – and when it does, it can bring even the most well-designed change program to its knees.

Indeed, fully 73% of respondents to Splunk’s recent State of Security 2022 report said they knew a colleague who had quit their security jobs due to burnout – with 78% saying that remote workers are harder to secure, and 65% had seen an uptick in attacks during the pandemic.

Even the best technology isn’t worth much without the people needed to use it and apply it to their business requirements. Given the technological change that is already ramping up and will dominate the market during 2023, it is therefore crucial that executives focus not only on investing in security technologies, but on employee well-being initiatives to ensure that cybersecurity staff feel well-supported and capable of managing their workloads.

“When we talk about diversity, equity, and inclusion, it’s not just about finding the diversity and [hiring] people who don’t look like you,” said Elizabeth Wilson, director of talent and diversity & inclusion with global security peak body ISACA.

“It’s about bringing them into the fold, and helping them feel good about being in your place of business. And sometimes we do the great work of finding the people, but then we don’t know how to include them.”

This can be harder than it seems, particularly in security jobs that often see workers engaging with screens more than the people around them.

“We go back into our little holes and back into our working environments,” Wilson said, “and we don’t have that opportunity to engage with people – but it’s important to take the time to find what’s going on around the world in different communities, and supporting one another.”

Security automation technology – which evolved as a way of coping with the explosion of operational data caused by the adoption of tools such as SIEM (security information and event management) systems – has emerged this year as a key way of reducing the human toll of cybersecurity.

By streamlining the detection of security anomalies and using AI to whittle down floods of data into what is hoped to be a manageable stream, automation has become table stakes for a contemporary security architecture – and with so much funding going towards transitioning security architectures into the world of zero trust, it’s important that executives fund automation initiatives during 2023 with the same enthusiasm that they embrace other security technologies.

“We all know that cybersecurity continues to be one of the most demanding professions in the world,” Gartner senior director analyst Richard Addiscott noted at the firm’s recent Security & Risk Management Summit, where he exhorted attendees to build security strategies for 2023 that accommodate shifting societal and regulatory expectations.

“Focus on your people to foster more secure behaviour,” he said, “and adapt to increasingly distributed cybersecurity risk decision making. We need to pause – even if it’s only for a minute – and we need to look up, and look out, to reframe current thinking and simplify.”
SIMON CARABETTA
PEOPLE CULTURE BUILDS RESILIENCE by Simon Carabetta, Business Operations Manager at ES2
The one thing that has remained consistent in my various roles since I made my career transition from high school classroom teacher to cybersecurity is the terminologies people use when describing… well, people: ‘resource’, ‘FTE’, ‘talent’. The list goes on.

Granted, in education we use the term ‘student’ as a collective noun for the hundreds of different young people we interact with daily, but a (good) teacher always sees their class as a group of individuals, not simply a list of names on a report sheet. In the corporate world I have noticed a worrying trend: we are using dehumanising words when referring to humans.

In cybersecurity circles we speak often about an organisation’s cyber resilience, its cyber posture, its cyber plan. We use personification terms more when talking about companies than when talking about the people who work for them, which brings me back to resilience.

IT IS TIME WE STARTED TALKING MORE ABOUT THE RESILIENCE OF PEOPLE WORKING IN SECURITY
One thing I loathe is people being treated as assets. I come from an education background and I was raised to see people as people, so I hold that view very strongly. Extremely effective mental health campaigns such as R U OK? Day have extensive reach and very good intentions. However, something is clearly wrong when organisations that encourage their employees to wear yellow once a year, eat cupcakes and distribute mental health flyers also use dehumanising terms to refer to those same employees, and fail to implement real change to support mental health in the workplace.

When massive data breaches make the news it is the security teams that bear the brunt of corporate and media attacks. Questions are asked, investigations probe team members and heads roll. The question I have is: what is happening at the corporate level to support these workers?

Beyond cyber incidents, when it is business as usual, the night-shift security operations analyst is surely hurting if they have not spent time with their family for nearly a week because of the work schedule. The CISO who has pulled consecutive 12 hour shifts to get their cybersecurity program endorsed and off the ground is surely hurting. And the student with no job prospects on the horizon who has had to give up two part-time jobs to take on an unpaid internship so they can graduate is surely hurting.

These are just three examples, but it is quite clear: there are many different ways individuals in our sector are impacted every day. We talk about burnout and fatigue, and it is evident when speaking with security workers at out-of-hours functions just how exhausted they really are.

The attacks are coming thick and fast yet no one is giving any thought to the frontline defenders working tirelessly and around the clock to respond to incidents. The recent Optus breach has been covered relentlessly by the press yet no one has thought to question the wellbeing of a security team that must surely be hurting right now. This must change.

I know the media will never, ever make the mental wellbeing of security workers their focus when a cyber attack occurs. However, I would like to see some mention of how much effort and hard work so many security professionals put in day in and day out to protect a company which, let’s face it, sees them only as ‘assets’: replaceable, easy to discard, and an expense.

Of course, I do not speak for all organisations and businesses. There are some very good cybersecurity companies and non-security organisations that treat their people very well. They implement mental health programs and look after the wellbeing of personnel across their businesses. However, should this not be the norm rather than being simply labelled ‘progress’?

Why can we not build the resilience of our security people the same way we want to build cyber resilience into organisations? This should be the number one priority for businesses when they are putting together a security team. They need clear and agile thinkers, people who are on the ball and can act swiftly in a crisis. They need people who will use logic but can also think outside the box when they have to. Those traits are most apparent when someone is of sound mind and feeling well.

This may seem cynical. You may be thinking right now, “But Simon, isn’t the company just treating them well so their assets are working at their optimum level?” And yes, you are right, it is cynical. That is why organisations need to adopt a people culture.

If you have read some of my previous articles for this magazine you may see I have quite an interest in language and culture. An article earlier this year spoke about how language is used as a weapon in the security industry. Language can also be a tool to bring about positive change. The culture will turn around when a new term for employees is developed: people.

That is the only word you need. You do not need to go too far and call yourself a family. I loathe that, and it is a big red flag for almost any organisation. People: the people you work with; the people you hire; the people you report to and the people you help to lead; the people in your team and the people you contract to; the people who acquire your services and the people you make game-changing deals with.

We work with people. After all, cybersecurity is a people-driven industry. It is people who carry out the attacks. It is people who do their best to defend and respond to those attacks. We need to use that word much, much more each day in the office, while working from home, even having a coffee with workmates down the road.

We are security people. Only when we finally adopt more human-centric corporate cultures across Australia will we see an increase in wellbeing. I will go one step further and claim that organisations with a more positive focus on their people and the mental health of their people will have more cyber resilience. I challenge anyone in the security sector to find this not to be the case.
www.linkedin.com/in/simoncarabetta
Source2Create Spotlight
Events
Finding the right way to reach and approach your audience is key to success, that’s why we’re shining a light on our events. Our event services are readily available and used to deliver seamless experiences for both you and your audience. Our ‘Events-As-A-Service’ module allows you to break your event into modules and hand across the work you simply don’t have time to coordinate, or simply just want off your plate. S2C can do it all. We invest the time and energy into developing this strategy and plan, driven by data-based assumptions, to make your event a success. What are you waiting for?
REACH OUT TODAY
charlie@source2create.com.au
aby@source2create.com.au
misty@source2create.com.au
2023 AUSTRALIAN WOMEN IN SECURITY AWARDS: 12TH OCTOBER
Don’t Miss Out
JOB BOARD

SENIOR SECURITY ANALYST | CULTURE AMP
MELBOURNE, VICTORIA, AUSTRALIA | HYBRID | MID-SENIOR LEVEL | FULL TIME | GREAT BENEFITS | DIVERSE AND INCLUSIVE ENVIRONMENT

ABOUT THE JOB
Culture Amp is looking for an experienced Senior Security Analyst to join a growing security operations function and participate in event and incident management, and vulnerability management activities. You will have experience investigating cybersecurity events, supporting incident response activities, and conducting threat hunting exercises.

The Senior Security Analyst will play a major role in Culture Amp’s cybersecurity detection and response capability and will collaborate with other security operations team members to ensure that processes, tools, and documentation are appropriate. This role is a great opportunity to contribute to the security of the Culture Amp platform while working with talented engineers in a cloud-centric security environment with some of the latest technologies.

WHAT YOU’LL BRING TO CULTURE AMP
• Experience investigating security incidents and events using SIEM (Splunk preferred)
• In-depth technical knowledge of operating systems, networking, and cloud platforms
• Experience with playbook development
• Experience performing threat hunting and leveraging threat intelligence to guide investigations
• Experience participating in cybersecurity tabletop exercises
COMMUNICATIONS AND CAMPAIGN SPECIALIST, SECURITY AWARENESS | IAG
AUSTRALIA - NATIONWIDE | PERMANENT OPPORTUNITY | FLEXIBLE WORK AND LEAVE OPTIONS

THE ROLE
Protect IAG’s digital and information assets by increasing the awareness and education of our staff, partners and customers. You will be responsible for clearly and effectively explaining complex security concepts and promoting the secure behaviours necessary for protecting our customer information, systems, assets and people. The position requires the research, analysis and writing of security content for all security education and awareness activities, programs, and campaigns. As a key member of the team, you will ensure an easy-to-understand readability level and tone of voice is maintained across all security communications. This role is also the custodian of the security website, ensuring all content is current and accurate. You will measure and report on success of the security campaigns and communications through channels, such as Security Website, The Vine, Our Place, Yammer.

This role is in one of the critical teams in Cyber and Protective Services. It is to be part of an elite group that is in huge demand across Australia. A major sophisticated cyberattack against IAG could have a catastrophic impact on the business, and this team is one of the main lines of defence against such an attack.

READY FOR ANYTHING? LET’S TALK.
• Start your career journey with us and click ‘Apply’! Applications close on Monday 31st October 2022
ACCOUNT EXECUTIVE – CYBERSECURITY | NOVUM GLOBAL
SYDNEY, NSW | HYBRID

Recently graduated from university with excellent grades + have 1 year of sales/call centre experience? Do you want to work for a leading Cybersecurity software company to drive security and protection for mid-sized Australian enterprises?

Successful applicants will have the following:
• Degree with a credit average
• Outbound sales or customer service experience gained from a call centre or sales
• Great communication skills and bubbly personality

Our client offers a great career opportunity, mentoring, training, and the ability to earn significant remuneration. Interested? Contact us and send your CV to us today. (Australian Permanent Residents/Citizens only to apply)
CYBERSECURITY AWARENESS & EDUCATION LEAD, DELOITTE GLOBAL TECHNOLOGY (DT-GLOBAL CYBERSECURITY) | DELOITTE
TORONTO, ON | WINNIPEG, MB | CALGARY, AB | EDMONTON, AB | OTTAWA, ON | QUEBEC CITY, QC | FULL TIME

WHAT WILL YOUR TYPICAL DAY LOOK LIKE?
In this position, you will write, design, and implement cybersecurity awareness strategies and materials for our internal audiences. Together, we’ll create communications that inform, connect, and engage our complex global community to ensure that we’re cultivating a strong culture focused on protecting and securing our broader organization. You will provide communications expertise and deliverables to the cybersecurity organization. This may include the following activities:
• Work with Global Cyber Culture program team to craft cybersecurity awareness and education plans that drive secure cybersecurity behavioral results.
• Plan, research, and create high-quality cybersecurity awareness communications deliverables including:
  • Articles
  • Compelling images/infographics
  • Web content
  • Training
  • Presentations
  • Leadership talking points
  • Videos
  • Emails
• Design, support development, and implement cybersecurity educational experiences (e.g., micro-trainings, cyber quizzes)

THE NEXT STEP IS YOURS
Sound like The One Firm. For You?
We encourage you to connect with us at accessiblecareers@deloitte.ca if you require an accommodation for the recruitment process (including alternate formats of materials, accessible meeting rooms or other accommodations). We’d love to hear from you!
HEAD OF INFORMATION SECURITY | TAB NZ
AUCKLAND, NEW ZEALAND | HYBRID | FULL TIME | GREAT BENEFITS

Information Security is paramount to any leading Digital organisation and a core capability to safeguard the confidentiality, integrity and availability of TAB’s Digital assets. As Head of Information Security, you will be joining our senior leadership team and leading our Information Security Centre of Excellence. You will be responsible for establishing and maintaining the enterprise vision, strategy and supporting initiatives to ensure the protection of TAB’s Digital information assets and technologies. You will also identify best practices in security and risk management and facilitate compliance within NZ and international standards as appropriate.

WHY CHOOSE THIS ROLE?
• Love the team – We are a passionate bunch that love pushing the boundaries and are proud of what we deliver. We need you to support, motivate and guide them to perform at their highest level
• Make a Difference – The TAB gives back millions each year to racing and sport – so come and be part of this NZ icon! Take on the big boys in Sports Entertainment.
• Collaboration – Work closely with all stakeholders across the business and drive awareness, education and adoption of Information Security governance, policies, standards and procedures.
• Live life your Way – The TAB has offices across the country. This role will sit in either Auckland or at Head Office in Petone, Wellington with travel to either location on a regular basis. Everyone is in the office on Mondays and Tuesdays but on other days you can juggle with working from home so it is a true Hybrid working space.
• For more information about the role - stalk us on LinkedIn, nosey around our website and check out the Position Description attached.

Apply now, shortlisting and interviews will be held as applications come in. We can’t wait to hear from you!
CYBER SECURITY SPECIALIST | VODAFONE NZ
AUCKLAND, WELLINGTON | FULL TIME | REMOTE HYBRID | GREAT BENEFITS

YOUR ROLE
This is a customer-facing role accountable for operational security activities across a portfolio of enterprise and government customers.

You’ll act as a lead to provide overall security support and direction to your customers, transposing technical requirements and issues into business outcomes. This includes the design, implementation, and ongoing operations of customer-facing security platforms and services for the assigned customer(s), as well as providing C-level discussion and support to the customers and their teams holding responsibilities for the design and architecture of security products and services. The successful candidate will show a true customer obsession and a drive to deliver results.

• Experience in leading a small technical team.
• Proven, commercial experience working with customers.
• Experience in designing and supporting Information Security platforms in complex customer environments including Public and Hybrid Cloud deployments.
• Experience in the operation, build, and design of the following vendors’ security products and services: AWS, Microsoft Azure, Check Point, F5, Fortinet, Cisco, and Palo Alto.

Joining the Vodafone whānau will stretch you, challenge you and provide opportunities you’ve been seeking to expand your career. You’ll engage in unique workplace experiences, be exposed to exciting and innovative technology, and gain opportunities for learning beyond Aotearoa.
INFORMATION SECURITY SPECIALIST | LUFTHANSA INTOUCH
CAPE TOWN, WESTERN CAPE, SOUTH AFRICA | FULL TIME | GREAT BENEFITS

The Information Security Specialist works with the Information Security Manager/Local IT Team Leaders to ensure security-related services are functional on sites conducting regular internal compliance checks to ensure compliance with PCI requirements.

• Projects achieve/maintain PCI DSS compliant/maintain enforce IT/Security
• Maintain information security standards/procedures in compliance with information security/risk management policies standards/guidelines
• IT standards/processes compliant
• Maintenance/support security controls/user profiles of the functional teams
• Participate in security processes/application assessments/product certification/connectivity to intranet and internet
• Report-defined IT/Business privacy/security metrics
• Business continuity planning/testing/implement/disaster recovery planning/provide security/availability/integrity/confidentiality
• Contingency/continuity information technology services compliant with policy/regulatory requirements
• Perform vulnerability scans/highlight results/generate reports/remedial action where deviations identified
• Monitor/coordinate audit trail/management/review/Patch/Anti-Virus updates/local FWs/IPS Systems
• Tertiary Qualification/equivalent with working experience
• Min 2 yrs of experience in a similar role in a global company
• Worked in a process-driven environment with enterprise-grade edge security devices and NGFWs/distributed Patch management systems, managing engine
• IT Enterprise Architecture
DO YOU WANT YOUR COMPANY'S JOB LISTED IN THE NEXT ISSUE? Contact us today to find out how we can boost your job listing and help you find the top talent in the security industry.
REACH OUT
aby@source2create.com.au
misty@source2create.com.au
KAREN STEPHENS
Karen is CEO and co-founder of BCyber, an agile, innovative group that works with SMEs to protect and grow their businesses by demystifying the technical and helping them to identify and address cybersecurity and governance risks. In 2021 Karen graduated from the Tech Ready Woman Academy’s Accelerator and the Cyber Leadership Institute’s CLP programs.

COLUMN
Keep calm and carry on

As I sit down to write this Australians find themselves knee deep in the Optus data breach.

It is all very good to say “keep calm and carry on” but the 9.8 million Australians who may have been affected (and some say the figure could be as high as 11 million) is a substantial portion of our population, which stands at around 25 million. So, I fear this message is perhaps not getting through to those who need it the most.

As always it is important to have good cyber hygiene at both a personal and a corporate level. So, while the mainstream media keeps on feeding the fire of fear and confusion, we need to keep our heads when all about us are losing theirs (with thanks to Mr Kipling) and focus on ensuring we get the basics right. Here are six basics to get you started on the cyber secure journey.

1. Assessment. You cannot protect what you are not aware of. You cannot educate those you do not understand. A good assessment includes both qualitative and technical quantitative components. And do not forget to include your website!
2. Good password hygiene. We saw how important this was during the recent RI Advice court case. While it may be tempting to use a password more than once, to share it (to keep software costs down) or even to choose one you can easily remember, don’t. You need passphrases or a complex password containing 16 alphabetic and non-alphabetic characters for everything: business, personal, the lot.
3. Build cyber knowledge into your DNA. Tick-the-box cyber training leads to complacency and a false sense of security. Training and education must be continuous, relevant and fun.
4. Patch everything, patch often, patch now. Do not make it easy for cybercriminals to exploit your business. Keep your patches up to date on all devices; business and personal.
5. Speak business not tech. Never assume your business contacts understand what you are saying. There are many interchangeable terms out there. ATO, is it Australian Tax Office or Account Takeover? Assets, do you want to invest in shares, property, fixed interest accounts or cash, or do you mean software and hardware? There are many more examples, but you get the gist.
6. Practice makes perfect. When you have a ransomware breach, that is not the time to discuss how to handle it. The better prepared you are, the better your business will handle the breach.

www.linkedin.com/in/karen-stephens-bcyber
www.bcyber.com.au
karen@bcyber.com.au
twitter.com/bcyber2
youtube.bcyber.com.au/2mux
INDUSTRY PERSPECTIVES
IN 2023, LOOK FOR WAYS TO CONSOLIDATE PROGRESS AROUND GENDER EQUITY
by David Braue
COVID pressured CISOs like never before – but it also created momentum and empowerment

After two years spent compensating for the security impact of the COVID-19 pandemic, CISOs were already in recovery mode before Russia’s invasion of Ukraine sent the global economy into a tailspin. And as the cyber attacks continued unfettered, it was clear early on that 2022 was not going to offer a reprieve for organisations that have cranked the transition to digital operations up to eleven.

Whereas they entered 2022 with myriad challenges and uncertainty to deal with, however, security and business executives around the world spent much of the year learning to manage these risks – and as they head into 2023, they are responding to ongoing challenges on the front foot.

“We are getting better at asset management and starting to build an enterprise architecture capability so we understand our [operating] state better and how it interconnects,” noted Gina Gill, chief digital innovation officer with the UK Ministry of Justice, who has been working with security teams to ensure the transformation integrates security at its core. “We’re putting some governance, and proportionate governance, around new technology.”

Although the ministry’s transformation has coalesced around a formal Digital Strategy 2025, executing on that plan has been burdened by the complexities of driving change through an expansive government body comprised of 13 different organisations – each with a different CEO, board, and governance – operating 80 different IT environments across 100 locations in the UK.
“Once you start digging and take a step back and look at it, it is more complicated than it needs to be,” Gill explained, telegraphing the major challenges that she will be helping the organisation tackle as its transformation rolls into 2023.

“We’ve got a big challenge in terms of legacy technology, and that limits our ability to respond to change. And I think that’s a common theme and a common problem.”

“It has taken a long time and experimentation,” she added, “to get to a point where we’ve got genuinely digital teams and operational teams and policy teams working together to implement policy in a way that can be easily implemented operationally and digitally. And it’s brilliant to see.”

GETTING BETTER ALL THE TIME
From one corner of the corporate world to another, women executives are demonstrating their management nous, grasping the nettle to lead extensive transformation efforts.

“I was asked to get an understanding of what the maturity level was, and how we could get it to where it needed to be so that it was appropriate, and everything would be aligned with our risk,” said Audrey Hansen, who began working as CISO with global industrial giant BlueScope in mid 2019 and embarked on a global program of work “to uplift our security maturity.”

That program has included extensive outreach, open engagement with stakeholders, and risk-based assessments to better understand the circumstances around the company’s 2020 ransomware compromise – which put Hansen’s team into overdrive as they engaged with outside specialists and worked to contain the impact of that event.

“The one thing that came out of it is that cybersecurity really is a business risk,” Hansen told a recent Gartner conference. “My language has always been about managing risk, understanding that risk, and mitigating it as well. You can go and say that security is risk and people listen, but it doesn’t completely drive home until something actually happens.”

In mid 2021, something did happen: Hansen’s cybersecurity team was officially rehomed into BlueScope’s corporate risk area, representing a significant mindset shift that is continuing to support her work around security as she continues to pivot into the new operating state of 2023.
[Figure. Source: World Economic Forum]

More than ever before, women are helping beat the drum of secure transformation – whether in leading digital transformation initiatives, managing their security, or executing other roles that might have seemed completely out of reach just a few years ago.

The good news: women now comprise 42.7% of senior and leadership roles worldwide, the World Economic Forum’s latest Global Gender Gap Index found, setting a high-water mark for gender parity that has seen the gender gap closing steadily across exemplar countries such as Iceland, Finland, Norway, New Zealand, and Sweden (Australia is actually moving backwards, according to some reports).

The bad news: technology remains one of the most stubbornly gender-inequal industries, with just 24% of leadership roles held by women in 2022 – although, on the bright side, the technology industry adjusted its gender imbalance more during 2021 and 2022 than any other industry.

“More women than ever are working in cybersecurity, from the entry level employees all the way up to the C-suites and the CEOs,” explained US National Security Agency CISO Peg Mitchell, who joined the agency after completing a degree in applied mathematics and now heads security in one of the world’s most secure organisations.

“We look up and look around, and we need to see reflections of ourselves,” she added. “It’s really important to bring different voices – whether it’s different skills, different backgrounds, or different views – to the problem. You learn from that diversity of experience because that’s how we get a richer answer.”

THE BRIGHT SIDE OF COVID
As the security industry heads into 2023, many women technology leaders feel the cause of equality has turned an important corner – and some are thanking the COVID-19 pandemic for creating the opportunity for this to happen.

“Flexible working arrangements, work-life integration, balance, and hybrid working are all playing out in favour of women,” said Annie Chong, Singapore-based
regional IT director with pharmaceutical giant MSD International and an active Women in IT Sponsor.

“We are able to balance our work and our life better, because these topics are no longer taboos. Women nowadays are more courageous, and they know what they want and what are their priorities – and they know how to exert their worth, and their rights, and their values.”

The support of value-driven companies, enabling colleagues and loving families have all played a role in this empowerment, Chong added: “this is not just us,” she said. “The whole ecosystem has to move and support us.”

This newfound confidence – which was fostered during 2022 and will be a key enabler of change during 2023 and beyond – helped Geetha Gopal, head of infrastructure projects delivery and digital transformation with Panasonic Asia Pacific, nurture a more confident and capable version of herself during the pandemic.

“During COVID, I saw myself as more empowered because I was able to juggle the multiple roles that women play,” she explained. “I do not have to take leave to be able to manage my personal situation; I can take two hours off, take care of my son, and be on escalation calls and manage my go-lives.”

Given the freedom to be unapologetically focused on work-life balance, Gopal said, women are in a stronger position than ever moving into 2023.

And while she admits not being an advocate of full-time working from home – she encourages staff to work in the office three days a week – she said that to stay competitive organisations will need to become real about diversity, equity and inclusion (DEI) and stay more flexible for the long term.

“If we want to promote DEI, and sustain more women in the workforce, we need to empower this kind of hybrid approach,” she said. “You need to be flexible not just by word, but by practices. Ensure that there are policies in place that are measurable and tangible; and that empower people on the working line, to ensure that it goes down all the way to the bottom and gets implemented.”

Such practices will be key to making 2023 the year when diversity and gender equality will persist as core values for companies around the world – and that, noted UOB first vice president for enterprise data governance Joyce Chua, should be a key goal for executives at every level and every industry.

“What we can do is to ensure that equality and inclusiveness and culture are the tone from the top,” she said, “and the culture of embracing anyone. in terms of like whether you are female or male, so long you do the job, you get your KPIs, you get your promotions, and so on.”

COVID’s disruption has created other issues, Gill points out, with women benefiting from an overall paucity of security and other technology skills that she attributes partly to a lack of foresight by the many companies that got strategically T-boned by the COVID pandemic.

“I’m still totally baffled why COVID was the driver for technology updates [and] why technology wasn’t a bigger thing in people’s minds before 2020,” she explained.

“Now we’ve got a marketplace that is just so competitive. There aren’t enough skill sets. There aren’t enough digital skills in our organisation and government, in the country, in the world. I know that sounds melodramatic, but it’s sadly true.”

Ultimately, however, “there is cause for optimism,” noted IBM Garage partner and ASEAN leader Charu Mahajan, noting that the industry is exiting 2022 with around one in four leadership positions filled by women.

“If we can move that to 30 per cent,” she said, “we will have made a pretty big impact.”
MARIA BEAMOND
LEONORA RISSE
AUSTRALIA’S CYBERSECURITY SECTOR: WHERE ARE THE WOMEN?
by Dr Maria Beamond, Lecturer in Management, RMIT University and Dr Leonora Risse, Senior Lecturer in Economics, RMIT University

At a time when Australia’s security sector is growing in importance it is suffering from a skill crisis: employers are having difficulty finding a sufficient number of suitably qualified people to fill available roles. Australia will need around 7000 additional practitioners in the security sector by 2024, according to AustCyber.

Moreover, the cybersecurity sector, and the security sector more broadly, suffer from a distinct lack of diversity, particularly from a low level of participation by women. Women’s under-representation could be the result of biases and barriers impeding their career opportunities and advancement in the sector. The growing awareness of the benefits diversity can bring to organisational performance, decision-making and responsiveness and to meeting the real-world challenges organisations face, leads to a realisation that the sector, as a whole, is not operating optimally.

These issues mean the factors contributing to women’s low representation within the cybersecurity sector need to be better understood.

Available estimates suggest women comprise somewhere between 11 percent and 24 percent of the cybersecurity workforce. However, there is no accurate measure of the gender composition of Australia’s security industry, nor a clear picture of the types of jobs women are undertaking and the skills they possess.

RMIT Centre for Cyber Security Research & Innovation (CCSRI) and the Australian Women in Security Network (AWSN) are partnering to undertake a research project to address this knowledge gap by providing new statistics on the gender composition of the security sector in Australia, including cybersecurity. These fresh insights will be drawn
from official labour market statistics collected by the Australian Bureau of Statistics and a tailored survey of members of the security sector workforce in Australia.

WHY SHOULD THE CYBERSECURITY SECTOR CARE ABOUT GENDER EQUALITY?
Available data suggests technology workers, such as cybersecurity professionals, are approached with a new job offer once a week and that some 45 percent of organisations are short of cybersecurity talent. There are signs this skills crisis is worsening, given discussion about the skills shortage in cybersecurity talent “has been going on for over ten years” and “there has been no significant progress toward a solution to this problem,” according to an ESG report.

This skills crisis has negatively impacted several organisations by increasing the workload of existing employees, leaving tasks unfilled and causing high burnout among employees. These problems make it imperative to attract new talent and diversify the composition of the cybersecurity workforce.

Inequitable opportunities and gender-based biases create barriers to greater diversity that are sometimes intangible. Our understanding of the influence of implicit biases and barriers imposed on women in many vocational and professional settings is growing. These barriers are often due to the persistence of traditional practices and gender-patterned stereotypes, according to a report in the Harvard Business Review. This research paper suggests one solution to the shortage of talent in the cybersecurity industry could lie in better understanding the reasons for the sector’s gender imbalance.

The research being undertaken by RMIT and AWSN will provide a deeper understanding of the barriers to, and enablers of, women’s careers in the security sector. The insights generated will help expand the sector’s talent pool and equip it for the growing challenges and demands it faces in the future.

While existing research suggests general ways to expand the sector’s talent pool there is little focus on gender inequalities and the factors that explain women’s low representation in the sector. This project will provide insights to better understand the factors that can either support or deter women from pursuing, and flourishing in, a career in the security sector.

Taking an industry-wide and economy-wide perspective, this research project will also investigate the ways in which the industry is failing to achieve optimal performance and fully meet the needs of its client base. If the cybersecurity industry is not operating with a gender balanced workforce, it is failing to attract, nurture and retain the full breadth of talent and skills available in the workforce and the capacity for innovation.

THE SOLUTION
Women’s under-representation in the security sector can be likened to a leaky pipeline, an analogy often applied to other industries experiencing gender imbalance.

Firstly, there is a need to attract women to the sector, a process that begins during their education when they are assessing their career choices. Those women joining the sector need support throughout their careers to help them progress. This entails understanding the factors causing women’s careers
to stagnate and lag those of their male peers or
the strategic interventions by key agencies and
causing them to drop out of the sector completely. If
stakeholders that can have influence.
women step out of the workforce to have children, or
• An exploration of the ways to create a
for other caring responsibilities, their re-entry into the
cybersecurity talent management system that
workforce needs to be supported.
will work for women. This entails identifying the elements of the cybersecurity talent management
Dropouts mean fewer women progress to senior
system that will most effectively and equitably
and leadership levels. This has repercussions for
attract, select and retain female talent. It will
workforce culture and the capacity of cybersecurity to
encompass planning, employee engagement,
attract the next generation of women.
learning and development, performance management, recruiting, onboarding, succession
This study will identify the factors contributing to this
and retention.
leaky pipeline and the policies and changes needed to foster the increased representation of women.
ABOUT THE AUTHORS This research project is being conducted by RMIT
THE RESEARCH
University Centre for Cyber Security Research and
Through data analysis and a survey of the security
Innovation in partnership with the Australian Women
workforce, this research project offers:
in Security Network (AWSN). It is being carried out as an independent academic research analysis
• A definitive understanding of the number of
and is not linked to any commercial interests. The
women working in security and the gender
research team comprises: Dr Leonora Risse, Dr Maria
composition of the sector, with a focus
Beamond, Dr Joanne Hall, Dr Lena Wang, Dr Banya
on cybersecurity.
Barua, Professor Matt Warren and Mr Laki Kondylas.
• And understanding of the distribution of women across security roles, with a focus on
Further information on this project can be found at
cybersecurity roles.
https://www.rmit.edu.au/news/ccsri/understanding-
• And understanding of how Australian women’s skills and capabilities can contribute to
gender-dimensions-project-survey. The study will be officially launched later this year.
overcoming the current and expected future professional skills shortage in the security industry. • An understanding of the enablers of and barriers to women’s participation in the security sector,
www.linkedin.com/in/maria-beamond-b8187325
www.linkedin.com/in/leonora-risse-92939091
and identification of the practical applications of this knowledge. This will require an understanding of the sector’s policies and institutional practices, of educational and training pathways and identification of
FATEMAH BEYDOUN
THE FUTURE OF DEVELOPER SECURITY MATURITY IS BRIGHT, AND THESE VERTICALS ARE LEADING THE CHARGE
by Fatemah Beydoun, Chief Customer Officer, Secure Code Warrior

An unspoken war is raging in most IT departments across the world, a David and Goliath battle between two critical teams: application security and developers. With conflicting priorities and relationships that are often extremely negative, it is no wonder some internal security cultures are on life support.

Okay, perhaps that was a little dramatic, but it reinforces my argument: we have got to do more to foster a positive security experience for developers. It is no longer good enough to exclude them from a comprehensive, defensive security strategy. With the cost of the average data breach swelling to $US4.35M in 2022, it is imperative we give cyber defence our best shot. That will mean taking an honest look at internal security maturity, and building it upon a strong foundation.

As an industry we have a long way to go to uplift developer security maturity. However, in my role, I am fortunate to work with many organisations leading the charge in helping developers become the security superheroes we need on the front lines. Generally, their overall internal security maturity is more advanced than the norm, and some verticals seem to achieve maturity faster than others. Let us explore why.

MODERN SECURITY MATURITY: WHICH VERTICALS DO IT BEST, AND WHAT SETS THEM APART?
There are multiple security maturity models, but across the board the adoption of security maturity basics like overall role-based awareness and relevant skills is somewhat hit-and-miss. However, I have found the financial sector to be ahead of the game in both security maturity and in its willingness to make developers part of the plan.
This is perhaps not surprising: financial organisations are subject to stringent security regulations in most countries and compliance rules like PCI-DSS demand continuous attention and adherence. Financial organisations achieve compliance by adopting modern security techniques despite many being constrained by legacy platforms and systems. Some of our clients still use COBOL, a programming language that originated in the 1950s. However, they ensure their COBOL developers have precision training in secure coding, and continuous exposure to the latest vulnerability mitigation strategies.

Another factor is the increased effort devoted to benchmarking current developer security skills and building upon these with structured programs that suit the security needs of the organisation. With the right guidance developers will gradually get onto the same page as the application security team and will see the role they can play in securing software and making security a priority.

NURTURING DEVELOPERS AND MAKING THEM PRINCIPAL CHARACTERS IN THE SECURITY STORY
Overall, it takes an organisation-wide effort to raise security awareness, ensure everyone is equipped with the right skills and knowledge to play the part their role requires and expand the security strategy well beyond automation and scanning tools to embrace people power.

Companies that make developers central to their defensive efforts reap the benefits of early vulnerability eradication and reduced pressure on the application security team, giving it the breathing space to work on the complex problems only its members can fix.

Such future-focused organisations follow a pattern for developer upskilling that often exhibits these three core elements.

• Reward and recognition. Developers have been disadvantaged insofar as the status quo dictates security not be their top priority when shipping code. Nor are most teams measured on their security prowess through their KPIs. Advanced security maturity turns this idea on its head and gets developers to share responsibility for security. This is a significant shift, and those who embrace secure coding should be recognised and rewarded for their efforts. Peer recognition is especially powerful and can lead to better career opportunities and leadership roles.
• Certification. Internal programs which structure tiered learning modules that are both job-relevant for developers and organisation-critical can give developers the opportunity to work towards recognised credentials that can elevate their status and show at a glance that the company is committed to the highest standards for everyone working on code. With the introduction of measures like the Biden Administration’s Executive Order around verified security skills for those involved in the software supply chain, the need for certification will grow.
• Cultivating a positive security culture. While it seems simple, fostering an organisation-wide security culture that embraces developers and maintains positivity is no cakewalk. Breaking down silos between application security and developers, focusing on software quality over speed, and making security more fun and less daunting should be prioritised. However, it really does ‘take a village’, and it takes endorsement from the CISO to set and uphold standards of security awareness and action.

Those companies that are truly at the forefront of developer security maturity go well beyond simply ‘ticking the box’ for compliance. Instead, they opt to invest in a transformational process for both individuals and the culture in which they operate. It is my hope that more verticals will follow their lead and help set a new standard for code-level security.

www.linkedin.com/in/fatemah-beydoun-b6555bb1
KAT LENNOX-STEELE
SHIFTING PERCEPTIONS OF IT AND CYBERSECURITY POLICIES: POLICY SHOULD NOT FILL YOU WITH DREAD
By Kat Lennox-Steele, Information Security Analyst and Co-Founder at Cyber Tribe and MVP

In conversations about policy you will often be met with groans, exclamations of boredom and sometimes apprehension. Writing and managing policies is seen as time consuming and requiring expertise. And it is expensive, so can easily get tossed into the too-hard basket when the day-to-day running of your business seems more important. This was my perception until I started working with companies to improve their compliance and realised the positive impact that well-structured policies could have.

Policy is viewed as one of those things you need to have to tick a compliance box and to make sure every new employee reads in their first week. Once they have been through their induction, it is unlikely they will ever see those policies again.

Traditionally policies have been seen as a mechanism to protect an organisation and are brought into bat when addressing poor employee behaviour or when they, regulations, or the law are breached. Often policies are long, verbose and full of technical or legal jargon making them difficult to consume, comprehend and retain.

After many years of conducting cybersecurity assessments in various roles our team found cybersecurity and IT policies were, for most companies, often a shortcut to achieving compliance. But why is policy so underrated and underutilised?

People are at the centre of our businesses, clubs and communities with technology as another layer or enabler. Policy at its core is about people. If we change our perspective, policies represent a tool that can be used to help, not just to enforce rules and dish out punishment.

Changing people’s perceptions of policy might seem like a hard sell, but when used correctly policies can foster a culture of commitment, personal responsibility and self-regulation by clearly communicating boundaries, expectations and accountability within your team. Good policies also let your team know where to turn to for help.

Policies are the top tier of the cake, and the supporting layers are standards and procedures, the ‘how to’ detailed, directive guides. Using these tools together brings uniformity to operations, and they can be used as training tools, reducing the risk of an unwanted event. Effective policy creates a business environment that is efficient, fair and responsive: one that encourages justified decision making and promotes good business and cybersecurity practices.

Once you have policies in place you can then easily align your information and cybersecurity strategy to the aims and core principles of those policies and use them to guide the creation of a roadmap for the implementation of controls to meet the needs of your organisation.

Initiating change will always be tough. When attempting to introduce policy to an organisation or alter existing policies, there are a few key considerations to ensure success. Not everyone in your organisation will need to be across every single policy, and I recommend allocating policies according to roles, personas or location. Look at the culture in your teams when creating your plan for rollout and decide on the best vehicle to tackle it. This might be a team meeting, a newsletter or a competition between departments or teams. It could also be important to choose an appropriate time: an accounting firm would be unlikely to appreciate a policy rollout at the end of the financial year.

A policy should address a real need in your organisation. Helping everyone to understand some of the benefits it will bring can help ensure better uptake and commitment to the desired ways of working. Buy-in from those at the top will also help the messaging filter down through your ranks. Requesting feedback, having an open forum or providing a point of contact for anyone to ask questions can also keep your team engaged and supporting the idea that policies are a tool, not a one-time thing. Feedback also provides visibility of support and keeps everyone in the loop.

The company I founded, Cyber Tribe, aims to help lift the cyber posture of all organisations through easily accessible policy, management tools and user awareness training.

With my newfound passion for helping people with policy, I created a set of policies aligned with best practice and leading industry standards that would close the identified gaps. One of my main goals was to compose policies that would be concise and easily understood by the reader without loss of the critical messaging. We have developed a SaaS policy management solution, Impetus, to democratise access to these policies for organisations of all shapes and sizes.

One of the biggest pain points for organisations I have worked with has been the storage and management of their policies and the recording of who has read and acknowledged them. Impetus acts as a repository to keep all policies in one place. Once users have been granted access, they can view the documentation at any time. This allows people to use policies as living, breathing tools that can, with some quick editing, easily evolve whenever changes occur. Each user is also required to digitally accept the policies, providing a record for auditing purposes. Additionally, Impetus will also notify the policy owner when it is time to review and renew a policy, enabling compliance to be maintained.

Policy control is one of the essential controls we need to normalise and use better in our businesses. Using policies as tools to support and empower people while fostering an improved cybersecurity awareness culture can only be a good thing.

www.linkedin.com/in/klennox-steele
www.cybertribe.co.nz
www.minimumviableprotection.com
www.capacitategroup.com
JANA DEKANOVSKA
2022 HAS BEEN A WATERSHED YEAR FOR CYBERSECURITY, BUT WHAT’S NEXT?
By Jana Dekanovska, Strategic Threat Advisor at CrowdStrike

2022 has been a pivotal year for cybersecurity with adversaries increasingly turning their gaze to Australia’s critical infrastructure and essential industries. Just when organisations were starting to catch up, new and novel threats emerged. In September we saw another attack on ride sharing and food delivery giant, Uber, just months after the company revealed it had suffered a ransomware attack in 2016.

Sophisticated, highly targeted and premeditated intrusion campaigns are being carried out against some of the world’s largest companies. CrowdStrike’s OverWatch team uncovered a highly sophisticated Chinese state-sponsored adversary, Aquatic Panda, carrying out a long-term targeted intrusion campaign against a global technology and manufacturing company. China-linked adversaries such as Aquatic Panda continue to be the most active groups conducting cyber attacks for economic, diplomatic and political purposes.

In fact, China-linked adversaries were the most frequently observed targeting entities in Australia and New Zealand. Continued geopolitical tensions between Canberra and Beijing and the AUKUS security pact further fuelled this activity in 2022. Adversaries attributed to the Democratic People’s Republic of Korea were also prolific, maintaining a dual focus on financial gain and economic espionage driven by domestic circumstances and ongoing international sanctions that restrict the country’s access to global markets.

Nor is Australia immune to financially motivated cyber attacks. Bitwise Spider dominated the eCrime scene throughout 2022 and continues to operate the most professionally run ransomware-as-a-service operation, accumulating the highest number of victims to date. In June 2022, Bitwise Spider released a new update to its program, introducing novel features and techniques, and reaffirmed its focus on what we have named the triple extortion model: ransomware, DDoS attacks and data leaks all at the same time.

This activity is consistent with the criminal behaviour CrowdStrike Intelligence has tracked over the course of 2022 in which adversaries move away from using ransomware alone and adopt the triple extortion strategy.

Governments are adapting to the onslaught of attacks from nation states and criminal groups through legislative measures such as the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 which passed in April this year, and more recently Labor’s plan to overhaul Australia’s cybersecurity strategy. But more needs to be done to keep pace with the continued evolution of cybercrime in Australia and the Asia Pacific region more broadly.

THE GRADUAL DEATH OF RANSOMWARE
Headline stories of cyber attacks in which threat actors demonstrate new levels of determination and expertise through consistent and successful exploitation of organisations are becoming routine. These attacks are made possible by the continued evolution and innovation of their tradecraft.

One example we have seen over the last year is China-linked adversaries moving from relying on phishing and spear phishing as their primary methods for gaining access to organisations, instead leveraging zero day and old vulnerabilities for access to public-facing assets that have not been patched.

Beyond nation state adversaries, financially motivated criminals have been seen moving away from relying solely on ransomware to adopting the triple extortion model. It has become one of the latest strategies in cyber criminals’ arsenals to maximise pressure on the victim and increase the likelihood of a ransom being paid. With good, regularly maintained data backups to restore systems in the event of a ransomware attack, data encryption is no longer enough to extort a ransom from a victim.

As organisations improve their cybersecurity posture by working with security companies such as CrowdStrike, threat adversaries are clearly becoming frustrated because their old ways are not working. We have seen eCrime adversaries leveraging stolen personally identifiable information and cold calling company employees to threaten physical violence unless the ransom is paid. This shows that cyber intrusions are increasingly human-led and, in the worst case, that adversaries will resort to a variety of tactics, including physical violence, to coerce victims into meeting their demands.

This activity is consistent with CrowdStrike’s most recent Falcon OverWatch Threat Hunting Report, which observed that human-led cyber attacks against organisations in Asia Pacific and Japan grew at a far faster rate than attacks against their peers elsewhere, with an attack occurring approximately every seven minutes, down from eight minutes in 2021. Globally, 71 percent of all threat detections were human-driven, an increase from 64 percent in 2021, as reported by CrowdStrike in February 2022.

Another key, but unexpected, trend we observed this year was the rise of ideologically motivated cyber attacks around the world. eCrime adversaries from Russia, Ukraine and the US were seen shifting their motivations from financial gain to ideologies as a direct consequence of the war in Ukraine. In the APJ region, we saw a similar pattern of behaviour with Chinese hacktivists conducting attacks against Taiwanese government websites ahead of US House of Representatives Speaker Nancy Pelosi’s arrival in Taipei. Similarly, we saw hackers claiming to be affiliated with Anonymous deface a Chinese government website in support of Taiwan and Pelosi’s visit.

In light of these activities we can expect adversaries to continue to experiment with their newly found appetite for conducting ideologically motivated attacks, selecting targets on an ad hoc basis to react to political conflicts and controversial issues as they emerge.

FUTURE CYBER THREATS AND HOW BUSINESSES CAN SET THEMSELVES UP TO STAY SAFE
Based on changing adversary behaviour observed in 2022 we can expect to see a greater shift towards targeted intrusions in the year ahead. Targeted intrusions will continue to be a threat particularly to Australian businesses and government agencies in 2023 as foreign, state-sponsored adversaries undertake intelligence gathering and cyber espionage and sometimes pursue financial objectives. Moreover, the rise of ideologically motivated cyber attacks will see hacktivists replicate the level of sophistication and professionalism of eCrime actors in their campaigns, but in much greater volumes.

Adversaries now operate much like any other large organisation and are constantly finding new and innovative ways to exploit existing vulnerabilities within an organisation. Because of this, human threat hunting is key to identifying changing behaviours and preventing attacks. Having access to the latest adversarial intelligence and real-time visibility of misconfigurations and vulnerabilities on a network will enable organisations to anticipate threats and respond immediately to cyber attacks.

Today’s adversaries do not only exploit organisations for financial gain; they are ideologically motivated and far more sophisticated than the typical hacker portrayed as someone operating from his mother’s old sofa bed on his home-built computer.

www.linkedin.com/in/janadeka
www.linkedin.com/company/crowdstrike
ASTHA KESHARIYA
CYBER RESILIENCE IN THE CYBER WORLD
By Dr Astha Keshariya, Information Science, University of Otago

Cyber resilience is a combination of cybersecurity and business continuity. It is the ability of a business to prepare, protect, respond, recover and rapidly reinstate normal operations during or after a cyber disruption such as ransomware, a data breach, identity theft or natural disaster.

Cyber resilience comprises strategies, controls and planned activities to be taken in response to a cyber disruption, to anticipate the impacts of that disruption, counter them and rapidly restore normal operations.

There are many components to an effective cyber resilience strategy: technical, functional, organisational, regional and national. Also, it must integrate many components and supply chain actors that are part of the organisation’s ecosystem.

Furthermore, the evaluation of the impacts of disruption may vary depending on the sociotechnical nature and purpose of the organisation: the requirements of a business in the financial sector would differ from one in healthcare and from one in retail.

RESILIENCE BY DESIGN
Today no organisation exists in cyber isolation. There is no such thing as a perfectly secure environment, service or product. It is a moving target that organisations strive to achieve. Thus, a fair balance between offering customers compelling solutions whilst maintaining sustainability is necessary in a dynamic cyber business.

The paradoxical nature of the cyber-attacks is that the organisations with the most advanced cybersecurity capabilities are most often attacked. Cyber attackers are drawn to high-profile challenges, which often have the potential to provide higher monetary rewards. Multinational companies are tempting targets for ransomware attacks or intellectual property theft. Government organisations are targeted by rival nation states.

It is impossible to accurately assess the global economic cost of cybercrime but experts suggest its dollar value is comparable to that of the global drug trade.

Cyber resilience-by-design based on digital trust is a strategy organisations can adopt to minimise the damage caused by cyber attack and to remain relevant in the digital world.

ISACA defines digital trust as “the confidence in the integrity of the relationships, interactions and transactions among providers and consumers within an associated digital ecosystem.”

It follows from this definition that digital trust can be achieved only when all parties have robust cyber resilience strategies that factor in all their interdependencies.

Corporations and governments are on the path to digital transformation, investing heavily in e-governance initiatives, digitising critical systems, thus inviting digital ecosystems with multiple service and technology providers. An effective resilience plan must factor in all these relationships and interdependencies.

This also implies that the supply chains and critical infrastructures are at greater risk than ever. There has been a rise in supply chain attacks of 51 percent since 2021, according to Revenera’s 2022 Report on Software Supply Chain Compliance, mostly due to increased reliance on operational support systems. According to a 2022 survey by cyber insurance provider, Munich Re, 35 percent of c-level participants are considering commercial cyber insurance as an essential part of their risk management strategy. The report estimates global cyber premiums to be worth $US9.2 billion annually and expects this figure to grow to approximately $US22 billion by 2025 for IT, manufacturing, financial services providers, healthcare, government institutions (including the education sector), consumer products and services. This growth in demand for cyber insurance is predicted to be swifter than insurers’ capacity to provide it. And organisations pursuing cyber insurance will need robust cyber resilience plans if they are to sustain the cover.

Frameworks like the US Department of Homeland Security’s Cyber Resilience Review and NIST’s Cyber Resiliency Engineering Techniques, Resilience Management Model and the Guidance on Cyber Resilience for Financial Market Infrastructures by the Bank for International Settlements can all be used to help an organisation develop an effective cyber resilience strategy.

KNOW THY DATA
Nefarious players who are dedicated to identifying and exploiting loopholes in the data management strategies of a data-driven economy can bring business operations to a standstill.

Data protection has been a focus for cyber defenders for some time. However, the significant rise in ransomware and data breach events demands careful examination of an organisation’s:

• long-term data strategy keeping in mind business requirements to maintain single and multiple sources of truth of the information assets,
• its data architecture and data segregation policies to meet regulatory compliance (personal, financial and health data must be handled differently), its coherent policies and processes to ensure data security, privacy, integrity and quality,
• data flows and data boundaries that are often blurred to the extended business liaisons and third-party service providers in the ecosystem.

EMPOWERING THE WORKFORCE THROUGH CONTINUOUS LEARNING
Traditional cyber defences may no longer be sufficient in light of recent cybersecurity events, the shortage of cybersecurity professionals and gaps in specific cybersecurity skillsets. This situation requires investment in workforce empowerment to develop the necessary talents within an organisation. This can be achieved with:

• targeted role-based training in addition to general cybersecurity awareness training for staff, suppliers and external entities involved in business operations;
• skill enhancement through training and certifications for cyber defenders, specifically in cyber law, threat intelligence, cybercrime investigation, fraud detection and digital forensics to thwart sophisticated cyberattacks;
• research programs on threat intelligence and cybersecurity automation that can help build the capability to extract, analyse and validate meaningful insights for effective real-time response and recovery efforts.

Awareness of the need for organisations to have robust cyber resilience strategies that embrace the roles of the partners in their ecosystem. Their shared goals coupled with mandates from regulators will lead to an overall improvement in cyber resilience in the near future.

www.linkedin.com/in/astha-keshariya-ph-d-b80b063
STACEY CHAMPAGNE
CORPORATE LAYOFFS: A PERFECT STORM FOR INSIDER RISK AND THE IMPERATIVE FOR HOLISTIC MITIGATION APPROACHES By Stacey Champagne, Insider Risk Expert, Founder & CEO of The Trade Secrets Network and Hacker in Heels With over 42,000 tech sector employees laid off in
that touts as its competitive edge a proprietary tech
2022, many workplaces are in a constant state of
platform for agents—has conducted three rounds
stress. A June 2022 survey found nearly 80 percent of
of layoffs since June 2022. Onlookers have dubbed
American workers concerned about their job security.
it “the WeWork of residential real estate” saying the
Individual identity, finances and healthcare are
company has “raised and spent money like a tech firm
intertwined with employment. Therefore, the threat
but made money like a brokerage.”
of losing one’s job is a threat to financial security and mental health.
Employees are voicing their opinions loud and clear. Articles about employees meeting their job duties but
The situation is further exacerbated by
refusing to complete above-and-beyond assignments
C-suite executives who display ineptitude and
are rife on social media. Dubbed “quiet quitting,”
mismanagement. In early February 2022, the
this workplace mentality aligns with a Gallup report
cofounder of fitness equipment maker, Peloton,
showing the ratio of engaged to actively disengaged
stepped down after being criticised for inconsistent
employees as 1.8 to 1, the lowest in almost a decade.
pricing and manufacturing strategies. 2,800 jobs were
88
cut and an additional 800+ jobs are reported to have
The current workplace climate of distrust,
been cut since. Compass—a real estate brokerage
disengagement and threat to individuals’ livelihoods
W O M E N I N S E C U R I T Y M A G A Z I N E
N O V E M B E R • D E C E M B E R 2022
I N D U S T R Y
P E R S P E C T I V E S
is a perfect storm for insider threat activity. Insider
A relationship of concern and trust is everything when
threats are any persons (including contractors and
managing risk or a VUCA event. The magnitude of
third parties) who have, or have had, access to
the event is heavily influenced by the level of trust the
company data and systems and have used their
public (employees) have for the incident responders
trusted access for unauthorised activities such as
(executives). Employees who witness layoffs far
fraud, theft, sabotage and/or workplace violence.
removed from their own role in the company may
Insiders commit hostile acts against organisations
believe they will not experience any impact. However,
for a multitude of reasons. In a climate of workplace
if a software engineer hears of overarching volatility
uncertainty and layoffs insiders may be facing
in the company’s market and does not believe the
financial distress or feel they are about to be/have
company leadership is making the right moves to
been wronged by their employer. They might believe
minimise impact, trust can decrease.
they own the product, code or documentation they have created while employed, and have the right to
If executives lose the trust of employees and
take it with them upon termination.
customers, or fail to follow through on promised actions, according to this paper on crisis leadership
Managing insider risk, especially during times of
in a hyper-VUCA environment, the “level of concern
company turmoil, requires a thoughtful, holistic
increases and the event will grow. As a result, the
approach that addresses both operational psychology
[executives] will find [themselves] not only expending
and the technological components of the layoff
more resources to respond to the event but may
experience. This approach should include not only
deploy additional resources to make the response
employees who will experience their final day with the
appear more robust to outside observers in an
company, but also the colleagues and managers who
attempt to increase trust.”
will remain.
CORPORATE LAYOFFS AS VUCA EVENTS

VUCA stands for volatile, uncertain, complex and ambiguous. The term is used to describe events that are difficult to plan for and manage, typically in an emergency management context. A company experiencing layoffs is arguably in a state of emergency/crisis and could benefit from many of the same mitigation strategies and mindsets used to tackle VUCA events. Retired US Army colonel Eric Kail has outlined adaptive strategies and tactics for operating in a VUCA environment, stating: “clear communication is vital in volatile situations; getting a fresh perspective and maintaining flexibility is critical in uncertain environments; collaborating and seeking incremental solutions are important in complex situations; and listening well and thinking divergently are a must in ambiguous situations.”

THE CRITICAL PATH TO INSIDER RISK

The loss of trust and subsequent stressors that often accompany a corporate layoff can move employees down the critical path to insider risk. The Critical Path Method uses a collection of indicators created by researchers studying historical insider threat cases in the US intelligence community and Department of Defense that can help organisations identify and direct resources towards those most vulnerable.

Research has shown that “the likelihood, or risk, that individuals will commit hostile acts against their organisation increases with the accumulation of factors acting on them over a period of time.” These factors roughly follow a chronological sequence. Most importantly, the summation of multiple factors does not increase certainty or guarantee that the individual will commit a hostile act.

Many organisations put significant effort into implementing technology controls to mitigate insider risk, such as blocking the external transfer of data via webmail, cloud storage or removable media devices. However, technical behaviours are just one type of concerning behaviour that organisations should keep an eye out for. A layoff event introduces multiple stressors on employees (personal, professional and financial) and can produce concerning interpersonal, financial and mental health behaviours.

According to the Federal Reserve, 60 percent of laid-off adults with a high school education or less would not be able to pay all their bills if an unexpected $400 expense popped up during unemployment, and 24 percent of adults with a bachelor’s degree education or higher would have the same issue. Approximately one-in-five Americans are experiencing a diagnosable mental illness and deaths associated with alcohol, drugs and suicide increased 20 percent year-over-year in 2020.

Employees seeking financial security can, and do, find it from nation-states eager to acquire trade secrets. An Intelligence and National Security Alliance (INSA) report, Insider Threats and Commercial Espionage, notes several indictments of scientific researchers, engineers, professors, hackers and businesspeople—both American and Chinese—who have committed theft of US intellectual property. Through its Thousand Talents Plan and other initiatives, China recruits US nationals to provide proprietary data in exchange for payment.

Domestic economic espionage is also a possibility, conducted through hiring of employees from a competitor to gain knowledge of and access to the competitor’s intellectual property. In 2013, Ticketmaster hired an employee from a competing ticket sales company who had retained their access credentials. Ticketmaster requested the employee to use these access credentials to provide business intelligence on its competitor. In late 2020 Ticketmaster was fined $10 million by the Department of Justice for the act. It is not difficult to imagine competing companies preying on the instability of their peers to recruit employees for intelligence and trade secrets which can give them the edge in a crowded market, or even deliver a final blow to a dying firm.

For some employees, a corporate layoff event can be fatal. Earlier this year, Bed Bath & Beyond’s chief financial officer died by suicide days after the retailer announced the closure of 150 stores and the laying off of about 20 percent of its employees. This sort of event can send shockwaves of grief and trauma through an organisation and require significant ‘postvention’ (psychological first aid). A workplace already suffering an economic crisis will want to return to business-as-usual as soon as possible, but doing so can lead to even more speculation, distrust and anger.

Insider threat incidents have risen by more than 44 percent over the past two years as COVID-19 lingers and economies continue to suffer from the pandemic’s effects. The cost per incident has increased more than 33 percent to $15.38 million. A single insider threat incident amid corporate layoffs can wipe out any cost savings the company hoped to achieve through its workforce reduction. An effective plan to mitigate insider risk during layoff events—one that implements strategies and processes beyond technical controls and addresses the humans at the core of the crisis—is therefore essential.
www.linkedin.com/in/staceychampagne
LOOKING BACK TO MOVE FORWARD: THIRTY YEARS OF EXPERIENCE GUIDING THE WAY
By Marty Molloy, Events, Marketing and Communications Coordinator at AusCERT

It is common today to hear, or be told, not to look back too often or to ponder what may have been if different choices had been made. Conversely, age‑old wisdom suggests ignoring past experiences, be they good or bad, could mean overlooking important lessons.

As in so many matters, the wisdom of Star Wars provides guidance. To quote that wise little green creature, Yoda, “Mind what you have learned. Save you it can.”

Understanding the consequences of past choices and resolving any lingering issues can facilitate personal and professional growth and development. Retaining what one has learned can smooth the path to success and reduce the time needed to achieve it.

As AusCERT approaches its 30th birthday in 2023 our team has discussed the value and importance of looking back to see our way forward.

First is the capacity to predict trends. This may seem to be of little value in an ever-evolving industry such as cyber where many attack techniques appear to have been discontinued. However, many have merely lain dormant. Opportunistic attackers will look for the right moment to deploy a proven method to further their aims.

Understanding what led to the original incursion—the weaknesses of a system, human error, an oversight in the firewall—can reduce the potential for a new breach or ransomware attack.

Knowledge of past incursions and attack techniques can produce another benefit: increased speed of learning. Insight gained from past endeavours can enable future outcomes to be achieved faster and with less effort. Security measures based on the evaluation of previous results will help guide staff in their decision-making, shorten the learning process and create more efficient and proficient staff.
However, mistakes will continue to be made. Everyone makes mistakes. The adage that we learn from our mistakes is highly pertinent to this article. Mistakes enable us to become stronger. They prepare us to deal with what is to come, today and tomorrow.

And this knowledge can be shared. Whether it comes from a predecessor in your current role or someone in another department within your organisation, chances are that people close to you have already walked the path you tread. So, seek their advice and guidance to help improve your chances of success.

Collaboration does not guarantee success, but it does provide insight and knowledge and helps identify the skills and abilities needed to undertake the task in hand.

With AusCERT’s 30th birthday approaching we are looking back to see how far we have come, with particular focus on our achievements and successes.

Whilst it is pertinent to learn from our mistakes and seek improvement, celebrating our accomplishments emboldens individuals and teams to undertake new challenges with enthusiasm and positivity.

Opportunity and preparation are often identified as key success factors. Learning and innovating also increase the likelihood of a positive outcome.

Whilst not everything is under the control of an individual or organisation, the ability to create opportunities, plan, learn and innovate is greatly enhanced with the benefit of reflection.

Yoda also said, “Impossible to see, the future is.” However, by understanding and referencing previous experiences we can better equip ourselves to make insightful decisions, move forward adroitly and embrace the potential of the present.
www.linkedin.com/in/marty-molloy-14100932
CYBERSECURITY: A BOARD ISSUE IN 2022
By Lisa Ventura, Founder – Cyber Security Unity

In 2022 cybersecurity gained unprecedented prominence. The war that broke out between Russia and Ukraine in February 2022 highlighted the scale of the problem: the many ransomware, phishing and other types of cyber attacks hitting organisations and individuals every day. Data breaches are announced frequently. Only recently the InterContinental Hotels group experienced another cyber attack, as did UK transport group Go Ahead. There was also a cyber attack against Albania which caused the government to cut ties with Iran, believing the latter to be responsible for the attack.

For years security professionals have been asking themselves a fundamental question: “How can we get our board of directors to take cybersecurity more seriously and prioritise it?” However, to date boards have been reluctant to take the growing cybersecurity threat seriously, despite experiencing years of costly and devastating ransomware attacks, data breaches and other security incidents.

While cybersecurity has been on board agendas for some time it has not been prioritised because of its complexity and because boards did not see how closely cyber risk is tied to business risk. Unless organisations operate in a highly-regulated industry such as healthcare, banking or financial services, their boards face issues seen as far more pressing than cybersecurity.

Fortunately, cybersecurity’s time has finally arrived. In 2022 boards are not only starting to pay attention to cybersecurity but are also starting to ask questions about how they can protect against cyber attacks and data breaches.

HEADS PULLED FROM THE SAND

It has become clear boards can no longer ignore cybersecurity or be complacent when it comes to their organisation’s cyber posture. The notorious attack on software company SolarWinds was a huge wake up call for many boards because it showed the reputational and financial impact of a successful cyber attack. In November 2021 investors in SolarWinds sued the organisation’s board members claiming the board had been aware of the cybersecurity risks long before the data breach occurred and had failed to take action to mitigate these risks. The investors also alleged SolarWinds’ employees had frequently voiced concerns about the company’s poor cybersecurity practices, such as the use of insecure passwords.

BOARDS TAKE NOTE

Boards today need to sit up and start asking questions about cybersecurity, but they must be the right questions. For example, there is no point in asking the security team to ensure the organisation has 100 percent protection: there is no such thing, and no team can make that request a reality. Threat actors are sophisticated and very, very crafty, and cyber attacks are always evolving. Whatever defences security teams deploy, threat actors will always eventually find a way around them.

A board should start by having relevant conversations with the organisation’s security team, giving security a seat at the table, listening to what security staff have to say about the organisation’s security posture. A board should devote as much time as needed to recognising and identifying the risks that result from an inadequate cybersecurity posture, and work with the security team to compile a register of areas deemed critical and at risk from a cyber attack. It should ask the security team to provide recommendations on how to improve cybersecurity strategies, and work with the security team to outline security-related goals that will reduce the organisation’s overall risk.

Most importantly, security professionals should be provided with the tools and the budget to help them achieve these goals. For example, they might need a larger budget to upgrade security technologies, onboard new team members or implement new solutions and facilitate training. They may request companywide security policy implementations or the formation of a cyber-related or risk committee to provide them with ongoing support.
Empowering security teams by providing what they need is a critical first step. The next step is to achieve agreement on budget and strategy.

BOARDS MUST OPEN THEIR EYES TO CYBER RISKS

There are occasions where the biggest cybersecurity risks to an organisation are overlooked because the board does not understand the business risks these cybersecurity risks create. One example is the risk to an organisation that results from the risks faced by other parties in its ecosystem, such as its supply chain. Hackers can penetrate such organisations and from those systems gain access to others. Organisations that consider only direct risks will fail to factor these into their strategies.

No organisation is immune from cyber threats. There is a misconception that small and medium businesses are less likely to suffer a cyber-attack because of their small size, and many small business owners will often ignore cybersecurity. Such a belief is false, and if the business is attacked the financial and reputational damage can destroy it.

Every organisation must constantly assess its security posture and those of others in its ecosystem, including third-party suppliers. This will help to identify gaps and areas that need remediation. Many organisations often have only partial insight into their overall security posture, leaving blind spots that make them vulnerable to cyber attacks. Therefore, new approaches are needed that focus on the analysis and collection of cyber risk intelligence.

There are solutions available that provide actionable cyber risk intelligence and visibility of the entire risk landscape. The ability to gather, analyse and share cyber risk data can help an organisation identify and understand the cybersecurity threats that could affect it, which in turn will allow security teams to take early action and alert other companies in its ecosystem, including supply chains.

Harnessing the power of cyber risk data to gather actionable insights and implement the steps required for remediation can make a huge difference to an organisation’s security posture and enable it to reduce cyber threat risk substantially.

FINAL THOUGHTS

Consideration of cybersecurity is no longer optional for board members. In 2022 we have seen a huge shift in how boards manage their organisations’ cyber postures, and there is no time to be complacent about the growing cyber threat. A data breach involving confidential company information can be devastating. To improve the cybersecurity posture of an organisation its board members should ensure cyber risks are dealt with efficiently and effectively to help mitigate the impact of cyber attacks.
www.linkedin.com/in/lisasventura
twitter.com/cybergeekgirl
www.csu.org.uk
HOW IS THE INDUSTRY RESPONDING TO THE SKILLS AND TALENT SQUEEZE?
By Rosalyn Page, Award-winning writer and content strategist covering innovation, technology and the digital lifestyle

Security professionals do not need to be told they are experiencing a talent squeeze, but the shortage is worsening. Sixty-three percent of respondents to ISACA’s State of Cybersecurity 2022 report had unfilled cybersecurity positions, up eight percentage points from 2021.

While the pandemic has exacerbated an already tight cybersecurity talent pool, there are other systemic issues. According to Jo Stewart-Rattray, a member of ISACA’s Information Security Advisory Group, the pay disparity between genders has produced a male dominated workforce and has inhibited the creation of a wider cohort in the industry.

Adding to the challenges, ADAPT research analyst Pooja Singh says it is critical to have the right talent. “As organisations try to modernise and remain secure against evolving threats, the cyber skills shortage can often feel more pronounced than shortages in other technical areas,” she says.

However, there are some sectors where the shortage is worse. “The crunch is being felt hardest across the public sector, where government departments struggle to compete for staff against well-heeled private firms in terms of salary,” Singh says. “It is also the case in healthcare, an industry already experiencing massive burnout and the added pressure of protecting highly sensitive patient information.”

THE TALENT SQUEEZE MAKES THE ENTIRE ORGANISATION MORE VULNERABLE

Increasingly frequent attacks coupled with increased digitisation across all sectors means security is no longer just an IT issue, according to Verizon’s head of APJ cybersecurity, John Hines. He says organisations are already struggling with increased security risks. “A cyber skills shortage means teams may not have the right mix of resources to manage potential attacks.”

One of the less obvious issues, according to Hines, is that more organisations are falling into the category of critical infrastructure. “Pressure for a strong security posture for these Australian organisations is at an all-time high.”
ISACA’s Stewart-Rattray agrees that an under-resourced security team certainly poses risks for an organisation. “The level of increased risk does depend on the organisation’s security posture and environment to begin with,” she says. “For example, is it a labour-intensive team? Are they using a lot of monitoring tools? Are there state-of-the-art platforms in place?

“The most obvious impact of an under-resourced security team is on its ability to respond instantly and remediate a breach. If the organisation has to contract external consultants there is, potentially, a costly time-lag in addressing a vulnerability.”

HOW SHOULD ORGANISATIONS WITH A SKILLS SHORTAGE BOOST THEIR SECURITY POSTURE?

Dealing with the skills shortage is one thing. The other equally important issue is working to reinforce the organisation’s security posture in the face of the ongoing talent squeeze. While they build their talent pipeline, “organisations need to get serious about taking a risk‑based approach and use existing tools and resources available to them to mitigate those risks,” says Hines.

Cybersecurity awareness programs need to run throughout the organisation, says Singh, but must move away from the ‘one and done’ approach. Instead, they must actively use phishing emails for testing, collaborate with academic institutes and enrol their cybersecurity team into certification programs. “Designing security in from the start can reduce the time, cost and risk involved with addressing these issues as an afterthought,” Hines says.

Security must also be an underlying qualifier for any and all digital transformation initiatives, including architectural design, cloud projects, data compliance and the use of artificial intelligence and machine learning for prediction and augmentation. “Evaluating these decisions through both a security and enablement lens is pivotal,” Singh says.

WHAT ARE THE SOLUTIONS TO THE PIPELINE PROBLEM?

Those looking for the magic bullet will be disappointed. Everyone agrees attracting more students into security is vital, as is boosting women’s participation, but to achieve these goals ingrained stigmas about security being a male-centric career must be dispelled.

Stewart-Rattray says the gender pay gap only validates this. “So systemic barriers hindering gender disparity issues must be addressed.” She nominates mentoring, coaching and more role models as the means to achieve this. “It’s up to my generation of security experts to encourage and support aspiring generations to give this career option serious consideration and have a crack.”

ADAPT’s Singh believes senior executives should also support better diversity and inclusion initiatives including gender outreach programs to encourage women to kick-start their cybersecurity careers. She says building better pipelines designed for greater inclusion will not only grow the talent pool but also offer increased access to the problem-solving skills available from greater neurodiversity and a mix of experiences, demographics and vision.

For the time being, organisations are looking to cross-training as well as tapping consultants and contractors to help fill the gaps, according to ISACA’s survey. However, MassMutual CISO, Ariel Weintraub, warns this approach requires focused efforts on “comprehensive risk assessments and risk quantification to ensure resources are allocated to addressing the most important threats.”

Over the longer term, Weintraub recommends building a strong bench of talent by leveraging an early career pipeline and recruiting from a wider pool of applicants with a variety of educational backgrounds, rather than focusing specifically on cybersecurity and computer science. “Candidates with degrees in areas such as political science or economics bring a unique perspective on problem solving and critical thinking; cybersecurity concepts can be learned on the job,” says Weintraub.

Another avenue to boost participation, suggests Weintraub, is partnering with non-profit organisations to sponsor scholarships “for potential students who come from underrepresented communities, especially those who are first in their families to attend college.”

www.linkedin.com/in/rosalyn-page
rosalynpage.com
MEETING THE SECURITY AND PRIVACY CHALLENGES OF THE METAVERSE
By Kara Kelly, Manager at Deloitte and Sarah Iannantuono, Security Strategy and Program at SEEK

“Other virtual worlds soon followed suit, from the Metaverse to the Matrix. … Users could now teleport back and forth between their favorite fictional worlds. Middle Earth. Vulcan. Pern. Arrakis. Magrathea. Discworld, Mid‑World, Riverworld, Ringworld. Worlds upon worlds.”
Ready Player One

The metaverse, a fully immersive shared virtual space for humans to work and socialise, became the subject of global discourse in 2022. The term ‘metaverse’—coined by author Neal Stephenson in his 1992 novel ‘Snow Crash’—entered into mainstream popular discourse (or as we like to say, dinner party/BBQ conversations) after Facebook rebranded as Meta in line with a focus on leading the development of the metaverse. So, virtual hands up, who within the security, risk and privacy professions has been asked by family or friends what the metaverse is?

Depictions of the metaverse in the media, such as Ernest Cline’s Ready Player One, romanticise the concept of the metaverse. However, recent studies have brought to light the ways in which innocent-looking games can have real security and privacy issues. Imagine playing in a virtual reality escape room while, behind the scenes, an adversarial program was able to accurately infer over 25 personal data attributes about you: height, age, gender, etc. That is certainly not ideal.

With businesses racing to boost their bottom lines and governments taking advantage of the topicality of the metaverse there is a genuine need for reimagined security and privacy processes. It is imperative cybersecurity professionals are involved in metaverse opportunity exploration or discussion within their organisations to influence greater security and privacy.
PRIVACY THOUGHTS WITH KARA KELLY

The metaverse presents many unique challenges to individuals’ privacy. Data minimisation—the need to collect only data necessary to conduct processing activities—is a principle of data protection regulations. A challenge posed by the metaverse is that the data processing required to create immersive environments is expected to result in massive collections of data about individuals, from health data to financial data. Companies in the metaverse such as JP Morgan, Walmart, Nike and Samsung may soon have access to surveillance data from business engagement and sales, exposing us to highly commercialised digital spaces where overcollection of data may become unavoidable.

The 2022 Deloitte Australia Privacy Index stressed the link between consumer behaviour and privacy with 51 percent of individuals surveyed saying they were uncomfortable with their behaviour being subject to online surveillance. So, how do companies create these environments while managing consumer expectations of data minimisation?

Meta is one company that has attempted to overcome this challenge. As of August 2022, users of Meta’s virtual reality (VR) devices will no longer need their Facebook account details to log in. However, Meta will still require name, email address, phone number, payment information and date of birth for age verification to create this new type of account. This practice raises the question of whether or not Meta is adhering to the principle of data minimisation.

How do we address the risk of overcollection of personal information in the metaverse?

Most data protection laws are drafted to be agnostic in their treatment of new technologies, and are applicable to the metaverse. The EU’s General Data Protection Regulation (GDPR) and China’s Personal Information Protection Law (PIPL) specifically mention monitoring the behaviours of natural persons living within their territories regardless of where the data gathered is processed. They also require a high level of transparency from entities processing the personal information of individuals. Such entities must be able to identify exactly what they are collecting and processing in the metaverse and explain this to their users in a manner that allows for informed decisions. Companies looking to benefit long term in the metaverse by engaging with individuals must examine their data collection needs and build trust through transparency.

SECURITY THOUGHTS WITH SARAH IANNANTUONO

The metaverse represents a convergence of multiple technologies. This makes security a top priority for metaverse development if the opportunities it creates are to be exploited. With countries like South Korea investing $US177.1 million into the metaverse ecosystem and companies such as Meta, Microsoft and NVIDIA focusing on the metaverse as a core offering it is important to foster discussion on security concerns and collective ways to mitigate them. Here is a small snapshot of some of the key security considerations to be aware of, and some example mitigations.

Data portability and fragmentation. The (slightly utopian) objective to have one seamless digital experience across companies and providers creates trust challenges for individuals who are currently unable, in most cases, to take identity and assets between platforms. In addition, the current fragmentation between the players in the metaverse divides applications and products. What to think about: A new approach to governance and standards in the metaverse needs to be established. Some companies currently exploring the metaverse, such as Meta and Microsoft, have committed to portability of data across platforms. If your company is looking into metaverse opportunities, consider staying flexible and remaining open about applications and products used to ensure you are not locked in.

Broader attack surface and fraud opportunities. Mixed reality devices provide malicious actors with new attack surfaces. New metaverse-specific crimes such as ‘pump and dump’ NFTs and fraudulent metaverse investments have already emerged. Looking at the history of IoT devices, there are numerous examples in which new weak points in the enterprise were targeted for exploitation. What to think about: Ensure devices such as mixed reality headsets are secured with mobile device management. Provide training to staff members on scams exploiting metaverse opportunities and, lastly, ensure your company secures the rights to its URL address to stop impersonation.

Call for discussion

The metaverse is here to stay (and will develop exponentially), but there will be teething pains for privacy and security as it does so. Building trust through transparency and security will be key for companies seeking to use this new channel of communication with users. While current laws and regulations will apply, our understanding of this technology will be critical to how we, as users, adopt it and behave in this new hyper-spatiotemporal and self-sustaining virtual environment.
www.linkedin.com/in/kara-kelly-9515b9b3
www.linkedin.com/in/sarahiannantuono
TECHNOLOGY PERSPECTIVES
BLOCKCHAIN – THE TECHNOLOGY BEHIND CRYPTOCURRENCY
By Sai Honig, Engagement Security Consultant at Amazon Web Services

Blockchain is the technology behind cryptocurrencies. Because of wild swings in the values of cryptocurrencies, blockchain has had a great deal of bad press. However, blockchain is a technology that can be used for many other business and personal processes.

Let us try and understand blockchain by looking at a very ancient technology, that of step pyramids. A step pyramid, or stepped pyramid, is an architectural structure that uses flat platforms, or steps, receding from the ground up to achieve a shape similar to that of a geometric pyramid. Step pyramids were built by several cultures in the past and in various parts of the world.

These structures are built with stones. Each stone is precisely cut and placed next to others. The connections between each stone to those next to it give these pyramids great strength, and many remain largely intact. However, if even one stone is incorrectly placed, the pyramid loses its integrity.

A blockchain also provides integrity through the connections between one block of data and another. If the data in a block is modified or deleted, the connections are broken. It is these connections that provide irrefutability. When something is irrefutable, it is impossible to dispute. This irrefutability creates the integrity of blockchain technology.

We can identify many applications where irrefutability is useful and, in some cases, essential.

In insurance, blockchain technology can bring cost savings, transparency and fraud mitigation. It can also enable faster payouts because data can be shared between parties in a trusted and traceable manner.

In Canada, personal identification using blockchain was implemented in 2019. Users verify their identity online, in person or on the phone using information held in banks, health records and government services which they have consented to share.

A blockchain network in the healthcare system could be used to preserve and exchange patient data between hospitals, diagnostic laboratories, pharmacy firms and physicians. This could be done through electronic healthcare record systems interoperability and healthcare data exchange. Such an exchange can be created using blockchain technology.
W O M E N I N S E C U R I T Y M A G A Z I N E
N O V E M B E R • D E C E M B E R 2022
T E C H N O L O G Y
P E R S P E C T I V E S
We have lived with the benefits of global supply chains for several decades. During the current pandemic we saw disruptions of these supply chains. Blockchain technologies helped with tracking shipments. From container shipping to commodity sourcing, blockchain business applications provide certification and ensure correct payments. These technologies can also enable quick responses to quality issues arising in consumer packaged goods, such as identifying batches to be quarantined because of contamination. The next time you drink coffee or tea, consider where it may have come from and the journey it may have taken to get to your favourite retailer. Blockchain technology has provided coffee, tea and other food commodities with complete
“The COVID-19 outbreak has further exacerbated
end‑to‑end traceability.
supply chain vulnerabilities across different industries as a result of travel bans and factory shutdowns.
In addition to food, blockchain business applications
This added newer challenges to PPE supply chains,
have been used to track and trace jewellery,
as many countries rely on exporting PPE rather than
automobiles (production and car sharing), and art.
stockpiling to optimise the use of resources. Moreover,
All these industries need to track and trace the
there has been a rise in counterfeit PPE amid the
locations of goods, and payments.
COVID-19 outbreak.”
Perhaps the most common application of blockchain
Blockchain can also be used in the treatment of
is in healthcare. As we have seen during the current
diseases such as cancer and in organ transplants.
pandemic, access to reliable healthcare records and treatments is necessary to save lives. As stated in
So, beyond cryptocurrencies and NFTs, blockchain
ScienceDirect,
technology has a number of use cases. This technology might be around for as long as
“An efficient supply chain is fundamental to a fully
the pyramids.
functional healthcare system. Thus, the health supply system must be designed to quickly and reliably deliver crucial health commodities such as medicines,
www.linkedin.com/in/saihonig
vaccines, and PPE during infectious disease outbreaks.
I S S U E 11
WOMEN IN SECURITY MAGAZINE
107
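The block-to-block connections the blockchain article describes ("if the data in a block is modified or deleted, the connections are broken") can be shown with a minimal hash chain. This is an added example, not code from the article or from any blockchain product; the shipment records are constructed, every function name is illustrative, and it goes one step beyond the text by showing why the latest hash has to be held independently of the chain.

```python
import hashlib
import json
from dataclasses import dataclass, replace

GENESIS_PREV = "0" * 64  # stand-in "previous hash" for the first block

# Constructed sample records (not real shipment data).
SAMPLE_RECORDS = [
    {"shipment": "C-1001", "status": "loaded"},
    {"shipment": "C-1002", "status": "quarantined"},
    {"shipment": "C-1003", "status": "in transit"},
    {"shipment": "C-1004", "status": "delivered"},
]


@dataclass(frozen=True)
class Block:
    index: int
    data: dict
    prev_hash: str   # the "connection" to the previous block
    digest: str      # hash over this block's contents and its connection


def block_hash(index, data, prev_hash):
    """SHA-256 over a canonical encoding of the contents and the link."""
    payload = json.dumps(
        {"index": index, "data": data, "prev_hash": prev_hash},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def build_chain(records):
    chain, prev = [], GENESIS_PREV
    for i, record in enumerate(records):
        digest = block_hash(i, record, prev)
        chain.append(Block(i, record, prev, digest))
        prev = digest
    return chain


def verify_chain(chain, trusted_head=None):
    """Return (position, problem) findings; an empty list means intact."""
    findings, prev = [], GENESIS_PREV
    for pos, block in enumerate(chain):
        if block.index != pos:
            findings.append((pos, "index gap: a block was removed or reordered"))
        if block.prev_hash != prev:
            findings.append((pos, "broken link to previous block"))
        if block_hash(block.index, block.data, block.prev_hash) != block.digest:
            findings.append((pos, "contents do not match stored hash"))
        prev = block.digest
    # A chain that is internally consistent can still be a wholesale rewrite,
    # so compare its head with a hash held somewhere the editor cannot reach.
    if trusted_head is not None and (not chain or chain[-1].digest != trusted_head):
        findings.append((len(chain) - 1, "head differs from independently held hash"))
    return findings


def tamper_in_place(chain, pos, new_data):
    """Modify one block's data and leave its stored hash untouched."""
    out = list(chain)
    out[pos] = replace(chain[pos], data=new_data)
    return out


def tamper_and_rehash(chain, pos, new_data):
    """Modify one block and recompute only that block's own hash."""
    b = chain[pos]
    out = list(chain)
    out[pos] = Block(b.index, new_data, b.prev_hash,
                     block_hash(b.index, new_data, b.prev_hash))
    return out


def delete_block(chain, pos):
    """Remove one block without touching its neighbours."""
    return chain[:pos] + chain[pos + 1:]


def rewrite_from(chain, pos, new_data):
    """Modify one block and rebuild every later block so all links agree."""
    records = [b.data for b in chain]
    records[pos] = new_data
    return build_chain(records)


if __name__ == "__main__":
    chain = build_chain(SAMPLE_RECORDS)
    edited = {"shipment": "C-1002", "status": "released"}
    print("intact:          ", verify_chain(chain))
    print("edit in place:   ", verify_chain(tamper_in_place(chain, 1, edited)))
    print("edit + rehash:   ", verify_chain(tamper_and_rehash(chain, 1, edited)))
    print("delete block 1:  ", verify_chain(delete_block(chain, 1)))
    rewritten = rewrite_from(chain, 1, edited)
    print("full rewrite:    ", verify_chain(rewritten))
    print("rewrite vs head: ", verify_chain(rewritten, chain[-1].digest))
```

A single edit or deletion surfaces at the altered block or the one after it; only a rewrite of every later block passes the internal check, which is why real deployments replicate or anchor the head hash across independent parties.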
SHARING OUR INNER VOICE STORIES
by
Kavika Singhal, Cyber Security Consultant at EY
Jay Hira, Director of Cyber Transformation at EY
Michelle Gatsi, Cyber Security Consultant at EY
Emily Goodman, Cyber Security Consultant at EY
Shinesa Cambric, Principal Product Manager, Microsoft Intelligent Protections - Emerging Identity at Microsoft
Kaajal Sharma, Offensive Security Associate at EY
Baby Lyn Nagayo, Cyber Security Manager at EY
INTRODUCTION
Kavika Singhal
Reflecting is an intimate, thought-provoking process. It is the focal point where our grown self and old self meet to have a conversation about our strengths, weaknesses, values and learnings. These lines from the poem The Road Not Taken by Robert Frost stirred up some questions for me:
“Two roads diverged in a wood, and I—
I took the one less travelled by,
And that has made all the difference.”
Frost writes that when, in life, he found himself having to choose between two diverging roads, travelling the less trodden path made “all the difference” in his life. Each of us encounters such occasions in our lifetime, where we need to make tough choices and become confused while weighing up which choice will deliver the best outcome. What factors should I consider in such a situation? Can I always make the best choice? And most importantly: how do I stay on my chosen path?
With a head full of questions and the determination to seek an answer I sat down with some of my cybersecurity industry mentors and friends—individuals from diverse walks of life—to share their stories of how they had found themselves at the junction of diverging pathways and at the lifelong changes their choice between these had wrought.
STORIES
Jay Hira
“Do not let anybody’s opinion define your choices: the future is yours to create.”
Aged 18, I sat in the dean’s office with my father. My grades were average but my ambitions lofty. To this day, I clearly remember the dean’s laughter and blunt remarks when my father asked about my chances of getting into the computer science program. “Your son has ZERO chance of getting into computer science. Have you looked at his track record? I’m doubtful he will even be able to complete his degree in four years.”
Those words crushed my soul and filled me with fear, leaving me with two choices: either give up and surrender to the harsh, critical voice in my head telling me, “You are not smart enough, you are not capable enough!” Or trust my inner voice encouraging me to believe my hard work and strength would lead to success.
My determination and strong self-belief led me to make the second choice: the harder one. I worked diligently, made my work speak for itself and did not allow anybody’s opinion to define my reality or my capabilities. A year later, I was among the top students in my cohort and transferred easily to computer science. The biggest lesson I learnt was that believing in yourself may not be easy, but it is the most crucial ingredient in determining your success.
Kaajal Sharma
“Challenge yourself to venture out of your comfort zone.”
The intimidating experience of venturing into the unknown world of penetration testing (ethical hacking) has traditionally kept talent away, maybe because the discipline requires extensive technical skills and expertise. I chose to venture outside my comfort zone. My decision to pursue an offensive security career stemmed from my appetite for investigation and my unwavering belief in my competencies.
It is important to be tenacious when working towards your goals. If you do not have the right set of skills, you can always develop them and advance to where you want to be. The biggest takeaway in my career journey was to not measure my self-worth from a perspective of past or future. You must be prepared to challenge yourself to achieve your goals. However, you must live in the present to build a better future.
Michelle Gatsi
“Keep track of your progress as a reminder of your potential.”
“Don’t be so hard on yourself Michelle, you’re doing great!” If I had a dollar for each time I have heard those words… The truth is, this is much easier said than done. I work in an industry saturated with extremely sharp and talented minds and, as a newcomer to cybersecurity with an academic background in criminology and social science, it is easy to feel like a fish out of water. A solution to counter those doubts was to keep track of my personal journey. When I first decided to venture into cybersecurity I bought myself a little turquoise journal and labelled it ‘My Cyber Journal’. Its purpose was to keep track of my journey and I followed through in writing about my experiences, fears and achievements.
In moments when imposter syndrome showed itself, I recorded in my journal. The journal is evidence of all the hard work I have put in so far to break into the cybersecurity industry and build my career, including the tremendous amount of support I have received along the way. My little turquoise journal is my source of strength, and my journey is not only a reminder of my progress, but also my potential.
Shinesa Cambric
“There is great power in being intentional.”
It took a very long time for me to discover this, but one key lesson I learnt in my career journey was that being intentional is empowering. I have always been someone who enjoys achieving and getting things done, but only late in my journey did I realise the importance of being intentional with the choices I had made in my career, such as focussing on doing the right things. The early choices I made were for myself or because they met the expectations of others.
When I took time to pause and reflect on my actions I realised I had influenced others to achieve their goals while achieving my own. Hence, I became committed to becoming intentional about my choices rather than drifting with the current: to acknowledge the power of my actions and focus on the things that would bring me joy.
Baby Lyn Nagayo
“If it’s possible in the world, it is possible for me.”
When I started my career in cybersecurity I made little progress in the technology industry until I became involved with the EY Women in Tech and SheLeadsTech Melbourne communities. They empowered me to thrive in discomfort. The mentorship, coaching and sponsorship I received were instrumental in me overcoming my self‑limiting beliefs.
As I continue to thrive and grow in the industry, I find my achievements to be still within my comfort zone. It is important for me to venture out of that comfort zone, challenge my beliefs and change my behaviours if I am to achieve my ultimate goals in life. I live by these famous words of Tony Robbins: “It is in your moments of decision that your destiny is shaped.” Each day I repeat to myself: “If it’s possible in the world, it is possible for me.”
Emily Goodman
“You don’t get anywhere by standing still.”
For my undergraduate degree I majored in accounting. Whenever I told anyone this, a common reaction was: “You don’t seem like someone who would study accounting or someone who would like maths.” This statement often made me doubt my abilities, and imposter syndrome developed. I could have let this self-doubt take over. However, I listened to my inner voice knowing I wanted to achieve more. This led me to joining the cybersecurity industry, to earning a master’s degree and working in a role where I have a purpose. Over the years I have learnt to listen to my inner voice as my best guidance. I have moments of imposter syndrome and I have doubts. However, mentors and colleagues who believe in me keep me going. The advice from one of my mentors: “You do not get anywhere by standing still,” keeps me motivated to overcome any challenges, step outside my comfort zone and trust my inner voice, because we can achieve whatever we set our minds to.
CONCLUSION
Kavika Singhal
Our thoughts are the foundation of our actions, and our inner voice is the guiding light in our life journey. If we land ourselves in a position where we can choose a tough path, we should never let outside voices influence our inner voice, because each of us is the creator of our own reality. When faced with harsh obstacles on the road to achieving something we desire it is important to push ourselves beyond our comfort zone, because we get nowhere by standing still.
On this path, keeping track of progress is an essential, motivating indicator. We may not always make the best decisions, but good intent always results in better outcomes. Lastly, when things look impossible, we need to remember: if it is possible in this world, we can make it happen.
These stories certainly answered my questions. I hope they assist you when you reflect on your journey.
www.linkedin.com/in/kavika-singhal
www.linkedin.com/in/jayhira
www.linkedin.com/in/michellegatsi
www.linkedin.com/in/emily-goodman-b9a023144
www.linkedin.com/in/shinesa-cambric-cissp-ccspcisa®-0480685
www.linkedin.com/in/kaajalsharma
www.linkedin.com/in/baby-lyn-nagayo-09821210b
MEGHAN JACQUOT
REFLECTIONS ON MALWARE
by Meghan Jacquot, Security Engineer at Inspectiv
Malicious software (malware) did not always exist. Researchers disagree on what represented the first virus. I will define it as Wabbit in 1974, because it caused computers to crash. Over time, malware changed the software scene dramatically. At first malware was often sent as a joke: think of a snake game. However, it has become much more serious and is now a standard tool of criminal syndicates and threat actor groups. This article will discuss three trends in modern malware seen in 2022.
ADAPTABILITY
If you noticed an issue on a Friday afternoon that impaired the functionality of a system how long would it take to get it fixed? I am certain many of you are thinking “It depends” and are considering criticality, uptime, services, who it impacts, etc. For many teams, a Friday afternoon issue would be fixed in the following week, or later depending on its criticality.
Threat actors are sometimes much more responsive to the issues they face. Emotet, long-lived malware, was developed by a threat actor group that has shown adaptability over the years, including in 2022. Research group Cryptolaemus identified an update to a static file reference in Emotet that compromised its performance. When the malware was installed on endpoints the file names shifted and so the distribution chain was broken.
This was an error that needed to be fixed, and that is exactly what the threat actor group did. Its members either learned about the error through monitoring their systems or through monitoring defenders’ social media posts, and modified Emotet rapidly. The error was found on a Friday, tested, fully debugged and fixed by the following Monday. Think back to the question about how long it would take your team to fix an issue. As defenders we need to be aware of how adaptable threat actors are.
DECEPTION
A continuing trend observed in malware operations is deception. Deceptive tactics often exploit current events and this was the case in 2022. For example, in January the final phase of the Windows 11 upgrade was announced and was exploited as a current-event-based deception by threat actors. They were able to create various deceptions masquerading as this necessary download to install their own malicious payloads. The group behind infostealer malware, RedLine Stealer, was observed using this exact tactic.
Another form of deception that researcher iamdeadlyz identified in August was more complex. Threat actors pretended to be testers for a play-to-earn (P2E) video game, Cthulhu World. The ‘game’ appeared well-developed and legitimate, would‑be testers were sent codes to test it, but these codes installed one of three infostealer malwares: AsyncRAT, RedLine Stealer or Raccoon Stealer. The website of that fake game is now defunct, but deception will continue to be a much used tactic for threat actors. A final example of current event exploitation saw malware embedded in a jpg file of images from the James Webb telescope. The threat actors realised people were sending these beautiful images to one another and took advantage of this to add a malicious payload to an image.
BUSINESS MODELS
Another trend observed in 2022 was the continuation of complexity with malware being part of a business model. There are criminal organisations that develop malware-as-a-service (MaaS) or phishing-as-a-service (PhaaS) models other less skilled threat actors can use to commit cybercrimes. For example, a new malware, ZingoStealer, was observed by researchers and the threat actor group behind it chose to give this malware away for free. Its use gave the group data about infected endpoints they could use for additional criminal activity. They were gathering data, building a user base and beta testing their dashboards.
Another cybercriminal group offers EvilProxy PhaaS on subscription. Researchers found there were specific tutorials and methods discussed for bypassing two factor or multifactor authentication (MFA). Multiple attacks on a variety of organisations in 2022 bypassed MFA with the help of infostealer malware. For example, the July cyberattack on Twilio, which ended up affecting more than 160 of its customers, has led to additional software supply chain attacks.
Another attack that had its roots in infostealers was the September Uber cyber attack. It was initiated by credentials being found via an infostealer and progressed using social engineering. Here is a visual of a likely breakdown of the attack.
Source: Andy Robbins, shared and modified with permission.
WHAT IS A DEFENDER TO DO?
Knowledge is power. The more we can understand, model and identify threat actor activity the better we can predict and defend against it. Additionally, defenders can add in layers of defence based on threat modeling of attacker activity. If MFA and social engineering are being bypassed, then what other layers of defence exist for your network? What backup and data recovery processes do you have? Do you make use of honeypots or other deceptions to delay a threat actor? Additionally, what methods are being used for detection? The less time an attacker has in your network the better, so early detection can be quite helpful. Malware today is no longer as innocuous as a snake game filling up your screen where an individual can troubleshoot the issue. It is more damaging and requires a team-based approach. As computer programming pioneer, Grace Hopper, said, “I’ve always been more interested in the future than in the past.” So let us look to the future and work together as defenders against malicious software.
Here’s a collection of resources related to this article and focused on malware.
www.linkedin.com/in/meghan-jacquot-carpe-diem
twitter.com/CarpeDiemT3ch
www.youtube.com/c/CarpeDiemT3ch
MEHLIKA ERCAN
THE RELATIONSHIP BETWEEN ARTIFICIAL NEURAL NETWORKS AND CYBERSECURITY
by Mehlika Ercan, Cyber Security Analyst
It is a fact that, with the development and spread of information technologies in recent years, malicious software that threatens information systems has increased and become more diverse. Having a flexible and multi-layered security strategy is critical to preventing damage to company networks, but damage to healthcare or nuclear systems can have more dangerous consequences. In the past cyber attacks have been prevented before they caused major catastrophes. However, today’s cyber criminals are not merely stealing data or causing overt damage: their focus is on data manipulation, a form of cyber attack that can be more destructive and more deadly.
There are insufficient people with the experience and skills to ensure the confidentiality and integrity of critical infrastructure systems, networks and data in these sectors. Artificial intelligence is proving a valuable tool to supplement these limited resources.
WHAT IS AN ARTIFICIAL NEURAL NETWORK?
Artificial intelligence mimics the human brain’s functionality and connectivity. The human brain consists of neurons with dendrites and axons. Dendrites bring information to the cell body and information passes through the axon. The information is then transferred to the dendrites of another neuron at the synapse, which is a small gap between the axon of one neuron and the dendrites of the other neuron.
Artificial neural networks (ANNs) are made up of node layers: an input layer, one or more hidden layers, and an output layer. There are connections between nodes, or artificial neurons, and each has an associated weight and threshold. To activate a node and send data to the next layer of the network the output must be above the specified threshold value.
Figure: Deep Neural Network
A convolutional neural network (CNN) is a class of artificial neural network. It has convolution layers, fully connected layers and pooling layers.
Recurrent neural networks (RNNs) have a unique loop structure of memory units that store data from past inputs or the hidden layer’s current state. Because the output depends on earlier inputs, an RNN can be trained on sequential data.
A deep neural network (DNN) (also known as deep structured learning) is a machine learning technology with many hidden layers.
WHY ARTIFICIAL INTELLIGENCE IS IMPORTANT FOR CYBERSECURITY
Signature-based detection is not a good way to catch zero-day attacks. However, artificial neural networks (ANNs) can improve the performance of intrusion detection systems (IDS), security information and event management (SIEM) tools and extended detection and response (XDR) tools.
CASE STUDY
Shun Tobiyama and coresearchers from Japan’s Nagoya University and NTT Secure Platform Laboratories investigated the use of CNNs, DNNs and RNNs to detect malware.
They obtained 26 malware files from the NTT labs, ran these malware files and some benign files through a Cuckoo Sandbox to obtain 81 malware process log files and 69 benign process log files for training and validation.
As a result of their research they proposed an AI-based technique for malware detection that would use an RNN to construct a behavioural language model of the malware, extract behavioural features and generate feature images. These feature images would then be classified by the CNN. Details of their research were presented at the IEEE’s 40th Annual Computer Software and Applications Conference, 2016, in a paper, Malware Detection with Deep Neural Network Using Process Behavior.
https://www.linkedin.com/in/mehlikaercan/
MARISE ALPHONSO
KEY THEMES FROM 2022 TAKING US FORWARD
by Marise Alphonso, Information Security Professional
You may have heard that the only constant in the information security industry is change. 2022 ushered in some major changes and trends in the Australian and global landscape that can be leveraged to improve cyber maturity and create a safer cyber environment for individuals and organisations.
THE APPROACH TO CYBERSECURITY AT A NATIONAL LEVEL
The Albanese government sworn in earlier this year sent a strong signal to the information security community by appointing Clare O’Neil as Minister for Cyber Security. With a dedicated minister for cybersecurity, Australians can be optimistic about Australia becoming a cyber-resilient nation with a trusted and secure digital economy. Cybersecurity has certainly been given the prominence and visibility to help achieve this. The needs for greater diversity and inclusion and a larger cyber workforce are topics much discussed. Government, industry and academia must pull together if these needs are to be met. The appointment of a woman as minister for cybersecurity is an encouraging sign to other women working in, or aspiring to work in, the information security sector.
AustCyber’s Sector Competitiveness Plan 2020 highlights five key industries becoming increasingly digitised, and hence with growing cybersecurity requirements. Key components of this digitisation are the shift to online infrastructure, the increase in digital payments and fintech, the proliferation of IoT and smart devices, remote access to operations technology (OT) and the expansion of AI and quantum computing.
It is projected that future cybersecurity products and services will be required to focus on these five areas in response to the increased attack surfaces they will create and the expanded regulatory requirements that will be imposed on various sectors of the economy.
In discussions about digital trust and in the announcement of a planned review of Australia’s 2020 cyber security strategy there is growing mention of ‘sovereign capability’ and the need for Australia to have the cyber capability to protect the digital economy. The rise in geopolitical tensions has cybersecurity implications, as was seen with Russia’s invasion of Ukraine in February and with cyber attacks on the Taiwanese government and Taiwanese businesses following Nancy Pelosi’s visit in August. Developing and maturing a local cyber capability is a necessity.
CHANGING WORK ENVIRONMENT
Practices accelerated by the Covid-19 pandemic—including remote working, digital transformation and cloud services usage—have led to changes on the cybersecurity front that are here to stay. An organisation’s network no longer represents a logical perimeter where protection can be deployed. Neither do its premises represent a physical perimeter to its operations that can be protected. Therefore, it has never been more important for employees to be cognisant of their key role in protecting their organisation’s data. Customer personal information is now visible on screens in a staff member’s home. Connections into an organisation’s network are via a home network WiFi router. Staff are more reachable via email or messaging applications and hence more prone to phishing attacks. An organisation’s security awareness initiatives will continue to be critical to addressing cyber risk and fostering a cyber aware and cyber safe workforce.
LEGAL, REGULATORY AND INFORMATION SECURITY STANDARDS LANDSCAPE
Australian consumers and businesses are awaiting the results of the review of the Privacy Act being conducted by the Attorney General’s office. The Office of the Australian Information Commissioner (OAIC) indicates this review will strengthen requirements for protecting personal information, empower consumers, hold businesses accountable and ensure the OAIC can provide effective privacy regulation in line with community expectations.
The Security of Critical Infrastructure (SOCI) Act has introduced new obligations on 11 sectors of the economy. Two new positive security obligations (PSO) require organisations bound by the SOCI Act to (a) provide ownership and operational information to the Register of Critical Infrastructure Assets and (b) notify the Australian Cyber Security Centre (ACSC) of cybersecurity incidents within certain timeframes. A third PSO, yet to be ‘switched on’ by the government, requires organisations to maintain a risk management plan and uplift security practices that relate to the management of critical infrastructure assets.
The new version of ISO/IEC 27002:2022 has ushered in changes to existing organisational security control frameworks. These include a consolidation of controls with additions and deletions as well as the introduction of attributes to allow for categorisation. The updated version of ISO/IEC 27001:2022 is expected in October and organisations certified to ISO/IEC 27001 will have to review the changes and make adjustments to their governance processes that facilitate the running of an information security management system.
DRIVING INCREASED SECURITY MATURITY
The journey towards cyber resilience tends to be cyclical rather than linear with several checkpoints along the way. To be successful and stay on the path, organisations need:
• their board and executive leadership teams engaged and asking the right questions of the security team;
• clarity on their legal, regulatory and contractual obligations for data and system protection;
• to embrace the changed work environment and use security practices to enable the organisation;
• a baseline of operational security practices so they are able to benefit from cyber insurance policies;
• to provide evidence demonstrating effective security practices that will satisfy auditors;
• a culture of preparedness for security incidents that enables them to respond and recover effectively.
www.linkedin.com/in/marisealphonso
MICHELLE LIAO
OUT OF THE SHADOWS: HOW CYBERSECURITY HAS TAKEN CENTRE STAGE IN THE AUSTRALIAN BUSINESS ARENA by Michelle Liao, A/NZ Channel and Distribution Manager at WatchGuard Technologies
The pandemic has invigorated the cybersecurity sector
CYBER SHAKE-UP
and made it a more appealing place to work.
The pandemic has shaken things up in the cybersecurity sector, albeit in ways that, to folks who
What a difference a couple of years can make. When
do not work in the space every day, may not seem
a globally momentous event takes place—think
quite so dramatic as its wider impacts.
World Wars I and II and the September 11 attacks—it inevitably becomes an indelible time marker, splitting
I am fortunate to have worked in cybersecurity since
history into two parts: before and after.
2016 and I have observed big changes since 2020. Prior to Covid, cybersecurity was very much a niche
So it has been with Covid-19. The biggest health crisis
subsector of the broader ICT industry.
since the Spanish Flu pandemic of 1918 has triggered
118
significant economic and societal changes, including
Yes, businesses and organisations knew they needed
a rethink about the reliance on global supply chains by
to take steps to protect their systems and data from
businesses and governments, and the normalisation
compromise and attack, but senior decisionmakers
of hybrid and remote working.
typically did not get overly exercised about the
specifics of the risk mitigation measures they had in place.
For most, the cyber solutions and services they relied on were very much grudge purchases: up there with insurance on the list of things they needed to have but did not want to spend more than the minimum on.
RISING RISK
And then along came the virus and with it a host of other viruses, phishing campaigns and cyberscams. Hackers and cyber criminals are nothing if not opportunistic, and many of them sought to cash in on the fear, uncertainty and doubt individuals and organisations were experiencing.
During the 2020-21 financial year the Australian Cyber Security Centre received more than 67,500 cyber crime reports, an increase of 13 percent on the previous year.
Widely reported ransomware attacks—including the two that crippled beer and dairy products producer Lion’s operations in June 2020—put the wind up businesses of all stripes and sizes. Hence, we saw business leaders begin to take a much keener interest in the tools, technologies and processes their own organisations were deploying to avert and mitigate similar offensives.
READINESS TO INVEST
Upon becoming aware of gaps, they were prepared, finally, to spend serious sums on plugging them. So much so that Gartner is predicting end user spending on cybersecurity will continue to grow at a compound annual rate of 10.4 percent until 2026.
Pleasingly, we have seen small and medium sized businesses account for their fair share of that spend. An increasing number are augmenting their traditional firewalls with tools and technologies such as multifactor authentication and endpoint security that were not previously in their budgets.
That is good news, because the events of the past two years have shown us that hackers and cyber criminals do not confine their attentions to the top end of town. Smaller players are just as likely to be targeted, and their capacity to recover from a major incident is often less than that of their larger counterparts. End user education has also become far more common as organisations realise well‑trained employees can be a formidable first line of defence.
WORKING TOGETHER
All that activity and investment has been good news for cybersecurity vendors and their partners in the channel, but the benefits extend beyond the, always welcome, bottom-line boost.
Acceptance into the broader business conversation has engendered a palpable sense of positivity among the folk who work in cybersecurity: salespeople, engineers and analysts alike. After years of them being relegated to the backroom the contribution they make and the importance of their work is being acknowledged and appreciated. At last, everyone gets it.
And the sector’s increasingly high profile is also alerting more Australians to the opportunities it can offer. This is important if we are to solve the country’s long-running cyber skills shortage, which is a crisis in itself and one further exacerbated by pandemic‑driven demand.
For anyone looking for a challenging and fulfilling career, I am delighted to say there has never been a more rewarding time to get into the cybersecurity space.
www.linkedin.com/in/michelle-liao
STUDENT IN SECURITY SPOTLIGHT
Oorja Rungta grew up in Indore in India and still lives there but hopes to find work elsewhere when she graduates. She is in the final year of study for a BTech in computer science, specialising in cybersecurity and digital forensics.
OORJA RUNGTA Final year student studying BTech in Computer Science, Indore, India
Suppose you met an old friend from your last year at school who, knowing nothing about cybersecurity or what you do, asks you what you are doing. How do you answer them to ‘sell’ them on the idea of a career in cybersecurity?
I would explain that my job as a cybersecurity professional is to help secure organisations from threats in the virtual world. I would say I am basically a heroic warrior, albeit in a virtual world. I would also explain how cybersecurity is a dynamic field that is constantly changing and where you learn something new every day. It never gets boring.
How does the reality of cybersecurity as you experience it today sit with your understanding when you first thought about studying it?
Like most sci-fi fans, cybersecurity for me involved cool lines of scrolling green code that led to a hack, and companies trying to prevent that. On a more technical side, I understood my antivirus software was helping me defend my device from malicious software like viruses. My knowledge was pretty much limited to this. I had a mindset that, as a small fish with nothing of value, I would never catch an attacker’s attention and would never be breached.
After gaining a better understanding of the value of data and how attacks actually work I realised the importance of personal security. Massive breaches that compromise the data of small fry like me occur every day and this data is sold for very high prices. Since understanding the value of my data I have learnt to protect it as meticulously as I protect any of my other assets.
What was the reaction from parents, peers or career advisors to your decision to get into cyber? Did you face any opposition, if so how did you feel about this?
I generally receive a very positive response when I tell people I am pursuing a career in cybersecurity. In fact, in a country saturated with software developers, people find my career choice to be a novel field of study. I am often treated with curiosity and get a lot of questions about what cybersecurity professionals actually do.
Who, or what would you say has had the biggest influence on your cybersecurity career journey to date, and why?
I would say the seniors at my university have been a massive influence on my cybersecurity career journey. They helped me find my footing, guided me on how to study the domain and on the different options I have in cybersecurity. They shared training resources and took time to clarify my doubts. They developed a sense of community in the university so we always had somebody we could approach in case of doubts or questions. This allowed me to freely explore the domain. You would often find me using my spare time to discuss cybersecurity-related topics with my seniors. These discussions gave me deeper insights into the field and encouraged my curiosity.
What do you see as having been the most memorable and/or significant event in your cybersecurity journey to date, and why?
I think winning the Women in Cybersecurity (WiCys) training scholarship as one of 900 plus applicants worldwide was one of the most memorable events in my cybersecurity career. The scholarship program helped me greatly widen my horizons and allowed me to take my knowledge in cybersecurity to the next level. Besides the obvious benefits, winning the scholarship was definitely an acknowledgement of my potential to be a cybersecurity professional and gave me a massive confidence boost.
The cybersecurity industry abounds with certifications from multiple organisations. Have you gained, or do you plan to gain, any of these, if so which ones, and why?
I have three industry certifications from Global Information Assurance Certification (GIAC). Preparing
for these certifications helped me learn much, and I was able to study many cybersecurity concepts in a structured manner. The certifications definitely helped boost my resumé and get noticed by recruiters, but I do not think they are necessary to break into the field. Do they lower the barrier of entry into cybersecurity? Yes, but at the end of the day they are a means for employers to validate your knowledge of cybersecurity concepts. If you can show employers your knowledge of cybersecurity through other means such as projects, competitions or research papers, I believe you can break into cybersecurity without these certificates.
They are very expensive and, for most students, unaffordable. I was lucky enough to get a full scholarship for them. For any other student struggling and wanting to get a certification, I suggest joining a cybersecurity community. Often these communities help their members get these certifications for free or for discounted rates. I would also recommend keeping an eye on LinkedIn because many members of the cybersecurity community share resources for free training and certifications.
We hear all the time that the world of cybersecurity is changing rapidly, particularly with the rate of threat evolution. Do you feel your course is doing a good job of being current?
It is difficult to rapidly evolve the coursework to keep pace with changes in the cybersecurity domain because of bureaucracy and regulations but my professors make up for this by discussing the latest threats and technologies in the class even though they are not within the scope of our coursework. This allows us to keep pace with the latest developments. Our studies at university are also supplemented by workshops and events that invite industry professionals to help us better understand the latest threats and the technologies to combat them. For example, we recently conducted a seminar on drone security, which is an emerging domain of cybersecurity. It gave students an introduction to this fascinating field.
What aspect of your studies excites you the most?
I find cybersecurity to be a discipline that spans many domains. For example, cyber ethics and cyber policy represent the intersection of cybersecurity and law. There is a separate specialisation dedicated to the cybersecurity of healthcare-related organisations. These are just a few examples of the many different fields cybersecurity professionals specialise in. As a person who loves forming links between different domains this interdisciplinary nature of cybersecurity greatly excites me.
Are you involved in the wider cybersecurity community, eg AWSN, if so, how and what has been your experience?
I have been an active member of Women in Cybersecurity (WiCys) and was previously the secretary of my university’s WiCys student chapter. My experience with WiCys has been phenomenal. I have found a community of women who truly support each other. As a WiCys member I get access to many resources that help me learn much, and I get exposure. For example, very recently I played AWS Game Day through WiCys. It allows participants to get their hands dirty with AWS security through a gamified platform. It was an eye opener.
Every year WiCys has various collaborations with different organisations that give its members exposure. WiCys also has an annual mentoring program that connects students with cybersecurity professionals who provide guidance. I recommend every aspiring cybersecurity professional to be part of at least one cybersecurity community. It allows you to interact with industry professionals, make connections and get access to learning resources.
What is your favourite source of general information about cybersecurity?
Twitter and LinkedIn are rich sources of cybersecurity information. Cybersecurity professionals often discuss the latest attacks, their own research and general cybersecurity topics on these forums. Being a part of the cybersecurity communities on these platforms gives you access to much information. I also supplement this knowledge with my Google feed which has, over time, recognised my interest in the domain and frequently supplies me with cybersecurity related articles.
www.linkedin.com/in/oorja-rungta
Kao Hansell grew up in the Blue Mountains region of NSW but moved to Salisbury North in South Australia when she was 11. She is now studying for a Bachelor of Information Technology: Networking and Cybersecurity at the University of South Australia. Her final semester will be the first semester of 2023.
KAO HANSELL Bachelor of Information Technology: Networking and Cybersecurity at the University of South Australia
Suppose you met an old friend from your last year at school who, knowing nothing about cybersecurity or what you do, asks you what you are doing. How do you answer them to ‘sell’ them on the idea of a career in cybersecurity?
I help people without them knowing. By engaging with companies and assisting with their cybersecurity needs I can make a difference in a stranger’s life, and they would never know. I help companies and organisations secure what is important and give those trying to protect you a fighting chance against the tide of those who would want to do harm.
How does the reality of cybersecurity as you experience it today fit with your understanding when you first thought about studying it?
I fell into the category of people who thought cybersecurity was black hoodies, too many coffees and energy drinks, big screens with data streaming across them and conducting penetration testing. I quickly learnt that is simply one important, but small, area of cybersecurity. Cybersecurity covers many technical and non-technical areas I had no idea about.
I have found that, while I love the technical side of cybersecurity, pen-testing and how that works, I have also developed a great interest in risk and policy management.
What cybersecurity role would you most like to be hired into when you graduate, and why?
This is a tough question. If you had asked me 12 months ago, I would have given a very different response. Previously it would have been something in forensics or insider threat analysis but after the experiences I have had this year I want to go into governance, risk and compliance, helping companies stay up to date and, in turn, protect the customers they serve.
What was the reaction from parents, peers or career advisors to your decision to get into cyber? Did you face any opposition, if so, how did you feel about this?
I did not find any opposition. I did get the usual “so you want to be a hacker” comment. Overall, I had a lot of support for my choice. I do remember one comment from a friend who said I would have to prove myself more than my male peers, which caught me off-guard.
Who, or what, would you say has had the biggest influence on your cybersecurity career journey to date, and why?
Having several female lecturers at both TAFE and university had an impact on my confidence in pursuing my IT career. Overall, the biggest impact on my career journey was being introduced to Paul Dewsnap from Digital Resilience. This has led to me becoming part of his company and shadowing some of the most amazing people I have come to know. This was also how I found I enjoyed governance risk and compliance (GRC) and shifted the direction of my career journey.
What do you see as having been the most memorable and/or significant event in your cybersecurity journey to date, and why?
I would say meeting many women not only in cybersecurity but STEM in general through HerTechPath. This was a major step forward to finding my feet and gaining confidence. Being able to network with such a variety of inspirational women and talk and learn was by far the most memorable and significant aspect of my journey.
In addition to your studies, what employment experience do you have in cybersecurity?
Since February I have been shadowing and working alongside members of Digital Resilience. This has mainly been across GRC, but I have also had the
pleasure of discussing penetration testing with our amazing pentester as well as gaining a greater understanding of how to approach and work with clients to meet their cybersecurity needs.
The cybersecurity industry abounds with certifications from multiple organisations. Have you gained, or do you plan to gain, any of these, if so which ones, and why?
I was lucky enough to be one of the first students to graduate with a Certificate IV in Cybersecurity from TAFE SA. Other than that, I do not hold any industry certifications. I do plan to acquire the new certification from ISACA for cybersecurity fundamentals and work towards their IT Risk Fundamentals certifications. These are newer entry level certifications they have released which I believe will be beneficial once I have completed my university study.
We hear all the time that the world of cybersecurity is changing rapidly, particularly with the rate of threat evolution. Do you feel your course is doing a good job of being current?
I believe the university and TAFE are doing their best to keep up with a landscape that seems to change daily. However, I would suggest anyone studying today to also keep learning outside of their courses.
What aspect of your studies excites you the most?
Graduating! Joking aside, learning how I can have an impact on businesses, be it in governance or technical manners, has been great.
What aspect do you find least interesting or useful?
I think it important to have an understanding of and a foundation in programming, because it can be very useful in cybersecurity. I was not terrible at it, I just was not interested.
Have you ever felt disadvantaged or discriminated against by being a woman in cyber, if so, please provide details?
I do not believe I have experienced this, or I have not been aware of it. It is always a strange feeling attending an event and being one of only a handful of women in the room, but I have always found members of the cybersecurity community I have interacted with to be welcoming.
Is there any aspect of cybersecurity you think should be given greater focus in your course, or any aspect you think should be given less focus?
My bachelors is a major in network with a minor in cybersecurity, and I feel there is a need for more focus on cybersecurity. While it is very important for someone going into a cybersecurity career to have a foundation knowledge of networking, CCNP level knowledge seems wasteful and the time could be better spent learning other skills.
Do you see the need for, or plan to undertake, additional training in non-cyber skills to better equip you for a future role, eg interpersonal communications or management?
I personally do not feel I will need to do this. I have previously worked in management and customer/client facing roles, which has given me a good set of soft skills.
Are you involved in the wider cybersecurity community, eg AWSN, if so, how and what has been your experience?
I am a member of several cybersecurity communities. These include AWSN, HerTechPath, AISA and ISACA. These communities have been amazing for learning, gathering information, growing my confidence and, most importantly, networking. All have different atmospheres and have been a great way to build confidence and find how I fit in the landscape.
What is your favourite source of general information about cybersecurity?
I find following a few people on Twitter, including Troy Hunt, useful along with my connections on LinkedIn and news sites like bleepingcomputer.com.
What measures do you have in place for your personal cybersecurity?
I try to ensure I use my password manager and keep good password hygiene. I use MFA wherever possible. I use a VPN when surfing the web, especially in public. I check emails for phishing and I do not click links or download random files. I ensure my settings stop macros running on Word, and so on.
With the benefit of hindsight, would you change your career trajectory to date, and if so how?
No, I do not think I would. I went into cybersecurity not knowing where I would land but so far I have been very happy with how I am going.
Have you already sought employment in cybersecurity, if so, what has been your experience of applications/interview?
I have applied for a few jobs during my time studying. I have made it through the general application phase and into the 3-4 stages. After the general applications I went through psychometric testing and video interviews but unfortunately was unsuccessful. I found my current position through word of mouth and meeting the owner of the company. I always say networking is an important skill for any student to learn.
www.linkedin.com/in/kao-hansell
Jack K grew up in the hinterland of Queensland’s Sunshine Coast. He is in the first year of study for a Bachelor of Information Technology at the University of the Sunshine Coast.
JACK K Bachelor of Information Technology student at the University of the Sunshine Coast
Suppose you met an old friend from your last year at school who, knowing nothing about cybersecurity or what you do, asks you what you are doing. How do you answer them to ‘sell’ them on the idea of a career in cybersecurity?
From what I have seen so far most people know the word cybersecurity but don’t know what it really means. So I usually have to take it gently if I am not to overwhelm them. I would tell them there are a few kinds of cybersecurity. However, they are all generally connected.
Last semester in the bachelor’s degree course I am completing, I did a course on computer security and I learnt how to prepare and protect hardware and software from cyber attacks and threats. I also learnt how some of these attacks are carried out. I would also tell them there are always jobs for people in cybersecurity and they pay well.
How does the reality of cybersecurity as you experience it today fit with your understanding when you first thought about studying it?
When I first learned about cybersecurity I was probably about seven or eight years old and was always told not to share passwords or my home address. I now have a much broader understanding of how easy it can be to be cyber attacked, but I have also learned what to do to prepare for an attack, and how to deal with it.
We hear all the time that the world of cybersecurity is changing rapidly, particularly with the rate of threat evolution. Do you feel your course is doing a good job of being current?
Technology is always changing and improving, but so is the threat to this new technology. The course I undertook last semester was new to my university and covered a large range of topics in cybersecurity, which were recent. It was taught and coordinated by a former US government agent specialising in cyber intelligence. Because it was only an introductory level course we did not explore many of the topics of cyber and computer security in-depth, but we covered quite a lot.
What aspect of your studies excites you the most?
What I find most exciting about my studies is how to protect hardware and software from cyber attacks and threats and white hat hacking, which I found quite interesting.
What aspect do you find least interesting or useful?
What I find least interesting are the theoretical and mathematical aspects of the course, which require quite a lot of work to understand. I probably will not specialise in a particular area of cybersecurity but I am still uncertain.
What is your favourite source of general information about cybersecurity?
I get most of my general information and updates about cybersecurity from YouTube, Twitter and Reddit.
What measures do you have in place for your personal cybersecurity?
I do not have the same passwords for any accounts and my passwords are all saved in a password manager. Most of my sensitive accounts are also protected by two-factor authentication and my hardware is checked by threat detection and antivirus software.
Gabrielle Raymundo grew up in the Greater Western Sydney area, in Blacktown, and is nearing the end of a Certified Cyber Security Professional course at the Australian Institute of ICT under the Australian Women in Security Network’s Security Pathway Program.
GABRIELLE RAYMUNDO Certified Cyber Security Professional course, at the Australian Institute of ICT
Suppose you met an old friend from your last year at school who, knowing nothing about cybersecurity or what you do, asks you what you are doing. How do you answer them to ‘sell’ them on the idea of a career in cybersecurity?
Cybersecurity is a fast-paced and ever-evolving science that is intertwined with every piece of technology, every organisation, and every person. It is the gateway into understanding how technology is embedded in our daily lives and, like technology, is ubiquitous in modern society.
Working in cyber security is a challenging and rewarding career that makes a tangible difference to people’s lives. You will never get bored as there is always a new and exciting thing to learn!
What was the reaction from parents, peers or career advisors to your decision to get into cyber? Did you face any opposition, if so, how did you feel about this?
Most of the people from my inner circle were surprised about my decision to jump into cyber security, let alone pursue a technical role as a security operations centre (SOC) analyst. My strengths were mainly in creativity and analysis, so most of my peers assumed I would take a job in interaction design or user experience.
After completing a rotation across four different security teams I found myself enjoying the role of a SOC analyst. I was able to use my creativity in problem-solving and suggesting new ways to improve our workflows, and I honed my love for learning as I delved into incident analysis. When they realised I could use my strengths in an exciting and fulfilling way, my parents and peers got onboard with the idea of me pursuing a role in the SOC.
What do you see as having been the most memorable and/or significant event in your cybersecurity journey to date, and why?
What initially sparked my interest in cyber security was my experience in the security awareness team. I helped organise the marketing for Woolworths Group’s Stay Smart Online Day. I was intrigued by the creativity and communication skills displayed and found I was not only making an impact on the awareness of my team members to different cyber threats, but able to educate them on ways they could keep themselves and their families safe online. After that project, I realised roles in cyber security were not reserved for technical specialists but were available to those with many other skills.
In addition to your studies, what employment experience do you have in cybersecurity?
Before starting my cyber security studies I completed an internship in the Woolworths Group Identity and Access Management team as part of my Bachelor of Information Technology degree at UTS. After graduating I returned to Woolworths under its cyber security graduate program, which prompted me to undertake additional study. During the two-year program I was exposed to a number of cyber security teams and took on roles in cyber awareness, identity and access management, cyber data and analytics and the security operations centre.
The cybersecurity industry abounds with certifications from multiple organisations. Have you gained, or do you plan to gain any of these, if so which ones, and why?
As part of the Australian Women in Security Network’s Certified Cyber Security Professional’s course with the Australian Institute of ICT (AIICT) my current focus is to complete the CompTIA A+, Security+ and Network+ certifications. Gaining these certifications would solidify my knowledge of the critical IT and security concepts needed to piece together the
environment and the controls needed to secure it. Furthermore, I hope to pursue certifications specific to my interests in security operations and reverse malware engineering such as the courses provided by Offensive Security or GIAC.
What aspect of your studies excites you the most?
I have always been the type of person who enjoys learning the intricacies of how different technologies work. Studying a course that covers such a broad range of foundational IT and security themes has been an exciting journey and has helped me in my current role as a SOC analyst, especially while triaging a variety of security incidents.
Do you see the need for, or plan to undertake, additional training in non-cyber skills to better equip you for a future role, eg interpersonal communications or management?
Learning soft skills tends to be overlooked. However, as we work in such a dynamic and growing industry, it is imperative to prioritise the development of communication, collaboration and management skills among cyber security professionals.
Threat actors are evolving quickly and we need individuals with strong interpersonal and management skills to educate the public about these threats and security behaviours, build trust with our customers, foster partnerships with other teams and industries and inspire future generations to join cyber security.
Even while working in the SOC, communicating findings and reporting trends in security incidents, it is vital to develop intelligence-driven defence for the company. With this in mind I am definitely considering studying a course in management or digital leadership in the future.
Are you involved in the wider cybersecurity community, eg AWSN, if so how, and what has been your experience?
Being a part of the AWSN Cadets program has definitely opened the doors to many learning opportunities. I participated in the AWSN Security Pathways programs and met like-minded individuals interested in digital forensics incident response (DFIR) at Hax4n6. I was surprised at the growth of the community and the support from the network. Joining the seminars was beneficial for learning the skills needed for my job, and connecting with women with diverse backgrounds in cybersecurity has motivated me to broaden my career horizons.
What is your favourite source of general information about cybersecurity?
My go-to sources for infosec news would be the Bleeping Computer, The Hacker News, and ThreatPost. I love learning about the latest threats, the chain of events in a cyber attack, and how security teams resolve a variety of incidents. I am also excited to come across a phishing campaign or malware I have read about in the news. So I try to keep up to date with as many sources as possible.
What measures do you have in place for your personal cybersecurity?
I am usually forgetful when it comes to remembering the passwords for all of my accounts, so I keep my accounts safe by using a password manager. It is a simple tool to securely store passwords, check password strength and generate unique and strong passwords for each account.
www.linkedin.com/in/gabrielle-raymundo
Haicheur Ichrak Amani is in her second year of study for a master’s degree in cybersecurity at Université des Sciences et de la Technologie ‘Houari Boumédiène’ in her native Algeria after graduating with a Bachelor of Computer Science, Computer Systems Networking and Telecommunications from the same university. HAICHEUR ICHRAK AMANI She is also a Microsoft Learn Student Ambassador, one of a global group of campus leaders helping fellow students create robust technical communities and develop technical and career skills for the future.
Suppose you met an old friend from your last year at school who, knowing nothing about cybersecurity or what you do, asks you what you are doing. How do you answer them to ‘sell’ them on the idea of a career in cybersecurity?
Cybersecurity is the application of technologies, processes and controls to protect systems, networks, programs, devices and data from cyber attacks. It aims to reduce the risk of cyber attacks and protect against the unauthorised exploitation of systems, networks and technologies. A career in cybersecurity has several paths depending on the interests, goals and experience.
What do you see as having been the most memorable and/or significant event in your cybersecurity journey to date, and why?
Being able to achieve my goals and progress in this career, from knowing nothing to an intermediate level.
In addition to your studies, what employment experience do you have in cybersecurity?
I have done three internships in different firms.
The cybersecurity industry abounds with certifications from multiple organisations. Have you gained, or do you plan to gain any of these, if so which ones, and why?
I am planning to gain many certifications, including Certified Ethical Hacker, CEH v12 from the EC-Council and Offensive Security Experienced Penetration (OSEP) from Offensive Security.
How does the reality of cybersecurity as you experience it today fit with your understanding when you first thought about studying it?
I first thought that cybersecurity is really complicated and hard to learn, but with time I started to learn more about it and the more I learnt, the more I enjoyed it. I became passionate about the field and ended up choosing it as a career.
We hear all the time that the world of cybersecurity is changing rapidly, particularly with the rate of threat evolution. Do you feel your course is doing a good job of being current?
Cybersecurity requires continuous learning. A cybersecurity student should always keep up to date, from taking courses to checking cybersecurity news. That is why learning cybersecurity is challenging.
What cybersecurity role would you most like to be hired into when you graduate, and why?
The role I would most like to be hired for is a red teamer because I like offensive security more than defensive security.
What was the reaction from parents, peers or career advisors to your decision to get into cyber? Did you face any opposition, if so, how did you feel about this?
Some of my peers advised me to choose it and others said it would be hard. I felt confused, but I ended up choosing it because I am passionate about it. My parents were not from the field so they could not advise me, but they always supported my choices.
What aspect of your studies excites you the most?
Learning new concepts and skills and trying to exploit new vulnerabilities.
Have you ever felt disadvantaged or discriminated against by being a woman in cyber, if so, please provide details?
It is true there are more men than women in this field, but I always felt respected and never disadvantaged or discriminated against by my peers. We were evaluated based on our skills not gender.
What measures do you have in place for your personal cybersecurity?
For my personal cybersecurity I like to play capture the flag exercises. They are computer security challenges, available on different platforms. They are fun and very useful.
With the benefit of hindsight, would you change your career trajectory to date, and if so how?
I would never change my career trajectory. I am glad I chose a career I am passionate about.
Have you already sought employment in cybersecurity, if so, what has been your experience of applications/interviews?
I have done three internships already, but I applied for more. I was ghosted more than once but I never stopped searching because I was motivated and eager to acquire new skills.
www.linkedin.com/in/haicheur-ichrak-amani-2837371b3
A PROGRAM THAT CONNECTS, SUPPORTS AND INSPIRES FEMALE TERTIARY STUDENTS AND EARLY CAREER PROFESSIONALS EXPLORE A CAREER IN SECURITY. EXPLORERS WILL BE ABLE TO ACCESS MONTHLY WORKSHOPS, MENTORING OPPORTUNITIES AND INDUSTRY CONNECTIONS
"When women work together, they become a force to be reckoned with. Be part of a force for good in the security industry, by joining the AWSN Explorers program today!" - Liz B, Co-Founder
Studying or an Early Career Professional in information security? Learn more at .awsn.org.au/initiatives/awsn-explorers/
MANDEEP BRAR
Cybersecurity bootcamp, Flatiron School
Mandeep Brar grew up in a small village in Northern Punjab, India. She now lives in Northern California and is about to graduate from a cybersecurity bootcamp at the Flatiron School. She plans to continue learning and pursue a career as a security analyst.
Suppose you met an old friend from your last year at school who, knowing nothing about cybersecurity or what you do, asks you what you are doing. How do you answer them to ‘sell’ them on the idea of a career in cybersecurity?
“Have you heard about the internet? If not, ask any two-year-old who knows how to play TikTok. Ask eight-year-olds who are gaming all day. Ask 18 year olds who are watching YouTube videos and texting all day. Cyber thieves are out there, setting traps with bait, waiting for their prey. These can start with social engineering manipulation, to get someone to click on a phishing link that downloads ransomware.
A few years ago a hacker stole the email credentials of someone in my contact list, sent me an email pretending to be that contact and telling an emotional story about being in a financial crisis and needing help. I was so taken in that I wire-transferred him $500. Later, when my original contact emailed to tell me his identity had been stolen, it was too late. Not only had I lost the money, I had lost my instinctive trust of people. Now, would you not want to learn the basic rules of internet security?”
How does the reality of cybersecurity as you experience it today sit with your understanding when you first thought about studying it?
The reality of cybersecurity is way more difficult than I thought. Having no experience in the IT industry was a drawback. And the idea of having a computer inside a computer, the concept of networking protocols, capturing packets in Wireshark, creating unique signatures to a file by hashing, remotely controlling a computer by SSH… and so on. All these things amazed me.
What cybersecurity role would you most like to be hired into when you graduate, and why?
I would like to be hired as a cybersecurity analyst where I would configure the network to be secure using my understanding of network topology. I am also interested in becoming a threat incident responder where I would create an incident report plan and a disaster recovery plan that would help mitigate risk and prepare for a range of events. I will feel confident about these roles as I practice more.
What was the reaction from parents, peers or career advisors to your decision to get into cyber? Did you face any opposition, if so, how did you feel about this?
The reaction of my immediate family was surprising, because they knew I knew nothing about computers and what I was getting myself into. However, they were neutral and supportive about the idea. My extended family, my friends, bosses and co-workers were all impressed, and supportive.
Who, or what, would you say has had the biggest influence on your cybersecurity career journey to date, and why?
I would not be here if it were not for Amazon’s career choice and the Flatiron School. The course has helped me greatly to gain mental strength, but I think WiCyS has had the greatest influence on my journey. By joining the community, I felt supported. I am taking advantage of almost every opportunity WiCyS has to offer, such as the Target malware challenge, the Fortinet summer camp, SANS capture the flag challenges and other resources such as virtual career fairs and internships.
In addition to your studies, what employment experience do you have in cybersecurity?
I do not yet have any professional employment experience.
The cybersecurity industry abounds with certifications from multiple organisations. Have you gained, or do you plan to gain any of these, if so which ones, and why?
I am working to gain Fortinet’s NSE4 Certificate (I am enrolled in the summer program). I recently took an assessment for SANS Immersion based on the GIAC certificate exam. I felt the questions put me in real life scenarios and made me think outside the box. Since then I have become very interested in preparing the Global Information Assurance Certification (GIAC) exam. I am also willing to take an exam that may be required by an organisation for learning and advancement in cybersecurity.
We hear all the time that the world of cybersecurity is changing rapidly, particularly with the rate of threat evolution. Do you feel your course is doing a good job of being current?
I believe my school is doing well in teaching the framework of cybersecurity. However, as the industry is ever changing there is constant need for self-learning. I still have a lot to learn and practice.
What aspect of your studies excites you the most?
I enjoy working with the powerful command line interfaces of virtual machines. The idea of having a computer inside a computer will always astonish me.
What aspect do you find least interesting or useful?
So far, I have found everything I have come across to be useful.
Is there any aspect of your studies you find particularly difficult or challenging, if so what, and why?
I find coding and the governance, risk and compliance part of my coursework difficult and overwhelming.
Do you see the need for, or plan to undertake, additional training in non-cyber skills to better equip you for a future role, eg interpersonal communications or management?
No, I do not feel the need for additional non-cyber skills as yet, but I am always willing to learn in an area I recognize I may be weak in. I have learnt networking and social skills in my school’s career workshops.
Are you involved in the wider cybersecurity community, eg AWSN if so, how and what has been your experience?
I am a member of WiCyS and SANS. These communities have enabled me to come out of my shell and connect with professional people. So, they are meat and potatoes for my journey. Also, LinkedIn has given me a platform to connect with inspiring professionals from all over the world.
What’s your favourite source of general information about cybersecurity?
I may be more of a visual person because I really enjoy learning from YouTube videos and images on the web.
Have you ever felt disadvantaged or discriminated against by being a woman in cyber, if so, please provide details?
I have never felt discriminated against for being a woman in this industry. In fact, WiCyS is all about women. I am proud to be a member of such a community, which is supporting women. To date, I have felt supported by all organisations I have dealt with.
What measures do you have in place for your personal cybersecurity?
My secure VPN, firewall, antivirus and tracker removal system are all up to date. I do not click on any clickable link from unknown resources such as Craigslist, WhatsApp and any unexpected email to avoid phishing attacks. I make sure I browse only on websites that are secure. I have continuous automated data backup. I do not share any confidential information without verification.
Have you already sought employment in cybersecurity, if so what has been your experience of applications/interviews?
No, I have not gained employment in cybersecurity yet. I plan to prepare for exams and interviews after my graduation when I will have more time. I want to be ready and feel confident about my future role.
www.linkedin.com/in/mandeepbrar2022
LISA ROTHFIELD-KIRSCHNER Author of How We Got Cyber Smart | Amazon Bestseller
How to have a cyber smart sleepover: Olivia and Jack’s plan for staying safe online with friends
All Olivia and her friends have been able to talk about lately is organising a sleepover during the school holidays. They have been planning it for weeks. Their excitement has been growing as they talk about all the fun things they will do, not to mention staying up really late! They have been discussing which movie to watch, what junk food they will eat too much of, and all the sneaky ways they will pull pranks on Olivia’s brother Jack. The sleepover is going to be the best fun ever.
Olivia understands why her parents do not like children having devices until they reach a certain age, and knows when she is ready she will get one of her own. However, it is not easy when almost all her friends have their own device, but she’s also seen some of the nasty things that have happened to her friends because of their phones: such as being bullied in a group chat by some mean children, or being really jealous of how people look on social media, until they realise that, in real life, they look the same as everyone else.
Olivia decided she was going to ask her brother Jack for help to add to her list of fun activities she and her friends could do and, in return, she would go easy on him with the pranks. They brainstormed lots of activities that would be fun without the need for devices, activities such as card games, Monopoly, Scrabble, hide and seek, shooting hoops outside, jumping on the trampoline and baking cookies. Olivia and Jack’s parents were really impressed. They reminded her that she and her friends were also allowed a limited time to play with the game station on which they had set up parental controls.
Some of Olivia’s friends have their own smartphones and watches, but she does not yet have her own device. Olivia’s Mum and Dad said to her: “We don’t think your friends need to bring their devices over, but if they want to, that’s fine. We’ll just put a basket on the kitchen bench for them to be stored in at night.”
Olivia’s mother then sent messages to the other parents to let them know their family’s tech rules, to ask if they were ok with these or had any questions.
Olivia and Jack’s tech sleepover rules.
• Devices (phones and smart watches) can be brought over but must be left in a basket on the kitchen bench to be used when needed, but not at night. At night they will be locked away for safekeeping, because we parents cannot supervise you whilst we are asleep.
• We will also ask if the phone or smart watch has a parental control installed on it.
• Your friends can use their phones or smart watches to contact their parents or caregivers, but this needs to be done in a communal area so we can supervise.
• You can play age-appropriate games on the game station.
Olivia thinks the rules are very fair and that her friends will be happy to follow them. She is so excited to have her sleepover party with her friends in the school holidays. It is going to be the best fun ever!
www.linkedin.com/company/how-we-got-cyber-smart
facebook.com/howwegotcybersmart
twitter.com/howwegotcybers1
Recommended by Family Zone
How We Got Cyber Smart addresses cyber safety, cyber bullying and online safety for elementary school-aged children.
NEW ZEALAND WOMEN IN SECURITY AWARDS
EXPRESSION OF INTEREST SPONSORSHIP We invite your organisation to join with Source2Create and our partners to sponsor the 2023 Australian or New Zealand Women in Security Awards.
Register your interest today. Sponsorship opportunities will open up November 28th 2022. *Sponsors are subject to approval
AUSTRALIAN WOMEN IN SECURITY AWARDS 2022: ALL THE WINNERS by David Braue
Record numbers of nominees are reshaping the future, together
As happened to every real-world event, the pandemic proved problematic for the Australian Women in Security (WiS) Awards over the past two years – but those problems were all in the past this year, as hundreds of attendees converged from around Australia on a jungle-themed awards night that celebrated the achievements of security industry leaders in 18 different categories.
Themed ‘Reshaping the Future’, the awards, which are arranged by Source2Create and supported by partner AWSN and a range of corporate sponsors, attracted 826 nominations – well up from 630 last year and 460 the year before – and kept our 20 industry judges busy whittling them down to a shortlist of 81 finalists.
“Behind each of these nominations is a story of collaboration, of people working together to make a positive impact on society,” Source2Create CEO and founder Abigail Swabey said as the festivities kicked off.
“The awards honour their achievements in their professional lives and their ability to collaborate with others to further the cause of diversity and achievement in security.”
Reflecting the growing interest in WiS and the awards from afar, attendees came from most states and distant attendees tuned into the livestream, with social-media buzz for the awards (via #WISAwards) generating over 750,000 views – not including the social-media shares.
“One thing that strikes me about the security industry is that there are so many amazing people from all different backgrounds,” said Gergana Winzer, partner for enterprise advisory - cyber with platinum awards sponsor KPMG, a Bulgarian who came to Australia via Italy 11 years ago and, after careers in fashion, journalism, law and scientific research, found her new home in the local cybersecurity industry.
“Tonight,” she said, “we would like to celebrate that there is more than one pathway to success.”
“It’s not really what you do but who you are,” agreed Natasha Passley, who grew up feeling like an outsider in Cardiff, Wales and recalled growing up without knowing anybody who could help direct her into the corporate workforce.
“I was determined to work hard, learn and grow and push myself outside of my comfort zone,” she said, “both with formal courses and personal self-development. Your background and experience are not a limitation; they made you who you are, so embrace it.”
Four of this year’s winners were given an additional opportunity by receiving scholarships from the Cyber Leadership Institute, where they will gain cyber leadership skills to help further their careers. Winners include Cairo Malet (Octopus Deploy), Sarah Wood (AustralianSuper), Dominika Zerbe-Anders (KPMG), and Johanna Williamson (NBN Co Limited).
The event would not have been possible without the generous support of sponsors including KPMG, CyberCX, Accenture, AusCERT, Okta, Stone & Chalk, Everbridge, Sekuro, Tesserent, NAB, ALC Training, Australian Cyber Collaboration Centre, Trend Micro, Western University, Avertro, Decipher Bureau, Axis Communications, Quintessence Labs, Kyndryl, and OneInTech Melbourne.
The 2023 Australian WiS Awards will be held on 12 October 2023, and in the runup to the awards Source2Create will be launching the 2023 Women in Security Awards Alumni series – a series of collaborative workshops, to be held across Australia, in which attendees will celebrate and workshop the future of the industry.
“We are helping to create the future we have always wanted,” said Swabey. “You never know how easy it is to break a glass ceiling until you get close enough to touch it.”
“By working together, we are giving current and future generations of security workers a leg up so they can not only touch the glass ceiling but break it into thousands of tiny pieces.”
OPERATIONAL RESILIENCE – CONVERGED SECURITY RESILIENCE CHAMPION
WINNER: Johanna Williamson, NBN Co
FINALISTS: Reshma Devi (NAB), Rinske Geerlings (Business As Usual)
BEST INDUSTRY INITIATIVE THAT SUPPORTS DIVERSITY, INCLUSION AND EQUALITY
WINNER: WithYouWithMe
HIGHLY COMMENDED: The Women in National Security Podcast (WiNS Podcast - NSC & ACCENTURE)
FINALISTS: The State of Diversity & Inclusion in Australian Workplaces (WithYouWithMe), Women in Leadership programs (AWSN), Cyber Security Internship program (Telstra)
BEST SECURITY MENTOR
WINNER: Amy Roberts (Australian Signals Directorate)
HIGHLY COMMENDED: Kylie Watson (IBM)
SPECIAL RECOGNITION: Shannon Gibb (NBN Co)
FINALISTS: Farhana Dawood (Orro Group), Alpesh Nakar (Avanade)
MOST INNOVATIVE EDUCATOR IN CYBERSECURITY
WINNER: Dr. Yenni Tim (UNSW Business School
WINNER: Nivedita Newar, University of New South Wales (UNSW)
FINALISTS: Grok Academy, Lisa Rothfield-Kirschner (How We Got Cyber Smart), Michaela Ripper (Questacon – the National Science and Technology Centre), Sarah Iannantuono (SEEK), Elaine Muir (IAG)
AUSTRALIA’S MOST OUTSTANDING WOMAN IN PROTECTIVE SECURITY
WINNER: Emily Hunt (Scentre Group)
HIGHLY COMMENDED: Anna Dart (Westpac)
FINALISTS: Rebecca Winfield (IAG), Sandra Ortmanns (University of South Australia), Vannessa Van Beek (KINETIC IT PROTECT+)
AUSTRALIA’S MOST OUTSTANDING WOMAN IN IT SECURITY
WINNER: Rachael Greaves (Castlepoint Systems)
HIGHLY COMMENDED: Katherine Mansted (CyberCX), Daniella Pittis (Flight Centre Travel Group)
FINALISTS: Fiona Long (InfoSecAssure Pty Ltd), Sandra Hanel (IAG)
BEST PLACE TO WORK FOR WOMEN IN SECURITY
WINNER: Origin Energy
HIGHLY COMMENDED: Equifax
FINALISTS: Telstra, Woolworths Group, Accenture
BEST PROGRAM FOR YOUNG WOMEN IN SECURITY
WINNER: Girls Programming Network (GPN)
HIGHLY COMMENDED: The Emerging Leaders program (Ernst & Young)
FINALISTS: Australian Signals Directorate Internship Program (ASD), Women in Security Mentoring Program (Australian Women in Security Network)
MALE CHAMPION OF CHANGE
WINNER: Timothy McKay (OK RDY)
HIGHLY COMMENDED: Clive Reeves (Telstra); Dushyant Sattiraju (Deakin University)
SPECIAL RECOGNITION: Dave O’Loan (AARNet)
FINALISTS: Craig Millar (IAG), Pieter van der Merwe (Woolworths Group), Wayne Williamson (Equifax)
BEST INNOVATIVE BUSINESS ‘RESHAPING THE FUTURE’ OF THE SECURITY INDUSTRY
WINNER: DekkoSecure
FINALISTS: BCyber, InfoSecAssure
BEST VOLUNTEER
WINNER: Laura Jiew (CSIRO)
FINALISTS: Natalie Perez (Medibank and One in Tech), Anita Siassios (Women in Cyber Security Australia).
PROTECTIVE SECURITY CHAMPION
WINNER: Scarlett McDermott (WithYouWithMe)
FINALISTS: Anastasia Gomes (AMP), Christina Rose (Qantas)
BEST SECURITY STUDENT
WINNER: Elena Scifleet (CyberCX)
HIGHLY COMMENDED: Eleni Lykopandis (Australian Bureau of Statistics), Eloise Robertson (UC Supporting Women in STEM)
FINALISTS: Gabrielle Raymundo (Woolworths Group), Fadzayi Chiwandire (CyberCX)
THE ONE TO WATCH IN PROTECTIVE SECURITY
WINNER: Sarah Wood (AustralianSuper)
HIGHLY COMMENDED: Laure Ruymaekers (Sydney Metro)
FINALISTS: Cassie Carman (Westpac Group), Mina Zaki (KPMG Australia)
UNSUNG HERO
WINNER: Cairo Malet (Octopus Deploy)
HIGHLY COMMENDED: Sharon Mitchell (NBN Co), Melanie Truscott (CyberCX)
FINALISTS: Amanda Pitrans (IAG), Belinda Charleson (Digicert Australia)
THE ONE TO WATCH IN IT SECURITY
WINNER: Samantha Lengyel (Decoded.AI)
HIGHLY COMMENDED: Caitlin Randall (Baidam Solutions)
FINALISTS: Emma Kirby (Macquarie Group), Claudia Muller (CyberCX), Sam Fariborz (Kmart Australia)
BEST FEMALE SECURE CODER
WINNER: Holly Wright (IBM)
FINALISTS: Rania Bilal (Australian Cyber Security Centre – Australian Signals Directorate), Yan Liu (Retrospect Labs).
IT SECURITY CHAMPION
WINNER: Dominika Zerbe (KPMG)
HIGHLY COMMENDED: Corien Vermaak (Cisco), Alana Maurushat (Western Sydney University Cybersecurity Aid and Community Engagement)
FINALISTS: Fiona Long (Cyber Security Consulting), Tessa Bowles (NAB)
THESE ARE YOUR 2022 FINALISTS
AUSTRALIA’S MOST OUTSTANDING WOMAN IN PROTECTIVE SECURITY
WINNER
Emily Hunt, National Risk & Security Mgr Centre Experience, SCentre Group
HIGHLY COMMENDED
Anna Dart, Senior Manager - Protective Security, Westpac Banking Group
FINALISTS
Emily Hunt, National Risk & Security Mgr Centre Experience, SCentre Group
Anna Dart, Senior Manager - Protective Security, Westpac Banking Group
Rebecca Winfield, Manager, Protective Security Services and Delivery, IAG
Sandra Ortmanns, Defence & National Security Officer, University of South Australia (UniSA)
Vannessa Van Beek, Director of Security Services, KINETIC IT PROTECT+
NOMINEES
Emily Hunt, Tara Murphy, Anna Dart, Susie Jones, Rebecca Winfield, Amanda Jane Turner, Sandra Ortmanns, Vannessa Van Beek, Melissa Dundas, Sonya Brackenridge, Joannie Lee-Lang, Christina Rose, Amy Ormrod, Maryam Bechtel, Lesley Arundel, Leanne Tunningley
AUSTRALIA’S MOST OUTSTANDING WOMAN IN IT SECURITY
SPONSORED BY KPMG
WINNER
Rachael Greaves, CEO, Castlepoint Systems
HIGHLY COMMENDED
Daniella Pittis, Group CISO, Flight Centre
Katherine Mansted, Director, Cyber Intelligence and Public Policy, CyberCX
FINALISTS
Rachael Greaves, CEO, Castlepoint Systems
Daniella Pittis, Group CISO, Flight Centre
Katherine Mansted, Director, Cyber Intelligence and Public Policy, CyberCX
Fiona Long, Director / Founder, InfoSecAssure
Sandra Hanel, Specialist, Offensive Security, Cyber Threat Emulation and Defence, IAG
NOMINEES
Rachael Greaves, Amy Roberts, Daniella Pittis, April George, Katherine Mansted, Astha Nanda, Fiona Long, Gergana Winzer, Sandra Hanel, Mitra Minai, Mina Zaki, Parul Mittal, Shamane Tan, Reshma Devi, Daniela Fernandez, Brooke Parker, Gabe Marzano, Monica Zhu, Linda Cavanagh, Uyapo Alidi, Susie Jones, Audrey Jacquemart, Laura Hartley‑Quinn, Shyvone Forster, Natasha Passley, Martina Mueller, Kelly Henney, Seema, Kim Valois, Angela Pak, Dominika Zerbe‑Anders, Teena Hanson, Linda-Clare Chilvers, Aarati Pradhananga, Larissa Deylen, Tara Dharnikota, Gabriela Suiu‑Gorsa, Nancy Elrifai, Nazia Mastali, Deepa Amrat‑Bradley, Patricia Ortiz, Rebecca Williams, Sue Cheerath, Roxanne Pashaei, Meagan McClendon
KPMG: LEADING IN DIVERSITY
KPMG is leading the charge to increase the representation of women in cyber, but women cannot be what they cannot see. So to give cyber women something to see, and to learn how KPMG is promoting women, we spoke to four of KPMG’s leading women to highlight them as role models for women aspiring to leadership in cybersecurity.
Interviewees:
Kate Marshall, National Leader of KPMG’s Cyber law practice
Mitra Minai, National Cyber Partner to the Health sector
Natasha Passley, Partner, Technology, Risk and Cyber
Gergana Winzer, Partner, Enterprise Advisory – Cyber
OVER YOUR CAREER TO DATE, HOW HAVE YOU SEEN THE TREATMENT OF WOMEN CHANGE TO BE MORE INCLUSIVE?
For Marshall, who has 30 plus years as a partner in multiple law firms, the answer is: enormously. Often the only woman in a room, even though a partner, she was assumed to be merely a personal assistant to one of the men. She has also lived with many non-supportive rules and regulations. “Women can’t wear pants/no part time work is permitted/no paid parental leave/no support to return to work/no part time partners/no part time equity partners.”
She says there has been great progress, but more needs to be done. “I think it is important to acknowledge [the progress] yet not let it impact our drive and enthusiasm to get to full equality.”
In contrast, Winzer says she has rarely seen any issues with inclusivity “except the few times I got interrupted and spoken over,” and cites the growing number of women at networking events as a sign of greater inclusivity.
However her involvement in cyber is much more recent than Marshall’s. “When I first joined the industry after coming to Australia in 2013 it was very difficult to spot a female professional in the room. I was literally by myself on many occasions.”
Passley says the introduction of more flexible working has been of particular benefit to women trying to juggle childcare or caring responsibilities even though it was not designed as an equality measure.
Passley also sees deliberate moves to hire more women and get more women into leadership roles as signs of progress, but says these are often targets set at the top and do not necessarily boost inclusivity. “Having a target does not make an organisation inclusive and, unfortunately, there are sometimes policies and company norms that are not inclusive.”
Minai also homes in on flexible working as a major contributor to inclusivity, saying she has seen a significant increase since long before COVID forced employers to be more flexible. “It’s become the norm for everyone to work from anywhere and work flexibly to allow for life commitments. This has really benefited women who are usually the primary carer for their kids, and has allowed more women to come back seamlessly into the workforce after taking parental leave.”
DO YOU SEE GENDER BIAS AS STILL BEING A SIGNIFICANT ISSUE, AND IF SO, WHAT DO YOU THINK AN ORGANISATION CAN DO TO DEAL WITH IT?
For Winzer it certainly is. Not at KPMG, but from what friends and colleagues in other organisations tell her. “Classical examples are interruption in a conversation, or thinking of someone as being a less valuable team member because they could get pregnant and be away for a few months,” she says, recounting the story of an eight month pregnant director in another company being told she would never be a partner.
Minai does see bias having improved in recent years, and acknowledges there is still unconscious bias in some meetings. “There have been times where I’ve attended meetings with key stakeholders to talk about complex cybersecurity matters with my team and some attendees have automatically looked to the male team members to lead the conversation.”
Marshall agrees that unconscious bias remains a challenge. “I see the next challenge being with more subtle gender bias: it is still there, just not always so easy to spot.”
And Passley sees gender bias as still being an issue to some extent, because preconceived ideas and unconscious bias about gender still exist in society. “In the business world, there are still the internal politics and culture of the company to deal with, as well as ‘backlash’ against gender diversity present in an organisation. If a female gets a role on merit, or is the best person for the job, others think she’s only there because of a gender diversity target. … Companies have to focus on building and fostering a culture of inclusivity across all aspects of diversity, equity and inclusion, whether that is gender, ethnicity, LGBTQ+, socioeconomic, etc.”
For all four, increased diversity—across all gender variations—is key to reducing bias. “In my team I have 50 percent gender equality across the board, and I can see how this is bringing balance and a more inclusive culture as well as results for my team’s performance,” says Winzer.
Says Minai: “I always ensure I have full diversity representation in the teams I build. In my last two roles at Healthscope and NAB, I maintained 50-60 percent women across my security function. Not only did I achieve gender diversity, but I also ensured diversity in race, age and LGBTIQA+ as well. This worked wonders for the team dynamics and we had great success because of the diverse thought leadership and problem-solving skills that different people brought into our team.”
WHAT PATH LED YOU TO YOUR ROLE, OR WHAT SPECIFIC ELEMENT ATTRACTED YOU TO CYBER?
One aspect of cyber in which there is no lack of diversity is the many different pathways by which people arrived at their current roles.
Winzer arrived in Australia “in search of travel and adventure” with at least an IT background but with poor English. The first—part time—job she applied for just happened to be in cybersecurity. “In six months, I got a sponsorship visa and was able to go full time as well as grow the business I was working for. It all started with my CEO at the time giving me a chance and believing in me. The rest is history!”
Minai says she had “always been interested in technology.” She studied technology at university, completed a master’s degree in business systems, started her career in technology risk management and worked on a number of internal audit and regulatory compliance engagements.
“Understanding the importance of robust and effective application controls and general IT controls set the foundations for me to expand my experience into information security processes and controls,” she says.
“I worked for two of the largest banks in Australia and gained experience in the UK financial sector, which gave me the grounding for good practices and key operations and controls. This experience gave me the tools and knowledge to successfully define and operationalise a mature, market leading security function for one of the largest private health providers in Australia.”
Passley started her career in technology, moved into risk and compliance and then into security through leading large program transformations. “I’m particularly interested in cyber because I love learning and change, and nothing ever stands still in the world of cyber,” she says. “There’s always something new to learn or understand because the threat landscape changes so rapidly, and the subsequent impacts of that require companies to frequently pivot, restrategise and transform to further secure themselves.”
KPMG HAS ADOPTED A CYBER WOMEN LEAD PROGRAM TO ENGAGE ITS FEMALE WORKFORCE. CAN YOU TALK ABOUT HOW IT AIMS TO DO THIS? HAS IT MADE KPMG A BETTER PLACE FOR WOMEN TO WORK IN CYBER?
According to Winzer the program aims to create opportunities for young—and not so young—women to exchange ideas and grow within the industry while supporting each other. “You will be hearing more over the years as this will truly be a space for women to share vulnerably and learn from their leaders and each other,” she says.
“We believe that a leader is not a title. Unlike management responsibilities, which need to be given to people, leadership is something we create and take on if we decide to do so. Hence the idea is that everyone in our industry is a leader and can lead towards great outcomes and objectives.”
Minai says KPMG has rolled out several Cyber Women Lead program initiatives focused on developing existing talent and attracting new talent. “We have a number of mentorship programs that provide access to senior leaders who offer extensive support and advice to our new leaders.
“We have also rolled out a number of training programs aimed at refining leadership skills for our female cohort to ensure they have the necessary tools and skills to succeed in senior leadership positions.”
Passley adds that the program is only one of several aimed at developing KPMG’s female talent, building the future of female leaders and attracting top female talent into KPMG. Others include “formal training programs that give women access to female leaders, in-person events and informal groups where women can connect in person on a geographical level.”
In addition to the virtual avenues for connection like Yammer and Teams channels, she says there is “a real emphasis on connecting the women across the firm regardless of level, area of expertise, background etc.”
GERGANA, MITRA AND NATASHA YOU ARE ALL REASONABLY NEW TO KPMG - ARE THERE ANY SURPRISES YOU ENCOUNTERED AT KPMG IN RELATION TO ITS DIVERSITY OR INCLUSIVITY?
Gergana Winzer says KPMG’s company-wide focus on gender equality “warms my heart and makes me believe in a better future for all emerging talent out there,” adding: “It is definitely a breath of fresh air to see how much investment and real commitment there is to foster a new generation of female cyber leaders, ready to change the face and the shape of our industry.”
Mitra Minai says KPMG lives its values every single day. “I have been very well supported and connected with all parts of our incredible organisation, which continues to excel in collaboration across our service lines and bring the best of breed practices and solutions to the market.
“Everyone really lives by the values of equality and inclusion and it has resulted in visible diversity across all our service lines. I’ve often found there is not enough diversity at the senior leadership levels in many of the organisations I’ve worked for, but I can see that’s now changing drastically and the diversity I see across KPMG’s leadership group is truly inspiring and refreshing.”
Natasha Passley—who is the partner sponsor for DEI across Technology at KPMG—says the first thing that struck her when she joined KPMG was how diverse the organisation is. “There is a wealth of global talent, and I really love that. I also love the fact that there’s so much focus from the top on DEI initiatives, and a real focus on inclusivity as part of that. With dedicated executive level sponsorship, DEI is certainly getting the focus and priority it needs to have and this filters down from the top.”
A THEME OF THIS ARTICLE IS HOW YOU ARE “TAKING CHARGE TO ENCOURAGE MORE WOMEN INTO CYBER.” WHAT DO YOU THINK ARE THE BEST INITIATIVES THAT COULD BE TAKEN TO ENCOURAGE MORE WOMEN INTO CYBER AND KEEP THEM THERE?
Passley says any initiative that shows how women can succeed in a male-dominated environment will “show women that it is possible to take charge and be successful against the myriad challenges they may face along the way,” and is “why visible role models and mentoring are so important. They allow other women from all different walks of life see that you can be successful in an area like cybersecurity.”
Minai agrees with the importance of visible role models. “I was recently approached by a very excited graduate in our team from the Middle East. She wanted to celebrate the fact that a female partner from the Middle East had been appointed into a senior role at KPMG. This needs to become the norm, not the exception.”
Marshall agrees that women in cyber need to be visible “so other females can see it is possible and a great career path.” However, she says women already established in cyber roles need to actively support others venturing into the space. “They may be the only female in the room and we (men and women) need to take steps to make them feel comfortable to be themselves and we need to stand up if we see behaviours that don’t support females.”
Winzer emphasises the role men need to play. “I believe male leaders have a huge role to play in inspiring this transformation. I personally have great male leader supporters within and outside the organisation and would not have been successful if I didn’t partner up with them and allow them to mentor me along the way.”
She adds: “One important component in attracting talent is also the ability to tap into the talent early enough and I feel we need to make an effort as a society to collectively think how to inspire the next generations to join the industry and cover the already huge shortages we have in the industry.”
WOMEN NEED EXAMPLES AND ROLE MODELS: “YOU CAN’T BE WHAT YOU CAN’T SEE”. HAVE MENTORS BEEN A PART OF YOUR LIFE AND HOW HAVE THEY IMPACTED YOUR CAREER? DO YOU HAVE EXAMPLES OF HOW PEOPLE HAVE HELPED YOU SUCCEED?
Winzer is a firm believer in the value of mentors and coaches. She says she has had many mentors and continues to be mentored. She also has an ‘ontological coach’ who she sees every two weeks.
Marshall says she has had many supportive men encourage her to put her hand up and say yes when she would hesitate, and back her when she was pushing to change outdated practices and policies, adding “poor role models have also been important and I am determined not to replicate those.”
Passley says most of her mentors have been men, partly because leaders she has worked for or alongside have been male. “Men see things in a different light to women so can provide a different perspective.”
She now has a mix of males and females who act as mentors or coaches. “They help me either by shining a light on a particular aspect of my character that I’ve not been aware of, or by pointing out something I should consider that I wouldn’t have thought of.”
Minai says mentors have been of enormous value to her. “I’ve always aspired to be more like the inspirational leaders I’ve been surrounded with, and have been lucky to have a few quite diverse and highly respected members of our industry as my mentors. I’ve been able to rely on them for support, guidance and advice. Without these mentors, I don’t think I would have navigated my career as well as I have and would probably not be in the senior leadership positions that I have been in for the past 8-10 years.”
DO YOU CONSIDER YOURSELF A ROLE MODEL AND, IF SO, WHAT DO YOU DO TO GET OTHERS TO SEE YOU AS SUCH?
Minai says she is always volunteering for mentorship programs, speaking engagements, and participating on panels and in industry events and has started turning down invitations to speak on panels or attend vendor lunches and dinners unless the organisers have invited at least another five women along. “I do my best every day to set a good example for leadership and to ensure my team is inspired to be the best version of themselves. I am setting the path for other talented women and it’s my duty to make sure I’m being a visible role model. I’m always volunteering for mentorship programs, speaking engagements, and participating on panels and in industry events.”
Winzer says she is a role model without deliberately setting out to be one. “I may not always consider myself as a role model, but I know I am one. I have had many people telling me this and I can see the impact I have when I own it.”
Passley says she hopes to be a role model because “there weren’t many senior, ethnically diverse female role models in corporate environments when I was a young girl growing up many years ago.” She tries to be a role model by “being visible, doing interviews and writing in publications like this, and being available to mentor and coach other women wherever I can.”
WHAT ROLE DO MALE CHAMPIONS OF CHANGE AND ALLIES FOR WOMEN IN CYBER PLAY? WHAT WOULD YOU LIKE THEM ALL TO KNOW?
Passley says these men are extremely important and often not recognised for their contributions. “I see male champions of change everywhere, through our husbands and partners and friends that support us every day. I want them to get the acknowledgement and recognition too, as we wouldn’t get to where we are without them.”
For Minai, male champions of change play a huge role. “Most of my mentors are men. They have been incredibly generous with their time and coaching, providing me with the support, guidance and advice to get me to where I am today. I would not have taken the chances I have in my career if I had not had my incredible support network around me. We need more people (men and women) across our industry providing mentorship to our next generation.”
Marshall agrees. “They are hugely important, both to support the women and to help those who don’t see why this is important.”
Winzer too is full of praise. She wants them to know: “That I see you and I love and appreciate you. Thank you for being the ones who unleash talent.”
WHAT IS ONE MYTH ABOUT CYBER WHICH YOU WANT TO BUST?
Marshall and Passley both cite the common myth that every cyber security professional is “a techie wearing a hoodie.”
Minai has a very clear idea. It is a myth that: “You must have deep technical skills or be a pen tester to succeed in a cyber career.” She says it is important for a leader to have in-depth understanding of the field they are leading and setting the vision and direction in. “However, it’s not necessary to have all the required technical skills to be successful. Cyber expertise and operating models are quite diverse and expand from really deep technical skills in penetration testing and triaging events within the security operations centre to providing secure-by-design advice on complex solutions to the business, through to board reporting and cyber governance, risk management and cyber education and influence.
“These different and wide-ranging service offerings don’t all need deep technical skills. They need leaders with the clarity of vision and strategy to bring these different elements together and appoint key professionals with deep expertise in each of these areas to produce a market leading cybersecurity function.”
WHAT WOULD BE THE MOST IMPORTANT PIECE OF ADVICE YOU WOULD GIVE TO YOURSELF IN THE EARLY STAGES OF YOUR CAREER IN CYBER SECURITY?
Winzer says: “Be patient, keep learning, believing in yourself and you are doing great!”
Passley says she would tell her younger self: “Not to worry so much about not fitting in, and just realise that you can still make a difference with the skills you have, and that this experience is still beneficial from a cyber perspective for others.”
Marshall would tell her younger self “Don’t be too hard on yourself. If there is an acronym you don’t know, or some jargon being discussed, it is ok to ask: ‘can you just take me through that?’” And she adds: “I really wish I had told myself that, as a working mum, it is okay to take a few shortcuts. You don’t need to make the birthday cake, etc, just to show you are a good mum.”
Minai would tell her younger self to have a go and not be afraid to put up her hand and say yes to opportunities. “Sometimes I’ve been worried about making a mistake and getting it wrong and have held myself back from new challenges. I now know that I can do anything I set my mind to. I am always learning and growing my knowledge and skills in my field and challenging myself to be a better version of myself every day. I know by continuing to surround myself with incredibly talented experts, we can set the vision and achieve the right outcomes.”
www.linkedin.com/in/kate-marshall-87274411
www.linkedin.com/in/mitraminai
www.linkedin.com/in/natashapassley
www.linkedin.com/in/gergana-winzer-0939937
BEST FEMALE SECURE CODER
SPONSORED BY Trend Micro
WINNER
Holly Wright Software Architect - Security Elite Team IBM
FINALISTS
Holly Wright Software Architect - Security Elite Team IBM
Rania Bilal Technical Officer Australian Cyber Security Centre - Australian Signals Directorate
Yan Liu Lead Software Engineer Retrospect Labs
NOMINEES
Holly Wright
Rania Bilal
Yan Liu
Mahrita Harahap
Vicki Fan
Eugenie Franzinelli
Swapnali Kesarkar
Anjani Sankar
Samin Pour
Rashmi Gopinath
Divya Saxena
BEST INDUSTRY INITIATIVE THAT SUPPORTS DIVERSITY, INCLUSION AND EQUALITY
WINNER
HIGHLY COMMENDED
WithYouWithMe
Women in National Security Podcast
WithYouWithMe
NSC & Accenture
FINALISTS
NOMINEES
WithYouWithMe
WithYouWithMe
WithYouWithMe
Women in National Security Podcast NSC & Accenture
The state of diversity & inclusion in Australian workplaces
Women in National Security Podcast The state of diversity & inclusion in Australian workplaces Women in Leadership programs
WithYouWithMe
Cyber Security Internship program
Women in Leadership programs
SheLeadsTech (ISACA Melbourne Chapter)
AWSN
Cyber Security Internship program Telstra
Live & Learn program (Think & Grow) Tangible Uplift Program for Women in Cyber Security Camp SEEK
BEST PLACE FOR WOMEN TO WORK IN SECURITY
SPONSORED BY Okta
WINNER
Origin Energy
HIGHLY COMMENDED
Equifax
FINALISTS
Origin Energy
Equifax
Telstra
Woolworths Group
Accenture
NOMINEES
Origin Energy
Equifax
Telstra
Woolworths Group
Accenture
Akamai Technologies
Orro Group
Trend Micro
ISD Cyber
Platinum Talent Management
SEEK
Deloitte Cyber
Healthscope
KPMG Australia
Westpac Banking Group
MARTINA MUELLER
DRIVING DIVERSITY AND INCLUSION IN ACCENTURE CYBERSECURITY
by Martina Mueller
Martina Mueller is the Accenture Australia financial services security lead and a founding member of Accenture’s Global Women in Security program which kicked off in 2017 aiming to attract and retain female talent in the security practice. She now heads Accenture Security Australia’s diversity and inclusion agenda with colleague, Sinead MacCreadie.
YOUR GOAL IS TO HAVE A GENDER BALANCED WORKFORCE BY 2025. WHAT IS THE RATIO TODAY AND HOW ARE YOUR RECRUITMENT INITIATIVES HELPING TO ACHIEVE THIS GOAL?
Accenture’s global workforce is 47 percent female, and we are very much on our way to meeting our 2025 goal. This is the result of our leadership relentlessly driving initiatives and programs to achieve this. In ANZ 29.1 percent of the executive level leadership team are women and the gender split is 38.6% in the rest of the business.
Locally, we are proactive in the measures we are taking to reduce gender bias in the recruitment process and increase the percentage of women. Salaries are reviewed on commencement and annually to ensure comparability with similar roles and we have gender recruitment goals that are tracked and reported on monthly. We also aim to achieve a balanced gender split at each career level.
Accenture’s removal of gendered language from recruitment campaigns has had a really positive impact. In business areas such as cybersecurity we often see women reluctant to pursue a role if they do not ‘check all the boxes’ in the position description. Gender-neutral language removes this hurdle.
HOW IS RESPONSIBILITY FOR DIVERSITY AND INCLUSION MANAGED IN ACCENTURE? DO YOU HAVE A MANAGER WITH OVERALL RESPONSIBILITY OR IS IT THE RESPONSIBILITY OF INDIVIDUAL DEPARTMENTS/BUSINESS UNITS TO FOCUS ON DIVERSITY?
Diversity and inclusion are global priorities. Commitment starts at the top with our chair and chief executive officer (Julie Sweet) and board and filters down.
Leaders at all levels have a fundamental role in helping to create and sustain a culture of equality in their teams in which everyone can advance and thrive. As a leader in the cybersecurity space I am responsible for promoting the power of inclusion and diversity. We offer robust programming including specialised training, networking support, flexible work arrangements, mentoring, mental health resources and equal benefits. We also have a dedicated inclusion and diversity team responsible for initial and ongoing education, embedding the ANZ I&D strategy and executing it.
MY INSTRUCTIONS WERE TO ASK YOU ABOUT HOW ACCENTURE IS DRIVING DIVERSITY AND INCLUSION IN ACCENTURE CYBER SECURITY. CAN YOU SAY SOMETHING ABOUT SPECIFIC INITIATIVES IN THAT BUSINESS?
We run an active and engaged Women in Security group led by myself and my colleague, Sinead MacCreadie. This group was set up to support and retain our female talent and to run various initiatives for our women in security such as the Leadership Connection and The Powerful Presenter.
The group meets bimonthly to discuss our strategy and progress, initiatives, and how to improve our uptake and retention of women in cybersecurity and share home-schooling war stories. The network is open to everyone, not only the females in security. We actively encourage all Accenture people to attend.
In the cybersecurity space we also run an intensive Leadership Connection course across all career levels focused on developing authentic leadership skills, confidence, courage and establishing a personal presence and brand.
The Powerful Presenter is another initiative. It is an eight-week coaching program run annually for staff from analyst to manager levels to improve presentation skills and prepare our females in security to speak at conferences and industry networking events. Feedback from the women who have participated is that it is a “powerful and transformative experience” and has “helped them supercharge their careers.” So we are really proud of it.
DO YOU SEE SOME OF THE DIVERSITY CHALLENGES ACCENTURE CYBERSECURITY FACES AS BEING PARTICULAR TO THAT BUSINESS AND DO YOU HAVE ANY INITIATIVES TO BRING ATTENTION TO THIS ISSUE?
Accenture’s Cybersecurity Forum Women’s Council recently released a PoV, Rising to the Top, which highlights some prevalent issues around the lack of representation of women in cybersecurity and how men and women are pursuing the role of the CISO differently. There are some really confronting statistics, one of which is that, out of 4.1 million cyber professionals worldwide, only 25 percent, a little less than one million, are women.
A way to encourage women to pursue careers in cybersecurity is to elevate female role models. Meg Tapia, Principal Director for Defence and National Security, launched the Women in National Security podcast to inspire and empower women outside Accenture to think about cybersecurity as a viable career path.
The podcast, which just received a highly commended award in the Australian Women in Security awards, started because Accenture and the Australian National University National Security College were aligned on the need to create positive change around diversity in the security community.
The podcast has become an incredibly powerful platform for defence, intelligence and national security leaders who happen to be women to speak about their own journeys and lessons learnt, as well as what their agencies are doing to address the diversity challenge. It is an initiative easily accessible by all career levels and one that seeks to drive real change. I am incredibly proud it is out there pushing this change.
RECENT RESEARCH SHOWS THERE IS A REAL SKILL DEFICIT IN CYBERSECURITY. WHY DO YOU THINK WOMEN ARE RETICENT TO PURSUE CAREERS IN AN INDUSTRY WHERE THERE IS SO MUCH DEMAND?
There are several contributing factors. Firstly, the industry needs to be more inclusive in its hiring practices. Rather than focusing on the credential or technical requirements for a job we should be looking for the right qualities in job candidates: a purpose-driven mindset, leadership, excellent problem-solving skills, c-suite and board level communication skills and a passion for learning. Other skills can be taught and should be continually reinforced over the course of a career. We also need to encourage women to apply for roles even if they do not meet every requirement in the job description.
HOW IS ACCENTURE HELPING WOMEN TO FEEL SUPPORTED WHEN TAKING THE ‘NEXT STEP UP’ IN THEIR CAREERS?
Accenture is recognised as an Employer of Choice for Gender Equality by the national Workplace Gender Equality Agency (WGEA) and is committed to raising the bar on attracting, supporting and promoting women.
One initiative I think sets us apart is to appoint a trained equality champion and have them present in talent and promotion processes to identify and call out any commentary that could be seen as biased. This person assesses whether comments would be considered fair if roles were reversed (eg, if the individual were of a different gender, race/ethnicity, culture or background).
Equality champions speak up when potentially biased comments or decisions are made during discussions and encourage others to do the same to help reach the best outcomes.
YOUR WEBSITE SAYS: “WHEN YOU WORK WITH US, YOU CAN BRING YOUR WHOLE SELF TO WORK EVERY DAY.” I TALKED TO ANOTHER COMPANY THAT SURVEYED ITS WORKFORCE AND GOT A NASTY SHOCK WHEN IT FOUND HOW FEW FELT THEY COULD DO THAT. DO YOU TRY AND MEASURE THIS, AND IF SO, WHAT RESULT DO YOU GET?
Our approach is not linear. We really embody the ethos that employees should feel comfortable bringing what they want to bring to their place of work. For some, it is their whole self, while others want to separate elements of their personal and professional lives. We understand and encourage this type of inclusivity and have inclusive support networks and communities to help each individual determine how they will best thrive.
We run regular people engagement surveys to gauge employees’ sentiments about our business, report these results and work proactively to action change to make Accenture a truly great place to work. We have recently launched progressive leave policies as a direct result of these engagements. We offer:
• Support leave for employees assisting aging parents/adult friends or persons with disabilities;
• 18 weeks paid parental leave;
• Assisted reproductive treatment (including IVF) leave;
• Aboriginal and Torres Strait Islander cultural leave;
• Gender affirmation leave;
• Additional leave purchasing and career break options.
ACCENTURE MADE PLATINUM STATUS IN THE 2022 AUSTRALIAN LGBTQ INCLUSION AWARDS. CAN YOU TELL ME ABOUT ANY INITIATIVES SPECIFIC TO LGBTQ INCLUSION THAT WOULD HAVE HELPED YOU ACHIEVE THIS AWARD.
Accenture has been recognised as a Platinum Employer for seven consecutive years from 2016 to 2022 in the Australian Workplace Index (AWEI), the definitive national benchmark on LGBTI workplace inclusion. And in 2020 Accenture was recognised as the Highest-Ranking Private Sector organisation of the decade. Our PRIDE employee resource group is led by employees across our organisation. They work hard to build a community for our LGBTI employees and allies and to create a safe and inclusive workplace by improving policies and processes. For example, early in 2022 Accenture launched gender affirmation leave to support transgender employees. We have provided ally training to over 1,600 employees. In addition, we provide pro bono support to external partners and community organisations to help create safe communities.
www.linkedin.com/in/martina-t-mueller
THE ONE TO WATCH IN IT SECURITY
SPONSORED BY Accenture
WINNER
Samantha Lengyel Co-founder, CEO, Decoded.AI
HIGHLY COMMENDED
Caitlin Randall Southern Sales Director, Baidam Solutions
FINALISTS
Samantha Lengyel Co-founder, CEO, Decoded.AI
Caitlin Randall Southern Sales Director, Baidam Solutions
Emma Kirby Senior Manager, Macquarie Group
Claudia Muller Lead Analyst Cyber Intelligence, CyberCX
Sam Fariborz Kmart Australia
NOMINEES
Samantha Lengyel Caitlin Randall Emma Kirby Claudia Muller Sam Fariborz Michelle Gatsi Courtney Pitson Jasmine Woolley Karla McGrellis Ritu Dahiya Mahrita Harahap Tara Dharnikota Alisha Hummel Julia Wulf‑Rhodes Simone Van Nieuwenhuizen Alessandra Byres Laura Dominguez Nikola Jimenez Sapna Kumari Christine Eikenhout Emily Goodman Saba Bagheri Georgia Brady Mariya Novakova Polly Cheung Tracy Chen Esther Lim Amanda Soo Jenn West
Tynagh Songberg Rachael Greaves Bimal Jeet Kaur Rachel Bamberg Binitha Sudheer Vivienne Mutembwa Kasi Greven Neha Dhyani Manon te Riele Alina Kontarero Vedusha Chooramun Courtney Carr Anita Tomison Kate Ellis Anya Avinash Samantha Lear Madeleine StewartSophie Harding Teh Ciara Crimmins Susan Lee Karen Hobson Divya Dayalamurthy Kellie Stockham‑Vasey Flavia Souza Madhuri Badarinath Grace Cox Rebecca Ahmed Madhumita Iyer Sabrina Pedersoli Shireen Syed Anupma Garg Rochelle Shahfazli Hannah Quayle Nancy Elrifai Nikki Peever Anna Snape Tisa Majumder Rutvaben Patel Ane Hellmann Stephanie Hagenbrock Anjali Varghese Alana Balacco Honey Scowen Nicole Neil Veronica Ikpa Sophia Barbour Julia Zhu Alana Mannix Adeline Martin Veronica Hobbs Akansha Pandey Melanie Maxwell Cayley Wright Tenzin Chogyal Jalpa Bhavsar Vernica Ta Manju Iyer
We secure the world Threats don’t have boundaries. Neither do we.
Security breaches are getting smarter, stronger and more devastating to industries across Australia. We’re looking for passionate, creative people to help tackle some of the biggest cyber-security threats facing us today. Come and join us. Find out how you can take the next step in your career and help our clients build a cyber resilient future. Bring your intellect, your passion and your ideas. accenture.com/au-en/careers
BEST SECURITY MENTOR
WINNER
Amy Roberts Director Skills, Training and Enabling Programs, Australian Signals Directorate
HIGHLY COMMENDED
Kylie Watson Lead Client Partner, National Security & Defence, IBM
SPECIAL RECOGNITION
Shannon Gibb Cyber Analyst, NBN Co
FINALISTS
Amy Roberts Director Skills, Training and Enabling Programs Australian Signals Directorate
Kylie Watson Lead Client Partner, National Security & Defence IBM
Shannon Gibb Cyber Analyst NBN Co
Farhana Dawood Cyber Security Control Assurance Analyst Orro Group
Alpesh Nakar Director, Cyber Defence Avanade
NOMINEES
Amy Roberts Kylie Watson Shannon Gibb Farhana Dawood Alpesh Nakar Daniel Goldberg Dominika Zerbe Beti Dafovski Catherine Wise Nivedita Newar Lucy Liu
Mansooreh Zahedi Gabriella Guiu‑Sorsa Asangi Jayatilaka Julie Gleeson Heloise Hocart Nadine De Lile Chris Mohan Dipti Mulgund Rakesh Sharma
Martina Mueller Chathura Abeydeera Asou Aminnezhad Lukasz Gogolkiewicz Leanne Howell Amila Elcic Sinead MacCreadie
Leonard Ng
Angelina Gramatkovski
Daniela Fernandez Palacios
Tory Lane
Shelley Godden
Lucy Mannering
Tara Dharnikota
Marie Chami
Roshan Fernandes
Fraser Metcalf
Esther Lim
BEST SECURITY STUDENT
SPONSORED BY AusCERT
WINNER
Elena Scifleet
HIGHLY COMMENDED
Eleni Lykopandis
Eloise Robertson
Information Security Officer, Australian Bureau of Statistics
Founder and Executive Director, UC Supporting Women in STEM
Senior Consultant, CyberCX
FINALISTS Elena Scifleet
NOMINEES Elena Scifleet
Evelyn (Evie) Downing
Eleni Lykopandis
Mia Symonds
Eloise Robertson
Nesera Dissanyaka
Gabrielle Raymundo
Niamh Hitchman
Fadzayi Chiwandire
Olivia Ong
Brittany Dalamangas
Annabelle Harrison
Kaajal Sharma
Vaibhavi Sarkar
Little Butterflies
Carina Yu
Amy McGregor
Rameen Nadeem
SOC Specialist Woolworths Group
Elina Lonchampt
Claudia Squire
Caitlin Sauza
Charlotte Kohler
Fadzayi Chiwandire
Sarah Assaf
Avon Chang
Associate Application Security Consultant CyberCX
Abbey McLean
Adela Ramadhina
Senior Consultant CyberCX
Eleni Lykopandis Information Security Officer Australian Bureau of Statistics
Eloise Robertson Founder and Executive Director UC Supporting Women in STEM
Gabrielle Raymundo
Jasmine Woolley
BEST PROGRAM FOR YOUNG WOMEN IN SECURITY
WINNER
Girls Programming Network (GPN)
HIGHLY COMMENDED
Ernst & Young The Emerging Leader Program (ELP)
FINALISTS
Girls Programming Network (GPN)
Ernst & Young The Emerging Leader Program (ELP)
ASD Australian Signals Directorate Internship Program, Entry Level Programs
Australian Women in Security Network Women in Security Mentoring Program
NOMINEES
Girls Programming Network (GPN)
The Emerging Leader Program (ELP) (EY)
Australian Signals Directorate Internship Program (ASD)
Women in Security Mentoring Program (AWSN)
Deloitte Cyber Academy (Deloitte)
SheLeadsTech (ISACA Melbourne)
Girls Do Cyber (The University of Queensland)
Engagement and Outreach to High Schools program for Cyber Security, Counter Terrorism and Security and Intelligence courses (Edith Cowan University)
Tangible Uplift Program
Hackcelerator Program (Sekuro)
Tech Girls Movement Foundation
UC Supporting Women in STEM
Kids SecuriDay
CyberSista (STEM FastTrack)
BEST INNOVATIVE BUSINESS “RESHAPING THE FUTURE” OF THE SECURITY INDUSTRY
WINNER
DekkoSecure
FINALISTS
DekkoSecure
BCyber
InfoSecAssure
NOMINEES
DekkoSecure
BCyber
InfoSecAssure
Trend Micro
Cydarm
Deloitte
A HUGE CONGRATULATIONS to all Winners, Highly Commended and Special Recognition recipients across all categories from the Source2Create team
We are a mission-driven, not-for-profit organisation that is commited to using our knowledge to make cyber space a safer place for organisations, corporations, agencies and institutions to do business - now and into the future.
With our strong network of national and international partnerships, we can equip Australian organisations with the tools and knowledge to operate safely and efficiently in the digital economy. As an independent non-for-profit, The Centre complements the work of existing research bodies in eventuating cyber security to the forefront of the nations consciousness - while also acting as a translator between business, government and cyber specialists. We are committed to growing the nation’s reputation as a cyber security leader that delivers smart solutions and provides economic stimulus in this new world.
Membership Opportunities Affiliate Membership designed for SMEs Premium Membership designed for cyber security vendors and system integrators Platinum Membership designed for the organisations who want to contribute to the cyber ecosystem. Each membership receives discounts on products and services, access to our facilities at LotFourteen, and contributes to the growth of The Centre
Training Including IRAP Assessor Training, IRAP Readiness Training & IRAP Re-Certification Exam
We are committed to growing the nation’s reputation as a cyber security leader that delivers smart solutions and provides economic stimulus in this new world.
The Centre regularly collaborates with its members and cyber professionals to collaborate on training and workshops.
We connect the leaders, the thinkers and doers with real opportunities to learn, launch and protect businesses.
A focus of The Centre is to provide SMEs with the necessary tools and resources to begin their cyber journey.
Services: Cyber Clinics, GCA Tool Kit, SME Networking events
Creating solutions through collaboration, innovation, and entrepreneurship
BEST VOLUNTEER WINNER
CORRECTION – LAURA JIEW, WINNER BEST VOLUNTEER The citation for Laura Jiew, named winner of the Best Volunteer award in the Australian Women in Security Awards, contained incorrect information. We correctly stated that Laura’s day job is as Marketing and Events Advisor at CSIRO, based in Brisbane. However, her volunteer roles – given as being with ISACA Sydney Chapter, the ISACA OneInTech foundation, ISACA SheLeadsTech initiative, International Women’s Day, the Factor Analysis of Information Risk (FAIR) Institute and the ASA Sydney chapter – were not correct.
Laura Jiew Marketing & Events Advisor, CSIRO
FINALISTS Laura Jiew Marketing & Events Advisor, CSIRO
Natalie Perez Senior Internal Auditor - Enabling Functions, Medibank and SheLeadsTech Coordinator for ISACA Melbourne
Anita Siassios
Prior to joining CSIRO, Laura had held a role at AusCERT and volunteered with the AWSN as National Lead, Marketing and Social Media in her spare time. Alongside AWSN’s Founder and Exec. Manager, Jacqui Loustau, and its Board members, Laura had led the team through an immense period of growth by establishing and executing its marketing communications plan and brand guidelines, and by delivering its social media strategy. In the almost two years that she was in that role, AWSN’s membership network grew by about 40% and saw an incredible uptake of support in sponsorship income from organisations such as the ASD, CyberCX, CBA, Telstra etc. It goes without saying that this was a team effort, involving other fellow National level leads; as the saying goes, cyber is a team sport! Throughout Laura’s time working in the security sector, she had seen the impact that cybercrime can have on small businesses and corporations. As someone with a marcomms background, Laura really wanted to use different and creative ways to encourage cyber safe practices across Australia and was inspired by the incredible colleagues she had worked with.
Women in Cyber Security Australia
NOMINEES Laura Jiew
Daisy Wong
Natalie Perez
Shelly Mills
Anita Siassios
Cheryl Wong & Jocasta Norman
Among her proudest accomplishments was witnessing the increased number and diversity of attendees and presenters at the annual AusCERT conference, leveraging her active contribution within AWSN. And finally, Laura was always, and continues to be, passionate about giving a voice to women, particularly of First Nations and CALD backgrounds, by featuring them in the Source2Create Women in Security Magazine and, through her connections with UQ, by mentoring female students who were studying cyber security or were part of the UQ Cyber Squad.
IT SECURITY CHAMPION
SPONSORED BY Stone & Chalk
WINNER
HIGHLY COMMENDED
Corien Vermaak CISO Advisor, Cisco
Alana Maurushat Director, Western Centre for Cybersecurity Aid and Community Engagement
Dominika Zerbe-Anders Director, Cyber, KPMG
FINALISTS
Dominika Zerbe-Anders Director, Cyber, KPMG
Corien Vermaak CISO Advisor, Cisco
Alana Maurushat Director, Western Centre for Cybersecurity Aid and Community Engagement
Fiona Long Director, Cyber Security Consulting
Tessa Bowles Senior Consultant, Security Advisory & Awareness, NAB
NOMINEES
Dominika Zerbe-Anders
Corien Vermaak
Alana Maurushat
Tessa Bowles
Fiona Long
Alex Nixon
Sarah Box
Maryam Bayat
Sarah Humphries
Sandy Assaf
Enid Zheng
Asou Aminnezhad
Melisa Allan Nazia Mastali Vidhu Bhardwaj
Barbara Lima Gaya Gounder Alison Dean
Hannah McKelvie
Anneliese McDowell
Shannon Lorimer
Catherine Wise
Victoria Cole
Farhana Darwood
Raman Gill
Angela Hall
Celia Yap
Deepa AmratBradley
Deanna Gibbs
Christiane Perez
Emma Lovell
Hilary Walker
Laura Davis
Madhuri Nandi Hansika Vats
MALE CHAMPION OF CHANGE
SPONSORED BY KPMG
WINNER
HIGHLY COMMENDED Clive Reeves Deputy CISO / Head of Cyber Operations, Telstra
Dushyant Sattiraju Manager Cyber Security Operations, Deakin University
SPECIAL RECOGNITION Dave O’Loan Head of Cyber Relations, AARNET
Timothy McKay CEO and Founder, OK RDY
FINALISTS Timothy McKay CEO and Founder OK RDY
Craig Millar Executive Manager, Group Protective Services IAG
Clive Reeves Deputy CISO / Head of Cyber Operations Telstra
Dushyant Sattiraju Manager Cyber Security Operations Deakin University
Dave O’Loan Head of Cyber Relations AARNET
Pieter van der Merwe Chief Information Security Officer Woolworths Group
Wayne Williamson Chief Information Security Officer for A/NZ & Emerging Markets Equifax
NOMINEES Timothy McKay
Brad Miller
Danny Flint
Clive Reeves
Erwin Jansink
Faisal Masaud
Dushyant Sattiraju
Jason Becker
Michael O’Brien
Dave O’Loan
Jay Harish Hira
Dan Goldberg
Craig Millar
Leonard Ng
Harvey Marcus
Pieter van der Merwe
Nrupak Shah
Varun Acharya
Peter Sharp
Adam Hallyburton
Amit Chaubey
Mario Antoniou and Damian Farrugia
Wayne Williamson Ajay Unni Luke Eason Raven David Tony Vizza Brett Ramm Craig Wishart Mat Franklin Ashwin Pal
Chris McDonald Gordon Archibald Liam Connolly Martin Barnier Anthony Coops Chirag Joshi
Hashim Khan Andrew Wan James Ng Aman Malik
Paul Auglys Shane Laffin
MOST INNOVATIVE EDUCATOR IN CYBERSECURITY WINNER
WINNER
Dr. Yenni Tim Senior Lecturer, UNSW Business School
Nivedita Newar Head of Cyber Security Strategy and Governance, University of New South Wales (UNSW)
FINALISTS Dr. Yenni Tim Senior Lecturer UNSW Business School
Nivedita Newar Head of Cyber Security Strategy and Governance University of New South Wales (UNSW)
Grok Academy Schools Cyber Security Challenges
Lisa Rothfield-Kirschner Author How We Got Cyber Smart
Michaela Ripper Exhibit Developer Questacon Cyber initiative
Sarah Iannantuono Security Strategy and Program Lead SEEK
Elaine Muir Manager, Security Education and Awareness IAG
NOMINEES Dr. Yenni Tim
Gabe Marzano
Nivedita Newar
Jacqueline Jayne
Grok Academy
Suzanne Dyke
Lisa Rothfield-Kirschner
Cyber Leadership Institute
Michaela Ripper
Sharon Dancer
Sarah Iannantuono
Ivana Kvesic
Elaine Muir
Melanie Youngson
Serena Pillay Cyber Sista - Girls Mentoring Program
OPERATIONAL RESILIENCE – CONVERGED SECURITY RESILIENCE CHAMPION
SPONSORED BY Everbridge
WINNER
Johanna Williamson Senior Manager Security Strategy and Governance, NBN Co
FINALISTS
Johanna Williamson Senior Manager Security Strategy and Governance NBN Co
Reshma Devi Associate Director Enterprise Data and Analytics Risk NAB
Rinske Geerlings Managing Director Business As Usual
NOMINEES
Johanna Williamson
Reshma Devi
Rinske Geerlings
Sandra Ortmanns
Rimple Kapil
Lisa O’Donohue
PROTECTIVE SECURITY CHAMPION
WINNER
Scarlett McDermott Chief Technology Officer, WithYouWithMe
FINALISTS
Scarlett McDermott Chief Technology Officer WithYouWithMe
Anastasia Gomes Cyber Governance & Assurance Analyst AMP
Christina Rose Manager Security Operations & Advisory Group Security and facilitation Qantas
NOMINEES
Scarlett McDermott
Anastasia Gomes
Christina Rose
Harini Ramadas
Roxanne Pashaei
THE ONE TO WATCH IN PROTECTIVE SECURITY WINNER
HIGHLY COMMENDED
Sarah Wood Manager Security Intelligence AustralianSuper
Laure Ruymaekers Security Intelligence & Reporting Analyst Sydney Metro
FINALISTS
Sarah Wood Manager Security Intelligence AustralianSuper
Laure Ruymaekers Security Intelligence & Reporting Analyst Sydney Metro
Cassie Carman Manager Protective Security Westpac Banking Group
Mina Zaki Associate Director - Cyber Security Alliances KPMG
NOMINEES
Sarah Wood
Laure Ruymaekers
Cassie Carman
Mina Zaki
Isabella Parkman
Vannessa Van Beek
Kavika Singhal
Liz Gomez
Victoria Zhong
Monica Vorster
Baby Lyn Nagayo
UNSUNG HERO WINNER
HIGHLY COMMENDED
Cairo Malet Senior Risk and Compliance Specialist Octopus Deploy
Sharon R Mitchell Executive Assistant to the Chief Security Officer, NBN Co
Melanie Truscott Executive Director Engagement and Communications, CyberCX
FINALISTS
Cairo Malet Senior Risk and Compliance Specialist Octopus Deploy
Sharon R Mitchell Executive Assistant to the Chief Security Officer NBN Co
Melanie Truscott Executive Director Engagement and Communications CyberCX
Amanda Pitrans Specialist, Group Protective Security Intelligence and Operations IAG
Belinda Charleson Marketing Director Digicert Australia
NOMINEES
Cairo Malet
Reshma Devi
Parul Mittal
Sharon R Mitchell
Paula Oliver
Shannon Pinney
Melanie Truscott
Hanlie Botha
Mahima Kopparam
Cassandra Schweers
Amanda Pitrans
Barbara Cook
Belinda Charleson
Pooja Shimpi
Bronwyn Mercer
Baby Lyn Nagayo
Ingrid Matosevic
Adeline Martin
Sharon Dorothy Jenkins
Shyvone Forster
Jalpa Bhavsar
Linda Chai
Jo Douglas
Amanda Russell
Bex Nitert
Deepa Bradley
Meg Peddada
Sita Bhat
Suzanne Ward
Tracey Fraser
Elena Scifleet
Mehrnaz Akbari Roumani
Emma Mills
Sarah Cain-Frost
Vanessa Gale
Tamara Jesenkovic
Mina Zaki
Emily Wingward
Heather Hicks
Shereen Samuel
Avon Chang
DIGITAL TRANSFORMATION DELIVERED IN ONE PLACE
Spark Business Group is the end-to-end solution to digitally amplify your business. We’ve brought together experts right across the digital spectrum to help you discover the potential of digital tools to transform your organisation. From reaching new depths in data and analytics and optimising your digital infrastructure to reinventing your CX and automating your business processes. Each field of expertise coming together to help grow your business performance and productivity.
Tap into tomorrow with Spark Business Group
Discover how Spark Business Group can help accelerate your business businessgroup.spark.co.nz
THESE ARE YOUR 2022 FINALISTS
DIVERSITY: THE HEART OF SPARK
New Zealand’s largest telecommunications and digital services provider, Spark, is in the running for several awards at the inaugural New Zealand Women in Security Awards: Best Industry Initiative that Supports Diversity, Inclusion and Equality and Best Place for Women to Work in Security. Also its head of security, Nyuk Loong Kiw, has been nominated for the Male Champion of Change award and many of Spark’s female leaders in security have been nominated for a variety of awards such as professional services. These include: network and security design consultant Amina Aggarwal for the IT Security Champion award, Best Security Mentor award and One to Watch in IT Security award; and security governance, risk and assurance specialist Megan Young for the One to Watch in IT Security award.
At the heart of Spark’s initiatives to promote diversity and gender equality is its Blue Heart Kaupapa (a Māori term for principle or policy). It emerged, says Spark product director Tessa Tierney, from some internal research undertaken in 2017 which revealed the company environment to be one in which some employees, particularly women, did not feel like they belonged.
“We had a few hard truths show up. A lot of our people said to us, ‘we don’t think we can bring our whole selves to work at Spark’,” she says.
From the survey’s revelations came Blue Heart Kaupapa. It was, and still is, says Tierney “about making a commitment to each other, a pledge for what we will stand for in diversity and inclusion, to make sure we became much more inclusive.”
VISIBLE ICON OF A HEART-LED APPROACH
Spark’s people-led approach to digital equity and inclusion, Blue Heart, is focused on celebrating differences and encouraging Spark employees to bring their whole self to work. The Blue Heart symbol is a visual representation of how Spark people think and act in an inclusive way. When Blue Heart was launched, thousands of Spark people made a Blue Heart Pledge—their personal commitment to D&I—and the company continues to invite new starters to do the same when they join the business.
Tierney says the program received a substantial boost in 2018 when Spark undertook a significant restructure, called ‘Flipping the business to Agile’.
“We changed our organisation from a traditional hierarchical model of departments to diverse small teams of people with mixed and blended skills. We dismantled the hierarchy. We used to have seven layers of management; we now have three. That reorganisation helped Blue Heart Kaupapa gather momentum.
“We measured this year how many of our people feel they can bring their whole selves to work. Now it is 84 percent, so there has been a huge change in the culture.”
The shift to Agile also ushered in some changes aimed at countering personality differences that often disadvantage women.
“One of the values we put into Agile was shifting from ‘loudest voice wins’ to ‘value every voice’,” Tierney says. “For example, we start meetings by writing things down rather than speaking. We are very aware that some people don’t have really quick voices and thoughts in the moment or are not the loudest speaker.”
TOP DOWN: SETTING STRATEGY, AMBITION AND STANDARDS
Digital equity and inclusion are strategic business priorities for Spark and embedded in its business strategy. When Spark launched its current three-year strategy to the market, the ambition for 2023 was to create a culture defined by its engagement, diversity and inclusion. The company holds itself accountable to progress through the following targets:
1. Achieving 40:40:20 representation Spark-wide
2. Reducing its median gender pay gap by 10 percentage points to 18 percent
3. Reaching 50+ percent ethnicity data sharing among its people, to enable more targeted interventions to improve representation
Spark recognises that building an inclusive culture must be led by Spark leaders, and as such these strategic ambitions have been integrated into the workplans of leaders across the business.
DIVERSITY IS KEY TO SUCCESS
Job interviews for new positions must have a woman on the interview panel and the pool of interviewees must have 40 percent men, 40 percent women and 20 percent of any gender.
Spark’s achievements in diversity and gender equality extend well beyond simple male/female issues. It was the first telecommunications company in New Zealand to receive the Rainbow Tick Certification. “You have to demonstrate you are an inclusive organisation for the LGBTI community,” Tierney says. “You have to set formal benchmarks around LGBTI inclusion in the workplace, and they reassess your certification annually.”
The company acknowledges it still has some work to do to achieve its Spark-wide gender target of 40:40:20, with women comprising 34 percent of Spark’s total workforce. Covid-19 made creating opportunities for change more challenging, and the company is now aiming to achieve its representation target in 2024.
Tierney says that, in an Agile environment, there are very clear business benefits from gender, age and ethnic diversity.
“After four years of Agile, I can see it is the teams with a high level of diversity that are always the ones that have the best outcomes. They’re the most exhausted because everybody brings a subtle worldview or perspective difference. And the outcomes are better. They more quickly crystallise what will work for a customer, because they represent the customers we actually serve.”
Male Champion of Change contender Nyuk Loong Kiw is a 20-year veteran of the company. As the head of security at Spark, Kiw leads a team of more than 100 and says one of his biggest diversity challenges is getting more women to apply for security roles. “Every time we put up a job advertisement, 95 percent of applicants are male.”
To try and change this Spark has established several partnerships with tertiary institutions designed to help identify, upskill and recruit future talent while also building diversity within its teams. In addition, any technical job advertisements from Spark are filtered through a platform that identifies any ‘masculine’ words/phrases and makes suggestions to ensure the adverts are gender neutral. Kiw and his team actively encourage more women to take up careers in cybersecurity, with some success: he has recently recruited two women from non-cybersecurity backgrounds into his team. “One used to work in the retail store, another used to be an early childcare teacher. They had both been working in New Zealand for a long time and felt they were getting nowhere, career wise,” Kiw says.
“They found me through other people and I’ve been mentoring them, helping them understand what the industry is all about and guiding them on the type of training and certifications they need. Both are now in my team.”
MENTORING FUTURE LEADERS
Another challenge Kiw has is getting female members of his security team to apply for higher level roles. “They’re doing an amazing job, but when an opportunity comes up, not one of them will go for the role. Somehow they feel their skill level is nowhere near that of their male colleagues.”
To try and redress this Kiw has identified female team members with leadership potential and is working to prepare them to apply for roles in the future. He holds monthly mentoring catch ups with these women as he does with his direct reports and they are enrolled in Spark leadership training courses.
One woman who did apply for a cybersecurity role at Spark, and got accepted, is Megan Young, who nominated the company for the Best Place for a Woman to Work and has been nominated for the One to Watch in IT Security award. She has a background in legal and corporate procurement and, wanting something different, gained a CISSP certification.
“I think it was a perfect example of the security tribe and Spark really wanting to diversify and get people in with completely different backgrounds who think in different ways and have different perspectives and different skill sets,” she says. “It felt like a bit of a gamble for myself, and for Spark. But it’s worked out because two years later, I’m still doing it and I love it.”
She joined a team of 12 with fairly even numbers of men and women and was assigned a mentor, a woman with many years of experience in cybersecurity. “I was able to shadow her in all her security tasks and projects. So, within the first few months of being in the company, I was able to watch a professional woman in cybersecurity getting the job done. She brought me along to her interactions with customers. It was great seeing how it’s done and seeing what’s possible.”
Another woman with a positive career journey in cybersecurity at Spark is also a nominee for the IT Security Champion award, Best Security Mentor award and the One to Watch in IT Security award: Amina Aggarwal, a professional services network and security design consultant. She had a brief stint at Spark, left and re-joined two years later.
SUPPORTIVE LEADERSHIP
“The leadership is very supportive. We have one on one meetings with our managers on a regular basis where we talk about our career progression, the certifications we’d like to gain, the initiatives, the programs that we work on. The leadership at Spark is empowered to make things happen and support us where we need it,” Aggarwal says.
“That has helped me to grow as a leader and a cybersecurity professional. Spark provide equal opportunities for professionals to learn and grow. I am supported by my people managers at every step whether it’s a presentation to a customer or an initiative that I would like to work on.”
Spark’s focus on diversity, equity and inclusion has helped to create an environment where all employees can feel comfortable bringing their whole selves to work, regardless of gender, ethnicity, orientation, age, experience, neurodivergence or ability.
Spark women on why cybersecurity needs more women
Spark’s head of security, Nyuk Loong Kiw, says he wants more women in cybersecurity roles. Here are seven powerful arguments why Spark, or any other organisation, would benefit if he achieves that goal.
RUTH GLOVER Chapter Area Lead, Identity Access Management, Spark Glover got a clerical job in the Post Office—responsible for telecommunications prior to the creation of Telecom NZ which then became Spark—and one day saw an opening for a computer programmer. “When I said I was going to apply I was told I wouldn’t be smart enough. Forty two years later I am still here working in identity. Identity requires analytical thinking, but also teamwork and communication skills which women excel in. Being able to promote universal access to people and businesses gives a real purpose to my role. Having the chance to use interpersonal skills as well as technical skills is why more women should work in cyber security.”
MEGAN YOUNG Security Governance Risk and Architecture Specialist, Spark Young says it is important for women to work in cybersecurity for three reasons. “Firstly, at an individual level, women use information systems and operate in cyberspace alongside our male counterparts, every day of our lives. So why wouldn’t we also be responsible for securing them? “Secondly, at an organisational level, to have any hope in combating the increasing complexity of cybersecurity challenges, companies should equip themselves with a diverse mix of problem solvers from different backgrounds, with different life experiences and offering different perspectives. A diverse team of problem solvers is more likely to identify and understand end users and the possible threats they face, and identify solutions more efficiently. “And finally, at a societal level, to adequately protect the information systems and cyberspace which our community exists and relies on every day, it is only conscionable for the cybersecurity industry to have appropriate representation and engagement with all members of that community.”
COCO LIU Cybersecurity Analyst, Spark Liu says getting more women into cybersecurity would help organisations in many different ways. “Building gender diversity in the company and gender equality will bring in more talent into the organisation and fill the workforce. The way women and men think are different. Hackers are from different backgrounds so defenders also need different perspectives. A male perspective alone is not enough. Women are a natural fit for cybersecurity when it comes to counterattack and protection.”
VIVIEN HII Security Governance Risk and Architecture Specialist, Spark As a woman in IT Hii has long experience of being in the minority. “Throughout my journey from university to the workforce, I have often been one of very few females. It is becoming ever more important to encourage more women to work in this field, to bring more diversification to the industry. This will remove the stigma that IT and cybersecurity are only for males. Diversity in experiences and backgrounds is good because threat actors can be from different backgrounds. Greater diversity will also enable the industry to be better positioned to respond to different problems.”
CHERRY LIWAG Security Certification & Accreditation Specialist, Spark Liwag has a rather different argument for more women in cybersecurity. “Security is all about protecting people, assets and technology. If you look at it from a different perspective, we women have a strong sense of protection. Mothers protect their children to term, generally speaking. Security comes naturally to women. We can do more if women are given the same opportunities as men. Break the stigma. It is time to prove that women are as capable as men. At the end of the day, it is all about passion, drive and determination to succeed.”
OLIVIA YANG Cybersecurity Analyst, Spark Yang makes the point that, aside from what cybersecurity gains from having more women, women gain much from being in the industry. “People often think cybersecurity is the Secret Squirrel: a complex, dark and highly technical area, especially for women. However, when I fell into cybersecurity I was like Alice in Wonderland falling into the rabbit hole. I found it to be a fun, exciting and enjoyable experience. “Working in cybersecurity, I become a wonder woman who could protect many people all at once. I could keep our staff and customers safe every single day, and that is extremely valuable for me. There are not many jobs that give this kind of satisfaction, but cybersecurity always does.”
TAHIRA BEGUM Senior Security Consultant, Spark Begum argues that society as a whole is diverse and cybersecurity should reflect this diversity, especially that of its adversaries. “We have adversaries from disparate demographics and if the people who are defending against threats do not have a diverse team that is very alarming for an organisation’s cybersecurity maturity. We have seen women at the forefront of all sectors, and cybersecurity is no different in its need for female representation to add value by sharing their unique skills, leadership and strategy.”
WHO WILL WIN?
BEST INDUSTRY INITIATIVE THAT SUPPORTS DIVERSITY, INCLUSION AND EQUALITY
SPONSORED BY Spark
FINALISTS
#10KWāhine initiative Microsoft
She#
Spark NZ Blue Heart Program Spark NZ
NOMINEES
#10KWāhine initiative
AWS She Builds
She Sharp
OMGTech
She#
Spark NZ Blue Heart Program
BEST PLACE FOR WOMEN TO WORK IN SECURITY
SPONSORED BY Spark
FINALISTS
Price Waterhouse Coopers New Zealand - Cyber and Digital Identity Practice
Spark New Zealand
Xero
NOMINEES
Netsafe
Price Waterhouse Coopers New Zealand - Cyber and Digital Identity Practice
Spark New Zealand
Tauranga City Council
Trade Me
Xero
ZX Security
WHO WILL WIN?
BEST FEMALE SECURE CODER
SPONSORED BY Atlassian
FINALISTS
Darya Kokovikhina Software Developer, Best Practice Software
Grace Lee Senior Security Consultant, CyberCX
Justina Koh Security Consultant, ZX Security
NOMINEES
Darya Kokovikhina
Grace Lee
Justina Koh
UNSUNG HERO
SPONSORED BY Atlassian
FINALISTS
Duo, a division of Sektor 1stTuesday and Project Wednesday Duo Team Members, Duo, a division of Sektor
Georgia Kitt-Lobo Cybersecurity Consultant - Governance, Risk and Compliance, Datacom
Sai Honig Engagement Security Consultant, Amazon Web Services
Tandi McCarthy Lead Security Consultant, ZX Security
NOMINEES
Antionette Murray
Beth Jackson
Chloe Ashford
Duo, a division of Sektor - 1stTuesday and Project Wednesday
Eva Knotkova
Georgia Kitt-Lobo
Janice Lecias
Kathleen Aparte
Lesley Maguire
Liz Schoff
Melonie Cole
Phoebe Soon
Robyn Campbell
Sai Honig
Sarah McMaster
Tandi McCarthy
Tina Bautista
JODIE VLASSIS
TRUST, SECURITY — AND TRANSPARENCY AT ATLASSIAN
by Jodie Vlassis, Senior Cyber Security SME | Trust, Security & Engagement at Atlassian
ASX listed global software company Atlassian is unusual in the amount of information it offers customers on its security practices and policies. Its website hosts a 42 page book: Security @ Atlassian: an in-depth view of Atlassian’s approach to security, along with the Atlassian Trust Center that “connects you to the latest information on the security, reliability, privacy, and compliance of our products and services”, Security at Atlassian and Security Practices at Atlassian.
These information sources are manifestations of an evolution of security from being “a very confidential aspect in a company’s business practices to becoming super-transparent,” says Atlassian trust and security team lead Jodie Vlassis.
“Atlassian, and our trust team, are committed to ensuring the unfaltering safety and security of our customers’ data, and to providing them with the information needed to understand and evaluate our security, compliance and privacy practices and policies through the use of self service,” she says.
“We have a number of outreach and engagement channels that support customers to identify how the Atlassian trust team keeps their cloud systems secure, the many steps we take to build security into our products, and the role our customers play in keeping their work environments secure.”
NO SECURITY SILOES
At Atlassian, security functions are not siloed between product development, internal company security and customer security. Vlassis is a member of the trust, security and engagement team, which, she says, “serves both our internal teams in driving security and compliance initiatives across the organisation, as well as our customers.”
One of the core functions of her team is to be
N O V E M B E R • D E C E M B E R 2022
the bridge between customers and the Atlassian
top priorities for customers in the area of cloud and
trust team. “Our mission is to remove security and
distributed systems.”
compliance blockers for customers,” she says. “We are embedded in a number of functions across
She says this has simplified Atlassian’s organisational
the company: security, compliance, go-to-market,
structures and removed collaboration barriers
regulatory compliance and privacy, to name just a few.”

She believes what Atlassian is doing represents a trend other companies will have to follow. “I think customers are starting to become a lot more aware of what their rights are when it comes to customer data and data privacy rights, and I think that is forcing businesses to become more transparent. … I’d like to hope that Atlassian, being such a cutting-edge company, is setting the scene for others to step up and do the same.”

Creating greater importance for security — and greater transparency around security — is the move to cloud, Vlassis says. “Our primary focus continues to be building the world class cloud platform which powers our existing portfolio of leading collaboration tools for workers across every business function. Our cloud products enable teams to collaborate and innovate more effectively, scale quickly and focus more time and energy on their core mission.”

CHIEF TRUST, NOT SECURITY, OFFICER

“Today’s chief trust officers must expand beyond the position of security enforcer and into a more visionary and strategic role, balancing security risk with enterprise reward.”

Vlassis says a chief trust officer should be responsible for leading a proactive approach, getting ahead of rising regulatory policies and rethinking how an organisation manages user privacy.

“I believe in today’s landscape we are witnessing the blurring of lines in the cybersecurity world between security, engineering and compliance. And in addition to security and reliability, privacy and compliance are

between interconnected teams: the security team, privacy team and development team.

“We’ve seen a real positive result from this, and it’s allowed us to resolve security issues much faster, respond to international regulatory regulations in a more agile way and communicate with customers more proactively.”

Security, Vlassis says, is no longer just a company problem but more of a people problem, and a psychological problem. “As an industry we’ve discovered that enforcing security procedures and enhancing training are slowly starting to become a little redundant. Instead, we encourage our security teams, or our trust teams, to practice empathy and to better understand and comprehend developer primary issues when building products.”

She believes Atlassian to be out in front with the creation of the chief trust officer role. “The evolution CISO to chief trust officer continues to be a balancing act and it will continue to be so for some time. However, our peers know Atlassian is super thought provoking and super cutting edge when it comes to our somewhat radical approach, and we feel this approach continues to pay off in really positive ways.”

REMOTE WORKING NOW THE NORM

Atlassian is also well-known for its cutting-edge approach to remote working. In April 2021 Atlassian announced Team Anywhere, described as a policy that would enable staff to work from any location in a country where the company has a corporate entity. This move followed release by Atlassian in October 2020 of a commissioned report Reworking Work: Understanding The Rise of Work Anywhere.
Almost 18 months from the announcement of Team Anywhere the company says 31 percent of 2021 Australian hires are working remotely and 26 percent of its global workforce is remote. Furthermore, the company argues that giving new recruits the option of working remotely is the only way it will be able to meet requirements.

“Our plans are to hire another 5,000 employees (bringing us to over 7,000 here in Australia), we wouldn’t be able to rely on hiring all of this talent in Sydney alone.”

Vlassis says the move to remote working was driven by the pandemic, but is proving beneficial as those constraints have eased. “The pandemic forced us to take a step back and rethink our commonly held beliefs. It became clear that not only is it possible to work flexibly and remotely, but it offers the opportunity to learn and continuously improve our employee experience and offering. … At the end of the day, we want our people to live the life they want, and this choice helps achieve that.”

Also, she says, the remote working policy supports what Atlassian sees as another key priority: building a diverse workforce. “In order to create great products for our customers, we need to attract Atlassians to represent them who are as diverse as the communities we serve. Research has proven that commercial benefits flow as a result of attracting and enabling a diverse workforce through inclusive business practices.

THE DIVERSITY DIVIDEND

“A study of workplace trends shows that some of the key benefits of a diverse workforce are better decision making, increased creativity and innovation, and higher levels of employment engagement.”

Vlassis epitomises that diversity. When she left school she became a professional dancer and worked for a real estate agent. Then she went to university as a mature age student and studied for eight years. She aspired to become a police officer, but realised it was not for her and pivoted into cybersecurity.

“I studied social sciences, psychology and criminology for five years. Then I did a master’s in policing intelligence and counterterrorism with a sub specialisation in intelligence in cybersecurity. That’s what sparked my interest in wanting to get into security.

“The beauty of the cybersecurity industry, in my opinion, is that the skills and attributes anyone holds in their career are easily transferable into the industry. You can find yourself bringing something new and fresh.”

www.linkedin.com/in/jodie-vlassis
WHO WILL WIN?

NEW ZEALAND’S MOST OUTSTANDING WOMAN IN IT SECURITY

FINALISTS
Aimee Lin, Chief Product Officer & Technical co-founder, DataMasque
Erica Anderson, COO and Director, Safestack and SafeAdvisory
Hilary Walton, CISO, Kordia
Kate Pearce, Head of Security, Trade Me

NOMINEES
Aimee Lin, Ankita Dhakar, Cherry Liwag, Denise Carter-Bennett, Erica Anderson, Hilary Walton, Jenny Botton, Kandice Mclean, Kat Lennox-Steele, Kate Pearce, Melonie Cole, Ngaire Kelaher, Rudo Tagwireyi, Tarryn Roth, Yael Lord

BEST INNOVATIVE BUSINESS “RESHAPING THE FUTURE” OF THE SECURITY INDUSTRY

FINALISTS
Cyber Tribe
DataMasque
Mindshift

NOMINEES
Cyber Tribe, DataMasque, Hacking for Heroes, KPMG, Mindshift, Security Lit NZ

BEST SECURITY MENTOR

FINALISTS
Amina Aggarwal, Security Design Consultant, Spark NZ
Ivy Macapagal, Security Analyst, ESR - Science and Research
Jan Thornborough, Founder & Director, Intelligensia
Robyn Campbell, Partner, Cyber & Privacy, PwC

NOMINEES
Amina Aggarwal, Hilary Walton, Ivy Macapagal, Jaimee Pasig, Jan Thornborough, Katherine Pearce, Laura Bell, Laura Smith, Michelle Crowe, Robyn Campbell, Scotland Symons

IT SECURITY CHAMPION

FINALISTS
Amina Aggarwal, Security Design Consultant, Spark NZ
Anupurna Kaw, Cyber and Cloud Security professional, Microsoft
Jenny Botton, Head of Corporate Information Security, CCL
Mikala Jane Anstis Easte, Manager Security Assurance and Governance, Reserve Bank of New Zealand
Sarah Burgess, Product Owner - Security, Xero

NOMINEES
Aastha Sharma, Akarsha Palle, Amina Aggarwal, Anupurna Kaw, Cherry Liwag, Coco Liu, Diana Yang, Ivy Macapagal, Jaimee Pasig, Jenny Botton, Kyla Butcher, Mae Koh, Megan Young, Mikala Jane Anstis Easte, Nadia Yousef, Sarah Burgess, Teodora Bear, Tiffany Chu, Vanessa Piper, Vivien Hii, Yolanda Wilke

MALE CHAMPION OF CHANGE

FINALISTS
Andrew Thorburn, Enterprise Security & Risk Manager, Atlas Gentech NZ
Paul Platen, Chief Information Officer, SSS - IT Security Specialists
Andy Crawford, Professional Services Delivery Lead, Spark NZ
Rob Lonie, Sales Leader in Cybersecurity, Microsoft
Nyuk Loong Kiw, Head of Security, Spark NZ

NOMINEES
Adwin Singh, Andrew Thorburn, Andy Crawford, Bill Moses, Craig Maskell, Dan Richardson, David Higgins, Eugene Gibney, James Dickinson, John Martin, Nyuk Loong Kiw, Paul Platen, Rob Lonie, Simon Howard

BEST SECURITY STUDENT

FINALISTS
Caitlin Mojica, Graduate Security Analyst, Xero
Malahat Rehan, DevSecOps Engineer, Snapper Services
Ayla Narciso, Student, Developers Institute

NOMINEES
Ayla Narciso, Caitlin Mojica, Danielle Domingo, Daphne Gumban, Elle Wright, Malahat Rehan, Rachel Grimwood

BEST VOLUNTEER

FINALISTS
Abby Zhang, Security Analyst, Kordia SecOps and Chapter Lead NZNWS and SheLeadsTech Liaison ISACA Auckland Chapter
Katherine Lennox-Steele, Founder of Cyber Tribe, Customer Success Manager and Security Consultant, Unisphere, Cyber Tribe
Toni James, Security Engineer, Salesforce

NOMINEES
Abby Zhang, Katherine Lennox-Steele, Toni James

MOST INNOVATIVE EDUCATOR IN CYBERSECURITY

FINALISTS
Education Arcade, Founder, Education Arcade
Dr Mahsa Mohaghegh, Director of Women in Technology, Auckland University of Technology
Te Pūkenga - New Zealand Institute of Skills & Technology Unitec

NOMINEES
Dr Mahsa Mohaghegh, Education Arcade, Jennie Vickers, Melonie Cole, Mindshift, Te Pūkenga - New Zealand Institute of Skills & Technology

THE ONE TO WATCH IN IT SECURITY
SPONSORED BY Westpac

FINALISTS
Amaryah Halo, Information Security Analyst, Kiwibank
Justina Koh, Security Consultant, ZX Security
Lauren O’Sullivan, Senior Consultant, CyberCX
Meaghan Bradshaw, Senior Consultant - Security, Microsoft
Megan Young, Security GRA Specialist, Spark NZ

NOMINEES
Aleisha Hoult, Amaryah (Ama) Halo, Amina Aggarwal, Ann Babuji, Chloe Ashford, Denise Carter-Bennett, Dimpal Tailor, Emma Harrison, Hazel Schapel, Ila Vala, Isabella Riddell-Garner, Jamie McClymont, Jenna Whitman, Jennie Vickers, Justina Koh, Katja Feldtmann, Keerthana (Kiya) Kumar, Lauren O’Sullivan, Marnie McLeod, Meaghan Bradshaw, Megan Young, Narmada Kohli, Olivia Uhrle, Patience Mitchell, Prinka Rana, Rajbir Kaur, Remya Kumar, Richa Sharma, Sheree Fleming, Tahira Begum, Tessa Anton, Tina Bautista, Vanessa La Luna

WOMEN IN SECURITY MAGAZINE CONTRIBUTORS

1. AMANDA-JANE TURNER
Author of the Demystifying Cybercrime series and Women in Tech books. Conference Speaker and Cybercrime specialist
2. ANNELIES MOENS
Managing Director, Privcore, Superstar of STEM
3. JOYCE TIWARI
Information Security Manager at Tarabut Gateway
4. RANJEETA RANI
Senior Security Engineer at KONE
5. SANDY ASSAF
Head of IT Risk & Compliance at Crown Resorts
6. DINA ATWELL
Manager, Cyber Insider Threat and Technical Investigations at Capital One
7. TARA MURPHY
Director, Security & Traffic at the University of NSW, Sydney
8. EMILY GOODMAN
Cyber Security Consultant at EY
9. JESSICA WILLIAMS
Security Specialist Monitoring and Incident Response at Rio Tinto
10. SCARLETT MCDERMOTT
Chief Technology Officer at WithYouWithMe
11. ANNA DART
Senior Manager Protective Security at Westpac
12. TASH BETTRIDGE
Customer Success Account Manager at Microsoft
13. CRAIG FORD
Cyber Enthusiast, Ethical Hacker, Author of A Hacker I Am vol1 & vol2, Male Champion of Change Special Recognition award winner at 2021 Australian Women in Security Awards
14. LIBERTY MUDZAMBA
Senior Consultant in Cybersecurity at EY
15. LEKSHMI NAIR
Managing Principal, APAC, Synopsys Software Integrity Solutions
16. JEMMA LAWRENCE
Recruitment Consultant at CyberSec People
17. VANNESSA MCCAMLEY
Leadership and Performance Consultant, Coach, Facilitator, Author and Keynote Speaker
18. SIMON CARABETTA
Business Operations Manager at ES2
19. KAREN STEPHENS
CEO and co-founder of BCyber
20. DR MARIA BEAMOND
Lecturer in Management, RMIT University
21. DR LEONORA RISSE
Senior Lecturer in Economics, RMIT University
22. FATEMAH BEYDOUN
Chief Customer Officer, Secure Code Warrior
23. KAT LENNOX-STEELE
Information Security Analyst and Co-Founder at Cyber Tribe and MVP
24. JANA DEKANOVSKA
Strategic Threat Advisor at CrowdStrike
25. DR ASTHA KESHARIYA
Information Science, University of Otago
26. STACEY CHAMPAGNE
Insider Risk Expert, Founder & CEO of The Trade Secrets Network and Hacker in Heels
27. MARTY MOLLOY
Events, Marketing and Communications Coordinator at AusCERT
28. LISA VENTURA
Founder – Cyber Security Unity
29. ROSALYN PAGE
Award-winning writer and content strategist covering innovation, technology and the digital lifestyle
30. KARA KELLY
Manager at Deloitte
31. SARAH IANNANTUONO
Security Strategy and Program at SEEK
32. SAI HONIG
Engagement Security Consultant at Amazon Web Services
33. KAVIKA SINGHAL
Cyber Security Consultant at EY
34. JAY HIRA
Director of Cyber Transformation at EY
35. MICHELLE GATSI
Cyber Security Consultant at EY
36. SHINESA CAMBRIC
Principal Product Manager, Microsoft Intelligent Protections Emerging Identity at Microsoft
37. KAAJAL SHARMA
Offensive Security Associate at EY
38. BABY LYN NAGAYO
Cyber Security Manager at EY
39. MEGHAN JACQUOT
Security Engineer at Inspectiv
40. MEHLIKA ERCAN
Cyber Security Analyst
41. MARISE ALPHONSO
Information Security Professional
42. MICHELLE LIAO
A/NZ Channel and Distribution Manager at WatchGuard Technologies
43. OORJA RUNGTA
BTech in Computer Science Student
44. KAO HANSELL
Bachelor of Information Technology: Networking and Cybersecurity Student
45. JACK K
Bachelor of Information Technology Student
46. GABRIELLE RAYMUNDO
Certified Cyber Security Professional Course Student
47. HAICHEUR ICHRAK AMANI
Master’s Student in Cybersecurity
48. MANDEEP BRAR
Cybersecurity bootcamp
49. LISA ROTHFIELD-KIRSCHNER
Author of How We Got Cyber Smart | Amazon Bestseller
50. KATE MARSHALL
National Leader of KPMG’s Cyber law practice
51. MITRA MINAI
National Cyber Partner to the Health sector
52. NATASHA PASSLEY
Partner, Technology, Risk and Cyber
53. GERGANA WINZER
Partner, Enterprise Advisory – Cyber
54. MARTINA MUELLER
Accenture Australia financial services security lead
55. RUTH GLOVER
Chapter Area Lead, Identity Access Management, Spark
56. MEGAN YOUNG
Security Governance Risk and Architecture Specialist, Spark
57. COCO LIU
Cybersecurity Analyst, Spark
58. VIVIEN HII
Security Governance Risk and Architecture Specialist, Spark
59. CHERRY LIWAG
Security Certification & Accreditation Specialist, Spark
60. OLIVIA YANG
Cybersecurity Analyst, Spark
61. TAHIRA BEGUM
Senior Security Consultant, Spark
62. JODIE VLASSIS
Senior Cyber Security SME | Trust, Security & Engagement at Atlassian

OFF THE SHELF

FUTUREPROOF YOU
Author // Kellie Tomney

Constant Volatility, Uncertainty, Complexity, Ambiguity and Disruption in our world are making jobs, careers and industries more insecure. The Future of Work and the fourth industrial revolution are here. Careers have changed and will continue to change rapidly and significantly. The question is: Will you change with the times, or will you be forced to change because of them? Able to relate to the constant internal call for career change as well as recognising the sudden, dramatic, external catalysts at work in the world, in Futureproof You, careers expert Kellie Tomney addresses:
• The global trends influencing career choices and the opportunities inherent in the new world of work
• The journey from feeling abandoned, disconnected and frustrated to becoming truly Futureproof
• The 3 Futureproofing Keys that will unlock your unique value and superpower your career
• The tools to adapt and grow in an ever-evolving cycle of impact

THE ART OF INVISIBILITY: THE WORLD’S MOST FAMOUS HACKER TEACHES YOU HOW TO BE SAFE IN THE AGE OF BIG BROTHER AND BIG DATA
Authors // Kevin Mitnick and Robert Vamosi

Like it or not, your every move is being watched and analyzed. Consumers’ identities are being stolen, and a person’s every step is being tracked and stored. What once might have been dismissed as paranoia is now a hard truth, and privacy is a luxury few can afford or understand.

In this explosive yet practical book, Kevin Mitnick illustrates what is happening without your knowledge, and he teaches you “the art of invisibility.” Mitnick is the world’s most famous--and formerly the Most Wanted--computer hacker. He has hacked into some of the country’s most powerful and seemingly impenetrable agencies and companies, and at one point he was on a three-year run from the FBI. Now, though, Mitnick is reformed and is widely regarded as the expert on the subject of computer security. He knows exactly how vulnerabilities can be exploited and just what to do to prevent that from happening. In THE ART OF INVISIBILITY Mitnick provides both online and real life tactics and inexpensive methods to protect you and your family, in easy step-by-step instructions. He even talks about more advanced “elite” techniques, which, if used properly, can maximize your privacy. Invisibility isn’t just for superheroes; privacy is a power you deserve and need in this modern age.

THE CUCKOO’S EGG: TRACKING A SPY THROUGH THE MAZE OF COMPUTER ESPIONAGE
Author // Clifford Stoll

Before the Internet became widely known as a global tool for terrorists, one perceptive U.S. citizen recognized its ominous potential. Armed with clear evidence of computer espionage, he began a highly personal quest to expose a hidden network of spies.

THE CYBER EFFECT: A PIONEERING CYBERPSYCHOLOGIST EXPLAINS HOW HUMAN BEHAVIOUR CHANGES ONLINE
Author // Mary Aiken

Dr Mary Aiken is the world’s leading expert in forensic cyberpsychology - a discipline that combines psychology, criminology and technology to investigate the intersection between technology and human behaviour. In this, her first book, Aiken has created a starting point for all future conversations about how the Internet is shaping our perception of the world, development and behaviour, societal norms and values, children, safety and security.

Covering everything from the impact of screens on the developing child to the explosion of teen sexting, and the acceleration of compulsive and addictive online behaviours (gaming, shopping, pornography), The Cyber Effect also examines the escalation in cyberchondria (self-diagnosis online), cyberstalking and organized crime in the Deep Web. Cyberspace is an environment full of surveillance, but who is looking out for us? Full of surprising statistics and incredible-but-true case studies of the hidden trends that are shaping our culture, this book raises troubling questions about where the digital revolution is taking us.

Upending your assumptions about your online life and forever changing the way you think about the technology that you, your friends and your family use, The Cyber Effect offers a fascinating and chilling look at a future we can still do something about.

THE ART OF MEMORY FORENSICS: DETECTING MALWARE AND THREATS IN WINDOWS, LINUX, AND MAC MEMORY
Author // Michael Hale Ligh

Memory forensics provides cutting edge technology to help investigate digital attacks.

Memory forensics is the art of analyzing computer memory (RAM) to solve digital crimes. As a follow-up to the best seller Malware Analyst’s Cookbook, experts in the fields of malware, security, and digital forensics bring you a step-by-step guide to memory forensics—now the most sought after skill in the digital forensics and incident response fields. Beginning with introductory concepts and moving toward the advanced, The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory is based on a five day training course that the authors have presented to hundreds of students. It is the only book on the market that focuses exclusively on memory forensics and how to deploy such techniques properly.

SECURITY ENGINEERING: A GUIDE TO BUILDING DEPENDABLE DISTRIBUTED SYSTEMS
Author // Ross J. Anderson

In Security Engineering: A Guide to Building Dependable Distributed Systems, Third Edition Cambridge University professor Ross Anderson updates his classic textbook and teaches readers how to design, implement, and test systems to withstand both error and attack.

This book became a best-seller in 2001 and helped establish the discipline of security engineering. By the second edition in 2008, underground dark markets had let the bad guys specialize and scale up; attacks were increasingly on users rather than on technology. The book repeated its success by showing how security engineers can focus on usability.

THE 2023 WOMEN IN SECURITY AWARDS
Don’t miss the largest security awards of the year!
WOMEN IN SECURITY AWARDS: 12 OCTOBER, womeninsecurityawards.com.au
NEW ZEALAND WOMEN IN SECURITY AWARDS: 9 NOVEMBER, womeninsecurityawards.co.nz
WANT TO BE PART OF IT? Register your interest today by contacting aby@source2create.com.au