Women In Security Magazine Issue 11


NOVEMBER • DECEMBER 2022

www.womeninsecuritymagazine.com


FROM THE PUBLISHER

To win our battle for the future, we must champion the successes of the past

The Australian Women in Security Awards have grown along with the security industry as a whole

Ever since the pandemic began, pundits have been talking about the impact it would have on the security industry – but as the dust settles after the fourth annual Australian Women in Security Awards, it is all too clear just how big that impact has been, and how many amazing security heroes it has created.

Just a few years after we launched the 2019 event as a day conference with an awards ceremony tacked onto the end – when we had 240 nominations, 12 winners, and a handful of Highly Commended nods – this year’s event tipped the scales with more than 800 nominations, 19 winners, 17 Highly Commended, and 2 special recognition awards.

Those numbers show not only how many amazing women are making their mark on the industry, and how stellar the contributions they made – but how much the profile of security has increased over the past four years.

Since the first event, the nomination pool is much bigger; there are more judges; the categories have expanded along with the security landscape; and the calibre of champions submitted are, hands down, becoming more and more inspiring every year.

As we look to the Awards’ future, planning requires us to look to the past for guidance, reflect on the experiences of the awards as individuals, and understand what recognition and success mean to you. We always ask for feedback and we listen, so that we can react and act – so please never be afraid to contact us with suggestions about how we can refine the Awards to deliver a sharper focus on celebrations, and on the elevation of our champions.

It is because we listen that we added five new categories this year, aiming to expand recognition of the ways that diversity, equity, and inclusion (DEI) initiatives are framed and acknowledged.

With these awards, I feel that we are growing in our respect for one another, and in our resolve to work and lead with empathy, compassion, and flexibility. And we do so while respecting and valuing each other’s experiences and perspectives, and by highlighting the role that lived experiences play in the ways that we adapt – as individuals and as an organisation.

RAISE YOUR VOICE FOR CHANGE

It’s as true today as it was the first year we ran the awards that the reason we do this is for the industry.

Each year, as we look backwards to see what worked and what we could do better, we are also looking to the future of an industry that has become more important than ever before.

It is an industry filled with unsung heroes, so we scream from the top of our lungs about the amazing contributions they make every day.

It is an industry where we elevate and celebrate the champions who are keeping us safe, spreading the word about security, and truly inspiring future generations to join the exciting industry we all share.

It is an industry where nobody should ever have to look around the room and feel that there is nobody else that looks, sounds, or thinks the same. So many of us have struggled with these negative feelings in the past – and it is my deep hope that by turning differences from a divisive wedge into a positive unifier, we can turn the narrative around DEI into a powerful force for positive change.

Year after year, you have heard my voice screaming out for recognition of the brilliant people in this industry. You have watched me step out of my comfort zone as I realised that confidence can take you to great places if you step out of your comfort zone. I knew early on that if I wanted the Awards to advance DEI, then I needed to step out of my comfort zone, and use the event to drive content, discussions, and a sense of shared purpose.

Just as I discovered that my voice matters, you must allow yourself to believe that your voice does matter too. Every voice matters. Taken together, the voices promoting diversity, equity, inclusion, and resilience form the cornerstones of what makes us better and stronger as individuals. They make us more impactful as organisations. But being committed is not enough on its own. Making progress in our journey also requires putting our commitment into action, sharing our progress along the way, and encouraging our partners and stakeholders to hold us accountable. As they say, you never know how easy it is to break a glass ceiling until you get close enough to touch it. And by working together, we are getting closer and closer.

We are helping to create the future we have always wanted. And as we close the books on another amazing Women in Security Awards, we can look forward to that future knowing that all of our voices are increasingly being heard.

Thank you to every single person who was involved in the Awards – nominees, judges, sponsors, organisers, and everyone else. Together, we have created something tremendously special – and we hope it continues every year as the cause of DEI in our industry keeps going from strength to strength.

Abigail Swabey
PUBLISHER, and CEO of Source2Create

www.linkedin.com/in/abigail-swabey-95145312

aby@source2create.com.au


CONTENTS

FROM THE PUBLISHER

THE MORE THINGS STAY THE SAME, THE MORE THEY NEED TO CHANGE

AS BURNOUT TAKES ITS TOLL, REMEMBER TO PUT THE U BACK INTO CYBERSECURITY

IN 2023, LOOK FOR WAYS TO CONSOLIDATE PROGRESS AROUND GENDER EQUITY

COLUMN
People culture builds resilience
Cybercrime in 2022
A real hard look
Keep calm and carry on
Improving security together

WHAT’S HER JOURNEY?
Annelies Moens
Joyce Tiwari
Ranjeeta Rani
Sandy Assaf
Dina Atwell
Tara Murphy
Emily Goodman
Jessica Williams
Scarlett McDermott
Anna Dart
Tash Bettridge

TALENT BOARD

JOB BOARD

CAREER PERSPECTIVES
My journey: from accountancy to cybersecurity
Changing the ‘change’ journey
Women in cyber security from a recruiters perspective
Reflect on your thinking and the behaviours you need to reach your vision

INDUSTRY PERSPECTIVES
Australia’s cybersecurity sector: where are the women?
The future of developer security maturity is bright, and these verticals are leading the charge
Shifting perceptions of IT and cybersecurity policies: policy should not fill you with dread
2022 has been a watershed year for cybersecurity, but what’s next?
Cyber resilience in the cyber world
Corporate layoffs: a perfect storm for insider risk and the imperative for holistic mitigation approaches
Looking back to move forward: thirty years of experience guiding the way
Cybersecurity: a board issue in 2022
How is the industry responding to the skills and talent squeeze?
Meeting the security and privacy challenges of the metaverse

TECHNOLOGY PERSPECTIVES
Blockchain – the technology behind cryptocurrency
Sharing our inner voice stories
Reflections on malware
The relationship between artificial neural networks and cybersecurity
Key themes from 2022 taking us forward
Out of the shadows: how cybersecurity has taken centre stage in the Australian business arena

STUDENT IN SECURITY SPOTLIGHT
Oorja Rungta
Kao Hansell
Jack K
Gabrielle Raymundo
Haicheur Ichrak Amani
Mandeep Brar

Misty Bland

OFF THE SHELF

FOUNDER & EDITOR
Abigail Swabey

ADVERTISING
Abigail Swabey
Charlie-Mae Baker

JOURNALISTS
David Braue
Stuart Corner

SUB-EDITOR
Stuart Corner

DESIGNER
Rachel Lee

Source2Create Pty Ltd is the publisher of this magazine and its website (www.womeninsecuritymagazine.com). AWSN is the official partner of Women in Security Magazine

©Copyright 2022 Source2Create. All rights reserved. Reproduction in whole or part in any form or medium without express written permission of Source2Create is prohibited.




Innovate to Grow program: Cyber security

Applications are open for a free 10‑week online program for small to medium enterprises (SMEs) working in cyber security to explore their research and development (R&D) opportunities.

Build your R&D idea

Small and medium-sized businesses (SMEs) play a key role in growing Australia’s cyber security industry. But taking an R&D idea and turning this into reality can sometimes be a daunting prospect. Our free self-paced 10-week program will build your skills to help you refine your innovation idea and turn this into a R&D opportunity.

Register today
Applications close: 7 Nov 2022
Program starts: 1 Dec 2022
csiro.au/Cyber-Security

Australia’s National Science Agency

Key program outcomes

Personalised support to refine your idea: We’ll step you through the process of turning your idea into a viable research project.

Confidential feedback: All submissions through the program portal will receive prompt expert feedback.

Mentor: You will be paired with a researcher from CSIRO or a university to help connect you with the relevant specialists.

Build your network: You will build key contacts in your sector, including researchers at CSIRO and universities, domain experts, funding professionals and other SMEs.

Key things covered include:
• Identifying your innovation opportunities.
• Refining your value proposition.
• Understanding the R&D viability.
• Helping you build your business case.
• Providing guidance on how to prepare a strong funding application.

Commitment and course outline

Preparing for the program (~2.5 hours)
Pre-workshop videos, onboarding, materials and questionnaires.

Week 1 (Official start date, 1 Dec)
Workshop (4.5 hours)
Guest speakers from CSIRO, sector experts and SMEs who will provide tips and information on topics such as trends and opportunities, innovation experience and funding. You will also meet your fellow participants and mentor.

Weeks 2–10
Self-paced innovation program (2–3 hours per week)
Participants explore opportunities to grow their business through innovation and research. Fortnightly virtual participant networking events and additional webinars (1 hour each).

A final questionnaire is required at completion.

Who can attend

Participants working in cyber security. This can be in any sub-sector including:
• Network security.
• Human centric security.
• Critical infrastructure security.
• Security and privacy of Artificial Intelligence (AI) / Machine Learning (ML).
• AI/ML for security and privacy.
• Supply chain security.
• Application security.
• Data integrity and privacy.
• Incident management and response.
• Quantum security.
• Software security.

Selection criteria (essential):
• An Australian registered and operating business with an ABN and ACN/ICN.
• Business classified as small to medium (<200 employees).
• A business currently, or in the early stages of, exploring R&D opportunities for their business and have an idea to work on throughout the course.

Other considerations:
• Currently working in the cyber security sector (or have identified a new opportunity relevant to cyber).
• Any other information provided to support your application.
• Have a clear need to develop your skills in R&D.

“The perfect solution in the current times ... nobody knows their product/markets and how to improve them like SMEs, they just don’t have the resources to develop them. This course taps that knowledge rich base and links with the resources.”
– Hamish Shaw, GM, Former participant

“Significant benefits of being part of the ‘ecosystem’ – from which associations and opportunities flow.”
– Amanda Falconer, Founder and CEO, Former participant

For further information
Michelle Armistead
Innovate to Grow Program Coordinator
michelle.armistead@csiro.au
csiro.au/innovatetogrow

CSIRO awards places to businesses based on the strength of the application, and a clear interest and capacity to pursue R&D. We also include participants from a variety of industry sub-sectors and regions. CSIRO Innovate to Grow is delivered using Practera’s online ed-tech platform and facilitation services.

This project is funded by the Australian Government Department of Industry, Science and Resources through the Cyber Security Skills Partnership Innovation Fund Grant Opportunity Program.


THE MORE THINGS STAY THE SAME, THE MORE THEY NEED TO CHANGE

by David Braue

Progress towards cybersecurity diversity was steady but slow in 2022 – so help make 2023 better

Between the widespread advocacy, increasing executive awareness, government policies of engagement with women, and efforts to promote the cause of STEM to girls while they are still in school – the messages around boosting women’s participation in cybersecurity, IT, and other scientific and technical fields have never been stronger.

But are they working? The newly announced 2022 update to the government’s ongoing STEM Equity Monitor analysis suggests the answer is both ‘yes’ and ‘no’.

Some 15% of STEM-related jobs in Australia are now held by women, the new figures show, with women comprising 29% of the research workforce in 2021 and comprising 38% of university STEM course completions.

And while the 18% gender pay gap in STEM subjects is less than the 20% across all industries, it is still far too high. Inequity is exacerbated at the executive level, with women holding just 23% of senior management roles and 8% of CEO positions in STEM‑related industries.

Pipeline prospects are improving, although it’s hardly time to celebrate yet: while metrics of girls’ confidence in STEM-related subjects are up across the board – with 59% of 12 to 17-year-old girls saying they are confident in STEM subjects – this is still well behind the 74% of boys who said the same.

Cybersecurity is, of course, just one of many careers that STEM-focused girls might pursue, which exacerbates the challenge of translating changes in STEM study into increases in cybersecurity workers.

It will take time before security careers are normalised among the girls and women that the industry needs so desperately – but delivering on that goal will require more than just switching from stick to carrot.

“Businesses suffering chronic skills shortages can’t keep focusing on programs designed to grow the pipeline, in the hope that the system will fix itself,” noted Lisa Harvey-Smith, a UNSW Sydney professor and the Australian Government Women in STEM Ambassador.

“Although we are doing a better job at attracting women to some university STEM courses, very few women are still going for vocational STEM education, and there’s far too little attention paid to actually keeping STEM-qualified women in the workforce.”

Even as STEM-based industries crawled towards better engagement with women during 2022, the need to improve retention has proven to be a Pandora’s Box of sorts, raising many ancillary questions that required managers to actively address issues such as workplace harassment – which this year saw a “significant, positive step,” Harvey-Smith said, after the federal government accepted all 55 recommendations of the Respect@Work: Sexual Harassment National Inquiry Report.

“Businesses must urgently put robust systems in place to prevent discrimination, bias, and sexual harassment,” she added – throwing down a gauntlet to corporate HR organisations that will need to make their human-centric policies a key corporate priority for 2023, if they ever hope to regain lost ground in the cybersecurity skills race.

CLEARING BLOCKAGES IN THE CYBERSECURITY PIPELINE

Many non-technical lines of business are notching up successes in promoting women: for example, women account for 19% of C-level roles in the average supply chain organisation this year, Gartner recently reported, up from 15% last year.

Nonetheless, the share of vice president-level roles and overall supply chain positions actually declined by 2% from last year – suggesting that the glass ceiling is still present and intact.

Supply-chain executives “need to double down on goal setting, leadership inclusion, and career-pathing for women,” said Gartner senior principal analyst Caroline Chumakov, noting that global organisations with deeper and broader talent pools tend to have “better pipelines and better representation of women in underrepresented races and ethnicities.”

The normalisation of corporate gender-equality policies has seen some positive signs of change this year: the NSW public sector, for example, reported that 42.7% of senior leadership positions were held by women in 2021 – well ahead of the figure in STEM‑related industries – and a formal Gender Equality Action Plan 2022-2025 laying down an agenda to improve this figure over the next three years.

Even as the appearance of such formal strategies suggests that the will to advance women is at least present in many environments, however, the profile of women in senior cybersecurity roles has continued to languish.

One recent UK analysis, for example, found that just 8 of the FTSE 100’s CISOs are women – compared with nearly 40% of board roles in those companies now being held by women – and a similar US analysis of Fortune 500 companies found that just 13% of those firms’ CISOs are women.

That’s well behind the roughly 24% of cybersecurity roles currently held by women – according to widely cited figures from cybersecurity industry group (ISC)² – and this figure highlights the intrinsic and persistent barriers that are keeping many female cybersecurity workers from advancing to the higher echelons of their careers.

There is a chicken-and-egg element at play here, Chicago-based recruitment firm Heidrick & Struggles noted during a recent CISO survey of 327 global CISOs that found 18% of respondents were women – and that more than half of the predominately “men and white” CISOs had moved into their current role from a different CISO role.

The figures “reflect a broader trend that CISO roles are often terminal,” the analysis notes. “The career path forward for CISOs is most often to another CISO role.”

If the CISO function is hopelessly skewed towards men, and also hopelessly skewed towards choosing people with prior experience as a CISO, the prospects for bringing new women into the CISO role may continue to be limited.

“CISO career progression remains tricky,” the analysis noted, “and our experience recruiting CISOs in 2022 reflects an increasing need for diverse talent.”

Many businesses, the firm noted, “increasingly think outside the traditional industry- and IT-specific criteria for CISOs to find the best executives for the role, including people who are diverse in terms of gender and race or ethnicity, as well as industry and functional expertise.”

DRIVING CHANGE FOR 2023

In a gender-equity discussion that is often driven by headline numbers and extrapolations of localised surveys, better and broader information about the real skills gap will be crucial to targeting efforts to fix the problem during 2023.

A recent month-long AWSN survey, called the Australian Security Industry Workforce – Understanding Gender Dimensions Project, sought to better inform debate in Australia by running a census of women in cybersecurity that will, RMIT University Centre for Cyber Security Research & Innovation director Professor Matt Warren said, provide “a more robust and definitive estimate of the gender diversity within the security workforce.”

“There is no robust measure of the gender composition of Australia’s security industry,” he said, “or a clear picture of the types of jobs that women are undertaking and the skills they possess.”

That the broader picture around women’s participation in cybersecurity is still represented by a single number – (ISC)²’s 24% figure – shows just how far the security industry still has to go to improve gender equity in 2023.

To a certain degree, this change will be driven at a local level, as cybersecurity leaders engage with their business counterparts, hiring managers, and others to identify better ways they can attract and retain a more diverse field of candidates.

“For some time now, we have heard these buzzwords – diversity, equity, inclusion, and belonging – and everyone is expected to know what they mean,” said Hollee Mangrum-Willis, a US-based senior program manager with ISACA diversity arm One In Tech.

“We do have a gender balance issue within digital trust, and we do need to start creating, or be more aggressive about creating, more inclusive pathways for marginalised persons.”

And while changing statistics suggest that “the work is being done, and it’s working,” Mangrum-Willis said, the key now is to build on the momentum leading up to 2022 – and “accelerate” it for 2023 and beyond.

“Think about women’s suffrage and how long it took – 100 years – to get to here we are now,” she said. “I don’t want it to take another 100 years to move further.”


AMANDA-JANE TURNER

Cybercrime is big business thanks to technical advancement and interconnectivity creating more opportunities. This regular column will explore various aspects of cybercrime in an easy-to-understand manner to help everyone become more cyber safe.

COLUMN

Cybercrime in 2022

As 2022 draws to a close it is right to reflect on some of the year’s cybercrime campaigns and see what we can learn from them.

At the start of the year Russia invaded Ukraine. As the conflict progressed there was a spike in cybercrime activity directed against both Ukraine and Russia. This showed changes in the geopolitical environment can produce a rise in cybercrime and wars can be fought both physically and in cyberspace.

Criminals exploit major events to trick people into downloading malware, paying faked invoices or entering their log-in credentials on phishing sites. With the COVID-19 pandemic still causing issues, scam emails using COVID-19 contact tracing, vaccinations and fake World Health Organisation information as bait were still doing the rounds.

Cybercrime is profitable. It is big business. Ransomware coupled with extortion attempts threatening the release of stolen data continue to destroy businesses. In May this year a 157-year-old liberal arts college in the USA closed its doors permanently after failing to bounce back from a December 2021 ransomware attack.

Ransomware is not abating, and a prime vector for it is email. It is therefore important for organisations to uplift their cybersecurity culture and help employees spot weaponised emails.

This year several big name companies found themselves victims of data thefts perpetrated by cyber intrusion or social engineering. Such thefts negatively affected those organisations, their customers and their supply chains. They highlight the need for organisations to be alert for cybercrime, keep their cybersecurity defences strong and encourage their employees to have a positive cybersecurity culture.

As technology develops the opportunity for cybercrime develops with it. Organisations and individuals alike must keep learning from cybercrime campaigns and use the knowledge gained to strengthen their cyber defences.

In Australia report cybercrime via www.cyber.gov.au/acsc/report. In another country, report it to your local police or through the relevant cybercrime reporting mechanism.

Cybercrime is big business – learn from the past, and stay safe.

www.linkedin.com/in/amandajane1

www.demystifycyber.com.au


WHAT’S HER JOURNEY?


Annelies Moens
Managing Director, Privcore, Superstar of STEM

It is hard to be what you cannot see, and women are still seriously under-represented in STEM leadership roles. The lack of diversity in technology industries, particularly in leadership roles was highlighted recently in the World Economic Forum’s Global Gender Gap Report 2022 which found women make up only 24 percent of leadership roles in the technology sector. However, representation has increased in recent years.

Annelies Moens is one of Australia’s Superstars of STEM for 2021-2022. She recently spoke about her career journey to high school students across Australia to encourage more women and girls to create the roles they want, on their terms, so they can create more humane technology and shape industry to reflect the diversity of the world.

The Superstars of STEM program sets out to smash stereotypes of what a scientist, technologist, engineer or mathematician looks like by helping brilliant women and non-binary experts in science, technology, engineering and mathematics to become highly visible media and public role models and show girls that STEM is for them.

Moens founded Privcore, a privacy risk management consulting company helping businesses and governments make privacy core to their business. She has been consulting on privacy for ten years and working in privacy since 2001 when she landed her first privacy role at the federal privacy regulator — now the Office of the Australian Information Commissioner (OAIC) — as an investigator and auditor.

She is a trailblazer in privacy and is paving the way for others to develop careers in privacy as a cofounder of the International Association of Privacy Professionals in Australia and New Zealand. Today, privacy (along with cybersecurity) is one of the most in-demand careers as a result of technological advances that enable organisations to collect ever more information about people.

A career in privacy did not exist when Moens was at high school and she has been telling students that, in ten years’ time, most of them will have careers that do not exist today. The start of her privacy career (unbeknownst to her at the time) was studying computer science through years 8-12 at an all-girl high school.

Moens and her colleagues had no perception of gender bias in their high school computer science class. They experienced this only when they graduated from high school and embarked on university studies in information technology and computer science classes amongst a sea of male students.

In her second year of university studies, Moens was awarded a scholarship to study artificial intelligence (AI) in Utah, which is vying to become Silicon Valley 2.0. She has since combined her passion for information technology and computer science with a law degree and an international MBA, and says the cross-functional knowledge and skills she has gained are invaluable for navigating the complex world of privacy risk, and for running a consulting practice.

Because we cannot easily predict what our world will look like even ten years from now, Moens identifies critical thinking as the most valuable skill to acquire. “If you have an ability to question, to challenge assumptions, to think differently, to understand different perspectives, and do not always follow the herd, you are well on the way to creating your success and helping those around you succeed.”

Today we are in what she calls the ‘mass-customisation era’. “We have the industrial era’s ability to produce goods and services at scale but with the bespoke characteristics of the pre-industrial era where services and goods were custom-made: think of the local tailor and cobbler of the past.

“With technology and personal information we can influence each individual in the world. Personal information can be used to develop customised insurance premiums, craft what people see and hear through newsfeeds, influence how people drive through telematics, monitor health, tailor advertisements and so forth. However, a key challenge is to ensure the level of personalisation does not erode human autonomy and choice, which privacy helps protect.”

Meanwhile, Moens says data breaches and ransomware attacks are creating challenges for the privacy and security professionals who help data custodians keep the trust of the public.

“In order to navigate our increasingly complex world we need diverse thinkers who can think broadly across ecosystems and make technologies work for us in ways that minimise privacy and security risks so as to protect one of the most vulnerable and valuable resources in the world: information about people.”

www.linkedin.com/in/amoens

www.privcore.com


Joyce Tiwari
Information Security Manager at Tarabut Gateway

Joyce Tiwari spent ten years as a senior infrastructure engineer with NHS Professionals, a UK Government-owned company that provides staff to the UK’s National Health Service. In that role she encountered the security challenges of cloud computing services, which led to a change of career path into cybersecurity.

“Cloud was easy. You could get an environment set up in minutes, but what we were missing were the right levels of access control, port misconfigurations etc,” she explains. “As I started cleaning up environments, setting up security groups, assigning roles etc, my interest in security grew.”

So she decided to study for ISACA’s Certified Information Security Manager (CISM) qualification. The first COVID lockdown provided the opportunity and a copy of the CISM guide by Peter H Gregory and the audio book by Phil Martin provided the means.

“I love reading and listening to books. That’s usually the best way for me to gauge if I like a given subject,” she says. “I listened to the book whenever I got a chance and used my wardrobe doors as a whiteboard to make notes if I wanted to read further about a topic etc.”

BECOMING ISO27001 CERTIFIED

With the CISM certification under her belt Tiwari went on to gain the International Board for IT Governance Qualifications’ (IBITGQ) ISO27001 Certified ISMS Lead Implementer (CIS LI) qualification, which required a different approach. “My ISO27001 exam preparation was different. There were no audio books. I decided to record my own notes, so I could listen to them on my walks around the garden.”

Having gained cybersecurity qualifications Tiwari took on a security architect role at NHS Professionals before moving to her current role of information security manager at Dubai headquartered Tarabut Gateway. She is based in Watford UK, just north of London.

The company claims to be the largest open banking platform in the Middle East and North America. It provides a set of open APIs that, “allows money and information to flow securely, instantly, and at a low cost.”

Tiwari says, because Tarabut provides services in multiple jurisdictions, “there are different cybersecurity frameworks we need to comply with, which is a little challenging but interesting at the same time.”

To meet this challenge Tiwari has built her own mapping between ISO27001 + NIST and CFSs of the region.

She has no regrets about making the shift from infrastructure engineering into cybersecurity and was well-supported to make the transition. “I feel very blessed, as I had the guidance I needed right at home when I decided to make the move. When I spoke to my husband about planning to move to InfoSec from infrastructure he said, ‘go for it’.”

Both Tiwari’s infrastructure engineering and cybersecurity roles are very different to her prior educational achievements: she holds a master’s degree in geography from the Osmania University in Hyderabad, India, gained in 2002. She “picked geography because I loved the subject, and I still do,” and “started working in IT Infrastructure because I liked it.”

Given her career journey, it is perhaps no surprise that her advice to anyone aspiring to a career in cybersecurity is: “nothing can stop you from switching your career as long as you put in the effort and don’t give up.”

www.linkedin.com/in/joyce-tiwari-3a42a4224


Ranjeeta Rani

Senior Security Engineer at KONE

Ranjeeta Rani’s cybersecurity career has taken her from the frying pan to the freezer, metaphorically speaking. After almost two decades of study and work in one of the world’s hottest countries, India, in January 2022 she moved to one of the coldest, Finland, where she works as a senior security engineer with Kone.

She graduated with a Bachelor of Technology in Electrical, Electronics and Communications Engineering from Jawaharlal Nehru Technological University in 2008 and got into cybersecurity by chance in her first job after graduation, when graduates were allocated different roles.

Rani was, she says, quite ignorant of cybersecurity as a career at that point, but has stayed in the industry ever since and has no doubt she made the right choice. “What kept my interest going was just how vast the domain is. No matter how long you are working in it you will always have new challenges to deal with every day.”

CYBERSECURITY THE PERFECT ROLE

She adds: “There is always so much to do in this space and that keeps your interest high. For someone who strives to do something different each day and work on challenges, cyber is the perfect field. At the end of the day I am proud knowing the work we do makes the world more secure.”

She acknowledges that her fascination with, and commitment to, the industry do make it difficult to maintain a good work/life balance but says, “With experience it does become a little easier, and the key is to prioritise and do time management.

“Another important approach is to really disconnect mentally when you are off work. For me, tracking things on a tool that keeps my to-do list helps me do that. Otherwise I have found myself many times still thinking about work when away from it.”

Rani credits her mentors with having played a significant role keeping her in the industry, saying she has had “many good mentors who helped me decide what I want to pursue in cybersecurity.”

DISCOVERING MENTORING

And she wishes she could have tapped into the power of mentoring at the end of her school life when wondering what career choices to make. “Getting the right information and knowing where to start was a challenge for me. If I had a chance to go back to my last year of school, I would definitely connect with mentors who can advise what areas and opportunities there are in security so I could develop my skills around my interest area.”

In 2021 Rani gained ISACA’s Certified Information Security Manager (CISM) qualification and now has her sights set on gaining the (ISC)² Certified Information Systems Security Professional (CISSP) qualification. “It’s a good certification as it covers cybersecurity on an overall level,” she says. “For someone planning to move to a more senior technical management role this certification has many benefits, in my opinion.”

Other sources of cybersecurity knowledge Rani relies on are LinkedIn, cyber magazines, news and, for threat intelligence, various security notifications from different vendors.

www.linkedin.com/in/ranjeetarani


Sandy Assaf

Head of IT Risk & Compliance at Crown Resorts

Sandy Assaf is Head of IT Risk and Compliance at Crown Resorts. She has come a long way from her first job: sales assistant in a jeweller’s shop, but it was that experience that launched her into a cybersecurity career.

IT was her second career choice at school after photography and media, but she failed to get accepted for the digital media and photography course she wanted to take. She then enrolled for a computer science degree, but did not stay the course. “After the first few months I knew this wasn’t for me and the learning style at university was not my style,” she says.

There followed numerous unsuccessful applications for IT jobs, including one at Crown Resorts. “It was the same response from all companies; that I did not have industry experience and other candidates had more experience than me.”

PEOPLE SKILLS SCORE HER A ROLE

However, a few months later Crown came back to her. “I was curious as to why now, and their response was I had customer service experience and people skills that I could bring to the position and learn the more technical skills on the job.”

Assaf started with Crown as a trainee IT operations officer, progressed to a senior IT operations officer and then IT operations coordinator.

“Soon after I became a systems analyst within the IT gaming systems team. It was then that I took a risk and, with some guidance and mentoring from my now general manager, I leapt into a position as assistant manager IT audit in the newly formed IT governance team,” she recalls.

“Now, with 15 years in the industry and Crown, I am in a job I would have never imagined myself in, and loving it.”

Assaf acknowledges it was luck that got her in the door at Crown “with minimal experience and diplomas in IT and E-business,” and attributes her impressive career progression to “Having great mentors, developing my skills internally, and Crown providing me with training and industry courses I required to be successful in all the positions I have held.”

MULTIPLE CERTIFICATIONS GAINED

Over her years at Crown Assaf has gained ISO/IEC 27001:2013 ISMS Lead Auditor and PCI DSS Internal Security Assessor certifications and completed a Diploma in Leadership and Management.

She says many people are hesitant about taking the leap into a new career path, but with the right support most people will be successful.

“Having a great team and strong leaders assisted tremendously in the transition. Also, an organisation that invests in training, highlights the gaps individuals have and ensures it provides them with the tools and resourcing required makes a transition seamless.”

Her advice to others: “Do your research, see what is suited to you and your future career goals, and go for it. Network with professionals in the industry and take some guidance and advice.”

UNUSUAL STRATEGIES FOR CAREER SUCCESS

All sound, and common, advice but Assaf has a few other, unusual, strategies for career success. She created a reflections journal and published it on Amazon to help with her reflections and with setting personal and professional goals. “I use this once a week to ensure I am focusing on maintaining a good work/life balance and working towards both goals,” she says.

She also includes meditation in her schedule at the beginning of the work week. She plans holidays and mini breaks throughout the year, and a day off every couple of months to focus on herself while her daughter is in childcare. “It took me a while to realise it is ok to have ‘me time’ without feeling guilty, because this helps me be a great leader and give my all at work, and a great mother and fiancée at home.”

Like many people, Assaf struggled initially with the sudden Covid-induced transition to home working. “I wasn’t getting up from my desk often enough throughout the day for a break, and I was logging back in after my daughter was in bed. I now block out my calendar for lunch to ensure I get a decent break from the computer and work. My fiancé also put in a rule that we need to spend time together once our daughter is in bed: no more logging in after hours.”

www.linkedin.com/in/sandy-assaf-24012897


Dina Atwell

Manager, Cyber Insider Threat and Technical Investigations at Capital One

Like so many women who have shared their career journeys, Dina Atwell — who lives in Washington DC — ended up in cybersecurity by chance. She was “one hundred percent certain” she wanted to be a lawyer when she decided to apply for internships in Washington, thinking this would be a good place to start putting in applications to law schools.

She was accepted for an internship in the State Department and ended up in what must be one of the hottest spots in cybersecurity anywhere in the world: conducting analysis to identify, monitor, assess and counter the threats posed by foreign cyber actors against US information systems, critical infrastructure and cyber-related interests.

“They took a chance on me, even though I was transparent that I did not have cybersecurity experience but was willing and excited to learn,” she says. “Once I was immersed in the position, I loved it. I was learning every day and it was like a whole new world opened up to me. I realised I could parlay my investigative passions with cyber.”

Today she is still in a threat analysis role, at a higher level. She is manager, cyber insider threat and technical investigations with Capital One, a financial services company in McLean, Virginia.

“I didn’t have a clear vision. I knew what I enjoyed: creating and strategizing for insider threat programs and people leadership,” Atwell says. “Having those interests in mind and really just trying to contribute in that area led me to a more formalised role where that’s now my day job.”

Atwell did her internship at the State Department while studying for a Bachelor of Arts in political science at Monmouth University and then went on to gain a master’s in homeland security from the same university. However, she sees some of the most important skills needed for her role as being communication, curiosity and analysis, and says these can be developed and honed through any major. “There are many different roles within insider threat and technical investigations you can pursue: from more of a project manager role to more of a technical role.”

CULTURE RULES

When contemplating taking on a new role, Atwell sets great store by company culture. “Culture rules over everything for me, and can really influence how you feel about your work. You can have the same exact position and role in two different companies with different cultures, and the experience can be wildly different.” Her current employer, Capital One, “really puts emphasis on the people and living certain values, which encourages a people focused culture.”

Of her role there, Atwell says: “There are two things I find the most rewarding: one, keeping Capital One, its customers, employees and data, safe. Everything our team does daily drives this overall mission. Second, I love being a people leader. I enjoy helping others and I try to be a positive force on all of my teammates. Nothing makes me happier than seeing one of my associates get a well-deserved promotion or recognition.

“I always encourage others to go after what they want, and I’ve seen nothing but success when motivated individuals transition into cyber, even from a completely unrelated field.

“I think it takes so much courage to leave a field where you may be comfortable and jump into something that may be totally new. I always encourage others to talk to as many people in the industry as possible, really expose themselves to all the different fields in cyber, try to get an understanding of a day in the life, and see where their talents can shine.”

www.linkedin.com/in/dinarusso

Stone & Chalk Group is proud to be supporting careers in Australia’s cyber security industry As the largest innovation community in Australia, the Stone & Chalk Group is proud to be a sponsor of the Australian Women in Security Awards 2022. Through AustCyber, part of the Stone & Chalk Group, we are focused on growing Australia’s vibrant and globally competitive cyber security sector. With our cyber security innovation nodes and hubs, we’re supporting the cyber security needs of all, including startups, scaleups, companies and government. To find out more about cyber security workforce, jobs, career pathways, training and education, visit us at www.aucyberexplorer.com.au



THANK YOU TO OUR 2022 AUSTRALIAN WOMEN IN SECURITY AWARDS SPONSORS



Tara Murphy

Director, Security & Traffic at the University of NSW, Sydney

Tara Murphy is Director, Security & Traffic at the University of NSW, Sydney. She has been in security at UNSW for almost half her security career and in that time has transformed the security function.

“Once I began working at UNSW I progressed from deputy security manager to security manager,” she says. “In that role I worked to extend the portfolio and raise the profile of the security service within the university. This led to greater recognition of the value of security, which resulted in my being appointed to my current role as director of security. In this role I am part of the estate management executive team.”

She describes a ‘typical’ day as being atypical, “involving numerous meetings, responding to events, supporting my team and liaising with a wide range of internal and external stakeholders.

“I work with a committed and talented team. Having them recognised for the critical role they undertake and the value they bring is one of the most rewarding parts of my job.”

UNREALISTIC EXPECTATIONS

Having raised the profile of the security service, Murphy says her biggest challenge is managing expectations. “My experience in many organisations is that security is required to wear many hats beyond its core function, which is not realistic in some cases.

“I think this is a result of security being viewed as trusted partners in the organisation. So, whenever people come to a sticking point, they reach out to security. This is, of course, a positive thing. However I need to ensure we do not overcommit to tasks and services we are not trained to undertake that divert us from our core responsibilities.”

Key to fulfilling those core responsibilities, she says, are good personal networks, both within the university and externally. She maintains strong links with her peers in other tertiary education organisations to understand current and emerging threats and responses, is an active member of Association of University Chief Security Officers and attends its forums and conferences. She keeps up to date with government websites and press releases and works closely with the local police and local emergency management committees.

LEARNING ON THE JOB

Murphy says she never planned a career in physical security and learnt mostly on the job in a number of roles over the years. “While academic study has distinct advantages, the value of life experience should not be overlooked. The biggest part of my role is interacting with a diverse group of people. I started my career in the UK in loss prevention straight from school and learned on the job, mostly from managers and colleagues.”

However, she does recognise the value of formal professional development and has taken a number of courses over the years, gaining a foundation degree in security risk management and a diploma in security. She is now completing a degree in counterterrorism, security and intelligence.

She is on track to complete this in 2023 and is looking to undertake further study in emergency and crisis management, responsibilities she already carries in her current role. “While I have developed a sound understanding of the practicalities of this discipline, my experiences in responding to a rapidly changing environment during the COVID pandemic have piqued my interest in undertaking further study in this area,” she says.

www.linkedin.com/in/tara-murphy-a4752513


Emily Goodman

Cyber Security Consultant at EY

Emily Goodman joined EY in Sydney as an executive assistant in Assurance in January 2020, just three months before Covid disrupted life for everybody, but she put lockdown to good use.

“I decided to enrich my learning by enrolling into a Master of Cybersecurity course with UNSW which I am still studying part-time whilst working full time,” she says. “Since pursuing my interest in cybersecurity I have been able to transition into the cybersecurity team in the company, and I have not looked back since!”

She is now a cybersecurity consultant in EY’s financial services arm and says she has found her calling: she had already gained a bachelor’s degree in commerce with majors in accounting and marketing. “Before finding my passion in cybersecurity, I felt at a loss as to where my career pathway was going,” she says.

“I completed my undergraduate degree in commerce and started working in a role I wasn’t particularly enjoying. I then joined EY as an executive assistant and after a couple of years was fortunate enough to transition into the cyber team where I can now achieve my purpose and make a difference.

“I believe the relationships I have made in my current role contribute to making my experience really rewarding. I am part of two mentoring programs and they have been a positive experience. It is so valuable to gain advice and guidance from experienced senior colleagues, to be comfortable to share thoughts and sound out career goals with a trusted confidant. Through building relationships I have been presented with opportunities that add value to my career and contribute to my personal growth.”

FACING IMPOSTER SYNDROME

Her transition into cybersecurity has not been without its challenges. “Imposter syndrome can be common and is something I have experienced, whether thinking I am not technical enough, not smart enough or not confident enough for a role in cyber,” she says.

“With advice from some of my mentors, I have realised the importance of embracing these feelings of doubt. It is impossible to move into a new career path and know all the answers. To embrace the feelings of doubt I remain a passionate learner, learning new skills along the way and taking in the experience.”

MATERNAL INSPIRATION

She says her inspiration to embark on her cybersecurity masters came not from any contemporary influences, but from her mother. “Growing up my mum completed a university degree and CPA as a mature age student whilst working full time and supporting a young family. She has always taught me to keep persevering through challenges I may face, saying I will always overcome them. From her experience I learnt you can achieve anything you set your mind to,” she says, adding, “I am also inspired by the women leaders and colleagues in my workplace. They are motivational and encourage others to be the best versions of themselves.”

As well as being the catalyst for her career transition into cybersecurity, Covid-19 gave Goodman something else: Pilates, which she took up during lockdown. “I think it is important to have something you enjoy outside of work where you can de-stress and allow the feeling of balance,” she says. “I aim to practice Pilates every day when I can, even if it is only for 15 minutes. I find I am more productive when I wake up early and do Pilates, take my dog for a walk, or read a book before starting the workday.”

www.linkedin.com/in/emily-goodman-b9a023144


Jessica Williams

Security Specialist Monitoring and Incident Response at Rio Tinto

Like many women who have shared their career journeys in these pages, Jessica Williams got her start in cybersecurity not on the strength of formal qualifications, but through persistence, networking and soft skills. “Despite two to three years of studying IT and personal projects I couldn’t break into IT,” she says.

She had worked as a receptionist at a truck company and followed this with an administrative role in insurance. With these roles in her CV she got a job on the periphery of the industry, in cybersecurity recruiting, and used that to get closer to the discipline. “This job gave me huge exposure to the Brisbane security scene. I attended as many events as possible, shoulder surfed over capture the flag participants and took notes at talks,” she says.

“I was hired at a conference for a security bid and engagement role. I used my writing skills to move from that role into a technical writing position. Eventually that landed me in penetration testing consulting after being exposed to what that role looks like, and practicing through capture the flags in my spare time.”

NO FAN OF ACADEMIC STUDY

Given her experience, it is perhaps not surprising that Williams is no great fan of academic study. Asked what advice about a career in cyber she would give to her last-year-of-school self, she says, “I would tell myself not to waste so much time trying to achieve top grades in every university subject. I personally feel I did not get a good ‘return on investment’ when it came to university.

“I would tell my last-year-of-school self to spend that time on getting more deeply involved in the security clubs, side projects and industry meetups. I feel that is where the real gold standard educational experience is for cybersecurity in Brisbane.”

However, her views come with a caveat: “I’m not recommending it to everybody, all of our paths are different.”

And to those beyond school, studying at university and aspiring to a cybersecurity role similar to hers, she says: “I would tell all university students to really enjoy your time there, don’t mindlessly consume content, and have fun! Ask questions, engage with people, start fun projects, and get involved with the community. Just going to classes and getting top grades likely won’t cultivate that passion and love of learning that really helps when it comes to these roles.

“It’s important to take an active approach to your education, not to passively follow along with whatever university throws at you. When you land that first security role, it’s likely not going to be based on your knowledge. It’s more likely employers are going to hire you based on your passion and drive. Dig into that, and everything else will follow.”

INCIDENT RESPONSE, ACROSS TIME ZONES

Today, Williams is a security specialist in the monitoring and incident response team at Rio Tinto: a team spread between Australia and Canada.

“The biggest challenge in my role is communication during large security incidents,” she says. “When operating between two time zones, facts and assumptions can quickly become mixed up without a proper handover. If clear and effective communication isn’t practiced, a group of incident responders can waste valuable time going down rabbit holes.”

She says getting the role at Rio Tinto changed her life. “My current manager, Ben Passmore, has really helped me come out of my shell at work. I previously had a lot of anxiety around asking for help when I needed it. Ben made it clear from the get-go that I could ask as many questions as I needed and never made me feel stupid for asking. He encourages the ideas I have, helps me to implement them and provides me with the appropriate level of challenges I need to feel fulfilled at work.

“Additionally, the company has provided me with many great training opportunities and has even given me the opportunity to live in Montreal for two years. I feel my career and growth here is taken very seriously, and it shows through all the opportunities I have been given.”

ACHIEVING WORK/LIFE BALANCE

Incident response is, inevitably, not a role conducive to a nine-to-five work routine and Williams has a number of strategies to maintain a good work/life balance, but says the starting point is an employer that will respect and encourage the boundaries employees put in place to maintain that work/life balance, and Rio Tinto has created a workplace where work/life balance is encouraged. “It really should be a shared responsibility between employer and employee.”

Williams makes a point of balancing any extra hours demanded by incidents and meetings with time off, and has a couple of other strategies.

“I adopted two cats! Having pets around has been great for keeping my anxiety levels low and provides a nice mental break when working from home when they demand petting from me. And I’m religious about using the Headspace app. The mindfulness exercises and ‘sleep casts’ help me get a lot more, higher quality sleep.”

www.linkedin.com/in/jwill1785


Scarlett McDermott

Chief Technology Officer at WithYouWithMe

Meet the up and coming female entrepreneur who is heading the tech division of one of Australia’s fastest growing start-ups (Deloitte Fast 50 2019). Since taking the reins as chief technology officer at WithYouWithMe, Scarlett McDermott has seen the company grow around the globe, most notably in the United Kingdom, Canada and the United States.

Hers is a fast-paced job, and one that sees her meeting regularly with a Who’s Who list of CEOs and political leaders from around the world.

Although the number of women working in IT roles has increased in recent years, McDermott says there is still work to be done.

“As CTO for a tech company that is all about solving under-employment I see my role as more than just technology innovation and development; it’s about shifting the needle for the industry as a whole to ensure we create an environment where women thrive.”

Her diverse career spanned from software development to cybersecurity before she put her hand up to lead a global product team for WithYouWithMe. Hers was not a typical journey to the C suite. “I was adamant I wouldn’t end up in the same profession as my father: a software developer,” she says.

After working as an electrician during her Year 10 work placement, McDermott went on to complete a degree in information technology.

“Ultimately it was my passion for problem-solving and fixing things that inspired me to pursue a career in technology,” she says. “When I took a break from full time work to start my family I wanted to keep my mind busy, so I enrolled in a graduate certificate course to study cybersecurity online at Edith Cowan University. I would be at home on my couch breastfeeding while reading or listening to cybersecurity lectures.”

When she returned to full time work, McDermott was determined to find a role that made a difference and helped people. After researching and learning about WithYouWithMe—a startup helping armed forces veterans find employment—she applied, and was hired for, a software development instructor role.

She helped establish WithYouWithMe’s tech support program, which helps women learn digital skills for remote employment roles such as support desk analyst. She recently launched the National Resilience Project, which enables digitally skilled individuals to sign up for temporary employment projects helping government agencies in emergency situations.

“My husband’s military postings meant I moved around a lot, and I have been fortunate to have had a career that could adapt to these changes,” McDermott says. “However, I knew some women who were not so fortunate, some whose careers were cut short and others forced to work in jobs beneath their skill level to make ends meet. A family and a successful career do not have to be mutually exclusive, and women should not be expected to sacrifice their career to support a family.”

One of the challenges McDermott encountered when she was promoted to chief technology officer was expanding WithYouWithMe’s cybersecurity capabilities from one person to a global security team.

She says this was necessary to ensure that the cybersecurity and technology teams worked together and not against each other.

“An organisation’s security team should not be seen as an enemy or a barrier but as an enabler of innovation. We use Microsoft Sentinel and various security information and event management (SIEM) tools to assess threats and maintain a secure position.

“I lead a team of 70 talented technologists spread across the globe, the majority of whom are veterans and military spouses, all dedicated to creating and developing incredible products that contribute to meet the demands of an evolving technological landscape.”

McDermott acknowledges the value of higher education but questions whether it should be a prerequisite for all individuals looking for entry-level IT jobs.

“Apprenticeship programs that focus on transferrable skills would be more beneficial to candidates than traditional study,” she says, adding, “formal education can help people stay on track once they’ve decided on a career path.”

McDermott appreciates WithYouWithMe’s skills-based hiring approach that uses data from aptitude and psychometric tests to show candidates which roles would be a good fit for them.

“I’m encouraged by the Digital Skills Organisation’s efforts to build a skills taskforce and framework focused on skills-based hiring rather than prerequisites such as university-level training for entry-level IT roles. This can be a barrier for certain candidates who lack the time or the funds for courses.”

McDermott is now leading a new initiative called WithWomen in Technology which aims to increase female representation in the IT industry.

“WithYouWithMe has committed to providing free technology skills training to 1000 women this year. WithWomen aims to encourage more women to consider a career in IT, especially in fields like cybersecurity,” she says. “We want to encourage women and show them IT careers are not dull or exclusive to intellectuals. Anyone who is willing to put in the time and effort can become a skilled cybersecurity professional.”

www.linkedin.com/in/scarlett-mcdermott-089a01190


Anna Dart Senior Manager Protective Security at Westpac

Anna Dart is Senior Manager Protective Security at Westpac, a role she has held for about two years after more than a decade in security with Dell Technologies. And she owed the introduction to that role to the kindness of strangers, one in particular.

She arrived in New York to take up a job at New York University a week before the start of the Global Financial Crisis, but the person who was leaving the position changed her mind. Dart says she was, “suddenly, an Australian with no connections in a new city and country trying to navigate a pretty shocking job market.”

She started cold emailing people, “a pretty discouraging thing to do.” However, this tactic eventually delivered results. “After reading an article I liked on counterterrorism methodologies and discovering the writer had transitioned from US federal law enforcement into the private sector, I sent yet another cold email and had success.

“I asked for advice, not a job. He was very generous and asked for my resumé and then told me he’d sent it to a couple of Fortune 50 companies he knew were looking for someone with my skillset. I got a job with one of them and stayed for over 10 years.”

From that experience and many others, Dart says she concluded people are often very generous and happy to help if they are able. “If you ask, you’ll be surprised what people will do for you. I am very aware how this person’s kindness to a total stranger affected my life, and I try to remember that when I am approached for help.”

POLICE FORCE ASPIRATIONS

A career in security was high on Dart’s agenda in her youth, but she initially aspired to join the police. “I always wanted to be a police officer and my parents wanted pretty much anything else for me,” she recalls. “They helped me get work experience with the Queensland Police when I was at high school. I think they hoped it would discourage me, but it had the exact opposite result, I loved it and was hooked.”

After plan A failed, her parents implemented plan B. “They encouraged me to look at the AFP, which they thought would be more interesting to me in the longer term and it was the right fit.”

However, despite having wanted to be a police officer, Dart chose university studies that would keep her options open. “I didn’t want to limit my options by taking justice studies or similar, so I studied foreign languages.”

So, it is perhaps no surprise that her advice to anyone aspiring to a role similar to hers is: “Study something that demonstrates your interest in the world as well as something that gives you a solid base to pivot to a different field if you change your mind: international relations, law, international security studies.”

CURIOSITY OPENS DOORS

And she adds: “You also need to have practical, marketable skills. Once you’re in the industry, you might find other areas that interest you more than protective intelligence (although I can’t think of anything myself!), so set yourself up to have broad knowledge and skills. I always think when I am interviewing candidates that we can teach you things we need you to know but attention to detail, curiosity and a demonstrated work ethic will open a lot of doors.

“There are some key skillsets that will stand you in good stead. For example, an understanding of how data and intelligence (should) form the basis of decision-making. Make an effort to learn to collate, use and explain data and how it has informed a decision/project.

“A key skill is being able to write well and communicate nuanced ideas. Business writing skills are often underrated but essential. Learn to write, and then practice this skill. It’s like any muscle: the more you use it, the more responsive it is.”

OLYMPIC INTELLIGENCE ROLE

A pivotal moment in Dart’s career came when she scored an internship with the Sydney Organising Committee for the Olympic Games in the Olympic Intelligence Centre.

“I saw some of the preparations and planning that went into a major security operation for an event of that size,” Dart says. “This gave me exposure to some senior representatives from Australian law enforcement and intelligence to see how they operated. During my internship I was able to take on a project and completely own it, producing an assessment to the senior leader at the end of my time there.

“Given I was very young to apply to the AFP, this experience gave me something other than my university jobs to put on my resumé and my application. It also exposed me to another aspect of the security world, reaffirming my belief that I was in the right place.”

HOME WORKING A PRIORITY

The ‘right place’ in another sense for Dart has been home: she has worked mostly from home for more than a decade and says the ability to continue doing so was an important factor in the choice of her current role with Westpac.

“I can work hard but also get to see my children and hear them playing. Everyone works hard but I think the pandemic broke down a lot of pretence that people don’t have families. It was great that suddenly everyone seemed to be in the same boat, juggling responsibilities. Little people were occasionally, unexpectedly popping into Zoom meetings for everyone without it undermining a person’s professionalism, the perception of how good they are at what they do or their commitment to work.”

And with her decade plus of home working experience she says it is important to have good boundaries around work areas in the home. “I don’t ever take my laptop into the bedroom and very rarely work away from my desk unless it’s a late call or similar. I don’t wear a suit unless I am in the office, but I have found it’s important to get dressed for work every day. It helps me switch my brain into work mode and feel like I am actually going to work.”

However, she does confess to some transgressions. “I am always reading news and reports/assessments, it’s what I love. So I will often sit on the couch at night and read on my phone while ostensibly watching TV. It’s a bit blurry on the work/life balance issue, but I enjoy it and it doesn’t feel like work.”

It may not feel like work, but it certainly informs Dart’s views on what will be the most significant developments in the threat landscape: they are all ‘big picture’ issues.

THE, GLOOMY, BIG PICTURE

“I am waiting and watching to see what the energy and food supply situation is going to be like over the coming year and am expecting difficulties,” she says. “I am concerned about a cold winter ahead in Europe and about energy being a weapon of war, potentially resulting in political instability, civil unrest and supply chain disruptions. I am watching the price of agricultural products and am concerned these price increases will result in lower yields that will impact countries more reliant on food imports. Also, that the confluence of energy price increases and inflation in places where food accounts for a greater proportion of earnings than in a country such as Australia will result in unrest, political instability and hunger.

“Slightly more on the horizon are the effects of climate change and adherence to the practice of growing crops unsuited to the region or in unsuitable climates. And using outdated irrigation practices is going to make water security a greater security risk where competition for the limited resource is increasing.”

Despite these gloomy projections, Dart revels in this aspect of her job. “I love my role, but I enjoy the geopolitical / geostrategic side of things most. There’s the stuff happening on the surface and trying to keep track of all the various inputs and players and their motivations (projected and real), all the downstream effects of these developments, trying to assess how nation states will react to things, and how these decisions will affect business operations or employee safety.”

www.linkedin.com/in/anna-dart



Tash Bettridge Customer Success Account Manager at Microsoft

Tash Bettridge is a customer success account manager (CSAM) with Microsoft in New Zealand, focussing on Microsoft’s business relationships with New Zealand small and medium business customers and partners.

She describes her role as a mix of account management, delivery management, project management, change management and incident management. “The customer success account manager role is a generalist in Microsoft products and services. We are the support people for the customers, and we are there through the whole delivery life cycle.

“The role used to be known as technical account manager, but Microsoft switched over to customer success account manager because of our obsession with empowering our customers and partners.”

Bettridge says she loves the challenge of bringing together a diverse group of people who have never previously co-operated on a project. “I enjoy everyone coming together to empower each other to work on the customer’s digital transformation, and watching the project unfold from beginning to end as well as helping the customer when there is a major incident affecting their business continuation processes.”

She took her current role after almost a year as a cloud solution architect in data and AI with Microsoft after being approached by her now-manager at an internal Microsoft event. “I think it has been the best career move I have taken, as I have been really supported in the role,” she says.

Her job title does not include ‘cybersecurity’ but she says, “the CSAM role is the person Microsoft business customers and partners turn to when there is a major incident. I keep updated with internal alerts from our support team and I also attend the internal cyber team sessions that keep CSAMs informed of Microsoft security products.

ONE ROLE: MANY HATS

“My role is always busy, and I wear many hats on the job because there are many different parts I need to play on a day-to-day basis,” she says. “The role is always exciting, and the days are always different. One day I could be working with C-level executives on their business and digital transformation strategy, supporting our customer engineers in workshops, giving presentations and working to support escalations when there is a major incident.

“The CSAM role suits me as I am someone who loves challenges, loves interacting with people and stakeholder management as well as being involved with the success of customers and partners through their transformation.”

Her career trajectory to this position could be summed up as ‘circuitous and from inauspicious beginnings’: she was kicked out of home and dropped out of school at age 16.

INAUSPICIOUS BEGINNINGS

“I did not have much trust in adults because my homelife was not the best and going to school was just as bad for me,” she says. “I did not have much in the way of role models to look up to at home: both my parents had dropped out of school at young ages.”

And you can gauge something of Bettridge’s unhelpful school experiences from the advice she would give her younger self.

“I believe the words of teachers can have a powerful impact on young people. Advice should be offered only with great caution. Don’t listen to the advice of the teachers who are trying to pivot you away from computing. Stick to the computing class and follow your passion for computers. Following your passion and finding the right mentor can support you, and not every adult is trying to hurt you.”

An early work role, and introduction to cybersecurity, was working overseas teaching digital citizenship and cyber safety to 7 to 16 year-olds with the American School Foundation in Mexico. When Bettridge returned to New Zealand in 2016 she planned to continue in education but got diverted into the film and TV industry.

“I was approached by a family member to work at their film production company. I was curious about the film and creative industries so I did a short stint working with the company,” she recalls.

FROM CREATIVE ARTS TO CYBERSECURITY

“I was working on the set of a New Zealand TV show but I enjoyed more the behind-the-scenes stuff like film editing and web design. This sparked my interest to continue higher education in that area, which led me to sign up for a bachelor’s degree in creative arts, but I made a drastic shift and ended up enrolling for a Bachelor of Computing (networking and cybersecurity).”

After that transition Bettridge really embraced cybersecurity, becoming student president of the ISACA (Information Security Auditing Control Association), an ambassador with Google’s Women Techmakers program and a volunteer lead with OMGTech, a New Zealand charity that introduces young people to technology. She also cofounded, with Sai Honig, the New Zealand Network for Women in Security, and is a member of WiCyS.

Her first IT role was on a help desk, followed by “moves into a few other industries before I joined the cybersecurity industry.” This was followed by security analyst work that opened up further opportunities.

A SIGNIFICANT MENTOR

Along the way she has had help from mentors and credits Simon Howard, CTO and founder of Wellington-based cybersecurity consultancy ZX Security as one of her most significant influences. Howard also co-founded, and assists with running, Australasia’s largest hacker conference, KiwiCon (recently re-branded as KawaiiCon).

“Following the work he and his team do at ZX Security really inspired me while I was a 20 something year old going back to study this new industry,” Bettridge says. “It was the first KiwiCon event I had attended as a guest, which was very inspiring. I liked how the event had a range of speakers from all levels and industries. The event is great for people who are new to the security industry and I hope it will continue for many years.”

Bettridge is now working to gain CISSP and Microsoft SC-100 (Microsoft Cybersecurity Architect) certifications. For newcomers to the industry wanting to enter the Microsoft world she advocates the Microsoft SC-900 (Microsoft Security, Compliance and Identity) and AZ-900 (Microsoft Azure Fundamentals) certifications.

She is also happy to be working in the environment Microsoft offers. “I am grateful to be in a company that supports and empowers employees. We have diversity and inclusion pillars that support individuals through mentoring. We have an employee assistance program and other benefits to support health and wellbeing. I was in a toxic work environment before coming into Microsoft and it affected my mental health and confidence.”

www.linkedin.com/in/tashbettridge


TALENT BOARD

Heath Parker
Teacher | Analyst (Cyber, Business, IT Support) | Communicator | Coordinator
Homebush, NSW, Australia

WHAT POSITIONS ARE YOU LOOKING FOR?
Full-time, Contract

PREFERRED STATE:
NSW: Sydney / Central Coast or remote/flexible

WHAT KIND OF ROLE:
Cyber Security Awareness Training / Cyber Security Consultant. Entry level with my experience and transferable skills taken into account.

WHAT’S YOUR EXPERTISE:
I have over eight years of experience as an educator, mentoring and teaching in classroom and one-on-one settings. I learn extremely quickly and am able to adapt to new environments, systems, and protocols with ease. I have been privately studying Cyber Security, completing an ever-growing number of online courses including a Certification in Agile management from Charles Sturt University and a Certification in Cybersecurity from ISC². I have strong experience in stakeholder management at a high level across a diverse range of professional contexts. I successfully adjust my teaching strategies in line with the audience to achieve optimal outcomes for students. I possess a keen analytical and technical mindset and seek out puzzles, whether that be working with complex software, building PCs, or solving my 10x10 Rubik’s Cube.

WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED?
I am seeking an environment where I can be challenged and grow in this industry. A strong environment of professional development would be ideal. I am confident working both independently and as part of a team. My preferences are for hybrid/work from home however I am flexible and will commute for the right position.

Chris Green
Data Analyst | Business Analyst | Business Intelligence Analyst
Sunshine Coast, QLD AUSTRALIA

WHAT POSITIONS ARE YOU LOOKING FOR?
Data Analyst or Business Intelligence Analyst

PREFERRED STATE:
QLD/Remote

WHAT KIND OF ROLE:
Preferably contract roles, ideally in an analytics section

WHAT’S YOUR EXPERTISE:
Data analysis, stakeholder management, enterprise-wide transformation projects

WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED?
My ideal environment is an outcomes-focused team that supports each other and an organisation that prioritises learning and development.


IN EACH ISSUE WE WILL PROFILE PEOPLE LOOKING FOR A NEW ROLE AND PROVIDE DETAILS OF THEIR EXPERTISE. IF ANY MEET YOUR REQUIREMENTS, YOU CAN CONTACT THEM VIA LINKEDIN.

Mehlika Ercan
Cyber Security Analyst | CompTIA security+ | Mitre ATT&CK | D3fend | Incident Response | IBM QRadar | Splunk | Fireeye HX | Linux
Sunnyvale, California, United States

WHAT POSITIONS ARE YOU LOOKING FOR?
Full-time or Part-time

PREFERRED STATE:
I am looking for cyber security analyst positions in Bay Area / CA.

WHAT KIND OF ROLE:
I have experience and certifications about cyber security. I am interested in upskilling myself, so my future company should encourage me about my developing and enriching my skillset.

WHAT’S YOUR EXPERTISE:
Cyber security is my passion. My goal is becoming an expert on the defence side. Malware analysing and APT groups investigation are my favourite parts of cyber security. I am currently working as an intern, and I am searching for new opportunities and challenges.

WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED?
Remote or Hybrid

Nga Rampling
Junior Full Stack Web Developer | JavaScript | React | Ruby | Rails
Adelaide, South Australia, AUSTRALIA

WHAT POSITIONS ARE YOU LOOKING FOR?
Junior / Entry-level / Associate

PREFERRED STATE:
South Australia

WHAT KIND OF ROLE:
Web Development (Front / Back / Cloud)

WHAT’S YOUR EXPERTISE:
I completed my Full Stack Web Development bootcamp in 2022 (10 months duration). I have 13+ years working in a dynamic team, providing drafting support to a global engineering consulting company, for the oil & gas industry. I have strong skills in communication and in project management. I am naturally an analytical thinker and enjoy collaborating in a team. Strong collaboration and problem-solving skills working with large clients such as Esso (ExxonMobil), and PNG LNG to deliver project goals. Skilled in Procedure Development, Document Management, and Documentation. Experienced in managing construction drawings and ensuring projects are delivered on time and on budget.

WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED?
I have a strong preference for a part-time role, however, I am open to taking on more hours if remote work is permitted.


TALENT BOARD

Saman Fatima
Graduate Research Assistant | MSIS Cybersecurity Graduate at Georgia State University | Cyber Enthusiast | BBWIC Foundation | Actively looking for Internships/Full-time starting Spring’23
Atlanta, Georgia, United States

WHAT POSITIONS ARE YOU LOOKING FOR?
Positions open in the “Cybersecurity” domain

PREFERRED STATE:
Georgia till I graduate (July 2023) then I would be ready to relocate.

WHAT KIND OF ROLE:
Security Roles. With 5 years of experience as a DevOps Engineer, I have obtained 2 Industry Certifications - CyberArk Trustee and Microsoft AZ 900. Aiming to collect more Cybersecurity Certifications in the coming years.

WHAT’S YOUR EXPERTISE:
1. 5.5 years of experience in Cybersecurity - Identity and Access Management and Data Engineering
2. Worked on DB Tools MySQL and well-versed with Linux commands.
3. Worked on Splunk and understand Data Monitoring.
4. Basic understanding of MITRE ATT&CK Framework
5. Have worked with clients (directly) in terms of solutions, design, and implementation.
6. Good Knowledge of Microsoft Azure, have a successful completion certificate of Microsoft AZ 900
7. Worked for a year on the “Data-Driven organization” mission.
8. Experience with offensive security tools.

WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED?
People’s company, work-life balance is priority, mostly remote role as I am a student. Benefits - Health Insurance, Personal Leaves, Relocation Bonus.

ARE YOU LOOKING FOR A NEW ROLE IN SECURITY, CYBER, PROTECTIVE, RESILIENCE OR GRC?
Contact us today and we can publish your details in the next issue of the magazine to help you find your next role.

REACH OUT
aby@source2create.com.au
misty@source2create.com.au


Women in Security Mentoring Program

AWSN is pleased to launch the 2022 Australian Women in Security Network Mentoring Program.

Looking for ways to give back? We need you. Learn more at awsn.org.au/initiatives/mentoring/


CRAIG FORD
Cyber Enthusiast, Ethical Hacker, Author of A hacker I am vol1 & vol2, Male Champion of Change, Special Recognition award winner at 2021 Australian Women in Security Awards

COLUMN

A real hard look

Over the last few months I have taken a really hard look at myself and the industry, at what I have achieved and at the state of the industry. I have asked myself: have I made a difference? Does what I do matter in the slightest?

Honestly, it is probably just the slightest ripple in a massive pond, but every ripple has an effect.

I think, as we become more successful in our lives, as we mature, we start to self-reflect and think about the marks we will leave behind when we are no longer on this earth. My books, these articles, podcasts and even my contributions to AISA are my way of leaving something behind. I try to share my knowledge and help the next generation so when the members of that next generation are ready to take the reins from us they will, hopefully, have the knowledge and have learnt the lessons to guide them to make fewer mistakes than I, you or all of us together.

If we are unable to learn, change paths and adapt to what is to come, we have already lost. I see the truth of that in the ways we bring new people into the industry. We are so stuck in our old ways and hung up on experience and certifications that we lose sight of what we are really trying to achieve: bring in raw talent to help find ways to better protect ourselves.

To me, it is crazy to demand certifications for technologies that are out of date and to require degrees that do not include hands-on experience in their curriculums.

Now, before I move on, I value certifications and degrees. I have some certifications and two master’s degrees I have worked very hard to gain. They have taught me a lot, and made me the person I am today.

However, that does not make them the only way, or even the best way, for everyone to get into the industry. I have a young pentester, Bailey, in my team at Baidam. He is a complete natural who just gets it. He has the raw talent and drive to go out there, find something and just keep pulling at the threads until he achieves his aim. He is a natural hunter with the perfect pentester mindset. He does not have a couple of master’s degrees nor an arm full of certifications, but I feel he has raw talent much greater than mine. One day, with my help or with your help, Bailey, or people like him, could have multiple certifications, or a couple of degrees if they choose to acquire them, but let us look at what we need from the people in our teams.

We need smart people who have the drive and the natural gifts we can hone to help them achieve their potential. In a few years they will reward us for our efforts (probably a lot sooner, but let’s go with years). I know we sometimes need people with experience, but open your team to these newcomers. Instead of getting another analyst maybe get two graduates and help them fulfil their dreams. With that small investment you get more motivated staff, more hands on deck and a much stronger industry.

It is not rocket science, but it can make a huge difference.

www.amazon.com/Craig-Ford/e/B07XNMMV8R

www.facebook.com/AHackerIam

www.linkedin.com/in/craig-ford-cybersecurity

twitter.com/CraigFord_Cyber


CAREER PERSPECTIVES


LIBERTY MUDZAMBA

MY JOURNEY: FROM ACCOUNTANCY TO CYBERSECURITY by Liberty Mudzamba, Senior Consultant in Cybersecurity at EY Liberty Mudzamba is a senior consultant in

simulations to understand their business needs

cybersecurity at EY. One aspect of his role represents

and ensure solutions meet the requirements from a

the achievement of a long-held goal, the other does not.

security, business and technical perspective.

“I always wanted to work for one of the Big Four,” he

In this role, he says problem solving, communication

says. However, cybersecurity was not on his radar

skills, collaboration/teaming skills and stakeholder

initially: he gained a bachelor’s degree in accounting

management are of paramount importance.

and finance from Curtin University and then worked in accounting before landing a role as a security

CURIOSITY AND CONTINUOUS LEARNING

analyst with a not-for-profit organisation. This was

It is a long way from his early roles in accountancy,

followed by various other roles before he joined EY

but he says those roles helped him develop these

in 2019, after gaining a Postgraduate Diploma in

skills. “These were some of the transferrable skills

Cyber Security from a reputable university in Western

and knowledge I found to be relevant in cybersecurity

Australia, where he faced considerable challenges as

from my early roles,” and taught him some valuable

one of few students without a technical background.

lessons. “In hindsight, I realise that my initial fear of not transitioning into cybersecurity because I

“The course was delivered in technical jargon, and this

wasn’t techy enough were exaggerated. I am glad I

required me to study twice as hard to stay on top of

managed to fight the imposter syndrome and step

my grades,” he says. “I doubted my ability to survive in

out of my comfort zone. I also redirected my fear

this industry several times, but I remained focused on

towards growth, reading books and watching as many

the bigger picture, to help simplify the cybersecurity

podcasts as I could to accelerate my learning. The

technical language into simple, consumable language

process imparted an important lesson: that we all can

by non-technical decision makers.”

restart our careers as long as we carry enough drive and curiosity.”

Today, he works with EY’s client organisations

48

undertaking cybersecurity maturity assessments, assurance, transformation programs and crisis

And Mudzamba has certainly learnt continuously. In addition to his Postgraduate Diploma in Cyber Security, he is also an ISACA Certified Information Security Manager (CISM) as well as a Microsoft Certified Security Operations Analyst Associate. He has also completed three executive level programs at the Cyber Leadership Institute, where he was one of the youngest in a class of seasoned global cyber leaders and CISOs.

STRATEGIC CHOICES

He says his certification choices have all been strategic. “Accounting and finance gave me a solid understanding of how business decisions are made. My postgraduate cybersecurity diploma accelerated my understanding of core foundations in computer science. Certifications from the Cyber Leadership Institute and ISACA’s CISM equipped me with the skills to lead with confidence and accelerate change through transformational programs.”

Also, these programs gave him opportunities to collaborate with, and learn from, CISOs around the world, and further that it is the support of people—friends, family, managers, lecturers, mentors etc—that has enabled his career achievements.

“Now more than ever I understand cybersecurity is a team sport. As such, I would like to continue making a difference through collaboration, driving and accelerating the creation/adoption of resilient digital ecosystem.”

Mudzamba says he is happy he made a career shift into cybersecurity. “The most important decision was to get out of my comfort zone to pursue what set my soul on fire. If I were to go back the only thing I would do differently would be to find a mentor early and to strategically attend networking events to build meaningful relationships.”

GIVING BACK THROUGH MENTORING

Now, he himself is a mentor and cites the opportunity to give back to the community through mentorship as being one of his most satisfying achievements.

“Through my current organisation I have participated in university mentorship programs where I get to share my journey with aspiring cybersecurity professionals, encouraging them to see beyond the obstacles and remain curious and focused. Most importantly, being able to educate my daughter about cybersecurity and teaching her how to be cyber safe has been the most satisfying experience to date.”

Beyond mentoring, Mudzamba sees a need for established cybersecurity professionals to reach out to young people who might not even be contemplating a career in cyber.

“Without structured educational at grassroots level cybersecurity will always be viewed/perceived as a topic of the future. The time to train current and future cyber heroes is now. To champion this, top leadership at national and corporate level has a pivotal role to play to ensure there is a mindset shift at every level.”

To those already contemplating a career in cybersecurity, he says internships and volunteering are good ways to start. “Hone your soft skills and identify a specific area you are passionate about. Study the main relevant topics and be exceptionally good at that. Trust is important in cybersecurity and being authentic is one way to earn trust. Being curious and having a good attitude towards learning is a great way to stay ahead of the curve. The threat landscape is continuously changing, hence the need for one to be a continuous learner.”

He would particularly like to see more women enter the profession, saying the industry needs people with diverse experiences and perspectives. “There are various security programs that aim to support women and tackle barriers that hinder women looking to enter cybersecurity or progress their careers.”

www.linkedin.com/in/liberty-mudzamba-b4634243



LEKSHMI NAIR

CHANGING THE ‘CHANGE’ JOURNEY

by Lekshmi Nair, Managing Principal, APAC, Synopsys Software Integrity Solutions

A few days ago I got a ping from a dear old colleague of mine. She wanted my advice on how to settle into a new role in the organisation she had joined a few months earlier. During our hour-long conversation I realised I had been in a similar situation not so long ago. We spoke about several issues.

• I had been a star performer in my previous organisation. My views were heard and valued. No one in my new organisation was willing to listen to me. How could I be heard?
• I could see several ways in which current systems could be improved, but when I made suggestions people, especially my peers, took these personally. How could I bring about change?
• I was working across multiple different areas. How could I set priorities?
• My team members were carrying a lot of baggage from their previous experience under their former leader. How could I build an environment conducive to growth?

Moving from my previous organisation after 15 years I heard several questions from well-wishers that were very pertinent to my new situation.

• It must have been a very difficult decision for you.
• How did you adjust to your new environment?
• Did you ever feel like going back?
• How did you get over it?

I admit, it was not an easy journey from a well-established role in an organisation where I was well known to a role in a new organisation where I was unknown. Here are some of my experiences of what worked and what did not.

1. SOMETHING IS WORKING HERE, GET HOLD OF IT

Know your organisation’s what, when, why and how.

a. What are the organisation’s core business, products and services?
b. Who are the key stakeholders who will contribute to the success of your role: leaders, peers, team members, extended teams, support functions, etc?
c. Who are your key internal and external customers, and their contacts?
d. How is the work being performed?

2. GAIN THE CONFIDENCE OF YOUR MANAGER

Know your goals, boundaries and objectives. Align with your manager on short term and long term goals. For the first six months at least schedule regular one-on-ones with your manager. Work on 90 day and 180 day plans and track progress. Build a strong relationship with your manager, before you join if possible. Ask, ask and ask. No question is a bad question when you need to understand what is expected of you. Get regular feedback on your plan and make changes if needed.

3. KNOW YOUR TEAM

When you are the new manager of an existing team in a new organisation much can go south. Be considerate, because they have gone through a change of manager, and some of them may have worked with your predecessor for several years. So, be ready for cold shoulders, non-cooperation and even emotional outbursts. Be empathetic and kind. Schedule one-on-one meetings to understand everyone in the team, their core strengths and aspirations. This will enable you to better analyse the team’s composition and its individual members. You will also gain a sense of risk factors such as potential resignations.

4. A LOT CAN BE BETTER, BUT NOT FROM DAY ONE

You come to your new organisation with vast experience and a rich background. This means you have a lot to offer your new organisation. Your manager may have told you “Hey, I am looking to you to bring much-needed change here.” Remember number one above “Something is working…” You need to embrace your new environment and be part of it before you propose changes. Making changes will be much harder if you question small parts of a system that is working. You will be perceived as a ‘newly hired outsider’ who is still suffering a hangover from your former organisation. However, do not lose your ‘newness’ in this process. Keep your ideas fresh and take them out when you are reasonably good with actions one, two and three. This was the most difficult part of my change. While I succeeded in making many of the changes I wanted, I am still working through a list of things I want to change.

5. THINGS ARE NOT WORKING AS YOU EXPECTED. BE PATIENT

At times, certain decisions may not produce the outcomes you expect or environments may not function as you expect. You need to give yourself time to embrace the change and give your new organisation time to embrace you. Consider your career as a marathon, not a sprint. Ask these questions, and take these steps, before you take a call:

a. Am I able to meet my 90 and 180 day goals and objectives?
b. If not, are some things working? Am I in a position to meet the remaining goals and objectives in 270 days?
c. If not, have an open conversation with your leadership. Consider options for role change or for the support needed to make things work.
d. If the answer to question a is yes, evaluate your ability to meet your role-specific objectives and business imperatives. If you believe these to be achievable you are right to continue.
e. If none of options a, c and d are working, move on. Some things work and some things do not. There is something to learn from every opportunity. Just move on to a better place.

Above all, the most important skill you need when you aspire to be heard in a new environment is to be equally ready to hear. You will pick up something useful from every conversation. So, before you take the leap, work on your listening skills.

www.linkedin.com/in/lekshmi-nair-1299548



JEMMA LAWRENCE

WOMEN IN CYBER SECURITY FROM A RECRUITERS PERSPECTIVE

by Jemma Lawrence, Recruitment Consultant at CyberSec People

As a woman who has worked in recruitment for a number of years it is great to see a genuine desire for diversity and a huge demand for women in cybersecurity. It is awesome to see new women coming into the industry. It means we will see many more women in leadership positions in a few years. These women are being inspired to fulfil their untapped potential and they inspire others to embark on their career journeys.

I am fortunate to work for CyberSec People, the most engaged recruitment company in the cybersecurity industry. One of the great things about CyberSec People is that we attend most infosec events nationally, giving us great exposure. This means clients and candidates reach out to us for industry information and advice. Through these interactions I know our clients are committed to diversity and to attracting and promoting women in the cybersecurity industry.

However, I notice women still undervalue themselves, not only in cybersecurity but in most industries. Women are reluctant to apply for positions unless they meet all the criteria listed in the job description. On the other hand, men will typically throw their hat in the ring regardless of how many of the selection criteria they meet. This is a phenomenon that disadvantages women because they are less likely to apply for more senior roles (referred to as ‘stretch roles’ by LinkedIn).

However, the world has had to adjust post-Covid and companies are hiring outside their usual scope. Simply ticking off a laundry list of experience and qualifications is no longer sufficient. It does not take into consideration transferable skills: abilities candidates have learned throughout life that are useful in a new job.

As a recruiter for governance, risk and compliance specialists I speak to women in the industry daily who are passive job seekers, and typically would not consider applying for a role more senior than their current role.

It is extremely rewarding to help anyone into a new position, but especially to help women who may not have considered applying for a higher paying and/or a more senior position that offers career progression. I often see women underestimating what they can earn in the industry and undervaluing their experience compared to their male counterparts. I recently helped a female principal security advisor secure a salary package $20K above her expectation, which was extremely rewarding.

A study by TechBrain, an IT support services group in Perth, looked at the wording used in job advertisements. It found adverts for higher-paying jobs were more likely to use masculine words while those for lower-paid positions used more feminine language such as ‘committed’, ‘responsible’ and ‘collaborate’. By recognising such gender-biased wording women can overlook it and apply for higher paying opportunities.

It is important employers and recruiters acknowledge that gender biased wording does determine who will apply for a position, and use gender-neutral language or gender-inclusive language that avoids bias.

My advice to women when applying for jobs is to focus on these three things:

• the responsibilities of the role;
• the company you will be working for;
• the team you will be working with.

If those three things match what you are looking for, apply for the job.

“You’ll miss 100 percent of the shots you don’t take.” So, take the shot!

Let us have a look at the percentages of women who have taken the shot. According to the latest analysis of the cybersecurity profession, women make up around 24 percent of the workforce worldwide. This figure is by no means as high as we would like, but it is heading in the right direction: a few years ago it was roughly 20 percent.

Cybersecurity is a growing field of study and employment, offering amazing career pathways. There are many opportunities to build an exciting and solid career in a wide range of roles.

Whatever a girl’s talent, there will be a good fit for her in the security industry. Whether she is good at maths, or creative, whether she prefers talking to people or writing, there is a place for her.

A diverse workforce brings massive benefits to society in general, and it is inspiring to see the cybersecurity sector embrace the need to encourage, promote and support women throughout their careers.

I would love to be able to help more women into the industry, there is a genuine desire for you, and I hope you can see your value and be confident in your abilities.

As a cybersecurity recruiter, I see my role as being more than simply matching vacancies with candidates. I also see my role as being to reduce risks to our clients (and, by extension, the public) through sourcing the best skills to protect us from the sophisticated cyber threats we see every day.

www.linkedin.com/in/jemmagrc



VANNESSA MCCAMLEY

REFLECT ON YOUR THINKING AND THE BEHAVIOURS YOU NEED TO REACH YOUR VISION

by Vannessa McCamley, Leadership and Performance Consultant, Coach, Facilitator, Author and Keynote Speaker

How often do you reflect on your thinking and behaviours to fulfil your purpose?

Often, we are so busy we do not devote time to reflecting on the thinking and behaviours required to achieve our WHY, our purpose. Over time some of the behaviours that have helped you be successful may no longer serve your purpose. Your purpose may have changed as you have grown and developed. Regularly dedicating time to reflect is one of the most effective strategies for creating a compelling vision of the life you want, and realising that vision. The best way to look at the concept of a life vision is as a compass to help guide you to take the actions and make the decisions that will propel you toward your best career and life.

HINDSIGHT CAN BE A WONDERFUL GIFT

Reflection on key learnings is GOLD. Through reflection we can use the key learnings from past experiences to explore options in our current environment/situation and choose those most likely to help us achieve success. We often code memories as good and bad, wanting to move towards the good and away from the bad. A common example is a workplace brainstorming session where someone produces an idea and someone else says “I’ve tried that and it doesn’t work.” How often have you experienced this?

In this situation I often ask insightful questions like:

• Knowing what did not work, what would you do differently to set up for success?
• What options could be explored to gain a different perspective and outcome?

To become clear on your vision / purpose, what you want to achieve and what this looks like, reflect on the learnings from these questions without bias.

WHY YOU NEED A VISION

One of my favourite quotes, adapted from Lewis Carroll’s Alice in Wonderland, is: “If you don’t know where you are going, how will you know when you get there?” With a clear vision you are likely to achieve far more than you would without one. Think of crafting your life vision as mapping a path to your personal and professional dreams. Life satisfaction and personal happiness are within reach. If you do not develop your vision other people, the environment and circumstances will direct the course of your life. Clients have asked for my help because they no longer want to go with the flow; they want to create the path that adds the most value to their lives. Here are the steps I recommend. The first step is the creation of a vision board.

WHAT IS A VISION BOARD?

Your vision board is a unique visualisation tool that creates a space in which to define your goals. Think of it as a map of your future that will inspire you and act as a guide to your day-to-day behaviour, steering you towards the future you desire. Use this to create your desired career, relationship, income level or anything important to you.

[Figure: Vannessa’s Vision Board. “My ‘WHY’ improves the lives, productivity and performance of individuals, teams and organisations while impacting their health and well-being positively.” Panels: Your GOAL; Positive Feedback; Success Milestones in 30, 60, 90 days; Values; Plan/reflect (when you do your best thinking); Mitigating Risks; Passions; Aspirations; Self-care; Healthy Fuel Required; Mantras (“I am the conductor of my destiny”); Social Connection.]

STEPS TO CREATE YOUR VISION BOARD

1. Define your purpose and goals along with your top three to five values.
2. Identify the actions you need to take to achieve your goals. Use photographs, images from the web, whatever inspires you.
3. Make a collage of all these images on a bulletin board, wall or piece of paper you can laminate or put into a binder. Feel free to get creative! Consider including a picture of yourself in a happy state. What would this look like? What would it feel like?
4. Tip: to avoid attracting chaos into your life, be careful not to create a cluttered or chaotic board. Simplicity is best.
5. Add motivational ‘affirmation words’ and inspiring quotes that represent how you want to FEEL. Choose words like ‘courage,’ ‘brave,’ ‘free,’ ‘creative freedom,’ ‘belonging,’ or ‘orchestrator.’

Take a few moments to review your vision board every day, especially when you wake up and before you go to bed. You can use it while doing yoga, meditating, making plans or relaxing.

OUR BRAIN NATURALLY SEEKS CERTAINTY AND PREDICTABILITY

If you can prime your brain to overcome obstacles and create a vision based on these learnings you will save time and effort when making decisions about your career and life direction and looking after your health and well-being.

ABOUT VANNESSA MCCAMLEY

Vannessa McCamley is a leadership and performance expert specialising in neuroscience practices that help individuals and businesses grow in meaningful ways whilst delivering measurable results in healthy ways. She has a passion for helping people and businesses to overcome obstacles and enabling them to reach their strategic goals. She brings a strong background in IT security and more than 20 years of business experience to collaborating with individuals at all levels and from several industries. She is the author of Rewire for Success – an easy guide to using neuroscience to improve choices for work, life and wellbeing.

linksuccess.com.au/rewire-for-success

www.linkedin.com/in/vannessa-mccamley

linksuccess.com.au/contact-us



AS BURNOUT TAKES ITS TOLL, REMEMBER TO PUT THE U BACK INTO CYBERSECURITY

by David Braue

Cybersecurity overhauls will drive new technology investments in 2023 – but don’t forget your people.

After spending two years dealing with the implications of the dramatic shift to remote work, cybersecurity specialists have cast their nets much wider as they work to rebuild security infrastructure around new concepts such as zero trust, open security, and new approaches to managing security risk that are more actively aligned with companies’ operational needs.

“The whole system needs an innovation approach that is sustainable over time,” said Chris Hockings, chief technology officer with IBM, in spelling out those three priorities during the recent Gartner Security & Risk Management 2022 conference, “because we’re just not going to be able to do this thing the way that we did before.”

Investments in these areas – which also include issues such as cloud security and API security, the major cause of the recent breach of Australia’s second-largest telecommunications carrier, Optus – will dominate security spending in 2023 as entities at every level overhaul their cybersecurity strategies.

This includes, among other things, a Budget commitment by the US Government to ramp up cybersecurity spending in line with a “bold new course to overhaul the Government’s approach to securing Federal IT” – and a $US10.9 billion cybersecurity budget will accelerate the CISA’s new 2023-2025 Strategic Plan and a transition to a multi-year zero-trust strategy by the end of fiscal 2024.

Other countries are following suit, with the global National Cyber Security Index (NCSI) highlighting the ongoing deficiencies in many countries’ cybersecurity postures – whose transitions to zero-trust security, across enterprise systems, remote employees and cloud architectures, are set to underscore most cybersecurity investment during 2023.

Yet even as governments and businesses pour tens of billions into improving security technology, grandiose missives riffing about the importance of data protection say little about investing in strategies to support and nurture the people responsible for running those systems.

Although it rolls out well-worn tropes such as building a “diverse workforce, representative of the population they serve”, for example, the US Budget outline follows the very common script that sees people only as vessels into which cybersecurity skills must be poured: “a strong cadre of cybersecurity and IT professionals will allow the Government to run more efficiently and effectively,” the outline notes.

NOT WHAT IT’S CRACKED UP TO BE

Investments in developing skilled cybersecurity professionals are both necessary and important – but what happens when those cybersecurity and IT professionals, chastened by the realities of what can be an immensely stressful, difficult and ultimately overwhelming job, throw up their arms and walk away?

It happened recently to Lily Clark, a former client success representative who moved into a role as offensive security consultant with Pittsburgh-based Echelon Risk + Cyber in September 2021 – and walked away from the small firm a year later after the pressures of the job compromised her well-being more than she could bear.

“Feeling like a failure that I couldn’t cut it,” she bravely tweeted, calling the decision to quit “a point of shame and a bit of sadness”.

Online colleagues were having none of her self-blame, with one fellow cybersecurity worker noting that “working in this field can be overwhelming while being underappreciated, and it never stops. Every time my phone vibrates I think ‘oh another [incident response] is coming’; it wears on you.”

“You didn’t fail just because one specific job at one specific employer was too much for you,” said another, “and in a way, your employer failed you.”

Such experiences are rife in cybersecurity, particularly as the stresses of COVID-era isolation were compounded by the increasing pressure to protect companies that were being attacked more than ever before – and the emotional alienation that festers within cybersecurity teams that are often comprised of isolated individuals spread out across large distances.

This is what the cybersecurity industry looks like on the other side of the fence – the consequences of increasingly urgent recruitment that is focused on the input side of the pipeline, but often leaves security workers feeling overused and unsupported.

Stress and burnout were by far the two most significant personal risks named by CISOs in the recent Heidrick & Struggles 2022 Global CISO Survey, in which 60% and 53% of North American CISOs, respectively, said that those issues were the biggest risks relating to their role.

Interestingly, CISOs in European (35%) and Asia-Pacific (33%) companies were much less likely to report burnout than their North American peers – suggesting that companies in the latter market are either far busier than elsewhere, or proving to be particularly poor at managing the stress caused by fighting to keep up.

Other stressors named by respondents highlighted just how broad a range of stressful experiences cybersecurity is causing for the people who work in the industry: a third of Asia-Pacific CISOs, for example, said they feared losing their job after a breach and worried about being held personally financially liable for a breach – compared with just 16% and 11% of European respondents, respectively.

Throw in concerns about higher than usual turnover due to the “dynamic hiring market”, feeling underpaid, worrying that they can’t keep up with rapidly evolving threats, and concerns that their organisation doesn’t see the necessity of cybersecurity protocols – and it’s clear the realities of the CISO job continue to challenge even the most enthusiastic, well-trained candidates.

“The importance of the role of the CISO continues to grow as digital technologies become even more prevalent,” the report’s authors noted. “There is burnout and stress associated with this role, which should lead organisations to consider succession plans and/or retention strategies so that CISOs don’t make unnecessary exits.”

TECHNOLOGY FOR THE PEOPLE

Given the eye-watering salaries that many companies are paying employees with well-developed cybersecurity skills, executives may find it hard to believe that employee well-being is causing even well-paid CISOs to walk away from their jobs. But it’s happening – and when it does, it can bring even the most well-designed change program to its knees.

Indeed, fully 73% of respondents to Splunk’s recent State of Security 2022 report said they knew a colleague who had quit their security jobs due to burnout – with 78% saying that remote workers are harder to secure, and 65% had seen an uptick in attacks during the pandemic.

Even the best technology isn’t worth much without the people needed to use it and apply it to their business requirements. Given the technological change that is already ramping up and will dominate the market during 2023, it is therefore crucial that executives focus not only on investing in security technologies, but on employee well-being initiatives to ensure that cybersecurity staff feel well-supported and capable of managing their workloads.

“When we talk about diversity, equity, and inclusion, it’s not just about finding the diversity and [hiring] people who don’t look like you,” said Elizabeth Wilson, director of talent and diversity & inclusion with global security peak body ISACA.

“It’s about bringing them into the fold, and helping them feel good about being in your place of business. And sometimes we do the great work of finding the people, but then we don’t know how to include them.”

This can be harder than it seems, particularly in security jobs that often see workers engaging with screens more than the people around them.

“We go back into our little holes and back into our working environments,” Wilson said, “and we don’t have that opportunity to engage with people – but it’s important to take the time to find what’s going on around the world in different communities, and supporting one another.”

Security automation technology – which evolved as a way of coping with the explosion of operational data caused by the adoption of tools such as SIEM (security information and event management) systems – has emerged this year as a key way of reducing the human toll of cybersecurity.

By streamlining the detection of security anomalies and using AI to whittle down floods of data into what is hoped to be a manageable stream, automation has become table stakes for a contemporary security architecture – and with so much funding going towards transitioning security architectures into the world of zero trust, it’s important that executives fund automation initiatives during 2023 with the same enthusiasm that they embrace other security technologies.

“We all know that cybersecurity continues to be one of the most demanding professions in the world,” Gartner senior director analyst Richard Addiscott noted at the firm’s recent Security & Risk Management Summit, where he exhorted attendees to build security strategies for 2023 that accommodate shifting societal and regulatory expectations.

“Focus on your people to foster more secure behaviour,” he said, “and adapt to increasingly distributed cybersecurity risk decision making. We need to pause – even if it’s only for a minute – and we need to look up, and look out, to reframe current thinking and simplify.”



SIMON CARABETTA

PEOPLE CULTURE BUILDS RESILIENCE

by Simon Carabetta, Business Operations Manager at ES2

The one thing that has remained consistent in my various roles since I made my career transition from high school classroom teacher to cybersecurity is the terminologies people use when describing… well, people: ‘resource’, ‘FTE’, ‘talent’. The list goes on.

Granted, in education we use the term ‘student’ as a collective noun for the hundreds of different young people we interact with daily, but a (good) teacher always sees their class as a group of individuals, not simply a list of names on a report sheet. In the corporate world I have noticed a worrying trend: we are using dehumanising words when referring to humans.

In cybersecurity circles we speak often about an organisation’s cyber resilience, its cyber posture, its cyber plan. We use personification terms more when talking about companies than when talking about the people who work for them, which brings me back to resilience.

IT IS TIME WE STARTED TALKING MORE ABOUT THE RESILIENCE OF PEOPLE WORKING IN SECURITY

One thing I loathe is people being treated as assets. I come from an education background and I was raised to see people as people, so I hold that view very strongly. Extremely effective mental health campaigns such as R U OK? Day have extensive reach and very good intentions. However, something is clearly wrong when organisations that encourage their employees to wear yellow once a year, eat cupcakes and distribute mental health flyers also use dehumanising terms to refer to those same employees, and fail to implement real change to support mental health in the workplace.

When massive data breaches make the news it is the security teams that bear the brunt of corporate and media attacks. Questions are asked, investigations probe team members and heads roll. The question I have is: what is happening at the corporate level to support these workers?

Beyond cyber incidents, when it is business as usual, the night-shift security operations analyst is surely hurting if they have not spent time with their family for nearly a week because of the work schedule. The CISO who has pulled consecutive 12 hour shifts to get their cybersecurity program endorsed and off the ground is surely hurting. And the student with no job prospects on the horizon who has had to give up two part-time jobs to take on an unpaid internship so they can graduate is surely hurting.

These are just three examples, but it is quite clear: there are many different ways individuals in our sector are impacted every day. We talk about burnout and fatigue, and it is evident when speaking with security workers at out-of-hours functions just how exhausted they really are.

The attacks are coming thick and fast yet no one is giving any thought to the frontline defenders working tirelessly and around the clock to respond to incidents. The recent Optus breach has been covered relentlessly by the press yet no one has thought to question the wellbeing of a security team that must surely be hurting right now. This must change.

I know the media will never, ever make the mental wellbeing of security workers their focus when a cyber attack occurs. However, I would like to see some mention of how much effort and hard work so many security professionals put in day in and day out to protect a company which, let’s face it, sees them only as ‘assets’: replaceable, easy to discard, and an expense.

Of course, I do not speak for all organisations and businesses. There are some very good cybersecurity companies and non-security organisations that treat their people very well. They implement mental health programs and look after the wellbeing of personnel across their businesses. However, should this not be the norm rather than being simply labelled ‘progress’?

Why can we not build the resilience of our security people the same way we want to build cyber resilience into organisations? This should be the number one priority for businesses when they are putting together a security team. They need clear and agile thinkers, people who are on the ball and can act

If you have read some of my previous articles for this magazine you may see I have quite an interest in language and culture. An article earlier this year spoke about how language is used as a weapon in the security industry. Language can also be a tool to bring about positive change. The culture will turn around when a new term for employees is developed: people.

That is the only word you need. You do not need to go too far and call yourself a family. I loathe that, and it is a big red flag for almost any organisation. People: the people you work with; the people you hire; the people you report to and the people you help to lead; the people in your team and the people you contract to; the people who acquire your services and the people you make game-changing deals with.

We work with people. After all, cybersecurity is a people-driven industry. It is people who carry out the attacks. It is people who do their best to defend and respond to those attacks. We need to use that word much, much more each day in the office, while working from home, even having a coffee with workmates down the road.

We are security people. Only when we finally adopt

swiftly in a crisis. They need people who will use logic

more human-centric corporate cultures across

but can also think outside the box when they have to.

Australia will we see an increase in wellbeing. I will go

Those traits are most apparent when someone is of

one step further and claim that organisations with a

sound mind and feeling well.

more positive focus on their people and the mental health of their people will have more cyber resilience.

This may seem cynical. You may be thinking right

I challenge anyone in the security sector to find this

now, “But Simon, isn’t the company just treating them

not to be the case.

well so their assets are working at their optimum level?” And yes, you are right, it is cynical. That is why organisations need to adopt a people culture.

I S S U E 11

www.linkedin.com/in/simoncarabetta

WOMEN IN SECURITY MAGAZINE

61


Source2Create Spotlight

Events

Finding the right way to reach and approach your audience is key to success, that’s why we’re shining a light on our events. Our event services are readily available and used to deliver seamless experiences for both you and your audience. Our ‘Events-As-A-Service’ module allows you to break your event into modules and hand across the work you simply don’t have time to coordinate, or simply just want off your plate. S2C can do it all. We invest the time and energy into developing this strategy and plan, driven by data-based assumptions, to make your event a success. What are you waiting for?

REACH OUT TODAY

charlie@source2create.com.au

aby@source2create.com.au

misty@source2create.com.au


2023 AUSTRALIAN WOMEN IN SECURITY AWARDS

12TH OCTOBER

Don’t Miss Out


JOB BOARD

SENIOR SECURITY ANALYST | CULTURE AMP

MELBOURNE | HYBRID | VICTORIA | MID-SENIOR LEVEL | AUSTRALIA | FULL TIME | GREAT BENEFITS | DIVERSE AND INCLUSIVE ENVIRONMENT

ABOUT THE JOB

Culture Amp is looking for an experienced Senior Security Analyst to join a growing security operations function and participate in event and incident management, and vulnerability management activities. You will have experience investigating cybersecurity events, supporting incident response activities, and conducting threat hunting exercises.

The Senior Security Analyst will play a major role in Culture Amp’s cybersecurity detection and response capability and will collaborate with other security operations team members to ensure that processes, tools, and documentation are appropriate. This role is a great opportunity to contribute to the security of the Culture Amp platform while working with talented engineers in a cloud-centric security environment with some of the latest technologies.

WHAT YOU’LL BRING TO CULTURE AMP

• Experience investigating security incidents and events using SIEM (Splunk preferred)

• In-depth technical knowledge of operating systems, networking, and cloud platforms

• Experience with playbook development

• Experience performing threat hunting and leveraging threat intelligence to guide investigations

• Experience participating in cybersecurity tabletop exercises

APPLY HERE

COMMUNICATIONS AND CAMPAIGN SPECIALIST, SECURITY AWARENESS | IAG

PERMANENT OPPORTUNITY | AUSTRALIA - NATIONWIDE | FLEXIBLE WORK AND LEAVE OPTIONS

THE ROLE

Protect IAG’s digital and information assets by increasing the awareness and education of our staff, partners and customers. You will be responsible for clearly and effectively explaining complex security concepts and promoting the secure behaviours necessary for protecting our customer information, systems, assets and people. The position requires the research, analysis and writing of security content for all security education and awareness activities, programs, and campaigns. As a key member of the team, you will ensure an easy-to-understand readability level and tone of voice is maintained across all security communications. This role is also the custodian of the security website, ensuring all content is current and accurate. You will measure and report on success of the security campaigns and communications through channels, such as Security Website, The Vine, Our Place, Yammer. This role is in one of the critical teams in Cyber and Protective Services. It is to be part of an elite group that is in huge demand across Australia. A major sophisticated cyberattack against IAG could have a catastrophic impact on the business, and this team is one of the main lines of defence against such an attack.

READY FOR ANYTHING? LET’S TALK.

• Start your career journey with us and click ‘Apply’! Applications close on Monday 31st October 2022

APPLY HERE


ACCOUNT EXECUTIVE – CYBERSECURITY | NOVUM GLOBAL

SYDNEY | HYBRID | NSW

Recently graduated from university with excellent grades + have 1 year of sales/call centre experience? Do you want to work for a leading Cybersecurity software company to drive security and protection for mid-sized Australian enterprises?

Successful applicants will have the following:

• Degree with a credit average

• Outbound sales or customer service experience gained from a call centre or sales

• Great communication skills and bubbly personality

Our client offers a great career opportunity, mentoring, training, and the ability to earn significant remuneration. Interested? Contact us and send your CV to us today. (Australian Permanent Residents/Citizens only to apply)

APPLY HERE

CYBERSECURITY AWARENESS & EDUCATION LEAD, DELOITTE GLOBAL TECHNOLOGY (DT-GLOBAL CYBERSECURITY) | DELOITTE

TORONTO, ON | WINNIPEG, MB | CALGARY, AB | EDMONTON, AB | OTTAWA, ON | QUEBEC CITY, QC | FULL TIME

WHAT WILL YOUR TYPICAL DAY LOOK LIKE?

In this position, you will write, design, and implement cybersecurity awareness strategies and materials for our internal audiences. Together, we’ll create communications that inform, connect, and engage our complex global community to ensure that we’re cultivating a strong culture focused on protecting and securing our broader organization. You will provide communications expertise and deliverables to the cybersecurity organization. This may include the following activities:

• Work with Global Cyber Culture program team to craft cybersecurity awareness and education plans that drive secure cybersecurity behavioral results.

• Plan, research, and create high-quality cybersecurity awareness communications deliverables including:

  • Articles
  • Compelling images/infographics
  • Presentations
  • Leadership talking points
  • Videos
  • Emails
  • Web content
  • Training

• Design, support development, and implement cybersecurity educational experiences (e.g., micro-trainings, cyber quizzes)

THE NEXT STEP IS YOURS

Sound like The One Firm. For You?

We encourage you to connect with us at accessiblecareers@deloitte.ca if you require an accommodation for the recruitment process (including alternate formats of materials, accessible meeting rooms or other accommodations). We’d love to hear from you!

APPLY HERE


HEAD OF INFORMATION SECURITY | TAB NZ

AUCKLAND | NEW ZEALAND | HYBRID | FULL TIME | GREAT BENEFITS

Information Security is paramount to any leading Digital organisation and a core capability to safeguard the confidentiality, integrity and availability of TAB’s Digital assets. As Head of Information Security, you will be joining our senior leadership team and leading our Information Security Centre of Excellence. You will be responsible for establishing and maintaining the enterprise vision, strategy and supporting initiatives to ensure the protection of TAB’s Digital information assets and technologies. You will also identify best practices in security and risk management and facilitate compliance within NZ and international standards as appropriate.

WHY CHOOSE THIS ROLE?

• Love the team – We are a passionate bunch that love pushing the boundaries and are proud of what we deliver. We need you to support, motivate and guide them to perform at their highest level

• Make a Difference – The TAB gives back millions each year to racing and sport – so come and be part of this NZ icon! Take on the big boys in Sports Entertainment.

• Collaboration – Work closely with all stakeholders across the business and drive awareness, education and adoption of Information Security governance, policies, standards and procedures.

• Live life your Way – The TAB has offices across the country. This role will sit in either Auckland or at Head Office in Petone, Wellington with travel to either location on a regular basis. Everyone is in the office on Mondays and Tuesdays but on other days you can juggle with working from home so it is a true Hybrid working space.

• For more information about the role - stalk us on LinkedIn, nosey around our website and check out the Position Description attached. Apply now, shortlisting and interviews will be held as applications come in. We can’t wait to hear from you!

APPLY HERE

CYBER SECURITY SPECIALIST | VODAFONE NZ

AUCKLAND | WELLINGTON | REMOTE HYBRID | FULL TIME | GREAT BENEFITS

YOUR ROLE

This is a customer-facing role accountable for operational security activities across a portfolio of enterprise and government customers.

You’ll act as a lead to provide overall security support and direction to your customers, transposing technical requirements and issues into business outcomes. This includes the design, implementation, and ongoing operations of customer-facing security platforms and services for the assigned customer(s), as well as providing C-level discussion and support to the customers and their teams holding responsibilities for the design and architecture of security products and services. The successful candidate will show a true customer obsession and a drive to deliver results.

• Experience in leading a small technical team.

• Proven, commercial experience working with customers.

• Experience in designing and supporting Information Security platforms in complex customer environments including Public and Hybrid Cloud deployments.

• Experience in the operation, build, and design of the following vendors’ security products and services: AWS, Microsoft Azure, Check Point, F5, Fortinet, Cisco, and Palo Alto.

Joining the Vodafone whānau will stretch you, challenge you and provide opportunities you’ve been seeking to expand your career. You’ll engage in unique workplace experiences, be exposed to exciting and innovative technology, and gain opportunities for learning beyond Aotearoa.

APPLY HERE


INFORMATION SECURITY SPECIALIST | LUFTHANSA INTOUCH

CAPE TOWN | WESTERN CAPE | SOUTH AFRICA | FULL TIME | GREAT BENEFITS

The Information Security Specialist works with the Information Security Manager/Local IT Team Leaders to ensure security-related services are functional on sites conducting regular internal compliance checks to ensure compliance with PCI requirements.

• Projects achieve/maintain PCI DSS compliant/maintain enforce IT/Security

• Maintain information security standards/procedures in compliance with information security/risk management policies standards/guidelines

• Maintenance/support security controls/user profiles of the functional teams

• Participate in security processes/application assessments/product certification/connectivity to intranet and internet

• Report-defined IT/Business privacy/security metrics

• Business continuity planning/testing/implement/disaster recovery planning/provide security/availability/integrity/confidentiality

• Contingency/continuity information technology services compliant with policy/regulatory requirements

• Perform vulnerability scans/highlight results/generate reports/remedial action where deviations identified

• Monitor/coordinate audit trail/management/review/Patch/Anti-Virus updates/local FWs/IPS Systems

• IT standards/processes compliant

• Tertiary Qualification/equivalent with working experience

• Min 2 yrs of experience in a similar role in a global company

• Worked in a process-driven environment with enterprise-grade edge security devices and NGFWs/distributed Patch management systems, managing engine

• IT Enterprise Architecture

APPLY HERE

DO YOU WANT YOUR COMPANY'S JOB LISTED IN THE NEXT ISSUE?

Contact us today to find out how we can boost your job listing and help you find the top talent in the security industry.

REACH OUT

aby@source2create.com.au

misty@source2create.com.au


KAREN STEPHENS

Karen is CEO and co-founder of BCyber, an agile, innovative group that works with SMEs to protect and grow their businesses by demystifying the technical and helping them to identify and address cybersecurity and governance risks. In 2021 Karen graduated from the Tech Ready Woman Academy’s Accelerator and the Cyber Leadership Institute’s CLP programs.

COLUMN

Keep calm and carry on

As I sit down to write this, Australians find themselves knee deep in the Optus data breach.

It is all very good to say “keep calm and carry on” but the 9.8 million Australians who may have been affected (and some say the figure could be as high as 11 million) is a substantial portion of our population, which stands at around 25 million. So, I fear this message is perhaps not getting through to those who need it the most.

As always it is important to have good cyber hygiene at both a personal and a corporate level. So, while the mainstream media keeps on feeding the fire of fear and confusion, we need to keep our heads when all about us are losing theirs (with thanks to Mr Kipling) and focus on ensuring we get the basics right. Here are six basics to get you started on the cyber secure journey.

1. Assessment. You cannot protect what you are not aware of. You cannot educate those you do not understand. A good assessment includes both qualitative and technical quantitative components. And do not forget to include your website!

2. Good password hygiene. We saw how important this was during the recent RI Advice court case. While it may be tempting to use a password more than once, to share it (to keep software costs down) or even to choose one you can easily remember, don’t. You need passphrases or a complex password containing 16 alphabetic and non-alphabetic characters for everything: business, personal, the lot.

3. Build cyber knowledge into your DNA. Tick-the-box cyber training leads to complacency and a false sense of security. Training and education must be continuous, relevant and fun.

4. Patch everything, patch often, patch now. Do not make it easy for cybercriminals to exploit your business. Keep your patches up to date on all devices; business and personal.

5. Speak business not tech. Never assume your business contacts understand what you are saying. There are many interchangeable terms out there. ATO, is it Australian Tax Office or Account Takeover? Assets, do you want to invest in shares, property, fixed interest accounts or cash, or do you mean software and hardware? There are many more examples, but you get the gist.

6. Practice makes perfect. When you have a ransomware breach, that is not the time to discuss how to handle it. The better prepared you are, the better your business will handle the breach.

www.linkedin.com/in/karen-stephens-bcyber

www.bcyber.com.au

karen@bcyber.com.au

twitter.com/bcyber2

youtube.bcyber.com.au/2mux


INDUSTRY PERSPECTIVES


IN 2023, LOOK FOR WAYS TO CONSOLIDATE PROGRESS AROUND GENDER EQUITY

by David Braue

COVID pressured CISOs like never before – but it also created momentum and empowerment

After two years spent compensating for the security impact of the COVID-19 pandemic, CISOs were already in recovery mode before Russia’s invasion of Ukraine sent the global economy into a tailspin. And as the cyber attacks continued unfettered, it was clear early on that 2022 was not going to offer a reprieve for organisations that have cranked the transition to digital operations up to eleven.

Whereas they entered 2022 with myriad challenges and uncertainty to deal with, however, security and business executives around the world spent much of the year learning to manage these risks – and as they head into 2023, they are responding to ongoing challenges on the front foot.

“We are getting better at asset management and starting to build an enterprise architecture capability so we understand our [operating] state better and how it interconnects,” noted Gina Gill, chief digital innovation officer with the UK Ministry of Justice, who has been working with security teams to ensure the transformation integrates security at its core. “We’re putting some governance, and proportionate governance, around new technology.”

Although the ministry’s transformation has coalesced around a formal Digital Strategy 2025, executing on that plan has been burdened by the complexities of driving change through an expansive government body comprised of 13 different organisations – each with a different CEO, board, and governance – operating 80 different IT environments across 100 locations in the UK.


“Once you start digging and take a step back and look at it, it is more complicated than it needs to be,” Gill explained, telegraphing the major challenges that she will be helping the organisation tackle as its transformation rolls into 2023.

“We’ve got a big challenge in terms of legacy technology, and that limits our ability to respond to change. And I think that’s a common theme and a common problem.”

“It has taken a long time and experimentation,” she added, “to get to a point where we’ve got genuinely digital teams and operational teams and policy teams working together to implement policy in a way that can be easily implemented operationally and digitally. And it’s brilliant to see.”

GETTING BETTER ALL THE TIME

From one corner of the corporate world to another, women executives are demonstrating their management nous, grasping the nettle to lead extensive transformation efforts.

“I was asked to get an understanding of what the maturity level was, and how we could get it to where it needed to be so that it was appropriate, and everything would be aligned with our risk,” said Audrey Hansen, who began working as CISO with global industrial giant BlueScope in mid 2019 and embarked on a global program of work “to uplift our security maturity.”

That program has included extensive outreach, open engagement with stakeholders, and risk-based assessments to better understand the circumstances around the company’s 2020 ransomware compromise – which put Hansen’s team into overdrive as they engaged with outside specialists and worked to contain the impact of that event.

“The one thing that came out of it is that cybersecurity really is a business risk,” Hansen told a recent Gartner conference. “My language has always been about managing risk, understanding that risk, and mitigating it as well. You can go and say that security is risk and people listen, but it doesn’t completely drive home until something actually happens.”

In mid 2021, something did happen: Hansen’s cybersecurity team was officially rehomed into BlueScope’s corporate risk area, representing a significant mindset shift that is continuing to support her work around security as she continues to pivot into the new operating state of 2023.


Source: World Economic Forum

More than ever before, women are helping beat the drum of secure transformation – whether in leading digital transformation initiatives, managing their security, or executing other roles that might have seemed completely out of reach just a few years ago.

The good news: women now comprise 42.7% of senior and leadership roles worldwide, the World Economic Forum’s latest Global Gender Gap Index found, setting a high-water mark for gender parity that has seen the gender gap closing steadily across exemplar countries such as Iceland, Finland, Norway, New Zealand, and Sweden (Australia is actually moving backwards, according to some reports).

The bad news: technology remains one of the most stubbornly gender-inequal industries, with just 24% of leadership roles held by women in 2022 – although, on the bright side, the technology industry adjusted its gender imbalance more during 2021 and 2022 than any other industry.

“More women than ever are working in cybersecurity, from the entry level employees all the way up to the C-suites and the CEOs,” explained US National Security Agency CISO Peg Mitchell, who joined the agency after completing a degree in applied mathematics and now heads security in one of the world’s most secure organisations.

“We look up and look around, and we need to see reflections of ourselves,” she added. “It’s really important to bring different voices – whether it’s different skills, different backgrounds, or different views – to the problem. You learn from that diversity of experience because that’s how we get a richer answer.”

THE BRIGHT SIDE OF COVID

As the security industry heads into 2023, many women technology leaders feel the cause of equality has turned an important corner – and some are thanking the COVID-19 pandemic for creating the opportunity for this to happen.

“Flexible working arrangements, work-life integration, balance, and hybrid working are all playing out in favour of women,” said Annie Chong, Singapore-based regional IT director with pharmaceutical giant MSD International and an active Women in IT Sponsor.

“We are able to balance our work and our life better, because these topics are no longer taboos. Women nowadays are more courageous, and they know what they want and what are their priorities – and they know how to exert their worth, and their rights, and their values.”

The support of value-driven companies, enabling colleagues and loving families have all played a role in this empowerment, Chong added: “this is not just us,” she said. “The whole ecosystem has to move and support us.”

This newfound confidence – which was fostered during 2022 and will be a key enabler of change during 2023 and beyond – helped Geetha Gopal, head of infrastructure projects delivery and digital transformation with Panasonic Asia Pacific, nurture a more confident and capable version of herself during the pandemic.

“During COVID, I saw myself as more empowered because I was able to juggle the multiple roles that women play,” she explained. “I do not have to take leave to be able to manage my personal situation; I can take two hours off, take care of my son, and be on escalation calls and manage my go-lives.”

Given the freedom to be unapologetically focused on work-life balance, Gopal said, women are in a stronger position than ever moving into 2023.

And while she admits not being an advocate of full-time working from home – she encourages staff to work in the office three days a week – she said that to stay competitive organisations will need to become real about diversity, equity and inclusion (DEI) and stay more flexible for the long term.

“If we want to promote DEI, and sustain more women in the workforce, we need to empower this kind of hybrid approach,” she said. “You need to be flexible not just by word, but by practices. Ensure that there are policies in place that are measurable and tangible; and that empower people on the working line, to ensure that it goes down all the way to the bottom and gets implemented.”

Such practices will be key to making 2023 the year when diversity and gender equality will persist as core values for companies around the world – and that, noted UOB first vice president for enterprise data governance Joyce Chua, should be a key goal for executives at every level and every industry.

“What we can do is to ensure that equality and inclusiveness and culture are the tone from the top,” she said, “and the culture of embracing anyone. in terms of like whether you are female or male, so long you do the job, you get your KPIs, you get your promotions, and so on.”

COVID’s disruption has created other issues, Gill points out, with women benefiting from an overall paucity of security and other technology skills that she attributes partly to a lack of foresight by the many companies that got strategically T-boned by the COVID pandemic.

“I’m still totally baffled why COVID was the driver for technology updates [and] why technology wasn’t a bigger thing in people’s minds before 2020,” she explained.

“Now we’ve got a marketplace that is just so competitive. There aren’t enough skill sets. There aren’t enough digital skills in our organisation and government, in the country, in the world. I know that sounds melodramatic, but it’s sadly true.”

Ultimately, however, “there is cause for optimism,” noted IBM Garage partner and ASEAN leader Charu Mahajan, noting that the industry is exiting 2022 with around one in four leadership positions filled by women.

“If we can move that to 30 per cent,” she said, “we will have made a pretty big impact.”


AUSTRALIA’S CYBERSECURITY SECTOR: WHERE ARE THE WOMEN?

by Dr Maria Beamond, Lecturer in Management, RMIT University and Dr Leonora Risse, Senior Lecturer in Economics, RMIT University

At a time when Australia’s security sector is growing in importance it is suffering from a skill crisis: employers are having difficulty finding a sufficient number of suitably qualified people to fill available roles. Australia will need around 7000 additional practitioners in the security sector by 2024, according to AustCyber.

Moreover, the cybersecurity sector, and the security sector more broadly, suffer from a distinct lack of diversity, particularly from a low level of participation by women. Women’s under-representation could be the result of biases and barriers impeding their career opportunities and advancement in the sector. The growing awareness of the benefits diversity can bring to organisational performance, decision-making and responsiveness and to meeting the real-world challenges organisations face, leads to a realisation that the sector, as a whole, is not operating optimally.

These issues mean the factors contributing to women’s low representation within the cybersecurity sector need to be better understood.

Available estimates suggest women comprise somewhere between 11 percent and 24 percent of the cybersecurity workforce. However, there is no accurate measure of the gender composition of Australia’s security industry, nor a clear picture of the types of jobs women are undertaking and the skills they possess.

RMIT Centre for Cyber Security Research & Innovation (CCSRI) and the Australian Women in Security Network (AWSN) are partnering to undertake a research project to address this knowledge gap by providing new statistics on the gender composition of the security sector in Australia, including cybersecurity. These fresh insights will be drawn from official labour market statistics collected by the Australian Bureau of Statistics and a tailored survey of members of the security sector workforce in Australia.

WHY SHOULD THE CYBERSECURITY SECTOR CARE ABOUT GENDER EQUALITY?

Available data suggests technology workers, such as cybersecurity professionals, are approached with a new job offer once a week and that some 45 percent of organisations are short of cybersecurity talent. There are signs this skills crisis is worsening, given discussion about the skills shortage in cybersecurity talent “has been going on for over ten years” and “there has been no significant progress toward a solution to this problem,” according to an ESG report.

This skills crisis has negatively impacted several organisations by increasing the workload of existing employees, leaving tasks unfilled and causing high burnout among employees. These problems make it imperative to attract new talent and diversify the composition of the cybersecurity workforce.

Inequitable opportunities and gender-based biases create barriers to greater diversity that are sometimes intangible. Our understanding of the influence of implicit biases and barriers imposed on women in many vocational and professional settings is growing. These barriers are often due to the persistence of traditional practices and gender-patterned stereotypes, according to a report in the Harvard Business Review. This research paper suggests one solution to the shortage of talent in the cybersecurity industry could lie in better understanding the reasons for the sector’s gender imbalance.

The research being undertaken by RMIT and AWSN will provide a deeper understanding of the barriers to, and enablers of, women’s careers in the security sector. The insights generated will help expand the sector’s talent pool and equip it for the growing challenges and demands it faces in the future.

While existing research suggests general ways to expand the sector’s talent pool there is little focus on gender inequalities and the factors that explain women’s low representation in the sector. This project will provide insights to better understand the factors that can either support or deter women from pursuing, and flourishing in, a career in the security sector.

Taking an industry-wide and economy-wide perspective, this research project will also investigate the ways in which the industry is failing to achieve optimal performance and fully meet the needs of its client base. If the cybersecurity industry is not operating with a gender balanced workforce, it is failing to attract, nurture and retain the full breadth of talent and skills available in the workforce and the capacity for innovation.

THE SOLUTION

Women’s under-representation in the security sector can be likened to a leaky pipeline, an analogy often applied to other industries experiencing gender imbalance.

Firstly, there is a need to attract women to the sector, a process that begins during their education when they are assessing their career choices. Those women joining the sector need support throughout their careers to help them progress. This entails understanding the factors causing women’s careers

to stagnate and lag those of their male peers or

the strategic interventions by key agencies and

causing them to drop out of the sector completely. If

stakeholders that can have influence.

women step out of the workforce to have children, or

• An exploration of the ways to create a

for other caring responsibilities, their re-entry into the

cybersecurity talent management system that

workforce needs to be supported.

will work for women. This entails identifying the elements of the cybersecurity talent management

Dropouts mean fewer women progress to senior

system that will most effectively and equitably

and leadership levels. This has repercussions for

attract, select and retain female talent. It will

workforce culture and the capacity of cybersecurity to

encompass planning, employee engagement,

attract the next generation of women.

learning and development, performance management, recruiting, onboarding, succession

This study will identify the factors contributing to this

and retention.

leaky pipeline and the policies and changes needed to foster the increased representation of women.

ABOUT THE AUTHORS This research project is being conducted by RMIT

THE RESEARCH

University Centre for Cyber Security Research and

Through data analysis and a survey of the security

Innovation in partnership with the Australian Women

workforce, this research project offers:

in Security Network (AWSN). It is being carried out as an independent academic research analysis

• A definitive understanding of the number of

and is not linked to any commercial interests. The

women working in security and the gender

research team comprises: Dr Leonora Risse, Dr Maria

composition of the sector, with a focus

Beamond, Dr Joanne Hall, Dr Lena Wang, Dr Banya

on cybersecurity.

Barua, Professor Matt Warren and Mr Laki Kondylas.

• And understanding of the distribution of women across security roles, with a focus on

Further information on this project can be found at

cybersecurity roles.

https://www.rmit.edu.au/news/ccsri/understanding-

• And understanding of how Australian women’s skills and capabilities can contribute to

gender-dimensions-project-survey. The study will be officially launched later this year.

overcoming the current and expected future professional skills shortage in the security industry. • An understanding of the enablers of and barriers to women’s participation in the security sector,

www.linkedin.com/in/maria-beamond-b8187325

www.linkedin.com/in/leonora-risse-92939091

and identification of the practical applications of this knowledge. This will require an understanding of the sector’s policies and institutional practices, of educational and training pathways and identification of

76

W O M E N I N S E C U R I T Y M A G A Z I N E

N O V E M B E R • D E C E M B E R 2022




FATEMAH BEYDOUN

THE FUTURE OF DEVELOPER SECURITY MATURITY IS BRIGHT, AND THESE VERTICALS ARE LEADING THE CHARGE

by Fatemah Beydoun, Chief Customer Officer, Secure Code Warrior

An unspoken war is raging in most IT departments across the world, a David and Goliath battle between two critical teams: application security and developers. With conflicting priorities and relationships that are often extremely negative, it is no wonder some internal security cultures are on life support.

Okay, perhaps that was a little dramatic, but it reinforces my argument: we have got to do more to foster a positive security experience for developers. It is no longer good enough to exclude them from a comprehensive, defensive security strategy. With the cost of the average data breach swelling to $US4.35M in 2022, it is imperative we give cyber defence our best shot. That will mean taking an honest look at internal security maturity, and building it upon a strong foundation.

As an industry we have a long way to go to uplift developer security maturity. However, in my role, I am fortunate to work with many organisations leading the charge in helping developers become the security superheroes we need on the front lines. Generally, their overall internal security maturity is more advanced than the norm, and some verticals seem to achieve maturity faster than others. Let us explore why.

MODERN SECURITY MATURITY: WHICH VERTICALS DO IT BEST, AND WHAT SETS THEM APART?

There are multiple security maturity models, but across the board the adoption of security maturity basics like overall role-based awareness and relevant skills is somewhat hit-and-miss. However, I have found the financial sector to be ahead of the game in both security maturity and in its willingness to make developers part of the plan.

This is perhaps not surprising: financial organisations are subject to stringent security regulations in most countries and compliance rules like PCI-DSS demand continuous attention and adherence. Financial organisations achieve compliance by adopting modern security techniques despite many being constrained by legacy platforms and systems. Some of our clients still use COBOL, a programming language that originated in the 1950s. However, they ensure their COBOL developers have precision training in secure coding, and continuous exposure to the latest vulnerability mitigation strategies.

Another factor is the increased effort devoted to benchmarking current developer security skills and building upon these with structured programs that suit the security needs of the organisation. With the right guidance developers will gradually get onto the same page as the application security team and will see the role they can play in securing software and making security a priority.

NURTURING DEVELOPERS AND MAKING THEM PRINCIPAL CHARACTERS IN THE SECURITY STORY

Overall, it takes an organisation-wide effort to raise security awareness, ensure everyone is equipped with the right skills and knowledge to play the part their role requires and expand the security strategy well beyond automation and scanning tools to embrace people power.

Companies that make developers central to their defensive efforts reap the benefits of early vulnerability eradication and reduced pressure on the application security team, giving it the breathing space to work on the complex problems only its members can fix.

Such future-focused organisations follow a pattern for developer upskilling that often exhibits these three core elements.

• Reward and recognition. Developers have been disadvantaged insofar as the status quo dictates security not be their top priority when shipping code. Nor are most teams measured on their security prowess through their KPIs. Advanced security maturity turns this idea on its head and gets developers to share responsibility for security. This is a significant shift, and those who embrace secure coding should be recognised and rewarded for their efforts. Peer recognition is especially powerful and can lead to better career opportunities and leadership roles.

• Certification. Internal programs which structure tiered learning modules that are both job-relevant for developers and organisation-critical can give developers the opportunity to work towards recognised credentials that can elevate their status and show at a glance that the company is committed to the highest standards for everyone working on code. With the introduction of measures like the Biden Administration’s Executive Order around verified security skills for those involved in the software supply chain, the need for certification will grow.

• Cultivating a positive security culture. While it seems simple, fostering an organisation-wide security culture that embraces developers and maintains positivity is no cakewalk. Breaking down silos between application security and developers, focusing on software quality over speed, and making security more fun and less daunting should be prioritised. However, it really does ‘take a village’, and it takes endorsement from the CISO to set and uphold standards of security awareness and action.

Those companies that are truly at the forefront of developer security maturity go well beyond simply ‘ticking the box’ for compliance. Instead, they opt to invest in a transformational process for both individuals and the culture in which they operate. It is my hope that more verticals will follow their lead and help set a new standard for code-level security.

www.linkedin.com/in/fatemah-beydoun-b6555bb1


KAT LENNOX-STEELE

SHIFTING PERCEPTIONS OF IT AND CYBERSECURITY POLICIES: POLICY SHOULD NOT FILL YOU WITH DREAD

By Kat Lennox-Steele, Information Security Analyst and Co-Founder at Cyber Tribe and MVP

In conversations about policy you will often be met with groans, exclamations of boredom and sometimes apprehension. Writing and managing policies is seen as time consuming and requiring expertise. And it is expensive, so can easily get tossed into the too-hard basket when the day-to-day running of your business seems more important. This was my perception until I started working with companies to improve their compliance and realised the positive impact that well-structured policies could have.

Policy is viewed as one of those things you need to have to tick a compliance box and to make sure every new employee reads in their first week. Once they have been through their induction, it is unlikely they will ever see those policies again.

Traditionally policies have been seen as a mechanism to protect an organisation and are brought into bat when addressing poor employee behaviour or when they, regulations, or the law are breached. Often policies are long, verbose and full of technical or legal jargon making them difficult to consume, comprehend and retain.

After many years of conducting cybersecurity assessments in various roles our team found cybersecurity and IT policies were, for most companies, often a shortcut to achieving compliance. But why is policy so underrated and underutilised?

People are at the centre of our businesses, clubs and communities with technology as another layer or enabler. Policy at its core is about people. If we change our perspective, policies represent a tool that can be used to help, not just to enforce rules and dish out punishment.

Changing people’s perceptions of policy might seem like a hard sell, but when used correctly policies can foster a culture of commitment, personal responsibility and self-regulation by clearly communicating boundaries, expectations and accountability within your team. Good policies also let your team know where to turn to for help.

Policies are the top tier of the cake, and the supporting layers are standards and procedures, the ‘how to’ detailed, directive guides. Using these tools together brings uniformity to operations, and they can be used as training tools, reducing the risk of an unwanted event. Effective policy creates a business environment that is efficient, fair and responsive: one that encourages justified decision making and promotes good business and cybersecurity practices.

Once you have policies in place you can then easily align your information and cybersecurity strategy to the aims and core principles of those policies and use them to guide the creation of a roadmap for the implementation of controls to meet the needs of your organisation.

Initiating change will always be tough. When attempting to introduce policy to an organisation or alter existing policies, there are a few key considerations to ensure success. Not everyone in your organisation will need to be across every single policy, and I recommend allocating policies according to roles, personas or location. Look at the culture in your teams when creating your plan for rollout and decide on the best vehicle to tackle it. This might be a team meeting, a newsletter or a competition between departments or teams. It could also be important to choose an appropriate time: an accounting firm would be unlikely to appreciate a policy rollout at the end of the financial year.

A policy should address a real need in your organisation. Helping everyone to understand some of the benefits it will bring can help ensure better uptake and commitment to the desired ways of working. Buy-in from those at the top will also help the messaging filter down through your ranks. Requesting feedback, having an open forum or providing a point of contact for anyone to ask questions can also keep your team engaged and supporting the idea that policies are a tool, not a one-time thing. Feedback also provides visibility of support and keeps everyone in the loop.

The company I founded, Cyber Tribe, aims to help lift the cyber posture of all organisations through easily accessible policy, management tools and user awareness training.

With my newfound passion for helping people with policy, I created a set of policies aligned with best practice and leading industry standards that would close the identified gaps. One of my main goals was to compose policies that would be concise and easily understood by the reader without loss of the critical messaging. We have developed a SaaS policy management solution, Impetus, to democratise access to these policies for organisations of all shapes and sizes.

One of the biggest pain points for organisations I have worked with has been the storage and management of their policies and the recording of who has read and acknowledged them. Impetus acts as a repository to keep all policies in one place. Once users have been granted access, they can view the documentation at any time. This allows people to use policies as living, breathing tools that can, with some quick editing, easily evolve whenever changes occur. Each user is also required to digitally accept the policies, providing a record for auditing purposes. Additionally, Impetus will also notify the policy owner when it is time to review and renew a policy, enabling compliance to be maintained.

Policy control is one of the essential controls we need to normalise and use better in our businesses. Using policies as tools to support and empower people while fostering an improved cybersecurity awareness culture can only be a good thing.

www.linkedin.com/in/klennox-steele

www.cybertribe.co.nz

www.minimumviableprotection.com

www.capacitategroup.com


JANA DEKANOVSKA

2022 HAS BEEN A WATERSHED YEAR FOR CYBERSECURITY, BUT WHAT’S NEXT?

By Jana Dekanovska, Strategic Threat Advisor at CrowdStrike

2022 has been a pivotal year for cybersecurity with adversaries increasingly turning their gaze to Australia’s critical infrastructure and essential industries. Just when organisations were starting to catch up, new and novel threats emerged. In September we saw another attack on ride sharing and food delivery giant, Uber, just months after the company revealed it had suffered a ransomware attack in 2016.

Sophisticated, highly targeted and premeditated intrusion campaigns are being carried out against some of the world’s largest companies. CrowdStrike’s OverWatch team uncovered a highly sophisticated Chinese state-sponsored adversary, Aquatic Panda, carrying out a long-term targeted intrusion campaign against a global technology and manufacturing company. China-linked adversaries such as Aquatic Panda continue to be the most active groups conducting cyber attacks for economic, diplomatic and political purposes.

In fact, China-linked adversaries were the most frequently observed targeting entities in Australia and New Zealand. Continued geopolitical tensions between Canberra and Beijing and the AUKUS security pact further fuelled this activity in 2022. Adversaries attributed to the Democratic People’s Republic of Korea were also prolific, maintaining a dual focus on financial gain and economic espionage driven by domestic circumstances and ongoing international sanctions that restrict the country’s access to global markets.

Nor is Australia immune to financially motivated cyber attacks. Bitwise Spider dominated the eCrime scene throughout 2022 and continues to operate the most professionally run ransomware-as-a-service operation, accumulating the highest number of victims to date. In June 2022, Bitwise Spider released a new update to its program, introducing novel features and techniques, and reaffirmed its focus on what we have named the triple extortion model: ransomware, DDoS attacks and data leaks all at the same time.

This activity is consistent with the criminal behaviour CrowdStrike Intelligence has tracked over the course of 2022 in which adversaries move away from using ransomware alone and adopt the triple extortion strategy.

Governments are adapting to the onslaught of attacks from nation states and criminal groups through legislative measures such as the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 which passed in April this year, and more recently Labor’s plan to overhaul Australia’s cybersecurity strategy. But more needs to be done to keep pace with the continued evolution of cybercrime in Australia and the Asia Pacific region more broadly.

THE GRADUAL DEATH OF RANSOMWARE

Headline stories of cyber attacks in which threat actors demonstrate new levels of determination and expertise through consistent and successful exploitation of organisations are becoming routine. These attacks are made possible by the continued evolution and innovation of their tradecraft.

One example we have seen over the last year is China-linked adversaries moving from relying on phishing and spear phishing as their primary methods for gaining access to organisations, instead leveraging zero day and old vulnerabilities for access to public-facing assets that have not been patched.

Beyond nation state adversaries, financially motivated criminals have been seen moving away from relying solely on ransomware to adopting the triple extortion model. It has become one of the latest strategies in cyber criminals’ arsenals to maximise pressure on the victim and increase the likelihood of a ransom being paid. With good, regularly maintained data backups to restore systems in the event of a ransomware attack, data encryption is no longer enough to extort a ransom from a victim.

As organisations improve their cybersecurity posture by working with security companies such as CrowdStrike, threat adversaries are clearly becoming frustrated because their old ways are not working. We have seen eCrime adversaries leveraging stolen personally identifiable information and cold calling company employees to threaten physical violence unless the ransom is paid. This shows that cyber intrusions are increasingly human-led and, in the worst case, that adversaries will resort to a variety of tactics, including physical violence, to coerce victims into meeting their demands.

This activity is consistent with CrowdStrike’s most recent Falcon OverWatch Threat Hunting Report, which observed that human-led cyber attacks against organisations in Asia Pacific and Japan grew at a far faster rate than attacks against their peers elsewhere, with an attack occurring approximately every seven minutes, down from eight minutes in 2021. Globally, 71 percent of all threat detections were human-driven, an increase from 64 percent in 2021, as reported by CrowdStrike in February 2022.

Another key, but unexpected, trend we observed this year was the rise of ideologically motivated cyber attacks around the world. eCrime adversaries from Russia, Ukraine and the US were seen shifting their motivations from financial gain to ideologies as a direct consequence of the war in Ukraine. In the APJ region, we saw a similar pattern of behaviour with Chinese hacktivists conducting attacks against Taiwanese government websites ahead of US House of Representatives Speaker Nancy Pelosi’s arrival in Taipei. Similarly, we saw hackers claiming to be affiliated with Anonymous deface a Chinese government website in support of Taiwan and Pelosi’s visit.

In light of these activities we can expect adversaries to continue to experiment with their newly found appetite for conducting ideologically motivated attacks, selecting targets on an ad hoc basis to react to political conflicts and controversial issues as they emerge.

FUTURE CYBER THREATS AND HOW BUSINESSES CAN SET THEMSELVES UP TO STAY SAFE

Based on changing adversary behaviour observed in 2022 we can expect to see a greater shift towards targeted intrusions in the year ahead. Targeted intrusions will continue to be a threat particularly to Australian businesses and government agencies in 2023 as foreign, state-sponsored adversaries undertake intelligence gathering and cyber espionage and sometimes pursue financial objectives. Moreover, the rise of ideologically motivated cyber attacks will see hacktivists replicate the level of sophistication and professionalism of eCrime actors in their campaigns, but in much greater volumes.

Adversaries now operate much like any other large organisation and are constantly finding new and innovative ways to exploit existing vulnerabilities within an organisation. Because of this, human threat hunting is key to identifying changing behaviours and preventing attacks. Having access to the latest adversarial intelligence and real-time visibility of misconfigurations and vulnerabilities on a network will enable organisations to anticipate threats and respond immediately to cyber attacks.

Today’s adversaries do not only exploit organisations for financial gain; they are ideologically motivated and far more sophisticated than the typical hacker portrayed as someone operating from his mother’s old sofa bed on his home-built computer.

www.linkedin.com/in/janadeka

www.linkedin.com/company/crowdstrike


ASTHA KESHARIYA

CYBER RESILIENCE IN THE CYBER WORLD

By Dr Astha Keshariya, Information Science, University of Otago

Cyber resilience is a combination of cybersecurity and business continuity. It is the ability of a business to prepare, protect, respond, recover and rapidly reinstate normal operations during or after a cyber disruption such as ransomware, a data breach, identity theft or natural disaster.

Cyber resilience comprises strategies, controls and planned activities to be taken in response to a cyber disruption, to anticipate the impacts of that disruption, counter them and rapidly restore normal operations.

There are many components to an effective cyber resilience strategy: technical, functional, organisational, regional and national. Also, it must integrate many components and supply chain actors that are part of the organisation’s ecosystem.

Furthermore, the evaluation of the impacts of disruption may vary depending on the sociotechnical nature and purpose of the organisation: the requirements of a business in the financial sector would differ from one in healthcare and from one in retail.

RESILIENCE BY DESIGN

Today no organisation exists in cyber isolation. There is no such thing as a perfectly secure environment, service or product. It is a moving target that organisations strive to achieve. Thus, a fair balance between offering customers compelling solutions whilst maintaining sustainability is necessary in a dynamic cyber business.

The paradoxical nature of the cyber-attacks is that the organisations with the most advanced cybersecurity capabilities are most often attacked. Cyber attackers are drawn to high-profile challenges, which often have the potential to provide higher monetary rewards. Multinational companies are tempting targets for ransomware attacks or intellectual property theft. Government organisations are targeted by rival nation states.

It is impossible to accurately assess the global economic cost of cybercrime but experts suggest its dollar value is comparable to that of the global drug trade.

Cyber resilience-by-design based on digital trust is a strategy organisations can adopt to minimise the damage caused by cyber attack and to remain relevant in the digital world.

ISACA defines digital trust as “the confidence in the integrity of the relationships, interactions and transactions among providers and consumers within an associated digital ecosystem.”

It follows from this definition that digital trust can be achieved only when all parties have robust cyber resilience strategies that factor in all their interdependencies.

Corporations and governments are on the path to digital transformation, investing heavily in e-governance initiatives, digitising critical systems, thus inviting digital ecosystems with multiple service and technology providers. An effective resilience plan must factor in all these relationships and interdependencies.

This also implies that the supply chains and critical infrastructures are at greater risk than ever. There has been a rise in supply chain attacks of 51 percent since 2021, according to Revenera’s 2022 Report on Software Supply Chain Compliance, mostly due to increased reliance on operational support systems.

According to a 2022 survey by cyber insurance provider, Munich Re, 35 percent of c-level participants are considering commercial cyber insurance as an essential part of their risk management strategy. The report estimates global cyber premiums to be worth $US9.2 billion annually and expects this figure to grow to approximately $US22 billion by 2025 for IT, manufacturing, financial services providers, healthcare, government institutions (including the education sector), consumer products and services. This growth in demand for cyber insurance is predicted to be swifter than insurers’ capacity to provide it. And organisations pursuing cyber insurance will need robust cyber resilience plans if they are to sustain the cover.

Frameworks like the US Department of Homeland Security’s Cyber Resilience Review and NIST’s Cyber Resiliency Engineering Techniques, Resilience Management Model and the Guidance on Cyber Resilience for Financial Market Infrastructures by the Bank for International Settlements can all be used to help an organisation develop an effective cyber resilience strategy.

KNOW THY DATA

Nefarious players who are dedicated to identifying and exploiting loopholes in the data management strategies of a data-driven economy can bring business operations to a standstill.

Data protection has been a focus for cyber defenders for some time. However, the significant rise in ransomware and data breach events demands careful examination of an organisation’s:

• long-term data strategy keeping in mind business requirements to maintain single and multiple sources of truth of the information assets,

• its data architecture and data segregation policies to meet regulatory compliance (personal, financial and health data must be handled differently),

• its coherent policies and processes to ensure data security, privacy, integrity and quality,

• data flows and data boundaries that are often blurred to the extended business liaisons and third-party service providers in the ecosystem.

EMPOWERING THE WORKFORCE THROUGH CONTINUOUS LEARNING

Traditional cyber defences may no longer be sufficient in light of recent cybersecurity events, the shortage of cybersecurity professionals and gaps in specific cybersecurity skillsets. This situation requires investment in workforce empowerment to develop the necessary talents within an organisation. This can be achieved with:

• targeted role-based training in addition to general cybersecurity awareness training for staff, suppliers and external entities involved in business operations;

• skill enhancement through training and certifications for cyber defenders, specifically in cyber law, threat intelligence, cybercrime investigation, fraud detection and digital forensics to thwart sophisticated cyberattacks;

• research programs on threat intelligence and cybersecurity automation that can help build the capability to extract, analyse and validate meaningful insights for effective real-time response and recovery efforts.

Awareness of the need for organisations to have robust cyber resilience strategies that embrace the roles of the partners in their ecosystem. Their shared goals coupled with mandates from regulators will lead to an overall improvement in cyber resilience in the near future.

www.linkedin.com/in/astha-keshariya-ph-d-b80b063


STACEY CHAMPAGNE

CORPORATE LAYOFFS: A PERFECT STORM FOR INSIDER RISK AND THE IMPERATIVE FOR HOLISTIC MITIGATION APPROACHES

By Stacey Champagne, Insider Risk Expert, Founder & CEO of The Trade Secrets Network and Hacker in Heels

With over 42,000 tech sector employees laid off in 2022, many workplaces are in a constant state of stress. A June 2022 survey found nearly 80 percent of American workers concerned about their job security. Individual identity, finances and healthcare are intertwined with employment. Therefore, the threat of losing one’s job is a threat to financial security and mental health.

The situation is further exacerbated by C-suite executives who display ineptitude and mismanagement. In early February 2022, the cofounder of fitness equipment maker, Peloton, stepped down after being criticised for inconsistent pricing and manufacturing strategies. 2,800 jobs were cut and an additional 800+ jobs are reported to have been cut since. Compass—a real estate brokerage that touts as its competitive edge a proprietary tech platform for agents—has conducted three rounds of layoffs since June 2022. Onlookers have dubbed it “the WeWork of residential real estate” saying the company has “raised and spent money like a tech firm but made money like a brokerage.”

Employees are voicing their opinions loud and clear. Articles about employees meeting their job duties but refusing to complete above-and-beyond assignments are rife on social media. Dubbed “quiet quitting,” this workplace mentality aligns with a Gallup report showing the ratio of engaged to actively disengaged employees as 1.8 to 1, the lowest in almost a decade.

The current workplace climate of distrust, disengagement and threat to individuals’ livelihoods


I N D U S T R Y

P E R S P E C T I V E S

is a perfect storm for insider threat activity. Insider

A relationship of concern and trust is everything when

threats are any persons (including contractors and

managing risk or a VUCA event. The magnitude of

third parties) who have, or have had, access to

the event is heavily influenced by the level of trust the

company data and systems and have used their

public (employees) have for the incident responders

trusted access for unauthorised activities such as

(executives). Employees who witness layoffs far

fraud, theft, sabotage and/or workplace violence.

removed from their own role in the company may

Insiders commit hostile acts against organisations

believe they will not experience any impact. However,

for a multitude of reasons. In a climate of workplace

if a software engineer hears of overarching volatility

uncertainty and layoffs insiders may be facing

in the company’s market and does not believe the

financial distress or feel they are about to be/have

company leadership is making the right moves to

been wronged by their employer. They might believe

minimise impact, trust can decrease.

they own the product, code or documentation they have created while employed, and have the right to

If executives lose the trust of employees and

take it with them upon termination.

customers, or fail to follow through on promised actions, according to this paper on crisis leadership

Managing insider risk, especially during times of

in a hyper-VUCA environment, the “level of concern

company turmoil, requires a thoughtful, holistic

increases and the event will grow. As a result, the

approach that addresses both operational psychology

[executives] will find [themselves] not only expending

and the technological components of the layoff

more resources to respond to the event but may

experience. This approach should include not only

deploy additional resources to make the response

employees who will experience their final day with the

appear more robust to outside observers in an

company, but also the colleagues and managers who

attempt to increase trust.”

will remain.

THE CRITICAL PATH TO INSIDER RISK CORPORATE LAYOFFS AS VUCA EVENTS

The loss of trust and subsequent stressors that often

VUCA stands for volatile, uncertain, complex and

accompany a corporate layoff can move employees

ambiguous. The term is used to describe events

down the critical path to insider risk. The Critical Path

that are difficult to plan for and manage, typically

Method uses a collection of indicators created by

in an emergency management context. A company

researchers studying historical insider threat cases in

experiencing layoffs is arguably in a state of emergency/crisis and could benefit from many of the

the US intelligence community and Department of

same mitigation strategies and mindsets used to tackle VUCA events. Retired US Army colonel Eric Kail has outlined adaptive strategies and tactics for operating in a VUCA environment, stating: “clear communication is vital in volatile situations; getting a fresh perspective and maintaining flexibility is critical in uncertain environments; collaborating and seeking incremental solutions are important in complex situations; and listening well and thinking divergently are a must in ambiguous situations.”

I S S U E 11

WOMEN IN SECURITY MAGAZINE

89


Defense that can help organisations identify and

Domestic economic espionage is also a possibility,

direct resources towards those most vulnerable.

conducted through hiring of employees from a competitor to gain knowledge of and access to

Research has shown that “the likelihood, or risk, that

the competitor’s intellectual property. In 2013,

individuals will commit hostile acts against their

Ticketmaster hired an employee from a competing

organisation increases with the accumulation of

ticket sales company who had retained their

factors acting on them over a period of time.” These

access credentials. Ticketmaster requested the

factors roughly follow a chronological sequence. Most

employee to use these access credentials to provide

importantly, the summation of multiple factors does

business intelligence on its competitor. In late 2020

not increase certainty or guarantee that the individual

Ticketmaster was fined $10 million by the Department

will commit a hostile act.

of Justice for the act. It is not difficult to imagine competing companies preying on the instability

Many organisations put significant effort into

of their peers to recruit employees for intelligence

implementing technology controls to mitigate insider

and trade secrets which can give them the edge in

risk, such as blocking the external transfer of data via

a crowded market, or even deliver a final blow to a

webmail, cloud storage or removable media devices.

dying firm.

However, technical behaviours are just one type of concerning behaviour that organisations should keep

For some employees, a corporate layoff event can

an eye out for. A layoff event introduces multiple

be fatal. Earlier this year, Bed Bath & Beyond’s chief

stressors on employees (personal, professional and

financial officer died by suicide days after the retailer

financial) and can produce concerning interpersonal,

announced the closure of 150 stores and the laying

financial and mental health behaviours.

off of about 20 percent of its employees. This sort of event can send shockwaves of grief and trauma

According to the Federal Reserve, 60 percent of laid-

through an organisation and require significant

off adults with a high school education or less would

‘postvention’ (psychological first aid). A workplace

not be able to pay all their bills if an unexpected $400

already suffering an economic crisis will want to

expense popped up during unemployment, and 24

return to business-as-usual as soon as possible, but

percent of adults with a bachelor’s degree education

doing so can lead to even more speculation, distrust

or higher would have the same issue. Approximately

and anger.

one-in-five Americans are experiencing a diagnosable mental illness and deaths associated with alcohol,

Insider threat incidents have risen by more than

drugs and suicide increased 20 percent year-over-year

44 percent over the past two years as COVID-19

in 2020.

lingers and economies continue to suffer from the pandemic’s effects. The cost per incident has

Employees seeking financial security can, and do, find

increased more than 33 percent to $15.38 million. A

it from nation-states eager to acquire trade secrets.

single insider threat incident amid corporate layoffs

An Intelligence and National Security Alliance (INSA)

can wipe out any cost savings the company hoped to

report, Insider Threats and Commercial Espionage,

achieve through its workforce reduction. An effective

notes several indictments of scientific researchers,

plan to mitigate insider risk during layoff events—one

engineers, professors, hackers and businesspeople—

that implements strategies and processes beyond

both American and Chinese—who have committed

technical controls and addresses the humans at the

theft of US intellectual property. Through its

core of the crisis—is therefore essential.

Thousand Talents Plan and other initiatives, China recruits US nationals to provide proprietary data in exchange for payment.

90

W O M E N I N S E C U R I T Y M A G A Z I N E

www.linkedin.com/in/staceychampagne

N O V E M B E R • D E C E M B E R 2022




MARTY MOLLOY

LOOKING BACK TO MOVE FORWARD: THIRTY YEARS OF EXPERIENCE GUIDING THE WAY

By Marty Molloy, Events, Marketing and Communications Coordinator at AusCERT

It is common today to hear, or be told, not to look back too often or to ponder what may have been if different choices had been made. Conversely, age‑old wisdom suggests ignoring past experiences, be they good or bad, could mean overlooking important lessons.

As in so many matters, the wisdom of Star Wars provides guidance. To quote that wise little green creature, Yoda, “Mind what you have learned. Save you it can.”

Understanding the consequences of past choices and resolving any lingering issues can facilitate personal and professional growth and development. Retaining what one has learned can smooth the path to success and reduce the time needed to achieve it.

As AusCERT approaches its 30th birthday in 2023 our team has discussed the value and importance of looking back to see our way forward.

First is the capacity to predict trends. This may seem to be of little value in an ever-evolving industry such as cyber where many attack techniques appear to have been discontinued. However, many have merely lain dormant. Opportunistic attackers will look for the right moment to deploy a proven method to further their aims.

Understanding what led to the original incursion—the weaknesses of a system, human error, an oversight in the firewall—can reduce the potential for a new breach or ransomware attack.

Knowledge of past incursions and attack techniques can produce another benefit: increased speed of learning. Insight gained from past endeavours can enable future outcomes to be achieved faster and with less effort. Security measures based on the evaluation of previous results will help guide staff in their decision-making, shorten the learning process and create more efficient and proficient staff.

However, mistakes will continue to be made. Everyone makes mistakes. The adage that we learn from our mistakes is highly pertinent to this article. Mistakes enable us to become stronger. They prepare us to deal with what is to come, today and tomorrow.

And this knowledge can be shared. Whether it comes from a predecessor in your current role or someone in another department within your organisation, chances are that people close to you have already walked the path you tread. So, seek their advice and guidance to help improve your chances of success.

Collaboration does not guarantee success, but it does provide insight and knowledge and helps identify the skills and abilities needed to undertake the task in hand.

With AusCERT’s 30th birthday approaching we are looking back to see how far we have come, with particular focus on our achievements and successes.

Whilst it is pertinent to learn from our mistakes and seek improvement, celebrating our accomplishments emboldens individuals and teams to undertake new challenges with enthusiasm and positivity.

Opportunity and preparation are often identified as key success factors. Learning and innovating also increase the likelihood of a positive outcome.

Whilst not everything is under the control of an individual or organisation, the ability to create opportunities, plan, learn and innovate is greatly enhanced with the benefit of reflection.

Yoda also said, “Impossible to see, the future is.” However, by understanding and referencing previous experiences we can better equip ourselves to make insightful decisions, move forward adroitly and embrace the potential of the present.

www.linkedin.com/in/marty-molloy-14100932


LISA VENTURA

CYBERSECURITY: A BOARD ISSUE IN 2022

By Lisa Ventura, Founder – Cyber Security Unity

In 2022 cybersecurity gained unprecedented prominence. The war that broke out between Russia and Ukraine in February 2022 highlighted the scale of the problem: the many ransomware, phishing and other types of cyber attacks hitting organisations and individuals every day. Data breaches are announced frequently. Only recently the InterContinental Hotels group experienced another cyber attack, as did UK transport group Go Ahead. There was also a cyber attack against Albania which caused the government to cut ties with Iran, believing the latter to be responsible for the attack.

For years security professionals have been asking themselves a fundamental question: “How can we get our board of directors to take cybersecurity more seriously and prioritise it?” However, to date boards have been reluctant to take the growing cybersecurity threat seriously, despite experiencing years of costly and devastating ransomware attacks, data breaches and other security incidents.

While cybersecurity has been on board agendas for some time it has not been prioritised because of its complexity and because boards did not see how closely cyber risk is tied to business risk. Unless organisations operate in a highly-regulated industry such as healthcare, banking or financial services, their boards face issues seen as far more pressing than cybersecurity.

Fortunately, cybersecurity’s time has finally arrived. In 2022 boards are not only starting to pay attention to cybersecurity but are also starting to ask questions about how they can protect against cyber attacks and data breaches.

HEADS PULLED FROM THE SAND

It has become clear boards can no longer ignore cybersecurity or be complacent when it comes to their organisation’s cyber posture. The notorious attack on software company SolarWinds was a huge wake up call for many boards because it showed the reputational and financial impact of a successful cyber attack. In November 2021 investors in SolarWinds sued the organisation’s board members claiming the board had been aware of the cybersecurity risks long before the data breach occurred and had failed to take action to mitigate these risks. The investors also alleged SolarWinds’ employees had frequently voiced concerns about the company’s poor cybersecurity practices, such as the use of insecure passwords.

BOARDS TAKE NOTE

Boards today need to sit up and start asking questions about cybersecurity, but they must be the right questions. For example, there is no point in asking the security team to ensure the organisation has 100 percent protection: there is no such thing, and no team can make that request a reality. Threat actors are sophisticated and very, very crafty, and cyber attacks are always evolving. Whatever defences security teams deploy, threat actors will always eventually find a way around them.

A board should start by having relevant conversations with the organisation’s security team, giving security a seat at the table, listening to what security staff have to say about the organisation’s security posture. A board should devote as much time as needed to recognising and identifying the risks that result from an inadequate cybersecurity posture, and work with the security team to compile a register of areas deemed critical and at risk from a cyber attack. It should ask the security team to provide recommendations on how to improve cybersecurity strategies, and work with the security team to outline security-related goals that will reduce the organisation’s overall risk.

Most importantly, security professionals should be provided with the tools and the budget to help them achieve these goals. For example, they might need a larger budget to upgrade security technologies, onboard new team members or implement new solutions and facilitate training. They may request companywide security policy implementations or the formation of a cyber-related or risk committee to provide them with ongoing support.

Empowering security teams by providing what they need is a critical first step. The next step is to achieve agreement on budget and strategy.

BOARDS MUST OPEN THEIR EYES TO CYBER RISKS

There are occasions where the biggest cybersecurity risks to an organisation are overlooked because the board does not understand the business risks these cybersecurity risks create. One example is the risk to an organisation that results from the risks faced by other parties in its ecosystem, such as its supply chain. Hackers can penetrate such organisations and from those systems gain access to others. Organisations that consider only direct risks will fail to factor these into their strategies.

No organisation is immune from cyber threats. There is a misconception that small and medium businesses are less likely to suffer a cyber-attack because of their small size, and many small business owners will often ignore cybersecurity. Such a belief is false, and if the business is attacked the financial and reputational damage can destroy it.

Every organisation must constantly assess its security posture and those of others in its ecosystem, including third-party suppliers. This will help to identify gaps and areas that need remediation. Many organisations often have only partial insight into their overall security posture, leaving blind spots that make them vulnerable to cyber attacks. Therefore, new approaches are needed that focus on the analysis and collection of cyber risk intelligence.

There are solutions available that provide actionable cyber risk intelligence and visibility of the entire risk landscape. The ability to gather, analyse and share cyber risk data can help an organisation identify and understand the cybersecurity threats that could affect it, which in turn will allow security teams to take early action and alert other companies in its ecosystem, including supply chains.

Harnessing the power of cyber risk data to gather actionable insights and implement the steps required for remediation can make a huge difference to an organisation’s security posture and enable it to reduce cyber threat risk substantially.

FINAL THOUGHTS

Consideration of cybersecurity is no longer optional for board members. In 2022 we have seen a huge shift in how boards manage their organisations’ cyber postures, and there is no time to be complacent about the growing cyber threat. A data breach involving confidential company information can be devastating. To improve the cybersecurity posture of an organisation its board members should ensure cyber risks are dealt with efficiently and effectively to help mitigate the impact of cyber attacks.

www.linkedin.com/in/lisasventura

twitter.com/cybergeekgirl

www.csu.org.uk




ROSALYN PAGE

HOW IS THE INDUSTRY RESPONDING TO THE SKILLS AND TALENT SQUEEZE?

By Rosalyn Page, Award-winning writer and content strategist covering innovation, technology and the digital lifestyle

Security professionals do not need to be told they are experiencing a talent squeeze, but the shortage is worsening. Sixty three percent of respondents to ISACA’s 2022 State of Cybersecurity 2022 report had unfilled cybersecurity positions, up eight percentage points from 2021.

While the pandemic has exacerbated an already tight cybersecurity talent pool, there are other systemic issues. According to Jo Stewart-Rattray, a member of ISACA’s Information Security Advisory Group, the pay disparity between genders has produced a male dominated workforce and has inhibited the creation of a wider cohort in the industry.

Adding to the challenges, ADAPT research analyst Pooja Singh says it is critical to have the right talent. “As organisations try to modernise and remain secure against evolving threats, the cyber skills shortage can often feel more pronounced than shortages in other technical areas,” she says.

However, there are some sectors where the shortage is worse. “The crunch is being felt hardest across the public sector, where government departments struggle to compete for staff against well-heeled private firms in terms of salary,” Singh says. “It is also the case in healthcare, an industry already experiencing massive burnout and the added pressure of protecting highly sensitive patient information.”

THE TALENT SQUEEZE MAKES THE ENTIRE ORGANISATION MORE VULNERABLE

Increasingly frequent attacks coupled with increased digitisation across all sectors means security is no longer just an IT issue, according to Verizon’s head of APJ cybersecurity, John Hines. He says organisations are already struggling with increased security risks. “A cyber skills shortage means teams may not have the right mix of resources to manage potential attacks.”

One of the less obvious issues, according to Hines, is that more organisations are falling into the category of critical infrastructure. “Pressure for a strong security posture for these Australian organisations is at an all-time high.”

ISACA’s Stewart-Rattray agrees that an underresourced security team certainly poses risks for an organisation. “The level of increased risk does depend on the organisation’s security posture and environment to begin with,” she says. “For example, is it a labour-intensive team? Are they using a lot of monitoring tools? Are there state-of-the-art platforms in place?

“The most obvious impact of an underresourced security team is on its ability to respond instantly and remediate a breach. If the organisation has to contract external consultants there is, potentially, a costly time-lag in addressing a vulnerability.”

HOW SHOULD ORGANISATIONS WITH A SKILLS SHORTAGE BOOST THEIR SECURITY POSTURE?

Dealing with the skills shortage is one thing. The other equally important issue is working to reinforce the organisation’s security posture in the face of the ongoing talent squeeze. While they build their talent pipeline, “organisations need to get serious about taking a risk‑based approach and use existing tools and resources available to them to mitigate those risks,” says Hines.

Cybersecurity awareness programs need to run throughout the organisation, says Singh, but must move away from the ‘one and done’ approach. Instead, they must actively use phishing emails for testing, collaborate with academic institutes and enrol their cybersecurity team into certification programs.

“Designing security in from the start can reduce the time, cost and risk involved with addressing these issues as an afterthought,” Hines says.

Security must also be an underlying qualifier for any and all digital transformation initiatives, including architectural design, cloud projects, data compliance and the use of artificial intelligence and machine learning for prediction and augmentation. “Evaluating these decisions through both a security and enablement lens is pivotal,” Singh says.

WHAT ARE THE SOLUTIONS TO THE PIPELINE PROBLEM?

Those looking for the magic bullet will be disappointed. Everyone agrees attracting more students into security is vital, as is boosting women’s participation, but to achieve these goals ingrained stigmas about security being a male-centric career must be dispelled.

Stewart-Rattray says the gender pay gap only validates this. “So systemic barriers hindering gender disparity issues must be addressed.” She nominates mentoring, coaching and more role models as the means to achieve this. “It’s up to my generation of security experts to encourage and support aspiring generations to give this career option serious consideration and have a crack.”

ADAPT’s Singh believes senior executives should also support better diversity and inclusion initiatives including gender outreach programs to encourage women to kick-start their cybersecurity careers. She says building better pipelines designed for greater inclusion will not only grow the talent pool but also offer increased access to the problem-solving skills available from greater neurodiversity and a mix of experiences, demographics and vision.

For the time being, organisations are looking to cross-training as well as tapping consultants and contractors to help fill the gaps, according to ISACA’s survey. However, MassMutual CISO, Ariel Weintraub, warns this approach requires focused efforts on “comprehensive risk assessments and risk quantification to ensure resources are allocated to addressing the most important threats.”

Over the longer term, Weintraub recommends building a strong bench of talent by leveraging an early career pipeline and recruiting from a wider pool of applicants with a variety of educational backgrounds, rather than focusing specifically on cybersecurity and computer science. “Candidates with degrees in areas such as political science or economics bring a unique perspective on problem solving and critical thinking; cybersecurity concepts can be learned on the job,” says Weintraub.

Another avenue to boost participation, suggests Weintraub, is partnering with non-profit organisations to sponsor scholarships “for potential students who come from underrepresented communities, especially those who are first in their families to attend college.”

www.linkedin.com/in/rosalyn-page

rosalynpage.com


KARA KELLY

SARAH IANNANTUONO

MEETING THE SECURITY AND PRIVACY CHALLENGES OF THE METAVERSE

By Kara Kelly, Manager at Deloitte and Sarah Iannantuono, Security Strategy and Program at SEEK

“Other virtual worlds soon followed suit, from the Metaverse to the Matrix. … Users could now teleport back and forth between their favorite fictional worlds. Middle Earth. Vulcan. Pern. Arrakis. Magrathea. Discworld, Mid‑World, Riverworld, Ringworld. Worlds upon worlds.”

Ready Player One

The metaverse, a fully immersive shared virtual space for humans to work and socialise, became the subject of global discourse in 2022. The term ‘metaverse’—coined by author Neal Stephenson in his 1992 novel ‘Snow Crash’—entered into mainstream popular discourse (or as we like to say, dinner party/BBQ conversations) after Facebook rebranded as Meta in line with a focus on leading the development of the metaverse. So, virtual hands up, who within the security, risk and privacy professions has been asked by family or friends what the metaverse is?

Depictions of the metaverse in the media, such as Ernest Cline’s Ready Player One, romanticise the concept of the metaverse. However, recent studies have brought to light the ways in which innocent-looking games can have real security and privacy issues. Imagine playing in a virtual reality escape room while, behind the scenes, an adversarial program was able to accurately infer over 25 personal data attributes about you: height, age, gender, etc. That is certainly not ideal.

With businesses racing to boost their bottom lines and governments taking advantage of the topicality of the metaverse there is a genuine need for reimagined security and privacy processes. It is imperative cybersecurity professionals are involved in metaverse opportunity exploration or discussion within their organisations to influence greater security and privacy.

PRIVACY THOUGHTS WITH KARA KELLY

The metaverse presents many unique challenges to individuals’ privacy. Data minimisation—the need to collect only data necessary to conduct processing activities—is a principle of data protection regulations. A challenge posed by the metaverse is that the data processing required to create immersive environments is expected to result in massive collections of data about individuals, from health data to financial data. Companies in the metaverse such as JP Morgan, Walmart, Nike and Samsung may soon have access to surveillance data from business engagement and sales, exposing us to highly commercialised digital spaces where overcollection of data may become unavoidable.

The 2022 Deloitte Australia Privacy Index stressed the link between consumer behaviour and privacy with 51 percent of individuals surveyed saying they were uncomfortable with their behaviour being subject to online surveillance. So, how do companies create these environments while managing consumer expectations of data minimisation?

Meta is one company that has attempted to overcome this challenge. As of August 2022, users of Meta’s virtual reality (VR) devices will no longer need their Facebook account details to log in. However, Meta will still require name, email address, phone number, payment information and date of birth for age verification to create this new type of account. This practice raises the question of whether or not Meta is adhering to the principle of data minimisation.

How do we address the risk of overcollection of personal information in the metaverse?

Most data protection laws are drafted to be agnostic in their treatment of new technologies, and are applicable to the metaverse. The EU’s General Data Protection Regulations (GDPR) and China’s Personal Information Protection Law (PIPL) specifically mention monitoring the behaviours of natural persons living within their territories regardless of where the data gathered is processed. They also require a high level of transparency from entities processing the personal information of individuals. Such entities must be able to identify exactly what they are collecting and processing in the metaverse and explain this to their users in a manner that allows for informed decisions. Companies looking to benefit long term in the metaverse by engaging with individuals must examine their data collection needs and build trust through transparency.

SECURITY THOUGHTS WITH SARAH IANNANTUONO

The metaverse represents a convergence of multiple technologies. This makes security a top priority for metaverse development if the opportunities it creates are to be exploited. With countries like South Korea investing $US177.1 million into the metaverse ecosystem and companies such as Meta, Microsoft and NVIDIA focusing on the metaverse as a core offering it is important to foster discussion on security concerns and collective ways to mitigate them. Here is a small snapshot of some of the key security considerations to be aware of, and some example mitigations.

assets between platforms. In addition, the current fragmentation between the players in the metaverse divides applications and products. What to think about: A new approach to governance and standards in the metaverse needs to be established. Some companies currently exploring the metaverse, such as Meta and Microsoft, have committed to portability of data across platforms. If your company is looking into metaverse opportunities, consider staying flexible and remaining open about applications and products used to ensure you are not locked in.

Broader attack surface and fraud opportunities. Mixed reality devices provide malicious actors with new attack surfaces. New metaverse-specific crimes such as ‘pump and dump’ NFTs and fraudulent metaverse investments have already emerged. Looking at the history of IoT devices, there are numerous examples in which exploitation of new weak points in the enterprise were targeted. What to think about: Ensure devices such as mixed reality headsets with mobile device management are secure. Provide training to staff members on scams exploiting metaverse opportunities and, lastly, ensure your company secures the rights to its URL address to stop impersonation.

Call for discussion

The metaverse is here to stay (and will develop exponentially), but there will be teething pains for privacy and security as it does so. Building trust through transparency and security will be key for companies seeking to use this new channel of communication with users. While current laws and regulations will apply, our understanding of this technology will be critical to how we, as users, adopt

it and behave in this new hyper-spatiotemporal and self-sustaining virtual environment.

Data portability and fragmentation. The (slightly utopian) objective to have one seamless digital experience across companies and providers creates trust challenges for individuals who are currently unable, in most cases, to take identity and


www.linkedin.com/in/kara-kelly-9515b9b3

www.linkedin.com/in/sarahiannantuono



2023 NEW ZEALAND WOMEN IN SECURITY AWARDS, 9TH NOVEMBER. Don’t Miss Out


TECHNOLOGY PERSPECTIVES


BLOCKCHAIN – THE TECHNOLOGY BEHIND CRYPTOCURRENCY

by Sai Honig, Engagement Security Consultant at Amazon Web Services

Blockchain is the technology behind cryptocurrencies. Because of wild swings in the values of cryptocurrencies, blockchain has had a great deal of bad press. However, blockchain is a technology that can be used for many other business and personal processes.

Let us try and understand blockchain by looking at a very ancient technology, that of step pyramids. A step pyramid, or stepped pyramid, is an architectural structure that uses flat platforms, or steps, receding from the ground up to achieve a shape similar to that of a geometric pyramid. Step pyramids were built by several cultures in the past and in various parts of the world.

These structures are built with stones. Each stone is precisely cut and placed next to others. The connections between each stone to those next to it give these pyramids great strength, and many remain largely intact. However, if even one stone is incorrectly placed, the pyramid loses its integrity.

A blockchain also provides integrity through the connections between one block of data and another. If the data in a block is modified or deleted, the connections are broken. It is these connections that provide irrefutability. When something is irrefutable, it is impossible to dispute. This irrefutability creates the integrity of blockchain technology.

We can identify many applications where irrefutability is useful and, in some cases, essential.

In insurance, blockchain technology can bring cost savings, transparency and fraud mitigation. It can also enable faster payouts because data can be shared between parties in a trusted and traceable manner.

In Canada, personal identification using blockchain was implemented in 2019. Users verify their identity online, in person or on the phone using information held in banks, health records and government services which they have consented to share.

A blockchain network in the healthcare system could be used to preserve and exchange patient data between hospitals, diagnostic laboratories, pharmacy firms and physicians. This could be done through electronic healthcare record systems interoperability and healthcare data exchange. Such an exchange can be created using blockchain technology.

We have lived with the benefits of global supply chains for several decades. During the current pandemic we saw disruptions of these supply chains. Blockchain technologies helped with tracking shipments. From container shipping to commodity sourcing, blockchain business applications provide certification and ensure correct payments. These technologies can also enable quick responses to quality issues arising in consumer packaged goods, such as identifying batches to be quarantined because of contamination. The next time you drink coffee or tea, consider where it may have come from and the journey it may have taken to get to your favourite retailer. Blockchain technology has provided coffee, tea and other food commodities with complete end‑to‑end traceability.

In addition to food, blockchain business applications have been used to track and trace jewellery, automobiles (production and car sharing), and art. All these industries need to track and trace the locations of goods, and payments.

Perhaps the most common application of blockchain is in healthcare. As we have seen during the current pandemic, access to reliable healthcare records and treatments is necessary to save lives. As stated in ScienceDirect,

“An efficient supply chain is fundamental to a fully functional healthcare system. Thus, the health supply system must be designed to quickly and reliably deliver crucial health commodities such as medicines, vaccines, and PPE during infectious disease outbreaks.

“The COVID-19 outbreak has further exacerbated supply chain vulnerabilities across different industries as a result of travel bans and factory shutdowns. This added newer challenges to PPE supply chains, as many countries rely on exporting PPE rather than stockpiling to optimise the use of resources. Moreover, there has been a rise in counterfeit PPE amid the COVID-19 outbreak.”

Blockchain can also be used in the treatment of diseases such as cancer and in organ transplants.

So, beyond cryptocurrencies and NFTs, blockchain technology has a number of use cases. This technology might be around for as long as the pyramids.

www.linkedin.com/in/saihonig
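The blockchain article's point that modifying or deleting a block breaks its connections can be shown with a minimal hash-linked ledger of shipment records. This is an added example, not code from the article or from any blockchain product; the record fields, the function names and the separately held head hash are assumptions made for illustration, and the sample records are constructed.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # constructed placeholder: the first block has no predecessor

CONTENT_MISMATCH = "contents do not match the stored hash"
BROKEN_LINK = "link to the previous block is broken"
INDEX_GAP = "index out of sequence (block deleted or reordered)"
HEAD_MISMATCH = "chain head differs from the independently held head hash"

# Constructed sample data: four events for one batch of coffee.
SAMPLE_RECORDS = [
    {"event": "harvested", "batch": "B-101", "site": "farm-A"},
    {"event": "shipped", "batch": "B-101", "container": "C-7"},
    {"event": "received", "batch": "B-101", "site": "roaster-1"},
    {"event": "sold", "batch": "B-101", "site": "retail-9"},
]


def block_hash(index, prev_hash, data):
    """SHA-256 over a canonical encoding of everything the block commits to."""
    payload = json.dumps(
        {"index": index, "prev_hash": prev_hash, "data": data},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_block(chain, data):
    """Add a record; its hash covers the previous block's hash (the 'connection')."""
    index = len(chain)
    prev_hash = chain[-1]["hash"] if chain else GENESIS_PREV
    chain.append({"index": index, "prev_hash": prev_hash, "data": data,
                  "hash": block_hash(index, prev_hash, data)})


def verify_chain(chain, trusted_head=None):
    """Return a list of (position, problem); an empty list means no break was found."""
    problems = []
    expected_prev = GENESIS_PREV
    for position, block in enumerate(chain):
        if block["index"] != position:
            problems.append((position, INDEX_GAP))
        if block["prev_hash"] != expected_prev:
            problems.append((position, BROKEN_LINK))
        if block_hash(block["index"], block["prev_hash"], block["data"]) != block["hash"]:
            problems.append((position, CONTENT_MISMATCH))
        expected_prev = block["hash"]
    # The links alone cannot expose a chain that was rebuilt end to end;
    # that needs a head hash held by someone other than the chain's keeper.
    if trusted_head is not None and expected_prev != trusted_head:
        problems.append((len(chain) - 1, HEAD_MISMATCH))
    return problems


def build_sample_chain():
    chain = []
    for record in SAMPLE_RECORDS:
        append_block(chain, copy.deepcopy(record))
    return chain


def rewrite_from(chain, start):
    """Recompute every hash and link from `start` on, as the holder of a sole copy could."""
    for i in range(start, len(chain)):
        prev_hash = chain[i - 1]["hash"] if i else GENESIS_PREV
        chain[i]["prev_hash"] = prev_hash
        chain[i]["hash"] = block_hash(chain[i]["index"], prev_hash, chain[i]["data"])


def run_scenarios():
    original = build_sample_chain()
    head = original[-1]["hash"]          # assumed to be held by other participants

    edited = copy.deepcopy(original)     # record changed, stored hash left alone
    edited[1]["data"]["batch"] = "B-999"

    rehashed = copy.deepcopy(edited)     # changed block re-hashed, later blocks untouched
    rehashed[1]["hash"] = block_hash(1, rehashed[1]["prev_hash"], rehashed[1]["data"])

    deleted = copy.deepcopy(original)    # one block removed from the middle
    del deleted[2]

    rewritten = copy.deepcopy(edited)    # whole tail rebuilt after the change
    rewrite_from(rewritten, 1)

    return {
        "intact": verify_chain(original, head),
        "edited": verify_chain(edited, head),
        "rehashed": verify_chain(rehashed, head),
        "deleted": verify_chain(deleted, head),
        "rewritten_no_head": verify_chain(rewritten),
        "rewritten_with_head": verify_chain(rewritten, head),
    }


if __name__ == "__main__":
    for name, problems in run_scenarios().items():
        print(f"{name}: {problems or 'no break found'}")
```

The last two scenarios show the limit of the links on their own: a chain rebuilt end to end is internally consistent, and the change only surfaces when the head hash is compared with a copy held elsewhere, which is the role replication among participants plays in a blockchain network.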


SHARING OUR INNER VOICE STORIES

by
Kavika Singhal, Cyber Security Consultant at EY
Jay Hira, Director of Cyber Transformation at EY
Michelle Gatsi, Cyber Security Consultant at EY
Emily Goodman, Cyber Security Consultant at EY
Shinesa Cambric, Principal Product Manager, Microsoft Intelligent Protections - Emerging Identity at Microsoft
Kaajal Sharma, Offensive Security Associate at EY
Baby Lyn Nagayo, Cyber Security Manager at EY

INTRODUCTION

Kavika Singhal

Reflecting is an intimate, thought-provoking process. It is the focal point where our grown self and old self meet to have a conversation about our strengths, weaknesses, values and learnings. These lines from the poem The Road Not Taken by Robert Frost stirred up some questions for me:

“Two roads diverged in a wood, and I—
I took the one less travelled by,
And that has made all the difference.”

Frost writes that when, in life, he found himself having to choose between two diverging roads, travelling the less trodden path made “all the difference” in his life. Each of us encounters such occasions in our lifetime, where we need to make tough choices and become confused while weighing up which choice will deliver the best outcome. What factors should I consider in such a situation? Can I always make the best choice? And most importantly: how do I stay on my chosen path?

With a head full of questions and the determination to seek an answer I sat down with some of my cybersecurity industry mentors and friends—individuals from diverse walks of life—to share their stories of how they had found themselves at the junction of diverging pathways and at the lifelong changes their choice between these had wrought.

STORIES

Jay Hira

“Do not let anybody’s opinion define your choices: the future is yours to create.”

Aged 18, I sat in the dean’s office with my father. My grades were average but my ambitions lofty. To this day, I clearly remember the dean’s laughter and blunt remarks when my father asked about my chances of getting into the computer science program. “Your son has ZERO chance of getting into computer science. Have you looked at his track record? I’m doubtful he will even be able to complete his degree in four years.”

Those words crushed my soul and filled me with fear, leaving me with two choices: either give up and surrender to the harsh, critical voice in my head telling me, “You are not smart enough, you are not capable enough!” Or trust my inner voice encouraging me to believe my hard work and strength would lead to success.

My determination and strong self-belief led me to make the second choice: the harder one. I worked diligently, made my work speak for itself and did not allow anybody’s opinion to define my reality or my capabilities. A year later, I was among the top students in my cohort and transferred easily to computer science. The biggest lesson I learnt was that believing in yourself may not be easy, but it is the most crucial ingredient in determining your success.

Kaajal Sharma

“Challenge yourself to venture out of your comfort zone.”

The intimidating experience of venturing into the unknown world of penetration testing (ethical hacking) has traditionally kept talent away, maybe because the discipline requires extensive technical skills and expertise. I chose to venture outside my comfort zone. My decision to pursue an offensive security career stemmed from my appetite for investigation and my unwavering belief in my competencies.

It is important to be tenacious when working towards your goals. If you do not have the right set of skills, you can always develop them and advance to where you want to be. The biggest takeaway in my career journey was to not measure my self-worth from a perspective of past or future. You must be prepared to challenge yourself to achieve your goals. However, you must live in the present to build a better future.

Michelle Gatsi

“Keep track of your progress as a reminder of your potential.”

“Don’t be so hard on yourself Michelle, you’re doing great!” If I had a dollar for each time I have heard those words… The truth is, this is much easier said than done. I work in an industry saturated with extremely sharp and talented minds and, as a newcomer to cybersecurity with an academic background in criminology and social science, it is easy to feel like a fish out of water. A solution to counter those doubts was to keep track of my personal journey. When I first decided to venture into cybersecurity I bought myself a little turquoise journal and labelled it ‘My Cyber Journal’. Its purpose was to keep track of my journey and I followed through in writing about my experiences, fears and achievements.

In moments when imposter syndrome showed itself, I recorded in my journal. The journal is evidence of all the hard work I have put in so far to break into the cybersecurity industry and build my career, including the tremendous amount of support I have received along the way. My little turquoise journal is my source of strength, and my journey is not only a reminder of my progress, but also my potential.

Shinesa Cambric

“There is great power in being intentional.”

It took a very long time for me to discover this, but one key lesson I learnt in my career journey was that being intentional is empowering. I have always been someone who enjoys achieving and getting things done, but only late in my journey did I realise the importance of being intentional with the choices I had made in my career, such as focussing on doing the right things. The early choices I made were for myself or because they met the expectations of others.

When I took time to pause and reflect on my actions I realised I had influenced others to achieve their goals while achieving my own. Hence, I became committed to becoming intentional about my choices rather than drifting with the current: to acknowledge the power of my actions and focus on the things that would bring me joy.

Baby Lyn Nagayo

“If it’s possible in the world, it is possible for me.”

When I started my career in cybersecurity I made little progress in the technology industry until I became involved with the EY Women in Tech and SheLeadsTech Melbourne communities. They empowered me to thrive in discomfort.

The mentorship, coaching and sponsorship I received were instrumental in me overcoming my self‑limiting beliefs.

As I continue to thrive and grow in the industry, I find my achievements to be still within my comfort zone. It is important for me to venture out of that comfort zone, challenge my beliefs and change my behaviours if I am to achieve my ultimate goals in life. I live by these famous words of Tony Robbins: “It is in your moments of decision that your destiny is shaped.” Each day I repeat to myself: “If it’s possible in the world, it is possible for me.”

Emily Goodman

“You don’t get anywhere by standing still.”

For my undergraduate degree I majored in accounting. Whenever I told anyone this, a common reaction was: “You don’t seem like someone who would study accounting or someone who would like maths.” This statement often made me doubt my abilities, and imposter syndrome developed. I could have let this self-doubt take over. However, I listened to my inner voice knowing I wanted to achieve more. This led me to joining the cybersecurity industry, to earning a master’s degree and working in a role where I have a purpose. Over the years I have learnt to listen to my inner voice as my best guidance. I have moments of imposter syndrome and I have doubts. However, mentors and colleagues who believe in me keep me going. The advice from one of my mentors: “You do not get anywhere by standing still,” keeps me motivated to overcome any challenges, step outside my comfort zone and trust my inner voice, because we can achieve whatever we set our minds to.

CONCLUSION

Kavika Singhal

Our thoughts are the foundation of our actions, and our inner voice is the guiding light in our life journey. If we land ourselves in a position where we can choose a tough path, we should never let outside voices influence our inner voice, because each of us is the creator of our own reality. When faced with harsh obstacles on the road to achieving something we desire it is important to push ourselves beyond our comfort zone, because we get nowhere by standing still.

On this path, keeping track of progress is an essential, motivating indicator. We may not always make the best decisions, but good intent always results in better outcomes. Lastly, when things look impossible, we need to remember: if it is possible in this world, we can make it happen.

These stories certainly answered my questions. I hope they assist you when you reflect on your journey.

www.linkedin.com/in/kavika-singhal

www.linkedin.com/in/jayhira

www.linkedin.com/in/michellegatsi

www.linkedin.com/in/emily-goodman-b9a023144

www.linkedin.com/in/shinesa-cambric-cissp-ccspcisa®-0480685

www.linkedin.com/in/kaajalsharma

www.linkedin.com/in/baby-lyn-nagayo-09821210b



REFLECTIONS ON MALWARE

by Meghan Jacquot, Security Engineer at Inspectiv

Malicious software (malware) did not always exist. Researchers disagree on what represented the first virus. I will define it as Wabbit in 1974, because it caused computers to crash. Over time, malware changed the software scene dramatically. At first malware was often sent as a joke: think of a snake game. However, it has become much more serious and is now a standard tool of criminal syndicates and threat actor groups. This article will discuss three trends in modern malware seen in 2022.

ADAPTABILITY

If you noticed an issue on a Friday afternoon that impaired the functionality of a system how long would it take to get it fixed? I am certain many of you are thinking “It depends” and are considering criticality, uptime, services, who it impacts, etc. For many teams, a Friday afternoon issue would be fixed in the following week, or later depending on its criticality.

Threat actors are sometimes much more responsive to the issues they face. Emotet, long-lived malware, was developed by a threat actor group that has shown adaptability over the years, including in 2022. Research group Cryptolaemus identified an update to a static file reference in Emotet that compromised its performance. When the malware was installed on endpoints the file names shifted and so the distribution chain was broken.

This was an error that needed to be fixed, and that is exactly what the threat actor group did. Its members either learned about the error through monitoring their systems or through monitoring defenders’ social media posts, and modified Emotet rapidly. The error was found on a Friday, tested, fully debugged and fixed by the following Monday. Think back to the question about how long it would take your team to fix an issue. As defenders we need to be aware of how adaptable threat actors are.

DECEPTION

A continuing trend observed in malware operations is deception. Deceptive tactics often exploit current events and this was the case in 2022. For example, in January the final phase of the Windows 11 upgrade was announced and was exploited as a current-event-based deception by threat actors. They were able to create various deceptions masquerading as this necessary download to install their own malicious payloads. The group behind infostealer malware, RedLine Stealer, was observed using this exact tactic. Another form of deception that researcher iamdeadlyz identified in August was more complex. Threat actors pretended to be testers for a play-to-earn (P2E) video game, Cthulhu World. The ‘game’ appeared well-developed and legitimate, would‑be testers were sent codes to test it, but these codes installed one of three infostealer malwares: AsyncRAT, RedLine Stealer or Raccoon Stealer. The website of that fake game is now defunct, but deception will continue to be a much used tactic for threat actors. A final example of current event exploitation saw malware embedded in a jpg file of images from the James Webb telescope. The threat actors realised people were sending these beautiful images to one another and took advantage of this to add a malicious payload to an image.

BUSINESS MODELS

Another trend observed in 2022 was the continuation of complexity with malware being part of a business model. There are criminal organisations that develop malware-as-a-service (MaaS) or phishing-as-a-service (PhaaS) models other less skilled threat actors can use to commit cybercrimes. For example, a new malware, ZingoStealer, was observed by researchers and the threat actor group behind it chose to give this malware away for free. Its use gave the group data about infected endpoints they could use for additional criminal activity. They were gathering data, building a user base and beta testing their dashboards.

Another cybercriminal group offers EvilProxy PhaaS on subscription. Researchers found there were specific tutorials and methods discussed for bypassing two factor or multifactor authentication (MFA). Multiple attacks on a variety of organisations in 2022 bypassed MFA with the help of infostealer malware. For example, the July cyberattack on Twilio, which ended up affecting more than 160 of its customers, has led to additional software supply chain attacks.

Another attack that had its roots in infostealers was the September Uber cyber attack. It was initiated by credentials being found via an infostealer and progressed using social engineering. Here is a visual of a likely breakdown of the attack.

Source: Andy Robbins, shared and modified with permission.

WHAT IS A DEFENDER TO DO?

Knowledge is power. The more we can understand, model and identify threat actor activity the better we can predict and defend against it. Additionally, defenders can add in layers of defence based on threat modeling of attacker activity. If MFA and social engineering are being bypassed, then what other layers of defence exist for your network? What backup and data recovery processes do you have?

Do you make use of honeypots or other deceptions to delay a threat actor? Additionally, what methods are being used for detection? The less time an attacker has in your network the better, so early detection can be quite helpful. Malware today is no longer as innocuous as a snake game filling up your screen where an individual can troubleshoot the issue. It is more damaging and requires a team-based approach. As computer programming pioneer, Grace Hopper, said, “I’ve always been more interested in the future than in the past.” So let us look to the future and work together as defenders against malicious software.

Here’s a collection of resources related to this article and focused on malware.

www.linkedin.com/in/meghan-jacquot-carpe-diem

twitter.com/CarpeDiemT3ch

www.youtube.com/c/CarpeDiemT3ch


THE RELATIONSHIP BETWEEN ARTIFICIAL NEURAL NETWORKS AND CYBERSECURITY

by Mehlika Ercan, Cyber Security Analyst

It is a fact that, with the development and spread of information technologies in recent years, malicious software that threatens information systems has increased and become more diverse. Having a flexible and multi-layered security strategy is critical to preventing damage to company networks, but damage to healthcare or nuclear systems can have more dangerous consequences. In the past cyber attacks have been prevented before they caused major catastrophes. However, today’s cyber criminals are not merely stealing data or causing overt damage: their focus is on data manipulation, a form of cyber attack that can be more destructive and more deadly.

There are insufficient people with the experience and skills to ensure the confidentiality and integrity of critical infrastructure systems, networks and data in these sectors. Artificial intelligence is proving a valuable tool to supplement these limited resources.

WHAT IS AN ARTIFICIAL NEURAL NETWORK?

Artificial intelligence mimics the human brain’s functionality and connectivity. The human brain consists of neurons with dendrites and axons. Dendrites bring information to the cell body and information passes through the axon. The information is then transferred to the dendrites of another neuron at the synapse, which is a small gap between the axon of one neuron and the dendrites of the other neuron.

Artificial neural networks (ANN) are comprised of node layers that have an input layer, one or more hidden layers, and an output layer. There are connections between nodes, or artificial neurons, and each has an associated weight and threshold. To activate a node and send data to the next layer of the network the output must be above the specified threshold value.

A convolutional neural network (CNN) is a class of artificial neural network. It has convolution layers, fully connected layers and pooling layers.

Recurrent neural networks (RNN) have a unique loop structure of memory units that store data from past inputs or the hidden layer’s current state. Because the output depends on earlier inputs, an RNN can be trained on sequential data.

Deep neural network (DNN) (also known as deep structured learning) is a machine learning technology with many hidden layers.

[Figure: Deep Neural Network]

WHY ARTIFICIAL INTELLIGENCE IS IMPORTANT FOR CYBERSECURITY

Signature based detection is not a good way to catch zero-day attacks. However, artificial neural networks (ANNs) can improve the performance of intrusion detection systems (IDS), security information and event management (SIEM) tools and extended detection and response (XDR) tools.

CASE STUDY

Shun Tobiyama and coresearchers from Japan’s Nagoya University and NTT Secure Platform Laboratories investigated the use of CNNs, DNNs and RNNs to detect malware.

They obtained 26 malware files from the NTT labs, ran these malware files and some benign files through a Cuckoo Sandbox to obtain 81 malware process log files and 69 benign process log files for training and validation.

As a result of their research they proposed an AI-based technique for malware detection that would use an RNN to construct a behavioural language model of the malware, extract behavioural features and generate feature images. These feature images would then be classified by the CNN. Details of their research were presented at the IEEE’s 40th Annual Computer Software and Applications Conference, 2016 in a paper Malware Detection with Deep Neural Network Using Process Behavior.

https://www.linkedin.com/in/mehlikaercan/


MARISE ALPHONSO

KEY THEMES FROM 2022 TAKING US FORWARD by Marise Alphonso, Information Security Professional KEY THEMES FROM 2022 TAKING US FORWARD

met. The appointment of a woman as minister for

You may have heard that the only constant in the

working in, or aspiring to work in, the information

information security industry is change. 2022 ushered

security sector.

cybersecurity is an encouraging sign to other women

in some major changes and trends in the Australian and global landscape that can be leveraged to

AustCyber’s Sector Competitiveness Plan 2020

improve cyber maturity and create a safer cyber

highlights five key industries becoming increasingly

environment for individuals and organisations.

digitised, and hence with growing cybersecurity requirements. Key components of this digitisation

THE APPROACH TO CYBERSECURITY AT A NATIONAL LEVEL

are the shift to online infrastructure, the increase

The Albanese government sworn in earlier this year

IoT and smart devices, remote access to operations

sent a strong signal to the information security

technology (OT) and the expansion of AI and quantum

community by appointing Clare O’Neil as Minister

computing.

in digital payments and fintech, the proliferation of

for Cyber Security. With a dedicated minister for cybersecurity, Australians can be optimistic about

It is projected that future cybersecurity products and

Australia becoming a cyber-resilient nation with a

services will be required to focus on these five areas

trusted and secure digital economy. Cybersecurity

in response to the increased attack surfaces they will

has certainly been given the prominence and visibility

create and the expanded regulatory requirements that

to help achieve this. The needs for greater diversity

will be imposed on various sectors of the economy.

and inclusion and a larger cyber workforce are

116

topics much discussed. Government, industry and

In discussions about digital trust and in the

academia must pull together if these needs are to be

announcement of a planned review of Australia’s

W O M E N I N S E C U R I T Y M A G A Z I N E

N O V E M B E R • D E C E M B E R 2022


T E C H N O L O G Y

P E R S P E C T I V E S

2020 cyber security strategy there is growing mention

(PSO) require organisations bound by the SOCI Act to

of ‘sovereign capability’ and the need for Australia

(a) provide ownership and operational information to

to have the cyber capability to protect the digital

the Register of Critical Infrastructure Assets and (b)

economy. The rise in geopolitical tensions has

notify the Australian Cyber Security Centre (ACSC) of

cybersecurity implications, as was seen with Russia’s

cybersecurity incidents within certain timeframes. A

invasion of Ukraine in February and with cyber

third PSO, yet to be ‘switched on’ by the government,

attacks on the Taiwanese government and Taiwanese

requires organisations to maintain a risk management

businesses following Nancy Pelosi’s visit in August.

plan and uplift security practices that relate to the

Developing and maturing a local cyber capability is

management of critical infrastructure assets.

a necessity. The new version of ISO/IEC27002:2022 has ushered

CHANGING WORK ENVIRONMENT

Practices accelerated by the Covid-19 pandemic—including remote working, digital transformation and cloud services usage—have led to changes on the cybersecurity front that are here to stay. An organisation’s network no longer represents a logical perimeter where protection can be deployed. Neither do its premises represent a physical perimeter to its operations that can be protected. Therefore, it has never been more important for employees to be cognisant of their key role in protecting their organisation’s data. Customer personal information is now visible on screens in a staff member’s home. Connections into an organisation’s network are via a home network WiFi router. Staff are more reachable via email or messaging applications and hence more prone to phishing attacks. An organisation’s security awareness initiatives will continue to be critical to addressing cyber risk and fostering a cyber aware and cyber safe workforce.

LEGAL, REGULATORY AND INFORMATION SECURITY STANDARDS LANDSCAPE

Australian consumers and businesses are awaiting the results of the review of the Privacy Act being conducted by the Attorney General’s office. The Office of the Australian Information Commissioner (OAIC) indicates this review will strengthen requirements for protecting personal information, empower consumers, hold businesses accountable and ensure the OAIC can provide effective privacy regulation in line with community expectations.

The Security of Critical Infrastructure (SOCI) Act has introduced new obligations on 11 sectors of the economy. Two new positive security obligations

in changes to existing organisational security control frameworks. These include a consolidation of controls with additions and deletions as well as the introduction of attributes to allow for categorisation. The updated version of ISO/IEC 27001:2022 is expected in October and organisations certified to ISO/IEC 27001 will have to review the changes and make adjustments to their governance processes that facilitate the running of an information security management system.

DRIVING INCREASED SECURITY MATURITY

The journey towards cyber resilience tends to be cyclical rather than linear with several checkpoints along the way. To be successful and stay on the path, organisations need:

• their board and executive leadership teams engaged and asking the right questions of the security team;

• clarity on their legal, regulatory and contractual obligations for data and system protection;

• to embrace the changed work environment and use security practices to enable the organisation;

• a baseline of operational security practices so they are able to benefit from cyber insurance policies;

• to provide evidence demonstrating effective security practices that will satisfy auditors;

• a culture of preparedness for security incidents that enables them to respond and recover effectively.

www.linkedin.com/in/marisealphonso



MICHELLE LIAO

OUT OF THE SHADOWS: HOW CYBERSECURITY HAS TAKEN CENTRE STAGE IN THE AUSTRALIAN BUSINESS ARENA

by Michelle Liao, A/NZ Channel and Distribution Manager at WatchGuard Technologies

The pandemic has invigorated the cybersecurity sector and made it a more appealing place to work.

What a difference a couple of years can make. When a globally momentous event takes place—think World Wars I and II and the September 11 attacks—it inevitably becomes an indelible time marker, splitting history into two parts: before and after.

So it has been with Covid-19. The biggest health crisis since the Spanish Flu pandemic of 1918 has triggered significant economic and societal changes, including a rethink about the reliance on global supply chains by businesses and governments, and the normalisation of hybrid and remote working.

CYBER SHAKE-UP

The pandemic has shaken things up in the cybersecurity sector, albeit in ways that, to folks who do not work in the space every day, may not seem quite so dramatic as its wider impacts.

I am fortunate to have worked in cybersecurity since 2016 and I have observed big changes since 2020. Prior to Covid, cybersecurity was very much a niche subsector of the broader ICT industry.

Yes, businesses and organisations knew they needed to take steps to protect their systems and data from compromise and attack, but senior decision-makers typically did not get overly exercised about the specifics of the risk mitigation measures they had in place.

For most, the cyber solutions and services they relied on were very much grudge purchases: up there with insurance on the list of things they needed to have but did not want to spend more than the minimum on.

RISING RISK

And then along came the virus and with it a host of other viruses, phishing campaigns and cyber scams. Hackers and cyber criminals are nothing if not opportunistic, and many of them sought to cash in on the fear, uncertainty and doubt individuals and organisations were experiencing.

During the 2020-21 financial year the Australian Cyber Security Centre received more than 67,500 cyber crime reports, an increase of 13 percent on the previous year.

Widely reported ransomware attacks—including the two that crippled beer and dairy products producer Lion’s operations in June 2020—put the wind up businesses of all stripes and sizes. Hence, we saw business leaders begin to take a much keener interest in the tools, technologies and processes their own organisations were deploying to avert and mitigate similar offensives.

READINESS TO INVEST

Upon becoming aware of gaps, they were prepared, finally, to spend serious sums on plugging them. So much so that Gartner is predicting end user spending on cybersecurity will continue to grow at a compound annual rate of 10.4 percent until 2026.

Pleasingly, we have seen small and medium sized businesses account for their fair share of that spend. An increasing number are augmenting their traditional firewalls with tools and technologies such as multifactor authentication and endpoint security that were not previously in their budgets.

That is good news, because the events of the past two years have shown us that hackers and cyber criminals do not confine their attentions to the top end of town. Smaller players are just as likely to be targeted, and their capacity to recover from a major incident is often less than that of their larger counterparts. End user education has also become far more common as organisations realise well‑trained employees can be a formidable first line of defence.

WORKING TOGETHER

All that activity and investment has been good news for cybersecurity vendors and their partners in the channel, but the benefits extend beyond the, always welcome, bottom-line boost.

Acceptance into the broader business conversation has engendered a palpable sense of positivity among the folk who work in cybersecurity: salespeople, engineers and analysts alike. After years of them being relegated to the backroom the contribution they make and the importance of their work is being acknowledged and appreciated. At last, everyone gets it.

And the sector’s increasingly high profile is also alerting more Australians to the opportunities it can offer. This is important if we are to solve the country’s long-running cyber skills shortage, which is a crisis in itself and one further exacerbated by pandemic‑driven demand.

For anyone looking for a challenging and fulfilling career, I am delighted to say there has never been a more rewarding time to get into the cybersecurity space.

www.linkedin.com/in/michelle-liao



STUDENT IN SECURITY SPOTLIGHT


OORJA RUNGTA

Final year student studying BTech in Computer Science, Indore, India

Oorja Rungta grew up in Indore in India and still lives there but hopes to find work elsewhere when she graduates. She is in the final year of study for a BTech in computer science, specialising in cybersecurity and digital forensics.

Suppose you met an old friend from your last year at school who, knowing nothing about cybersecurity or what you do, asks you what you are doing. How do you answer them to ‘sell’ them on the idea of a career in cybersecurity?

I would explain that my job as a cybersecurity professional is to help secure organisations from threats in the virtual world. I would say I am basically a heroic warrior, albeit in a virtual world. I would also explain how cybersecurity is a dynamic field that is constantly changing and where you learn something new every day. It never gets boring.

How does the reality of cybersecurity as you experience it today sit with your understanding when you first thought about studying it?

Like most sci-fi fans, cybersecurity for me involved cool lines of scrolling green code that led to a hack, and companies trying to prevent that. On a more technical side, I understood my antivirus software was helping me defend my device from malicious software like viruses. My knowledge was pretty much limited to this. I had a mindset that, as a small fish with nothing of value, I would never catch an attacker’s attention and would never be breached.

After gaining a better understanding of the value of data and how attacks actually work I realised the importance of personal security. Massive breaches that compromise the data of small fry like me occur every day and this data is sold for very high prices. Since understanding the value of my data I have learnt to protect it as meticulously as I protect any of my other assets.

What was the reaction from parents, peers or career advisors to your decision to get into cyber? Did you face any opposition, if so how did you feel about this?

I generally receive a very positive response when I tell people I am pursuing a career in cybersecurity. In fact, in a country saturated with software developers, people find my career choice to be a novel field of study. I am often treated with curiosity and get a lot of questions about what cybersecurity professionals actually do.

Who, or what would you say has had the biggest influence on your cybersecurity career journey to date, and why?

I would say the seniors at my university have been a massive influence on my cybersecurity career journey. They helped me find my footing, guided me on how to study the domain and on the different options I have in cybersecurity. They shared training resources and took time to clarify my doubts. They developed a sense of community in the university so we always had somebody we could approach in case of doubts or questions. This allowed me to freely explore the domain. You would often find me using my spare time to discuss cybersecurity-related topics with my seniors. These discussions gave me deeper insights into the field and encouraged my curiosity.

What do you see as having been the most memorable and/or significant event in your cybersecurity journey to date, and why?

I think winning the Women in Cybersecurity (WiCys) training scholarship as one of 900 plus applicants worldwide was one of the most memorable events in my cybersecurity career. The scholarship program helped me greatly widen my horizons and allowed me to take my knowledge in cybersecurity to the next level. Besides the obvious benefits, winning the scholarship was definitely an acknowledgement of my potential to be a cybersecurity professional and gave me a massive confidence boost.

The cybersecurity industry abounds with certifications from multiple organisations. Have you gained, or do you plan to gain, any of these, if so which ones, and why?

I have three industry certifications from Global Information Assurance Certification (GIAC). Preparing for these certifications helped me learn much, and I was able to study many cybersecurity concepts in a structured manner. The certifications definitely helped boost my resumé and get noticed by recruiters, but I do not think they are necessary to break into the field. Do they lower the barrier of entry into cybersecurity? Yes, but at the end of the day they are a means for employers to validate your knowledge of cybersecurity concepts. If you can show employers your knowledge of cybersecurity through other means such as projects, competitions or research papers, I believe you can break into cybersecurity without these certificates.

They are very expensive and, for most students, unaffordable. I was lucky enough to get a full scholarship for them. For any other student struggling and wanting to get a certification, I suggest joining a cybersecurity community. Often these communities help their members get these certifications for free or for discounted rates. I would also recommend keeping an eye on LinkedIn because many members of the cybersecurity community share resources for free training and certifications.

We hear all the time that the world of cybersecurity is changing rapidly, particularly with the rate of threat evolution. Do you feel your course is doing a good job of being current?

It is difficult to rapidly evolve the coursework to keep pace with changes in the cybersecurity domain because of bureaucracy and regulations but my professors make up for this by discussing the latest threats and technologies in the class even though they are not within the scope of our coursework. This allows us to keep pace with the latest developments. Our studies at university are also supplemented by workshops and events that invite industry professionals to help us better understand the latest threats and the technologies to combat them. For example, we recently conducted a seminar on drone security, which is an emerging domain of cybersecurity. It gave students an introduction to this fascinating field.

What aspect of your studies excites you the most?

I find cybersecurity to be a discipline that spans many domains. For example, cyber ethics and cyber policy represent the intersection of cybersecurity and law. There is a separate specialisation dedicated to the cybersecurity of healthcare-related organisations. These are just a few examples of the many different fields cybersecurity professionals specialise in. As a person who loves forming links between different domains this interdisciplinary nature of cybersecurity greatly excites me.

Are you involved in the wider cybersecurity community, eg AWSN, if so, how and what has been your experience?

I have been an active member of Women in Cybersecurity (WiCys) and was previously the secretary of my university’s WiCys student chapter. My experience with WiCys has been phenomenal. I have found a community of women who truly support each other. As a WiCys member I get access to many resources that help me learn much, and I get exposure. For example, very recently I played AWS Game Day through WiCys. It allows participants to get their hands dirty with AWS security through a gamified platform. It was an eye opener.

Every year WiCys has various collaborations with different organisations that give its members exposure. WiCys also has an annual mentoring program that connects students with cybersecurity professionals who provide guidance. I recommend every aspiring cybersecurity professional to be part of at least one cybersecurity community. It allows you to interact with industry professionals, make connections and get access to learning resources.

What is your favourite source of general information about cybersecurity?

Twitter and LinkedIn are rich sources of cybersecurity information. Cybersecurity professionals often discuss the latest attacks, their own research and general cybersecurity topics on these forums. Being a part of the cybersecurity communities on these platforms gives you access to much information. I also supplement this knowledge with my Google feed which has, over time, recognised my interest in the domain and frequently supplies me with cybersecurity related articles.

www.linkedin.com/in/oorja-rungta



KAO HANSELL

Bachelor of Information Technology: Networking and Cybersecurity at the University of South Australia

Kao Hansell grew up in the Blue Mountains region of NSW but moved to Salisbury North in South Australia when she was 11. She is now studying for a Bachelor of Information Technology: Networking and Cybersecurity at the University of South Australia. Her final semester will be the first semester of 2023.

Suppose you met an old friend from your last year at school who, knowing nothing about cybersecurity or what you do, asks you what you are doing. How do you answer them to ‘sell’ them on the idea of a career in cybersecurity?

I help people without them knowing. By engaging with companies and assisting with their cybersecurity needs I can make a difference in a stranger’s life, and they would never know. I help companies and organisations secure what is important and give those trying to protect you a fighting chance against the tide of those who would want to do harm.

How does the reality of cybersecurity as you experience it today fit with your understanding when you first thought about studying it?

I fell into the category of people who thought cybersecurity was black hoodies, too many coffees and energy drinks, big screens with data streaming across them and conducting penetration testing. I quickly learnt that is simply one important, but small, area of cybersecurity. Cybersecurity covers many technical and non-technical areas I had no idea about.

I have found that, while I love the technical side of cybersecurity, pen-testing and how that works, I have also developed a great interest in risk and policy management.

What cybersecurity role would you most like to be hired into when you graduate, and why?

This is a tough question. If you had asked me 12 months ago, I would have given a very different response. Previously it would have been something in forensics or insider threat analysis but after the experiences I have had this year I want to go into governance, risk and compliance, helping companies stay up to date and, in turn, protect the customers they serve.

What was the reaction from parents, peers or career advisors to your decision to get into cyber? Did you face any opposition, if so, how did you feel about this?

I did not find any opposition. I did get the usual “so you want to be a hacker” comment. Overall, I had a lot of support for my choice. I do remember one comment from a friend who said I would have to prove myself more than my male peers, which caught me off-guard.

Who, or what, would you say has had the biggest influence on your cybersecurity career journey to date, and why?

Having several female lecturers at both TAFE and university had an impact on my confidence in pursuing my IT career. Overall, the biggest impact on my career journey was being introduced to Paul Dewsnap from Digital Resilience. This has led to me becoming part of his company and shadowing some of the most amazing people I have come to know. This was also how I found I enjoyed governance risk and compliance (GRC) and shifted the direction of my career journey.

What do you see as having been the most memorable and/or significant event in your cybersecurity journey to date, and why?

I would say meeting many women not only in cybersecurity but STEM in general through HerTechPath. This was a major step forward to finding my feet and gaining confidence. Being able to network with such a variety of inspirational women and talk and learn was by far the most memorable and significant aspect of my journey.

In addition to your studies, what employment experience do you have in cybersecurity?

Since February I have been shadowing and working alongside members of Digital Resilience. This has mainly been across GRC, but I have also had the pleasure of discussing penetration testing with our amazing pentester as well as gaining a greater understanding of how to approach and work with clients to meet their cybersecurity needs.

The cybersecurity industry abounds with certifications from multiple organisations. Have you gained, or do you plan to gain, any of these, if so which ones, and why?

I was lucky enough to be one of the first students to graduate with a Certificate IV in Cybersecurity from TAFE SA. Other than that, I do not hold any industry certifications. I do plan to acquire the new certification from ISACA for cybersecurity fundamentals and work towards their IT Risk Fundamentals certifications. These are newer entry-level certifications they have released which I believe will be beneficial once I have completed my university study.

We hear all the time that the world of cybersecurity is changing rapidly, particularly with the rate of threat evolution. Do you feel your course is doing a good job of being current?

I believe the university and TAFE are doing their best to keep up with a landscape that seems to change daily. However, I would suggest anyone studying today to also keep learning outside of their courses.

What aspect of your studies excites you the most?

Graduating! Joking aside, learning how I can have an impact on businesses, be it in governance or technical manners, has been great.

What aspect do you find least interesting or useful?

I think it important to have an understanding of and a foundation in programming, because it can be very useful in cybersecurity. I was not terrible at it, I just was not interested.

Is there any aspect of cybersecurity you think should be given greater focus in your course, or any aspect you think should be given less focus?

My bachelors is a major in network with a minor in cybersecurity, and I feel there is a need for more focus on cybersecurity. While it is very important for someone going into a cybersecurity career to have a foundation knowledge of networking, CCNP level knowledge seems wasteful and the time could be better spent learning other skills.

Do you see the need for, or plan to undertake, additional training in non-cyber skills to better equip you for a future role, eg interpersonal communications or management?

I personally do not feel I will need to do this. I have previously worked in management and customer/client facing roles, which has given me a good set of soft skills.

Are you involved in the wider cybersecurity community, eg AWSN, if so, how and what has been your experience?

I am a member of several cybersecurity communities. These include AWSN, HerTechPath, AISA and ISACA. These communities have been amazing for learning, gathering information, growing my confidence and, most importantly, networking. All have different atmospheres and have been a great way to build confidence and find how I fit in the landscape.

What is your favourite source of general information about cybersecurity?

I find following a few people on Twitter, including Troy Hunt, useful along with my connections on LinkedIn and news sites like bleepingcomputer.com.

Have you ever felt disadvantaged or discriminated against by being a woman in cyber, if so, please provide details?

I do not believe I have experienced this, or I have not been aware of it. It is always a strange feeling attending an event and being one of only a handful of women in the room, but I have always found members of the cybersecurity community I have interacted with to be welcoming.

What measures do you have in place for your personal cybersecurity?

I try to ensure I use my password manager and keep good password hygiene. I use MFA wherever possible. I use a VPN when surfing the web, especially in public. I check emails for phishing and I do not click links or download random files. I ensure my settings stop macros running on Word, and so on.

With the benefit of hindsight, would you change your career trajectory to date, and if so how?

No, I do not think I would. I went into cybersecurity not knowing where I would land but so far I have been very happy with how I am going.

Have you already sought employment in cybersecurity, if so, what has been your experience of applications/interview?

I have applied for a few jobs during my time studying. I have made it through the general application phase and into the 3-4 stages. After the general applications I went through psychometric testing and video interviews but unfortunately was unsuccessful. I found my current position through word of mouth and meeting the owner of the company. I always say networking is an important skill for any student to learn.

www.linkedin.com/in/kao-hansell



JACK K

Bachelor of Information Technology student at the University of the Sunshine Coast

Jack K grew up in the hinterland of Queensland’s Sunshine Coast. He is in the first year of study for a Bachelor of Information Technology at the University of the Sunshine Coast.

Suppose you met an old friend from your last year at school who, knowing nothing about cybersecurity or what you do, asks you what you are doing. How do you answer them to ‘sell’ them on the idea of a career in cybersecurity?

From what I have seen so far most people know the word cybersecurity but don’t know what it really means. So I usually have to take it gently if I am not to overwhelm them. I would tell them there are a few kinds of cybersecurity. However, they are all generally connected.

Last semester in the bachelor’s degree course I am completing, I did a course on computer security and I learnt how to prepare and protect hardware and software from cyber attacks and threats. I also learnt how some of these attacks are carried out. I would also tell them there are always jobs for people in cybersecurity and they pay well.

We hear all the time that the world of cybersecurity is changing rapidly, particularly with the rate of threat evolution. Do you feel your course is doing a good job of being current?

Technology is always changing and improving, but so is the threat to this new technology. The course I undertook last semester was new to my university and covered a large range of topics in cybersecurity, which were recent. It was taught and coordinated by a former US government agent specialising in cyber intelligence. Because it was only an introductory level course we did not explore many of the topics of cyber and computer security in-depth, but we covered quite a lot.

What aspect of your studies excites you the most?

What I find most exciting about my studies is how to protect hardware and software from cyber attacks and threats and white hat hacking, which I found quite interesting.

What aspect do you find least interesting or useful?

What I find least interesting are the theoretical and mathematical aspects of the course, which require quite a lot of work to understand. I probably will not specialise in a particular area of cybersecurity but I am still uncertain.

What is your favourite source of general information about cybersecurity?

I get most of my general information and updates about cybersecurity from YouTube, Twitter and Reddit.

What measures do you have in place for your personal cybersecurity?

I do not have the same passwords for any accounts and my passwords are all saved in a password manager. Most of my sensitive accounts are also protected by two-factor authentication and my hardware is checked by threat detection and antivirus software.

How does the reality of cybersecurity as you experience it today fit with your understanding when you first thought about studying it?

When I first learned about cybersecurity I was probably about seven or eight years old and was always told not to share passwords or my home address. I now have a much broader understanding of how easy it can be to be cyber attacked, but I have also learned what to do to prepare for an attack, and how to deal with it.



GABRIELLE RAYMUNDO

Certified Cyber Security Professional course, at the Australian Institute of ICT

Gabrielle Raymundo grew up in the Greater Western Sydney area, in Blacktown, and is nearing the end of a Certified Cyber Security Professional course at the Australian Institute of ICT under the Australian Women in Security Network’s Security Pathway Program.

Suppose you met an old friend from your last year at school who, knowing nothing about cybersecurity or what you do, asks you what you are doing. How do you answer them to ‘sell’ them on the idea of a career in cybersecurity?

Cybersecurity is a fast-paced and ever-evolving science that is intertwined with every piece of technology, every organisation, and every person. It is the gateway into understanding how technology is embedded in our daily lives and, like technology, is ubiquitous in modern society.

Working in cyber security is a challenging and rewarding career that makes a tangible difference to people’s lives. You will never get bored as there is always a new and exciting thing to learn!

What was the reaction from parents, peers or career advisors to your decision to get into cyber? Did you face any opposition, if so, how did you feel about this?

Most of the people from my inner circle were surprised about my decision to jump into cyber security, let alone pursue a technical role as a security operations centre (SOC) analyst. My strengths were mainly in creativity and analysis, so most of my peers assumed I would take a job in interaction design or user experience.

After completing a rotation across four different security teams I found myself enjoying the role of a SOC analyst. I was able to use my creativity in problem-solving and suggesting new ways to improve our workflows, and I honed my love for learning as I delved into incident analysis. When they realised I could use my strengths in an exciting and fulfilling way, my parents and peers got on board with the idea of me pursuing a role in the SOC.

What do you see as having been the most memorable and/or significant event in your cybersecurity journey to date, and why?

What initially sparked my interest in cyber security was my experience in the security awareness team. I helped organise the marketing for Woolworths Group’s Stay Smart Online Day. I was intrigued by the creativity and communication skills displayed and found I was not only making an impact on the awareness of my team members to different cyber threats, but able to educate them on ways they could keep themselves and their families safe online. After that project, I realised roles in cyber security were not reserved for technical specialists but were available to those with many other skills.

In addition to your studies, what employment experience do you have in cybersecurity?

Before starting my cyber security studies I completed an internship in the Woolworths Group Identity and Access Management team as part of my Bachelor of Information Technology degree at UTS. After graduating I returned to Woolworths under its cyber security graduate program, which prompted me to undertake additional study. During the two-year program I was exposed to a number of cyber security teams and took on roles in cyber awareness, identity and access management, cyber data and analytics and the security operations centre.

The cybersecurity industry abounds with certifications from multiple organisations. Have you gained, or do you plan to gain any of these, if so which ones, and why?

As part of the Australian Women in Security Network’s Certified Cyber Security Professional’s course with the Australian Institute of ICT (AIICT) my current focus is to complete the CompTIA A+, Security+ and Network+ certifications. Gaining these certifications would solidify my knowledge of the critical IT and security concepts needed to piece together the environment and the controls needed to secure it. Furthermore, I hope to pursue certifications specific to my interests in security operations and reverse malware engineering such as the courses provided by Offensive Security or GIAC.

What aspect of your studies excites you the most?

I have always been the type of person who enjoys learning the intricacies of how different technologies work. Studying a course that covers such a broad range of foundational IT and security themes has been an exciting journey and has helped me in my current role as a SOC analyst, especially while triaging a variety of security incidents.

Do you see the need for, or plan to undertake, additional training in non-cyber skills to better equip you for a future role, eg interpersonal communications or management?

Learning soft skills tends to be overlooked. However, as we work in such a dynamic and growing industry, it is imperative to prioritise the development of communication, collaboration and management skills among cyber security professionals.

Threat actors are evolving quickly and we need individuals with strong interpersonal and management skills to educate the public about these threats and security behaviours, build trust with our customers, foster partnerships with other teams and industries and inspire future generations to join cyber security.

Even while working in the SOC, communicating findings and reporting trends in security incidents, it is vital to develop intelligence-driven defence for the company. With this in mind I am definitely considering studying a course in management or digital leadership in the future.

Are you involved in the wider cybersecurity community, eg AWSN, if so how, and what has been your experience?

Being a part of the AWSN Cadets program has definitely opened the doors to many learning opportunities. I participated in the AWSN Security Pathways programs and met like-minded individuals interested in digital forensics incident response (DFIR) at Hax4n6. I was surprised at the growth of the community and the support from the network. Joining the seminars was beneficial for learning the skills needed for my job, and connecting with women with diverse backgrounds in cybersecurity has motivated me to broaden my career horizons.

What is your favourite source of general information about cybersecurity?

My go-to sources for infosec news would be the Bleeping Computer, The Hacker News, and ThreatPost. I love learning about the latest threats, the chain of events in a cyber attack, and how security teams resolve a variety of incidents. I am also excited to come across a phishing campaign or malware I have read about in the news. So I try to keep up to date with as many sources as possible.

What measures do you have in place for your personal cybersecurity?

I am usually forgetful when it comes to remembering the passwords for all of my accounts, so I keep my accounts safe by using a password manager. It is a simple tool to securely store passwords, check password strength and generate unique and strong passwords for each account.

www.linkedin.com/in/gabrielle-raymundo

I S S U E 11

WOMEN IN SECURITY MAGAZINE

129


HAICHEUR ICHRAK AMANI

Haicheur Ichrak Amani is in her second year of study for a master’s degree in cybersecurity at Université des Sciences et de la Technologie ‘Houari Boumédiène’ in her native Algeria after graduating with a Bachelor of Computer Science, Computer Systems Networking and Telecommunications from the same university. She is also a Microsoft Learn Student Ambassador, one of a global group of campus leaders helping fellow students create robust technical communities and develop technical and career skills for the future.

Suppose you met an old friend from your last year at school who, knowing nothing about cybersecurity or what you do, asks you what you are doing. How do you answer them to ‘sell’ them on the idea of a career in cybersecurity?

Cybersecurity is the application of technologies, processes and controls to protect systems, networks, programs, devices and data from cyber attacks. It aims to reduce the risk of cyber attacks and protect against the unauthorised exploitation of systems, networks and technologies. A career in cybersecurity has several paths depending on the interests, goals and experience.

How does the reality of cybersecurity as you experience it today fit with your understanding when you first thought about studying it?

I first thought that cybersecurity is really complicated and hard to learn, but with time I started to learn more about it and the more I learnt, the more I enjoyed. I became passionate about the field and ended up choosing it as a career.

What cybersecurity role would you most like to be hired into when you graduate, and why?

The role I would most like to be hired for is a red teamer because I like offensive security more than defensive security.

What was the reaction from parents, peers or career advisors to your decision to get into cyber? Did you face any opposition, if so, how did you feel about this?

Some of my peers advised me to choose it and others said it would be hard. I felt confused, but I ended up choosing it because I am passionate about it.

My parents were not from the field so they could not advise me, but they always supported my choices.

What do you see as having been the most memorable and/or significant event in your cybersecurity journey to date, and why?

Being able to achieve my goals and progress in this career, from knowing nothing to an intermediate level.

In addition to your studies, what employment experience do you have in cybersecurity?

I have done three internships in different firms.

The cybersecurity industry abounds with certifications from multiple organisations. Have you gained, or do you plan to gain any of these, if so which ones, and why?

I am planning to gain many certifications, including Certified Ethical Hacker, CEH v12 from the EC-Council and Offensive Security Experienced Penetration (OSEP) from Offensive Security.

We hear all the time that the world of cybersecurity is changing rapidly, particularly with the rate of threat evolution. Do you feel your course is doing a good job of being current?

Cybersecurity requires continuous learning. A cybersecurity student should always keep up to date by taking courses to checking cybersecurity news. That is why learning cybersecurity is challenging.

What aspect of your studies excites you the most?

Learning new concepts and skills and trying to exploit new vulnerabilities.

Have you ever felt disadvantaged or discriminated against by being a woman in cyber, if so, please provide details?

It is true there are more men than women in this field, but I always felt respected and never disadvantaged or discriminated against by my peers. We were evaluated based on our skills not gender.

What measures do you have in place for your personal cybersecurity?

For my personal cybersecurity I like to play capture the flag exercises. They are computer security challenges, available on different platforms. They are fun and very useful.

With the benefit of hindsight, would you change your career trajectory to date, and if so how?

I would never change my career trajectory. I am glad I chose a career I am passionate about.

Have you already sought employment in cybersecurity, if so, what has been your experience of applications/interview?

I have done three internships already, but I applied for more. I was ghosted more than once but I never stopped searching because I was motivated and eager to acquire new skills.

www.linkedin.com/in/haicheur-ichrak-amani-2837371b3




MANDEEP BRAR
Cybersecurity bootcamp, Flatiron School

Mandeep Brar grew up in a small village in Northern Punjab, India. She now lives in Northern California and is about to graduate from a cybersecurity bootcamp at the Flatiron School. She plans to continue learning and pursue a career as a security analyst.

Suppose you met an old friend from your last year at school who, knowing nothing about cybersecurity or what you do, asks you what you are doing. How do you answer them to ‘sell’ them on the idea of a career in cybersecurity?

“Have you heard about the internet? If not, ask any two-year-old who knows how to play TikTok. Ask eight-year-olds who are gaming all day. Ask 18 year olds who are watching YouTube videos and texting all day. Cyber thieves are out there, setting traps with bait, waiting for their prey. These can start with social engineering manipulation, to get someone to click on a phishing link that downloads ransomware.

A few years ago a hacker stole the email credentials of someone in my contact list, sent me an email pretending to be that contact and telling an emotional story about being in a financial crisis and needing help. I was so taken in that I wire-transferred him $500. Later, when my original contact emailed to tell me his identity had been stolen, it was too late. Not only had I lost the money, I had lost my instinctive trust of people. Now, would you not want to learn the basic rules of internet security?”

How does the reality of cybersecurity as you experience it today sit with your understanding when you first thought about studying it?

The reality of cybersecurity is way more difficult than I thought. Having no experience in the IT industry was a drawback. And the idea of having a computer inside a computer, the concept of networking protocols, capturing packets in Wireshark, creating unique signatures to a file by hashing, remotely controlling a computer by SSH… and so on. All these things amazed me.

What cybersecurity role would you most like to be hired into when you graduate, and why?

I would like to be hired as a cybersecurity analyst where I would configure the network to be secure using my understanding of network topology. I am also interested in becoming a threat incident responder where I would create an incident report plan and a disaster recovery plan that would help mitigate risk and prepare for a range of events. I will feel confident about these roles as I practice more.

What was the reaction from parents, peers or career advisors to your decision to get into cyber? Did you face any opposition, if so, how did you feel about this?

The reaction of my immediate family was surprising, because they knew I knew nothing about computers and what I was getting myself into. However, they were neutral and supportive about the idea. My extended family, my friends, bosses and co-workers were all impressed, and supportive.

Who, or what, would you say has had the biggest influence on your cybersecurity career journey to date, and why?

I would not be here if it were not for Amazon’s career choice and the Flatiron School. The course has helped me greatly to gain mental strength, but I think WiCyS has had the greatest influence on my journey. By joining the community, I felt supported. I am taking advantage of almost every opportunity WiCyS has to offer, such as the Target malware challenge, the Fortinet summer camp, SANS capture the flag challenges and other resources such as virtual career fairs and internships.

In addition to your studies, what employment experience do you have in cybersecurity?

I do not yet have any professional employment experience.

The cybersecurity industry abounds with certifications from multiple organisations. Have you gained, or do you plan to gain any of these, if so which ones, and why?

I am working to gain Fortinet’s NSE4 Certificate (I am enrolled in the summer program). I recently took an assessment for SANS Immersion based on the GIAC certificate exam. I felt the questions put me in real life scenarios and made me think outside the box. Since then I have become very interested in preparing the Global Information Assurance Certification (GIAC) exam. I am also willing to take an exam that may be required by an organisation for learning and advancement in cybersecurity.

We hear all the time that the world of cybersecurity is changing rapidly, particularly with the rate of threat evolution. Do you feel your course is doing a good job of being current?

I believe my school is doing well in teaching the framework of cybersecurity. However, as the industry is ever changing there is constant need for self-learning. I still have a lot to learn and practice.

What aspect of your studies excites you the most?

I enjoy working with the powerful command line interfaces of virtual machines. The idea of having a computer inside a computer will always astonish me.

What aspect do you find least interesting or useful?

So far, I have found everything I have come across to be useful.

Is there any aspect of your studies you find particularly difficult or challenging, if so what, and why?

I find coding and the governance, risk and compliance part of my coursework difficult and overwhelming.

Do you see the need for, or plan to undertake, additional training in non-cyber skills to better equip you for a future role, eg interpersonal communications or management?

No, I do not feel the need for additional non-cyber skills as yet, but I am always willing to learn in an area I recognize I may be weak in. I have learnt networking and social skills in my school’s career workshops.

Are you involved in the wider cybersecurity community, eg AWSN if so, how and what has been your experience?

I am a member of WiCyS and SANS. These communities have enabled me to come out of my shell and connect with professional people. So, they are meat and potatoes for my journey. Also, LinkedIn has given me a platform to connect with inspiring professionals from all over the world.

What’s your favourite source of general information about cybersecurity?

I may be more of a visual person because I really enjoy learning from YouTube videos and images on the web.

Have you ever felt disadvantaged or discriminated against by being a woman in cyber, if so, please provide details?

I have never felt discriminated against for being a woman in this industry. In fact, WiCyS is all about women. I am proud to be a member of such a community, which is supporting women. To date, I have felt supported by all organisations I have dealt with.

What measures do you have in place for your personal cybersecurity?

My secure VPN, firewall, antivirus and tracker removal system are all up to date. I do not click on any clickable link from unknown resources such as Craigslist, WhatsApp and any unexpected email to avoid phishing attacks. I make sure I browse only on websites that are secure. I have continuous automated data backup. I do not share any confidential information without verification.

Have you already sought employment in cybersecurity, if so what has been your experience of applications/interviews?

No, I have not gained employment in cybersecurity yet. I plan to prepare for exams and interviews after my graduation when I will have more time. I want to be ready and feel confident about my future role.

www.linkedin.com/in/mandeepbrar2022


LISA ROTHFIELD-KIRSCHNER
Author of How We Got Cyber Smart | Amazon Bestseller

How to have a cyber smart sleepover: Olivia and Jack’s plan for staying safe online with friends

All Olivia and her friends have been able to talk about lately is organising a sleepover during the school holidays. They have been planning it for weeks. Their excitement has been growing as they talk about all the fun things they will do, not to mention staying up really late! They have been discussing which movie to watch, what junk food they will eat too much of, and all the sneaky ways they will pull pranks on Olivia’s brother Jack. The sleepover is going to be the best fun ever.

Some of Olivia’s friends have their own smartphones and watches, but she does not yet have her own device. Olivia’s Mum and Dad said to her: “We don’t think your friends need to bring their devices over, but if they want to, that’s fine. We’ll just put a basket on the kitchen bench for them to be stored in at night.”

Olivia understands why her parents do not like children having devices until they reach a certain age, and knows when she is ready she will get one of her own. It is not easy when almost all her friends have their own device, but she has also seen some of the nasty things that have happened to her friends because of their phones, such as being bullied in a group chat by some mean children, or being really jealous of how people look on social media, until they realise that, in real life, they look the same as everyone else.

Olivia decided she was going to ask her brother Jack for help to add to her list of fun activities she and her friends could do and, in return, she would go easy on him with the pranks. They brainstormed lots of activities that would be fun without the need for devices, activities such as card games, Monopoly, Scrabble, hide and seek, shooting hoops outside, jumping on the trampoline and baking cookies. Olivia and Jack’s parents were really impressed. They reminded her that she and her friends were also allowed a limited time to play with the game station on which they had set up parental controls.

Olivia’s mother then sent messages to the other parents to let them know their family’s tech rules, to ask if they were ok with these or had any questions.

Olivia and Jack’s tech sleepover rules.

• Devices (phones and smart watches) can be brought over but must be left in a basket on the kitchen bench to be used when needed, but not at night. At night they will be locked away for safekeeping, because we parents cannot supervise you whilst we are asleep.
• We will also ask if the phone or smart watch has a parental control installed on it.
• Your friends can use their phones or smart watches to contact their parents or caregivers, but this needs to be done in a communal area so we can supervise.
• You can play age-appropriate games on the game station.

Olivia thinks the rules are very fair and that her friends will be happy to follow them. She is so excited to have her sleepover party with her friends in the school holidays. It is going to be the best fun ever!

www.linkedin.com/company/how-we-got-cyber-smart

facebook.com/howwegotcybersmart

twitter.com/howwegotcybers1


How We Got Cyber Smart addresses cyber safety, cyber bullying and online safety for elementary school-aged children.


NEW ZEALAND WOMEN IN SECURITY AWARDS

EXPRESSION OF INTEREST SPONSORSHIP We invite your organisation to join with Source2Create and our partners to sponsor the 2023 Australian or New Zealand Women in Security Awards.

Register your interest today. Sponsorship opportunities will open up November 28th 2022. *Sponsors are subject to approval



AUSTRALIAN WOMEN IN SECURITY AWARDS 2022: ALL THE WINNERS
by David Braue

Record numbers of nominees are reshaping the future, together

As happened to every real-world event, the pandemic proved problematic for the Australian Women in Security (WiS) Awards over the past two years – but those problems were all in the past this year, as hundreds of attendees converged from around Australia on a jungle-themed awards night that celebrated the achievements of security industry leaders in 18 different categories.

Themed ‘Reshaping the Future’, the awards, which are arranged by Source2Create and supported by partner AWSN and a range of corporate sponsors, attracted 826 nominations – well up from 630 last year and 460 the year before – and kept our 20 industry judges busy whittling them down to a shortlist of 81 finalists.

“Behind each of these nominations is a story of collaboration, of people working together to make a positive impact on society,” Source2Create CEO and founder Abigail Swabey said as the festivities kicked off.

“The awards honour their achievements in their professional lives and their ability to collaborate with others to further the cause of diversity and achievement in security.”

Reflecting the growing interest in WiS and the awards from afar, attendees came from most states and distant attendees tuned into the livestream, with social-media buzz for the awards (via #WISAwards) generating over 750,000 views – not including the social-media shares.

“One thing that strikes me about the security industry is that there are so many amazing people from all different backgrounds,” said Gergana Winzer, partner for enterprise advisory - cyber with platinum awards sponsor KPMG, a Bulgarian who came to Australia via Italy 11 years ago and, after careers in fashion, journalism, law and scientific research, found her new home in the local cybersecurity industry.

“Tonight,” she said, “we would like to celebrate that there is more than one pathway to success.”

“It’s not really what you do but who you are,” agreed Natasha Paisley, who grew up feeling like an outsider in Cardiff, Wales and recalled growing up without knowing anybody who could help direct her into the corporate workforce.

“I was determined to work hard, learn and grow and push myself outside of my comfort zone,” she said, “both with formal courses and personal self-development. Your background and experience are not a limitation; they made you who you are, so embrace it.”

Four of this year’s winners were given an additional opportunity by receiving scholarships from the Cyber Leadership Institute, where they will gain cyber leadership skills to help further their careers. Winners include Cairo Malet (Octopus Deploy), Sarah Wood (AustralianSuper), Dominika Zerbe-Anders (KPMG), and Johanna Williamson (NBN Co Limited).

The event would not have been possible without the generous support of sponsors including KPMG, CyberCX, Accenture, AusCERT, Okta, Stone & Chalk, Everbridge, Sekuro, Tesserent, NAB, ALC Training, Australian Cyber Collaboration Centre, Trend Micro, Western University, Avertro, Decipher Bureau, Axis Communications, Quintessence Labs, Kyndryl, and OneInTech Melbourne.

The 2023 Australian WiS Awards will be held on 12 October 2023, and in the runup to the awards Source2Create will be launching the 2023 Women in Security Awards Alumni series – a series of collaborative workshops, to be held across Australia, in which attendees will celebrate and workshop the future of the industry.

“We are helping to create the future we have always wanted,” said Swabey. “You never know how easy it is to break a glass ceiling until you get close enough to touch it.”

“By working together, we are giving current and future generations of security workers a leg up so they can not only touch the glass ceiling but break it into thousands of tiny pieces.”

OPERATIONAL RESILIENCE – CONVERGED SECURITY RESILIENCE CHAMPION
WINNER: Johanna Williamson, NBN Co
FINALISTS: Reshma Devi (NAB), Rinske Geerlings (Business As Usual)

BEST INDUSTRY INITIATIVE THAT SUPPORTS DIVERSITY, INCLUSION AND EQUALITY
WINNER: WithYouWithMe
HIGHLY COMMENDED: The Women in National Security Podcast (WiNS Podcast - NSC & ACCENTURE)
FINALISTS: The State of Diversity & Inclusion in Australian Workplaces (WithYouWithMe), Women in Leadership programs (AWSN), Cyber Security Internship program (Telstra)

BEST SECURITY MENTOR
WINNER: Amy Roberts (Australian Signals Directorate)
HIGHLY COMMENDED: Kylie Watson (IBM)
SPECIAL RECOGNITION: Shannon Gibb (NBN Co)
FINALISTS: Farhana Dawood (Orro Group), Alpesh Nakar (Avanade)

MOST INNOVATIVE EDUCATOR IN CYBERSECURITY
WINNER: Dr. Yenni Tim (UNSW Business School
WINNER: Nivedita Newar, University of New South Wales (UNSW)
FINALISTS: Grok Academy, Lisa Rothfield-Kirschner (How We Got Cyber Smart), Michaela Ripper (Questacon – the National Science and Technology Centre), Sarah Iannantuono (SEEK), Elaine Muir (IAG)

AUSTRALIA’S MOST OUTSTANDING WOMAN IN PROTECTIVE SECURITY
WINNER: Emily Hunt (Scentre Group)
HIGHLY COMMENDED: Anna Dart (Westpac)
FINALISTS: Rebecca Winfield (IAG), Sandra Ortmanns (University of South Australia), Vannessa Van Beek (KINETIC IT PROTECT+)

AUSTRALIA’S MOST OUTSTANDING WOMAN IN IT SECURITY
WINNER: Rachael Greaves (Castlepoint Systems)
HIGHLY COMMENDED: Katherine Mansted (CyberCX), Daniella Pittis (Flight Centre Travel Group)
FINALISTS: Fiona Long (InfoSecAssure Pty Ltd), Sandra Hanel (IAG)

BEST PROGRAM FOR YOUNG WOMEN IN SECURITY
WINNER: Girls Programming Network (GPN)
HIGHLY COMMENDED: The Emerging Leaders program (Ernst & Young)
FINALISTS: Australian Signals Directorate Internship Program (ASD), Women in Security Mentoring Program (Australian Women in Security Network)

BEST INNOVATIVE BUSINESS ‘RESHAPING THE FUTURE’ OF THE SECURITY INDUSTRY
WINNER: DekkoSecure
FINALISTS: BCyber, InfoSecAssure

PROTECTIVE SECURITY CHAMPION
WINNER: Scarlett McDermott (WithYouWithMe)
FINALISTS: Anastasia Gomes (AMP), Christina Rose (Qantas)

THE ONE TO WATCH IN PROTECTIVE SECURITY
WINNER: Sarah Wood (AustralianSuper)
HIGHLY COMMENDED: Laure Ruymaekers (Sydney Metro)
FINALISTS: Cassie Carman (Westpac Group), Mina Zaki (KPMG Australia)

THE ONE TO WATCH IN IT SECURITY
WINNER: Samantha Lengyel (Decoded.AI)
HIGHLY COMMENDED: Caitlin Randall (Baidam Solutions)
FINALISTS: Emma Kirby (Macquarie Group), Claudia Muller (CyberCX), Sam Fariborz (Kmart Australia)

IT SECURITY CHAMPION
WINNER: Dominika Zerbe (KPMG)
HIGHLY COMMENDED: Corien Vermaak (Cisco), Alana Maurushat (Western Sydney University Cybersecurity Aid and Community Engagement)
FINALISTS: Fiona Long (Cyber Security Consulting), Tessa Bowles (NAB)

BEST PLACE TO WORK FOR WOMEN IN SECURITY
WINNER: Origin Energy
HIGHLY COMMENDED: Equifax
FINALISTS: Telstra, Woolworths Group, Accenture

MALE CHAMPION OF CHANGE
WINNER: Timothy McKay (OK RDY)
HIGHLY COMMENDED: Clive Reeves (Telstra); Dushyant Sattiraju (Deakin University)
SPECIAL RECOGNITION: Dave O’Loan (AARNet)
FINALISTS: Craig Millar (IAG), Pieter van der Merwe (Woolworths Group), Wayne Williamson (Equifax)

BEST VOLUNTEER
WINNER: Laura Jiew (CSIRO)
FINALISTS: Natalie Perez (Medibank and One in Tech), Anita Siassios (Women in Cyber Security Australia).

BEST SECURITY STUDENT
WINNER: Elena Scifleet (CyberCX)
HIGHLY COMMENDED: Eleni Lykopandis (Australian Bureau of Statistics), Eloise Robertson (UC Supporting Women in STEM)
FINALISTS: Gabrielle Raymundo (Woolworths Group), Fadzayi Chiwandire (CyberCX)

UNSUNG HERO
WINNER: Cairo Malet (Octopus Deploy)
HIGHLY COMMENDED: Sharon Mitchell (NBN Co), Melanie Truscott (CyberCX)
FINALISTS: Amanda Pitrans (IAG), Belinda Charleson (Digicert Australia)

BEST FEMALE SECURE CODER
WINNER: Holly Wright (IBM)
FINALISTS: Rania Bilal (Australian Cyber Security Centre – Australian Signals Directorate), Yan Liu (Retrospect Labs).



THESE ARE YOUR 2022 FINALISTS


AUSTRALIA’S MOST OUTSTANDING WOMAN IN PROTECTIVE SECURITY

WINNER
Emily Hunt, National Risk & Security Mgr Centre Experience, SCentre Group

HIGHLY COMMENDED
Anna Dart, Senior Manager - Protective Security, Westpac Banking Group

FINALISTS
Emily Hunt, National Risk & Security Mgr Centre Experience, SCentre Group
Anna Dart, Senior Manager - Protective Security, Westpac Banking Group
Rebecca Winfield, Manager, Protective Security Services and Delivery, IAG
Sandra Ortmanns, Defence & National Security Officer, University of South Australia (UniSA)
Vannessa Van Beek, Director of Security Services, KINETIC IT PROTECT+

NOMINEES
Emily Hunt, Tara Murphy, Anna Dart, Susie Jones, Rebecca Winfield, Amanda Jane Turner, Sandra Ortmanns, Vannessa Van Beek, Melissa Dundas, Sonya Brackenridge, Joannie Lee-Lang, Christina Rose, Amy Ormrod, Maryam Bechtel, Lesley Arundel, Leanne Tunningley


AUSTRALIA’S MOST OUTSTANDING WOMAN IN IT SECURITY

SPONSORED BY KPMG

WINNER
Rachael Greaves, CEO, Castlepoint Systems

HIGHLY COMMENDED
Daniella Pittis, Group CISO, Flight Centre
Katherine Mansted, Director, Cyber Intelligence and Public Policy, CyberCX

FINALISTS
Rachael Greaves, CEO, Castlepoint Systems
Daniella Pittis, Group CISO, Flight Centre
Katherine Mansted, Director, Cyber Intelligence and Public Policy, CyberCX
Fiona Long, Director / Founder, InfoSecAssure
Sandra Hanel, Specialist, Offensive Security, Cyber Threat Emulation and Defence, IAG

NOMINEES
Rachael Greaves, Amy Roberts, Daniella Pittis, April George, Katherine Mansted, Astha Nanda, Fiona Long, Gergana Winzer, Sandra Hanel, Mitra Minai, Mina Zaki, Parul Mittal, Shamane Tan, Reshma Devi, Daniela Fernandez, Brooke Parker, Gabe Marzano, Monica Zhu, Linda Cavanagh, Uyapo Alidi, Susie Jones, Audrey Jacquemart, Laura Hartley‑Quinn, Shyvone Forster, Natasha Passley, Martina Mueller, Kelly Henney, Seema, Kim Valois, Angela Pak, Dominika Zerbe‑Anders, Teena Hanson, Linda-Clare Chilvers, Aarati Pradhananga, Larissa Deylen, Tara Dharnikota, Gabriela Suiu‑Gorsa, Nancy Elrifai, Nazia Mastali, Deepa Amrat‑Bradley, Patricia Ortiz, Rebecca Williams, Sue Cheerath, Roxanne Pashaei, Meagan McClendon


KPMG: LEADING IN DIVERSITY KPMG is leading the charge to increase the representation of women in cyber, but women cannot be what they cannot see. So to give cyber women something to see, and to learn how KPMG is promoting women, we spoke to four of KPMG’s leading women to highlight them as role models for women aspiring to leadership in cybersecurity. Interviewees:

Kate Marshall National Leader of KPMG’s Cyber law practice

Mitra Minai National Cyber Partner to the Health sector

Natasha Passley Partner, Technology, Risk and Cyber

Gergana Winzer Partner, Enterprise Advisory – Cyber

OVER YOUR CAREER TO DATE, HOW HAVE YOU SEEN THE TREATMENT OF WOMEN CHANGE TO BE MORE INCLUSIVE?

acknowledge [the progress] yet not let it impact our

For Marshall, who has 30 plus years as a partner in

In contrast, Winzer says she has rarely seen any

multiple law firms, the answer is: enormously. Often

issues with inclusivity “except the few times I got

the only woman in a room, even though a partner, she

interrupted and spoken over,” and cites the growing

was assumed to be merely a personal assistant to

number of women at networking events as a sign of

one of the men. She has also lived with many non-

greater inclusivity.

drive and enthusiasm to get to full equality.”

supportive rules and regulations. “Women can’t wear pants/no part time work is permitted/no paid parental

However her involvement in cyber is much more

leave/no support to return to work/no part time

recent than Marshall’s. “When I first joined the

partners/no part time equity partners.”

industry after coming to Australia in 2013 it was very difficult to spot a female professional in the room. I

She says there has been great progress, but

was literally by myself on many occasions.”

more needs to be done. “I think it is important to

148

W O M E N I N S E C U R I T Y M A G A Z I N E

N O V E M B E R • D E C E M B E R 2022


Passley says the introduction of more flexible working has been of particular benefit to women trying to juggle childcare or caring responsibilities even though it was not designed as an equality measure.

Passley also sees deliberate moves to hire more women and get more women into leadership roles as signs of progress, but says these are often targets set at the top and do not necessarily boost inclusivity. “Having a target does not make an organisation inclusive and, unfortunately, there are sometimes policies and company norms that are not inclusive.”

Minai also homes in on flexible working as a major contributor to inclusivity, saying she has seen a significant increase since long before COVID forced employers to be more flexible. “It’s become the norm for everyone to work from anywhere and work flexibly to allow for life commitments. This has really benefited women who are usually the primary carer for their kids, and has allowed more women to come back seamlessly into the workforce after taking parental leave.”

DO YOU SEE GENDER BIAS AS STILL BEING A SIGNIFICANT ISSUE, AND IF SO, WHAT DO YOU THINK AN ORGANISATION CAN DO TO DEAL WITH IT?

For Winzer it certainly is. Not at KPMG, but from what friends and colleagues in other organisations tell her. “Classical examples are interruption in a conversation, or thinking of someone as being a less valuable team member because they could get pregnant and be away for a few months,” she says, recounting the story of an eight month pregnant director in another company being told she would never be a partner.

Minai does see bias having improved in recent years, and acknowledges there is still unconscious bias in some meetings. “There have been times where I’ve attended meetings with key stakeholders to talk about complex cybersecurity matters with my team and some attendees have automatically looked to the male team members to lead the conversation.”

Marshall agrees that unconscious bias remains a challenge. “I see the next challenge being with more subtle gender bias: it is still there, just not always so easy to spot.”

And Passley sees gender bias as still being an issue to some extent, because preconceived ideas and unconscious bias about gender still exist in society. “In the business world, there are still the internal politics and culture of the company to deal with, as well as ‘backlash’ against gender diversity present in an organisation. If a female gets a role on merit, or is the best person for the job, others think she’s only there because of a gender diversity target. … Companies have to focus on building and fostering a culture of inclusivity across all aspects of diversity, equity and inclusion, whether that is gender, ethnicity, LGBTQ+, socioeconomic, etc.”

For all four, increased diversity—across all gender variations—is key to reducing bias. “In my team I have 50 percent gender equality across the board, and I can see how this is bringing balance and a more inclusive culture as well as results for my team’s performance,” says Winzer.

Says Minai: “I always ensure I have full diversity representation in the teams I build. In my last two roles at Healthscope and NAB, I maintained 50-60 percent women across my security function. Not only did I achieve gender diversity, but I also ensured diversity in race, age and LGBTIQA+ as well. This worked wonders for the team dynamics and we had great success because of the diverse thought leadership and problem-solving skills that different people brought into our team.”

WHAT PATH LED YOU TO YOUR ROLE, OR WHAT SPECIFIC ELEMENT ATTRACTED YOU TO CYBER?

One aspect of cyber in which there is no lack of diversity is the many different pathways by which people arrived at their current roles.


Winzer arrived in Australia “in search of travel and adventure” with at least an IT background but with poor English. The first—part time—job she applied for just happened to be in cybersecurity. “In six months, I got a sponsorship visa and was able to go full time as well as grow the business I was working for. It all started with my CEO at the time giving me a chance and believing in me. The rest is history!”

Minai says she had “always been interested in technology.” She studied technology at university, completed a master’s degree in business systems, started her career in technology risk management and worked on a number of internal audit and regulatory compliance engagements.

“Understanding the importance of robust and effective application controls and general IT controls set the foundations for me to expand my experience into information security processes and controls,” she says.

“I worked for two of the largest banks in Australia and gained experience in the UK financial sector, which gave me the grounding for good practices and key operations and controls. This experience gave me the tools and knowledge to successfully define and operationalise a mature, market leading security function for one of the largest private health providers in Australia.”

Passley started her career in technology, moved into risk and compliance and then into security through leading large program transformations. “I’m particularly interested in cyber because I love learning and change, and nothing ever stands still in the world of cyber,” she says. “There’s always something new to learn or understand because the threat landscape changes so rapidly, and the subsequent impacts of that require companies to frequently pivot, restrategise and transform to further secure themselves.”

KPMG HAS ADOPTED A CYBER WOMEN LEAD PROGRAM TO ENGAGE ITS FEMALE WORKFORCE. CAN YOU TALK HOW IT AIMS TO DO THIS? HAS IT MADE KPMG A BETTER PLACE FOR WOMEN TO WORK IN CYBER?

According to Winzer the program aims to create opportunities for young—and not so young—women to exchange ideas and grow within the industry while supporting each other. “You will be hearing more over the years as this will truly be a space for women to share vulnerably and learn from their leaders and each other,” she says.

“We believe that a leader is not a title. Unlike management responsibilities, which need to be given to people, leadership is something we create and take on if we decide to do so. Hence the idea is that everyone in our industry is a leader and can lead towards great outcomes and objectives.”

Minai says KPMG has rolled out several Cyber Women Lead program initiatives focused on developing existing talent and attracting new talent. “We have a number of mentorship programs that provide access to senior leaders who offer extensive support and advice to our new leaders.

“We have also rolled out a number of training programs aimed at refining leadership skills for our female cohort to ensure they have the necessary tools and skills to succeed in senior leadership positions.”

Passley adds that the program is only one of several aimed at developing KPMG’s female talent, building the future of female leaders and attracting top female talent into KPMG. Others include “formal training programs that give women access to female leaders, in-person events and informal groups where women can connect in person on a geographical level.”

In addition to the virtual avenues for connection like Yammer and Teams channels, she says there is “a real emphasis on connecting the women across the firm regardless of level, area of expertise, background etc.”


GERGANA, MITRA AND NATASHA YOU ARE ALL REASONABLY NEW TO KPMG - ARE THERE ANY SURPRISES YOU ENCOUNTERED AT KPMG IN RELATION TO ITS DIVERSITY OR INCLUSIVITY?

Gergana Winzer says KPMG’s company-wide focus on gender equality “warms my heart and makes me believe in a better future for all emerging talent out there,” adding: “It is definitely a breath of fresh air to see how much investment and real commitment there is to foster a new generation of female cyber leaders, ready to change the face and the shape of our industry.”

Mitra Minai says KPMG lives its values every single day. “I have been very well supported and connected with all parts of our incredible organisation, which continues to excel in collaboration across our service lines and bring the best of breed practices and solutions to the market.

“Everyone really lives by the values of equality and inclusion and it has resulted in visible diversity across all our service lines. I’ve often found there is not enough diversity at the senior leadership levels in many of the organisations I’ve worked for, but I can see that’s now changing drastically and the diversity I see across KPMG’s leadership group is truly inspiring and refreshing.”

Natasha Passley—who is the partner sponsor for DEI across Technology at KPMG—says the first thing that struck her when she joined KPMG was how diverse the organisation is. “There is a wealth of global talent, and I really love that. I also love the fact that there’s so much focus from the top on DEI initiatives, and a real focus on inclusivity as part of that. With dedicated executive level sponsorship, DEI is certainly getting the focus and priority it needs to have and this filters down from the top.”

A THEME OF THIS ARTICLE IS HOW YOU ARE “TAKING CHARGE TO ENCOURAGE MORE WOMEN INTO CYBER.” WHAT DO YOU THINK ARE THE BEST INITIATIVES THAT COULD BE TAKEN TO ENCOURAGE MORE WOMEN INTO CYBER AND KEEP THEM THERE?

Passley says any initiative that shows how women can succeed in a male-dominated environment will “show women that it is possible to take charge and be successful against the myriad challenges they may face along the way,” and is “why visible role models and mentoring are so important. They allow other women from all different walks of life see that you can be successful in an area like cybersecurity.”

Minai agrees with the importance of visible role models. “I was recently approached by a very excited graduate in our team from the Middle East. She wanted to celebrate the fact that a female partner from the Middle East had been appointed into a senior role at KPMG. This needs to become the norm, not the exception.”

Marshall agrees that women in cyber need to be visible “so other females can see it is possible and a great career path.” However, she says women already established in cyber roles need to actively support others venturing into the space. “They may be the only female in the room and we (men and women) need to take steps to make them feel comfortable to be themselves and we need to stand up if we see behaviours that don’t support females.”

Winzer emphasises the role men need to play. “I believe male leaders have a huge role to play in inspiring this transformation. I personally have great male leader supporters within and outside the organisation and would not have been successful if I didn’t partner up with them and allow them to mentor me along the way.” She adds: “One important component in attracting talent is also the ability to tap into the talent early enough and I feel we need to make an effort as a society to collectively think how to inspire the next generations to join the industry and cover the already huge shortages we have in the industry.”


WOMEN NEED EXAMPLES AND ROLE MODELS: “YOU CAN’T BE WHAT YOU CAN’T SEE”. HAVE MENTORS BEEN A PART OF YOUR LIFE AND HOW HAVE THEY IMPACTED YOUR CAREER? DO YOU HAVE EXAMPLES OF HOW PEOPLE HAVE HELPED YOU SUCCEED?

Winzer is a firm believer in the value of mentors and coaches. She says she has had many mentors and continues to be mentored. She also has an ‘ontological coach’ who she sees every two weeks.

Marshall says she has had many supportive men encourage her to put her hand up and say yes when she would hesitate, and back her when she was pushing to change outdated practices and policies, adding “poor role models have also been important and I am determined not to replicate those.”

Passley says most of her mentors have been men, partly because leaders she has worked for or alongside have been male. “Men see things in a different light to women so can provide a different perspective.”

She now has a mix of males and females who act as mentors or coaches. “They help me either by shining a light on a particular aspect of my character that I’ve not been aware of, or by pointing out something I should consider that I wouldn’t have thought of.”

Minai says mentors have been of enormous value to her. “I’ve always aspired to be more like the inspirational leaders I’ve been surrounded with, and have been lucky to have a few quite diverse and highly respected members of our industry as my mentors. I’ve been able to rely on them for support, guidance and advice. Without these mentors, I don’t think I would have navigated my career as well as I have and would probably not be in the senior leadership positions that I have been in for the past 8-10 years.”

DO YOU CONSIDER YOURSELF A ROLE MODEL AND, IF SO, WHAT DO YOU DO TO GET OTHERS TO SEE YOU AS SUCH?

Minai says she is always volunteering for mentorship programs, speaking engagements, and participating on panels and in industry events and has started turning down invitations to speak on panels or attend vendor lunches and dinners unless the organisers have invited at least another five women along. “I do my best every day to set a good example for leadership and to ensure my team is inspired to be the best version of themselves. I am setting the path for other talented women and it’s my duty to make sure I’m being a visible role model. I’m always volunteering for mentorship programs, speaking engagements, and participating on panels and in industry events.”

Winzer says she is a role model without deliberately setting out to be one. “I may not always consider myself as a role model, but I know I am one. I have had many people telling me this and I can see the impact I have when I own it.”

Passley says she hopes to be a role model because “there weren’t many senior, ethnically diverse female role models in corporate environments when I was a young girl growing up many years ago.” She tries to be a role model by “being visible, doing interviews and writing in publications like this, and being available to mentor and coach other women wherever I can.”

WHAT ROLE DO MALE CHAMPIONS OF CHANGE AND ALLIES FOR WOMEN IN CYBER PLAY? WHAT WOULD YOU LIKE THEM ALL TO KNOW?

Passley says these men are extremely important and often not recognised for their contributions. “I see male champions of change everywhere, through our husbands and partners and friends that support us every day. I want them to get the acknowledgement and recognition too, as we wouldn’t get to where we are without them.”

For Minai, male champions of change play a huge role. “Most of my mentors are men. They have been incredibly generous with their time and coaching, providing me with the support, guidance and advice to get me to where I am today. I would not have taken the chances I have in my career if I had not had my incredible support network around me. We need more people (men and women) across our industry providing mentorship to our next generation.”

Marshall agrees. “They are hugely important, both to support the women and to help those who don’t see why this is important.”

Winzer too is full of praise. She wants them to know: “That I see you and I love and appreciate you. Thank you for being the ones who unleash talent.”

WHAT IS ONE MYTH ABOUT CYBER WHICH YOU WANT TO BUST?

Marshall and Passley both cite the common myth that every cyber security professional is “a techie wearing a hoodie.”

Minai has a very clear idea. It is a myth that: “You must have deep technical skills or be a pen tester to succeed in a cyber career.” She says it is important for a leader to have in-depth understanding of the field they are leading and setting the vision and direction in. “However, it’s not necessary to have all the required technical skills to be successful. Cyber expertise and operating models are quite diverse and expand from really deep technical skills in penetration testing and triaging events within the security operations centre to providing secure-by-design advice on complex solutions to the business, through to board reporting and cyber governance, risk management and cyber education and influence.

“These different and wide-ranging service offerings don’t all need deep technical skills. They need leaders with the clarity of vision and strategy to bring these different elements together and appoint key professionals with deep expertise in each of these areas to produce a market leading cybersecurity function.”

WHAT WOULD BE THE MOST IMPORTANT PIECE OF ADVICE YOU WOULD GIVE TO YOURSELF IN THE EARLY STAGES OF YOUR CAREER IN CYBER SECURITY?

Winzer says: “Be patient, keep learning, believing in yourself and you are doing great!”

Passley says she would tell her younger self: “Not to worry so much about not fitting in, and just realise that you can still make a difference with the skills you have, and that this experience is still beneficial from a cyber perspective for others.”

Marshall would tell her younger self “Don’t be too hard on yourself. If there is an acronym you don’t know, or some jargon being discussed, it is ok to ask: ‘can you just take me through that?’” And she adds: “I really wish I had told myself that, as a working mum, it is okay to take a few shortcuts. You don’t need to make the birthday cake, etc, just to show you are a good mum.”

Minai would tell her younger self to have a go and not be afraid to put up her hand and say yes to opportunities. “Sometimes I’ve been worried about making a mistake and getting it wrong and have held myself back from new challenges. I now know that I can do anything I set my mind to. I am always learning and growing my knowledge and skills in my field and challenging myself to be a better version of myself every day. I know by continuing to surround myself with incredibly talented experts, we can set the vision and achieve the right outcomes.”

www.linkedin.com/in/kate-marshall-87274411

www.linkedin.com/in/mitraminai

www.linkedin.com/in/natashapassley

www.linkedin.com/in/gergana-winzer-0939937



BEST FEMALE SECURE CODER

SPONSORED BY Trend Micro

WINNER

Holly Wright, Software Architect - Security Elite Team, IBM

FINALISTS

Holly Wright, Software Architect - Security Elite Team, IBM
Rania Bilal, Technical Officer, Australian Cyber Security Centre - Australian Signals Directorate
Yan Liu, Lead Software Engineer, Retrospect Labs

NOMINEES

Holly Wright
Rania Bilal
Yan Liu
Mahrita Harahap
Vicki Fan
Eugenie Franzinelli
Swapnali Kesarkar
Anjani Sankar
Samin Pour
Rashmi Gopinath
Divya Saxena


BEST INDUSTRY INITIATIVE THAT SUPPORTS DIVERSITY, INCLUSION AND EQUALITY

WINNER

WithYouWithMe
WithYouWithMe

HIGHLY COMMENDED

Women in National Security Podcast
NSC & Accenture

FINALISTS

NOMINEES

WithYouWithMe

WithYouWithMe

WithYouWithMe

Women in National Security Podcast NSC & Accenture

The state of diversity & inclusion in Australian workplaces

Women in National Security Podcast The state of diversity & inclusion in Australian workplaces Women in Leadership programs

WithYouWithMe

Cyber Security Internship program

Women in Leadership programs

SheLeadsTech (ISACA Melbourne Chapter)

AWSN

Cyber Security Internship program Telstra

Live & Learn program (Think & Grow) Tangible Uplift Program for Women in Cyber Security Camp SEEK



BEST PLACE FOR WOMEN TO WORK IN SECURITY

SPONSORED BY Okta

WINNER

Origin Energy

HIGHLY COMMENDED

Equifax

FINALISTS

Origin Energy
Equifax
Telstra
Woolworths Group
Accenture

NOMINEES

Origin Energy
Akamai Technologies
Equifax
Orro Group
Telstra
Trend Micro
ISD Cyber
Platinum Talent Management
Woolworths Group
Accenture
SEEK
Deloitte Cyber
Healthscope
KPMG Australia
Westpac Banking Group
Okta


MARTINA MUELLER

DRIVING DIVERSITY AND INCLUSION IN ACCENTURE CYBERSECURITY

by Martina Mueller

Martina Mueller is the Accenture Australia financial services security lead and a founding member of Accenture’s Global Women in Security program which kicked off in 2017 aiming to attract and retain female talent in the security practice. She now heads Accenture Security Australia’s diversity and inclusion agenda with colleague, Sinead MacCreadie.

YOUR GOAL IS TO HAVE A GENDER BALANCED WORKFORCE BY 2025. WHAT IS THE RATIO TODAY AND HOW ARE YOUR RECRUITMENT INITIATIVES HELPING TO ACHIEVE THIS GOAL?

Accenture’s global workforce is 47 percent female, and we are very much on our way to meeting our 2025 goal. This is the result of our leadership relentlessly driving initiatives and programs to achieve this. In ANZ 29.1 percent of the executive level leadership team are women and the gender split is 38.6% in the rest of the business.

Locally, we are proactive in the measures we are taking to reduce gender bias in the recruitment process and increase the percentage of women. Salaries are reviewed on commencement and annually to ensure comparability with similar roles and we have gender recruitment goals that are tracked and reported on monthly. We also aim to achieve a balanced gender split at each career level.

Accenture’s removal of gendered language from recruitment campaigns has had a really positive impact. In business areas such as cybersecurity we often see women reluctant to pursue a role if they do not ‘check all the boxes’ in the position description. Gender-neutral language removes this hurdle.

HOW IS RESPONSIBILITY FOR DIVERSITY AND INCLUSION MANAGED IN ACCENTURE? DO YOU HAVE A MANAGER WITH OVERALL RESPONSIBILITY OR IS IT THE RESPONSIBILITY OF INDIVIDUAL DEPARTMENTS/BUSINESS UNITS TO FOCUS ON DIVERSITY?

Diversity and inclusion are global priorities. Commitment starts at the top with our chair and chief executive officer (Julie Sweet) and board and filters down.

Leaders at all levels have a fundamental role in helping to create and sustain a culture of equality in their teams in which everyone can advance and thrive. As a leader in the cybersecurity space I am responsible for promoting the power of inclusion and diversity. We offer robust programming including specialised training, networking support, flexible work arrangements, mentoring, mental health resources and equal benefits. We also have a dedicated inclusion and diversity team responsible for initial and ongoing education, embedding the ANZ I&D strategy and executing it.

MY INSTRUCTIONS WERE TO ASK YOU ABOUT HOW ACCENTURE IS DRIVING DIVERSITY AND INCLUSION IN ACCENTURE CYBER SECURITY. CAN YOU SAY SOMETHING ABOUT SPECIFIC INITIATIVES IN THAT BUSINESS?

We run an active and engaged Women in Security group led by myself and my colleague, Sinead MacCreadie. This group was set up to support and retain our female talent and to run various initiatives for our women in security such as the Leadership Connection and The Powerful Presenter.

The group meets bimonthly to discuss our strategy and progress, initiatives, and how to improve our uptake and retention of women in cybersecurity and share home-schooling war stories. The network is open to everyone, not only the females in security. We actively encourage all Accenture people to attend.

In the cybersecurity space we also run an intensive Leadership Connection course across all career levels focused on developing authentic leadership skills, confidence, courage and establishing a personal presence and brand.

The Powerful Presenter is another initiative. It is an eight-week coaching program run annually for staff from analyst to manager levels to improve presentation skills and prepare our females in security to speak at conferences and industry networking events. Feedback from the women who have participated is that it is a “powerful and transformative experience” and has “helped them supercharge their careers.” So we are really proud of it.

DO YOU SEE SOME OF THE DIVERSITY CHALLENGES ACCENTURE CYBERSECURITY FACES AS BEING PARTICULAR TO THAT BUSINESS AND DO YOU HAVE ANY INITIATIVES TO BRING ATTENTION TO THIS ISSUE?

Accenture’s Cybersecurity Forum Women’s Council recently released a PoV, Rising to the Top, which highlights some prevalent issues around the lack of representation of women in cybersecurity and how men and women are pursuing the role of the CISO differently. There are some really confronting statistics, one of which is that, out of 4.1 million cyber professionals worldwide, only 25 percent, a little less than one million, are women.

A way to encourage women to pursue careers in cybersecurity is to elevate female role models. Meg Tapia, Principal Director for Defence and National Security, launched the Women in National Security podcast to inspire and empower women outside Accenture to think about cybersecurity as a viable career path.


The podcast, which just received a highly commended award in the Australian Women in Security awards, started because Accenture and the Australian National University National Security College were aligned on the need to create positive change around diversity in the security community.

The podcast has become an incredibly powerful platform for defence, intelligence and national security leaders who happen to be women to speak about their own journeys and lessons learnt, as well as what their agencies are doing to address the diversity challenge. It is an initiative easily accessible by all career levels and one that seeks to drive real change. I am incredibly proud it is out there pushing this change.

RECENT RESEARCH SHOWS THERE IS A REAL SKILL DEFICIT IN CYBERSECURITY. WHY DO YOU THINK WOMEN ARE RETICENT TO PURSUE CAREERS IN AN INDUSTRY WHERE THERE IS SO MUCH DEMAND?

There are several contributing factors. Firstly, the industry needs to be more inclusive in its hiring practices. Rather than focusing on the credential or technical requirements for a job we should be looking for the right qualities in job candidates: a purpose-driven mindset, leadership, excellent problem-solving skills, c-suite and board level communication skills and a passion for learning. Other skills can be taught and should be continually reinforced over the course of a career. We also need to encourage women to apply for roles even if they do not meet every requirement in the job description.

HOW IS ACCENTURE HELPING WOMEN TO FEEL SUPPORTED WHEN TAKING THE ‘NEXT STEP UP’ IN THEIR CAREERS?

Accenture is recognised as an Employer of Choice for Gender Equality by the national Workplace Gender Equality Agency (WGEA) and is committed to raising the bar on attracting, supporting and promoting women.

One initiative I think sets us apart is to appoint a trained equality champion and have them present in talent and promotion processes to identify and call out any commentary that could be seen as biased. This person assesses whether comments would be considered fair if roles were reversed (eg, if the individual were of a different gender, race/ethnicity, culture or background).

Equality champions speak up when potentially biased comments or decisions are made during discussions and encourage others to do the same to help reach the best outcomes.

YOUR WEBSITE SAYS: “WHEN YOU WORK WITH US, YOU CAN BRING YOUR WHOLE SELF TO WORK EVERY DAY.” I TALKED TO ANOTHER COMPANY THAT SURVEYED ITS WORKFORCE AND GOT A NASTY SHOCK WHEN IT FOUND HOW FEW FELT THEY COULD DO THAT. DO YOU TRY AND MEASURE THIS, AND IF SO, WHAT RESULT DO YOU GET?

Our approach is not linear. We really embody the ethos that employees should feel comfortable bringing what they want to bring to their place of work. For some, it is their whole self. While others want to separate elements of their personal and professional lives. We understand and encourage this type of inclusivity and have inclusive support networks and communities to help each individual determine how they will best thrive.

We run regular people engagement surveys to gauge employees’ sentiments about our business, report these results and work proactively to action change to make Accenture a truly great place to work. We have recently launched progressive leave policies as a direct result of these engagements. We offer:

• Support leave for employees assisting aging parents/adult friends or persons with disabilities;
• 18 weeks paid parental leave;
• Assisted reproductive treatment (including IVF) leave;
• Aboriginal and Torres Strait Islander cultural leave;
• Gender affirmation leave;
• Additional leave purchasing and career break options.

ACCENTURE MADE PLATINUM STATUS IN THE 2022 AUSTRALIAN LGBTQ INCLUSION AWARDS. CAN YOU TELL ME ABOUT ANY INITIATIVES SPECIFIC TO LGBTQ INCLUSION THAT WOULD HAVE HELPED YOU ACHIEVE THIS AWARD.

Accenture has been recognised as a Platinum Employer for seven consecutive years from 2016 to 2022 in the Australian Workplace Index (AWEI), the definitive national benchmark on LGBTI workplace inclusion. And in 2020 Accenture was recognised as the Highest-Ranking Private Sector organisation of the decade. Our PRIDE employee resource group is led by employees across our organisation. They work hard to build a community for our LGBTI employees and allies and to create a safe and inclusive workplace by improving policies and processes. For example, early in 2022 Accenture launched gender affirmation leave to support transgender employees. We have provided ally training to over 1,600 employees. In addition, we provide pro bono support to external partners and community organisations to help create safe communities.

www.linkedin.com/in/martina-t-mueller


THE ONE TO WATCH IN IT SECURITY

SPONSORED BY Accenture

WINNER

Samantha Lengyel, Co-founder, CEO, Decoded.AI

HIGHLY COMMENDED

Caitlin Randall, Southern Sales Director, Baidam Solutions

FINALISTS

Samantha Lengyel, Co-founder, CEO, Decoded.AI
Caitlin Randall, Southern Sales Director, Baidam Solutions
Emma Kirby, Senior Manager, Macquarie Group
Claudia Muller, Lead Analyst Cyber Intelligence, CyberCX
Sam Fariborz, Kmart Australia

NOMINEES

Samantha Lengyel Caitlin Randall Emma Kirby Claudia Muller Sam Fariborz Michelle Gatsi Courtney Pitson Jasmine Woolley Karla McGrellis Ritu Dahiya Mahrita Harahap Tara Dharnikota Alisha Hummel Julia Wulf‑Rhodes Simone Van Nieuwenhuizen Alessandra Byres Laura Dominguez Nikola Jimenez Sapna Kumari Christine Eikenhout Emily Goodman Saba Bagheri Georgia Brady Mariya Novakova Polly Cheung Tracy Chen Esther Lim Amanda Soo Jenn West

Tynagh Songberg Rachael Greaves Bimal Jeet Kaur Rachel Bamberg Binitha Sudheer Vivienne Mutembwa Kasi Greven Neha Dhyani Manon te Riele Alina Kontarero Vedusha Chooramun Courtney Carr Anita Tomison Kate Ellis Anya Avinash Samantha Lear Madeleine StewartSophie Harding Teh Ciara Crimmins Susan Lee Karen Hobson Divya Dayalamurthy Kellie Stockham‑Vasey Flavia Souza Madhuri Badarinath Grace Cox Rebecca Ahmed Madhumita Iyer Sabrina Pedersoli Shireen Syed Anupma Garg Rochelle Shahfazli Hannah Quayle Nancy Elrifai Nikki Peever Anna Snape Tisa Majumder Rutvaben Patel Ane Hellmann Stephanie Hagenbrock Anjali Varghese Alana Balacco Honey Scowen Nicole Neil Veronica Ikpa Sophia Barbour Julia Zhu Alana Mannix Adeline Martin Veronica Hobbs Akansha Pandey Melanie Maxwell Cayley Wright Tenzin Chogyal Jalpa Bhavsar Vernica Ta Manju Iyer


We secure the world Threats don’t have boundaries. Neither do we.

Security breaches are getting smarter, stronger and more devastating to industries across Australia. We’re looking for passionate, creative people to help tackle some of the biggest cyber-security threats facing us today. Come and join us. Find out how you can take the next step in your career and help our clients build a cyber resilient future. Bring your intellect, your passion and your ideas. accenture.com/au-en/careers


BEST SECURITY MENTOR

WINNER

Amy Roberts Director Skills, Training and Enabling Programs, Australian Signals Directorate

HIGHLY COMMENDED

Kylie Watson Lead Client Partner, National Security & Defence, IBM

SPECIAL RECOGNITION

Shannon Gibb Cyber Analyst, NBN Co

FINALISTS Amy Roberts Director Skills, Training and Enabling Programs Australian Signals Directorate

Kylie Watson Lead Client Partner, National Security & Defence IBM

Shannon Gibb Cyber Analyst NBN Co

Farhana Dawood Cyber Security Control Assurance Analyst Orro Group

Alpesh Nakar Director, Cyber Defence Avanade


NOMINEES Amy Roberts Kylie Watson Shannon Gibb Farhana Dawood Alpesh Nakar Daniel Goldberg Dominika Zerbe Beti Dafovski Catherine Wise Nivedita Newar Lucy Liu

Mansooreh Zahedi Gabriella Guiu‑Sorsa Asangi Jayatilaka Julie Gleeson Heloise Hocart Nadine De Lile Chris Mohan Dipti Mulgund Rakesh Sharma

Martina Mueller Chathura Abeydeera Asou Aminnezhad Lukasz Gogolkiewicz Leanne Howell Amila Elcic Sinead MacCreadie

Leonard Ng

Angelina Gramatkovski

Daniela Fernandez Palacios

Tory Lane

Shelley Godden

Lucy Mannering

Tara Dharnikota

Marie Chami

Roshan Fernandes

Fraser Metcalf

Esther Lim



BEST SECURITY STUDENT

SPONSORED BY AusCERT

WINNER

Elena Scifleet Senior Consultant, CyberCX

HIGHLY COMMENDED

Eleni Lykopandis Information Security Officer, Australian Bureau of Statistics

Eloise Robertson Founder and Executive Director, UC Supporting Women in STEM

FINALISTS Elena Scifleet

NOMINEES Elena Scifleet

Evelyn (Evie) Downing

Eleni Lykopandis

Mia Symonds

Eloise Robertson

Nesera Dissanyaka

Gabrielle Raymundo

Niamh Hitchman

Fadzayi Chiwandire

Olivia Ong

Brittany Dalamangas

Annabelle Harrison

Kaajal Sharma

Vaibhavi Sarkar

Little Butterflies

Carina Yu

Amy McGregor

Rameen Nadeem

SOC Specialist Woolworths Group

Elina Lonchampt

Claudia Squire

Caitlin Sauza

Charlotte Kohler

Fadzayi Chiwandire

Sarah Assaf

Avon Chang

Associate Application Security Consultant CyberCX

Abbey McLean

Adela Ramadhina

Senior Consultant CyberCX

Eleni Lykopandis Information Security Officer Australian Bureau of Statistics

Eloise Robertson Founder and Executive Director UC Supporting Women in STEM

Gabrielle Raymundo


Jasmine Woolley



BEST PROGRAM FOR YOUNG WOMEN IN SECURITY

WINNER

Girls Programming Network (GPN)

HIGHLY COMMENDED

Ernst & Young The Emerging Leader Program (ELP)

FINALISTS

Girls Programming Network (GPN)

Ernst & Young The Emerging Leader Program (ELP)

ASD Australian Signals Directorate Internship Program, Entry Level Programs

Australian Women in Security Network Women in Security Mentoring Program

NOMINEES Girls Programming Network (GPN) The Emerging Leader Program (ELP) (EY) Australian Signals Directorate Internship Program (ASD) Women in Security Mentoring Program (AWSN) Deloitte Cyber Academy (Deloitte) SheLeadstech (ISACA Melbourne) Girls Do Cyber (The University of Queensland)

Engagement and Outreach to High Schools program for Cyber Security, Counter-Terrorism and Security and Intelligence courses (Edith Cowan University) Tangible Uplift Program Hackcelerator Program (Sekuro) Tech Girls Movement Foundation UC Supporting Women in STEM Kids SecuriDay CyberSista (STEM FastTrack)



BEST INNOVATIVE BUSINESS “RESHAPING THE FUTURE” OF THE SECURITY INDUSTRY

WINNER

DekkoSecure

FINALISTS

DekkoSecure BCyber InfoSecAssure

NOMINEES

DekkoSecure BCyber InfoSecAssure Trend Micro Cydarm Deloitte

A HUGE CONGRATULATIONS to all Winners, Highly Commended and Special Recognition recipients across all categories from the Source2Create team



We are a mission-driven, not-for-profit organisation that is committed to using our knowledge to make cyber space a safer place for organisations, corporations, agencies and institutions to do business - now and into the future.

With our strong network of national and international partnerships, we can equip Australian organisations with the tools and knowledge to operate safely and efficiently in the digital economy. As an independent not-for-profit, The Centre complements the work of existing research bodies in eventuating cyber security to the forefront of the nation’s consciousness - while also acting as a translator between business, government and cyber specialists. We are committed to growing the nation’s reputation as a cyber security leader that delivers smart solutions and provides economic stimulus in this new world.

Membership Opportunities

Affiliate Membership designed for SMEs

Premium Membership designed for cyber security vendors and system integrators

Platinum Membership designed for the organisations who want to contribute to the cyber ecosystem.

Each membership receives discounts on products and services, access to our facilities at LotFourteen, and contributes to the growth of The Centre.

Training

Including IRAP Assessor Training, IRAP Readiness Training & IRAP Re-Certification Exam

The Centre regularly collaborates with its members and cyber professionals to collaborate on training and workshops.

We connect the leaders, the thinkers and doers with real opportunities to learn, launch and protect businesses.

Services

A focus of The Centre is to provide SMEs with the necessary tools and resources to begin their cyber journey.

Cyber Clinics

GCA Tool Kit

SME Networking events

Creating solutions through collaboration, innovation, and entrepreneurship


BEST VOLUNTEER

WINNER

Laura Jiew Marketing & Events Advisor, CSIRO

CORRECTION – LAURA JIEW, WINNER BEST VOLUNTEER

The citation for Laura Jiew, named Best Volunteer in the Australian Women in Security Awards, contained incorrect information. We correctly stated that Laura’s day job is as Marketing and Events Advisor at CSIRO, based in Brisbane. However, her volunteer roles – given as being with ISACA Sydney Chapter, the ISACA OneInTech foundation, ISACA SheLeadsTech initiative, International Women’s Day, the Factor Analysis of Information Risk (FAIR) Institute and the ASA Sydney chapter – were not correct.

Prior to joining CSIRO, Laura had held a role at AusCERT and volunteered with the AWSN as National Lead, Marketing and Social Media in her spare time. Alongside AWSN’s Founder and Exec. Manager, Jacqui Loustau, and its Board members, Laura had led the team through an immense period of growth by establishing and executing its marketing communications plan and brand guidelines and delivering its social media strategy. In the span of the almost 2 years that she was in that role, AWSN’s membership network grew by about 40% and saw an incredible uptake of support in sponsorship income from organisations such as the ASD, CyberCX, CBA, Telstra etc. It goes without saying that this was a team effort, comprising other fellow National level leads; as the saying goes, cyber is a team sport! Throughout Laura’s time working in the security sector, she had seen the impact that cybercrime can have on small businesses and corporations. As someone with a marcomms background, Laura really wanted to use different and creative ways to encourage cyber safe practices across Australia and was inspired by the incredible colleagues she had worked with.

Amongst her proudest accomplishments was witnessing the increased number and diversity of attendees and presenters at the annual AusCERT conference, leveraging her active contribution within AWSN. And finally, Laura was always, and continues to be, passionate about giving a voice to women, particularly of First Nations and CALD backgrounds, through featuring them in the Source2Create Women in Security Magazine; and, through her connections with UQ, by mentoring female students who were studying cyber security or were part of the UQ Cyber Squad.

FINALISTS

Laura Jiew Marketing & Events Advisor, CSIRO

Natalie Perez Senior Internal Auditor - Enabling Functions, Medibank and SheLeadsTech Coordinator for ISACA Melbourne

Anita Siassios

Women in Cyber Security Australia

NOMINEES

Laura Jiew

Daisy Wong

Natalie Perez

Shelly Mills

Anita Siassios

Cheryl Wong & Jocasta Norman


IT SECURITY CHAMPION

SPONSORED BY Stone & Chalk

WINNER

HIGHLY COMMENDED

Corien Vermaak

Alana Maurushat

CISO Advisor, Cisco

Director, Western Centre for Cybersecurity Aid and Community Engagement

Dominika Zerbe-Anders Director, Cyber, KPMG

FINALISTS Dominika Zerbe-Anders Director, Cyber, KPMG

Corien Vermaak

Dominika Zerbe‑Anders Corien Vermaak

CISO Advisor, Cisco

Alana Maurushat

Alana Maurushat

Tessa Bowles

Director, Western Centre for Cybersecurity Aid and Community Engagement

Fiona Long Director, Cyber Security Consulting

Tessa Bowles Senior Consultant, Security Advisory & Awareness, NAB


NOMINEES


Fiona Long Alex Nixon

Sarah Box

Maryam Bayat

Sarah Humphries

Sandy Assaf

Enid Zheng

Asou Aminnezhad

Melisa Allan Nazia Mastali Vidhu Bhardwaj

Barbara Lima Gaya Gounder Alison Dean

Hannah McKelvie

Anneliese McDowell

Shannon Lorimer

Catherine Wise

Victoria Cole

Farhana Darwood

Raman Gill

Angela Hall

Celia Yap

Deepa AmratBradley

Deanna Gibbs

Christiane Perez

Emma Lovell

Hilary Walker

Laura Davis

Madhuri Nandi Hansika Vats



MALE CHAMPION OF CHANGE

SPONSORED BY KPMG

WINNER

Timothy McKay CEO and Founder, OK RDY

HIGHLY COMMENDED

Clive Reeves Deputy CISO / Head of Cyber Operations, Telstra

Dushyant Sattiraju Manager Cyber Security Operations, Deakin University

SPECIAL RECOGNITION

Dave O’Loan Head of Cyber Relations, AARNET

FINALISTS

Timothy McKay CEO and Founder OK RDY

Craig Millar Executive Manager, Group Protective Services IAG

Clive Reeves Deputy CISO / Head of Cyber Operations Telstra

Dushyant Sattiraju Manager Cyber Security Operations Deakin University

Dave O’Loan Head of Cyber Relations AARNET

Pieter van der Merwe Chief Information Security Officer Woolworths Group

Wayne Williamson Chief Information Security Officer for A/NZ & Emerging Markets Equifax

NOMINEES Timothy McKay

Brad Miller

Danny Flint

Clive Reeves

Erwin Jansink

Faisal Masaud

Dushyant Sattiraju

Jason Becker

Michael O’Brien

Dave O’Loan

Jay Harish Hira

Dan Goldberg

Craig Millar

Leonard Ng

Harvey Marcus

Pieter van der Merwe

Nrupak Shah

Varun Acharya

Peter Sharp

Adam Hallyburton

Amit Chaubey

Mario Antoniou and Damian Farrugia

Wayne Williamson Ajay Unni Luke Eason Raven David Tony Vizza Brett Ramm Craig Wishart Mat Franklin Ashwin Pal

Chris McDonald Gordon Archibald Liam Connolly Martin Barnier Anthony Coops Chirag Joshi

Hashim Khan Andrew Wan James Ng Aman Malik

Paul Auglys Shane Laffin



MOST INNOVATIVE EDUCATOR IN CYBERSECURITY

WINNER

Dr. Yenni Tim Senior Lecturer, UNSW Business School

WINNER

Nivedita Newar Head of Cyber Security Strategy and Governance, University of New South Wales (UNSW)

FINALISTS

Dr. Yenni Tim Senior Lecturer UNSW Business School

Nivedita Newar Head of Cyber Security Strategy and Governance University of New South Wales (UNSW)

Grok Academy Schools Cyber Security Challenges

Lisa Rothfield-Kirschner Author How We Got Cyber Smart

Michaela Ripper Exhibit Developer Questacon Cyber initiative

Sarah Iannantuono Security Strategy and Program Lead SEEK

Elaine Muir Manager, Security Education and Awareness IAG

NOMINEES Dr. Yenni Tim

Gabe Marzano

Nivedita Newar

Jacqueline Jayne

Grok Academy

Suzanne Dyke

Lisa Rothfield-Kirschner

Cyber Leadership Institute

Michaela Ripper

Sharon Dancer

Sarah Iannantuono

Ivana Kvesic

Elaine Muir

Melanie Youngson

Serena Pillay Cyber Sista - Girls Mentoring Program



OPERATIONAL RESILIENCE – CONVERGED SECURITY RESILIENCE CHAMPION

SPONSORED BY Everbridge

WINNER

Johanna Williamson Senior Manager Security Strategy and Governance, NBN Co

FINALISTS

Johanna Williamson Senior Manager Security Strategy and Governance NBN Co

Reshma Devi Associate Director Enterprise Data and Analytics Risk NAB

Rinske Geerlings Managing Director Business As Usual

NOMINEES

Johanna Williamson

Reshma Devi

Rinske Geerlings

Sandra Ortmanns

Rimple Kapil

Lisa O’Donohue



PROTECTIVE SECURITY CHAMPION

WINNER

Scarlett McDermott Chief Technology Officer, WithYouWithMe

FINALISTS

Scarlett McDermott Chief Technology Officer WithYouWithMe

Anastasia Gomes Cyber Governance & Assurance Analyst AMP

Christina Rose Manager Security Operations & Advisory Group Security and facilitation Qantas

NOMINEES

Scarlett McDermott

Anastasia Gomes

Christina Rose

Harini Ramadas

Roxanne Pashaei


THE ONE TO WATCH IN PROTECTIVE SECURITY

WINNER

Sarah Wood Manager Security Intelligence AustralianSuper

HIGHLY COMMENDED

Laure Ruymaekers Security Intelligence & Reporting Analyst Sydney Metro

FINALISTS

Sarah Wood Manager Security Intelligence AustralianSuper

Laure Ruymaekers Security Intelligence & Reporting Analyst Sydney Metro

Cassie Carman Manager Protective Security Westpac Banking Group

Mina Zaki Associate Director - Cyber Security Alliances KPMG

NOMINEES

Sarah Wood

Laure Ruymaekers

Cassie Carman

Mina Zaki

Isabella Parkman

Vannessa Van Beek

Kavika Singhal

Liz Gomez

Victoria Zhong

Monica Vorster

Baby Lyn Nagayo


UNSUNG HERO

WINNER

Cairo Malet Senior Risk and Compliance Specialist, Octopus Deploy

HIGHLY COMMENDED

Sharon R Mitchell Executive Assistant to the Chief Security Officer, NBN Co

Melanie Truscott Executive Director Engagement and Communications, CyberCX

FINALISTS Cairo Malet Senior Risk and Compliance Specialist Octopus Deploy

Sharon R Mitchell

NOMINEES Cairo Malet

Reshma Devi

Parul Mittal

Sharon R Mitchell

Paula Oliver

Shannon Pinney

Melanie Truscott

Hanlie Botha

Mahima Kopparam Cassandra Schweers

Executive Assistant to the Chief Security Officer NBN Co

Amanda Pitrans

Barbara Cook

Belinda Charleson

Pooja Shimpi

Bronwyn Mercer

Baby Lyn Nagayo

Melanie Truscott

Ingrid Matosevic

Adeline Martin

Executive Director Engagement and Communications CyberCX

Sharon Dorothy Jenkins

Shyvone Forster

Amanda Pitrans Specialist, Group Protective Security Intelligence and Operations IAG

Belinda Charleson Marketing Director Digicert Australia


Jalpa Bhavsar Linda Chai

Jo Douglas Amanda Russell

Bex Nitert Deepa Bradley Meg Peddada Sita Bhat Suzanne Ward Tracey Fraser

Elena Scifleet

Mehrnaz Akbari Roumani

Emma Mills

Sarah Cain-Frost

Vanessa Gale

Tamara Jesenkovic

Mina Zaki

Emily Wingward

Heather Hicks

Shereen Samuel

Avon Chang



DIGITAL TRANSFORMATION DELIVERED IN ONE PLACE

Spark Business Group is the end-to-end solution to digitally amplify your business. We’ve brought together experts right across the digital spectrum to help you discover the potential of digital tools to transform your organisation. From reaching new depths in data and analytics and optimising your digital infrastructure to reinventing your CX and automating your business processes. Each field of expertise coming together to help grow your business performance and productivity.

Tap into tomorrow with Spark Business Group

Discover how Spark Business Group can help accelerate your business businessgroup.spark.co.nz



THESE ARE YOUR 2022 FINALISTS


DIVERSITY: THE HEART OF SPARK

New Zealand’s largest telecommunications and digital services provider, Spark, is in the running for several awards at the inaugural New Zealand Women in Security Awards: Best Industry Initiative that Supports Diversity, Inclusion and Equality and Best Place for Women to Work in Security. Also its head of security, Nyuk Loong Kiw, has been nominated for the Male Champion of Change award and many of Spark’s female leaders in security have been nominated for a variety of awards such as professional services. These include: network and security design consultant Amina Aggarwal for the IT Security Champion award, Best Security Mentor award and One to Watch in IT Security award; and security governance, risk and assurance specialist Megan Young for the One to Watch in IT Security award.

At the heart of Spark’s initiatives to promote diversity and gender equality is its Blue Heart Kaupapa (a Māori term for principle or policy). It emerged, says Spark product director Tessa Tierney, from some internal research undertaken in 2017 which revealed the company environment to be one in which some employees, particularly women, did not feel like they belonged.

“We had a few hard truths show up. A lot of our people said to us, ‘we don’t think we can bring our whole selves to work at Spark’,” she says.

From the survey’s revelations came Blue Heart Kaupapa. It was, and still is, says Tierney “about making a commitment to each other, a pledge for what we will stand for in diversity and inclusion, to make sure we became much more inclusive.”

VISIBLE ICON OF A HEART-LED APPROACH

Spark’s people-led approach to digital equity and inclusion, Blue Heart, is focused on celebrating differences and encouraging Spark employees to bring their whole self to work. The Blue Heart symbol is a visual representation of how Spark people think and act in an inclusive way. When Blue Heart was launched, thousands of Spark people made a Blue Heart Pledge—their personal commitment to D&I—and the company continues to invite new starters to do the same when they join the business.

Tierney says the program received a substantial boost in 2018 when Spark undertook a significant restructure, called ‘Flipping the business to Agile’. “We changed our organisation from a traditional hierarchical model of departments to diverse small teams of people with mixed and blended skills. We dismantled the hierarchy. We used to have seven layers of management; we now have three. That reorganisation helped Blue Heart Kaupapa gather momentum.

“We measured this year how many of our people feel they can bring their whole selves to work. Now it is 84 percent, so there has been a huge change in the culture.”

The shift to Agile also ushered in some changes aimed at countering personality differences that often disadvantage women.

“One of the values we put into Agile was shifting from ‘loudest voice wins’ to ‘value every voice’,” Tierney says. “For example, we start meetings by writing things down rather than speaking. We are very aware that some people don’t have really quick voices and thoughts in the moment or are not the loudest speaker.”



TOP DOWN: SETTING STRATEGY, AMBITION AND STANDARDS

Digital equity and inclusion are strategic business priorities for Spark and embedded in its business strategy. When Spark launched its current three-year strategy to the market, the ambition for 2023 was to create a culture defined by its engagement, diversity and inclusion. The company holds itself accountable to progress through the following targets:

1. Achieving 40:40:20 representation Spark-wide

2. Reducing its median gender pay gap by 10 percentage points to 18 percent

3. Reaching 50+ percent ethnicity data sharing among its people, to enable more targeted interventions to improve representation

Spark recognises that building an inclusive culture must be led by Spark leaders, and as such these strategic ambitions have been integrated into the workplans of leaders across the business.

DIVERSITY IS KEY TO SUCCESS

Job interviews for new positions must have a woman on the interview panel and the pool of interviewees must have 40 percent men, 40 percent women and 20 percent of any gender.

Spark’s achievements in diversity and gender equality extend well beyond simple male/female issues. It was the first telecommunications company in New Zealand to receive the Rainbow Tick Certification. “You have to demonstrate you are an inclusive organisation for the LGBTI community,” Tierney says. “You have to set formal benchmarks around LGBTI inclusion in the workplace, and they reassess your certification annually.”

The company acknowledges it still has some work to do to achieve its Spark-wide gender target of 40:40:20, with women comprising 34 percent of Spark’s total workforce. Covid-19 made creating opportunities for change more challenging, and the company is now aiming to achieve its representation target in 2024.

Tierney says that, in an Agile environment, there are very clear business benefits from gender, age and ethnic diversity.

“After four years of Agile, I can see it is the teams with a high level of diversity that are always the ones that have the best outcomes. They’re the most exhausted because everybody brings a subtle worldview or perspective difference. And the outcomes are better. They more quickly crystallise what will work for a customer, because they represent the customers we actually serve.”

Male Champion of Change contender Nyuk Loong Kiw is a 20-year veteran of the company. As the head of security at Spark, Kiw leads a team of more than 100 and says one of his biggest diversity challenges is getting more women to apply for security roles. “Every time we put up a job advertisement, 95 percent of applicants are male.”

To try and change this Spark has established several partnerships with tertiary institutions designed to help identify, upskill and recruit future talent while also building diversity within its teams. In addition, any technical job advertisements from Spark are filtered through a platform that identifies any ‘masculine’ words/phrases and makes suggestions to ensure the adverts are gender neutral. Kiw and his team actively encourage more women to take up careers in cybersecurity, with some success: he has recently recruited two women from non-cybersecurity backgrounds into his team. “One used to work in the retail store, another used to be an early childcare teacher. They had both been working in New Zealand for a long time and felt they were getting nowhere, career wise,” Kiw says.

“They found me through other people and I’ve been mentoring them, helping them understand what the industry is all about and guiding them on the type of training and certifications they need. Both are now in my team.”



MENTORING FUTURE LEADERS

Another challenge Kiw has is getting female members of his security team to apply for higher level roles. “They’re doing an amazing job, but when an opportunity comes up, not one of them will go for the role. Somehow they feel their skill level is nowhere near that of their male colleagues.”

To try and redress this Kiw has identified female team members with leadership potential and is working to prepare them to apply for roles in the future. He holds monthly mentoring catch ups with these women as he does with his direct reports and they are enrolled in Spark leadership training courses.

One woman who did apply for a cybersecurity role at Spark, and got accepted, is Megan Young who nominated the company for the Best Place for a Woman to Work and has been nominated for the One to Watch in IT Security award. She has a background in legal and corporate procurement and, wanting something different, gained a CISSP certification.

“I think it was a perfect example of the security tribe and Spark really wanting to diversify and get people in with completely different backgrounds who think in different ways and have different perspectives and different skill sets,” she says. “It felt like a bit of a gamble for myself, and for Spark. But it’s worked out because two years later, I’m still doing it and I love it.”

She joined a team of 12 with fairly even numbers of men and women and was assigned a mentor, a woman with many years of experience in cybersecurity. “I was able to shadow her in all her security tasks and projects. So, within the first few months of being in the company, I was able to watch a professional woman in cybersecurity getting the job done. She brought me along to her interactions with customers. It was great seeing how it’s done and seeing what’s possible.”

Another woman with a positive career journey in cybersecurity at Spark is also a nominee for the IT Security Champion award, Best Security Mentor award and the One to Watch in IT Security award: Amina Aggarwal, a professional services network and security design consultant. She had a brief stint at Spark, left and re-joined two years later.

SUPPORTIVE LEADERSHIP

“The leadership is very supportive. We have one on one meetings with our managers on a regular basis where we talk about our career progression, the certifications we’d like to gain, the initiatives, the programs that we work on. The leadership at Spark is empowered to make things happen and support us where we need it,” Aggarwal says.

“That has helped me to grow as a leader and a cybersecurity professional. Spark provide equal opportunities for professionals to learn and grow. I am supported by my people managers at every step whether it’s a presentation to a customer or an initiative that I would like to work on.”

Spark’s focus on diversity, equity and inclusion has helped to create an environment where all employees can feel comfortable bringing their whole selves to work, regardless of gender, ethnicity, orientation, age, experience, neurodivergence or ability.



Spark women on why cybersecurity needs more women

Spark’s head of security, Nyuk Loong Kiw, says he wants more women in cybersecurity roles. Here are seven powerful arguments why Spark, or any other organisation, would benefit if he achieves that goal.

RUTH GLOVER

Chapter Area Lead, Identity Access Management, Spark

Glover got a clerical job in the Post Office—responsible for telecommunications prior to the creation of Telecom NZ which then became Spark—and one day saw an opening for a computer programmer. “When I said I was going to apply I was told I wouldn’t be smart enough. Forty two years later I am still here working in identity. Identity requires analytical thinking, but also teamwork and communication skills which women excel in. Being able to promote universal access to people and businesses gives a real purpose to my role. Having the chance to use interpersonal skills as well as technical skills is why more women should work in cyber security.”

MEGAN YOUNG

Security Governance Risk and Architecture Specialist, Spark

Young says it is important for women to work in cybersecurity for three reasons. “Firstly, at an individual level, women use information systems and operate in cyberspace alongside our male counterparts, every day of our lives. So why wouldn’t we also be responsible for securing them?

“Secondly, at an organisational level, to have any hope in combating the increasing complexity of cybersecurity challenges, companies should equip themselves with a diverse mix of problem solvers from different backgrounds, with different life experiences and offering different perspectives. A diverse team of problem solvers is more likely to identify and understand end users and the possible threats they face, and identify solutions more efficiently.

“And finally, at a societal level, to adequately protect the information systems and cyberspace which our community exists and relies on every day, it is only conscionable for the cybersecurity industry to have appropriate representation and engagement with all members of that community.”




COCO LIU

Cybersecurity Analyst, Spark

Liu says getting more women into cybersecurity would help organisations in many different ways. “Building gender diversity in the company and gender equality will bring in more talent into the organisation and fill the workforce. The way women and men think are different. Hackers are from different backgrounds so defenders also need different perspectives. A male perspective alone is not enough. Women are a natural fit for cybersecurity when it comes to counterattack and protection.”

VIVIEN HII

Security Governance Risk and Architecture Specialist, Spark

As a woman in IT Hii has long experience of being in the minority. “Throughout my journey from university to the workforce, I have often been one of very few females. It is becoming ever more important to encourage more women to work in this field, to bring more diversification to the industry. This will remove the stigma that IT and cybersecurity are only for males. Diversity in experiences and backgrounds is good because threat actors can be from different backgrounds. Greater diversity will also enable the industry to be better positioned to respond to different problems.”

CHERRY LIWAG

Security Certification & Accreditation Specialist, Spark

Liwag has a rather different argument for more women in cybersecurity. “Security is all about protecting people, assets and technology. If you look at it from a different perspective, we women have a strong sense of protection. Mothers protect their children to term, generally speaking. Security comes naturally to women. We can do more if women are given the same opportunities as men. Break the stigma. It is time to prove that women are as capable as men. At the end of the day, it is all about passion, drive and determination to succeed.”



OLIVIA YANG

Cybersecurity Analyst, Spark

Yang makes the point that, aside from what cybersecurity gains from having more women, women gain much from being in the industry. “People often think cybersecurity is the Secret Squirrel: a complex, dark and highly technical area, especially for women. However, when I fell into cybersecurity I was like Alice in Wonderland falling into the rabbit hole. I found it to be a fun, exciting and enjoyable experience.

“Working in cybersecurity, I become a wonder woman who could protect many people all at once. I could keep our staff and customers safe every single day, and that is extremely valuable for me. There are not many jobs that give this kind of satisfaction, but cybersecurity always does.”

TAHIRA BEGUM

Senior Security Consultant, Spark

Begum argues that society as a whole is diverse and cybersecurity should reflect this diversity, especially that of its adversaries. “We have adversaries from disparate demographics and if the people who are defending against threats do not have a diverse team that is very alarming for an organisation’s cybersecurity maturity. We have seen women at the forefront of all sectors, and cybersecurity is no different in its need for female representation to add value by sharing their unique skills, leadership and strategy.”



WHO WILL WIN?

BEST INDUSTRY INITIATIVE THAT SUPPORTS DIVERSITY, INCLUSION AND EQUALITY

FINALISTS

NOMINEES

#10KWāhine initiative

#10KWāhine initiative

Microsoft

AWS She Builds

She# She Sharp

Spark NZ Blue Heart Program Spark NZ

SPONSORED BY Spark

OMGTech She# Spark NZ Blue Heart Program

BEST PLACE FOR WOMEN TO WORK IN SECURITY

FINALISTS

NOMINEES

Price Waterhouse Coopers New Zealand - Cyber and Digital Identity Practice

Netsafe

SPONSORED BY Spark

Spark New Zealand

Price Waterhouse Coopers New Zealand - Cyber and Digital Identity Practice

Xero

Spark New Zealand Tauranga City Council Trade Me Xero ZX Security



WHO WILL WIN?

BEST FEMALE SECURE CODER

SPONSORED BY Atlassian

FINALISTS

Darya Kokovikhina, Software Developer, Best Practice Software
Grace Lee, Senior Security Consultant, CyberCX
Justina Koh, Security Consultant, ZX Security

NOMINEES

Darya Kokovikhina
Grace Lee
Justina Koh

UNSUNG HERO

SPONSORED BY Atlassian

FINALISTS

NOMINEES

Duo, a division of Sektor 1stTuesday and Project Wednesday

Antionette Murray

Lesley Maguire

Duo Team Members, Duo, a division of Sektor

Beth Jackson

Liz Schoff

Chloe Ashford

Melonie Cole

Georgia Kitt-Lobo

Duo, a division of Sektor - 1stTuesday and Project Wednesday

Phoebe Soon Robyn Campbell

Eva Knotkova

Sarah McMaster

Georgia Kitt-Lobo

Tandi McCarthy

Janice Lecias

Tina Bautista

Cybersecurity Consultant - Governance, Risk and Compliance, Datacom

Sai Honig Engagement Security Consultant, Amazon Web Services

Tandi McCarthy Lead Security Consultant, ZX Security

Sai Honig

Kathleen Aparte


JODIE VLASSIS

TRUST, SECURITY — AND TRANSPARENCY AT ATLASSIAN

by Jodie Vlassis, Senior Cyber Security SME | Trust, Security & Engagement at Atlassian

ASX listed global software company Atlassian is unusual in the amount of information it offers customers on its security practices and policies. Its website hosts a 42 page book: Security @ Atlassian: an in-depth view of Atlassian’s approach to security, along with the Atlassian Trust Center that “connects you to the latest information on the security, reliability, privacy, and compliance of our products and services”, Security at Atlassian and Security Practices at Atlassian.

These information sources are manifestations of an evolution of security from being “a very confidential aspect in a company’s business practices to becoming super-transparent,” says Atlassian trust and security team lead Jodie Vlassis.

“Atlassian, and our trust team, are committed to ensuring the unfaltering safety and security of our customers’ data, and to providing them with the information needed to understand and evaluate our security, compliance and privacy practices and policies through the use of self service,” she says.

“We have a number of outreach and engagement channels that support customers to identify how the Atlassian trust team keeps their cloud systems secure, the many steps we take to build security into our products, and the role our customers play in keeping their work environments secure.”

NO SECURITY SILOES

At Atlassian, security functions are not siloed between product development, internal company security and customer security. Vlassis is a member of the trust, security and engagement team, which, she says, “serves both our internal teams in driving security and compliance initiatives across the organisation, as well as our customers.”

One of the core functions of her team is to be the bridge between customers and the Atlassian trust team. “Our mission is to remove security and compliance blockers for customers,” she says. “We are embedded in a number of functions across the company: security, compliance, go-to-market, regulatory compliance and privacy, to name just a few.”

She believes what Atlassian is doing represents a trend other companies will have to follow. “I think customers are starting to become a lot more aware of what their rights are when it comes to customer data and data privacy rights, and I think that is forcing businesses to become more transparent. … I’d like to hope that Atlassian, being such a cutting-edge company, is setting the scene for others to step up and do the same.”

Creating greater importance for security — and greater transparency around security — is the move to cloud, Vlassis says. “Our primary focus continues to be building the world class cloud platform which powers our existing portfolio of leading collaboration tools for workers across every business function. Our cloud products enable teams to collaborate and innovate more effectively, scale quickly and focus more time and energy on their core mission.”

CHIEF TRUST, NOT SECURITY, OFFICER

“Today’s chief trust officers must expand beyond the position of security enforcer and into a more visionary and strategic role, balancing security risk with enterprise reward.”

Vlassis says a chief trust officer should be responsible for leading a proactive approach, getting ahead of rising regulatory policies and rethinking how an organisation manages user privacy.

“I believe in today’s landscape we are witnessing the blurring of lines in the cybersecurity world between security, engineering and compliance. And in addition to security and reliability, privacy and compliance are top priorities for customers in the area of cloud and distributed systems.”

She says this has simplified Atlassian’s organisational structures and removed collaboration barriers between interconnected teams: the security team, privacy team and development team.

“We’ve seen a real positive result from this, and it’s allowed us to resolve security issues much faster, respond to international regulatory regulations in a more agile way and communicate with customers more proactively.”

Security, Vlassis says, is no longer just a company problem but more of a people problem, and a psychological problem. “As an industry we’ve discovered that enforcing security procedures and enhancing training are slowly starting to become a little redundant. Instead, we encourage our security teams, or our trust teams, to practice empathy and to better understand and comprehend developer primary issues when building products.”

She believes Atlassian to be out in front with the creation of the chief trust officer role. “The evolution CISO to chief trust officer continues to be a balancing act and it will continue to be so for some time. However, our peers know Atlassian is super thought provoking and super cutting edge when it comes to our somewhat radical approach, and we feel this approach continues to pay off in really positive ways.”

REMOTE WORKING NOW THE NORM

Atlassian is also well-known for its cutting-edge approach to remote working. In April 2021 Atlassian announced Team Anywhere, described as a policy that would enable staff to work from any location in a country where the company has a corporate entity.

This move followed release by Atlassian in October 2020 of a commissioned report Reworking Work: Understanding The Rise of Work Anywhere.

Almost 18 months from the announcement of Team Anywhere the company says 31 percent of 2021 Australian hires are working remotely and 26 percent of its global workforce is remote. Furthermore, the company argues that giving new recruits the option of working remotely is the only way it will be able to meet requirements.

“Our plans are to hire another 5,000 employees (bringing us to over 7,000 here in Australia), we wouldn’t be able to rely on hiring all of this talent in Sydney alone.”

Vlassis says the move to remote working was driven by the pandemic, but is proving beneficial as those constraints have eased. “The pandemic forced us to take a step back and rethink our commonly held beliefs. It became clear that not only is it possible to work flexibly and remotely, but it offers the opportunity to learn and continuously improve our employee experience and offering. … At the end of the day, we want our people to live the life they want, and this choice helps achieve that.”

Also, she says, the remote working policy supports what Atlassian sees as another key priority: building a diverse workforce. “In order to create great products for our customers, we need to attract Atlassians to represent them who are as diverse as the communities we serve. Research has proven that commercial benefits flow as a result of attracting and enabling a diverse workforce through inclusive business practices.

THE DIVERSITY DIVIDEND

“A study of workplace trends shows that some of the key benefits of a diverse workforce are better decision making, increased creativity and innovation, and higher levels of employment engagement.”

Vlassis epitomises that diversity. When she left school she became a professional dancer and worked for a real estate agent. Then she went to university as a mature age student and studied for eight years. She aspired to become a police officer, but realised it was not for her and pivoted into cybersecurity.

“I studied social sciences, psychology and criminology for five years. Then I did a master’s in policing intelligence and counterterrorism with a sub specialisation in intelligence in cybersecurity. That’s what sparked my interest in wanting to get into security.

“The beauty of the cybersecurity industry, in my opinion, is that the skills and attributes anyone holds in their career are easily transferable into the industry. You can find yourself bringing something new and fresh.”

www.linkedin.com/in/jodie-vlassis



WHO WILL WIN?

NEW ZEALAND’S MOST OUTSTANDING WOMAN IN IT SECURITY

FINALISTS

NOMINEES

Aimee Lin

Aimee Lin

Kandice Mclean

Chief Product Officer & Technical co-founder, DataMasque

Ankita Dhakar

Kat Lennox-Steele

Cherry Liwag

Kate Pearce

Denise Carter-Bennett

Melonie Cole

Erica Anderson COO and Director, Safestack and SafeAdvisory

Hilary Walton CISO, Kordia

Erica Anderson

Kate Pearce

Hilary Walton

Head of Security, Trade Me

Jenny Botton

Ngaire Kelaher Rudo Tagwireyi Tarryn Roth Yael Lord

BEST INNOVATIVE BUSINESS “RESHAPING THE FUTURE” OF THE SECURITY INDUSTRY

FINALISTS

NOMINEES

Cyber Tribe

Cyber Tribe

DataMasque

DataMasque

Mindshift

Hacking for Heroes KPMG Mindshift Security Lit NZ



WHO WILL WIN?

BEST SECURITY MENTOR

FINALISTS

NOMINEES

Amina Aggarwal

Amina Aggarwal

Laura Bell

Security Design Consultant, Spark NZ

Hilary Walton

Laura Smith

Ivy Macapagal

Michelle Crowe

Jaimee Pasig

Robyn Campbell

Jan Thornborough

Scotland Symons

Ivy Macapagal Security Analyst, ESR - Science and Research

Jan Thornborough Founder & Director, Intelligensia

Robyn Campbell

Katherine Pearce

Partner, Cyber & Privacy, PwC

IT SECURITY CHAMPION

FINALISTS

NOMINEES

Aastha Sharma

Mae Koh

Security Design Consultant, Spark NZ

Akarsha Palle

Megan Young

Anupurna Kaw

Amina Aggarwal

Mikala Jane Anstis Easte

Amina Aggarwal

Cyber and Cloud Security professional, Microsoft

Anupurna Kaw

Jenny Botton

Cherry Liwag

Head of Corporate Information Security, CCL

Mikala Jane Anstis Easte

Coco Liu Diana Yang

Manager Security Assurance and Governance, Reserve Bank of New Zealand

Ivy Macapagal

Sarah Burgess

Jenny Botton

Product Owner - Security, Xero


Jaimee Pasig Kyla Butcher

Nadia Yousef Sarah Burgess Teodora Bear Tiffany Chu Vanessa Piper Vivien Hii Yolanda Wilke



WHO WILL WIN?

MALE CHAMPION OF CHANGE

FINALISTS

NOMINEES

Andrew Thorburn

Paul Platen

Adwin Singh

Eugene Gibney

Enterprise Security & Risk Manager, Atlas Gentech NZ

Chief Information Officer, SSS - IT Security Specialists

Andrew Thorburn

James Dickinson

Andy Crawford

John Martin

Andy Crawford

Rob Lonie

Bill Moses

Nyuk Loong Kiw

Professional Services Delivery Lead, Spark NZ

Sales Leader in Cybersecurity, Microsoft

Craig Maskell

Paul Platen

Dan Richardson

Rob Lonie

David Higgins

Simon Howard

Nyuk Loong Kiw Head of Security, Spark NZ

BEST SECURITY STUDENT

FINALISTS

Caitlin Mojica, Graduate Security Analyst, Xero
Malahat Rehan, DevSecOps Engineer, Snapper Services
Ayla Narciso, Student, Developers Institute

NOMINEES

Ayla Narciso
Caitlin Mojica
Danielle Domingo
Daphne Gumban
Elle Wright
Malahat Rehan
Rachel Grimwood



WHO WILL WIN?

BEST VOLUNTEER

FINALISTS

Abby Zhang, Security Analyst, Kordia SecOps and Chapter Lead NZNWS and SheLeadsTech Liaison ISACA Auckland Chapter
Katherine Lennox-Steele, Founder of Cyber Tribe, Customer Success Manager and Security Consultant, Unisphere, Cyber Tribe
Toni James, Security Engineer, Salesforce

NOMINEES

Abby Zhang
Katherine Lennox-Steele
Toni James

MOST INNOVATIVE EDUCATOR IN CYBERSECURITY

FINALISTS

NOMINEES

Education Arcade

Dr Mahsa Mohaghegh

Founder, Education Arcade

Education Arcade

Dr Mahsa Mohaghegh Director of Women in Technology, Auckland University of Technology

Te Pūkenga - New Zealand Institute of Skills & Technology Unitec


Jennie Vickers Melonie Cole Mindshift Te Pūkenga - New Zealand Institute of Skills & Technology



WHO WILL WIN?

THE ONE TO WATCH IN IT SECURITY

SPONSORED BY Westpac

FINALISTS

NOMINEES

Amaryah Halo

Aleisha Hoult

Lauren O’Sullivan

Information Security Analyst, Kiwibank

Amaryah (Ama) Halo

Marnie McLeod

Justina Koh Security Consultant, ZX Security

Amina Aggarwal

Meaghan Bradshaw

Lauren O’Sullivan

Ann Babuji

Megan Young

Chloe Ashford

Narmada Kohli

Denise Carter-Bennett

Olivia Uhrle

Senior Consultant, CyberCX

Meaghan Bradshaw Senior Consultant - Security, Microsoft

Megan Young Security GRA Specialist, Spark NZ

Dimpal Tailor Emma Harrison Hazel Schapel Ila Vala Isabella Riddell-Garner Jamie McClymont Jenna Whitman Jennie Vickers Justina Koh

Patience Mitchell Prinka Rana Rajbir Kaur Remya Kumar Richa Sharma Sheree Fleming Tahira Begum Tessa Anton Tina Bautista Vanessa La Luna

Katja Feldtmann Keerthana (Kiya) Kumar


THANK YOU TO OUR 2022 NEW ZEALAND WOMEN IN SECURITY AWARDS SPONSORS

SUPPORTING PARTNER

BRONZE SPONSOR

NETWORKING SPONSOR

SUPPORTING SPONSOR

GOLD SPONSOR

EMERALD SPONSORS

SILVER SPONSOR

MERCHANDISE PARTNER


WOMEN IN SECURITY MAGAZINE CONTRIBUTORS

1. AMANDA-JANE TURNER
Author of the Demystifying Cybercrime series and Women in Tech books. Conference Speaker and Cybercrime specialist

2. ANNELIES MOENS
Managing Director, Privcore, Superstar of STEM

3. JOYCE TIWARI
Information Security Manager at Tarabut Gateway

4. RANJEETA RANI
Senior Security Engineer at KONE

5. SANDY ASSAF
Head of IT Risk & Compliance at Crown Resorts

6. DINA ATWELL
Manager, Cyber Insider Threat and Technical Investigations at Capital One

7. TARA MURPHY
Director, Security & Traffic at the University of NSW, Sydney

8. EMILY GOODMAN
Cyber Security Consultant at EY

9. JESSICA WILLIAMS
Security Specialist Monitoring and Incident Response at Rio Tinto

10. SCARLETT MCDERMOTT
Chief Technology Officer at WithYouWithMe

11. ANNA DART
Senior Manager Protective Security at Westpac

12. TASH BETTRIDGE
Customer Success Account Manager at Microsoft

13. CRAIG FORD
Cyber Enthusiast, Ethical Hacker, Author of A Hacker I Am vol1 & vol2, Male Champion of Change Special Recognition award winner at 2021 Australian Women in Security Awards

14. LIBERTY MUDZAMBA
Senior Consultant in Cybersecurity at EY

15. LEKSHMI NAIR
Managing Principal, APAC, Synopsys Software Integrity Solutions

16. JEMMA LAWRENCE
Recruitment Consultant at CyberSec People

17. VANNESSA MCCAMLEY
Leadership and Performance Consultant, Coach, Facilitator, Author and Keynote Speaker

18. SIMON CARABETTA
Business Operations Manager at ES2

19. KAREN STEPHENS
CEO and co-founder of BCyber

20. DR MARIA BEAMOND
Lecturer in Management, RMIT University

21. DR LEONORA RISSE
Senior Lecturer in Economics, RMIT University

22. FATEMAH BEYDOUN
Chief Customer Officer, Secure Code Warrior

23. KAT LENNOX-STEELE
Information Security Analyst and Co-Founder at Cyber Tribe and MVP

24. JANA DEKANOVSKA
Strategic Threat Advisor at CrowdStrike

25. DR ASTHA KESHARIYA
Information Science, University of Otago

26. STACEY CHAMPAGNE
Insider Risk Expert, Founder & CEO of The Trade Secrets Network and Hacker in Heels

27. MARTY MOLLOY
Events, Marketing and Communications Coordinator at AusCERT

28. LISA VENTURA
Founder – Cyber Security Unity

29. ROSALYN PAGE
Award-winning writer and content strategist covering innovation, technology and the digital lifestyle

30. KARA KELLY
Manager at Deloitte

31. SARAH IANNANTUONO
Security Strategy and Program at SEEK

32. SAI HONIG
Engagement Security Consultant at Amazon Web Services

33. KAVIKA SINGHAL
Cyber Security Consultant at EY

34. JAY HIRA
Director of Cyber Transformation at EY

35. MICHELLE GATSI
Cyber Security Consultant at EY

36. SHINESA CAMBRIC
Principal Product Manager, Microsoft Intelligent Protections Emerging Identity at Microsoft

37. KAAJAL SHARMA
Offensive Security Associate at EY

38. BABY LYN NAGAYO
Cyber Security Manager at EY

39. MEGHAN JACQUOT
Security Engineer at Inspectiv

40. MEHLIKA ERCAN
Cyber Security Analyst

41. MARISE ALPHONSO
Information Security Professional

42. MICHELLE LIAO
A/NZ Channel and Distribution Manager at WatchGuard Technologies

43. OORJA RUNGTA
BTech in Computer Science Student

44. KAO HANSELL
Bachelor of Information Technology: Networking and Cybersecurity Student

45. JACK K
Bachelor of Information Technology Student

46. GABRIELLE RAYMUNDO
Certified Cyber Security Professional Course Student

47. HAICHEUR ICHRAK AMANI
Master’s Student in Cybersecurity

48. MANDEEP BRAR
Cybersecurity bootcamp

49. LISA ROTHFIELD-KIRSCHNER
Author of How We Got Cyber Smart | Amazon Bestseller

50. KATE MARSHALL
National Leader of KPMG’s Cyber law practice

51. MITRA MINAI
National Cyber Partner to the Health sector

52. NATASHA PASSLEY
Partner, Technology, Risk and Cyber

53. GERGANA WINZER
Partner, Enterprise Advisory – Cyber

54. MARTINA MUELLER
Accenture Australia financial services security lead

55. RUTH GLOVER
Chapter Area Lead, Identity Access Management, Spark

56. MEGAN YOUNG
Security Governance Risk and Architecture Specialist, Spark

57. COCO LIU
Cybersecurity Analyst, Spark

58. VIVIEN HII
Security Governance Risk and Architecture Specialist, Spark

59. CHERRY LIWAG
Security Certification & Accreditation Specialist, Spark

60. OLIVIA YANG
Cybersecurity Analyst, Spark

61. TAHIRA BEGUM
Senior Security Consultant, Spark

62. JODIE VLASSIS
Senior Cyber Security SME | Trust, Security & Engagement at Atlassian


OFF THE SHELF

FUTUREPROOF YOU
Author // Kellie Tomney

Constant Volatility, Uncertainty, Complexity, Ambiguity and Disruption in our world are making jobs, careers and industries more insecure. The Future of Work and the fourth industrial revolution are here. Careers have changed and will continue to change rapidly and significantly. The question is: Will you change with the times, or will you be forced to change because of them? Able to relate to the constant internal call for career change as well as recognising the sudden, dramatic, external catalysts at work in the world, in Futureproof You, careers expert Kellie Tomney addresses:

• The global trends influencing career choices and the opportunities inherent in the new world of work
• The journey from feeling abandoned, disconnected and Frustrated to becoming truly Futureproof
• The 3 Futureproofing Keys that will unlock your unique value and superpower your career
• The tools to adapt and grow in an ever-evolving cycle of impact

THE ART OF INVISIBILITY: THE WORLD’S MOST FAMOUS HACKER TEACHES YOU HOW TO BE SAFE IN THE AGE OF BIG BROTHER AND BIG DATA
Authors // Kevin Mitnick and Robert Vamosi

Like it or not, your every move is being watched and analyzed. Consumer’s identities are being stolen, and a person’s every step is being tracked and stored. What once might have been dismissed as paranoia is now a hard truth, and privacy is a luxury few can afford or understand.

In this explosive yet practical book, Kevin Mitnick illustrates what is happening without your knowledge - and he teaches you “the art of invisibility.” Mitnick is the world’s most famous - and formerly the Most Wanted - computer hacker. He has hacked into some of the country’s most powerful and seemingly impenetrable agencies and companies, and at one point he was on a three-year run from the FBI. Now, though, Mitnick is reformed and is widely regarded as the expert on the subject of computer security. He knows exactly how vulnerabilities can be exploited and just what to do to prevent that from happening. In THE ART OF INVISIBILITY Mitnick provides both online and real life tactics and inexpensive methods to protect you and your family, in easy step-by-step instructions. He even talks about more advanced “elite” techniques, which, if used properly, can maximize your privacy. Invisibility isn’t just for superheroes - privacy is a power you deserve and need in this modern age.

THE CUCKOO’S EGG: TRACKING A SPY THROUGH THE MAZE OF COMPUTER ESPIONAGE
Author // Clifford Stoll

Before the Internet became widely known as a global tool for terrorists, one perceptive U.S. citizen recognized its ominous potential. Armed with clear evidence of computer espionage, he began a highly personal quest to expose a hidden network of spies.


THE CYBER EFFECT: A PIONEERING CYBERPSYCHOLOGIST EXPLAINS HOW HUMAN BEHAVIOUR CHANGES ONLINE
Author // Mary Aiken

Dr Mary Aiken is the world’s leading expert in forensic cyberpsychology - a discipline that combines psychology, criminology and technology to investigate the intersection between technology and human behaviour. In this, her first book, Aiken has created a starting point for all future conversations about how the Internet is shaping our perception of the world, development and behaviour, societal norms and values, children, safety and security.

Covering everything from the impact of screens on the developing child to the explosion of teen sexting, and the acceleration of compulsive and addictive online behaviours (gaming, shopping, pornography), The Cyber Effect also examines the escalation in cyberchondria (self-diagnosis online), cyberstalking and organized crime in the Deep Web. Cyberspace is an environment full of surveillance, but who is looking out for us? Full of surprising statistics and incredible-but-true case studies of the hidden trends that are shaping our culture, this book raises troubling questions about where the digital revolution is taking us.

Upending your assumptions about your online life and forever changing the way you think about the technology that you, your friends and your family use, The Cyber Effect offers a fascinating and chilling look at a future we can still do something about.

THE ART OF MEMORY FORENSICS: DETECTING MALWARE AND THREATS IN WINDOWS, LINUX, AND MAC MEMORY
Author // Michael Hale Ligh

Memory forensics provides cutting edge technology to help investigate digital attacks.

Memory forensics is the art of analyzing computer memory (RAM) to solve digital crimes. As a follow-up to the best seller Malware Analyst’s Cookbook, experts in the fields of malware, security, and digital forensics bring you a step-by-step guide to memory forensics—now the most sought after skill in the digital forensics and incident response fields. Beginning with introductory concepts and moving toward the advanced, The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory is based on a five day training course that the authors have presented to hundreds of students. It is the only book on the market that focuses exclusively on memory forensics and how to deploy such techniques properly.

SECURITY ENGINEERING: A GUIDE TO BUILDING DEPENDABLE DISTRIBUTED SYSTEMS
Author // Ross J. Anderson

In Security Engineering: A Guide to Building Dependable Distributed Systems, Third Edition Cambridge University professor Ross Anderson updates his classic textbook and teaches readers how to design, implement, and test systems to withstand both error and attack.

This book became a best-seller in 2001 and helped establish the discipline of security engineering. By the second edition in 2008, underground dark markets had let the bad guys specialize and scale up; attacks were increasingly on users rather than on technology. The book repeated its success by showing how security engineers can focus on usability.


THE

2023 WOMEN IN SECURITY AWARDS

Don’t miss the largest security awards of the year!

12

NEW ZEALAND WOMEN IN SECURITY AWARDS

9

OCTOBER

NOVEMBER

womeninsecurityawards.com.au

womeninsecurityawards.co.nz

WANT TO BE PART OF IT? Register your interest today by contacting aby@source2create.com.au

